Saturday, April 30, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
Iran's Cyber Assault on America, a publication from the Enemy of the State Book Series, Warns of the Ayatollah's Increasing "Soft War" Activities Against America
FROM THE MEDIA: Iran's Cyber Assault on America chronicles the origins of the Ayatollah's "soft war" doctrine calling for cyber warfare and the relentless barrage of attacks now playing out against the United States by Iranian hackers. In Iran's Cyber Assault on America, Charles Denyer chronicles Iran's nefarious cyber-attacks against the United States, while also offering his personal perspective on the immense challenges that lie ahead from this growing cyber threat.
Emboldened by the attack on the Natanz nuclear facility in 2010 by the United States and Israel with the Stuxnet virus, Iran is hitting America with a wave of cyberattacks that just keep coming.
READ THE STORY: WFMZ
Romania DDoS attack shows Ukraine allies are in Russia’s crosshairs
FROM THE MEDIA: Government websites in Romania have been crippled by a distributed denial of service (DDoS) cyber attack carried out by Russia-supporting cybercrime gang Killnet, the country’s prime minister confirmed today. The attack is the latest sign that Russia is targeting neighboring countries, which have offered support to Ukraine during the ongoing war in Eastern Europe.
Prime Minister Nicolae Ciuca said several government websites were knocked out by the DDoS attack, including Romania’s border police site, several financial institutions and the railway company CFR Calatori. The attacks began at 4am and, at the time of writing, the sites remain offline, though local media reports suggest back office functions remain operational.
READ THE STORY: TechMonitor // NewAge News
North Korea’s Lazarus APT Is Targeting Blockchain Companies With Crypto-Stealer Malware
FROM THE MEDIA: A joint cybersecurity advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department is warning about North Korea’s Lazarus APT targeting blockchain companies.
The advisory says the Lazarus advanced persistent threat (APT) group targets cryptocurrency companies with trojanized Windows and macOS cryptocurrency applications.
The malicious apps steal private keys and exploit other security vulnerabilities to execute subsequent attacks and fraudulent transactions.
U.S. authorities linked Lazarus to Ronin’s $625 million worth of Ethereum and USDC theft. North Korean hackers have stolen at least $1.7 billion in cryptocurrency in the past few years.
READ THE STORY: CPO
Hack The Department of Homeland Security Major Success, Illustrates Way Forward for Crypto
FROM THE MEDIA: The Department of Homeland Security announced that its Hack DHS program resulted in fixing more than 120 security vulnerabilities – 27 of them rated as critical. More than 450 security researchers and ethical hackers collected more than $125,000 in total, with $5,000 rewards per bug for the most severe findings.
It is hard to quantify the savings of this program. Any one exploit could cost hundreds of millions of dollars in the private sector. In terms of national security, technological bugs could cost state secrets – or even lives.
As we continue to see enhanced cybercrime, in part due to cyberwar breaking out in Eastern Europe, the DHS program is one that should be wholly embraced throughout the digital assets industry.
READ THE STORY: Daily Hodl
Russia cyber case prompted big portion of FBI’s surveillance database searches in 2021
FROM THE MEDIA: A Russian cyberthreat against U.S. critical infrastructure in the first half of 2021 prompted the FBI to query the database of a warrantless surveillance program nearly 2 million times as the bureau cast a wide net for useful information, officials said Friday.
That single national security threat alone accounted for more than half of the total number of the roughly 3.4 million searches the FBI made in 2021 using terms likely to identify an American citizen, the officials said. The repository captures information from electronic surveillance tools authorized under Section 702 of the Foreign Intelligence Surveillance Act.
READ THE STORY: The Record
Questions around metadata on video of Kherson explosion aftermath
FROM THE MEDIA: On April 27, residents of Russian-occupied Kherson held a pro-Ukraine rally that ended with protesters being dispersed by tear gas and stun grenades. At least four people were injured. Later that night, starting around 11:00 p.m. local time (8:00 p.m. UTC), the first reports of explosions in the city began to appear on Telegram. Ukrainian outlet Pravda reported that an antenna was struck, resulting in residents losing the signal to Russian TV channels that began broadcasting one week ago. However, the TV channels resumed broadcasting almost immediately.
A journalist with Izvestia, a Russian outlet previously identified as spreading disinformation, released footage showing the aftermath of the explosions. In the footage, the journalist claims that Russian anti-air defenses shot down a Ukrainian Tochka U missile that, he speculates, was aiming at the TV antennas. The claims were yet another example of pro-Kremlin media alleging that Ukraine was firing on its own citizens in occupied portions of the country as a means of inculcating pro-Russian and anti-Ukrainian sentiment.
Ukrainian Telegram channels conducted a metadata analysis of the video, but they did not disclose how they retrieved and analyzed the metadata. Based on their reading of the metadata, however, the channels concluded that the video had been created two hours before the explosions started. The DFRLab independently analyzed the metadata and found that the Telegram channels likely failed to consider the timezone in their readout.
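The timezone pitfall DFRLab describes, as an added illustration that is not part of the original story: a creation timestamp stored in UTC, read as if its clock digits were local Kherson time (UTC+3), shifts the apparent creation time by three hours. The timestamp below is constructed for the example, not the real video's metadata.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a video creation field as a container might store it,
# in UTC with an explicit offset. Not taken from the actual footage.
VIDEO_CREATED = "2022-04-27T21:00:00+00:00"
# First explosion reports: 23:00 local Kherson time, 20:00 UTC (per the story).
KHERSON_TZ = timezone(timedelta(hours=3))  # EEST, UTC+3 in late April
FIRST_REPORTS_LOCAL = datetime(2022, 4, 27, 23, 0, tzinfo=KHERSON_TZ)


def naive_readout(stamp: str, local_tz: timezone) -> datetime:
    """Mistaken readout: keep the clock digits, discard the stored offset,
    and label the result as local time."""
    wall_clock = datetime.fromisoformat(stamp).replace(tzinfo=None)
    return wall_clock.replace(tzinfo=local_tz)


def correct_readout(stamp: str, local_tz: timezone) -> datetime:
    """Honour the offset carried in the stamp, then convert to local time."""
    return datetime.fromisoformat(stamp).astimezone(local_tz)


def minutes_relative_to_event(created: datetime, event: datetime) -> int:
    """Negative: video predates the event. Positive: video follows it."""
    return int((created - event).total_seconds() // 60)


def compare_readouts(stamp: str, event: datetime, local_tz: timezone) -> dict:
    """Show how the same metadata supports opposite conclusions depending on
    whether the timezone offset is respected."""
    return {
        "naive": minutes_relative_to_event(naive_readout(stamp, local_tz), event),
        "correct": minutes_relative_to_event(correct_readout(stamp, local_tz), event),
    }


if __name__ == "__main__":
    # Naive reading: video appears 120 minutes before the explosions.
    # Correct reading: video was created 60 minutes after the first reports.
    print(compare_readouts(VIDEO_CREATED, FIRST_REPORTS_LOCAL, KHERSON_TZ))
```

When checking metadata claims, always record which timezone a tool assumed for a stamp without an offset; many extractors print wall-clock digits only.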
READ THE STORY: Atlantic Council
Don’t expect to get your data back from the Onyx ransomware group
FROM THE MEDIA: Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid.
The group behind the Onyx operation is overwriting the data in those files with trash data rather than encrypting it, so the data cannot be recovered via a decryption key. Given that, victims of Onyx ransomware attacks are being urged not to pay the ransom.
"There's a big problem: as the ransomware they are using is a trash skidware, it's destroying a part of the victims' files," analysts at the Malware Hunter Team wrote in a tweet. "Would say, no company should pay to these idiots as smaller files decryptable, big they can't decrypt, but they are stealing files too."
READ THE STORY: The Register
Russian Military Hackers—$10 Million Reward Offered By U.S. Government
FROM THE MEDIA: The U.S. Department of State has announced that it is offering a reward of up to $10 million for information that leads to the "identification or location" of six Russian GRU hackers. The six named individuals, all officers within the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), are sought for their alleged involvement in malicious cyber activity affecting U.S. critical infrastructure, the announcement stated. The $10 million offered comes as part of the 'Rewards for Justice' program administered by the Diplomatic Service.
The six, named by the Department of State as Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin, were said to be part of GRU Unit 74455. This unit is perhaps better known as Sandworm, the hacking group behind the NotPetya cyberattacks against hospitals and medical facilities in 2017 which resulted in losses of nearly $1 billion according to the Department of State's press release.
READ THE STORY: Forbes
Why Is the Disinformation Czar Singing Instead of Hacking the Troll Farms?
FROM THE MEDIA: When considering the Department of Homeland Security’s Disinformation Governance Board, one big question is whether the DHS is really the best entity to “monitor and prepare for Russian disinformation threats as this year’s midterm elections near and the Kremlin continues an aggressive disinformation campaign around the war in Ukraine,” as the agency described itself to the AP.
If the threat is coming from overseas, we don’t need to spend a lot of time having a domestic law-enforcement agency monitoring Americans’ social-media use. In the past, the U.S. government used much more direct and effective tools against foreign disinformation campaigns: Before Election Day 2018, the U.S. Department of Defense’s Cyber Command announced that it would be sending text messages, emails, and pop-ups to Russian operatives meddling in the midterm elections, informing them that their actions were being monitored — sort of a “shot across their bow” to signal that we know who they are, what they’re doing, and how to find them.
READ THE STORY: National Review
Tech companies took a hit from war and supply chain disruption
FROM THE MEDIA: Some tech companies reported big profits, but supply chain constraints, streaming churn and the war in Ukraine also had ramifications. That’ll likely continue into Q2.
Here are some of the top takeaways from the major companies' earnings this month.
Netflix, once the king of streaming services, was dethroned last week after disclosing that it had lost 200,000 subscribers in the last quarter, leading to a 35% drop in share prices. Now the company is scrambling, looking at options like monetizing shared accounts and a lower-priced ad-supported tier. CFO Spencer Neumann said that the company is working on getting its spending under control. Days after the earnings came out, Netflix laid off a number of reporters it had hired for Tudum, an online entertainment magazine focused on content streaming on its service.
But not all streaming services are feeling the burn of churn: HBO Max and HBO added 3 million subscribers during the quarter, ending the quarter with 76.8 million total.
READ THE STORY: Protocol
German wind farm operator confirms cybersecurity incident
FROM THE MEDIA: German wind farm operator Deutsche Windtechnik confirmed that it was hit with a cyberattack earlier this month, becoming the latest in a string of German energy providers to face disruptions from a cybersecurity incident.
In a statement, the company said its IT systems were targeted by a cyberattack on the night between April 11 and 12.
“As we previously reported, we were able to reactivate the remote data monitoring connections to the wind turbines after 1-2 days, which had been switched off for security reasons,” the company explained.
“We are very happy that the wind turbines that we look after did not suffer any damage and were never in danger. Deutsche Windtechnik’s operational maintenance activities for our clients resumed again on April 14 and are running with only minor restrictions.”
The company’s IT team was able to isolate the problems and the company noted that its forensic analysis showed it was a “targeted professional cyberattack.”
READ THE STORY: The Record
Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues
FROM THE MEDIA: On 9 March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added 98 indicators of compromise (IoCs) to their Conti ransomware alert page. WhoisXML API researchers examined these flagged domain names for recurring characteristics to uncover more artifacts. Among our findings are: 270+ domains added since 1 March 2022 that share exact WHOIS details with the IoC domains, 25+ unique IP address resolutions of the 98 domain IoCs, 300+ additional domains resolving to the same IP addresses as the domain IoCs, over a dozen connected domains flagged as malicious.
You may download a sample of the data related to Conti ransomware from our website.
READ THE STORY: CircleId
New US Breach Reporting Rules for Banks Take Effect May 1
FROM THE MEDIA: New cyber incident reporting rules are set to come into effect in the U.S. on May 1. Banks in the country will be required to notify regulators within the first 36 hours after an organization suffers a qualifying "computer-security incident." The regulation was first passed in November 2021.
The rule was passed by a collective of U.S. regulators, including the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency.
Financial services and institutions, which are the backbone of the U.S. economy, are one of the most targeted sectors by global cyber adversaries, Marcus Fowler, senior vice president of strategy engagements and threats at cybersecurity AI firm Darktrace, tells Information Security Media Group.
READ THE STORY: GovInfo Security
Eliminate the data packrat mentality
FROM THE MEDIA: Millions of companies are hoarding old and unnecessary data. And the data they’re hoarding could be putting their organizations at risk, increasing storage costs and souring their analytics.
If you’ve ever walked into a hoarder’s home, you were likely met by endless piles of seemingly worthless things like newspapers, books, photographs and clothing. To the owner, though, these items are invaluable.
Now apply that same lens to the data on your computer. Could your organization be a data pack rat?
Psychology Today says people hoard for two reasons: they feel that they do not have permission to get rid of something or can’t imagine how to live without it. Those reasons can easily be attributed to hoarding multiple versions of the same letter, past reports, or old spreadsheets on your computer.
Most of us hoard data because we don’t know what to do with it. Often, we don’t even know what’s included in data from three, five, or even 10 years ago.
READ THE STORY: VentureBeat
Items of interest
Keeping Europe united: A roadmap for avoiding Russia’s trap
FROM THE MEDIA: With less than twenty-four hours of notice, Russia delivered on its promise to halt all natural gas exports to Poland and Bulgaria, launching a direct attack on European energy security and tarnishing the remnants of its spotty energy supplier reputation in the eyes of millions of Europeans. These unprecedented contractual breaches came on the heels of Russia’s warning that “unfriendly countries”—particularly those supporting sanctions against Russia and providing military and humanitarian support for Ukraine—must pay for natural gas imports in rubles, despite the fact that 97 percent of natural gas contracts were denominated in euros or dollars.
It is likely that Kremlin aimed to achieve several pressing objectives through these abrupt actions, including the need to stabilize the ruble, exacerbate uncertainty across global energy markets with regard to potential price spikes, send a warning to other countries reliant on Russian gas imports, and—most importantly—sow divisions across Europe, something Russia has thus far failed to do in the wake of the war against Ukraine. Therefore, it is crucial for Europe to avoid this trap and respond to the Kremlin’s blackmailing efforts with a unified voice and coordinated actions to manage market uncertainty and mitigate supply security risks, escalate sanctions against Russia, and maintain robust support for the people of Ukraine.
This piece focuses on key opportunities for defending European energy security: expediting completion of key infrastructure projects; securing alternative LNG supplies; pursuing legal action against Russia; reinforcing cybersecurity defense mechanisms and cooperation; and expeditiously developing a comprehensive, coordinated strategy for responding to any potential future shutoffs. Moreover, the EU needs to provide further clarity on how countries can continue paying for Russian energy imports without breaching sanctions against the Kremlin.
READ THE STORY: Atlantic Council
The World's Most Dangerous Malware Is Back… Emotet (Video)
FROM THE MEDIA: The resurgence of "Emotet", the malware from the last decade that was dubbed highly dangerous for its means of infection and for being turned into a service that numerous groups could use for unsavory purposes. It's back and alive, and here's how you can keep your systems safe from it.
Responding To Ransomware: How To Leverage Threat Intelligence And Threat Hunting (Video)
FROM THE MEDIA: How do the threat hunting team and the Cyber Threat Intelligence (CTI) team collaborate in real time during a ransomware attack? What are the key points that need to be investigated and what process is taken to obtain answers quickly when time is short? In this session, we’ll look at how these two expert teams at CyberProof worked together in a recent ransomware incident to quickly get to the root of questions such as: What was the initial attack vector used? Was the exfiltration accomplished? Do the threat actors still have access to the network? Learn more in this session by CyberProof’s Asaf Haski, Senior Cyber Threat Intelligence Analyst, and Karina Daniel, Cyber Threat Hunter.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com