Friday, June 10, 2022 // (IG): BB // Weekly Sponsor: UNDERWORLD BJJ
Ransomware Actors Leaning on DNS Tunneling
FROM THE MEDIA: Like many other forms of intrusion, ransomware attacks are constantly evolving, as defenders get better at detecting and preventing them and attackers are forced to respond and change their techniques. In an effort to stay ahead of defenders, many ransomware groups have begun employing DNS tunneling for communications and data exfiltration in recent years, a technique that can be difficult to detect.
DNS tunneling is not a new technique by any means, and has been used by various forms of malware since at least the early 2000s. The basic idea is simple but elegant. Rather than using HTTP for C2 communications or data exfiltration, the attacker encodes the traffic in DNS queries and responses, which most networks allow outbound without inspection. There are a few ways to do this, and detecting the technique typically requires defenders to dig through resolver logs and look for anomalous queries or other indicators: unusually long or high-entropy subdomain labels, large numbers of unique subdomains under one parent domain, and a high proportion of TXT or NULL record lookups. It's attractive for attackers because it's relatively simple to do and won't be detected by many security tools. Ransomware actors have adopted it in a big way, often using a feature in the Cobalt Strike framework to send payloads and communications through DNS responses.
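The following is an added example, not code from the Duo article or from any vendor product. It shows the kind of resolver-log triage the article describes: group queries by parent domain and score each domain on unique-subdomain count, subdomain entropy, longest label, and the share of TXT/NULL lookups. The log format (`timestamp client qname qtype`), the sample lines, the "parent domain is the last two labels" shortcut (no public-suffix handling) and the thresholds are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not from the article). Format assumed:
# "<timestamp> <client-ip> <qname> <qtype>". The tunnel-demo.net queries imitate
# a DNS-tunnel client sending base64-like chunks as subdomain labels.
SAMPLE_LOG = """\
2022-06-10T09:00:01 10.0.0.5 www.example.com A
2022-06-10T09:00:02 10.0.0.5 mail.example.com MX
2022-06-10T09:00:03 10.0.0.7 api.update.example.com A
2022-06-10T09:00:04 10.0.0.9 7a6b2f9c0d1e4f5a.g.tunnel-demo.net TXT
2022-06-10T09:00:04 10.0.0.9 aGVsbG8gd29ybGQxMjM0.g.tunnel-demo.net TXT
2022-06-10T09:00:05 10.0.0.9 ZGF0YS1leGZpbC1jaHVuazI.g.tunnel-demo.net TXT
2022-06-10T09:00:05 10.0.0.9 c3RpbGwtbW9yZS1kYXRhLWhlcmU.g.tunnel-demo.net TXT
2022-06-10T09:00:06 10.0.0.9 YW5kLWV2ZW4tbW9yZS1ieXRlcw.g.tunnel-demo.net A
2022-06-10T09:00:07 10.0.0.9 bGFzdC1jaHVuay1vZi1kYXRh.g.tunnel-demo.net TXT
2022-06-10T09:00:08 10.0.0.5 cdn.example.com A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)\s*$")

# Record types that carry the most attacker-controlled bytes per answer.
EXFIL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (parent_domain, subdomain_labels). Assumes a two-label registrable domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze(log_text: str) -> dict:
    """Aggregate per-parent-domain features from the log text."""
    acc = defaultdict(lambda: {"queries": 0, "exfil_like": 0, "subdomains": set(), "max_label": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        parent, sub = split_name(m["qname"])
        d = acc[parent]
        d["queries"] += 1
        if m["qtype"] in EXFIL_QTYPES:
            d["exfil_like"] += 1
        if sub:
            d["subdomains"].add(".".join(sub))
            d["max_label"] = max(d["max_label"], max(len(label) for label in sub))
    stats = {}
    for parent, d in acc.items():
        ents = [shannon_entropy(s.replace(".", "")) for s in d["subdomains"]]
        stats[parent] = {
            "queries": d["queries"],
            "unique_subdomains": len(d["subdomains"]),
            "mean_entropy": sum(ents) / len(ents) if ents else 0.0,
            "max_label_len": d["max_label"],
            "txt_ratio": d["exfil_like"] / d["queries"],
        }
    return stats


def flag_tunnels(log_text: str, min_unique=5, entropy_threshold=3.5,
                 label_threshold=20, txt_ratio_threshold=0.5) -> list:
    """Parent domains that look like tunnel endpoints. Thresholds are illustrative assumptions."""
    flagged = []
    for parent, s in analyze(log_text).items():
        if s["unique_subdomains"] < min_unique:
            continue  # too few distinct labels to carry a conversation
        if (s["mean_entropy"] >= entropy_threshold
                or s["max_label_len"] >= label_threshold
                or s["txt_ratio"] >= txt_ratio_threshold):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in analyze(SAMPLE_LOG).items():
        print(f"{domain:18} {s}")
    print("suspected tunnel domains:", flag_tunnels(SAMPLE_LOG))
```

In production the per-domain counters would be computed over a sliding window (Cobalt Strike's DNS beacon can be slowed to a few queries an hour), the parent domain should come from a public-suffix list rather than the last two labels, and known high-volume CDN and anti-spam domains need an allow-list, since they also produce many unique, high-entropy subdomains.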
READ THE STORY: DUO
Hardware flaws give Bluetooth chipsets unique fingerprints that can be tracked
FROM THE MEDIA: Researchers at the University of California San Diego have shown for the first time that Bluetooth signals each carry an individual, trackable fingerprint.
In a paper presented at the IEEE Symposium on Security and Privacy last month, the researchers wrote that Bluetooth signals can also be tracked, given the right tools.
However, there are technological and expertise hurdles that a miscreant would have to clear today to track a person through the Bluetooth signals in their devices, they wrote.
"By their nature, BLE [Bluetooth Low Energy] wireless tracking beacons have the potential to introduce significant privacy risks," the researchers wrote. "For example, an adversary might stalk a user by placing BLE receivers near locations they might visit and then record the presence of the user's beacons."
READ THE STORY: The Register
Russia and China using criminals 'to commit attacks against' West
FROM THE MEDIA: Paul Abbate, deputy director of the FBI, speaking to Sky News Australia, said that the West faces a "real challenge" from Russia, China, and Iran, who are "getting in the way of justice". He claimed the nations pose a "hybrid threat" by harbouring criminal enterprises and later bartering with them to "break the laws within our own countries".
Mr Abbate said: “This is a real challenge that each of our countries faces. Each of the countries you cited, Russia, China, Iran, it’s not just a matter of providing safe haven to criminals and getting in the way of the justice we’re seeking through our criminal laws within our countries.
READ THE STORY: Express
Australian organizations targeted by Aoqin Dragon hackers for a decade
FROM THE MEDIA: Security researchers say they have identified another China-linked threat actor targeting Australian and South-East Asian organizations for espionage. Security vendor SentinelLabs, which named the group Aoqin Dragon, said it has been active since at least 2013.
"The targeting of Aoqin Dragon closely aligns with the Chinese government's political interests," SentinelLabs said. "We primarily observed Aoqin Dragon targeting government, education, and telecommunication organizations in Southeast Asia and Australia."
READ THE STORY: ITnews
New ultra-stealthy Linux backdoor isn’t your everyday malware discovery
FROM THE MEDIA: Researchers have unearthed a discovery that doesn't occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even from a forensic investigation.
On Thursday, researchers from Intezer and the BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, the process list, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November 2021.
READ THE STORY: ArsTechnica
Cyberextortion schemes increasing pressure to pay
FROM THE MEDIA: Enterprises are facing multilayered cyberextortion campaigns that combine data theft, public shaming and system encryption, which are increasing the pressure on victims to pay ransoms.
During an RSA Conference 2022 session Wednesday, David Wong, vice president at Mandiant, and Nick Bennett, vice president of professional services at Mandiant, provided case studies and anecdotal data that compared the outcomes of two clients that each suffered a ransomware attack and various cyberextortion attempts. While one client was more prepared to deal with a successful attack than the other, the examples highlighted an increasing persistence from attackers that pays off if the victim is ill-equipped.
READ THE STORY: TechTarget
Lyceum .NET DNS Backdoor
FROM THE MEDIA: Active since 2017, the Lyceum group is a state-sponsored Iranian APT known for targeting Middle Eastern organizations in the energy and telecommunication sectors and for relying mostly on .NET-based malware.
Zscaler ThreatLabz recently observed a new campaign in which the Lyceum group used a newly developed, customized .NET-based DNS backdoor against Middle Eastern targets, with its underlying code copied from an open source tool.
READ THE STORY: Security Boulevard
Bizarre ransomware sells decryptor on Roblox Game Pass store
FROM THE MEDIA: A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's in-game Robux currency. Roblox is an online kids' gaming platform where members can create their own games and monetize them by selling Game Passes, which provide in-game items, special access, or enhanced features. To pay for these Game Passes, members must purchase them using an in-game currency called Robux.
READ THE STORY: Bleeping Computer
Google Chrome user profiles under attack from Emotet malware
FROM THE MEDIA: The Emotet botnet now has a brand new module that steals credit card information stored in Google Chrome user profiles.
Emotet was first spotted by cybersecurity researchers from Proofpoint dropping the new module on June 6. It tries to steal names, expiration dates, and card numbers stored in Chrome user profiles. An interesting detail is that the stealer exfiltrates the data to a command & control (C2) server that’s different from the module loader.
READ THE STORY: TechRadar
Rob Joyce: China represents biggest long-term cyberthreat
FROM THE MEDIA: While Russia is making the most noise now, China is the bigger long-term cyberthreat to the U.S., according to the National Security Agency's cybersecurity head.
Rob Joyce, director of cybersecurity at the NSA, spoke at RSA Conference 2022 in a Wednesday session titled "State of the Hacks: NSA's Perspective" and discussed the nation-state threat actors targeting the country and the technology and tactics that are used.
Joyce began with an overview of Russian nation-state hacking, which increased dramatically this year amid the country's invasion of Ukraine. Despite that increase, he said China represents a larger long-term cyberthreat to the U.S.
READ THE STORY: TechTarget
Russia, China, warn US its cyber support of Ukraine has consequences
FROM THE MEDIA: Russia and China have each warned the United States that the offensive cyber-ops it ran to support Ukraine were acts of aggression that invite reprisal. The US has acknowledged it assisted Ukraine to shore up its cyber defences, conducted information operations, and took offensive actions during Russia's illegal invasion. While many nations occasionally mention they possess offensive cyber-weapons and won't be afraid to use them, admissions they've been used are rare. US Cyber Command chief General
READ THE STORY: The Register
Chinese 'Aoqin Dragon' gang runs undetected ten-year espionage spree
FROM THE MEDIA: Threat researcher Joey Chen of SentinelLabs says he's spotted a decade's worth of cyber attacks he's happy to attribute to a single Chinese gang. Chen has named the group Aoqin Dragon, says its goal is espionage, and that it prefers targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.
The gang is fond of attacks that start by inducing users to open poisoned Word documents that install a backdoor, often a threat named Mongall or a modified version of the open source Heyoka project. The group's lures have changed over the years. Sometimes its lures are documents on regional political topics, while on other occasions the gang has used pornographic content as a lure.
READ THE STORY: The Register
China is a threat to future of the internet and could force a 'moment of reckoning', UK spy chief says
FROM THE MEDIA: One of the UK’s spy chiefs said yesterday that China was threatening the future of the internet and the West was facing a ‘moment of reckoning’.
The deputy director of strategy at GCHQ, who was named only as Ann S, told Cheltenham Science Festival: ‘We in the West have been fortunate that a lot of the technology which has driven the internet has been informed by Western liberal values, democratic values, but that is not going to be the picture going forward.
'So we can see that there is a big shift to the East. There is a potential clash of values there.’
READ THE STORY: Dailymail
Alibaba sued for selling a 3D printer that overheated, caught fire, and killed a man
FROM THE MEDIA: Alibaba is being sued in the US by the parents of a man, who bought a 3D printer from the Chinese e-commerce giant, and died in an accident after the device allegedly malfunctioned and caught fire.
Hoi Kwong Yu and Janice Yu, parents of Calvin Yu, claim their son purchased "a defective Tronxy X5SA 24V 3D printer" from Alibaba's website AliExpress.com around 9 November 2019. Disaster struck six months later, on 11 June 2020.
The device was plugged into an electric power strip, and overheated causing a fire to erupt in Calvin's home, it was alleged in court documents filed to San Francisco's Superior Court [PDF]. He died a day later.
READ THE STORY: The Register
U.S. Issues Guidance to Companies Warning of Cybersecurity and Sanctions Risks Posed by IT Workers Directed by North Korea
FROM THE MEDIA: On May 16, 2022, the U.S. Department of State, U.S. Department of Treasury and the Federal Bureau of Investigation issued combined guidance (“IT Workers Advisory”) on efforts by North Korean nationals to secure freelance engagements as remote information technology (“IT”) workers by posing as non-North Korea nationals. The IT Workers Advisory provides employers with detailed information on how North Korean IT workers operate; highlights red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify these workers; and provides general mitigation measures for companies to better protect against inadvertently engaging these workers or facilitating the operations of the North Korean government (“DPRK”) in violation of U.S. sanctions.
READ THE STORY: NATLAWREVIEW
PC shipments sink amid steady waves of supply chain, war disruptions
FROM THE MEDIA: Orders for PCs are forecast to shrink in 2022 as consumers confront rising inflation, the war in Ukraine, and lockdowns in parts of the world critical to the supply chain, all of which continue.
So says IDC, which forecast shipments to decline 8.2 percent year-on-year to 321.2 million units during this calendar year. This follows three straight years of growth, the last of which saw units shipped rise to 348.8 million.
Things might be taking a turn for the worse but they are far from disastrous for an industry revived by the pandemic when PCs became the center of many people's universe. Shipments are still forecast to come in well above the pre-pandemic norms; 267 million units were shipped in 2019.
READ THE STORY: The Register
NSA Outlines Threats from Russia, China and Ransomware
FROM THE MEDIA: The US National Security Agency (NSA) Director of Cybersecurity Rob Joyce sees two primary adversaries in terms of nation-state cyber-attacks, with Russia and China being particularly active in recent months.
Speaking in a session at RSA Conference 2022, Joyce outlined the current state of hacking threats as the NSA sees it. The first threat he sees is Russia, which is currently at war with Ukraine. Joyce said that starting in January of this year, even before Russia moved troops, it was already engaged in widespread cyber-attacks against Ukraine. "There were at least seven families of wipers deployed into the theater of operations, all of those were intended to defeat or avoid endpoint security," Joyce said.
READ THE STORY: InfoSecurity
Emotet malware gang re-emerges with Chrome-based credit card heist ware
FROM THE MEDIA: The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.
Once the data, including the user's name, the card number and expiration information, is harvested, the module sends it to command-and-control (C2) servers that are different from the ones used by the module loader, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.
The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.
READ THE STORY: The Register
Chinese hackers have infiltrated major telco gears, claims US security advisory
FROM THE MEDIA: The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the FBI issued a rare joint advisory explaining how attackers are exploiting publicly known vulnerabilities in network equipment.
Telecoms reported this has left a wide range of public and private sector organizations vulnerable to attack.
"Network devices, such as small office/home office (SOHO) routers and network attached storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices," the advisory reads.
READ THE STORY: ITWire
Items of interest
US SEC opens probe into Ericsson's alleged bribery in Iraq
FROM THE MEDIA: Swedish telecommunications equipment company Ericsson says it has been notified by the US Securities and Exchange Commission that an investigation has been opened into the company's report about its 2019 dealings in Iraq. In a statement issued on Thursday, Ericsson said, while it was too early to predict the outcome of the investigation, it was fully co-operating with the SEC.
The firm is facing a class action lawsuit in the US over the same issue. Chief executive Börje Ekholm and chief financial officer Carl Mellander have been named as defendants in the suit which was filed on 4 March. Details of alleged bribery in Ericsson's dealings in Iraq were leaked to the International Consortium of Investigative Journalists which shared the data with The Guardian, the BBC and the Washington Post in March.
READ THE STORY: ITwire
CrowdStrike on the Future of Cyber Security Landscape (Video)
FROM THE MEDIA: CrowdStrike CEO George Kurtz joins Emily Chang to discuss the cyber security investing landscape, the rise of ransomware, and what the US can do to better protect itself from cyber crimes.
Authorized Fraud Playbook: Scams and Social Engineering (Video)
FROM THE MEDIA: How can you detect, deter and prevent APP fraud and scams? Hear from the experts at Prove, NICE Actimize, DNB Bank ASA, BehavioSec, and The Paypers on how emerging technology such as data analytics and AI/ML can counteract and prevent scams.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com