Wednesday, April 20, 2022 // (IG): BB // Weekly Sponsor: Philly Tech Club
Night Sky: A Short-Lived Threat from a Long-Lived Threat Actor
FROM THE MEDIA: In a new threat briefing report, Vedere Labs analyzes the behavior of the Night Sky malware on two samples, presents a list of IoCs extracted from the analysis and discusses mitigation.
The Night Sky ransomware was first reported on January 1, 2022. Victims were asked to contact the attackers to pay for the ransom. If the victims refused to pay, attackers threatened to expose their data on a leak site. This is known as double extortion ransomware, which was first used by Maze and is now used by several ransomware groups.
Previous reports suggest that Night Sky has been distributed by exploiting the Log4Shell vulnerability and is connected to a threat actor based in China, which is tracked by Microsoft as DEV-0401. The Night Sky campaign was short and compromised two victims in Bangladesh and Japan. Currently, the Night Sky infrastructure is offline, which suggests the threat actor may have rebranded.
Night Sky provides an interesting view into the relationships among several ransomware families. Night Sky was discovered to be a fork of a ransomware family called Rook, which was itself derived from the leaked source code of Babuk and deployed by the same threat actor that used LockFile and AtomSilo, which are so close they share the same decryption tool.
READ THE STORY: Security Boulevard
Okta Closes Lapsus$ Breach Probe, Adds New Security Controls
FROM THE MEDIA: Identity and access management tech firm Okta says it has concluded an investigation into the embarrassing Lapsus$ hacking incident and has severed ties with a third-party company at the center of the breach.
Facing public criticism for communications hiccups after the breach was detected, Okta issued a public statement Wednesday to stress that the impact from the incident was “significantly smaller than we initially scoped.”
A statement from Okta’s Chief Information Security Officer (CISO) David Bradbury said the company initially determined that about 366 customers were affected but a third-party forensic audit showed the damage was contained.
READ THE STORY: Security Week
Ransomware targeting virtualization platforms is on the rise, Mandiant says
FROM THE MEDIA: Mandiant has observed a “significant increase” in the number of incidents involving a ransomware attack targeted against virtualization infrastructure, an expert at the cybersecurity firm told VentureBeat.
The increase has come over the past six to 12 months, and represents an adjustment of threat actor tactics—enabling them to “more rapidly and efficiently encrypt a large number of hosts,” said Greg Blaum, a principal consultant at Mandiant.
On Tuesday, Mandiant released M-Trends 2022, the firm’s 13th annual threat report. Among the major findings is that Mandiant has observed ransomware-focused threat actors “increasingly targeting virtualization infrastructure,” the firm disclosed in the M-Trends 2022 report.
While a traditional ransomware attack requires deploying the malicious payload across multiple hosts in a victim’s environment, an attack on virtualization infrastructure can potentially infect hundreds of virtual machines at once. With this variety of attack, “hitting one machine is much more effective,” Blaum said.
READ THE STORY: VentureBeat // ARN
What is Conversation Hijacking? Exploring This Emerging Form of Phishing
FROM THE MEDIA: Social engineering attacks like phishing emails regularly yield good results for threat actors as an initial entry point into business networks. By exploiting human psychology rather than relying on sophisticated technical skills, hackers regard phishing campaigns as low-hanging fruit, and they are easy to scale. In fact, one analysis of cyber incidents found that phishing was involved in 90% of data breaches.
The relative technical simplicity of phishing does not mean there is no room for evolution in methods. In the last couple of years, a new form of phishing dubbed conversation hijacking has emerged. This article goes into detail on what conversation hijacking is, why it’s worth paying attention to as a cyber threat and some strategies for defending against it.
Conversation hijacking is a newer type of phishing attack where threat actors insert themselves into business email conversations. The motivation for conversation hijacking could be leveraging intelligence to send fake invoices and receive large payouts or to snoop on sensitive business information.
Reports about conversation hijacking stretch back to 2019 when a hacker managed to get in the middle of communications between a Chinese venture capital firm and an Israeli startup. The result of this attack was the loss of $1 million in funding. If this sounds like a man-in-the-middle attack, well, it kind of is, except that it exploits human psychology rather than insecure communication channels.
READ THE STORY: Security Boulevard
China aims to form international standard organizations for cyber dominance
FROM THE MEDIA: Beijing's aspiration to become a great cyber power is reflected in its policies directed at competing with the West in next-generation technology, and as part of this effort it is trying to strengthen its influence in international standards development groups.
China has lobbied hard for key positions in foreign SDO bureaucracies in an attempt to shape the international standards process, which aims to eventually regulate the use of key strategic technology, according to Tibet Press.
Beijing has considerably improved its ability to secure approval for its initiatives and to reject those it does not support, using a variety of strategies.
The purposeful strategy is to strengthen China's influence within international standards development groups.
Notably, while the Belt and Road Initiative has garnered considerable attention, along with the Asia Society Policy Institute's (ASPI) "Navigating the Belt and Road" series, the Digital Silk Road (DSR), which supports the export of Chinese telecommunication technologies as well as other high-tech systems, has gotten far less.
The process of standard-setting, according to China's authorities, is a sign of a leading technical power.
READ THE STORY: Business Standard
China to Study Earth’s Pollution via a New Satellite
FROM THE MEDIA: Much is needed to address Earth’s drastic climate changes and China is sending a satellite to do an in-depth study toward that end. Chinese scientists will soon have a new space-based tool to advance their research on the atmospheric environment and pollution.
The AES is a 2.6-metric-ton satellite and was launched by a Long March 4C carrier rocket recently from the Taiyuan Satellite Launch Center in Shanxi province. Accordingly, it entered a sun-synchronous orbit 705 kilometres above Earth. The satellite is designed to observe the planet’s health from above. It is the world’s first satellite using laser radar to detect carbon dioxide.
After in-orbit tests, the Atmospheric Environmental Surveyor (AES) satellite will start its monitoring operations and send data to scientists, according to its designers at the Shanghai Academy of Spaceflight Technology.
AES shall be focused on studying different key aspects of the planet’s health. It will be used to observe air pollution, greenhouse gases and other environmental elements. By doing so, it will provide data for research on climate change and ecological changes, and will help to forecast agricultural yields and hazards, the designers said.
READ THE STORY: Open Gov Asia
Decoding the cyber executive order
FROM THE MEDIA: As the administration and the security community have been closely monitoring the potential threat of nation-state cyberattacks from Russia and advising organizations to bolster their cyber defenses, it's important to remember that President Joe Biden's Executive Order on Improving the Nation's Cybersecurity provides an excellent framework for shoring up federal security systems. The EO establishes new cybersecurity directives that when successful will radically change the security architecture and IT culture across the federal government.
By mandating the adoption of zero trust principles, the White House has mandated government IT organizations to make wholesale changes to their culture and approach to cybersecurity. Simply put, compliance and network-centric security models must give way to risk and data-centric models. Organizations will no longer be able to segment security teams, but instead will have to view their security solution as one system. Interestingly, these requirements look a lot like the purpose of extended detection and response (XDR).
While the expectation of the EO is for the federal government to meet specific objectives toward eventual adoption of a mature zero trust architecture by 2024, the real ask is that agencies make significant changes to how they view, manage and report on their cybersecurity programs. For over three decades, the government has operated on "check box"-based security—setting minimum security standards and benchmarks and then scoring the ability to stay compliant. Zero trust cannot succeed in a compliance-centric security model. In a zero trust architecture, compliance is a telemetry point to assess risk, but simply being compliant doesn't eliminate risk. The challenge before many federal agencies is transforming to a security platform that continuously evaluates risk for every resource request, while at the same time avoiding throwing everything out and starting over.
READ THE STORY: FCW
Funky Pigeon Suspends Orders Following Cyber-Attack
FROM THE MEDIA: Gift card retailer Funky Pigeon has experienced a cyber-attack, leading the firm to temporarily suspend orders.
Funky Pigeon, which is owned by WHSmith, revealed it had taken its systems offline as a precaution, preventing it from fulfilling customer orders. The firm’s website currently carries the message: ‘Oops! We’re experiencing some issues and we can’t accept new orders at the moment. Please try again later!’
The retailer said it had informed regulators and law enforcement of the incident, which it is currently investigating with the help of external cybersecurity experts. However, it assured customers that no payment data was at risk and did not believe any account passwords were compromised.
In a statement, Funky Pigeon said: “As soon as we discovered the incident last Thursday, we launched a forensic investigation led by external experts to understand the incident and whether there has been any impact on customer data.
READ THE STORY: Info Security Magazine
Spain: Hacked Catalans to launch a legal bid on spyware use
FROM THE MEDIA: Separatist politicians and activists from Catalonia on Tuesday announced a legal offensive in half a dozen countries against the Spanish state and the Israeli owners of a controversial spyware allegedly used to snoop on them.
The head of the Catalan and Spanish-speaking northeastern region also announced that relations with central authorities in Spain would remain strained until Madrid conducts a full investigation and punishes those found responsible for the alleged surveillance.
A spokeswoman for the Spanish government said there was no illegal spying happening in the country.
Citizen Lab, a team of cybersecurity experts affiliated with the University of Toronto, had revealed a day before what is believed to be the largest forensically documented cluster to date of hacking attempts with Pegasus, a program that silently infiltrates phones to harvest their data and potentially spy on their owners.
READ THE STORY: Local SYR
Secret Service has seized more than $100 million in crypto
FROM THE MEDIA: The Secret Service has reportedly seized more than $100 million in cryptocurrency since 2015 in an effort to crack down on fraudulent digital currency transactions.
David Smith of the Secret Service told CNBC that his office has been tracking the flow of Bitcoin and other cryptocurrencies on the blockchain to prevent and combat fraudulent activities.
“When you follow a digital currency wallet, it’s not different than an email address that has some correlating identifiers,” Smith, the assistant director of the agency’s Office of Investigations, told the outlet.
“And once a person and another person make a transaction, and that gets into the blockchain, we have the ability to follow that email address or wallet address, if you will, and trace it through the blockchain,” he added.
CNBC reported Tuesday, citing data from the agency, that the Secret Service has seized $102 million in crypto funds across more than 250 cases over the past seven years.
READ THE STORY: The Hill
Lazarus APT Targeting Blockchain Orgs With TraderTraitor Malware
FROM THE MEDIA: The prolific and rapacious Lazarus North Korean APT group is running an ongoing campaign targeting cryptocurrency investors, exchanges, trading companies, and blockchain organizations to gain access to valuable keys and other information, install malware, and steal funds and other data.
The campaign uses a number of tactics, including spear phishing, social engineering, and the installation of a new set of malicious applications called TraderTraitor that steal system data, install a remote access trojan, and perform other malicious activities. The Cybersecurity and Infrastructure Security Agency, FBI, and Department of Treasury issued a new advisory about the Lazarus Group campaign Tuesday and warned that the group is using cryptocurrency apps modified with the AppleJeus backdoor to gain a foothold on target machines.
“The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency,” the advisory says.
“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”
READ THE STORY: DUO
Items of interest
Is Bashar al-Assad’s Army of Hackers Gone for Good?
FROM THE MEDIA: In April 2013, pro-Assad online activists from Syria hacked into the Twitter account of the Associated Press and tweeted about a fake explosion at the White House that supposedly injured President Barack Obama, leading the U.S. stock market to temporarily dip by $136 billion. This elite hacker unit of Syrian regime loyalists—known as the Syrian Electronic Army (SEA) and possibly funded by Rami Makhlouf, Bashar al-Assad’s billionaire cousin—also targeted Harvard University, the U.S. Marine Corps, Human Rights Watch, and other national news outlets in separate cyberattacks.
From 2011 to 2014, the SEA carried out an extremely active cyber campaign aimed at disseminating pro-Assad propaganda and defacing websites that were hostile to the Syrian dictatorship. However, after 2014, the SEA became much less active, even going silent on its social media pages. For example, the official SEA Twitter page has not been updated since 2015, while its YouTube page has been dormant for more than eight years. News reports of SEA-claimed hacks have also been few and far between in recent years. The SEA’s rapid downturn in cyber activity is startling, given the fact that the hacker group was once considered one of the more sophisticated international hacker groups and was routinely mentioned in international news headlines. So, what happened to the SEA?
READ THE STORY: National Interest
Infrastructure Attacks Target Ukraine & US (Video)
FROM THE MEDIA: Pipedream could target US infrastructure, Ukrainian Cybersecurity prevented a major energy sector attack, and RaidForums is seized by law enforcement!
Discussing the Russia-Ukraine Cyber War (Video)
FROM THE MEDIA: Amy chats with Eran Fine, the CEO and Co-founder of Nanolock Security, about the ongoing cyber war in Ukraine. They also chat about the history of Russian-Ukrainian cyber attacks, ransomware, the Colonial Pipeline attack, and more.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com