Friday, June 17, 2022 // (IG): BB // Weekly Sponsor: UNDERWORLD BJJ
Elon Musk wants Twitter to be more like WeChat, to allow 'outrageous' comments
FROM THE MEDIA: In his first direct call with Twitter employees, Elon Musk briefed them about his plans once he takes over the platform, including making it more like TikTok and WeChat and allowing "outrageous comments". The Tesla CEO, however, clarified that such comments shouldn't be amplified. Musk told Twitter employees that the platform needs to become more like WeChat and TikTok if it wants to achieve his goal of reaching one billion users. "There's no WeChat equivalent outside of China. You basically live on WeChat in China. If we can recreate that with Twitter, we'll be a great success," he told Twitter staff via a virtual meeting late on Thursday.
READ THE STORY: Business Standard
Sophos Firewall zero-day bug exploited weeks before fix
FROM THE MEDIA: Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to compromise a company and breach cloud-hosted web servers operated by the victim. The security issue has been fixed in the meantime but various threat actors continued to exploit it to bypass authentication and run arbitrary code remotely on multiple organizations. On March 25, Sophos published a security advisory about CVE-2022-1040, an authentication bypass vulnerability that affects the User Portal and Webadmin of Sophos Firewall and could be exploited to execute arbitrary code remotely.
Three days later, the company warned that threat actors were exploiting the security issue to target several organizations in the South Asia region. This week, cybersecurity company Volexity detailed an attack from a Chinese advanced persistent threat group it tracks as DriftingCloud, which had been exploiting CVE-2022-1040 since early March, a little over three weeks before Sophos released a patch.
READ THE STORY: Bleeping Computer
Old Telerik UI vulnerability leveraged for Cobalt Strike distribution
FROM THE MEDIA: BleepingComputer reports that web servers are being compromised by the threat actor Blue Mockingbird through exploitation of a three-year-old security vulnerability in the Telerik UI library for ASP.NET AJAX, to facilitate Cobalt Strike beacon deployment and Monero mining. This comes two years after the same flaw, tracked as CVE-2019-18935, was used to target unpatched Microsoft IIS servers running Telerik UI. Sophos security researchers discovered that Blue Mockingbird's new attacks involved the use of a publicly available proof-of-concept exploit, which automates compilation of the DLL payload.
Blue Mockingbird establishes persistence through Active Directory Group Policy Objects. Windows Defender is bypassed through typical AMSI-evading approaches before the Cobalt Strike DLL is downloaded. An XMRig miner dubbed "crby26td.exe" is then deployed as a second-stage executable for Monero mining. While Blue Mockingbird's new attacks are financially motivated, like its intrusions in 2020, its recent use of Cobalt Strike may hasten data exfiltration and ransomware deployment, according to researchers.
READ THE STORY: SCMAG
Immediate patching of Cisco Secure Email vulnerability urged
FROM THE MEDIA: Cisco has called on users of its Email Security Appliance and Secure Email and Web Manager appliances with non-default configurations to immediately patch a critical security flaw, tracked as CVE-2022-20798, which could be abused to evade authentication and access the appliances' web management interface, according to BleepingComputer. "An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device. A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device," said Cisco, which noted that the flaw was discovered while addressing a Cisco Technical Assistance Center case. Only appliances using external authentication with LDAP are impacted by the security bug, which has not yet been exploited by any threat actor, said Cisco's Product Security Incident Response Team. Administrators can check whether an appliance is impacted by logging into the web-based management interface and verifying whether the "Enable External Authentication" option shows a green check box.
READ THE STORY: SCMAG
Interpol anti-fraud operation busts call centers behind business email scams
FROM THE MEDIA: Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping crackdown on social engineering and other scam operations around the globe.
In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.
Among the 2,000 people arrested in Operation First Light 2022 were call center operators, fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.
READ THE STORY: The Register
Costa Rica chaos a warning that ransomware threat remains
FROM THE MEDIA: Teachers unable to get paychecks. Tax and customs systems paralyzed. Health officials unable to access medical records or track the spread of COVID-19. A country’s president declaring war against foreign hackers saying they want to overthrow the government.
For two months now, Costa Rica has been reeling from unprecedented ransomware attacks disrupting everyday life in the Central American nation. It’s a situation raising questions about the United States’ role in protecting friendly nations from cyberattacks at a time when Russian-based criminal gangs are targeting less developed countries in ways that could have major global repercussions.
READ THE STORY: Seattle Times
Microsoft 365 Function Leaves SharePoint, OneDrive Files Open to Ransomware Attacks
FROM THE MEDIA: Enterprise cloud services like Microsoft 365 leave enterprises open to ransomware threat actors who want to encrypt files saved in SharePoint Online and OneDrive libraries, researchers warn. The new target marks a potential pivot point for ransomware attackers who, running out of luck focusing on endpoints and network drives, might find less resistance attacking cloud infrastructure, new research from Proofpoint says. The team was able to document the attack chain from initial credential compromise to account takeover, discovery, exfiltration, and, ultimately, the ransom demand.
READ THE STORY: Dark Reading
Conti Ransomware Group Explores Post-Encryption Future
FROM THE MEDIA: The February leak of internal communications from Conti, one of the world's most notorious ransomware groups, highlighted the extent to which such cybercriminal groups are running sophisticated and innovative business operations, says Vitali Kremez, chairman and CEO of New York-based Advanced Intelligence, aka AdvIntel.
But as Conti has felt the heat, its senior management team hasn't hesitated to rethink its entire approach, including launching multiple smaller operations and retiring the "Conti" name to make the group less of a target, he says.
Another trend is for Conti and some other groups to move away from launching traditional ransomware attacks and instead apply malware and network penetration to steal data and use psychological tactics - sometimes powered by call centers - to extort companies, he says.
READ THE STORY: Bank Info Security
Phishers targeting mainstream interest in crypto
FROM THE MEDIA: Cybercriminals are exploiting interest in cryptocurrency and non-fungible tokens by incorporating cryptocurrency into the phishing landscape, according to Proofpoint researchers.
Proofpoint Senior Director of Threat Research and Detection Sherrod DeGrippo said the company’s researchers have observed techniques such as credential harvesting, cryptocurrency transfer solicitation like business email compromise, and the use of malware stealers targeting crypto credentials.
“Cybercriminal threats to cryptocurrency are not new; however, as the general public experiences growing adoption of cryptocurrency, people may be more likely to engage with social engineering lures using such themes,” he said.
READ THE STORY: Technology Decisions
Russian Botnet Disrupted in International Cyber Operation
FROM THE MEDIA: The U.S. Department of Justice, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, has dismantled the infrastructure of a Russian botnet known as RSOCKS, which hacked millions of computers and other electronic devices around the world. A botnet is a group of hacked internet-connected devices that are controlled as a group without the owners’ knowledge and typically used for malicious purposes. Every device that is connected to the internet is assigned an Internet Protocol (IP) address.
According to a search warrant affidavit, unsealed today in the Southern District of California, and the operators’ own claims, the RSOCKS botnet, operated by Russian cybercriminals, comprised millions of hacked devices worldwide. The RSOCKS botnet initially targeted Internet of Things (IoT) devices. IoT devices include a broad range of devices—including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers, which are connected to, and can communicate over, the internet, and therefore, are assigned IP addresses. The RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers.
READ THE STORY: Justice
Mixed results for Russia's aggressive Ukraine information war, experts say
FROM THE MEDIA: A top Ukrainian cybersecurity official said this week that the Russian campaign to wrest control over internet and phone networks in occupied Ukraine continues to grow, even as Russian forces intensify their shelling of telecommunications infrastructure.
The Russian outlet The Moscow Times reported Thursday that in areas of eastern Ukraine that Russian troops are occupying, a telecommunications company run by + 7 Telecom — a likely subsidiary of the Russian telecom giant MTS — has replaced Ukrainian mobile services. The news outlet quoted Ukrainians complaining about the poor reception and internet censorship that accompanied the shift.
READ THE STORY: CyberScoop
The Brazilian Candidate: The Studious Cover Identity of an Alleged Russian Spy
FROM THE MEDIA: On 16 June, Dutch intelligence (AIVD) published a press release detailing how it had disrupted an attempt by what it said was a Russian military intelligence (GRU) asset to gain “access as an intern to the International Criminal Court (ICC) in the Hague”. The man was denied entrance to the Netherlands and was sent back to Brazil. This press release provided a wide array of information about this individual, including his real identity and his “legend” identity – a fake persona created by the GRU.
The real name of the GRU asset, according to AIVD, is Sergey Vladimirovich Cherkasov (born 11 September 1985). His false persona is Victor Muller Ferreira (born 4 April 1989). The AIVD also provided a four-page legend letter used by Cherkasov/Ferreira, providing a bizarre biography for a fake Brazilian man.
READ THE STORY: BellingCat
Chinese State-Backed Hackers Targeting Major Telecom Companies: US Security Agencies
FROM THE MEDIA: U.S. security agencies have warned that hackers backed by the Chinese regime have been targeting “major telecommunications companies and network service providers” since 2020. In a June 7 cybersecurity advisory, they urged those affected to take immediate remedial action. The advisory, coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), said the hackers “continue to exploit publicly known vulnerabilities,” using tactics to bypass defenses and remain undetected.
READ THE STORY: The Epoch Times
Former chip research professor jailed for not disclosing Chinese patents
FROM THE MEDIA: The former director of the University of Arkansas’ High Density Electronics Center, a research facility that specializes in electronic packaging and multichip technology, has been jailed for a year for failing to disclose Chinese patents for his inventions.
Professor Simon Saw-Teong Ang was in 2020 indicted for wire fraud and passport fraud, with the charges arising from what the US Department of Justice described as a failure to disclose “ties to companies and institutions in China” to the University of Arkansas or to the US government agencies for which the High Density Electronics Center conducted research under contract.
READ THE STORY: The Register
India’s hybrid warfare against the state of Pakistan
FROM THE MEDIA: Warfare in the contemporary era has evolved into hybrid warfare because of the changing dynamics of war. Hybrid warfare is a military strategy that combines conventional, unconventional, irregular, cyber and information warfare to target the vulnerable points of an adversary. These vulnerable targets, which include economic, political, ethnoreligious and diplomatic weaknesses, are used to destabilize and disintegrate the adversary.
The rapid advancement of technology changes the way of thinking and also affects social, economic and political processes. With changing global politics and an evolving geostrategic environment in the era of globalization, waging open war is neither feasible nor cost-beneficial.
READ THE STORY: Global Village Space
Criminal IP analysis report on zero-day vulnerability in Atlassian Confluence
FROM THE MEDIA: According to Volexity, a webshell was discovered in Atlassian Confluence server during an incident response investigation. Volexity determined that it was a zero-day vulnerability that could execute remote code even after the latest patch was completed and reported the issue to Atlassian. After receiving the issue report and identifying it as a zero-day, Atlassian issued a security advisory for the critical unauthenticated remote code execution.
According to Volexity, attackers could exploit CVE-2022-26134 to upload a webshell, in particular China Chopper, a notorious webshell that was also used during the recent Microsoft Exchange Server crisis. If an attacker penetrates the server and uploads this webshell, they can access the server freely even after the zero-day security patch has been applied.
READ THE STORY: Help Net Security
Slovakia's defense department faced a large-scale cyber attack
FROM THE MEDIA: The website of Slovakia's Defense Ministry faced a large-scale cyber attack last night, Defense Minister Jaroslav Naď (OĽaNO) reported on June 17, 2022. The attackers failed to obtain any data thanks to the security and preparedness of the Centre for Cyber Defense operating under the Military Intelligence Service, the minister wrote in his Facebook post. "I can confirm that this rather vast attack has been fought off without any harm to the infrastructure and the attackers, whose IP addresses were from different parts of the world, went away empty-handed," the minister wrote. He called on the public to be cautious and confirmed that an investigation into the incident has been launched.
READ THE STORY: Spectator
VPN services banned for Indian government employees; Google Drive, Dropbox use also barred
FROM THE MEDIA: Urging employees not to save “any internal, restricted or confidential government data files on any non-government cloud service such as Google Drive or Dropbox,” the Centre has issued a directive prohibiting its employees from using third-party virtual private networks (VPN). They have also been barred from using any anonymization services offered by companies like Nord VPN, ExpressVPN and Tor. The government’s notice came a few days after VPN service providers like ExpressVPN, Surfshark and NordVPN said they would no longer offer their services in the country. Their announcement followed a directive by the Indian Computer Emergency Response Team (Cert-In) on how VPN companies should operate in India.
READ THE STORY: Times Now
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
FROM THE MEDIA: A ‘potentially dangerous’ functionality in Office 365 and Microsoft 365 has been discovered that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
Cyber security firm Proofpoint said it focused its research on SharePoint Online and OneDrive within the 365 suites, finding that hackers can target an organization’s data in the cloud, as well as launch attacks on cloud infrastructure. “Once executed, the attack encrypts the files in the compromised users’ accounts,” the Proofpoint team explained. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”
READ THE STORY: ITpro
Items of interest
Iran-Backed Cyber Warfare Group Phosphorus Targets US, Israel, Corporations
FROM THE MEDIA: Suspected Iranian hackers targeted the emails of senior Israeli and American officials and executives this month. According to the Israeli cybersecurity firm Check Point, the personal e-mail accounts of these individuals were subject to a variety of phishing attacks that referenced security issues affecting Iran and Israel. This attack was reported just days after U.S. FBI Director Christopher Wray detailed at a conference how hackers sponsored by the Islamic Republic of Iran attempted to carry out a “despicable” cyber-attack targeting Boston Children’s Hospital last year. In recent years, Iran has prioritized strengthening its offensive cyber-warfare capabilities to target its adversaries. Russia and China also possess sophisticated skills in the cyber realm. While the U.S. is largely regarded as the most “cyber-capable” nation, the world’s reliance on digital infrastructure and our adversaries’ improved capabilities have increased the frequency and scale of attacks.
READ THE STORY: 1945
One simple mistake - how cybercrime cost an agency $76,000 (Video)
FROM THE MEDIA: Dean Yeo recently caught up with Peter Lynch from Aon Insurance, to discuss how one mistake by one person cost an agency $76,000.
Digital Forensics: The Backbone of Cybercrime (Video)
FROM THE MEDIA: In today’s world, Digital Forensics is the backbone of cybercrime. During this NCF #CyberChats session, Kaitlyn Knabe, a senior cybersecurity student from Purdue University’s CERIAS (Center for Education and Research in Information Assurance and Security).
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com