Tuesday, June 28, 2022 // (IG): BB // Weekly Sponsor: Dataminr
Conti retires its brand, and LockBit 2.0 is now #1 in ransomware. Ransomware often skips encryption. Notes from Russia's hybrid war
FROM THE MEDIA: Conti seems to have retired, as a brand. BleepingComputer reports that the gang shut down its data leak and negotiation sites last Wednesday, and they seem to have remained down, at least for the rest of the week. Observers read this as the retirement of the brand, not the retirement (still less the reform) of the criminals behind it. "Some of the ransomware gangs known to now include old Conti members include Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revitalized Quantum operation," BleepingComputer writes. "Other members have launched their own data extortion operations that do not encrypt data, such as Karakurt, BlackByte, and the Bazarcall collective."
READ THE STORY: The CyberWire
Iranian Government Behind Ransomware Attack On Boston Children’s Hospital
FROM THE MEDIA: On Wednesday, June 1, FBI Director Christopher Wray confirmed that the Iranian government was responsible for the cyberattack on Boston Children’s Hospital last year. The hospital’s computer network was hacked in this attack, a violation against U.S. healthcare that has been increasingly frequent in recent years. According to the Wall Street Journal, the potential damage done to the hospital had been thwarted ahead of time; however, it remains significant that a ransomware attack, typically executed by individuals, had been commissioned by a foreign government.
As reported by 10 Boston, the FBI worked closely with the Boston Children’s Hospital following the attack to discuss establishing tighter protection and protocols in case something similar happens again. Focus on potential future attacks is representative of the increasing regularity of cyberattacks and informal methods of conflict between states.
READ THE STORY: OWP
Venezuela Is Becoming a Chinese and Russian Cyber Hub on America’s Doorstep
FROM THE MEDIA: In the last decade, Venezuela has quickly become a hub for Russian and Chinese cyber technologies in the Western hemisphere. In an effort to expand its grip on power, the Maduro regime in Caracas has allowed the country to become a laboratory for digital surveillance and authoritarian social control. Moscow and Beijing are thus able to project their global ambitions into the Western hemisphere by sending their cybersecurity know-how and infrastructure to Venezuela. In other words, it’s a win-win exchange for both sides as they carve out an anti-American cyber partnership in Latin America.
READ THE STORY: National Interest
Behold this drone-dropping rifle with two-mile range
FROM THE MEDIA: What's said to be a Ukrainian-made long-range anti-drone rifle is one of the latest weapons to emerge from Russia's ongoing invasion of its neighbor.
The Antidron KVS G-6 is manufactured by Kvertus Technology, in the western Ukraine region of Ivano-Frankivsk, whose capital of the same name has twice been subjected to Russian bombings during the war. Like other drone-dropping equipment, we're told it uses radio signals to interrupt control, remotely disabling them, and it reportedly has an impressive 3.5 km (2.17 miles) range.
READ THE STORY: The Register
Pro-Russia hackers claim responsibility for 'intense, ongoing' cyberattack against Lithuanian websites
FROM THE MEDIA: An "intense, ongoing" cyberattack has hit the websites of government agencies and private firms in Lithuania, the Baltic country's defense ministry said Monday. A Russian-speaking hacking group, known as Killnet, claimed responsibility for at least some of the hacks, saying they were in retaliation for Lithuania blocking the shipment of some goods to the Russian enclave of Kaliningrad, which is wedged between Lithuania and Poland.
Monday's cyberattacks were aimed in part at Lithuania's Secure Data Transfer Network, a communications network for government officials that is built to withstand war and other crises, according to the defense ministry. "Part of the Secure National Data Transfer Network users have been unable to access services, work is in progress to restore it to normal," Lithuania's National Cyber Security Centre (NKSC) said in a statement issued by the defense ministry.
READ THE STORY: CNN
CISA Warns of Continued Log4Shell Exploits in VMware Horizon Systems
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) released a joint cybersecurity advisory to warn organizations of continued Log4Shell (CVE-2021-44228) exploits in VMware Horizon Systems.
Experts have observed threat actors, including state-sponsored advanced persistent threat (APT) actors, leveraging Log4Shell in VMware Horizon and Unified Access Gateway (UAG) servers. The exploits have largely impacted organizations that had not previously applied available patches or workarounds.
READ THE STORY: Health IT Security
An APT group uses ShadowPad backdoor and MS Exchange vulnerability
FROM THE MEDIA: In mid-October 2021, Kaspersky ICS CERT discovered a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organizations in several Asian countries. During the initial attacks, the group exploited MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims.
A building automation system (BAS) connects all the functions inside the building – from electricity and heating to fire and security – and is managed from one control center. Once a BAS is compromised, all processes within that organization are at risk, including those relating to information security.
READ THE STORY: Zawya
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
FROM THE MEDIA: Researchers in Korea have identified threat actors targeting companies with emails claiming copyright infringement that contain ransomware. AhnLab Security Emergency Response Center (ASEC) has collected evidence of emails sent to companies with a password-protected compressed file attached, within which lies LockBit 2.0 ransomware disguised with a PDF file icon. Although the research pointed to an active campaign by threat actors within the Republic of Korea, the widespread nature of LockBit 2.0 means there is real potential that the same methods could soon be used to target firms in Europe and the US.
In recent attacks, emails have been spotted carrying a file that appears to contain the images of licensed content in dispute. Such emails may contain the name of actual artists, to add to their legitimacy, and follow a similar scam in which such files were passed off as resumes.
READ THE STORY: IT PRO
Pro-Russia threat group Killnet is pummeling Lithuania with DDoS attacks
FROM THE MEDIA: Internet services in Lithuania came under "intense" distributed denial of service attacks on Monday as the pro-Russia threat-actor group Killnet took credit. Killnet said its attacks were in retaliation for Lithuania's recent banning of shipments sanctioned by the European Union to the Russian exclave of Kaliningrad.
Lithuania's government said that the flood of malicious traffic disrupted parts of the Secure National Data Transfer Network, which it says is "one of the critical components of Lithuania's strategy on ensuring national security in cyberspace" and "is built to be operational during crises or war to ensure the continuity of activity of critical institutions." The country's Core Center of State Telecommunications was identifying the sites most affected in real time and providing them with DDoS mitigations while also working with international web service providers.
READ THE STORY: ArsTechnica
Return of the Evilnum APT with updated TTPs and new targets
FROM THE MEDIA: The new instances of the campaign use updated tactics, techniques, and procedures. In earlier campaigns observed in 2021, the main distribution vector used by this threat group was Windows Shortcut files (LNK) sent inside malicious archive files (ZIP) as email attachments in spear phishing emails to the victims.
In the most recent instances, the threat actor has started using MS Office Word documents, leveraging document template injection to deliver the malicious payload to the victims’ machines. In this blog, we present the technical details of all components involved in the end-to-end attack chain. At the time of writing, to the best of our knowledge, the complete attack chain of this new instance of Evilnum APT group is not publicly documented anywhere.
READ THE STORY: SecurityBoulevard
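Two of the items above (the LockBit 2.0 "copyright infringement" mails with a password-protected archive hiding an executable behind a PDF icon, and the earlier Evilnum lure of Windows shortcut files inside ZIP attachments) share one gateway-side control: open the archive before delivery and hold anything that a legitimate copyright notice or resume would never contain. The script below is an added example of that triage, written for this digest and not taken from ASEC, Zscaler, or any of the cited articles. The sample archive, its entry names and the byte stubs standing in for an executable and a shortcut are all constructed fixtures; the password-protected variant is produced by setting the ZIP "encrypted" flag on a normal archive, which is enough to make the reader treat it as locked.

```python
"""Mail-gateway triage of ZIP attachments (added example; all samples constructed)."""
import io
import zipfile
from typing import Dict, List, Tuple

# Types that should never arrive in an unsolicited archive: executables and the
# Windows shortcut (.lnk) files used as a lure in the earlier Evilnum campaign.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta"}
# Document types whose names get borrowed to make an executable look harmless.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}

Finding = Tuple[str, str]  # (entry name, reason it was flagged)


def triage_archive(data: bytes) -> List[Finding]:
    """Return every reason an archive attachment should be held for review."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            if encrypted:
                findings.append((info.filename, "password-protected entry; content cannot be scanned"))
            if ext in EXECUTABLE_EXT:
                findings.append((info.filename, f"executable or shortcut file ({ext})"))
            if len(parts) > 2 and ext in EXECUTABLE_EXT and "." + parts[-2] in DOCUMENT_EXT:
                findings.append((info.filename, f"double extension disguises {ext} as .{parts[-2]}"))
            if not encrypted:
                # An icon can be faked, the PE magic cannot: check content, not just the name.
                with zf.open(info) as fh:
                    magic = fh.read(2)
                if magic == b"MZ":
                    findings.append((info.filename, "PE executable content regardless of name"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Policy decision: any finding at all holds the message for a human."""
    return "quarantine" if findings else "deliver"


# Constructed sample attachment modelled on the lures: a "copyright evidence" executable
# with a .pdf double extension, a shortcut file, and one harmless note.
SAMPLE_ENTRIES: Dict[str, bytes] = {
    "copyright_evidence.pdf.exe": b"MZ" + b"\x00" * 62,     # PE magic only, not a real program
    "license_photos.lnk": b"L\x00\x00\x00" + b"\x00" * 16,   # shortcut header bytes only
    "readme.txt": b"Please review the attached images.",
}


def build_sample_archive(entries: Dict[str, bytes], password_protected: bool = False) -> bytes:
    """Build a ZIP in memory; optionally mark every entry as encrypted (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = buf.getvalue()
    if password_protected:
        # Set the "encrypted" flag in each central-directory header so the reader
        # sees a locked archive, which is what the gateway would encounter.
        out = bytearray(data)
        pos = out.find(b"PK\x01\x02")
        while pos != -1:
            out[pos + 8] |= 0x01
            pos = out.find(b"PK\x01\x02", pos + 4)
        data = bytes(out)
    return data


if __name__ == "__main__":
    for locked in (False, True):
        found = triage_archive(build_sample_archive(SAMPLE_ENTRIES, password_protected=locked))
        print("locked" if locked else "plain", verdict(found))
        for name, reason in found:
            print(f"  {name}: {reason}")
```

Usage note: the password-protected case is the important one for the LockBit mailing. The gateway cannot see the payload, so the policy has to decide on the archive's own properties (encrypted entries, entry names, the mail's unsolicited nature) rather than wait for a content match; this is why "hold encrypted archives from external senders" is a common baseline rule.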
Android Spyware Discovered in Kazakhstan in Wake of Protests Against National Government
FROM THE MEDIA: Android spyware developed by RCS Labs, a company in the same market as notorious Pegasus spyware developer NSO Group, has been discovered in Kazakhstan only months after protests against the government were met with violence. Security researchers with Lookout Threat Lab did not specify who the specific targets of the Android spyware were, but raised concerns based on the timing and the fact that a threat actor appears to have deployed it in Syria in opposition to the Syrian Defense Forces.
The Lookout researchers indicate there is evidence to suggest that the national government of Kazakhstan deployed the Android spyware within its borders. This follows an extended period of unrest in the country that dates back to January 2022, when citizens took to the streets in protest of a sharp and sudden rise in gas prices due to a government policy change. The protests spread quickly across the country and some turned into riots, prompting a government declaration of a state of emergency and authorization of the use of lethal force by the president. Roughly a week of violence led to 227 deaths and over 9,000 arrests.
READ THE STORY: CPO MAG
It's a Race to Secure the Software Supply Chain — Have You Already Stumbled?
FROM THE MEDIA: The digital world is ever-increasing in complexity and interconnectedness, and that's nowhere more apparent than in software supply chains. Our ability to build upon other software components means we innovate faster and build better products and services for everyone. But our dependence on third-party software and open source increases the complexity of how we must defend digital infrastructure.
Our recent survey of cybersecurity professionals found one-third of respondents monitor less than 75% of their attack surface, and almost 20% believe that over half of their attack surface is unknown or not observable. Log4Shell, Kaseya, and SolarWinds exposed how these statistics can manifest as devastating breaches with wide-reaching consequences. Cybercriminals already know supply chains are highly vulnerable to exploitation.
READ THE STORY: Darkreading
Israel cyber chief: Iran has become our dominant rival in cyber
FROM THE MEDIA: Iran has become our dominant rival in cyber together with Hezbollah and Hamas, Israel National Cyber Directorate (INCD) Chief Gaby Portnoy said on Tuesday. Speaking at Tel Aviv University’s Cyber Week, he said, “We see them, we know how they work and we are there.” Portnoy made his comments a day after Iran’s steel industry took one of its biggest cyber hits in history, bringing it to a grinding halt and only days after an Iranian cyberattack on Israel’s siren early warning systems in Jerusalem and Eilat.
The INCD chief said Israel is building a “cyber iron dome” which will elevate cybersecurity by using new mechanisms with cyber parameters that will “reduce cyberattacks, provide new big data and an AI overall approach to synchronize nationwide real-time detection… for ongoing cyber defense efforts.”
READ THE STORY: JPOST
Iranian Steelmaker Halts Production Following Cyberattack
FROM THE MEDIA: A major Iranian steel producer halted operations with a self-styled hacktivist group taking credit for an industrial system hack leading to a production-line explosion.
Recently identified threat actor Gonjeshke Darande - it means "Predatory Sparrow" in Persian - released video on Twitter purporting to show a foundry in the Khouzestan Steel Company going up in flames as the result of a cyberattack.
The group claims to have also targeted two other state-owned steel plants: Mobarakeh Steel Company, the largest steel producer of the Middle East, and the Hormozgan Steel Company. Information Security Media Group could not immediately establish the veracity of the claims.
READ THE STORY: Bank InfoSecurity
Cybersecurity Experts Warn of Emerging Threat of "Black Basta" Ransomware
FROM THE MEDIA: The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window.
"Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason said in a report.
Evidence indicates the ransomware strain was still in development as recently as February 2022, and only started to be used in attacks starting April after it was advertised on underground forums with an intent to buy and monetize corporate network access for a share of the profits.
READ THE STORY: THN
LockBit 3.0 introduces the first ransomware bug bounty program
FROM THE MEDIA: The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.
The ransomware operation launched in 2019 and has since grown to be the most prolific ransomware operation, accounting for 40% of all known ransomware attacks in May 2022. Over the weekend, the cybercrime gang released a revamped ransomware-as-a-service (RaaS) operation called LockBit 3.0 after beta testing for the past two months, with the new version already used in attacks.
READ THE STORY: Bleeping Computer
State Department cyber strategy emphasizes proactively hunting for threats
FROM THE MEDIA: The State Department Bureau of Intelligence and Research (INR) released a cybersecurity strategy Monday meant to address what the bureau’s chief called “technical debt” and to create a more proactive culture when it comes to finding and fixing vulnerabilities.
The strategy document focuses on what INR is doing to “strengthen the security of the department’s top secret computing environment and improve how we manage cyber risk.”
A key element of the strategy involves migrating to the cloud. The strategy document emphasizes the need to prioritize and leverage new technologies and “establish modern IT infrastructure, software, hardware, and systems.” The strategy also focuses on the need to deploy “real-time threat based security functions.”
READ THE STORY: The CyberScoop
Ransomware attacks are costing US schools and colleges billions
FROM THE MEDIA: The number of ransomware attacks against schools and colleges in the US may be starting to fall, but they remain a serious threat, impacting hundreds of thousands of students and costing the institutions billions in expenses.
Analyzing publicly available data on ransomware attacks against education institutions since 2018, Comparitech has found that in 2021 there had been 67 individual ransomware attacks affecting 954 schools and colleges. This represents a 19% decrease from a year before, when 83 attacks were registered, affecting 1,753 institutions.
READ THE STORY: TechRadar
Cyber Threats Beyond Earth: Securing In-Space Manufacturing
FROM THE MEDIA: Our global society is heavily dependent on space-based technologies. Most of us are aware that space positioning, weather and communications systems are critical to our transportation activities. I’m writing this article on a plane that is using GPS to route my flight safely around severe weather patterns that have been identified by satellites. If I finish this article inflight, I’ll upload it for publication at Forbes via a geosynchronous communications satellite.
Still, many people would be surprised to learn that modern factories also depend on satellites. Manufacturing automation systems synchronize the operations of multiple robots on their production lines using the timing signals provided by GPS satellites. In fact, GPS is really a collection of 24 (plus spares) orbiting atomic clocks, each continually broadcasting time data. Your Uber is guided by tiny differences in the time signal emanating from four or more satellites, induced by the signal delay to your relative position. Knowing the speed of light (299,792,458 m/s), your phone calculates the distances and locates your position with simple trigonometry … simple for a smartphone anyway.
READ THE STORY: Forbes
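The passage above compresses the whole positioning calculation into "simple trigonometry", and it is worth seeing why four or more satellites are needed rather than three: the receiver's own clock is not an atomic clock, so every measured transit time carries the same unknown offset, and that offset is solved for as a fourth unknown alongside x, y and z. The code below is an added example written for this digest, not from the Forbes article or any GPS vendor; it uses the article's speed-of-light figure, constructs satellite positions and a receiver position in an Earth-centred frame (all values made up, in metres), builds the pseudoranges a receiver would measure, and recovers position and clock bias with a Gauss-Newton least-squares fit using only the standard library.

```python
"""Pseudorange positioning from satellite time signals (added example; constructed data)."""
import math
from typing import List, Sequence, Tuple

C = 299_792_458.0  # speed of light in m/s, the figure quoted in the article

Vec3 = Tuple[float, float, float]

# Constructed: five satellites at roughly GPS orbital radius (~26,500 km), Earth-centred
# coordinates in metres, and a receiver near the Earth's surface. Not real ephemeris.
SATELLITES: List[Vec3] = [
    (15.6e6, 7.5e6, 19.8e6),
    (-3.0e6, 12.0e6, 23.2e6),
    (10.5e6, -21.0e6, 12.3e6),
    (-12.0e6, -15.0e6, 18.5e6),
    (20.0e6, -5.0e6, 16.0e6),
]
TRUE_RECEIVER: Vec3 = (1.2e6, -4.6e6, 4.2e6)
TRUE_CLOCK_BIAS_S = 3.5e-4  # receiver clock runs 350 microseconds fast (~105 km of range)


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def pseudoranges(sats: Sequence[Vec3], receiver: Vec3, clock_bias_s: float) -> List[float]:
    """What the receiver actually measures: transit time * c, inflated by its clock error."""
    return [distance(s, receiver) + C * clock_bias_s for s in sats]


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


def fix_position(sats: Sequence[Vec3], rho: Sequence[float], iterations: int = 20) -> Tuple[Vec3, float]:
    """Gauss-Newton fit for (x, y, z, clock bias). Needs at least four satellites."""
    if len(sats) < 4:
        raise ValueError("four unknowns (x, y, z, clock bias) need at least four satellites")
    # Unknowns: position in metres plus the clock bias expressed as a range (c * dt), so all
    # four columns of the Jacobian are of similar scale. Start at the Earth's centre.
    est = [0.0, 0.0, 0.0, 0.0]
    for _ in range(iterations):
        jac, res = [], []
        for s, measured in zip(sats, rho):
            r = distance(s, est[:3])
            jac.append([-(s[k] - est[k]) / r for k in range(3)] + [1.0])
            res.append(measured - (r + est[3]))
        # Normal equations (J^T J) delta = J^T res
        jtj = [[sum(row[a] * row[b] for row in jac) for b in range(4)] for a in range(4)]
        jtr = [sum(row[a] * r for row, r in zip(jac, res)) for a in range(4)]
        delta = solve_linear(jtj, jtr)
        est = [e + d for e, d in zip(est, delta)]
        if max(abs(d) for d in delta) < 1e-6:  # converged to the micrometre
            break
    return (est[0], est[1], est[2]), est[3] / C


if __name__ == "__main__":
    rho = pseudoranges(SATELLITES, TRUE_RECEIVER, TRUE_CLOCK_BIAS_S)
    pos, bias = fix_position(SATELLITES, rho)
    print("position (m):", [round(p, 3) for p in pos])
    print("clock bias (s):", bias)
```

Design note: the bias term is why a factory's GPS-disciplined clock is only as trustworthy as the signals it receives; the solver has no independent time reference and takes whatever offset makes the ranges consistent. Dropping the satellite list to three makes the normal equations singular, which is the arithmetic behind the article's "four or more".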
Possible Ransomware Attack Allegedly Impacting Wabtec
FROM THE MEDIA: Multiple sources who work at Wabtec's Erie plant told Erie News Now a possible ransomware attack is allegedly impacting the ability of employees to log onto the company network and do their jobs. The first reports came into our newsroom late Monday morning. According to a source, some employees were met at the plant gate and told not to log on to their computers. Other employees working from home are also reportedly unable to connect their laptops to the company network.
Erie News Now reached out to several communication officials for Wabtec to validate the reports of a malware/ransomware attack but have not received any official response from the company as yet. We also contacted Scott Slawson, president of the UE 506 labor union at the plant. He told Erie News Now, "There is some computer difficulty, an IT issue at the plant." Slawson, however, had no details on the nature or scope of the problem. Slawson did say as of now, all union employees are still reporting to work. "We make locomotives, not computers," he said.
READ THE STORY: Erie News Now
Conti ransomware infrastructure dismantled
FROM THE MEDIA: BleepingComputer reports that the Conti ransomware group has completed its shutdown with the dismantling of its two Tor servers for data leaks and ransomware negotiations. Conti was reported by threat intelligence analyst Ido Cohen to have shut down its servers on Wednesday, with BleepingComputer confirming that the servers remained offline yesterday. Conti has been taking apart its infrastructure since last month, following the exposure of its internal chats and ransomware encryptor source code, while its members began transitioning to other ransomware groups; it did leave one member behind to continue threatening Costa Rica.
"The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived," said Advanced Intel in a report last month.
READ THE STORY: SC MAG
GEBE ‘non-cooperative’ with Prosecutor in ransomware cyberattack investigation
FROM THE MEDIA: The Prosecutor’s Office OM SXM and St. Maarten Police Force KPSM have not been able to effectively investigate the BlackByte ransomware attack on St. Maarten’s sole utility company GEBE, “due to NV GEBE’s non-cooperative attitude.” This is evident from a press release sent out by KPSM on the limited results of the “Freya” investigation.
A cyber-attack on GEBE was discovered on March 17, 2022. A message in the computer system indicated that the company had been hacked by “BlackByte”, an organization that focuses on stealing and encrypting data, mainly from companies (ransomware). As a result of the hack, the entire customer database, financial data and other business data were encrypted. During their investigation, OM SXM and KPSM were unable to establish sufficiently what the actual danger to St. Maarten has been due to the hack. “Due to NV GEBE’s non-cooperative attitude, there had been no access to the hacked computer system at any time,” the investigators stated. “Therefore, the “Freya” investigation could not establish what were the exact risks for the country and
READ THE STORY: The Daily Herald
Kronos Workforce Ransomware Attack Is a Teachable Moment
FROM THE MEDIA: In December 2021, Kronos revealed that it had been the victim of a ransomware attack, leading to its customers’ payroll systems being taken down and employee data compromised. So, its customers turned on Kronos. Some of its customers had to resort to contingency arrangements to pay their staff, such as going back to paper checks. Millions of employees were left in administrative limbo, unable to access payroll systems due to the outages.
The ransomware attack targeted Kronos Private Cloud solutions, a data storage site for several of the firm’s services, including UKG Workforce Central, which employees utilize to track hours and manage shifts.
READ THE STORY: Digital Journal
Japan, US to talk semiconductors with eye on China during Economic 2+2 next month
FROM THE MEDIA: The Japanese and U.S. governments have begun coordinating to hold their first diplomatic-economic dialogue with the presence of both nations' foreign and trade ministers. The Japan-U.S. Economic Policy Consultative Committee (Economic 2+2) had previously been held at the vice ministerial level in May. The ministerial Economic 2+2 will likely be held July 29 in Washington with the attendance of Foreign Minister Yoshimasa Hayashi and Economy, Trade, and Industry Minister Koichi Hagiuda, and U.S. Secretary of State Antony Blinken and U.S. Commerce Secretary Gina Raimondo.
After the meeting, a joint statement is expected that will likely touch on measures to shore up semiconductor supply chains. Both sides are also considering taking this opportunity to have Hayashi and Blinken meet to discuss foreign affairs. The 2+2 format traditionally involves foreign and defense ministers discussing security cooperation. Initiating the 2+2 dialogue for economic and diplomatic concerns was agreed on during a teleconference between Prime Minister Fumio Kishida and U.S. President Joe Biden in January.
READ THE STORY: Asian News
Items of interest
Carnival Cruises torpedoed by US states, agrees to pay $6m after waves of cyberattacks
FROM THE MEDIA: Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.
Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.
READ THE STORY: The Register
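The Carnival timeline above is a textbook detection story: the first visible symptom was an internal account sending spam to other addresses, the accounts had been taken over by phishing or password guessing, and nothing on the sign-in side (no MFA) had stopped it. The script below is an added example of the two signals a security operations team would correlate, written for this digest and not from Carnival or any of the cited sources. All sign-in and outbound-mail records are constructed, as are the account names, addresses and thresholds; a real deployment would feed it from the mail platform's audit logs and set thresholds from observed baselines.

```python
"""Flag a hijacked mailbox spamming colleagues (added example; all log lines constructed)."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SignIn = Tuple[str, str, str, bool]   # (timestamp, account, source ip, MFA satisfied)
SentMail = Tuple[str, str, int, str]  # (timestamp, sender, recipient count, subject)

# Constructed sample: one day of sign-ins and outbound mail for three accounts.
SIGNINS: List[SignIn] = [
    ("2019-05-06T07:58", "alice", "10.20.1.14", True),
    ("2019-05-06T08:02", "bob", "10.20.1.22", True),
    ("2019-05-06T02:41", "carol", "203.0.113.9", False),  # password only, unfamiliar address
    ("2019-05-06T08:15", "carol", "10.20.1.31", True),
]
SENT: List[SentMail] = [
    ("2019-05-06T09:10", "alice", 1, "Q2 planning deck"),
    ("2019-05-06T11:40", "alice", 3, "Re: vendor invoice"),
    ("2019-05-06T10:05", "bob", 2, "Lunch?"),
] + [
    # Eight identical credential-harvesting mails, 25 colleagues each, inside one hour.
    ("2019-05-06T09:%02d" % (4 * i), "carol", 25, "Action required: verify your mailbox")
    for i in range(8)
]


def suspicious_senders(sent: List[SentMail], max_per_hour: int = 5,
                       max_repeat_recipients: int = 50) -> Dict[str, List[str]]:
    """Accounts whose outbound mail looks like a spam run rather than a person."""
    per_hour = Counter((sender, ts[:13]) for ts, sender, _, _ in sent)  # ts[:13] = hour bucket
    reached: Dict[Tuple[str, str], int] = defaultdict(int)  # (sender, subject) -> recipients
    for _, sender, rcpt, subject in sent:
        reached[(sender, subject)] += rcpt
    reasons: Dict[str, List[str]] = defaultdict(list)
    for (sender, hour), n in per_hour.items():
        if n > max_per_hour:
            reasons[sender].append(f"{n} messages in hour {hour}")
    for (sender, subject), total in reached.items():
        if total >= max_repeat_recipients:
            reasons[sender].append(f"subject {subject!r} reached {total} recipients")
    return dict(reasons)


def weak_signins(signins: List[SignIn]) -> Dict[str, List[str]]:
    """Accounts that authenticated with a password alone."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for ts, account, ip, mfa in signins:
        if not mfa:
            reasons[account].append(f"sign-in from {ip} at {ts} without MFA")
    return dict(reasons)


def likely_takeovers(signins: List[SignIn], sent: List[SentMail]) -> Dict[str, List[str]]:
    """Accounts with both a weak sign-in and a spam-like send pattern: treat as compromised."""
    mail = suspicious_senders(sent)
    auth = weak_signins(signins)
    return {a: auth[a] + mail[a] for a in auth if a in mail}


if __name__ == "__main__":
    for account, why in likely_takeovers(SIGNINS, SENT).items():
        print(f"{account}: probable account takeover")
        for line in why:
            print("  -", line)
```

Usage note: the send-side rule alone would have caught the Carnival symptom (an internal account spraying colleagues); the sign-in rule is what turns an alert into a root cause and into a fix, because an account that can only sign in with MFA does not show up in `weak_signins` at all. Both thresholds here are illustrative and should be derived from each organisation's own baseline.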
OSINT At Home #5 – Creating a panorama from a video for geolocation (Video)
FROM THE MEDIA: For geolocation, a panorama is not always necessary, however it is useful in more difficult geolocation tasks where there are limited ‘obvious’ features in the footage.
FINDING: MODI – Find where & when a photo was taken (geolocation & chronolocation) (Video)
FROM THE MEDIA: The purpose for this tutorial is to answer questions that I received from my previous tutorials on shadow calculation, specifically relating to things such as, ‘what if I don’t know the height of the person’, or ‘does it have to be the exact location’, or more simply, ‘how can I geolocate an image using mountains in the background’. I hope this video answers those questions.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com