Thursday, January 20, 2022
New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets
FROM THE MEDIA: A new evasive crypto wallet stealer named BHUNT has been spotted in the wild with the goal of financial gain, adding to a list of digital currency stealing malware such as CryptBot, Redline Stealer, and WeSteal. "BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researchers said in a technical report on Wednesday. The campaign, distributed globally across Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the U.S., is suspected to be delivered to compromised systems via cracked software installers.
READ THE STORY: The Cyber Security News
A QUICK LOOK:
FBI: Hackers Are Compromising Legit QR Codes to Send You to Phishing Sites
FROM THE MEDIA: Watch out for fake QR codes at your favorite restaurant or shop. The FBI is warning that cybercriminals have been tampering with legitimate QR codes to try and trick unsuspecting users into loading up scam websites. On Tuesday, the FBI issued the alert, warning that cybercriminals have been targeting both physical and digital QR codes. The scheme exploits how QR codes have grown in popularity during the pandemic as a contactless way to access information. The tactic is basically a spin-off of phishing scams, in which hackers use fake emails and messages from legitimate companies to trick victims into giving up their password or downloading malware. The culprits are now pasting their phishing scams on top of legitimate QR codes, including those found on parking meters, as police in Texas recently found.
READ THE STORY: PCMAG
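The QR sticker attack works because the code is opaque to the person scanning it: the sign looks legitimate, but the encoded URL can point anywhere. The practical defence is to treat the decoded payload as untrusted input and inspect it before following it. The script below is an added example (it is not from the FBI alert or the PCMag article): it takes the text a QR scanner decoded and reports the red flags a parking-meter or restaurant sticker would typically show, assuming the scanner knows which organisation's code it expected to see (the `expected_domain` argument, a hypothetical name here). The shortener list and the sample payloads are constructed for illustration.

```python
"""Triage the text decoded from a QR code before opening it.

Added example, not code from the FBI or PCMag. The shortener list and
sample payloads are constructed; `expected_domain` is the domain the
scanner believes the code should belong to (e.g. the parking operator),
which is the one thing a pasted-over sticker cannot forge.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of common redirector hosts; a sticker that bounces
# through one of these hides its final destination from the user.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd",
              "cutt.ly", "rebrand.ly"}


def _is_ip(host):
    """True if the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_qr_url(payload, expected_domain=None):
    """Return a list of findings for a decoded QR payload (empty = no red flags)."""
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()   # hostname is lower-cased, user:pass stripped

    # Anything that is not an http(s) URL (Wi-Fi configs, vCards, raw text)
    # gets no further parsing; it is reported as opaque instead.
    if parts.scheme.lower() not in ("http", "https") or not host:
        return ["payload is not an http(s) URL; do not open it blindly"]

    if parts.scheme.lower() != "https":
        findings.append("scheme is not https")
    # https://trusted.example@evil.test/ puts the real host after the '@'
    if parts.username is not None or parts.password is not None:
        findings.append("credentials before '@' hide the real host")
    if _is_ip(host):
        findings.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) host; check for homoglyphs")
    if host in SHORTENERS:
        findings.append(f"host {host} is a link shortener that hides the destination")

    if expected_domain:
        expected = expected_domain.lower()
        if not _under(host, expected):
            msg = f"host {host} is not under {expected}"
            # The expected name reused as a prefix or under another TLD is the
            # classic lookalike: cityparking-pay.example.net, cityparking.example.evil.test
            if expected.split(".")[0] in host:
                msg += " (lookalike: reuses the expected name)"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    samples = [
        "https://pay.cityparking.example/meter/1234",
        "http://bit.ly/3xyz",
        "https://cityparking.example@198.51.100.7/login",
        "https://cityparking-pay.example.net/meter",
        "WIFI:T:WPA;S:cafe;P:secret;;",
    ]
    for s in samples:
        print(s, "->", triage_qr_url(s, "cityparking.example") or "no red flags")
```

A scanner that shows the decoded URL, runs a check like this and refuses to auto-open anything with findings removes most of the value of a pasted sticker; the same logic applies to QR codes in emails, where the image is used precisely because URL filters do not decode it.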
A QUICK LOOK:
Nigerian Police Arrest 11 Individuals in BEC Crackdown
FROM THE MEDIA: Police in Nigeria, with the help of Interpol, have arrested 11 individuals in the country for their alleged involvement in business email compromise (BEC) scams associated with more than 50,000 targets worldwide. Six of those arrested were identified as members of SilverTerrier, a known BEC gang that is thought to have harmed thousands of companies globally and has successfully evaded prosecution for more than five years. A laptop belonging to one of the 11 alleged BEC operatives contained some 800,000 user names and credentials belonging to potential victim organizations. Another arrested individual was found to have been monitoring conversations between 16 companies and their customers, as well as attempting to divert money to SilverTerrier accounts when transactions between them were about to be made, Interpol said Wednesday. The ten-day Operation Falcon II (13-22 December) saw 10 Nigeria Police Force (NPF) officers deployed from the Abuja headquarters to Lagos and Asaba to arrest target suspects identified ahead of time with intelligence provided by INTERPOL. Field operations were preceded by an intelligence exchange and analysis phase, in which Nigeria used INTERPOL's secure global police communications network, I-24/7, to work with police forces across the world that were also investigating BEC scams linked to Nigeria.
READ THE STORY: Interpol
A QUICK LOOK:
FIN8 Hackers Spotted Using New 'White Rabbit' Ransomware in Recent Attacks
FROM THE MEDIA: The financially motivated FIN8 actor has, in all likelihood, resurfaced with a never-before-seen ransomware strain called "White Rabbit" that was deployed against a local bank in the U.S. in December 2021. That's according to new findings published by Trend Micro, which call out the malware's overlaps with Egregor, whose operators were arrested by Ukrainian law enforcement authorities in February 2021. "One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine," the researchers noted. "This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis." Egregor, which commenced operations in September 2020 and ran until the takedown crippled it, is widely believed to be a reincarnation of Maze, which shut down its criminal enterprise later that year. Besides taking a leaf out of Egregor's playbook, White Rabbit adheres to the double extortion scheme and is believed to have been delivered via Cobalt Strike, a post-exploitation framework that threat actors use to reconnoiter, move through, and drop malicious payloads onto the affected systems.
READ THE STORY: THN
A QUICK LOOK:
DoNot Hacking Team Targeting Government and Military Entities in South Asia
FROM THE MEDIA: ESET offers an account of an APT (the "DoNot Team") which it regards as unsophisticated, but highly focused and tenacious. The researchers make no attribution, but the DoNot Team's focused list of targeted countries is suggestive: Pakistan, Bangladesh, Nepal, and Sri Lanka. A separate post at BushidoToken Threat Intel describes what appears to be a cyberespionage campaign against industrial control system vendors, government agencies, non-governmental organizations, and university researchers in several countries; attribution of that campaign is unclear, beyond some circumstantial code similarities to tools used by Russian and North Korean intelligence services. Operating since at least 2016, DoNot Team (also known as APT-C-35 and SectorE02) has been linked to a string of intrusions primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware. In October 2021, Amnesty International unearthed evidence tying the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs, raising suspicions that the threat actor may be selling the spyware or offering a hackers-for-hire service to governments of the region.
READ THE STORY: We Live Security
A QUICK LOOK:
Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware
FROM THE MEDIA: Cybercrime is fueled by a complex ecosystem of criminal groups that specialize in different pieces of the final attack chains experienced by victims. There are the malware developers, the access brokers, the spammers, the private information sellers, the botnet operators, the malvertisers and more. Potential connections between a subscription-based crimeware-as-a-service (CaaS) offering and a cracked copy of Cobalt Strike have been identified, in what the researchers suspect is being provided as a tool for its customers to stage post-exploitation routines. Prometheus, as the service is called, first came to light in August 2021 when cybersecurity company Group-IB disclosed details of malware distribution campaigns undertaken by cybercriminal groups to spread Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish in Belgium and the U.S. Costing $250 a month, it is marketed on Russian underground forums as a traffic direction system (TDS) that enables phishing redirection on a mass scale to rogue landing pages designed to deploy malware payloads on the targeted systems.
READ THE STORY: The Cyber Security // CSO
A QUICK LOOK:
Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people
FROM THE MEDIA: A sophisticated cyber security attack against computer servers hosting information held by the International Committee of the Red Cross (ICRC) was detected this week. The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. The data originated from at least 60 Red Cross and Red Crescent National Societies around the world. The ICRC's most pressing concern following this attack is the potential risks that come with this breach -- including confidential information being shared publicly -- for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families. When people go missing, the anguish and uncertainty for their families and friends is intense. "An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised," said Robert Mardini, ICRC's director-general. "This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk."
READ THE STORY: Relief Web
A QUICK LOOK:
How CISA can help bolster cyber defense of small businesses
FROM THE MEDIA: Ensuring the security of our cyberspace is vital to a thriving economy and strong national security. Technology touches all facets of our lives and as our society continues to rely more on technological advancements, the risk from cyber-attacks grows larger. In recent years, cyber-attacks have steadily grown as a concern in our home states and across our nation. Whether it’s hackers in their basement or nefarious actors working for or with the implicit compliance of nations such as Russia or China, these criminals are constantly targeting vulnerable businesses, hospitals, and governments across the globe. In Kansas and Iowa alone, health care facilities, grain elevators, local governments, and small businesses have all been targeted in recent cyber-attacks. We continually hear from constituents who feel ill-equipped to deal with this growing threat. Last year, our nation’s transportation systems sector suffered a ransomware cyber-attack that impacted Colonial Pipeline and caused a nationwide energy crisis. The cyber-attack led to gasoline shortages and volatile fuel prices.
READ THE STORY: The Hill
A QUICK LOOK:
Biden threatens 'cyber' response after Ukraine says computers wiped during attack
FROM THE MEDIA: US President Joe Biden responded forcefully to reports of a wide-ranging cyberattack on Ukrainian government systems Wednesday afternoon, telling reporters that the US would respond with its own cyberattacks if Russia continues to target Ukraine's digital infrastructure. "The question is if it's something significantly short of an...invasion or major military forces coming across," Biden said in response to a question about how the US would respond to a Russian invasion of Ukraine. "For example, it's one thing to determine that if they continue to use cyber efforts, well, we can respond the same way, with cyber." The Daily Beast later asked White House Press Secretary Jen Psaki and she confirmed that if Russia continued to launch cyberattacks, they would be answered with a "decisive, reciprocal, and united response."
READ THE STORY: ZDNET
A QUICK LOOK:
Ukraine Government Websites Weather Cyber Attack Campaign, Strongly Suspected to Come From Russia
FROM THE MEDIA: Many cybersecurity experts had predicted that Russia's current conflict with Ukraine would largely play out in the form of cyber attacks rather than physical warfare. A series of attacks on that country's government websites appears to be the opening salvo, as suspected Russian hacking teams left messages threatening the country's residents. Attackers briefly knocked out the public-facing websites for several of Ukraine's government agencies, and defaced some sites with pro-Russia messages that brought up Ukrainian history. The hackers also left a warning on at least one page claiming that the country's personal information was not safe and might be made public. The spate of cyber attacks against the Ukrainian government websites came shortly after talks between Russia and NATO broke down, and Russia raised the possibility of military deployments to Cuba and Venezuela in response to United States actions. A spokesperson for Ukraine said that about 70 websites were impacted, including those of regional governments. The attacks briefly took down the websites of the Ukrainian ministry of foreign affairs and the education ministry, among others. The threat to dox residents of Ukraine was left on the foreign affairs ministry website, reading as follows: "Ukrainians! ... All information about you has become public. Be afraid and expect worse. It's your past, present and future."
READ THE STORY: CPO
A QUICK LOOK:
Items of interest
Analyzing Cyberattacks Sponsored by State-Actors Under the Global Political and Legal Frameworks (Paper)
FROM THE MEDIA: There is disagreement on whether a state-sponsored cyber-attack should be considered an act of war or a mere crime; even among those who hold that a cyber-attack is a crime, there is no consensus on whether such acts should be subject to international or national jurisdiction. Regardless of this methodological schism between the two sides on the nature of attacks in cyberspace, there is near unanimity in the Western school of thought that using cyberspace as a vehicle to attack other nations maliciously violates both national and international law. Nearly every nation has incorporated into its criminal procedures a means to extradite a suspect of a crime to stand trial.
READ THE STORY: ICCWS 2021
Charity Fraud and Cyber-crime: the impact of the pandemic (Video)
FROM THE MEDIA: At the very end of last year a firm that handles payroll software, known as Kronos, was hit with ransomware from which the company is still reeling. In Kronos's case they handle the payroll and workforce management of many companies around the planet, and in some cases the paychecks of average workers are now thrown into question until Kronos can identify and rectify the problem in its own systems. This is a cautionary tale for cloud services and a reminder to keep yourself safe in the world of cybersecurity!
Pentagon Explains What The Purpose Of Ukraine Cyber Attack Could Be (Video)
FROM THE MEDIA: JSOU SOF Q1 Forum - Panel 5 - Strategic Cultures of Resilience and Resistance - Ally and Partner Perspectives
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com