Wednesday, April 13, 2022 // (IG): BB // Weekly Sponsor: Cloakedentryco
Microsoft says Windows under attack from Chinese threat actors using stealth malware
FROM THE MEDIA: Microsoft is once again sounding the alarm about Hafnium's activities so that users stay informed about the latest malware campaigns and cyber threats. This time, the alert concerns Tarrask, a "defense evasion malware" that abuses the Windows Task Scheduler to hide the fact that a device has been compromised. The attack comes from Hafnium, the state-sponsored, China-based group best known for its involvement in the Microsoft Exchange meltdown of 2021. The data gathered during that ordeal has been speculated to be fuel for AI innovations by the Chinese government. Microsoft is currently tracking Hafnium's activity in novel exploitation of the Windows subsystem. Hafnium uses Tarrask to ensure that compromised PCs remain vulnerable, employing a Windows Task Scheduler bug to cover its tracks and make sure that on-disk artifacts of Tarrask's activity don't stick around to reveal what's going on.
READ THE STORY: Windows Central
Russian Group Sandworm Foiled in Attempt to Disrupt Ukraine Power Grid
FROM THE MEDIA: The attack involved the use of a new version of the Industroyer tool for manipulating industrial control systems. Ukraine's computer emergency response team (CERT-UA), in collaboration with researchers from ESET and Microsoft, last week foiled a cyberattack on an energy company that would have disconnected several high-voltage substations from a section of the country's electric grid on April 8. The attack, by Russia's infamous Sandworm group, involved the use of a new, more customized version of Industroyer, a malware tool that the threat actor first used in Dec. 2016 to cause a temporary power outage in Ukraine's capital Kyiv. In addition to the ICS-capable malware, the latest attack also featured destructive disk-wiping tools for the energy company's Windows, Linux, and Solaris operating system environments that were designed to complicate recovery efforts. The Russian cyber-assault, in the middle of the country's grinding war in Ukraine, has stirred concern about similar attacks on other energy companies in Ukraine and outside the country as well. It prompted CERT-UA to distribute indicators of compromise and other attack artifacts to energy companies in Ukraine and to what it described as a "limited number" of international partners.
READ THE STORY: Dark Reading
ESET Research discovers scheme to steal cryptocurrency from Android and iPhone users
FROM THE MEDIA: ESET Research discovered and traced a sophisticated malicious cryptocurrency scheme that targets mobile devices running Android or iOS (iPhones). Malicious apps are distributed through fake websites mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These fake websites are promoted with ads placed on legitimate sites using misleading articles. Furthermore, the threat actors are recruiting intermediaries through Telegram and Facebook groups to further distribute this malicious scheme. The main goal of the malicious apps is to steal users’ funds, and until now ESET Research has seen this scheme mainly targeting Chinese users. As cryptocurrencies gain popularity, ESET expects these techniques to spread to other markets. Starting in May 2021, our research uncovered dozens of trojanized cryptocurrency wallet apps. This is a sophisticated attack vector, since the malware’s author carried out an in-depth analysis of the legitimate applications misused in this scheme, enabling the insertion of their own malicious code into places where it would be hard to detect while also making sure that such crafted apps had the same functionality as the originals. At this point, ESET Research believes that this is likely the work of one criminal group. “These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network,” says Lukáš Štefanko, the ESET researcher who discovered the scheme. “We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play store,” he adds.
READ THE STORY: Zawya
CISA adds Google, Microsoft and QNAP bugs to exploited vulnerabilities list
FROM THE MEDIA: CISA added eight vulnerabilities to its catalog of exploited bugs on Monday, with each given a remediation date of May 2. All of the issues have patches or updates available except for CVE-2021-27852 – a deserialization of untrusted data vulnerability affecting Checkbox, a digital survey tool. Versions 7 and later of Checkbox Survey are not considered vulnerable to the issue but Version 6 and earlier are end-of-life and must be removed from agency networks, according to CISA. CVE-2022-23176 concerns a privilege escalation vulnerability in WatchGuard Firebox and XTM appliances that allows remote attackers with unprivileged credentials to access the system with a privileged management session via exposed management access. According to Ars Technica, WatchGuard fixed the issue in May 2021 but said they would not share technical details about it in order to keep threat actors from finding it. The vulnerability has a severity rating of 8.8 and WatchGuard faced significant backlash from security researchers because they waited months to give it a CVE. Last week, the vulnerability was implicated in a widespread botnet campaign disrupted by several US law enforcement agencies, bringing into question WatchGuard’s decision to effectively hide the vulnerability until this year. WatchGuard has estimated that the number of infected systems hovered around 250 devices.
READ THE STORY: The Record
China, Russia vying for space dominance, to exploit moon resources
FROM THE MEDIA: With China and Russia seeking to become leading space powers in the near future, Keith Ryder, a senior defense analyst for space and counterspace at the US Defense Intelligence Agency (DIA), warned on Tuesday that Moscow and Beijing plan to explore and exploit the natural resources of the moon and Mars over the next 30 years. "Both nations (China, Russia) seek to broaden their space exploration initiatives together and individually, with plans to explore the moon and Mars during the next 30 years, and if successful, these efforts will likely lead to attempts by Beijing and Moscow to exploit the moon's natural resources," Ryder said during a press briefing. This comes after the US Defense Intelligence Agency published a new report on challenges to security in space that focuses on Russia and China as the main competitors of the United States in this domain. According to this report, Russia and China seek to become leading space powers in the near future. "Beijing and Moscow seek to position themselves as leading space powers, intent on creating new global space norms. Through the use of space and counter-space capabilities, they aspire to undercut US global leadership," the agency said.
READ THE STORY: Business Standard
Russo-Ukrainian War Highlights Cyber Threats to Satellite Communications
FROM THE MEDIA: On February 24, the first day of the Russian invasion of Ukraine, large parts of American satellite company Viasat’s KA-SAT network of high-speed satellite services experienced disruptions resulting in partial network outages throughout Ukraine and several European countries. Tens of thousands of terminals suffered permanent damage and many were still offline more than two weeks later. Viktor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection, described the satellite outage as “a really huge loss in communications in the very beginning of war.” Among others relying on KA-SAT are Ukraine’s military, intelligence, and police units. Other countries were affected too, including Germany, Greece, Hungary, and Poland. Germany acknowledged that approximately 5,800 wind turbines, presumably those remotely operated via a satellite communications (SATCOM) link in central Europe, were knocked offline by the outage. According to SentinelLABS, the turbines themselves were intact but “remote monitoring and control” was impossible due to issues with satellite communications. Additionally, many of Eutelsat's domestic broadband service customers in the affected countries lost Internet access (KA-SAT and its associated ground stations were purchased last year by Viasat from European company Eutelsat, and are operated by a Eutelsat subsidiary). Der Spiegel reported that German government agencies were investigating the incident as a cyberattack carried out through an automatic software update installed at 5 a.m. on February 24—notably coinciding with the beginning of Russia’s invasion of Ukraine.
READ THE STORY: National Interest
Microsoft Disrupts Russian-Backed Cyber Attacks on Ukraine, U.S. Groups
FROM THE MEDIA: Microsoft Corp. said it has disrupted cyberattacks from a group linked to the GRU – Russia’s military intelligence unit – that were targeting Ukrainian entities and media organizations, as well as government institutions and foreign policy think tanks in the United States, according to an April 7 company blog. After observing cyberattack attempts by the GRU-sponsored attack group Strontium, Microsoft was able to obtain a court order and seize seven of the domains that the company had observed Strontium using to carry out these attacks. “We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.” Microsoft said Strontium had also targeted government institutions and think tanks in the European Union. The company said that prior to the latest domain seizure, it had gone through the process of filing for a court order 15 other times, resulting in the total seizure of more than 100 of the group’s domains.
READ THE STORY: Meritalk
U.S. Special Operations Command Hosting Cyber Challenge to Find Edge Security Tech
FROM THE MEDIA: The United States Special Operations Command (SOCOM) is hosting a Security at the Edge Cyber Challenge, with the multiple-phase challenge seeking to identify technologies that are capable of providing security-at-the-edge capabilities, according to a special notice posted on SAM.gov. SOCOM is specifically looking for technologies that can provide edge device endpoint security, cloud security capable of protecting data at the edge, and network edge security within Special Operations Forces (SOF) environments, according to the April 7 notice. “Edge computing devices can take essentially any form and endpoints are everywhere due to the proliferation of Internet of Things (IoT) devices,” SOCOM wrote in the notice. “The SOF Operator needs to ensure they are making decisions based on trusted data and have protections against zero-day attacks.” “The need for protection against advanced persistent threats (APTs), nation state-sponsored cyberattacks, data integrity capabilities, and overall zero trust solutions for the main three components of edge computing devices are critical for the current and future SOF operational environments,” the notice continued. The first phase of the challenge has already been completed, after SOF Works (SOFWERX) held a virtual collaboration event on April 5. The second phase is underway and interested entities can submit their automated edge security technologies to SOCOM until May 6. After that, SOCOM will take from May 9 to May 23 to decide which submissions should be eligible for the July 13 Cyber Challenge event.
READ THE STORY: Meritalk
Satellites to test-fly new cyber software
FROM THE MEDIA: As space systems face growing cyberattacks, the Aerospace Corp. and TriSept Corp. are preparing separate flight tests of software to alert satellite operators to anomalies detected onboard. “One of the major things we want to demonstrate is that you can add security without creating additional risk or significant cost,” said Ryan Speelman, Aerospace’s Information Systems and Cyber Division principal director. Beyond cyber hygiene, which is the day-to-day work organizations perform to secure their networks, Aerospace recommends an approach to satellite security called Defense in Depth. Defense in Depth is an architectural approach that relies on multiple layers of security, including safeguarding supply chains and software development processes, adopting intrusion-detection mechanisms and training employees to be on the lookout for cyber threats. Think of it like an onion. “We will try and stop you at the outer layer, but we assume that you can defeat some protections, and we will continue to try and stop you,” Speelman said. Commercial satellite operators can tailor their Defense in Depth strategies to fit their business models. “Depending on what type of vendor you are and what threats you are susceptible to, you may pick and choose different layers,” he said.
READ THE STORY: Spacenews
Paper Tigers: Proxy Actors Are the True Cyber Threats
FROM THE MEDIA: As the war in Ukraine evolves, a perplexing question remains: why did the world not witness the hybrid warfare projected in Russian doctrine? And further, as the United States has supplied weapons to Ukraine and waged economic warfare against Russia, why hasn’t Putin fought back against the United States in cyberspace? These questions go to the heart of Russia’s capabilities and intentions. Revealing itself to be the paper tiger it has always been, Russia continues to demonstrate its inability to achieve operational success in Ukraine. The latest such event is Russia’s failure to disrupt the Ukrainian power grid a month after the war began. There is a clear disconnect between Russia’s actual abilities and its willingness to wreak havoc, particularly when compared to the dramatic predictions before the war. It is essential to adopt a forward-looking strategy that looks beyond Russia and focuses on the actors that would be willing and able to cause cyber havoc.
READ THE STORY: National Interest
After suspected cyber-attack, OIL says production and drilling unaffected
FROM THE MEDIA: Oil India Limited (OIL) officials have said that the company’s exploration and production work has not been affected by the suspected cyber-attack at its field headquarters in Assam’s Duliajan. Work in some sections of the company’s offices in Duliajan has been hampered following the incident, which was first detected on Sunday afternoon. A police complaint was filed on Tuesday evening. “Thankfully there has been no impact on our production and drilling activities. These activities, which are not heavily reliant on IT resources, are functioning normally,” said Tridiv Hazarika, PRO of the company. “The software which handles the key business functions of OIL in Duliajan, like payments to vendors and contractors, also hasn’t been affected and is functioning as usual,” he added. On Sunday afternoon, some employees who were working noticed that some computers experienced outages. The IT team, which was informed immediately, determined that it was a malware attack and removed the affected computers from the local area network (LAN). “There has been a cyber-attack in which some of our systems and a few servers in the Duliajan office were affected. As a precautionary measure, we are putting some of our systems down and beginning a restoration exercise,” said Hazarika.
READ THE STORY: Hindustan Times
Items of interest
Ukraine Says It Thwarted a Sophisticated Russian Cyberattack on Its Power Grid
FROM THE MEDIA: Ukrainian officials said on Tuesday that they had thwarted a Russian cyberattack on Ukraine’s power grid that could have knocked out power to two million people, raising fears that Moscow will increase its use of digital weapons in a country already pummeled by war. Ukraine’s power grid has been knocked offline twice before, in 2015 and 2016, causing widespread blackouts. Russia has long used online attacks alongside traditional warfare; just days before the Russian invasion began on Feb. 24, Ukraine said a cyberattack hit its Defense Ministry, its army and two of its banks. But experts said the latest hacking — while unsuccessful — was among the most sophisticated cyberattacks they have seen in the war so far. It used a complex chain of malware, including some custom-built to control utility systems, suggesting that Russia had planned the attack over several weeks and intended to maximize the damage by sabotaging computer systems that would be needed to restore the electrical grid. The attack was scheduled to begin on the evening of April 8 as civilians returned home from work, Ukrainian officials said, and could have made it impossible for them to go about their daily lives or gain access to information about the war. The breach targeted several electrical substations in the country, and had it been successful, it would have deprived roughly two million people of electricity and made it difficult to restore power.
READ THE STORY: NYTIMES
FBI says it disrupted Russian hackers (Video)
FROM THE MEDIA: Sandworm is attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU), allegedly a Russian cyber military unit. A botnet is a network of hacked computers that can bombard other servers with rogue traffic. During the court-authorized disruption operation, the malware known as Cyclops Blink was copied and removed from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet. The operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide. Therefore, law enforcement warns victims to take additional steps to remediate the vulnerability and prevent malicious actors from further exploiting unpatched devices. The United States attorney for the Western District of Pennsylvania said: “Such activities are not only criminal but also threaten the national security of the United States and its allies.” In February, an advisory identified Cyclops Blink malware targeting devices manufactured by WatchGuard and Asus.
Oil India limited cyber attack (Video)
FROM THE MEDIA: PSU major Oil India Limited (OIL)'s registered headquarters at Duliajan in Assam's Dibrugarh district is purportedly under a cyber attack, which has led to the company shutting down all its computers and IT systems at the office, a company spokesman said on Tuesday. The systems have been shut down since Monday and efforts are on to resolve the issue, OIL spokesperson Tridiv Hazarika said. "We have been forced to withdraw all our computer systems from LAN connection after it came to our knowledge that three to four computers were hit by a virus Monday." No computer at the headquarters now has access to internet connectivity, he said.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com