Monday, April 18, 2022 // (IG): BB // Weekly Sponsor: Philly Tech Club
New Hacking Campaign Targeting Ukrainian Government with IcedID Malware
FROM THE MEDIA: The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new wave of social engineering campaigns delivering IcedID malware and leveraging Zimbra exploits with the goal of stealing sensitive information.
Attributing the IcedID phishing attacks to a threat cluster named UAC-0041, the agency said the infection sequence begins with an email containing a Microsoft Excel document (Мобілізаційний реєстр.xls or Mobilization Register.xls) that, when opened, prompts the users to enable macros, leading to the deployment of IcedID.
The information-stealing malware, also known as BokBot, has followed a similar trajectory to that of TrickBot, Emotet, and ZLoader, evolving from its earlier roots as a banking trojan to a full-fledged crimeware service that facilitates the retrieval of next-stage implants such as ransomware.
READ THE STORY: The Hacker News
Russian hacking group compromised U.S. power companies
FROM THE MEDIA: The Biden administration is warning about the potential for Russian cyberattacks on American soil, and in newly unsealed indictments, the Justice Department has released details about cyberattacks it says Russians have launched in the past.
"The Russians pose a serious and persistent threat," Deputy Attorney General Lisa Monaco told correspondent Bill Whitaker for a report on 60 Minutes this week. "It is very much the type of activity that we are warning about today when it comes to Russia's response to the world's response to the horror in Ukraine."
Between 2012 and 2017, the Justice Department says, three Russian intelligence agents and accomplices targeted the energy sector, hacking hundreds of companies and organizations around the world. Russian hackers also managed to get inside the computer network at a nuclear power company in Kansas, the indictment says.
READ THE STORY: CBS News
Beanstalk Hacker Steals $76M in Flash Loan Exploit
FROM THE MEDIA: Beanstalk, a credit-based stablecoin protocol built on Ethereum, is the latest DeFi project to suffer a major exploit.
An attacker used a flash loan exploit to drain the protocol’s funds early Sunday. Etherscan data shows that they leveraged Aave’s flash loan feature to withdraw liquidity from the protocol and then used Uniswap to trade DAI, USDC, and USDT for Ethereum. They got away with 24,830 Ethereum worth around $76 million at current prices, but the protocol’s losses are estimated to be much higher. They’ve already started siphoning the funds through the Ethereum mixer Tornado Cash to obfuscate their transaction history.
The blockchain security firm PeckShield first posted details of the attack on Twitter shortly after it occurred. Beanstalk, meanwhile, has not yet posted an official statement. Crypto Briefing reached out to both Beanstalk and PeckShield but had not received a response at press time.
READ THE STORY: Crypto Briefing
Crypto Fund Founder Warns Industry on North Korean Cyber Attacks
FROM THE MEDIA: Fifteen signatures of Iridium satellite phones, used by the US-led allied forces in Afghanistan, and Wi-Fi-enabled thermal imagery devices that help a terrorist to escape security cordons especially during night have been found in the militancy-hit Kashmir valley, officials here said on Sunday.
They said some of the signatures of Iridium satellite phones have been found in cyber space since February. It started from North Kashmir and now there have been some spots in parts of South Kashmir as well, they said.
These satellite phones could be part of the consignment dumped by the allied forces while leaving Afghanistan or may have been snatched by the Taliban or terrorists fighting there, the officials said.
They said there is no need to panic as the movement of these phones was being specially monitored and those using them would definitely be in custody soon or get neutralized, the officials said.
READ THE STORY: Bloomberg
Rideau Hall cyberbreach was ‘sophisticated’ incident, internal documents show
FROM THE MEDIA: Newly disclosed documents reveal the breach of an internal computer network at Rideau Hall was described to senior government officials as a “sophisticated cyber incident” in the days before the public was told of the security lapse.
Internal government emails, obtained by The Canadian Press through the Access to Information Act, also say officials were “unable to confirm the full extent of the information that was accessed.”
As a result, the Office of the Secretary to the Governor General was looking to make credit monitoring services available to employees due to concerns that sensitive personal information might have been pilfered.
READ THE STORY: Global News
Russia-backing Conti claims Nordex cyber attack
FROM THE MEDIA: Conti, a ransomware group siding with Russia, last week said it was responsible for the cyberattack on Nordex SE (ETR:NDX1) at the end of March.
The German wind turbine maker was hit by a cyber security incident on March 31. It shut down IT systems across multiple locations and business units and took measures to contain the issue. In a recent update Nordex said the incident had been limited to the internal IT infrastructure and had not spread to any third-party assets.
According to the latest Crypto Crime Report, Conti was the biggest ransomware strain in 2021, in terms of revenue. It collected at least USD 180 million (EUR 165.5m) from victims. Conti operates using the ransomware-as-a-service (RaaS) model and mainly targets large companies.
When Russia invaded Ukraine, Conti declared full support for the Russian government. Soon after that a Ukrainian IT specialist leaked thousands of files, chat logs and data from Conti, including evidence suggesting that Conti operatives were in contact with the Russian government, including the main internal security service – the FSB.
READ THE STORY: Renewables Now
Indian operator hit by cyberattack
FROM THE MEDIA: An investigation is under way after state-owned Oil India Limited (OIL) was the victim of a cyberattack and hit with a multi-million dollar ransom.
The Indian operator is working to restore its affected computing systems although no production or drilling activities have been affected.
The cyberattack, which disrupted operations at OIL’s assets in Assam, came with a ransom demand of US$7.5 million (upwards of 57 crore Indian rupees) in cryptocurrency.
OIL spokesperson Tridiv Hazarika told the Press Trust of India that the company is working on repairing the system in phases but "it will take time".
"Our online systems are down and we are working offline. The drilling and production work has been unaffected. The data are being saved offline now and will be uploaded later when the IT system will run again," said Hazarika.
“Thankfully there has been no impact on our production and drilling activities. These activities, which are not heavily reliant on IT resources, are functioning normally.”
READ THE STORY: Upstream Online
Russia’s Electronic Warfare Capability ‘Exposed’ In Ukraine War; Is Putin’s Techno-Savvy Army Losing The EW Battle?
FROM THE MEDIA: The media coverage of the ongoing war in Ukraine is largely focused on the use of missiles, artillery, aircraft, armored vehicles, etc., but there is an invisible war going on between the two sides for control of the electromagnetic spectrum.
For lack of the visual or emotional impact of the explosions caused by rockets or the destruction caused by machine guns and rifle bullets, electronic warfare (EW) has not received much attention from the mainstream media; however, there has been a lot of discussion among experts about how the war in the electromagnetic spectrum domain (ESD) has been progressing in Ukraine.
Russia, considered a world leader in advanced electronic warfare capability and tactics, has thus far not brought to bear its full might in the ESD, which has left many experts baffled.
“The seeming lack of EW front line systems is puzzling to those of us who tracked Russian EW” tactics and concepts, said Samuel Bendett, an adjunct senior fellow at the Center for a New American Security (CNA).
READ THE STORY: The EurAsian Times
Chinese social media to display user locations based on IP address
FROM THE MEDIA: Reports suggest that many Chinese social media outlets will soon showcase user locations based on internet protocol (IP) addresses. Platforms that will follow this are the Quora-like Zhihu and Douyin, the domestic version of TikTok. They made the announcement on Friday, April 15, adding that users would not have the option to disable the feature.
Though not directed by law, the platforms stated that the step is meant to stop "netizens from pretending to be locals and spreading rumour." TikTok owner ByteDance's news aggregator Jinri Toutiao, Douyin rival Kuaishou, and lifestyle community Xiaohongshu implemented the change. They said locations would be visible on user profiles. Zhihu, by contrast, said user location would be shown beside each post. Weibo has been displaying locations on user profiles since last month, citing fake information related to current events such as the pandemic and the war in Ukraine.
In the past year, China's central government has stepped up regulatory oversight of online content. However, there is no official regulation that requires platforms to showcase users' locations. Internet watchdog the Cyberspace Administration of China said in March that its campaign to clean up online problems included clearing up rumours.
READ THE STORY: TechStory
What the war in Ukraine means for the internet
FROM THE MEDIA: The war in Ukraine has shown that the internet really can survive a devastating, violent conflict.
This is no accident. Survivability was built into the very idea of an internet, from its origins in the Cold War, when the US decided that it needed to share processing power between supercomputers. It was designed precisely not to have a centralised command centre. This makes the system less vulnerable to attack because there is no single point of failure.
And we’ve seen the effectiveness of this idea in practice in Ukraine. The Russian army has subjected Ukraine’s internet to deliberate physical and cyber attacks. And yet it is still up and running.
This is both the intentional and accidental outcome of the peculiarities of Ukraine’s telecom landscape. This consists of multiple fixed, cellular and satellite networks, and it has proved remarkably resilient. The survival of Ukraine’s internet has allowed the Ukrainian people to retain critical communications capabilities and then use them to combat the Russian invaders.
READ THE STORY: Spiked
Critical RCE Flaw Reported in WordPress Elementor Website Builder Plugin
FROM THE MEDIA: Elementor, a WordPress website builder plugin with over five million active installations, has been found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites.
Plugin Vulnerabilities, which disclosed the flaw last week, said the bug was introduced in version 3.6.0 that was released on March 22, 2022. Roughly 37% of users of the plugin are on version 3.6.x.
"That means that malicious code provided by the attacker can be run by the website," the researchers said. "In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard."
In a nutshell, the issue relates to a case of arbitrary file upload to affected websites, potentially leading to code execution.
READ THE STORY: The Hacker News
Items of interest
Chinese vessel shadows two survey ships hired by PH firm
FROM THE MEDIA: A China Coast Guard (CCG) vessel tailed two ships hired by a Philippine-based firm to do a seismic survey in the West Philippine Sea earlier this month, Vietnamese maritime observer Duan Dang wrote last week in his newsletter South China Sea Brief.
Ship tracking data suggested that CCG vessel 4201 shadowed survey ship Geo Coral and its support vessel Mariska G in northwest Palawan where Service Contract (SC) 75 is located.
SC 75, which covers 6,160 square kilometers in the offshore northwest Palawan Basin, is operated by PXP Energy Corp., formerly Philex Petroleum Corp, which hired the two ships.
A Philippine government official confirmed the SC 75 incident to the Inquirer on the condition of anonymity due to the issue’s sensitivity.
The source said the CCG vessel monitored Geo Coral and Mariska G at SC 75 starting on April 4 but kept its distance and did not interfere with their activities until the ships left for El Nido on April 6. This was after the Department of Energy (DOE) suspended oil exploration activities in the area until the security cluster issues the “necessary clearance to proceed.”
READ THE STORY: Inquirer
The Weaponization of Everything: A Field Guide to the New Way of War (Video)
FROM THE MEDIA: Iain Martin talks to Mark Galeotti to discuss two of his recent books, 'The Weaponization of Everything' and 'We Need to Talk about Putin'. They discuss a range of topics including Putin, the Ukraine war, the rise of hybrid, financial and meme warfare, and the future of European security. Mark has been researching Russian history and security issues since the late 1980s. Mark is the director of the consultancy firm Mayak Intelligence. He is also an Honorary Professor at UCL School of Slavonic & East European Studies, Ernest Bevin Associate Fellow in Euro-Atlantic Geopolitics with the Council on Geostrategy and a Senior Associate Fellow at RUSI, as well as a senior non-resident fellow at the Institute of International Relations Prague and an Associate Fellow of the Middle East Institute's Frontier Europe programme. Mark's books include The Weaponization of Everything (Yale University Press, 2022), A Short History of Russia (HarperCollins, 2020/Ebury, 2021), We Need To Talk About Putin (Ebury, 2019) and The Vory: Russia's super mafia (Yale University Press, 2018), and several Osprey books. He is a regular contributor to Jane's Intelligence Review and The Spectator Coffee House blog, and is a columnist for Raam op Rusland, Intellinews Business New Europe and the Moscow Times.
Ransomware Hostage Rescue Checklist: Preventing & Surviving a Ransomware Attack (Video)
FROM THE MEDIA: Skyrocketing attack rates, double and triple extortion, increasing ransom demands… cybercriminals are inflicting pain in every way imaginable when it comes to today’s ransomware attacks. And you need to be prepared to protect your network, NOW. Find out the steps you need to take to minimize damage to your network and your organization when a ransomware attack strikes.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com