Bob’s Newsletter
Bob’s Newsletter Podcast
Daily Drop (193)

Thursday, July 14, 2022 // (IG): BB // Weekly Sponsor: The Fintel Brief

Bandai Namco confirms hack after ALPHV ransomware data leak threat

FROM THE MEDIA: Game publishing giant Bandai Namco has confirmed that they suffered a cyberattack that may have resulted in the theft of customers' personal data. Bandai Namco is a Japanese publisher of numerous popular video games, including Elden Ring, Dark Souls, Pac-Man, Tekken, Gundam, Soulcalibur, and many more. This past Monday, the BlackCat ransomware operation (aka AlphV) claimed to have breached Bandai Namco and stolen corporate data during the attack.

READ THE STORY:  BleepingComputer

Researcher develops Hive ransomware decryption tool

FROM THE MEDIA: A malware researcher known as "reecDeep" has developed and published a decryption tool on GitHub for the latest version of Hive ransomware. Published Tuesday, the tool specifically decrypts the version 5 variant of Hive ransomware. Hive was originally written in the Go programming language, but more recently the ransomware authors switched to Rust, a language that has overall superior encryption technology and is harder to reverse engineer. Hive is a ransomware-as-a-service operation that was first discovered last summer. It immediately hit the ground running, claiming hundreds of victims in its first six months. Last year, the ransomware was responsible for compromising European retailer MediaMarkt and allegedly included a demand of $240 million. Earlier this year, Hive claimed an attack against Medicaid provider Partnership HealthPlan of California.


Criminals continue to exploit the Follina Microsoft Office 365 vulnerability

FROM THE MEDIA: The Follina vulnerability in Microsoft Office is still being exploited by criminals a month after a patch that supposedly fixed the problem was released by the company. Microsoft appeared to take further action as part of yesterday’s Patch Tuesday security update, but the vulnerability is likely to continue to be used by hackers, particularly state-sponsored groups. Follina, a vulnerability in the MSDT protocol tool used by Office, was first uncovered in April, and gives criminals who exploit it the ability to run arbitrary code on an infected system, meaning it can be used to take control of those systems and deliver malware. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” says a post on Microsoft’s Security Response Center (MSRC). “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.” 

READ THE STORY:  TechMonitor

US Interests Reportedly ‘Backed’ Purchasing of Blacklisted NSO Group

FROM THE MEDIA: The attempts by the American defense contractor L3 Harris to purchase the Pegasus spying and hacking tech from a blackballed Israeli company were supported by the US government authorities. The controversial spyware company, NSO Group, was placed on the government’s no-buy list during the tenure of the Joe Biden administration due to its actions intervening in privacy.

Hacking into the phones of political leaders, human rights activists, and journalists worldwide has been implemented with the aid of Pegasus by governments worldwide.

The defense contractor L3 Harris, who has previous experience in spyware technology, cited support from intelligence officials in its proposition to purchase the Israeli spyware company, according to NY Times. 


New Lilith ransomware emerges with extortion site, lists first victim

FROM THE MEDIA: A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks. Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortion attacks, in which the threat actors steal data before encrypting devices. According to a report by researchers at Cyble who analyzed Lilith, the new family doesn't introduce any novelties. However, it's one of the latest threats to watch out for, along with RedAlert and 0mega, which also recently emerged.

READ THE STORY:  BleepingComputer

Major Optimum outage in New Jersey cuts off internet for many, but service is now restored for most

FROM THE MEDIA: Earlier on Wednesday, at least 13,000 customers in New Jersey were affected by a major Optimum outage, according to the company’s outage map. But in the evening, the company said the outage had been restored for most customers, and when I checked the map, it said only 16 customers were still affected. Optimum, which is owned by Altice USA and offers internet, TV, and phone services, hasn’t specified which of its services were down, though the outages appeared to be affecting all three for customers in the Parsippany-Troy Hills and Boonton areas.


Is your Honda key fob vulnerable to hackers? Here's what you should know.

FROM THE MEDIA: You have to give car thieves this much credit: They're always innovating.

By wirelessly stealing command codes from key fobs in a move called the "Rolling Pwn attack," hackers have been able to unlock and start Honda vehicles, report and automotive site

Each time you press a button on your key fob, a pseudorandom number generator (PRNG) sends a semi-random code to the vehicle, giving it a command to, say, unlock the doors or open the lift gate. The car then checks that code against a list of valid codes; and if it's legit, it carries out the command. It is also supposed to invalidate previous codes to keep bad actors from reusing them. (This rolling code mechanism replaced the old system of fixed codes, which made it even easier to steal a car.)
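To make the rolling-code mechanism described above concrete, here is an added example (not code from the article or from any vehicle manufacturer) of a receiver that accepts a code only if it is newer than the last accepted one, which is the step that invalidates previously captured codes. The keyed-hash code derivation, the shared key, the window size of 16 and the button-press sequence are all assumptions constructed for illustration; real fobs use vendor-specific keys and algorithms.

```python
import hashlib
import hmac

# Constructed shared secret and window size (assumptions; real fobs use
# vendor-specific keys, code lengths and resynchronisation windows).
SHARED_KEY = b"constructed-demo-key-not-a-real-fob-key"
WINDOW = 16  # how many counter values ahead of the last accepted one the car will try


def make_code(key: bytes, counter: int, command: str) -> str:
    """Derive the code a fob would transmit for a given counter value and command."""
    msg = counter.to_bytes(4, "big") + command.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Fob:
    """Each button press advances the counter and emits a fresh code."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self, command: str):
        self.counter += 1
        return (command, make_code(self.key, self.counter, command))


class Receiver:
    """Vehicle side: accepts a code only for a counter newer than the last accepted one."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.last_accepted = 0

    def accept(self, command: str, code: str) -> bool:
        # Only counters strictly newer than last_accepted, and within the window,
        # are candidates; anything older is treated as a replay and rejected.
        for candidate in range(self.last_accepted + 1, self.last_accepted + 1 + self.window):
            expected = make_code(self.key, candidate, command)
            if hmac.compare_digest(expected, code):
                # Advancing the counter is what invalidates every earlier code.
                self.last_accepted = candidate
                return True
        return False


def replay_scenario():
    """Constructed sequence: a code is recorded, a later press is accepted,
    then the recorded code is presented again and must be rejected."""
    fob = Fob(SHARED_KEY)
    car = Receiver(SHARED_KEY)
    recorded = fob.press("unlock")                 # counter 1, observed off-air
    first = car.accept(*recorded)                  # genuine press: accepted
    second = car.accept(*fob.press("unlock"))      # counter 2: accepted, counter 1 now stale
    replayed = car.accept(*recorded)               # counter 1 is older than last_accepted
    return first, second, replayed


def missed_presses_scenario():
    """Presses made out of range are tolerated up to the window, not beyond it."""
    fob, car = Fob(SHARED_KEY), Receiver(SHARED_KEY)
    for _ in range(5):
        fob.press("unlock")                        # 5 presses the car never heard
    within_window = car.accept(*fob.press("unlock"))   # counter 6 <= 16: accepted

    fob2, car2 = Fob(SHARED_KEY), Receiver(SHARED_KEY)
    for _ in range(20):
        fob2.press("unlock")                       # 20 unheard presses exceed the window
    beyond_window = car2.accept(*fob2.press("unlock"))  # counter 21 > 16: rejected
    return within_window, beyond_window


if __name__ == "__main__":
    print("replay scenario (accept, accept, replay):", replay_scenario())
    print("missed presses (inside window, beyond window):", missed_presses_scenario())
```

The property the article describes as missing is the `self.last_accepted = candidate` line: a receiver that checks membership in a code list without advancing its counter keeps accepting codes it has already seen. The window exists only so a fob pressed out of range can resynchronise; it never reaches backwards.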


Ransomware Landscape Evolves in a Post-Conti World

FROM THE MEDIA: In the month after the Conti group closed its operations and shut down all its servers, researchers have observed several other actors taking the prolific group's place with novice attack tactics and new ransomware versions.

In May, the Conti gang shuttered the admin panel of its website and shut down its servers, including the ones used to negotiate ransom payments with victims. The moves left security analysts wondering how the ransomware landscape would be impacted, as Conti had presented a major threat for almost two years, with the U.S. government in September warning of attacks by Conti affiliates against health care providers, 911 systems and many other critical organizations.


ALPHV ransomware intros searchable database, raises ransom demands

FROM THE MEDIA: Following ALPHV ransomware's introduction of a dedicated leak site for a victim from which it had stolen more than 1,500 individuals' personally identifiable information, the ransomware gang was discovered by Resecurity to have unveiled a searchable database of stolen data with over 100,000 documents, reports SecurityWeek. Resecurity researchers found that ALPHV announced on Sunday in a dark web forum post that numerous documents, including IDs, Social Security numbers, and driver's licenses, as well as confidential information, access credentials, and passwords could be searched within the database.


These hackers are targeting healthcare records and IT systems with ‘Maui’ ransomware

FROM THE MEDIA: The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury have released a joint alert about the Maui ransomware. The agencies state that the Windows executable maui.exe is designed for attackers to manually select files to be encrypted. According to the agencies, the unknown ransomware has already targeted the IT services of healthcare and public health organizations. The FBI has attributed the attacks to North Korean state sponsored actors that have been leveraging the Maui ransomware since May 2021.


French telecom operator La Poste Mobile suffers a Lockbit ransomware attack

FROM THE MEDIA: La Poste Mobile is a French virtual mobile telephone operator that uses the infrastructure of the SFR network. Previously known as Simpleo and Simplicime, the company is 51% owned by the La Poste group and 49% by SFR, a French telecommunications operator. This week, the company posted a notice on its official website stating that it suffered a ransomware attack on July 4. As soon as the company became aware of the attack, it suspended the affected computer systems, which resulted in its official website being taken offline. Ten days after the attack, La Poste Mobile’s website is still offline but displays a statement concerning the ransomware attack.


Weaponization of healthcare product flaws examined

FROM THE MEDIA: Forty-three of 624 security flaws identified in healthcare devices have been weaponized to impact patient care, with exploits for the weaponized vulnerabilities being available to the public or being actively exploited by threat actors, reports TechRepublic. Chinese state-backed advanced persistent threat group APT1, also known as BrownFox, has exploited four security vulnerabilities, namely CVE-2015-9215, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023, found in three Oracle offerings, according to a Cyber Security Works report. Healthcare product vulnerabilities have also been targeted in ransomware attacks, with the BigBossHorse ransomware leveraging a Biomerieux bug, and other ransomware actors exploiting the PrintNightmare flaw in Stryker devices.


Why Hackers are Increasingly Targeting Digital Supply Chains

FROM THE MEDIA: For a large majority of the world, the SolarWinds hack in December 2020 was the first real introduction to digital supply chains and their vulnerabilities. But the reality is that hackers increasingly have been vested in software supply chain attacks, which increased 650% from July 2019 to May 2020 alone. Likewise, data from Netscout’s 2H 2021 Threat Intelligence Report shows that hackers remain laser-focused on attacking the digital supply chain. Specifically, there was a 606% increase in attacks against software publishers from 1H 2021, as well as a 162% increase in attacks on computer manufacturers and a 263% increase against computer storage manufacturing. 


Pro-Russian hacker group Killnet targets Lithuanian energy company, disrupts operations

FROM THE MEDIA: In a recent post on Facebook, Ignitis Group said that it faced one of the biggest DDoS attacks in a decade. The company confirmed that it was able to manage the attack’s impact on its systems and that no internal systems of the group were harmed. Also, no sign of breach has been recorded.

“Ignitis Group currently managed to manage and limit DDoS attacks in the biggest cyberattack in a decade. No breaches into the systems or other negative impacts have been recorded,” the company said. Ignitis Group has informed law enforcement authorities and the country’s National Cyber Security Center (NKSC) about this incident and is working with them to investigate the attack. “Our current priority is to ensure that the Group’s websites and systems used by the customers are running without disruptions.”


Biggest Gasoline Pipeline in the U.S. Reports Spill, a Year After Notorious Cyberattack

FROM THE MEDIA: There’s more trouble with the Colonial Pipeline: The nation’s largest gasoline pipeline reported a spill in Tennessee in early July, adding onto more than a year of public problems with the company, from a catastrophic hacking to being responsible for the largest gasoline spill in decades. According to the company, a valve failure spilled more than 24,000 gallons of gasoline in Loudon, Tennessee; the spill was discovered July 4 by workers responding to reports of a gas smell. That stretch of pipeline was shut down and the valve repaired, but on July 11 Colonial said that gasoline had been discovered outside of the company’s property line. The company said it is still in the “investigative stage” of figuring out the extent of the spill and is monitoring air and waterways for pollution.


Large-Scale Phishing Campaign Bypasses MFA

FROM THE MEDIA: According to researchers at Microsoft, a massive phishing campaign that can steal credentials despite the implementation of multi-factor authentication has already attempted to compromise more than 10,000 organizations. The adversary-in-the-middle style attack means that the attackers can hijack sign in sessions and access victim mailboxes to launch additional attacks against other targets. The campaign has been active since last fall, according to Microsoft’s 365 Defender Research Team. Microsoft released a report detailing the threat on Tuesday.


Will Hackers Bring Down Airplanes One Day?

FROM THE MEDIA: The increasingly complex—and networked—nature of international civil aviation appears vulnerable to new dangers at a time the industry’s successful reemergence from the coronavirus pandemic ranks as its top priority. Ever since 2017, the caseload involving cyber-attacks on airlines has evolved rapidly. Cathay Pacific, British Airways, Bangkok Airways, Air Canada, Singapore Airlines, and EasyJet have all fallen victim to highly costly and widely reported data breaches. In recent years, the aviation industry has had to deal with a new breed of threats, which could center on penetration of the aircraft’s avionics using networks associated, for example, with communications or in-flight entertainment (IFE) systems. Benign hackers have documented many cases.


Hackers Use Malicious NPM Packages To Steal Data in the IconBurst Supply Chain Attack

FROM THE MEDIA: ReversingLabs researchers discovered more than two dozen NPM packages stealing form data in a “coordinated supply chain attack” since December 2021. Node Package Manager (NPM) is a dependency installer for the JavaScript Node.js runtime environment. Dubbed IconBurst, the SolarWinds-style attack leveraged typo-squatting, the subtle but intentional misspelling of popular software repositories, to trick developers into downloading the malicious packages.
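Typo-squatting works because a name one or two keystrokes away from a popular package looks right at a glance. The following added example (not ReversingLabs' tooling or anything from the article) shows the kind of check a team can run over its own dependency list before install: it computes the edit distance from each declared package name to a small allowlist of well-known names and flags near-misses. The allowlist, the distance threshold of 2 and the sample `package.json` dependencies are constructed for illustration; `lodahs` and `expres` are made-up look-alikes, not packages named in the report.

```python
# Dependency-name audit: flag package names that sit within a small edit
# distance of a well-known package but are not that package.

# Constructed allowlist of popular npm package names (assumption: a real
# deployment would load this from the registry's download statistics).
POPULAR = {"lodash", "express", "react", "axios", "moment", "chalk", "commander"}

MAX_DISTANCE = 2  # assumed threshold: 1 = single typo, 2 = two typos or a swap


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute); a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def nearest_popular(name: str, max_distance: int = MAX_DISTANCE):
    """Return (popular_name, distance) for the closest allowlisted package
    within max_distance, or None if the name is exact or not close to any."""
    if name in POPULAR:
        return None  # the genuine package, nothing to flag
    best = None
    for popular in sorted(POPULAR):
        d = levenshtein(name, popular)
        if d <= max_distance and (best is None or d < best[1]):
            best = (popular, d)
    return best


def audit_dependencies(deps: dict):
    """deps has the shape of package.json 'dependencies' (name -> version range).
    Returns a list of (declared_name, look_alike, distance) findings in order."""
    findings = []
    for name in deps:
        hit = nearest_popular(name)
        if hit is not None:
            findings.append((name, hit[0], hit[1]))
    return findings


# Constructed sample dependency block: two look-alikes, two genuine names.
SAMPLE_DEPENDENCIES = {
    "expres": "^4.18.0",    # constructed: one character short of "express"
    "lodahs": "^4.17.0",    # constructed: last two characters of "lodash" swapped
    "axios": "^1.0.0",      # genuine name, should not be flagged
    "left-pad": "^1.3.0",   # unrelated name, not close to anything on the list
}


if __name__ == "__main__":
    for declared, look_alike, distance in audit_dependencies(SAMPLE_DEPENDENCIES):
        print(f"suspect: {declared!r} is {distance} edit(s) from {look_alike!r}")
```

A check like this is a triage aid, not proof of malice: a near-miss name may be a legitimate fork or a coincidence, so findings should lead to a look at the package's publisher, age and install scripts rather than an automatic block. Exact-name lookups against the allowlist are the reason a genuine `axios` is never reported.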


Qakbot malware evolves to bypass detection

FROM THE MEDIA: The Hacker News reports that Qakbot malware operators have been discovered by Zscaler researchers to have adopted code obfuscation and new attack chain layers, as well as leveraged various URLs and file extensions for payload delivery in an effort to better conceal their operations. "Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot," said Zscaler Threatlabz researchers Aditya Sharma and Tarun Dewan.


The Man Fighting Ukraine’s Cyber War

FROM THE MEDIA: Ukraine has long been Russia’s cyberwarfare sandbox, a proving ground for the Kremlin to trial new techniques and new malware viruses. Since Russia launched a full-scale invasion of the country on Feb. 24, Ukraine has seen those attacks increase threefold, according to Ukrainian officials — hitting everything from civilian and military agencies to communications and energy infrastructure. Those attacks have not been isolated to the roughly 40 million residents of Ukraine. Russian cyberespionage and cyberattacks since the start of the invasion have been recorded in 42 countries across six continents — the majority of which are NATO countries or those that supplied aid packages to or voiced support for Ukraine.


Ex-CIA engineer Joshua Schulte convicted over massive data leak

FROM THE MEDIA: A former Central Intelligence Agency (CIA) software engineer has been convicted of leaking classified information to whistleblowing website WikiLeaks, in one of the biggest such thefts in the United States spy agency’s history.

Joshua Schulte, 33, was convicted on Wednesday by jurors in a Manhattan federal court on eight espionage charges and one obstruction charge over the so-called Vault 7 leak.

READ THE STORY:  Al Jazeera

Protecting Ukraine’s internet access and critical data

FROM THE MEDIA: The U.S. government and private sector are providing critical cybersecurity assistance to Ukraine, helping the country stay online during Russia’s brutal and unjust war. The Kremlin’s further invasion of Ukraine has used information warfare tactics, including cyberattacks on core infrastructure and dissemination of disinformation through state-sponsored malign networks, as well as mass disruption of internet service, according to media reports and Ukraine’s government. The U.S. Department of State has provided $40 million in cyber development assistance since 2017 to strengthen Ukraine’s cyber resilience, with another $45 million in supplemental assistance in 2022 to strengthen Ukraine’s cyber defensive capabilities.


Items of interest

How Israel plans to tackle cyberattacks with a ‘Cyber-Dome’

FROM THE MEDIA: At CyberWeek in Tel Aviv, Israel, Gaby Portnoy, the new director general of the country’s Cyber Directorate announced the Cyber-Dome project — a new big data, AI, overall approach to proactive cyberdefense. This project is expected to be a collaborative effort between cybersecurity leaders in Israel and across the globe in preparation for what Portnoy believes is unarguably “the most prominent dimension of future warfare.”

In his words, “the Cyber-Dome will elevate national cybersecurity by implementing new mechanisms in the national cyber perimeter and reducing the harm from cyberattacks at scale. The Cyber-Dome will also provide tools and services to elevate the protection of the national assets as a whole … and will synchronize nation-level real-time detection, analysis and mitigation of threats.”

READ THE STORY:  VentureBeat

Hackers Claim Theft of Police Info in China's Largest Data Leak (Video)

FROM THE MEDIA: Unknown hackers claimed to have stolen data on as many as a billion Chinese residents after breaching a Shanghai police database. Industry experts are saying this may be the largest cybersecurity breach in the country's history. Edwin Chan reports on Bloomberg Television.

China gathering online data on Western targets (Video)

FROM THE MEDIA: A new report by the Washington Post shows China is growing its internal internet-data surveillance network and mining Western social media sites for intel on foreign targets. Washington Post national security reporter Cate Cadell joins CBSN AM to discuss what she learned.

These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at
