Wednesday, February 2, 2022 // Contact: Bob Bragg-IG //Weekly Sponsor: T&R
Cyberspies linked to Memento ransomware use new PowerShell malware
FROM THE MEDIA: The PowerLess backdoor features encrypted command-and-control communication channels, and it allows executing commands and killing running processes on compromised systems. It also evades detection by running in the context of a .NET application which allows it to hide from security solutions by not launching a new PowerShell instance. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy. At the time of writing this report, some of the IOCs remained active delivering new payloads," the Cybereason researchers said. In January, APT35 operators were also deploying another previously undocumented PowerShell backdoor dubbed CharmPower in attacks leveraging Log4Shell exploits.
READ THE STORY: Bleeping Computer
"Mars Stealer" Malware Can Grab Your Crypto
FROM THE MEDIA: An improved copy of the Oski Stealer malware (first introduced in November 2019) known as “Mars Stealer” has appeared in the wild and is capable of stealing crypto from popular browser extensions. Mars Stealer is a lightweight malicious program of just 95KB in size, but the security issue it represents is no small thing. Mars Stealer uses a custom grabber to retrieve its configuration from the command and control infrastructure and then proceeds to target application data from popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets. The Trojan malware began circulating on Russian-speaking hacking forums in the summer of 2021 and is able to infect systems through dubious download channels (e.g., unofficial and free file-hosting websites, peer-to-peer sharing networks such as torrent clients, and other third-party downloaders).
READ THE STORY: Crypto Briefing
U.S. Sends Top Security Official to Help NATO Brace for Russian Cyberattacks
FROM THE MEDIA: The White House dispatched its top cybersecurity official to NATO on Tuesday in what it described as a mission to prepare allies to deter, and perhaps disrupt, Russian cyberattacks on Ukraine, and to brace for the possibility that sanctions on Moscow could lead to a wave of retaliatory cyberattacks on Europe and the United States. The visit by the official, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, underscored recent intelligence assessments that an invasion of Ukraine would almost certainly be preceded by renewed cyberattacks on Ukraine’s electric grid, its communications systems and its government ministries. All of those systems have been Russian targets in the past six years. Ukraine has often been President Vladimir V. Putin’s testing ground for Russia’s arsenal of cyberweapons.
READ THE STORY: NYtimes
FBI says cyber actors could 'disrupt' Beijing Olympics, Paralympics
FROM THE MEDIA: The FBI’s cyber division warned in a private industry notification dated Monday that cyber actors could “disrupt” the 2022 Beijing Winter Olympics set to start on Friday, in addition to next month’s Paralympics. “The FBI is warning entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities to disrupt these events,” the agency said. The FBI noted that some of those activities could include ransomware, phishing campaigns, malware and distributed denial of service attacks, among other actions. The agency also warned against installing apps made by “untrusted vendors,” which “could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware.” The FBI noted it was not aware of any specific cyberattacks being planned but emphasized that athletes and others associated with the Games should remain vigilant, including by recommending that people leave their personal devices at home and use a temporary phone while in China.
READ THE STORY: Thehill // WION
Zelensky enacts NSDC’s decision on implementing cyber security strategy
FROM THE MEDIA: President Volodymyr Zelensky put into effect the decision of the National Security and Defense Council of Ukraine of December 30, 2021 "On the Plan of Implementation of the Cyber Security Strategy of Ukraine". According to Ukrinform, the relevant decree No. 37/2022 of February 1 was published on the website of the head of state. "Implement the decision of the National Security and Defense Council of Ukraine of December 30, 2021 'On the Implementation Plan of the Cyber Security Strategy of Ukraine' (attached)," the statement said. Control over the implementation of the decision of the National Security and Defense Council, enacted by this decree, is entrusted to the Secretary of the National Security and Defense Council of Ukraine.
READ THE STORY: Ukrinform // Ukrinform Partners
Malicious CSV text files used to install BazarBackdoor malware
FROM THE MEDIA: A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware. A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column. Using CSVs is a popular method to export data from applications that can then be imported into other programs as a data source, whether that be Excel, a database, password managers, or billing software. Since a CSV is simply text with no executable code, many people consider these types of files harmless and may be more carefree when opening them. However, Microsoft Excel supports a feature called Dynamic Data Exchange (DDE), which can be used to execute commands whose output is inputted into the open spreadsheet, including CSV files.
READ THE STORY: Cyber Reports
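As an added defensive illustration (not from the article above), the following Python scanner flags CSV cells that Excel would evaluate as formulas, and separately those in the `app|topic!item` shape that DDE uses, while leaving ordinary signed numbers alone. The sample file is constructed for this example, and its `launcher|...!A0` cell is a placeholder standing in for the DDE syntax, not a working payload.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Excel treats a cell starting with any of these as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# DDE links use the form app|topic!item; the pipe/bang pair is the tell-tale.
DDE_RE = re.compile(r"\|[^!]*!")
# Plain signed numbers start with + or - but are data, not formulas.
NUMERIC_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")

# Constructed sample: one benign negative amount, one DDE-shaped cell,
# one ordinary formula. Row 1 is the header.
SAMPLE_CSV = """name,amount,note
alice,12.50,monthly invoice
bob,-3.00,refund
carol,7,=launcher|'placeholder'!A0
dave,9,=SUM(A1:A2)
"""


def classify_cell(cell: str) -> Optional[str]:
    """Return 'dde' or 'formula' if Excel would evaluate the cell, else None."""
    text = cell.lstrip(" \t\r\n")
    if not text or not text.startswith(FORMULA_PREFIXES):
        return None
    if NUMERIC_RE.match(text):
        return None  # e.g. "-3.00" is a number, not a formula
    if DDE_RE.search(text):
        return "dde"
    return "formula"


def scan_csv_text(text: str) -> List[Tuple[int, int, str, str]]:
    """Scan CSV text; return (row, column, reason, cell) for every flagged cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            reason = classify_cell(cell)
            if reason:
                findings.append((row_no, col_no, reason, cell))
    return findings


if __name__ == "__main__":
    for row_no, col_no, reason, cell in scan_csv_text(SAMPLE_CSV):
        print(f"row {row_no} col {col_no}: {reason}: {cell!r}")
```

A mail gateway or file-upload handler can run the same check and quarantine any CSV with a "dde" finding before it reaches a user's spreadsheet application.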
Massive social engineering waves have impacted banks in several countries
FROM THE MEDIA: A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to the Segurança Informática publication, the malicious waves have impacted banking organizations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil. In short, criminal groups are targeting victims from different countries to collect their home banking secrets and payment cards. The campaigns are carried out by using social engineering schemes, namely smishing and spear-phishing through fake emails. Criminals obtain lists of valid and tested phone numbers and emails from other malicious groups, and the process is performed on underground forums, Telegram channels or Discord chats.
READ THE STORY: Security Affairs
U.S. Companies Face More Restrictions After Privacy Ruling Against Google
FROM THE MEDIA: American technology providers are under intense pressure in Europe after a regulator there found Google Analytics’ services illegal. The decision is expected to spur a domino effect that could result in similar restrictions for other U.S. tech providers. The recent ruling means American companies beyond big tech firms will have more difficulties moving data from Europe to the U.S., and could lead to tougher scrutiny from privacy regulators of banks, airlines and other sectors, privacy experts say. Regulators in several EU countries have said in recent weeks they are examining Alphabet Inc.’s Google Analytics services and expect to publish findings in the coming months. The announcements come after Austria’s privacy regulator said an Austrian website violated the bloc’s General Data Protection Regulation by using Google Analytics to track how people use websites. Google could be forced to provide U.S. intelligence authorities with Europeans’ data because it is subject to the Foreign Intelligence Surveillance Act, the Austrian authority said.
READ THE STORY: WSJ
China poses bigger threat to US than any other nation, FBI says
FROM THE MEDIA: FBI Director Christopher Wray said Monday that no country poses more danger to the US than China, and warned threats from the ruling Communist Party have become “more brazen, more damaging” than ever. In a stern rebuke days before the opening of the Beijing Winter Olympics, Wray said the Chinese government constitutes a threat “to our economic security and to our freedoms: Our freedom of speech, of conscience, our freedom to elect and be served by our representatives without foreign meddling, our freedom to prosper when we toil and invent.” In his remarks at the Ronald Reagan Presidential Library & Museum in California, Wray added that malevolent actions by China’s Communist Party “are happening right here in America, literally every day.” “I’ve spoken a lot about this threat since I became FBI director,” he said. “But I want to focus on it here tonight because in many ways it’s reached a new level — more brazen, more damaging than ever before, and it’s vital, vital, that all of us focus on that threat together.”
READ THE STORY: NYPOST
European Fuel Terminals Halted by ‘IT Issues’ Amid German Hack
FROM THE MEDIA: Multiple fuel terminals in Europe’s oil-trading hub have been forced to halt operations because of ‘IT issues’, according to a broker. “Numerous terminals in ARA have been impacted by IT issues,” Riverlake, which organizes barge shipments, said in a note. ARA stands for Amsterdam, Rotterdam and Antwerp, the nerve center of Europe’s oil and fuel-trading network. “The waiting queue is still building up since Sunday, with currently no prospects when the operations can resume.” The incident suggests that a cyberattack at the weekend in Germany, which only affected inland German fuel distribution, might be more widespread and impactful for Europe’s trade in oil and fuels. ARA is vital because it’s the heartland of northwest Europe’s oil refining industry, and a starting point for getting barge-loads of fuel up the Rhine river to inland Europe. The German cyberattack affected a company that had about 18 million tons of fuel throughput through its storage sites in 2020. Riverlake said that the incident in Germany is causing limited operations and rerouting of supplies.
READ THE STORY: Bloomberg
Hacktivists Interrupt Live Streaming Of Iran State TV, Air Call For Protests
FROM THE MEDIA: A website for the online streaming of Iran’s state television was hacked less than a week after another similar incident disrupted a few TV and radio channels. Hacktivist group Edalat-e Ali (Ali's Justice) hacked the television website and broadcast a video with a strong opposition message Tuesday afternoon. The video started with footage of people in Tehran’s Azadi stadium shouting “death to dictator”, referring to Supreme Leader Ali Khamenei, then it cut to a close-up of a masked man resembling the protagonist of the movie V for Vendetta, who said “Khamenei is scared, the regime’s foundation is rattling”. The voice in the one-minute video continued that the Islamic Republic cannot silence them as they plan to turn the ten-day celebration of the 1979 revolution into mourning for the Islamic Republic. The 10-day Dawn, also known as Fajr, is an expression used by the authorities to refer to the ten-day period between Ruhollah Khomeini's return to Iran on February 1 and the day revolutionaries gained victory against Bakhtiar's government, the last remnant of the Pahlavi rule.
READ THE STORY: Iranintl
Items of interest
Estimating Economic Losses from Cyber-Attacks on Shipping Ports: An Optimization-Based Approach (Paper)
FROM THE MEDIA: The Maritime Transportation System (MTS) accounts for more than 80% of global merchandise trade in volume and roughly a sixth of the Total Gross Output of the United States. Given that national and global economies depend upon efficient supply chains, port stakeholders must develop security plans to respond to all hazards, natural and manmade. Given recent cyber attacks affecting shipping ports, along with the multi-billion dollar cyber insurance gap, ports need to understand the tradeoffs between increased competitiveness and increased risk through investment in automation and advanced logistics technologies. This article addresses the need to understand the economic impact of cyber attacks that affect shipping port operations and thereby enable risk assessments that holistically evaluate interactions among port Information Technology (IT) and Operational Technology (OT) systems. We extend Boland et al.'s Dynamic Discretization Discovery (DDD) algorithm to include capacity constraints and delay arcs to accommodate commodities arriving late due to disruption.
READ THE STORY: SSRN
Cyber Security in Supply Chains (Video)
FROM THE MEDIA: Of all recent cyber breaches, approximately 60 percent are supply chain-based. A new CAPS Research report identifies five supply network vulnerability archetypes. They are intended to help companies understand the malicious actors who search for the "path of least resistance" into their networks. The report offers an in-depth examination of publicly disclosed cyber breaches, details the various methods of cyberattacks, and demonstrates the key role procurement plays in ensuring a company's cybersecurity.
DHL Phishing Scam Case Study (Video)
FROM THE MEDIA: Heff and Forrest teach about the DHL phishing scams, as well as share their first-hand experience of a customer being hit with this DHL scam.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com