Friday, May 06, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers
FROM THE MEDIA: The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S.
"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing the group's evolving modus operandi.
The group is known to have targeted a wide range of organizations since at least 2012, with the actor primarily relying on email-based social engineering to gain initial access to drop PlugX, a backdoor predominantly deployed for long-term access.
Phishing messages attributed to the campaign contain malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto compromised machines.
READ THE STORY: THN
China-backed Winnti APT siphons reams of U.S. trade secrets in sprawling cyber-espionage attack
FROM THE MEDIA: China’s Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.
That’s according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.
In addition, the attackers have harvested details about a target organization’s network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports this week.
READ THE STORY: Urgent Communications
South Korea’s Intelligence Agency Has Joined NATO’s Cyber Defense Unit. China Isn’t Happy
FROM THE MEDIA: On Thursday, South Korea’s spy agency became the first in Asia to join NATO’s Cyber Defense Group in a move that risks inflaming tensions with regional superpower China.
In a statement, South Korea’s National Intelligence Service (NIS) said it had been admitted as a contributing participant in the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), a cyber defense hub established in May 2008 in Tallinn, Estonia, focused on research, training, and exercises in the field of cybersecurity.
“Cyberthreats are causing great damage to not only individuals but also separate nations and also transnationally, so close international cooperation is crucial,” the NIS said.
READ THE STORY: Time
Why Authoritarian Governments Love Their ‘Patriotic Hackers’
FROM THE MEDIA: In June 2017, Russian president Vladimir Putin told reporters that “patriotic” civilian hackers from his country may have meddled in U.S. national elections. Putin clarified that these were not Russian government-affiliated hackers but rather patriotic citizens of Russia who were defending the dignity of the nation in cyberspace. “If they are patriotic, they contribute in a way they think is right, to fight against those who say bad things about Russia,” Putin said about Russia’s patriotic hackers. This situation illustrates the strategic ways in which authoritarian governments increasingly utilize “patriotic” civilian hackers as a means of denying their own complicity in cyberattacks on foreign entities. The governments of Russia, China, and Iran view these “patriotic hackers” as a useful tool in their cyber arsenal against Western targets and as a means to place blame for attacks on non-state parties.
READ THE STORY: National Interest
Threat actor launches email attacks to lift corporate M&A secrets, Mandiant says
FROM THE MEDIA: The singular focus on email collection combined with an extended dwell time indicates UNC3524’s primary goal is to gain information on corporate strategy and decision making instead of a quick financial win, McLellan said.
Mandiant describes UNC3524 as a highly sophisticated threat actor that successfully evaded detection by appearing to access Microsoft Exchange email accounts from within its victim’s IP space. It used advanced tactics that allowed it to gain multiple footholds and consistently maintain access to sensitive corporate data.
“Besides the obvious data theft issue, long-term access allows the threat actor to learn the lay of the land inside the victim network to find configuration loopholes that could bypass two-factor authentication and collect previously used account passwords that may inform future re-compromise activity,” McLellan said.
READ THE STORY: Cybersecurity Dive
Can “regular” threat actors become Quasi-APTs?
FROM THE MEDIA: The proliferation of cyber-offensive capabilities has been thoroughly discussed in recent years by academics and think tankers alike. Parallels between this modern cyber arms race and the race to nuclear capabilities that plagued the previous century have been exhausted, in an attempt to encapsulate the rapid expansion and increasing volatility of the cyber threat landscape in recent years. In the past year alone, this escalation has been made blatantly manifest through the spike in ransomware attacks, the deployment of pernicious new malware and the unprecedented surge in cybercrime, cybercriminals and cyber incidents - coordinated and conducted within the illicit underground communities of the deep and dark web. Check out our “State of the Underground in 2021” report for more context.
READ THE STORY: Security today
Heroku hackers got account passwords via OAuth token theft
FROM THE MEDIA: Salesforce platform-as-a-service provider Heroku has revealed that the April hack, which saw OAuth tokens for its Microsoft GitHub integration downloaded by a threat actor, went further than initially thought, with customer passwords exfiltrated as well.
Heroku this week forced resets for user passwords, and also disabled application programming interface (API) access tokens, but at the time did not say why.
The password reset was thought to be brought on by the early April hack, and Heroku has now said this is the case.
"Separately, our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts," Heroku said.
READ THE STORY: iTnews
SentinelOne finds high-severity flaws in Avast, AVG
FROM THE MEDIA: Threat detection vendor SentinelOne published a blog that disclosed the vulnerabilities on Thursday. The flaws concern Avast's anti-rootkit driver, which is used by both Avast and AVG antivirus products (Avast acquired AVG in 2016). If exploited, a threat actor could use the driver to escalate privileges to kernel level. The large number of Avast and AVG users means, as SentinelOne noted in its blog, that millions of users are theoretically vulnerable.
The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are available in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised users without automatic updates, including those running on-premises versions, to patch immediately.
Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts.
READ THE STORY: TechTarget
Chinese APT Group Winnti Is Stealing Intellectual Property
FROM THE MEDIA: A new malicious campaign that siphons off intellectual property and sensitive data - including documents, blueprints, diagrams, formulas and manufacturing-related proprietary data - has been identified by researchers at cybersecurity firm Cybereason as being the work of Chinese APT Winnti based on forensic analysis.
Also known as APT 41, BARIUM and Blackfly, the group is known for its stealth, sophistication and focus on stealing technology secrets. It primarily targets technology and manufacturing companies in North America, Europe and Asia.
Cybereason, which has closely tracked the group, says that the APT actor has, over several years, surreptitiously conducted reconnaissance, identified valuable data and exfiltrated hundreds of gigabytes of information in its campaign dubbed Operation CuckooBees.
READ THE STORY: Bank Info Security
Ransomware attacks are part of the cost of doing business
FROM THE MEDIA: André Nogueira was woken up early one Sunday morning by a phone call telling him that his company, JBS Foods, the world’s largest meat supplier, had been hacked. He was given the distressing details: A group of hackers called REvil had gained access to the company’s critical infrastructure and was holding it hostage, demanding a ransom of $11 million in bitcoin. The hack caused JBS to stop production at all of its plants in the United States as well as some operations in Canada and Australia. The shutdown rippled through the entire supply chain, halting livestock sales and leaving restaurants scrambling to find new temporary suppliers. Though Nogueira told the Wall Street Journal the company was able to restore some access to its systems via encrypted backups, JBS ended up paying out the full ransom to REvil in order to resume full operations.
READ THE STORY: Morningbrew
FBI Alert Warns of BlackCat Ransomware That Compromised 60 Organizations in 4 Months
FROM THE MEDIA: The Federal Bureau of Investigation (FBI) published a flash alert on the BlackCat ransomware group, also known as Noberus and AlphaV. The alert warned that BlackCat ransomware has victimized at least 60 organizations worldwide and demanded millions of dollars in ransom payments as of March 2022. Formed in November 2021, the BlackCat ransomware group works with experienced cybercriminals linked to the BlackMatter ransomware.
The FBI alert says BlackCat ransomware leverages previously compromised user credentials to gain initial access. Next, the malware group compromises Windows Server Active Directory user and administrator accounts and configures malicious Group Policy Objects using the Windows Task Scheduler to deploy the ransomware. The malware disables network security during the initial deployment phases. It leverages PowerShell scripts, Cobalt Strike, Windows administrative tools, and Microsoft Sysinternals. Additionally, the threat actors leverage Windows scripting to compromise additional hosts.
READ THE STORY: CPO
Ransomware researchers are being targeted by the criminals they track
FROM THE MEDIA: Security researchers who investigate ransomware gangs are being targeted by the criminals they’re tracking. A hacker, thought to be a member of the notorious Russian cybercrime gang REvil, has used a fraudulent emergency data request (EDR), a type of subpoena deployed by US law enforcement agencies, to obtain information from Twitter about cybersecurity analysts, before threatening the researchers and their families.
EDRs can be obtained with little scrutiny, making them perfect vehicles for social engineering attacks. Legislation has been drafted which could require the requests to come with a digital signature, making them harder to forge.
READ THE STORY: TechMonitor
Preparing For Cyber Attacks – Strengthening Defenses Against Nation-State Threats
FROM THE MEDIA: This weekend marks the one-year anniversary of the ransomware attack against Colonial Pipeline. That attack was soon followed by the ransomware attack against JBS. One thing both of those attacks have in common is that they are attributed to cybercrime gangs operating within Russia. Groups like Darkside and REvil, along with threat actors from APTs associated with Russian intelligence agencies pose a serious threat to organizations around the world.
As the people of Ukraine heroically defend their country from destruction by Russian military forces, there remains a very real risk—expectation, actually—that Russia or threat actors aligned with Russia could launch devastating cyberattacks.
READ THE STORY: Forbes
Car Rental Giant Sixt Hit by Cyberattack, Operations Shut Down
FROM THE MEDIA: Rental car giant Sixt, a company based in Germany, announced that it has been hit by a cyberattack that resulted in large-scale inconvenience in Sixt’s global operations. In April, the company shut down parts of its IT infrastructure to contain the cyberattack.
Only essential systems were kept operating, such as the company website and mobile applications. Sixt said that disruption for employees and customers was expected, but it believes the disruption was contained to a great extent.
According to the company, it has maintained business continuity for its customers, but temporary disruptions in customer care centers and a few branches can be expected for some time. “As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated. Many central Sixt systems, in particular, the website and apps were kept up and running,” said Sixt in a statement. Sixt handled most car bookings with pen and paper last week, and non-essential systems remained shut down after the cyberattack.
READ THE STORY: ITsecurity News
White House: Prepare for cryptography-cracking quantum computers
FROM THE MEDIA: President Joe Biden signed a national security memorandum (NSM) on Thursday asking government agencies to implement measures that would mitigate risks posed by quantum computers to US national cyber security. The NSM outlines the risks of cryptanalytically relevant quantum computers (CRQC), such as their likely ability to break current public-key cryptography.
The multi-year effort to migrate all vulnerable cryptographic systems to quantum-resistant cryptography will span over 50 government departments and agencies that use National Security Systems (NSS), i.e. systems critical to military or intelligence operations or that store classified information. As the National Manager for NSS, NSA Director General Paul M. Nakasone will oversee this entire process to ensure that all NSS systems are resistant to CRQC-based attacks.
"A cryptanalytically relevant quantum computer could jeopardize civilian and military communications as well as undermine supervisory and control systems for critical infrastructure," said Nakasone. "The No. 1 defense against this quantum computing threat is to implement quantum-resistant cryptography on our most important systems."
READ THE STORY: Bleeping Computer
Cyber Command creates forum with industry to share threat information
FROM THE MEDIA: U.S. Cyber Command has created a collaborative program with the private sector to share insights and information about critical cyber threats in an effort to further bolster national cybersecurity.
The program, dubbed “Under Advisement,” involves members of the command’s elite cyber national mission force (CNMF) — which is responsible for tracking and disrupting specific nation-state adversaries — sitting in chat rooms and disclosing threats with the cybersecurity sector, officials have said.
These military personnel use their real names for the sake of transparency and actually talk to members of the private sector.
“They are technical experts that can actually talk to people. They sit in private chats, elite invite-only industry forums, all in full name and with full transparent attribution,” Maj. Gen. William Hartman, commander of the cyber national mission force, said Wednesday during a speech at the Vanderbilt University Summit on Modern Conflict and Emerging Threats. “If you see something in the news about a cyber incident, you can bet one of them got a call about 1am the night before and have been exchanging unclassified information with cybersecurity experts as rapidly as possible.”
READ THE STORY: FedScoop
Far-Right Groups a Lingering Cyber Threat to North Macedonia
FROM THE MEDIA: The first distributed denial of service (DDoS) attacks came on election night, targeting North Macedonia’s electoral commission and the news aggregator TIME.mk. The next came days later, hitting the health and education ministries as politicians mooted the idea of appointing an ethnic Albanian as prime minister for the first time ever.
No one ever claimed responsibility for the electoral commission attack, and the name of the group that targeted TIME.mk – ‘Anonopsmkd’ – gave little away. But a subsequent message contained a good clue as to its ideological leanings.
If the biggest ethnic Albanian party in the country, the Democratic Union for Integration, is granted the post of premier, “expect that the whole of Macedonia will be turned upside down,” the hackers warned, “and you will face a complete ‘blackout’ within 24 hours. So don’t play with the Macedonian people.”
READ THE STORY: Balkan insight
Items of interest
Russian hackers threaten to shut down UK ventilators after 'cyber criminal' arrest
FROM THE MEDIA: Russian tech terrorists have threatened to shut down ventilators in British hospitals, it has been claimed.
It comes after an alleged cyber criminal and supporter of Kremlin chief Vladimir Putin was arrested in the UK on Monday.
The accused, who is said to be London-based, was detained after a police raid in the aftermath of a cyber assault on government and media websites in Romania, according to reports.
He is said to be part of the group Killnet, which has since warned it will disable NHS ventilators, as well as those in Romania and Moldova, if he is not released.
The 'gang' has claimed responsibility for the attacks, committed in retaliation for the country's support for Ukraine.
The official government webpage and defense ministry were targeted, as well as political parties and other companies.
READ THE STORY: Mirror
The national security implications of small satellites (Video)
FROM THE MEDIA: Experts from across the space community discuss how the United States and its allies and partners can leverage commercial small satellites to enhance space security.
The Senate Committee Reviews Posture, 2023 Authorization Request, Part 1 (Video)
FROM THE MEDIA: The Senate Committee on Armed Services spoke with Christopher Maier, assistant secretary of defense for Special Operations and Low-Intensity Conflict, Army Gen. Richard Clarke, U.S. Special Operations Command commander, and Army Gen. Paul Nakasone, U.S. Cyber Command commander and National Security Agency director, about the posture of United States Special Operations Command and United States Cyber Command in review of the defense authorization request for fiscal year 2023 and the Future Years Defense Program.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com