Tuesday, January 18, 2022
Ukraine: Wiper malware masquerading as ransomware hits government organizations
FROM THE MEDIA: In the wake of last week’s attention-grabbing defacements of many Ukrainian government websites, Microsoft researchers have revealed evidence of a malware operation targeting multiple organizations in Ukraine, deploying what seems to be ransomware but is actually Master Boot Record (MBR) wiper malware. “On the night of January 13-14, a number of government websites, including the Ministry of Foreign Affairs, the Ministry of Education and Science and others, were hacked. Provocative messages were posted on the main page of these sites. The content of the sites was not changed and the leakage of personal data, according to preliminary information, did not occur,” the Computer Emergency Response Team of Ukraine (CERT-UA) said. The team noted that the attackers may have exploited CVE-2021-32648, a vulnerability in the October CMS, to reset the admin account password and gain access to it, allowing them to post the taunting messages.
READ THE STORY: HelpNet
Pegasus Spyware Emerges Again as Journalists “Extensively” Targeted in El Salvador
FROM THE MEDIA: A new report from watchdog Citizen Lab (with assistance from the Amnesty International Security Lab) documents an extensive campaign involving the Pegasus spyware in El Salvador. “Project Torogoz” reveals the targeting of at least 35 journalists and political activists from June 2020 to November 2021, with most of the country’s major media outlets affected during a period in which there was critical coverage of the policies of the sitting government. Pegasus spyware was found on the phones of numerous journalists, with connections to negative press coverage of the Bukele administration. The University of Toronto-based watchdog group has been instrumental in revealing the scope of use of Pegasus spyware by authoritarian governments for purposes of repression. The latest case appears to come from El Salvador, where the current administration has some documented autocratic tendencies in spite of coming to power in a crusade against corrupt elements in the country’s traditional political parties.
READ THE STORY: CPO Magazine
The Pentagon’s new cybersecurity model is better, but still an incremental solution to a big challenge
FROM THE MEDIA: The Pentagon announced in November a new “strategic direction” for its Cybersecurity Maturity Model Certification, calling it CMMC 2.0 and essentially admitting the first iteration was overly complex and costly. The new version aligns better with existing federal standards and requirements but falls well short of being the “bold change” President Biden called for in his much-touted May cybersecurity executive order. Prior to the creation of CMMC, federal acquisition regulations required all defense contractors that handled controlled unclassified information (CUI) to implement the basic cyber hygiene safeguards listed in the National Institute of Standards and Technology guidelines, NIST Special Publication (SP) 800-171. Companies would then conduct self-assessments of their compliance. Predictably, not all companies assessed themselves equally or honestly, or addressed the issues they self-identified.
READ THE STORY: Federal News Network
High-Severity flaw in 3 WordPress plugins impacts 84,000 websites
FROM THE MEDIA: Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins with a combined install base of over 84,000 websites. The vulnerability, tracked as CVE-2022-0215, is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8. “On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites,” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”
READ THE STORY: Security Affairs
REvil Bust: Is Russian Cybercrime Crackdown Just A Decoy From Ukraine?
FROM THE MEDIA: This weekend’s unprecedented operation to dismantle the cybercriminal REvil network in Russia was carried out on a request and information from Washington. That it occurred just as the two countries face off over the Russian threat to invade Ukraine raises more questions than it answers. The world’s attention was gripped last week by the rising risk of war at the Russia-Ukraine border, and what some have called the worst breakdown in relations between Moscow and Washington since the end of the Cold War. Yet by the end of the week, another major story was unfolding more quietly across Russia that may shed light on the high-stakes geopolitical maneuvering. By Friday night, Russian security forces had raided 25 addresses in St. Petersburg, Moscow and several other regions south of the capital in an operation to dismantle the notorious REvil group, accused of some of the worst cyberattacks in recent years to hit targets in the U.S. and elsewhere in the West. And by Saturday, the Russian online media outlet Interfax was reporting that the FSB, Russia’s intelligence service, had revealed that it was in fact the U.S. authorities who had informed Russia “about the leaders of the criminal community and their involvement in attacks on the information resources of foreign high-tech companies.”
READ THE STORY: World Crunch
China leads in hosting DDoS cyber attack weapons
FROM THE MEDIA: China continues to lead in hosting the highest number of potential Distributed Denial of Service (DDoS) cyber attack weapons, including both amplification weapons and botnet agents used to install modern malware on organizations globally, a new report showed on Tuesday. The number of total botnet agents was almost halved in the first half of 2021, with China hosting 44 per cent of the total number of drones available worldwide, according to the report by US-based tech firm A10 Networks. The total number of DDoS weapons increased by approximately 2.5 million in the reporting period. The US remains the second largest source of DDoS weaponry, particularly amplification weapons. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. “DDoS attacks are not limited to a specific geographical location and can originate from and attack organizations anywhere in the world. These attacks are powered by weapons that are distributed globally, with higher concentrations found where internet-connected populations are most dense,” said the report.
READ THE STORY: Daiji World
Microsoft releases emergency fixes for Windows Server, VPN bugs
FROM THE MEDIA: Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. "Microsoft is releasing Out-of-band (OOB) updates today, January 18, 2022, for some versions of Windows," the company said. "This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount." All OOB updates released today are available for download on the Microsoft Update Catalog, and some of them can also be installed directly through Windows Update as optional updates. You will have to manually check for updates if you want to install the emergency fixes through Windows Update because they are optional updates and will not install automatically.
READ THE STORY: Bleeping Computer
DHL dethrones Microsoft as most imitated brand in phishing attacks
FROM THE MEDIA: DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth. This isn't surprising considering that the final quarter of every year includes the Black Friday, Cyber Monday, and Christmas shopping season, so phishing lures based on package deliveries naturally increase. DHL is an international package delivery and express mail service, delivering over 1.6 billion parcels per year. As such, phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season. The specific lures range from a package that is stuck at customs and requires action for clearance to supposed tracking numbers that hide inside document attachments or embedded links.
READ THE STORY: Bleeping Computer
Cyber espionage campaign targets renewable energy companies
FROM THE MEDIA: A large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations has been discovered to be active since at least 2019, targeting over fifteen entities worldwide. The campaign was discovered by security researcher William Thomas, a Curated Intelligence trust group member, who employed OSINT (open-source intelligence) techniques such as DNS scans and public sandbox submissions. Thomas’ analysis revealed that the attacker uses a custom ‘Mail Box’ toolkit, an unsophisticated phishing package deployed on the actors’ infrastructure, as well as legitimate websites compromised to host phishing pages. Most of the phishing pages were hosted on “*.eu3[.]biz”, “*.eu3[.]org”, and “*.eu5[.]net” domains, while the majority of the compromised sites are located in Brazil (“*.com[.]br”).
READ THE STORY: Cyber Reports
Crypto.com confirms suspicious activity after users report stolen funds
FROM THE MEDIA: Crypto.com, a popular app-based cryptocurrency exchange headquartered in Singapore, has confirmed that a “small number” of its users experienced unauthorized activity in their accounts earlier on Monday (17th) morning. Although Crypto.com did not confirm the exact number of impacted customers, in a series of tweets the exchange did assure that “all funds are safe.” It all started when several tweets emerged from users reporting stolen funds as a result of suspicious activity on their Crypto.com accounts. According to a tweet by actor Ben Baller, a Crypto.com user, he had informed the exchange hours earlier about suspicious activity that bypassed the 2FA protection on his account, resulting in a loss of 4.28 ETH ($13,769). Another user going by the Twitter handle @qudah_mohamed claimed that they witnessed multiple transactions of .12 BTC ($5000). @NickDushko tweeted that his Crypto.com wallet was hacked and someone made 7 transactions of .27 BTC ($11,000). Crypto.com user @yougesify shared their side of the story and claimed that his wife had 17.43 ETH ($56,114) wiped from her wallet even though she had 2FA on.
READ THE STORY: Hackread
Items of interest
Review Paper on Phishing Attacks (Paper)
FROM THE MEDIA: Phishing is a cybercrime that involves luring the user into providing sensitive and confidential information to the attacker. The data could include credit card details, usernames and passwords, bank details, etc. After obtaining the information, the attacker could commit crimes such as financial fraud and identity theft. The target might be an individual, a corporation or a group within a company. This paper provides evidence on phishing attacks to raise awareness and presents several countermeasures to defeat them. Cyber Security is a field of Information Technology that aims at the protection of information, systems, networks, etc., from various attacks. Cyber Security is one of the key concerns in today’s information technology world. It also aims at the prevention of unauthorized access to sensitive data. Data is prone to various attacks while in transit and while stored. These attacks, both existing and upcoming, pose a serious threat to industries and individuals. Since industries rely heavily on computers for their operations, confidential and sensitive information must be protected. Various Cyber Security techniques and tools provide this protection of information while it is stored and in transit.
READ THE STORY: Engpaper
Phish Stories 10: Phishing + Ransomware — The Dream Team of Exploits (Video)
FROM THE MEDIA: This deadly combination is spreading its tentacles and wreaking havoc on organizations of all sizes. 2021 was another year of record-breaking ransomware attacks and payouts. Ransomware has increased to an attack happening every 11 seconds, with global recovery costs exceeding $20B in 2021. Phishing is the start of the ransomware attack chain, with 60% of ransomware cases involving direct install using stolen credentials, according to the Verizon 2021 DBIR.
Industroyer: The cyber attack that blinded Ukraine in 2015 (Power Grid Disruption) (Video)
FROM THE MEDIA: This video is about the industrial cyber attack launched on smart power grids that caused a mass blackout in Ukraine in 2015. I did a kill-chain analysis of the Industroyer (CrashOverride) malware and explained how the attackers succeeded in launching such a planned and coordinated attack. It also includes some explanation of the BlackEnergy components.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com