Sunday, January 16, 2022
Prominent Carding Marketplace UniCC announced it’s shutting down
FROM THE MEDIA: The news of the shutdown was announced by the UniCC administrators on underground carding sites in both English and Russian, they are giving 10 days to their members to spend their balances. “Don’t build any conspiracy theories about us leaving, it is (a) weighted decision, we are not young and our health do not allow to work like this any longer.” reads the message. “We ask you to be smart and not follow any fakes tied to our comeback and other things.” According to Elliptic Threat Intel team, after the shutdown of the UniCC marketplace other carding platforms will attempt to fill the gap in a market that overall surpassed more than $1.4 billion in sales with Bitcoin alone. On the other side, the operators behind UniCC will be seeking to cash out their millionaire profits. But in recent months, Elliptic pointed out that other underground marketplaces appear to be hanging up the towel. The White House Market announced it was shutting down in October; and by November, Cannazon went dark.
READ THE STORY: Security Affairs
EXCLUSIVE Ukraine suspects group linked to Belarus intelligence over cyberattack
FROM THE MEDIA: KYIV, Jan 15 (Reuters) - Kyiv believes a hacker group linked to Belarusian intelligence carried out a cyberattack that hit Ukrainian government websites this week and used malware similar to that used by a group tied to Russian intelligence, a senior Ukrainian security official said. Serhiy Demedyuk, deputy secretary of the national security and defense council, told Reuters that Ukraine blamed Friday's attack - which defaced government websites with threatening messages - on a group known as UNC1151 and that it was cover for more destructive actions behind the scenes. "We believe preliminarily that the group UNC1151 may be involved in this attack," he said. His comments offer the first detailed analysis by Kyiv on the suspected culprits behind the cyberattack on dozens of websites. Officials on Friday said Russia was probably involved but gave no details. Belarus is a close ally of Russia. The cyberattack splashed websites with a warning to "be afraid and expect the worst" at a time when Russia has massed troops near Ukraine's borders, and Kyiv and Washington fear Moscow is planning a new military assault on Ukraine.
READ THE STORY: Reuters
Hackers disrupt payroll for thousands of employers — including hospitals
FROM THE MEDIA: A month-old ransomware attack is still causing administrative chaos for millions of people, including 20,000 public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and medical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages. In the weeks since the attack knocked out Kronos Private Cloud — a service that includes some of the nation's most popular workforce management software — employees from Montana to Florida have reported paychecks short by hundreds or thousands of dollars, as their employers have struggled to manage schedules and track hours without the help of the Kronos software.
READ THE STORY: NPR
One of the REvil members arrested by FSB was behind Colonial Pipeline attack
FROM THE MEDIA: Russian authorities on Friday arrested the hacker behind last year's ransomware attack which forced Colonial Pipeline to halt operations for days and caused a temporary fuel shortage in the United States, a senior Biden administration official said during a press briefing. The arrest, made by the Russian Federal Security Service after an appeal by U.S. authorities including President Joe Biden, marks a significant collaboration between the two governments despite rising tensions between the countries over Ukraine. The FSB said Friday that it had arrested 14 members of the organized criminal community during a sting on REvil, the ransomware gang behind the attacks on food processing company JBS and software provider Kaseya. DarkSide, another hacking group tied to Russia, was linked to the Colonial Pipeline attack. It was not immediately clear what level of connection the REvil hackers arrested Friday had to the attacks on JBS and Kaseya, or the Colonial Pipeline ransomware.
READ THE STORY: UPI
Ransomware attack on New Mexico jail put prisoners in lockdown
FROM THE MEDIA: The Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico went offline due to a ransomware attack, and prisoners were confined to their cells. On January 5th, 2022, the IT infrastructure of the Metropolitan Detention Center in Bernalillo County, New Mexico was hit by a crippling ransomware attack that forced its network to go offline. Reportedly, the ransomware attack triggered an emergency as the facility’s automatic doors and security camera mechanisms went offline. Resultantly, inmates were confined to their cells as technicians tried to bring the systems back online. As per a report from Source New Mexico, the MDC’s visitor access was also suspended, and the jail went into complete lockdown. Its internet service also went offline so prison staff couldn’t access inmate records, and prisoners had to be controlled manually.
READ THE STORY: Hackread
Threat actors stole $18.7M from the Lympo NFT platform
FROM THE MEDIA: Threat actors hacked the hot wallet of the NFT platform Lympo and managed to steal 165.2 Million LMT (worth $18.7 million). NFT and DeFi platforms are privileged targets for cybercriminals, and the NFT platform Lympo was the last platform in order of time to suffer a security breach. Lympo is building a sports NFTs ecosystem including NFTs with IP rights of world-famous athletes and clubs. The ecosystem will also include custom sports characters created by various artists and sports influencers. Threat actors stole $18.7 million from several hot wallets of the platform. “On 10 January 2022 at approximately 2:32 PM (UTC +2), hackers managed to gain access to Lympo’s operational hot wallet and stole a total of approximately 165.2 million LMT from it.” reads the alert published by Lympo on Medium. In response to the security breach, Lympo enhanced safeguards to prevent the theft of other LMT, the company also temporarily removed LMT from various liquidity pools in order to minimize the impact of the attack. The stolen tokens were sent to a single address used by the attackers to swap them for Ether on SushiSwap or Uniswap, then they were sent to other addresses.
READ THE STORY: Security Affairs
Defense contractor Hensoldt confirms Lorenz ransomware attack
FROM THE MEDIA: Hensoldt, a multinational defense contractor headquartered in Germany, has confirmed that some of its UK subsidiary's systems were compromised in a ransomware attack. The defense multinational develops sensor solutions for defense, aerospace, and security applications, is listed on the Frankfurt Stock Exchange, and had a turnover of 1.2 billion euros in 2020. It operates in the US under a special agreement that allows it to apply for classified and sensitive US government contracts. Its products include radar arrays, avionics, and laser rangefinders used on M1 Abrams tanks, various helicopter platforms, and LCS (Littoral Combat Ship) by the US Army, US Marine Corps, and the US National Guard. Hensoldt announced on Thursday that it's equipping German-Norwegian U212 CD submarines built by the kta consortium with next-generation fully digital optronics equipment. While the company is yet to issue a public statement regarding this incident, the Lorenz ransomware gang has already claimed the attack. On Wednesday, a Hensoldt spokesperson confirmed Lorenz's claims after BleepingComputer reached out over email.
READ THE STORY: Bleeping Computer
BlueNoroff hackers steal crypto using fake MetaMask extension
FROM THE MEDIA: The North Korean threat actor group known as 'BlueNoroff' has been spotted targeting cryptocurrency startups with malicious documents and fake MetaMask browser extensions. The motive of this group is purely financial, but its sophistication in carrying out objectives has previously led researchers to conclude that this is a sub-group of the North Korean Lazarus gang. Although BlueNoroff has been active for several years, its structure and operation have been shrouded by mystery. A report by Kaspersky attempts to shed some light by using intelligence collected during the most recent activity observed, dating back to November 2021. The latest attacks are focused on cryptocurrency startups located in the US, Russia, China, India, the UK, Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong. The threat actors attempt to infiltrate the communications of these firms and map the interactions between the employees to derive potential social engineering pathways.
READ THE STORY: Security Affairs
New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking
FROM THE MEDIA: A software bug introduced in Apple Safari 15's implementation of the IndexedDB API could be abused by a malicious website to track users' online activity in the web browser and worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021. IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files and blobs. "Like most web storage solutions, IndexedDB follows a same-origin policy," Mozilla notes in its documentation of the API. "So while you can access stored data within a domain, you cannot access data across different domains." Same-origin is a fundamental security mechanism that ensures that resources retrieved from distinct origins — i.e., a combination of the scheme (protocol), host (domain), and port number of a URL — are isolated from each other. This effectively means that "https://example[.]com/" and "https://example[.]com/" are not of the same origin because they use different schemes.
READ THE STORY: The Hacker News Network
A New Destructive Malware Targeting Ukrainian Government and Business Entities
FROM THE MEDIA: Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia. "The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, corporate vice president of customer security and trust at Microsoft, said, adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions. Also targeted is an IT firm that "manages websites for public and private sector clients, including government agencies whose websites were recently defaced," Burt noted. The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenamed "DEV-0586," with no observed overlaps in tactics and procedures to other previously documented groups. It further said the malware was found on dozens of impacted systems, a number it expects to increase as the investigation continues.
READ THE STORY: The Hacker News Network
Items of interest
A First Look: Using Linux Containers for Deceptive Honeypots (Paper)
FROM THE MEDIA: The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive “honeypots” for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.
READ THE STORY: West Point
How Russian Hackers Compromised the U.S. Government and Reducing the Chances of It Happening Again (Video)
FROM THE MEDIA: Described as the ‘largest and most sophisticated attack ever,’ the hacking of SolarWinds Inc. shocked the cybersecurity world and led to a massive compromise of networks owned by the U.S. government and Fortune 500 companies. After breaching SolarWinds, a top tier technology company, the hackers used their access to infiltrate its many clients. The list of exposed organizations included the Department of Defense, Department of the Treasury, Department of Justice, and many others. The most likely culprit is a hacking organization affiliated with the Russian military, often referred to as “Cozy Bear.” The full extent of the breach remains unknown, but the hackers operated in the networks for months before being detected. The amount of sensitive information stolen is likely massive. To protect the American people, it is critical that we understand this hack and what the Russian government hopes to get out of it. The United States must know how to confront this threat going forward, as it is only a matter of time before Cozy Bear, or another group like it, strikes again.
Did China carry out a cyberattack on Israel? (4-30-21) (Video)
FROM THE MEDIA: A coordinated cyberattack, which most likely originated in China, hit dozens of Israeli government and private organizations, according to an announcement Monday by the international cybersecurity company FireEye. This is the first documented case of a large-scale Chinese attack on Israel. It was part of a broader campaign that targeted many other countries, including Iran, Saudi Arabia, Ukraine, Uzbekistan and Thailand. FireEye has been monitoring the operation for two years.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com