Wednesday, June 08, 2022 // (IG): BB //Weekly Sponsor: UNDERWORLD BJJ
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
FROM THE MEDIA: PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.
READ THE STORY: CISA
Lebanese threat actor targets Israeli organizations
FROM THE MEDIA: Microsoft says a previously little-observed Lebanese threat actor dubbed "POLONIUM" is coordinating with Iran’s Ministry of Intelligence and Security (MOIS) to target Israeli entities in the critical manufacturing, IT, and defense industries. The threat actor used legitimate OneDrive accounts as command-and-control platforms, and the researchers suspect that the actor gained initial access to victims' networks by exploiting CVE-2018-13379 in unpatched Fortinet devices:
"MSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques. Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability."
READ THE STORY: The CyberWire
Mossad blamed for cyberattack on Tehran municipality
FROM THE MEDIA: The head of the Tehran City Council blamed the Mossad and anti-government groups for a cyberattack against the municipality, the Iranian Mehr News Agency reported on Tuesday.
On Thursday, a group called "Uprising until Overthrow," affiliated with The People's Mujahedin Organization of Iran (the Mujahedin-e-Khalq or MEK), claimed that it had hacked into the Tehran municipality's security cameras and defaced the municipality's website with a graphic that criticized the "anti-human Khomeini," according to the Voice of America.
READ THE STORY: JPOST
‘Assume you can be jammed’ — What US troops are learning about electronic warfare in Ukraine
FROM THE MEDIA: Russia’s use of electronic warfare in eastern Ukraine provides a preview to U.S. troops about what it will be like to fight an adversary that can intercept and jam their communications, sever all links to their drones flying overhead, and blind their radars and other sensors.
“Electronic warfare is almost by definition one of the hardest things to discern on the battlefield,” Russian military analyst Michael Kofman told Task & Purpose. “It seems early on Russia was not well prepared to employ these capabilities, but now there are numerous stories of localized jamming and disabling of drones.”
READ THE STORY: Task and Purpose
Evil Corp Hacker Group Changes Ransomware Tactics to Evade US Sanctions
FROM THE MEDIA: Russian hacker group Evil Corp has reportedly updated its attack methods to avoid sanctions prohibiting US companies from paying it a ransom.
The shift was reported by threat intelligence firm Mandiant, who recently wrote a blog post attributing a series of Lockbit ransomware intrusions to UNC2165, a threat cluster sharing numerous overlaps with Evil Corp.
Evil Corp was sanctioned by the US Treasury Department in December 2019 for using the Dridex malware to infect hundreds of banks and financial institutions across 40 countries and steal more than $100m.
From a regulatory standpoint, these sanctions essentially prevent targeted organizations from paying Evil Corp a ransom to restore access to their systems. That is why operating as an ordinary LockBit affiliate matters: a victim who cannot attribute the intrusion to Evil Corp has no sanctions reason to refuse payment.
READ THE STORY: InfoSecurity Magazine
Qbot malware now uses Windows MSDT zero-day in phishing attacks
FROM THE MEDIA: A high-severity Windows zero-day in the Microsoft Support Diagnostic Tool (MSDT), known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware. Microsoft's interim guidance is to disable the ms-msdt: URL protocol handler, which is what the malicious document ultimately invokes.
Proofpoint first reported Monday that the same zero-day was used in phishing targeting US and EU government agencies. Last week, the enterprise security firm also revealed that the Chinese TA413 hacking group is exploiting the bug in attacks targeting the Tibetan diaspora. As Proofpoint security researchers shared today, the TA570 Qbot affiliate has now begun using malicious Microsoft Office .docx documents to abuse the Follina CVE-2022-30190 security flaw and infect recipients with Qbot.
READ THE STORY: Bleeping Computer
Think Twice Before You Scan That QR Code
FROM THE MEDIA: It seems like QR codes are everywhere now. Thanks to the COVID pandemic, QR codes catapulted from a semi-niche concept to a virtual requirement. Restaurants and bars adopted QR codes to provide menus without passing germs, and businesses of all types embraced QR codes as a method for paying for goods and services. Unfortunately, any technology that makes life easier or more convenient, also makes it easier for cybercriminals and exposes you to increased risk.
When used as intended, the QR code is pretty cool. Just point the camera of your smartphone at a QR code and it will pop up a link you can tap to visit the designated website. The problem, however, is that you don't actually know what the designated website is. Most phones preview the decoded URL before opening it, but a shortened link, a look-alike domain or a credentials-before-host trick (https://brand.example@attacker.example/) defeats a glance at that preview, so you have no reliable way to tell a legitimate website from a malicious destination.
READ THE STORY: Forbes
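As an added example (not code from the Forbes article), here is a small inspector for what a QR code decoded to, run before anyone taps it. The scanner app is out of scope; the function takes the decoded string, which is what the phone's preview shows, and returns the reasons a practitioner might refuse to open it. The shortener list, the thresholds and the sample payloads are assumptions constructed for the demo.

```python
"""Inspect a decoded QR payload before acting on it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a short list of public URL shorteners for illustration. A
# shortener hides the real destination behind a redirect, so the preview
# tells you nothing about where you will land.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly"}
# Non-URL QR payloads the phone may act on without ever opening a browser.
NON_URL_PREFIXES = ("WIFI:", "tel:", "sms:", "mailto:", "MATMSG:", "BEGIN:VCARD")


def inspect_qr_payload(payload: str) -> list[str]:
    """Return human-readable warnings for a decoded QR string (empty = ordinary)."""
    warnings = []
    text = payload.strip()

    # Action payloads (join Wi-Fi, prefill an SMS, add a contact): flag, don't parse.
    if text.upper().startswith(tuple(p.upper() for p in NON_URL_PREFIXES)):
        kind = text.split(":", 1)[0]
        return [f"non-URL action payload ({kind}); review before accepting"]

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"unexpected scheme '{scheme or '(none)'}'; refuse to open"]
    if scheme == "http":
        warnings.append("plain HTTP: destination and content can be tampered with in transit")

    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://paypal.com@evil.example/ shows 'paypal.com' first in a preview;
        # the browser connects to whatever follows the '@'.
        warnings.append(f"credentials/userinfo before host: real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host in SHORTENERS:
        warnings.append(f"URL shortener '{host}': final destination is hidden behind a redirect")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised (punycode) host: possible homoglyph look-alike")
    if host.count(".") >= 4:
        warnings.append("deeply nested subdomain: brand name may be a decoy prefix")
    first_label = host.split(".")[0] if host else ""
    if re.search(r"[0-9]", first_label) and re.search(r"(pay|bank|login|secure)", host):
        warnings.append("digits mixed into a brand-like label (e.g. 'g00gle')")
    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a phone would decode them.
    for sample in (
        "https://menu.example-restaurant.com/table/12",
        "http://paypal.com@evil.example/login",
        "https://bit.ly/3xyz",
        "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
    ):
        print(sample, "->", inspect_qr_payload(sample) or ["no warnings"])
```

The userinfo check is the one most people miss: the preview bar on a phone is short, and a URL that begins with a trusted brand name reads as that brand until you notice the `@`.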
Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware
FROM THE MEDIA: A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. "The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. SVCReady is said to be in its early stage of development, with the authors iteratively updating the malware several times last month. First signs of activity date back to April 22, 2022.
Infection chains involve sending Microsoft Word document attachments to targets via email that contain VBA macros to activate the deployment of malicious payloads.
READ THE STORY: THN
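Both of the Office delivery tricks on this page leave static indicators in the document package, so here is an added triage example (not code from Proofpoint, HP or Microsoft) that inspects a .docx for both. Follina-style delivery, as in the Qbot story above, relies on an OLE relationship whose Target is an external URL; the ms-msdt: URI itself lives in the fetched HTML, so the docx-side indicator is the external relationship, not the string "ms-msdt". SVCReady-style delivery stores a payload in document properties that a macro reads back, so an unusually long or hex-looking property value together with a VBA project is the indicator. The length and hex thresholds, the placeholder URLs and the sample documents are constructed for the demo.

```python
"""Static triage of a .docx for external OLE targets and payload-sized properties (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Assumptions: what counts as a "property that looks like a stored payload".
MAX_PROP_LEN = 256
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{64,}$")
ODD_SCHEME = re.compile(r"^(ms-[a-z]+|mhtml|javascript|file):", re.I)


def triage_docx(data: bytes) -> dict:
    """Walk every .rels part and the core/app properties; return findings."""
    findings = {"external_ole": [], "odd_targets": [], "odd_properties": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rel.get("Type") == OLE_REL_TYPE and external:
                    findings["external_ole"].append(target)   # Follina-style
                elif ODD_SCHEME.match(target):
                    findings["odd_targets"].append(target)    # direct odd URI handler
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in names:
                continue
            for el in ET.fromstring(z.read(part)).iter():
                text = (el.text or "").strip()
                if len(text) > MAX_PROP_LEN or HEX_BLOB.match(text):
                    findings["odd_properties"].append((el.tag.split("}")[-1], len(text)))
    return findings


def verdict(findings: dict) -> str:
    if findings["external_ole"] or findings["odd_targets"]:
        return "block: external/odd object target (Follina-style remote OLE)"
    if findings["has_vba"] and findings["odd_properties"]:
        return "block: macro plus payload-sized document property (SVCReady-style)"
    if findings["has_vba"]:
        return "review: macro-enabled"
    return "allow"


def build_docx(external_target=None, prop_blob=None, vba=False) -> bytes:
    """Constructed minimal .docx with just enough structure for the triage above."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    doc_rels = f'<Relationships xmlns="{PKG_REL_NS}">{"".join(rels)}</Relationships>'
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:title>Invoice</dc:title><dc:description>{prop_blob or ""}</dc:description>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("docProps/core.xml", core)
        if vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # attacker.invalid is a placeholder host, not an indicator from any report.
    print(verdict(triage_docx(build_docx(external_target="http://attacker.invalid/x.html!"))))
    print(verdict(triage_docx(build_docx(prop_blob="90" * 200, vba=True))))
    print(verdict(triage_docx(build_docx())))
```

The check is deliberately format-level: it does not need the payload to be decodable, only the structural oddity of a Word document reaching out for an OLE object or carrying a kilobyte of hex in its description field.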
Kaspersky: WinDealer malware shows extremely sophisticated network abilities
FROM THE MEDIA: Kaspersky researchers have found that WinDealer, malware spread by the Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, is delivered through a man-on-the-side attack: the actor modifies network traffic in transit to insert malicious payloads. Such attacks are especially dangerous because they require no interaction from the target to result in infection.
Following the findings by TeamT5, Kaspersky researchers discovered a new distribution method applied by operators to spread the WinDealer malware. Specifically, they used a man-on-the-side attack to read traffic and insert new messages. The general concept of a man-on-the-side attack is that when the attacker sees a request for a specific resource on the network (through its interception capabilities or strategic position on the ISP’s network), it tries to reply to the victim faster than the legitimate server. If the attacker wins the ‘race’, the target machine will then use the attacker-supplied data instead of the normal data. Even if the attackers don’t win most ‘races’, they can try again until they succeed, guaranteeing that they will eventually infect most devices.
READ THE STORY: ZAWYA
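The race described above is easy to reason about with a few lines of simulation. The following is an added example, not Kaspersky's analysis code or anything from LuoYu: a client requests a resource, the legitimate server and an on-path observer both answer, and the client takes whichever reply arrives first. The latencies, the shared key and the payload strings are constructed for the demo. The key stands in for whatever lets the client verify a reply (TLS, a signed update); the attacker can see traffic but does not hold it, which is exactly what decides the outcome.

```python
"""Man-on-the-side race: unauthenticated replies lose eventually, verified ones do not (added example)."""
import hashlib
import hmac
import random

# Assumption: a shared secret standing in for the server's signing key.
SERVER_KEY = b"constructed-demo-key"
LEGIT_BODY = b"update.bin v1.2"
FORGED_BODY = b"update.bin v1.2 + WinDealer"


def sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def responses(rng: random.Random) -> list[tuple[float, bytes, bytes]]:
    """Two candidate replies to one request as (arrival_ms, body, tag), earliest first."""
    legit = (rng.uniform(20.0, 60.0), LEGIT_BODY, sign(LEGIT_BODY))
    # The attacker injects from a closer vantage point (ISP-level position), so
    # it is sometimes faster; it cannot compute a valid tag, so it sends zeros.
    forged = (rng.uniform(10.0, 70.0), FORGED_BODY, bytes(32))
    return sorted([legit, forged])


def client_receive(rng: random.Random, verify: bool) -> bytes:
    """Take the first reply; with verify=True, discard anything whose tag fails."""
    for _, body, tag in responses(rng):
        if verify and not hmac.compare_digest(sign(body), tag):
            continue  # forged reply dropped; the later, genuine one is used instead
        return body
    return b""


def requests_until_compromise(n_requests: int, verify: bool, seed: int):
    """Index of the request on which the client runs the forged body, or None."""
    rng = random.Random(seed)
    for i in range(1, n_requests + 1):
        if client_receive(rng, verify) == FORGED_BODY:
            return i
    return None


def attacker_win_rate(n: int, seed: int) -> float:
    """Fraction of races the injected reply arrives first (about 0.5 with these latencies)."""
    rng = random.Random(seed)
    wins = sum(responses(rng)[0][1] == FORGED_BODY for _ in range(n))
    return wins / n


if __name__ == "__main__":
    print("attacker wins the race in", round(attacker_win_rate(2000, seed=1), 2), "of attempts")
    print("unverified client compromised on request", requests_until_compromise(200, False, 7))
    print("verifying client compromised on request", requests_until_compromise(200, True, 7))
```

Losing most races changes nothing for the attacker: a client that fetches the same unauthenticated resource every day will eventually take the injected reply, which is the "try again until they succeed" point in the text. What breaks the attack is not winning the race but the client refusing a reply it cannot verify.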
Unisoc-powered Moto G20, E30 and E40 smartphones found vulnerable to remote hacking
FROM THE MEDIA: Three Motorola smartphone models are at risk of an exploit that prevents users from connecting to LTE networks on their handsets. Check Point Research discovered the flaw in smartphones powered by UNISOC processors. The flaw sits in the LTE protocol stack of the Unisoc modem firmware, allowing a threat actor to disrupt the modem and block communications, and, according to the report, to monitor the phone user. The three smartphones vulnerable to the exploit are the Moto G20, the Moto E30, and the Moto E40.
"We reverse-engineered the implementation of the LTE protocol stack and discovered a vulnerability that could be used to deny modem services and block communications," says Slava Makkaveev, researcher at Check Point Research.
READ THE STORY: News 9 live
LockBit overtakes Conti as most active ransomware group so far in 2022
FROM THE MEDIA: KELA released threat intelligence data at the RSA Conference on Monday showing that in Q1 2022 ransomware gangs remained a major threat, collaborating with other cybercriminals such as initial access brokers (IABs) to conduct attacks on companies worldwide.
Although KELA identified around 700 victims in its sources, a decrease of 40% compared with the end of 2021, attacks per month rose from 152 in January 2022 to 320 in March 2022. On average, KELA observed 227 ransomware attacks per month in Q1 2022.
"IAB offers continued to be in demand in Q1 2022 with some of the sold access listings exploited by ransomware gangs for their attacks," said David Carmiel, chief executive officer of KELA. "It's crucial to monitor such activities and stay one step ahead of cybercriminals to prevent a potential ransomware attack."
READ THE STORY: SCMAG
Linux version of Black Basta ransomware targets VMware ESXi servers
FROM THE MEDIA: Black Basta is the latest ransomware gang to add a Linux encryptor targeting VMware ESXi virtual machines (VMs). ESXi is a hypervisor rather than a general-purpose Linux server, but it exposes a Linux-like shell, and an encryptor that runs on the host can encrypt the VM files in its datastores. Most ransomware groups now focus on ESXi hosts because this aligns with their enterprise targeting and lets them encrypt every VM on a host with a single command. Encrypting VMs makes sense since many companies have migrated to virtual machines for easier device management and more efficient resource usage.
READ THE STORY: Bleeping Computer
Evil Corp Cybercrime Group Shifts to LockBit Ransomware to Evade Sanctions
FROM THE MEDIA: The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in an attempt to get around sanctions imposed by the U.S. Treasury in December 2019.
"These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions," threat intelligence firm Mandiant noted in an analysis last week.
Active since 2019, UNC2165 is known to obtain initial access to victim networks via stolen credentials and a JavaScript-based downloader called FakeUpdates (aka SocGholish), which it previously used to deploy Hades ransomware.
READ THE STORY: THN
Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices
FROM THE MEDIA: The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.
These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week. The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.
READ THE STORY: DarkReading
Ransomware, bad and bogus. Updates on the cyber phases of Russia's hybrid war
FROM THE MEDIA: The LockBit gang, version 2.0, claims to have successfully hit Mandiant, but, CyberScoop and BleepingComputer both report, there seems to be nothing to those claims. Mandiant has seen no evidence of any successful attacks, and the purported evidence LockBit has been woofing seems to have been culled from earlier hits unrelated to Mandiant. Mandiant suggests an explanation for the imposture: "Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant's June 2nd, 2022 research blog on UNC2165 and LockBit." LockBit was especially exercised by Mandiant's association of the ransomware-as-a-service gang with Evil Corp, and by its suggestion that they operated in the interest of the Russian government. They're apolitical, says LockBit, and they've got affiliates all over the world.
READ THE STORY: The CyberWire
New IIoT ransomware exposes industry hardware vulnerabilities
FROM THE MEDIA: A ransomware attack is one where an attacker gains control over a system and holds it to ransom against the system owners. For example, an attacker can encrypt all files essential to a company’s operation (such as financial records and IP) and demand payment for the decryption key. The threat can be made more severe by adding a timer that destroys the key if no payment has been made. If a strong encryption algorithm is used and the attacker alone holds the key, destruction of the key is as good as wiping all the encrypted data, which is why offline, tested backups matter more than any negotiation.
Another example would be an attacker gaining control over an industrial site and outright disabling all equipment. Simply rebooting hardware may not let plant operators regain control if the wider network spans far beyond the plant (remote networks and other industrial sites). Because industrial downtime is so expensive, the attacker only needs to wait until the ransom demanded is lower than the money being lost to disrupted operations.
READ THE STORY: ElectroPages
Foxconn's Mexico plant suffers a LockBit 2.0 ransomware attack; operations affected
FROM THE MEDIA: In a statement shared with the media this week, Foxconn said that one of its Mexico-based production plants suffered a ransomware attack in late May. Located in Tijuana, Mexico, this strategic facility, which produces medical devices and consumer electronics and supports industrial operations, is a critical supply hub for California.
Jimmy Huang, a Foxconn spokesperson, said, “It is confirmed that one of our factories in Mexico experienced a ransomware cyberattack in late May. The company’s cybersecurity team has been carrying out the recovery plan accordingly.”
Foxconn admitted the attack did disrupt the facility’s daily operations. However, the company is working hard to get everything back to normal as soon as possible. “The factory is gradually returning to normal. The disruption caused to business operations will be handled through production capacity adjustment.
“The cybersecurity attack is estimated to have little impact on the Group’s overall operations. Relevant information about the incident is also provided instantly to our management, clients, and suppliers,” Huang added.
READ THE STORY: TEISS
Russian Government, Cybercriminal Cooperation a “Force Multiplier”
FROM THE MEDIA: Though much of the attention on Russian cyber threats has been focused on state-level activity in recent months, a top Department of Justice official said that the threat is much broader than that and is made even more serious by the Kremlin’s cooperation with and tacit support of the cybercrime groups inside Russia.
“We know they’re very focused on being able to establish persistent access to United States critical infrastructure and they have a very sophisticated set of actors in their foreign intelligence service,” said Matt Olsen, assistant attorney general for national security, during a talk at the RSA Conference here Tuesday. “They also have a force multiplier in the way they’re able to co-opt the criminal groups.”
READ THE STORY: DUO
NTT Docomo pushes for 6G by 2030
FROM THE MEDIA: Japanese mobile phone operator company NTT Docomo and parent company NTT have revealed they are planning to run experimental trials with mobile technology vendors Fujitsu, NEC, and Nokia for the commercial launch of 6G services by 2030. Nokia and Docomo will set up experiments and demonstrations in Japan and Stuttgart, Germany with testing to start this year.
According to Nokia, the thrust of the partnership is to demonstrate AI-based learned waveform in the transmitter with a deep learning receiver in the mid-band, as well as to test high data rate indoor communications in the sub-THz band. Nokia claims these technologies can improve deployment flexibility and increase network throughput beyond 5G in the respective spectrum bands without increasing energy consumption.
READ THE STORY: ITwire
Items of interest
Cisco Talos: Destructive malware, supply chain attacks on the rise
FROM THE MEDIA: The use of destructive malware is becoming incredibly common and will likely continue for the foreseeable future, Cisco Talos warned during RSA Conference 2022.
Nick Biasini, head of outreach at Cisco Talos, and Pierre Cadieux, senior manager of incident response at Cisco Talos, hosted a session Tuesday that detailed the current threat landscape and provided actionable steps for enterprises to defend themselves. Key takeaways included the heightened importance of securing credentials and an increase in supply chain threats, destructive attacks and zero-day exploitation.
To convey how dangerous adversaries have become, Biasini emphasized new tactics developed over the years including the targeting of critical infrastructure, dropping false flags and a shift from covert operations to driving public attention.
Markets for weaponized exploits are also growing, and Cadieux expressed concern over how few organizations patch well. Even more alarming is the increase in actors who can deploy damaging attacks with destructive malware.
"Every major country out there has some sort of offensive capability and instead of having to develop those exploits in house, they are able to buy them," Biasini said during the session. "Anyone with a deep pocket has the ability to launch very sophisticated attacks."
The breadth of adversaries has increased as well, contributing to software supply chain risk. The technology supply chain, which he described as more of a web, is becoming a bigger and bigger problem, with an array of avenues for adversaries to take advantage of, including open source libraries and vendors exchanging data.
Biasini referenced CCleaner, a utility program that was compromised by threat actors in 2017, as a prime example. Attackers injected malicious code into CCleaner, which ended up being installed on millions of systems. It highlighted a willingness, he said, for actors to compromise more than 3 million systems, just to gain a foothold into 50 targets.
"This gives you a clear idea of the challenges we face as enterprises from these types of sophisticated actors," Biasini said during the session.
READ THE STORY: Techtarget
The Role of Cryptocurrency in Cybercrime Panel - Future in Review 2022 (Video)
FROM THE MEDIA: Learn about innovations in the use of cryptocurrency by cybercriminals, the challenges that presents to regulators and law enforcement, the consequences for business, and how to find a path forward.
FluBot Android Banking Malware Shutdown (Video)
FROM THE MEDIA: Atlassian servers are being actively attacked, so update ASAP; FluBot was finally shut down; and Evil Corp attempts to evade sanctions. All that coming up now on ThreatWire.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com