Saturday, February 12, 2022 // (IG): BB //Weekly Sponsor: BLKTRIANGLE
Cybercrooks Frame Targets by Planting Fabricated Digital Evidence
FROM THE MEDIA: The ‘ModifiedElephant’ threat actors are technically unimpressive, but they’ve evaded detection for a decade, hacking human rights advocates’ systems with dusty old keyloggers and off-the-shelf RATs. Threat actors are hijacking the devices of India’s human rights lawyers, activists and defenders, planting incriminating evidence to set them up for arrest, researchers warn. The actor, dubbed ModifiedElephant, has been at it for at least 10 years, and it’s still active. It’s been shafting targets since 2012, if not sooner, going after hundreds of groups and individuals – some repeatedly – according to SentinelLabs researchers. The operators aren’t what you’d call technical prodigies, but that doesn’t matter. Tom Hegel, threat researcher at SentinelOne, said in a Wednesday post that the advanced persistent threat (APT) group – which may be tied to the commercial surveillance industry – has been muddling along just fine using rudimentary hacking tools such as commercially available remote-access trojans (RATs). The APT is snaring victims with spearphishing, delivering malware via rigged documents.
READ THE STORY: Threatpost
A QUICK LOOK:
The Quixotic Quest to Tackle Global Cybercrime
FROM THE MEDIA: In mid-January, the United Nations was formally set to begin a process to develop a global treaty on cybercrime. Given the numerous headlines in 2021 about ransomware attacks on infrastructure, from health care systems in Ireland to fuel lines in the United States, one might assume this process is being driven by the United States and its Western allies. It isn’t. It was pushed by Russia and approved by vote in the U.N. General Assembly in 2019, with Western countries voting against the process. The meeting in January was delayed due to the omicron coronavirus variant, but political maneuvering around the delay reveals that the process continues to advance without a shared sense of cooperation. In late January, Russia submitted a resolution in the General Assembly to hold the meeting the following week in New York. This was met with resistance by a number of states; the Dominican Republic, with mostly European and Central American co-sponsors alongside Australia, Japan, New Zealand, and the United States, then submitted an amendment proposing an entirely different plan. Russia’s preference lost out during the voting process. This was the second time in a year that Russia has tried to vote its preferences through for this agenda and lost. While Russia clearly sees itself as the leader of this initiative, it is being met with increasing resistance when it tries to impose its preferences.
READ THE STORY: FP
A QUICK LOOK:
Ransomware routed by fast-acting, info-sharing Texans
FROM THE MEDIA: Streamlining communication between federal, state and local agencies can help departments prepare for and respond to ransomware attacks, Texas State Chief Information Security Officer Nancy Rainosek said. Speaking during NextGov’s Feb. 10 CyberDefenders webinar, she discussed the August 2019 coordinated ransomware attack that targeted more than 40 Texas municipalities and impacted 23 local governments, interrupting their ability to process licenses and certificates, collect payments for services or conduct payroll activities. Attackers collectively demanded $2.5 million in ransom payments, but no Texas entities paid the ransom, Rainosek said. A swift response from Gov. Greg Abbott and the Texas Department of Information Resources (DIR) allowed officials to declare the event as a cybersecurity disaster, the first of such events deemed a statewide disaster. “This enabled us to join our Texas Division of Emergency Management, Department of Public Safety and Texas Military Department in responding and helping these 23 local entities,” Rainosek said. “We were able to then send our teams out into the field and had all these folks back to recovery and operational within eight days.”
READ THE STORY: GCN
A QUICK LOOK:
U.S. issues blanket warning on potential of destructive Russian hacks
FROM THE MEDIA: The lead U.S. cyber defense agency released a broad national warning Friday night that Russia’s potential invasion of Ukraine could spill into hacks against American computer networks. The “Shields Up” advisory, issued by the Cybersecurity and Infrastructure Security Agency, said it was not responding to any specific threats, but acting as a general precaution that conflict with Russia could lead to cyberattacks. “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for Russia to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine,” it reads. Noting the broad vulnerability of many U.S. computer networks to hackers, it warned that “Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.” The White House believes Russia, which has stationed troops around its border with Ukraine, could invade the country imminently. National security adviser Jake Sullivan told reporters Friday afternoon that the administration believes there is a “distinct possibility” that could happen before the conclusion of the Olympics on Feb. 20.
READ THE STORY: NBC
A QUICK LOOK:
Europe's biggest car dealer hit with ransomware attack
FROM THE MEDIA: One of Europe's biggest car dealers, Emil Frey, was hit with a ransomware attack last month, according to a statement from the company. The Swiss company showed up on the list of victims for the Hive ransomware on February 1 and confirmed that they were attacked in January. "We have restored and restarted our commercial activity already days after the incident on January 11, 2022," a spokesperson said, declining to answer more questions about whether customer information was accessed. The company -- which has about 3,000 employees -- generated $3.29 billion in sales in 2020 thanks to a variety of automobile-related businesses. It was ranked as the number 1 car dealership in Europe based on revenue and the total number of vehicles for sale. The FBI spotlighted the Hive ransomware group in August 2021 after their members attacked dozens of healthcare organizations last year. In 2021, Hive attacked at least 28 healthcare organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The FBI alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group's "sales department" that can be accessed through a TOR browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms.
READ THE STORY: ZDnet
A QUICK LOOK:
Microsoft, Oracle, Apache and Apple vulnerabilities added to CISA catalog
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known exploited vulnerabilities this week, adding 15 vulnerabilities based on evidence that threat actors are actively exploiting them. The list includes a Microsoft Windows SAM local privilege escalation vulnerability with a remediation date set for February 24. Vulcan Cyber engineer Mike Parkin said the vulnerability -- CVE-2021-36934 -- was patched in August 2021 shortly after it was disclosed. "It is a local vulnerability, which reduces the risk of attack and gives more time to deploy the patch. CISA set the due date for Federal organizations who take direction from them, and that date is based on their own risk criteria," Parkin said. "With Microsoft releasing the fix 5 months ago, and given the relative threat, it is reasonable for them to set late February as the deadline." The rest of the list covers a range of Microsoft, Apache, Apple, and Jenkins vulnerabilities with remediation dates of August 10.
READ THE STORY: ZDnet
A QUICK LOOK:
FBI: Ransomware Attackers Have Code to Halt Critical Infrastructure
FROM THE MEDIA: Cyber attackers who hold a victim’s system hostage by encrypting its data until their demands are met may be laying off “big game” in the U.S., but they’ve been working on code that could threaten a lot more real-world damage against those they do choose to target, according to a joint advisory from the FBI and domestic and international partner agencies. “Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes,” reads the advisory released Wednesday. The joint advisory, released along with the National Security Agency and Cybersecurity and Infrastructure Security Agency, as well as their counterparts in Australia and the United Kingdom, examines ransomware trends that emerged in 2021 and offers mitigation strategies for network defenders. In May, after Colonial Pipeline paid ransomware attackers $5 million to release their system, the company said it had proactively disconnected the operational technology—think valves, and pressure gauges—that control its physical processes, and federal agencies said there was no evidence the hackers got beyond their information technology realm.
READ THE STORY: NextGov
A QUICK LOOK:
Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa
FROM THE MEDIA: A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview. Critical security vulnerabilities in Moxa’s MXview web-based network management system open the door to an unauthenticated remote code execution (RCE) as SYSTEM on any unpatched MXview server, researchers warned this week. The five bugs, affecting versions 3.x to 3.2.2, score a collective 10 out of 10 on the CVSS vulnerability-severity scale, according to Claroty’s Team82 research team. Three of them can be chained together to achieve the aforementioned RCE (CVE-2021-38452, CVE-2021-38460 and CVE-2021-38458), but the others can be used to lift passwords and other sensitive information (CVE-2021-38456, CVE-2021-38454). Moxa’s MXview network management software is designed for configuring and monitoring networking devices in industrial control systems (ICS) and operational technology (OT) networks. It has multiple components, Team82 noted in its Thursday advisory, including an MQTT message broker named Mosquitto that transfers messages to and from different components in the MXview environment.
READ THE STORY: Threatpost
A QUICK LOOK:
EU Parliament Adopts Amended Digital Services Act by a Wide Margin
FROM THE MEDIA: On January 21, 2022, the members of the EU Parliament approved by a large majority (77%) an amended draft of the Digital Services Act (“DSA”). The DSA proposal, put forward by the EU Commission back in December 2020, aims to provide for a common set of obligations and accountability rules for online intermediaries while safeguarding consumers’ fundamental rights. Key provisions of the DSA relate to the control of illegal goods, services or online content and better traceability and transparency. The DSA would apply to various types of online intermediary services providers (Internet providers, cloud services providers, etc.), with a strong focus on online platforms (marketplaces, app stores, collaborative economy platforms and social media platforms) and very large online platforms (i.e., reaching more than 45 million consumers in the EU). Once in force, online intermediary services providers would need to comply with this new set of rules or risk facing fines of up to 6 percent of their annual turnover. The EU Parliament’s approval signals the start of the “trialogue”, i.e., negotiations between the EU Council (representing Member States governments), the EU Commission and the EU Parliament to reach an agreement on the final version of the text. Debates are likely to be lively, in particular with regards to targeted advertising, as lawmakers will need to arbitrate between NGOs’ demands for a complete prohibition of target advertising versus the need to avoid harming companies that rely on this tool for their business. Recent claims that the contemplated EU rules discriminate against US companies will also likely figure in the discussions. Finally, it remains to be seen how the new DSA will interact with other pending regulations, such as the Digital Markets Act or the e-Privacy Regulation (for more detail, see our OnPoint).
READ THE STORY: JDsupra
A QUICK LOOK:
Coinbase Trading Vulnerability Exposed by White-Hat Hacker
FROM THE MEDIA: Cryptocurrency exchange Coinbase was notified of a vulnerability in its trading systems on Friday afternoon by the pseudonymous white hat hacker “Tree of Alpha,” and temporarily suspended trading on its new Advanced Trading platform. Around 6 p.m. UTC (1 p.m. ET) on Friday, @Tree_of_Alpha caught the attention of Coinbase leadership after tweeting that they found a “potentially market-nuking” exploit and was submitting a HackerOne report. “The issue is sensitive and could allow malicious users to send all Coinbase order books to arbitrary prices,” the white-hat hacker told CoinDesk via Twitter. Coinbase is one of the largest cryptocurrency exchanges, and its price feeds are also used as inputs for oracles, which determine the true prices of tokens for applications such as DeFi protocols. After the initial tweet sparked alarm in the crypto community, Tree of Alpha posted a follow-on tweet saying, “No actual Coinbase storages (cold or otherwise) are impacted.”
READ THE STORY: Coindesk
A QUICK LOOK:
Items of interest
Russia’s Wagner Group in Africa: Influence, commercial concessions, rights violations, and counterinsurgency failure(Article)
FROM THE MEDIA: Russia is intensifying its competition with the United States in Africa. In its asymmetric race, Russia uses nominally private, but in fact state-linked actors such as the private security company the Wagner Group and the infamous St. Petersburg “troll farm” the Internet Research Agency (IRA). Both are a major threat to democracy and rule of law in Africa and beyond. In its African strategy, the Kremlin is motivated foremost by a desire to thwart U.S. policy objectives, almost irrespective of their substance. Considering Africa “one of Russia’s foreign policy priorities,” Russian President Vladimir Putin also seeks to create African dependencies on Moscow’s military assets and access African resources, targeting countries that have fragile governments but are often rich in important raw materials, such as oil, gold, diamonds, uranium, and manganese. Russian private security companies such as the Wagner Group purport to redress complex local military and terrorism conflicts with which African governments have struggled. They also offer to these governments the ability to conduct counterinsurgency and counterterrorism operations unconstrained by human rights responsibilities, unlike the United States, allowing African governments to be as brutish in their military efforts as they like. In turn, Russia seeks payment in concessions for natural resources, substantial commercial contracts, or access to strategic locations, such as airbases or ports.
READ THE STORY: Brookings
Sim Jacking/Sim Swapping: Everything You Need to Know(Video)
FROM THE MEDIA: A Hacker can HIJACK your phone number with just a call to your cell phone carrier. They then control YOUR phone number!!!! This action is called Sim Jacking or Sim Swapping. This video will describe everything you need to know about Sim Jacking/Sim Swapping. What it is, why it's a bad thing, real world cases, and most importantly what to do to avoid it or protect yourself if it happens to you.
Confessions of a Hacker known as Kingpin - Joe Grand Story(Video)
FROM THE MEDIA: Explore Joe Grand’s life journey as a hardware hacker. Known as Kingpin, his curiosity has been manipulating electronic devices since the 1980s. Learn more about his hacker lifestyle and get a glimpse inside Joe’s mind as he explains how hacking, technology and engineering fuels his passion.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com