Thursday, June 09, 2022 // (IG): BB // Weekly Sponsor: UNDERWORLD BJJ
Fed cyber officials detail Chinese state hackers using common exploits against telcos
FROM THE MEDIA: Chinese hackers have targeted and compromised “major telecommunications companies and network service providers” by exploiting publicly known vulnerabilities in a range of routers and network-attached data storage devices, the National Security Agency, FBI and the Department of Homeland Security’s Cybersecurity Infrastructure Security Agency said in a joint advisory Tuesday.
“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices,” the agencies wrote in the advisory. “In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.”
READ THE STORY: Cyberscoop
Potential Risk for Financial Firms in China’s New Draft Cybersecurity Rules: Mandatory Data Storage, Sharing With CSRC
FROM THE MEDIA: A leading lobbying group in the Asia Pacific region is raising a warning about China’s new proposed cyber security rules for financial firms, sending a letter to the China Securities Regulatory Commission (CSRC) outlining its concerns that has been seen by Reuters.
The Asia Securities Industry and Financial Markets Association (ASIFMA), a trade association based in Hong Kong and with over 165 members, has raised concerns about the level of access that firms doing business in China will be required to provide to the regulator. The CSRC is requiring that financial outfits allow the regulator to perform regular testing, and that they create a centralized data backup and share customer and internal data upon request.
READ THE STORY: CPO Magazine
Joint CISA/FBI warning of Chinese cyberespionage.
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI yesterday provided an overview of ongoing Chinese cyberespionage activity against US targets, Alert AA22-158A. Beijing's threat actors, the alert says, "continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure." Their typical approach is to compromise unpatched network devices, especially Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. Compromised SOHO routers and NAS devices can then serve as "additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities."
“This work is building the foundation that they can do all of their objectives,” NSA's Rob Joyce told the Record, as he characterized the Chinese activity. “This is their plumbing.” A podcast version of the alert may be found here.
READ THE STORY: The Cyber Wire
Black Basta Ransomware Teams Up with Malware Stalwart Qbot
FROM THE MEDIA: A newcomer on the ransomware scene has coopted a 14-year-old malware variant to help it maintain persistence on a targeted network in a recent attack, researchers have found.
Black Basta, a ransomware group that emerged in April, leveraged Qbot (a.k.a. Qakbot) to move laterally on a compromised network, researchers from security consulting firm NCC Group wrote in a blog post published this week. Researchers also observed in detail how Black Basta operates. “Qakbot was the primary method utilized by the threat actor to maintain their presence on the network,” NCC Group’s Ross Inman and Peter Gurney wrote in the post.
READ THE STORY: Threatpost
Massive Facebook Messenger phishing operation generates millions
FROM THE MEDIA: Researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements. The campaign operators used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions.
According to PIXM, a New York-based AI-focused cybersecurity firm, the campaign peaked in April-May 2022 but has been active since at least September 2021. PIXM was able to trace the threat actor and map the campaign due to one of the identified phishing pages hosting a link to a traffic monitoring app (whos.amung.us) that was publicly accessible without authentication.
READ THE STORY: Bleeping Computer
New Emotet Variant Stealing Users' Credit Card Information from Google Chrome
FROM THE MEDIA: The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser.
The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which observed the component on June 6.
The development comes amid a spike in Emotet activity since it was resurrected late last year following a 10-month-long hiatus in the wake of a law enforcement operation that took down its attack infrastructure in January 2021.
READ THE STORY: THN
Most organizations that paid a ransom were hit with a second ransomware attack
FROM THE MEDIA: Cybereason on Tuesday released a report that found some 80% of organizations that paid a ransom were hit by ransomware a second time — and 68% said the second attack came less than one month later and the threat actors demanded a higher ransom amount.
The study, based on responses from more than 1,400 cybersecurity pros, also found that 73% of organizations suffered at least one ransomware attack in 2022, compared with just 55% in the 2021 study. Cybereason found that it’s not possible for companies to pay their way out of a ransomware attack, said Sam Curry, chief security officer at Cybereason.
READ THE STORY: SCMAG
SVCReady Malware Emerges in Phishing Campaigns
FROM THE MEDIA: Researchers have uncovered a malware loader being distributed via phishing emails with Microsoft Word attachments. The loader, called SVCReady, allows attackers to gather information on infected machines, run shell commands and execute arbitrary files.
SVCReady was first seen in April being spread by malicious spam campaigns. The loader is unique in that it relies on an infection chain leveraging shellcode stored in a Word document. This is a technique that is not often seen in malware campaigns, said researchers, although it was observed in mid-April by attackers being used to distribute the Ursnif malware.
READ THE STORY: DUO
Threat actors use old techniques to create greater disruption in cyberattacks
FROM THE MEDIA: The top cyberattack trends see threat actors engaging in old tactics to create greater disruption. These include living-off-the-cloud, multi-factor authentication bypass, threats to data backups, stalkerware, and satellite attacks, according to SANS Institute leaders during day three of the RSA Conference.
Vowing to “keep it boring,” Heather Mahalik, senior director of digital intelligence at Cellebrite and SANS faculty fellow, explained that “attackers are using old techniques to do newer fancy things.”
READ THE STORY: SCMAG
U.S. Agencies Warn About Chinese Hackers Targeting Telecoms and Network Service Providers
FROM THE MEDIA: U.S. cybersecurity and intelligence agencies have warned about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020.
The widespread intrusion campaigns aim to exploit publicly identified security flaws in network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices with the goal of gaining deeper access to victim networks.
In addition, the actors used these compromised devices to route command-and-control (C2) traffic and break into other targets at scale, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) said in a joint advisory.
READ THE STORY: THN // TechRadar
When will Microsoft patch the Follina Office 365 vulnerability?
FROM THE MEDIA: The vulnerability was spotted last month, and hackers who successfully exploit it are free to access compromised systems. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” says a Microsoft blog on Follina.
The nature of the vulnerability means that malware can be uploaded easily, says Satya Gupta, founder and CEO of security company Virsec. “This vulnerability in MSDT affects not just Word but all Office 365 apps,” he says. “This event once again heavily underscores the power of RCE vulnerabilities as being the most dangerous vulnerabilities. Most enterprises don’t patch for days, weeks and sometimes even for months. This is great news for bad actors because RCEs give attackers a free pass to infiltrate the enterprise’s compute infrastructure.”
READ THE STORY: Techmonitor
Linux version of Black Basta ransomware targets VMware ESXi servers
FROM THE MEDIA: Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers. Most ransomware groups are now focusing their attacks on ESXi VMs since this tactic aligns with their enterprise targeting. It also makes it possible to take advantage of faster encryption of multiple servers with a single command. Encrypting VMs makes sense since many companies have recently migrated to virtual machines as they allow for easier device management and a lot more efficient resource usage.
READ THE STORY: Bleeping Computer
Black Basta Ransomware Targets ESXi Servers in Active Campaign
FROM THE MEDIA: The Black Basta ransomware emerged last month to target Windows-based systems only, but now the latest ransomware binary is going after VMware virtual machines (VMs).
The latest variant looks to encrypt VMs present inside the volumes folder (/vmfs/volumes) on ESXi-based systems and servers, according to research shared with Dark Reading by Uptycs. It uses the ChaCha20 algorithm to encrypt the files, researchers say, and also multithreading for encryption to utilize multiple processors and make itself faster and harder to detect.
READ THE STORY: DarkReading
How To Detect Google/Microsoft 365 Ransomware Indicators Using ManagedMethods
FROM THE MEDIA: When it comes to ransomware attacks, the notification that your data has been encrypted is not the beginning. It’s typically the result of days, weeks, or even months worth of effort. Monitoring for ransomware indicators means that you can detect ransomware early warning signs to stop, or at least reduce the impact of, an attack in its earliest stages.
ManagedMethods’ cloud security and safety platform provides a variety of monitoring and security tools to help reduce the chances of ransomware—and even phishing—attacks in your district’s Google Workspace and/or Microsoft 365 domains.
READ THE STORY: Security Boulevard
Supply chain attacks will get worse: Microsoft Security Response Center boss
FROM THE MEDIA: Major supply-chain attacks of recent years – we're talking about SolarWinds, Kaseya and Log4j to name a few – are "just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center. "All of those have been big," she said, in an interview with The Register at RSA Conference. "But I feel they will continue and there will be more. And there's a reason I think that."
As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft's products and services, as well as visibility across industry partners' software and tools plus customers' environments including government agencies.
READ THE STORY: The Register
Criminals use SaaS
FROM THE MEDIA: The cloud-based software-as-a-service model is everywhere now, including the criminal underground, according to Steven Ursillo, the national assurance and cybersecurity leader for Top 100 Firm Cherry Bekaert.
Speaking at the AICPA Engage Conference, held in Las Vegas this week, Ursillo noted specifically that ransomware attacks — cyber attacks that lock up victims' data and computer systems unless a sum of money is paid — are not only on the rise, they are growing more sophisticated as well.
A lot of this has to do with the fact that, much like legitimate companies, criminals are also adopting the SaaS model for much the same reasons: lower technical requirements. Just as an accountant need not be a coder to make, say, a bot for processing tax data, bad actors no longer have to code their own tools, which has served to lower the barrier to entry for such activities.
READ THE STORY: Accounting Today
Schneider Electric and Claroty collaborate to enhance industrial cybersecurity
FROM THE MEDIA: Industrial cybersecurity is a prerogative for enterprises and governments that shouldn’t be taken lightly. In recent times, the number of cyberattacks targeting the manufacturing industry as well as critical infrastructures demonstrates the potential havoc and disruption that can be brought about by cybercriminals.
While cyberattacks on critical infrastructures are normally brought about by state-sponsored hackers, the manufacturing industry can be targeted by almost any cybercriminal looking to make a profit or simply feeling mischievous.
Some examples of cyberattacks involving critical infrastructures and the manufacturing industry include the ransomware attack on Colonial Pipeline as well as the cyberattacks on both Ukraine and Russian critical infrastructures following the conflict in that region.
READ THE STORY: TechWire Asia
Elon Musk’s Starlink Makes China ‘Very Scared’: Space Expert
FROM THE MEDIA: As Americans try out the newest Starlink dishes on their R.V.s, a space expert says Elon Musk’s Starlink makes the Chinese Communist Party (CCP) “nervous” as the “only” player in the field now when it comes to the U.S.’s strategic space race with China.
“It is important to understand that Elon Musk’s SpaceX company is the only thing keeping the U.S. in the Space Race with China,” Brandon Weichert, space expert and author of “Winning Space: How America Remains a Superpower,” told The Epoch Times in an interview in late-May.
The expert says Starlink, now “possibly a vital component of war-making,” is making America’s rivals “nervous,” yet Elon Musk is under a two-fold “attack” by the White House and the military establishment.
READ THE STORY: The Epoch Times
A Refreshed Autonomous Weapons Policy Will Be Critical for U.S. Global Leadership Moving Forward
FROM THE MEDIA: The U.S. Department of Defense (DoD) has announced its intention to update its keystone directive on autonomous weapons systems (AWS). The directive “establishes DoD policy and assigns responsibilities for the development and use of autonomous and semi-autonomous functions in weapon systems” with the aim to reduce the possibility of accidents from the use of these weapons, including those that might lead to unintended conflict or inadvertent escalation.
First published in 2012, the directive remains “one of the only publicly available national policies” on weapon systems that present higher degrees of autonomy. With the directive coming up on its tenth anniversary, the directive must either be updated or canceled—in keeping with the Department’s issuance policy—and it is perfect timing. Given advances in artificial intelligence and autonomy technologies, as well as changes within the Department, DoD has an opportunity to update the policy and sustain responsible U.S. global leadership.
READ THE STORY: CFR
Items of interest
Putin’s Jedi Mind Trick in Ukraine: How Truth Decay Shapes the Operational Environment
FROM THE MEDIA: In a fiery March speech that referenced 18th century Russian Orthodox saint Admiral Fyodor Ushakov, Vladimir Putin added holy war to the long list of justifications for his assault on Ukraine.[1] Even to those paying close attention, the Kremlin’s official narratives are hard to follow. Considering Ukraine’s deft maneuver in the information space, many in the West are tempted to dismiss what Putin is doing there as almost absurd—but they should not.[2]
Though hyperbolic or even outright false, Moscow’s tropes are gaining traction, and not just in nationalist cliques orbiting Moscow and St. Petersburg.[3] Much in the same way Putin’s invasion of his neighbor took most by surprise, a lack of appreciation for how these sentiments might mature could set the West up for an even greater failure to deter in the future.[4] China’s growing sympathy for Kremlin narratives contributes to global truth decay and arms revisionist powers with potential justifications for military aggression.[5] The free world’s response to this malignant growth in the information environment must not be limited to that domain, because its side effects certainly will not be.
READ THE STORY: The Strategy Bridge
VPN Ban in India: A Data-Risking Decision (Video)
FROM THE MEDIA: VPN Ban in India: A Data-Risking Decision.
The North Korean Model: Using Cyber Capabilities to Blunt Sanctions and Generate Illicit Revenue (Video)
FROM THE MEDIA: Financially motivated cyber operations, especially cybercrime, represent an increasingly central component of North Korea’s strategy for evading sanctions and generating illicit revenue. In this event, Priscilla Moriuchi and Alex O’Neill will discuss ongoing trends and future expectations for North Korean financially motivated cyber operations, as well as O’Neill’s recent report, Cybercriminal Statecraft.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com