Thursday, January 6, 2022
China wins data wars unless American businesses, universities team with U.S. gov’t, states Pentagon officer
FROM THE MEDIA: The American government must have successful relationships with academia and the business sector in order to win the ongoing data competition with China, according to David Spirk, the Department of Defense‘s chief data officer. Both the U.S. government and the Chinese government scoop up all kinds of data, from publicly accessible information to knowledge gathered from satellites and electronic signals. But China has access to data generated by its commercial sector because of policies that remove barriers between businesses and the country’s communist rulers. America’s government and business sectors are independent, though the Biden administration has sought new partnerships between companies and government to bolster U.S. cyber defenses. Mr. Spirk told reporters at George Washington University’s Project for Media and National Security on Wednesday that America is not losing its competition with China — yet. “I don’t necessarily see China having an advantage over us,” Mr. Spirk said. “But I do understand that if we don’t continue to partner with our commercial sector, with some of what I view [as] our lead cloud vendors, and see them as national security treasures in addition to some of our just academic powerhouses, if we don’t continue to grow those partnerships and leverage those capabilities, then I think we’ll find ourselves falling off pace.” Mr. Spirk said the U.S. is focused on the speed and accuracy of its decisions because it is aware that authoritarian rule gives China the ability to leverage data taken from its large population in a way that is unacceptable in a free society like the U.S.
READ THE STORY: Washington Times
ANALYST COMMENT: NSTR
Government regulation is the answer to addressing cyber-threats
FROM THE MEDIA: As we enter 2022 the world continues to be at risk from cybersecurity incidents, both from rogue actors and from some nation states. The central themes that are likely to emerge as the year progresses have been identified and reviewed by David Carroll, MD of Nominet Cyber. Carroll has outlined to Digital Journal what we could expect in the world of cyber security in 2022 when it comes to government cyber action, protecting critical national infrastructure, setting policy for ransomware, and related areas. Carroll begins by seeing the charge against cyber-threats as being coordinated at the nation state level, a trend that was embedded in 2021. According to Carroll: “Governments around the world will continue to take a more active role in cyber defense during 2022.” The requirement for state regulation and defense has arisen due to the scale and fall-out from many cyberattacks. Here Carroll notes: “Economic losses are mounting, supply chain attacks have compromised entire nations, and ransomware now poses a significant threat to national security.” He adds further that there are other triggers springing governments into action: “With cyber now presenting a risk to lives as well as to economies, we are potentially reaching a tipping point where governments will increasingly step in to correct any perceived market failures.” Carroll concludes that we should expect more rules to be in place, noting: “We will hear more discussion about cyber regulation next year, although it is probably too early to predict that new laws will change the way we protect citizens and conduct business.” As an example, Carroll thinks: “A ban on ransomware payments may be introduced, challenging though that would be to realize. There will also be increased diplomatic pressure to establish cyber norms and make it harder for cyber criminals to move money.” Carroll also thinks that the burden of security needs to be passed on by key public services to governments.
Here the analyst says: “2022 will be the year when a realization takes hold that it is unreasonable to expect operators of critical national infrastructure and providers of essential public services to exclusively own national security risk. Hospitals should be focused on keeping people alive and healthy, not combatting international ransomware gangs, and that will be the turn of the tide in the year to come.”
READ THE STORY: Digital Journal
ANALYST COMMENT: NSTR
MalSmoke attack: Zloader malware exploits Microsoft's signature verification to steal sensitive data
FROM THE MEDIA: Already impacting more than 2,000 victims, the malware is able to modify a DLL file digitally signed by Microsoft, says Check Point Research. A new malware campaign is taking advantage of a vulnerability in the way Microsoft digitally signs a specific file type. As described on Wednesday by cyber threat intelligence firm Check Point Research, an attack using the infamous Zloader banking malware aims to steal account credentials and other private data and has already infected 2,170 unique machines that downloaded the malicious DLL file involved in the exploit. Most of the victims are in the US and Canada, but the campaign has hit more than 100 other countries, including India, Germany, Russia and the UK. Attributing the attack to the MalSmoke cybercriminal group, Check Point said that the campaign, first seen in early November 2021, uses legitimate remote management software to access the target machine. From there, the attackers exploit Microsoft's digital signature verification method to inject their malicious payload into a signed Windows DLL file to skirt past security defenses. Specifically, the campaign begins by installing the Atera remote monitoring and management software on a target machine. Upon analysis, Check Point discovered that the DLL file is signed by Microsoft with a valid signature. Despite that digital signature, the malware is able to append a script to the file to carry out the attack. This is because the operators were able to append data to the signature section of the file without changing the validity of the signature itself. Ironically, Microsoft had issued a fix for this exploit in 2013, as documented in the following CVEs: CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151. This fix was designed to resolve a vulnerability in the way portable executable (PE) files are validated through digital signatures.
But after determining that the fix could impact existing software, the company changed it from a strict update to one that was opt-in. As the fix is disabled by default, many organizations are likely still vulnerable.
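The weakness described above is that Authenticode's signed hash does not cover bytes appended inside the PE Certificate Table, so a file stays "validly signed" after data is tucked in behind the PKCS#7 blob. The following added example (written for this digest; it is not Check Point's or Microsoft's code) shows the defensive check: parse the Certificate Table, measure the DER-encoded signature inside each WIN_CERTIFICATE entry, and flag any trailing bytes beyond ordinary 8-byte alignment padding. The sample PE image and the stub SignedData blob are constructed fixtures; only their headers and the outer DER length are meaningful.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Constructed sample data, not taken from the report: a stub DER SEQUENCE that
# stands in for a PKCS#7 SignedData blob (only the outer tag/length matter here)
# and a run of foreign bytes representing data appended inside the table.
STUB_SIGNED_DATA = (
    b"\x30\x82" + (311).to_bytes(2, "big")              # SEQUENCE, long-form length 311
    + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # OID 1.2.840.113549.1.7.2 (signedData)
    + b"\x00" * 300                                      # filler content
)
APPENDED_DATA = b"CONSTRUCTED-TRAILING-DATA-0123456789"


def der_total_length(buf: bytes) -> int:
    """Total encoded size (tag + length octets + content) of the DER element
    at the start of buf. Handles definite short- and long-form lengths."""
    if len(buf) < 2:
        raise ValueError("buffer too short for a DER element")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def build_stub_pe(cert_blob: bytes, trailing: bytes = b"") -> bytes:
    """Assemble a minimal PE32+ image whose Certificate Table holds one
    WIN_CERTIFICATE entry wrapping cert_blob plus any trailing bytes
    (constructed fixture; not loadable, only the headers are meaningful)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt_size = 240                                           # PE32+ with 16 data directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    body = b"\0" * 16
    cert_off = len(dos) + len(coff) + opt_size + len(body)
    entry = cert_blob + trailing
    entry += b"\0" * ((-(8 + len(entry))) % 8)               # pad whole entry to 8 bytes
    table = struct.pack("<IHH", 8 + len(entry), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + entry
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(table))                   # file offset and size
    return bytes(dos) + coff + bytes(opt) + body + table


def certificate_table_slack(pe: bytes) -> list:
    """For each WIN_CERTIFICATE entry, report how many bytes follow the end of
    the DER-encoded signature and whether they are only zero alignment padding."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                      # after signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", pe, dd)            # security dir uses a file offset
    results, pos, end = [], off, off + size
    while size and pos + 8 <= end:
        dw_length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        blob = pe[pos + 8:pos + dw_length]
        if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not blob or blob[0] != 0x30:
            raise ValueError("unexpected certificate entry")
        slack = blob[der_total_length(blob):]
        results.append({
            "trailing_bytes": len(slack),
            # Alignment padding is at most 7 zero bytes; anything else is foreign data.
            "clean": len(slack) <= 7 and not any(slack),
        })
        pos += (dw_length + 7) & ~7
    return results


if __name__ == "__main__":
    print("untouched:", certificate_table_slack(build_stub_pe(STUB_SIGNED_DATA)))
    print("appended: ", certificate_table_slack(build_stub_pe(STUB_SIGNED_DATA, APPENDED_DATA)))
```

This heuristic complements, rather than replaces, full signature verification: the trailing-bytes check catches the padding trick even on hosts where the 2013 hardening is still opt-in, and the opt-in itself is the EnableCertPaddingCheck value under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node copy), which a fleet audit should confirm is set.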
READ THE STORY: Tech Republic
ANALYST COMMENT: NSTR
Researchers Uncover Hacker Group Behind Organized Financial-Theft Operation
FROM THE MEDIA: Cybersecurity researchers have taken the wraps off an organized financial-theft operation undertaken by a discreet actor to target transaction processing systems and siphon funds from entities primarily located in Latin America for at least four years. The malicious hacking group has been codenamed Elephant Beetle by Israeli incident response firm Sygnia, with the intrusions aimed at banks and retail companies by injecting fraudulent transactions among benign activity to slip under the radar after an extensive study of the targets' financial structures. "The attack is relentless in its ingenious simplicity serving as an ideal tactic to hide in plain sight, without any need to develop exploits," the researchers said in a report shared with The Hacker News, calling out the group's overlaps with another tracked by Mandiant as FIN13, an "industrious" threat actor linked to data theft and ransomware attacks in Mexico stretching back as early as 2016.
READ THE STORY: THN
ANALYST COMMENT: NSTR
Kazakhstan leaders shut down internet amid gas price protests
FROM THE MEDIA: Internet service in Kazakhstan was disrupted this week as thousands took to the streets in protest over a rise in energy prices. The internet was partially restored on Wednesday but there is still evidence of significant disruption. Both NetBlocks and Cloudflare reported significant internet shutdowns in the country on Tuesday evening after protests began in the western town of Zhanaozen. Alp Toker, director of NetBlocks, told ZDNet that they have been tracking the disruptions since their onset on Tuesday. NetBlocks found that initially, mobile services and some fixed lines were affected before there was a country-wide blackout around 5 pm on Wednesday affecting all connectivity in the country. "What's striking here is the rapid deployment of internet restrictions at national scale, effectively resulting in an information vacuum both inside and outside the country. This has made it difficult to get a clear picture of what is happening on the ground in Kazakhstan as political instability spirals," Toker said.
READ THE STORY: ZDNET
ANALYST COMMENT: NSTR
70 investors lose $50 million to fraudsters posing as broker-dealers
FROM THE MEDIA: A California man confirmed his role in a large-scale and long-running Internet-based fraud scheme that allowed him and other fraudsters to siphon roughly $50 million from dozens of investors over eight years, between 2012 and October 2020. 56-year-old Allen Giltman and his co-conspirators created fraudulent sites advertising various investment opportunities (primarily the purchase of certificates of deposit) to solicit money from investors via the internet. "The Fraudulent Websites advertised higher than average rates of return on the CDs, which enhanced the attractiveness of the investment opportunities to potential victims," according to court documents. "At times, the fraudulent websites were designed to closely resemble websites being operated by actual, well-known, and publicly reputable financial institutions; at other times, the fraudulent websites were designed to resemble legitimate-seeming financial institutions that did not exist."
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
NY OAG: Hackers stole 1.1 million customer accounts from 17 companies
FROM THE MEDIA: The New York State Office of the Attorney General (NY OAG) has warned 17 well-known companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks. In such attacks, threat actors make automated and repeated attempts (millions at a time) to access user accounts using credentials (usually user/password pairs) stolen from other online services. This tactic works particularly well against the accounts of those who reuse their credentials across multiple platforms. The attackers' end goal is to gain access to as many accounts as possible to steal the associated personal and financial information that can be sold on hacking forums or the dark web. The threat actors can also use the info themselves in various identity theft scams or make unauthorized purchases. NY OAG discovered these compromised online accounts after a "sweeping investigation" spanning several months of monitoring multiple online communities dedicated to sharing validated credentials harvested in previously undetected credential stuffing attacks. "After reviewing thousands of posts, the OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services," NY OAG said today. "In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks."
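The pattern the OAG describes, automated attempts that cycle through many stolen username/password pairs from one source and occasionally succeed, is visible in ordinary authentication logs. The following added example (written for this digest, not taken from the OAG report or any vendor) runs that detection over constructed log lines: it flags a source that tries many distinct usernames in a short window with a high failure ratio, lists the accounts that did succeed from that source (the ones to force-reset), and adds a source-agnostic signal for campaigns spread over many proxies. The log format and the thresholds are assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the NY OAG investigation): one login event
# per line as "timestamp source_ip username outcome". One source runs through
# twelve different usernames in twelve seconds, two of which succeed; the rest
# of the traffic is ordinary user behaviour.
ATTACK_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                "grace", "heidi", "ivan", "judy", "mallory", "oscar"]


def build_sample_log():
    t0 = datetime(2022, 1, 5, 10, 0, 0)
    stamp = lambda dt: dt.isoformat() + "Z"
    lines = []
    for i, user in enumerate(ATTACK_USERS):
        outcome = "OK" if user in ("erin", "judy") else "FAIL"   # reused passwords that worked
        lines.append(f"{stamp(t0 + timedelta(seconds=i))} 203.0.113.7 {user} {outcome}")
    lines += [  # a legitimate user mistyping twice, and an unrelated clean login
        f"{stamp(t0 + timedelta(minutes=5))} 198.51.100.2 carol FAIL",
        f"{stamp(t0 + timedelta(minutes=5, seconds=30))} 198.51.100.2 carol FAIL",
        f"{stamp(t0 + timedelta(minutes=6))} 198.51.100.2 carol OK",
        f"{stamp(t0 + timedelta(minutes=7))} 192.0.2.9 dave OK",
    ]
    return lines


def parse(lines):
    """Parse log lines into (timestamp, ip, user, outcome) tuples, time-ordered."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    events.sort()
    return events


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=10, min_users=8, min_fail_ratio=0.6):
    """Per-source sliding window: alert when one IP tries many distinct usernames
    with mostly failures. Returns {ip: metrics of the first triggering window}."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1                                   # extend window to include evs[j]
            win = evs[i:j]
            users = {e[2] for e in win}
            fails = sum(e[3] == "FAIL" for e in win)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and fails / len(win) >= min_fail_ratio):
                alerts[ip] = {
                    "attempts": len(win), "distinct_users": len(users), "failures": fails,
                    # successful logins from a stuffing source are the compromised accounts
                    "hit_accounts": sorted(e[2] for e in win if e[3] == "OK"),
                }
                break
    return alerts


def distinct_failing_users(lines, window=timedelta(minutes=5)):
    """Source-agnostic signal: the largest number of distinct usernames failing in
    any one window regardless of IP, which surfaces attacks spread across many
    proxies that individually stay below the per-IP thresholds."""
    evs = [e for e in parse(lines) if e[3] == "FAIL"]
    best, j = 0, 0
    for i in range(len(evs)):
        while j < len(evs) and evs[j][0] - evs[i][0] <= window:
            j += 1
        best = max(best, len({e[2] for e in evs[i:j]}))
    return best


if __name__ == "__main__":
    log = build_sample_log()
    print(detect_credential_stuffing(log))
    print("max distinct failing users per window:", distinct_failing_users(log))
```

In production the per-source key should also cover ASN or device fingerprint, and the `distinct_failing_users` figure should be compared with a learned baseline rather than a fixed number; accounts listed under `hit_accounts` are the ones whose password reuse was confirmed and should be reset and notified.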
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
Google Releases New Chrome Update to Patch Dozens of New Browser Vulnerabilities
FROM THE MEDIA: Google has rolled out the first round of updates to its Chrome web browser for 2022 to fix 37 security issues, one of which is rated Critical in severity and could be exploited to pass arbitrary code and gain control over a victim's system. Tracked as CVE-2022-0096, the flaw relates to a use-after-free bug in the Storage component, which could have devastating effects ranging from corruption of valid data to the execution of malicious code on a compromised machine. Security researcher Yangkang (@dnpushme) of Qihoo 360 ATA, who has previously disclosed zero-day vulnerabilities in Apple's WebKit, has been credited with discovering and reporting the flaw on November 30, 2021.
READ THE STORY: THN
ANALYST COMMENT: NSTR
FTC warns of legal risks of failing on Log4j mitigation
FROM THE MEDIA: The Federal Trade Commission warned of potential legal consequences for companies that fail to protect consumer data and mitigate known software vulnerabilities amid fallout from the widespread Log4j security flaw. The agency said in a blog post published Tuesday that the vulnerability posed a “severe risk to millions of consumer products,” and that failing to take reasonable steps to mitigate known software vulnerabilities could be considered a violation of the FTC Act. The post also cited the Equifax breach of 2017, in which the consumer credit bureau paid $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and all 50 states. “I don’t recall the FTC being this proactive about a specific vulnerability in the past,” Grant Schneider, senior director of cybersecurity services for Venable LLP who previously served as the White House federal chief information officer, told FCW. “It speaks to the potential significance of the Log4j vulnerability, and it shows the FTC is paying attention to the bigger issue of cybersecurity and companies’ cyber posture.” The FTC directed firms to Log4j vulnerability guidance previously published by the Cybersecurity and Infrastructure Security Agency after the security flaw was discovered in December, which featured detailed remediation and mitigation procedures for both vendors and customers. The post also linked to a site to download the latest available version of Apache Log4j, a Java-based logging utility. The FTC warning said the vulnerability was "being widely exploited by a growing set of attackers." The post was published as separate reports indicated nation-state hackers were attempting to exploit the flaw in China, Iran, North Korea and Turkey. CISA Director Jen Easterly described the Log4j flaw as the "most serious" vulnerability she has seen throughout her entire career in cybersecurity. 
Shortly after the vulnerability was reported, CISA issued a directive instructing all federal agencies to patch any known vulnerabilities by Dec. 24.
READ THE STORY: FCW
ANALYST COMMENT: NSTR
Paper of interest
Why the Russia-Iran Alliance Will Backfire: Whither Iran?
FROM THE MEDIA: For all its talk of leading a "resistance front," the Islamic Republic of Iran has historically had few allies. When Ayatollah Ruhollah Khomeini led his revolutionaries, "Neither East nor West but Islamic Republic" was a foundational slogan of the Islamic Revolution. Khomeini also described the United States and Russia as being "two blades of the same scissors."[1] He meant it: While the seizure of the U.S. embassy in Tehran symbolized the Islamic Republic's hostility toward the United States and its European allies, Khomeini was equally distrustful of the Soviet Union and its eastern bloc satellites. Iran's isolation was cemented when every Arab state with the exception of Syria sided with Iraq during their 1980-88 war. Tehran's ties with Damascus have remained tight, but Syria's influence is limited inside the Middle East and its diplomatic weight is nonexistent outside it. The Iranian authorities sought to cultivate African states and were able to purchase the occasional vote on an international body, but Tehran's declining resources limited its success.
READ THE STORY: Middle East Forum
ANALYST COMMENT: NSTR
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com