Daily Drop(26)

1-24-22

Monday, January 24, 2022 // Contact: Bob Bragg-IG //Weekly Sponsor: T&R

New Chinese Malware Found To Be Difficult To Remove From A PC

FROM THE MEDIA: Kaspersky’s security researchers have found another malware, MoonBounce, that can infect a computer’s UEFI firmware. Researchers believe the malware is from APT41, a cyber-espionage group working for the Chinese government. Unlike other bootkits, MoonBounce does not hide in the hard drive but instead in the SPI memory of the motherboard. Due to this, the malware will remain on the PC even after reinstalling the OS or replacing the hard drive. The only way to remove the MoonBounce is to reflash the SPI memory or replace the motherboard. Researchers found MoonBounce bootkit on the network of a transportation services company. Based on other malware deployed on the infected network, they believe it was the work of APT41, a cyber-espionage group working for the Chinese government. As a safety measure, the team at Kaspersky suggests updating the UEFI firmware regularly. They also mention enabling BootGuard and Trust Platform Modules. For now, these are the only measures we can take other than leaving it to our antivirus software.

READ THE STORY:  Fossbytes

A QUICK LOOK: 

Emotet Now Using Unconventional IP Address Formats to Evade Detection

FROM THE MEDIA: Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers," Trend Micro's Threat Analyst, Ian Kenefick, said in a report Friday. The infection chains, as with previous Emotet-related attacks, aim to trick users into enabling document macros and automate malware execution. The document uses Excel 4.0 Macros, a feature that has been repeatedly abused by malicious actors to deliver malware. Once enabled, the macro invokes a URL that's obfuscated with carets, with the host incorporating a hexadecimal representation of the IP address — "h^tt^p^:/^/0xc12a24f5/cc.html" — to execute an HTML application (HTA) code from the remote host.

READ THE STORY:  THN

A QUICK LOOK: 

CISA adds 17 vulnerabilities to list of bugs exploited in attacks

FROM THE MEDIA: The ‘Known Exploited Vulnerabilities Catalog’ is a list of vulnerabilities that have been seen abused by threat actors in attacks and that are required to be patched by Federal Civilian Executive Branch (FCEB) agencies. “Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise,” explains CISA. “BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.” The vulnerabilities listed in the catalog allow threat actors to perform a variety of attacks, including stealing credentials, gaining access to networks, remotely executing commands, downloading and executing malware, or stealing information from devices.

READ THE STORY:  Cyber Reports

A QUICK LOOK:  

The Dutch National Cybersecurity Centre (NCSC) warns organizations of risks associated with cyberattacks exploiting the Log4J vulnerability.

FROM THE MEDIA: According to the Dutch agency, threat actors the NCSC will continue to attempt to exploit the Log4Shell flaw in future attacks. “Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn’t mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant.” states the Dutch NCSC agency. “The NCSC advises organizations to continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary. In addition, the NCSC advises directors to stay alert by informing themselves about Log4j and the possible impact of abuse on business continuity.” The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high. Recently Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.

READ THE STORY:  Security Affairs

A QUICK LOOK: 

Hackers behind cyber attack on Ukraine gov’t sites affiliated with Russian security services – Polish envoy

FROM THE MEDIA: The Polish government believes it was a group of hackers linked to the Russian secret services recently that recently attacked the websites of Ukrainian government agencies. Earlier, the group carried out a cyber attack on the Bundestag and targeted e-mails of some Polish officials, as stated by the Permanent Representative of Poland to the EU, Ambassador Andrzej Sados, who spoke with journalists late last week, an Ukrinform correspondent reports. "According to the information available to us, the cyber attack on Kyiv last week, January 14-15, was carried out by a group of hackers affiliated with the Russian services. The same group of hackers is responsible for leaking and publishing government correspondence of Polish government officials. Last summer, the same group of hackers ran a cyber attack on the German Bundestag, ahead of the September elections. It was this group that was involved in the recent attacks on Ukraine's government portals," said the Polish diplomat.

READ THE STORY:  Ukrinform

A QUICK LOOK:

FBI issues warning about 'smishing' scams

FROM THE MEDIA:  “Smishing” might be a funny-sounding word, but Aaron Rouse, the FBI’s Special Agent in Charge of its Las Vegas office, says it’s a serious problem. Like “phishing,” when scammers try to entice victims to click on an email link, smishing involves Short Message Service (SMS) as a text message on your cell phone. “Smishing is is the latest form of scams out there in the very useful world of telecommunications,” said Rouse. “We love our devices. We love being able to go online and communicate with anyone we want and have access to all of these things. But that provides a portal for bad guys to do bad things.” It all begins when the person receiving the text clicks on the link. “You'll have a loss of access to your device, sometimes. You'll have afforded somebody access to your device, and you'll possibly lose personally identifiable information.

READ THE STORY:  KSNV

A QUICK LOOK:

Shady Network of Fake Mossad Job Sites Targets Iranian Spies

FROM THE MEDIA: The job hunters at VIP Human Solutions have a unique pitch for those working in sensitive security jobs in Hezbollah and the Assad regime: come work for us in Israel. Underneath a picture of the Israeli flag and a contact number with an Israeli country code, VIP Human Solutions’ website advertises itself as “VIP center for recruitment of the most distinguished in the military and security services of Syria and Hezbollah in Lebanon” that “specializes in research and consultancies in the studies of security and political science in all corners of the world." For those with the right experience, Human Solutions’ headhunters promise fast hiring and big salaries. Intelligence experts say the crude and clumsy sites are fakes, with no plausible connection to Israel’s spy services. But the bogus recruiters’ websites have nonetheless endured, surfacing and disappearing at a number of hosts over the same four year period to pitch to Internet users in Iran, Syria, and Lebanon through Google Ads. Amin Sabeti, a cybersecurity expert and the director of Computer Emergency Response Team in Farsi (CERTFA), believes the job sites are “a honey trap by the [Iranian] regime to identify the potential people interested in working with the foreign intelligence services.”

READ THE STORY:  The Daily Beast

A QUICK LOOK:

Crypto YouTubers fall victim to hacking and scamming attempt

FROM THE MEDIA: Hackers attacked a number of popular crypto YouTuber accounts at some point during the afternoon of Jan. 23. The accounts posted unauthorized videos with text directing viewers to send money to the hacker's wallet. Accounts who appear to have been targeted by the attack include: ‘BitBoy Crypto’, ‘Altcoin Buzz’, ‘Box Mining’, ‘Floyd Mayweather’, ‘Ivan on Tech’, and ‘The Moon’ among others. The Binance Smart Chain wallet address that was listed on the fraudulent videos only had a total of 9 transactions in BNB at the time of writing, with a total value of around $850. Michael Gu told Cointelegraph that his YouTube channel Boxmining posted a video without his permission. “Luckily we caught it within two mins of the video going live and managed to delete it,” he said. “By that time there were already views and comments from my community.” He added that he had done an internal sweep and found no viruses or bugs that may have given the hackers access to his account. “Seems like YouTube might be responsible,” he said.

READ THE STORY:  Cointelegraph

A QUICK LOOK:

China accused of hijacking Australia Prime Minister Scott Morrison's WeChat account

FROM THE MEDIA: The Australian Prime Minister is still yet to retrieve access to his WeChat despite making contact with the 'Chinese community' hours ago. A Liberal member of parliament has accused the Chinese government of foreign interference after Prime Minister Scott Morrison's account on WeChat was hijacked. "It is a matter of record that the platform has stopped the Prime Minister's access, while Anthony Albanese's account is still active featuring posts criticizing the government," Liberal representative Gladys Liu said. "In an election year especially, this sort of interference in our political processes is unacceptable, and this matter should be taken extremely seriously by all Australian politicians." As part of the accusations against the Chinese government, Liu said she would boycott using her official and personal WeChat accounts until an explanation was provided by the platform about the incident. Various Coalition members have also backed Liu's accusations and boycott, with Parliamentary Joint Committee on Intelligence and Security chair and Liberal Senator James Paterson calling for Opposition Leader Anthony Albanese to follow suit in boycotting WeChat.

READ THE STORY:  ZDnet

A QUICK LOOK:

American athletes told to use burner phones at Beijing Winter Olympics

FROM THE MEDIA: The advisory was reportedly sent out twice last year to warn athletes about the possibility of digital surveillance while in China. “Every device, communication, transaction and online activity may be monitored,” the bulletin states. “Your device(s) may also be compromised with malicious software, which could negatively impact future use.” As noted by the WSJ, Great Britain, Canada, and the Netherlands have also cautioned athletes against bringing their personal electronics into the country. The Committee’s fears aren’t unfounded. In 2019, China was caught secretly installing spyware on tourists’ phones who entered from the Xinjiang region. This heavily-surveilled area is populated by the Uyghurs, a predominantly Muslim ethnic minority that China has subjected to imprisonment and torture. In addition, research group Citizen Lab found that China’s My2022 Olympic app, which all attendees are required to install, is full of security holes that could lead to privacy breaches, surveillance, and hacking. US athletes told to use burner phones at Beijing Winter Olympics Back when Beijing held the 2008 Summer Olympics, the US Department of Homeland Security issued a similar advisory for any travelers headed to China, warning that bringing any devices potentially exposes them to “unauthorized access and theft of data by criminal or foreign government elements.”

READ THE STORY:  BI

A QUICK LOOK:

Items of interest

Measuring and visualizing cyber threat intelligence quality(Paper)

FROM THE MEDIA: The very raison d’être of cyber threat intelligence (CTI) is to provide meaningful knowledge about cyber security threats. The exchange and collaborative generation of CTI by the means of sharing platforms has proven to be an important aspect of practical application. It is evident to infer that inaccurate, incomplete, or outdated threat intelligence is a major problem as only high-quality CTI can be helpful to detect and defend against cyber attacks. Additionally, while the amount of available CTI is increasing it is not warranted that quality remains unaffected. In conjunction with the increasing number of available CTI, it is thus in the best interest of every stakeholder to be aware of the quality of a CTI artifact. This allows for informed decisions and permits detailed analyses. Our work makes a twofold contribution to the challenge of assessing threat intelligence quality. We first propose a series of relevant quality dimensions and configure metrics to assess the respective dimensions in the context of CTI. In a second step, we showcase the extension of an existing CTI analysis tool to make the quality assessment transparent to security analysts. Furthermore, analysts’ subjective perceptions are, where necessary, included in the quality assessment concept.

READ THE STORY:  International Journal of Information Security

Cyber Threat Intelligence Explained(Video)

FROM THE MEDIA:  In this video walk-through, we covered the definition of Cyber Threat Intelligence from both the perspective of red and blue team. we explained also Threat Intelligence frameworks and what are TTPs. We used TryHackMe Red Team Threat Intel for demonstration of the practical scenario.

Five online scam red flags(Video)

FROM THE MEDIA: Scammers approach everyone, including crypto investors, gamers, and internet shoppers. But, no matter who the target is or how clever the scamming plan is, fraud can always be detected before it's too late. Online fraud affects almost every brand that has a value. In 2019, a phishing and counterfeiting report examined fraudulent websites across 100+ industries and found that 4.2 million sites were scamming others. Legal, territorial, and ownership difficulties make it extremely difficult to remove such sites once they've been put online. Hosting and registrars that are slow or uncooperative make the takedown process more difficult, and human verification and removal of fraudulent sites adds to the difficulty. Unfortunately, if these sites are left online, they can cause huge problems for businesses, as well as their connection with customers. In this video, you'll find some clues that can help you determine if the person you're dealing with is legitimate or a SCAMMER.

About this Product

These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com