Wednesday, May 18, 2022 // (IG): BB //Weekly Sponsor: Unsafe Waters
PSA:
This service remains free because of our sponsors - without the funding they give us this would be forced to move to a paid subscription model. Show them some love.
Cardiologist charged with creating Thanos, Jigsaw ransomware
FROM THE MEDIA: The U.S. Attorney's Office for the Eastern District of New York announced charges Monday against a cardiologist for selling the prominent ransomware tools known as Jigsaw and Thanos. Moises Luis Zagala Gonzalez, 55, was charged with attempted computer intrusions and conspiracy to commit computer intrusions. A Venezuelan resident and cardiologist, Zagala is accused of developing and selling the ransomware-as-a-service tools.
Both tools are fairly well known. Jigsaw version 2 is an updated version of the original Jigsaw ransomware -- the latter was not developed by Zagala -- and has a "doomsday" counter that would delete 1,000 files from the victim's computer every time they attempt to restart. Thanos ransomware, which was discovered in 2020, has dozens of configuration options and was notably the first ransomware to advertise that it optionally uses RIPlace, an evasion technique discovered in 2019.
READ THE STORY: TechTarget
Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find
FROM THE MEDIA: Ransomware gangs are a menace born of the cyber age. While the devastation they spread in corporations is sometimes visible and tangible (remember the gas shortage provoked by the Colonial Pipeline attack last year?), their identities and the way they operate remain mostly concealed.
Now, the curtain has parted slightly as an indirect result of the war in Ukraine.
On Feb. 25, the Conti group declared its allegiance to the Russian government following the invasion of Ukraine. On its official website, Conti threatened to retaliate against the West in response to potential cyber attacks against Russia. This cyber saber-rattling appears to have provoked the leaks, which appeared in several places.
READ THE STORY: CoinDesk
Wizard Spider hackers hire cold callers to scare ransomware victims into paying up
FROM THE MEDIA: Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise. On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to be, or to be associated with, the Grim Spider and Lunar Spider hacking groups.
According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a "complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo."
Today's more sophisticated cybercriminal operations, whether purely for profit or working for state interests -- as with many advanced persistent threat (APT) groups -- often operate business-style models. This includes hiring top talent and creating a financial framework to deposit, transfer, and launder proceeds.
READ THE STORY: ZDNET
Ransomware Gang Hacks Costa Rica, Asks Residents to Overthrow the Government
FROM THE MEDIA: The notorious hacking gang Conti hacked the Costa Rican government and is encouraging citizens to protest their government's nonpayment of a ransom, and says they should overthrow the government if it doesn't pay up.
Last week, Costa Rica’s president, Rodrigo Chaves, declared a state of emergency after the hack. According to the official state of emergency declaration, the ransomware attack affected the Ministry of Finance and attacks are ongoing.
READ THE STORY: VICE
Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government
FROM THE MEDIA: The notorious Conti ransomware gang, which last month staged an attack on Costa Rican administrative systems, has threatened to "overthrow" the new government of the country.
"We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power," the group said on its official website. "We have our insiders in your government. We are also working on gaining access to your other systems, you have no other options but to pay us."
READ THE STORY: THN
Why is everyone getting hacked on Facebook?
FROM THE MEDIA: If your social media networks are anything like mine, you’ve noticed an uptick in people getting “hacked” lately. Maybe you’ve gotten a weird Facebook message from someone you hadn’t spoken with in a while. Maybe your least tech-y friend is suddenly talking about crypto on Instagram. Or maybe you’ve seen post after post on your timeline of someone saying something like, “Sorry everyone, I got hacked!”
So what’s the deal? Why are your aunt and your favorite podcaster and that girl you went to high school with suddenly getting hacked? Isn’t that something that used to only happen to celebrities?
READ THE STORY: Security Boulevard
X-Cart Skimmer with DOM-based Obfuscation
FROM THE MEDIA: Our lead security analyst Liam Smith recently worked on an infected X-Cart website and found two interesting credit card stealers there — one skimmer located server-side, the other client-side.
X-Cart’s e-commerce platform is not nearly as popular as Magento or WooCommerce and as a result we don’t see as many threat actors targeting it. While we do still regularly find skimmers on X-Cart sites, they are usually more customized and don’t look like typical Magecart malware.
READ THE STORY: SecurityBoulevard
Microsoft Warns of "Cryware" Info-Stealing Malware Targeting Crypto Wallets
FROM THE MEDIA: Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks.
The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet.
"Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets," Berman Enconado and Laurie Kirk of the Microsoft 365 Defender Research Team said in a new report.
READ THE STORY: THN
Beware of North Korean IT workers with fake credentials, US government warns
FROM THE MEDIA: Companies that hire freelance IT teleworkers could inadvertently be employing North Koreans who have been dispatched to generate revenue for the country’s authoritarian regime or gain access to corporate networks, the U.S. government said Monday.
The workers “take advantage of existing demands for specific IT skills, such as software and mobile application development,” according to the alert from the FBI, the Treasury Department and the State Department. In many cases, they used forged documents or stolen identities to “represent themselves as U.S.-based and/or non-North Korean teleworkers.”
READ THE STORY: The Coin Republic // The Record
BlackBerry offers Kaspersky replacement cybersecurity for the channel
FROM THE MEDIA: The Russian invasion in Ukraine has demonstrated that while wars in the past were mainly confined to geographical locations, today’s battles are also being fought digitally, and globally. The challenge of ‘borderless’ cyber warfare is further underlined by this week’s joint warning from Five Eyes Alliance security authorities, including the Australian Cyber Security Centre (ACSC) and New Zealand’s National Cyber Security Centre (NCSC), urging Managed Service Providers to protect the IT supply chain with a fresh set of cybersecurity measures.
The Biden Administration also just revealed the USA will ramp up a security probe into Kaspersky, following earlier statements by Germany and Italy about potential cyber risks associated with the company’s software.
READ THE STORY: SecurityBrief
Costa Rica's Online Tax Collection System Hacked: Ministry of Finance Networks Down
FROM THE MEDIA: The Ministry of Finance is just one of several Costa Rican government agencies compromised in the cyberattack. According to NBC News, Conti, an international cybercriminal gang, has been demanding that the agencies pay a ransom since April and says it will only let them resume operations once they pay. President Rodrigo Chaves, the country's brand-new leader, has declared a state of emergency.
The state of emergency declaration came shortly after the new leader was sworn in. NBC News notes that ransomware attacks have become increasingly common.
Cybercriminals usually hit businesses and "smaller government organizations" at moments when the victims are under the most pressure to pay, the publication notes: shutdowns timed so that the downtime comes at the highest cost.
READ THE STORY: TechTimes
Tesla cars, Bluetooth locks vulnerable to hackers – researchers
FROM THE MEDIA: Millions of digital locks worldwide, including on Tesla cars, can be remotely unlocked by hackers exploiting a vulnerability in Bluetooth technology, a cybersecurity firm said on Tuesday.
In a video shared with Reuters, NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device attached to a laptop which bridged a large gap between the Tesla and the Tesla owner’s phone.
“This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world,” the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol – technology used in millions of cars and smart locks which automatically open when in close proximity to an authorized device.
Although Khan demonstrated the hack on a 2021 Tesla Model Y, NCC Group said any smart locks using BLE technology, including residential smart locks, could be unlocked in the same way.
READ THE STORY: Rappler
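The relay Khan demonstrated works because the lock verifies possession of a key, not physical distance. The toy simulation below is an added example, not NCC Group's code or any vendor's implementation: it models a lock that authenticates a phone with an HMAC challenge-response and a relay made of two bridged radios that only forwards bytes. The protocol, the class names (Lock, Phone, Relay) and the use of HMAC-SHA256 are assumptions for illustration; real passive-entry systems differ in detail.

```python
import hashlib
import hmac
import os


class Lock:
    """Passive-entry lock: opens for whoever answers its challenge with the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)  # fresh nonce per attempt, so replaying an old answer fails
        return self.nonce

    def verify(self, response: bytes) -> bool:
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Phone:
    """Owner's phone: holds the key and answers any challenge it is handed."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Relay:
    """Two attacker radios bridged over a long-distance link (assumed model).
    It never learns the key and never changes a byte; it carries the challenge
    to the distant phone and the answer back, so the lock cannot tell it apart
    from the phone standing next to it."""

    def __init__(self, far_phone: Phone):
        self.far_phone = far_phone
        self.forwarded = 0

    def respond(self, nonce: bytes) -> bytes:
        self.forwarded += 1
        return self.far_phone.respond(nonce)


def attempt_unlock(lock: Lock, device) -> bool:
    """One passive-entry exchange: challenge out, response in, verify."""
    return lock.verify(device.respond(lock.challenge()))


def demo():
    key = os.urandom(32)
    lock, owner_phone = Lock(key), Phone(key)
    relay = Relay(owner_phone)
    legit = attempt_unlock(lock, owner_phone)               # owner nearby: opens
    relayed = attempt_unlock(lock, relay)                   # owner far away, relay nearby: still opens
    stranger = attempt_unlock(lock, Phone(os.urandom(32)))  # wrong key: refused
    return legit, relayed, stranger, relay.forwarded


if __name__ == "__main__":
    print(demo())  # (True, True, False, 1)
```

The cryptography here is not the weak point: the key never leaves the phone, the nonce defeats replay, and a stranger is refused. The relayed attempt succeeds anyway, because a correct answer proves that the key exists somewhere reachable, not that it is within a few metres. That is the "trusted BLE connection" assumption NCC Group is warning about, and it is why the fix has to come from outside the authentication exchange (for example, refusing passive unlock unless the phone itself reports motion or the user confirms), not from stronger crypto on the same exchange.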
Hackers actively targeting WordPress sites running unpatched Tatsu plugin
FROM THE MEDIA: Hackers are reported to be actively targeting WordPress sites with unpatched versions of the Tatsu no-code page builder plugin installed.
Detailed Monday by Ram Gall at Wordfence, the large-scale attack is targeting a Remote Code Execution vulnerability in Tatsu that was publicly disclosed in March. Although an updated version of the plugin has since been released, as is typical with software, and WordPress plugins in particular, not all users have installed the latest version. That opens the door to hackers.
READ THE STORY: SiliconAngle
Critical VMware Bug Exploits Continue, as Botnet Operators Jump In
FROM THE MEDIA: Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.
That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.
READ THE STORY: DarkReading
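Barracuda's finding is about probing, and probing leaves traces in ordinary web-server logs. CVE-2022-22954 is a server-side template injection flaw (a fact about the CVE rather than something the article spells out), so exploitation attempts have to carry template-expression syntax in a request parameter. The scanner below is an added example, not Barracuda's or VMware's code: it pulls the request target out of combined-format log lines, URL-decodes it twice so double-encoded payloads surface, and flags template markers. The sample log lines, the /ui/login path and the marker list are constructed assumptions, not the real vulnerable endpoint or a vendor signature.

```python
import re
from urllib.parse import unquote

# Syntax an attacker needs in order to get a template engine to evaluate input.
# This marker list is an assumption for the example, not a vendor signature.
TEMPLATE_MARKERS = re.compile(r"\$\{|<#|#\{|freemarker", re.IGNORECASE)

# Apache/Nginx combined log format; only the fields the scanner needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (hypothetical paths): two ordinary requests, then one
# single-encoded and one double-encoded template probe from the same source.
SAMPLE_LOG = """\
198.51.100.10 - - [17/May/2022:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.10 - - [17/May/2022:09:12:05 +0000] "GET /search?q=hello HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.42 - - [17/May/2022:09:13:40 +0000] "GET /ui/login?error=%24%7B7*7%7D HTTP/1.1" 400 512 "-" "python-requests/2.27"
203.0.113.42 - - [17/May/2022:09:13:41 +0000] "GET /ui/login?error=%2524%257B%2522freemarker%2522%257D HTTP/1.1" 200 9216 "-" "python-requests/2.27"
"""


def decode_target(target: str) -> str:
    """Decode twice so a double-encoded payload still reveals its markers."""
    return unquote(unquote(target))


def is_template_probe(target: str) -> bool:
    """True when the request path or query string contains template syntax."""
    return TEMPLATE_MARKERS.search(decode_target(target)) is not None


def scan(log_text: str):
    """Return (ip, target, status) for every request that looks like a template probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_template_probe(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Two of the four constructed lines are flagged, both from 203.0.113.42. The status code is what an analyst reads next: the 400 on the first probe is the server rejecting it, while a 200 on the second is the line that needs a closer look, because a successful injection returns normally. A marker-only rule will also fire on legitimate applications that accept template syntax, so in production pair it with the vulnerable product's actual endpoint from the vendor advisory and with the patch state of the host.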
Why Remote Access in Manufacturing is a Dangerous Game
FROM THE MEDIA: Recently, the cybersecurity spotlight has been on manufacturing, and not for good reason. Manufacturing is the second most-targeted industry by cyber-attackers, and the most notorious hacks of 2021 happened in the manufacturing and critical infrastructure sector. The Colonial Pipeline and JBS hacks caught the attention of the entire country – not just because the companies were victims of cybercrime, but because the consequences of the cybercrime fell outside of the digital landscape: America experienced gas and fuel shortages as well as meat production delays and inflation due to the respective cyber-attacks.
READ THE STORY: Infosecurity Magazine
Hackers are abusing free trials of business software to evade detection
FROM THE MEDIA: Cybercrooks are using free trials of Remote Monitoring and Management (RMM) tools to distribute ransomware, security experts are warning.
Blackpoint Cyber founder and CEO Jon Murchison says in order to protect from the rising threat, RMM companies need to have more checks and balances on their free trial system, while everyone else needs to have multi-factor authentication (MFA) active on their RMM.
Explaining the stages of the attack, Murchison said the attacker first uses phishing to obtain the target’s VPN credentials. After logging on to the target endpoint, the threat actor installs the trial version of the RMM and uses it to deploy stage-two malware, usually ransomware.
READ THE STORY: TechRadar
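The chain Murchison describes (phish the VPN credentials, log in, install a trial RMM agent, push ransomware through it) has a detectable seam: remote-management software appearing on an endpoint that the organisation's own RMM did not deploy, shortly after a VPN login by the same user. The detection below is an added example, not Blackpoint Cyber's code. Its events, the product names ("ExampleRemote Trial", "ApprovedRMM Agent"), the keyword list and the 60-minute correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events, not from the article: VPN logins and endpoint
# software-install events in time order.
EVENTS = [
    {"ts": "2022-05-16T08:02:00", "type": "vpn_login", "user": "jdoe", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-16T08:14:00", "type": "install", "user": "jdoe", "host": "WS-114",
     "product": "ExampleRemote Trial"},
    {"ts": "2022-05-16T09:00:00", "type": "install", "user": "svc_deploy", "host": "WS-201",
     "product": "ApprovedRMM Agent"},
    {"ts": "2022-05-16T13:30:00", "type": "install", "user": "msmith", "host": "WS-077",
     "product": "ExampleRemote Trial"},
    {"ts": "2022-05-16T13:45:00", "type": "install", "user": "msmith", "host": "WS-077",
     "product": "Office Suite Update"},
]

# The one RMM product the organisation actually uses (assumption).
APPROVED_RMM = {"ApprovedRMM Agent"}
# Words that mark a product as remote-control software (assumption; crude on purpose).
REMOTE_WORDS = ("remote", "rmm", "trial")
# How long after a VPN login an install is treated as part of the same session.
VPN_WINDOW = timedelta(minutes=60)


def looks_like_rmm(product: str) -> bool:
    return any(word in product.lower() for word in REMOTE_WORDS)


def detect(events):
    """Return alerts as (user, host, product, severity).

    high   = unapproved remote tool installed within VPN_WINDOW of that user's VPN login
    medium = unapproved remote tool installed with no recent VPN login for that user
    """
    alerts = []
    last_vpn = {}  # user -> time of most recent VPN login seen so far
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "vpn_login":
            last_vpn[ev["user"]] = ts
        elif ev["type"] == "install":
            product = ev["product"]
            if product in APPROVED_RMM or not looks_like_rmm(product):
                continue
            recent = ev["user"] in last_vpn and ts - last_vpn[ev["user"]] <= VPN_WINDOW
            alerts.append((ev["user"], ev["host"], product, "high" if recent else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed data this raises two alerts: jdoe's trial install twelve minutes after a VPN login is high, msmith's the same product with no VPN login is medium, the approved agent and the office update are ignored. The correlation is the point: an RMM agent on its own is routine on a managed estate, but one the approved tooling did not deploy, landing right after a remote login, is the article's stage two in progress. The MFA Murchison asks for on both the VPN and the RMM console removes stage one entirely; this rule is the backstop for when credentials alone still work somewhere. In production, key the "looks like RMM" test on installer publisher or code-signing identity rather than product-name keywords.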
Insider Threats: Recruitment Tactics and TTPs You Should Prepare For
FROM THE MEDIA: The tactic of recruiting insiders has been gaining popularity among threat actors aiming to breach systems and/or commit ransomware attacks. According to Flashpoint data collections, there were 3,988 unique discussions about insider-related threats observed in our datasets between January 1 and November 30, 2021—a number that shows dramatic growth since August 2021. Furthermore, a January 2022 study found that 65 percent of employees had been approached by malicious actors, often to aid in a ransomware attack, for a hefty cash reward, which represents a double-digit increase from the prior period.
READ THE STORY: Flashpoint Intel
US Manufacturing Giant Parker Hit by Conti Ransomware Gang
FROM THE MEDIA: Parker-Hannifin Corporation, a US manufacturing company, has confirmed that it was impacted by a data breach that exposed employees’ personally identifiable information (PII). According to the firm, Conti ransomware actors published the stolen data last month after claiming responsibility for the attack. Parker-Hannifin is one of the largest motion control technology companies in the world. According to the company, unauthorized third-party access was detected on its systems in May, but the attacker may have breached the system at any time between March 11 and May 14, 2022.
READ THE STORY: OODALOOP
FBI warns of ransomware attacks against food supply; offers cyber hygiene and PC security tips. Plus Pinal County's risk
FROM THE MEDIA: The FBI warned of an increased risk of ransomware attacks against agricultural coops, which could disrupt food supply chains, in a private industry notification issued on April 20. The notification reported six such attacks in the Fall of 2021 and two more in early 2022. A multi-state grain company and six grain coops were among the victims. One company detected and stopped two attempts to initiate ransomware attacks. Unfortunately, others weren't so lucky, with damages ranging from the loss of administrative functions to complete halts in production.
While the agricultural sectors in Pinal County and Arizona have avoided such high-profile problems so far, FBI Special Agent Suzanne Allen warns that many businesses and individuals across the county and state are regularly victims of cybercrime.
READ THE STORY: Original Newsbreak
Auction.com Data Breach Due to Conti Ransomware Attack
FROM THE MEDIA: Auction.com has been reported to be one of the latest California companies to fall prey to the Conti ransomware group, causing personal financial data and other identifying information maintained by Auction.com to be released on the dark web.
Auction.com has its headquarters in Irvine, California. According to the company’s website, it offers an online marketplace for buying and selling of distressed real estate holdings, including residential bank-owned property and those in foreclosure.
READ THE STORY: Legalscoops
Items of interest
Cloudflare to run Ethereum node experiment to help ‘build a better internet’
FROM THE MEDIA: “Cloudflare is going to participate in the research and development of the core infrastructure that helps keep Ethereum secure, fast, as well as energy-efficient for everyone,” the firm stated.
Ahead of Ethereum’s highly anticipated switch to proof-of-stake (PoS), cybersecurity firm Cloudflare is set to launch and fully stake Ethereum validator nodes over the next few months.
It aims to study energy efficiency, consistency management and network speed of the PoS network as part of its commitment to environmental sustainability and to help “build a better internet.”
Cloudflare was founded in 2010 and provides web security services such as distributed denial-of-service (DDoS) mitigation to protect clients from DDoS attacks.
Cloudflare said it was experimenting with the “next generation of Web3 networks that are embracing proof of stake,” with Ethereum being the first in line for the company.
At this stage, it appears the Merge and transition to a PoS consensus mechanism is slated to go live by Q3 or early Q4, barring any further delays, with Cloudflare noting that this will lead to “significant energy efficiency improvements” for the network.
According to a Monday blog post, the firm will launch and fully stake Ethereum validator nodes, at 32 Ether (ETH) required per node, over the next few months.
READ THE STORY: CoinTelegraph
Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Costa Rica to its knees. (Video)
FROM THE MEDIA: An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO Alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And, the doctor was in, but wow, was he also way out of line.
Hacking Shut Down iPhones - ThreatWire (Video)
FROM THE MEDIA: Zyxel has an actively exploited vulnerability, so patch now; a shut-down iPhone could be hacked; and a SatCom hack is being blamed on Russia. All that coming up now on ThreatWire.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com