Friday, January 21, 2022
Ukraine Hacks Signal Broad Risks of Cyberwar Even as Limited Scope Confounds Experts
FROM THE MEDIA: A recent cyberattack in Ukraine has heightened concerns in Kyiv that Moscow is plotting to support a land invasion with destructive hacks, although some experts remain puzzled about the Kremlin’s intentions. Last week, hackers defaced the websites of more than 70 government agencies, according to Viktor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection. More worryingly, the hackers also installed destructive “wiper” software designed to render computer systems inoperable in at least two government agencies, he said. Russia has denied any involvement in the cyberattacks. The attack was at least several weeks in the making, and perhaps more, according to experts. Mr. Zhora said the first signs of a hack date back to late 2021. Data from Cisco Systems Inc. shows that the software was present in some networks even earlier. Cisco initially traced the intrusion to November, but on Thursday, the company said new data analysis indicated it may have begun in late summer, according to Matthew Olney, Cisco’s director of threat intelligence and interdiction.
READ THE STORY: WSJ
Ukraine asks Australia for more 'technical assistance' to combat increasing Russian cyber attacks
FROM THE MEDIA: Ukraine is pressing Australia to provide expanded technical assistance to help repel devastating Russian cyber attacks as fears mount that Russian President Vladimir Putin is on the brink of launching a fresh military invasion. Tensions between Russia and Ukraine have escalated rapidly in recent weeks as Moscow continues its military build-up, moving tens of thousands of troops to border regions. Yesterday, US President Joe Biden said he believed Mr Putin was preparing to "move in" on Ukraine and warned an invasion would be a "disaster" for Russia. Foreign Minister Marise Payne said she "reaffirmed Australia's steadfast support for Ukraine's sovereignty and territorial integrity" during a phone call with Ukraine's Foreign Minister Dmytro Kuleba on Wednesday. She reiterated that Australia backed US and European Union efforts to deter Russian aggression.
READ THE STORY: ABC
Athlete surveillance warnings cloud China's Winter Olympics
FROM THE MEDIA: A growing number of Western nations and cybersecurity groups have issued digital surveillance warnings for next month's Winter Olympics in Beijing, with some advising foreign athletes to leave personal phones and laptops at home. China hopes to pull off a successful, coronavirus-free Games that will burnish its international reputation. But the run-up has been fraught with political controversies including diplomatic boycotts over Beijing's rights record and worries about the safety of tennis star Peng Shuai, who was not seen for weeks after accusing a former Communist Party leader of sexual assault. Now concerns are focusing on whether the tens of thousands of foreign athletes, dignitaries and media workers will be safe from China's vast array of surveillance tools. Everyone taking part in the Games will operate in a bubble that separates them from the rest of the population, to reduce the chances of the coronavirus spreading into China, which sticks to a strict zero-COVID policy. Earlier this week, researchers at the University of Toronto's Citizen Lab said a virus-monitoring app all attendees must use was found to have a "simple but devastating" encryption flaw that could allow personal data including health information and voice messages to leak.
READ THE STORY: Japan Today
CSE warns Canadian critical infrastructure of Russian-backed cyber threat activity
FROM THE MEDIA: The Canadian Centre for Cyber Security issued a bulletin warning operators of critical infrastructure in Canada to be aware of, and take steps to mitigate, Russian state-sponsored cyber threat activity. The Communications Security Establishment (CSE), through Canada’s Cyber Centre, said Wednesday it is aware of foreign cyber threat activity, including by Russian-backed actors, targeting Canadian critical infrastructure network operators and their operational and information technology. Citing partners in the U.S. and U.K., the bulletin urges operators to be prepared to isolate critical infrastructure components and services from the internet and from internal networks if those components could be attractive targets for a hostile actor seeking to disrupt them.
READ THE STORY: CTV
Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyberespionage (APT41)
FROM THE MEDIA: A new malware strain that survives operating system reinstalls was spotted last year hiding in a computer’s UEFI firmware, according to antivirus provider Kaspersky. The company found the Windows-based malware last spring on a single computer; how the malicious code got onto the system remains unclear. The malware, dubbed MoonBounce, operates from the UEFI firmware that boots the system and installs itself in the motherboard’s SPI flash memory rather than on the storage drive, so it persists even if the OS is reinstalled or the drive is swapped out. “What’s more, because the code is located outside of the hard drive, such bootkits’ activity goes virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device,” Kaspersky said. The discovery marks the third time the security community has uncovered UEFI malware designed to persist in a computer’s flash memory, after LoJax, found on a victim’s computer in 2018, and MosaicRegressor, found on machines belonging to two victims in 2020.
READ THE STORY: PCMAG
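Because an SPI-flash implant never touches the disk, the practical check is to read the flash back (for example with chipsec or flashrom, which this example assumes you have already done) and compare its contents with the vendor's known-good image rather than scanning the file system. The script below is an added example, not Kaspersky's or any vendor's tooling: it walks the file headers of a UEFI firmware volume as laid out in the PI specification (the `_FVH` volume header followed by 8-byte-aligned FFS file headers), inventories each file's GUID and payload hash, and reports files that were added, removed or modified relative to the baseline. The GUIDs and payloads in the fixtures are constructed; real images contain several volumes, compressed and nested sections and large-file headers, which this single-volume parser deliberately refuses rather than silently mis-parsing.

```python
"""Inventory a UEFI firmware volume and diff it against a vendor baseline (added example)."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"         # EFI_FIRMWARE_VOLUME_HEADER.Signature
FV_FIXED_HEADER_LEN = 56       # header bytes before the block map
FFS_HEADER_LEN = 24            # EFI_FFS_FILE_HEADER
FFS2_GUID = "8c8ce578-8a3d-4f1c-9935-896185c32dd3"  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_ATTRIB_LARGE_FILE = 0x01   # file uses the extended header with a 64-bit size
FV_FILETYPE_DRIVER = 0x07      # EFI_FV_FILETYPE_DRIVER (a DXE driver)


def _checksum16(data: bytes) -> int:
    """Value that makes the little-endian 16-bit word sum of `data` wrap to zero."""
    return (-sum(struct.unpack(f"<{len(data) // 2}H", data))) & 0xFFFF


def build_fv(files):
    """Assemble a minimal FFSv2 volume from (guid, type, payload) tuples. Fixture builder only."""
    body = bytearray()
    for guid, ftype, payload in files:
        size = FFS_HEADER_LEN + len(payload)
        body += uuid.UUID(guid).bytes_le                     # Name (GUID, mixed-endian on disk)
        body += struct.pack("<HBB", 0, ftype, 0)             # IntegrityCheck (not computed), Type, Attributes
        body += size.to_bytes(3, "little") + b"\xf8"         # Size[3] includes the header; State
        body += payload
        body += b"\xff" * (-len(body) % 8)                   # next file header is 8-byte aligned
    header_len = FV_FIXED_HEADER_LEN + 16                    # one block-map entry plus terminator
    fv_len = header_len + len(body)
    hdr = bytearray(bytes(16) + uuid.UUID(FFS2_GUID).bytes_le)          # ZeroVector, FileSystemGuid
    hdr += struct.pack("<Q", fv_len) + FV_SIGNATURE                      # FvLength, Signature
    hdr += struct.pack("<IHHHBB", 0, header_len, 0, 0, 0, 2)             # Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
    hdr += struct.pack("<IIII", 1, fv_len, 0, 0)                         # BlockMap: 1 block of fv_len bytes, then terminator
    struct.pack_into("<H", hdr, 50, _checksum16(bytes(hdr)))            # header checksum over the whole header
    return bytes(hdr) + bytes(body)


def list_ffs_files(fv: bytes):
    """Walk one uncompressed firmware volume and return guid/type/offset/payload-hash per file."""
    if fv[40:44] != FV_SIGNATURE:
        raise ValueError("no _FVH signature: not a firmware volume")
    fv_len, = struct.unpack_from("<Q", fv, 32)
    header_len, = struct.unpack_from("<H", fv, 48)
    if sum(struct.unpack_from(f"<{header_len // 2}H", fv)) & 0xFFFF:
        raise ValueError("firmware volume header checksum mismatch")
    files, off = [], header_len
    while off + FFS_HEADER_LEN <= fv_len:
        name = fv[off:off + 16]
        if name == b"\xff" * 16:          # erased flash: free space, no further files
            break
        ftype, attrs = fv[off + 18], fv[off + 19]
        if attrs & FFS_ATTRIB_LARGE_FILE:
            raise ValueError(f"large-file header at 0x{off:x} not supported by this example")
        size = int.from_bytes(fv[off + 20:off + 23], "little")
        if size < FFS_HEADER_LEN or off + size > fv_len:
            raise ValueError(f"corrupt FFS header at 0x{off:x}")
        payload = fv[off + FFS_HEADER_LEN:off + size]
        files.append({"guid": str(uuid.UUID(bytes_le=name)), "type": ftype, "offset": off,
                      "sha256": hashlib.sha256(payload).hexdigest()})
        off += size
        off += -off % 8                   # realign to the next 8-byte boundary
    return files


def diff_inventory(baseline_fv: bytes, suspect_fv: bytes):
    """Compare the suspect dump's file inventory with the vendor baseline, keyed by file GUID."""
    base = {f["guid"]: f for f in list_ffs_files(baseline_fv)}
    susp = {f["guid"]: f for f in list_ffs_files(suspect_fv)}
    return {
        "added": sorted(g for g in susp if g not in base),
        "removed": sorted(g for g in base if g not in susp),
        "modified": sorted(g for g in susp if g in base and susp[g]["sha256"] != base[g]["sha256"]),
    }


# Constructed fixtures: GUIDs and payloads are invented, not real vendor or MoonBounce artefacts.
BASELINE_FILES = [
    ("11111111-2222-3333-4444-555555555555", FV_FILETYPE_DRIVER, b"vendor DXE driver A"),
    ("66666666-7777-8888-9999-aaaaaaaaaaaa", FV_FILETYPE_DRIVER, b"vendor DXE driver B"),
]
SUSPECT_FILES = [
    BASELINE_FILES[0],
    ("66666666-7777-8888-9999-aaaaaaaaaaaa", FV_FILETYPE_DRIVER, b"vendor DXE driver B + hook"),
    ("deadbeef-0000-4000-8000-000000000001", FV_FILETYPE_DRIVER, b"driver the vendor never shipped"),
]

if __name__ == "__main__":
    report = diff_inventory(build_fv(BASELINE_FILES), build_fv(SUSPECT_FILES))
    for kind, guids in report.items():
        print(f"{kind:9s} {guids}")
```

The hash comparison is deliberately per file rather than per image: a vendor update legitimately changes many files, and a per-file diff keeps the list of unexpected changes short enough to triage. A baseline must come from the vendor's signed capsule or a dump taken before deployment; a dump from a second machine of the same model is only as trustworthy as that machine.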
Revealed: Malware from Fake Source, Whistleblower's Gratitude and the Story of the Tek Fog Story
FROM THE MEDIA: (India) Days after The Wire’s exclusive on the Tek Fog app, an intriguing email from a person claiming to be a Persistent Systems insider arrived. It had a malware payload and Protonmail successfully got rid of it. Last week, The Wire revealed the existence of a highly sophisticated secret app called ‘Tek Fog’, used by cyber troops affiliated with India’s ruling party to hijack major social media and encrypted messaging platforms. The 20-month-long investigation shows how the app automates hate and targeted harassment, spreads propaganda and is a marriage of big tech and dirty politics. Read all three parts of the investigation here, here and here. Tek Fog may be an app that aims to dehumanize and divide people, but our investigation into its use in 2020 also marked the beginning of our friendship. On March 1, 2020, Ayushman and Kumhar met for the first (and only) time in person, outside a local market in Noida. The purpose of this meeting was to discuss a report Kumhar had independently published a few months earlier that highlighted the massive tweet volumes and complex hierarchies of the BJP and Congress IT Cells on Twitter. Ayushman was interested in finding common ground between his work as a research analyst at a digital forensic lab and the dataset that Kumhar had used to analyze the network of IT Cells. A day before we met, he was working on a two-part investigation into neo-Nazi groups on Telegram and was amazed at how the BJP network graph looked in one of my reports.
READ THE STORY: The Wire
Redline Malware Used to Steal Saved Credentials
FROM THE MEDIA: Passwords are difficult to remember. We all know we shouldn’t reuse the same or similar passwords across platforms. Stolen credentials are dumped on the dark web, and criminals use them to steal other data from victims, including frequent flyer miles, online banking credentials, cryptocurrency and other digital assets, and to get into employers’ systems. But passwords are hard to remember, so we may be tempted when the Chrome pop-up asks whether we want to save them. A relatively new malware, dubbed Redline Stealer, gives us another reason not to save passwords in Chrome (or any other browser). According to AhnLab ASEC, “Redline Stealer is an infostealer that collects account credentials saved to web browsers, which first appeared on the Russian dark web in March 2020.” In the case AhnLab researched, the user had saved the credentials for the company VPN in the browser on a company laptop. The user, who was working from home, allowed everyone in the household to use the laptop. It was infected with the malware through lax security measures, which gave the threat actor access to the saved VPN credentials, and the attacker used those credentials to infiltrate the company’s systems.
READ THE STORY: National Law Review
‘Anomalous’ spyware stealing credentials in industrial firms
FROM THE MEDIA: Researchers have uncovered several spyware campaigns that target industrial enterprises, aiming to steal email account credentials and either use them for financial fraud or resell them to other actors. The actors use off-the-shelf spyware tools but deploy each variant for only a very limited time to evade detection. Kaspersky calls these spyware attacks ‘anomalous’ because they are so short-lived compared with what is typical in the field: the lifespan of an attack is roughly 25 days, whereas most spyware campaigns last for months or even years. The number of attacked systems per campaign is always below one hundred, about half of them ICS (industrial control system) machines deployed in industrial environments. Another unusual element is the use of SMTP to exfiltrate data to the actor-controlled C2 server. Unlike HTTPS, which most spyware uses for C2 communication, SMTP is a one-way channel that serves only data theft. SMTP is not a common choice for threat actors because, as a push-only channel, it cannot fetch binaries or other files from the operator, but it is simple and blends in with regular network traffic.
READ THE STORY: Bleeping Computer
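Because the exfiltration channel is SMTP on the standard mail ports, and submission on 465/587 is wrapped in TLS, the useful signal is not message content but who initiates SMTP to whom and how lopsided the byte counts are. The script below is an added example, not Kaspersky's detection logic: it reads Zeek-style conn.log records reduced to ten tab-separated columns (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, orig_bytes, resp_bytes), ignores traffic to the sanctioned relay, and flags internal hosts that push mail anywhere else, marking sessions where bytes out dwarf bytes in. The log lines, addresses and relay are constructed for the example.

```python
"""Flag internal hosts that speak SMTP to anything other than the sanctioned relay (added example)."""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}    # plain SMTP, implicit TLS, submission
UPLOAD_RATIO = 10              # bytes out more than 10x bytes in: push-only, as expected of exfiltration

# Constructed sample in Zeek conn.log column order (subset of columns). Not real telemetry.
# Columns: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1642752000.10\tC1\t10.20.30.40\t51000\t10.0.0.25\t25\ttcp\tsmtp\t2100\t900
1642752005.20\tC2\t10.20.30.41\t51001\t203.0.113.77\t587\ttcp\tsmtp\t480000\t1200
1642752010.30\tC3\t10.20.30.41\t51002\t203.0.113.77\t587\ttcp\tsmtp\t512000\t1100
1642752015.40\tC4\t10.20.30.50\t51003\t198.51.100.9\t443\ttcp\tssl\t3000\t80000
1642752020.50\tC5\t10.20.31.7\t51004\t192.0.2.200\t465\ttcp\t-\t65000\t600
"""


def parse_conn_lines(text: str):
    """Parse the reduced conn.log format above into dicts; '-' byte counts become 0."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append({
            "ts": float(f[0]), "uid": f[1],
            "src": ipaddress.ip_address(f[2]), "sport": int(f[3]),
            "dst": ipaddress.ip_address(f[4]), "dport": int(f[5]),
            "proto": f[6], "service": f[7],
            "orig_bytes": int(f[8]) if f[8] != "-" else 0,
            "resp_bytes": int(f[9]) if f[9] != "-" else 0,
        })
    return records


def find_smtp_egress(records, internal_nets, approved_relays):
    """Aggregate SMTP sessions from internal hosts to non-relay destinations by (src, dst, port)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    relays = {ipaddress.ip_address(r) for r in approved_relays}
    agg = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "bytes_in": 0})
    for r in records:
        # Port match catches TLS-wrapped sessions Zeek could not label; service match catches odd ports.
        is_smtp = r["dport"] in SMTP_PORTS or r["service"] == "smtp"
        if not is_smtp or not any(r["src"] in n for n in nets) or r["dst"] in relays:
            continue
        a = agg[(str(r["src"]), str(r["dst"]), r["dport"])]
        a["connections"] += 1
        a["bytes_out"] += r["orig_bytes"]
        a["bytes_in"] += r["resp_bytes"]
    findings = []
    for (src, dst, port), a in sorted(agg.items()):
        findings.append({"src": src, "dst": dst, "dport": port, **a,
                         "upload_heavy": a["bytes_out"] > UPLOAD_RATIO * max(a["bytes_in"], 1)})
    return findings


if __name__ == "__main__":
    hits = find_smtp_egress(parse_conn_lines(SAMPLE_CONN_LOG), ["10.0.0.0/8"], ["10.0.0.25"])
    for h in hits:
        flag = "UPLOAD-HEAVY" if h["upload_heavy"] else ""
        print(f"{h['src']} -> {h['dst']}:{h['dport']} sessions={h['connections']} "
              f"out={h['bytes_out']} in={h['bytes_in']} {flag}")
```

The same allowlist belongs on the egress firewall: if only the relay may reach 25/465/587 on the internet, a workstation or engineering host attempting it produces a deny log rather than a successful exfiltration, and the detection above then runs over firewall denies instead of flow records.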
The Federal Bureau of Investigation (FBI) officially linked the Diavol ransomware operation to the infamous TrickBot gang
FROM THE MEDIA: The FBI officially linked the Diavol ransomware operation to the infamous TrickBot gang, the group behind the TrickBot banking trojan. “The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments.” reads the flash alert published by the FBI. “The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.” TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features. Its operators continue to offer the botnet under a multi-purpose malware-as-a-service (MaaS) model.
READ THE STORY: Security Affairs
U.S. Sanctions 4 Ukrainians for Working with Russia to Destabilize Ukraine
FROM THE MEDIA: The U.S. Treasury Department on Thursday announced sanctions against four current and former Ukrainian government officials for engaging in "Russian government-directed influence activities" in the country, including gathering sensitive information about its critical infrastructure. The agency said the four individuals were involved in different roles as part of a concerted influence campaign to destabilize the nation, while also accusing Russia's national security authority, the Federal Security Service (FSB), of recruiting Ukrainians in key positions to create instability. Two of the officials, Taras Kozak and Oleh Voloshyn, are alleged to have worked to amplify false narratives and undermine confidence in the Ukrainian government, while Vladimir Sivkovich, former Deputy Secretary of the Ukrainian National Security and Defense Council, attempted to build support for Ukraine to officially cede Crimea to Russia. "Russia has directed its intelligence services to recruit current and former Ukrainian government officials to prepare to take over the government of Ukraine and to control Ukraine's critical infrastructure with an occupying Russian force," the Treasury Department said.
READ THE STORY: THN // Aljazeera
Items of interest
First Person Observations of How HUMINT (Human Source Collection) Operations are a Reflection of Culture in China and the U.S. (Paper)
FROM THE MEDIA: This article examines HUMINT (Human Source Collection) operations as a reflection of cultural practices in China and the U.S. It begins by describing the role of context within daily life in China, then explains this Chinese emphasis on context theoretically by characterizing the U.S. as a lower-context culture and China as a higher-context culture. This serves as the foundation for comparing and contrasting Chinese HUMINT practices with U.S. HUMINT practices. The fundamental finding of the analysis is that Chinese HUMINT practices tend to reflect Chinese high-context communication norms, whereas U.S. HUMINT practices reflect U.S. low-context communication norms. The author draws on over 35 years’ service in the U.S. intelligence community, as both uniformed military and civilian. He retired from the U.S. Air Force (Reserve) in 2007 at the rank of Colonel, his final 14 years spent as an Assistant Air Force Attaché at the U.S. Embassy in Beijing, China. Since then he has continued to work, teach and do research on national security and intelligence issues.
READ THE STORY: PUBS
How Sanctions Work and the Power of U.S. Sanctions (Video)
FROM THE MEDIA: The power of U.S. sanctions holds tremendous sway in international trade and finance. As long as the U.S. dollar remains the world's reserve currency, the power of American sanctions probably won't lose its teeth any time soon. But the United States should not assume it will be the world's financial hub forever if it continues to sanction countries without prudence.
Pentagon Explains What The Purpose Of Ukraine Cyber Attack Could Be (Video)
FROM THE MEDIA: Jen Psaki responds to a question about Russia and cyber attacks during a White House Press Briefing
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to help readers frame key publicly discussed threats and maintain overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in the original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com