Tuesday, April 12, 2022 // (IG): BB //Weekly Sponsor: Cloakedentryco
Kenosha-based toolmaker Snap-on Inc. is the victim of a large data theft, according to a report
FROM THE MEDIA: Kenosha-based toolmaker Snap-on Inc. is the victim of a large data theft, according to a report. The Conti ransomware gang is responsible for the theft, according to a Twitter account maintained by VxThreat, a ransomware monitoring platform. More than 10 gigabytes of data was leaked in the attack and 90% of the files were published, according to the tweet issued Monday by VxThreat. Representatives from Snap-on didn't immediately respond to the Milwaukee Journal Sentinel's requests for comment on the report. Snap-on makes high-end tools for automotive mechanics, aviation and aerospace workers and other tradespeople. The company has 12,500 employees worldwide and posted sales of $4.25 billion in 2021, according to its website. "Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000," according to a February advisory issued by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
READ THE STORY: Milwaukee Journal Sentinel
Mandatory cyber security incident reporting now in force
FROM THE MEDIA: AU - Home Affairs minister Karen Andrews has announced the implementation of Australia's critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors. Under the Security of Critical Infrastructure Act 2018, multiple industry assets are deemed to be critical. These range from telcos and internet service providers to fuel companies, data storage and processing organizations, freight forwarders, banking, insurance and finance, along with food and grocery assets. Domain name systems, which resolve consumer queries for links to internet protocol addresses, are also deemed critical. Four Queensland sugar mills are also covered by the law. ACSC asks that critical cyber security incidents that have a significant impact on the availability of assets covered by the Act be reported within 12 hours after the operators become aware of the issue. Verbal reports to ACSC must be accompanied by written notifications within 84 hours, the government says.
READ THE STORY: iT News
Russia's space programme hit by western cyber attack
FROM THE MEDIA: Western hackers have turned Russia's own ransomware against it in a cyber attack on the country's space agency, data obtained by security experts suggests. A group of hackers linked to the cyber activist organization Anonymous boasted of stealing files from Roscosmos, Russia’s space agency, in a series of posts on Twitter last month. The hacking group, called Network Battalion 65, or NB65, posted images of server information that it claimed showed it had shut down a monitoring system used by the Russian space agency. The chief of Roscosmos, Putin ally Dmitry Rogozin, hit back at the claims, describing NB65 as “scammers and petty swindlers”. “All our space activity control centers are operating normally,” said Mr Rogozin in a tweet last month. However, analysis of a file containing source code reportedly found that the hackers used 66 per cent of the same code as that of Conti, the Russian cybercrime group known for using ransomware to extort millions of dollars from US and European companies. Conti was behind a hack that paralyzed Ireland’s health service and hospitals by scrambling key servers, which prevented clinical staff from using online systems. Ransomware is among the most feared online threats, being used to cause thousands of pounds of damage and paralyze businesses for weeks. The file was uploaded to anti-malware website VirusTotal and analyzed by Intezer Analyze.
READ THE STORY: Telegraph UK
Lapsus$ Group Exposes Internal Threats Are Also External Threats
FROM THE MEDIA: The threat actor known as Lapsus$ Group has recently made the news for targeting and succeeding in their efforts to compromise both Microsoft and Okta. The goal of the attack was to execute what is called a “double-extortion” attack, which exfiltrates data and threatens the organization with exposure of the data unless a ransom is paid, all the while selling the data privately. This attack also exposed Lapsus$ Group brazenly attempting to “publicly” recruit employees of their targets to assist them in gaining access to internal networks. While this isn’t the first time this has occurred, it has typically been done by nation state groups attempting to get access to government employees or contractors. This bold move by a threat actor group has shown organizations that insider threats can rapidly turn into external threats. Security teams must have programs in place to detect, validate, and respond jointly. It also shows that cloud environments are ripe for threat actor groups to target, as they are often considered less secure. This is due to lift-and-shift approaches by vendors to support cloud environments versus purpose-built solutions that can span across any infrastructure. However, the start of the compromise begins with the changes in today’s workforce and “The Great Resignation” as worker loyalty drops and employees change jobs more frequently.
READ THE STORY: Security Boulevard
BlackCat Attack on Betting Company Disrupts Service
FROM THE MEDIA: Nigerian betting platform Bet9ja has suffered a ransomware attack perpetrated by the BlackCat ransomware group, the company confirmed on Sunday. The attack disrupted its regular operations, and many users complained of not being able to log into their accounts, but CEO Ayo Ojuroye maintains that "all accounts, data and funds" are "safe." On Wednesday, Bet9ja tweeted that its website was experiencing a technical issue and restricted its users from logging in to their accounts. The company promised customers that its IT team was working on the issue as a priority, but the platform continued to face downtime. According to recent reports, however, services have finally been restored. On Sunday, the company issued a statement on the "criminal cyberattack." In the announcement, Bet9ja says it has hired independent cyber forensics and cybercrime experts to investigate and resolve the situation. Ojuroye also tweeted a confirmation of the "unprovoked and unjustified" attack on Wednesday, adding that the company continued to be in control of the situation and that all customer accounts, data and funds were secure.
READ THE STORY: Gov Info Security
SafeGuard Cyber Provides Security Advice for Defending Against Browser-in-the-Browser (BitB) Attacks
FROM THE MEDIA: A clever new credential phishing attack known as "Browser-in-the-Browser" (BitB) has recently emerged which could catch many employees off-guard, leading to dangerous account takeover attacks that impact corporations. The BitB attack, which is now being used by the Ghostwriter hacking group, is nearly invisible to its victims since it deftly exploits the single sign-on (SSO) authentication method common on websites. The attack imitates a legitimate SSO popup window, such as "Sign in with Google" or "Sign in with Facebook," and is even able to spoof a real URL address, which makes it difficult to tell if the login window is fake. SafeGuard Cyber is warning companies to expect more targeted BitB attacks, since this credential phishing tactic is extremely convincing and easy for criminal hackers to implement. As the world's leading provider of security and compliance solutions for today's communications-based threats, SafeGuard Cyber has created a helpful online explainer of the BitB attack method, along with key security advice for companies to follow. "BitB is a new social engineering tactic that only recently came to light, but it is likely to become a popular tactic among many criminal and nation-state groups due to its effectiveness and ease of use," said Chris Lehman, CEO of SafeGuard Cyber. "This is part of a larger strategy shift we are seeing among threat actors to target companies through the periphery, such as employees' personal accounts, where there is less security monitoring in place. By attacking an employee's personal email or social media account, the threat actor can more easily harvest a credential that may be reused on a corporate account. But they can also utilize these personal email and social media accounts as a staging ground for secondary social engineering attacks on other employees within the company."
READ THE STORY: Darkreading
EU Officials Targeted with Pegasus Spyware
FROM THE MEDIA: Senior European Union (EU) officials were targeted with Pegasus spyware last year, according to a report by Reuters. These include current European Justice Commissioner Didier Reynders and at least four other commission staffers. The news agency said it was notified of the claims by two EU officials and documentation it had reviewed. The EU commission apparently became aware that members of its staff were being targeted by Pegasus spyware after being contacted by Apple in mass messages sent by the tech giant to iPhone owners in November 2021. These warned recipients that they were “targeted by state-sponsored attackers.” Following the warning, a senior tech staffer at the commission sent a message to colleagues to provide background on spyware tools and emphasize the need to look out for additional warnings from Apple. The email, which Reuters reviewed, stated: “Given the nature of your responsibilities, you are a potential target.” There is currently no information on who targeted Reynders and his colleagues with Pegasus or whether the attempts were successful. NSO Group, the Israeli firm that developed Pegasus, said in a statement that it was not responsible for the hacking attempts described in the report, claiming the alleged targeting “could not have happened with NSO’s tools.” It added that it is in favor of an investigation into the matter.
READ THE STORY: Infosecurity Magazine
Android banking malware intercepts calls to customer support
FROM THE MEDIA: A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a bank’s customer support number and connect the victim directly with the cybercriminals operating the malware. Disguised as a mobile app from a popular bank, Fakecalls displays all the marks of the entity it impersonates, including the official logo and the customer support number. When the victim tries to call the bank, the malware breaks the connection and shows its own call screen, which is almost indistinguishable from the real one. While the victim sees the bank’s real number on the screen, the connection is to the cybercriminals, who can pose as the bank’s customer support representatives and obtain details that would give them access to the victim’s funds. The Fakecalls mobile banking trojan can do this because at the moment of installation it asks for several permissions that give it access to the contact list, microphone, camera, geolocation, and call handling. The malware emerged last year and has been seen targeting users in South Korea, customers of popular banks like KakaoBank or Kookmin Bank (KB), security researchers at Kaspersky note in a report today.
READ THE STORY: Bleeping Computer
Threat actors can exploit Spring4Shell to launch botnets that target cloud-based IoT systems
FROM THE MEDIA: Researchers on Friday reported active exploitation of the Spring4Shell vulnerability that allows threat actors to weaponize and execute the Mirai botnet malware, which tends to launch DDoS attacks on cloud-based IoT systems such as security cameras, agricultural systems, medical devices, and vehicles. In a blog post, Trend Micro researchers said malicious actors were executing the Mirai botnet malware primarily in the Singapore region. The researchers said they saw the exploitation of CVE-2022-22965 at the start of April 2022. The researchers say the RCE vulnerability gives threat actors full access to compromised devices, making it a dangerous and critical vulnerability. Spring has released patches for this vulnerability with complete details here. The industry had expected to see threat actors leverage the Spring4Shell vulnerability since it was announced, and Trend Micro’s research proves this out, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said thus far, Spring4Shell hasn’t blown up into a massive issue, but it still has the potential to become a higher-profile problem. “It also reinforces the ‘you are responsible for your own applications’ security structure in the cloud,” Parkin said. “Cloud vendors usually do an excellent job securing their platforms, however, if you deploy vulnerable software, then it’s your responsibility to fix it, not theirs.”
READ THE STORY: SC Magazine
CISA warns orgs of WatchGuard bug exploited by Russian state hackers
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances. Sandworm, a Russian-sponsored hacking group believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw (CVE-2022-23176) to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office (SOHO) network devices. "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," the company explains in a security advisory rating the bug with a critical threat level. The flaw can only be exploited if the appliances are configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access. Federal Civilian Executive Branch (FCEB) agencies must secure their systems against these security flaws according to November's binding operational directive (BOD 22-01).
READ THE STORY: Bleeping Computer
Iranian cyberattacks on Israel are unsophisticated, but remain a constant and serious nuisance
FROM THE MEDIA: Iran continues to demonstrate that, while it lags far behind other adversaries like Russia, China and North Korea as a cyber actor, it still has the capacity to be a major nuisance in this sphere. In mid-March, a cyberattack briefly blocked access to several Israeli government websites. Initially described by one source as the largest cyberattack in Israeli history, it turned out to be nothing but an unsophisticated distributed denial-of-service (DDoS) attack, one which may not even have been targeting Israeli government websites specifically. Erez Tidhar, head of the Israeli cyber authority’s Computer Emergency Response Team (CERT), told Haaretz, “This was a routine attack – albeit one with serious volume – but not rare or significant.” While the attack has not been officially attributed to Iran, it is the most likely culprit given the timing, targets and lack of sophistication. Shortly thereafter, Iranian-linked hackers published material allegedly stolen from the hacked phone, apparently old, of Mossad chief David Barnea’s wife. The group is most likely linked to “Moses Staff” which, according to cybersecurity company Cybereason, “leverages cyberespionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear.” The hacking of the old phone is not a security threat, and cybersecurity experts have been warning officials and commentators not to play up what is essentially Iranian trolling, the purpose of which is propagandistic – to make it seem like Iran is capable of effective cyberattacks against Israel. These hacks, leaks and DDoS attacks, in reality, are actually evidence that it probably is not.
READ THE STORY: AIJAC
Items of interest
Ukrinform to organize briefing on cyber threats in wartime (Zoom Meeting)
FROM THE MEDIA: On April 12, at 4 pm, there will be an online briefing on the topic: "Cyber threats in the conditions of war: cyber attacks on Oblenergo of Ukraine" (Zoom).
Organizer: Ukrinform.
Speakers: Farid Safarov - Deputy Minister of Energy for Digital Development, Digital Transformation and Digitization; Victor Zhora - Deputy Head of the State Special Service for Digital Development, Digital Transformations and Digitization.
Event format - online (Zoom)
Journalists will be able to ask questions online through ZOOM
Accreditation of media representatives: pressroomu@gmail.com
Accreditation will last until 15:00 on April 12; to confirm it, indicate the name, surname and title of the publication.
Accredited media will receive links to ZOOM to the specified e-mail.
The event will be broadcast on Ukrinform's YouTube channel: https://www.youtube.com/user/UkrinformTV
READ THE STORY: Ukrinform
Popular NPM package spreads Malware on Purpose (Video)
FROM THE MEDIA: Discussion about the scandal around the widely used JavaScript dependency node-ipc being sabotaged as an act of protest by the maintainer who added malicious code on purpose, risking the destruction of thousands of innocent users' systems.
Anonymous collective breached several Russian companies (Video)
FROM THE MEDIA: Three Russian firms have over 400 GB worth of emails leaked.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com