Thursday, April 28, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Who tried to hack Hawaii’s undersea cable?
FROM THE MEDIA: Was a recently-thwarted cyberattack on a Hawaii undersea cable the work of financially-motivated cybercriminals, government-linked hackers, or someone else? Hawaii officials are working with federal agents to determine exactly that, according to Frank Pace, the administrator of the Hawaii Office of Homeland Security.
“That’s what we’re trying to figure out,” he said, adding even their intention is unclear. “Whether it was just a known cybercriminal group that wanted to compromise individuals or executives within the organization, or to install various forms of ransomware to hold their systems hostage.”
The threat actors allegedly hacked a private company on the mainland, which had access to the underwater cable’s servers, among other credentials.
Pace spoke with Dina Temple-Raston and Sean Powers of the Click Here podcast about the thwarted hack. The interview has been edited for length and clarity, and an excerpt is available in this week’s episode of the Click Here podcast.
READ THE STORY: The Record
US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks
FROM THE MEDIA: The U.S. government has stepped up its hunt for six Russian intelligence officers, best known as the state-backed hacking group dubbed “Sandworm,” by offering a $10 million bounty for information that identifies or locates its members.
The Sandworm hackers — who work for a division of Russia’s GRU, the country’s military intelligence division — are known for launching damaging and destructive cyberattacks against critical infrastructure, including food supplies and the energy sector.
Sandworm may be best known for the NotPetya ransomware attack in 2017, which primarily hit computer systems in Ukraine and disrupted the country’s power grid, leaving hundreds of thousands of residents without electricity during the depths of winter. In 2020, U.S. prosecutors indicted the same six Sandworm hackers, who are believed to still be in Russia, for the NotPetya attack, as well as several other attacks that targeted the 2018 PyeongChang Winter Olympics in South Korea and for running a hack-and-leak operation to discredit France’s then-presidential frontrunner Emmanuel Macron.
READ THE STORY: TechCrunch
New critical infrastructure malware is unlike anything cyber experts have seen
FROM THE MEDIA: Newly discovered malware capable of disrupting critical infrastructure incorporates learnings from high-profile energy sector cyberattacks and presents a new level of threat, according to industrial cybersecurity firm Dragos Inc.
Pipedream is the latest cyberweapon specifically designed to target industrial control systems, or ICS, which control industrial operations. The rise of ICS-focused malware has long raised concerns about devastating and deadly attacks on energy infrastructure, following successful disruptions to the Ukrainian electric grid, which the U.S. attributed to Russian nation-state actors.
The U.S. issued a warning April 13 that Pipedream has the ability to compromise widely used ICS equipment made by Schneider Electric SE and Omron. However, Dragos believes Pipedream can target controllers from hundreds of other vendors, many of which rely on a few common communication protocols.
READ THE STORY: SP Global
Privateering against Western brands.
FROM THE MEDIA: Some recent ransomware attacks are being interpreted as privateering. Two groups in particular, the gangs behind Conti and Stormous, have been particularly active in the Russian interest. Conti, the better known of the two, has sustained doxing and compromise of internal chatter by hacktivists and (probably) Ukrainian intelligence services, but these seem not to have slowed it down, whatever fleeting embarrassment and reputational damage it may have suffered in the underworld. SecurityWeek reports that at least thirty new victims of Conti have been claimed on the gang's site in the month of April alone.
The other operation, Stormous, only came to prominence around the outset of Russia's invasion of Ukraine. This group has claimed, according to Security Affairs, to have successfully obtained access to some of the Coca-Cola Company's servers from which they've stolen some 116 gigabytes of information. Cybernews says that the filenames mentioned by Stormous suggest that the gang is claiming to have taken "financial data, passwords, commercial accounts, email addresses, and other data." Stormous crowed large on its site:
READ THE STORY: The Cyberwire
Microsoft uncovers extensive Russian cyber operations in Ukraine
FROM THE MEDIA: Microsoft released a report on Wednesday detailing how Russian-backed hackers unleashed a series of cyber operations against Ukraine as early as March 2021.
According to the report, at least six separate Russian-backed hacking groups have launched more than 200 cyber operations against Ukraine, including destructive attacks that have threatened civilian welfare. The report also found that the hackers engaged in a broad range of espionage and intelligence activities.
Microsoft found nearly 40 destructive attacks, 32 percent of which directly targeted Ukrainian government organizations while 40 percent were aimed at critical sectors.
READ THE STORY: The Hill
Emotet is Back From ‘Spring Break’ With New Nasty Tricks
FROM THE MEDIA: Emotet malware attacks are back after a 10-month “spring break” – with criminals behind the attack rested, tanned and ready to launch a new campaign strategy. That new approach includes more targeted phishing attacks, different from the previous spray-and-pray campaigns, according to new research.
Proofpoint analysts linked this activity to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a Tuesday report.
Emotet, once dubbed “the most dangerous malware in the world” is being leveraged in its most recent campaign to deliver ransomware. Those behind distributing the malware have been in law enforcement’s crosshairs for years. In January 2021, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”
READ THE STORY: ThreatPost
Chinese APT Bronze President Mounts Spy Campaign on Russian Military
FROM THE MEDIA: China's tacit support for Russia's war in Ukraine apparently doesn't preclude likely China-backed cyber actors from mounting espionage campaigns on the Russian military.
Researchers from SecureWorks' Counter Threat Unit this week said they recently discovered malware that suggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting Russian military personnel and officials. The security vendor described the effort as an example of how political changes can push countries into new territory for surreptitious information-gathering efforts, even against friends and allies.
According to the report, the heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia's 56th Blagoveshchenskiy Red Banner Border Guard Detachment (which is deployed near Russia's border with China). The file is designed so that default Windows settings do not display its .exe extension, SecureWorks said.
READ THE STORY: Dark Reading
Russian Hackers Are Targeting Europe's Renewable Energy Infrastructure
FROM THE MEDIA: Cyberattacks have hit at least three wind power firms in Germany in the two months since Russia invaded Ukraine. A European wind power industry association says the timing of the hacks suggests possible links to hackers sympathetic with Russia aiming to wreak havoc on European renewable energy systems as Europe looks to cut its reliance on Russian fossil fuels. German firms Enercon, Nordex Group, and Deutsche Windtechnik have all reported cyber incidents in recent weeks. Earlier this month, Conti, a group that declared support for Russia at the start of the war in Ukraine, claimed responsibility for the attack on Nordex.
The cyberattacks on Germany-based wind power companies began on the day on which Russia invaded Ukraine—February 24.
Turbine maker Enercon GmbH announced a massive disruption of the satellite communication following a cyberattack on a satellite that day.
“Communication services provided via the satellite went down at almost exactly the same time that Russian troops invaded Ukraine,” Enercon said last week in its latest update on the cyber incident. Around 30,000 satellite terminals used by companies and organizations from various sectors were affected across Europe, including 5,800 Enercon wind energy converters (WECs) in central Europe with a total installed power of more than 10 gigawatts.
READ THE STORY: Oilprice
Hackers Linked to Russia Launched Hundreds of Cyberattacks in Ukraine, Microsoft Says
FROM THE MEDIA: At least six hacking groups linked to the Russian government have attempted hundreds of cyberattacks in Ukraine since Russia’s invasion in February, including dozens intended to destroy computer systems, according to new research from Microsoft Corp.
Moscow’s hacking activity amounts to a relentless onslaught of disruptive and destructive operations, often tactically paired with kinetic military maneuvers, in addition to traditional cyber espionage, Microsoft said. Though many attacks have been successful, Ukraine’s cyber defenses have repelled others, and Ukraine has so far largely evaded the kind of debilitating or nationwide cyber disruption that Western officials feared at the onset of the war.
“The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services, and have attempted to shake confidence in the country’s leadership,” Tom Burt, Microsoft’s vice president of customer security and trust, said in a blog post accompanying the research.
READ THE STORY: WSJ
Detectives on the trail of this unknown hacker are leaving him cryptic messages
FROM THE MEDIA: In the cybercrime sector, there’s a new threat actor who appears to be taking researchers’ counterattacks personally.
Checkmarx cybersecurity researchers recently published a blog post about a threat actor known as RED-LILI. This group has been spotted sending malicious NPM packages using user accounts that were generated automatically.
Checkmarx has since publicized its findings on this threat actor’s approaches and procedures, and even launched the RED-LILI Tracker to share information on the attacker’s packages and analytical findings with the community.
This move did not sit well with the group, which responded by changing up its tactics a bit. Besides trying to make the malicious packages seem more credible, and to obfuscate the malicious code as well as it can, the group also started leaving messages to the researchers.
READ THE STORY: Bollyinside
New Ransomware Gang ‘Black Basta’ Emerges — Here’s How To Fight Them
FROM THE MEDIA: Black Basta, a new ransomware gang has emerged in the scene causing massive breaches to companies and organizations for hundreds of thousands to millions of dollars.
The threat actor has quickly risen to prominence this month, infiltrating at least twelve different companies in a matter of weeks.
The Black Basta virus used by the gang is extremely difficult to detect because it operates in complete stealth and rarely manifests any symptoms. Thus, the majority of antivirus software is unable to detect ransomware such as the Black Basta virus.
READ THE STORY: iTechpost
More than 10,000 Redline malware attacks in April targeting Internet Explorer vulnerability
FROM THE MEDIA: Hackers deploying the Redline malware launched thousands of attacks against systems in more than 150 countries and territories in April, according to data from cybersecurity firm Bitdefender.
In a report released on Wednesday, Bitdefender said that at the start of the year, it noticed a campaign using CVE-2021-26411 exploits found in Internet Explorer to deliver the RedLine Stealer, a low-cost password stealer sold on underground forums.
RedLine allows attackers to gain access to system information like usernames, hardware, browsers installed, and anti-virus software before then exfiltrating passwords, credit cards, crypto wallets and VPN logins to a remote command and control server.
READ THE STORY: The Record
Apple's self-repair service finally launches after months of silence
FROM THE MEDIA: After five months of silence on the state of its self-service repair program, Apple has finally launched it for US customers.
Apple initially made the world aware of its intention to launch a self-service repair program in November 2021, surprising many an Apple watcher used to the company's checkered history with the right-to-repair movement.
Cupertino was mum on the progress of the service before being beaten to the punch earlier this month when Google confirmed a partnership with iFixit to sell parts for Pixel devices online.
When Apple first set out the Self Service Repair it said there would be more than 200 parts and tools available for iPhone 12 and 13 models, and the company indicated today that's still the case. In particular, the Self Service Repair Store sells parts for all iPhone 12 and 13 series models, as well as the third-generation iPhone SE. Parts include battery, bottom speaker, camera, display, SIM tray and Taptic Engine repairs. Apple said components for Macs with Apple silicon would be added later.
READ THE STORY: The Register
North Korean Hacking Group Continues Laundering Despite US Sanctions
FROM THE MEDIA: Lazarus Group, the North Korean hacking group linked to the Axie Infinity hack in March, is still freely laundering funds despite sanctions imposed by the US. According to blockchain analytics firm Elliptic, they work primarily through Tornado Cash, a service that attempts to hide the origin of funds.
As of April 14, exploiters had laundered 18% of their loot or over $100 million of the proceeds. Around $80.3 million was laundered via Tornado Cash.
Binance CEO Changpeng Zhao announced in a tweet the recovery of $5.8 million stolen by Axie Infinity hackers. The funds seized by Binance had been spread across 86 accounts on the platform. The exchange, however, did not disclose the names of the owners.
READ THE STORY: Investing
Plan for $1M bug bounties and double the nodes in wake of $600M Ronin hack
FROM THE MEDIA: The Ronin Network and Sky Mavis have vowed to upgrade their smart contracts, offer lucrative bug bounties and ramp up security following the $600 million hack late last month.
As Cointelegraph previously reported, the Ethereum sidechain developed for the popular NFT game Axie Infinity was the victim of an exploit for 173,600 Ether (ETH) and 25.5 million USD Coin (USDC), worth more than $612 million at the time.
Earlier this month, the Federal Bureau of Investigation (FBI) attributed the attack to the North Korea-based, state-sponsored hacking group Lazarus, as it fired off a warning to other crypto and blockchain organizations.
READ THE STORY: Coin Telegraph
Items of interest
GitHub: How stolen OAuth tokens helped breach dozens of orgs
FROM THE MEDIA: GitHub has shared a timeline of this month's security breach when a threat actor gained access to and stole private repositories belonging to dozens of organizations.
The attacker used stolen OAuth app tokens issued to Heroku and Travis-CI to breach GitHub.com customer accounts with authorized Heroku or Travis CI OAuth app integrations.
GitHub's Chief Security Officer Mike Hanley says the company has yet to find evidence that its systems have been breached since the incident was first discovered on April 12th, 2022.
GitHub is still working on alerting all impacted users and organizations, with the company being in the process of sending the final notifications to affected GitHub.com users as of today.
An analysis of the attacker's behavior while they had access to compromised GitHub accounts shows that the following activities were carried out on GitHub.com using the stolen OAuth app tokens:
The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI.
For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user's organizations.
The attacker then selectively chose targets based on the listed organizations.
The attacker listed the private repositories for user accounts of interest.
The attacker then proceeded to clone some of those private repositories.
"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub said.
"GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku."
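The sequence above (token-based authentication, organization listing, then selective cloning of private repositories) is the kind of pattern a defender can correlate in audit data. The script below is an added example, not GitHub's code or anything from the article: it runs a window-based correlation over a small constructed set of audit events, flagging sessions where a token issued to a watched OAuth app enumerated organizations and then cloned private repositories shortly afterwards, and listing the OAuth grants that should be revoked. The event schema, app names, user names and repository names are all constructed for the example and do not reflect GitHub's real audit-log format.

```python
"""Detect "enumerate orgs, then clone private repos" activity by OAuth app tokens.

Added example; the AuditEvent schema is a simplified, hypothetical one constructed
for illustration, not GitHub's audit-log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str        # account whose credential was used
    token_app: str    # OAuth app the token was issued to ("" = no OAuth app involved)
    action: str       # "list_orgs", "list_private_repos" or "git_clone"
    target: str       # org or repository touched, if any
    private: bool = False


# Apps whose tokens were reported stolen in the story; assumed names for the example.
WATCHED_APPS = ("heroku", "travis-ci")

# Constructed sample events (timestamps relative to an arbitrary base).
_T0 = datetime(2022, 4, 12, 10, 0)


def _at(minutes: int) -> datetime:
    return _T0 + timedelta(minutes=minutes)


EVENTS = [
    AuditEvent(_at(0), "alice", "heroku", "list_orgs", ""),
    AuditEvent(_at(1), "alice", "heroku", "list_private_repos", "acme"),
    AuditEvent(_at(3), "alice", "heroku", "git_clone", "acme/internal-api", True),
    AuditEvent(_at(4), "alice", "heroku", "git_clone", "acme/billing", True),
    AuditEvent(_at(-60), "bob", "heroku", "list_orgs", ""),          # recon only
    AuditEvent(_at(30), "carol", "", "git_clone", "acme/billing", True),  # no OAuth app: ignored
    AuditEvent(_at(40), "dave", "travis-ci", "list_orgs", ""),
    AuditEvent(_at(41), "dave", "travis-ci", "git_clone", "acme/website", False),  # public repo
    AuditEvent(_at(50), "erin", "heroku", "git_clone", "acme/billing", True),      # no prior listing
]


def detect_oauth_enumeration(events, watched_apps=WATCHED_APPS, window=timedelta(hours=2)):
    """Return {(actor, app): [private repos cloned within `window` after an org listing]}.

    Only sessions that used a token from a watched app *and* listed organizations
    are returned; a session is present with an empty list when it only did recon.
    """
    sessions = defaultdict(list)
    for e in events:
        if e.token_app in watched_apps:
            sessions[(e.actor, e.token_app)].append(e)

    findings = {}
    for key, evs in sessions.items():
        evs.sort(key=lambda e: e.ts)
        last_listing = None
        cloned = []
        for e in evs:
            if e.action == "list_orgs":
                last_listing = e.ts
            elif (e.action == "git_clone" and e.private
                  and last_listing is not None and e.ts - last_listing <= window):
                cloned.append(e.target)
        if last_listing is not None:
            findings[key] = cloned
    return findings


def grants_to_revoke(findings):
    """Every (actor, app) grant that showed the enumeration pattern, sorted for a runbook."""
    return sorted(findings)


if __name__ == "__main__":
    hits = detect_oauth_enumeration(EVENTS)
    for (actor, app), repos in hits.items():
        print(f"{actor} via {app}: listed orgs; cloned private repos {repos}")
    print("revoke:", grants_to_revoke(hits))
```

The correlation is deliberately narrow: it keys on the listing-then-cloning sequence the story describes, so a private clone by a token that never listed organizations (the `erin` event) is not flagged here and would need a separate rule.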
READ THE STORY: Bleeping Computer
S4x22 Interview With CISA Director Jen Easterly (Video)
FROM THE MEDIA: What are CISA's major goals in ICS Security for 2022/23 and how will they measure progress? Jen goes over people, process and partnerships goals, and highlights the hiring they are doing in the ICS security area. Also, Jen announces the new JCDC ICS.
How Companies Lie To You About End-to-End Encryption (Video)
FROM THE MEDIA: This is a talk with realguyman, a privacy researcher and a contributor to privacyguides.org. https://github.com/orgs/privacyguides...
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com