Daily Drop (186)
Thursday, July 07, 2022 // (IG): BB //Weekly Sponsor: Zanes Hand Made
FBI, CISA, Treasury: North Korean hackers taking aim at health care with Maui ransomware
FROM THE MEDIA: Three federal agencies said Wednesday that North Korean hackers have been attacking the health care sector with ransomware, and cautioned victims that paying up could run afoul of U.S. sanctions rules. The FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Treasury Department said in an alert that the hackers were using a kind of ransomware dubbed “Maui” to go after health care and public health organizations.
“This malicious activity by North Korean state-sponsored cyber actors against the healthcare and public health sector poses a significant risk to organizations of all sizes,” said CISA’s executive director for cybersecurity, Eric Goldstein.
READ THE STORY: CyberScoop // DarkReading // NKNEWS // Law360
Bitter APT Hackers Continue to Target Bangladesh Military Entities
FROM THE MEDIA: Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the Berlin-headquartered company build on a previous report from Cisco Talos in May, which disclosed the group's expansion in targeting to strike Bangladeshi government organizations with a backdoor called ZxxZ.
READ THE STORY: THN
HackerOne incident raises concerns for insider threats
FROM THE MEDIA: In a blog post Friday, HackerOne disclosed a security incident involving an employee who took advantage of the platform's coordinated vulnerability disclosure program for financial gain. A call on June 22 from a customer reporting "intimidating and suspicious off-platform communication from an actor" prompted an investigation. Now, a detailed disclosure timeline revealed the actor to be an employee who anonymously disclosed vulnerability information to claim additional bounties.
READ THE STORY: TechTarget
Persistent Engagement in Cyberspace Is a Strategic Imperative
FROM THE MEDIA: The United States could lose its relative position of power in the world today without being defeated in an armed conflict. This is because cyberspace has opened a new avenue for international competition that coexists alongside the more familiar nuclear and conventional strategic environments where states interact in militarized crises and war. Competition in and through cyberspace, short of the threat or use of force, is potentially just as strategically consequential for a state’s relative position in the international system as war and militarized crises have been throughout history.
READ THE STORY: National Interest
Bulk Email Theft May Point to Russian Espionage
FROM THE MEDIA: Cybersecurity researchers recently identified a threat group with a possible Russian connection that targets corporate email environments. At first, the researchers thought the UNC3524 gang mostly sought money, as do many ransomware attacks. A deeper look at the group’s actions, however, suggests espionage. The researchers suspect that UNC3524 has ties to Russia, but it is unclear whether the state directly sponsors the group. UNC3524’s activity does support Russian geopolitical interests related to corporate development, mergers and acquisitions (M&A) and large corporate transactions.
READ THE STORY: Security Intelligence
Axie Infinity Hacked: $500M Lost via Fake LinkedIn Job Listing by North Korea’s ‘Lazarus’
FROM THE MEDIA: Axie Infinity's blockchain was hacked, and it was because of a fake LinkedIn job listing that was used to penetrate the company's systems and steal as much as $500 million. The reports point to a North Korean hacking group called "Lazarus," identified as one of the US government's most notorious threat actor groups. The Block reported that Axie Infinity faced a hack on its platform that began with a fake LinkedIn job listing, which enticed an applicant into entering personal information that was then used against the company.
READ THE STORY: TechTimes
FROM THE MEDIA: On May 10, Paraguayan prosecutor Marcelo Pecci was murdered on a Colombian beach by hired assassins. As a high-profile member of the Office of Public Prosecution, he led Paraguay’s antinarcotics, corruption, organized crime, and terrorism finance investigations, prosecuting the most powerful criminal networks in his country. That included Hezbollah networks, which made him a target for the terror group as well as the powerful crime syndicates he sought to dismantle. Three days later, a Boeing 747 cargo plane registered with Venezuelan airline Emtrasur made its way from Caracas to Ciudad Del Este, Paraguay, in the Tri-Border Area (TBA) of Argentina, Brazil, and Paraguay.
READ THE STORY: The Dispatch
Russia-linked state-sponsored hackers launch fresh attacks by abusing latest red team tool
FROM THE MEDIA: Security researchers have discovered hackers abusing the latest penetration testing tool in active attacks on global targets. Unit 42 experts said that a malicious payload associated with the Brute Ratel C4 (BRc4) red teaming tool goes undetected by many major security products and has been used against organizations in North and South America. The packaging of the malicious payload is consistent with the tactics deployed by APT29, otherwise known as ‘Cozy Bear’, a Russia-linked state-sponsored hacking group known for the notorious SolarWinds attack in 2020.
READ THE STORY: ITpro
Russian information operations focus on dividing Western coalition supporting Ukraine
FROM THE MEDIA: Russian intelligence has been using state-controlled media and other disinformation channels to disseminate propaganda designed to divide the Western coalition supporting Ukraine, according to a report the cybersecurity firm Recorded Future released Thursday. Much of the open-source propaganda Recorded Future found closely aligns with what the firm refers to as an “unverified analytical note” from the Fifth Service of Russia’s Federal Security Service (FSB), which the Security Service of Ukraine reportedly intercepted and published on June 5.
READ THE STORY: CyberScoop
Hive Ransomware Upgraded to Rust to Deliver More Sophisticated Encryption
FROM THE MEDIA: Researchers from Microsoft Security have spotted an upgraded version of the ransomware-as-a-service (RaaS) dubbed Hive. The security experts outlined their findings in an advisory on Tuesday. “With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem,” reads the post. According to Microsoft, the upgrades in the latest variant represent an overhaul of the entire ransomware infrastructure. “The most notable changes include a full code migration to another programming language [from GoLang to Rust] and the use of a more complex encryption method,” the advisory explains.
READ THE STORY: INFOSEC MAG
FBI and MI5 bosses: China cheats and steals at massive scale
FROM THE MEDIA: The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China's increased espionage activity on UK and US intellectual property. Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and FBI director Chris Wray argued that Beijing's Made in China 2025 program and other self-sufficiency tech goals can't be achieved without a boost from illicit activities.
READ THE STORY: The Register // ABCNEWS
An updated crypto mining malware tool targets Linux systems worldwide
FROM THE MEDIA: The Security Intelligence team at Microsoft has issued a new warning against a threat actor (TA) group, tracked as 8220 and active since early 2017, which is believed to have updated its malware toolset, capable of breaching Linux servers worldwide in order to install crypto miners as part of a long-running campaign. The updates involve exploiting a recently discovered vulnerability and deploying new versions of a crypto miner and an IRC bot, the technology giant stated on Thursday. Microsoft claims that the group has actively updated its payloads and techniques over the past year.
READ THE STORY: TEISS UK
Simple supply chain attack compromises hundreds of websites and apps
FROM THE MEDIA: According to ReversingLabs, a threat actor known as IconBurst has created a number of malicious NPM modules capable of exfiltrating serialized form data, and given them names almost identical to other, legitimate modules. This is a popular attack technique known as typosquatting. The attackers essentially try to assume the identities of legitimate developers. Then, developers who are in a hurry, or who don’t pay attention to details such as NPM names, download the modules and embed them in their work.
READ THE STORY: TechRadar
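The check a developer or CI pipeline would want against this pattern is a near-miss comparison of every dependency name in package.json with the packages the project is actually meant to use. The example below is added here and is not code from ReversingLabs or from the original article: the allowlist, the sample package.json and its lookalike names ("lodahs", "expres") are constructed for illustration, and the distance threshold is an assumption. It uses the restricted Damerau-Levenshtein (optimal string alignment) distance, so a single swapped, dropped or substituted character counts as one edit.

```python
import json

# Constructed allowlist for this example; in practice use a curated list of
# the packages your organization already depends on, not a guess.
POPULAR_PACKAGES = ["lodash", "express", "react", "axios", "chalk", "moment", "debug"]

# Constructed sample package.json: "lodahs" and "expres" are deliberate lookalikes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "lodash": "^4.17.21",
        "lodahs": "^1.0.0",
        "axios": "^0.27.2",
        "expres": "^4.18.1",
        "left-pad": "^1.3.0",
    },
    "devDependencies": {"react": "^18.2.0"},
})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so "lodahs" -> "lodash" costs 1, the same as a single dropped letter.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def find_typosquats(package_json_text: str, allowlist, max_distance: int = 1):
    """Flag dependency names that are near misses of an allowlisted package.

    An exact match is legitimate; a name within max_distance edits of a known
    package, but not equal to it, is the pattern typosquatting relies on.
    Names that resemble nothing on the allowlist are left alone (they need a
    different check, such as maintainer age or download history).
    """
    manifest = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for dep in sorted(deps):
        bare = dep.split("/", 1)[1] if dep.startswith("@") else dep  # drop npm scope
        if bare in allowlist:
            continue
        best = min(allowlist, key=lambda p: (osa_distance(bare, p), p))
        dist = osa_distance(bare, best)
        if dist <= max_distance:
            findings.append({"dependency": dep, "lookalike": best, "distance": dist})
    return findings


if __name__ == "__main__":
    for f in find_typosquats(SAMPLE_PACKAGE_JSON, POPULAR_PACKAGES):
        print(f"{f['dependency']!r} is {f['distance']} edit(s) from {f['lookalike']!r}")
```

Run against the constructed manifest this reports "expres" (one letter short of express) and "lodahs" (two letters transposed in lodash) and stays quiet about "left-pad", which matches nothing closely. A threshold of 1 keeps false positives low on short names; raising it to 2 catches more but starts flagging legitimately similar packages, so tune it against your own dependency set.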
Hive ransomware gang rapidly evolves with complex encryption, Rust code
FROM THE MEDIA: The Hive group, which has become one of the most prolific ransomware-as-a-service (RaaS) operators, has significantly overhauled its malware, including migrating the code to the Rust programming language and using a more complex file encryption process. Researchers at the Microsoft Threat Intelligence Center (MSTIC) uncovered the Hive variant while analyzing a change in the group's methods.
READ THE STORY: The Register
Ransomware Actors with ‘Very Low-Level’ Skills Committing More Attacks, DHS Official Says
FROM THE MEDIA: Ransomware tools are opening up the field to a growing number of less tech-savvy actors even as many ransomware operations have increased in sophistication, DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Iranga Kahangama told Congress. “I think it’s appropriate to liken a ransomware organization almost to a modern-day mob or mafia,” Kahangama said June 28 at a Michigan field hearing of the House Homeland Subcommittee on Intelligence and Counterterrorism on combating ransomware.
READ THE STORY: HSTODAY
Ransomware, hacking groups move from Cobalt Strike to Brute Ratel
FROM THE MEDIA: Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network. For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.
READ THE STORY: BleepingComputer
Uncovering ransomware gangs’ dark web domains
FROM THE MEDIA: Several publicly hosted Tor hidden services leveraged by ransomware groups, including infrastructure linked to the Snatch, Nokoyawa, Quantum, and DarkAngels ransomware gangs, have been uncovered by Cisco Talos researchers, reports The Hacker News. Despite being known to use the dark web to evade detection, ransomware gangs were discovered to have utilized public IP addresses for hosting dark web infrastructure, according to a Cisco Talos study.
READ THE STORY: SCMAG
AstraLocker 2.0 Ransomware Spreads Via Phishing Campaigns Including Malicious Microsoft Word Files
FROM THE MEDIA: AstraLocker 2.0 is potent ransomware seemingly inspired by the leaked Babuk ransomware source code. The researchers established the link based on shared code and campaign markers; they also found a Monero wallet address used for ransom payments that is linked to the Chaos ransomware. Yet it exhibits some unique features that hint at its “smash-and-grab” attack nature. First, the attackers don’t waste time gaining persistence on the target device; instead, the ransomware starts its activity right after the malicious attachment is opened. Second, the attackers embedded the ransomware payload in an OLE object within the Word document.
READ THE STORY: LHN
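A mail gateway or analyst triaging attachments like the one described above wants to know, before anyone opens the file, whether a .docx carries embedded OLE objects (stored under word/embeddings/ inside the OOXML zip) or a VBA project. The example below is added here and is not code from the researchers or the original article: the minimal .docx it builds in memory is constructed for illustration, and the function names are assumptions. It flags embedded parts that begin with the OLE2 compound-file magic, which is what a packaged executable looks like, and separates legacy binary .doc files, which need an OLE parser instead of a zip walk.

```python
import io
import zipfile

# Magic bytes of an OLE2 / Compound File Binary container: both an embedded
# OLE object (word/embeddings/oleObject1.bin) and a legacy .doc start with this.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def build_sample_docx(with_ole: bool) -> bytes:
    """Construct a minimal .docx in memory for this example (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            # Stand-in for an embedded payload: CFB header plus padding.
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def analyze_word_document(data: bytes) -> dict:
    """Triage a Word attachment for embedded OLE objects and VBA projects.

    Returns the container format, every part under word/embeddings/ with its
    size and whether it carries the CFB magic (a real OLE object rather than
    plain media), and whether a VBA project part is present.
    """
    if data.startswith(CFB_MAGIC):
        # Legacy binary .doc: the whole file is one OLE container and needs an
        # OLE parser (e.g. oletools) rather than the zip walk below.
        return {"format": "ole2-doc", "embedded": [], "has_vba": None}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "embedded": [], "has_vba": None}

    embedded = []
    has_vba = False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name == "word/vbaProject.bin":
                has_vba = True
            if name.startswith("word/embeddings/") and not name.endswith("/"):
                info = z.getinfo(name)
                head = z.read(name)[: len(CFB_MAGIC)]
                embedded.append({
                    "path": name,
                    "size": info.file_size,
                    "is_cfb": head == CFB_MAGIC,
                })
    return {"format": "ooxml-docx", "embedded": embedded, "has_vba": has_vba}


if __name__ == "__main__":
    report = analyze_word_document(build_sample_docx(with_ole=True))
    for part in report["embedded"]:
        print(f"{part['path']}: {part['size']} bytes, OLE container={part['is_cfb']}")
```

An embedded OLE object is not malicious by itself (spreadsheets and PDFs get embedded this way too), so treat a hit as a reason to detonate or block the attachment, not as a verdict. The check also says nothing about exploit documents that carry no embedding at all, which is why it belongs beside, not instead of, macro and sandbox analysis.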
Expanding RaaS eco-system is exploiting OT security gaps like never before
FROM THE MEDIA: The global RaaS economy is now estimated to be worth more than a billion dollars. The business is not just highly profitable but is also working its way towards an organizational structure and functional streamlining. The hierarchy of RaaS is a simple one. At the bottom rung lie freelancers who work with a contractor who is tied to multiple ransomware groups. The contractors are responsible for the recruitment and allocation of freelancers for specific projects that are chosen by ransomware groups such as LockBit.
READ THE STORY: Security Boulevard
Cyberattack on Luxury Resort Should Put Hospitality Industry on High Alert
FROM THE MEDIA: Cybercriminals are finding new ways to hold their victims hostage – and a recent cyberattack on a luxury resort should serve as a warning for your business. A June 15 media report revealed that one of Oregon’s premier resorts, The Allison Inn & Spa, recently fell prey to a ransomware attack that left its employees’ and guests’ personal information exposed for the world to see. What’s unique about this particular cyberattack is that the stolen information – which includes data from 1,500 employees and more than 2,500 guests, including dates the guests stayed at the hotel as well as employees’ birthdays, phone numbers, and Social Security numbers – was posted on the public internet in easily searchable form.
READ THE STORY: Fisher Phillips
AMD Latest Victim of RansomHouse Gang
FROM THE MEDIA: It’s been a challenging couple of years for AMD. After the last few years of disruption and amid the global chip shortage, the company has been attacked by the RansomHouse extortion group, which claims to have exfiltrated more than 450 GB of data. “In an ironic twist of fate, AMD survived the global chip supply chain crisis during the COVID-19 pandemic only to be victimized by ransomware from a new data extortion group,” said Saryu Nayyar, CEO and founder of Gurucul. The RansomHouse gang did not initially release samples, but AMD acknowledged the breach. “AMD is aware of a bad actor claiming to be in possession of stolen data from AMD,” the company said in a statement sent to RestorePrivacy. “An investigation is currently underway.”
READ THE STORY: Security Boulevard
Billionaire’s Jeweler Pays $7.5 Million Crypto Ransom to Hackers
FROM THE MEDIA: Luxury British jeweler Graff Diamonds Corp. paid a $7.5 million ransom in Bitcoin to a Russian hacking gang after it leaked data on the jeweler’s high-profile clients, according to a London lawsuit. Graff, which counts Middle East royalty among its client base, sued its insurer for losses over the extortion, saying that the payment should be covered under its policy. The Travelers Companies Inc. is refusing to pay the jeweler’s loss caused by the Bitcoin ransom, Graff alleges. Ransomware group Conti attacked the high-society jeweler in September 2021, leaking data about the Saudi, UAE and Qatar royal families. Conti apologized to the families, an unusual move for a hacking group, but threatened to leak more of Graff’s data.
READ THE STORY: Bloomberg
Israel’s cyber advantage over Iran mixed with other abilities - interview with ex-cyber chief
FROM THE MEDIA: Israel has significant cyber advantages over Iran, especially when integrated with its other capabilities, former IDF Unit 8200 Cyber Operations chief Col. (res.) Amir Becker told The Jerusalem Post in his first interview since retiring in 2021. Becker, who is now Sygnia’s Vice President of Cyber Incident Response, also said that, in combating Israel’s adversaries in the cyber arena, cooperation between Unit 8200 and the cyber units of the Mossad, Shin Bet and Israel National Cyber Directorate was excellent.
READ THE STORY: JPOST
DoJ Beefing up Cyber, Ransomware Fight Goals in Strategic Plan
FROM THE MEDIA: The Department of Justice (DoJ) is targeting increased efforts to fight ransomware-driven cyber attacks – amid a host of other improved cybersecurity approaches – as one of a number of new agency priority goals in DoJ’s 2022-2026 Strategic Plan published on July 1. DoJ’s five-year plan lays out objectives for five broad strategic areas. The cybersecurity and ransomware-related objectives are included as an agency priority goal under the “Keep Our Country Safe” strategic objective.
READ THE STORY: MERITALK
China's Cabinet urges greater cyber security after data leak
FROM THE MEDIA: China's Cabinet stressed the need to bolster information security, following a huge leak of personal data that could be the largest cyber attack in the country's history. A State Council meeting led by Premier Li Keqiang emphasised the need "to improve security management provisions, raise protection abilities, protect personal information, privacy and commercial confidentiality in accordance with the law", according to the official Xinhua News Agency. These measures would allow the public and businesses to "operate with a peace of mind", the report added.
READ THE STORY: CyberScoop
Blasting Satellites, Crippling Attacks — Russia’s Invasion Of Ukraine Has Given A Clear Glimpse Of Future Wars – Top French Officer
FROM THE MEDIA: Thousands of internet users across Europe were thrown offline by the Russian cyber-attack on February 24 targeting Viasat, a California-based provider of high-speed satellite broadband services and secure networking systems covering military and commercial markets worldwide. The purpose of the attack was to cripple Ukrainian command and control, which relied on Viasat’s satellite terminals, at least to some extent, as acknowledged by senior Ukrainian cybersecurity official Victor Zhora, who called it “a huge loss in communications in the very beginning of the war.”
READ THE STORY: EURASIAN TIMES
Items of interest
The Hacker Mind Podcast: The Fog of Cyber War
FROM THE MEDIA: There’s an online war in Ukraine, one that you haven’t heard much about because that country is holding its own with an army of infosec volunteers worldwide.
READ THE STORY: Security Boulevard
Chinese firms explore Lithium projects in Afghanistan (Video)
FROM THE MEDIA: Afghanistan may be one of the poorest nations in the world but it sits on a vast resource of minerals deposits among them most crucial is Lithium. Eyeing these reserves is now China.
China's rare-earth monopoly: New state-owned giant is set, the huge price paid and facing challenges (Video)
FROM THE MEDIA: On Dec. 23rd, 2021, the Chinese government strategically restructured three large rare earth companies and created a new conglomerate controlled by the State Council of China: China Rare Earth Group Co. The Chinese official media reported it as the "rare earth mothership." What is Beijing’s intention behind this move?
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at email@example.com