Thursday, January 13, 2022
Iranian intel cyber suite of malware uses open source tools
FROM THE MEDIA: To better enable defense against malicious cyber actors, U.S. Cyber Command’s Cyber National Mission Force has identified and disclosed multiple open-source tools that Iranian intelligence actors are using in networks around the world. These actors, known in industry as MuddyWater, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks. MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
READ THE STORY: CYBERCOM
Polish Gov't Finally Admits It Deployed NSO Malware, Pretends Targeting Of Opposition Leaders Isn't Abusive
FROM THE MEDIA: Poland -- like far too many countries -- has a Pegasus problem. The highly intrusive (and highly effective) phone malware sold by Israel's NSO Group for the ostensible purpose of tracking down terrorists and other deadly criminals has been observed (yet again) being deployed to track government critics and political opponents. When Apple announced its lawsuit against NSO Group for targeting iPhone users, it also announced plans to notify users who had been targeted by NSO spyware. The first beneficiary of this notification program was a Polish prosecutor who was apparently targeted for trying to investigate election irregularities. That initial notification opened the floodgates. The Polish government had access to the spyware and was deploying it for reasons entirely unrelated to the reasons it stated when purchasing it.
READ THE STORY: TechDirt
Fortinet: Cybercriminals are exploiting Omicron news to distribute RedLine malware
FROM THE MEDIA: Fortinet has uncovered an effort to spread RedLine malware through news about the COVID-19 Omicron strain. FortiGuard Labs researchers said the people behind the malware are trying to use the ongoing pandemic to steal information and credentials. RedLine is a relatively common malware that steals all of the usernames and passwords it finds throughout an infected system. Fortinet said the RedLine Stealer variant in this instance steals stored credentials for VPN applications like NordVPN, OpenVPN, and ProtonVPN. "FortiGuard Labs recently came across a curiously named file, 'Omicron Stats.exe', which turned out to be a variant of RedLine Stealer malware. While we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email," the company said in its report, noting that the issue affects Windows users. "Based on the information collected by FortiGuard Labs, potential victims of this RedLine Stealer variant are spread across 12 countries. This indicates that this is a broad-brush attack and that the threat actors did not target specific organizations or individuals."
READ THE STORY: ZDnet
Congress to update government cyber rules, one year after SolarWinds
FROM THE MEDIA: Congress is preparing to overhaul federal cybersecurity rules roughly a year after one of the worst breaches in government history. That attack, in which Kremlin-backed hackers wormed their way in through the IT supplier SolarWinds and captured reams of data from federal agencies, highlighted the massive growth in the sophistication and danger of cyber threats since federal cyber rules were last updated eight years ago. The Federal Information Security Management Act (FISMA), which initially dates to 2002, is too focused on checking boxes and not enough on being nimble about protecting against sophisticated hacking threats. “[FISMA] is the best defense our federal information networks and supply chains have against cyberattacks. But the reality is that it’s simply not enough to protect us in its current form,” House Oversight Chairwoman Carolyn B. Maloney (D-N.Y.) said during a hearing on the rules yesterday. “The mounting attacks by China, Russia and other bad actors are constantly changing. They are as dynamic as they are diabolical,” warned Maloney, who’s sponsoring a bill to update FISMA with the committee’s top Republican, Rep. James Comer (Ky.).
READ THE STORY: Washington Post
Israel Is Preparing For the Next Cyber War
FROM THE MEDIA: Israel announced in December that its Joint Cyber Defense Division (JCDD) held an important cyber defense drill with its American counterparts in U.S. Cyber Command. The recent drill was the largest cyber exercise ever held by Israel. A senior officer from the JCDD recently described the future of the JCDD and the value that Israel sees in developing its cyber defense capabilities. “To give you it in a nutshell, JCDD is the division responsible for cyber defense in the IDF,” the officer said in an interview. He noted that Israel’s cyber efforts are divided into several entities responsible for various aspects of cyber defense. “We look at this from the perspective of the digital landscape and also taking part [in] the wider effort of defending Israel in this matter. We are combined with the National Cyber Directorate,” the officer said. The cyber frontier is different than traditional warfare, which has typically been segmented into forces on land, sea, and air. However, officers from numerous branches of the IDF contribute to cyber defense efforts.
READ THE STORY: National Interest
OceanLotus hackers turn to web archive files to deploy backdoors
FROM THE MEDIA: The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems. The goal is to evade detection by antivirus tools, which are more likely to catch commonly abused document formats and stop the victim from opening them in Microsoft Office. Also tracked as APT32 and SeaLotus, the hackers have shown a tendency in the past to try out less common methods for deploying malware. A report from Netskope Threat Labs shared with Bleeping Computer in advance notes that OceanLotus’ campaign using web archive files is still active, although its targeting scope is narrow and its command and control (C2) server has been disrupted.
READ THE STORY: Cyber Reports
Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry
FROM THE MEDIA: The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organizations today. According to "Follow the Money," a new report (.PDF) on the financial sector published by Outpost24's Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today. The financial sector has always been, and possibly always will be, a key target for cybercriminal groups. Organizations in this area are often custodians of sensitive personally identifiable information (PII) belonging to customers and clients, financial accounts, and cash. They also often underpin the economy: if a payment processor's or bank's systems go down due to malware, this can cause irreparable harm not only to the victim company in question, but can also have severe financial and operational consequences for customers. PII for identity theft, bank accounts to make fraudulent purchases, a high probability that a financial firm would sooner submit to a ransomware blackmail demand than disrupt operations: these potential attack vectors mean that it is no surprise cyberattackers are relentless in their quest to compromise players in the sector. The COVID-19 pandemic, and the disruption to operations and training it has caused, has only made the situation worse.
READ THE STORY: ZDnet
How to Stop Ransomware: Breach Prevention vs. Cobalt Strike Backdoor
FROM THE MEDIA: With a year-on-year increase of over 161%, malicious usage of cracked versions of Cobalt Strike (a legitimate penetration test tool) is skyrocketing. For organizations that still rely on signature-based next generation antivirus (NGAV) solutions to protect their endpoints from ransomware and other advanced attacks, this is terrible news. Developed in 2012 to give pen testers and red teams the capability to conduct hard-to-spot test attacks, Cobalt Strike is designed to be dynamic and evasive. Over the years we have seen cybercriminals use Cobalt Strike to facilitate a range of threats, including attacks on point of sale systems. In 2020, 66% of all ransomware attacks used Cobalt Strike. The platform was also used in last year’s SolarWinds attack. With the average ransom now exceeding $240,000, and remediation costs soaring beyond $4 million, a malicious Cobalt Strike attack can be devastating for any business. The good news is that Cobalt Strike cannot evade Morphisec’s unique Moving Target Defense (MTD) technology. In this blog post, I will explain why Cobalt Strike is so dangerous, why NGAV solutions are unable to stop it, and how MTD can defeat these attacks — referencing a recent investigation report from a Morphisec client.
READ THE STORY: Security Boulevard
KCodes NetUSB flaw impacts millions of SOHO routers
FROM THE MEDIA: NetUSB is a product developed by KCodes to allow remote devices in a network to interact with USB devices connected to a router. Users could interact with a printer or a hard drive plugged into a router over the network, using a driver on their computer that allows communication with the network device. The flaw is a buffer overflow vulnerability that can be exploited by remote attackers to execute code in the kernel and carry out malicious activities. According to the report published by SentinelOne, a threat actor could send crafted commands to internet-connected routers on port 20005. “While going through various paths through various binaries, I came across a kernel module called NetUSB. As it turned out, this module was listening on TCP port 20005 on the IP 0.0.0.0,” reads the report. “Provided there were no firewall rules in place to block it, that would mean it was listening on the WAN as well as the LAN. Who wouldn’t love a remote kernel bug?”
READ THE STORY: Security Affairs
Apple fixes doorLock bug that can disable iPhones and iPads
FROM THE MEDIA: Apple has released security updates to address a persistent denial-of-service (DoS) vulnerability dubbed doorLock that would altogether disable iPhones and iPads running HomeKit on iOS 14.7 and later. HomeKit is an Apple protocol and framework that allows iOS and iPadOS users to discover and control smart home appliances on their network. As the company explained in a security advisory issued today, the doorLock vulnerability, tracked as CVE-2022-22588, will crash affected iOS and iPadOS devices when processing maliciously crafted HomeKit accessory names. Apple has addressed this severe resource exhaustion issue in iOS 15.2.1 and iPadOS 15.2.1 by adding improved input validation, which no longer allows attackers to disable vulnerable devices. Devices that received security updates today include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). "Four months ago I discovered and reported a serious denial of service bug in iOS that still remains in the latest release. It persists through reboots and can trigger after restores under certain conditions," said Trevor Spiniolas, the programmer and "beginning security researcher" who spotted and reported the bug. "All the requirements are default settings. When someone sets up their iOS device, everything is already in order for the bug to work. If they accept a malicious home invitation from there, their device stops working."
READ THE STORY: Bleeping Computer
Items of interest
Cyber Threat Intelligence for Banking & Financial Services: Follow the Money (Paper)
FROM THE MEDIA: Banks and other financial institutions handle some of the information most valuable to cybercriminals, from account and credit card data to sensitive PII (personally identifiable information). As such, these organizations remain at the forefront of risk as cybercriminals become increasingly sophisticated and malicious in their methods. A new generation of cybercriminals is also evolving: no longer satisfied with simply stealing funds and holding companies’ information hostage, they instead aim to infiltrate and manipulate companies and environments, threatening the credibility and integrity of the institution, leaking sensitive information to the public, or committing fraud at different levels. The COVID-19 pandemic has only bolstered these threats, as financial institutions’ already large exposure to such risks has been amplified by sudden shifts to remote working practices and other operational challenges. As a result, many financial organizations saw employees access data from remote, unprotected networks, compared to the highly regulated and sophisticated environment they had typically used in the office. This exposed their systems to a plethora of threats that could infiltrate the enterprise’s network more easily than ever before.
READ THE STORY: Blueliv
Iran's alleged secret cyber files revealed (Video)
FROM THE MEDIA: Classified documents, allegedly from Iran, reveal secret research into how a cyber attack could be used to sink a cargo ship or blow up a fuel pump at a petrol station. The internal files, obtained by Sky News, also include information on satellite communication devices used by the global shipping industry as well as a computer-based system that controls things like lights, heating and ventilation in smart buildings across the world.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com