Tuesday, April 26, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Conti ransomware cripples systems of electricity manager in Costa Rican town
FROM THE MEDIA: Conti’s wide-ranging ransomware attack on Costa Rica has expanded, taking down the administrative systems of the government agency managing the electricity in Cartago.
Junta Administrativa del Servicio Eléctrico de Cartago (JASEC), which runs the electricity in the city of about 160,000 people, has released several notices on Facebook explaining that all of its administrative systems were encrypted this weekend.
General manager Luis Solano said in a statement that the attack began on Saturday and encrypted the servers used to manage the organization’s website, e-mail, administrative collection systems and more.
Experts have been hired to determine if customer data was extracted by Conti operators. The ransomware group has cut off the ability of customers to pay for electricity and internet bills. JASEC has suspended all bill paying until the situation is resolved.
“It is important to emphasize to all our customers that electricity and internet services operate normally,” Solano said.
READ THE STORY: The Record // Techmonitor
Threat Actors Lurked on a Government Agency Network for 6 Months Before Deploying LockBit Ransomware
FROM THE MEDIA: Attackers breached the network of a regional U.S. government agency and lurked in the network for six months before deploying LockBit ransomware, Sophos researchers found.
The intrusion involved a seeming novice attacker who gained the initial entry before transferring control to a more sophisticated threat actor who deployed ransomware.
The attacker searched for free hacking tools using the compromised server, sometimes self-infecting with adware from dodgy download sites.
Additionally, they tried to maintain persistence by creating user accounts and installing free and commercial remote access tools.
READ THE STORY: CPO Magazine
T-Mobile breached in apparent Lapsus$ attack
FROM THE MEDIA: T-Mobile confirmed a recent data breach after reports tied cybercrime gang Lapsus$ to the theft of the telecom company's source code.
In a statement shared with SearchSecurity on Monday, T-Mobile said its monitoring tools detected an unnamed threat actor "several weeks ago," who stole credentials and used them to "access internal systems that house operational tools software."
Though the company named no threat actor behind the attack, T-Mobile's attacker appears to have been Lapsus$, an emerging threat group that breached multiple enterprises in recent months including Microsoft, Okta, Samsung and Nvidia.
Information tying the group to the attack came from cybersecurity reporter Brian Krebs, who broke news of the hack Friday. Krebs had reportedly found internal Telegram memos from key members of Lapsus$, who discussed breaching T-Mobile and stealing source code in March. This was, according to Krebs, shortly before London police arrested seven teenagers connected to the gang.
READ THE STORY: TechTarget
Experts warn that Hive ransomware gang can detect unpatched servers
FROM THE MEDIA: The Hive threat group has been targeting organizations across the finance, energy and healthcare sectors as part of coordinated ransomware attacks since June 2021.
During the attacks, the group exploits ProxyShell vulnerabilities in Microsoft Exchange servers to remotely execute arbitrary commands and encrypt the data of companies with this unique ransomware strain.
The group is highly organized, with the Varonis research team recently discovering that a threat actor managed to enter an organization’s environment and encrypt the target data with the ransomware strain in less than 72 hours.
These attacks are particularly concerning, as unpatched Exchange servers are publicly discoverable via web crawlers. “Anyone with an unpatched Exchange server is at risk,” said Peter Firstbrook, a Gartner analyst.
“Even organizations that have migrated to the cloud version of Exchange often still have some on-premises Exchange servers that could be exploited if unpatched. There are circulating threats already and unpatched servers can be detected with a web crawler, so it is highly likely that unpatched servers will be exploited,” Firstbrook added.
READ THE STORY: Venturebeat
Russia spins disinformation, claiming its forces seize “OSCE archive” in Mariupol
FROM THE MEDIA: Russian propaganda pundits are circulating misinformation about the alleged seizure of documents from the OSCE archives in Mariupol, which allegedly testify to the "crimes committed by the Armed Forces of Ukraine."
That’s according to Ukraine’s Center for Countering Disinformation at the National Security and Defense Council, Ukrinform reports.
The CCD posted an update on the main fake reports that Russia is spreading as of the morning of April 26.
One of them claims that Russian proxy forces seized “OSCE archives” in Mariupol holding reports which had allegedly documented war crimes committed by the Armed Forces of Ukraine but not included in official reports. Mines were also allegedly found, suggesting the OSCE's involvement in arms supplies to Ukraine. The CCD has decried the report as fake news.
The Russian defense ministry also claimed that "neo-Nazis" had set up a base in an apartment block in Avdiyivka, setting up firing positions on the upper floors and putting heavy equipment in the backyard, while exploiting local residents as "human shields."
READ THE STORY: Ukrinform
The Impact of the Ukraine War on Russian Espionage in Europe
FROM THE MEDIA: In the first part of this two-part series, we examined European countries' recent mass expulsions of Russian diplomats, many of whom are believed to be spies. While we highlighted the ways in which these moves will constrain Russian espionage, we also considered how Russian human intelligence, or “humint,” work is resilient. But there is an even bigger consideration: While spies on the ground in foreign countries are undoubtedly still major components of an effective intelligence collection and operations strategy, they are by no means as integral as they once were. Therefore, here we will evaluate whether Europe's mass diplomatic expulsions can really curb Russian espionage in the cyber age.
My colleagues have written extensively about Russia's cyber capabilities. However, aside from ultimately fleeting global media scrutiny in late 2020 and early 2021 of the massive SolarWinds cyberespionage operation, more recent coverage has instead focused on Russian cybercrime — especially the big uptick in ransomware attacks, and the potential for disruptive (and possibly destructive) cyberattacks in light of the Russian invasion of Ukraine. While this diversion of attention is understandable, it also misses a key component of Russia's intelligence prowess.
READ THE STORY: STRATFOR
Germany is trying to transition away from Russian fuel and hackers are now hitting German wind energy companies
FROM THE MEDIA: German wind turbine manufacturers Nordex and Enercon, as well as wind farm maintenance company Deutsche Windtechnik, all reported hacks in their company statements since the Ukraine war began. The first cyberattack on Enercon occurred on Feb. 24, the day Russia invaded Ukraine, and the following two cyberattacks on Nordex and Deutsche Windtechnik came on April 2 and April 11, respectively, as the war dragged on.
No group or government has claimed responsibility for all three, but the timing of the attacks suggests potential links to supporters of Russia’s invasion of Ukraine.
Criminal investigations have been launched regarding all three companies, but until more is known, neither analysts nor industry groups can claim the rising number of cyberattacks on German energy companies is associated with Russia’s war on Ukraine. But as Germany tries to wean itself off its reliance on Russian oil and gas, some analysts think that hackers sympathetic to Russia may be trying to cause chaos in the sector, which would threaten Russia’s geopolitical leverage.
READ THE STORY: Fortune // PCMAG
Anonymous hacks into Russian energy companies, exposing over 1 million emails
FROM THE MEDIA: Anonymous claims it hacked into Russian energy companies to expose emails and continue its cyberwar in support of Ukraine. The hacker collective posted on Twitter that it had published over 1 million emails from ALET, a Russian customs broker for fuel and energy companies. The leak was published in DDoSecrets, an organization cofounded by Emma Best, who believes in total transparency of data in the public interest.
ALET is a Russian customs broker. It works with companies in the fuel and energy industry and handles exports and customs declarations for petroleum products, coal, liquefied gases, and crude oil. Since 2011, it has worked with 400 companies and filed 119,000 customs declarations. It has recommendations from Gazprom, Gazprom Neft, and Bashneft. The majority of its business comes from oil products.
Since the beginning of the Russia-Ukraine war, Anonymous vowed to wage a cyberwar against Putin. It has delivered on that promise so far.
The organization has not only exposed Russian information, it infiltrated Russian organizations to show citizens the truth about what is going on outside the country.
READ THE STORY: Fortune
Iranian Hacking Group Among Those Exploiting Recently Disclosed VMWare RCE Flaw
FROM THE MEDIA: An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMWare Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.
VMWare disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, at the same time as it released a patch for the issue along with fixes for seven other — somewhat less critical — vulnerabilities that were privately reported to the company. VMWare identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity ranking of 9.8 on a scale of 10 because the flaw, among other things, allows attackers to gain the highest privileged access in compromised environments.
Days after the flaw was disclosed, proof-of-exploit code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began attacking the flaw to install cryptocurrency coin miners on vulnerable servers.
Among those that began exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons, Morphisec said in a report Monday. The tactics, techniques and procedures of the attackers suggested a link to Rocket Kitten, the security vendor said.
READ THE STORY: Darkreading // The Hacker News
Brave and DuckDuckGo Browsers Block Google AMP Tracking
FROM THE MEDIA: Both Brave and DuckDuckGo stepped into the market as Google’s privacy-friendly rivals. Hence, both services keep introducing measures to strengthen users’ privacy, especially, against Google’s intrusive practices.
Continuing this effort, both Brave and DuckDuckGo have separately announced thwarting Google AMP tracking with their new measures.
Briefly, AMP tracking relates to Google’s “Accelerated Mobile Pages” (AMP), an open-source HTML framework. The tech giant launched this feature in 2015 in a bid to speed up browsing for mobile search users.
Google claimed that AMP HTML would allow pages to load quickly on mobile devices. It even urged web developers to design AMP pages for a better user experience on mobile devices. However, it soon raised concerns for privacy-savvy users as the feature seemingly facilitated user tracking.
To combat this problem, Brave has announced adding a “De-AMP” feature to its browser, intended to block interactions between users and AMP pages as far as possible. As stated in its post,
READ THE STORY: LHN
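As an added illustration of what a "de-AMPing" client has to do, the following JavaScript is an example written for this digest, not Brave's De-AMP code and not taken from the LHN story. It relies on two properties of the AMP HTML format itself: an AMP document marks its root element with an `amp` (or `⚡`) attribute, and it must carry a `<link rel="canonical">` pointing at the publisher's original page. The sample HTML and the cache URL passed to `deAmp()` are constructed for the example; the function names are mine.

```javascript
// Added example, not Brave's De-AMP implementation: detect AMP markup in a
// fetched document and recover the canonical (non-AMP) URL to navigate to.

function isAmpDocument(html) {
  // AMP HTML requires the root <html> tag to carry an `amp` or `⚡` attribute.
  const m = html.match(/<html\b([^>]*)>/i);
  if (!m) return false;
  return /(^|\s)(amp|⚡)(\s|=|$)/i.test(m[1]);
}

function canonicalUrl(html) {
  // Find <link ... rel="canonical" ... href="..."> regardless of attribute order.
  const linkRe = /<link\b[^>]*>/gi;
  let tag;
  while ((tag = linkRe.exec(html)) !== null) {
    if (!/\brel\s*=\s*["']?canonical["']?/i.test(tag[0])) continue;
    const href = tag[0].match(/\bhref\s*=\s*["']([^"']+)["']/i);
    if (href) return href[1];
  }
  return null;
}

function deAmp(html, currentUrl) {
  // Returns { amp, redirectTo }: redirectTo is the canonical URL when the
  // page is AMP and the canonical link resolves to a different location.
  if (!isAmpDocument(html)) return { amp: false, redirectTo: null };
  const canon = canonicalUrl(html);
  if (!canon) return { amp: true, redirectTo: null };
  let target;
  try {
    target = new URL(canon, currentUrl); // resolve relative canonical links
  } catch {
    return { amp: true, redirectTo: null }; // malformed href: stay put
  }
  // Never redirect to the page we are already on (avoids redirect loops).
  if (target.href === currentUrl) return { amp: true, redirectTo: null };
  return { amp: true, redirectTo: target.href };
}

// Constructed sample: a minimal AMP page as it might be served from an AMP cache.
const SAMPLE_AMP = `<!doctype html>
<html ⚡ lang="en">
<head>
  <meta charset="utf-8">
  <link rel="canonical" href="https://publisher.example/story/42">
  <script async src="https://cdn.ampproject.org/v0.js"></script>
</head>
<body><h1>Hello</h1></body>
</html>`;

// Constructed sample: the publisher's own non-AMP page with the same canonical link.
const SAMPLE_PLAIN = `<!doctype html><html lang="en"><head>
<link rel="canonical" href="https://publisher.example/story/42"></head><body></body></html>`;

// Hypothetical cache URL for the AMP copy (constructed for the example).
const CACHE_URL = "https://publisher-example.cdn.ampproject.org/c/s/publisher.example/story/42";

console.log(deAmp(SAMPLE_AMP, CACHE_URL));   // { amp: true, redirectTo: 'https://publisher.example/story/42' }
console.log(deAmp(SAMPLE_PLAIN, "https://publisher.example/story/42")); // { amp: false, redirectTo: null }
```

The loop guard matters in practice: a publisher that serves the AMP version as its own canonical page would otherwise bounce the client forever, so the check only redirects when the canonical URL resolves somewhere other than the current location.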
Mailchimp Data Breach Led to Stolen Crypto, Class Action Says
FROM THE MEDIA: Intuit and its subsidiary Mailchimp failed to prevent a data breach earlier this month that resulted in millions of dollars of stolen cryptocurrency, a new class action lawsuit alleges.
Plaintiff Alan Levinson claims Intuit and Mailchimp failed to ensure their data systems were protected, to prevent the breach from happening, or to disclose it in a timely manner.
Levinson claims unknown hackers were able to obtain the customer list of users of Trezor, which sells an offline hardware cryptocurrency wallet, due to the info being “negligently stored” by Mailchimp.
The hackers used the information to send out a phishing email purporting to be from Trezor, which told recipients that their “data had been compromised” and that their cryptocurrency was “at risk of being stolen,” according to the Mailchimp class action.
Levinson claims users were directed to a fake Trezor website where they were “prompted to download a new version of the Trezor Suite desktop application,” which gave the hackers access to their account information.
READ THE STORY: Top Class Actions
Ukraine War Has Increased Cyber Risks for Advisors. Here’s How to Reduce Them
FROM THE MEDIA: The Russia-Ukraine war has resulted in increased cybersecurity threats that directly impact financial advisors.
Cyber warfare has already led to an increase in hacking and the introduction of malware to systems of organizations beyond Ukraine and Russia.
Advisors should be aware of these increased risks to their systems and harden their defenses. Knowing where they are vulnerable and what they need to do to protect themselves is a good place to start.
Russia has launched cyberattacks against Ukraine, and Ukraine in turn has unleashed its “volunteer IT army” to fight back. These skirmishes can result in collateral damage to organizations and individuals outside the immediate conflict zone because computer malware, like biological viruses, rarely remains confined to its intended target or space.
We have seen such cyber collateral damage before. In 2017, hackers thought to be affiliated with Russia targeted Ukrainian citizens with malware known as NotPetya, which was tied to software Ukrainians are required to use to file their taxes. It spread to multiple corners of the world, affecting organizations as diverse as Maersk, Merck, FedEx, and Mondelez International.
There is legal risk for advisors in failing to take appropriate steps in light of a well-publicized threat such as that posed by the Ukraine War. Many laws and regulations require organizations that collect and store personal and financial information to secure that information. The standard of liability is failure to take reasonable steps to protect investor information, and “reasonable” is defined by the needs of the circumstances of the current cyber environment of elevated risk.
READ THE STORY: Barrons
Hack DHS: Homeland Security's first bug bounty turns up 122 vulnerabilities
FROM THE MEDIA: The US Department of Homeland Security's (DHS) first bug bounty program with external researchers, called "Hack DHS", helped discover 122 vulnerabilities.
DHS announced the Hack DHS bounty in December and, in phase one of the program, invited more than 450 "vetted security researchers" to get involved. DHS suggests the program produced solid results: 27, or about 22%, of the 122 vulnerabilities participants found were deemed "critical".
DHS offered participants between $500 and $5,000 per discovered vulnerability and in total awarded $125,600 for verified security flaws. It was the first federal agency to amend its bug bounty program to include Log4J flaws across all public-facing information system assets. This allowed it to identify and close vulnerabilities that were not surfaced through any means other than the bounty, DHS said. It doesn't say how many of the flaws were related to Log4J or how many of the identified bugs were eligible for the $5,000 award.
This bug bounty invited approved hackers to run a virtual assessment on select DHS systems. It concludes the first of the program's three phases. The second phase invites security researchers to join a live, in-person hacking event, while the third phase will be used by DHS to collect lessons that inform future bug bounty programs.
READ THE STORY: ZDNET
Items of interest
China again signals desire to shape IPv6 standards
FROM THE MEDIA: China's Central Cyberspace Administration has revealed a plan for further and faster adoption of IPv6 across the nation and outlined plans to drive new developments for the protocol.
The Middle Kingdom's updated IPv6 ambitions were detailed yesterday in an announcement of the "2022 Work Arrangement for Further Promoting the Large-scale Deployment and Application of IPv6", which set the following goals for local IPv6 adoption by the end of 2022:
700 million active IPv6 users;
180 million IPv6 connections for the Internet of Things;
13 per cent of fixed network traffic to use IPv6;
45 per cent of mobile traffic to use IPv6;
85 per cent IPv6 adoption by government and major commercial websites;
IPv6 to be enabled by default in all new home routers.
A ten-point plan to achieve those goals includes initiatives to encourage greater adoption of IPv6 by cloud platforms, video streamers, and in major industries such as financial services and agriculture.
That's the sort of stuff that gets some sections of the networking community excited because IPv6 has for decades been perceived as a necessary upgrade that's happening at bewilderingly slow speed. Others point out that carriers around the world have little incentive – or need – to change to IPv6 because the combination of network address translation (NAT) and IPv4 work well enough that they've delivered from the dial-up internet of the late 1990s to the mobile internet of today.
But China is all-in on IPv6 and on advancing the standard. The new plan calls for the nation to be "actively participating in the formulation of international standards for the next-generation internet," by accelerating R&D on key technologies for IPv6 security, including "network security management, supervision and inspection."
READ THE STORY: The Register
AFRL opens its Hack-A-Sat satellite hacking competition (Video)
FROM THE MEDIA: The idea is that the ethical challenge encourages security researchers to focus their skills on solving the cybersecurity challenges of space systems. Participants have to learn about ground system requirements, how spacecraft orbit, power management, orbit predictions and how best to defend craft from cyber attacks, among other areas.
Hack-A-Sat 3 is based on the development of Moonlighter (scheduled to launch in 2023), a satellite currently being designed and built “for the purposes of advancing security researcher knowledge and skills in securing space systems”, says the U.S. Air Force Research Laboratory (AFRL), which is running the event. Source
Chip Flaws Left ‘A Third Of World Smartphones And IoT Devices’ Vulnerable (Video)
FROM THE MEDIA: A vulnerability in a chip manufactured by $60 billion market cap Taiwanese tech giant MediaTek left a third of all of the world’s smartphones and internet of things devices open to remote snooping of phone calls and spying via the device microphone, researchers have claimed. The problems lay in the part of MediaTek chips that handle audio signals, according to researchers at Israeli cybersecurity company Check Point.
For a remote attack to work, a hacker would need to first have malware installed on the target Android phone or smart device, or find some way to access the MediaTek audio firmware. Once installed, the malware could write malicious code to device memory by exploiting the ways in which the audio processor worked with Android. It would then have been possible to “steal the audio flow” on the device, allowing the hacker to eavesdrop on an Android user or install more malicious code on the device.
“Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users,” said Slava Makkaveev, security researcher at Check Point.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com