Friday, January 14, 2022
Ukrainian police arrests ransomware gang that hit over 50 firms
FROM THE MEDIA: Ukrainian police officers have arrested a ransomware affiliate group responsible for attacking at least 50 companies in the U.S. and Europe. It is estimated that the total losses resulting from the attacks are in excess of one million U.S. dollars. A 36-year-old resident of Ukraine’s capital Kiev was identified as the leader of the group, which included his wife and three other acquaintances, the police say. It is unclear what ransomware strain the gang used to encrypt data on victim computers, but they delivered the malware through spam emails. Three members of the gang received the ransoms from paying victims in cryptocurrency. In exchange, they provided the decryption tool to restore data, the Ukrainian police say in an announcement today. “According to preliminary data, more than 50 companies were affected by the attacks, the total amount of damage reaches more than one million US dollars,” the police add.
READ THE STORY: Cyber Reports
Fighting Back Against Pegasus, Other Advanced Mobile Malware
FROM THE MEDIA: One of the biggest stories of 2021 — an investigation by the Guardian and 16 other media organizations, published in mid-July — suggested that over 30,000 human rights activists, journalists, and lawyers across the world may have been targeted using Pegasus. The list of targeted individuals includes world leaders and many activists, human rights advocates, dissidents, and opposition figures. The report, called the Pegasus Project, alleged that the malware was deployed widely through a variety of exploits, including several iOS zero-click zero days. Most recently, Amnesty International identified Pegasus in use against "journalists and members of civil society organizations" in El Salvador. Based on forensic analysis of numerous mobile devices, Amnesty International’s Security Lab found that the software was repeatedly used in an abusive manner for surveillance. Over the past year, representatives from the Israeli government visited NSO’s Herzliya office to investigate the claims, and India’s Supreme Court commissioned a technical committee to investigate the national government’s use of Pegasus to spy on its own citizens. In November, Apple announced that it was taking legal action against NSO Group for developing software that targets its users with “malicious malware and spyware.” And in December, Reuters published that several US State Department iPhones were hacked using NSO Pegasus malware.
READ THE STORY: Dark Reading
Microsoft Defender weakness lets hackers bypass malware detection
FROM THE MEDIA: Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2. Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans. People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware. Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, as it gives them the locations where they can store malicious files without fear of being detected. Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it. Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.
READ THE STORY: Bleeping Computer
The ransomware unicorn
FROM THE MEDIA: When the final numbers are tallied for 2021, ransomware will pass a grim milestone: Reported payments to ransomware groups last year will top $1 billion, making ransomware the most unwelcome unicorn enterprise. This exponential growth is explained in part by the rise of ransomware groups operating like enterprises — offering ransomware-as-a-service, a business model through which ransomware groups lease their malware to affiliated groups for a fee or a share of the profits. The nature of the threat – as an enterprise rather than an ideology – presents an opportunity. Ransomware groups by and large have shown themselves to be rational actors that engage in cost-benefit calculus, affording the government and private sector levers to change their behavior. If 2022 is to mark an inflection point in the fight against ransomware, we must do more to change the incentives. First, the U.S. government needs to enforce the red lines it has drawn to protect critical infrastructure. The Biden administration made it clear which targets raise heightened levels of concern when it provided Russian President Vladimir Putin with a list of 16 areas of critical infrastructure that it considers off-limits, including the energy, health care and agriculture sectors.
READ THE STORY: The Hill
Hackers buying space from major cloud providers to distribute malware
FROM THE MEDIA: Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users’ information. According to Cisco, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results in the decryption methods for the subsequent stages, finally arriving at the actual malicious downloader method. The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services, actively misusing them to achieve their malicious objectives. Threat actors, Cisco says, are increasingly using cloud technologies to achieve their objectives without resorting to hosting their own infrastructure, allowing them to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track the attackers’ operations. The threat actor, in this case, used cloud services to deploy and deliver variants of commodity RATs with information-stealing capability starting around Oct. 26, 2021.
READ THE STORY: Security Magazine
Securing Taiwan Requires Immediate Unprecedented Cyber Action
FROM THE MEDIA: The prospect of a Chinese invasion of Taiwan echoes some of the most disastrous 20th century instances of great power expansion—reminiscent, perhaps, of Nazi Germany’s Anschluss or even its subsequent invasion of Poland. Given that the latter ignited World War II, America’s strategic community has been rightly fixated on the vast military and political contingencies of a Chinese invasion that would remake Asia. But Taiwan is not just the geopolitical fulcrum of the Indo-Pacific; it is also the nexus of a rapidly evolving Sino-American technological competition. And if 20th century great power competition is any guide, tech races are just as important to long-term competition as territorial military contests. The U.S. needs to act now to secure the technological dimensions of a looming Taiwan crisis, or risk losing far more than the island. In the domain of Sino-American tech rivalry, Taiwan is unique in two aspects: First, the Taiwan Semiconductor Manufacturing Corporation (TSMC) remains the world’s tightest bottleneck in the global high-tech ecosystem, with exclusive capabilities to construct the most valuable, sophisticated computer chips in existence.
READ THE STORY: LAWFARE
Belarus: Cyber upstart, or Russian staging ground?
FROM THE MEDIA: As the prospect of further Russian aggression in Ukraine looms, the Biden administration is concerned about Russian cyber operations against the U.S. and its allies. Yet as the White House engages with Moscow and builds out plans around these risks, it must watch an overlooked development in Russia’s near-abroad: growing cyber integration between Belarus and the Kremlin. In November 2021, Mandiant published a report assessing with “high confidence” that the UNC1151 cyber group, which assisted the longstanding “Ghostwriter” campaign — stealing government credentials and spreading disinformation in Europe — is linked to the Belarusian government. It also assessed with “moderate confidence” that Belarus “is also likely at least partially responsible for the Ghostwriter campaign.” Significantly, the report’s authors added: “We cannot rule out Russian contributions to either UNC1151 or Ghostwriter.”
READ THE STORY: Cyber Scoop
Android users can now disable 2G to block Stingray attacks
FROM THE MEDIA: Google has finally rolled out an option on Android allowing users to disable 2G connections, which come with a host of privacy and security problems exploited by cell-site simulators. The addition of the option was spotted by the EFF (Electronic Frontier Foundation), which calls the development a victory for privacy protection. A cell-site simulator, also known as a “stingray” or IMSI catcher, is a device that masquerades as a cell tower, forcing cell phones in its range to connect to it. This connection enables the operators of these Stingrays to perform man-in-the-middle attacks and intercept sensitive personal information such as: device IMSI (international mobile subscriber identity), call metadata like dialed number and duration, SMS and voice call content, and data usage and web browsing history. Unfortunately, this method of data interception has been repeatedly and indiscriminately deployed by law enforcement authorities during peaceful protests in otherwise democratic countries where strict data protection laws apply.
READ THE STORY: Bleeping Computer
FBI Officials Clarify What the Bureau Wants in Cyber Incident Reporting Bill
FROM THE MEDIA: The need for legislation requiring companies to report cybersecurity incidents to the government is obvious, but it should be tweaked to explicitly include the FBI, according to officials from the law enforcement agency. Last year the House passed incident reporting legislation that would require reports to the Cybersecurity and Infrastructure Security Agency 72 hours after an incident, but corresponding legislation failed to make it into the annual “must-pass” National Defense Authorization Act. The FBI expressed concern with some of the language in the bill but lawmakers said it was mostly just a matter of running out of time on the clock to clear the provisions with all the relevant committees of jurisdiction. “There seems to be a misunderstanding that the FBI specifically is looking for a dual seal program with the legislation meaning that companies would have to report to both CISA and the FBI and that isn't true,” said Bryan Vorndran, assistant director of the FBI’s cyber division. “What the Department of Justice and FBI [are] looking for is legislation that includes language about the FBI having real-time and unfiltered access to incident information that is reported to CISA. It can likely be accomplished by a few words or a sentence in proposed legislation.”
READ THE STORY: NextGov
GootLoader Hackers Targeting Employees of Law and Accounting Firms
FROM THE MEDIA: Operators of the GootLoader campaign are setting their sights on employees of accounting and law firms as part of a fresh onslaught of widespread cyberattacks to deploy malware on infected systems, an indication that the adversary is expanding its focus to other high-value targets. "GootLoader is a stealthy initial access malware, which after getting a foothold into the victim's computer system, infects the system with ransomware or other lethal malware," researchers from eSentire said in a report shared with The Hacker News. The cybersecurity services provider said it intercepted and dismantled intrusions aimed at three law firms and an accounting enterprise. The names of the victims were not disclosed. Malware can be delivered on targets' systems via many methods, including poisoned search results, fake updates, and trojanized applications downloaded from sites linking to pirated software. GootLoader resorts to the first technique.
READ THE STORY: THN
Items of interest
Cyber Threat: Four scenarios for Belarus by the end of 2022 (Paper)
FROM THE MEDIA: This Policy Paper outlines four possible scenarios for the future of the political system in Belarus by the end of 2022. The scenarios are based on two key drivers that are crucial for political developments in Belarus: the level of social mobilization and democratic transition. The Policy Paper creates a framework for alternative thinking and outlines important insights, opportunities, and risks. It also formulates desirable normative options for political developments in Belarus in the upcoming twelve months and gives policy recommendations on how to make them possible.
READ THE STORY: SSOAR
Gen. H.R. McMaster on the USA's Economic Competition with China (Video)
FROM THE MEDIA: Great episode - the General is a great interview and the views on China are refreshing and timely - it’s time they were called out on their duplicity. The interview was a little light though on calling out where there are real issues with the US military, however, like with Cost Plus; if we want an efficient military it’s time the weapons manufacturing and finance sector stopped bleeding the system with bloated profiteering.
Overlaps between Cyber, Information, and Intelligence Operations (Video)
FROM THE MEDIA: About the lecture: A discussion of the challenges presented by the increasingly complex environment created when cyber, information, and intelligence operations overlap and collide. This presentation will explore case studies where the lines between various concepts become blurred, complicating the response and implications. Specifically, we will explore recent items of interest from the increasingly contentious relationship between the US, Russia, and China. How will leaders and managers operate effectively in this environment? What are the important aspects of decision-making in these situations? Why is it even important to get a handle on these dynamics?
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com