Friday, July 01, 2022 // (IG): BB //Weekly Sponsor: Zanes Hand Made (leather works)
China urges US to immediately cease malicious cyber activities
NOTE: China's government is adopting the US method of internationally addressing cyber activities. I'm curious to see if they will start pursuing western APTs via their legal system.
FROM THE MEDIA: A Chinese foreign ministry spokesperson said on Thursday the United States is worthy of the name of the "empire of wiretapping" and "empire of secret stealing," urging the country to stop its malicious cyber activities immediately.
According to relevant reports, multiple Chinese scientific research institutions have been under cyber attack from the U.S. National Security Agency (NSA), and the NSA has installed Trojan horse programs inside over a hundred important information systems in China. To date, many such programs are still running and sending intelligence back to the NSA.
READ THE STORY: China (State Sponsored)
Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers
FROM THE MEDIA: A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign.
8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks.
READ THE STORY: THN
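The one concrete network indicator the story gives is the 8220 gang's habit of talking to its C2 over TCP port 8220. The following is an added example, not code from Microsoft or from the article, of how a defender might turn that into a detection: parse outbound connection records, list every host that has contacted port 8220, and then single out the pairs that do so at a regular interval, which is how a miner or loader checking in with its C2 looks in flow data. The log format and every address and timestamp below are constructed for illustration.

```python
"""Flag hosts beaconing to TCP/8220, the C2 port the 8220 gang is named for.

Added example. The records below imitate a space-separated connection log
with the fields: ts src sport dst dport proto. All values are fabricated.
"""
import statistics
from collections import defaultdict

C2_PORT = 8220  # indicator from the article; legitimate services also use it

# Constructed sample: one regular beacon, one pair with too few connections,
# one irregular burst, and one unrelated HTTPS connection.
SAMPLE_CONN_LOG = """\
# ts            src        sport  dst            dport proto
1656633600      10.0.0.5   51000  203.0.113.10   8220  tcp
1656633660      10.0.0.5   51001  203.0.113.10   8220  tcp
1656633721      10.0.0.5   51002  203.0.113.10   8220  tcp
1656633780      10.0.0.5   51003  203.0.113.10   8220  tcp
1656633841      10.0.0.5   51004  203.0.113.10   8220  tcp
1656633601      10.0.0.7   40000  198.51.100.20  443   tcp
1656633605      10.0.0.9   40100  203.0.113.44   8220  tcp
1656640000      10.0.0.9   40101  203.0.113.44   8220  tcp
1656633000      10.0.0.11  45000  192.0.2.8      8220  tcp
1656633005      10.0.0.11  45001  192.0.2.8      8220  tcp
1656633900      10.0.0.11  45002  192.0.2.8      8220  tcp
1656633905      10.0.0.11  45003  192.0.2.8      8220  tcp
"""


def parse_conn_log(text):
    """Parse the constructed log format into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        conns.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return conns


def hosts_contacting_port(conns, port=C2_PORT):
    """Every (src, dst) pair that opened a TCP connection to `port`."""
    return {(c["src"], c["dst"]) for c in conns
            if c["proto"] == "tcp" and c["dport"] == port}


def find_c2_beacons(conns, port=C2_PORT, min_conns=4, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs that connect to
    `port` at a regular cadence. Regularity is measured as the coefficient
    of variation of the gaps between connections; below `max_jitter` counts
    as a beacon. Pairs with fewer than `min_conns` connections are skipped
    because a handful of gaps cannot establish a cadence."""
    by_pair = defaultdict(list)
    for c in conns:
        if c["proto"] == "tcp" and c["dport"] == port:
            by_pair[(c["src"], c["dst"])].append(c["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv < max_jitter:
            beacons[pair] = mean
    return beacons


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print("pairs talking to 8220:", sorted(hosts_contacting_port(records)))
    for (src, dst), interval in find_c2_beacons(records).items():
        print(f"BEACON {src} -> {dst}:{C2_PORT} every ~{interval:.0f}s")
```

Port 8220 alone is a weak signal (it is a common alternate HTTP port), so the beacon list is a triage queue, not a verdict: confirm on the host with process and CPU evidence of a miner before escalating. The jitter threshold and minimum connection count are assumptions chosen for this sample; tune them against your own baseline of legitimate scheduled traffic.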
Georgia hospital recovering from cyberattack with Electronic Health Record (EHR) downtime procedures
FROM THE MEDIA: A cyberattack on Jack Hughston Memorial Hospital has led the Georgia hospital to pull certain systems offline and operate under EHR downtime procedures, local news outlets reported Wednesday. The type of attack behind the network outage is unclear.
Patient care is continuing without disruptions, while the hospital works with a third-party cybersecurity firm to investigate the incident. The “hospital administration” is working to determine any possible compromise of patient data.
In previous years, cyberattacks leading to EHR downtime have been far more common. Jack Hughston Memorial is the first healthcare entity in the U.S. to report falling victim so far this summer. This story will be updated if more information becomes available.
READ THE STORY: SCMAG
ZuoRAT targets home-office routers in Europe and North America
FROM THE MEDIA: In a byproduct of the work-from-home era, researchers this week reported that they found a sophisticated campaign leveraging small office/home office (SOHO) routers from Asus, Cisco, and Netgear to target home networks in North America and Europe.
In a blog post, Black Lotus Labs, the threat intel arm of Lumen Technologies, said they identified a remote access trojan (RAT) — dubbed ZuoRAT — developed for SOHO devices that lets the actor gain access to the local network and then to additional systems on a corporate LAN by hijacking network communications, while maintaining an undetected foothold.
READ THE STORY: SCMAG
Identity and Access: The Fight is On
FROM THE MEDIA: As was reported quite widely in APAC, earlier this year cybercriminals infiltrated the systems of Okta, an authentication company that thousands of organisations around the world use to manage access to their networks and applications.
The threat actor gang, known as Lapsus$, gained access to the laptop of one of Okta's third-party support engineers for five days, potentially affecting a small number of the company's customers.
Okta said the access was limited, but this wasn't even the biggest issue. While cyberattacks are so frequent these days, this incident was different because the bad actors cleverly targeted the very tools that so many customers use to restrict network access.
READ THE STORY: SB AU
NATO leaders establish new €1B innovation fund, accelerator
FROM THE MEDIA: NATO leaders this week launched a new innovation fund and defense innovation accelerator initiative in an effort to stay ahead of technological advancements and cyber challenges posed by Russia and China.
Jens Stoltenberg, NATO secretary general, said today during a signing ceremony at the close of the alliance’s Madrid Summit the first-of-its-kind fund will invest €1 billion in startups and deep-tech funds across 22 participating nations over the next 15 years.
“Maintaining our technological edge has helped to keep our alliance strong and our nations safe for more than 70 years. But today, nations that do not share our values, like Russia and China, are challenging that lead in everything from artificial intelligence to space technologies,” he said. “It is essential that we do everything in our power to remain at the forefront of innovation and technology.”
READ THE STORY: Breaking Defense
Toll fraud malware disables your WiFi to force premium subscriptions
FROM THE MEDIA: Microsoft is warning that toll fraud malware is one of the most prevalent threats on Android and that it is evolving with features that allow automatic subscription to premium services. Toll fraud is a subset of billing fraud, where the threat actor tricks victims into calling or sending an SMS to a premium number. The difference is that toll fraud does not work over WiFi and forces the devices to connect to the mobile operator’s network.
READ THE STORY: Bleeping Computer
Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses
FROM THE MEDIA: The eCrime kill chain is often enabled by access brokers, the intruders who gain access to an organization’s infrastructure and then sell illicitly obtained credentials and other access methods to buyers in underground communities.
Adversaries buy compromised credentials to make the process of getting into a target organization easier and more efficient. Access brokers sell a broad range of access types, including financial account logins, business email account credentials, remote access to network assets and custom exploits for IT infrastructure.
To advertise compromised credentials and other access methods on the underground, access brokers use particular keywords and target specific marketplaces. However, their posts often leave behind “breadcrumbs” that offer defenders an opportunity to detect compromised accounts or risks of security incidents. For example, an access broker may include attributes such as company details (size, revenue, industry), IT infrastructure details, the malware used to steal credentials, or the access broker’s alias.
READ THE STORY: Crowdstrike
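The "breadcrumbs" the excerpt describes (industry, country, revenue, headcount, named products in the IT stack, the broker's alias) are exactly the attributes a defender can match against a profile of their own organisation to find advertisements that may be selling access to them. The following is an added example of that matching, not CrowdStrike's tooling or anything from the article: the organisation profile, the three advertisement texts, the attribute regexes and the scoring weights are all constructed assumptions for illustration.

```python
"""Triage access-broker advertisements against your own organisation's profile.

Added example with constructed data. The profile, the posts, the regexes and
the weights are assumptions; adapt them to what your org actually looks like.
"""
import re

# Assumption: what the defender knows about its own organisation.
ORG_PROFILE = {
    "industry": {"manufacturing", "industrial"},
    "country": {"usa", "united states", "us"},
    "revenue_musd": 850,      # annual revenue, million USD
    "headcount": 4200,
    "stack": {"vpn", "citrix", "fortinet", "vmware"},
}

# Constructed advertisements in the style the excerpt describes.
SAMPLE_POSTS = [
    "Selling domain admin access. USA manufacturing company, revenue $800M, "
    "4k employees. Citrix + VPN access, AV: CrowdStrike. Price 15k. Contact: broker_x",
    "RDP access to small web hosting firm in Brazil, 30 employees, revenue $2M. price 300",
    "Fortinet VPN creds, US industrial, 900M revenue, 5000 hosts. Escrow ok. alias: nightkeeper",
]

REVENUE_RE = re.compile(r"\$?(\d+(?:\.\d+)?)\s*(m|million|bn|b|billion)\b")
HEADCOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(k?)\s*(employees|staff|hosts|users|endpoints)\b")
ALIAS_RE = re.compile(r"(?:contact|alias)\s*:\s*(\S+)")


def extract_attributes(post, profile=ORG_PROFILE):
    """Pull the breadcrumbs out of one advertisement as a dict."""
    t = post.lower()
    attrs = {}
    m = REVENUE_RE.search(t)
    if m:
        scale = 1000 if m.group(2) in ("bn", "b", "billion") else 1
        attrs["revenue_musd"] = float(m.group(1)) * scale
    m = HEADCOUNT_RE.search(t)
    if m:
        attrs["headcount"] = float(m.group(1)) * (1000 if m.group(2) else 1)
    # Word-boundary match so "us" does not fire inside words like "status".
    attrs["country"] = {c for c in profile["country"]
                        if re.search(rf"\b{re.escape(c)}\b", t)}
    attrs["industry"] = {i for i in profile["industry"] if i in t}
    attrs["stack"] = {s for s in profile["stack"] if s in t}
    m = ALIAS_RE.search(t)
    attrs["alias"] = m.group(1) if m else None
    return attrs


def score_post(post, profile=ORG_PROFILE):
    """Weighted similarity between an advertisement and the profile.
    Numeric fields match within a tolerance band because brokers round."""
    a = extract_attributes(post, profile)
    score = 0
    if a["industry"]:
        score += 3
    if a["country"]:
        score += 1
    rev = a.get("revenue_musd")
    if rev is not None and 0.75 <= rev / profile["revenue_musd"] <= 1.25:
        score += 3
    hc = a.get("headcount")
    if hc is not None and 0.7 <= hc / profile["headcount"] <= 1.3:
        score += 2
    score += min(len(a["stack"]), 3)  # one point per named product, capped
    return score, a


def triage(posts, threshold=7, profile=ORG_PROFILE):
    """Return the posts worth a human look, highest score first."""
    hits = []
    for p in posts:
        score, attrs = score_post(p, profile)
        if score >= threshold:
            hits.append({"score": score, "alias": attrs["alias"], "post": p})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_POSTS):
        print(f"[{hit['score']}] alias={hit['alias']} :: {hit['post'][:70]}...")
```

A high score is a lead to hunt on, not proof of compromise: the named products tell you which logs to pull (VPN and Citrix authentication in the first post), the revenue and headcount tell you whether the description could be you at all, and the alias gives you a pivot for earlier posts by the same seller.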
Google's Threat Analysis Group Blocks Domains, Websites Used by Hack-For-Hire Groups
FROM THE MEDIA: The Threat Analysis Group (TAG) of Google LLC reported on Thursday that it had blocked more than 30 fraudulent domains linked to international hacker groups from various regions, according to Silicon Angle.
To conduct corporate espionage attacks against businesses, human rights activists and journalists, these hack-for-hire groups have been actively targeting Gmail and Amazon Web Services Inc. accounts. The groups allegedly use known security vulnerabilities when executing opportunistic campaigns.
READ THE STORY: Itech Post
DragonForce Malaysia Group Releases Windows LPE Exploit and Turns to Ransomware Tactics
FROM THE MEDIA: Security researchers from CloudSEK have spotted a new exploit from hacktivist group DragonForce Malaysia capable of performing Windows servers’ local privilege escalation (LPE) and local distribution router (LDR) actions on Indian servers.
The attack was reportedly illustrated in a PoC (proof of concept) video earlier this month and subsequently analyzed by CloudSEK in an advisory released on Thursday.
The cybersecurity experts said they used the company’s contextual artificial intelligence (AI) digital risk monitoring platform XVigil to identify a post on a Telegram channel where the hacktivist group posted the video describing the exploit.
READ THE STORY: InfoSec Mag
Black Basta ransomware – what you need to know
FROM THE MEDIA: Black Basta is a relatively new family of ransomware, first discovered in April 2022.
Although only active for the past couple of months, the Black Basta ransomware is thought to have already hit almost 50 organizations – first exfiltrating data from targeted companies, and then encrypting files on the firm’s computer systems.
Victims have reportedly been hit in countries around the world including the United States, UK, India, Canada, Australia, New Zealand, and UAE.
READ THE STORY: TripWire
Macmillan shuts down systems after likely ransomware attack
FROM THE MEDIA: Publishing giant Macmillan was forced to shut down their network and offices while recovering from a security incident that appears to be a ransomware attack. The attack reportedly occurred over the weekend, on Saturday, June 25th, with the company shutting down all of their IT systems to prevent the spread of the attack.
Publishers Weekly first reported on the incident, seeing emails from Macmillan that stated they suffered a "security incident, which involves the encryption of certain files on our network." The use of encryption in the attack indicates that it was a ransomware attack.
READ THE STORY: Bleeping Computer
LockBit ransomware gang promises bounty payment for personal data
FROM THE MEDIA: In a new twist on the ransomware game, the LockBit cybercrime group has launched a bug bounty program promising money to people willing to share sensitive data that can be exploited in ransomware attacks. A recent tweet posted by the vx-underground account, which publishes malware samples, says that through the new bounty program, LockBit will pay for personally-identifiable information on “high-profile individuals, web security exploits and more.”
The bounty program is being unveiled with the release of LockBit 3.0, the latest version of the gang’s ransomware-as-a-service product and one already being used in new ransomware attacks. At its LockBit 3.0 bug bounty site, the group is inviting “all security researchers, ethical and unethical hackers on the planet” to participate in their bug bounty program. The rewards for leaking personal data vary from $1,000 to as much as $1 million.
READ THE STORY: TechRepublic
Walmart rejects Yanluowang’s ransomware attack claims
FROM THE MEDIA: BleepingComputer reports that Walmart has dismissed that it was attacked by the Yanluowang ransomware operation after the group claimed on its data leak site that it had breached the retailer's Windows domain, encrypting 40,000 to 50,000 devices in the process. "We believe this claim is inaccurate and are not aware of a successful attack in this regard on our devices," said a Walmart spokesperson in a statement, which also noted that its systems are being monitored around the clock by its information security team. However, Yanluowang insists that it was able to infiltrate Walmart's systems last month and while the attack did not involve any data theft, it asked for a $55 million ransom from Walmart, to which the retailer did not respond.
READ THE STORY: SCMAG
RevCord Mitigates Ransomware Attack Damage to Arkansas County 9-1-1 Using RevSync's Cloud-Based Data Sync
FROM THE MEDIA: According to new data collected by the FBI's Internet Crime Complaint Center, U.S. critical infrastructure sectors are increasingly targeted by ransomware. Arkansas County's 9-1-1 Call Center in Arkansas was the target on April 18, 2022. One of the infected systems was the RevCord Call Logger.
IT personnel at Arkansas County quickly identified an attack within their network and took effective measures to stop the spread of the infection. Upon receiving notification, RevCord made immediate arrangements to provide a loaner unit until theirs was repaired.
READ THE STORY: PR
Stormous Ransomware Leaks IP Of Indian Companies Unearthed By Cloudsek
FROM THE MEDIA: Stormous ransomware attacks aimed at a variety of companies throughout the world have been discovered by CloudSEK's Threat Intelligence team. The threat group is driven by money, and their most recent wave of attacks has targeted Indian entities. Stormous ransomware is an Arabic organization that works on Telegram and their Onion site, according to CloudSEK's earlier Stormous malware attribution analysis.
Threat actors might now acquire unlawful access to personal, private, and intellectual property (IP) data thanks to the disclosed information. The Stormous ransomware group is usually interested in the source code and confidential papers of their victims, according to CloudSEK analysts. The Stormous ransomware organization has been actively targeting Indian entities since April 11, 2022.
READ THE STORY: BusinessWorld
Russian Hackers Claim Responsibility for DDoS Cyber Attacks on Lithuania
FROM THE MEDIA: A wave of distributed denial of service (DDoS) cyber attacks that have hit Lithuania in the past week have been claimed by a non-government group of Russian hackers, who say the digital bombardment is in response to a blockade of train routes that serve Kaliningrad with freight.
The Russian hackers call themselves “Killnet” and first made the news in April with declarations of support for Russia’s war efforts and intent to attack critical infrastructure in other countries. The group has been linked to a prior DDoS campaign that attempted to shut down the Eurovision Song Contest website in May, as well as attacks on the government websites of assorted other countries.
READ THE STORY: CPO MAG
Cyber hack impacts over 1.5M Flagstar Customers
FROM THE MEDIA: Flagstar Bank says it was targeted by a hacker accessing customer account information in December 2021. Now, security experts are saying 1.5 million people could be affected. A Flagstar representative says once they learned of the breach the bank contacted outside cybersecurity experts immediately.
Flagstar says there have been no reports of customers’ information being misused. They are notifying individuals that may have been affected directly via U.S. mail and are offering free credit monitoring services for those impacted.
“We take the security of our network and the personal information entrusted to us with the utmost seriousness,” Flagstar said in a statement to TV6.
READ THE STORY: TV6
Northrop Grumman to build Space Force prototype for cyber protection of satellite networks
FROM THE MEDIA: Northrop Grumman will next spring begin testing on a new hardware/software prototype for the Space Force designed to protect large, interlinked satellite networks from cyber attacks, according to company officials.
The prototype, called Space End Crypto Unit (ECU), is being developed in tandem with electronics firm Aeronix, with planned delivery in 2024.
“We are developing a hardware unit that can survive in the space environment, with the intent of deploying the hardware on satellites orbiting in proliferated low earth orbit (pLEO),” Amanda Walsh, a spokesperson for Northrop Grumman’s Networked Information Solutions (NIS) unit, said in an email. “We are also developing cryptographic software that will run on this hardware module, and this cryptographic software will enable network users to securely communicate within the network (i.e. Protect the Mesh Network).”
READ THE STORY: Breaking Defense
Office Hours Question: What is Cyber-Fraud?
FROM THE MEDIA: One thing that we think is really interesting is the Department of Justice’s [DOJ] new Civil Cyber-Fraud Initiative. What we think is so interesting about it is that DOJ often has initiatives. When I [Renée] was at DOJ, I headed up the Big Lender Initiative which was part of the Financial Fraud Enforcement Task Force after the big financial crisis, and we investigated and litigated against most major banks for making bad mortgages, put simply.
READ THE STORY: National Law Review
NATO Warns about ‘No-Limits’ Partnership between Russia and China
FROM THE MEDIA: This week’s NATO summit was significant for a whole host of reasons that have already been picked over extensively. From an agreement paving the way toward the accession of Finland and Sweden to NATO to President Biden’s decision to base U.S. troops in Poland, there were several notable announcements that resulted from Russia’s invasion of Ukraine.
Another development worth pointing out: The alliance explicitly acknowledged the danger of the “no-limits” partnership between Russia and China.
The strategic-concept document that made reference to that alignment did not specifically use that language, which refers to the outcome of a meeting between Vladimir Putin and Xi Jinping on February 4. However, the strategy clearly took aim at the partnership they declared on that occasion.
READ THE STORY: National Review
Maritime COIN: Pushing Back in the South China Sea
FROM THE MEDIA: Last fall, Hunter Stires, who won the 2018 General Prize Essay Contest with “The South China Sea Needs a ‘COIN’ Toss,” approached us with a project in mind. He was lining up a group of experts to expand on the idea of maritime counterinsurgency in the South China Sea. Not only had Hunter enlisted the help of all-star authors, but he also had garnered financial support from the Carnegie Corporation of New York.
READ THE STORY: USNI
Items of interest
Top Army Leadership Conveys Urgency to Protect Drones, Missiles & Tanks with Cybersecurity
FROM THE MEDIA: Missiles destroying targets with advanced precision-guidance systems, tanks adjusting navigation in response to uneven terrain or enemy obstacles and real-time drone video arriving in vehicles and command centers … are all operations now heavily reliant upon effective and secure computing.
Cybersecurity, therefore, is no longer limited to the realm of IT per se but has expanded to encompass operations such as networked weapons systems, platform sensor information processing and even precision-weapons delivery.
Naturally, this dynamic further underscores the importance of “securing,” “hardening” and “protecting” a network from unwanted intrusions, hacking, jamming or other kinds of enemy intrusions.
READ THE STORY: WarriorMaven
Best Hacking Podcast in the world? (Video)
FROM THE MEDIA: Jack Rhysider - the creator of Darknet Diaries: True stories from the dark side of the Internet. This is the best Hacking podcast in the world.
Bug Bounty: Get paid to hack PayPal and TikTok (Video)
FROM THE MEDIA: Want to hack companies like PayPal and TikTok? What about the Department of Defense? Lots of companies that you can hack legally - and get paid doing it! This is a practical guide on how to get started hacking today.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com