Daily Drop (179)
Thursday, June 30, 2022 // (IG): BB //Weekly Sponsor: Dataminr
China lured graduate jobseekers into digital espionage
FROM THE MEDIA: Chinese university students were lured to work in a secret technology company that obscured the true nature of their work: tracking down Western targets to spy on and translate documents hacked under Beijing’s industrial-scale intelligence regime. The Financial Times identified and contacted 140 potential translators, mostly recent graduates who studied English at public universities in Hainan, Sichuan and Xi’an. They had responded to job offers at Hainan Xiandun, a company located in the southern tropical island of Hainan.
The application process included translation tests on sensitive documents obtained from US government agencies and instructions to search for individuals at Johns Hopkins University, a key intelligence target.
Hainan Xiandun is charged in a 2021 US federal indictment with serving as a cover for Chinese hacking group APT40. Western intelligence agencies have accused APT40 of infiltrating government agencies, companies and universities in the United States, Canada, Europe and the Middle East, under orders from the Chinese Ministry of State Security.
READ THE STORY: FT
Ukrainian Cops Bust Multimillion-Dollar Phishing Gang
FROM THE MEDIA: Ukrainian “cyber-police” have arrested nine alleged members of a prolific phishing gang that made 100 million hryvnias ($3.4m) by luring locals with the promise of financial support from the EU. Digital experts teamed up with Pechersk Police Department officers and specialists from the National Bank of Ukraine (NBU) to crack the case.
The nine are accused of building and operating over 400 phishing sites that requested that victims enter their bank account and card details in order to apply for social welfare payments from the EU.
READ THE STORY: InfoSec Mag
Israel plans ‘Cyber-Dome’ to defeat digital attacks from Iran and others
FROM THE MEDIA: The new head of Israel's National Cyber Directorate (INCD) has announced the nation intends to build a "Cyber-Dome" – a national defense system to fend off digital attacks.
Gaby Portnoy, director general of INCD, revealed plans for Cyber-Dome on Tuesday, delivering his first public speech since his appointment to the role in February. Portnoy is a 31-year veteran of the Israeli Defense Forces, which he exited as a brigadier general after also serving as head of operations for the Intelligence Corps, and leading visual intelligence team Unit 9900.
READ THE STORY: The Register
Attackers are infiltrating routers to take control of connected devices
FROM THE MEDIA: An unknown threat actor is targeting routers with remote access trojans (RATs), in a bid to hijack traffic, collect sensitive data and compromise connected devices. This is according to Black Lotus Labs, the threat intelligence division of Lumen Technologies, which recently observed real-world attacks leveraging a novel malware strain, called ZuoRAT.
ZuoRAT is a multi-stage remote access trojan, developed exclusively for SOHO (small office/home office) routers. It’s been in use for some two years now, the researchers say, targeting businesses in North America and Europe.
READ THE STORY: TechRadar
YouTube Hacking Warning As Automated 2FA-Bypass Attacks Underway
FROM THE MEDIA: When it comes to credential theft and account takeovers, you might think that cybercriminals are somewhat indifferent as to what account is compromised. This is true, to a degree. Some accounts are more valuable than others, an email account can hold the keys to various kingdoms for example, but any account hack is a win. Where specialization is a factor, and a profitable one at that, is within the assorted online forums where malware to attack specific account types is sold.
When the accounts in question are those belonging to YouTube creators, given the number of eyes these can attract, then it grabs my attention. Particularly when, as in the case of YTStealer, it can effectively bypass 2FA protections. With YTStealer being sold as a service to cybercriminals, it should come as no surprise that security researchers have spotted fully automated YTStealer attacks underway with compromised accounts already being sold on the dark web.
READ THE STORY: Forbes
CISA issues warning on active exploitation of PwnKit Linux vulnerability
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) this week added a Linux security vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalogue and warned that the flaw has been actively exploited in attacks. The PwnKit bug, tracked as CVE-2021-4034, was discovered by Qualys researchers in January 2022.
The flaw exists in the pkexec component of the Polkit system utility which is used in all major Linux distributions, including Ubuntu, CentOS, Debian and Fedora. Polkit, previously known as PolicyKit, is a system SUID-root program used to manage system-wide privileges in Unix-like operating systems. The tool makes it possible for non-privileged processes to communicate with privileged processes in an organized manner.
READ THE STORY: Computing
Bahamut threat group shifts gears, launches phishing campaigns targeting mobile devices
FROM THE MEDIA: Researchers on Wednesday reported that Bahamut, an advanced persistent threat (APT) group first discovered in 2017, has been recently involved in phishing campaigns that were delivering malware at targets in the Middle East and South Asia.
In a blog post, Cyble researchers said after about a year of silence, a new variant of Bahamut malware was spotted in the wild this past April, and the threat actors behind the APT group have increasingly shifted focus to target mobile devices.
The researchers said the phishing sites were masked as genuine websites for downloading a messaging application that provides secure communication. They also said the group has invested a great deal of time in developing a well-designed phishing website to attract the victim to download the malware.
READ THE STORY: SCMAG
North Korean Hackers Suspected to be Behind $100M Horizon Bridge Hack
FROM THE MEDIA: The notorious North Korea-backed hacking collective Lazarus Group is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge, citing similarities to the Ronin bridge attack in March 2022.
The finding comes as Harmony confirmed that its Horizon Bridge, a platform that allows users to move cryptocurrency across different blockchains, had been breached last week. The incident involved the exploiter carrying out multiple transactions on June 23 that extracted tokens stored in the bridge and subsequently made away with about $100 million in cryptocurrency.
READ THE STORY: THN
Patch Now: Linux Container-Escape Flaw in Azure Service Fabric
FROM THE MEDIA: Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.
The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.
READ THE STORY: DarkReading
Ex-Canadian Government Employee Pleads Guilty Over NetWalker Ransomware Attacks
FROM THE MEDIA: A former Canadian government employee this week agreed to plead guilty in the U.S. to charges related to his involvement with the NetWalker ransomware syndicate. Sebastien Vachon-Desjardins, who was extradited to the U.S. on March 10, 2022, is accused of conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.
The 34-year-old IT consultant from Gatineau, Quebec, was initially apprehended in January 2021 following a coordinated law enforcement operation to dismantle the dark web infrastructure used by the NetWalker ransomware cybercrime group to publish data siphoned from its victims. The takedown also brought its activities to a standstill.
READ THE STORY: THN
Secureworks reveals new information on BRONZE STARLIGHT threat group
FROM THE MEDIA: New research from Secureworks has uncovered new information on the Chinese threat group BRONZE STARLIGHT and how they are using targeted ransomware to initiate complicated attacks. The group has been active since early 2021, and while it was initially believed their attacks were for financial gain, Secureworks CTU believes this could be a smokescreen for more complex cyber espionage.
BRONZE STARLIGHT operates by compromising networks by exploiting vulnerabilities in network perimeter devices, including known vulnerabilities for which patches are available.
READ THE STORY: Security Brief
TSA to change cybersecurity rules for pipelines following industry criticism
FROM THE MEDIA: The Transportation Security Administration (TSA) announced changes to a cybersecurity directive for U.S. pipelines after backlash from industry experts and trade groups.
TSA issued two sets of security directives last year after the ransomware attack on Colonial Pipeline dominated headlines and caused a week-long run on gasoline along the East Coast of the U.S. The attack kickstarted wide-ranging government efforts to better protect critical infrastructure, and in May TSA reissued the first set of security directives for critical pipelines after they expired.
READ THE STORY: The Record
AMD Probing Claim of Brazen Cyberattack by RANSOMHOUSE Gang
FROM THE MEDIA: Semiconductor giant AMD is investigating a probable cyberattack by a group that claims it has stolen 450 gigabytes of data from the company, allegedly due to lax password controls. RansomHouse, which is considered a relatively new data extortion gang, asserts on its dark website that it got hold of the files via an intrusion into AMD’s system on Jan. 5, 2022.
The gang says it doesn’t breach security systems per se, but does find ways into networks and then acts as a sort of ransomware “mediator” between attackers and victims, according to published reports.
READ THE STORY: CRN
Discord teens are deploying malware for a quick buck
FROM THE MEDIA: The group charged new members a small fee (less than about $30) for access to the Discord server, which was essentially a big group chat. Access to the Discord gave access to an easy-to-use malware builder and to an active community.
In some cases, they’d all work together. They’d create a YouTube video to use as bait, which would explain cracks or tips for video games. The video would encourage viewers to click a link in the description — which would put the malware on the victim’s computer. To make the video seem legit, the members of the Discord group would add seemingly genuine comments of gratitude saying that the download link was safe.
READ THE STORY: Input Mag
Norway blames "pro-Russian group" for cyber attack
FROM THE MEDIA: A number of institutions in Norway have been subjected to a so-called distributed denial-of-service (DDoS) cyber attack in the last 24 hours, the Norwegian NSM security authority said on Wednesday, blaming a "criminal pro-Russian group". The attacks, which began overnight, targeted private and public institutions offering important services, the agency said, but did not name any of those that were affected.
"We are working to find out whether there is a link with state-sponsored actors," NSM chief Sofie Nystroem later told broadcaster TV2. "We are quite certain that no sensitive information was taken."
READ THE STORY: Reuters
Russian Cyberattack on Ukrainian TV Channels Blocked
FROM THE MEDIA: The Ukrainian government says it is thwarting multiple misinformation campaigns perpetrated by Russia through cyberattacks against local broadcasters and via social media channels. Most recently, Ukraine's domestic intelligence agency says it blocked Russian attempts on the eve of a Tuesday public holiday to gain access to Ukrainian TV channels' live video stream and news feeds.
The Secret Service of Ukraine says the attempts were made ahead of Constitution Day celebrations, when several TV channels ran a national telethon promoting democracy. "Cyberattacks are part of Russia's purposeful efforts to influence Ukrainian information space, spread fakes and wage a hybrid war," the SSU says.
READ THE STORY: Bank InfoSec
UK Pledges More Funds to Protect Georgia from Russian Cyber Threats
FROM THE MEDIA: The Prime Minister of the United Kingdom, Boris Johnson, has announced in Madrid, on the sidelines of the NATO Summit, that the UK will further aid Georgia with five million pounds (USD 6 million) to develop its defense capabilities against Russian cyber threats. “The people of Georgia live every day on the frontline of Russian aggression,” PM Johnson stressed on June 29. “Putin cannot be allowed to use Georgia’s sovereign institutions to sharpen the knife of his cyber capability.”
The British Prime Minister emphasized the support will “protect not just Georgia, but also the UK and all other free democracies threatened by Russian hostility.”
READ THE STORY: CIVIL
UK deploys military experts to counter Russian malign influence in Bosnia and Herzegovina
FROM THE MEDIA: UK military specialists will be sent to Bosnia and Herzegovina to reinforce the NATO Mission and promote stability and security in the country, the Prime Minister has announced today (Thursday 30th June).
Bosnia and Herzegovina is currently facing the greatest existential threat in its post-war period, with secessionist leaders actively working to create further division and conflict. These plans are backed by Moscow as part of Putin’s drive to undermine both Bosnia’s Euro-Atlantic integration and its stability.
At the request of NATO Headquarters Sarajevo, a UK military counter-disinformation expert and a civilian strategic defense adviser will be deployed to support and train the Bosnia and Herzegovinian Armed Forces.
READ THE STORY: GOV
Moscow court fines Pinterest, Airbnb, Twitch, UPS for not storing data locally
FROM THE MEDIA: A Moscow court has fined Airbnb, Twitch, UPS, and Pinterest for not storing Russian user data locally, according to Russian regulator Roskomnadzor.
The decision was handed down by the Tagansky District Court of Moscow after the four foreign companies allegedly did not provide documents confirming that the storage and processing of Russian personal data was conducted entirely in the country.
Twitch, Pinterest and Airbnb were fined approximately $38,500 while UPS received a fine of roughly $19,200.
READ THE STORY: The Register
App stores urged to remove TikTok
FROM THE MEDIA: A member of the Federal Communications Commission (FCC) asked Apple and Google to remove TikTok from their app stores over concerns about data harvesting.
FCC Commissioner Brendan Carr, who was appointed by former President Trump, said the app poses national security threats, adding to the growing backlash from Republicans after BuzzFeed reported earlier this month that employees of TikTok’s parent company in China have access to private data on U.S. users.
READ THE STORY: The Hill
This malware steals your passwords and is on sale for anyone who wants to use it
FROM THE MEDIA: Using a Password Manager is the best way to protect your authentication details for websites and services. Unfortunately, some people take the easy route by letting their internet browser do all the critical remembering.
Browsers like Google’s Chrome or Mozilla’s Firefox can store usernames, passwords, addresses and credit card information. The feature, known as AutoComplete data, makes it easy to fill in details on websites.
But it’s not as secure as you might think or hope. Read on for frightening details on how an updated malware variant can steal your critical information for as little as $50.
READ THE STORY: Komando
MaliBot financial malware is a master of disguise, targets Android users
FROM THE MEDIA: The saying goes that there is strength in numbers. So it’s not surprising that U.S. financial firms and their customers not only need to worry about the sheer volume of malware that is being lobbed at them, but also the emerging threat of these bad applications working more stealthily and in concert.
Case in point: The recently discovered MaliBot malware that has been plaguing Android users, a trojan-like software that when downloaded onto a user’s device steals banking credentials, other legitimate sensitive financial information, cookies, call logs, texts and application addresses, and even Google account credentials (thereby allowing the malware to sidestep two-factor authentication). MaliBot also boosts the cryptocurrency wallets of unaware mobile banking customers to boot.
READ THE STORY: SCMAG
Items of interest
Radware completes its Hacker's Almanac
FROM THE MEDIA: The Hacker's Almanac is a field guide for security analysts, professionals and executive decision-makers. "Understanding the threat landscape is one thing. Extracting and leveraging actionable intelligence to reinforce an organization's defensive posture is another," said Radware director of threat intelligence Pascal Geenens.
"Threat intelligence empowers organizations by providing them with the knowledge and visibility needed to make well-informed decisions about their security defenses and respond faster to current and evolving threats."
Series III of the Hacker’s Almanac outlines each phase of the threat intelligence lifecycle, demonstrates how to apply vetted intelligence from various types of internal and external sources, and offers details on cyber defense and how to achieve an improved security posture.
"There is no silver bullet or single path to a strong security posture, and no shield is impenetrable," said Geenens. "However, organizations that stay vigilant, shore up defenses, and create a healthy threat intelligence program will be better prepared to respond and maintain business operations when the inevitable happens." Series III of the Hacker’s Almanac is available here, along with Series I and Series II.
READ THE STORY: ITwire
You are in a Cyber War. Don't be a dumb*** and try to ignore it (Video)
FROM THE MEDIA: You are in a Cyber War. Don't try to ignore what is going on. Learn the Art of Cyberwarfare. An Investigator's Guide to Espionage, Ransomware and Organized Cybercrime.
She hacked me! (Video)
FROM THE MEDIA: Cori shows us how easy it is to set up a phishing campaign and hack companies. Be warned!
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at email@example.com