Saturday, May 14, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
PSA:
This service remains free because of our sponsors - without the funding they give us this would be forced to move to a paid subscription model. Show them some love.
Discord Webhooks used by novel KurayStealer malware builder
FROM THE MEDIA: Cybercriminals have been leveraging the simple KurayStealer password-stealing malware builder to launch attacks targeted at Discord users, Threatpost reports. KurayStealer was observed by Uptycs threat analysts to replace the "api/webhooks" string in BetterDiscord with "Kisses" to establish webhooks, which would then enable the malware to begin searching for tokens, passwords, IP addresses, and other data in Google Chrome, Microsoft Edge, Discord, and other applications.
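The string swap described above is a tamper indicator a defender can check for directly. The following is an added example, not code from Uptycs, Threatpost or the BetterDiscord project: it reports whether a file still carries the "api/webhooks" literal, whether "Kisses" appears in its place, and any Discord webhook URLs hard-coded in the file (a common exfiltration channel for token stealers). The sample file contents are constructed and are not real BetterDiscord source; a hit is a lead for review, not proof of infection.

```python
"""Added example, not from the Uptycs or Threatpost reporting: a tamper check
for the "api/webhooks" -> "Kisses" string swap, plus extraction of any Discord
webhook URLs embedded in the same file. Sample contents are constructed."""
import re
from pathlib import Path

ORIGINAL_LITERAL = "api/webhooks"
REPLACEMENT_LITERAL = "Kisses"
# Discord webhook URLs have the shape https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_URL = re.compile(
    r"https://(?:[\w-]+\.)*discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)


def inspect_text(text: str) -> dict:
    """Verdict for one file's text. Webhook URLs are removed before the
    literal check so a URL containing 'api/webhooks' cannot mask the swap."""
    urls = WEBHOOK_URL.findall(text)
    body = WEBHOOK_URL.sub("", text)
    has_original = ORIGINAL_LITERAL in body
    has_replacement = REPLACEMENT_LITERAL in body
    return {
        "original_literal_present": has_original,
        "replacement_literal_present": has_replacement,
        "webhook_urls": urls,
        "tampered": has_replacement and not has_original,
    }


def scan_directory(root: Path, patterns=("*.js",)) -> dict:
    """Run inspect_text over every matching file under root (path is the
    caller's assumption; the BetterDiscord install location is not fixed here)."""
    results = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            results[str(path)] = inspect_text(text)
    return results


# Constructed samples; not actual BetterDiscord code.
CLEAN_SAMPLE = 'if (url.includes("api/webhooks")) { return block(request); }'
TAMPERED_SAMPLE = 'if (url.includes("Kisses")) { return block(request); }'
EXFIL_SAMPLE = (TAMPERED_SAMPLE + '\nconst hook = '
                '"https://discord.com/api/webhooks/123456789012345678/AbCdEf-GhIjKl_123";')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE),
                         ("tampered+exfil", EXFIL_SAMPLE)):
        print(name, inspect_text(sample))
```

Point scan_directory at the directory holding the client's script files; a file that has lost the original literal and gained the replacement is the one to pull for analysis.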
Threat actor Portu, who has been advertising the malware builder on Discord, announced in late April the beginning of a new ransomware program, which prompted researchers to conclude that KurayStealer malware authors may be developing newer password stealers and malware.
READ THE STORY: SC Magazine
Iran-Linked Threat Group Targeted U.S. Orgs in Financially Motivated Attacks
FROM THE MEDIA: The known Iran-linked threat group, Cobalt Mirage, has been conducting ransomware and espionage attacks on U.S.-based organizations over the past few months, including a local government network and a philanthropic organization.
Cobalt Mirage (which includes elements of threat activity that have previously been reported as Phosphorus and TunnelVision) has been around for years and has focused on organizations in the U.S., Israel, Europe and Australia. The group has historically launched broad scan-and-exploit campaigns, leveraging vulnerabilities like the Microsoft Exchange ProxyShell and Fortinet FortiOS flaws (including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591), said researchers with Secureworks in a Thursday analysis.
READ THE STORY: Duo
Sinister Eternity Malware Kit Is Being Sold On Telegram With Malicious Options Galore
FROM THE MEDIA: Lately, cybercriminals have been using Telegram to sell malware and other malicious tools as a service. Last month we reported on a Telegram bot that makes automatic phone calls to steal multi-factor authentication (MFA) codes. The Telegram bot gives bad actors an easy-to-use interface for placing scam phone calls and receiving stolen authentication codes. Scammers can access the bot by paying its developers a subscription fee. Now cybersecurity researchers at Cyble Research Labs are raising awareness about a similar, but even more sinister, malicious Telegram service.
The researchers first discovered a Tor website providing details about a toolkit containing different types of malware. The toolkit is known as Eternity Project and is associated with a Telegram channel, where the project’s developers sell annual subscriptions to six different kinds of malware.
READ THE STORY: Hot Hardware
Data breach exposes South African landlord and tenant information
FROM THE MEDIA: Averly, a South African online platform designed to help real estate agents and landlords identify well-behaved tenants, suffered a breach of its customer data on 9 May, according to a statement from the company.
It said that the third-party supplier which hosted its database was the victim of a ransomware attack that compromised the personal information of Averly’s customers.
The compromised data includes names and surnames, email addresses, identification numbers, residential addresses, and login information for Averly and the Tenant Profile Network (TPN).
READ THE STORY: My Broadband
Iran-Linked OilRig APT Caught Using New Backdoor
FROM THE MEDIA: The Iran-linked hacking group OilRig was observed using a new backdoor in an attack against a government official within Jordan’s foreign ministry, according to new research published this week.
Active since at least 2014, OilRig is also tracked as APT34, Helix Kitten, and Cobalt Gypsy, and is believed linked to the objectives of the Iranian government. To date, the group was seen targeting entities in the chemical, energy, financial, governmental, and telecommunication industries.
At the end of April 2022, security researchers with Fortinet and Malwarebytes identified a malicious Excel document that the hacking group sent to the Jordanian diplomat, and which was designed to drop a new backdoor called Saitama.
The phishing email allegedly came from an employee within the IT department, but in fact originated externally. The attack was identified after the recipient forwarded the message to the real IT employee, likely in an attempt to verify its authenticity.
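The recipient's instinct to verify with the real IT employee is the right one; the mail gateway can make the same call from the headers. The block below is an added example, not code from Fortinet or Malwarebytes: it compares the From domain against the envelope sender (Return-Path), the Authentication-Results verdicts and the last SMTP hop, and flags a message that claims the internal domain while the transport evidence says otherwise. Both messages and every domain in them are constructed (RFC 2606 .example names); the internal domain is an assumption.

```python
"""Added example for the 'mail from IT that actually came from outside' lure.
Not Fortinet's or Malwarebytes' code. Messages and domains are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "ministry.example"  # assumption, not the real recipient domain

SPOOFED_MSG = b"""Received: from relay.attacker.example (relay.attacker.example [203.0.113.10])
\tby mx.ministry.example (Postfix) with ESMTPS id 4F2A1
\tfor <diplomat@ministry.example>; Tue, 26 Apr 2022 09:12:44 +0000
Authentication-Results: mx.ministry.example; spf=fail smtp.mailfrom=attacker.example;
\tdkim=none; dmarc=fail header.from=ministry.example
Return-Path: <bounce@attacker.example>
From: "IT Department" <it-support@ministry.example>
To: diplomat@ministry.example
Subject: Please acknowledge receipt of this document

Please open the attached spreadsheet and confirm receipt.
"""

LEGIT_MSG = b"""Received: from mail.ministry.example (mail.ministry.example [192.0.2.25])
\tby mx.ministry.example (Postfix) with ESMTPS id 9C0B3
\tfor <diplomat@ministry.example>; Tue, 26 Apr 2022 10:02:11 +0000
Authentication-Results: mx.ministry.example; spf=pass smtp.mailfrom=ministry.example;
\tdkim=pass header.d=ministry.example; dmarc=pass header.from=ministry.example
Return-Path: <it-support@ministry.example>
From: "IT Department" <it-support@ministry.example>
To: diplomat@ministry.example
Subject: Password policy reminder

Passwords rotate on the first of the month.
"""


def _domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Return-Path style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _auth_results(value: str) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results; a missing method
    is reported as 'none' so absence never reads as a pass."""
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        out[method] = m.group(1).lower() if m else "none"
    return out


def assess_message(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Flag a message whose From claims the internal domain while the envelope
    sender, the DMARC verdict or the last SMTP hop says otherwise."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain_of(str(msg.get("From", "")))
    rp_domain = _domain_of(str(msg.get("Return-Path", "")))
    auth = _auth_results(str(msg.get("Authentication-Results", "")))
    received = [str(h) for h in (msg.get_all("Received") or [])]
    # The first Received header is the hop closest to us: who handed us the mail.
    m = re.match(r"from\s+(\S+)", received[0]) if received else None
    last_hop = m.group(1).lower() if m else ""

    findings = []
    if from_domain == internal_domain.lower():
        if rp_domain and rp_domain != from_domain:
            findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")
        if auth["dmarc"] != "pass":
            findings.append(f"DMARC verdict {auth['dmarc']!r} for a message claiming the internal domain")
        # Heuristic: legitimate internal mail may relay through an outsourced
        # provider, so this is a lead for the analyst, not proof on its own.
        if last_hop and last_hop != internal_domain and not last_hop.endswith("." + internal_domain):
            findings.append(f"last SMTP hop {last_hop!r} is outside {internal_domain!r}")
    return {"from_domain": from_domain, "return_path_domain": rp_domain, "auth": auth,
            "last_hop": last_hop, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        verdict = assess_message(raw)
        print(label, "suspicious" if verdict["suspicious"] else "clean")
        for finding in verdict["findings"]:
            print("  -", finding)
```

The Authentication-Results header is only trustworthy when stamped by your own gateway; strip any copy that arrives from outside before relying on it.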
READ THE STORY: Security Week
Lone Russian RAT operator rivals large gangs with “passion project”
FROM THE MEDIA: A lone Russian cyber criminal is achieving similar levels of success as massive organized cyber crime groups by selling a custom commercial remote access Trojan (RAT) for relative pennies.
Tracking the lone actor since 2018, the BlackBerry ThreatVector team has revealed this individual appears to have built and maintained the DarkCrystal RAT (DCRat) by themselves. They operate under the known aliases boldenis44, crystalcoder, and Кодер (‘Coder’).
DCRat is mainly sold on underground Russian forums, and researchers note that due to the dramatically low price of the tool – £5 for a two-month subscription, a fraction of the price of commercial rivals – that it could feasibly be a simple “passion project” for the actor.
READ THE STORY: TechCentral
Estonia asks NATO for anti-Russia command center in Baltics
FROM THE MEDIA: Estonia has asked NATO for command centers capable of overseeing more than 10,000 troops and the bloc's military operations in the Baltics to counter Russia amid the ongoing war in Ukraine, Estonian Defense Minister Kalle Laanet said in an exclusive interview with Nikkei.
"We are explaining right now to our allies that all three Baltic countries need a division-size command structure and also rapid deployment," the minister said. "For example, [Estonia has] two brigades of our own troops, and we need an extra brigade from NATO allies who can be deployed rapidly to Estonia if something happens. That's the change of posture."
"This means NATO can lead or command here in Estonia one division of 10,000 to 15,000 [soldiers]," he said.
READ THE STORY: Nikkei Asia
GRU accused of cyber war crimes
FROM THE MEDIA: A captured Russian soldier has been placed on trial by Ukrainian authorities for the shooting of a civilian in the early days of the war. Deutsche Welle identifies the defendant as Vadim Shishimarin. His unit was fleeing Ukrainian forces east of Kyiv. His tank disabled, Shishimarin is said to have fired at, stopped, and stolen a civilian car. As they were driving away seeking safety, Shishimarin is said to have shot and killed a sixty-two-year-old man to prevent him from revealing their position. Shishimarin is said to have acknowledged the killing, but has yet to enter a plea. “I was ordered to shoot,” the AP quotes Shishimarin as saying. “I shot one (round) at him. He falls. And we kept on going.” It's not known who ordered him to shoot, or how the order was received.
The casual murder of civilians is obviously a war crime, and waging aggressive war is a recognized crime against peace. What about cyberattacks? Under what conditions might a cyber operation constitute a war crime?
READ THE STORY: The CyberWire
Roblox Exploited with Trojans from Scripting Engine
FROM THE MEDIA: Roblox is one of the most popular game systems in the world. In 2021, this gaming platform grew from 32.6 million daily active users to nearly 50 million, across 180 countries. At one point, over half of American kids were playing Roblox. Beyond that, two-thirds of all kids in the U.S. between 9 and 12 use the platform.
It’s no surprise, then, that hackers are looking to attach themselves to this service. According to Check Point Research, Roblox was the 8th-most impersonated brand in the first quarter of 2022, ahead of Paypal and Apple.
Now, a more malicious attack is afoot.
READ THE STORY: Avanan
Iranian cyberespionage (and a possible APT side-hustle)
FROM THE MEDIA: Fortinet describes a spearphishing effort against Jordanian diplomatic targets that was evidently conducted by Iran. The lure is a familiar "please acknowledge receipt of this document" come-on, but the payload is more sophisticated than the usual run of criminal phishing. The Excel macro in the phish hook may have been accompanied by anti-analysis features. The malware itself would sleep for six-to-eight hours, and the attackers used DNS tunneling for command and control. Their three command-and-control servers were also used unusually intelligently: two of them were "tightly controlled" and were brought up only at specific times. The third server has apparently been used for misdirection, to make attribution more difficult. Fortinet thinks the campaign was run by APT34 (also known as Helix Kitten) an Iranian government-directed threat group.
Another Iranian threat group, APT35 (or Charming Kitten), has been, Hacker News reports, actively conducting ransomware attacks. The activity cluster is tracked, by Secureworks, as Cobalt Mirage. Two series of attacks are reported. One uses BitLocker and DiskCryptor "for financial gain;" the other, while it also deployed ransomware opportunistically, is directed principally toward gaining access to, and collecting intelligence from, espionage targets.
READ THE STORY: The Cyberwire // Fortinet
U.S. Agricultural Machinery Manufacturer Hit with Ransomware Attack
FROM THE MEDIA: This week, AGCO, a U.S. agricultural machinery manufacturer, suffered a ransomware attack that affected its business operations and shut down its systems.
AGCO, headquartered in Duluth, Georgia, designs, produces, and sells tractors, combines, foragers, hay tools, self-propelled sprayers, smart farming technologies, seeding and tillage equipment. AGCO first discovered this attack through its subsidiary, Massey-Ferguson, when its websites in France, Germany, and China were targeted. At that time, more than 1,000 employees were sent home from production facilities in France. Operations across the globe have been affected.
READ THE STORY: JDsupra
What does the future of autonomous warfare look like?
FROM THE MEDIA: As warfare is increasingly dictated by machines, critical questions around strategy, technology, and morality arise at every turn. But there’s one thing we know for sure: There’s no reversing the rise of autonomous systems.
The upcoming NEXUS 22 symposium, hosted by Applied Intuition in collaboration with the Atlantic Council, will bring together senior leaders to discuss the complex issues at the intersection of national security, defense, and autonomous systems. Ahead of the gathering, experts from the Scowcroft Center for Strategy and Security’s Forward Defense practice addressed the most important questions about these systems and how they will shape the future of warfare.
READ THE STORY: Atlantic Council
Space Force General: Commercial satellite Internet in Ukraine demonstrates the power of mega-constellations
FROM THE MEDIA: In February, Russia used a cyberattack to impair satcom services provided by a Viasat satellite. Despite the attempts to disable it, SpaceX’s broadband constellation Starlink has continued to provide internet services throughout Ukraine. Elon Musk claims that the Starlink network “has so far defied Russian cyberwar jamming and hacking attempts, but they’re cranking up their efforts.”
At a hearing of the SASC strategic forces subcommittee, Cotton noted that most people expected Ukraine’s communications or internet access would be cut off in the first days or first hours of the war, “but that did not happen, and it still has not happened,” he said, and one reason for that is the availability of satellite based internet.
READ THE STORY: BollyInside
Treasury Targets Russia, Oligarchs as Part of Plan to Combat Illicit Finance
FROM THE MEDIA: The U.S. Treasury Department outlined actions it plans to take to address illicit-finance risks, saying Russia’s invasion of Ukraine had underscored the need to close regulatory loopholes and step up the fight against corruption.
The national strategy for combating illicit finance, released Friday, is the latest iteration of a report the Treasury produces every two years. But this year’s strategy might be among the most important it has produced, Treasury officials said, given Russia’s aggression against its neighbor.
“Illicit finance is a major national-security threat and nowhere is that more apparent than in Russia’s war against Ukraine, supported by decades of corruption by Russian elites,” said U.S. Treasury Assistant Secretary Elizabeth Rosenberg.
READ THE STORY: WSJ
Ukrainian crook jailed in US for selling thousands of stolen login credentials
FROM THE MEDIA: A Ukrainian man has been sentenced to four years in a US federal prison for selling on a dark-web marketplace stolen login credentials for more than 6,700 compromised servers.
Glib Oleksandr Ivanov-Tolpintsev, 28, was arrested by Polish authorities in Korczowa, Poland, on October 3, 2020, and extradited to America. He pleaded guilty on February 22, and was sentenced on Thursday in a Florida federal district court. The court also ordered Ivanov-Tolpintsev, of Chernivtsi, Ukraine, to forfeit his ill-gotten gains of $82,648 from the credential theft scheme.
The prosecution's documents [PDF] detail an unnamed, dark-web marketplace on which usernames and passwords along with personal data, including more than 330,000 dates of birth and social security numbers belonging to US residents, were bought and sold illegally.
READ THE STORY: The Register
Cyber mistake: Cincinnati inadvertently posted employees' personal data online
FROM THE MEDIA: Personal information for more than 2,000 current and former Cincinnati city employees appeared online for almost two weeks in April because of a mistake, city officials said Friday.
The employee data includes names, addresses, insurance information and, in some cases, Social Security numbers. City officials said the data was posted online on April 8 and remained available until the error was discovered on April 19.
The mistake occurred, they said, when the city posted a request for dental and vision insurance providers to submit proposals to cover city employees.
READ THE STORY: Cincinnati
Starlink sees a growing threat as the US blames Russia for the KA-SAT breach
FROM THE MEDIA: Elon Musk claims that Russian hackers are stepping up their efforts to disrupt SpaceX’s Starlink broadband service in the midst of the Ukraine conflict.
“So far, Starlink has defied Russian cyberwar jamming and hacking attempts, but they’re stepping up their efforts,” Musk tweeted on May 10.
Earlier that day, the US formally blamed Russia for a cyberattack on Viasat’s KA-SAT satellite internet network in late February.
“Today, in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries,” U.S. Secretary of State Antony J. Blinken said in a May 10 press statement.
READ THE STORY: Bollyinside
Items of interest
TSMC, Samsung plan price hikes for chip designers
FROM THE MEDIA: Just as costs for some components have started to come down, TSMC and Samsung, the two largest contract chip manufacturers in the world, are reportedly planning to increase prices of production, which may affect Nvidia, AMD, Apple, and others that rely on the foundries.
Reports emerged earlier this week stating that Taiwan-based TSMC is planning price hikes in the single-digit percentages for legacy and advanced chip manufacturing technologies next year. Citing industry sources, Nikkei reported that the price hike will be around five to eight percent.
On Friday Bloomberg reported that South Korea's Samsung is planning to raise prices for chip designers by 15-20 percent this year, citing industry sources. Legacy nodes will be hit hardest, and the new pricing will come into effect in the second half of the year.
Over the course of the pandemic, high demand for electronics has overloaded semiconductor plants, giving foundries power to raise the prices of wafers for chip designers.
READ THE STORY: The Register
DEA Hacked, Sidewinder, Memory Bugs, US Bioeconomy, & Russian Cyber-Threat - Wrap Up - SWN #212 (Video)
FROM THE MEDIA: In the Security Weekly News, Jason talks: DEA portal hacks, SideWinder APT group, Intel memory bugs, US Bioeconomy, the Russian cyber-threat, as well as all the show Wrap Ups for this week!
Expert Reaction On Cyber Threats Five Years On From WannaCry (Video)
FROM THE MEDIA: Today marks the fifth anniversary of the NHS WannaCry cyber-attack. Cyber security experts commented.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com