Thursday, April 21, 2022 // (IG): BB //Weekly Sponsor: Philly Tech Club
FBI warns agricultural sector of heightened risk of ransomware attacks
FROM THE MEDIA: The FBI on Wednesday alerted food and agriculture companies to be prepared for ransomware operatives to potentially attack agricultural entities during planting and harvest seasons — a time frame the feds warned is more likely to draw the attention of ransomware actors bent on leveraging the sector at its most vulnerable, including now as the spring planting season gets underway.
The FBI’s notice to industry asserted that ransomware hackers are bent on “disrupting operations, causing financial loss, and negatively impacting the food supply chain,” and noted there were ransomware attacks against six grain cooperatives during the fall 2021 harvest, along with two attacks in early 2022 against targets the bureau did not name that could affect the planting season by disrupting the supply of seeds and fertilizer.
Wednesday’s FBI notice revealed for the first time how extensive ransomware attacks against agricultural targets were last year and earlier this year, according to Allan Liska, an intelligence analyst at Recorded Future.
READ THE STORY: CyberScoop
Okta: Just Two Customers Impacted by Lapsus Breach
FROM THE MEDIA: Okta has revealed that just two of its customers were affected by an incident in January in which threat actors compromised a third-party vendor’s workstation.
The authentication specialist completed its investigation into the events that took place between January 16 and 21 this year, when it was believed that a hacker from the Lapsus group gained access to back-end systems.
Previously, Okta estimated that 366 customers may have had their tenants accessed by the attackers via a Sitel support engineer’s machine.
However, in an update yesterday, Okta CSO David Bradbury said that just two customers were impacted, with the attackers having access to the workstation for only 25 minutes.
“During that limited window of time, the threat actor … viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” he continued.
READ THE STORY: Infosecurity Magazine
NFTs: Functional Innovation or Cyber Weapons of Mass Destruction?
FROM THE MEDIA: Few trends in the tech world have ever garnered as much feverish devotion as Web3 and its partially realized stack of components, including the “Metaverse,” cryptocurrency and non-fungible tokens (NFTs). These are heralded as a panacea for problems endemic to the modern Web, promising to usher in a more decentralized (and – by implication – “safer”) online experience. Chris Olson, Chief Executive Officer and Co-founder of The Media Trust, shares insights on the implications of NFTs today and in the years to come.
While the culture and buzz surrounding Web3 can be overwrought, it’s more than hype: after all, the concept has won enthusiastic support from Silicon Valley giants and venture firms alike. Unfortunately, there is a darker side to the technology that has been overlooked, especially when it comes to Web3’s novel file-exchange format: NFTs.
Despite lofty claims, Web3 will not be invulnerable to cyberattacks and malicious or fraudulent activity. And – unless cybersecurity is built into the technology before it becomes mainstream – it will not be able to deliver on its promises of a safer Internet. NFTs are a ticking time bomb waiting to explode, and the time to fix that is now.
READ THE STORY: Toolbox
Electric vehicles are taking over. Hackers are waiting
FROM THE MEDIA: Electric vehicles (EV) are a vital part of the present (and future) state of the U.S. auto market. After decades of hope and hype, the rapid adoption of electric vehicles is finally upon us. In 2011, there were only 16,000 battery and plug-in hybrid electric vehicles on the road. In mid-2021, that number had grown to over 2 million vehicles. In fact, auto executives expect over 50% of U.S. vehicles to be all-electric by 2030.
The Bipartisan Infrastructure Deal includes $7.5 billion to plan and build a robust network of EV charging stations, a sizeable down payment toward developing a nationwide system. But what of the extensive and complicated network needed to service those electric vehicles?
It took decades for a hodgepodge network of gas stations to crisscross the nation, with policies and procedures created by individual oil companies before proper government oversight or planning ensued. A state or nationwide electric vehicle charging network will require thorough planning and significant investment. Despite lofty goals, projected EV usage increases and plans to keep them rolling along America’s highways, one crucial challenge remains woefully undiscussed: EV charging station cybersecurity.
READ THE STORY: Security Magazine
Brokers' sales of U.S. military personnel data overseas stir national security fears
FROM THE MEDIA: The multibillion-dollar data brokerage industry is virtually unregulated and poses a grave national security threat by advertising and selling information it has culled on military personnel, cybersecurity experts and a U.S. senator say.
Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative and a cyber policy fellow at the Duke Tech Policy Lab, has been tracking — and sounding an alarm over — data brokers’ practices since last year. He said three large data brokerage companies — Acxiom, LexisNexis and NielsenIQ — market data on current or former military personnel specifically.
Data for sale can include individual web searches, family members, home addresses and even real-time GPS locations. LexisNexis markets the fact that it can search an individual and identify whether they are active-duty military, Sherman said.
READ THE STORY: CyberScoop
Why are Chinese APT groups increasing their global footprint and cyber attacks?
FROM THE MEDIA: For the last couple of weeks, we have been hearing about increased Chinese APT activity in APAC. One of the APT groups involved is Deep Panda (a.k.a. purple ghost, Kungfu Kitten), and the countries affected are India, Australia, and Vietnam. Deep Panda is among the older APT groups and has been around in one form or another since 2011. The group was among the first ones to be trained to target high-value targets and complex installations such as those connected with governments, telecom, defense, and parts of critical infrastructure.
Deep Panda’s primary mission is to snoop on official channels to exfiltrate data of importance to the group’s sponsors. Deep Panda is also known to maintain a very high level of interest in intercepting communication between various government departments including state secrets and data such as those linked to Covid-19 numbers (sometimes it harvests and transmits terabytes of data to global C&C servers which is handed over to a team that sorts the information manually). It has known links with other Chinese APT groups and has collaborated on at least one project with the notorious North Korean APT group Lazarus.
Deep Panda uses a wide array of tools including multi-phase RATs and also uses various Zero Day exploits to push malware into target networks. Recently we came across many instances of the group trying to infect servers with the Fire Chili rootkit. Deep Panda’s expertise lies in running complex social engineering campaigns to lure multiple victims in the target organization to activate more lines of data interception.
READ THE STORY: Security Boulevard
Chinese Cyber Espionage APTs Refocus Strategy
FROM THE MEDIA: Chinese cyber espionage actors have evolved their operations to closely align with national-level priorities around economic development and national defense, a recent report revealed.
In Mandiant’s M-Trends report released this week, researchers said that in 2021 the number of Chinese espionage groups in the landscape dropped from at least 244 separate Chinese actor sets, tracked over the last five years, to 36 active groups, pointing to “more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors.”
This smaller set of groups, which includes existing and known groups like APT10, APT41, and the Conference Crew group, has retooled and pivoted its strategies to better align with China’s overall strategy, which is encapsulated by its most recent Five Year plan, launched in early 2021. This plan focuses on supporting the nation’s Belt and Road Initiative, its long-term policy and investment program that centers on infrastructure and economic development and aims for national self-reliance through growing domestic markets, versus a previous strategy that relied on trade agreements. The plan also focuses on markets like technology, financials, energy, telecommunications and healthcare.
READ THE STORY: DUO
REvil's TOR sites come alive to redirect to new ransomware operation
FROM THE MEDIA: REvil ransomware’s servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have been active since at least mid-December last year.
It is unclear who is behind the new REvil-connected operation but the new leak site lists a large catalog of victims from past REvil attacks plus two new ones.
A few days back, however, security researchers pancak3 and Soufiane Tahiri noticed the new REvil leak site being promoted on RuTOR, a forum marketplace that focuses on Russian-speaking regions.
The new site is hosted on a different domain but leads to the original one REvil used when active, BleepingComputer confirmed today, while the two researchers captured the redirect.
The leak site provides details on the conditions for affiliates, who allegedly get an improved version of REvil ransomware and an 80/20 split for affiliates collecting a ransom.
READ THE STORY: Bleeping Computer
Ukraine-Russia Cyber ‘Trench’ Warfare Intensifies
FROM THE MEDIA: Ukrainian officials said they stopped an attack on high-voltage electrical substations with the help of cybersecurity firm ESET and Microsoft. While thwarting the attack, they discovered a new variant of the Industroyer malware, which was used in a 2016 Ukraine grid attack and is tied to a notorious hacking unit within Russia’s GRU military intelligence agency known as Sandworm.
This kind of attack is typical of the tactics used by Russia in the ongoing cyberwarfare between Ukraine and Russia, which the Wall Street Journal has described as trench warfare: “a grinding conflict of relentless, if sometimes unsophisticated attacks that have taken casualties but had limited impact on the course of the fight.”
And a report this week from Symantec underscores a trend in persistent yet relatively unsophisticated Russian attacks. The report cites the Russian Shuckworm Espionage Group, which is continuing to conduct an “intense” yet unsophisticated campaign against Ukraine.
READ THE STORY: Security Boulevard
Microsoft Exchange servers hacked to deploy Hive ransomware
FROM THE MEDIA: A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.
From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, and ultimately deploy the file-encrypting payload.
The details come from security and analytics company Varonis, which was called in to investigate a ransomware attack on one of its customers.
ProxyShell is a set of three vulnerabilities in Microsoft Exchange Server that together allow remote code execution without authentication on vulnerable deployments. The flaws have been used by multiple threat actors, including ransomware operations such as Conti, BlackByte, Babuk, Cuba, and LockFile, after exploits became available.
The flaws are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297, and their severity rating ranges from 7.2 (high) to 9.8 (critical).
READ THE STORY: Bleeping Computer
AWS Log4Shell Patch Has 'Severe Security Issues:' Unit 42
FROM THE MEDIA: Researchers with Palo Alto Networks' Unit 42 said Tuesday that every container in a server or cluster environment could exploit the AWS patch to take over its underlying host. For instance, containers in a Kubernetes cluster in which the hot patch is installed can escape until either the hot patch is disabled or an upgrade is made to the fixed version, according to Principal Security Researcher Yuval Avrahami.
"We realized quickly this is something big," Ariel Zelivansky, Palo Alto Networks' director of security research, tells Information Security Media Group. "This is something that affects many users, not only on AWS, and it's something that will be hard to mitigate as well. So the impact was great."
Containers can escape regardless of whether they run Java applications or whether their underlying host runs Bottlerocket, AWS' hardened Linux distribution for containers, Palo Alto Networks found. The hot patches released by AWS cover stand-alone servers, Kubernetes clusters, Elastic Container Service clusters and Fargate, and can be installed on any cloud or on-premises environment, not just AWS.
READ THE STORY: Govinfo Security
Items of interest
China Asks US To Explain Use Of CIA's 'Beehive' For Espionage Via 'Neighbouring Nation'
FROM THE MEDIA: China on Tuesday expressed “grave concerns” about what it labelled “irresponsible and malicious” cyber activities of the US government using the cyber weapon “Beehive” for espionage and deploying it in countries neighbouring China. Demanding an answer, China's Wang Wenbin asserted at a briefing: “We urge the US side to explain itself and immediately stop such malicious activities.”
He went on to add that Beijing’s National Computer Virus Emergency Response Center has pointed out that if existing international internet backbone networks and critical information infrastructure contain software or hardware provided by US companies, it is highly likely that they have become targets of the Washington government’s covert cyber compromises and data theft.
China’s report on the so-called “CIA using a powerful platform ‘Beehive’ as cyber warfare” has come out at a time when India and Washington have finalised the signing of a new Space Situational Awareness (SSA) arrangement and an extension of the US-India Artificial Intelligence initiative, or USIAI. “It’s clear India has got an interest in bringing AI into national security,” retired Air Force lieutenant general John N.T. Shanahan reportedly said.
READ THE STORY: Republic World
Ransomware Battleground Double Extortion (Video)
FROM THE MEDIA: Airgap is the only vendor that offers an agentless segmentation solution that protects your organization against ransomware threats. Airgap's "Ransomware Kill Switch" is the most potent ransomware response for the IT organization. And Airgap’s Zero Trust access controls protect an enterprise’s high-value assets against cyber threats. Proven and specially designed to protect Manufacturing, Healthcare, and Critical Infrastructure, the Airgap Security Platform is the easiest to implement and manage.
Tracking Developments in Counterspace Weapons (Video)
FROM THE MEDIA: Join the Aerospace Security Project and the Secure World Foundation as they discuss tracking developments in counterspace weapons. The conversation comes on the heels of reports published by each organization, the Space Threat Assessment 2022 and the Global Counterspace Capabilities Report. Experts from each organization will also be joined by Michael Minero of HawkEye 360, Inc., who will give a keynote presentation focused on the role of counterspace capabilities in Russia and Ukraine.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com