Wednesday, May 04, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Experts discover a Chinese-APT cyber espionage operation targeting US organizations
FROM THE MEDIA: Today, Cybereason released new threat research highlighting a multi-year cyber espionage operation led by Winnti, a Chinese Advanced Persistent Threat (APT) group targeting technology and manufacturing companies across the US, Europe, and Asia to steal trade secrets.
Cybereason’s research also unveiled some of the core obfuscation techniques used by the attackers, such as using the Windows Common Log File System (CLFS) mechanism and NTFS transaction manipulations to conceal malicious payloads and evade detection by traditional security products.
While Winnti’s campaign primarily targeted technology and manufacturing companies, the techniques used by the attackers pose a risk to all enterprises, who need to be aware of them to prevent their exploitation by other cyber gangs and APTs seeking to steal intellectual property.
READ THE STORY: VentureBeat
Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs
FROM THE MEDIA: Wide-ranging phishing campaigns targeting Eastern European countries are continuing to expand, according to a new report from Google’s Threat Analysis Group (TAG).
Cyber actors from Russia, Belarus and China are using a variety of email-based attack methods to steal credentials and gain access to organizations in Ukraine, Lithuania, Central Asia, countries in the Baltics and even Russia itself.
“APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware,” TAG’s Billy Leonard wrote.
“The malware, distributed via email attachments inside of password protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a compromised email account.”
Other Russian groups – including the FSB’s Turla and another Russian-based threat actor named COLDRIVER – were implicated in several attacks targeting defense and cybersecurity organizations in the Baltics as well as government and defense officials, politicians, NGOs and think tanks, and journalists.
READ THE STORY: The Record
US 'deeply concerned' about China's hybrid warfare threat to Taiwan
FROM THE MEDIA: U.S. Secretary of State Antony Blinken on Tuesday (May 3) said that the U.S. is "deeply concerned" about China's use of hybrid warfare against Taiwan and that Washington is taking actions to defend freedom of the press in Taiwan.
After delivering remarks to the media in recognition of World Press Freedom Day at the Foreign Press Center in Washington, D.C., Blinken was asked to comment on how the State Department plans to avoid the erosion of Taiwan's press freedom amid Chinese pressure on media outlets. The second part of the question was, given Tesla CEO Elon Musk's acquisition of Twitter and his business ties to China, whether Blinken shares the concern of others that this may enable Beijing to censor or influence critics on the social media platform.
READ THE STORY: Taiwan News
State-backed hackers target critical sectors
FROM THE MEDIA: State-backed hackers from Russia and China are increasing their efforts to target critical infrastructure in Eastern Europe and Central Asia, according to the latest cyber threat update from Google.
Meanwhile, Fight for the Future, a digital rights group, is launching a crowdfund campaign to press Senate leadership to bring two antitrust bills targeting tech giants to the floor for a vote.
Government-backed hackers from Russia, China, Iran and North Korea have been increasing their efforts over the past few weeks to target critical infrastructure in Eastern Europe and Central Asia, according to the latest cyber threat update from Google.
The tech giant said in a blog post on Tuesday that the hackers are “using the war as a lure in phishing and malware campaigns” as they attempt to target critical sectors including telecommunications, manufacturing and the oil and gas industry.
READ THE STORY: The Hill
Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say
FROM THE MEDIA: Chinese government-linked hackers have tried to steal sensitive data from some three dozen manufacturing and technology firms in the US, Europe and Asia, security researchers said Wednesday, in findings that shed new light on Beijing's alleged use of hacking to buttress its powerhouse economy.
The hackers targeted blueprints for producing materials with broad applications to the pharmaceutical and aerospace sectors, according to Boston-based security firm Cybereason. The firm discovered the activity last year but said the hacking campaign dates to at least 2019, and it suggested that reams of data could have been stolen in the interim.
The research is an unsettling reminder of the scope of the cyber threats facing US businesses and government agencies as the Biden administration attempts to thwart them. For all of the attention on potential Russian hacking due to the war in Ukraine, China's digital operatives have been very active.
READ THE STORY: CNN
Will Russia Turn to Cybercrime to Offset Stringent Economic Sanctions?
FROM THE MEDIA: Since the start of Russia’s invasion of Ukraine, the conflict has spilled into cyberspace with state and non-state actors taking sides and conducting a variety of disruptive operations. Russian state actors have executed eight new types of malware attacks against Ukraine, impacting government, business, financial institutions, and energy organizations, as well as a U.S. satellite communications provider. Ukrainian supporters have responded in kind. The notorious hacktivist group Anonymous and Ukraine’s volunteer IT Army have retaliated against Russian government and military entities. They have doxed thousands of Russian soldiers’ information and even disrupted Belarusian rail lines to slow Russian troop movement. The failure to create a cyber “shock and awe” has led many to believe that Russia might lack the capability to produce one.
While the cyber war rages on, several governments in the global community have implemented a series of severe economic sanctions against Moscow. Currently, Russia is now the world’s most sanctioned country, well ahead of governments like North Korea and Iran, the latter of which had previously occupied the top spot. The longer the conflict persists, the more Russia suffers economically, which is a key objective of sanctions. However, without aggressively targeting Russia’s potent oil industry, sanctions may not yield favorable results in time. Recent evidence has shown that Russia has withstood sanctions thus far with its ruble strengthening not weakening.
READ THE STORY: OODALOOP
Lapsus$: how two teenagers hacked big tech firms
FROM THE MEDIA: On March 22, authentication platform Okta confirmed that hackers had tried intruding into its system three months earlier. The platform confirmed an attacker had access to one of its employees’ laptops in January, and that a portion of its clients may have been affected because of the breach. The firm’s disclosure came after hacking group Lapsus$ shared screengrabs of Okta’s internal systems on messaging platform Telegram. The images included Okta’s Slack channels and its Cloudflare interface. In a recent filing, Okta shared that it has over 15,000 clients globally, which includes bike brand Peloton, speaker maker Sonos, and the Federal Communications Commission (FCC). Just a day prior to sharing the screenshots, on March 21, Lapsus$ shared on social media that they had stolen source code from a number of large tech firms. They claimed responsibility for the breach and dissemination of confidential data.
READ THE STORY: The Hindu
Stealthy APT group plunders very specific corporate email accounts
FROM THE MEDIA: An eminently sophisticated and stealthy APT group is going after specific corporate email accounts and has, on occasion, managed to remain undetected in victim environments for at least 18 months.
Catalogued as UNC3524 by Mandiant, the threat actor is also extremely adept at re-gaining access to a victim environment when booted out, “re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign.”
UNC3524 is mostly after emails and their contents, particularly those of employees that focus on corporate development, mergers and acquisitions, large corporate transactions, and IT security staff (the latter, most likely, to determine if their operation had been detected).
READ THE STORY: Helpnet Security
Ransomware Threat Actors Pivot from Big Game to Big Shame Hunting
FROM THE MEDIA: In the fight against ransomware, there is no magic bullet or single solution that will fix ANY aspect of this problem. Much as there is no single way to secure a network, there is no single method to make the unit economics of cybercrime worse for attackers. This is a double-edged sword. For constituents that are in this fight for the long haul, the complexity of the problem actually allows for many levers to be tested and tried over long periods of time. For the casual short-term observer, it can be difficult to tell if the problem is getting better or worse. Worse, short-term observers are tempted to rationalize a single idea or thesis as THE fix. A recent report (survey based) showed that an increasing number of companies are resorting to ransom payments as the ultimate resolution of a ransomware incident. We have been tracking the resolution status on ransomware attacks since the early days of Coveware. While results quarter to quarter can hop and skip, the trend is very clear over the past 3 years. In Q1 of 2019, 85% of the cases we handled ended in the cyber criminal receiving a ransom payment. Three years later, that number is down to 46% in Q1 of 2022.
READ THE STORY: Security Boulevard
Critical CVEs put Aruba Networks, Avaya enterprise switches at risk
FROM THE MEDIA: The root cause of the vulnerability is the misuse of NanoSSL, a popular TLS library from Mocana, according to Armis researchers. Aruba and Avaya have switches vulnerable to remote code execution, which could allow an attacker to gain a dangerous level of access to affected devices.
An attacker could move laterally to other devices by changing the switch behavior as well as exfiltrate data from the internal network.
These network switching devices are commonly used across hospitals, hotels, airports and other organizations, according to Armis.
“Routers and switches pose significant risk due to their purpose — the backbone of every corporate network consists of routers and switches,” Barak Hadad, head of research at Armis, said via email. “These devices are often overlooked when examining the security posture of organizations, even though they are the enforcers of network segmentation.”
READ THE STORY: CyberSecurity Dive
Winnti threat group’s full infection chain for IP theft comes into focus
FROM THE MEDIA: Cybereason published detailed research into the Winnti group, including what it believes is the first full view of an infection chain utilizing previously unknown malware, used in espionage campaigns.
"Mandiant and ESET both published either reports or tweets (in the case of ESET) about some of these components, but they didn't see the full picture. We're the first, to best of my knowledge, to really see the entire attack," said Assaf Dahan, senior director and head of threat research at Cybereason.
The company briefed the Federal Bureau of Investigation on its findings earlier this month.
Winnti is a long-running hacking operation engaged in criminal and nation-state activities. As an espionage group, Winnti has long been connected to China, including when seven members of the group were indicted in 2020.
READ THE STORY: SCMagazine
Google: Chinese state hackers keep targeting Russian govt agencies
FROM THE MEDIA: Google said today that a Chinese-sponsored hacking group linked to China's People's Liberation Army Strategic Support Force (PLA SSF) is targeting Russian government agencies.
The company's Threat Analysis Group (TAG), a team of security experts that acts as a defense force for Google users from state-sponsored attacks, added in a report focused on Eastern Europe cyber activity that the APT group has also successfully breached several Russian companies.
As revealed in previous Google TAG reports, this threat actor has been targeting government and military organizations from Russia, as well as those of other countries in the region like Ukraine, Kazakhstan, and Mongolia.
"In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs," Google TAG Security Engineer Billy Leonard said.
READ THE STORY: Bleeping Computer
Conti ransomware group’s ‘used car salesmen negotiations’: discounts and limited-time offers
FROM THE MEDIA: An analysis of 40 negotiations from Hive and Conti showed stark differences between the two ransomware groups' negotiating tactics. Hive was more freewheeling and less businesslike. Conti offered limited-time offers and holiday discounts.
"It is advantageous for defenders or anyone that's going to have to deal with these negotiators to kind of get an idea of what type of tactics do they use, what type of [business] language they use, how hardened are they around deadlines and things like that," said Nick Biasini, threat researcher and head of outreach for Cisco Talos, which conducted the research.
Both Hive and Conti negotiate prices based on apparent research into victims. Hive generally set its opening bid at 1% of annual revenue, though sometimes ranged as high as 1.5% of annual revenue. From there, the group could be negotiated down. The group would offer reductions between 5% and 25%, though occasionally between 30% and 66%. Conti, too, did advance research, offered a price, and was quick to lower it in negotiations.
READ THE STORY: SCMAGAZINE
Researchers tie ransomware families to North Korean cyber-army
FROM THE MEDIA: The North Korean army is continuing to try its hand at ransomware, according to a new report from cybersecurity firm Trellix.
Christiaan Beek, lead scientist with the company’s threat research division, released a report on Tuesday tying four ransomware families — BEAF, PXJ, ZZZZ and CHiCHi — to the prolific Unit 180 of North Korea’s cyber-army.
Trellix said the unit is behind several ransomware attacks on organizations across Asia since 2020, when researchers first discovered the VHD ransomware and tied it to actors connected to the North Korean military.
Beek explained that the source code for the VHD ransomware has similarities and ties to the four ransomware strains mentioned in the report.
READ THE STORY: The Record
Ransomware Group’s Claim of Data Theft Being Investigated by Coca-Cola
FROM THE MEDIA: A ransomware group called Stormous is claiming that it stole 161 gigabytes of data from Coca-Cola, including login credentials and financial data. Coca-Cola has yet to confirm the data theft, but says that it has initiated an “urgent investigation.”
Stormous, a relatively new ransomware group that has yet to establish much of a reputation, has placed a listing on Telegram offering the data for the price of 1.6 bitcoin (about $64,000). It claims that data from commercial accounts is included in the bundle, along with unspecified financial data and internal usernames/passwords. It is unknown if there have been any takers as of yet.
The data theft came about via an unusual circumstance, as the ransomware group posted a poll on its Telegram for its followers. It offered a choice of four targets in addition to Coca-Cola: Mattel, science and tech conglomerate Danaher, education tech firm Blackboard and General Electric’s airplane engine provider GE Aviation. A little over 100 users voted in the poll, and Coca-Cola ran away with it with 72% of the vote.
READ THE STORY: CPO
Conti, REvil, LockBit ransomware bugs exploited to block encryption
FROM THE MEDIA: Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today.
Malware from notorious ransomware operations like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, or AvosLocker, all came with security issues that could be exploited to stop the final and most damaging step of the attack, file encryption.
Analyzing malware strains from these ransomware gangs, a security researcher named hyp3rlinx found that the samples were vulnerable to DLL hijacking, a method usually leveraged by attackers to inject malicious code into a legitimate application.
READ THE STORY: Bleeping Computer
REvil Revival: Are Ransomware Gangs Ever Really Gone?
FROM THE MEDIA: Evidence that members of the defunct REvil group may be reviving the ransomware gang continues to accumulate, but cybersecurity experts question whether the group will have the same impact that it once did.
On April 29, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.
These two breadcrumbs suggest that someone (or someones) has access to the REvil group's source code and infrastructure and may be restarting the operation, says Brett Callow, threat analyst at Emsisoft. They don't, however, prove it's the old crew getting back together.
READ THE STORY: DarkReading
Items of interest
Ethiopia ‘foils’ cyber-attack on Nile dam, financial institutions
FROM THE MEDIA: Ethiopian authorities on Tuesday said they had stopped international cyber attack attempts targeting the massive Grand Ethiopian Renaissance Dam (GERD) and the country's major financial institutions. “The failed cyber attacks include attempts to impede the works of the GERD by targeting 37,000 interlinked computers used by financial institutions,” said Shumete Gizaw, the director-general of the Ethiopian Information Network Security Agency (INSA).
He spoke on the state-run local media on Tuesday.
Mr Shumete alleged that an organization sponsored by countries that "envy peace and development endeavours of Ethiopia" has declared cyber war against Addis Ababa under the motto of "Black Pyramid War".
He, however, did not disclose the implicated sponsoring countries or the organization or where it is based.
Previously, Addis Ababa has accused Egypt-based hackers of attempting to hack into computer systems in Ethiopia. Egypt has been vocal against the dam arguing that there was a need for an agreement on how to fill and operate the structure as it is built on the main water source for Cairo. But Ethiopia has been adamant that the water is first a sovereign project and that it will not hurt downstream countries Sudan and Egypt.
READ THE STORY: Zawya
Ukraine Cyber War Update - Wipers Everywhere and Chinese Hackers Target Russian Troops (Video)
FROM THE MEDIA: The Cyberwar in Ukraine started before and has continued after the beginning of the physical conflict. Today we take a look at this new hybrid warfare and what sort of cyber-attacks are currently being carried out including unexpected attacks by Chinese hacker groups on Russian troops.
North Korea's Cyber Warfare (Video)
FROM THE MEDIA: The Lazarus Group has been causing chaos for over a decade. This is their history.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com