Saturday, July 30, 2022 // (IG): BB
German prosecutors issue warrant for Russian government hacker over energy sector attacks
FROM THE MEDIA: Prosecutors in Germany have issued a warrant for the arrest of Pawel A, a Russian national they accuse of being part of the Berserk Bear hacking group within Russia’s Federal Security Service (FSB), according to German public broadcasters BR and WDR. The prosecutors accused Pawel of engineering a 2017 attack on Netcom BW – which manages the routers for the EnBW energy company – and another attack on electricity company E.ON. Neither company responded to requests for comment.
READ THE STORY: The Record
The commercial satellite boom is leaving space vulnerable to hackers
FROM THE MEDIA: Humanity’s imagination turned toward the heavens this month as the James Webb Space Telescope revealed images of distant galaxies. But John Crassidis, who worked on initial designs for the telescope at NASA during the 1990s, is focused on something closer to home: securing the thousands of human-made satellites orbiting the Earth — many of which are now controlled by the private sector. And Crassidis, now the director of the Center for Space Cyber Strategy and Cyber Security at the University of Buffalo, is waiting for one of them to be wiped out by a cyberattack.
READ THE STORY: The Record
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts
FROM THE MEDIA: A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that's capable of stealing email content from Gmail and AOL. Cybersecurity firm Volexity attributed the malware to an activity cluster it calls SharpTongue, which is said to share overlaps with an adversarial collective publicly referred to under the name Kimsuky. SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea," researchers Paul Rascagneres and Thomas Lancaster said.
READ THE STORY: THN
Twitter investigates apparent data breach
FROM THE MEDIA: Twitter is looking into the possibility that data from a breach are now being posted on the dark web. Restore Privacy traces the incident to reports in HackerOne back in January of a breach that had the potential of exposing user information even when that information was hidden in privacy settings. Twitter closed the vulnerability and paid the researcher who reported it a bug bounty. But it appears possible that the vulnerability has been exploited to collect a very large tranche of user data. Restore Privacy says that at least some of the data released as a teaser are authentic, and that the criminal who holds them (nom-de-hack "devil") is offering the database for sale. Bidding starts at $30 thousand.
READ THE STORY: The CyberWire
Private-sector offensive actors
FROM THE MEDIA: Microsoft late Wednesday released a report (compiled by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and RiskIQ) that describes the activity of a threat group it tracks as "Knotweed." Knotweed is regarded as responsible for Subzero malware, which it provides to, or deploys on behalf of, its customers. The group has also exploited Windows and Adobe zero-days. The report explains why Microsoft views this threat actor as particularly egregious. In brief, it's a private company hiring out cyberattack services: "PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire."
READ THE STORY: The CyberWire
Stolen money from cyberattacks makes up a third of the funds for North Korea's missile program, US official says
FROM THE MEDIA: Millions of dollars stolen by North Korean hackers in cyberattacks, a major component of North Korea's asymmetric warfare capabilities, are being funneled into the country's illegal missile development programs, according to statements made by a White House official this week. Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, said Thursday the US estimates one-third of North Korea's missile program is funded by stolen money from cyberattacks.
READ THE STORY: Business Insider
CISA warns of critical Confluence bug exploited in attacks
FROM THE MEDIA: CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation. As Australian software firm Atlassian revealed last week, unpatched versions of the Questions for Confluence app (installed on more than 8,000 servers) create an account with hardcoded credentials. One day after patching the vulnerability, the company notified admins to fix their servers immediately, seeing that the hardcoded password had been found and shared online.
READ THE STORY: BleepingComputer
Malicious Macro-Enabled Docs Delivered via Container Files to Bypass Microsoft Protections
FROM THE MEDIA: Initially announced in February, the macro-blocking feature is meant to prevent phishing attacks by making it more difficult for users to enable macros in documents received from the internet. Small snippets of code embedded in Office documents, macros have long been abused by threat actors in phishing attacks and for malware delivery. In 2016, Microsoft disabled the automated execution of macros in Office documents received from the Internet, but has allowed users to enable them with a single click.
READ THE STORY: SecurityWeek
LockBit actors using Microsoft Defender to infect PCs with Cobalt Strike beacon
FROM THE MEDIA: Cybersecurity research company SentinelOne has published news today that should put Microsoft on high alert if it's not already. The firm has discovered that the Redmond giant's in-house anti-malware solution is being abused to load the Cobalt Strike beacon onto potential victims. The threat actors in this case are LockBit Ransomware as a Service (RaaS) operators and affiliates who are using the dedicated command-line tool in Defender, "mpcmdrun.exe", among other things, to infect victim PCs.
READ THE STORY: NEOWIN
Raccoon Stealer v2: The Latest Generation of the Raccoon Family
FROM THE MEDIA: Raccoon is a malware family that has been sold as malware-as-a-service on underground forums since early 2019. In early July 2022, a new variant of this malware was released. The new variant, popularly known as Raccoon Stealer v2, is written in C unlike previous versions which were mainly written in C++. The Raccoon Malware is a robust stealer that allows stealing of data such as passwords, cookies, and autofill data from browsers. Raccoon stealers also support theft from all cryptocurrency wallets.
READ THE STORY: SecurityBoulevard
Russian national charged in sweeping influence operation to disrupt U.S. elections, sow discord
FROM THE MEDIA: A federal grand jury indicted a Russian national on charges of attempting to disrupt U.S. elections beginning as early as 2014, spreading disinformation to further Moscow’s political aims and infiltrating various American political organizations to carry out his plans. The indictment, unsealed Friday in Tampa, Florida, paints the portrait of a cunning Russian operative who was carrying out a sophisticated and potentially harmful campaign to damage American democracy and fuel extremism in the U.S.
READ THE STORY: CyberScoop
The GOP went to war against Google over spam — and may win
FROM THE MEDIA: The occasion was lunch. The setting was an ornate room off the Senate chamber. The hosts were some of the top Republican lawmakers in the country and the strategists responsible for filling their campaign coffers. Their guest, on a Wednesday in May, was Google’s top lawyer, invited to explain the company’s approach to email spam and answer charges that the tech giant was suppressing Republican solicitations.
READ THE STORY: WashingtonPost
911 Proxy Service Implodes After Disclosing Breach
FROM THE MEDIA: 911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.
READ THE STORY: SecurityBoulevard
Alleged spyware creator identified as 24yo
FROM THE MEDIA: A 24-year-old Australian man has been identified as the alleged mastermind behind intrusive spyware used by domestic violence perpetrators and other criminals. The Melburnian was 15 when he allegedly created the Imminent Monitor Remote Access Trojan which, once installed, let perpetrators control victims' computers, steal their personal information, and turn on their webcams and microphones. The program cost about $35, and was allegedly advertised on a forum dedicated to hacking.
READ THE STORY: Fairfield Champion
CHIPS Act Pushes Funding to Exascale App Dev and DevSecOps
FROM THE MEDIA: Legislation aimed at helping the U.S. achieve chip sovereignty also has provisions for funding software efforts as chip design reaches physical limits. The U.S. House this week passed the U.S. CHIPS and Science Act of 2022, which is on its way for President Joe Biden to sign into law. The legislation opens up to $54 billion in funding for chip companies to open new factories, boost STEM efforts and develop the underlying infrastructure for software-defined computing.
READ THE STORY: The New Stack
Microsoft servers are being hijacked to boost proxies
FROM THE MEDIA: Hackers have been found installing malware on Microsoft SQL servers in order to monetize the endpoints’ bandwidth. Findings from Ahnlab describe a special type of malware, called proxyware, which turns the host device into a proxy server that remote users can use for different things, from testing to content distribution. To incentivize people to use proxyware, the malware owners pay them a portion of the proceeds, and according to the researchers, some can make as much as $6,000 a month for renting out excess bandwidth.
READ THE STORY: TechRadar
QAKBOT Attack Uses Email Threads Hijacked from Proxylogon Compromises
FROM THE MEDIA: Attackers are using hijacked email threads, harvested in bulk from previous Microsoft ProxyLogon attacks, in order to send messages to victims that deliver the Qakbot malware. The campaign utilizes a known tactic that researchers with Cisco Talos call external thread hijacking. Attackers first compromise third-party Exchange servers and exfiltrate their email threads for later use. At a later date, they use a script to process these aggregated emails in bulk into spoofed responses to email contacts the victim had previously corresponded with, with links to malicious URLs that lead to the deployment of Qakbot.
READ THE STORY: DUO
Attackers Use Telegram and Discord To Spread Malware
FROM THE MEDIA: Intel 471 reports that attackers combine legitimate application features with malware to attack unsuspecting users. Some malware that uses Discord and Telegram roams the web and is available for download. The Inksia has a Discord webhook. The system is similar to the AAP. Information stealers that use legitimate messaging apps steal valuable personal data, such as passwords, browser cookies, cryptocurrency wallets, payment card information, or operating system information.
READ THE STORY: Game News 24
This is what to expect when a managed service provider gets popped
FROM THE MEDIA: A Russian-language miscreant claims to have hacked their way into a managed service provider, and has asked for help monetizing what's said to be access to the networks and computers of that MSP's 50-plus US customers. These kinds of service providers typically remotely manage their many clients' IT infrastructure and software, and so infiltrating one MSP can unlock a route into a great number of organizations.
READ THE STORY: The Register
Founder of pro-Russian hacktivist Killnet quitting group
FROM THE MEDIA: The founder and leader of the crowdsourced pro-Russian hacktivists Killnet announced his plans to leave the group after an upcoming hack and leak operation against Lockheed Martin. Killnet is part of a new breed of cyberwarfare that emerged during Russia's invasion of Ukraine. While less surgical and less successful than their opposition equivalent, the I.T. Army of Ukraine, both are civilian groups disrupting non-combat organizations to pressure adversarial nations. Killnet is best known for DDoS attacks against a Connecticut airport, institutions in Lithuania and Norway and the official website of the U.S. Congress, which it took down for around two hours.
READ THE STORY: SCMAG
Canada’s major arts and culture organizations fall victim to cyberattack
FROM THE MEDIA: Top Canadian arts and cultural organizations are cautioning patrons that some of their personal data may have been exposed in a recent security incident involving their e-mail service provider. WordFly, which sends e-mails on behalf of clients including the National Ballet of Canada, Toronto Symphony Orchestra (TSO), Canadian Opera Company (COC), Canadian Stage and The Musical Stage Company, was hit by a ransomware attack on July 10, according to a statement by the marketing service’s business development director, Kirk Bentley.
READ THE STORY: The Globe and Mail
FakeUpdates malware delivered via Raspberry Robin has possible ties to EvilCorp
FROM THE MEDIA: Microsoft this week reported that the FakeUpdates malware it tracks as DEV-0206 has been delivered via existing Raspberry Robin infections. In a blog post, Microsoft explained that Raspberry Robin is a USB-based worm first discussed publicly by Red Canary. The DEV-0206 FakeUpdates activity on affected systems has since led to follow-on action resembling DEV-0243 pre-ransomware behavior.
READ THE STORY: SCMAG
Evolution of India’s Space Doctrine
FROM THE MEDIA: The 1999 Kargil War helped India realize the importance of space for intelligence gathering, reconnaissance, and mapping. Chinese space capabilities are one of the primary drivers of India’s space program. While China might be competing with the U.S., India and other Asian powers are shaping their space efforts according to their calculations of growing security-driven considerations. China’s military space capabilities were given political thrust after assessments of the importance of space technologies over 20 years ago.
READ THE STORY: International Policy Digest
Cyber attacks on national-security targets will never end. That’s why going analog is part of the solution
FROM THE MEDIA: The Council on Foreign Relations recently released a document that calls into question the “utopian vision” of an open, reliable and secure global network. According to the Independent Task Force Report No. 80, such a goal “has not been achieved and is unlikely ever to be realized. Today, the internet is less free, more fragmented and less secure.” Among its numerous claims, the document from the right-leaning think tank asserts that “[c]ybercrime is a national security risk, and ransomware attacks on hospitals, schools, businesses, and local governments should be seen as such.”
READ THE STORY: MarketWatch
Microsoft Connects USB Worm Attacks to 'EvilCorp' Ransomware Gang
FROM THE MEDIA: According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp. Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.
READ THE STORY: SecurityWeek
Information War Between Ukraine and Russia — Putin’s Propaganda Seems Less and Less Effective.
FROM THE MEDIA: Russian propaganda appears to be stalling. In Ukraine, it reportedly has not reached its objectives, according to a document “intercepted” at the beginning of June 2022 by the SBU, the Ukrainian intelligence service. The report is said to come from the FSB, the Russian service in charge of influence operations. Nothing proves the authenticity of the document, even if the American firm Recorded Future, which specializes in intelligence and cyber, is inclined to believe it, according to an analysis published in early July 2022. In the information war, doubt is a weapon. It is a basic tactic for every belligerent.
READ THE STORY: Medium
US Federal Courts Data Breach: Justice Department Investigates Records System Cyberattack
FROM THE MEDIA: The United States (US) federal courts reportedly experienced a massive data breach in their records system. Now, the US Justice Department is probing the cyber breach that exposed the records management system of federal courts across the country. As per the latest news story by The Verge, the House Judiciary Committee Chair Jerrold Nadler says in his latest testimony that the document system of the US federal courts has been hit by a massive cyber breach. Nadler testifies that the data breach carries a "startling breadth and scope," which occurred way back in early 2020.
READ THE STORY: TechTimes
Items of interest
‘Unmanageable’: Authorities Hid Key Details About Massive Cyber Attack From Congress, Lawmaker Says
FROM THE MEDIA: In a letter Thursday, a top Democratic lawmaker accused the U.S. Courts of delaying disclosure of the dangerous extent of a “sophisticated” cyberattack on U.S. court systems.
Unidentified foreign attackers breached the judiciary’s case management systems in early 2020, but Congress did not hear of the “startling breadth and scope” of the incident until March of 2022, Democratic Rep. Jerrold Nadler of New York said at a House Judiciary Committee hearing Thursday. Finance Committee Chairman Democratic Sen. Ron Wyden of Oregon expressed concern that the U.S. federal courts chose to conceal its failures to protect personal data and adopt appropriate cybersecurity measures in a letter sent Thursday to the courts, arguing the courts’ systems had created “unmanageable security risks.”
READ THE STORY: Daily Caller
A Utopian World Where Humans, Robots, and AI Co-Exist (Video)
FROM THE MEDIA: Technological innovations in the field of artificial intelligence are making such enormously rapid progress it is often said that all production facilities will become unmanned and a large majority of clerical work will be taken over by AI. This has given rise to an extreme theory that either AI or robots will replace humans in many jobs, pushing the unemployment rate close to 50 percent.
How Can Hackers Destroy Any Country? Industrial Cybersecurity (Video)
FROM THE MEDIA: How can hackers destroy any country? By attacking or destroying its industrial systems. Critical infrastructure around the world is under cyberattack; industrial systems are vulnerable, and we don't have the workforce to protect the most critical infrastructure. This video discusses some of the deadliest cyberattacks on industrial systems.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com