Saturday, April 23, 2022 // (IG): BB //Weekly Sponsor: Philly Tech Club
Conti ransomware attack was aimed at destabilizing government transition, Costa Rican president says
FROM THE MEDIA: Several systems operated by the government of Costa Rica were hit with a ransomware attack this week, according to the country’s president Carlos Alvarado Quesada.
The Conti ransomware group added systems connected to several government agencies to its list of victims on Tuesday and Wednesday. Government officials confirmed Conti’s involvement.
Quesada said the attack was meant to “threaten the stability of the country in a transition situation.” The country elected a new president – former World Bank official Rodrigo Chaves – on April 4.
Quesada released a video addressing the ransomware attack on Thursday, telling the public that the country will not pay the ransom, which some have said is $10 million.
“It is not just an attack on the institutions affected, the government or importers and exporters. It is a criminal cyberattack on the state and the entire country. It cannot be separated from the complex global geopolitical situation in a digitalized world,” he said.
READ THE STORY: The Record
Take this $15m and make us some ultra-energy-efficient superconductor chips, scientists told
FROM THE MEDIA: Researchers in the US have received a $15 million National Science Foundation (NSF) award to develop superconductor chips that ought to be much faster and use significantly less energy than the hardware the world today relies on for computing.
A team at the University of Southern California's Viterbi School of Engineering is leading the effort, and it goes by the name DISCoVER, a rather fun acronym that stands for Design and Integration of Superconductive Computation for Ventures beyond Exascale Realization.
As the name suggests, the scientists are looking to use superconducting materials as an alternative to today's semiconductors to develop new kinds of superfast and highly energy efficient integrated circuits that can enable sustainable and large-scale exascale computing.
Creating supercomputers that can deliver more than one exaflop, or one quintillion floating-point operations per second, has been a strategically important goal for the United States and other countries, including China, as they can dramatically speed up critical research projects, ranging from drug development to climate change modeling.
READ THE STORY: The Register
Rio de Janeiro finance department hit with LockBit ransomware
FROM THE MEDIA: The Secretary of State for Finance of Rio de Janeiro confirmed on Friday that it was dealing with a ransomware attack on its systems.
The LockBit ransomware group claimed to have attacked systems connected to the government offices, stealing about 420 GB. The group threatened to leak the stolen data on Monday.
In a statement to The Record, a spokesperson for the Secretary of State for Finance of Rio de Janeiro said they contacted the law enforcement agency that manages digital crimes in Brazil after they were threatened by a cybercriminal who breached their systems.
“In the threat, sent this Thursday, the attacker asks for a payment not to disclose data allegedly stolen from the systems of Sefaz-RJ. This data would correspond to only 0.05% of the data stored by the Secretariat,” the spokesperson said.
READ THE STORY: The Record
US Space Force unit to monitor region beyond Earth's geosynchronous orbit
FROM THE MEDIA: The US Space Force has created a unit, the 19th Space Defense Squadron, to monitor activity in the region beyond Earth's geosynchronous orbit, all the way out to the Moon and yonder.
Commander of the 18th SDS, Lt. Col. Matt Lintker, confirmed the launch of the task force during a panel discussion at the intelligence and defense-focused C4ISRNet conference held virtually this week.
Lintker said the 19th SDS will be in charge of monitoring the area of space further out than our planet's geosynchronous equatorial orbit, a region officials called "xGEO" space. Space Force is mostly concerned with the operation and defense of its satellites for communications and navigation purposes, but it also keeps an eye on space for any military activity from foreign adversaries and also tracks space junk that could cause a risk to American interests.
Space Force also works closely with NASA, providing airspace security, search and rescue capabilities for the International Space Station crew, and more. In return, NASA conducts scientific research on behalf of the military. As NASA hopes to team up with private corporations to colonize the Moon, Space Force also needs to expand its remit further out into cislunar space to support future missions and capabilities.
READ THE STORY: The Register
US DOJ probes Google's $5.4b Mandiant acquisition
FROM THE MEDIA: Federal regulators are taking a closer look at Google's planned $5.4 billion acquisition of Mandiant, a deal designed to boost the web giant's public cloud's cybersecurity capabilities.
In a filing [PDF] with the SEC this week, Mandiant officials said that both their company and Google received a request from the Department of Justice for more information, though no details about what data is being sought were disclosed.
Both companies expect to respond to this request promptly and continue to work with the DOJ's review of the proposed deal, which was announced in early March, they stated in the SEC filing. The merger is still expected to go ahead this year.
In announcing its bid March 8, Google Cloud CEO Thomas Kurian said in a statement that "organizations around the world are facing unprecedented cybersecurity challenges as the sophistication and severity of attacks that were previously used to target major governments are now being used to target companies in every industry."
READ THE STORY: The Register
Cryptomining botnet targeting Docker on Linux systems
FROM THE MEDIA: LemonDuck, a well-known cryptomining botnet, is targeting Docker on Linux systems to coin digital money, CrowdStrike reported Thursday.
The company's threat research team revealed in a blog written by Manoj Ahuje that the botnet is leveraging Docker APIs exposed to the internet to run malicious containers on Linux systems.
Docker is used to build, run, and manage containerized workloads. Since it runs primarily in the cloud, a misconfigured instance can expose a Docker API to the internet, where it can be exploited by a threat actor who can then run a crypto miner inside a rogue container.
Mike Parkin, an engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that one of the main ways attackers compromise containerized environments is through misconfigurations, which just shows how many organizations are failing to follow industry best practices.
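The misconfiguration the story describes is usually a dockerd listener bound to a non-loopback TCP address without client-certificate verification. The check below is an added example, not code from CrowdStrike's report or from Docker: it audits a daemon.json or a systemd ExecStart line and flags such listeners. The sample configurations are constructed; the keys and flags used (hosts, tlsverify, tlscacert, tlscert, tlskey, -H/--host) are dockerd's own.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples (not from the CrowdStrike report): two configs that publish the
# Docker API on every interface with no TLS, and one using mutual TLS on an internal address.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_EXEC_START = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_DAEMON_JSON = """{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}"""

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]  # dockerd's default when no hosts/-H is given

def audit_hosts(hosts, tlsverify, certs_present):
    """Rate each dockerd listen endpoint as (endpoint, severity, reason)."""
    findings = []
    for endpoint in hosts:
        parts = urlsplit(endpoint)
        if parts.scheme in ("unix", "fd"):
            findings.append((endpoint, "info", "local socket; access governed by file permissions"))
        elif parts.scheme != "tcp":
            findings.append((endpoint, "warn", "unrecognised scheme"))
        elif (parts.hostname or "") in {"127.0.0.1", "localhost", "::1"}:
            findings.append((endpoint, "info", "TCP on loopback only"))
        elif not tlsverify:  # 'tcp://:2375' (empty host) also means all interfaces
            findings.append((endpoint, "high", "remote API without client-cert auth: anyone reaching the port can run containers"))
        elif not certs_present:
            findings.append((endpoint, "warn", "tlsverify set but CA/cert/key paths not configured"))
        else:
            findings.append((endpoint, "ok", "TCP with mutual TLS"))
    return findings

def audit_daemon_json(text):
    cfg = json.loads(text)
    return audit_hosts(cfg.get("hosts", DEFAULT_HOSTS), bool(cfg.get("tlsverify")), all(cfg.get(k) for k in TLS_KEYS))

def audit_exec_start(line):
    """Same audit for a systemd 'ExecStart=/usr/bin/dockerd ...' line (-H/--host, --tlsverify, --tls*)."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts, tlsverify, certs = [], False, set()
    for i, arg in enumerate(argv):
        name, _, value = arg.partition("=")
        if name in ("-H", "--host"):
            hosts.append(value or argv[i + 1])
        elif name == "--tlsverify" and value in ("", "true"):
            tlsverify = True
        elif name.lstrip("-") in TLS_KEYS:
            certs.add(name.lstrip("-"))
    return audit_hosts(hosts or DEFAULT_HOSTS, tlsverify, len(certs) == 3)

def unauthenticated_remote(findings):
    return [ep for ep, sev, _ in findings if sev == "high"]
```

Run it against /etc/docker/daemon.json and the dockerd unit on each host; any "high" finding is the exposure described above, and binding to loopback (or switching to mutual TLS on port 2376) removes it.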
READ THE STORY: CSO Online
T-Mobile Admits Lapsus$ Hackers Gained Access to its Internal Tools and Source Code
FROM THE MEDIA: Telecom company T-Mobile on Friday confirmed that it was the victim of a security breach in March after the LAPSUS$ mercenary gang managed to gain access to its networks.
The acknowledgment came after investigative journalist Brian Krebs shared internal chats belonging to the core members of the group indicating that LAPSUS$ breached the company several times in March prior to the arrest of its seven members.
T-Mobile, in a statement, said that the incident occurred "several weeks ago," with the "bad actor" using stolen credentials to access internal systems. "The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value," it added.
READ THE STORY: The Hacker News
As of the end of last year, 67 percent of Android phones were vulnerable to remote attack
FROM THE MEDIA: Late last year, a pair of vulnerabilities identified in Qualcomm and MediaTek chipsets were finally patched, but not before an attacker had access to media and audio conversations on two-thirds of Android handsets. The Apple Lossless Audio Codec (ALAC), which enables lossless data compression of digital audio streams, is used by both Qualcomm and MediaTek. Apple declared ALAC open source a little over a decade ago, allowing it to be used on non-Apple devices such as Android phones. Several updates have been made since, but the code had not been patched since 2011.
Qualcomm and MediaTek chips were affected by the vulnerabilities, and 67% of Android phones were at risk of a remote attack until late last year. Check Point Research discovered that Qualcomm and MediaTek ported vulnerable ALAC code into their audio decoders, which it says are used on over half of all smartphones worldwide. Check Point notes that the latest IDC numbers show that a leading 48.1% share of all Android phones in the US are equipped with a MediaTek chipset, with 47% using Qualcomm.
READ THE STORY: Bolly Inside
OKTA ENDS INVESTIGATION INTO LAPSUS$ BREACH
FROM THE MEDIA: A month after initially disclosing a breach at one of its third-party contractors that led to attackers from the Lapsus$ group accessing some customer information, Okta officials said they have finished their investigation into the intrusion, and have cut ties with the contractor, Sitel, and are making changes to the way that the company works with outside service providers.
The initial intrusion by Lapsus$ occurred in January and during the original disclosure of the incident, Okta officials estimated that about 2.5 percent of the company’s customers were affected. But this week, Okta CSO David Bradbury said the attackers were only able to access two Okta customer tenants during the 25-minute window of time in which they had access to a Sitel workstation.
“During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” Bradbury said in a post.
“The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events. The threat actor was unable to authenticate directly to any Okta accounts.”
Bradbury said that Okta has ended its relationship with Sitel, a large international provider of managed support services, as a result of the intrusion and subsequent investigation. Also, Okta is changing some of the requirements for outside companies who perform support and other services on the company’s behalf in order to strengthen security.
READ THE STORY: DUO
Early Discovery of Pipedream Malware a Success Story for Industrial Security
FROM THE MEDIA: The recent discovery of a malware framework — referred to as both Pipedream and Incontroller — targeting industrial control systems (ICS) highlights what can happen when everything goes right, ICS security professionals stressed at a panel discussion hosted by the Atlantic Council on April 22.
Unlike in previous attacks, cybersecurity experts detected components of the malware, researched the attackers' techniques, and erected defenses against Pipedream before it was even deployed. In its current state, the framework boasts capabilities that can scan for and communicate with some programmable logic controllers from Schneider Electric and Omron, as well as scan and profile unified communication servers based on the OPC Unified Architecture specification.
The expertise and capabilities encapsulated in the framework point to a nation-state actor as the source, making the coordinated investigation a significant win, and the best argument for the return on investment (ROI) of cybersecurity, says Danielle Jablanski, operational technology cybersecurity strategist at Nozomi Networks and a former consultant for the US Department of Defense.
READ THE STORY: Darkreading
Hackers Claim to Target Russian Institutions in Barrage of Cyberattacks and Leaks
FROM THE MEDIA: Hackers claim to have broken into dozens of Russian institutions over the past two months, including the Kremlin’s internet censor and one of its primary intelligence services, leaking emails and internal documents to the public in an apparent hack-and-leak campaign that is remarkable in its scope.
The hacking operation comes as the Ukrainian government appears to have begun a parallel effort to punish Russia by publishing the names of supposed Russian soldiers who operated in Bucha, the site of a massacre of civilians, and agents of the F.S.B., a major Russian intelligence agency, along with identifying information like dates of birth and passport numbers. It is unclear how the Ukrainian government obtained those names or whether they were part of the hacks.
Much of the data released by the hackers and the Ukrainian government is by its nature impossible to verify. As an intelligence agency, the F.S.B. would never confirm a list of its officers. Even the groups distributing the data have warned that the files swiped from Russian institutions could contain malware, manipulated or faked information, and other tripwires.
READ THE STORY: NY Times
Oil India cyber attack: Russian malware planted from Nigeria
FROM THE MEDIA: The ransomware attack on public-sector oil company Oil India Limited (OIL) was carried out using Russian malware planted from a server in Nigeria.
A senior police official said that it was Russian malware planted from a server in Nigeria.
OIL stated that it has suffered no financial losses due to the attack and that its operations are running smoothly.
OIL has lodged an FIR at Duliajan police station. The attacker has demanded US$7,500,000 as ransom through a note left on the infected PC. OIL is bringing in an international cyber security expert as a consultant.
Police stated, "with due respect, it is informed that we have received an email on 12.04.2022 from Keshab Bora, DGM-IT of IT Department, stating that on 10.04.2022 a ransomware cyber attack occurred on one of the workstations of OIL's G&R department. After their preliminary investigation, it came to their notice that OIL's network, server and client PCs are facing a network outage".
READ THE STORY: Economic Times
Aid groups helping Ukraine face both cyber and physical threats
FROM THE MEDIA: Employees at Insecurity Insight, a Switzerland-based nonprofit, received a string of malicious links and pornographic material on their cell phones after publishing a report last month on Russian attacks on hospitals in Ukraine.
The phishing messages were "on a scale we had never experienced" and came as staff members spent late nights documenting the war's destruction, Christina Wille, the director of Insecurity Insight, told CNN. She suspects it was an (unsuccessful) attempt to deter her team from reporting on Russia's war in Ukraine.
It's just one example of a range of digital threats facing humanitarian-focused organizations as Russian President Vladimir Putin shows no sign of ending his brutal war on Ukraine.
In several other cases, malicious software has been used to target charities and aid organizations working on Ukraine "in order to spread confusion and cause disruption" to the provision of medical supplies, food or clothing, according to Amazon Web Services, Amazon's cloud-computing division.
READ THE STORY: CNN
Items of interest
Kronos cyber attack sparks lawsuits against employers
FROM THE MEDIA: Like malware and computer viruses themselves, the consequences of cyberbreaches have a way of spreading in unpredictable ways.
A recent ransomware attack on third-party payroll and timekeeping software provider Kronos has led to several wage-and-hour class actions in recent weeks against everyone from PepsiCo to The Giant Company, alleging that the hack resulted in overtime pay violations for hourly workers.
As of April 6, there have been seven lawsuits (most in April, though a few were filed in late March) all stemming from the December 2021 cyberattack on Kronos.
While plenty has been written about potential cyber liability exposure for companies whose vendors are compromised, this latest crop of litigation shows how third-party cyberbreaches can also lead to other causes of action, such as labor & employment claims.
All of the complaints allege that hourly employees were shorted on overtime pay as a result of the Kronos breach.
Johnson Controls International, an Ireland-headquartered building equipment manufacturer, was sued April 3 in the Eastern District Court for the District of Wisconsin on behalf of a putative class of current and former non-exempt hourly employees. The case is Henderson v. Johnson Controls, Inc.
READ THE STORY: Benefitspro
Danger in Your Ranks and the Evolving Cyber Threat Landscape (Video)
FROM THE MEDIA: Learn strategies to reduce your cyber risk in this joint webinar panel discussion presented by the Salt Lake Chamber, The Buckner Company, Nexus IT Consultants, and Strong Connexions. Gain insights into how employees cause 95% of all breaches and how to implement a strategy to reduce cyber risk by combining a proactive security program with cyber insurance coverage.
Resilience to Cyber Threats in The Financial Sector (Video)
FROM THE MEDIA: Resilience to Cyber Threats in The Financial Sector.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com