Tuesday, January 11, 2022
Oops: Cyberspies infect themselves with their own malware
FROM THE MEDIA: After infecting themselves with their own custom remote access trojan (RAT), an Indian-linked cyber-espionage group has accidentally exposed its operations to security researchers. The threat actor has been active since at least December 2015 and is tracked as PatchWork (aka Dropping Elephant, Chinastrats, or Quilted Tiger), a name that refers to its use of copy-pasted code. The Ragnatela RAT allows the threat actors to execute commands, capture screen snapshots, log keystrokes, harvest sensitive files and a list of running apps, deploy additional payloads, and upload files. "Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes Labs' Threat Intelligence Team explained. After discovering that the PatchWork operators had infected their own development systems with the RAT, the researchers were able to monitor them as they used VirtualBox and VMware for web development and testing, on computers with dual keyboard layouts (English and Indian).
READ THE STORY: Bleeping Computer
A QUICK LOOK: Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a Chinese or pro-Indian/Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. [1] [2] [3] [4]
Extortion DDoS attacks grow stronger and more common
FROM THE MEDIA: The end of 2021 saw a rise in the number of distributed denial-of-service incidents that came with a ransom demand from the attackers to stop the assault. In the fourth quarter of last year, about a quarter of Cloudflare's customers that were the target of a DDoS attack said that they received a ransom note from the perpetrator. According to the company, 2021 is when most of these attacks happened, with a 29% recorded year-over-year increase and a 175% quarter-over-quarter jump. Extortion or ransom DDoS (RDDoS) attacks emerged as a new threat in August 2020 and have grown bigger and more complex since then. They started at around 200Gbps and then grew to more than 500Gbps in mid-September. In February 2021, internet security services company Akamai had to mitigate an 800Gbps RDDoS that targeted a gambling company in Europe. Last September, a threat actor launched an RDDoS against the voice-over-IP provider VoIP.ms, disrupting phone services as the company's DNS servers became unreachable.
READ THE STORY: Bleeping Computer
Microsoft Details macOS Bug That Could Let Attackers Gain Access to User Data
FROM THE MEDIA: Microsoft on Monday disclosed details of a recently patched security vulnerability in Apple's macOS operating system that could be weaponized by a threat actor to expose users' personal information. Tracked as CVE-2021-30970, the flaw concerns a logic issue in the Transparency, Consent and Control (TCC) security framework, which enables users to configure the privacy settings of their apps and grant access to protected files and app data. The Security & Privacy pane in the macOS System Preferences app serves as the front end of TCC. The Microsoft 365 Defender Research Team, which reported the flaw to Apple on July 15, 2021, dubbed it "powerdir." Apple addressed the issue with improved state management as part of the macOS 11.6 and 12.1 updates released in December 2021.
READ THE STORY: THN
Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware
FROM THE MEDIA: New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered links with a cryptocurrency-mining botnet attack that came to light in December 2020. Attacks involving Abcbot, first disclosed by Qihoo 360's Netlab security team in November 2021, are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine into a botnet, but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud. In an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed code- and feature-level similarities between Abcbot and a cryptocurrency mining operation dubbed Xanthe that exploited misconfigured Docker deployments to propagate the infection.
READ THE STORY: Cyber Reports
Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
FROM THE MEDIA: A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Snyk, eight security vulnerabilities were identified in as many third-party libraries written in C, JavaScript, PHP, Python, and Ruby and used by several web applications. "The confusion in URL parsing can cause unexpected behavior in the software (e.g., web application), and could be exploited by threat actors to cause denial-of-service conditions, information leaks, or possibly conduct remote code execution attacks," the researchers said in a report shared with The Hacker News. With URLs being a fundamental mechanism by which resources, located either locally or on the web, are requested and retrieved, differences in how parsing libraries interpret the same URL can pose a significant risk to users.
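As an added illustration (example code, not taken from the Claroty/Snyk report or from any of the audited libraries), the Python below contrasts an allowlist check that trusts a single parser's view of the host with a stricter check that refuses any URL whose authority component contains characters that different parsers are known to interpret differently. The allowlist, the function names and the constructed sample URLs are assumptions made for the demonstration; the strict check is one mitigation for the class of inconsistency the report describes, not the only one.

```python
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration (not from the article).
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"good.com", "api.good.com"})

# Characters inside the authority component on which parsers disagree:
# a backslash is a path separator to some parsers and part of the host to
# others, and '@' splits userinfo from host, so a second '@' or a backslash
# before one changes which name is reported as the host.
AMBIGUOUS_AUTHORITY_CHARS: FrozenSet[str] = frozenset("\\@")


def naive_host(url: str) -> Optional[str]:
    """A typical allowlist check: trust whatever one parser calls the host."""
    return urlsplit(url).hostname


def strict_host(url: str, allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return the host only if the URL is unambiguous and the host is allowlisted.

    Instead of trusting one parser's opinion, reject any URL that contains
    whitespace or control characters (silently stripped by some parsers, kept
    by others) or an authority with characters parsers interpret differently,
    so every downstream component (HTTP client, proxy, browser) sees the same host.
    """
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme not in ("http", "https"):
        return None
    netloc = parts.netloc
    if not netloc or any(ch in AMBIGUOUS_AUTHORITY_CHARS for ch in netloc):
        return None
    host = parts.hostname  # lower-cased, port and brackets removed
    if host is None or host not in allowed_hosts:
        return None
    return host


if __name__ == "__main__":
    # Constructed samples: the first is parsed with a different host by
    # parsers that treat backslash as a path separator.
    for sample in ("http://evil.com\\@good.com/", "https://GOOD.com:8443/path?x=1"):
        print(f"{sample!r}: naive={naive_host(sample)!r} strict={strict_host(sample)!r}")
```

The naive check reports `good.com` for the first sample because Python's parser takes everything up to the last `@` as userinfo, while a parser that stops the authority at the backslash would report `evil.com`; the strict check refuses to pick a side and rejects the URL outright, which is the safer default for SSRF and redirect allowlists.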
READ THE STORY: THN
WordPress 5.8.3 security update fixes SQL injection, XSS flaws
FROM THE MEDIA: The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated as high severity. The set includes an SQL injection in WP_Query, a blind SQL injection via WP_Meta_Query, an XSS attack via post slugs, and an admin object injection. All of the issues have prerequisites for their exploitation, and most WordPress sites that use the default automatic core updates setting aren't in danger.
READ THE STORY: Bleeping Computer
AvosLocker ransomware now targets Linux systems, including ESXi servers
FROM THE MEDIA: AvosLocker has expanded its targets by adding support for encrypting Linux systems, specifically VMware ESXi servers, BleepingComputer reported. "While we couldn't find what targets were attacked using this AvosLocker ransomware Linux variant, BleepingComputer knows of at least one victim that got hit with a $1 million ransom demand," reported BleepingComputer. Security researcher MalwareHunterTeam confirmed that the ransomware gang has been using the Linux encryptor since November 2021. Other ransomware operations supporting Linux and ESXi servers are RansomExx/Defray, Mespinoza, HelloKitty, and Babuk. Linux-based versions of popular ransomware allow gangs to target a broad range of organizations, especially those using ESXi servers. AvosLocker operators had previously advertised a Linux variant of their malware, dubbed AvosLinux, claiming it was able to support Linux and ESXi servers.
READ THE STORY: Security Affairs
Offense can win some battles, but cyber defense will win the war
FROM THE MEDIA: We are years into a ransomware epidemic with no clear end in sight. Policymakers and security researchers are now using combative efforts to “impose cost” on hackers. Sanctions, hacking back, infrastructure disruption, indictments and other offensive activities all have a negative impact on cybercriminals. Defense, and investment in mandatory cybersecurity requirements, is how we will solve the fundamental problems at the heart of the ransomware epidemic. Since early 2021, law enforcement and U.S. military activities against cybercrime threat actors, specifically those responsible for ransomware attacks against critical infrastructure, have increased dramatically. The White House also announced this year the creation of a ransomware task force, and dozens of nations have acknowledged the need for urgent action in this space.
READ THE STORY: Cyber Scoop
Why Politically Motivated Cyber-Attacks Are a Threat to Democracy
FROM THE MEDIA: Politically motivated cyber-attacks, of course, have implications. Most developed countries are highly dependent on their information infrastructure; an attack of this nature could have devastating consequences and is taken incredibly seriously by governments. This was seen recently in France with President Emmanuel Macron pushing for an Israeli inquiry into NSO spyware, which was allegedly used to target him and 50,000 other dignitaries. According to newspaper reports, Macron expressed concern that his phone and those of most of his cabinet could have been infected with Pegasus, hacking software developed by the Israeli surveillance firm NSO Group, which enables operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones from infected devices. Macron’s party was also subjected to a cyber-attack in 2017 when more than 20,000 emails belonging to his election campaign were published online.
READ THE STORY: InfoSec Mag
Oil, Cyber and Weapons: Inside Israel's Relationship With Kazakhstan
FROM THE MEDIA: The Central Asian republic of Kazakhstan, which has been experiencing massive protests, rarely enters Israel's public discourse, and ties seem so marginal that there are no direct flights between the two countries. Yet Kazakhstan is an important source of imported oil and a lucrative market for Israeli arms sales. Both businesses are shrouded in secrecy but are strategically important, say experts. Israel doesn't release information on where it sources its imported oil, but the financial reports of Israel's two big refiners cite the Black and Caspian seas, through which Kazakhstan and other Central Asian producers ship their petroleum to Mediterranean markets.
READ THE STORY: Haaretz
A QUICK LOOK: The below video is a big picture look at the effects of the Kazakhstan conflict.
Items of interest
An Inspection Regime for Cyber Weapons: A Challenge Too Far? (Paper)
FROM THE MEDIA: Two of the most pressing questions concerning international peace and security today are how to avoid an escalation of conflicts in cyberspace and how to ensure responsible behavior and accountability of states in their use of information and communication technologies. With more than thirty states now possessing offensive cyber capabilities and cybersecurity incidents such as Stuxnet, WannaCry, and NotPetya causing significant physical effects or financial damage, there is a clear need to find a better way to manage security risks connected with the use of increasingly sophisticated cyber means by states. At present, this issue is on the agenda of two United Nations groups and is mainly addressed through a “framework for responsible behavior of states” consisting of international law, voluntary and non-binding norms, and confidence-building measures for states’ use of information and communication technologies.
READ THE STORY: Cambridge
The Cyber Weapons Arms Race (Video)
FROM THE MEDIA: Zero day: a software bug that allows a hacker to break into your devices and move around undetected. One of the most coveted tools in a spy's arsenal, a zero day has the power to silently spy on your iPhone, dismantle the safety controls at a chemical plant, alter an election, and shut down the electric grid (just ask Ukraine). For decades, under cover of classification levels and non-disclosure agreements, the United States government became the world's dominant hoarder of zero days. U.S. government agents paid top dollar, first thousands and later millions of dollars, to hackers willing to sell their lock-picking code and their silence. Then the United States lost control of its hoard and the market. In this week's episode Nicole Perlroth of The New York Times speaks with Josh Glancy about her new book on the dangers and risks of the new world of cyber weapons and their potentially catastrophic consequences.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com