Daily Drop (106)
Saturday, April 16, 2022 // (IG): BB // Weekly Sponsor: Philly Tech Club
Can Russia and the West Avoid a Major Cyber Escalation?
FROM THE MEDIA: Since the beginning of the war in Ukraine, many experts and cybersecurity agencies have issued warnings about possible Russian cyberattacks against critical infrastructure. So far, this threat has not materialized, although there have been attempted attacks. Additionally, many pro-Ukrainian and pro-Russian hacktivists and cybercriminals have aligned themselves with the warring parties. These non-state actors have engaged in indiscriminate cyber operations against organizations associated with “the enemy,” including Western companies such as Nestlé. At the same time, Russia has announced that it will respond to this “cyber aggression” by the “collective West.” This raises the question of whether the cyber conflict surrounding the Russo-Ukrainian war will escalate. Moreover, is it possible that cyber operations will cross the conventional threshold and draw NATO directly into the conflict? Escalation dynamics are often described in terms of a ladder, where certain activities either escalate up the ladder or de-escalate down it. Escalation can also widen in scope, for example by opening up new theaters of war. Analyzing over 300 cyber incidents collected during the war in Ukraine, two preliminary conclusions can be drawn regarding escalation in the cyber domain. First, most cyber operations seem to have occurred in the first three weeks of the war, with the tempo slowing down somewhat in early April. The majority of visible cyber operations were website defacement attacks, distributed denial of service (DDoS) attacks, and hack-and-leak operations. However, the impact of most of these attacks has been rather limited. Most of this activity is conducted by hacktivists who go after vulnerable targets. Once this low-hanging fruit is exploited, however, cyber actors have to turn to more secure targets, which slows down operational speed.
READ THE STORY: National Interest
The FBI Disrupted Russian GRU Botnet Malware Through a Court Order Before It Could Be Weaponized
FROM THE MEDIA: The Federal Bureau of Investigation (FBI) said it shut down a Russian GRU botnet malware through a court-authorized operation before it could be weaponized. The botnet targeted Firebox firewall hardware from WatchGuard Technologies, used by many small and midsized businesses. The DOJ said the operation involved copying and removing “malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.” U.S. Attorney General Merrick Garland also disclosed that US authorities worked with WatchGuard to analyze the malware, remove it before it could be used, and create detection and remediation techniques. The FBI said the botnet used the Cyclops Blink malware associated with the Sandworm (also known as Voodoo Bear) team. The group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). “This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses,” FBI Director Christopher Wray said in a press statement.
READ THE STORY: CPO Magazine
Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector
FROM THE MEDIA: The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity's Ronin Network last month. On Thursday, the Treasury tied the Ethereum wallet address that received the stolen funds to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals (SDN) List. "The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK's use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime," the intelligence and law enforcement agency said in a statement. The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins on March 23, 2022, from the Ronin cross-chain bridge, which allows users to transfer their digital assets from one crypto network to another. "The attacker used hacked private keys in order to forge fake withdrawals," the Ronin Network explained in its disclosure report a week after the incident came to light.
READ THE STORY: The Hacker News
GitHub: Attacker breached dozens of orgs using stolen OAuth tokens
FROM THE MEDIA: GitHub revealed today that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories. Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku- and Travis-CI-maintained OAuth apps, including npm. "The applications maintained by these integrators were used by GitHub users, including GitHub itself," Mike Hanley, Chief Security Officer (CSO) at GitHub, revealed today. "We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats." "Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure."
READ THE STORY: Bleeping Computer
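The GitHub item above describes the attacker mining downloaded repository contents for secrets that allow a pivot into other infrastructure. The defensive counterpart is to find such secrets in your own repositories before anyone else does. The following is an added example, not code from GitHub, Heroku, Travis-CI or the article: a small scanner that walks constructed file contents, matches two real token formats (GitHub personal access tokens prefixed `ghp_`, AWS access key IDs prefixed `AKIA`) plus a generic `password=`/`token=` assignment pattern, and uses Shannon entropy to separate a likely real credential from a placeholder such as `changeme`. The sample files, the rule thresholds and the confidence labels are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample of repository contents for the example; not taken from any real repository.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "GITHUB_TOKEN = 'ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123'\n"
        "LOG_LEVEL = 'info'\n"
    ),
    ".env.example": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
        "DB_PASSWORD=changeme\n"
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
}

# Rules are tried in order; the first rule that matches a line wins, so a GitHub
# token assigned to a variable named TOKEN is reported once, not twice.
# Group 1 of each regex captures the candidate secret itself.
RULES = [
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),            # real ghp_ format
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),        # real AKIA format
    ("generic_assignment", re.compile(                                   # heuristic, assumed
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})")),
]

# Assumed threshold: values below this entropy (bits per character) are usually
# placeholders or dictionary words rather than generated credentials.
LOW_ENTROPY_BITS = 3.0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only a short prefix so findings can be reported without re-leaking the value."""
    return secret[:4] + "..." + f"({len(secret)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return one finding per matching line of `text`, tagged with a confidence label."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            entropy = shannon_entropy(value)
            # Format-specific rules are high confidence on their own; the generic
            # assignment rule is downgraded when the value looks like a placeholder.
            if rule == "generic_assignment" and entropy < LOW_ENTROPY_BITS:
                confidence = "low"
            else:
                confidence = "high"
            findings.append({
                "path": path,
                "line": lineno,
                "rule": rule,
                "entropy": round(entropy, 2),
                "confidence": confidence,
                "redacted": redact(value),
            })
            break  # stop at the first matching rule for this line
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents and return all findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']} {finding['rule']} "
              f"confidence={finding['confidence']} entropy={finding['entropy']} {finding['redacted']}")
```

Running the block prints three findings: the GitHub token and the AWS key ID at high confidence, and the `DB_PASSWORD=changeme` line at low confidence because its entropy (2.75 bits per character) is below the threshold. The entropy filter is a triage aid, not a guarantee; a short real password can score low, so a low-confidence finding still deserves a look.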
How vx-underground is building a hacker’s dream library
FROM THE MEDIA: I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, “Well, if you miss it so much, why don’t you make your own?” I thought this was a good idea — why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development; I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts; I had been a “lone wolf” for nearly a decade at this point — I was a “nobody.” However, I decided this shouldn’t be a restraining factor, so I bought some random bullshit hosting, purchased the domain name ‘vx-underground’ and got to work. I officially made vx-underground in May 2019. I had no success really; I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.
READ THE STORY: The Record
Haskers Gang Gives Away ZingoStealer Malware to Other Cybercriminals for Free
FROM THE MEDIA: A crimeware-related threat actor known as Haskers Gang has released an information-stealing malware called ZingoStealer for free, allowing other criminal groups to leverage the tool for nefarious purposes. "It features the ability to steal sensitive information from victims and can download additional malware to infected systems," Cisco Talos researchers Edmund Brumaghin and Vanja Svajcer said in a report shared with The Hacker News. "In many cases, this includes the RedLine Stealer and an XMRig-based cryptocurrency mining malware that is internally referred to as 'ZingoMiner.'" But in an interesting twist, the criminal group announced on Thursday that ownership of the ZingoStealer project is changing hands to a new threat actor, in addition to offering to sell the source code for a negotiable price of $500. Since its inception last month, ZingoStealer is said to have been under consistent development and deployed specifically against Russian-speaking victims by packaging it as game cheats and pirated software. Haskers Gang has been active since at least January 2020. Besides harvesting sensitive information such as credentials, stealing cryptocurrency wallet information, and mining cryptocurrency on victims' systems, the malware leverages Telegram both as an exfiltration channel and as a platform to distribute updates.
READ THE STORY: The Hacker News
HHS/OCR Seeks Comment on Scope and Implementation of “Recognized Security Practices”
FROM THE MEDIA: On April 6, the U.S. Department of Health and Human Services, Office for Civil Rights (HHS/OCR) called for public comment on an existing statutory provision that provides a safe harbor for entities that have voluntarily implemented “recognized security practices” as part of their compliance with the Health Insurance Portability and Accountability Act (HIPAA). The scope of the safe harbor has practical and legal consequences for HIPAA-regulated entities subject to enforcement actions, audits, and fines from HHS. In 2021, Congress passed the HIPAA Safe Harbor Act, Public Law 116-321 (Safe Harbor Act), which requires the HHS secretary to consider whether an entity has “recognized security practices” in place when determining fines, audits, and remedies for potential HIPAA violations. Covered entities and business associates that can demonstrate compliance with recognized security practices for the 12 months prior to an audit or investigation may benefit from lower financial penalties and reduced scrutiny by the agency. Furthermore, the law does not give HHS the authority to increase fines or extend an audit should an entity be found “out of compliance” with recognized security practices. In essence, the law incentivizes regulated entities to follow industry-standard best practices when it comes to information security.
READ THE STORY: JDSUPRA
Microsoft intercepts ransomware-spreading botnet
FROM THE MEDIA: Microsoft has taken yet another action against cybercriminals, this time to dismantle the ZLoader botnet infrastructure. The ZLoader malware infected thousands of organizations, primarily in the US, Canada, and India, and is known for distributing Conti ransomware. Microsoft has now received a court order from the US District Court for the Northern District of Georgia allowing it to seize 65 domains that the ZLoader gang was using for command and control (C&C) of its botnet, which is built from malware that infects businesses, hospitals, schools, and homes. These domains now point to a Microsoft sinkhole outside the control of the ZLoader gang. Microsoft also gained control of the domains that ZLoader used for its domain generation algorithm (DGA), which automatically creates new domains for the botnet’s C2. Microsoft led the action against ZLoader in partnership with researchers from ESET, Lumen’s Black Lotus Labs, and Palo Alto Networks’ Unit 42; Avast also assisted Microsoft’s Digital Crimes Unit (DCU) with the European investigation. According to ESET, ZLoader had approximately 14,000 unique samples and over 1,300 unique C&C servers. Microsoft acknowledges that ZLoader is not finished and is also working with ISPs to identify and remove infections on affected systems. The matter has also been referred to law enforcement.
READ THE STORY: Sprout Wired
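The ZLoader item above mentions the botnet's domain generation algorithm (DGA), which continually produces new C2 domain names so that seizing any fixed list of domains is never quite enough. Defenders can take advantage of the same property: algorithmically generated names tend to look nothing like human-chosen ones. The following is an added example, not code from Microsoft, ESET or the article: a heuristic that parses constructed DNS query log lines, extracts the registrable label of each queried name, and flags labels that are long, high-entropy and nearly vowel-free, then counts flagged queries per client so a host generating many such lookups stands out. The log format, the thresholds and the sample names are assumptions made for the example; the heuristic does not know any real ZLoader DGA and will produce false positives on legitimate generated names such as CDN hostnames.

```python
import math
from collections import Counter

# Constructed DNS query log: "<timestamp> <client ip> <queried name>". Not real telemetry;
# the two random-looking names were made up for the example.
SAMPLE_LOG = """\
2022-04-12T09:01:02Z 10.0.0.15 www.example.com
2022-04-12T09:01:05Z 10.0.0.15 xk2r9qv7mzp4ht1c.com
2022-04-12T09:01:06Z 10.0.0.15 qzvptxbrwsgdklmn.net
2022-04-12T09:01:09Z 10.0.0.22 mail.example.org
2022-04-12T09:01:11Z 10.0.0.15 cdn-assets.example.net
"""

VOWELS = set("aeiou")

# Assumed thresholds for the heuristic; tune against your own baseline traffic.
MIN_LABEL_LENGTH = 10      # short labels are too ambiguous to judge
MIN_ENTROPY_BITS = 3.5     # bits per character of the label
MAX_VOWEL_RATIO = 0.2      # natural-language labels usually have far more vowels
MAX_CONSONANT_RUN = 5      # five or more consecutive consonants is rare in real words


def parse_log(text: str) -> list:
    """Split log lines into (timestamp, client, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2].lower().rstrip(".")))
    return records


def registrable_label(qname: str) -> str:
    """Return the label directly under the TLD, e.g. 'example' for 'www.example.com'.
    Multi-part public suffixes such as co.uk are not handled here (assumption for the example)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_features(label: str) -> dict:
    """Compute the lexical features the heuristic scores a label on."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(label)) if label else 0.0
    longest_run = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": longest_run,
    }


def looks_like_dga(label: str) -> bool:
    """True when the label is long, high-entropy and either vowel-poor or consonant-heavy."""
    f = domain_features(label)
    return (
        f["length"] >= MIN_LABEL_LENGTH
        and f["entropy"] >= MIN_ENTROPY_BITS
        and (f["vowel_ratio"] < MAX_VOWEL_RATIO or f["longest_consonant_run"] >= MAX_CONSONANT_RUN)
    )


def find_suspicious(text: str) -> list:
    """Return one record per log line whose queried name looks algorithmically generated."""
    hits = []
    for timestamp, client, qname in parse_log(text):
        label = registrable_label(qname)
        if looks_like_dga(label):
            hits.append({"timestamp": timestamp, "client": client, "qname": qname,
                         "features": domain_features(label)})
    return hits


def suspicious_clients(text: str) -> Counter:
    """Count flagged queries per client; a single host with many hits is the usual DGA signature."""
    return Counter(hit["client"] for hit in find_suspicious(text))


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} {hit['qname']} "
              f"entropy={hit['features']['entropy']:.2f}")
    print("flagged queries per client:", dict(suspicious_clients(SAMPLE_LOG)))
```

On the sample log the two made-up names are flagged and both come from `10.0.0.15`, while `example`, `mail` and `cdn-assets` pass. In practice this lexical score is combined with other signals the article's context implies, such as a burst of NXDOMAIN responses from one host as the malware cycles through candidate domains until one resolves, and with an allow-list of known generated-but-legitimate names before anything is acted on.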
Shady apps reach Apple Mac users, won’t let them quit unless paid
FROM THE MEDIA: Shady apps have reached Apple Mac computers using pop-ups, and scammers are making it difficult for Mac users to quit an app without paying outrageous subscription prices. According to The Verge, scammy apps have made their way through the App Store without Apple noticing, despite a stringent App Review process in place to keep users safe from bad apps. Scam app hunter and developer Kosta Eleftheriou saw one such app called ‘My Metronome’ that locks up and won’t let users quit it until they agree to a $9.99 per month subscription. “This App Store app immediately asks you for money and then disables the ‘Quit’ option so that you can never close it! And it’s been like that on the App Store for years!,” Eleftheriou tweeted. “This app literally locks your machine until you pay the fee. It is almost ransomware. No way to report it,” tweeted Edoardo Vacchi, who first discovered the app. ‘My Metronome’ has now been removed from the App Store. Another developer, Jeff Johnson, discovered that the firm behind the My Metronome app, Music Paradise, is connected to another App Store developer, Groove Vibes. “The privacy policies listed on both developers’ websites say they’re registered at the same address, and both mention the same legal entity, Akadem GmbH,” the report noted. “Apple has let plenty of other scammy apps that flagrantly break its rules slip through the cracks,” it added.
READ THE STORY: Siasat
Russia’s Crypto Regulation is Advancing But There is a Catch
FROM THE MEDIA: Russia’s Ministry of Finance is heading closer to finalizing the bill on the mining and circulation of digital assets. As per coverage by Kommersant, the bill contains a comprehensive regulatory framework and, for the first time, deals with mining at length. Kommersant revealed that the current version of the Ministry of Finance’s draft law “On digital currency” prescribes the rules for trading and mining such assets. The authenticity of the document was confirmed by two Kommersant sources close to the industry. The Ministry of Finance did not immediately provide a comment. As for its contents, the draft establishes a number of aspects such as the terminology associated with digital currency, the legal framework for its circulation, issuance, and so forth. Additionally, the document introduces a large number of stringent requirements for identification, accounting, and certification. Sources close to the industry sought to dispel fears by saying that these requirements will not affect operations with cryptocurrency outside the Russian information infrastructure. However, Sergei Mendeleev, CEO of InDeFi Smart Bank, feels that the interpretation of the latter aspect is confusing. He cited the example of the Tether website, which states that it “does not have an obligated person, but Russian law enforcers believe that it is Tether LTD.” Apart from that, the document allows only domestic legal entities to carry out the role of both operators. Foreign crypto exchanges, in order to obtain a license to operate in the Russian Federation, must create a business entity. While many experts hailed the move, believing that the document would provide new opportunities for miners looking for a way out of “the gray zone,” others feel that this would instead push investors to the black market.
The concerns raised hold weight to a certain extent as Russia is known for its high-profile illegal market and has grabbed attention lately due to the current geopolitical situation.
READ THE STORY: Tron Weekly
Why Art Buyers Fear Their Information is a Cyber Risk When Sharing Their ID Documents Via Email
FROM THE MEDIA: For auctioneers like Christie’s and Sotheby’s, this is business as usual. Major auction houses have been asking for ID and proof of address documents for decades. For UK, EU and US galleries, however, new regulations mean they need to do the same. In the UK the regulations are unavoidable. Since being announced in January 2020, businesses are required to comply for all relevant sales above €10,000. This entails taking receipt of information about the buyer, building a report, and storing this information for a minimum of 5 years. This comes as a surprise to art buyers, who are now being asked to share sensitive information about themselves when they previously didn’t have to. Among this sensitive information are their ID documents (such as a passport or driving license) and proof of address (a utility bill or similar). Naturally, art buyers are skeptical about the systems and processes a gallery has in place to ensure the safety of their information in an increasingly volatile online environment where phishing scams and cyber-attacks are a constant threat and becoming all too common. “We hear horror stories about how art businesses are handling this information on a daily basis, including questions from buyers about where and how the information will be stored,” said Matthew Whiteley, Head of Product at art market due diligence platform Arcarta. “Galleries must focus on doing what they do best, dealing in works of art. There are services available that can take the work of data security and infrastructure off of their shoulders. It is completely unrealistic to think that gallery staff become experts in data security and encryption overnight to safeguard the information they are now legally required to store.”
READ THE STORY: Digital Journal
Items of interest
CIA Chief Addresses Dual Threat of China, Russia in Georgia Tech Speech
FROM THE MEDIA: In a Thursday speech at Georgia Tech, Central Intelligence Agency Director William Burns called China a “silent partner” in Russia’s war against Ukraine and outlined how the spy agency is enhancing its commitment to innovation to address new challenges in a world undergoing rapid technological change. In his first public speech since being appointed spy chief just over a year ago, Mr. Burns denounced Russia’s “raw brutality” and the “cruel pain and damage” it has inflicted upon the Ukrainian people. Last November, President Joe Biden sent the CIA Director to Moscow to dissuade Russian President Putin from attacking Ukraine. “I was troubled by what I heard,” said Mr. Burns, who served 33 years in the U.S. diplomatic service before taking up his new post. “While it did not yet seem that he had made an irreversible decision to invade Ukraine, Putin was defiantly leaning in that direction, apparently convinced that his window was closing for shaping Ukraine’s orientation.” Mr. Burns recounted how Putin seemed “convinced that this winter offered a favorable landscape.” In Putin’s view, Ukrainian President Volodymyr Zelensky and the Ukrainians were unlikely to put up effective resistance; the Russian military seemed capable of a quick and decisive victory at low cost; the U.S.’s European allies appeared distracted by their internal politics and were risk averse; and the Russian economy would be resistant to sanctions due to its large foreign currency reserves.
READ THE STORY: Global Atlanta
Are governments and legislation ready for the new era of cyber threats? (Video)
FROM THE MEDIA: Smile FM speaks to GoldPhish CEO Dan Thornton on whether governments and legislation are equipped and ready for the new era of cyber threats.
Spring4Shell Patches Released; Hydra Is Beheaded (Video)
FROM THE MEDIA: The blackmarket site Hydra is beheaded, Spring4Shell patches are available, and CashApp discloses a data breach! All that coming up now on ThreatWire. #threatwire #hak5 Weekly security and privacy news, brought to you by Shannon Morse. ThreatWire is a weekly news journalism show covering cybersecurity topics for network admins, information security professionals, and consumers.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at email@example.com