Tuesday, May 10, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Securing U.S. Cleared Defense Contractors Against Russian State-Sponsored Attacks
FROM THE MEDIA: State-sponsored attacks frequently target numerous U.S. Cleared Defense Contractor (CDC) networks to obtain critical information and other sensitive assets related to the U.S. government’s national security and defense capabilities. For state-sponsored threat actors, gaining access to highly classified information allows their rogue state to mount malicious campaigns to disrupt or damage public and private infrastructures that power today’s modern world.
Although state-sponsored attackers are often referred to as advanced persistent threat (APT) actors, they often use common but effective tactics to access target networks, such as brute-force attacks, spear phishing, password spray techniques, credential harvesting, and exploiting vulnerabilities in VPN devices. Afterward, they move laterally to build persistence and steal data.
READ THE STORY: Security Boulevard
Victims of Horizon Actuarial data breach exceed 1M
FROM THE MEDIA: The victim count for the Horizon Actuarial Services data breach has continued to climb months after the ransomware attack was initially disclosed.
Horizon Actuarial was attacked last November, but the company didn't discover it had been breached until mid-January and didn't disclose the incident and resulting exposed data until March 21. The attack on the consulting firm, which provides actuarial services for employer benefits plans, illustrates how far-reaching the effects of a ransomware incident can be.
In recent weeks, more victims have emerged from the Horizon Actuarial data breach, stating that they were among the customers affected by the financial firm's data breach. In its most recent filing to the Maine attorney general's office on April 26, Horizon said the number affected rose to 1,312,212, the majority of whom belong to healthcare and benefit plans managed by the group.
READ THE STORY: TechTarget
EV infrastructure vulnerabilities put cars, the grid at risk
FROM THE MEDIA: Electrifying the nation’s vehicles and transportation infrastructure exposes drivers and cities to new risks. If cybercriminals hack into electric vehicles, they could not only penetrate the vehicle itself, but also compromise the entire connected infrastructure -- including charging stations, electrical grids, back office utilities and the cloud, according to experts at NextGov’s May 6 Cyber Defenders event.
Hackers that get into charging systems can even lock drivers out of their vehicles through a denial of service attack, said Sunil Chhaya, senior technical executive at the Electric Power Research Institute (EPRI). Threat actors could damage an EV by overcharging its battery or steal payment information through a charging station, Southwest Research Institute Computer Scientist Austin Dodson said. Hackers can also skim credit card information and users’ PIN codes from charging stations. “If they’re able to get that information … that's obviously very attractive for an attacker,” he said.
READ THE STORY: GCN
Budget-priced RAT is surprisingly effective tool for hackers, say BlackBerry researchers
FROM THE MEDIA: One of the reasons the number of cyberattacks keeps escalating is the cost of hacking tools for threat actors keeps dropping. Software-as-a-service offerings are common, but some crooked developers keep the price of their tools low.
According to researchers at BlackBerry, one is an inexpensive remote access trojan (RAT) that has been primarily sold on Russian language underground forums for over two years. Called DarkCrystal RAT (or DCRat for short), it’s a “surprisingly effective homemade tool for opening backdoors on a budget,” they said.
“DCRat is one of the cheapest commercial RATs we’ve ever come across,” the researchers said in a blog released on Monday. “The price for this backdoor starts at 500 RUB (less than US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.”
READ THE STORY: iTWorld Canada
Welcome “Frappo” – Resecurity identified a new Phishing-as-a-Service
FROM THE MEDIA: The Resecurity HUNTER unit identified a new underground service called “Frappo”, which is available on the Dark Web. “Frappo” acts as a Phishing-as-a-Service and enables cybercriminals to host and generate high-quality phishing pages which impersonate major online banking, e-commerce, popular retailers, and online services to steal customer data.
The platform has been built by cybercriminals to leverage spam campaigns which distribute professional phishing content. “Frappo” is actively advertised on the Dark Web and on Telegram, where it has a group with over 1,965 active members in which cybercriminals discuss how successful they’ve been at attacking the customers of various online services.
READ THE STORY: HelpNet Security
Grindr Location Data Sold to Ad Networks From 2017 to 2020, Legacy Information May Still Be Available
FROM THE MEDIA: A new report from the Wall Street Journal finds that dating app Grindr quietly sold user location data to a third-party ad network from “at least” 2017 until early 2020, making it available to thousands of parties. The app curtailed the practice in 2020, but some “legacy” data that was previously sold could still be in circulation.
Grindr is one of the biggest names in dating apps that focus on the LGBTQ community, and user presence on the app has been used for harassment purposes and even to remove employees and professional athletes from their positions in various countries. The app is also not new to security and privacy issues, having had prior data breaches that exposed user locations as well as sensitive personal information.
READ THE STORY: CPO
Brink’s joins forces with Metaco to combat cryptocurrency theft and hacking
FROM THE MEDIA: The security firm best known for building massive armoured vehicles and generating intricate robbery fantasies among bored suburban kids has entered the crypto market.
Brink’s, a 163-year-old security company based in Virginia, has announced a partnership with Metaco, a Swiss cryptocurrency custody provider, to provide physical “disaster recovery” solutions for private bitcoin key backups. Brink’s will keep a physical backup of crypto clients’ keys in one of their protected vaults in the case of one of those doomsday disaster scenarios.
Brink’s Senior Commercial Director Oliver Buckle-Wright said in a statement that the company is trying to provide a “safe air-gapped service” to protect Metaco’s assets. In an interview with CoinDesk, Metaco Vice President of Strategic Alliances Seamus Donoghue noted that the physical backups will be certified “smartcards.”
READ THE STORY: BollyInside
US State Department announces $10 million bounty after Costa Rica ransomware attack
FROM THE MEDIA: In the wake of a massive ransomware attack on the Costa Rican government in April, the US government issued a notice last week declaring a bounty potentially worth millions of dollars on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, Costa Rica’s recently sworn-in president, declared a national emergency due to the attack, according to CyberScoop.
According to BleepingComputer, the ransomware attack affected Costa Rica’s Ministries of Finance and Labor and Social Security, as well as the country’s Social Development and Family Allowances Fund, among other entities. The report also says that the attack affected some services from the country’s treasury starting on April 18th. Hackers not only took down some of the government’s systems, but they’re also leaking data, according to CyberScoop, which notes that almost 700 GB of data has made its way onto Conti’s site.
READ THE STORY: TheVerge
Ukraine war causes US to step up security probe of software maker Kaspersky
FROM THE MEDIA: US President Joe Biden's administration has stepped up a national security probe into Russia's AO Kaspersky Lab antivirus software amid heightened fears of Russian cyber attacks after Moscow invaded Ukraine, three people familiar with the matter told Reuters.
The case was referred to the Commerce Department by the Department of Justice last year, a fourth person said, but little progress was made until a White House intervention urged them to move forward in March, the three sources said.
At issue is the chance that the Kremlin could use the antivirus software to steal sensitive information from American computers or tamper with them as tension escalates between Moscow and the West.
Access to the networks of federal contractors and operators of critical US infrastructure, such as power grids, is considered particularly concerning, the three people said.
READ THE STORY: The National News
New DOJ Team Focuses on Ransomware and Cryptocurrency Crime
FROM THE MEDIA: While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021.
What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber crimes? What kinds of cyber crime cases have they solved already? And how might this impact a company’s security strategy?
READ THE STORY: Security Intelligence
NFTs Emerge as the Next Enterprise Attack Vector
FROM THE MEDIA: A recent malware campaign that targeted online artists with a lure about lucrative nonfungible token (NFT) projects is a good indication of how threat actors are capitalizing on the snowballing interest in digital goods — and it has implications for the growing number of corporate brands trying to ride the NFT wave, too.
The campaign, which researchers from Malwarebytes observed, involved messages purporting to be from NFT project Cyberpunk Ape Executives. These were sent to digital art creators on online platforms such as DeviantArt and Pixiv, and they invited the recipients to work with the people behind the Cyberpunk Ape project to create new NFT characters. They also promised them $350 per day by way of compensation.
A link in the message directed recipients to more information about the project. When users clicked on it, they were sent to a site that downloaded multiple images of apes that purported to be examples of NFTs from the project. One of the images was an executable file, which when opened infected the user's system with an information stealer.
READ THE STORY: DarkReading
Researchers discover hackers using SEO to rank malicious PDFs on search engines
FROM THE MEDIA: Today, researchers at security service edge provider Netskope published the Netskope Cloud and Threat Report: Global Cloud and Malware Trends, which found that phishing downloads rose 450% over the past 12 months, and highlighted that attackers are using search engine optimization (SEO) to rank malicious PDF files on search engines.
The report’s findings show that phishing attempts are constantly evolving, and attackers aren’t just targeting employees through their email inboxes; they’re also using popular search engines like Google and Bing.
READ THE STORY: VentureBeat
Salesforce Bruised over Heroku Breach Response
FROM THE MEDIA: The May 3rd email unleashed a firestorm of criticism about the lack of an adequate response from Heroku about a security breach which had started two weeks earlier.
On April 12 GitHub informed Heroku that a cybersecurity threat actor had stolen the OAuth token which controls Heroku’s GitHub integration. Then, on April 15 GitHub published a blog post about the breach, and Heroku notified customers in the support thread. Heroku then shut down the connection with GitHub. Heroku later published some mitigation recommendations in the thread. However, no further information about the nature of the breach was available when the password reset email went out.
On May 5, Heroku posted new information about the breach in the support thread. In a shocking chronology, the company detailed a chain of events that led to the threat actor accessing authentication systems. A leading cybersecurity publication, Bleeping Computer, penned the headline “Heroku admits that customer credentials were stolen in cyberattack.”
READ THE STORY: SalesForceDevops
Eye on China, S Korea joins NATO cyber defense unit
FROM THE MEDIA: South Korea joined NATO’s cyber defense group on May 5, becoming the second East Asian country after Japan to join the group.
South Korea’s top spy agency, the National Intelligence Service (NIS), said it had been admitted as a “contributing participant” to the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) in Tallinn, Estonia.
The CCDCOE’s mission is to support NATO in the field of cyber defense research, training and exercises covering the focus areas of technology, strategy, operations and law.
It was established in 2008 on the initiative of Estonia, in response to alleged Russian cyberattacks in 2007 which targeted Estonian banks, government offices and media outlets after Estonia’s relocation of a Soviet-era World War II monument and war graves.
“Cyberthreats are causing great damage to not only individuals, but also separate nations and also transnationally, so close international cooperation is crucial,” the NIS said in a statement explaining South Korea’s rationale for joining the CCDCOE.
South Korea has been trying to join the CCDCOE since 2019, hoping to learn more about threat response strategies and ways to protect key infrastructure, with the broad aim of having world-class abilities to respond to those threats.
READ THE STORY: AsiaTimes
Ukraine warns of “chemical attack” phishing pushing stealer malware
FROM THE MEDIA: Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of the mass distribution of Jester Stealer malware via phishing emails using warnings of impending chemical attacks to scare recipients into opening attachments.
As the war between Russia and Ukraine continues, the threat of escalation in using more lethal weapons remains a concern.
Ukrainians live under this constant fear, so these phishing emails pretend to be warnings of chemical attacks to ensure that recipients won’t ignore their messages.
The full text of the machine-translated phishing email can be read below:
“Today the information was received that chemical weapons will be used at 01.00 at night, the authorities are trying to hide it in order not to panic the population. Urgently get acquainted with the places where chemical weapons will be used and the places of special shelters where we will be safe.
Help us to disseminate the information attached to the document in the letter as much as possible. map of the zone of chemical damage.
We need to save as many lives as possible!”
READ THE STORY: Cyber Reports
IT offshoring in a risky world
FROM THE MEDIA: The global market for IT services has exploded in line with the overall growth of tech, which has become a $4 trillion industry. Finding the talent to meet the growing demand for technical services is more difficult than ever, which has driven companies to hire IT employees across the globe, outsourcing to countries like the Philippines, India and, increasingly in recent years, Ukraine, Poland, Bulgaria and other Eastern European countries.
Everything changed for Eastern Europe’s IT services industry on Feb. 24, when Russia invaded Ukraine and started a war that has claimed the lives of more than 3,000 Ukrainian civilians, according to the United Nations. With no end to the war in sight, Europe’s tech sector is under pressure to maintain its reputation as a hot source of IT talent. Demand for that talent has not slowed: It’s no secret that companies across the board are having difficulty finding the right people.
READ THE STORY: Protocol
Hackers display “blood is on your hands” on Russian TV, take down RuTube
FROM THE MEDIA: Hackers continue to target Russia with cyberattacks, defacing Russian TV to show pro-Ukrainian messages and taking down the RuTube video streaming site.
During Russian President Putin's speech at today's "Victory Day" military parade, pro-Ukrainian hacking groups defaced the online Russian TV schedule page to display anti-war messages.
Russian citizens attempting to access TV schedules via their smart TVs read messages that accused the Kremlin of propaganda and that blood was on their hands for the acts of violence in Ukraine.
READ THE STORY: Bleeping Computer
Items of interest
How a surging Chinese economic power could complicate a new US-Russia Cold War
FROM THE MEDIA: The U.S. and the West are barreling headlong into a new Cold War against Russia, some analysts contend. But China's inclusion into the geopolitical mix could complicate American officials' attempts to wage a renewed competition with Moscow.
The U.S. began imposing severe sanctions on Russia shortly after Moscow's invasion of Ukraine. Those harsh measures were in addition to other sanctions stemming from Moscow's intervention in past U.S. elections. Pentagon officials argue the goal is ultimately to weaken Russia, with Secretary of Defense Lloyd Austin telling reporters last month they want to prevent the former Soviet adversary from doing "the kinds of things that it has done in invading Ukraine." Part of that mission is to impress upon NATO allies to join the fight.
The Cold War is over, and a new one is beginning, according to Hal Brands, a professor of global affairs at Johns Hopkins University. This new one shows competition between Russia and the U.S. never ended. Rather, the fight was put on pause after the Soviet Union fell.
READ THE STORY: KATV
HackTheBox "Cyber Apocalypse" CTF is BACK for 2022 (Video)
FROM THE MEDIA: Jump into the HackTheBox CA CTF!
China's Cyber Army & Future of warfare Q&A with Rajiv Malhotra (Video)
FROM THE MEDIA: Rajiv Malhotra answers people's questions about China's intentions with advanced warfare technologies, algorithms and wartime propaganda against India. In a talk held with Friends of India Society International, Rajiv Malhotra gives his views on the strengths and weaknesses of India in the AI field.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com