Saturday, June 18, 2022 // (IG): BB // Weekly Sponsor: UNDERWORLD BJJ
Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners
FROM THE MEDIA: A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.
In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner on victim networks.
The bug (CVE-2022-26134, CVSS score: 9.8), which was patched by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way for remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.
READ THE STORY: THN
The Cat and Mouse Game of Crypto Money Laundering
FROM THE MEDIA: Just a month after the May 2021 Colonial Pipeline ransomware attack, the Department of Justice (DoJ) announced it had seized a large portion (63.7 bitcoins, valued at $2.3 million at the time) of the total ransom paid in the attack (75 bitcoins).
According to the FBI, the initial ransom payment was sent to a cryptocurrency address in two payments, and from there a transaction was then made from this address to two other addresses; and then to two more, continuing in intervals from May 8 to May 9 until the ransom payment had been filtered through at least 23 other addresses, with each transaction cutting away a small portion of the total amount until 63.7 bitcoins were left.
The FBI, meanwhile, was able to track down these payments by reviewing the Bitcoin public ledger - which is used as a record-keeping organizer for all transactions between participants on a network - until the ransom was transferred to a specific address for which the FBI had the private key.
READ THE STORY: DUO
Resurgence of Voicemail-themed Phishing Attacks Targeting Key Industry Verticals in US
FROM THE MEDIA: Since May 2022, ThreatLabz has been closely monitoring the activities of a threat actor which targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials. The tactics, techniques, and procedures (TTPs) of this threat actor have a high overlap with a previous voicemail campaign that ThreatLabz analyzed in July 2020.
In this new instance of the campaign, the threat actor has targeted users in US-based organizations in specific verticals including software security, US military, security solution providers, healthcare / pharmaceutical, and the manufacturing supply chain. As Zscaler was one of the targeted organizations, it gave us a good insight into the full attack chain and motives of this threat actor.
READ THE STORY: Security Boulevard
Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware
FROM THE MEDIA: A recently disclosed critical remote code execution (RCE) vulnerability in Atlassian's Confluence Server collaboration platform is now under active attack, in a spate of attacks bent on deploying a variety of malware, including ransomware.
Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday.
Atlassian disclosed the vulnerability in Confluence Server (CVE-2022-26134) over Memorial Day weekend, after researchers from Volexity informed the company about the issue, which they discovered while investigating a breach at a customer location.
READ THE STORY: DarkReading
15 vulnerabilities discovered in Siemens industrial control management system
FROM THE MEDIA: Fifteen vulnerabilities affecting Siemens SINEC network management system (NMS) were unveiled this week, according to new research published by security company Claroty. The bugs affect all versions before V1.0 SP2 Update 1 and Siemens urged users to update their versions as soon as possible.
Noam Moshe, vulnerability researcher with Claroty, told The Record that the most concerning of the 15 vulnerabilities – which include denial-of-service attacks, credential leaks, and remote code execution in certain circumstances – revolve around CVE-2021-33723 and CVE-2021-33722.
Moshe noted that network management systems are used to centrally monitor, manage, and configure industrial networks with tens of thousands of devices. They are used widely in industrial automation across several industries, including manufacturing, oil and gas, electrical grids, and more.
“Most concerning is the chaining of CVE-2021-33723 and CVE-2021-33722, which creates a powerful exploit that could give an attacker elevated permissions on the SINEC system to NT AUTHORITY\SYSTEM, full system access,” Moshe said.
READ THE STORY: The Record
China-linked APT Flew Under Radar for Decade
FROM THE MEDIA: Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.
Researchers from SentinelLabs said the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is “a small Chinese-speaking team with potential association to [an APT called] UNC94,” they reported.
Researchers say one of the tactics and techniques of Aoqin Dragon is the use of pornographic-themed malicious documents as bait to entice victims to download them.
“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote.
READ THE STORY: ThreatPost
Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy
FROM THE MEDIA: An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.
Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.
Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up.
READ THE STORY: THN
Hydra Darknet Market: Threat Intelligence Lessons Learned
FROM THE MEDIA: Darknet markets continue to thrive as hubs for criminality, including for narcotics and firearm distribution, malware supply, ransomware recruitment and other cornerstone cybercrime-as-a-service activities.
Until its disruption earlier this year, the Russian-language Hydra marketplace was the world's largest darknet market. Studying how Hydra became such a success will be key to tracking and disrupting future darknet markets, says Ian Gray, senior intelligence director at Flashpoint.
Hydra makes quite a case study. After debuting in 2015, the market pushed aside its rivals and "grew to a scale of 19,000 vendors on the marketplace, 17 million users, 80% of darknet market transactions since 2015 … $5.2 billion in revenue, likely more, and when German federal police took down the servers, there was $25 million there in the servers," Gray says.
READ THE STORY: Gov Info Security
Ukraine reports a "massive" spam campaign against the country's media organizations
FROM THE MEDIA: An email from the Press Office of Ukraine's State Service of Special Communication and Information Protection (SSSCIP) last Saturday warned that a "massive" spam campaign against media outlets had begun:
"The Computer Emergency Response Team of Ukraine (CERT-UA) acting under the SSSCIP warns about mass spamming with dangerous emails titled 'Interactive Map Reference List'. In particular, these emails are targeting media outlets (radio stations, newspapers, news agencies, etc.) of Ukraine. Over 500 destination email addresses have been identified. These emails contain an attached document ... opening which may initiate downloading of CrescentImp malware.
Specialists warn that cyber criminals have been increasingly resorting to email spamming from compromised addresses of public institutions. If you fall victim to a cyberattack, please contact the CERT-UA immediately. This activity is tracked by UAC-0113 (attributed to the Sandworm group with a medium certainty level). As reported earlier, this group was involved in orchestrating a massive attack on the energy sector of Ukraine in April."
READ THE STORY: The CyberWire
DOJ seizes proxy service as US, partners hit Russian hackers
FROM THE MEDIA: The Department of Justice (DOJ) announced it has dismantled a Russian network of hacked internet-connected devices in a coordinated effort with foreign counterparts to crack down on malicious cyber activities.
The DOJ said Thursday it worked with law enforcement agencies in Germany, the Netherlands and the United Kingdom to take down the Russian botnet, known as RSOCKS. The network reportedly hacked millions of computers and other electronic devices around the world.
RSOCKS, a popular proxy service, illegally provided its users access to IP addresses linked to devices that had been hacked, authorities said. A message posted on the service’s website and viewed Friday confirmed that its domain had been seized by the DOJ.
The Russian network initially hacked time clocks, routers, audio and video streaming equipment, and smart garage door openers, all of them internet-connected devices, giving the hackers access to their IP addresses, according to the DOJ.
READ THE STORY: The Hill
DeadBolt ransomware takes another shot at QNAP storage
FROM THE MEDIA: QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.
The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.
READ THE STORY: The Register
Energy Department Releases Strategy to Build Cyber-Resilient Energy Systems
FROM THE MEDIA: The Department of Energy this week released its national Cyber-Informed Engineering Strategy that provides guidance for building resilient energy systems that can withstand cyber-attacks.
At its core, the strategy—a multi-stakeholder effort resulting from the 2020 National Defense Authorization Act—encourages the incorporation of cybersecurity technology early in the engineering process to lessen the cyber risk from foreign actors.
“Building a powerful and resilient grid that can withstand the full gamut of modern cyber threats begins at the design level,” Secretary of Energy Jennifer M. Granholm said in a statement. “Through this strategy, DOE is laying out a framework for ensuring the once-in-a-generation investment from the Bipartisan Infrastructure Law secures our energy sector and delivers a stronger, cleaner electric grid.”
READ THE STORY: NextGov
Welcome to the time of Cyber Assassination - You’re Under the Radar.
FROM THE MEDIA: In this hyper-connected world, cyber attacks that threaten the internet are a terrifying prospect. Cyber-attacks exploit vulnerabilities in computer systems and networks, or trick users, to gain illegal access with the intent to steal, destroy or manipulate data and systems. Cyber-attacks in various forms have become a global problem. The real world and the virtual world have become deeply interdependent, and cybercrime, cyber terrorism, cyber warfare and the like have increased accordingly.
Cyberterrorism is the intentional use of computers, networks, and the public internet to cause destruction and harm for personal objectives. It is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
Cyberwar has been described as a revolution in military affairs, a transformation of technology and doctrine capable of overturning the prevailing world order. This characterization of the threat from cyberwar, however, reflects a common tendency to conflate means and ends.
READ THE STORY: Analytics Insight
IOTW: BlackCat ransomware strikes Italian university
FROM THE MEDIA: Microsoft published details about BlackCat ransomware, also known as ALPHV, in the same week an Italian university was added to the ransomware gang’s list of victims.
According to cyber security organization BetterCyber, the University of Pisa was added to BlackCat’s list of victims on 11 June with the message “Let’s play, the university goes to sleep, the mafia wakes up?”
The gang has requested a US$4.5mn ransom by 16 June, which will increase to US$5mn if the deadline passes, according to Italian news site Cybersecurity360.
The outlet shared a screenshot of the compromised network page which appears to invite the victim to speak to the gang about the ransom via an online chatroom.
READ THE STORY: CSHUB
Hackers Also Have Financial Reporting And Quotas
FROM THE MEDIA: “We recognize an increase in the focus and effectiveness of attacks. Hackers today work in shifts and act as a business organization for all intents and purposes to bring ROI on their effort,” said Dr. Yaniv Harel, SVP Cyber Defense at Signia, speaking at a conference on the future of cyber and fintech in Israel.
Have global firms ever looked at the monthly losses cybercriminals and hackers endure? Did Gartner or Forrester consider doing an ROI or ROA from the cyber criminal’s perspective?
Our industry may be asking the wrong question. We should not be focused so much on the organization’s return on investment or return on assets around security spending; we should consider for a moment that every significant security awareness training, every adaptive control, and every security policy makes the task of “being hacked” even more expensive for the cybercriminals.
READ THE STORY: Security Boulevard
Russian Botnets Infect Millions of Devices Worldwide
FROM THE MEDIA: A Russian-based cybercrime organization that hacked into millions of electronic devices around the world and sold their internet identities for other criminals to use has been disrupted in a joint law enforcement operation that spanned the U.S., Europe and United Kingdom, the U.S. Attorney's Office in San Diego said Thursday. The target of the investigation, a botnet known as RSOCKS, has been dismantled as a result, the office said.
Victims that have been confirmed thus far, including at least six in San Diego County, range from large public and private entities — including a university, a hotel, a television studio and an electronics manufacturer — to home businesses and individuals, according to investigators. None were publicly identified.
READ THE STORY: GOVTECH
The Reply Guy From Hell
FROM THE MEDIA: Reply guys. Maybe you’ve got one, maybe you are one. If you’re a public person online, and especially if you’re a woman, you tend to attract a few fans or detractors who respond to every single thing you post. Sometimes those interactions can be obnoxious. Sometimes, they can be so much worse.
Today’s Cyber is about a reply guy from hell, a person who—for almost two decades—has used the internet to wage sustained harassment campaigns against multiple women. It’s a bizarre and disturbing story that involves Twitter DMs, revenge porn, and Animal Crossing.
READ THE STORY: Vice
Ransomware attacks increasingly target Latin American governments
FROM THE MEDIA: Inadequate cyber resources have made Latin American countries attractive targets for ransomware attacks, CyberScoop reports. Latin American governments have been facing a "sustained increase" in database leaks and initial access sales since March, with most ransomware threat actors likely leveraging compromised credentials and session cookies as vectors for their attacks, a report from Recorded Future's Insikt Group revealed. "We have also identified a significant increase in Q1 2022, beginning in February 2022, of references to domains owned by government entities in [Latin America] on dark web shops and marketplaces such as Russian Market, Genesis Store, and 2easy Shop, relative to the same time period in 2021," researchers said.
READ THE STORY: SCMAG
Lessons from Chaos Monkey: Embracing Chaos to Bring Order to Service Disruptions
FROM THE MEDIA: As much effort as businesses put into making their systems reliable, disruptions can, do, and will happen. Service disruptions are an unavoidable truth even for the most well-prepared operations teams. Whether because of a cloud outage, a ransomware attack, or other failure, services will go down at some point, resulting in lost business, significant recovery costs, and damage to a company’s reputation.
It is much easier to accomplish efficient outage management if the operations team already has experience with handling outages. This is the idea behind chaos engineering, which breaks parts of a software system to give teams real-world practice in fixing them. In the face of a system’s failure, it ensures that crisis mode isn’t panic mode. If the team has seen this before, they can fix the failure confidently and quickly.
READ THE STORY: Toolbox
Items of interest
FROM THE MEDIA: Suspected Iranian hackers targeted the emails of senior Israeli and American officials and executives this month. According to the Israeli cybersecurity firm Check Point, the personal e-mail accounts of these individuals were subject to a variety of phishing attacks that linked references to security issues impacting Iran and Israel. This attack was reported just days after U.S. FBI Director Christopher Wray detailed at a conference how hackers sponsored by the Islamic Republic of Iran attempted to carry out a “despicable” cyber-attack targeting the Boston Children’s Hospital last year.
In recent years, Iran has prioritized strengthening its cyber-warfare offensive capabilities to target its adversaries. Russia and China also possess sophisticated skills in the cyber realm. While the U.S. is largely regarded as the most “cyber-capable” nation, the world’s reliance on digital infrastructure and our adversaries’ improved capabilities have increased the frequency and scale of attacks.
‘The Lazarus Heist’ Is the Gripping Story of North Korean Cybercrime
FROM THE MEDIA: “Remember the 11th of September 2001.” That chilling threat was posted on the internet after North Korea’s cyberattack against Sony Pictures Entertainment in 2014, which aimed to prevent the release of a movie that ends with the death of a fictitious version of North Korean leader Kim Jong Un. In his new book, The Lazarus Heist, investigative journalist Geoff White digs into the fascinating evolution of Pyongyang’s cyberactivities, from terrorism to sanctions evasion to other criminal activities. While the book reads like a typical Hollywood crime drama, in the end the good guys do not win.
White’s engaging prose takes us around the world—Ireland, Macao, South Korea, Bangladesh, China, the Philippines, Slovenia, Malta, the United Kingdom, Canada, and the United States—to document Pyongyang’s cyber-intrusions and other illicit activities. In particular, White comprehensively reviews the record of the North Korean hacking team code-named Lazarus Group by U.S. government investigators.
Much of White’s book draws from information already in the public domain, but his compelling narrative highlights the trail of accomplices and victims that North Korea leaves behind. U.S. law enforcement continues efforts to prosecute North Korean hackers, an admirable goal but extremely unlikely to happen, including the three North Koreans listed on the FBI’s Cyber’s Most Wanted list. The upshot is that “North Korea’s alleged computer hackers get away scot-free, while their accomplices (or some of them, at least) get caught in the net,” as White notes.
READ THE STORY: FP
Hacking Power Plants and Industrial Control Systems (Scada) (Video)
FROM THE MEDIA: This is my second interview with the professional hacker Occupy The Web. In this video we discuss OSINT and hacking industrial control systems (ICS) using SCADA (supervisory control and data acquisition).
Hunting for ICS and Other Tricks on Shodan (Video)
FROM THE MEDIA: If you are interested in sponsoring my videos, please see: https://forms.gle/aZm4raFyrmpmizUC7
In this video I go over hunting for ICS HMIs, webcams and exposed SMB systems on Shodan.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com