Thursday, May 05, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
Russian forces usurp Ukrainian internet infrastructure in Donbas
FROM THE MEDIA: Russian forces have taken over internet infrastructure in Ukraine and rerouted traffic to Russia-controlled operators, making Ukrainians’ data vulnerable to interception and censorship by the Kremlin. As Russia has renewed its offensive on the southern Donbas region over the past fortnight, shelling and power cuts have caused the nation’s biggest broadband and mobile internet providers to lose connectivity across large swaths of besieged regions. A fibre optic cable in the city of Kherson was taken offline last weekend and rerouted to a separatist Crimean operator called Miranda-Media, meaning broadband data was directed out of Ukraine and into Kremlin-controlled regions, according to Ukrainian officials. The move mirrors the way telecommunication networks were usurped and data rechanneled in the areas of Donbas captured by pro-Russian rebels with Moscow’s support following the 2014 annexation of Crimea.
READ THE STORY: FT
China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack
FROM THE MEDIA: China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.
That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.
In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.
READ THE STORY: DarkReading
This researcher just beat ransomware gangs at their own game
FROM THE MEDIA: A security researcher has discovered key flaws in popular ransomware and malware families, which could force their creators to rethink how they go about infiltrating victims.
Currently, among the most active ransomware-based groups are the likes of Conti, REvil, Black Basta, LockBit, and AvosLocker. However, as reported by Bleeping Computer, the malware developed by these cyber gangs has been found to come with crucial security vulnerabilities.
These defects could prove costly for the groups named above: the security holes can be exploited to prevent what most ransomware is built to do, encrypting the files on a compromised system.
READ THE STORY: Digital Trends
Ukraine cyberthreat activity ramps up against critical infrastructure, governments
FROM THE MEDIA: The Google TAG research follows a flurry of activity in recent weeks indicating heightened hybrid attacks linked to the Ukraine invasion.
Microsoft security researchers last week said at least six state-linked actors aligned with Russia had launched 237 attacks since before the invasion. About 40% of the attacks were aimed at critical infrastructure, while 32% of the attacks were aimed at the Ukrainian government on a national, regional or city level, according to a blog post from Tom Burt, corporate vice president, customer security and trust at Microsoft.
The Cybersecurity and Infrastructure Security Agency (CISA) has also updated prior warnings about destructive wiper malware deployed prior to the February invasion. CISA disclosed indicators of compromise and other technical details on the various wipers.
READ THE STORY: CyberSecurity Dive // Android Police
New report uncovers massive Chinese hacking of trade secrets
FROM THE MEDIA: Security researchers on Wednesday said that hackers connected to the Chinese government have attempted to access sensitive information from dozens of global organizations.
Security firm Cybereason published research on a cyberattack believed to have had the goal of stealing sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe and North America.
The group said it had “medium-high confidence” that the attack was linked to Winnti APT group, which specializes in cyber espionage and intellectual property theft and is believed to work for Chinese state interests.
In a statement, Cybereason CEO and co-founder Lior Div said the group made “intricate and extensive efforts” to garner information from the organizations.
READ THE STORY: The Hill
Home Depot Customer Records Offered on Dark Web
FROM THE MEDIA: Nearly 300,000 customer records from Home Depot, acquired by a hacker in 2020, are now being offered for free on the dark web, according to a firm that tracks such activity.
Cyberint, an Israeli firm with offices in the U.S., the UK, France and Singapore, said a threat actor recently began offering a total of 299,394 customer records, likely as a way of gaining credibility and moving up the ranks as a source of valuable material on the dark web.
Customer information being offered include details such as addresses, phone numbers, delivery records, brands purchased and orders, according to Cyberint. It was offered recently on a dark web marketplace called Breached.co, which has sprung up as the heir apparent to RaidForums. That notorious site, which the Department of Justice called “one of the world’s largest hacker forums,” was seized by the FBI in February and shut down in April.
READ THE STORY: Multichannel Merchant
FBI: Business Email Compromise attacks led to more than $43 billion in losses since 2016
FROM THE MEDIA: More than $43 billion has been lost through Business Email Compromise and Email Account Compromise scams since 2016, according to data released Wednesday by the FBI.
The FBI and its Internet Crime Complaint Center (IC3) said in an alert that when it combined domestic and international exposed dollar loss between June 2016 and December 2021, it found that $43.31 billion was taken across 241,206 incidents.
The figures are derived from incidents reported to IC3, law enforcement and filings with financial institutions.
BEC scams are popular attacks where hackers compromise legitimate business or personal email accounts through social engineering or computer intrusion before conducting unauthorized transfers of funds.
READ THE STORY: The Record
China-linked APT Caught Pilfering Treasure Trove of IP
FROM THE MEDIA: Researchers from Cybereason’s Nocturnus Team have uncovered a massive, highly successful, three-year-long campaign of intellectual property theft.
The perpetrators were likely able to siphon hundreds of gigabytes worth of “sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America,” according to the report released Wednesday.
The theft remained completely under the radar from law enforcement. They pulled it off by combining an “arsenal” of malware – including a brand new strain called DEPLOYLOG – into a complex infection chain. The researchers attributed the campaign, with “moderate-to-high confidence,” to the Winnti group (aka APT 41, BARIUM, or Blackfly). Winnti is “an exceptionally capable adversary” that is “believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft.”
READ THE STORY: ThreatPost
Kaspersky Warns of Fileless Malware Hidden in Windows Event Logs
FROM THE MEDIA: Threat hunters at Kaspersky are publicly documenting a malicious campaign that abuses Windows event logs to store fileless last-stage Trojans, keeping the payload out of the file system where disk-based scanners would look for it.
In a research report published Wednesday, Kaspersky said the first phase of the campaign started around September 2021, with the threat actor luring victims into downloading a digitally-signed Cobalt Strike module.
The use of event logs for malware stashing is a technique that Kaspersky’s security researchers say they have not seen before in live malware attacks.
The researchers have not attributed the attacks to a known threat actor, but say that the group stands out because it patches Windows native API functions associated with event tracing and the Antimalware Scan Interface (AMSI) to ensure the infection remains stealthy.
READ THE STORY: Security Week
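The stash technique in the Kaspersky item above, modelled and then hunted for, as an added example that is not code from Kaspersky's report or from the campaign it describes. The idea is simple: a dropper writes the payload into event log records in fixed-size chunks, and a loader later selects those records, orders them and concatenates the binary data back into shellcode. The event source name, marker event id and 8 KB chunk size below are assumptions chosen for illustration, not facts taken from the article; the records are constructed in memory, and on a live host the same fields would come from an EVTX export (wevtutil or Get-WinEvent). The detection side scores each record's binary data by size and Shannon entropy, which is the cheap check a responder can run over any exported log.

```python
"""Detecting payload chunks stashed in Windows event log records.

Added example, not code from Kaspersky's report or from the campaign it
describes. The log source, marker event id and chunk size are assumptions
for illustration. Records are constructed in memory; on a live host the
same fields come from an EVTX export (wevtutil / Get-WinEvent).
"""
import math
import random
from dataclasses import dataclass
from typing import Iterable, List

CHUNK = 8 * 1024                      # assumed chunk size written per record
SOURCE = "Key Management Service"     # assumed event source abused for the stash
MARKER_EVENT_ID = 0x4142              # assumed event id the loader filters on


@dataclass
class EventRecord:
    record_id: int
    source: str
    event_id: int
    data: bytes                       # raw binary data attached to the record


def stash_payload(payload: bytes, first_record_id: int = 1000) -> List[EventRecord]:
    """Toy model of the dropper: split the payload into CHUNK-sized records."""
    return [
        EventRecord(first_record_id + i, SOURCE, MARKER_EVENT_ID, payload[off:off + CHUNK])
        for i, off in enumerate(range(0, len(payload), CHUNK))
    ]


def reassemble(records: Iterable[EventRecord]) -> bytes:
    """Toy model of the loader: select marker records, order them, concatenate."""
    chunks = sorted(
        (r for r in records if r.source == SOURCE and r.event_id == MARKER_EVENT_ID),
        key=lambda r: r.record_id,
    )
    return b"".join(r.data for r in chunks)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_records(records: Iterable[EventRecord],
                       min_size: int = 4096, min_entropy: float = 6.0) -> List[EventRecord]:
    """Flag records carrying unusually large, high-entropy binary blobs.

    Most logs carry small, structured data per record; a run of same-sized,
    high-entropy blobs from one source is the shape of a stash. The thresholds
    are tuning assumptions: unencrypted x86 shellcode scores lower than random
    data, so lower min_entropy when hunting for unpacked payloads.
    """
    return [r for r in records
            if len(r.data) >= min_size and entropy(r.data) >= min_entropy]


def build_sample_log() -> List[EventRecord]:
    """Constructed log: a few ordinary records plus a 20 KB stashed payload."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(20 * 1024))   # stands in for shellcode
    benign = [
        EventRecord(1, SOURCE, 12288, b"The client has sent an activation request."),
        EventRecord(2, SOURCE, 12290, b"Activation succeeded for client xyz."),
        EventRecord(3, "Service Control Manager", 7036, b"The service entered the running state."),
    ]
    return benign + stash_payload(payload)


if __name__ == "__main__":
    log = build_sample_log()
    flagged = suspicious_records(log)
    print(f"{len(flagged)} of {len(log)} records look like payload chunks")
    print("reassembled payload:", len(reassemble(log)), "bytes")
```

Two things the scoring deliberately does not rely on: the event id (an attacker can pick any) and the source name (any log that accepts binary data will do), which is why size and entropy per record are the primary signals and source or id are only used to group hits afterwards.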
GitHub launches new 2FA mandates for code developers, contributors
FROM THE MEDIA: GitHub is introducing new rules surrounding developers and two-factor authentication (2FA) security.
On Wednesday, the Microsoft-owned code repository said that changes will be made to existing authentication rules as "part of a platform-wide effort to secure the software ecosystem through improving account security."
According to Mike Hanley, GitHub's Chief Security Officer (CSO), GitHub will require any developer contributing code to the platform to enable at least one form of 2FA by the end of 2023.
READ THE STORY: ZDNET
Communication around Heroku security incident dubbed 'train wreck'
FROM THE MEDIA: Efforts by Salesforce-owned cloud platform Heroku to manage a recent security incident are turning into a bit of a disaster, according to some users.
Heroku has run security incident notifications for 18 days and appears to have upset several of its customers due to a perceived lack of openness and communication.
The most recent status update from just prior to midnight UTC on 3 May read: "A subset of Heroku customers will receive email notifications directly from Salesforce Incident Alerts (incidentalerts@msg.salesforce.com) regarding our continuous efforts to enhance security."
"We recommend that you reset your user account password," was the best advice the platform's support could give, said one Heroku user on Hacker News. Others harbored some healthy curiosity about what might lie behind the advice.
READ THE STORY: The Register
New Ransomware Variant Linked to North Korean Cyber Army
FROM THE MEDIA: A new ransomware strain called VHD has been traced to North Korean state actor APT38 by a team of researchers using detailed code analysis and following a Bitcoin trail.
The Democratic People's Republic of Korea (DPRK) has used ransomware for several years to raise money for state coffers, including the February 2016 Bangladesh bank heist in which attackers tried to use the SWIFT banking system to steal almost US$1 billion, explains Trellix researcher Christiaan Beek in a new blog post.
Beek and a team of fellow cybersecurity analysts linked North Korea's cyber army to the VHD ransomware, which they said has been used in ransomware attacks on global financial systems and cryptocurrency exchanges since March 2020. The analysts compared known DPRK code with VHD ransomware and found stark similarities, the post states. Bitcoin transactions overlapping between known DPRK-sponsored cybercrime groups were also reported by the team.
READ THE STORY: DarkReading
Phishers taking advantage of Gmail’s SMTP relay service to impersonate brands
FROM THE MEDIA: As malware and ransomware attacks become more prevalent, cybersecurity has become a focal point for many industries and individuals. Google's mail service is one that has been abused by some of those malicious parties. Cloud email security company Avanan recently found that phishers have been exploiting Gmail's SMTP relay service since at least April.
By sending through the SMTP relay service, spoofers get past spam filters: phishing emails that put a legitimate company's name in the From header arrive looking authentic even though an attack is under way. Gmail allows some Google plans to send up to 4.6 million emails in a 24-hour period, giving malicious parties enormous sending capacity for phishing campaigns.
READ THE STORY: TechRepublic
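The check that separates the relayed spoof above from genuine brand mail, as an added example that is not code from the article or from Avanan. Mail relayed through a third-party service can legitimately pass SPF and DKIM, but those mechanisms authenticate the envelope sender and the signing domain, not the From header the user sees; DMARC identifier alignment is what ties the two together, and it only has teeth when the impersonated brand publishes a quarantine or reject policy. The code reads the Authentication-Results header a receiving MTA has already stamped on the message (RFC 8601 syntax, assumed to come from a trusted MTA that strips inbound copies of that header) and evaluates alignment in relaxed and strict modes. Both messages are constructed samples; the organizational-domain logic uses the last two DNS labels as a stand-in for a Public Suffix List lookup, which is an assumption a production implementation must replace.

```python
"""DMARC identifier-alignment check over a parsed message.

Added example (not from the TechRepublic article or Avanan's report).
Assumptions: the Authentication-Results header follows RFC 8601 and was
added by a trusted receiving MTA; organizational domain is approximated by
the last two DNS labels (a real implementation uses the Public Suffix List).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a brand spoof relayed through an unrelated tenant.
# SPF and DKIM both pass, but for the relaying tenant, not for the brand.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=attacker-tenant.example; dkim=pass header.d=attacker-tenant.example
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.net
Subject: Action required

Please verify your account.
"""

# Constructed sample: genuine mail, DKIM-signed by the From domain itself.
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.examplebank.com; dkim=pass header.d=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.net
Subject: Your statement is ready

Log in to view it.
"""

# method=result ... smtp.mailfrom=<domain>  or  header.d=<domain>, within one clause
_AR_FIELD = re.compile(r"(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)", re.I)


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from RFC 8601 text."""
    out = {}
    for method, result, domain in _AR_FIELD.findall(value):
        out[method.lower()] = (result.lower(), domain.lower())
    return out


def dmarc_alignment(raw_message: str, strict: bool = False) -> dict:
    """Evaluate DMARC identifier alignment for one message.

    Verdict is 'pass' when SPF or DKIM both passed and is aligned with the
    From domain. Relaxed mode (default) compares organizational domains;
    strict mode requires an exact domain match.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not from_domain:
        return {"from_domain": "", "spf_aligned": False, "dkim_aligned": False, "verdict": "fail"}

    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(method: str) -> bool:
        result, domain = auth.get(method, ("none", ""))
        if result != "pass" or not domain:
            return False
        if strict:
            return domain == from_domain
        return org_domain(domain) == org_domain(from_domain)

    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "verdict": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, dmarc_alignment(sample))
```

The spoofed sample fails even though every mechanism reports pass, which is exactly the case the relay abuse exploits: filters that stop at "SPF passed" let it through, filters that enforce the brand's DMARC policy do not.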
Stakeholder coordination still needs improvement a year after Colonial Pipeline attack
FROM THE MEDIA: Nearly one year to the day since the Colonial Pipeline ransomware attack, U.S. officials say that cybersecurity coordination between the federal government and critical infrastructure is much improved, but departments and agencies are still working through how to coordinate their regulatory pushes with other stakeholders in and out of government.
The attack on Colonial Pipeline’s IT network by the DarkSide ransomware group last year, which pushed company officials to temporarily shut down operations, was followed in quick succession by ransomware attacks against major food supplier JBS and IT management software company Kaseya and thousands of its customers. Those events underscored how even discrete hacks of individual strategic infrastructure can cause broad disruption throughout the global supply chain. They also spurred the Biden administration and policymakers in Congress to take a much harder line when it came to regulating the cybersecurity of critical infrastructure entities.
READ THE STORY: SCMAGAZINE
Indonesia: weaponizing algorithms to silence dissent
FROM THE MEDIA: Skewing the online discussion threatens media literacy.
A social media cyber war raged throughout Indonesia’s past two presidential elections. The effects are still being felt by journalists years later — online discussions have been skewed to give the impression of a majority view, and those who disagree stay quiet.
Victims of what German political scientist Elisabeth Noelle-Neumann called the ‘spiral of silence’, citizens remain in the grip of fear and suppress their participation in public discussion.
Algorithms sort a user’s social-media feed based on relevance and interest, dragging them into echo chambers where the discussion grows more and more polarized. In Indonesia, cyber warriors became influential when they used algorithms to skew the popularity of topics.
READ THE STORY: EastMojo
America’s Schools Face Mounting Threats from Cyberattacks
FROM THE MEDIA: The U.S. education sector is in the midst of a cyber crisis. The shift to cloud-based virtual learning during COVID-19 created the perfect storm for threat actors to capitalize on: education IT departments, already weathering a shortage of physical resources, funding, and staffing, unexpectedly faced an even greater challenge. Without the human resources and advanced solutions to secure vulnerabilities in their networks, K-12 school districts and higher-ed institutions became easy targets.
After 1,740 K-12 schools, colleges, and universities were hit by ransomware in 2020 – a record high – the frequency of attacks has shot up even more over the past year. Microsoft Security Intelligence found that from Aug. 14 to Sept. 12, 2021, educational organizations were targets of more than 5.8 million malware attacks globally – representing 63% of all such attacks. It’s abundantly clear that a change in approach is needed. Adopting new measures that better position the education sector to defend itself must be a top priority across the U.S. cybersecurity community.
READ THE STORY: RealClear Education
Hybrid warfare considered: a US perspective
FROM THE MEDIA: Lieutenant General Charles Moore, Deputy Commander, US Cyber Command, began by giving a general explanation of what hybrid warfare is.
Moore said, “I think everybody recognizes there's no real doctrinal definition of hybrid or gray zone activities, but generally what we're talking about are the synchronization, the mixture of conventional traditional military activities with irregular or non-traditional activities conducted below the use of force or below the spectrum of conflict with some level of deniability or non-attribution obviously meant to achieve some type of military objectives.”
Moore added that cyber operations typically fall under this definition of hybrid warfare.
“Now, if you think about what I just said – operations below the use of force with deniability to achieve some type of military objective – sounds a whole lot like I'm describing cyberspace operations and...that's exactly how we describe what we're doing from a day-to-day perspective and fulfilling our strategy of defending forward, which is all about getting out of blue space and into red and in gray space to take on adversaries and potential adversaries to go track down and find the archers before they can shoot the arrows,” Moore said. “And the way that we implement that strategy is through what we call ‘persistent engagement,’ which is finding the adversary and then maintaining constant contact with them so that we can accomplish our missions to defend the nation.”
READ THE STORY: The Cyberwire
Hackers find more than 400 vulnerabilities in DoD’s industrial base companies
FROM THE MEDIA: The Defense Department is finding out just how vulnerable its contractors’ networks are after the completion of a year-long bug bounty program.
Over one year, the hackers probed 41 companies and found more than 400 vulnerabilities that needed mitigation.
“DoD Cyber Crime Center’s DoD Vulnerability Disclosure Program has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” said Melissa Vice, interim director of the Vulnerability Disclosure Program. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared defense industrial base company assets with potential risks for critical infrastructure and U.S. supply chain.”
The pilot originally launched with 14 companies and 141 assets and expanded to 41 businesses and 348 assets.
READ THE STORY: Federal News Network
Items of interest
FAA to airlines: 5G-sensitive radio altimeters have to go
FROM THE MEDIA: The US Federal Aviation Administration (FAA) met with airline and telecom officials yesterday to present its latest solution to the instrument interference problem presented by C-band 5G: replace the affected equipment.
A letter from the FAA's head of aviation safety, Chris Rocheleau, proposed the meeting to establish a timeline for retrofitting or replacing radar altimeters in US airliners that are affected by 5G C-band signals, Reuters reported.
5G C-band was expected to roll out in the beginning of 2022, but was put on hold until July while the FAA, airlines, and jet manufacturers seek a resolution. A number of different planes were affected, including most of the Boeing 737 family, due to their use of radio altimeters, which use radio signals to determine the plane's distance from the ground.
Radio altimeters operate between 4.2 and 4.4GHz, while C-band 5G transmits between 3.7 and 3.98GHz. There isn't any overlap, but the FAA isn't taking chances. It claims that interference could still affect altimeters to the point where they become unreliable. Radio altimeters are typically used to land planes in low-visibility conditions.
READ THE STORY: The Register
NSPM-13 and the Future of Cyber Warfare (Video)
FROM THE MEDIA: National Security Presidential Memorandum-13 (NSPM-13) came into effect in 2018, following a National Security Council-led interagency review process focused on increasing the operational effectiveness of the United States Cyber Command. The order delegated key authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace. There is currently a debate underway in national security circles about whether to amend NSPM-13 to restrict the autonomy of the Department of Defense, and by extension Cyber Command. How would such a change impact our ability to counter cyber attacks by Russia and China? Please join Hudson Adjunct Fellow Ezra Cohen for a discussion with expert panelists Alexei Bulazel, JD Work, and Joshua Steinman on the future of NSPM-13 and cyber warfare.
Coordinated Chaos: Synchronized Cyberwarfare and Disinformation Attacks by Lucas Hauser (Video)
FROM THE MEDIA: Through William & Mary's Global Research Institute, Project on International Security and Peace (PIPS) Fellows spend a year researching and producing creative policy-based solutions to address emerging international security issues. In this video, 2021-2022 PIPS Research Fellow Lucas Hauser presents about an unpredictable threat, which requires a coordinated response from all levels of government.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com