Saturday, February 5, 2022 // Contact(IG): BB //Weekly Sponsor: BLKTRIANGLE
Hungary blocked Ukraine’s accession to NATO cyber defense center
FROM THE MEDIA: It has surfaced that Hungary was the NATO Ally responsible for blocking Ukraine’s accession to the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), an institution Kyiv keeps seeking closer ties with following the recent cyberattacks, even after the official rejection of Ukraine’s membership status last year. Oleksiy Danilov, Secretary of the National Security and Defense Council of Ukraine (NSDC), mentioned on a political live TV show that one of the Allies vetoed Ukraine’s accession to the Center, while an unnamed source told European Pravda that the country in question was Hungary. On 3 February, on 1+1 TV channel’s evening political talk show Right for Power, NSDC Secretary Oleksiy Danilov mentioned that one of the EU countries blocked Ukraine from joining the NATO Cooperative Cyber Defense Centre of Excellence, which he referred to as “Cyber-NATO.” Mr. Danilov mentioned it only in passing, commenting on a critical remark regarding his wording: “There is an institution called Cyber-NATO. And we had submitted the relevant documents there last summer, all the relevant verifications were passed. And there, just like in NATO, decisions are made by consensus. And so one of the European countries denied our country’s accession to this respectable institution. This is taking into account the fact that we’ve been at war with the Russian Federation for the eighth year, and we have constant attacks on us in the cyber [domain]. The most recent one was on January 13-14. This is an EU country, they are our neighbor, they denied it us. So tell me, do I have the right to say that these are ‘quote-unquote partners’?” he said.
READ THE STORY: Euromaidan Press
Now is the Time to Take Port Cyber Security Seriously
FROM THE MEDIA: If you think COVID-related supply chain issues at ports are bad, wait until a malicious actor wants to inflict similar chaos on purpose. Locomotives, airplanes, container ships and bulk freighters, long-haul and short-haul trucks, anything that rolls, flies, or floats. No matter the vehicle, and no matter how it’s powered, chances are a port plays a critical role in beginning or ending its journey. From paying more at the gas pump to finding things from baby formula to cat food, we have witnessed firsthand what happens when the push and pull of supply and demand starts to break down. Ports are dedicated to ensuring that supply meets demand both in terms of finished goods and the raw materials for making them. When they break down, the ripples spread across the entire economy. At this moment, on the periphery of the crisis unfolding in Ukraine, major bulk fuel suppliers in the ports of Antwerp and Hamburg are experiencing work stoppages because of cyber attacks. Regardless of the motive or responsible party, what occurred this week is an explicit example of how bad actors use attacks such as these to take advantage of a dire situation. While this attack may not have been on our shores, it can directly impact the United States’ and its allies’ ability to operate in the region, as well as apply needless stress on an already taxed economy.
READ THE STORY: Maritime Executive
Suspected Chinese hackers hit News Corp with 'persistent cyberattack'
FROM THE MEDIA: News Corp suffered a "persistent cyberattack," the company said Friday, and investigators believe Chinese spies may be responsible. Dozens of journalists at the News Corp-owned Wall Street Journal were targeted in the hack, which appeared to focus on reporters and editors covering China-related issues, two people familiar with the matter told CNN. Cybersecurity firm Mandiant (MNDT), which News Corp (NWS) hired to investigate the breach, believes the hackers are "likely involved in espionage activities to collect intelligence to benefit China's interests," said David Wong, vice president of consulting at Mandiant. The intrusion, which appeared to date to at least February 2020, compromised email accounts and Google Drive documents used by certain Wall Street Journal journalists, one of the people familiar with the investigation said. The Wall Street Journal first reported on the timeline of the hack. Journalists are frequent targets of various state-backed hackers in search of intelligence on governments and corporations. For this reason, many journalists do not mention sensitive information over email. Wall Street Journal management held a series of briefings on Thursday with the journalists affected by the hack, the two sources familiar with the investigation said. Journal staff are going through forensic data to determine what information was taken from individual journalists, one of those people said.
READ THE STORY: CNN
Hacking team tied to Russia targeted Western 'government entity' in Ukraine
FROM THE MEDIA: A hacking team that Ukraine says is controlled by Russian intelligence has targeted a wide range of organizations in the country, including a "western government entity," according to cybersecurity research published on Thursday and Friday. The United States and other allies have sent military advisers and cybersecurity experts to Ukraine in recent months to help defend against Russian forces, now massed on the neighboring country's borders. In a report issued on Friday, Microsoft Corp (MSFT.O) said a group called "Gamaredon" had tried to obtain sensitive information from a wide range of military, governmental and nongovernmental organizations in Ukraine since last October. The report included a screenshot of one such attempt, which showed an email, embedded with malicious code, disguised as an official update on the COVID-19 pandemic from the World Health Organization (WHO).
READ THE STORY: Reuters
CoinDesk CMS Vulnerability Let Hackers Trade on Nonpublic Info
FROM THE MEDIA: A vulnerability in the content management system, or CMS, of leading cryptocurrency news site CoinDesk allowed hackers “to trade on nonpublic information ahead of the publication of at least one article,” according to the publication. CoinDesk disclosed the breach in an article on Friday. “CoinDesk has fixed an issue that exposed the headlines of articles saved as drafts in the crypto news publication’s content management system (CMS). The exploit, which was brought to CoinDesk’s attention by a white-hat hacker, may have allowed unidentified actors to profit from nonpublic information by making trades ahead of the publication of at least one article,” CoinDesk’s CEO Kevin Worth wrote in the article. “The issue is now fixed and added safeguards have been put in place. We regret this unintended deviation from our commitment to level playing fields in crypto markets,” Worth added. CoinDesk is one of the longest-running and most prominent news sources that focuses specifically on cryptocurrency and blockchain technology. It's also a trade publication that frequently posts industry news such as investment rounds. The company says its mission is to build “the most influential, trusted information platform for a global community engaged in the transformation of the financial system and the emerging crypto economy.”
READ THE STORY: Vice
Lone U.S. hacker claims credit for North Korea’s countrywide internet outages
FROM THE MEDIA: He’s dictating the terms. A U.S. hacker working solo claims he’s the person behind multiple internet outages across North Korea in the past month. The man, identified only by the handle “P4X,” said he was targeted by a North Korean government hacking scheme last year and was upset enough to fight back, tech magazine Wired reported. North Korea experts noted the various countrywide internet down periods in January. Some suspected the outages were connected to the country’s recent missile launches, perhaps a “please stop” signal from the U.S. But P4X’s screen recordings proved he was behind the attacks, according to Wired. The man claimed that because of the tiny dictatorship’s outdated internet technology and small cyber infrastructure, it wasn’t really that hard. “For me, this is like the size of a small-to-medium (cybersecurity breaching test),” he told Wired. “It’s pretty interesting how easy it was to actually have some effect in there.” Access to the internet is severely limited in North Korea, and observers believe only a few dozen websites are hosted inside the isolated nation, Wired reported. But P4X was still able to take them all down in his revenge campaign.
READ THE STORY: NY Daily News
FBI's warning about Iranian firm highlights common cyberattack tactics
FROM THE MEDIA: One known tactic is conducting reconnaissance on potential targets, then working to identify entry points including vulnerable software or systems. The US Federal Bureau of Investigation (FBI) has released a warning outlining the TTPs (tactics, techniques, and procedures) of Iran-based Emennet Pasargad, reportedly a cybersecurity and intelligence firm servicing Iranian government agencies, to help recipients inform and defend themselves against the group’s malicious activities. In the FBI's Private Industry Notification, the agency confirms that two Iranian nationals employed by Emennet were charged with cyberintrusion and fraud, voter intimidation, interstate threats, and conspiracy by the US Department of Justice. Additionally, the Department of Treasury Office of Foreign Assets Control alleges that Emennet, along with the two accused Iranian nationals, attempted to influence the 2020 US presidential elections. The notification pointed out that Emennet ran an interference campaign in the election, obtaining confidential voter information from state election websites, sending intimidating emails to voters, crafting and distributing misinformation videos about voting vulnerabilities, and hacking into media companies' computer networks. During the campaign, the bad actors masqueraded as members of the Proud Boys, an American far-right, neofascist, and exclusively male organization.
READ THE STORY: CSO
EvilModel: Malware that Hides Undetected Inside Deep Learning Models
FROM THE MEDIA: A team of researchers from the University of California, San Diego, and the University of Illinois has found that it is also possible to hide malware in deep learning neural networks and deliver it to an unsuspecting target, without it being detected by conventional anti-malware software. Not surprisingly, this new work is highlighting the need for better cybersecurity measures to counteract and protect users from the very real possibility of AI-assisted attacks, especially as individuals and businesses become increasingly reliant on AI in their daily activities. In a pre-print paper outlining EvilModel — the team’s ominously named method for embedding malware in deep learning neural networks — the team discovered that it was possible to infect a deep learning model with malware, and have it fool anti-malware detectors, all without significantly affecting the model’s performance.
READ THE STORY: The New Stack
U.S. Authorities Charge 6 Indian Call Centers Scamming Thousands of Americans
FROM THE MEDIA: A number of India-based call centers and their directors have been indicted for their alleged role in placing tens of millions of scam calls aimed at defrauding thousands of American consumers. The indictment charged Manu Chawla, Sushil Sachdeva, Nitin Kumar Wadwani, Swarndeep Singh, Dinesh Manohar Sachdev, Gaje Singh Rathore, Sanket Modi, Rajiv Solanki and their respective call centers with conspiring with previously indicted VoIP provider E Sampark and its director, Gaurav Gupta, to forward the calls to U.S. citizens. "Criminal India-based call centers defraud U.S. residents, including the elderly, by misleading victims over the telephone utilizing scams such as Social Security and IRS impersonation as well as loan fraud," the U.S. Justice Department said in a release. According to the November 2020 indictment issued against E Sampark and Gupta, the calls from India-based phone scammers led to reported losses of over $20 million from May 2015 to June 2020, with the company maintaining roughly 60 servers in the U.S. state of Florida for this purpose, which contained over 130,000 recordings of scam calls. The scheme involved the callers posing as Internal Revenue Service (IRS) employees to dupe the victims into transferring money, threatening them with arrest and fines should they fail to pay back taxes. The illegally amassed funds were then laundered through an overseas fraud network.
READ THE STORY: THN
OpenSea launches new contract-clearing system to protect against recent bug
FROM THE MEDIA: On Thursday evening, blockchain platform OpenSea launched a new system that will help users clear out unclaimed sale offers, set to roll out over the next two weeks. In an announcement post, CEO Devin Finzer described the changes as made to “ensure old, inactive listings expire.” The move comes after a bug that allowed attackers to exploit old contracts to buy tokens for hundreds of thousands of dollars below market price. In one particularly attention-getting case in January, a Bored Ape Yacht Club token was purchased for less than $2,000 and resold immediately for over $192,000. The bug was a result of how OpenSea’s platform interacts with the Ethereum blockchain, often saving gas fees by listing offers locally rather than coding them into the broader chain. An oversight in that system allowed old contracts to sometimes linger on the blockchain without appearing in the OpenSea interface. By making offers against those contracts, which were often years old, attackers could take advantage of badly out-of-date prices — usually taking token-owners by surprise.
READ THE STORY: The Verge
Microsoft disables MSIX protocol handler abused in Emotet attacks
FROM THE MEDIA: Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability. Today's decision comes after the company released security updates to address the flaw (tracked as CVE-2021-43890) during the December 2021 Patch Tuesday and provided workarounds to disable the MSIX scheme without deploying the patches. The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds. "We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer," said Microsoft Program Manager Dian Hartono. "We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner. We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations."
READ THE STORY: Bleeping Computer
Items of interest
NSA touts collaboration wins following year of massive hacks (Article)
FROM THE MEDIA: After a year marked by several unprecedented hacks, the National Security Agency’s Cybersecurity Directorate on Thursday issued an annual report to showcase its collaboration within the federal government and the U.S. private sector and warn that the digital threat landscape remains volatile. The directorate, established in 2019, was created as a part of an overarching shift by the NSA — once nicknamed “No Such Agency” — to share its technical expertise with the public and private sectors about the kind of attacks hackers are launching and help organizations better defend against digital assaults from nation states like Russia, China and Iran — all of whom continue to improve their tradecraft. Last year was roiled by rapid, sweeping cyberattacks, beginning with the SolarWinds espionage campaign that impacted at least nine federal agencies to the ransomware strikes on the Colonial Pipeline, food processing giant JBS and software firm Kaseya before concluding with the discovery of the massive Log4j vulnerability that sent entities around the globe scrambling to button up their networks. In a letter prefacing the annual report, NSA Cybersecurity Directorate chief Rob Joyce warned that the specter of online threats is likely to grow.
READ THE STORY: The Record
Ex-NSA hacker tools for real world pentesting (Video)
FROM THE MEDIA: Learn real world pentesting plus which tools are the best to use with Ex-NSA Hacker Neal Bridges. Neal tells us what he carries in his backpack when doing real world pentests.
Tactics of Physical Pen Testers (Video)
FROM THE MEDIA: This presentation will highlight some of the most exciting and shocking methods by which my team and I routinely let ourselves in on physical jobs. Many organizations are accustomed to being scared at the results of their network scans and digital penetration tests, but seldom do these tests yield outright "surprise" across an entire enterprise. Some servers are unpatched, some software is vulnerable, and networks are often not properly segmented. No huge shocks there. As head of a Physical Penetration team, however, my deliverable day tends to be quite different. With faces agog, executives routinely watch me describe (or show video of) their doors and cabinets popping open in seconds.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com