Tuesday, December 06, 2022 // (IG): BB // Bubba3dPrints // Coffee for Bob
'Team Mysterious Bangladesh' Hackers Target Indian Education Entity
FROM THE MEDIA: A threat actor group named “Team Mysterious Bangladesh” has claimed to have compromised the Indian Central Board of Higher Education (CBHE) systems. According to a new advisory by cybersecurity experts at CloudSEK, the hackers allegedly stole personally identifiable information (PII), including names, Aadhaar numbers, Indian Financial System Codes (IFSC codes) and other details of numerous individuals. “CloudSEK’s contextual AI digital risk platform [...] discovered a threat actor group named Team Mysterious Bangladesh who claimed to have compromised the CBHE Delhi, India,” the company wrote.
READ THE STORY: InfoSecMag
Weaponizing the IT Supply Chain: Leviathan’s Attacks and Kinetic Naval Intervention in the South China Sea
FROM THE MEDIA: From the description of the presentation “Rising Tide Redux” at CYBERWARCON 2022, which was held recently in-person (and virtual) in Arlington, VA: Leviathan, a Chinese APT [advanced persistent threat] actor and contractor known to support the Chinese Ministry of State Security, is targeting the supply chains of naval defense and energy exploration entities active in the South China Sea.
READ THE STORY: OODALOOP
Amnesty International Canada hit by cyberattack out of China
FROM THE MEDIA: The Canadian branch of Amnesty International was the target of a sophisticated cyber-security breach this fall — an attack forensic investigators believe originated in China with the blessing of the government in Beijing. The intrusion was first detected on October 5, the human rights group said Monday. The attack showed signs of being the work of what's known as an advanced persistent-threat group (APT), according to the cyber security company that conducted the forensic investigation.
READ THE STORY: CBC
Wiper, Disguised as Fake Ransomware, Targets Russian Orgs
FROM THE MEDIA: Companies infected with purported ransomware may no longer have an option to pay a ransom. A new malicious program acts exactly like crypto-ransomware — overwriting and renaming files, then dropping a text file with a ransom note and a Bitcoin address for payment — but the program instead deletes the contents of a victim's files. The program, CryWiper, currently targets Russian organizations but could easily be used against companies and organizations in other nations, according to cybersecurity firm Kaspersky, which analyzed the program.
READ THE STORY: DARKReading
Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware
FROM THE MEDIA: A version of an open source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities due to its "weak architecture and programming." Cryptonite, unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and its forks have since been taken down. Written in Python, the malware employs the Fernet module of the cryptography package to encrypt files with a ".cryptn8" extension.
READ THE STORY: THN
Ukrainian software developers deal with power outages
FROM THE MEDIA: Ukrainian IT services companies are using diesel generators and creative time management to overcome power outages due to Russian missile attacks on energy infrastructure, the most recent of which was underway today. Planned shutdowns and emergency restrictions on electricity continue in parts of Ukraine as repairs are made on the power grid. Ukrainian energy company DTEK last week informed its customers in Kyiv that it would aim to provide electricity for two to three hours, twice a day.
READ THE STORY: TechTarget
Elon Musk Says 'Significant' Risk of Assassination, Talks Hunter Biden, Free Speech
FROM THE MEDIA: Elon Musk has expressed anxiety about his own safety while discussing free speech and his plans for Twitter amid the release of private communications from inside the social media company in the lead up to the 2020 presidential election. While engaging in a Twitter Spaces discussion, the CEO said, "Frankly the risk of something bad happening or literally even being shot is quite significant. I'm definitely not going to be doing any open air car parades, let me put it that way."
READ THE STORY: toofab
Ukrainian long-range drone attacks expose Russian air defenses
FROM THE MEDIA: A third Russian airfield was ablaze on Tuesday from a drone strike, a day after Ukraine demonstrated an apparent new ability to penetrate hundreds of kilometers deep into Russian air space with attacks on two Russian air bases. Officials in the Russian city of Kursk, located closer to Ukraine, released pictures of black smoke above an airfield in the early morning hours of Tuesday after the latest strike. The governor said an oil storage tank there had been set ablaze but there were no casualties.
READ THE STORY: Reuters
Chinese government-linked hackers stole millions in COVID funds
FROM THE MEDIA: The U.S. government has just confirmed the first official case of pandemic fraud linked to foreign state-sponsored hackers. At least $20 million in COVID relief funds have been stolen by the China-based, state-sponsored hacking group, APT41, according to the Secret Service per NBC News. And officials believe there is much more of this going on that's yet to be discovered as over 1,000 related investigations are underway. APT41 is a sophisticated group that has carried out high-level attacks on the U.S. before.
READ THE STORY: Mashable
Hackers hijack Linux devices using PRoot isolated filesystems
FROM THE MEDIA: Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. A Bring Your Own Filesystem attack is when threat actors create a malicious filesystem on their own devices that contain a standard set of tools used to conduct attacks. This file system is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to compromise a Linux system further.
READ THE STORY: Bleeping Computer
Sneaky hackers reverse defense mitigations when detected
FROM THE MEDIA: A financially motivated threat actor is hacking telecommunication service providers and business process outsourcing firms, actively reversing defensive mitigations applied when the breach is detected. The campaign was spotted by CrowdStrike, which says the attacks started in June 2022 and are still ongoing, with the security researchers able to identify five distinct intrusions. The attacks have been attributed with low confidence to hackers tracked as 'Scattered Spider,' who demonstrate persistence in maintaining access, reversing mitigations, evading detection, and pivoting to other valid targets if thwarted.
READ THE STORY: Bleeping Computer
Russian Hackers 'Intensify' Cyberattacks On Italy's Government Websites
FROM THE MEDIA: Russian hackers intensified their cyberattacks against Italy's government websites, causing alarm for officials. Italy's Computer Security Incident Response Team (CSIRT), the incident response team of the National Cybersecurity Agency of Italy, detected an increase in distributed denial of service (DDoS) attacks against the country's official websites by hacker groups of Russian origin, the Italian news agency ANSA reported.
READ THE STORY: IBT
DHS secretary says US faces 'a new kind of warfare'
FROM THE MEDIA: Secretary of Homeland Security Alejandro Mayorkas said national security and homeland security are now more interconnected than ever before, largely driven by the fact that U.S. adversaries can execute attacks “with a keystroke.” In a speech Monday, Mayorkas said that global interconnectedness and the willingness of nations to unleash digital attacks that have international ramifications has brought the national security threat “directly to our communities.”
READ THE STORY: CyberScoop
Killnet DDoS Group Executes a Cyber Attack on the EU Parliament Website After Resolution Against Russia
FROM THE MEDIA: The EU parliament website suffered a distributed denial of service (DDoS) cyber attack, moments after declaring Russia a state sponsor of terrorism and calling for further isolation. A DDoS attack involves flooding the targeted website with requests to prevent legitimate users from accessing it. Anonymous Russia, a cyber-hacktivist group linked to the Killnet DDoS group, claimed responsibility for the attack. EU parliament officials linked the cyber attack to a pro-Russian group known for executing DDoS attacks against countries that oppose Russia.
READ THE STORY: CPOMAG
Microsoft warns of Russian cyberattacks throughout the winter
FROM THE MEDIA: Microsoft has warned of Russian-sponsored cyberattacks continuing to target Ukrainian infrastructure and NATO allies in Europe throughout the winter. Redmond said in a report published over the weekend that it observed a pattern of targeted attacks on infrastructure in Ukraine by the Russian military intelligence threat group Sandworm in association with missile strikes. The attacks have been accompanied by a propaganda campaign to undermine Western support (from the U.S., EU, and NATO) for Ukraine.
READ THE STORY: Bleeping Computer
Elon Musk's SpaceX unveils Starshield satellite services for U.S. military
FROM THE MEDIA: SpaceX is rolling out a new business called Starshield to support U.S. military applications, building upon the company's existing satellite system. The latest Elon Musk endeavor expands on Starlink Internet satellite technology for national security uses, to include secure communications and space surveillance payloads, for its largest customer, the Pentagon. "While Starlink is designed for consumer and commercial use, Starshield is designed for government use," the company wrote on its website, "with an initial focus on three areas: Earth observation, communications and hosted payloads."
READ THE STORY: UPI
Nearly 500 Million WhatsApp Records Allegedly Stolen in Data Leak, Offered on Dark Web for a Few Thousand Dollars
FROM THE MEDIA: The world’s most commonly used messaging app may have suffered a data leak impacting about 487 million of its users, if a dark web posting is to be believed. The threat actor is offering the information for a relatively low cost, dividing it up by country of origin and offering each package for prices in the range of several thousand dollars. It remains to be seen if the entire collection is legitimate, but samples provided by the hackers have been verified by security researchers. If the full data leak is legitimate, it would impact about a quarter of WhatsApp’s global user base.
READ THE STORY: HackRead
Iran: State-Backed Hacking of Activists
FROM THE MEDIA: Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said today. An investigation by Human Rights Watch attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as Charming Kitten.
READ THE STORY: CPO
Hive Social Buzzing With Security Flaws, Analysts Warn
FROM THE MEDIA: Social media users looking for an alternative to Elon Musk's Twitter should probably avoid Hive Social, according to a team of cybersecurity experts who turned their attention to the platform after it hit more than a million users. German researchers Zerforschung issued an all-out warning to avoid Hive Social. "The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages," the team wrote in its report. "This also includes private email addresses and phone numbers entered during login."
READ THE STORY: DARKReading
CommonSpirit confirms network accessed a week before ransomware attack
FROM THE MEDIA: CommonSpirit Health issued an update on the ransomware attack that brought down multiple hospitals across the country for more than a month, confirming the threat actors first gained network access weeks before the attack and patient data was, indeed, accessed. As previously reported, the attackers first struck CommonSpirit on Oct. 2 and spurred network IT outages at various care sites operated by the country’s second-largest nonprofit hospital chain. While reports suspected all 142 hospitals and 700 care sites were impacted, the attack did not affect Dignity Health, TriHealth, Virginia Mason Medical Center, or Centura Health.
READ THE STORY: SCMAG
Education sector hit by Hive ransomware in November
FROM THE MEDIA: November saw an influx of ransomware attacks reported against the education sector, with some tied to the Hive ransomware group after threat actors claimed responsibility through the group's public data leak site. At least five of the 24 confirmed or disclosed ransomware attacks last month were against K-12 schools and universities, though that figure is likely much larger. While TechTarget Editorial tracks publicly reported ransomware events and official disclosures that include terms such as "encrypted data," there were signs that ransomware was involved in several additional instances referred to only as a cyber attack or security incident.
READ THE STORY: TechTarget
Ransomware attack forces French hospital to transfer patients
FROM THE MEDIA: The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that occurred on Saturday evening. According to Richard Delepierre, the co-chairman of the hospital's supervisory board, the attackers behind this ransomware incident have already demanded a ransom. "A ransom, the amount of which I do not know, has been requested but we do not intend to pay it," Delepierre said per an RFI report.
READ THE STORY: Bleeping Computer
Ransomware Professionalization Grows as RaaS Takes Hold
FROM THE MEDIA: Ransomware groups are getting their acts together, growing in sophistication and business acumen while monetizing ransomware beyond encryption, including double and triple extortion, as the market for ransomware-as-a-service (RaaS) matures. In the first half of 2022, LockBit, Conti, Alphv, Black Basta, and Vice Society were among the most prolific ransomware gangs, focusing their attacks on US-based organizations, according to a LookingGlass report on the topic.
READ THE STORY: DARKReading
Ransomware Gang Steals Employee and Customer Data From LJ Hooker
FROM THE MEDIA: A ransomware gang claims to have stolen 375 gigabytes worth of employee and customer data from a franchise of the Australian real estate giant, LJ Hooker, including passport scans, credit card details, and loans data. On November 30, LJ Hooker was added to the victim list of Russia-linked ransomware gang, ALPHV, also known as “BlackCat”, in a blog post on the dark web previewing some of the data stolen in the breach. So far, the group has published passport details of staff members, seen by VICE, along with login details to a throng of social media accounts, a couple of profit and loss statements, and a property sale contract.
READ THE STORY: VICE
Google warns stolen Android keys used to sign info-stealing malware
FROM THE MEDIA: Compromised Android platform certificate keys from device makers including Samsung, LG and Mediatek are being used to sign malware and deploy spyware, among other software nasties. Googler Łukasz Siewierski found and reported the security issue and it's a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of privileges as the Android operating system — essentially unfettered access to the victim's device.
READ THE STORY: The Register
Infostealer Malware Market Booms, as MFA Fatigue Sets In
FROM THE MEDIA: Malicious actors are finding success deploying information stealer (infostealer) malware, combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks. These were among the findings of a report from Accenture’s Cyber Threat Intelligence team (ACTI) surveying the infostealer malware landscape in 2022, which also noted a spike in the number of Dark Web advertisements for a variety of new infostealer malware variants.
READ THE STORY: DARKReading
Items of interest
Cyber Extortion Growing Exponentially in Africa, Middle East and China, Finds Orange
FROM THE MEDIA: Cyber extortion remains a top threat, but its geographical reach is shifting, Orange Cyberdefense (OCD) found in the Security Navigator 2023, the latest edition of its annual report on the threat landscape, released on December 1, 2022. The report shows that cyber extortion, a category OCD designates ‘Cy-X’ (the compromise of assets on a corporate network for ransom, including ransomware), ranks as the number one type of cyberattack. Such attacks accounted for a large majority of the 29,291 incidents the report was able to confirm, Charl van der Walt, head of OCD’s Security Research Center and lead author of the report, told Infosecurity.
READ THE STORY: InfoSecMag
Chris Miller: Chip War and the Battle Between the US and China (Video)
FROM THE MEDIA: From microwaves to missiles, smartphones to the stock market, our world is increasingly dependent on microchip technology. According to Chris Miller, microchips are the new oil, a critical resource that defines the current state of military, economic and geopolitical power.
Why The World Relies On ASML For Machines That Print Chips (Video)
FROM THE MEDIA: In a Dutch factory, there’s a revolutionary chipmaking machine the whole world has come to rely on. It takes months to assemble, and only one company in the world knows how: Advanced Semiconductor Materials Lithography.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com