Saturday, January 22, 2022 Contact: Bob Bragg-IG Weekly Sponsor: I.D. Sec
Phishing impersonates shipping giant Maersk to push STRRAT malware
FROM THE MEDIA: A new phishing campaign using fake shipping delivery lures installs the STRRAT remote access trojan on unsuspecting victims' devices. Fortinet discovered the new campaign after spotting phishing emails impersonating Maersk Shipping, a giant in the global shipping industry, and using seemingly legitimate email addresses. If the recipient opens the attached document, the macro code that runs fetches STRRAT, a powerful remote access trojan that can steal information and even fake ransomware attacks, onto their machine. As seen in the header information of the phishing emails, the messages are routed through recently registered domains, which increases the risk of their being flagged by email security solutions. The email claims to be information about a shipment, changes in delivery dates, or notices regarding a fictitious purchase, and includes an Excel attachment, or a link to one, that pretends to be the related invoice.
READ THE STORY: Bleeping Computer
CISA, Microsoft Warn of Wiper Malware Amid Russia-Ukraine Tensions
FROM THE MEDIA: The U.S. government agency overseeing cybersecurity is urging the country’s businesses and other organizations to take the necessary steps to protect their networks from any spillover that might occur from the ongoing cyberattacks aimed at Ukraine government agencies and private companies. In an alert issued this week, the Cybersecurity and Infrastructure Security Agency (CISA) cited a series of cyberattacks perpetrated against public and private Ukrainian organizations as tensions between Ukraine and Russia grow despite talks between U.S. and Russian government leaders. Government and private entities in Ukraine have been targeted this month by a barrage of malware that has defaced websites and wiped or corrupted data from Windows- and Linux-based systems. Microsoft’s Threat Intelligence Center, in a blog post Jan. 15, outlined the malware operation that began hitting Ukrainian organizations days before.
READ THE STORY: eSecurity Planet
Microsoft Restricts Excel 4.0 Macros by Default to Protect Users from Malware
FROM THE MEDIA: Microsoft unveiled its plans to disable Excel 4.0 XLM macros by default back in October 2021. The company has now announced that this application policy change is rolling out to all Microsoft 365 tenants, with the aim of protecting customers from malicious documents. For those unfamiliar with Excel 4.0 macros (XLM), this is a record-and-playback feature that was first introduced in Excel version 4.0 back in 1992. It lets enterprise customers create programming code (macros) to help them automate repetitive tasks. Microsoft has been encouraging organizations to migrate to the more secure Visual Basic for Applications (VBA) macros in response to increased XLM-based malware attacks, including Qbot, TrickBot, Zloader, and Dridex. Microsoft disables Excel 4.0 macros in all tenants. Microsoft now plans to reduce the attack surface by actively restricting XLM macros by default for all Excel users. However, IT administrators will be able to manage this policy setting via Group, Cloud and ADMX policies; more details can be found in the Microsoft Excel blog post.
READ THE STORY: Petri
Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes
FROM THE MEDIA: In yet another instance of a software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts no fewer than 360,000 active website installations. "The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites," security researchers from Jetpack, a WordPress plugin suite developer, said in a report published this week. "The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory." The vulnerability has been assigned the identifier CVE-2021-24867. Website security platform Sucuri, in a separate analysis, said some of the infected websites found utilizing this backdoor had spam payloads dating back almost three years, implying that the actors behind the operation were selling access to the sites to operators of other spam campaigns.
READ THE STORY: THN
Russia operates in the grey zone against Ukraine
FROM THE MEDIA: Microsoft said last Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. The operation is being called "WhisperGate." Microsoft has given the threat actor the temporary tracking identifier DEV-0586. The Wall Street Journal sees last week's cyberattacks against Ukrainian targets as pointing to a broader risk of more general cyberwar. WhisperGate was, like NotPetya a few years ago, a pseudo-ransomware attack that delivered a wiper behind defacements and spurious ransom demands. It was, however, less sophisticated than its predecessor, and in particular it lacked the self-propagating worm features that made NotPetya a general danger. Security firm Mandiant has outlined the form it expects Russian cyber operations to assume: "Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine."
READ THE STORY: The Cyber Wire
Russia Detains Four Infraud Cybercrime Members, Tass Reports
FROM THE MEDIA: Russia has detained four members of the Infraud Organization, an international cybercrime ring, the state-run Tass news service reported. The individuals were identified and detained with the support of U.S. authorities, Tass reported, citing a person in Russian law enforcement familiar with the situation whom it didn’t identify. The alleged founder of Infraud will be detained for two months, while the other three were placed under house arrest, the person said. Infraud is known to have used stolen identities and banking information along with malware to commit fraud for at least a decade. Earlier this month, Russian law enforcement raided the homes of 14 members of the ransomware gang REvil, short for Ransomware-Evil, and seized currencies worth nearly $7 million, cryptowallets, and 20 luxury cars, according to Russia’s Federal Security Service, known as the FSB. The Biden administration praised the Kremlin at the time for making the arrests at the request of the U.S. The U.S. and Russia set up an experts group on ransomware in June and have been sharing information, including about attacks on American critical infrastructure.
READ THE STORY: Bloomberg
Russia’s Top Five Persistent Disinformation Narratives
FROM THE MEDIA: Over many years, Russia has fabricated a set of false narratives that its disinformation and propaganda ecosystem persistently injects into the global information environment. These narratives act like a template, which enables the Kremlin to adjust them with one consistency: a complete disregard for truth as it shapes the information environment to support its policy goals. Russian military and intelligence entities are engaging in this activity across Russia’s disinformation and propaganda ecosystem, including malign social media operations, the use of overt and covert online proxy media outlets, the injection of disinformation into television and radio programming, the hosting of conferences designed to influence attendees into falsely believing that Ukraine, not Russia, is at fault for heightened tensions in the region, and the leveraging of cyber operations to deface media outlets and conduct hack-and-release operations.
READ THE STORY: US Embassy
Analysis of Xloader’s C2 Network Encryption
FROM THE MEDIA: Xloader is an information-stealing malware that is the successor to Formbook, which had been sold on hacking forums since early 2016. In October 2020, Formbook was rebranded as Xloader and some significant improvements were introduced, especially related to the command and control (C2) network encryption. With the arrival of Xloader, the malware authors also stopped selling the panel’s code together with the malware executable. When Formbook was sold, a web-based C2 panel was given to customers so they could self-manage their own botnets. In 2017, Formbook’s panel source was leaked, and subsequently the threat actor behind Xloader moved to a different business model. Rather than distributing a fully functional crimeware kit, Xloader C2 infrastructure is rented to customers. This malware-as-a-service (MaaS) business model is likely more profitable and makes piracy more difficult.
READ THE STORY: Security Boulevard
Contextualizing Last Week’s Malicious Cyber Activities Against Ukrainian Government Websites and Systems
FROM THE MEDIA: As reported in the New York Times on Jan. 14, “[h]ackers brought down dozens of Ukrainian government websites,” posting a message on dark screens that read: “Be afraid and expect the worst.” To augment its intimidating effect, the message taunted its intended audience more specifically, “Ukrainians! All your personal data ... have been deleted and are impossible to restore.” Ukraine’s communication intelligence service indicated that “as many as 70 central and regional authority websites were targeted.” The menacing message was published in multiple languages—Ukrainian, Russian and Polish—which the Times’s article speculates is an attempt to “obfuscate” the perpetrators’ origin and motive. In the context of the evolving crisis, U.S. government officials and other experts have anticipated that Russia would engage in offensive cyber operations against Ukraine, but discerning the source and entity responsible for such actions can be difficult. Nevertheless, as reported by the Times, a Ukrainian government agency, the Center for Strategic Communications and Information Security, issued a statement directly blaming Russia for the hack: “We have not seen such a significant attack on government organizations in some time,” it said. “We suggest the current attack is tied to the recent failure of Russian negotiations on Ukraine’s future in NATO,” referring to Moscow’s talks with the West.
READ THE STORY: Lawfare
European Commission launches new open source software bug bounty program
FROM THE MEDIA: The European Commission (EC) has launched a bug bounty program for open source projects that underpin its public services. Bug bounty hunters will be offered up to €5,000 ($5,600) for finding security vulnerabilities in open source software used across the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo, and CryptPad. The program, led by European bug bounty platform Intigriti, will also offer a 20% bonus if a code fix for the bug is provided by the researcher. In a statement released on January 19, the EC said it is looking for reports of security vulnerabilities such as leaks of personal data, horizontal/vertical privilege escalation, and SQL injection. The highest reward will be paid out for “exceptional vulnerabilities”. This latest program comes in the wake of the EU FOSSA program, which paid out more than $220,000 in its 18 months in operation and was heralded a “remarkable success”. Speaking to The Daily Swig, Inti De Ceukelaire, head of hackers at Intigriti, said the partnership came about last year, when Intigriti led a program funded by the EC’s ISA2 program.
READ THE STORY: PortSwigger
Items of interest
An Efficient Mechanism to Prevent the Phishing Attacks (Paper)
FROM THE MEDIA: In the era of modern trends such as cloud computing, social media applications, emails, mobile applications, and URLs, authorized users face an increased risk of being defrauded, as attackers try to gain illegal access to user accounts through malicious attacks. Phishing is one of the most dangerous of these attacks, used to gain illegal access to authorized accounts. Finance, business, banking, and other sensitive sectors face this type of attack because of the important information they hold. In this paper, we propose a secure verification scheme that can overcome the above-mentioned issues. Additionally, the proposed scheme can resist well-known cyberattacks such as impersonation attacks and MITM attacks. Moreover, the proposed scheme has security features such as strong verification, forward secrecy, and user identity anonymity. The security analysis and the experimental results demonstrate the strength of the proposed scheme compared with other related works. Finally, our proposed scheme balances performance against security merits.
READ THE STORY: Iraqi EEE
The Truth about Bug Bounties (Video)
FROM THE MEDIA: The Truth About Bug Bounties: unless you are on the top tier, you’ll need a supplementary income.
The Dark Side of Bug Bounties (Video)
FROM THE MEDIA: Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws. Across the tech industry, similar “bug bounty” programs have become a prized tool in maintaining security — a way to find vulnerabilities and encourage hackers to report them rather than abuse them.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com