Thursday, April 14, 2022 // (IG): BB // Weekly Sponsor: Philly Tech Club
Leaked documents show notorious ransomware group has an HR department, performance reviews and an ‘employee of the month’
FROM THE MEDIA: A Russian group identified by the FBI as one of the most prolific ransomware groups of 2021 may now understand how it feels to be the victim of cyber espionage. A series of document leaks reveal details about the size, leadership and business operations of the group known as Conti, as well as what’s perceived as its most prized possession of all: the source code of its ransomware. Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years. In its “Internet Crime Report 2021,” the FBI warned that Conti’s ransomware was among “the three top variants” that targeted critical infrastructure in the United States last year. Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors,” the bureau said.
READ THE STORY: CNBC
How TikTok is being used as propaganda machinery during wartime
FROM THE MEDIA: A dancing and lip-syncing app which served as a comfort source during the pandemic has now turned into a platform spreading major misinformation about the ongoing Russia-Ukraine war. When the Russia-Ukraine war started on February 20th, TikTok was bombarded with triggering videos of the war. TikTok has become a wartime sensation. Ukraine President Volodymyr Zelensky himself appealed to influencers to stop the war. TikTok as a platform easily became the source of spreading misinformation. According to the director of the Stanford Internet Observatory, Alex Stamos, it is difficult to identify fake videos and remove them from the platform. No one has been spared from watching the atrocities of war posted on TikTok and there has been an increase in interaction with triggering content. The Russia-Ukraine war has been declared a “TikTok war” by several international newspapers and experts, thereby offering insight into how the war is beyond the domain of reality and influenced deeply by virtual social networking platforms.
READ THE STORY: Modern Diplomacy
India’s second largest government-owned hydrocarbon producer hit by a major cyberattack, hackers demand 196 bitcoins in ransom
FROM THE MEDIA: The state-run Oil India Limited (OIL) has been hit by a major cyberattack that has compromised some of the servers of the company. The ransomware attack has hit the company’s headquarters in Assam. According to media reports, the hackers have demanded 196 bitcoins as ransom. At the current prices (approx. ₹31.35 lakh per bitcoin), that is a little more than ₹61 crore. According to a statement from the company’s spokesperson Tridiv Hazarika, while the breach is serious and the virus is severe, the company has disabled the affected systems as a precautionary measure. This should help the company prevent the virus from spreading to other servers, especially when the vector used for the cyberattack is still under investigation. Hazarika also added that the cyberattack has not had any impact on the company’s day-to-day operations so far and that the drilling activities are ongoing without any interruptions.
READ THE STORY: Business Insider
Taiwan, China square off over chip tech espionage laws
FROM THE MEDIA: Trouble is brewing over moves by Taiwan to prevent China from gaining access to its chip technology, as the island nation proposes tougher laws to deter the leaking of trade secrets outside the country. China has reportedly hit back after Taiwanese Premier Su Tseng-chang called this week for a speedier introduction of legislation designed to protect the local semiconductor industry from what it sees as Chinese industrial espionage. These efforts by Taiwan to prevent Chinese companies from acquiring chip secrets and poaching key talent were denounced as a "provocative smear". Changes to Taiwanese law were proposed in February when its Parliament, the Executive Yuan, approved draft amendments to Taiwan's National Security Act. As The Register reported at the time, these would introduce two new crimes, one of "economic espionage" and another of "extraterritorial use of national core technology trade secrets", which would carry jail sentences of 12 years and 10 years respectively. The laws would also require workers or organizations involved with things deemed critical national technologies to seek Taiwanese government approval before travelling to mainland China, or face steep fines.
READ THE STORY: The Register
U.S.-NATO role in the cyber conflict and Taiwan to confront China after the Ukraine war
FROM THE MEDIA: The tension between the United States of America and China does not depend only on geopolitical issues, especially in Taiwan and the South China Sea, as other issues, such as electronic security and cyber technology, are among the most prominent manifestations of tension between the two countries as well and cast a shadow on other features of political and economic competition and strategy between the two sides. The United States of America accused China of being behind several electronic attacks and massive data breaches targeting American institutions and economic entities. Therefore, the United States of America linked this with opposition to China’s leadership in the communication technology of Chinese G5 networks. Therefore, it is expected that the US will continue to seek to limit Chinese technology markets and isolate them from the rest of the world, especially with Washington continuing to put obstacles in the way of Chinese companies obtaining industrial components and important American-made devices. The United States of America has already begun to implement stricter restrictions on technology transfer to China, so expectations indicate that more American restrictions will be imposed on China.
READ THE STORY: Modern Diplomacy
Supply chain attacks are becoming less sophisticated – which means more risk for businesses
FROM THE MEDIA: A supply chain cyber-attack targets an organization’s third-party supplier, rather than trying to hack its network directly. One of the biggest and most sophisticated supply chain attacks to date was the 2020 SolarWinds attack, where the threat actor gained access to over 30,000 public and private organizations by breaching the SolarWinds IT management software they were all using. There is one simple reason that supply chain attacks are so difficult to identify and prevent: trust. Supply chain attacks take advantage of the knowledge that we inherently trust our vendors and third parties. We don’t always have visibility into who the weakest link in our business ecosystem might be. We don’t question an update that arrives with a strategic partner’s digital signature attached, as we have no reason to suspect that trusted services are compromised. Not all supply chain attacks are created equally. Some, like the recent Okta cyber-attack, may not even have been intended as supply chain attacks. However, in our hyper-connected world, an attack on one vendor can easily become an attack on its entire ecosystem – wreaking havoc on partners, third parties, and customers.
READ THE STORY: Geek Time
Windows under attack from Chinese threat actors: Microsoft
FROM THE MEDIA: The attack comes from Hafnium, the state-sponsored, China-based group that users may recall to be a big deal because of its involvement in the Microsoft Exchange meltdown of 2021. Tech giant Microsoft has alerted users about the latest malware campaigns and cyber threats and informed them that China-based state-sponsored threat actor group Hafnium is stirring the pot once again. According to Windows Central, this time, the alert is for Tarrask, a “defense evasion malware” that uses Windows Task Scheduler to hide a device’s compromised status from itself. “As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors,” the company said in a blogpost.
READ THE STORY: Siasat
US agencies: Industrial control system malware discovered
FROM THE MEDIA: Multiple U.S. government agencies issued a joint alert Wednesday warning of the discovery of a suite of malicious cyber tools created by unnamed advanced threat actors that are capable of sabotaging the energy sector and other critical industries. The public alert from the Energy and Homeland Security Departments, the FBI and National Security Agency did not name the actors or offer details on the find. But their private sector cybersecurity partners said the evidence suggests Russia is behind the industrial control system-disrupting tools — and that they were configured to initially target North American energy concerns. One of the cybersecurity firms involved, Mandiant, called the tools “exceptionally rare and dangerous.” In a report, it said the tools’ functionality was “consistent with the malware used in Russia’s prior physical attacks,” though it acknowledged that the evidence linking it to Moscow is “largely circumstantial.” The CEO of another government partner, Robert M. Lee of Dragos, agreed that a state actor almost certainly crafted the malware, which he said was configured to initially target liquefied natural gas and electric power sites in North America. Lee referred questions on the state actor’s identity to the U.S. government and would not explain how the malware was discovered other than to say it was caught “before an attack was attempted.” “We’re actually one step ahead of the adversary. None of us want them to understand where they screwed up,” said Lee. “Big win.” The Cybersecurity and Infrastructure Security Agency, which published the alert, declined to identify the threat actor.
READ THE STORY: WWNYTV
OldGremlin ransomware deploys new malware on Russian mining org
FROM THE MEDIA: OldGremlin, a little-known threat actor that uses its particularly advanced skills to run carefully prepared, sporadic campaigns, made a comeback last month after a gap of more than one year. The group distinguishes itself from other ransomware operations through the small number of campaigns - fewer than five since early 2021 - that target only businesses in Russia, and through the use of custom backdoors built in-house. Despite being less active, which may suggest that the ransomware business is closer to moonlighting, OldGremlin has demanded ransoms as high as $3 million from one of its victims. The most recent OldGremlin activity consists of two phishing campaigns launched towards the end of March 2022. It is too early to assess how many companies were targeted, but security researchers say that at least one Russian company in the mining sector is on the victim list. The adversary did not steer away from its previously observed tactic to obtain initial access and took advantage of trending news topics. Security researchers at Singapore-based cybersecurity company Group-IB say that this time OldGremlin impersonated a senior accountant at a Russian financial organization warning that the recent sanctions imposed on Russia would suspend the operations of the Visa and Mastercard payment processing systems.
READ THE STORY: Bleeping Computer
DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii
FROM THE MEDIA: Federal agents in Honolulu last week “disrupted” an apparent cyberattack on an unnamed telecommunication company’s servers associated with an underwater cable responsible for internet, cable service and cell connections in Hawaii and the region, the agency said in a statement Tuesday. Hawaii-based agents with Homeland Security Investigations, an arm of the Department of Homeland Security, received a tip from their mainland HSI counterparts that led to the disruption of a “significant breach involving a private company’s servers associated with an undersea cable.” The investigation revealed that “an international hacking group” was behind the attack, and “HSI agents and international law enforcement partners in several countries were able to make an arrest.” The statement did not identify the type of cyberattack alleged to have occurred, the hacking group responsible, the other law enforcement agencies or where any arrests took place. No damage or disruption occurred, and there is no immediate threat, the statement said. John Tobon, HSI’s special agent in charge in Hawaii, told a local news station that investigators found that the attackers had obtained credentials that allowed access to an unnamed company’s systems.
READ THE STORY: Cyberscoop
INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems
FROM THE MEDIA: In early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools—which we call INCONTROLLER—built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction. INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010. To help asset owners find and defend against INCONTROLLER, we have included a range of mitigations and discovery methods throughout this report. As future modifications to these tools are likely, we believe behavior-based hunting and detection methods will be most effective.
READ THE STORY: Mandiant
Items of interest
Report gauges cyber readiness of German, British and French government agencies and CI providers
FROM THE MEDIA: NATO survey respondents identify software supply chain and cybersecurity skills shortages as key challenges; cyber defense coordination and threat data sharing identified as areas of opportunity for government leadership. Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), has released a global Cyber Readiness Report gauging technology adoption and perceptions of government cybersecurity leadership related to cybersecurity standards and the cooperation between the public and private sectors. The Trellix report shows 87% of respondents from NATO countries of Germany, France and the UK believe formalized, government-led initiatives can play an important role in improving their nations’ protection against cyberthreats. Respondents from these countries see opportunities for improvement in their partnerships with government in areas such as cyber defense coordination, threat information sharing and software supply chain integrity. The study, based on research conducted globally by Vanson Bourne, surveyed 900 cybersecurity professionals from organizations with 500 or more employees, including 200 respondents in the three European NATO countries of Germany, the UK and France. “Global tensions and cyber-warfare incidents in Ukraine sharpen our focus on the cyber-readiness of government and critical infrastructure,” said Bryan Palma, CEO of Trellix. “Our report assesses the progress of new technology implementation, like XDR. It also identifies areas of opportunity for stronger public-private partnerships, where increased coordination will keep us ahead of our adversaries.”
READ THE STORY: Intelligent CIO
Anonymous breached Russian government institutions (Video)
FROM THE MEDIA: Anonymous leaked 700 GB of Russian government data.
Powergrid attacks, DDoS, and doxing in a hybrid war. Notes on botnets, and a threat actor changes (Video)
FROM THE MEDIA: Industroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration. Sanctions evasion is serious business.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com