Thursday, January 27, 2022 // Contact: Bob Bragg-IG //Weekly Sponsor: T&R
‘Dark Herring’ Billing Malware Swims onto 105M Android Devices
FROM THE MEDIA: The mobile malware heisted hundreds of millions of dollars from unsuspecting users, thanks to 470 different well-crafted malicious apps in Google Play. Nearly 500 malicious apps lurking on the Google Play Store have successfully installed Dark Herring malware — a cash-stealer intended to add sneaky charges onto mobile carrier bills — on more than 100 million Android devices across the globe. Dark Herring malware was discovered by a research team with Zimperium, who estimate the amount the campaign has been able to steal totals in the hundreds of millions, in increments of $15 a month per victim. Google has since removed all 470 malicious applications from the Play Store, and the firm said the scam services are down, but any user with one of the apps already installed could still be actively victimized down the road. The apps are still available in third-party app stores too. Consumers across the world, particularly in under-banked areas, rely on direct carrier billing (DCB) as a mobile payment method, which adds charges for non-telecom services onto a consumer’s monthly phone bill. It’s a juicy target for adversaries.
READ THE STORY: Threatpost
Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
FROM THE MEDIA: "BotenaGo" contains exploits for more than 30 vulnerabilities in multiple vendor products and is being used to spread Mirai botnet malware, security vendor says. The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns. Researchers at AT&T Alien Labs first spotted the malware last November and named it "BotenaGo." The malware is written in Go — a programming language that has become quite popular among malware authors. It comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE. BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year when it first spotted the malware showed BotenaGo using two different methods to receive commands for targeting victims.
READ THE STORY: Darkreading
More intel emerges on WhisperGate malware that hit Ukraine
FROM THE MEDIA: Some of the bursts of traffic reached up to 10Gbps, reports noted, overwhelming the country’s only ISP, and crippling Andorran SquidCraft gamers along with the rest of the population. A massive Minecraft tournament styled after the Netflix blockbuster Squid Game (known, of course, as “SquidCraft”) apparently inspired a distributed denial of service (DDoS) attack that took down the sole (and state-owned) internet service provider in Andorra. A multi-day Netflix’s Squid Game-inspired gaming tournament titled SquidCraft on Minecraft was held between January 19th and January 24th. The event was hosted by Twitch Rivals. But it impacted a small European country named Andorra in the most bizarre manner. For your information, Twitch Rivals is an esports tournament and online competitive event featuring Twitch streamers and former pro players. Unfortunately, during the event that ended just yesterday, Andorra’s only Internet service provider (ISP), Andorra Telecom, was targeted with a series of massive DDoS attacks causing the whole country’s internet to shut down. Reportedly, the DDoS attack happened during the tournament’s second day, when eight or more competitors got their connections disrupted simultaneously, and the country’s internet infrastructure went offline.
READ THE STORY: Computer Weekly
TeaBot and FluBot banking trojans resurface, targeting Android devices
FROM THE MEDIA: Researchers on Wednesday reported that they found a resurgence of the TeaBot and FluBot banking trojans targeting Android devices, as well as an adaptation of the “Is it you in the video?” phishing campaign. In a blog post, Bitdefender researchers said the TeaBot and FluBot trojans — which first emerged last year — pose as ad-blockers and send SMS messages from already-compromised devices to spread the malware. The banking trojans steal banking, contact, SMS and other types of private data from infected devices. The researchers said the threats survive because they come in waves with different messages in different time zones. While the malware itself remains fairly static, the message used to carry it and the domains that host the dropper constantly change.
READ THE STORY: SC Mag
Hackers Using New Evasive Technique to Deliver AsyncRAT Malware
FROM THE MEDIA: A new, sophisticated phishing attack has been observed delivering the AsyncRAT trojan as part of a malware campaign that's believed to have commenced in September 2021. "Through a simple email phishing tactic with an html attachment, threat attackers are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control its infected computers through a secure, encrypted connection," Michael Dereviashkin, security researcher at enterprise breach prevention firm Morphisec, said in a report. The intrusions commence with an email message containing an HTML attachment that's disguised as an order confirmation receipt (e.g., Receipt-<digits>.html). Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process.
READ THE STORY: THN
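Detection-side example for the HTML-smuggling delivery described above, written for this digest and not Morphisec's or THN's code: it scores an HTML attachment on the indicators the article names (in-browser Base64 decode, Blob creation, a forced download, an .iso filename) over a constructed sample. The regexes, the quarantine threshold and the sample pages are assumptions of this example.

```python
import base64
import re

# Heuristic indicators of an HTML-smuggling attachment: a script that decodes a
# Base64 string in the browser, wraps it in a Blob and hands the result to the
# user as a file download. Patterns and threshold are this example's own.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_build": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"),
    "auto_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "iso_filename": re.compile(r"[\"'][^\"']*\.iso[\"']", re.I),
}
# A quoted Base64 literal long enough to carry a file rather than a token.
LONG_B64 = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")
QUARANTINE_THRESHOLD = 3

def scan_html(html):
    """Return (score, hits) for one HTML attachment; score is the hit count."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    m = LONG_B64.search(html)
    if m:
        try:
            base64.b64decode(m.group(1), validate=True)
            hits.append("large_base64_payload")
        except ValueError:
            pass  # looked like Base64 but does not decode; not counted
    return len(hits), hits

def should_quarantine(html):
    return scan_html(html)[0] >= QUARANTINE_THRESHOLD

# Constructed sample in the shape the article describes (receipt-themed page
# that assembles an ISO client-side). The payload is harmless filler text.
FILLER = base64.b64encode(b"constructed filler, not an ISO image; " * 8).decode()
SAMPLE_ATTACHMENT = """<html><body><p>Your receipt is downloading...</p>
<script>
var data = "__B64__";
var blob = new Blob([atob(data)], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Receipt-00000.iso";
</script></body></html>""".replace("__B64__", FILLER)

# Constructed benign page: an ordinary download link stays below the threshold.
BENIGN_PAGE = '<html><body><a href="report.pdf" download="report.pdf">Report</a></body></html>'
```

Because the decoy ISO is assembled client-side, URL or domain reputation never sees a download; scanning the attachment body for this combination of indicators is what catches it at the mail gateway.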
Senator: U.S. Needs More Cyber Plans, Money to Handle Russia
FROM THE MEDIA: Given that Washington, D.C., and Russia are at odds over Ukraine, U.S. Sen. Gary Peters said there's an urgent need for more federal cybersecurity programs and funding to prepare for any Russia-linked cyber attacks. U.S. Sen. Gary Peters again emphasized the need for a continued federal cybersecurity response Tuesday during a visit to a Grand Rapids career training facility.
Peters, D-Bloomfield Township, chairs the Senate Homeland Security and Governmental Affairs Committee in Washington. In recent months, Peters and other lawmakers have introduced a slate of bills focused on cybersecurity initiatives, from bolstering the ability of local governments to respond to cyber attacks to offering more protection to commercial satellites in the U.S., among other causes.
"Probably one of the most, if not the most, significant threats to the homeland now are cyber," Peters said. "Cyber attacks are constant, whether you're in healthcare, finance, whatever business you're in right now, including small business."
READ THE STORY: Govtech
White House downplays concerns of Russian cyber strikes on US homeland
FROM THE MEDIA: The White House downplayed concerns that the United States could soon face Russian cyber strikes but said it is prepared to respond with retaliatory action as threats from Moscow escalate over Ukraine. “First of all, there’s no information we have at this point about any imminent threat against the U.S. homeland,” press secretary Jen Psaki told reporters on Wednesday. The Department of Homeland Security has warned that Russia could soon launch cyberattacks against the U.S. if it responds to an invasion of Ukraine. Psaki demurred over Russia specifically, but she said the U.S. is prepared to respond with retaliatory cyber strikes. “We have a range of tools at our disposal to use in reaction, and the president reserves the right to do that,” she said.
READ THE STORY: Washington Examiner
DeepDotWeb Administrator Sentenced for Money Laundering Scheme
FROM THE MEDIA: Defendants Received Over $8 Million in Kickbacks from Purchases of Contraband on Darknet Marketplaces. An Israeli national was sentenced yesterday to 97 months in prison for operating DeepDotWeb (DDW), a website that connected internet users with Darknet marketplaces, where they purchased illegal firearms, malware and hacking tools, stolen financial data, heroin, fentanyl and other illicit materials. According to court documents, Tal Prihar, 37, an Israeli citizen residing in Brazil, pleaded guilty to conspiracy to commit money laundering in March 2021. Beginning in October 2013, Prihar owned and operated DDW, along with co-defendant Michael Phan, 34, of Israel. In addition to providing general information about the Darknet, DDW provided users with direct links to illegal Darknet marketplaces, which are not accessible through traditional search engines. For providing these links, Prihar and Phan received kickback payments from the marketplaces in the form of virtual currency, including approximately 8,155 bitcoins (worth approximately $8.4 million at the time of the transactions). To conceal the nature and source of these illegal kickback payments, Prihar transferred the payments from his DDW bitcoin wallet to other bitcoin accounts and to bank accounts he controlled in the names of shell companies.
READ THE STORY: DoJ
NSA Releases Cyber Advisory to Secure VSAT Networks
FROM THE MEDIA: The National Security Agency provided a set of recommendations to help organizations protect very small aperture terminals and understand associated risks. The cybersecurity advisory titled “Protecting VSAT Communications” recommends enabling all available capabilities that secure transmissions across VSAT networks, NSA said Tuesday. These capabilities include encryption, which the agency advises applying to communications prior to transmission. NSA also urges organizations to keep information technology hardware up to date; change default, vendor-specific credentials that come in VSAT systems; and isolate the network’s management plane via firewalls. Isolating the management plane or system would make it inaccessible to remote modems, which could be openings to threats. The agency noted that VSAT technology was not made with a strict security focus, and thus recommends precautionary steps to mitigate risks.
READ THE STORY: NSA
Canada will not send Ukraine weapons but boost cyber support, training mission
FROM THE MEDIA: Emergency training at a restricted facility off Long Island has aimed to minimize the potentially catastrophic effects of a cyberattack on U.S. power infrastructure. Five times over three years, a desperate scenario has played out on Plum Island, an isolated spit of land just off the northeastern tip of New York’s Long Island. A large part of the power grid has gone down, leaving the population in the dark and critical facilities such as hospitals growing desperate. A team of utility operators and cybersecurity experts scrambles to get the grid back up, while hackers try to keep it down. Each emergency was a drill held by the Defense Advanced Research Projects Agency (Darpa), the Pentagon’s moonshot research arm. Its goal was to expose utilities accustomed to dealing with hurricanes, blizzards, and other challenges to the reality of a successful cyberattack on the U.S. electrical grid.
READ THE STORY: Bloomberg
Items of interest
Structure of Iran’s Cyber Warfare (Paper)
FROM THE MEDIA: In Iran, the highest government body that deals with the cyberspace is a newly-established organization named the High Council of Cyberspace (Shoray-e Aali-e Fazaye Majazi). In March of 2012 this new structure was set up on the orders of Ayatollah Khamenei with the mission of instituting high-level policies on the cyberspace. After the foundation of the High Council of Cyberspace, all other Iranian organizations in charge of cyber operations are committed to implement the policies instituted by this new government body. This council comprises the highest-level Iranian authorities such as the president, the heads of the judicial power and the parliament, the head of the state-run radio-television, the commanders-in-chief of the IRGC [1] and the police, the ministers of Intelligence, Telecommunication, Culture, Science, etc.
READ THE STORY: Strato
How a cyber attack crippled the Colonial Pipeline (Video)
FROM THE MEDIA: The Colonial Pipeline cyberattack caused a major blow to the gasoline industry in the southern and eastern parts of the United States, but it also showed how vulnerable the US energy grid is to more attacks in the future.
A Case Study of the Capital One Data Breach (Video)
FROM THE MEDIA: Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identifying related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com