Tuesday, July 19, 2022 // (IG): BB //Weekly Sponsor: The Fintel Brief
H0lyGh0st Ransomware Details for Small Business MSPs
FROM THE MEDIA: A North Korean threat actor group has been using ransomware payloads to compromise small businesses in several countries, according to Microsoft. The group, dubbed “Holy Ghost,” has been developing and using ransomware in its attacks since June 2021 and launching campaigns against small businesses since September 2021, Microsoft said. It also has connections to the Plutonium North Korean threat actor group and has communicated with this group. Holy Ghost may exploit vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web applications and content management systems, Microsoft reported. In doing so, Holy Ghost can target victims’ networks.
READ THE STORY: MSSP Alert
Mapping Major Milestones in the Evolution of North Korea’s Cyber Program
FROM THE MEDIA: Pyongyang has been developing an offensive cyber program for over 35 years through domestic innovation and foreign assistance. During that time, North Korea has undergone major transformations in its cybercrime modus operandi, shifting from disruptive cyberattacks and cyber intrusions primarily targeting South Korean government agencies to hacking banks and cryptocurrency exchanges located both on and off the Korean Peninsula.
READ THE STORY: The Diplomat
China’s Cyber Isolationism Has Severe Security Implications
FROM THE MEDIA: China, like every nation, has good reason to secure its digital borders against information theft. Yet Beijing’s growing isolationism is making the country’s cyberspace increasingly vulnerable, working against the goals it wants to achieve. Executives from Alibaba Group Holding Ltd.’s cloud services division were summoned by Shanghai authorities in relation to a leak containing data on what’s purported to be more than 1 billion people, the Wall Street Journal wrote on July 14. Bloomberg Opinion first reported Alibaba’s connection to that security breach earlier this month after examining files and messages posted to a forum used to sell exposed data.
READ THE STORY: Bloomberg
Roaming Mantis hits Android and iOS users in malware, phishing attacks
FROM THE MEDIA: After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K., the Roaming Mantis operation moved to targeting Android and iOS users in France, likely compromising tens of thousands of devices. Roaming Mantis is believed to be a financially-motivated threat actor that started targeting European users in February. In a recently observed campaign, the threat actor uses SMS communication to lure users into downloading malware on their Android devices. If the potential victim uses iOS, they are redirected to a phishing page for Apple credentials.
READ THE STORY: Bleeping Computer
Beware of password-cracking software for PLCs and HMIs
FROM THE MEDIA: A threat actor is targeting industrial engineers and operators with trojanized password-cracking software for programmable logic controllers (PLCs) and human-machine interfaces (HMIs), exploiting their pressing needs to turn industrial workstations into dangerous bots. According to Dragos researchers, the adversary seems not to be interested in disrupting industrial processes but making money. Several websites and multiple social media accounts are touting password-cracking software for PLCs, HMIs and project files, Dragos researchers have found. These appear to be tailor-made to work on PLCs and HMIs by AutomationDirect, Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi Electric, Pro-Face, Vigor Electric, Weintek, Allen-Bradley, Panasonic, Fatek, IDEC Corp., and LG.
READ THE STORY: HelpNet Security
New Study Finds Most Enterprise Vendors Failing to Mitigate Speculative Execution Attacks
FROM THE MEDIA: With speculative execution attacks remaining a stubbornly persistent vulnerability ailing modern processors, new research has highlighted an "industry failure" to adopt mitigations released by AMD and Intel, posing a firmware supply chain threat. Dubbed FirmwareBleed by Binarly, the information leaking assaults stem from the continued exposure of microarchitectural attack surfaces on the part of enterprise vendors either as a result of not correctly incorporating the fixes or only using them partially.
READ THE STORY: THN
What is E-Skimming? Detecting and Defending Against Digital Fraud
FROM THE MEDIA: While attacks targeting ATMs have been around for virtually as long as the ATMs themselves, security awareness and the capabilities of technology have led to an evolution of these attacks from being predominantly physical to increasingly digital in nature. The COVID pandemic—coupled with a steady shift from in-store and card present (CP) transactions, to online and card-not-present (CNP) transactions—has also required cybercriminals to change their tactics. Financial institutions, retailers, and ATM manufacturers have found ways to protect their assets against traditional physical attacks.
READ THE STORY: Security Boulevard
Chinese regulator fines Didi’s digital payment unit for misconduct
FROM THE MEDIA: China’s central bank has slapped Didi’s digital payment unit with an RMB 4.27 million (around $632,800) fine for misconduct, which includes failure to comply with Beijing’s real-name registration requirement for users, according to a statement posted Friday on the regulator’s website. The regulator added that Didi violated other rules such as not reporting major risk events in a timely manner and not verifying users’ identities as required by the government. Last July, Beijing launched a cyber-security probe into Didi following a public listing in the US. According to a Wall Street Journal report in June, China is concluding the investigation to allow the ride-hailing giant to return to app stores in mainland China, after a year-long investigation. [The People’s Bank of China, in Chinese]
READ THE STORY: Technode
China and the CIA Project of right Judgments of Future Predictors
FROM THE MEDIA: The (Project of Sound Judgments of Brilliant Future Predictors), which is funded by the “Advance Intelligence Research Projects Activity” section of the US government and the US Central Intelligence Agency (CIA), is striving to recruit, sort and employ brilliant geniuses who are able to predict the future in an unprecedented and genius way, by discovering new ways in advanced intelligence proactive thinking, which allows predicting the shape of the future and the new world order, and its network of international alliances globally.
READ THE STORY: Modern Diplomacy
Google Boots Multiple Malware-laced Android Apps from Marketplace
FROM THE MEDIA: Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads. French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages, according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.
READ THE STORY: ThreatPost
Botnet malware disguises itself as password cracker for industrial controllers
FROM THE MEDIA: Industrial engineers and operators are being lured into running backdoor malware disguised as tools for recovering access to work systems. These programs offer to crack passwords for specific programmable logic controllers, according to security shop Dragos this month. According to their online ads, the cracking tools can help unlock products from more than a dozen electronics manufacturing companies, including Siemens, Mitsubishi, Fuji, Panasonic, LG, and Omron. All you have to do is purchase the tool, run it on a Windows PC connected to the industrial controller via serial cable, click a button, and the password for the equipment is revealed. Under the hood, the software exploits a vulnerability – tracked as CVE-2022-2003 – in the device's Automation Direct firmware to retrieve the password in plain-text on command.
READ THE STORY: The Register
Will the Saudis help the U.S. beat Huawei?
FROM THE MEDIA: As President Joe Biden returns to Washington from his Middle East trip, U.S. and Saudi officials are beginning to implement a pair of cybersecurity agreements that the two countries announced during Biden’s visit to Jeddah. One of the agreements is a cybersecurity partnership between CISA, the FBI and Saudi Arabia’s National Cybersecurity Authority. But the other — a deal between the U.S. and Saudi telecom agencies to foster private-sector collaboration on the rollout of 5G networks — could give the U.S. a boost in its battle with China over the security of next-generation telecom networks.
As part of the deal, Saudi Arabia “will invest in new U.S.-led technology to develop and secure reliable 5G and 6G networks,” Biden told reporters in Jeddah. This technology, known as Open Radio Access Network or Open RAN, emphasizes interoperable, rather than proprietary, technologies, making it easier to combine pieces of different vendors’ infrastructure.
READ THE STORY: Politico
OpenDocument malware scams target hotels across the world
FROM THE MEDIA: Security experts have recently discovered hackers on a particularly stealthy mission to compromise hotels in Latin America using OpenDocument text files. The unknown hackers are using a rarely seen phishing method that seems to be working out well so far, with the detection rate on VirusTotal for the malicious files being used was zero less than two weeks ago. The campaign itself has also raised a number of questions due to some unique features and traits that set it apart from others.
READ THE STORY: TechRadar
Elastix VoIP systems targeted by massive malware campaign
FROM THE MEDIA: A number of different threat actors have attacked VoIP telephony servers belonging to Elastix with more than 500,000 different malware samples between December 2021 and March 2022, researchers have claimed. Elastix is a unified communications server software, bringing together IP PBX, email, IM, faxing and collaboration tools. The researchers are speculating the attackers exploited CVE-2021-45461, a high-severity (9.8) vulnerability that allows for remote code execution. Their goal was to set up a PHP web shell that would allow them to run arbitrary code on the compromised endpoints.
READ THE STORY: TechRadar
A Closer Look At Wiper Malware
FROM THE MEDIA: Wiper malware is a relatively new but highly destructive class of malicious software, first observed to have been used in the Middle East in 2012. During the Russia-Ukraine conflict in 2022, wiper malware emerged as a popular cyber weapon of choice for threat actors. In this edition of CyberSense, we will dive deeper into the class of wiper malware, explore the recent rise in observations of cyber-attacks involving new wiper malware strains, and discuss how organizations can better defend themselves against these attacks.
READ THE STORY: CSA
Why North Korean cybercriminals are targeting businesses with ransomware
FROM THE MEDIA: Ransomware attacks are typically staged by private criminal groups to make money through victimizing vulnerable organizations. But what happens when a hostile nation-state sponsors that same tactic? A new report by the Microsoft Threat Intelligence Center examines a series of ransomware attacks with ties to North Korea.
Since June of 2021, a cybercriminal group dubbed DEV-0530 by Microsoft but calling itself H0lyGh0st has launched ransomware attacks primarily against small and mid-sized businesses across different countries. The gang encrypts sensitive files on a compromised system, sends the victim a sample file as proof of the attack and then demands payment in the form of Bitcoin to decrypt the data. If the ransom is paid, the files presumably are restored. If not, the group threatens to send the data to customers of the victim or publish them on social media.
READ THE STORY: TechRepublic
SATAn hack can steal data directly from your SATA cable
FROM THE MEDIA: Researchers at the University of the Negev, Israel, have published a paper that demonstrates how a hacker could extract data from an otherwise secure system via its SATA cable. The attack uses the SATA cable itself as a form of wireless transmitter, and the data it carries can be intercepted as a form of radio signal in the 6GHz band. The attack is appropriately referred to as SATAn.
The researchers published a paper (via Tom’s Hardware). They successfully demonstrated the technique and showed it in a video that’s included above. It has to be said that this kind of attack is complicated and requires specific malware to be installed on the target machine. It requires specialized shellcode to modify file system activity that generates identifiable radio signals from SATA cables.
READ THE STORY: PCGAMER
A Deep Dive Into the Residential Proxy Service ‘911’
FROM THE MEDIA: For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.
911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.
READ THE STORY: Krebs on Security
Africa: regulate surveillance technologies and personal data
FROM THE MEDIA: For more than a decade, African governments have installed thousands of closed-circuit television (CCTV) cameras and surveillance devices across cities, along with artificial-intelligence (AI) systems for facial recognition and other uses. Such technologies are often part of state-led initiatives to reduce crime rates and strengthen national security against terrorism. For instance, in Uganda in 2019, Kampala’s police force procured digital cameras and facial-recognition technology worth US$126 million to help it address a rise in homicides and kidnappings (see go.nature.com/3nx2tfk).
READ THE STORY: Nature
Costa Rica’s ‘War’ Against Ransomware Is a Wake-Up Call for the Region
FROM THE MEDIA: In May of this year, Costa Rica’s newly elected President Rodrigo Chaves declared, “We are at war.” It was significant considering that Costa Rica is one of the few countries in the world that does not have a military. Also atypical is Costa Rica’s opponent in this war: a nonstate hacking organization based in Russia. The organization, Conti ransomware, had taken significant portions of the Costa Rican government’s computer systems offline, threatening the economy and state operations.
READ THE STORY: World Politics Review
Russia Fines Google $387M for Repeated Content Violations
FROM THE MEDIA: Alphabet’s Google was fined $387 million by a Russian court for a repeated failure to remove content that Moscow deems illegal, the country’s telecom regulator said on Monday. According to reports, Roskomnadzor, said the Tagansky District Court had fined Google 21.1 billion roubles for repeatedly failing to restrict access promptly to banned materials, and singled out YouTube for particular criticism.
It said YouTube had not deleted “fakes about the course of the special military operation in Ukraine, discrediting the armed forces of the Russian Federation”. YouTube had failed to block “false information” on the offensive in Ukraine, “extremist and terrorist propaganda” and content “calling on minors to participate in unauthorized demonstrations”.
READ THE STORY: TechEconomy
Items of interest
CISA eyes cross-pond cyber cooperation with London office
FROM THE MEDIA: The London office underscores the federal government’s increasing emphasis on international cooperation and diplomacy in the effort to combat nation state and criminal cyber adversaries.
CISA has worked closely with members of the Five Eyes and other allies since late 2021 to help prepare critical infrastructure partners and state and local governments for malicious cyber activity linked to Russia’s late February invasion of Ukraine.
The Biden administration last year convened a virtual 30-nation summit designed to help combat the rise in ransomware attacks and the illicit use of cryptocurrencies that helped fuel the rise of multimillion dollar extortion schemes related to these attacks.
The State Department formally launched the Bureau of Cyberspace and Digital Policy in April, part of a larger effort to work with other nations to combat ransomware, isolate rogue nation-state actors and establish international rules on cyber activity.
READ THE STORY: CyberSecurityDive
Remote Sensing Solutions for Utilities and Critical Infrastructures (Video)
FROM THE MEDIA: Today, remote sensing technology combined with geospatial analytics is becoming a safe, accurate, and low-cost approach to automate operations, that can provide critical insights faster and more affordably than traditional inspections. Whether it is managing vegetation, monitoring or planning assets, or responding to a weather event, utilities increasingly turn to L3Harris, the firmly established industry leader in image science, to optimize on all aspects of asset management and planning operations.
DirectConnect: Episode #11 - Compliance Vs. Security Vs. Reliability (Video)
FROM THE MEDIA: On this episode #10, Mark Brahmstadt, Steve Parker and Leonard Chamberlin sit down to discuss compliance vs. security vs. reliability.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com