Friday, February 4, 2022 // Contact: Bob Bragg-IG //Weekly Sponsor: T&R
Mac Malware-Dropping Adware Gets More Dangerous
FROM THE MEDIA: The latest version of a Mac Trojan called UpdateAgent, aka WizardUpdate, provides fresh evidence of the growing effort that some threat actors are putting into targeting Apple technologies. The malware, which impersonates legitimate software such as support agents and video software, first surfaced in September 2020. It is commonly distributed via drive-by downloads or pop-up advertisements and fake updates for tools like the long-discontinued Adobe Flash Player. Since it first emerged, UpdateAgent's authors have constantly updated it with significant new functionality, and the most recent update in October was no exception. Researchers from Microsoft analyzed the latest variant and found that it contained an expanded capability for installing secondary payloads hosted on trusted public cloud infrastructure such as Amazon S3 and CloudFront. Where previous versions fetched additional payloads as either .zip files or mountable disk images (DMG files), the new version of UpdateAgent can now use both file types.
READ THE STORY: Darkreading
NPM JavaScript registry suffers massive influx of malware, report says
FROM THE MEDIA: The popular NPM JavaScript package manager and registry has been hit with an influx of malicious packages, the most harmful of which are related to data theft, crypto mining, botnets, and remote code execution, according to research from security company WhiteSource. WhiteSource's automated malware detection platform, WhiteSource Diffend, detected a total of 1,300 malicious packages on NPM in the six months ending December 2021. All the malicious packages identified by WhiteSource were reported to NPM and subsequently removed from the package registry. NPM is a widely used package manager and registry with more than 1.8 million active packages, each with a little more than 12 versions on average. A package is a prewritten set of useful functions that can be called into a programming environment without having to write every line of code from scratch. A package manager is an open-source tool that installs or updates these packages. NPM is the default package manager for the widely used JavaScript runtime environment Node.js.
READ THE STORY: CSO Online
Iranian APT group uses previously undocumented Trojan for destructive access to organizations
FROM THE MEDIA: Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has, since last year, been targeting organizations in Israel and other countries with the intention of damaging their infrastructure. The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021, and its primary goal is to steal sensitive data. It also deploys file-encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain. Moses Staff's malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting organizations in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political. The group has openly stated that its goal is to damage Israeli organizations by leaking their data and disrupting their operations, with no ransom demands.
READ THE STORY: CSO Online
European governments targeted by Chinese hackers with a Zimbra webmail zero-day
FROM THE MEDIA: A new Chinese cyber-espionage group has been seen abusing a zero-day vulnerability in the Zimbra collaboration suite to gain access to the email inboxes of European governments and media agencies. The attacks were spotted last month by security firm Volexity, and even though the security firm notified Zimbra on December 16, the company has not yet released a patch for its product. Earlier today, Volexity released a technical report about the attacks in the hope of raising awareness of the issue and allowing organizations that use a Zimbra email server to review whether they have been targeted. According to Volexity, the attackers first began exploiting this zero-day on December 14, when its researchers spotted the initial attacks on some of its customers. Volexity said the attacks were split into two stages. In the first, the hackers sent a benign email meant to perform reconnaissance and determine whether accounts were active and whether users would be willing to open strange emails from unknown entities.
READ THE STORY: The Record
Cyberattack was attempted against a western government ‘entity’ in Ukraine, researchers say
FROM THE MEDIA: Last month, a Russia-linked threat actor attempted a cyberattack in Ukraine against an “entity” that’s part of an unidentified western government, according to researchers in Palo Alto Networks’ Unit 42 organization. The attempted attack took place on January 19, and was carried out by a group that Unit 42 calls “Gamaredon.” The group’s leadership includes five Russian Federal Security Service officers, the Security Service of Ukraine said previously. In a blog post today, Unit 42 researchers said that Gamaredon has “primarily focused its cyber campaigns against Ukrainian government officials and organizations” since 2013. The researchers said they have been closely monitoring Gamaredon’s activities because of the geopolitical situation and the group’s target focus. The disclosure of the attempted attack came amid estimates that Russia has stationed more than 100,000 troops on the eastern border of Ukraine. On Wednesday, President Joe Biden approved sending an additional 3,000 U.S. troops to Eastern Europe.
READ THE STORY: VentureBeat
North Korean hacking group targets defense contractors
FROM THE MEDIA: A new cyberattack campaign launched by the North Korean APT Lazarus Group is targeting the military defense industry. Lazarus weaponized two documents related to job opportunities at Lockheed Martin in the spear-phishing attack. The discovery was made January 18, 2022. Here’s what you need to know: North Korea has a long history of offensive cyber operations and has typically focused on three strategic objectives: revenue generation, disruption, and espionage. Often these objectives overlap, so it’s difficult to know exactly what the strategic goals of a campaign are. However, when a defense contractor is in the mix, one would be forgiven for thinking that there’s an espionage element involved.
READ THE STORY: Homeland Sec // Washington Examiner
Antlion APT group used a custom backdoor that allowed them to fly under the radar for months
FROM THE MEDIA: The Antlion APT group used a custom backdoor in attacks aimed at financial organizations and manufacturing companies, Symantec researchers reported. The backdoor went undetected for at least 18 months in a cyberespionage campaign against entities in Taiwan between 2020 and 2021. “The attackers deployed a custom backdoor we have called xPack on compromised systems, which gave them extensive access to victim machines,” reads the analysis published by the Broadcom-owned company Symantec. “The backdoor allowed the attackers to run WMI commands remotely, while there is also evidence that they leveraged EternalBlue exploits in the backdoor.” xPack allowed the threat actors to run WMI commands remotely and mount shares over SMB to transfer data from C2 servers. The malware was also used by the attackers to browse the web, likely as a proxy to mask their IP address. Symantec researchers analyzed one attack in which the APT group remained in the compromised network of a manufacturing organization for 175 days. In another attack, against a financial organization, the APT group spent 250 days in the target’s network.
READ THE STORY: Bleeping Computer // Security Affairs
Second Israeli company exploited Apple flaw to hack into iPhones
FROM THE MEDIA: A second Israeli spy firm exploited a flaw in Apple’s security to hack into iPhones, numerous sources told Reuters on Thursday. Five individuals with knowledge of the matter said Quadream gained the ability last year, around the same time as NSO Group, letting the two companies break into iPhones without the user needing to click any link. Bill Marczak, a security researcher with Citizen Lab, told Reuters that the company’s so-called “zero-click” abilities appeared to be “on par” with NSO’s. Three of the sources said NSO’s and Quadream’s exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple’s instant messaging platform and used a comparable approach to plant malicious software on targeted devices in order to gain unauthorized access to data. The exploits were so similar that when Apple fixed the underlying flaws in September 2021, it rendered both NSO’s and Quadream’s software ineffective, two people familiar with the matter told the news agency.
READ THE STORY: The Times of Israel
New research reveals vicious tactics of ransomware groups
FROM THE MEDIA: Hackers are increasingly targeting zero-day vulnerabilities and supply chain networks for maximum impact. This is according to the results of the Ransomware Spotlight Year End Report that Ivanti conducted with Cyber Security Works, a Certifying Numbering Authority (CNA), and Cyware, the provider of Cyber Fusion, next-generation SOAR and threat intelligence solutions. The report identified 32 new ransomware families in 2021, bringing the total to 157 and representing a 26% increase over the previous year. The report also found that these ransomware groups are continuing to target unpatched vulnerabilities and to weaponize zero-day vulnerabilities in record time to instigate crippling attacks. At the same time, they are broadening their attack spheres and finding new ways to compromise organizational networks and trigger high-impact assaults. Among the top observations and trends from the Ransomware Spotlight Year End Report: unpatched vulnerabilities remain the most prominent attack vectors exploited by ransomware groups. The analysis uncovered 65 new vulnerabilities tied to ransomware last year, representing 29% growth compared to the previous year and bringing the total number of vulnerabilities associated with ransomware to 288. Alarmingly, over one-third (37%) of these newly added vulnerabilities were actively trending on the dark web and repeatedly exploited.
READ THE STORY: IT Brief
White House creates board to review cybersecurity incidents, members to start with Log4J
FROM THE MEDIA: The Department of Homeland Security announced the creation of a new Cyber Safety Review Board that will bring together cybersecurity experts from public and private organizations to "review and assess significant cybersecurity events." The board was part of the executive order that President Joe Biden signed last year. Experts have long urged the federal government to create an organization for cybersecurity incidents akin to the National Transportation Safety Board, which investigates airplane crashes and transportation incidents. Homeland Security secretary Alejandro Mayorkas said the board will "thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors." DHS said the board will start its first work on issues related to Log4J because vulnerabilities associated with the software library "are being exploited by a growing set of threat actors" and "present an urgent challenge to network defenders." "As one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB's expertise," DHS explained.
READ THE STORY: ZDNet
String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say
FROM THE MEDIA: European prosecutors and cybersecurity officials are investigating a ransomware attack affecting several major oil port terminals that occurred just days after a separate hack on two German companies forced oil suppliers to reroute their products to alternative depots. The attacks targeted organizations in Belgium, the Netherlands, and Germany, including some of the largest ports in the region. Cybersecurity officials from those countries on Thursday said they do not have reason to believe that the attacks are linked to one another. One European government official who is involved in the investigation but is not authorized to speak about it publicly told The Record that the port incidents are ransomware attacks believed to be linked to the BlackCat and Conti families. An internal report from Germany’s Federal Office for Information Security (BSI) said the BlackCat group, which has been implicated in a number of recent compromises, was behind the recent attack on the two German oil industry companies, Handelsblatt reported on Wednesday. “A judicial investigation is ongoing at the public prosecutor’s office in Antwerp. Attribution of such a cyberattack is, as you know, very difficult and it is now far too early for that. We have no technical indications that the attacks are linked,” Katrien Eggers, a spokesperson for the Centre for Cyber Security Belgium, told The Record. The Centre serves as the country’s central authority for cybersecurity.
READ THE STORY: The Record
Items of interest
Ukraine reconsiders bug bounties after latest cyberattacks. But are they enough? (Article)
FROM THE MEDIA: Ukrainian ethical hackers prefer to work with clients abroad: foreigners are more open to investing in cybersecurity—and they pay more. In Ukraine, in turn, only a few private companies are ready to spend money on bug bounties, while the public sector isn’t allowed to hire ethical hackers by law. But recent cyberattacks amid a buildup of Russian forces along Ukraine’s border are changing that. Ukraine has failed to adjust its regulations to new challenges in cyberspace, local experts told The Record. At the moment, ethical hackers could face fines of up to $42,000 USD or even three years in prison for trying to detect bugs in the computer systems of the Ukrainian parliament, ministries, or state companies. But as the digital conflict between Ukraine and Russia continues to escalate, the Ukrainian government has decided to be more radical—it promised to decriminalize bug bounties, allowing ethical hackers to try to breach state-owned computer systems to detect security vulnerabilities.
READ THE STORY: The Record
The Ultimate RF Hacking Tool? HackRF PortaPack H2 (Video)
FROM THE MEDIA: The PortaPack is a US$220 add-on for the HackRF software defined radio (HackRF + PortaPack + Accessory Amazon bundle) which allows you to go portable with the HackRF and a battery pack. It features a small touchscreen LCD and an iPod-like control wheel that is used to control custom HackRF firmware, which includes an audio receiver, several built-in digital decoders, and transmitters too. With the PortaPack, no PC is required to receive or transmit with the HackRF. Of course, as you are tied to custom firmware, it is not possible to run any software that has already been developed for Windows or Linux systems. The official firmware created by the PortaPack developer Jared Boone has several decoders and transmitters built into it, but the third-party 'Havoc' firmware by 'furrtek' is really what you'll want to use with it, since it contains many more decoders and transmit options. As of the time of this post, the currently available decoders and transmit options can be seen in the screenshots below. The ones in green are almost fully implemented, the ones in yellow are working with some features missing, and the ones in grey are planned for future implementation. Note that for the transmitter options, there are some there that could really land you in trouble with the law, so be very careful to exercise caution and only transmit what you are legally allowed to.
Hacking Banks For Money (Video)
FROM THE MEDIA: Penetration testing is a form of ethical hacking that exposes a system’s biggest vulnerability: the people operating it. We created this story in partnership with Tomorrow Unlocked. Subscribe here: http://freeth.ink/youtube-subscribe-p... When it comes to organizational cybersecurity, sometimes the only way to know your weaknesses is to exploit them. This can be accomplished through a unique form of social engineering known as penetration testing. Pen testing is a type of ethical hacking. Organizations can use a pen test to identify and correct security weaknesses in their computer systems, networks, and applications. Pentesters use the same breaching methods as criminal hackers, with one key distinction: they are hired by the owner of the system and perform the attack with permission. Jayson E. Street is one of these white-hat hackers.
About this Product
These open-source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com