Thursday, May 19, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
PSA:
This service remains free because of our sponsors - without the funding they give us, we would be forced to move to a paid subscription model. Show them some love.
Agile Sourcing Partners Suffers Data Breach Due to Conti Ransomware Attack
FROM THE MEDIA: Agile Sourcing Partners, a company based in Corona, California, appears to have fallen prey to the Conti ransomware group, causing personal financial data and other identifying information maintained by Agile to be released on the dark web.
On its website, Agile states it is in the business of providing integrated solutions in gas and electric utility and infrastructure markets. It has 8 locations nationwide.
On May 16, 2022, we learned that the Conti group had announced a possible data breach of Agile Sourcing Partners’ computer systems, which purportedly took place on April 2, 2022. Details are limited as to the extent of the hack at this time.
READ THE STORY: LegalScoops
Spanish police dismantle phishing gang that emptied bank accounts
FROM THE MEDIA: The Spanish police have announced the arrest of 13 people and the launch of investigations on another seven for their participation in a phishing ring that stole online bank credentials.
The threat actors used phishing lures to trick their victims into believing they received an alert from their bank and proceeded to steal their account credentials.
Having access to banking accounts, the adversaries used their victims' money to make online purchases, direct transfers to "money mule" accounts, or request personal loans.
READ THE STORY: BleepingComputer
Microsoft warns of brute-force attacks targeting MSSQL servers
FROM THE MEDIA: Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords.
While this isn't necessarily the first time MSSQL servers have been targeted in such attacks, Redmond says that the threat actors behind this recently observed campaign are using the legitimate sqlps.exe tool as a LOLBin (short for living-off-the-land binary).
"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team revealed.
READ THE STORY: BleepingComputer
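A defender-side check for the two stages the Microsoft item above describes (password guessing against exposed MSSQL logins, then sqlps.exe launched from the database service and the service account switched to LocalSystem). This is an added example, not code from the article or from Microsoft; it runs over constructed SQL Server error-log lines and process-creation events, and the field names, file paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Part 1: password guessing against the SQL login surface ----------------
# Constructed SQL Server ERRORLOG-style lines (message 18456, "Login failed"):
# six rapid failures for 'sa' from one client, plus one benign failure.
def _failed_login(ts, user, client):
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: Password "
            f"did not match that for the login provided. [CLIENT: {client}]")

ERRORLOG = [_failed_login(f"2022-05-18 10:00:0{i}.00", "sa", "203.0.113.7")
            for i in range(1, 7)]
ERRORLOG.append(_failed_login("2022-05-18 10:03:15.00", "reports", "10.0.0.21"))

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def login_failure_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client: max_failures_in_window} for clients that reach the threshold.
    Threshold and window are assumptions; tune them to the server's normal traffic."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            per_client[m["client"]].append(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    bursts = {}
    for client, stamps in per_client.items():
        stamps.sort()
        for i, start in enumerate(stamps):          # sliding window from each failure
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= threshold:
                bursts[client] = max(bursts.get(client, 0), n)
    return bursts

# --- Part 2: post-compromise activity through the sqlps.exe LOLBin ----------
# Constructed process-creation events (Sysmon Event ID 1 style fields). Paths are
# illustrative. The third event is an administrator opening sqlps.exe normally.
PROCESS_EVENTS = [
    {"parent_image": r"C:\SQL\Binn\sqlservr.exe", "image": r"C:\SQL\Tools\sqlps.exe",
     "command_line": "sqlps.exe -NoLogo -Command whoami; Get-NetTCPConnection"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc.exe config MSSQLSERVER obj= LocalSystem"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\SQL\Tools\sqlps.exe",
     "command_line": "sqlps.exe"},
]

def suspicious_process_events(events):
    """Flag sqlps.exe launched by the SQL Server service process itself (the database
    engine running a PowerShell wrapper is the LOLBin pattern) and any sc.exe
    call that reconfigures a service account to LocalSystem."""
    findings = []
    for e in events:
        image = e["image"].lower().rsplit("\\", 1)[-1]
        parent = e["parent_image"].lower().rsplit("\\", 1)[-1]
        cmd = e["command_line"].lower()
        if image == "sqlps.exe" and parent == "sqlservr.exe":
            findings.append(("sqlps_spawned_by_sqlservr", e["command_line"]))
        if image == "sc.exe" and "config" in cmd and "localsystem" in cmd:
            findings.append(("service_account_set_localsystem", e["command_line"]))
    return findings
```

Real deployments would feed the same functions from the ERRORLOG file and a Sysmon or EDR process-creation feed; an interactive sqlps.exe launch by an administrator is deliberately not flagged.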
Chinese ‘Space Pirates’ are hacking Russian aerospace firms
FROM THE MEDIA: A previously unknown Chinese hacking group known as 'Space Pirates' targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems.
The threat group is believed to have started operating in 2017, and while it has links to known groups like APT41 (Winnti), Mustang Panda, and APT27, it is thought to be a new cluster of malicious activity.
Russian threat analysts at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field.
READ THE STORY: BleepingComputer
Fake crypto sites lure wannabe thieves by spamming login credentials
FROM THE MEDIA: Threat actors are luring potential thieves by spamming login credentials for other people's accounts on fake crypto trading sites, illustrating once again that there is no honor among thieves.
This new cryptocurrency scam has been gaining traction recently: emails and texts share credentials for an online trading account said to hold 30 Bitcoin, worth around $900,000 at today's prices, for the recipient to withdraw.
The phishing email, seen by security analyst Jan Kopriva, informs the recipient that a deposit of 30 BTC has been added to an account on the Orbitcoin trading platform.
READ THE STORY: BleepingComputer
CISA Orders Agencies to Mitigate VMWare Vulnerabilities Under Deadline
FROM THE MEDIA: Federal agencies must report to the Cybersecurity and Infrastructure Security Agency over the coming days on the status of VMWare product vulnerabilities the agency flagged in an emergency directive Wednesday.
“CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch agencies and require emergency action,” the agency said, imposing a deadline of Monday, May 23, at noon for required actions. “This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”
READ THE STORY: Nextgov
Ransomware Groups Continue to Leverage Old Vulnerabilities
FROM THE MEDIA: Researchers observed ransomware groups leveraging vulnerabilities that were multiple years old to exploit their victims, a new report from Cyber Security Works (CSW) explained. The finding illustrates an ongoing trend of threat actors targeting known vulnerabilities and trusted attack methods rather than using and developing new ones.
The report drew on research into ransomware and vulnerability data from multiple threat intelligence feeds and risk analyses.
Since January 2022, researchers have observed a 7.6 percent increase in vulnerabilities tied to ransomware, the report stated.
READ THE STORY: Health IT Security
DHS warns of threats against Supreme Court in wake of leaked draft Roe opinion
FROM THE MEDIA: The Department of Homeland Security is warning law enforcement partners that there are potential threats to the public and members of the Supreme Court in response to the national abortion debate, including threats of burning down or storming the US Supreme Court and murdering justices and their clerks, members of Congress and lawful demonstrators.
A DHS memo warns that "domestic violence extremists and criminal actors have adopted narratives surrounding abortion rights to encourage violence, likely increasing the threat to government, religious, and reproductive healthcare personnel and facilities and ideological opponents."
Intelligence officials believe people "across a broad range of ideologies are attempting to justify and inspire attacks against abortion-related targets and ideological opponents at lawful protests."
READ THE STORY: KTEN
A Hard to Combat Non-State Actor: Ransomware
FROM THE MEDIA: Ransomware attacks on government agencies and municipalities are rising, especially in the United States. Cybercriminals behind these attacks target any network associated with the facets of public life, from city government agencies to school districts and even to police departments.
Ransomware attacks block access to your device, personal data, and other information by encrypting that data. Cybercriminals then hold your information hostage until a ransom is paid. The attackers promise to hand over a key that would allow the victim to decrypt their files, but there is no guarantee that the extortionists will give up the decryption key once the ransom is paid. Moreover, there is no surefire way to determine whether the cybercriminals left a contingency that would allow them to attack at a later time.
READ THE STORY: DigitalJournal
AvosLocker Claims Responsibility For Christus Health Ransomware Attack
FROM THE MEDIA: Dallas, Texas-based Christus Health faced a ransomware attack later claimed by the AvosLocker ransomware group, The Dallas Morning News reported. Christus Health told the local news outlet that it had successfully identified and blocked the unauthorized activity but has not yet confirmed the specifics of the event.
Christus Health is a non-profit, faith-based health system with facilities in 60 cities across the US, Mexico, Chile, and Colombia.
READ THE STORY: Health IT Security
Water companies are increasingly uninsurable due to ransomware, industry execs say
FROM THE MEDIA: More water companies are finding they are uninsurable as ransomware attacks against the sector grow, water utility and association executives said Wednesday.
Insurers are increasingly requiring water utilities to meet stringent cybersecurity requirements to even consider insuring them, said Nick Santillo, the vice president for digital infrastructure and security at American Water, a public utility. These requirements include a strong secure access management program for protecting administrative credentials with privileged accounts, as well as endpoint detection and response tools.
READ THE STORY: CyberScoop
Costa Rican president says country is ‘at war’ with Conti ransomware group
FROM THE MEDIA: Ransomware — and particularly the Conti ransomware gang — has become a geopolitical force in Costa Rica. On Monday, the new Costa Rican president Rodrigo Chaves – who began his four-year term only ten days ago – declared that the country was “at war” with the Conti cybercriminal gang, whose ransomware attack has disabled agencies across the government since April.
In a forceful statement made to press on May 16th, President Chaves also said that Conti was receiving help from collaborators within the country, and called on international allies to help.
READ THE STORY: The Verge
How weaponized ransomware is quickly becoming more lethal
FROM THE MEDIA: Ransomware attackers continue to weaponize vulnerabilities faster than ever, setting a relentless pace. A recent survey published by Sophos found that 66% of organizations globally were the victims of a ransomware attack last year, a 78% increase from the year before. Ivanti’s Ransomware Index Report Q1 2022, released today, helps to explain why ransomware is becoming more lethal.
Ivanti’s latest index found that there’s been a 7.6% jump in the number of vulnerabilities associated with ransomware in Q1, 2022, compared to the end of 2021. The report uncovered 22 new vulnerabilities tied to ransomware (bringing the total to 310), with 19 being connected to Conti, one of the most prolific ransomware groups of 2022. Conti has pledged support for the Russian government following the invasion of Ukraine. Around the world, vulnerabilities tied to ransomware have skyrocketed in two years from 57 to 310, according to Ivanti’s report.
READ THE STORY: VentureBeat
Prioritize patching vulnerabilities associated with ransomware
FROM THE MEDIA: In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with names like Lapsus$ and Conti splashed across the page. Major organizations like Okta, Globant and kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.
READ THE STORY: HelpNetSecurity
From heist to hijack, cybercriminals are moving on financial institutions
FROM THE MEDIA: Each passing year, the number of cyberattacks skyrockets as campaigns become more sophisticated globally — even among (and maybe especially among) financial institutions. VMware Inc’s fifth annual Modern Bank Heists report highlighted that when it comes to the banking sector, cybercriminals have begun realizing that the most significant asset is nonpublic market information that can be used to fuel economic espionage.
That has also led to financial institutions facing increased destructive attacks and falling victim to ransomware more than in years past. “Sophisticated cybercrime cartels (have) evolved beyond wire transfer fraud to now target market strategies, take over brokerage accounts, and island-hop into banks,” VMware said.
READ THE STORY: Tech HQ
Russian information agencies behind cyber-attacks in Romania, says intelligence chief
FROM THE MEDIA: Russian intelligence agencies are behind the recent uptick in cyber-attacks against Romania, said Anton Rog, the head of the Cyberint National Center within the Romanian Intelligence Service (SRI), at the BCR Expert Hub cyber security conference.
“We had technical data which showed that two actors [Russian intelligence agencies] were present here: the FSB (Federal Security Service, successor to the KGB, Russia’s security and intelligence service e.n.) and the GRU (the Russian army intelligence agency - e.n.),” said Rog, quoted by Agerpres. “A few months before the start of the war, a third actor arrived in Romania, the SVR (Russia’s Foreign Intelligence Service). As such, right now, when it comes to cyber espionage, all the relevant Russian intelligence agencies are attempting, through complex attacks, to be present in Romania,” he said.
READ THE STORY: Romania Insider
North Korean IT Workers Using US Salaries to Fund Nukes
FROM THE MEDIA: North Korean information technology workers have been attempting to obtain employment in public and private sectors in the United States to fund their home country's weapons of mass destruction and ballistic missiles programs, according to an advisory from U.S. federal agencies.
"There are reputational risks and the potential for legal consequences, including sanctions designation under U.S. and United Nations authorities, for individuals and entities engaged in or supporting [Democratic People's Republic of Korea] IT worker-related activity and processing related financial transactions," the U.S. Department of State, the U.S. Department of the Treasury and the FBI say in an advisory.
READ THE STORY: GOV InfoSecurity
Cybercriminals are targeting financial institutions in the Kingdom of Saudi Arabia
FROM THE MEDIA: Resecurity, a California-based cybersecurity company that provides managed threat detection and response to Fortune 500 corporations worldwide, has registered a significant increase in malicious activity targeting private individuals and business customers of major financial institutions in the Kingdom of Saudi Arabia.
As a member of FS-ISAC (Financial Services Information Sharing and Analysis Center) and InfraGard, the company monitors financial crimes and cybercriminal activity to facilitate public-private collaboration and, as a result, to minimize the risks of online banking theft and new types of digital fraud.
The spike in malicious activity has been especially visible in Q2 2022, when Saudi businesses went into their holiday period for the Holy Month of Ramadan, a time that always attracts cybercriminals because security teams and anti-fraud departments may lack the visibility and resources to react preemptively.
In one of the recent campaigns identified by Resecurity, fraudsters designed high-quality phishing kits impersonating 12 financial institutions, built to steal the credentials of customers who use online banking.
READ THE STORY: Arabian Business
The terrorist threat posed by lone actors is 'difficult to detect,' says federal report
FROM THE MEDIA: Violent extremists in Canada have the "intent and capability" to commit acts of terrorism, but detecting attacks by lone actors or small groups before they happen is "difficult," says an internal threat assessment conducted for the federal government last year.
The warning is found in a threat analysis prepared by the federal government's Integrated Terrorism Assessment Centre (ITAC) in the lead-up to last year's muted Canada Day celebrations.
At the time, the team — which works with the Canadian Security Intelligence Service (CSIS) to advise the federal government on terrorist threats — was worried that ideologically or religiously motivated extremists could seize the occasion of the national holiday to make a violent statement.
READ THE STORY: CBC
KurayStealer – Tool Sold to Criminals That Has Password-Stealing and Screenshot Capabilities
FROM THE MEDIA: On April 23rd, 2022, an advertisement by a Discord user with the handle “Portu” for a new password-stealing malware builder spread across the internet.
It is the sort of program that lets so-called script kiddies build their own executables from scratch. Recently, threat analysts at Uptycs discovered in the wild the first sample of what they call KurayStealer, which is based on the Portu-inspired malware.
READ THE STORY: GBHackers
How Threat Actors Are a Click Away From Becoming Quasi-APTs
FROM THE MEDIA: The first shots fired in the current conflict between Russia and Ukraine were not by firearms, but keystrokes. In this new-age war, the cybersphere is a primary battleground, and advanced threat actor groups are the foot soldiers. This Russian-Ukrainian cyber battlefield is complex and multipolar, populated by many disparate threat groups, each determined to do their part — and take their share of the winnings.
Moscow deviated from the standard norms of conventional warfare when it attacked Georgia in 2008 and deployed major cyberattacks against Georgian websites and Internet infrastructure. This was reported to be a Kremlin-backed, nation-state campaign, according to the Small Wars Journal. It was considered the "first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other warfighting domains."
READ THE STORY: DarkReading
US recovers $15 million from global Kovter ad fraud operation
FROM THE MEDIA: The US government has recovered over $15 million from Swiss bank accounts belonging to operators behind the '3ve' online advertising fraud scheme.
Switzerland transferred $15,111,453.84 to the US government as part of a Final Order of Forfeiture related to United States v. Sergey Ovsyannikov, one of the conspirators in the global ad fraud campaign.
In 2018, the Department of Justice announced an indictment against Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko for their involvement in the 3ve ad fraud botnet.
READ THE STORY: BleepingComputer
Items of interest
China’s chaotic regulatory crackdown reflects splits among policymakers
FROM THE MEDIA: For nearly two years, a crackdown under President Xi Jinping’s banner of “common prosperity” has brought a clutch of China’s biggest companies to heel and reasserted the Communist party’s control over the country’s tycoons. But a stark change of rhetoric from policymakers in recent months, including vice-premier and top economic official Liu He and premier Li Keqiang, has stoked hopes a regulatory storm that has wiped trillions of dollars off the value of Chinese companies may be close to ending.
In a meeting of China’s top political consultative body attended by industry leaders on Tuesday, Liu pledged support for the “platform economy” and for “digital enterprises” to list shares overseas. But the remarks were overshadowed and undermined by comments Xi made six months ago that were republished this week in Qiushi, the party’s flagship journal. The president restated his vision of “common prosperity” and stressed the importance of “supervision of capital” and “reining in its negative effects”.
The distance between the promises from leaders such as Liu and Li and commercial realpolitik is emblematic of the chaotic policy environment as rival factions in Beijing battle for influence and favour under the most powerful Chinese leader in a generation. The fight is between senior party and government officials focused on economic growth and those more concerned with security and party control. Neither group threatens Xi’s primacy but the fallout has echoes of the infighting and policy guesswork that plagued China under Mao Zedong.
READ THE STORY: FT
On the Offense: Defending DeFi Against Cyber Threats (Video)
FROM THE MEDIA: On the Offense: Defending DeFi Against Cyber Threats.
How to Hunt for Cyber Threats Using Network Metadata and AI (Video)
FROM THE MEDIA: The network metadata the Vectra platform produces can be valuable for threat investigations. Have you wondered how you could make use of the same metadata to proactively hunt for threats? In this webinar, Vectra Sidekick MDR analysts will describe techniques to identify three common attacker behaviors in your environment. Sidekick analysts will walk you through the specific workflows for each attack technique, provide best practices for hunting in your own environment, and answer questions about how to threat hunt using the Vectra platform. Recall will be used for this webinar.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com