Daily Drop (174)
Ransomware groups targeting Mitel VoIP zero-day
FROM THE MEDIA: Ransomware groups are targeting a zero-day affecting a Linux-based Mitel VoIP appliance, according to researchers from CrowdStrike. The zero-day – tagged as CVE-2022-29499 – was patched in April by Mitel after CrowdStrike researcher Patrick Bennett discovered the issue during a ransomware investigation.
In a blog post on Thursday, Bennett explained that after taking the Mitel VoIP appliance offline, he discovered a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.”
READ THE STORY: The Record
Chinese APT group likely using ransomware attacks as cover for IP theft
FROM THE MEDIA: A China-based advanced persistent threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyberespionage and intellectual property theft.
In all of the attacks, the threat actor has used a malware loader called the HUI Loader — associated exclusively with China-backed groups — to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at SecureWorks who are tracking the group as “Bronze Starlight” say it’s a tactic they have not observed other threat actors use.
READ THE STORY: Urgent Comm
Attackers keep targeting VMware Horizon, exploiting unpatched Log4Shell
FROM THE MEDIA: Malicious actors continue to dog VMware Horizon and Unified Access Gateway server deployments, capitalizing on unpatched Log4Shell, the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory with the U.S. Coast Guard Cyber Command.
The agencies are calling for organizations to update all VMware Horizon and UAG systems and, if fixes weren’t applied in Dec. 2021, organizations should consider their systems compromised and start threat hunting.
READ THE STORY: Cyber Security Dive
This new malware diverts cryptocurrency payments to attacker-controlled wallets
FROM THE MEDIA: A clipper malware is a piece of software that, once running on a computer, will constantly check the content of the user’s clipboard and look for cryptocurrency wallets. If the user copies and pastes the wallet somewhere, it is replaced by another wallet, owned by the cybercriminal.
This way, if an unsuspecting user uses any interface to send a cryptocurrency payment to a wallet, which is generally done by copying and pasting a legitimate destination wallet, it gets replaced by the fraudulent one.
READ THE STORY: TechRepublic
Fast Shop Brazilian retailer discloses "extortion" cyberattack
FROM THE MEDIA: Fast Shop, one of Brazil's largest retailers, has suffered an 'extortion' cyberattack that led to network disruption and the temporary closure of its online store.
Fast Shop is an online retailer selling a wide range of products, including computers, smartphones, gaming consoles, furniture, beauty products, and home appliances. The retailer has been active in Brazil since 1986 and currently operates 86 physical locations, with its website and app counting over six million visits monthly.
READ THE STORY: BleepingComputer
Scalper bots are snapping up appointments for government services in Israel
FROM THE MEDIA: Scalper bots are causing chaos for the Israeli government by trying to turn access to public services into a cash cow. Bots, otherwise known as web robots, are automatic systems programmed to perform specific functions.
Not all bots are bad; some index web content, others provide chat functions for business customers, and you may come across bots that run checks to find you the best product deals. However, so-called 'bad' bots can also be programmed to perform brute-force attacks, disrupt web services, and more.
READ THE STORY: ZDNET
Without Conti on the Scene, LockBit 2.0 Leads Ransomware Attacks
FROM THE MEDIA: The latest report from NCC Group's threat intelligence team shows LockBit 2.0 maintained its top spot among ransomware groups, launching 40% of all attacks in May. Black Basta, which was discovered in April, along with Hive were behind 7% of attacks last month.
“Conti’s possible shutdown represents a significant change for the ransomware threat landscape, and it cannot go ignored," said Matt Hull, global lead for strategic threat intelligence at NCC Group, in a statement announcing the ransomware attack report findings. "It will be interesting to see which smaller groups replace it as it rebrands, and how these new or evolved actors will behave – which NCC Group will of course continue to monitor.”
READ THE STORY: Dark Reading
Ransomware Gang Uses Log4Shell
FROM THE MEDIA: Log4Shell is the vulnerability that keeps giving with yet another ransomware group at work exploiting a bug present in a ubiquitous open-source data-logging framework.
Analysis by Cisco Talos shows actors affiliated with ransomware-as-a-service group AvosLocker exploiting unpatched VMware virtual desktop software containing the vulnerability.
The Apache Software Foundation in December set off a global race between systems administrators and hackers when it fixed a bug identified by security researchers in the Java-based Log4j logging utility. Despite a flurry of warnings, some systems remain open to hackers exploiting unpatched systems.
READ THE STORY: Bank InfoSecurity
US arm of Japanese automotive hose maker Nichirin pauses production after ransomware attack
FROM THE MEDIA: Japanese automotive hose giant Nichirin was forced to pause production this week after a US subsidiary was hit with ransomware. In a statement, the company said it first discovered the ransomware attack on June 14. Servers at the US subsidiary – which is based in El Paso, Texas – were shut down in an effort to contain the attack.
Nichirin confirmed that none of its other subsidiaries were affected by the attack. “We are proceeding with countermeasures and restoration for the blocked network. Currently, the [US subsidiary’s] production control system is also shut down, but we are manually producing and shipping,” the company explained.
READ THE STORY: The Record
Hacker selling access to 50 vulnerable networks through Atlassian vulnerability
FROM THE MEDIA: A hacker is selling access to 50 vulnerable networks on a cybercriminal forum after breaking into systems through the recently-discovered Atlassian Confluence zero-day.
The Rapid7 Threat Intelligence team told The Record that it found an access broker on the Russian-language forum XSS selling root access to 50 vulnerable networks – all allegedly within the United States.
Erick Galinkin, principal AI Researcher at Rapid7, said the access was gained through CVE-2022-26134, a widely-discussed unauthenticated remote code execution vulnerability. A patch for the bug was released earlier this month after the zero-day was discovered in May.
READ THE STORY: The Record
ToddyCat claws at Asian governments
FROM THE MEDIA: Researchers are monitoring an advanced persistent threat (APT) codenamed ToddyCat that has been linked to attacks on government and military entities in Europe and Asia since at least December 2020. Using an unknown exploit to deploy the Chopper web shell, the group targets Microsoft Exchange servers to activate a multistage infection chain ultimately leading to Samurai, a backdoor that allows the attackers to move laterally within the compromised network.
It is unclear if this operation is connected to a similar APT Avast was tracking a couple years ago, which also attacked the same kinds of targets but used Gh0st RAT to install its backdoors. “This seems to be a nation-state sponsored attack, due to the nature of the targeted victims and the complexity of the attack chain,” commented Avast Security Evangelist Luis Corrons. “Although there is evidence that points to the possible country behind this attack, attribution requires more indicators. It is still too early to have a final answer.” For more on this story, see The Hacker News.
READ THE STORY: Security Boulevard
TridentCare Confirms Data Breach After Criminal Breaks into Office and Steals Hard Drives
FROM THE MEDIA: According to the notice posted on the company’s website, on April 17, 2022, a group of unauthorized individuals broke into one of TridentCare’s offices, removing multiple hard drives and other equipment from the facility. In response, TridentCare notified law enforcement and then engaged the assistance of cybersecurity and data recovery professionals to investigate the incident as well as its impact on the company’s patients.
The results of the investigation confirmed that there was patient data contained on the hard drives. However, the investigative team believes, although it cannot confirm, that the data was corrupted and, thus, inaccessible. If the data was not corrupted, TridentCare notes that “it would have required certain technical capabilities to access the data.”
READ THE STORY: JD Supra
The psychology of phishing attacks
FROM THE MEDIA: In cybersecurity, the human condition is the most frequent — and easiest — target. For threat actors, exploiting their human targets is usually the lowest hanging fruit instead of developing and deploying an exploit. As a result, adversaries often target the employees of an organization first, usually through phishing attacks.
Phishing is a social engineering attack where threat actors send fraudulent communications, usually emails, that appear to be from a trusted source and impart a sense of timeliness to the reader. The FBI’s 2021 Internet Crime Report analyzed data from 847,376 reported cybercrimes and found a sharp uptick in the number of phishing attacks, increasing from 25,344 incidents in 2017 to 323,972 in 2021.
READ THE STORY: VentureBeat
International Law Enforcement Partnership Takes Down Russian Botnet; Illicit Proxy Service Had Been Selling Hacked IP Addresses
FROM THE MEDIA: The US Department of Justice (DOJ), in partnership with law enforcement agencies from several European countries, has taken down a major Russian botnet that had compromised millions of devices worldwide. The botnet was essentially functioning as an underground proxy service provider for criminals, allowing for rental of the IP addresses attached to its collection of hacked IoT devices, Android phones and computers.
RSOCKS is a Russian botnet that has been active since at least 2014, the first point at which its handlers began to advertise it openly on underground forums in the country. Over the years the botnet has amassed millions of devices in its collection, first focusing on compromising poorly secured Internet of Things (IoT) devices but soon moving on to include Android phones/tablets and even computers.
READ THE STORY: CPO MAG
High Intensity Warfare (HIW): Technology trends
FROM THE MEDIA: In the past 100 years of conflict, the victors in a high intensity warfare (HIW) scenario have often been determined based on either quantitative or technological overmatch in air, land, and sea. However, considering the significant advances in technology and wider shifts in socioeconomic norms since the end of the Cold War, strategists are having to contend with a new operational environment that is more populated, urbanized, digitized, and interconnected than ever before.
Though the current state of this technology remains fundamentally too underdeveloped to radically affect the conduct of HIW, AI/ML is widely regarded as one of the most promising and important disruptive technologies that could be employed in future armed conflicts. It can be expected that AI/ML capabilities would most likely be employed by geopolitical powerhouses such as the US, China, and Russia, increasing the likelihood that they would be included in any HIW operations plans.
READ THE STORY: Army Tech
Remote Driving Could Be Exploited by Cyber-Attackers and Terrorists
FROM THE MEDIA: Remotely driven cars could make it easier for terrorists to launch attacks as they can avoid being in a crash or facing their victims, the Law Commission said on Friday.
Cybersecurity, in general, is also “an issue of acute public concern,” the Commission said, noting that the Society of Motor Manufacturers had said failure in this area may “undermine public confidence in the technology” and also “present genuine risks to public safety.”
It’s part of the risks laid out by the Law Commission—an independent body that advises the government on the law—in its consultation paper (pdf) on how to regulate remote driving in England and Wales.
READ THE STORY: The Epoch Times
Ukraine deploys a DDoS protection service to survive the cyberwar
FROM THE MEDIA: Yesterday, cybersecurity provider Radware announced that Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) is using Radware’s Cloud DDoS Protection and Cloud Web Application Firewall (WAF) service to protect itself amid the ongoing Russia-Ukraine war.
READ THE STORY: Venture Beat
Sega Announces A USB Cyber Stick Controller For The Mega Drive Mini 2
FROM THE MEDIA: Sega announced the next 11 games coming to the company's next mini console, the Mega Drive Mini 2. But that's not the only thing it revealed during the latest livestream.
In a bit of a surprise announcement, Sega unveiled a new USB controller — based on the classic SHARP Cyber Stick — that will be compatible with the tiny console. The controller was known for having both digital and analogue joystick modules, and it was compatible with multiple systems including the X68000, the PC98 series, and the PC Engine (if you had the Micomsoft XHE-3 adaptor).
READ THE STORY: NintendoLife
Items of interest
Another warning of spyware in use against targets in Italy and Kazakhstan.
FROM THE MEDIA: Google's Threat Analysis Group reported late yesterday that spyware developed by the Italian firm RCS has been found in use against targets in Italy and Kazakhstan. "Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan," the report said. Targets appear to have been infected by phishing or through the installation of malicious apps, and the malware comes in both iOS and Android versions. One surprising conclusion is that in some cases the spyware operators worked with the victims' ISPs to “disable the target’s mobile data connectivity.”
In some cases RCS had earlier cooperated in its business with the now-defunct Hacking Team. The tools RCS apparently sold to government customers were described last week by researchers at Lookout under the name "Hermit." TechCrunch reports that Google is notifying the victims it's been able to identify.
READ THE STORY: The CyberWire
OSINT At Home #2 - Five ways to find EXIF/metadata in a photo or video (Video)
FROM THE MEDIA: Metadata is key to finding clues when it comes to images, videos, documents or any other file type for that matter. In this day and age, it is increasingly rare to come across a full set of metadata. But in case there is a wide spread of information, such as who created a file, where it was made and when it was made, it’s good to know some basic ways to check for that attached information.
OSINT At Home #3 – Advanced Search Operators with Translate (Video)
FROM THE MEDIA: At the outset, Google ‘Dorks’ (also referenced as Google Advanced Search techniques) and the Google Translate feature are simple tools, but the use of those tools combined can be quite powerful. While this tutorial is created for those starting out in the world of open source investigations, it shows that through a bit of flexibility in your online processes, you can start to pick up more information and be more precise in your online research.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at firstname.lastname@example.org