Tuesday, January 25, 2022 // Contact: Bob Bragg-IG //Weekly Sponsor: T&R
Taking Control of Ransomware and Other Malware with a Zero-Trust Strategy
FROM THE MEDIA: Antivirus, sandboxing and similar detection techniques can’t keep up. It’s time for agencies to transform their approach to thwarting malware. In a classic “I Love Lucy” skit, Lucille Ball works at a chocolate factory. Her job is to wrap chocolates as they travel down a conveyor belt, without letting a single candy past. To keep up with the surging volume, she resorts to stuffing chocolates in her hat, her blouse and, finally, her mouth. Cybersecurity pros dealing with malware at today’s government agencies might feel like they face a similar situation. Taking ransomware as an example, 79 successful attacks struck U.S. government organizations in 2020, affecting 71 million people, according to Comparitech. Downtime and recovery costs reached an estimated $18.88 million, with downtime sometimes stretching several months. Overall, the United States suffered 65,000 attacks last year, more than seven per hour, NPR reports.
READ THE STORY: Nextgov
DTPacker malware steals data, loads second-stage payloads
FROM THE MEDIA: Researchers have uncovered a malware packer being used by multiple threat actors to distribute remote access trojans (RATs) used to steal information, and load follow-on payloads like ransomware. Researchers with Proofpoint in a Monday analysis said that the .NET commodity packer, which they call DTPacker, has been associated with dozens of campaigns and multiple threat groups since 2020, and is likely distributed on underground forums. DTPacker uses multiple obfuscation techniques to avoid analysis, sandboxing and antivirus detection. However, what makes the malware unique is its ability to operate as both a packer and a downloader in order to distribute multiple RATs and information stealers, including Agent Tesla, AsyncRAT and FormBook. “The main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter,” said researchers with Proofpoint. “DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and downloader.”
READ THE STORY: Decipher
Trickbot Injections Get Harder to Detect & Analyze
FROM THE MEDIA: The authors of the infamous malware family have added measures for better protecting malicious code injections against inspection and research. The authors of the Trickbot Trojan have added multiple layers of defenses around the malware to make it harder for defenders to detect and analyze the injections it uses during malicious operations. The improvements coincide with escalating activity around the malware and appear designed for attacks in which Trickbot is being used to conduct online banking fraud — something the tool was originally designed for before it was repurposed for malware distribution purposes. Researchers from IBM Trusteer analyzed the most recent code injections that Trickbot uses in the process of stealing information for conducting banking fraud. They discovered new tweaks to it of the type that the operators of the malware have been making since it was first released in 2016.
READ THE STORY: Darkreading
Concerns grow over potential new Russian cyberattacks
FROM THE MEDIA: As the tensions between Russia and Ukraine continue to deepen, security researchers have discovered more about the tactics and malware used in the wiper attacks on Ukrainian organizations, and government officials are warning enterprises in the United States to be prepared for potential intrusions if the U.S. becomes involved in the conflict in some way. The attacks that hit several Ukrainian organizations and government agencies 10 days ago used a piece of malware known as WhisperGate that has multiple stages and is designed to overwrite the master boot record (MBR) of infected computers and delete all of the data on those machines. The malware disguises itself as ransomware, displaying a ransom note after the wiping operations complete. But there’s no way to recover the data and no ransom mechanism. This is quite similar to the 2017 NotPetya attacks in Ukraine, which also used ransomware as a facade for a destructive malware infection and were more widespread than the WhisperGate intrusions. Researchers with Cisco Talos, who have worked on incident response in Ukraine for many years, found that the attackers had access to the target networks for several months before actually deploying the WhisperGate malware, and probably used stolen legitimate credentials for initial access.
READ THE STORY: Decipher
Malicious PowerPoint files used to push remote access trojans
FROM THE MEDIA: Since December 2021, a growing trend in phishing campaigns has emerged that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. According to a report by Netskope’s Threat Labs shared with Bleeping Computer before publication, the actors are using PowerPoint files combined with legitimate cloud services that host the malware payloads. The families deployed in the tracked campaign are Warzone (aka AveMaria) and AgentTesla, two powerful RATs and info-stealers that target many applications, while the researchers also noticed the dropping of cryptocurrency stealers. The malicious PowerPoint phishing attachment contains an obfuscated macro executed via a combination of PowerShell and MSHTA, both built-in Windows tools. The VBS script is then de-obfuscated and adds new Windows registry entries for persistence, leading to the execution of two scripts. The first one fetches AgentTesla from an external URL, and the second disables Windows Defender.
READ THE STORY: Bleeping Computer
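A detection sketch for the chain described above, added here as an illustration and not taken from the Netskope or Bleeping Computer material: it flags an Office process spawning mshta.exe or PowerShell, script-host chains, and a Run-key entry whose value invokes a script host, over constructed process and registry events (field names are a simplified Sysmon-like layout, assumed for the example).

```python
# Constructed sample telemetry (simplified Sysmon-style fields); not real events.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe vbscript:Execute(...)"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "value": r"mshta.exe C:\Users\Public\update.hta"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def basename(path):
    """Lower-cased file name of a Windows path or command line token."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail) tuples for events matching the PowerPoint-to-RAT chain."""
    findings = []
    for e in events:
        if e["type"] == "process":
            parent, child = basename(e["parent"]), basename(e["image"])
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", f"{parent} -> {child}"))
            elif parent in SCRIPT_HOSTS and child in SCRIPT_HOSTS:
                findings.append(("script_host_chain", f"{parent} -> {child}"))
        elif e["type"] == "registry":
            key = e["key"].lower()
            launcher = basename(e["value"].split()[0]) if e["value"].strip() else ""
            if any(k in key for k in RUN_KEYS) and launcher in SCRIPT_HOSTS:
                findings.append(("run_key_script_host_persistence", e["key"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(rule, detail)
```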
Log4j: Mirai botnet found targeting ZyXEL networking devices
FROM THE MEDIA: An Akamai researcher has discovered an attempt to use Log4j vulnerabilities in ZyXEL networking devices to "infect and assist in the proliferation of malware used by the Mirai botnet." Larry Cashdollar, a member of the Security Incident Response Team at Akamai Technologies, explained that Zyxel may have been specifically targeted because they published a blog noting they were impacted by the Log4j vulnerability. "The first sample I examined contained functions to scan for other vulnerable devices," Cashdollar wrote in an Akamai blog post. "The second sample... did contain the standard Mirai attack functions," he added. "It appears the... attack vectors had been removed in favor of Log4j exploitation. Based on the attack function names and their instructions, I believe this sample is part of the Mirai malware family."
READ THE STORY: ZDnet
MoleRats APT Launches Spy Campaign on Bankers, Politicians, Journalists
FROM THE MEDIA: State-sponsored cyberattackers are using Google Drive, Dropbox and other legitimate services to drop spyware on Middle-Eastern targets and exfiltrate data. Malicious files doctored up to look like legitimate content related to the Israeli-Palestine conflict are being used to target prominent Palestinians, as well as activists and journalists in Turkey, with spyware. That’s according to a disclosure from Zscaler, which attributes the cyberattacks to the MoleRats advanced persistent threat (APT). Zscaler’s research team was able to tie MoleRats, an Arabic-speaking group with a history of targeting Palestinian interests, to this campaign because of overlap in the .NET payload and command-and-control (C2) servers with previous MoleRats APT attacks. This campaign started last July, Zscaler reported. MoleRats used the Dropbox API for C2 communications in both this and previous campaigns, as well as Google Drive and other established cloud-hosting services to host the payloads, according to Zscaler.
READ THE STORY: Threatpost
The Ransomware Files, Episode 4: Maersk and NotPetya
FROM THE MEDIA: What if malware disguised as ransomware destroyed every copy of a company's Active Directory except for one? That's exactly what happened to global shipping and logistics company Maersk on June 27, 2017. Maersk was one of dozens of organizations crippled by the NotPetya malware in one of the strangest and most devastating global cyberattacks. Gavin Ashton was Maersk's identity and access management service owner at the time. "We talk about milestones and project plans and three, five-year plans," Ashton says. "And the thing about ransomware, or extortion, or whatever you want to call it these days, is it doesn't really care about any of that. It could literally strike this afternoon. That was our wake-up call." Bharat Halai was Maersk's former head of identity and access management. The attack knocked out all of Maersk's copies of Active Directory. Halai's quick thinking uncovered the last remaining uncorrupted copy in Lagos, Nigeria, which had experienced a wide area network outage.
READ THE STORY: Govinfo security
Kaspersky finds firmware bootkit MoonBounce shows major advancement
FROM THE MEDIA: Kaspersky researchers found that firmware bootkit MoonBounce hides in one of the computer’s essential parts: Unified Extensible Firmware Interface (UEFI) firmware. According to the cybersecurity solutions company, MoonBounce was first detected in 2021 and demonstrated a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits. It was linked to well-known advanced persistent threat (APT) actor APT41. According to Kaspersky, MoonBounce is only the third reported UEFI bootkit found in the wild that has been found using the firm’s Firmware Scanner. When compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce has a more complicated attack flow and greater technical sophistication.
READ THE STORY: Backendnews
Port of LA Launches Cyber Resilience Center
FROM THE MEDIA: North America's largest seaport said it is bolstering its cybersecurity readiness and enhancing its threat-sharing and recovery capabilities among supply chain stakeholders with the launch of its new state-of-the-art port community cyber defense solution. The Port of Los Angeles' Cyber Resilience Center (CRC) was designed through a collaborative process with participating stakeholders and will be operated by International Business Machines (IBM). “We must take every precaution against potential cyber incidents, particularly those that could threaten or disrupt the flow of cargo,” said Port of Los Angeles Executive Director Gene Seroka. “This new Cyber Resilience Center provides a new level of awareness for our stakeholders by providing enhanced intelligence, better collective knowledge sharing and heightened protection against cyber threats within our supply chain community.”
READ THE STORY: Marinelink
Items of interest
A Super Dragon Taming the Flood - Why the Cyberspace Administration of China Has Become a Globally Important Government Agency (Paper)
FROM THE MEDIA: READS LIKE PROPAGANDA W/ RU LINKS - Speaks of CCP Cyberspace Administration
Water was central to life in ancient China, as it was the source of life and prosperity but also brought calamity. Not surprisingly, the ability to control water became the central task of China’s rulers, as it was central to the nation’s survival as well as their political legitimacy. This dynamic has also given rise to a saying: “Nine dragons trying to tame the flood,” which refers to multiple entities fighting to solve a single problem but falling short because of an inability to coordinate and cooperate.
READ THE STORY: Valdaiclub (propaganda)
Security Flaws in China’s My2022 Olympics App Could Allow Surveillance (Video)
FROM THE MEDIA: Marietje Schaake, International Policy Director at Stanford's Cyber Policy Center, Eurasia Group senior advisor and former MEP, discusses trends in big tech, privacy protection and cyberspace: Does the Beijing 2022 Olympics app have security flaws? Well, the researchers at the Citizen Lab of the University of Toronto do believe so. And if their revelations, this time, will set off a similar storm as they did with the forensics on NSO Group's spyware company, then there will be trouble ahead for China. The researchers found that the official My2022 app for the sports event, which attendees are actually required to download and to use for documenting their health status, has flaws in the security settings. Loopholes they found could be used for intrusion and surveillance.
China and Russia: MI6’s top concerns (Video)
FROM THE MEDIA: MI6 chief Richard Moore speaks to the “The Economist Asks” podcast about the world's biggest threats—from a possible Russian invasion of Ukraine to China’s increasing access to personal data.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com