Friday, April 22, 2022 // (IG): BB //Weekly Sponsor: Philly Tech Club
Okta says two customers breached during January security incident
FROM THE MEDIA: Okta this week concluded its investigation into a headline-grabbing security incident that came to light in March, finding that two of its customers were breached through its customer support partner Sitel.
The access management company initially said 366 customers were affected by the incident, which took place between January 16 and January 21. Okta landed on the 366 figure because those were Okta customers whose tenants were accessed by any Sitel customer support engineer within that time frame.
But in a statement this week, Okta revised that assessment, determining that the access was limited to two of its customers. It also announced that it has “terminated its relationship with Sykes/Sitel.”
“The threat actor actively controlled a single workstation, used by a Sitel support engineer, with access to Okta resources. Control lasted for 25 consecutive minutes on January 21, 2022. During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” Okta Chief Security Officer David Bradbury said.
READ THE STORY: The record
North Korea targeting blockchain, cryptocurrency companies
FROM THE MEDIA: A new Cybersecurity Advisory has been released by the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury. The advisory describes recent activity by the Lazarus Group, a North Korean advanced persistent threat (APT) actor that targets organizations in the blockchain and cryptocurrency industries.
Lazarus Group, also known as APT38, BlueNoroff and Stardust Chollima, is a long-known state-sponsored threat actor from North Korea. The group has been active since 2009. While initially focused on South Korean targets, disrupting and damaging computers from various organizations, the group then began focusing on international financial crime.
A previous advisory has already been published about cryptocurrency exchanges and financial service companies being targeted by Lazarus. The FBI also announced that Lazarus was responsible for the theft of $620 million worth of Ethereum in March 2022.
READ THE STORY: TechRepublic
Hackers Sneak 'More_Eggs' Malware Into Resumes Sent to Corporate Hiring Managers
FROM THE MEDIA: A new set of phishing attacks delivering the more_eggs malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers.
"This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement.
The Canadian cybersecurity company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a U.S.-based aerospace company, an accounting business in the U.K., and a law firm and a staffing agency, both based in Canada.
The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.
READ THE STORY: The Hacker News
Cyber Nukes Could Be Our Path to Digital Peace
FROM THE MEDIA: Two world wars had raged within three decades, costing over 100 million lives, when history’s most destructive weapon was deployed in August 1945. The horrific prospect of nuclear-fueled, mutually assured destruction has kept superpowers in check since then, and a cyber equivalent may be just what’s needed as global hostilities turn digital.
Russia’s invasion of Ukraine in February has been accompanied by a barrage of cyber attacks on the nation’s power and communications infrastructure, reminding us that the Kremlin views its digital arsenal as being no less important than its aging stock of tanks and missiles. Yet none of these incursions dealt a knock-out blow. One explanation is that Kyiv built up its defenses over the past decade and is now a world leader at fending off such online offensives.
Yet there’s also a sense that maybe Moscow has been holding back. Perhaps President Vladimir Putin has something bigger planned, goes that line of thought, with a devastating digital weapon we’ve yet to see. He’s already issued veiled threats about deploying nuclear weapons as the conflict continues. The White House is certainly cautious about cyber warfare, and has warned that the U.S. itself is under threat due to its ongoing support for Ukraine and its leader Volodymyr Zelenskiy.
READ THE STORY: Washington Post
Beanstalk DeFi project robbed of $182 million in flash loan attack
FROM THE MEDIA: Decentralized finance (DeFi) project Beanstalk has lost $182 million in a flash loan attack.
It may look more like a corporate heist than a typical cyberattack, but the incident was possible because the unknown threat actor acquired the project voting rights needed to transfer reserve funds out of the project's liquidity pools.
On April 19, Beanstalk, a credit-based stablecoin protocol project based on Ethereum, said the platform was subject to a flash loan attack two days previously.
The cyberattack exploited the project's protocol governance mechanism. According to a post-mortem conducted by Omniscia, the exploit occurred due to the recent implementation of the Curve LP Silos, "ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds."
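The governance pattern behind a flash loan attack, as an added toy model in Python. This is an illustration written for this digest, not Beanstalk's contracts and not a reproduction of the actual exploit; the account names, token balances, quorum rule, timelock length and the treasury figure (which only echoes the headline) are all constructed. It shows why a governance contract that reads voting power from the voter's current balance can be taken over by tokens that exist in the attacker's wallet for a single transaction, and how a balance snapshot at proposal time plus an execution delay each defeat that on their own.

```python
"""Toy model of a flash-loan governance takeover (added illustration, not
Beanstalk's contracts).  Names, numbers, quorum and delay are constructed."""
from dataclasses import dataclass, field


@dataclass
class Token:
    balances: dict = field(default_factory=dict)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


class LiveBalanceGovernance:
    """Vulnerable pattern: voting power is the voter's balance *at vote time*
    and a proposal that reaches quorum can be executed in the same block."""

    def __init__(self, token, treasury, quorum_pct=67):
        self.token, self.treasury, self.quorum_pct = token, treasury, quorum_pct
        self.proposals = {}

    def propose(self, proposer, recipient, now_block=0):
        pid = len(self.proposals) + 1
        self.proposals[pid] = {"recipient": recipient, "votes": 0}
        return pid

    def vote(self, voter, pid):
        self.proposals[pid]["votes"] += self.token.balance_of(voter)  # live balance

    def execute(self, pid, now_block):
        p = self.proposals[pid]
        if p["votes"] * 100 < self.token.total_supply() * self.quorum_pct:
            raise PermissionError("quorum not reached")
        drained, self.treasury["funds"] = self.treasury["funds"], 0
        self.treasury["paid_to"] = p["recipient"]
        return drained


class SnapshotGovernance(LiveBalanceGovernance):
    """Hardened pattern: power is frozen at proposal creation and execution is
    timelocked, so tokens held for only one transaction count for nothing."""

    def __init__(self, token, treasury, quorum_pct=67, delay_blocks=7200):
        super().__init__(token, treasury, quorum_pct)
        self.delay_blocks = delay_blocks

    def propose(self, proposer, recipient, now_block=0):
        pid = super().propose(proposer, recipient, now_block)
        p = self.proposals[pid]
        p["snapshot"] = dict(self.token.balances)   # balances at creation
        p["eta"] = now_block + self.delay_blocks     # earliest execution block
        return pid

    def vote(self, voter, pid):
        self.proposals[pid]["votes"] += self.proposals[pid]["snapshot"].get(voter, 0)

    def execute(self, pid, now_block):
        if now_block < self.proposals[pid]["eta"]:
            raise PermissionError("timelock has not elapsed")
        return super().execute(pid, now_block)


def flash_loan_attack(gov, token, pool, attacker, pid, now_block):
    """One atomic transaction: borrow the pool, vote, execute, repay.
    A PermissionError reverts every state change, as a failed flash loan
    transaction would on chain."""
    saved_balances, saved_votes = dict(token.balances), gov.proposals[pid]["votes"]
    try:
        loan = token.balance_of(pool)
        token.transfer(pool, attacker, loan)    # borrow everything in the pool
        gov.vote(attacker, pid)
        stolen = gov.execute(pid, now_block)
        token.transfer(attacker, pool, loan)    # repay; the treasury is already gone
        return stolen
    except PermissionError:
        token.balances.clear()
        token.balances.update(saved_balances)
        gov.proposals[pid]["votes"] = saved_votes
        return 0


def run_scenario(governance_cls, attack_block):
    """Attacker holds 1% of supply, the liquidity pool 90%.  The proposal is
    created at block 100 and attacked at attack_block.  Returns
    (amount stolen, treasury left, pool balance after the transaction)."""
    token = Token({"honest": 9_000, "pool": 90_000, "attacker": 1_000})
    treasury = {"funds": 182_000_000}
    gov = governance_cls(token, treasury)
    pid = gov.propose("attacker", "attacker", now_block=100)
    stolen = flash_loan_attack(gov, token, "pool", "attacker", pid, attack_block)
    return stolen, treasury["funds"], token.balance_of("pool")


if __name__ == "__main__":
    print("live balance, same block:", run_scenario(LiveBalanceGovernance, 100))
    print("snapshot, same block:    ", run_scenario(SnapshotGovernance, 100))
    print("snapshot, after delay:   ", run_scenario(SnapshotGovernance, 7300))
```

Against the live-balance contract the attacker's 1% stake becomes 91% for the duration of one transaction, which clears the quorum, drains the treasury and still repays the loan. Against the snapshot contract the same transaction fails twice over: at block 100 the timelock rejects execution, and once the delay has elapsed the borrowed tokens were not in the snapshot, so the attacker's power is still 1%. Either control alone is enough, because a flash loan cannot outlive the transaction that took it out.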
READ THE STORY: ZDNET
The modern bank heist is an endgame for financial institutions
FROM THE MEDIA: Financial institutions continue to be heavily targeted by cyberattacks. Even as institutions increase their cybersecurity protections, the evolving tactics of cybercriminals are making it harder for them to remain secure.
According to VMware’s fifth annual Modern Bank Heists Report, 63% of financial institutions admitted experiencing an increase in destructive attacks, with cybercriminals leveraging this method as a means to burn evidence as part of counter incident response. Additionally, 74% experienced at least one ransomware attack over the past year, with 63% paying the ransom.
The report highlights the issues the financial industry’s CIOs and security leaders face, especially on the changing behavior of cybercriminal cartels, including the defensive shift of the financial sector. As financial institutions face increased destructive attacks and fall victim to ransomware more than in previous years, sophisticated cybercrime cartels are also evolving beyond wire transfer fraud to now target market strategies, take over brokerage accounts, and island-hop into banks.
READ THE STORY: Techwire Asia
International security agencies brace for Russian state-sponsored hacks
FROM THE MEDIA: Ever since Russia launched its invasion of Ukraine earlier this year, there has been a cascade of consequences felt around the world. The people of Ukraine have suffered some devastating losses in their home country, but global fallout is affecting everything from gas prices to Netflix's stock performance. While many of us have remained relatively insulated from the nastiest components of Putin’s aggression, some new warnings suggest we should all be worried about a possible wave of Russian-sponsored cyberattacks.
An alert issued by the Cybersecurity & Infrastructure Security Agency is warning of increased cyberattacks against critical infrastructure in Australia, Canada, New Zealand, the UK, and the US. The warning advises companies to prepare for “destructive malware, ransomware, DDoS attacks, and cyber espionage.”
As much as we love to hate Russian hacker groups, the alert has a pretty good rundown of some of their awesome names: there's Berserk Bear with the FSB, Fancy Bear (aka Iron Twilight) with GRU military intelligence, or Voodoo Bear (Iron Viking) for the GRU’s Center of Special Technologies. The whole alert could almost be used as the inspiration for a (cyber) bear-themed D&D campaign.
READ THE STORY: Android Police
Wealthy cybercriminals are using zero-day hacks more than ever
FROM THE MEDIA: Organized cybercriminals with money to burn are fueling a spike in the use of powerful, expensive zero-day hacking exploits, new research has found.
Zero-day exploits, which help grant a hacker access to a chosen target, are so called because cyber-defenders have had zero days to fix the newly discovered holes, making the tools extraordinarily capable, dangerous, and valuable. At the highest end, zero-days can cost more than a million dollars to buy or develop. For that reason, they have historically been found in the arsenals of the most sophisticated state-sponsored cyberespionage groups on Earth.
But new research from the cybersecurity firm Mandiant shows that in a record-breaking year for hacking attacks, the proportion of zero-days exploited by cybercriminals is growing. One-third of all hacking groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to Mandiant’s research. During the last decade, only a very small fraction of zero-days were deployed by cybercriminals. Experts believe the rapid change has to do with the illicit, multibillion-dollar ransomware industry.
READ THE STORY: Technologyreview
BlackCat Ransomware Breached 60 Organizations Worldwide — What is Its Connection to BlackMatter?
FROM THE MEDIA: The BlackCat ransomware gang is now under close monitoring by the Federal Bureau of Investigation (FBI), which has released a FLASH alert warning about the group.
BlackCat, also known as ALPHV, is a ransomware-as-a-service (RaaS) operation that compromised at least 60 entities worldwide between November 2021 and March 2022.
The recently established group is known for demanding ransom payments in the millions of dollars and for being among the first ransomware operations to write its malware in Rust.
This warning, issued by the FBI Cyber Division, is one of several reports the FBI is issuing about the rise in ransomware cases. The warning, according to the FBI, emphasizes the need for increased business awareness in the face of increasingly sophisticated cyberattacks, such as ransomware.
READ THE STORY: itechpost
Lazarus Group Targeting Organizations in the Cryptocurrency and Blockchain
FROM THE MEDIA: The FBI, CISA, and the U.S. Department of the Treasury have issued a joint advisory describing cryptocurrency thefts and the tactics used by a North Korean state-sponsored APT group since 2020.
This group is commonly known as the Lazarus Group, APT38, Stardust Chollima, and BlueNoroff.
Targets have included organizations in the cryptocurrency, blockchain and DeFi sectors, play-to-earn cryptocurrency video games, trading companies, venture capital funds, and holders of valuable non-fungible tokens (NFTs).
The attack vector is social engineering over a variety of communication platforms, tricking victims into installing trojanized applications that pose as cryptocurrency software.
READ THE STORY: Gbhackers
FBI Puts Ag on Alert: Ransomware Attack Potentially Timed to Critical Seasons
FROM THE MEDIA: Farmers and ag cooperative employees need to be on high alert this spring. That’s according to the FBI, which is predicting cyber criminals might attack the industry during planting and harvesting seasons.
Why? Cyber criminals believe their prey could be more vulnerable and willing to pay off the extortion.
Since 2021, the FBI reports, multiple agricultural cooperatives have been hit by a variety of ransomware variants. In March 2022, a multi-state grain company suffered a LockBit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season.
In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of its systems and may have attempted to initiate a ransomware attack. The attempts were detected and stopped before encryption occurred.
Between Sept. 15 and Oct. 6, 2021, six grain cooperatives experienced ransomware attacks. A variety of ransomware variants were used, including Conti, BlackMatter, Suncrypt, Sodinokibi, and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions.
In July 2021, a business management software company found malicious activity on its network, which was later identified as HelloKitty/Five Hands ransomware. The threat actor demanded a $30 million ransom. The ransomware attack on the company led to secondary ransomware infections on a number of its clients, which included several agricultural cooperatives.
READ THE STORY: AGweb
New Five Eyes alert warns of Russian threats targeting critical infrastructure
FROM THE MEDIA: In a move demonstrative of international cooperation and partnership, the Five Eyes (United States, Australia, Canada, New Zealand, and United Kingdom) issued an alert giving a “comprehensive overview of Russian state-sponsored and cyber criminal threats to critical infrastructure.” The alert also includes remediation guidance, which CISOs will find of particular import.
Alert AA22-110A – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, provides details on the cyber operations attributable to Russian state actors, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM).
The alert also identifies cyber criminal organizations, including some which have expressed fealty to the Russian Federation, that have pledged to conduct cyber operations against entities that are providing support to Ukraine.
Thus, a company’s position on Russia’s invasion of Ukraine very well may place said company in the target sights of Russian state actors or their cyber criminal cronies.
READ THE STORY: Arnet
Items of interest
Docker servers hacked in ongoing cryptomining malware campaign
FROM THE MEDIA: Docker APIs on Linux servers are being targeted by a large-scale Monero crypto-mining campaign from the operators of the Lemon_Duck botnet.
Cryptomining gangs are a constant threat to poorly secured or misconfigured Docker systems, with multiple mass-exploitation campaigns reported in recent years.
LemonDuck, in particular, previously focused on exploiting vulnerable Microsoft Exchange servers, and before that it targeted Linux machines via SSH brute-force attacks, Windows systems vulnerable to SMBGhost, and servers running Redis and Hadoop instances.
According to a Crowdstrike report published today, the threat actor behind the ongoing Lemon_Duck campaign is hiding their wallets behind proxy pools.
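The misconfiguration these campaigns depend on is a Docker Engine API reachable over plain TCP. As an added check written for this digest (not taken from the article or from CrowdStrike's report), the Python below audits a daemon.json for tcp:// listeners that lack TLS client verification; the two sample configurations, the exposed one and the corrected one, are constructed. Engine API options referenced (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are the daemon's own configuration keys.

```python
"""Audit a Docker daemon.json for an exposed Engine API (added example;
the sample configurations are constructed, not from any reported victim)."""
import json

# Constructed sample configurations: the exposed setting beside the corrected one.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_daemon(daemon_json: str) -> list:
    """Return a list of findings for the TCP listeners in a daemon.json.

    The Engine API has no authentication of its own: anyone who can reach an
    unencrypted tcp:// listener can create a container that bind-mounts the
    host filesystem, which is root on the host.  TLS with client-certificate
    verification (tlsverify) is the daemon-side control.
    """
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    missing_material = [k for k in TLS_MATERIAL_KEYS if k not in cfg]

    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue                       # unix:// and fd:// sockets are local only
        host, _, port = listener[len("tcp://"):].rpartition(":")
        if not tls_verify:
            findings.append(f"{listener}: TCP listener without tlsverify "
                            "(unauthenticated, root-equivalent API)")
        elif missing_material:
            findings.append(f"{listener}: tlsverify set but missing "
                            + ", ".join(missing_material))
        if host in ("", "0.0.0.0", "[::]", "::"):
            findings.append(f"{listener}: bound to all interfaces")
        if port == "2375":
            findings.append(f"{listener}: port 2375 is the conventional "
                            "plaintext API port (2376 is the TLS convention)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon(text) or "no findings")
```

The check only covers daemon.json; a listener can also be added with `-H tcp://...` on the `dockerd` command line in the systemd unit, so audit `ExecStart` as well. Even the hardened form is worth pairing with a firewall rule restricting who can reach port 2376, since TLS client verification protects the API only as long as the client certificates do.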
READ THE STORY: Bleepingcomputer
Trolls: Threat to Society or Protectors of Free Speech? Cyberbullying Documentary (Video)
FROM THE MEDIA: Hiding behind a veil of anonymity, trolls indulge their darkest impulses, attacking whoever they want with impunity. Once you become the target of a Troll, what starts as a minor annoyance can escalate into a living nightmare. But who are Trolls? And will the fight to stop them destroy our personal freedoms? Smartphones have put the internet into our pockets and billions of people around the world are now connected online. Our lives have improved greatly, but this “freedom” has also made us vulnerable to a new kind of predator – the internet troll.
The Geopolitics of Cybersecurity: A Conversation With Chris Inglis (Video)
FROM THE MEDIA: This symposium convenes senior government officials and experts from think tanks, academia, and the private sector to address the interaction of cyber conflict and foreign policy goals, examining the current state of Russian, Chinese, Iranian, and North Korean cyber operations, as well as how the United States is responding and its own vulnerability to cyberattacks as a symptom of a broken geopolitical order.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com