Wednesday, May 25, 2022 // (IG): BB // Weekly Sponsor: UNDERWORLD BJJ
Trend Micro fixes bug Chinese hackers exploited for espionage
FROM THE MEDIA: Trend Micro says it patched a DLL hijacking flaw in Trend Micro Security used by a Chinese threat group to side-load malicious DLLs and deploy malware. As Sentinel Labs revealed in an early-May report, the attackers exploited the fact that security products run with high privileges on Windows to plant and load their own maliciously crafted DLL into memory, allowing them to elevate privileges and execute code.
"Trend Micro is aware of some research that was published on May 2, 2022, regarding a purported Central-Asian-based threat actor dubbed 'Moshen Dragon' that had deployed malware clusters that attempted to hijack various popular security products, including one from Trend Micro," the cybersecurity company said.
READ THE STORY: Bleeping Computer
Russian diplomat warns against global ‘cyber confrontation’
FROM THE MEDIA: Vassily Nebenzia, a Russian representative to the United Nations (U.N.), accused Western democracies of being one-sided and influencing the public to think negatively about his country, calling it a “Russophobic information campaign,” according to Business Insider.
Nebenzia, who spoke on Monday at a U.N. Security Council briefing, said that the West is trying to shut down Russia’s “alternative views” and build “a cyber totalitarianism” against his country.
READ THE STORY: The Hill
SAP and Cloudflare defend themselves after Ukraine accuses them over Russia activity
FROM THE MEDIA: Ukraine's tech minister this week slammed SAP and Cloudflare over their ongoing Russian operations, prompting the companies to defend their approaches to the situation. Mykhailo Fedorov told Politico at Davos that SAP, a German business-software giant, is "still continuing to work in Russia and to pay taxes to help finance the Russian army." He also said Cloudflare, a U.S. security and Internet-infrastructure company, "continues to protect Russian websites."
READ THE STORY: Fortune
Conti ransomware brand is dead, but gang restructures
FROM THE MEDIA: The Conti ransomware gang’s brand is dead. That’s the conclusion of researchers at Advanced Intelligence. Its infrastructure related to negotiations, data uploads, and hosting of stolen data has been shut down. However, before you start celebrating, the researchers say the gang has dispersed and is operating under a number of smaller brands.
This is part of a calculated scheme that started two months ago when the gang expressed support for Russia’s invasion of Ukraine. That, the researchers argue, made the Conti brand toxic to cyber intelligence agencies and organizations the gang hit. Since then almost no ransom payments have been made to the group. Its locker code became highly detectable by IT defenders and was rarely deployed.
READ THE STORY: IT World Canada
DeFi Is Getting Pummeled by Cybercriminals
FROM THE MEDIA: Decentralized finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cybercriminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.
Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cybersecurity practices of the sector.
READ THE STORY: DarkReading
Notorious Vietnamese hacker turns government cyber agent
FROM THE MEDIA: At the height of his career, Vietnamese hacker Ngo Minh Hieu made a fortune stealing the personal data of hundreds of millions of Americans. Now he has been recruited by his own authoritarian government to hunt, he says, the kind of cyber criminal he once used to be. After serving seven years in US prisons for stealing some 200 million Americans' personal details, Hieu was sent back to Vietnam, which imposes some of the world's strictest curbs on online freedom.
Hieu says he has since turned his back on his criminal past. "I fell to the bottom, now I am trying to climb up again," the 32-year-old told AFP. "Though I don't earn much now, I have peace instead." His transformation, however, is complicated.
READ THE STORY: Yahoo
A year on from JBS cyber attack, what has agribusiness learned about security?
FROM THE MEDIA: A year on from the infamous JBS cyber attack, what has agribusiness learned about digital security?
While the company’s South American operations were less affected, JBS businesses in Australia and the United States were paralyzed by the 30 May 2021 cyber breach. Australian processing operations were closed for a week, before JBS paid a A$14.2m ransom to regain control of its systems. The event disrupted cattle markets in Australia, and left a significant hole in Australia’s June 2021 monthly beef exports.
The episode attracted worldwide media attention, as the world’s largest cyber attack against an agribusiness firm.
READ THE STORY: Beef Central
Ransomware Built in Venezuela Used to Target Institutions Across Latin America
FROM THE MEDIA: Venezuela has emerged as a potential base for the development of ransomware tools for cybercriminals after one man was charged with designing software used to carry out a range of cyberattacks.
Earlier this month, Moises Luis Zagala Gonzalez, from Bolivar City, was charged in the Eastern District Court of New York for attempted computer intrusions and conspiracy to commit intrusions owing to his "use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs."
READ THE STORY: Insight Crime
New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild
FROM THE MEDIA: Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma. "Though Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware," the BlackBerry research and intelligence team said in a report shared with The Hacker News. Chaos is a customizable ransomware builder that emerged in underground forums on June 9, 2021, falsely marketing itself as the .NET version of Ryuk despite having no overlap with that notorious counterpart.
The fact that it's offered for sale also means that any malicious actor can purchase the builder and develop their own ransomware strains, turning it into a potent threat.
It has since undergone five successive iterations aimed at improving its functionalities: version 2.0 on June 17, version 3.0 on July 5, version 4.0 on August 5, and version 5.0 in early 2022.
READ THE STORY: THN
SpiceJet faces ransomware attack
FROM THE MEDIA: SpiceJet flight departures on Wednesday morning were impacted following a ransomware attack that the airline faced on Tuesday.
In a tweet, the airline said, “Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation and flights are operating normally now.”
READ THE STORY: The Hindu BusinessLine
Chaos ransomware builder linked to Onyx and Yashma variants
FROM THE MEDIA: Researchers on Tuesday reported on new insights into the Chaos ransomware builder, research that revealed a twisted family tree that links it to both the Onyx and Yashma ransomware variants.
In a blog post, the BlackBerry research and intelligence team said that clues to the Chaos malware’s links to Onyx and Yashma surfaced during a discussion between a recent victim and the threat group behind Onyx ransomware. The discussion took place on the threat actor’s leak site.
According to the researchers, someone claiming to be the creator of the Chaos ransomware builder’s kit joined the conversation, and revealed that Onyx was constructed from the author’s own Chaos v4.0 Ransomware Builder. The author went on to promote the most current version of the Chaos ransomware line, now renamed Yashma.
READ THE STORY: SC Magazine
Lesson From the VirusTotal Hack: Antimalware Solutions are Not Enough
FROM THE MEDIA: VirusTotal, owned and operated by Google, is a free online service that scans user-provided content for malware. The service uses “over 70 antivirus scanners and URL/domain blocklisting services” to identify potentially malicious code and sites for service users. This is a lot of malware detection, but it apparently was not enough.
In May 2021, the Israeli security vendor CySource allegedly used a vulnerability (CVE-2021-22204) in ExifTool to send and execute malware using a DjVu file. CySource researchers claim that ExifTool is one of the tools used by VirusTotal to extract metadata from certain file types. DjVu is a graphics file type used as the format for digitally scanned versions of books, manuals, ancient documents, and newspapers.
READ THE STORY: ToolBox
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys
FROM THE MEDIA: Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPI repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.
"In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC) said, one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package.
READ THE STORY: THN
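The takeover pattern SANS describes, a package that had not been updated in a while suddenly shipping a new release, is something a dependency consumer can check for before upgrading. The following Python script is an added example written for this digest; it is not code from the article, SANS ISC, or the ctx or phpass projects. It reads release metadata in the shape of PyPI's JSON API (`https://pypi.org/pypi/<name>/json`), flags packages whose newest release follows years of silence, and warns when a requirements line is not pinned and hash-locked so that pip could reject a swapped artifact. The package names, release dates and hash value are constructed, and the dormancy thresholds are assumptions.

```python
"""Flag dependencies whose newest release revived a long-dormant package,
the precondition behind the ctx/phpass hijacks, and check requirement pins."""
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumptions for this example, not PyPI values).
DORMANCY_DAYS = 2 * 365   # no release for this long counts as "abandoned"
RECENT_DAYS = 30          # a release this fresh after dormancy deserves review


def parse_iso(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used by PyPI's JSON API ('Z' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_timeline(releases: dict) -> list:
    """Return (first_upload_time, version) pairs sorted oldest to newest.

    `releases` mirrors the "releases" object of the PyPI JSON API:
    version -> list of file dicts, each carrying "upload_time_iso_8601".
    """
    timeline = []
    for version, files in releases.items():
        if not files:  # yanked or empty releases carry no files
            continue
        first = min(parse_iso(f["upload_time_iso_8601"]) for f in files)
        timeline.append((first, version))
    return sorted(timeline)


def dormant_revival(releases, now, dormancy_days=DORMANCY_DAYS, recent_days=RECENT_DAYS):
    """Return details when the newest release ended a long silence, else None."""
    timeline = release_timeline(releases)
    if len(timeline) < 2:
        return None
    (prev_time, prev_version), (last_time, last_version) = timeline[-2], timeline[-1]
    gap = last_time - prev_time   # silence before the newest release
    age = now - last_time         # how fresh the newest release is
    if gap >= timedelta(days=dormancy_days) and age <= timedelta(days=recent_days):
        return {"previous": prev_version, "latest": last_version,
                "gap_days": gap.days, "age_days": age.days}
    return None


def audit_requirements(lines, metadata, now):
    """Check requirements.txt lines against release metadata; return warnings."""
    warnings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        name = line
        for op in ("==", ">=", "<", "~="):
            name = name.split(op)[0]
        name = name.strip().lower()
        if "==" not in line:
            warnings.append(f"{name}: not pinned to an exact version")
        if "--hash=" not in line:
            warnings.append(f"{name}: no --hash, pip cannot reject a swapped artifact")
        meta = metadata.get(name)
        if meta:
            hit = dormant_revival(meta["releases"], now)
            if hit:
                warnings.append(
                    f"{name}: {hit['latest']} released {hit['age_days']}d ago after "
                    f"{hit['gap_days']}d of silence since {hit['previous']}; review before upgrading")
    return warnings


# Constructed sample data: package names, dates and the hash are invented and
# do not reproduce the real ctx release history.
NOW = datetime(2022, 5, 25, tzinfo=timezone.utc)
SAMPLE_METADATA = {
    "dormant-demo": {"releases": {
        "0.1.2": [{"upload_time_iso_8601": "2014-12-19T00:00:00Z"}],
        "0.2.6": [{"upload_time_iso_8601": "2022-05-21T00:00:00Z"}],
    }},
    "active-demo": {"releases": {
        "1.8.0": [{"upload_time_iso_8601": "2021-11-02T00:00:00Z"}],
        "1.9.0": [{"upload_time_iso_8601": "2022-03-15T00:00:00Z"}],
        "1.9.1": [{"upload_time_iso_8601": "2022-05-20T00:00:00Z"}],
    }},
}
SAMPLE_REQUIREMENTS = [
    "dormant-demo>=0.1  # loose pin, no hash",
    "active-demo==1.9.1 --hash=sha256:" + "0" * 64,  # placeholder digest
]

if __name__ == "__main__":
    for warning in audit_requirements(SAMPLE_REQUIREMENTS, SAMPLE_METADATA, NOW):
        print("WARN", warning)
```

Running the script warns three times about `dormant-demo` (unpinned, unhashed, revived after roughly seven and a half years of silence) and stays quiet about the regularly released, hash-pinned `active-demo`. In practice the metadata would be fetched from the PyPI JSON endpoint per dependency, and the `--hash` check pairs with `pip install --require-hashes`.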
Crypto Hacks Aren’t a Niche Concern; They Impact Wider Society
FROM THE MEDIA: The attack against the Ronin Network in March was quickly speculated to be one of the largest cryptocurrency hacks of all time. Approximately $540 million was stolen from the cryptocurrency and NFT games company in a combination of USDC and Ethereum, with $400 million of the stolen funds owned by customers playing the game Axie Infinity.
This attack was the latest in a string of thefts perpetrated against crypto and should be a jolt to both the digital asset and cybersecurity communities to bring the security of cryptocurrencies into line.
READ THE STORY: DarkReading
Comodo and AquaOrange Software Partner to Deliver Zero Trust Endpoint Protection to Thailand
FROM THE MEDIA: Comodo Security Solutions, a leading provider of endpoint protection, today announced that it has partnered with AquaOrange Software, a large managed-service provider in Thailand, to boost its presence and better support customers in Southeast Asia. The company will now deliver Comodo's patented Auto-Containment technology to defeat zero-day attacks with no impact on its customers' end-user experience.
This partnership comes at a critical time as ransomware attacks are increasing exponentially. More than 300,000 new ransomware variants are released each day. While other cybersecurity solutions detect and report on threats, Comodo's Advanced Endpoint Protection (AEP) is the only solution on the market that both protects and prevents 100% of ransomware and other malware before any damage occurs.
READ THE STORY: Benzinga
‘Smishing’ scams plague consumers and companies, and the next variant could be even worse
FROM THE MEDIA: “Smishing” – an insidious type of social engineering scam that exploits text (or SMS) messages – is becoming a big business opportunity for scammers. An FBI report shows that more than 320,000 Americans were targeted by these schemes in 2021, resulting in $44 billion in losses.
Unfortunately, these attacks have only become more frequent over time. Data from a recent TrueCaller report shows that consumers face an average of 19.5 spam texts per month, a rate that has more than doubled over the last three years.
Smishing scams often begin with a text message that includes a fake survey, a notification that a person has won something, or an “urgent” message about a bank account or credit card. Those texts invite a consumer to click a link, call a phone number, or contact an email address that the attacker provides. Once the victim does that, the race is on. Victims are usually asked to share things like login credentials, account numbers, and other sensitive personal information.
READ THE STORY: Consumer affairs
Asia Pacific plagued by sophisticated bad bots
FROM THE MEDIA: The Asia Pacific region is being plagued by sophisticated bad bots, according to new research. Imperva has released the 2022 Imperva Bad Bot Report, the ninth annual in-depth analysis of bot traffic across the internet by Imperva Threat Research. The report found bad bots, software applications that run automated tasks with malicious intent, accounted for a record-setting 27.7% of all global website traffic in 2021, up from 25.6% in 2020. The Asia Pacific region was slightly lower, with bad bots accounting for 25.9% of website traffic in 2021.
The three most common bot attacks were account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items. Of the five APAC countries studied, Singapore had the highest proportion of bad bot traffic at 39.1%. China followed Singapore's lead with 38.6% of bad bot traffic. Next was Australia (25.7%), New Zealand (20.3%), and Japan (16.9%).
READ THE STORY: Security Brief
CISA assures lawmakers on protecting 5G networks from EMP
FROM THE MEDIA: The Homeland Security Department’s cyber agency has assured lawmakers that it is working to understand the potential impacts of an electromagnetic pulse (EMP) on 5G cellular communications, as the US government — including the Pentagon — rushes to keep pace with China.
“We are certainly concerned about a range of risks, natural or human cause that could degrade our critical infrastructure and national critical functions,” Eric Goldstein, executive assistant director for cybersecurity at the department’s Cybersecurity and Infrastructure Security Agency (CISA) told lawmakers last week at a hearing of the House Homeland Security subcommittee on cybersecurity, infrastructure and innovation.
READ THE STORY: Breaking Defense
Mandiant reveals more Zero-days exploited in 2021 than ever before
FROM THE MEDIA: Mandiant Threat Intelligence identified 80 zero-days exploited in the wild in 2021, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors.
Zero-day exploitation increased from 2012 to 2021, and we expect the number of zero-days exploited per year to continue to grow. Several factors likely contribute to growth in the quantity of zero-days exploited. For example, the continued move toward cloud hosting, mobile, and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet—put simply, more software leads to more software flaws. The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups. Finally, enhanced defenses also likely allow defenders to detect more zero-day exploitation now than in previous years, and more organizations have tightened security protocols to reduce compromises through other vectors.
READ THE STORY: Zawya
Xbox Gives Ukraine Their Own Store as Microsoft Helps Document War Crimes
FROM THE MEDIA: Ukrainian gamers will be getting their own Xbox accounts and Xbox Store. The news was revealed by Ukraine government official Mykhailo Fedorov (thanks ResetEra), although Microsoft is yet to officially comment, so there is no release date for this yet. Those wanting to migrate their Xbox Live account to Ukraine will be able to take their current profile, achievements, Xbox Game Pass and Live Gold subscriptions, and Gamertag with them. However, existing funds in their Microsoft account cannot be transferred and need to be spent before the transfer.
The news came as a side note from Microsoft President and Vice Chairman Brad Smith’s presence at Microsoft Envision UK, where he revealed how the company is helping the Ukraine government as it adapts to a new world. The data and work of many ministries of the Ukrainian government were moved to the cloud rather than using servers within the country. Microsoft’s knowledge of the digital industry will help the country rebuild some of its data processes and protect against cyber attacks that had been going on before the first shells were fired by Russia. Finally, they’ll also co-operate with Ukraine to document damages and war crimes for UN agencies. Of course, most of this assistance will not be conducted within the public realm.
READ THE STORY: Game Revolution
Items of interest
Defense Diary: By Acing Space Race, India Can Cut Military Spending, Develop Self-reliance, Deter China
FROM THE MEDIA: If and when the final order is placed, this will be the first-ever dedicated communications satellite for the 13-lakh-strong Indian Army. The force did not have a dedicated satellite of its own; it shared the services of the GSAT 7A for the Indian Air Force (IAF) launched in 2018 by the Indian Space Research Organization (ISRO).
The primary communication satellite for the Navy, GSAT 7, was launched in 2013. The Navy has already placed an order to procure the GSAT 7R satellite as a replacement for the existing GSAT 7. In November last year, the Defense Acquisition Council (DAC) approved the proposal to procure the GSAT 7C satellite for the IAF.
In the last three years, India’s efforts in the space sector for the military include setting up the tri-service Defense Space Agency for the command and control of the military’s space assets and the Defense Space Research Organization (DSRO) in 2019. In the same year, India also conducted a simulated space warfare exercise called IndSpaceEx.
In 2020, the government had approved the creation of IN-SPACe—an independent nodal agency under the Department of Space to encourage private participation in the domain—but it is yet to fully take shape. In the works is also a separate space policy that would take into account the Indian military’s needs in the domain.
However, even if one avoids a comparison with China—which has been heavily investing in establishing space dominance in the last two decades—it is high time that India’s space reforms gather greater pace.
This is because India needs to use space better for uninterrupted and seamless communication over large geographical areas, navigation, ballistic missile warning and superior Intelligence-Surveillance-Reconnaissance (ISR) capabilities, among other needs, while becoming self-reliant in these capabilities.
READ THE STORY: News18
Going phishing: Kiwis losing tens of millions to 'cyber baddies' (Video)
FROM THE MEDIA: Online scams are becoming more varied, and increasingly sophisticated.
Cloudflare CEO talks cyber security, Russia Ukraine war, global economy, recession threat and more (Video)
FROM THE MEDIA: Cloudflare CEO Matthew Prince joins Yahoo Finance editor-at-large and anchor Brian Sozzi to discuss key takeaways from Davos World Economic Forum 2022, the state of the global economy, and cybersecurity.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com