Tuesday, May 03, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
There’s a Chinese ‘storm’ coming. India needs to consider 5 factors to face this challenge
FROM THE MEDIA: In squaring up to the China challenge, India has done a great deal. It has re-balanced force levels majorly to the North, increased infantry, mechanized forces, artillery, force multipliers, aerial assets and reserves, giving our military deployment added tactical punch and operational flexibility. A renewed infrastructural push is also underway.
The proposed theatre commands and key organizational restructuring—which includes the appointment of a Chief of Defense Staff to head the Department of Military Affairs—will also add value to India’s strategic-military posture. Accompanying diplomatic initiatives have sent clear signals to the Chinese and the People's Liberation Army that acts of aggression will not go unanswered, and that there will be costs to pay. However, given the sheer scale and depth of the China challenge, India perhaps needs to do a lot more.
READ THE STORY: The Print
Seeing hack attacks on the rise, Israel orders telecoms to erect ‘cyber Iron Dome’
FROM THE MEDIA: Israeli communications firms were instructed Monday to bolster cybersecurity, as the government rolled out a new initiative to guard the country against online attacks amid an uptick in
Officials rolling out the program Monday said they were hoping to create a cyber defense umbrella as effective against hackers as the Iron Dome system is against missiles.
“This joint venture will take the country’s security capabilities to the next level and will provide a kind of an Iron Dome system for an additional layer of protection covering the entire country,” National Cyber Directorate head Gaby Portnoy told a press conference, alongside Communications Minister Yoaz Hendel.
READ THE STORY: Times of Israel
New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions
FROM THE MEDIA: A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.
Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.
"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a Monday report.
The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.
Remote Lockouts Reportedly Stop Russian Troops From Using Stolen Ukrainian Farm Equipment
FROM THE MEDIA: Russian troops stole almost $5 million worth of farm equipment from a John Deere dealer in the occupied city of Melitopol, Ukraine, only to discover that the machines have been shut down remotely, making them inoperable, according to a report from CNN. Some of the equipment, which comes with a remote locking feature and a built-in GPS, was tracked over 700 miles away in the Zakhan Yurt village of Chechnya.
A source close to the situation told CNN that Russian troops gradually began taking machinery away from the dealer following their occupation of Melitopol in March. It reportedly started with two combine harvesters worth $300,000 each, a tractor, and a seeder, until troops hauled away all 27 pieces of equipment. Some of the equipment went to Chechnya, while others reportedly landed in a nearby village.
“When the invaders drove the stolen harvesters to Chechnya, they realized that they could not even turn them on, because the harvesters were locked remotely,” CNN’s source told the outlet.
Not the first time looting backfired on Russian troops
Although the pieces of equipment were remotely disabled, CNN’s source says that Russian troops may be trying to find a way around the block, as they’re in contact with “consultants in Russia who are trying to bypass the protection.” In addition to farm equipment, Russian troops have also reportedly been stealing grain in the area, one of Ukraine’s biggest exports.
READ THE STORY: Verve Times
Pentagon contractors go looking for software flaws as foreign hacking threats loom
FROM THE MEDIA: A year-long Pentagon pilot program found an array of software vulnerabilities at dozens of defense contractors as Russian and Chinese hackers continue to try to steal sensitive data from the US defense industrial base.
The goal of the "Vulnerability Disclosure Program" (VDP) is to find and fix flaws in the email programs, mobile devices and industrial software used by Pentagon contractors before malicious hackers can take advantage of the vulnerabilities.
"We really wanted to focus on those smaller defense contractors that may not have all the budgets and resources," said Melissa Vice, interim director of the Department of Defense Cyber Crime Center's DOD Vulnerability Disclosure Program. The Pentagon declined to identify the participating contractors, or the exact software that was probed.
VDPs, in which vetted cyber specialists scour systems for flaws and report them internally, are common practice in the private sector. The Pentagon has been running a VDP since 2016, but the goal is to permanently expand the program to defense contractors following the pilot.
READ THE STORY: NCN
Chinese cyber-espionage group Moshen Dragon targets Asian telcos
FROM THE MEDIA: Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia.
While this new threat group has some overlaps with "RedFoxtrot" and "Nomad Panda," including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to follow them separately.
According to a new report by Sentinel Labs, Moshen Dragon is a skilled hacking group with the ability to adjust its approach depending on the defenses they're facing.
The hackers engage extensively in trying to sideload malicious Windows DLLs into antivirus products, steal credentials to move laterally, and eventually exfiltrate data from infected machines.
At this time, the infection vector is unknown, so Sentinel Labs' report begins with the antivirus abuse, which includes products from TrendMicro, Bitdefender, McAfee, Symantec, and Kaspersky.
READ THE STORY: Bleeping Computer
GitHub Says Recent Attack Was Highly Targeted
FROM THE MEDIA: Microsoft-owned code hosting platform GitHub says the recent cyberattack that resulted in the cloning of private repositories was highly targeted in nature.
Disclosed in mid-April, the incident involved stolen OAuth tokens issued to third-party integrators Heroku and Travis CI, which were used to download the private repositories of dozens of organizations.
The two continuous integration (CI) systems help organizations automate the scanning of newly introduced code changes, to help identify vulnerabilities and malicious snippets before they enter production.
These systems use authentication tokens to facilitate the automation process, and the recent cyberattack happened after such tokens were compromised.
The tokens are not stored by GitHub in their original format, meaning that a threat actor obtaining them would not be able to abuse them in attacks, the platform says.
READ THE STORY: Security Week
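The remark above that GitHub does not store the tokens "in their original format" refers to a general practice: a service keeps only a one-way digest of each token it issues, so a copy of the stored records cannot be replayed against the API. The following Python is an added illustration of that practice, not GitHub's, Heroku's or Travis CI's own code; the in-memory store, the `ghx_` prefix, the scope names and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory store: token digest -> metadata. A real service would
# use a database table; the layout here is an assumption for the example.
TOKEN_STORE: dict[str, dict] = {}


def _digest(token: str) -> str:
    """One-way SHA-256 digest of a token; this is the only form that is ever stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(owner: str, scopes: list[str]) -> str:
    """Generate a random bearer token, store only its digest, and return the
    plaintext exactly once (the caller shows it to the integrator, then forgets it)."""
    # "ghx_" is a constructed placeholder prefix, not a real GitHub token prefix.
    token = "ghx_" + secrets.token_urlsafe(32)
    TOKEN_STORE[_digest(token)] = {"owner": owner, "scopes": list(scopes), "revoked": False}
    return token


def lookup_token(presented: str) -> Optional[dict]:
    """Resolve a presented token to its metadata, or None if unknown or revoked.

    The presented value is hashed and the digest is compared with the stored
    digest in constant time. Presenting a stored digest itself fails, because
    it is hashed again and will not match any record."""
    digest = _digest(presented)
    for stored_digest, meta in TOKEN_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            return None if meta["revoked"] else meta
    return None


def authorize(presented: str, needed_scope: str) -> bool:
    """Return True only if the token is valid and carries the requested scope."""
    meta = lookup_token(presented)
    return meta is not None and needed_scope in meta["scopes"]


def revoke_token(presented: str) -> bool:
    """Mark a token revoked (the response to a reported compromise).
    Returns False if the token was unknown or already revoked."""
    meta = lookup_token(presented)
    if meta is None:
        return False
    meta["revoked"] = True
    return True


if __name__ == "__main__":
    plaintext = issue_token("example-org", ["repo:read"])
    print("issued:", plaintext)
    print("stored form:", list(TOKEN_STORE)[0])
    print("plaintext authorizes repo:read:", authorize(plaintext, "repo:read"))
    print("stored digest authorizes repo:read:", authorize(list(TOKEN_STORE)[0], "repo:read"))
    revoke_token(plaintext)
    print("after revocation:", authorize(plaintext, "repo:read"))
```

The design point is the asymmetry: the integrator holds the plaintext and the service holds only the digest, so a leak of the service's records yields nothing replayable, while a leak on the integrator's side (the case described in the story) still requires revocation.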
Twitter may have given user's private data to a ransomware hacker, who then ran a researcher offline
FROM THE MEDIA: A man living in Russia whom the U.S. government accused of being involved in multiple REvil ransomware attacks may be involved in a phony emergency disclosure request to Twitter used to threaten a ransomware researcher in recent weeks and force them offline.
Twitter’s policies state the company will provide account information “to law enforcement in response to a valid emergency disclosure request.” The “quickest and most efficient method,” the company says, is through its legal request submissions site.
Twitter received 12,370 government information requests between January and June 2021, the latest period for which data is available, with emergency requests making up about 15%, according to data posted to the company’s site.
The disclosure request was just one part of an ongoing and escalating series of threats against researchers and at least one blogger by a cybercriminal known as “Lalartu” or “Sheriff” — or someone trying to pose as them — nicknames that security researchers in the past have tied to Aleksandr Sikerin. Federal prosecutors in Texas said in a November 2021 filing that Sikerin was most recently living in St. Petersburg, Russia, and had been an affiliate of the notorious REvil ransomware crew.
READ THE STORY: Cyberscoop
New Black Basta Ransomware Possibly Linked to Conti Group
FROM THE MEDIA: A new ransomware operation named Black Basta has targeted at least a dozen companies and some researchers believe there may be a connection to the notorious Conti group. The existence of Black Basta came to light in mid-April, but MalwareHunterTeam researchers spotted a sample apparently compiled in February.
The cybercriminals behind Black Basta use malware to encrypt files on compromised systems, appending the .basta extension to encrypted files. In addition, like many other ransomware groups, they steal large amounts of information from victims in an effort to increase their chances of getting paid.
Cybersecurity firm Minerva has conducted a technical analysis of the Black Basta ransomware and noted that the malware requires administrator privileges to work. The company’s researchers discovered that the malware hijacks the Windows Fax service for persistence on the infected systems.
READ THE STORY: Security Week
Relentless ransomware disguised as Windows Updates takes aim at students
FROM THE MEDIA: It goes without saying that you shouldn’t download Windows updates from any source except Microsoft. But since it apparently doesn’t, let us reiterate: DON’T DOWNLOAD WINDOWS UPDATES FROM ANY SOURCE EXCEPT MICROSOFT. Recently Windows 10 updates from sketchy sources have been caught spreading the Magniber ransomware, causing unsuspecting users to be hit with Bitcoin ransom demands.
The security specialists at BleepingComputer spotted the problem, with forum users reporting the infection after installing self-declared W10 updates from illegal “warez” repositories. These sites offer pirated and cracked versions of paid software, and they’re infamous for being filled with easy targets for those who want to spread malware. The Magniber program hidden in these bogus updates encrypts targeted portions of the user’s storage drive, then demands an anonymous transfer of Bitcoin equal to about $2,600 USD in order to get your files back. The price goes up if you wait more than a few days, and there’s no known workaround to free your files without opening your wallet.
READ THE STORY: PCWorld
REvil ransomware group is back with a vengeance
FROM THE MEDIA: The REvil ransomware group is back in operation with new infrastructure and a modified encryptor after supposedly being shut down last year.
Back in October of 2021, the notorious ransomware gang was shut down after a law enforcement operation hijacked its Tor servers. This was then followed by several of its key members being arrested by Russia’s FSB.
As Russia’s invasion of Ukraine soured relations between it and the US, the US government went ahead and unilaterally shut down the communication channel it had on cybersecurity with Moscow. As a result, the US has also withdrawn itself from the negotiation process regarding REvil.
While it seemed for a bit there that REvil had closed shop for good, the group’s old Tor infrastructure recently began operating again. However, instead of showing old websites, its Tor servers redirected visitors to URLs for a new unnamed ransomware operation according to a report from BleepingComputer.
READ THE STORY: TechRadar
Security is a pain for American Dental Association: Ransomware infection feared
FROM THE MEDIA: The Black Basta crime gang has claimed it infected the American Dental Association with ransomware.
While the professional association confirmed to The Register it was the victim of a "cybersecurity incident" that occurred on or around April 21, it did not disclose the nature of the attack.
As of Friday last week, the organization "is currently executing an ongoing, active and vigorous investigation into the nature and scope of the technical difficulties in cooperation with federal authorities," we're told. "The ADA recognizes unsubstantiated reports are being circulated by organizations with no connection to this investigation."
In an earlier email sent to a member and shared with The Register, the ADA said the attack disrupted some of its email, phone, and chat systems. We note that the ADA's website suggests people contact a gmail.com address if they have any queries, indicating the extent of the cyber-assault.
READ THE STORY: The Register
Vietnam ‘opinion workers’ push Russian fake news on Ukraine on social media
FROM THE MEDIA: Vietnamese “opinion workers” who promote the Communist Party and protect its image on social media now have a new role: spreading fake or misleading reports that support Russia’s invasion of Ukraine on Facebook.
Facebook groups like “Đơn vị Tác chiến Mạng” (Cyber Combat Unit), “Truy quét Phản động” (Elimination of Reactionary Forces), “Bộ Tự lệnh Tác chiến” (Combat Command), and “Trung đoàn 47” (Regiment 47) that have worked to counter criticism of the Communist Party all now post information in favor of Russia.
For example, Trung đoàn 47, which is believed to be part of a cyber combat force in the Vietnam People’s Army, posted this justification for the invasion: “Mr. Putin said: ‘Moscow has done everything it can to maintain Ukraine’s territorial integrity as well as protect the interests of Donetsk and Lugansk’s people but Kiev had blocked Donbas, suppressing local residents and shelling Donbas.’”
Đơn vị Tác chiến Mạng posts fake news on a nearly daily basis. One video clip shows Ukrainian President Volodymyr Zelenskyy meeting with members of his Cabinet and a close-up shot of a handful of white powder on his desk that looks like heroin.
READ THE STORY: Radio Free Asia
Spring4Shell Marks the end of ‘Snooze Button’ Security
FROM THE MEDIA: While Spring4Shell may appear to be a replay of the initial Log4j alarm, what it actually signals is the changing cadence of zero-day attack frequency.
The combination of an easily exploitable RCE zero-day in a ubiquitous product isn’t usually a common event much less one that occurs back-to-back like Log4Shell and Spring4Shell. While the threat of these vulnerabilities themselves draws our attention, the more alarming part might be the timing and the suggestion that the frequency of these kinds of threats is accelerating.
As open source code continues to play a pivotal role in so many organizations’ tech stacks, we must consider the importance of proactive security as vulnerabilities get more pervasive. Zero-day attacks are increasing in frequency, and the proportion of those used by cybercriminals for the lucrative ransomware industry is growing.
Despite this ongoing pattern of similar alarms, security folks continue to hit the snooze button.
READ THE STORY: Security Boulevard
The Building Blocks of Power Sector Security for Utilities Across the Globe
FROM THE MEDIA: Cyberattacks to the power sector can impact utilities everywhere—with consequences that range from the cost of ransomware to damaged physical assets that come with the price of repair or replacement. But luckily, there are many guides, standards, and frameworks that can help power-sector organizations improve their cybersecurity, including one approach called the Power Sector Cybersecurity Building Blocks.
To help electric utilities better understand what a full cybersecurity program looks like, the National Renewable Energy Laboratory (NREL) partnered with the U.S. Agency for International Development (USAID) in support of the Resilient Energy Platform, providing assistance to a variety of stakeholders to improve security for the electrical grid. The project grew out of USAID and NREL’s discussions with utilities around the world, as well as past cybersecurity assessments performed by NREL on dozens of utilities and government agencies, with a focus on cybersecurity challenges faced by small and under-resourced utilities.
READ THE STORY: NREL
Why Ukraine has stayed online
FROM THE MEDIA: In November last year, as Russian troops gathered on Ukraine’s border, Prime Minister Boris Johnson told MPs on the defence select committee that “the old concepts of fighting big tank battles on the European land mass are over”.
“There are other, better things we should be investing in” besides tanks, said Johnson. “The future combat air system, cyber, this is how warfare in the future is going to be.”
The Prime Minister faced a heated grilling from skeptical members of his own party, including the committee chair Tobias Ellwood. He asked Johnson to “reconsider” cuts to conventional forces on land, sea and air. “What’s amassing right now on the Ukrainian border?”, asked the former soldier, before immediately answering his rhetorical question – “it’s tanks”.
READ THE STORY: New Statesman
Trinidad’s largest supermarket chain crippled by cyberattack
FROM THE MEDIA: The largest supermarket chain in Trinidad struggled to recover from a cyberattack that caused outages at all of its locations throughout the country this weekend. On Thursday, Massy Stores released a statement saying it was experiencing “technical challenges” with its front-end checkout systems that made it so products could not be purchased from its supermarkets and pharmacies.
“The company took immediate action, suspending all customer-facing systems, and has been working with third party experts to resolve the situation. Backup servers were not affected and the technical team is actively working with the expert teams to restore the system safely and in the shortest time possible,” the company explained in a follow-up comment. “The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation.”
READ THE STORY: The Record
Items of interest
Microsoft Reported Russian Cyber Attacks Were Timed To Support Military Strikes
FROM THE MEDIA: Microsoft’s Digital Security Unit has issued a special report on Russian cyber attacks in Ukraine, in which evidence is presented that some were timed to support military strikes.
Specifically, the Microsoft researchers say that cyber attacks in March against a television broadcaster and a nuclear plant directly preceded military action directed at those targets, and that over 70% of the destructive attacks were targeted either at Ukrainian government organizations or critical infrastructure companies.
Since just prior to the invasion of Ukraine in February, Microsoft reports seeing 237 operations against the country that are collectively linked to six nation-state groups that are aligned with Russia. Of these, about 40 were classified as “destructive” attacks meant to reduce the capabilities of the target. Espionage and intelligence activities are more common, and the researchers say they have observed “limited” espionage being conducted against NATO member states along with disinformation campaigns.
The report names two major Russian cyber attacks that preceded physical attacks on locations in Ukraine. On March 1, cyber attacks on a Ukraine TV broadcaster were followed by a missile attack against one of its TV towers. And on March 13, data was exfiltrated from a nuclear safety organization in the midst of a campaign by ground forces to capture nuclear power plants in the country. An additional email-based disinformation campaign accompanied the outset of the siege of Mariupol, with Ukrainians receiving fake emails from someone purporting to be a resident of the city and claiming that the government was going to abandon its population.
READ THE STORY: CPO
Cyberwarfare against Russia (Video)
FROM THE MEDIA: Cyberwarfare against Russia.
The Rise of AI in the Cyber Domain (Video)
FROM THE MEDIA: In an age where foreign actors are increasingly using cyberattacks to take down both commercial and government targets — crippling a country’s ability to act quickly — this panel explores how AI will shape the future of conflict across the cyber domain. We will discuss current examples of our vulnerabilities. China and Russia are rapidly gaining status as competitors of the United States in the commercial and national security applications of AI. We will explore what technologies are needed most, how the cyber security & defense industry can collaborate with leaders and enhance the protection of their companies and their people in the age of “informationized warfare.”
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com