Friday, June 03, 2022 // (IG): BB //Weekly Sponsor: UNDERWORLD BJJ
Attackers Weaponize Vulnerabilities Days After Publishing
FROM THE MEDIA: Cyber Security Works (CSW) reported 22 new vulnerabilities associated with ransomware in the first quarter, a 7.6% spike since January, and the time window to patch before vulnerabilities are exploited is getting shorter.
CSW is a U.S. Department of Homeland Security-sponsored common vulnerabilities and exposures (CVEs) Numbering Authority, and it also offers attack surface management services. Its threat intelligence researchers found almost all the new vulnerabilities (21) are considered of critical or high-risk severity, and 19 are associated with the Conti ransomware gang.
Plus, 141 of Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators including 18 new additions this quarter, according to the research.
READ THE STORY: SDXCentral
CISA Warns of Karakurt Extortion Group
FROM THE MEDIA: Federal authorities are warning enterprises about a relatively new data extortion group called Karakurt that is targeting organizations for data theft and then holding the data for ransom and demanding large Bitcoin payments in exchange for not publishing the stolen information.
The group does not deploy ransomware on compromised networks, but instead exfiltrates valuable corporate, employee, and customer information and then threatens to publish it if the ransom demands aren’t met. That extortion tactic is quite similar to what some ransomware groups do as an added way to pressure their victims to pay. But Karakurt relies solely on the extortion piece and has demanded as much as $13 million from victims, according to a new advisory from the FBI, the Cybersecurity and Infrastructure Security Agency and other federal agencies.
READ THE STORY: DUO
US Sanctions Force Evil Corp to Change Tactics
FROM THE MEDIA: Researchers have investigated multiple LockBit intrusions that they attribute to a threat cluster sharing numerous overlaps with the well-known Evil Corp cybercriminal group. The use of LockBit would signify a notable shift in tactics for the group, which researchers believe is part of an effort to both evade detection and sidestep the 2019 sanctions placed on Evil Corp by the U.S. government.
The financially motivated threat cluster in question, called UNC2165, has significant similarities to campaigns that have been publicly attributed to Evil Corp. For instance, the actor relies heavily on an infection chain called FakeUpdates - a multi-stage JavaScript dropper that typically masquerades as a browser update - to obtain initial access. Researchers also noted overlaps in the infrastructure and ransomware used by the two groups.
READ THE STORY: DarkReading // DUO
SecureWorks researches new threat to Elasticsearch databases
FROM THE MEDIA: Researchers from SecureWorks' Counter Threat Unit (CTU) have identified indexes of multiple internet-facing Elasticsearch databases replaced with a ransom note. The CTU says the note demands a Bitcoin payment in exchange for the data. It says the indexes reside on various versions of Elasticsearch and require no authentication to read or write. CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. However, they say it is impossible to determine the actual number of victims because most of the databases were hosted on networks operated by cloud computing providers.
They say it is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases. In each case, data held in the databases was replaced with a ransom note stored in the 'message' field of an index called 'read_me_to_recover_database'. The CTU says inside the 'email' field was a contact email address. CTU researchers identified four distinct email addresses used in this campaign.
READ THE STORY: Security Brief Asia
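The indicators in the CTU write-up are concrete enough to check for on your own clusters: an index named 'read_me_to_recover_database' whose documents carry the note in a 'message' field and a contact address in an 'email' field. The script below is an added example and is not code from SecureWorks or the article; it parses the JSON that Elasticsearch's `_cat/indices?format=json` and `_search` endpoints return, flags the ransom index, pulls the two fields out as indicators, and lists non-system indices that now hold zero documents (a cheap signal for data that was wiped). The API responses embedded in it are constructed stand-ins; the `fetch_json`/`audit_cluster` helpers and the `base_url` they take are assumptions for running the same checks against a live, authorised cluster and are not exercised by the offline run.

```python
"""Audit Elasticsearch API output for the 'read_me_to_recover_database'
ransom-note pattern. Added example; all sample data is constructed."""
import json
import urllib.request
from typing import Any

# Index name reported by the CTU research; extend the set if new variants appear.
RANSOM_INDEX_NAMES = {"read_me_to_recover_database"}

# Constructed stand-in for GET /_cat/indices?format=json on an affected cluster.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "read_me_to_recover_database", "docs.count": "1"},
    {"health": "yellow", "status": "open", "index": "orders-2022", "docs.count": "0"},
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "12"},
])

# Constructed stand-in for GET /read_me_to_recover_database/_search.
SAMPLE_SEARCH = json.dumps({
    "hits": {"total": {"value": 1, "relation": "eq"}, "hits": [{
        "_index": "read_me_to_recover_database", "_id": "1",
        "_source": {"message": "Your database has been deleted. Pay to recover it.",
                    "email": "contact@example.invalid"},
    }]}
})


def find_ransom_indices(cat_indices_json: str) -> list[str]:
    """Return the names of indices matching the known ransom-note index name."""
    return [row["index"] for row in json.loads(cat_indices_json)
            if row["index"] in RANSOM_INDEX_NAMES]


def find_emptied_indices(cat_indices_json: str) -> list[str]:
    """Return non-system indices with zero documents. Next to a ransom index,
    these are the likely candidates for data that was replaced or wiped."""
    out = []
    for row in json.loads(cat_indices_json):
        name = row["index"]
        if name.startswith(".") or name in RANSOM_INDEX_NAMES:
            continue  # skip internal indices such as .kibana and the note itself
        if int(row.get("docs.count") or 0) == 0:
            out.append(name)
    return out


def extract_ransom_notes(search_json: str) -> list[dict[str, str]]:
    """Pull the 'message' and 'email' fields from each hit so they can be
    recorded as indicators without copying whole documents around."""
    notes = []
    for hit in json.loads(search_json)["hits"]["hits"]:
        src = hit.get("_source", {})
        notes.append({"index": hit["_index"], "id": hit["_id"],
                      "message": src.get("message", ""), "email": src.get("email", "")})
    return notes


def audit(cat_indices_json: str, search_json_by_index: dict[str, str]) -> dict[str, Any]:
    """Combine the checks into one report from already-fetched JSON strings."""
    ransom = find_ransom_indices(cat_indices_json)
    notes = []
    for name in ransom:
        if name in search_json_by_index:
            notes.extend(extract_ransom_notes(search_json_by_index[name]))
    return {
        "ransom_indices": ransom,
        "emptied_indices": find_emptied_indices(cat_indices_json),
        "notes": notes,
        "contact_emails": sorted({n["email"] for n in notes if n["email"]}),
    }


def fetch_json(base_url: str, path: str, timeout: float = 5.0) -> str:
    """Fetch raw JSON from a live cluster. base_url (for example
    http://127.0.0.1:9200) is a placeholder the operator supplies; this helper
    is an assumption of the example and is not used in the offline run."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def audit_cluster(base_url: str) -> dict[str, Any]:
    """Run the same audit against a cluster you are authorised to inspect."""
    cat = fetch_json(base_url, "/_cat/indices?format=json")
    searches = {name: fetch_json(base_url, f"/{name}/_search?size=50")
                for name in find_ransom_indices(cat)}
    return audit(cat, searches)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    report = audit(SAMPLE_CAT_INDICES, {"read_me_to_recover_database": SAMPLE_SEARCH})
    print(json.dumps(report, indent=2))
```

The functions take JSON strings rather than a client object so the same logic can be run over responses saved during an incident (for example from a proxy or a ticket) without cluster access. An empty `ransom_indices` list does not prove the cluster is clean; the `_cat/indices` call itself succeeding without credentials is already the finding that matters, since the CTU notes the affected instances required no authentication to read or write.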
Russia, backed by ransomware gangs, actively targeting US, FBI director says
FROM THE MEDIA: The speech comes at an urgent time for the FBI and other federal agencies looking to prevent a potentially catastrophic act of retaliation by Russia-linked threat actors since the invasion of Ukraine in February. The FBI, working in concert with the Cybersecurity and Information Security Agency, the National Security Agency and foreign allies, has repeatedly warned industries about potential malicious cyber activity against critical infrastructure sites, including energy, utilities and water.
Wray reminded the conference that Russia was behind the 2017 NotPetya attacks, which started out as an attack that appeared to be criminal in nature, but rapidly spread across Europe, hit the U.S., Australia and even some organizations inside Russia.
READ THE STORY: Cyber Security Dive
Telegram’s Blogging Platform Comes Under Attack By Phishing Actors
FROM THE MEDIA: Popular app Telegram has recently faced some major trouble in terms of its anonymous platform for bloggers. Telegraph has been at the center of leading attacks by an array of phishing actors, as the researchers recently revealed through a public statement. Phishing actors are going as far as exploiting the platform by undermining its relaxed policies that bring forward an array of landing pages that ultimately end up being at the center of theft of users’ sensitive data.
Through Telegraph, users are able to publish anything they desire without the hassle of making a new account or giving any details about their true identity. But while it may sound quite lucrative at first, many are calling the platform out for being too relaxed in today’s digital era where cybercrime is at an all-time high.
READ THE STORY: Digital Information World
Chinese LuoYu hackers deploy cyber-espionage malware via app updates
FROM THE MEDIA: A Chinese-speaking hacking group known as LuoYu is infecting victims with the WinDealer information stealer, malware deployed by replacing legitimate app updates with malicious payloads in man-on-the-side attacks. To do that, the threat actors actively monitor their targets' network traffic for app update requests linked to popular Asian apps such as QQ, WeChat, and WangWang and replace them with WinDealer installers. Once deployed, WinDealer helps the attackers search for and siphon large amounts of data from compromised Windows systems, install backdoors to maintain persistence, manipulate files, scan for other devices on the network, and run arbitrary commands.
READ THE STORY: BleepingComputer
Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability
FROM THE MEDIA: Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it said in an advisory.
"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available.
READ THE STORY: THN
Starlink's success in Ukraine amplifies interest in anti-satellite weapons
FROM THE MEDIA: In a report published earlier this week, the Secure World Foundation, a space-oriented NGO, warned that in the past few years there's been a surge of interest in offensive counterspace weapons that can disrupt space-based services. "The existence of counterspace capabilities is not new, but the circumstances surrounding them are," the report [PDF] says. "Today there are increased incentives for development, and potential use, of offensive counterspace capabilities."
"There are also greater potential consequences from their widespread use that could have global repercussions well beyond the military, as huge parts of the global economy and society are increasingly reliant on space applications."
READ THE STORY: The Register
China government-backed hackers exploiting new Microsoft Office bug
FROM THE MEDIA: China government-backed hackers, previously observed targeting the Tibetan government-in-exile based in Dharamshala, are actively exploiting a bug in Microsoft Office to steal and delete users' data. According to cyber-security firm Proofpoint, the newly-discovered vulnerability titled 'Follina' in Microsoft Office is being exploited by advanced persistent threat (APT) group 'TA413' linked to the Chinese government. "TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration," Proofpoint said in a tweet. Chinese hackers have a long history of using software security flaws to target Tibetans.
Microsoft has acknowledged the vulnerability, officially tracked as CVE-2022-30190, a Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability, but had yet to issue a security patch.
READ THE STORY: The Sentinel // Tech Republic
Smartphones Powered by Unisoc SoCs Vulnerable to Hacking, Claims Check Point Research
FROM THE MEDIA: Several low-cost smartphones are vulnerable to hacking due to a number of flaws in the modems and other chip-related problems that put Android users at risk. Check Point Research, a cyber security research firm, has discovered a vulnerability in the Unisoc modem that might affect communication, according to a recent study.
Users should not be alarmed at this time, since Check Point Research notified the Unisoc teams back last month (May 2022) and informed them of their findings. Unisoc verified the findings and fixed the vulnerability with a critical 9.4 rating. Google has announced that the fix will be released in the next Android Security Bulletin, and hence it is recommended for users to always stay updated. Let’s take a closer look at the vulnerability and everything we know so far.
READ THE STORY: My Smart Price
Russian Hacking Group Turla Targeted Entity in Europe Last Month
FROM THE MEDIA: The Russian hacking group Turla targeted an entity in a European nation last month, according to a threat alert document seen by Bloomberg News. It’s the second time in recent weeks that activity by Turla, which is considered a top-level cyber-espionage threat, has been detected in the European Union, the document says. Hackers used a decoy Microsoft Corp. document and JavaScript backdoor to target the entity, according to the EU document.
Authorities in the UK and US, in addition to cybersecurity firms, have published several warnings in recent years about Turla, which is also known as Venomous Bear and Waterbug. It deploys a variety of techniques to target government, military, technology, energy and commercial organizations for intelligence gathering, according to authorities.
READ THE STORY: Dark Reading
Iranian Hackers Attempted Attack on Children’s Hospital, Russia’s Cyberattacks ‘Pale In Comparison to China’s’: FBI Director
FROM THE MEDIA: Hackers sponsored by the Iranian regime attempted a cyberattack against the Boston Children’s Hospital last year, revealed FBI Director Christopher Wray at a June 1 cyber security conference in Massachusetts.
“In fact, in the summer of 2021, hackers sponsored by the Iranian government tried to conduct one of the most despicable cyberattacks I’ve seen—right here in Boston—when they decided to go after Boston Children’s Hospital,” Wray said. Earlier in March, Wray had mentioned an unnamed children’s hospital being targeted by Iranian hackers.
READ THE STORY: The Epoch Times
Killnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group
FROM THE MEDIA: Killnet is one of many hacktivist groups that has taken a side in the ongoing Russian invasion of Ukraine. There have been more than 100 groups conducting cyberattacks since we published our initial analysis at the beginning of the war. Most of the attacks from these groups are distributed denial-of-service (DDoS) attacks, but they also include data breaches, data wipers and psychological operations, such as distributing propaganda.
These groups include hacktivists such as Killnet, state-sponsored entities such as Sandworm and ransomware gangs such as Conti. There are currently more than 70 active groups, located mainly in Russia or Ukraine but also in Belarus (Belarusian Cyber Partisans), Turkey (Monarch Turkish Hacktivists), Romania (Anonymous Romania), Poland (Squad303), Portugal (Anon666) and Italy (Anonymous Italia). Their coordination and the communication of their actions usually happens via either Twitter or Telegram.
READ THE STORY: Security Boulevard
Ransomware gang now hacks corporate websites to show ransom notes
FROM THE MEDIA: A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes. This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware as part of their attacks. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.
Today, Industrial Spy began selling data they claim was stolen from a French company named SATT Sud-Est for $500,000. As first noticed by security researcher MalwareHunterTeam, this attack stands out because the threat actors also hacked the company's website to display a message warning that 200GB had been stolen and would soon be up for sale if the victim did not pay a ransom.
READ THE STORY: BleepingComputer
Business’s Data May Be Vulnerable Under Proposed China Cybersecurity Rules
FROM THE MEDIA: Proposed cybersecurity rules from China could make it hard for Western financial companies to operate as their data would be vulnerable to hacking and other risks, according to an industry group, Reuters reported Thursday (June 2). This comes as several Western investment banks and asset managers have been expanding their presence in China. Some have set up wholly owned units by taking bigger shares in existing joint ventures.
The report noted that the proposed rules would make it mandatory for investment banks, asset managers and futures companies with operations in China to share data with the China Securities Regulatory Commission (CSRC), allow regulator-led testing and set up centralized data backup.
READ THE STORY: PYMNTS
Ransomware attack affects production at a Foxconn factory in Mexico
FROM THE MEDIA: Foxconn, one of the world’s biggest contract electronics manufacturers, has been hit with a ransomware attack on one of its facilities in Mexico. Talking to Bleeping Computer, the company explained, “one of our factories in Mexico experienced a ransomware cyberattack in late May. The company's cybersecurity team has been carrying out the recovery plan accordingly.”
The affected factory, which is located in Tijuana, serves as a major supply center for California, United States. To ensure production isn’t hampered by the hack, Foxconn has decided to adjust the production capacity of the factory. The company has also shared details of the attack with the management, clients, and suppliers.
READ THE STORY: Notebook Check
Kirsten Gillibrand Pushes 'Cyber Academy' to Fight China, Russia Cyber War
FROM THE MEDIA: As America finds itself in conflict with Russia over Ukraine and at odds with China over its encroachment on Taiwan, the potential for a cyber conflict between the U.S. and its top rivals remains as great a threat as ever.
"They feel less constrained," James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), told Newsweek. "The Chinese haven't changed their basic analysis, and Putin hasn't changed his basic analysis, which is 'the West is in decline, and we can do what we want.'"
READ THE STORY: NewsWeek
Can the State Department’s Cyber Bureau Tackle Digital Repression?
FROM THE MEDIA: Digital technology is exerting a powerful influence on war, geopolitics, and global norms. In Ukraine, internet platforms like TikTok have unmasked the Kremlin’s fabricated narrative about conducting a “special military operation” and showcased—missile by missile and war crime by war crime—the reality of Russia’s invasion, galvanizing global opinion. In China, AI-enabled surveillance is a key weapon used by authorities to subjugate the country’s minority Uighur population, including the mass collection of biometric information from nearly nineteen million people. In the United States, cyberattacks linked to Russian hackers took down the largest fuel pipeline in the United States, leading to oil shortages across the East Coast, panic buying at gas pumps, and anxiety within the government about the spreading damage. The digital disruption sweeping the world is not relegated to a single domain; it involves security concerns, economic considerations, political questions, and human rights issues.
READ THE STORY: National Interest
Breaking into Uvalde shooter's phone is crucial, but past cases reveal difficulties ahead
FROM THE MEDIA: Even as the investigation into the deadly school shooting in Uvalde continues to receive widespread criticism, detectives will likely have even more major hurdles to clear to reveal answers desperately demanded by the public.
On Thursday, CBS Austin obtained court documents showing a judge has granted the Texas Department of Public Safety search warrants allowing them to download the contents of the shooter's iPhone. The phone was found next to the shooter's body after he was killed by a responding officer. Before, he was barricaded with his victims - 19 children and two teachers he killed, plus the 17 he wounded - for almost an hour before the classroom door was breached.
READ THE STORY: CBS Austin
Items of interest
Diplomacy In The Time Of Cyber Conflict
FROM THE MEDIA: The emergence of cyberspace as a domain of strategic competition has made it more complicated for the Philippines to leverage the advantages of the information revolution. The Philippines is currently strengthening its network readiness by building critical information infrastructure, enhancing connectivity and implementing policies to manage the impact of new technologies. But as network readiness improves, the country will become more vulnerable to cyber intrusions by capable adversaries.
In 2017, actors traced to Vietnam leaked sensitive government documents from Malacañang Palace and the Department of Foreign Affairs in response to President Rodrigo Duterte’s preference to strengthen ties with China. Despite these incidents, there was no clear policy response from the Philippines. The Philippines is prepared to secure government networks and critical information infrastructure but responding effectively to state-sponsored cyber intrusions poses a greater challenge. The leadership, careful management and prudent communication required can only be developed over time.
READ THE STORY: EurasiaReview
Ransomware Miniseries: How DOD Fights Cyber Crime (Video)
FROM THE MEDIA: The Defense Department's Cyber Crime Center (DC3) is a federal cyber center and serves as a center of excellence for digital and multimedia forensics. Its training academy also trains thousands of DOD personnel every year. Acting Executive Director Joshua Black, a longstanding cyber expert, discusses the ransomware trends and threats facing the Defense Industrial Base in this kickoff episode in CyberCast's Ransomware Miniseries.
Actionable Threat Intelligence and the Dark Web (Video)
FROM THE MEDIA: Victoria Kivilevich, Director of Threat Research at KELA Group, describes the cybercrime ecosystem and provides guidance on how to gain and leverage actionable intelligence from dark and deep web resources.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com