Tuesday, April 19, 2022 // (IG): BB // Weekly Sponsor: Philly Tech Club
Stolen OAuth tokens lead to 'dozens' of breached GitHub repos
FROM THE MEDIA: Salesforce-owned PaaS vendor Heroku and GitHub have both warned that compromised OAuth user tokens were likely used to download private data from organizations using Heroku and continuous integration and testing service Travis CI, according to statements issued late last week.
It's unlikely that GitHub itself was compromised, according to the ubiquitous source code repository's blog post, since the OAuth tokens in question aren't stored by GitHub in usable formats, and more likely that they were taken from Heroku and Travis CI's applications that use the OAuth framework for authentication.
GitHub said Friday that five specific OAuth applications were affected — four versions of Heroku Dashboard, and Travis CI (IDs 145909, 628778, 313468, 363831 and 9261).
READ THE STORY: CSO
Pegasus spyware discovered on UK government networks
FROM THE MEDIA: Computers used by staffers in the UK Prime Minister's office were infected with NSO Group spyware, according to Citizen Lab.
The academic research lab at the University of Toronto issued a statement Monday confirming a New Yorker report regarding the discovery of Pegasus spyware on a device that was connected to UK Prime Minister Boris Johnson's office. According to Citizen Lab, a threat actor based in the United Arab Emirates (UAE) was behind an attack that began with targeted infections on systems used by the British Foreign Commonwealth Office (FCO) and ended up with compromised systems within the network at the Prime Minister's Office at 10 Downing Street in London.
Citizen Lab director Ronald Deibert said that in 2020 and 2021 its researchers caught wind of suspected Pegasus activity on networks operated by the UK government. After some investigation, Citizen Lab researchers discovered multiple infections from threat actors in a variety of countries.
"The suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus, and Jordan," Deibert said in the statement. "The suspected infection at the UK Prime Minister's Office was associated with a Pegasus operator we link to the UAE."
READ THE STORY: TechTarget
FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies.
The agencies call the activity cluster TraderTraitor; the intrusions involve the North Korean state-sponsored advanced persistent threat (APT) actor striking entities operating in the Web3.0 industry since at least 2020.
Targeted organizations include cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
READ THE STORY: The Hacker News
Security Lessons From a Payment Fraud Attack
FROM THE MEDIA: On April 10, 2020, Atlanta-based fintech firm Brightwell was navigating more than the deadly COVID-19 pandemic.
It all started with a series of customer phone calls. That morning sometime between 7 a.m. and 8 a.m., Brightwell received word from the customer service team that customers called to complain about missing funds, says Ernie Moran, at the time Brightwell's senior vice president of risk. Under normal circumstances, if users noticed a discrepancy upon logging into their app, the company typically would look into the problem to determine whether the customer mistakenly overspent or a fraud had occurred. Unfortunately for Brightwell, it was the latter.
"I would say the next 24 hours was the most insane 24 hours I think we've ever had at Brightwell," Moran says. "From that point forward, we started hearing from more and more customers. And you start the research process, and you start going into the platform, the processor platform, and looking at the data."
READ THE STORY: DarkReading
NATO-Linked Center to Hold ‘Live-Fire’ Cyber Drills as War Rages
FROM THE MEDIA: A cyber organization accredited by the North Atlantic Treaty Organization will conduct what it bills as the largest and most complex “live-fire” cyber defense exercises in the world beginning on Tuesday.
The NATO Cooperative Cyber Defense Center of Excellence, which is based in Estonia, said the annual event, called Locked Shields, is intended to boost the skills of cybersecurity experts defending national IT systems and critical infrastructure under real-time attacks.
The participants are deployed to help a fictional country handle a large-scale cyberattack. More than 2,000 people from 32 nations, including Ukraine, are expected to be involved.
This year’s Locked Shields event comes amid the ongoing war in Ukraine, in which hacking has had a constant, if relatively muted, role in Russia’s invasion. Russian state-sponsored hackers have been accused of attacking Ukrainian government agencies and of attempting to breach the power grid. Ukrainian companies have also been subject to regular cyberattacks, according to government officials.
READ THE STORY: Bloomberg
Free decryptor released for Yanluowang ransomware victims
FROM THE MEDIA: Kaspersky today revealed it found a vulnerability in Yanluowang ransomware's encryption algorithm, which makes it possible to recover files it encrypts.
The Russian cybersecurity firm has added support for decrypting files locked by the Yanluowang ransomware strain to its RannohDecryptor utility.
"Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack," the company said today.
This ransomware strain encrypts files bigger than 3GB and those smaller than 3GB using different methods: larger ones are partially encrypted in 5MB stripes after every 200MB, while smaller ones are entirely encrypted from start to end.
Because of this, "if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted."
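The recovery Kaspersky describes is a known-plaintext attack on a stream cipher whose keystream is reused across files: XOR-ing an original file with its encrypted copy reveals the keystream bytes the encryptor consumed, and those bytes then undo the encryption of any other file whose encrypted region fits inside the recovered prefix. The following Python is an added illustration of that idea, not Kaspersky's decryptor or Yanluowang's code. It uses a constructed SHA-256 counter-mode keystream, scales the 3 GB / 200 MB / 5 MB figures down to 3000 / 200 / 5 bytes, and assumes the keystream restarts at offset 0 for every file and is consumed only over the bytes actually encrypted; the exact Yanluowang cipher, and therefore Kaspersky's precise 3 GB rule, is not modelled. The decrypt routine refuses files it cannot cover rather than silently producing corrupt output.

```python
import hashlib
from typing import List, Tuple

# Scaled-down stand-ins for the 3 GB threshold, 200 MB skip and 5 MB stripe
# in the story (constructed for this toy: 1 byte here ~ 1 MB there).
LARGE_THRESHOLD = 3000
SKIP_LEN = 200
STRIPE_LEN = 5


def encrypted_ranges(size: int) -> List[Tuple[int, int]]:
    """Byte ranges the toy encryptor touches: the whole file if it is small,
    otherwise a STRIPE_LEN stripe after every SKIP_LEN bytes."""
    if size <= LARGE_THRESHOLD:
        return [(0, size)]
    ranges = []
    pos = SKIP_LEN
    while pos < size:
        ranges.append((pos, min(pos + STRIPE_LEN, size)))
        pos += SKIP_LEN + STRIPE_LEN
    return ranges


def toy_keystream(key: bytes, n: int) -> bytes:
    """Deterministic keystream: SHA-256 in counter mode (constructed stand-in
    for the real stream cipher). The flaw shown below is that the same
    keystream prefix is reused for every file."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt with the striping rule; keystream restarts at 0 for each file."""
    ranges = encrypted_ranges(len(data))
    ks = toy_keystream(key, sum(e - s for s, e in ranges))
    buf = bytearray(data)
    pos = 0
    for s, e in ranges:
        for i in range(s, e):
            buf[i] ^= ks[pos]
            pos += 1
    return bytes(buf)


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known plaintext: original XOR encrypted over the encrypted ranges gives
    back exactly the keystream prefix the encryptor consumed for this file."""
    if len(original) != len(encrypted):
        raise ValueError("known-plaintext pair must have equal lengths")
    ks = bytearray()
    for s, e in encrypted_ranges(len(original)):
        ks += bytes(o ^ c for o, c in zip(original[s:e], encrypted[s:e]))
    return bytes(ks)


def decrypt_with_keystream(ks: bytes, encrypted: bytes) -> bytes:
    """Undo the encryption of another file using the recovered keystream.
    Refuses (rather than corrupting output) when coverage is insufficient."""
    ranges = encrypted_ranges(len(encrypted))
    needed = sum(e - s for s, e in ranges)
    if needed > len(ks):
        raise ValueError(
            f"recovered keystream covers {len(ks)} bytes, file needs {needed}")
    buf = bytearray(encrypted)
    pos = 0
    for s, e in ranges:
        for i in range(s, e):
            buf[i] ^= ks[pos]
            pos += 1
    return bytes(buf)


def demo() -> dict:
    """Constructed scenario: one large striped file with a known original,
    one small file that fits the recovered prefix, one that does not."""
    key = b"constructed-demo-key"
    big_plain = bytes(i % 251 for i in range(4100))  # > threshold: striped
    small_plain = b"quarterly-report" * 5            # 80 bytes, fully encrypted
    too_long_plain = bytes(150)                      # more than the prefix
    big_enc = toy_encrypt(key, big_plain)
    ks = recover_keystream(big_plain, big_enc)
    try:
        decrypt_with_keystream(ks, toy_encrypt(key, too_long_plain))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "ks_len": len(ks),
        "big_stripes": len(encrypted_ranges(len(big_plain))),
        "ks_matches": ks == toy_keystream(key, len(ks)),
        "small_ok": decrypt_with_keystream(ks, toy_encrypt(key, small_plain)) == small_plain,
        "too_long_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In this toy the 4100-byte large file yields 20 stripes, so the recovered keystream is 100 bytes: enough for the 80-byte file, not for the 150-byte one. The design point for defenders is the same one Kaspersky exploited: a stream cipher that restarts its keystream per file turns every recoverable original (a backup, an installer, a known-format header) into a decryption oracle for the rest of the system.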
READ THE STORY: Bleeping Computer
New BotenaGo Variant Discovered by Nozomi Networks Labs
FROM THE MEDIA: According to AT&T Alien Labs, BotenaGo malware has been deployed with over 30 exploit functions, putting millions of IoT devices at risk of potential cyberattacks. BotenaGo is written in “Go”, which is a Google open-source programming language. While the use of open-source programming languages has its benefits, attackers have equally taken advantage, using Go to write malware.
Our research highlights Nozomi Networks Labs’ discovery of a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices. We have named this sample “Lillin scanner” because of the name the developers used for it in the source code: /root/lillin.go. Let’s dive deeper into the functionality of this sample to show step-by-step how these kinds of scanners work.
READ THE STORY: Security Boulevard
Pakistan takes cue from Russia in exploiting weakness of neighbouring Afghanistan
FROM THE MEDIA: With Pakistan launching an “unprovoked airstrike” against Afghanistan, killing innocent civilians under the guise of taking out the terrorist group, Tehrik-e-Taliban Pakistan (TTP), it seems that Pakistan is inspired by its new friend Russia in exploiting the weakness of its neighbouring countries, said a media report.
Getting inspiration from new friend Russia and its President Vladimir Putin, Pakistan Army is exploiting the Taliban regime’s military weakness and over-dependence on Pakistan to launch airstrikes against civilian targets with impunity, writes Kaliph Anaz.
Drawing similarities between Ukraine and Afghanistan, Anaz opines that like Ukraine, the Taliban neither has the military power nor resources to counter the Pakistan Army and despite deep suspicion about the Taliban regime, the international community cannot allow Pakistan to target the civilian population in Afghanistan.
READ THE STORY: The Print
Lenovo patches UEFI firmware vulnerabilities impacting millions of users
FROM THE MEDIA: Lenovo has patched a trio of bugs that could be abused to perform UEFI attacks.
Discovered by ESET researcher Martin Smolár, the vulnerabilities, assigned as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, could be exploited to "deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter" in the Lenovo Notebook BIOS.
In UEFI cyberattacks, malicious operations are loaded on a compromised device at an early stage of the boot process. This means that malware can tamper with configuration data, establish persistence, and may be able to bypass security measures that are only loaded at the OS stage.
On Tuesday, ESET said the vulnerabilities impact "more than one hundred different consumer laptop models with millions of users worldwide" and were caused by drivers only meant to be used during Lenovo's product development stage.
READ THE STORY: ZDNET
Conti’s Ransomware Toll on the Healthcare Industry
FROM THE MEDIA: On April 13, Microsoft said it executed a legal sneak attack against Zloader, a remote access trojan and malware platform that multiple ransomware groups have used to deploy their malware inside victim networks. More specifically, Microsoft obtained a court order that allowed it to seize 65 domain names that were used to maintain the Zloader botnet.
Microsoft’s civil lawsuit against Zloader names seven “John Does,” essentially seeking information to identify cybercriminals who used Zloader to conduct ransomware attacks. As the company’s complaint notes, some of these John Does were associated with lesser ransomware collectives such as Egregor and Netfilim.
But according to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti, acting as a preferred distribution platform for deploying Ryuk/Conti ransomware.
Several parties backed Microsoft in its legal efforts against Zloader by filing supporting declarations, including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.
READ THE STORY: Krebs on Security
Microsoft Is on the Hunt for Cyber Criminals
FROM THE MEDIA: One of the biggest tech companies in the world is hunting cyber criminals, as Microsoft has established a Digital Crime Unit (DCU) to eliminate threats online. And they've already taken down a few key players in the cyber crime world.
If you've been online in the last few years, you've likely noticed that cyber threats are lurking around virtually every corner. From ransomware threats to security breaches, it's getting to a point where businesses need to be on constant lookout for hackers trying to steal their information.
Fortunately, Microsoft's DCU is on the case, having already dismantled some of the worst cyber criminals plaguing the business world today.
READ THE STORY: Tech
Items of interest
U.S. Cyber Command gives Congress $236M unfunded priorities wish list
FROM THE MEDIA: A U.S. Cyber Command wish list shared with Congress shows $236 million worth of unfunded priorities, including about $168 million to support its Cyber Mission Force, a group of 6,200 personnel charged with conducting offensive and defensive cyber operations.
The administration’s fiscal year 2023 spending request for Cyber Command did not include the unfunded priorities, which were shared as Congress begins to weigh its $773 billion budget request for the Pentagon next year.
The $168 million to support the Cyber Mission Force comprises the bulk of the unfunded priorities and is especially significant. The CMF includes 133 teams that defend Defense Department networks, support military objectives, provide analytic support to combat missions and defend U.S. critical infrastructure.
READ THE STORY: Cyberscoop
Dissecting Russia's SANDWORM Hacking Group & The INDUSTROYER2 Malware Attack (Video)
FROM THE MEDIA: Sandworm, a name given to what is likely a cell within the cyber arm of Russian military intelligence (the GRU), is one of the most infamous Advanced Persistent Threats (APTs) on the internet today. This group is responsible for some of the most destructive cyber attacks to date. We dive into the group as well as their most recent attack on Ukraine's electrical grid.
The Regulation of Social Media and Privacy in the Internet Age (Video)
FROM THE MEDIA: On this month's episode of Emphasis Added, future hosts Brock Jones and Matt Chelf joined me to speak with University of Texas School of Law Professor Joe Cosgrove, Jr. about the regulation of social media and privacy rights. Professor Cosgrove has over 35 years of legislative, regulatory, and legal experience including time spent as legal counsel for AT&T. Professor Cosgrove currently teaches Internet and Telecommunications Regulation at Texas Law, and has written on internet law topics like Section 230 and Net Neutrality. We discussed topics like what laws currently govern social media content and why some social media companies might be advocating for stricter regulation, what rights customers really have to their privacy, and what the future of the internet age looks like.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com