Sunday, February 6, 2022 // (IG): BB //Weekly Sponsor: BLKTRIANGLE//Podcast: DS
BlackCat (ALPHV) ransomware linked to BlackMatter, DarkSide gangs
FROM THE MEDIA: The BlackCat ransomware gang, also known as ALPHV, has confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation. BlackCat/ALPHV is a new feature-rich ransomware operation launched in November 2021 and developed in the Rust programming language, which is unusual for ransomware infections. The ransomware executable is highly customizable, with different encryption methods and options allowing for attacks on a wide range of corporate environments. While the ransomware gang calls themselves ALPHV, security researcher MalwareHunterTeam named the ransomware BlackCat after the image of a black cat used on every victim’s Tor payment page. Since then, the ransomware operation has been known as BlackCat when discussed in the media or by security researchers. Many ransomware operations are run as a Ransomware-as-a-Service (RaaS), where core members are in charge of developing the ransomware infection and managing servers, while affiliates (aka “adverts”) are recruited to breach corporate networks and conduct attacks. As part of this arrangement, the core developers earn between 10% and 30% of a ransom payment, while the affiliate earns the rest. The percentages change based on how much ransom revenue a particular affiliate brings to the operation.
READ THE STORY: Cyber-Reports
A QUICK LOOK:
A look at the new Sugar ransomware demanding low ransoms
FROM THE MEDIA: A new Sugar Ransomware operation actively targets individual computers, rather than corporate networks, with low ransom demands. First discovered by the Walmart Security Team, 'Sugar' is a new Ransomware-as-a-Service (RaaS) operation that launched in November 2021 but has slowly been picking up speed. The name of the ransomware is based on the operation's affiliate site discovered by Walmart at 'sugarpanel[.]space'. Unlike most ransomware operations you read about in the news, Sugar does not appear to be targeting corporate networks but rather individual devices, likely belonging to consumers or small businesses. As such, it is not clear how the ransomware is being distributed or infecting victims. When launched, the Sugar Ransomware will connect to whatismyipaddress.com and ip2location.com to get the device's IP address and geographic location. It will then proceed to download a 76MB file from http://cdn2546713.cdnmegafiles[.]com/data23072021_1.dat, but it is unclear how this file is used. Finally, it will connect to the ransomware operation's command and control server at 179.43.160.195, where it transmits and receives data related to the attack. The ransomware will continue to call back to the command and control server as it is executed, likely updating the RaaS with the status of the attack.
READ THE STORY: Bleeping Computer
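As an added detection example (not code from the Bleeping Computer story or from Walmart's research), this Python script scans constructed proxy log lines for the network sequence described above, treating the public IP-lookup services as a weak signal on their own and the download host and command-and-control address as strong ones. The log format and the workstation names are assumptions.

```python
import re

# Indicators named in the story above (defanged "[.]" written out so they
# match real log fields), grouped by the stage at which Sugar contacts them.
STAGES = {
    "ip_geolocation_lookup": {"whatismyipaddress.com", "ip2location.com"},
    "payload_download": {"cdn2546713.cdnmegafiles.com"},
    "c2_callback": {"179.43.160.195"},
}

# Constructed sample proxy log (not a real capture): "<time> <src> <dest> <method> <url>"
SAMPLE_LOG = """\
09:00:01 ws-017 whatismyipaddress.com GET https://whatismyipaddress.com/
09:00:02 ws-017 ip2location.com GET https://www.ip2location.com/
09:00:05 ws-017 cdn2546713.cdnmegafiles.com GET http://cdn2546713.cdnmegafiles.com/data23072021_1.dat
09:00:09 ws-017 179.43.160.195 POST http://179.43.160.195/
09:01:30 ws-017 179.43.160.195 POST http://179.43.160.195/
09:02:11 ws-042 whatismyipaddress.com GET https://whatismyipaddress.com/
09:03:44 ws-099 example.org GET https://example.org/index.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Split one log line into source host and destination; None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    _time, src, dest, _method, _url = match.groups()
    return {"src": src, "dest": dest.lower()}

def stage_for(dest):
    """Return the Sugar stage a destination belongs to, or None."""
    for stage, indicators in STAGES.items():
        if dest in indicators:
            return stage
    return None

def find_sugar_activity(log_text):
    """Group indicator hits per source host and rate each host."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = stage_for(rec["dest"])
        if stage is not None:
            hits.setdefault(rec["src"], set()).add(stage)
    # Geolocation sites are legitimate and widely used, so they alone rate "low";
    # the download host and C2 address are specific to Sugar, so either rates "high".
    report = {}
    for host, stages in hits.items():
        specific = stages & {"payload_download", "c2_callback"}
        report[host] = {"stages": sorted(stages), "severity": "high" if specific else "low"}
    return report
```

Calling find_sugar_activity(SAMPLE_LOG) rates ws-017 "high" with all three stages and ws-042 "low", while ws-099 is not reported at all.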
FBI Shared Technical Details of LockBit Ransomware
FROM THE MEDIA: The FBI has shared critical detection and defense tips against the LockBit ransomware, which has grown to be one of the infamous actors in the cybercrime space. Asking the relevant personnel to share any further details available for better understanding, the FBI reiterated that it would never encourage paying ransoms and asked any victim to report the incident to their nearest FBI cyber crime department. Starting in 2019, the LockBit ransomware has grown to be one of the nastiest threat actors in the underworld. It started out as Ransomware-as-a-Service, hiring hackers to hit targets and sharing the ransom profits earned with them. When it was banned from advertising in cybercrime groups, the LockBit group released a LockBit 2.0 version in June 2021 that added capabilities like automatic encryption of devices across Windows domains via Active Directory group policies.
READ THE STORY: Techdator
Iranian APT group uses previously undocumented Trojan for destructive access to organizations
FROM THE MEDIA: Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has been targeting organisations in Israel, but also in other countries, since last year with the intention of damaging their infrastructure. The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file-encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain. Moses Staff's malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting businesses in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political. While not a lot was known about the reconnaissance stage, researchers from Cybereason now think they found the missing link: a remote access Trojan (RAT) that the Moses Staff attackers deploy early and remove in later stages of the attack. Dubbed StrifeWater, the Trojan is deployed with the name calc.exe, which is why some infected systems are later found without the Windows Calculator tool, also named calc.exe and possibly removed during the group's cleanup routine.
READ THE STORY: ResellerNews
Scam alert! Binance CEO warns users of massive SMS phishing scam
FROM THE MEDIA: The scam involves sending users a text message with a link to cancel withdrawals, leading users to a fake website designed to harvest their login credentials. Binance CEO Changpeng “CZ” Zhao has alerted the crypto community against a “massive” SMS phishing scam targeting Binance customers. Tweeting on Friday, CZ alerted users of a phishing scam campaign directed at Binance users through SMS. Per the screenshot shared by CZ, the scam involves sending users a text message with a link to cancel withdrawals, leading users to a fake website designed to harvest their login credentials. The CEO has warned Binance users not to click on any links from SMS messages and advised them to always type the URL for the exchange into their browsers manually. Several cases of hacking and phishing have emerged so far in 2022, with some platforms suffering significant losses as a result of these attacks.
READ THE STORY: Cointelegraph
Inside China’s nightmarish spy state with cameras checking emotions and phone data heists as Winter Olympians warned
FROM THE MEDIA: CHINA has developed a shocking surveillance system watching the every move of citizens - with athletes landing in Beijing for the Winter Olympics even warned to watch their backs. With streets filled with cameras and super high-tech systems, the Communist regime has been accused of running "an Orwellian surveillance state" that "touches every part of life" and "endangers privacy". Highly advanced and "invasive" digital technologies have become a central part of the Chinese state - with people both online and offline kept under constant observation as the government tightens its controlling grip. And while the eyes of the world turn to China as the Winter Olympics get underway, it's feared athletes landing in Beijing will have unwanted eyes snooping on them too. Security expert Will Geddes, founder of International Corporate Protection, told the Sun Online that China's Big Brother-like surveillance is a "huge concern" for competitors. "Inevitably, when you go overseas to somewhere like China, the moment you get off the plane your phone will be intercepted," he said. "If I'm sending any clients out to China, I will generally send them out with a burner phone, so it will be a phone which will be sterilized. "It won't have all their precious life and secrets on it. When we bear in mind we have our inhabited on our phones nowadays - we have all our emails, social media, our messages, our notes, our emails - our entire lives are encapsulated within this small device we keep in our pockets.
READ THE STORY: The Sun
The rise of defense tech is bringing Silicon Valley back to its roots
FROM THE MEDIA: The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics. The timeless quest for national competitive advantage has accelerated with globalization. During the Cold War, the United States and the U.S.S.R. fought an ideological and a military race, but never one over consumer products: No American was interested in buying a Soviet toaster. Now, the lines are blurred; countries are fighting across their entire economies and every domain of warfare for advantage. Technological supremacy in consumer and enterprise products feeds directly into the great power race for air, land, sea, space and cyber. Startup founders and engineers are increasingly recognizing their role in this fight, as well. These people are not George W. Bush-style jingoists, but they do want to support liberal democracy and make sure people on the frontlines have the best tools to do their jobs. That’s a major shift from the last several decades when antiwar sentiment in the Bay Area that originated in the protests over the Vietnam War intensified into antiwar protests against the wars in Afghanistan and particularly Iraq.
READ THE STORY: Techcrunch
North Korea grows nuclear, missiles programs, profits from cyberattacks: UN report
FROM THE MEDIA: UNITED NATIONS, Feb 5 – North Korea continued to develop its nuclear and ballistic missile programs during the past year and cyberattacks on cryptocurrency exchanges were an important revenue source for Pyongyang, according to an excerpt of a confidential United Nations report seen on Saturday by Reuters. The annual report by independent sanctions monitors was submitted on Friday evening to the U.N. Security Council North Korea sanctions committee. “Although no nuclear tests or launches of ICBMs (intercontinental ballistic missiles) were reported, DPRK continued to develop its capability for production of nuclear fissile materials,” the experts wrote. North Korea is formally known as the Democratic People’s Republic of Korea (DPRK). It has long been banned from conducting nuclear tests and ballistic missile launches by the U.N. Security Council. “Maintenance and development of DPRK’s nuclear and ballistic missile infrastructure continued, and DPRK continued to seek material, technology and know-how for these programs overseas, including through cyber means and joint scientific research,” the report said. Since 2006, North Korea has been subject to U.N. sanctions, which the Security Council has strengthened over the years in an effort to target funding for Pyongyang’s nuclear and ballistic missile programs.
READ THE STORY: NY Post
Gardai vow to continue global fight against Russian hackers behind HSE cyber attack as cyber cops join with FBI
FROM THE MEDIA: GARDAI have vowed to continue the global fight against the Russian-based gang behind last year’s cyber attack on the HSE. And Det Chief Supt Paul Cleary from the Garda National Cyber Crime Bureau also outlined how the Conti Cyber Organized Crime Group will be hit with further disruption operations and sanctions. The commitment from the senior Garda comes as we reveal how specialists investigating the cyber attack on the HSE recovered over 500GB of stolen data from a major US insurance company. GNCCB investigators made the discovery when probing the activities of the cyber crime gang. The data — stolen from a firm based in the US State of Pennsylvania — has now been returned to the company after the GNCCB team worked closely with the FBI. And as part of their investigation into the Conti group’s ransomware attack on the HSE on May 14, 2021, detectives are also in the process of returning data stolen from a transport firm in the US and an engineering company in Ontario, Canada. And since the launch of the investigation in 2021, gardai have also prevented 753 further cyber attacks on unsuspecting victims. Det Chief Supt Cleary said: “The GNCCB continues to target those we believe to be behind the ransomware attack on the HSE.”
READ THE STORY: The Sun
CISA has ordered federal entities to patch a Windows flaw that is being actively exploited
FROM THE MEDIA: Federal entities have been ordered by the Cybersecurity and Infrastructure Security Agency (CISA) to update their systems against an intensively exploited Windows vulnerability that allows hackers to gain SYSTEM rights. All Federal Civilian Executive Branch (FCEB) agencies are now obligated to update all systems against this weakness, identified as CVE-2022-21882, within two weeks, by February 18th, according to a binding operational directive (BOD 22-01) published in November and today’s notification. Although BOD 22-01 primarily applies to FCEB agencies, CISA strongly advises all private and public sector entities to follow this Directive and concentrate remediation on vulnerabilities in its database of widely exploited security weaknesses to limit their susceptibility to current cyberattacks. “Based on indications that threat actors are actively exploiting the vulnerabilities described in the table below, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog,” the cybersecurity agency announced today. “These types of vulnerabilities are a common attack vector for all types of malicious cyber actors and constitute a major danger to the federal organization,” says the report.
READ THE STORY: David Artykov
Beware AI's negative impact on our world, warns former Google CEO Eric Schmidt
FROM THE MEDIA: Does Big Tech really understand AI? Ian Bremmer talks to former Google CEO Eric Schmidt, co-author of “The Age of AI: And Our Human Future,” who believes we need to control AI before it controls us. What's troubling about AI, he says, is that it’s like nothing we’ve seen before; it's still very new. Instead of being precise, AI learns by doing, exactly like humans. The coronavirus pandemic drove people’s lives even more online; we are now more connected than ever before. But we don't always know who runs our digital world. The problem is that instead of governments, tech companies are writing the rules through computer algorithms powered by artificial intelligence. The US and China competition in AI is intensifying. China is already doing pretty scary stuff with it, like surveillance of Uyghurs in Xinjiang (and also some fun stuff, like publicly shaming jaywalkers). Schmidt explains that this is because the Chinese ensure their internet reflects the priorities of the Communist Party; he’s not a big fan of those values shaping the AI on apps his children use. Yet, he blames algorithms, not China, for the polarization on social media. Schmidt is all for free speech, but not for robots.
READ THE STORY: Gzero Media
Items of interest
Out-of-Control Cybercrime Will Cause More Real-World Harm (Article)
FROM THE MEDIA: CYBER incidents will cause real and sustained disruption to our everyday comforts—and maybe kill people. This won’t be because of any great geopolitical development, but because a bunch of semi-sophisticated, well-organized, and mostly Russian criminals are increasingly out of control. For some years now, a strange combination of Hollywood and the military-industrial complex has been telling us that cyberattacks present an existential threat to humanity, but the reality has been different. Cyber harms inflicted by bad people have turned out to be very serious, but mostly in boring and largely invisible ways. The closest most ordinary people come to encountering a cyber “attack” is either by losing a small amount of money or by getting a letter from a company they do business with, telling them that some personal data they don’t understand the value of has been stolen by people in another continent whose identity no one really knows. There’s the odd exception—the Russian state is fond of battering Ukraine, for example—but for most people in most countries, cyber has not been much to get worked up about.
READ THE STORY: Wired
Unheard, Unknown & Unseen Cyber-crimes (Video)
FROM THE MEDIA: Mr. Ritesh is a Cybersecurity consultant and a well known Cybercrime Investigator. He is the founder of V4WEB cybersecurity services. He is popularly known for his Cybercrime Investigations and has been successful in solving many cases for corporates, law enforcement agencies and individuals in India and abroad. He has been a distinguished speaker at many national and international conferences and organizations such as the United Nations, UNICEF, RBI, Anti Narcotics Cell, Economic Offences Wing, Indian Air Force and many more where he spoke on new age cybercrimes, data privacy and dark web. Mr. Ritesh is a well known Cybercrime Investigator and Cybersecurity Consultant with an experience of 20 years in cyberspace and has been successful in solving many cases for corporates, law enforcement agencies and individuals in India and abroad. His recent case on busting a WhatsApp group that was circulating child sexually abusive material was well appreciated not just by the Indian police but also by Interpol.
The most dangerous cyber weapon explained (Video)
FROM THE MEDIA: STUXNET, one of the first cyber weapons, targeted nuclear systems in Iran. Who was behind this cyber weapon, how did it work, and most importantly, what is the future of cyber warfare?
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com