Saturday, January 29, 2022 // Contact: Bob Bragg-IG // Weekly Sponsor: T&R
Lazarus APT Uses Windows Update to Spew Malware
FROM THE MEDIA: The group once again dangled fake job opportunities at engineers in a spear-phishing campaign that used Windows Update as a living-off-the-land technique and GitHub as a C2. Lazarus Group is using Windows Update to spray malware in a campaign powered by a GitHub command-and-control (C2) server, researchers have found. The focus of the campaign – in which the APT masqueraded as American global security and aerospace giant Lockheed Martin – is in keeping with Lazarus’ taste for infiltrating the military. Researchers consider Lazarus, which has been active since at least 2009, to be one of the world’s most active threat actors. The United States also refers to Lazarus as Hidden Cobra: a name used to refer to malicious cyber-activity by the North Korean government in general. “This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defense industry and cryptocurrency markets,” Kaspersky researchers have noted in the past.
READ THE STORY: Threatpost
FTC Warns of 18-Fold Surge in Investment, ‘Romance’ Scams on Social Media
FROM THE MEDIA: More than 95,000 Americans were bilked over social media in 2021 resulting in losses approaching $1 billion. Be careful about lending that attractive new Facebook friend or Instagram follower money, the Federal Trade Commission warned this week. According to an FTC report, American consumers lost about $770 million to fraud schemes originating on social media in 2021, an 18-fold increase over money lost over social media in 2017. The “massive surge” of fraud originating on social platforms is being driven chiefly by investment scams involving cryptocurrency and “romance scams,” the agency warned. “Losses to romance scams have climbed to record highs in recent years. More than a third of people who said they lost money to an online romance scam in 2021 said it began on Facebook or Instagram,” the FTC reports. “These scams often start with a seemingly innocent friend request from a stranger, followed by sweet talk, and then, inevitably, a request for money.” While romance scams accounted for only 9% of total reports to the FTC, they were the most cost-effective for fraudsters, accounting for 24% of all money lost to fraud over 2021, or about $190 million.
READ THE STORY: Cyber Reports
Cybercriminals increasingly utilizing Excel add-in files to spread malware: HP report
FROM THE MEDIA: According to HP's latest global Wolf Security Threat Insights Report, there was a near-sixfold surge (+588%) in attackers using malicious Microsoft Excel add-in (.xll) files to infect systems during Q4 2021, compared to the third quarter, with the researchers expecting the trend to continue throughout 2022. The HP Wolf Security threat research team has identified a wave of attacks utilizing Microsoft Excel add-in files to spread malware and expose businesses and individuals to data theft and destructive ransomware. This technique is particularly dangerous as it only requires one click to run the malware, the researchers say. The HP Wolf Security threat research team also highlighted a spam campaign, QakBot, that used Excel files to trick targets, using compromised email accounts to hijack email threads and reply with an attached malicious Excel (.xlsb) file. Once delivered, QakBot injects itself into legitimate Windows processes to evade detection.
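A mail-gateway triage routine for the two lure types in the HP report (.xll add-ins and .xlsb workbooks), as an added illustration that is not HP Wolf Security's code. It relies on two facts: an .xll add-in is a native Windows DLL, i.e. a PE image whose bytes start with "MZ", and .xlsb/.xlsx/.xlsm workbooks are OOXML zip containers starting with "PK\x03\x04" that carry any VBA in xl/vbaProject.bin. Every sample attachment below is constructed in memory; the verdict rules (block, review, allow) are an assumed policy, not HP's.

```python
"""Attachment triage for Excel add-in (.xll) and workbook (.xlsb) lures.

Added illustration, not HP Wolf Security's code. Sample attachments are
constructed in memory; the checks inspect file magic, not just the name.
"""
import io
import os
import zipfile

PE_MAGIC = b"MZ"            # native Windows executable / DLL (an .xll is one)
ZIP_MAGIC = b"PK\x03\x04"   # OOXML workbooks are zip containers
WORKBOOK_EXT = {".xlsb", ".xlsx", ".xlsm"}


def workbook_has_vba(data: bytes) -> bool:
    """True if the OOXML container carries a VBA project (macro-enabled)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower() == "xl/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return the findings for one attachment (empty list means nothing noted)."""
    ext = os.path.splitext(name)[1].lower()
    findings = []
    if ext == ".xll":
        # Native code that Excel loads as soon as the add-in is opened.
        findings.append("xll-addin")
    elif data.startswith(PE_MAGIC):
        # A PE image wearing some other extension (e.g. invoice.xlsx).
        findings.append("pe-disguised-as-" + (ext or "noext"))
    if ext in WORKBOOK_EXT:
        if not data.startswith(ZIP_MAGIC):
            findings.append("workbook-magic-mismatch")
        elif workbook_has_vba(data):
            findings.append("workbook-with-macros")
    return findings


def verdict(findings: list[str]) -> str:
    """Assumed gateway policy: native code is blocked, macro workbooks go to review."""
    for f in findings:
        if f == "xll-addin" or f.startswith("pe-disguised") or f == "workbook-magic-mismatch":
            return "block"
    return "review" if findings else "allow"


def make_workbook(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like zip (sample data, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments standing in for the campaign's lures.
SAMPLES = {
    "RFP_Q4.xll": PE_MAGIC + b"\x90\x00" * 30,         # native add-in
    "invoice.xlsx": PE_MAGIC + b"\x90\x00" * 30,       # PE disguised as a workbook
    "RE_ thread.xlsb": make_workbook(with_vba=True),   # macro-enabled thread-reply lure
    "budget.xlsx": make_workbook(with_vba=False),      # plain workbook
}


def triage_all(samples=SAMPLES) -> dict[str, str]:
    """Verdict per attachment name."""
    return {name: verdict(triage_attachment(name, data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, action in triage_all().items():
        print(f"{action:6s} {name}  {triage_attachment(name, SAMPLES[name])}")
```

The point of checking magic bytes as well as the extension is that an .xll renamed to .xlsx is still a DLL, and a workbook whose container does not start with a zip header is not a workbook; either mismatch is a stronger signal than the file name alone.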
READ THE STORY: Devdiscourse
Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing
FROM THE MEDIA: Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim's network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials. The attacks took place in two stages. "The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand," Microsoft 365 Defender Threat Intelligence Team said in a technical report published this week. "Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam." The campaign started with users receiving a DocuSign-branded phishing lure containing a link, which, upon clicking, redirected the recipient to a rogue website masquerading as the login page for Office 365 to steal the credentials.
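A detection for the pattern Microsoft describes, as an added illustration that is not Microsoft's detection logic: pair each device-registration audit event with the most recent sign-in by the same account in the preceding hour, and alert when that sign-in did not satisfy MFA, escalating when it also came from an address the account had never used. The event shapes, the one-hour window, the baseline of known IPs and all sample records are constructed assumptions; a real tenant would feed its sign-in and audit logs into the same functions.

```python
"""Flag device registrations made from sessions that lacked MFA.

Added illustration, not Microsoft's code. Event shapes and sample data are
constructed; timestamps are ISO 8601 strings as they might be exported from a
sign-in log and an audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: account, time, source address, MFA satisfied?
SIGNINS = [
    {"user": "alice@example.test", "ts": "2022-01-25T08:02:00", "ip": "203.0.113.10", "mfa": True},
    {"user": "alice@example.test", "ts": "2022-01-25T09:10:00", "ip": "198.51.100.7", "mfa": False},
    {"user": "bob@example.test",   "ts": "2022-01-25T09:12:00", "ip": "198.51.100.7", "mfa": True},
    {"user": "carol@example.test", "ts": "2022-01-25T10:00:00", "ip": "203.0.113.22", "mfa": False},
]

# Constructed device-registration audit events.
DEVICE_REGS = [
    {"user": "alice@example.test", "ts": "2022-01-25T09:14:00", "device": "DESKTOP-7F3Q"},
    {"user": "bob@example.test",   "ts": "2022-01-25T09:15:00", "device": "BOB-LAPTOP"},
    {"user": "carol@example.test", "ts": "2022-01-25T10:05:00", "device": "CAROL-PHONE"},
    {"user": "carol@example.test", "ts": "2022-01-25T16:00:00", "device": "CAROL-TABLET"},
]

# Constructed baseline: addresses each account has been seen from before.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"203.0.113.11"},
    "carol@example.test": {"203.0.113.22"},
}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_suspicious_registrations(signins, regs, known_ips, window=timedelta(hours=1)):
    """Pair each registration with the latest sign-in by that account inside
    `window`; report the pair when the sign-in had no MFA. Risk is 'high' when
    the sign-in address is also outside the account's baseline."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)

    alerts = []
    for reg in regs:
        reg_ts = _t(reg["ts"])
        candidates = [
            s for s in by_user[reg["user"]]
            if 0 <= (reg_ts - _t(s["ts"])).total_seconds() <= window.total_seconds()
        ]
        if not candidates:
            continue  # no sign-in close enough to attribute the registration to
        latest = max(candidates, key=lambda s: s["ts"])
        if latest["mfa"]:
            continue  # the session that registered the device proved MFA
        new_ip = latest["ip"] not in known_ips.get(reg["user"], set())
        alerts.append({
            "user": reg["user"],
            "device": reg["device"],
            "ip": latest["ip"],
            "risk": "high" if new_ip else "medium",
        })
    return alerts


def registration_permitted(signin) -> bool:
    """Preventive counterpart (assumed policy shape): honour a device-registration
    request only from a session that satisfied MFA."""
    return bool(signin["mfa"])


if __name__ == "__main__":
    for a in find_suspicious_registrations(SIGNINS, DEVICE_REGS, KNOWN_IPS):
        print(f"{a['risk']:6s} {a['user']} registered {a['device']} from {a['ip']} without MFA")
```

On the constructed data the rule raises two alerts: alice's registration (no MFA, never-seen address) is high, carol's first registration (no MFA, known address) is medium, bob's is quiet because his session proved MFA, and carol's afternoon registration has no sign-in within the window and is left for a separate unpaired-registration check. The `registration_permitted` function is the control the report implies: had the BYOD policy required MFA to register a device, the stolen credentials alone would not have been enough.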
READ THE STORY: THN
The Role of Cyber “Elves” Against Russian Information Operations
FROM THE MEDIA: Guerrillas of brave elves taking down hordes of dark trolls in an ideological conflict over the future of humanity. This is not the beginning of a fantasy novel but a somewhat accurate description of everyday realities in cyberspace across Europe. The “elves”—a group of cyber activists fighting pro-Kremlin propaganda and disinformation campaigns—are a growing yet little-known phenomenon. Having started in 2014 as less than 20 individuals in Lithuania, the movement expanded to 13 Central and Eastern European countries, and it counted about 4,000 volunteers by 2021. Given the size and the pace of growth of the elves, together with their successful yet unadvertised missions, it would be unwise to overlook or underestimate this movement. Russian information operations against the Western democracies will grow in number, scale, and sophistication in the coming years. This is partially caused by the worsening state of relations between the West and Russia, partially by the global trend of the gradual shift of social and public life from the analog to the digital world. Already short of capacity to effectively counter pro-Kremlin information operations, Western stakeholders must seek and support innovative means to counter Russian information war. Cyber activism is one of them.
READ THE STORY: German Marshall Fund
Cyberattack Targets Belarus' Rail Network To Slow Flood Of Russian Forces Into The Country
FROM THE MEDIA: Portions of the computer networks that support Belarus' national railway infrastructure are reportedly still reeling from the effects of a cyberattack. An independent hacking group claimed responsibility for the incident, which they said was in part intended to hamper the movement of Russian forces into the country. The Kremlin has deployed thousands of troops to Belarus, along with a wide array of materiel, including tanks, short-range ballistic missiles, and combat aircraft, in recent weeks, much of it by rail. Although these forces are officially set to take part in large-scale exercises next month, there continue to be fears that this might actually be part of Russian preparations to launch a new invasion of Ukraine. The cyberattack was conducted by a group calling itself the Belarusian Cyber-Partisans in an effort to disrupt the ongoing flow of Russian military equipment into the country. In a message posted to Telegram on January 24, the hacktivist group wrote that the Belarusian Railway, or BelZhD, had allowed “occupying troops to enter our land” at the order of the “terrorist Lukashenko,” or Belarusian President Alexander Lukashenko.
READ THE STORY: Thedrive
In Israel, ransomware attacks against private companies pose a new kind of national security threat
FROM THE MEDIA: This new generation of ransomware attacks underscores how a new front in the conflict between Iran and Israel is developing. Ostensibly financial crimes, ransomware has become a tool of statecraft with the geopolitical aim to damage the social bonds of Israeli society and public trust in the country’s institutions, rather than to damage infrastructure or extract a financial bounty. While the Israeli Cyber Directorate has issued multiple recommendations and warnings about this new “wave of attacks,” the responsibility to protect private computer systems still rests with companies. The advent of geopolitical ransomware exploits a structural vulnerability: a route to damage the social cohesion of a country via geopolitical attacks that bypass state defenses. Last October, in what is called the “Atraf” hack, Black Shadow, a group with links to Iran, hacked into the servers of CyberServe, an Israeli hosting company, accessing websites and applications of the company’s customers. Among its customers was the LGBTQ dating app, Atraf. The application’s databases were not encrypted, making it easier for hackers to get their hands on very sensitive personal information.
READ THE STORY: Rappler
OpenSea Reimburses Users $1.8M Following Bug That Sold NFTs at Unbelievably Low Prices
FROM THE MEDIA: Earlier this week, OpenSea discovered that hackers had exploited an internal system bug to “steal” over $1 million worth of NFTs from the platform’s most sophisticated customers. According to data provided by OpenSea, it refunded a total of 750 Ether to over 130 wallet items, coming after major backlash that it had failed to properly address the user interface feature allowing unknown third parties to buy over $1 million worth of NFTs on discount. The feature that enabled unknown opportunists to take advantage of this loophole affected users who had transferred their previously listed NFTs to other wallets without cancelling the old listings. Originally reported by the blockchain security company, Elliptic, the company said that hackers exploited the bug to exploit that ability to buy previously listed NFTs extremely cheap at their earlier listed prices, so they could in turn sell them at much higher market rates. However, OpenSea responded stating that this was “not an exploit or a bug” but rather “…an issue that arises because of the nature of the blockchain. OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings,” according to ZDNet.
READ THE STORY: Beincrypto
Finnish diplomats’ mobile devices hacked with spyware
FROM THE MEDIA: The mobile devices of Finnish diplomats working abroad have been hacked with the use of sophisticated spyware, Finland’s government said Friday, and the Nordic country’s spy chief said a “state actor” was likely to blame. The Finnish Foreign Ministry said the victims were targeted through Pegasus software developed by Israeli spyware company NSO Group. The software can seamlessly infiltrate a mobile phone and allow its operators to gain access to the device’s contents and location history. “The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part,” the Foreign Ministry said in a statement which was also tweeted. “Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.”
READ THE STORY: SeattleTimes
Dark Web Chatter Exposes Cybercriminals’ Arrest Fears After Russian FSB Detained REvil Ransomware Gang Members
FROM THE MEDIA: Cybersecurity firm Trustwave discovered that the January 14 Russian FSB takedown of the REvil ransomware gang caused fear and anxiety in the cybercrime underground. After analyzing dark web chatter on underground forums, Trustwave discovered that the cybercriminals believed they could end up in prison and considered relocating. The Russian domestic security service said the operation was at the request of US authorities to address ransomware attacks originating from the country. FSB says it seized 426 million rubles (approx. $5.6 million), $600,000 in US dollars, €500,000 in Euros, and 20 luxury cars after detaining 14 members of the REvil ransomware gang.
READ THE STORY: CPO Magazine
How Beijing's 2022 Winter Olympics 'sportswashing' propaganda mirrors Hitler's 1936 efforts in Berlin - as desperate Uyghurs speak out about China's brutal pre-Games crackdown on minorities
FROM THE MEDIA: When Adolf Hitler desperately needed to legitimize his tyrannical regime, he set his sights on hosting the Olympic Games - and now China's own totalitarian ruler Xi Jinping is about to do the same, an expert has claimed. Dubbed the 'Genocide Games' by its critics, the 2022 Winter Olympics will go ahead on February 4, despite what observers call the nation's 'systematic repression of ethnic minorities' and erosion of democratic freedoms in Hong Kong. Exiled members of China's Uyghur Muslim population told Daily Mail Australia they've been cut off from any communication with their families in the country's northwestern province of Xinjiang amid a brutal crackdown leading up to the Games. Western democracies have furiously debated whether to boycott the controversial event entirely, just like they did before Berlin's 1936 Summer Olympics. In the end, the Nazi Games went ahead and the same decision was also reached this time around with fears a pull-out would only punish hardworking athletes who've spent their entire lives training for a chance at gold.
READ THE STORY: Daily Mail
Items of interest
How Soft Propaganda Persuades (Paper)
FROM THE MEDIA: An influential body of scholarship argues that authoritarian regimes design “hard” propaganda that is intentionally heavy-handed in order to signal regime power. In this study, by contrast, we link the power of propaganda to the emotional power of “soft” propaganda such as television dramas and viral social media content. We conduct a series of experiments in which we expose over 6,800 respondents in China to real propaganda videos drawn from television dramas, state-backed social media accounts, and state-run newscasts, each containing nationalist messages favored by the Chinese Communist Party. In contrast to theories that propaganda is unpersuasive, we show that propaganda effectively manipulates anger as well as anti-foreign sentiment and behavior, with heightened anti-foreign attitudes persisting up to a week. However, we also find that nationalist propaganda has no effect on perceptions of Chinese government performance or on self-reported willingness to protest against the state.
READ THE STORY: DM
Cyber-Espionage: Out of the shadows. Into the digital crosshairs (Video)
FROM THE MEDIA: Cyber-Espionage breaches pose a unique challenge. Through advanced techniques and a specific focus, Cyber-Espionage threat actors seek to swiftly gain access to heavily defended environments, laterally move with stealth, efficiently obtain targeted assets and data, and move out smartly (or even stay back and maintain covert persistence). The Verizon Cyber-Espionage Report (CER) is our first-ever data-driven publication that focuses on advanced cyberattacks as reflected in the DBIR “Cyber-Espionage” pattern. We've examined seven years (2014-2020) of Data Breach Investigations Report (DBIR) data for Cyber-Espionage breaches and all breaches.
Cyber Espionage: The Chinese Threat (Video)
FROM THE MEDIA: The Chinese government—officially known as the People’s Republic of China (PRC)—engages in malicious cyber activities to pursue its national interests. Malicious cyber activities attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT (including managed service providers), international trade, education, video gaming, faith-based organizations, and law firms. Additionally, Advisories published by CISA and other unclassified sources reveal that China is conducting operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations, including organizations involved in healthcare, pharmaceutical, and research sectors working on COVID-19 response.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com