Monday, May 02, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Nobody Knows Where the Red Line Is for Cyberwarfare
FROM THE MEDIA: A common explanation for why the Soviet Union never used nuclear weapons during the Cold War was the expectation that any attack would likely prompt a devastating nuclear response. The fear of mutually assured destruction was enough to keep both the USSR and the U.S. from launching a nuclear attack, even as they spent decades building up huge stockpiles of weapons.
Cyberweapons are different. Cyberattacks by both governments and private hackers have exploded in recent years. Many of these are financially motivated, but others involve espionage or, in several high-profile cases, the sabotage of physical infrastructure. There’s broad agreement that at some point a cyberattack would be considered an act of war. Yet no one knows quite where the line is.
The situation is more dangerous than ever. Russia’s bloody invasion of Ukraine raises the specter of cyberattacks starting an escalatory spiral that results in an all-out war with the U.S. The Biden administration has already warned Russian President Vladimir Putin against targeting 16 sectors at the heart of U.S. economic and national security, including energy and finance. “We will respond with cyber,” Joe Biden told reporters last summer after meeting Putin face to face in Geneva. The president didn’t lay out exactly what that would entail but added, darkly, “he knows.”
READ THE STORY: Bloomberg
Russian hackers compromise embassy emails to target governments
FROM THE MEDIA: Security analysts have uncovered a recent phishing campaign from Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities. The APT29 is a state-sponsored actor that focuses on cyberespionage and has been active since at least 2014. Its targeting scope is determined by current Russian geopolitical strategic interests.
In a new campaign spotted by threat analysts at Mandiant, APT29 is targeting diplomats and various government agencies through multiple phishing campaigns. The messages pretend to carry important policy updates and originate from legitimate email addresses belonging to embassies. Another notable aspect in this campaign is the abuse of Atlassian Trello, and other legitimate cloud service platforms, for command and control (C2) communication.
The spear-phishing campaign started in January 2022 and continued through March 2022 in several waves that rotated to various topics and relied on multiple sender addresses.
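Abuse of a legitimate SaaS platform for C2 is hard to block outright, so one defender's hunt is to look for beacon-like cadence toward such services in proxy logs. The script below is an added example written for this digest, not code from Mandiant's report or the article: the log format, the host names, the watchlist (Trello is named in the story; any other entry would be an assumption) and the cadence thresholds are all assumptions, and the log lines are constructed.

```python
"""Hunt for beacon-like traffic to legitimate SaaS platforms in proxy logs.

Added example for this digest, not code from Mandiant or the article.
Assumed log format: "timestamp src_host dest_host method status", one per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed watchlist of cloud services worth baselining; Trello comes from the story.
SAAS_WATCHLIST = {"api.trello.com", "trello.com"}

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2022-03-01T09:00:00 WS-ALICE api.trello.com GET 200
2022-03-01T09:05:00 WS-ALICE api.trello.com GET 200
2022-03-01T09:10:00 WS-ALICE api.trello.com GET 200
2022-03-01T09:15:00 WS-ALICE api.trello.com GET 200
2022-03-01T09:20:00 WS-ALICE api.trello.com GET 200
2022-03-01T09:02:17 WS-BOB trello.com GET 200
2022-03-01T10:41:05 WS-BOB trello.com GET 200
2022-03-01T13:07:44 WS-BOB trello.com POST 200
2022-03-01T09:00:00 WS-CAROL www.example.com GET 200
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, method, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, status = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, method, int(status)))
    return events


def cadence(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None if too few."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(events, min_requests=4, max_cv=0.2):
    """Flag (host, service) pairs whose request timing is suspiciously regular.

    A low coefficient of variation means near-constant spacing, which is how
    a polling C2 channel over a SaaS API tends to look; interactive use is bursty.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in events:
        if dst in SAAS_WATCHLIST:
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        c = cadence(stamps)
        if c is None:
            continue
        mean_gap, cv = c
        if len(stamps) >= min_requests and cv <= max_cv:
            hits.append({"host": src, "dest": dst, "requests": len(stamps),
                         "mean_gap_s": mean_gap, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Treat a hit as a hunting lead rather than a verdict: a browser tab auto-refreshing a board also polls on a fixed interval, so compare the flagged host against its own baseline (did it ever use this service before the campaign window?) before escalating.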
READ THE STORY: Bleeping Computer
Ukraine: The Russia-US war by proxy
FROM THE MEDIA: On Tuesday, April 26, 2022, the United States gathered about forty allied countries in Germany to further arm Ukraine against the Russian invader. Context and objectives. The U.S. will do anything to make Ukraine win against Russia, the Pentagon chief says: “Ukraine clearly believes it can win and so does everyone else here.” (US Secretary of Defense Lloyd Austin). This is because, since February 24, 2022, the war has changed in dimension.
The USA is now directly involved in the Ukraine affair. They have unquestionably taken the lead, thanks to their global power: financial, economic, technological, military and… media. Volodymyr Zelensky, on the other hand, considers that the future of Ukraine depends solely on the USA, which means that, if the outcome of the crisis turns to his advantage, he will not be able to refuse them anything. The US and its European satellites have become strictly speaking cobelligerents. The conflict has evolved: it has become a conflict between Russia and the West, as President Putin himself admits.
READ THE STORY: French Daily News
A New Malware “Prynt” Comes Up As A Lethal Stealer, Keylogger, Clipper
FROM THE MEDIA: As elaborated in a recent report from Cyble, the “Prynt” stealer malware surfaces online as a new cyber threat. The malware exhibits numerous malicious capabilities to execute different operations as intended by the threat actors.
Presently, the malware is making rounds in the underground marketplaces where the authors are selling it for $100/month only. The sellers also lure customers by claiming that the malware is “fully undetectable” (FUD). This claim shows that the malware is a new player that remains undetected by the existing antimalware programs.
Technical analysis shows it to be a .NET-based malware featuring strings obfuscated via the AES256 and Rijndael encryption algorithms.
In brief, an obfuscated binary string is encoded via the rot13 cipher. The malware doesn’t drop a payload; instead, it executes it directly in memory using the AppDomain.CurrentDomain.Load() method. It then uses the ServicePointManager to communicate with the C&C over an encrypted channel.
Upon establishing itself on the target device, the malware creates a hidden directory in the AppData folder. It then creates several subfolders to store data stolen from the machine. Next, it scans the system for all connected drives, including removable ones, and steals information from them.
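Rot13 string obfuscation is cheap for an author and cheap for an analyst to undo, which is the practical takeaway from the description above. The helper below is an added example for this digest, not code from Cyble's report: it pulls ASCII and UTF-16LE string runs from a binary blob (the .NET user-string heap stores UTF-16), rot13-decodes each one, and keeps those whose decoded form looks more meaningful than the original. The keyword list is an assumption, and the sample buffer is constructed rather than a real Prynt binary.

```python
"""Recover rot13-obfuscated strings from a .NET sample (added example, not Cyble's code).

Assumptions: strings are stored as ASCII or UTF-16LE, rot13 is applied to
letters only, and the keyword list used to rank decoded strings is assumed.
"""
import codecs
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Assumed ranking terms: fragments a stealer's decoded strings tend to contain.
KEYWORDS = ("http", "appdata", "load", "servicepointmanager", ".exe", "\\")


def extract_strings(blob: bytes):
    """Yield printable ASCII runs and UTF-16LE runs of at least six characters."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def score(text: str) -> int:
    """Count how many assumed keywords appear in the text (case-insensitive)."""
    low = text.lower()
    return sum(1 for k in KEYWORDS if k in low)


def recover_rot13(blob: bytes, min_score: int = 1):
    """Return (original, decoded, score) for strings whose rot13 form looks meaningful.

    A string is kept only when decoding raises its score, so plain strings that
    already contain a keyword are not reported as false positives.
    """
    hits = []
    for s in extract_strings(blob):
        decoded = codecs.decode(s, "rot13")
        sc = score(decoded)
        if sc >= min_score and sc > score(s):
            hits.append((s, decoded, sc))
    return sorted(set(hits), key=lambda t: -t[2])


def constructed_sample() -> bytes:
    """Build a constructed buffer that mimics a binary with rot13 strings embedded."""
    plain = "Hello World"
    obf_ascii = codecs.encode("http://c2.invalid/gate", "rot13")      # placeholder URL
    obf_utf16 = codecs.encode("AppData\\Local\\Hidden", "rot13")       # placeholder path
    return (b"MZ\x90\x00" + plain.encode() + b"\x00\x00"
            + obf_ascii.encode() + b"\x00\x00"
            + obf_utf16.encode("utf-16-le") + b"\x00\x00"
            + "ServicePointManager".encode("utf-16-le"))


if __name__ == "__main__":
    for original, decoded, sc in recover_rot13(constructed_sample()):
        print(f"{sc}  {original!r} -> {decoded!r}")
```

Run it against the string heap of a suspicious assembly and the decoded hits give you the paths, URLs and API names to pivot on; for samples that layer AES on top of rot13, the same ranking step applies once the outer layer has been stripped.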
READ THE STORY: LHN
UK Foreign Office Alleges Russian Cyber Soldiers Targeting Foreign Leaders
FROM THE MEDIA: The United Kingdom on Sunday warned that Russia’s “cyber soldiers” have launched a new offensive related to the disinformation campaign that has been targeting social media platforms, seeking to legitimize the invasion of Ukraine. According to research funded by the UK, paid operatives have been working out of offices in St. Petersburg to spread the disinformation campaign on the messaging app Telegram as well as other social media platforms to justify Russia’s invasion of Ukraine. Russia has been actively recruiting and coordinating with those hired to flood the social media accounts of Kremlin critics with pro-Russia narratives.
In a wide-ranging report, UK’s Foreign Office stated on Sunday that there has been a trend of comments supporting Russian President Vladimir Putin and the war in Ukraine on major social media platforms including Meta. The Russian trolls have developed advanced techniques to avoid detection by social media platforms. In recent weeks, the Russian disinformation campaign has amplified the pro-Kremlin narrative that appears to be made by legitimate users, the Foreign Office warned. “Traces of its activity have been found on eight social media platforms, including Telegram, Twitter, Facebook and TikTok,” it went on to add.
READ THE STORY: Republic World
Cyberattacks could affect planting season
FROM THE MEDIA: Citing ransomware attacks against six grain cooperatives during the fall 2021 harvest and two attacks already in early 2022, the FBI is advising that additional cyberattacks targeting farm cooperatives could affect the planting season by disrupting the supply of seeds and fertilizer.
Two attacks on grain co-ops — Iowa’s NEW Cooperative and Minnesota’s Crystal Valley — made headlines last fall, followed by another attack on Sandhills Global, which operates online platforms for auctioning farm equipment, that shut down the company’s operations on Oct. 4.
“Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production,” the FBI warned. “Although ransomware attacks against the entire farm-to-table spectrum of the FA sector occur on a regular basis, the number of cyberattacks against agricultural cooperatives during key seasons is notable.”
Brad Deacon, emergency management coordinator for the Michigan Department of Agriculture and Rural Development (MDARD), said the FBI alert underscores the potential impact of ransomware to food security.
READ THE STORY: Farm Progress
REvil ransomware returns: New malware sample confirms gang is back
FROM THE MEDIA: The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.
In October, the REvil ransomware gang shut down after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement. However, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.
Soon after, the old REvil Tor infrastructure began operating again, but instead of showing the old websites, they redirected visitors to URLs for a new unnamed ransomware operation.
While these sites looked nothing like REvil's previous websites, the fact that the old infrastructure was redirecting to the new sites indicated that REvil was likely operating again. Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.
READ THE STORY: Bleeping Computer
Researchers Claim RCE Vulnerability Could Affect VirusTotal Platform – VirusTotal Denies
FROM THE MEDIA: Researchers claim to have found a serious security vulnerability affecting Google’s VirusTotal platform that could allow remote code execution. They also shared the timeline of events, explaining how the vulnerability received a fix following the bug report. However, VirusTotal denies such claims, stating that the bug never affected VT machines. According to a recent post from CySource, their research team caught a remote code execution vulnerability affecting VirusTotal.
VirusTotal is a Google Chronicle-owned platform for virus scanning. The platform aggregates virus detection reports from various third-party anti-malware products and scan engines, facilitating the cybersecurity community in prompt malware detection. As elaborated, the vulnerability didn’t specifically exist in the VirusTotal platform. Instead, it resided in how the ExifTool processed the submitted image files.
The CySource team noticed that they could execute a malicious payload on the platform by uploading a maliciously crafted DjVu file. That’s because the platform would send the payload to the host scanners without detecting it.
READ THE STORY: LHN
Romania under cyberattack coming from Russia's Killnet
FROM THE MEDIA: The pro-Russian hacker group Killnet, which has already claimed several attacks that have taken place in recent days against some official sites in Romania, threatened on Saturday, April 30, that it would target almost 300 other sites, Economica.net reported. Newspapers, major public institutions, hotels, boarding houses, booking sites and political parties are considered.
Among the institutions whose sites are targeted are the Government, the Ministry of Finance, the Ministry of Defense, the Ministry of Health, the Ministry of Internal Affairs, and also those of the tax collection agency ANAF, the Romanian Gendarmerie and the Special Telecommunications Service (STS).
According to the initial statements of the National Directorate of Cyber Security (DNSC), "the main objective of the attackers is the inactivation of websites and web services, the destruction of reputation and the panic of users in Romania."
By the evening of Sunday, May 1, they said that "there is a diversification of attacks by using new methods aimed at infecting with ransomware malware the computer systems of organizations already attacked by DDoS. In this context, the techniques used by attackers include spear phishing and spoofing."
READ THE STORY: Romania Insider
North Korean citizens are jailbreaking smartphones to bypass censorship
FROM THE MEDIA: In North Korea, utilizing the full capabilities of a smartphone is a complicated and dangerous task. Citizens are allowed to own smartphones, but only ones that run government-made software that monitors their activity and prohibits the installation of any unauthorized software or media, which, in the Hermit Kingdom, includes just about everything: South Korean soap operas, Western literature, and any journalism not approved by state media.
But government software is just one layer of restriction. Smartphones in North Korea can only connect to a state-run intranet called Kwangmyong, which is Korean for “bright star”; access to the global internet is granted only to elites and select government workers. Citizens caught consuming forbidden content can face penalties ranging from fines to death, especially those caught distributing “impure publications and propaganda,” according to the country’s 2020 Reactionary Ideology and Culture Rejection Law.
READ THE STORY: Freethink
Ukraine’s Digital Fight Goes Global
FROM THE MEDIA: A somewhat conventional war is underway in Ukraine, featuring organized and professional soldiers, a chain of command, advanced weapons such as drones and tanks, and state-crafted tactics and strategy. But a parallel war is also taking place, mostly in cyberspace, fueled by foreign volunteers fighting for either Russia or Ukraine. These online volunteer forces are loosely organized and don’t have a chain of command. They have grown exponentially since the war began in February—Ukrainian authorities estimate that some 400,000 hackers from numerous countries have aided the country’s digital fight so far. Several high-profile figures have offered to join the cause: the entrepreneur Elon Musk, for instance, has challenged Russian President Vladimir Putin to a “single combat” duel to decide the fate of Ukraine. Hundreds of thousands of people from around the world have begun to engage in cyberwarfare related to the conflict, in an impressive feat of grassroots mobilization.
For those rooting for a besieged country defending its territorial integrity, this arrangement may seem to have no downside: civilians from around the world are volunteering their time and skills to help Ukraine win without expecting remuneration or reward from its government. But there are serious risks involved in waging an informal cyberbattle against Russia, particularly since cyberwarfare may be one of the few remaining tools in the Kremlin’s playbook. This parallel war sets Russia and the West on a collision course—and risks spinning out of control into a chaotic, high-stakes contest that could spread beyond the cyber-domain.
READ THE STORY: Foreign Affairs
Google Mandates Play Store App Developers To Disclose The Data They Collect
FROM THE MEDIA: The tech giant has finally made all Google Play Store apps disclose the data they collect from app users. The move, that was first hinted at in 2021, now comes into action as the apps display such information on the Play Store. In May 2021, Google announced a new safety section for Android users, striving to increase transparency.
At that time, they announced that the apps would show information about the kind of data they collect from the users. Hence, this move would help the users know what data they would share with the apps before installation. Having such knowledge before app download would ultimately help the user decide better. In addition to this detail, the apps would also highlight prominent features, such as encryption, compliance with Google Families Policy, and independent security validation.
Then, in July 2021, they further described that app developers must also provide a “Privacy Policy”, especially for apps that collect data. This move even applied to Google-owned apps. And now, Google has rolled out this feature on Play Store, where the apps clearly list the data they collect. According to its support article, all app developers must ensure compliance with this policy by July 2022.
READ THE STORY: LHN
Cyberwar Is a Two-Way Street for Russia
FROM THE MEDIA: Russia’s well-known cyber attacks on Western nations could be setting the country up for a powerful backlash, offers a retired U.S. Army expert formerly based in Moscow. After years of relentless penetrations and attacks on databases and infrastructure in U.S. and NATO countries, Russia now is finding itself as much—if not more—of a target of reciprocal cyber assault capabilities increasingly wielded by the West.
Two factors are at play in this scenario. First, Western countries such as the United States have built up offensive cyber weapons and tactics to use as they choose. Second, Russia has focused for so long on using its own offensive cyber capabilities that it has not given as much consideration to the defensive side of cyber operations, not realizing that the countries it might attack digitally have been developing their own capabilities to use on an increasingly vulnerable Russian cyberspace.
Russia may already have felt the potential wrath of offensive U.S. cyber operations, suggests Brig. Gen. Peter B. Zwack, USA (Ret.), former U.S. defense attache in the Moscow embassy from 2012-2014 and currently a Wilson Center global fellow in the Kennan Institute.
“I think the Russians have been tapped on the shoulders a few times,” the general states. “‘You go this way, and we will unleash cyber hell on you back. Don’t do it,’” he says, offering his interpretation of what the U.S. dialogue might have been.
READ THE STORY: AFCEA
New Onyx Ransomware Skips Encrypting Large Files; Instead, Deletes Them
FROM THE MEDIA: Security researchers have found peculiar ransomware in the wild disrupting the ransomware business. Identified as “Onyx”, the ransomware doesn’t encrypt large files but deletes them to prevent recovery. This irreversible data loss can be even more devastating for the victims even if they choose to pay the ransom.
Researchers from the MalwareHunterTeam have discovered the Onyx ransomware in the wild. As revealed through their analysis (shared via a series of tweets), Onyx isn’t technically ransomware. Instead, it is what the researchers called “skidware” with poor functionality. As explained, they first spotted a ransom note mentioning Onyx, without an actual malware sample. That note replicated the infamous Conti ransomware note. Nonetheless, despite the apparent weakness, the threat actors behind Onyx still managed to target numerous companies, listing at least six different businesses on their victim list.
The reason the researchers called it “skidware” is the malware’s failure to function as actual ransomware that encrypts data. Instead, the malware code shows that it fails to encrypt files larger than 2MB and overwrites them with junk data, which means the malware deletes the actual file during encryption. Thus, an Onyx attack means that the victims won’t be able to recover their data even if they choose to pay the ransom.
Nonetheless, that doesn’t mean the victims can decide not to pay at all, because the threat actors still steal data before encryption. Hence, this double extortion strategy combined with failed data recovery means a doubled loss for Onyx victims – money and data both.
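For an incident responder the behaviour described above changes the recovery plan: files over the cut-off are destroyed, not encrypted, so no key will bring them back and only backups will. The triage script below is an added example for this digest, not code from the MalwareHunterTeam analysis or the article. It takes the 2MB threshold at face value (an assumption; verify it against the actual sample) and uses byte entropy to separate untouched documents from near-random content, then uses size to split near-random content into "encrypted" versus "overwritten". The sample directory it builds is constructed.

```python
"""Post-incident recoverability triage for the Onyx behaviour described above.

Added example, not code from MalwareHunterTeam or the article. Assumptions:
the 2 MB cut-off quoted in the story is exact; junk data and ciphertext are
both near-random (entropy close to 8 bits/byte) while ordinary documents are not.
"""
import math
import os
import tempfile
from collections import Counter

SIZE_CUTOFF = 2 * 1024 * 1024   # 2 MB threshold quoted for Onyx (assumed exact)
HIGH_ENTROPY = 7.5              # bits/byte; assumed cut between documents and random data
SAMPLE_BYTES = 64 * 1024        # entropy is measured over the first 64 KiB only


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_file(path: str) -> str:
    """Label a file as untouched, encrypted (key could recover) or overwritten (junk)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        ent = shannon_entropy(fh.read(SAMPLE_BYTES))
    if ent < HIGH_ENTROPY:
        return "untouched"
    if size > SIZE_CUTOFF:
        return "overwritten"    # junk data: restore from backup, no key will help
    return "encrypted"          # ciphertext: recoverable only with the key


def triage(root: str) -> dict:
    """Walk a tree and bucket every file by classify_file, paths relative to root."""
    summary = {"untouched": [], "encrypted": [], "overwritten": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            summary[classify_file(full)].append(os.path.relpath(full, root))
    for bucket in summary.values():
        bucket.sort()
    return summary


def build_sample_tree() -> str:
    """Construct a directory with one file of each kind (constructed demo data)."""
    root = tempfile.mkdtemp(prefix="onyx-triage-")
    with open(os.path.join(root, "memo.txt"), "wb") as fh:
        fh.write(b"Quarterly planning notes, section 1.\n" * 2000)   # plain text
    with open(os.path.join(root, "small.docx"), "wb") as fh:
        fh.write(os.urandom(100 * 1024))            # stands in for ciphertext
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(os.urandom(SIZE_CUTOFF + 1))       # stands in for a junk overwrite
    return root


if __name__ == "__main__":
    for kind, files in triage(build_sample_tree()).items():
        print(f"{kind:12s} {files}")
```

Entropy alone cannot tell a legitimately compressed archive or JPEG from an overwritten one, so in a real engagement combine this with the ransomware's own markers (appended extension, ransom note placement, modification timestamps within the attack window) before deciding which files to restore from backup.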
READ THE STORY: LHN
Items of interest
Spain: 2021 spyware attack targeted prime minister's phone
FROM THE MEDIA: Spanish officials said Monday that the cellphones of the prime minister and the defense minister were infected last year, in an unauthorized operation, with Pegasus spyware that is only available to government agencies.
Prime Minister Pedro Sánchez’s mobile phone was breached twice in May 2021, and Defense Minister Margarita Robles’ device was targeted once the following month, Presidency Minister Félix Bolaños said Monday in a hastily convened news conference.
He said the breaches resulted in a significant amount of data being obtained, and that reports detailing the hacking have been transferred to Spain’s National Court for further investigation.
“We have no doubt that this is an illicit, unauthorized intervention,” Bolaños said. “It comes from outside state organisms and it didn’t have judicial authorization.”
Spain’s Socialist-led government is under pressure to explain why the cellphones of dozens of people connected to the separatist movement in the northeastern Catalonia region were infected with Pegasus between 2017 and 2020, according to Citizen Lab, a cybersecurity group of experts affiliated with the University of Toronto.
The revelations involve at least 65 people, including elected officials, lawyers and activists, targeted with the software of two Israeli companies, Candiru and NSO Group, the developer of Pegasus.
READ THE STORY: Spectrum Local News
Threat Actor of in-Tur-est: Unveiling Balkan Targeting (Video)
FROM THE MEDIA: Who would want to recompile Open Hardware Monitor and backdoor it? In 2020, the PwC Cyber Threat Intelligence team identified an espionage threat actor, which we’ve named ‘White Tur’, targeting government and defense organizations in Serbia and Republika Srpska from 2017-2021. In early 2020 we identified some initial tools, techniques and procedures which provided us with greater understanding of this threat actor. In particular, we observed attempts to recompile Open Hardware Monitor with a backdoor, connections to criminally motivated threat actors, and multiple custom backdoors to gain access to victim networks. In this talk we take a deep dive into the backdoors, PowerShell scripts, and weaponized documents used by White Tur. From these technical findings, we then discuss the strategic implications of this threat actor and some of the geopolitical factors at play in this part of the world, an area which often flies ‘under the radar’. Whilst we often observe case studies from Russia-based and China-based threat actors in threat intelligence, gaining insight into other intrusion sets - particularly those which have limited public reporting - can help to challenge frequent attribution biases.
Americans need to put this at the front of their daily thought (Video)
FROM THE MEDIA: You need to learn how to hack APIs in 2022. This is the future battlefront! Ignore this at your own peril.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com