Daily Drop (100)

4-9-22

Saturday, April 9, 2022 // (IG): BB //Weekly Sponsor: Cloakedentryco

Weathering Russian Winter: The Current State of Russian APTs

FROM THE MEDIA: It’s no secret that Russian Advanced Persistent Threats (APTs) are a significant burden on cybersecurity teams. For years, organizations have been bombarding their systems with patches and configuration changes to dodge targeted attacks, and the focus on APTs specifically from Russia has never been higher. However, the Russian invasion of Ukraine has put the risk and incredible rate of advancement in Russian cyberattacks front and center – with much of the internet (and the world) caught in the crossfire. This article aims to create an understanding of the history of Russian APTs, some of their most common attack types, as well as ways in which the industry may change, and what enterprises can do to protect themselves from this ongoing bombardment. Espionage via digital medium started around the time that the computer began creeping into more regular use, but the idea of the advanced persistent threat is relatively new. According to Richard Bejtlich’s paper on the topic, ‘the United States Air Force coined the phrase ‘advanced persistent threat’ in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world.’ Though APTs were regularly seen from then on inside the industry, the term didn’t gain public consciousness until an attack on Google servers in 2010, the fault of which was assigned to Chinese APTs.

READ THE STORY:  Security Boulevard

Facebook Destroys Russian Trolls (Hey Hey Rise Up)

FROM THE MEDIA:  Meta says it’s eliminated countless fake Facebook accounts controlled by state actors from Russia and Belarus. The trolls have been spreading disinformation and hacking into Ukrainian military accounts. This is, of course, a good thing. But I wonder how many trolls are slipping through the net? If you’ve ever tried and failed to report bad actors on Facebook, you probably agree that Meta is really, really, laughably bad at removing “inauthentic behavior.” Facebook … has removed hacking campaigns, influence networks and scam operations amid the war in Ukraine [says] the social media company, which also said it was reviewing additional steps. … In its first quarterly adversarial threat report, Meta said government-linked actors from Russia and Belarus had engaged in cyber espionage and covert online influence operations, including an influence operation linked to the Belarusian KGB. It said there had been other continued attempts from networks it had previously disrupted, including further efforts by the threat actor Ghostwriter to hack the Facebook accounts of dozens of Ukraine military members. [And that it] removed a network of about 200 accounts operated from Russia that coordinated to falsely report people, mostly in Ukraine and Russia, for violations like hate speech or bullying. The mass reporting was primarily coordinated in a cooking-themed Facebook Group.

READ THE STORY:  Security Boulevard

Microsoft blocks Russian cyberattacks linked to Ukraine war

FROM THE MEDIA: Russian GRU nation-state hacking team known as Fancy Bear or Strontium, a Russian Military intelligence-linked threat actor, targeted Ukraine media, foreign policy think tanks and government agencies in the US and Europe. The disruption marks the latest effort by Microsoft to curb Strontium/Fancy Bear, noting that it has taken similar actions 15 times to seize more than 100 domains used by the threat actor. Strontium, more widely known in the national security space as Fancy Bear, has been linked to attacks against the U.S. since 2016, when it hacked the Democratic National Committee ahead of the U.S. presidential election. In 2020, Microsoft disclosed what it called strong evidence of credential harvesting by Strontium against U.S. and U.K. organizations directly involved in political campaigns. The new assault is the latest in a series of attacks linked to the invasion of Ukraine. The nation has been hit by numerous malware attacks, involving more than a half dozen malicious wipers that clean data from a targeted system as well as botnet attacks that hijack various devices to compromise computer systems. Microsoft researchers believe the recent campaign sought long term access to target organizations in order to help the war effort against Ukraine and to steal sensitive data.

READ THE STORY:  Darkreading // Cybersecurity Dive

Cyber Command’s force is growing, in part, to support space

FROM THE MEDIA:  As part of investments in the Future Years Defense Program, U.S. Cyber Command and its subordinate organizations are investing in a phased approach to contribute defensive and offensive teams to support space entities. Part of the growth of Cyber Command’s cyber mission force, in addition to the increased demand in cyberspace, is to support newly established space entities such as Space Command, the newest combatant command. “We continue to contribute to the persistent defense of U.S. space-based assets and capabilities with a dedicated Cyber Protection Force (CPF) team; however we are adding to that capability in the Future Years Defense Program (FYDP),” an Air Force spokesperson said. The Future Years Defense Program is a five-year budget projection of the DOD’s costs for a current fiscal year and the four years following. 16th Air Force/Air Forces Cyber is responsible for supporting Space Command through what’s known as Joint Force Headquarters-Cyber. The various Joint Force Headquarters-Cyber branches provide planning, targeting, intelligence and cyber capabilities to the combatant commands to which they’re assigned. The heads of the four service cyber components also lead their respective JFHQ-C and oversee the cyber teams that conduct operations for the combatant commands.

READ THE STORY:  FEDSCOOP

How Russia's Invasion Triggered a US Crackdown on Its Hackers

FROM THE MEDIA: The Biden White House is using “all of the levers of national power” to counter—or preempt—cyberattacks by Russia’s most dangerous hacker groups. Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin's most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities. Over the past two months, President Joe Biden's executive branch has taken more actions to deter and even temporarily disarm Russia's most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia's GRU military intelligence agency to unsealing two indictments against the members of notorious Russian state hacker groups to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, NSA and Cyber Command director general Paul Nakasone also told Congress that Cyber Command had sent "hunt forward" teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit in both Ukraine and the networks of other allies.

D THE STORY:  Wired

Fed Law Enforcement Warns Russian Hackers Could Target Wyoming Critical Infrastructure

FROM THE MEDIA: Federal law enforcement officials are warning that Russian hackers are targeting refineries, pipelines, power grids and other critical energy infrastructure in the United States, including in Wyoming. However, historically, the weather has posed a bigger  threat to Wyoming’s energy infrastructure than hackers, according to records. In late March, the Department of Energy and other federal agencies issued a joint Cybersecurity Advisory (CSA) warning regarding state-sponsored Russian cyberattacks on the energy sector in the U.S. and elsewhere. The warning follows an investigation by the Cybersecurity Infrastructure Security Agency (CISA), the Federal Bureau of Investigation and the U.S. Department of Energy (DOE) that identified multiple targeted attacks on the energy infrastructure between 2011 and 2018. Pipelines have historically been a target of hackers, according to Ryan McConnaughey, communications director for the Petroleum Association of Wyoming (PAW), who pointed to the 2021 ransomware on the Texas-based Colonial Pipeline that was tied to a Russia-linked cybercrime network. So far, to McConnaughey’s knowledge, Wyoming’s energy sector has not been hit by Russian or other hackers. “The individual energy companies and industry as a whole and their partners work with CISA and DOE to look into the future to try to mitigate the risks,” he said.

READ THE STORY:  Cowboy State Daily

Fin7 hacker sentenced to 5 years in prison

FROM THE MEDIA: A Ukrainian man has been sentenced to five years in prison after being convicted as one of the primary hackers behind the notorious Fin7 financial malware ring. A Ukrainian national will be spending the next five years behind bars for his role in the notorious Fin7 hacking operation. Denys Iarmak, 32, was handed the prison term Thursday after being found guilty on counts of conspiracy to commit wire fraud and conspiracy to commit computer hacking. According to the U.S. Department of Justice (DOJ), Iarmak was one of the more technically inclined members of the Fin7 hacking crew, conducting the intrusions and managing the networks that had been compromised by attackers. "Iarmak was involved with FIN7 from approximately November 2016 through November 2018," the DOJ said in the announcement. "Iarmak frequently used project management software such as JIRA, hosted on private virtual servers in various countries, to coordinate FIN7 malicious activity and to manage the assorted network intrusions." The sentencing comes after Iarmak had tried to fight extradition and charges in the U.S. following his 2019 arrest in Thailand. The Fin7 crew is believed to have been behind account thefts and bank fraud schemes that added up to more than $1 billion, according to the DOJ. Also known as Carbanak, the hacking crew managed to steal some 15 million account credentials and then drain them of funds. The DOJ said that Iarmak and other Fin7 hackers would begin their intrusions by sending their targets phishing emails. Once the targeted individuals opened the malicious attachments, their machines would be infected with the Carbanak malware.

READ THE STORY:  Tech Target

Solarium co-chairs urge White House to maintain Trump-era cyber authorities

FROM THE MEDIA:  Lawmakers expressed concern that rolling back the authorities from a 2018 presidential memorandum would jeopardize national security efforts. The Biden administration has launched a probe into a Trump-era policy solidified in 2018 that broadened the Pentagon's authority to approve offensive and defensive cyber operations, a move Cyberscoop first reported.  Lawmakers expressed concern that rolling back the authorities would jeopardize national security efforts. Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), co-chairs of the Cyberspace Solarium Commission, penned a letter to President Joe Biden urging reconsideration of any potential rollback of the policy because they helped greatly "limit Russian cyber-enabled information operations" during the U.S. midterm elections in 2018 and presidential election in 2020. The authorities have also bolstered the command's "persistent engagement" policy. During a Senate Armed Services Committee hearing on April 5, Gen. Paul Nakasone, the commander for U.S. Cyber Command, testified that enhanced authorities have been key to defending national elections from foriegn-led cyberattacks and information operations.  

READ THE STORY:  FCW

Expect the Ukraine war’s cyber fallout to spread

FROM THE MEDIA:  While the United States continues to send billions of dollars in military aid to support Ukraine in its fight against Russia, an unseen parallel conflict has simultaneously been taking place in cyberspace. At the very start of the conflict, the Biden administration earmarked $10 billion in emergency funding from Congress in aid, including support of Ukraine’s cyber defenses, plus $28 million to bolster the FBI’s response to Russian cyber threats stemming from the war in Ukraine. Even criminal cyber groups are joining in the escalating cyber conflict. The romantically-named Belarusian Cyber Partisans, for example, were previously known as the Belarusian Railway Ransomware gang. Early in the conflict, the Cyber Partisans used a back-door vulnerability they had identified while conducting a previous ransomware scam to take down the systems running the Belarusian national rail system, thus forcing Belarus to manage its national rail system manually and crucially delaying the delivery of much-needed arms, supplies and food rations to the Russian forces fighting in the Ukraine. But not all cyber groups are pro-Ukraine. The Conti group, the most active of the international ransomware gangs, who were last year alone responsible for 505 major cyber-attacks on financial institutions in the United States, has already threatened America with “retaliatory measures” for its support of Ukraine. However, close to the start of the conflict, a Ukrainian cyber researcher managed to hack extremely sensitive data from Conti, thereby allowing the authorities to identify the gang’s ringleaders. Unfortunately, Conti has since regrouped.

READ THE STORY:  SC Media

Supply Chain Cyber Attacks Continue to Increase

FROM THE MEDIA: Organizations have an opportunity to reduce their third-party risk by clarifying whether they or their suppliers are responsible for supply chain risk management, according to new global research of 1400 cybersecurity decision makers by NCC Group. Around one in three (36%) said that they are more responsible for preventing, detecting and resolving supply chain attacks than their suppliers. Just over half (53%) said that their company and its suppliers are equally responsible for the security of supply chains. This could affect organizations’ third-party risk if it means that they are not conducting appropriate due diligence on their suppliers, and could expose them to regulatory penalties. The EU’s Digital Operational Resilience Act (DORA) mandates that financial entities include key security requirements in their contracts with third parties, indicating that regulators are increasingly emphasizing the organization’s role in supplier risk management. Despite this, half (49%) of the organizations surveyed said that they did not stipulate security standards that their suppliers must adhere to as part of their contracts. One in three (34%) said that they do not regularly monitor and risk assess their suppliers’ cybersecurity arrangements.

STORY:  Security Today

Cyber security company supports Rakia mission to space

FROM THE MEDIA: A cyber security solutions company is supporting the Rakia Israeli space mission by hosting the communication to the specialized control centre, located at its headquarters in Tel Aviv. It will also be accommodating a visitor centre. On Friday, Israeli astronaut Eytan Stibbe blasted off from Cape Canaveral, Florida, on a mission to the International Space Station (ISS), where he will conduct 35 experiments, ranging from research in food and agriculture, medical testing and the impact of microgravity on plastic degradation. The mission is set to last eight to 10 days. As part of the undertaking, a unique Rakia Mission Centre has been built at the Check Point Software offices in Tel Aviv. This will include a control room, from which scientists, artists and educators can monitor the activities of Stibbe and make necessary changes to experiments in real-time, while conducting a direct dialogue with the control room of the ISS in the United States. Oded Vanunu, head of product vulnerabilities research at Check Point Software Technologies, said in recent years, civilian companies have spent billions of dollars trying to create an ‘easy’ path into space, which has created new technologies. But, in turn, new challenges for cyber security have emerged. “With a huge amount of communication and data between spacecraft and Earth, every phase of the Rakia mission needs to be protected. We are proud to secure this vital communications between the space station and our control centre on Earth.”

READ THE STORY:  Citizen

Items of interest

Anonymous Publish 28 GB Data Dump Stolen From Russia Central Bank Detailing Secret Agreements and High Profile Client Information

FROM THE MEDIA: Hacktivist group Anonymous claims to have hacked the Russia Central Bank and accessed 35,000 files promising a data dump within 48 hours. The anonymous hacker claims the documents contain “secret agreements” that would affect Russian politics. A Twitter account linked to the hacker group Black Rabbit world (@Thblckrbbtworld) later announced that Anonymous had leaked 28 GB stolen from the Central Bank of Russia. “The Central Bank of Russian Federation leak (28 GB) has been published by Anonymous,” the account tweeted. The group hacked the Central Bank of Russia in retaliation for the invasion of Ukraine, declaring cyber war on Vladimir Putin in a video released about a month ago.

READ THE STORY:  CPO Magazine

Void Balaur: A Cyber Mercenary From The Underground (Video)

FROM THE MEDIA: Void Balaur: A Cyber Mercenary From The Underground by Feike Hacquebord.

Modern Day Cyber Mercenaries (Video)

FROM THE MEDIA: Chris Rock, CEO of SIEMonster, delivers the keynote address at NetDiligence Cyber Risk Summit Philadelphia on June 13, 2019.

About this Product

These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com