Sunday, January 9, 2022
Researchers warn of new campaigns distributing a new improved version of the FluBot malware posing as Flash Player
FROM THE MEDIA: Researchers from F5 security are warning of a new enhanced version of the FluBot Android malware that spreads posing as Flash Player. In a recent smishing campaign spotted by CSIRT KNF, FluBot targeted Polish users with a message asking them to click on a link to view a video. Upon clicking on the link, recipients are redirected to a page offering a fake Flash Player APK that delivers the FluBot malware to the Android device. FluBot has been active since late 2020; it was first observed targeting Spanish users. Since March 2021, the malicious code has also been employed in attacks aimed at several European countries as well as Japan. In March, experts from Swiss security outfit PRODAFT estimated that the number of infected devices worldwide was approximately 60,000. The Android malware has been used to steal banking credentials, payment information, and sensitive data from infected devices. In past attacks, the malware spread by spamming text messages to contacts from infected phones, instructing them to install tainted apps from servers under the control of the attackers. The malicious code also requests permission to access the Android Accessibility service, which is implemented to assist users with disabilities in using Android devices and apps but is abused by threat actors to carry out malicious activities. Since October 2021, the threat actors behind the FluBot Android malware have been leveraging fake security updates to trick victims into installing the malicious code. The attackers use fake security warnings of FluBot infections and urge victims to install the security updates. The following chart shows the FluBot infection chain; the malicious code starts spreading using the initial victim’s contact list.
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
In a new campaign discovered by security researchers, the Google Docs comment box is abused to send malicious links
FROM THE MEDIA: The technological world gives us many security and safety benefits along with enhancing our capabilities to make us more productive. But hackers always seem to be curious to find any loophole in new technology to take advantage of it for their malicious activities. Now they are targeting Google Docs to send malicious links to users. And users who readily click on any link without knowing its consequences make the work of malicious parties easier. A new report released by Avanan, an email security provider, describes how the new campaign exploits the Google Docs comments section to send phishing links and malware. One of the favorite techniques of hackers is to abuse popular products for illegal activities; here is how users are affected by this one. Google Docs has a commenting feature through which users collaborate. When a person wants to assign a task to someone, he must include the email address of the relevant person. In this phishing campaign, the hackers add a comment in which they include an email address prefixed with the “@” sign to pull in the targeted party. The comment contains a link alongside the email address, and that link becomes the cause of the malware infection. In December, it was reported that this harmful activity first affected users of Microsoft Outlook, but it gradually spread to recipients on other email platforms. According to an estimate, the third party used around a hundred Gmail accounts to target more than 500 inboxes at various organizations. Unlike other phishing activities, where the hackers themselves send emails to lure users, this time it is Google itself that sends the emails to the users, which makes the lure more effective. The attacker’s email address is not shown, only a name, which can be used to pose as another person for a seemingly harmless purpose while the actual aim is something different.
Because of this, the spam filter is unable to detect it. Hackers can also misuse the name of trustworthy fellow workers, so the chances of fraud are higher. To avoid becoming the victim of these attacks, users should be as careful with Google Docs comments as they are when checking their inboxes for malicious email: if they see anything suspicious, they should not click it. Moreover, antivirus software is also built to remove these kinds of malware.
READ THE STORY: Digital Information World
ANALYST COMMENT: NSTR
Inside story of cyber attacks on India’s banks, airlines, railways and the fightback
FROM THE MEDIA: More than 11.5 lakh incidents of cyberattacks were tracked and reported to India’s Computer Emergency Response Team (CERT-In) in 2021. According to official estimates, ransomware attacks have increased by 120 per cent in India. Power companies, oil and gas majors, telecom vendors, restaurant chains and even diagnostic labs have been victims of cyberattacks. On October 12, 2020, Mumbai, the country’s financial capital, was hit by a massive power outage. Train services were cancelled, water supply was affected and hospitals had to rely on generators. Commercial establishments in Mumbai, Thane and Navi Mumbai struggled to keep their operations running until the crisis was resolved two hours later. Maharashtra Power Minister Nitin Raut alleged sabotage, while cybersecurity experts suspected the hand of China’s People’s Liberation Army (PLA), which was engaged in a major standoff with the Indian Army in Ladakh. The needle of suspicion pointed towards 14 Trojan horses, a kind of malware which might have been introduced into the Maharashtra State Electricity Transmission Company servers. The suspicion was not out of place. Maharashtra Cyber, the nodal agency for cybersecurity in the state, had already been warned of attacks on power conglomerates and dispatch centers. It is an open secret that the PLA’s cyber warfare branch and a million malware families hosted by Chinese cyber espionage groups specialize in such attacks. India’s cybersecurity czar Lieutenant General (retd) Rajesh Pant would not take any chances. He called for reports from the state and Central power ministries. “Was there actuation in the grid? What were the indicators of compromise?” Several suspects—most of them Chinese—showed up. Cyber forensic teams fanned out to investigate and two reports landed on Pant’s table, of which one said the outage was due to an external attack. Experts, however, concluded that although malware was detected, it did not cause the outage.
“There are two types of operating systems connecting the power grid,” said an expert. “The malware was detected in the system that was not capable of putting lights out.” Finally, the national power grid controlled by the Power System Operation Corporation Limited said the failure happened because of human error. Union Power Minister R.K. Singh, too, clarified that there was no link between the outage and the cyberattack.
READ THE STORY: The Week
ANALYST COMMENT: NSTR
Israeli NSO Spyware Found on Activists’ Phones in Kazakhstan
FROM THE MEDIA: Amnesty International’s Security Lab confirms that four phones in Kazakhstan were actually infected with Israeli NSO’s Pegasus software, just weeks after Apple alerted the victims to a ‘state-sponsored’ hack. The phones of at least four activists who are critical of their government in Kazakhstan were found to have been infected with software developed by Israeli spyware firm NSO Group, a forensic analysis by Amnesty International’s Security Lab said Thursday. Three of the four had received prior warning from Apple at the end of November that their iPhones could have been infected by a “state-sponsored attacker.” NSO’s clients are usually state intelligence agencies from around the world. Its Pegasus spyware can provide clients with remote access to successfully hacked phones. Amnesty did not identify who the client could be in this case. An NSO spokesperson told Haaretz that as “Amnesty chose to publish accusations in the media, rather than provide us with the information for the purpose of thorough investigations … we cannot refer to an alleged report we have not seen, published by an organization that has been known for publishing false accusations against NSO.” An Israeli man was killed in clashes in Kazakhstan on Friday, the day the country's president ordered forces to use lethal fire amid anti-government protests. The demonstrations, which began January 2 as a response to a fuel price hike, have swelled into a broad movement against the government and ex-leader Nursultan Nazarbayev. Over the summer, an international consortium of journalists, led by Paris-based NGO Forbidden Stories in collaboration with Amnesty International’s Security Lab, published a major investigation into a leak of 50,000 potential targets selected for possible snooping by NSO’s clients. Reports at the time said that up to 2,000 of them were linked to Kazakhstan, with potential targets including a former prime minister and current President Kassym-Jomart Tokayev.
READ THE STORY: Haaretz
ANALYST COMMENT: NSTR
How Successor Liability May Disrupt The Best Laid Plans Of Cyber Ninjas
FROM THE MEDIA: A recent news article mentions that Cyber Ninjas, the firm employed by the Arizona Senate to conduct its ill-fated review of the 2020 election, will be formally shutting down but will then be re-created as a new firm with the same workers doing essentially the same thing. The reason for this is that Cyber Ninjas is currently facing a $50,000 daily fine imposed by an Arizona judge for its contemptuous failure to turn over certain election review records. But will that work for Cyber Ninjas II, or whatever the new firm will be called, to avoid this liability? Probably not. American law has long recognized the concept of "successor liability", which means that a successor entity can be liable for the claims and judgments against its predecessor. The idea behind this concept is to prevent a company like Cyber Ninjas from doing exactly what it intends, i.e., to shut down the predecessor company so as to cut off its liabilities and then start up a new liability-free company doing basically the same thing. Consider a local pizza place called ABC Pizza LLC down on the corner which is very successful in making pizzas. However, the pizza place gets into a dispute with one of its suppliers, goes to court and suffers a large judgment. Instead of paying the supplier's judgment, the owners of ABC Pizza LLC reorganize it as DEF Pizza LLC and it continues business down on the same corner, with the same employees and making the same pizzas. In that event, the court would apply successor liability to make DEF Pizza LLC liable for the judgment against ABC Pizza LLC. Successor liability is a concept which is an adjunct of alter ego liability, which is as amorphous a concept as is found in our law. There are a good number of factors that a court can properly look at, and the determination of whether successor liability exists is ultimately one of the particular facts and circumstances of a given case.
However, there is a bit of certainty in that to establish successor liability, a creditor would need to prove at least two things: first, that the same person or persons own or control both the predecessor entity and the successor entity, and, second, that an inequitable result would obtain were the separateness of the predecessor and successor entities to be respected. As to the first element, it appears from news reports that the founder of Cyber Ninjas, Doug Logan, will be forming the new company, and thus common ownership or control will be relatively easy to establish. The second element, that it would be inequitable to recognize Cyber Ninjas as distinct from the new company, is more problematic for the reason that what constitutes an inequitable result is often difficult to figure out.
READ THE STORY: Forbes
ANALYST COMMENT: NSTR
Hacking: Demand for products from the NSO Group and Co. does not decrease
FROM THE MEDIA: A shock wave has reverberated across Israel in recent months. The multi-billion dollar Israeli company NSO Group, which has been selling hacking tools to governments around the world for more than a decade, finds itself the focus of scrutiny after a series of public scandals. The crisis is so severe that even the company’s future is in question. The hacking software business is booming: over the past ten years, the industry has developed from a novice into an important instrument of power for countries all over the world. As recently as December last year, Facebook reported that seven of these “hacking contract” firms from around the world had targeted around 50,000 people on the company’s platforms. The fact that the NSO Group was not even mentioned in that investigation shows that the industry and its target groups are far more extensive than the public normally perceives. As a manufacturer, NSO Group has always avoided penalties. The allegations against the NSO Group are not new: the company has been confronted with criticism and allegations of abuse for years. In 2016, the United Arab Emirates was caught targeting human rights activist Ahmed Mansoor with the help of the NSO program “Pegasus”. This exploits software errors to hack iPhones and hand over control to the customers of the NSO Group. In this case, however, the UAE government was found to be guilty and NSO got away with it. Mansoor himself is still in jail because he criticized the regime. In November the US imposed sanctions against the company, and in December the Reuters news agency reported that U.S. State Department officials had been hacked using Pegasus. Now the NSO Group is not only facing expensive public lawsuits from Apple and Facebook, but is grappling with debt, low morale, and fundamental threats to its future. The figurehead of the espionage software industry is in an existential crisis. None of this is happening for the first time.
The mysterious hacker industry first hit international headlines in 2014, when the Italian company Hacking Team was charged with selling its “undetectable” spy software to dozens of countries regardless of human rights and privacy violations.
READ THE STORY: MRT
ANALYST COMMENT: NSTR
Drones used by farmers in Taiwan could be spying
FROM THE MEDIA: Chinese companies are obligated by law to help Beijing in its national intelligence efforts, making commercial drones a potential risk. China-made commercial drones might contain back doors and malware that transmit flight and video data to the government in China, an official said yesterday. Speaking on condition of anonymity, the senior official said that Chinese drones, widely used by farmers for crop dusting, pose a significant cybersecurity threat to users and the government. Beijing has unrestricted access to private user data held by Chinese corporations, which are obligated to cooperate with the country’s national intelligence efforts under China’s National Intelligence Law, the official said. In Taipei, government agencies have taken steps to remove Chinese-manufactured devices and software from official use as President Tsai Ing-wen (蔡英文) has made cybersecurity a priority in her national security policy, the source said. Security protocols were tightened to no longer allow middle and high-ranking officials to use Chinese-made electronics for work or personal use, they said. The official spoke on the matter following a statement by the National Communications Commission (NCC) on Thursday that said Xiaomi Corp’s (小米) Mi 10T 5G smartphones have built-in censorship capabilities and can transmit user data to servers in Beijing. The commission said that its Telecommunications Technology Center in October last year tested a model sold in Taiwan, after the Lithuanian National Cyber Security Center on Sep. 21 last year discovered the device’s censorship capabilities. The official yesterday said that while Xiaomi disavowed security issues with its products by saying that the features did not appear in models sold in Taiwan and Europe, the claims were not supported by the NCC’s independent analysis, and its report raised troubling implications about Chinese electronics. 
The ban on devices applies to government employees only and not private citizens, the source said, adding that the government could only advise the public against buying products with compromised security features.
READ THE STORY: Taipei Times
ANALYST COMMENT: NSTR
Biden officials weighing Russia sanctions options after warnings about economic fallout, heightened cyber risk for US and allies
FROM THE MEDIA: The Biden administration is still weighing exactly how it would penalize Russia if the country invades Ukraine, as US diplomats are just days away from high-stakes meetings with Kremlin officials. Some Biden administration officials are warning of collateral economic damage from harsh sanctions and the risk of retaliatory Russian cyberattacks should the US follow through with President Joe Biden's promised "severe consequences" on the Russian economy if Russian President Vladimir Putin orders a full-scale invasion of Ukraine. At least two analyses done in recent weeks by the Treasury and State departments found that the sanctions that would be most crippling for Russia -- like penalties on the Russian energy giant Gazprom or its Central Bank -- could also damage economies throughout the rest of the world by potentially spiking gas prices or hampering European trade and investment with Russia at a particularly delicate moment for the bloc. One concern is that those negative effects could boomerang back onto the US during an election year, sources told CNN. But others in the administration believe the tough sanctions being weighed would have a manageable impact on the US, and would be worth it to impose severe penalties on Russia. The extent of the blowback would depend largely on the parameters of the sanctions and how much Europe would suffer, said Jeff Schott, a senior fellow at the Peterson Institute for International Economics who focuses on international trade policy and economic sanctions. "The problem with discussing these countermeasures is that if you take a strong sanctions action that has a big impact on the European economy, that will in turn rebound to the US economy," he said. 
The administration has been considering options including targeting major Russian commercial banks, sanctioning Russia's energy sector, blocking Russia's access to bond markets, cutting Russia off from the SWIFT international payment system, and tightening export control measures. Among the most "realistic" economic penalties that the US and its allies could impose would be to kill the Russia-to-Germany gas pipeline project Nord Stream 2, Schott said, which -- when operational -- will account for about 10-15% of European Union gas consumption but will bypass Ukraine and be a major boon to Russia.
READ THE STORY: WENY News
ANALYST COMMENT: NSTR
U.S. court seizes $2.4M in North Korea case
FROM THE MEDIA: A U.S. district court on Thursday ordered the seizure of $2.4 million in funds from companies involved in money laundering for North Korea in violation of U.S. and international sanctions. The court’s ruling follows a probe by the Federal Bureau of Investigation (FBI) into a series of wire transfers by four companies acting on behalf of North Korea’s Foreign Trade Bank in violation of the International Emergency Economic Powers Act (IEEPA). The state-run bank is subject to both U.S. and United Nations Security Council sanctions. Judge Rudolph Contreras of the U.S. District Court for the District of Columbia granted the U.S. government’s request for a default judgement allowing it to confiscate the funds, as the companies failed to respond to official complaints about their activities. In its court filing, the U.S. government alleged that the North Korean bank laundered over $2.5 billion via such front companies through the U.S. financial system. The $2.4 million in funds seized by U.S. authorities in Thursday’s ruling are just the transfers detected and intercepted by U.S. law enforcement. The four companies – whose names were withheld and which are identified in court documents only as Company 1, 2, 3 and 4 – have not yet been sanctioned by the United States, but their funds were seized after their transactions with known North Korean front companies operating abroad came to light. $1.8 million of the funds seized came from Company 1, which according to the U.S. government complaint not only made several wire transfers to the Foreign Trade Bank’s front companies based in Russia, Thailand and Kuwait, but also received transfers from other known North Korean front companies. The U.S. government said that Company 2, which was incorporated in Singapore just two months after Company 1’s funds were seized by U.S. authorities, was a new front company established by North Korean agents to continue money laundering on behalf of the regime.
Citing a “confidential reliable source,” the U.S. government also argued that both Company 1 and 2 follow orders from the North’s Reconnaissance General Bureau (RGB), which conducts the regime’s cyber warfare and other clandestine operations.
According to the U.S. government, Company 3 and 4 were also involved in a series of wire transfers with organizations closely linked with the regime, including the Chi Yupeng network, which encompasses a number of North Korean front companies.
READ THE STORY: KJA Daily
ANALYST COMMENT: NSTR
Grey-zone warfare
FROM THE MEDIA: Pakistan’s adversaries are unleashing a ‘full-spectrum war’ on us. Pakistan’s adversaries are moving from kinetic military actions to non-kinetic military actions. Yes, “war is now conducted by a roughly 4:1 ratio of non-military and military measures.” A ‘completely benign or peaceful action’ is “white”. A ‘clearly hostile action seen as an act of war’ is “black”. Anything and everything between the two is “grey”. Pakistan’s adversaries are unleashing at least ten distinct ‘grey-zone operations’ against us: financial operations; digital influence operations; perception operations; lawfare; information operations; network operations; public opinion operations; media operations; psychological operations and cyber operations. Pakistan’s adversaries are undertaking potentially hostile actions while trying to ensure that these very actions are not seen as hostile. There is no real blood on Pakistani streets but that does not mean that Pakistan’s adversaries are not trying to bleed Pakistan. There is no blood on Pakistani streets because Pakistan’s adversaries are using ‘weapons of mass distraction’ as opposed to ‘weapons of mass destruction’. There is no blood on Pakistani streets because Pakistan’s adversaries are using ‘information operations’ as opposed to ‘destructive operations’. There is no real blood on Pakistani streets but make no mistake, a more dangerous war is on. There is now an ‘undefined battlefield’. This is ‘war beyond rules’. This is a fusion of ‘regular’ and ‘irregular’. This is an expansion of the battlefield. This is integrated use of military and non-military. This is a 24/7 war and the human mind is the new battlefield. ‘Grey-zone warfare’ employs ‘multiple instruments’ to target ‘specific vulnerabilities’. Grey-zone warfare targets ‘societal functions’ with a ‘synchronized use’ of ‘multiple instruments’ for ‘synergistic effects’.
There are now at least five instruments of war at work: military, political, economic, civilian and informational. ‘Grey-zone attacks’ at times use proxy forces that are deniable.
READ THE STORY: ITN
ANALYST COMMENT: NSTR
Paper of interest
Cybercrime on the menu? Examining cafeteria-style offending among financially motivated cybercriminals
FROM THE MEDIA: Criminologists have frequently debated whether offenders are specialists, in that they consistently perform either one offense or similar offenses, or versatile, performing any crime based on opportunities and situational provocations. Such foundational research has yet to be developed regarding cybercrimes, or offenses enabled by computer technology and the Internet. This study addresses this issue using a sample of 37 offender networks. The results show variations in the offending behaviors of those involved in cybercrime. Almost half of the offender networks in this sample appeared to be cybercrime specialists, in that they only performed certain forms of cybercrime. The other half performed various types of crimes on and offline. The rough parity of specialization relative to versatility, particularly across both online and offline activities, suggests that there may be limited value in treating cybercriminals as a distinct offender group. Furthermore, this study calls into question what factors influence an offender's pathway into cybercrime, whether as a specialized or versatile offender. The actors involved in cybercrime networks, whether as specialists or generalists, were enmeshed in broader online offender networks who may have helped them recognize and act on opportunities to engage in phishing, malware, and other economic offenses.
READ THE STORY: Science Direct
ANALYST COMMENT: NSTR
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com