Wednesday, July 20, 2022 // (IG): BB //Weekly Sponsor: The Fintel Brief
State-backed threat actors use Google Drive, Dropbox to launch attacks (CozyBear)
FROM THE MEDIA: What stands out under this particular campaign is how the threat actor, which Unit 42 researchers call Cloaked Ursa, continues to innovate and find new ways to evade detection. “Using Google Drive and Dropbox is a low-cost way to leverage trusted applications,” Unit 42 researchers said through a spokesperson. “That means you can easily get Google accounts for free and use that to collect information and host malware.” Researchers said the data being collected during these campaigns include machine names, usernames and a list of running processes. Google TAG closely tracks the activity of APT 29 and regularly exchanges information with other threat intelligence researchers, including Palo Alto Networks, according to Shane Huntley, senior director at Google TAG.
READ THE STORY: CyberSecurity Dive // Cyberwire
Ongoing 'Roaming Mantis' Smishing Campaign Hits Over 70,000 Users in France
FROM THE MEDIA: A Chinese threat actor named Roaming Mantis has been targeting Android users in France with the MoqHao malware in a new smishing campaign, security researchers with Sekoia warn. The campaign uses phishing SMS messages containing an embedded malicious link to trick unsuspecting victims into downloading malware on their Android devices, or into accessing a phishing page designed to harvest Apple login credentials. Roaming Mantis is a financially motivated threat actor operating out of China, which has been observed using the MoqHao malware in attacks targeting entities in Japan, Germany, South Korea, Taiwan, the US, and the UK.
READ THE STORY: SecurityWeek
A new technique against air-gapped systems
FROM THE MEDIA: Security researcher Mordechai Guri from Ben-Gurion University has published a paper on a new technique for stealing data from air-gapped systems using serial ATA (SATA) cables. Guri explains that SATA "is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives." The attacker would still need to infect a system within four feet of the air-gapped system in order to steal data from it, but Guri notes that "the SATA interface is highly available to attackers in many computers, devices, and networking environments."
READ THE STORY: The CyberWire
Beware Of Roaming Mantis Malware Phishing Campaign Preying On Android And iOS Users
FROM THE MEDIA: While malware and phishing are two different kinds of cyberattacks, threat actors sometimes use both methods in malicious campaigns. A threat actor known as Roaming Mantis appears to be doing exactly that in a new campaign documented by researchers at the cybersecurity firm SEKOIA. Roaming Mantis has previously targeted users in Japan, South Korea, Taiwan, Germany, France, the UK, and the US, distributing the MoqHao Android malware, also known as XLoader. The researchers estimate that this new campaign has compromised around 70,000 Android devices belonging to French users.
Similar to a spyware campaign recently targeting Italian users, the campaign’s kill chain begins with an SMS message sent to phone numbers beginning with France’s +33 country code. The text message tells recipients that a package has been sent that requires review. The message includes a malicious link that directs users to different destinations, depending on certain conditions. If the user’s IP address corresponds to a location outside of France, the user is sent a 404 error, ending the attack prematurely.
READ THE STORY: Hot Hardware
US Issues Warning on North Korean Hackers
FROM THE MEDIA: On July 6, 2022, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury jointly issued a Cybersecurity Advisory, which cautioned hospital systems and other organizations operating in the public health sector of an uptick in North Korean state-backed hackers targeting their networks with a strain of ransomware dubbed “Maui.”
The advisory outlines concrete, tactical steps that senior leadership can take to buttress cybersecurity preparedness and defenses, such as implementing security controls and conducting phishing exercises for employees. The document also underscores growing governmental scrutiny of the Maui ransomware variant, which is unlike traditional, pre-developed ransomware tools. Maui is manually operated, for example, which allows the threat actor to select which files to encrypt when deploying the malware.
READ THE STORY: Brunswick Group
Russian Hackers Tricked Ukrainians with Fake "DoS Android Apps to Target Russia"
FROM THE MEDIA: Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites. Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB). "This is the first known instance of Turla distributing Android-related malware," TAG researcher Billy Leonard said. "The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services."
READ THE STORY: THN
Walmart-controlled flight booking service suffers substantial data leak
FROM THE MEDIA: An Indian flight booking website majority-owned by US retail colossus Walmart has experienced a data breach, but is saying very little about what happened or the risks to customers. News of the breach emerged on Monday, when customers received a message depicted in the tweet below. While the message to customers assures them that "no sensitive information pertaining to your Cleartrip account" was exposed, that leaves open the possibility that information pertinent to other matters may have been accessed. The Register therefore asked Cleartrip how attackers were able to access its systems, what data was exposed, whether that data was encrypted, if any information was exfiltrated, when the breach was detected, when the company notified users, and how the company plans to change its infosec practices in response to the breach.
READ THE STORY: The Register
Unpatched Micodus GPS Tracker Vulnerabilities Allow Hackers to Remotely Disable Cars
FROM THE MEDIA: BitSight researchers discovered the flaws last year and the company has been trying to responsibly disclose its findings to China-based GPS tracker supplier Micodus since September 2021. However, its efforts have been unsuccessful and the security holes remain unpatched. Six vulnerabilities have been identified in the Micodus MV720 GPS tracker, which costs roughly $20 and is widely available, but BitSight believes other products from the same vendor are likely affected as well. The vendor says 1.5 million of its tracking devices are deployed across 169 countries. The cybersecurity firm’s analysis shows that the products are used in the government, military, law enforcement, aerospace, engineering, shipping, manufacturing and other industries.
READ THE STORY: SecurityWeek
BJC Health to spend $2.7M on email MFA access to settle breach affecting 288K patients
FROM THE MEDIA: BJC HealthCare reached a settlement with the 287,873 patients impacted by a 2020 protected health information breach of its email system brought on by a successful phishing attack. Nineteen of its affiliated hospitals were involved in the incident. Each affected patient will receive up to $250 for bank fees, interest, credit monitoring costs, postage, mileage and up to three hours of lost time. Individuals who’ve faced extraordinary expenses as a direct result of the hack may also qualify for up to $5,000 in reimbursement. The proposed settlement also requires BJC HealthCare to implement multi-factor authentication for email access to reduce the risk of phishing, projected to cost $2.7 million. Depending on how many of the patients file claims, the overall settlement costs could be staggering.
READ THE STORY: SCMAG
New Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals
FROM THE MEDIA: A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data. "Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6GHz frequency band," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, wrote in a paper published last week. The technique, dubbed SATAn, takes advantage of the prevalence of the computer bus interface, making it "highly available to attackers in a wide range of computer systems and IT environments."
READ THE STORY: THN
Albania's national IT networks continue to work toward recovery
FROM THE MEDIA: The Register follows developments in the large-scale disruption of Albanian networks that began over the weekend. The e-Albania portal has been particularly disrupted by the attacks, and that disruption has been especially painful given Albania's closure of many in-person services back in May, judging the new online service platform to have rendered the older services redundant and unnecessary. The disruption offers an object lesson in the importance of redundancy and the availability of manual backups to provide continuity of service during emergencies. There's no attribution of the attacks so far, but the Register, on the basis of a little circumstantial evidence and a lot of a priori possibility, suggests that there may be a Russian hand behind them.
READ THE STORY: CyberWire
Data is the new oil — how companies can shield themselves from cyber attacks
FROM THE MEDIA: Zero-day attacks, ransomware, corporate espionage, disgruntled employees compromising internal data — there's no shortage of threats faced by today's companies. Their IT or tech team is always scrambling to put out a 100 little fires everywhere — some caused by malicious actors and some by a simple, off-the-shelf lack of awareness. In such an evolving, riskier-by-the-day scenario, it is more important than ever to ensure companies protect their core data. "The primary cause of these challenges is that today, data lives in more places than ever before," says Rajesh Dhar, Senior Director — Infrastructure Hardware Growth, Hewlett Packard Enterprise, India.
READ THE STORY: CNBC
Justice Recovered $500K for Victims, Traced Ransomware Payments to China
FROM THE MEDIA: The Justice Department will return an estimated half a million dollars it seized from money launderers based in China to victims of ransomware attacks attributed to North Korea, officials announced Tuesday while imploring victims to report their ransom payments to federal authorities. “Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a press release. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”
In a keynote address to the International Conference on Cyber Security at Fordham University Tuesday, Deputy Attorney General Lisa Monaco trumpeted the latest in a series of wins for the department. It is part of a new strategy that prioritizes incentivizing incident reports from victims, which she said can create a virtuous cycle of prevention, versus issuing indictments that tend to fizzle out, given the global nature of the ransomware enterprise.
READ THE STORY: NEXTGOV
Belgium says Chinese cyber gangs attacked its government and military
FROM THE MEDIA: The government of Belgium has claimed it detected three Chinese Advanced Persistent Threat actors attacking its public service and defense forces. A government statement names Advanced Persistent Threat 27, 30, and 31 – aka UNSC 2814, GALLIUM, and SOFTCELL – as the groups responsible for the attacks. The statement doesn't detail the nature of the attacks other than to describe them as "malicious cyber activities that significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defense."
READ THE STORY: The Register
China-Made GPS Tracker is Found to Be Risk for Vehicle Hacking
FROM THE MEDIA: Vulnerabilities in a popular GPS tracker made in China and used around the world could allow hackers to disrupt vehicles, cut off their fuel and surveil drivers’ movements, according to new research. Several “severe” flaws in the Micodus MV720 tracker affect customers, private companies and government agencies, creating a “high risk” of personal injury, vehicle disablement and supply-chain disruption, according to Boston-based BitSight Technologies. Researchers believe 1.5 million Micodus devices are in use in more than 160 countries.
READ THE STORY: Bloomberg
Rep. Joyce applauds inclusion of NDAA amendment reducing dependence on Chinese resources
FROM THE MEDIA: U.S. Rep. Dave Joyce (R-OH) is commending the House of Representatives’ passage of the Fiscal Year 2023 National Defense Authorization Act (NDAA) and his amendment regarding Chinese product and resource dependency. The amendment eliminates the domestic Armed Forces’ dependence on Chinese-made products and resources essential to national security.
“Not only does this bipartisan bill provide for the defense of this great nation, but it fulfills our responsibility to reduce the military’s dependence on foreign sources for crucial materials,” Joyce said. “I worked hard to ensure this legislation included my amendment to protect our Armed Forces from being compromised by our excessive dependence on China and was proud to support it. I look forward to seeing it signed into law so that we can improve the quality of life for our servicemembers and their families and ensure our military is properly resourced and equipped to defend our nation and our allies.”
READ THE STORY: Homeland Prep
The CHIPS Act up for Unexpected Vote to Approve $62 Billion Semiconductor Industry Subsidy
FROM THE MEDIA: The U.S. Senate has fast-tracked a vote to bring to the Senate floor deliberation and final approval of the $62B in subsidies for the already Senate-approved bill known as the CHIPS Act. The separate vote today on the CHIPS act appropriations will also include a vote on the Fabs Act: “A draft [of the CHIPS Act] being circulated in Congress on Monday also included elements of a separate bill, known as the Fabs Act, which offers tax credits to build chipmaking plants, and $1.5bn for funding 5G networks,” (1) including “a 25% tax credit for the construction of fabs and the manufacturing equipment necessary to operate the facilities.”
READ THE STORY: OODALOOP
The Hacker Mind: G-Men in Cyberspace
FROM THE MEDIA: Fighting organized crime online might seem like a logical extension for law enforcement, but, in fact, it is not all that straightforward. Michael McPherson is someone with 25 years in the FBI, who has transitioned out to the corporate world, and can best describe the experiences on both sides of fighting cybercrime.
READ THE STORY: Security Boulevard
Inside Ukraine’s Decentralized Cyber Army
FROM THE MEDIA: On May 11, the website of RuTube, Russia’s largest streaming service and YouTube competitor, was taken offline for three straight days in what the company called the “largest cyberattack” it had ever suffered. At the end of the cyber onslaught, a volunteer group of technologists and hackers known as Ukraine’s IT Army claimed responsibility on its official Telegram channel, calling the attack “the biggest victory of the cyber war.” The hackers also claimed to have changed admin passwords, deleted and stolen internal data, and even blocked employees’ access cards to the company’s server rooms, locking people in.
READ THE STORY: VICE
‘Blended threat’: DOJ warns of China, Russia, and North Korea allying with hackers
FROM THE MEDIA: The Justice Department warned of “alliances” between hacker groups and foreign nations such as China, Russia, and North Korea to form a “blended threat” posing both criminal and national security challenges to the United States. The warning came in DOJ’s new Comprehensive Cyber Review report on Tuesday, the result of an internal effort led by Deputy Attorney General Lisa Monaco to prepare DOJ to handle the complicated challenges posed by the sometimes murky cyber landscape.
READ THE STORY: Washington Examiner
Russian cyber spies targeting NATO countries in new hacking campaign
FROM THE MEDIA: The hackers are using online storage services such as Google Drive and Dropbox to avoid being detected, said cyber security company Palo Alto. The hacking attempts have included phishing emails containing an agenda for an upcoming meeting with an ambassador as a lure, and were sent to several Western and NATO diplomatic missions between May and June of this year. A spokesperson for Dropbox told Sky News: "We can confirm that we worked with our industry partners and the researchers on this matter, and disabled user accounts immediately."
READ THE STORY: SKYNEWS
Russian Threat to U.S. Elections Persists Even Amid War in Ukraine, Officials Say
FROM THE MEDIA: Russia continues to pose a cyber threat to the U.S. midterm elections despite Kremlin-linked hackers’ focus on supporting the country’s war against Ukraine, U.S. national security officials said. The heads of the National Security Agency and the Federal Bureau of Investigation warned on Tuesday that Russia-linked groups, which have tried to hobble Kyiv through a stream of mostly low-level cyberattacks over months, may still attempt to destabilize U.S. elections in November through hacking and disinformation campaigns. “We’re quite confident the Russians can walk and chew gum,” FBI Director Christopher Wray said on Tuesday.
READ THE STORY: WSJ
Russia sought to unmask Ukrainian hackers with malware app, Google says
FROM THE MEDIA: Russian hackers apparently disguised and advertised a malware-infected Android app as a tool to fight back against Moscow in an effort to expose Ukrainian hackers. Google’s Threat Assessment Group (TAG) released a report Tuesday explaining that Russians disguised the malicious app as one that would launch Denial of Service attacks on certain Russian websites — and distributed the app from a domain masked as an extension of the Ukrainian National Guard’s Azov Regiment. The distributor, Turla, is a group TAG attributes to the Russian Federal Security Service.
READ THE STORY: The Hill
Items of interest
Why is China’s English disinformation still so crude?
FROM THE MEDIA: The comment arrived shortly after I’d posted the link on Facebook. The article, which was my first for Taiwan Business TOPICS, the magazine of the American Chamber of Commerce in Taiwan, was about burgeoning trade between Taiwan and Lithuania. Accompanied by the profile picture of an attractive young woman, the remark read: “Hello. Can we be friends? It’s like a fate to meet here.”
It was all so obvious. My article, while not directly critical of China, had drawn attention to Beijing’s ban on Lithuanian imports. This came after the opening of a Taiwan representative office in Vilnius in November under the name “Taiwan,” and a visit to Taipei by the Lithuanian Parliamentary Group that same month.
Multiple Lithuanian MPs had spoken out against Beijing’s bullying behavior — most vociferously Matas Maldeikis, who led the November delegation. Among other barbs, Maldeikis branded China “the people’s Republic of Comedy” for its hissy-fit.
READ THE STORY: Taipei Times
Forced to Scam: Cambodia’s Cyber Slaves (Video)
FROM THE MEDIA: Chinese cyber-scam operations are stealing tens of billions of dollars from victims around the world.
Cyber Warfare: Fighting The Crimes Of The Future (Full Documentary) (Video)
FROM THE MEDIA: A story about the world's best Cyber spies. Their training in Israel's military, and their impact on the world we live in.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com