Thursday, July 21, 2022 // (IG): BB // Weekly Sponsor: The Fintel Brief
Threat actors use Google Drive, Dropbox to launch cyberattacks
FROM THE MEDIA: What stands out under this particular campaign is how the threat actor, which Unit 42 researchers call Cloaked Ursa, continues to innovate and find new ways to evade detection. “Using Google Drive and Dropbox is a low-cost way to leverage trusted applications,” Unit 42 researchers said through a spokesperson. “That means you can easily get Google accounts for free and use that to collect information and host malware.”
READ THE STORY: CIODIVE
New Redeemer ransomware version promoted on hacker forums
FROM THE MEDIA: A threat actor is promoting a new version of their free-to-use 'Redeemer' ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate. Unlike many Ransomware-as-a-Service (RaaS) operations, anyone can download and use the Redeemer ransomware builder to launch their own attacks. However, when a victim decides to pay the ransom, the author receives 20% of the fees and shares the master key to be combined with the private build key held by the affiliate for decryption.
READ THE STORY: BleepingComputer
'AIG' Threat Group Launches With Unique Business Model
FROM THE MEDIA: A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a somewhat different — and potentially trend-setting — cybercrime model. Researchers from Cyberint who were the first to spot the group described the threat actor as selling a variety of services via its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks via RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing rapidly since then.
READ THE STORY: DarkReading
Google details series of Russian hacking campaigns targeting Ukraine
FROM THE MEDIA: Google LLC on Tuesday shared new details about a series of Russian state-sponsored hacking campaigns targeting Ukraine. The hacking campaigns were detected by the search giant’s Threat Analysis Group. Billy Leonard, a security engineer with the Threat Analysis Group, detailed the cyberattacks in a blog post. Google researchers have identified a hacking campaign in which Turla, a threat actor associated with Russia’s Federal Security Service, used malicious Android apps to target users. The apps purported to be designed for the purpose of launching denial of service attacks against a set of Russian websites. According to Google, download links to the apps were disseminated via messaging services.
READ THE STORY: SiliconAngle
LockBit ransomware hitting network servers
FROM THE MEDIA: The implications of threat actors gaining access to network servers and spreading ransomware are worrisome, because once the malware gains admin control it can create a group policy to stop services, end processes and spread faster at greater scale. Attackers can gain access to on-premises network servers via remote desktop applications or by exploiting a known vulnerability, according to Symantec’s threat hunting group.
READ THE STORY: CyberSecurityDive
Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists
FROM THE MEDIA: The LAPSUS$ extortion group has gone quiet following a notorious and rapid rise through the threat landscape, targeting companies including Microsoft, NVIDIA, and Okta, and earning notoriety for its freewheeling, decentralized approach to cybercrime. However, researchers said the group is likely not gone — and, in any case, its "brazen" tactics may leave a legacy.
A new report from exposure management specialist Tenable digs into the group's background and the tactics, techniques, and procedures (TTPs) it has used, maturing from distributed denial-of-service (DDoS) attacks and website vandalism to more sophisticated methods. These include the use of social engineering techniques to reset user passwords and co-opt multifactor authentication (MFA) tools.
READ THE STORY: DarkReading
Belgium says China-linked APT groups attacked its interior and defense ministries
FROM THE MEDIA: Belgium has blamed multiple threat actors with links to China for attacks against the country's interior and defense ministries. The Minister for Foreign Affairs stated in an online post that they have uncovered malicious cyber activities by threat groups targeting the FPS Interior and the Belgian Defense, which had a significant impact on Belgium's sovereignty, democracy, security and society. "Belgium assesses these malicious cyber activities to have been undertaken by Chinese Advanced Persistent Threats (APT)," the post said. The hacker groups APT 27, APT 30, and APT 31 have been identified as the perpetrators of the attacks on the interior ministry, while the attacks on the defense department are attributed to the Chinese hacking collective UNSC2814/Gallium/Softcell.
READ THE STORY: Computing UK // The Print
FBI recovers $500,000 healthcare orgs paid to Maui ransomware
FROM THE MEDIA: The U.S. Department of Justice has announced the seizure of approximately $500,000 in Bitcoin, paid by American health care providers to the operators of the Maui ransomware strain. At the start of this month, Maui was highlighted by the FBI and CISA as a new North Korean-backed ransomware operation extorting western organizations with encryption attacks. The particular ransomware operation demonstrated an inclination towards healthcare and public health organizations in its targeting, causing life-threatening service outages.
READ THE STORY: BleepingComputer
New Rust-based Ransomware Family Targets Windows, Linux, and ESXi Systems
FROM THE MEDIA: Kaspersky security researchers have disclosed details of a brand-new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language. Luna, as it's called, is "fairly simple" and can run on Windows, Linux, and ESXi systems, with the malware banking on a combination of Curve25519 and AES for encryption. "Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version," the Russian firm noted in a report published today. Advertisements for Luna on darknet forums suggest that the ransomware is intended for use only by Russian-speaking affiliates. Its core developers are also believed to be of Russian origin owing to spelling mistakes in the ransom note hard-coded within the binary.
READ THE STORY: THN
Black Basta ransomware hits Knauf Group
FROM THE MEDIA: German multinational building and construction material provider Knauf Group has been impacted by a cyberattack late last month, which has been claimed by the Black Basta ransomware gang, BleepingComputer reports. Attackers hit Knauf on June 29, prompting the firm to shut down its email systems as it works on incident response and remediation efforts. "We are currently working heavily to mitigate the impact to our customers and partners as well as to plan a safe recovery. However, we apologize for any inconvenience or delays in our delivery processes, that may occur," said Knauf.
READ THE STORY: SCMAG // TheStack // Techmonitor
How to Mitigate the Risk of Karakurt Data Extortion Group's Tactics, Techniques, and Procedures
FROM THE MEDIA: The Federal Bureau of Investigation (FBI), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN) recently released a joint Cybersecurity Advisory (CSA) focusing on the Karakurt data extortion group, an emerging organization known for stealing company data and demanding ransom to avoid public exposure. The group has become the new face of ransomware, taking advantage of vulnerabilities and poor encryption.
READ THE STORY: DarkReading
Google: Kremlin-backed goons spread Android malware disguised as pro-Ukraine app
FROM THE MEDIA: Kremlin-backed criminals are trying to trick people into downloading Android malware by spoofing a Ukrainian military group, according to Google security researchers. According to the cloud giant's Threat Analysis Group (TAG), which has been tracking cybersecurity activity in Eastern Europe since Russia invaded its neighbor, the Turla group, publicly attributed to Russia's Federal Security Service (FSB), recently started promoting Android apps on a domain designed to look like the Ukrainian Azov Regiment.
READ THE STORY: The Register
HavanaCrypt Ransomware Poses as Google Update
FROM THE MEDIA: Ransomware remains popular in large part because it works. In that sense, it’s not surprising, although it is alarming, that Trend Micro found it had detected and blocked more than 4.4 million ransomware threats stretching across email, URL and file layers during Q1 of 2022—and discovered a new family dubbed HavanaCrypt. The activity in the first quarter represents an uptick of 37% in ransomware threats over the previous quarter.
“Ransomware’s pervasiveness is rooted in its being evolutionary: It employs ever-changing tactics and schemes to deceive unwitting victims and successfully infiltrate environments,” Trend Micro researchers wrote in a blog post detailing HavanaCrypt. “For example, this year, there have been reports of ransomware being distributed as fake Windows 10, Google Chrome and Microsoft Exchange updates to fool potential victims into downloading malicious files.”
READ THE STORY: Security Boulevard
ASSESS RUSSIA’S CYBER PERFORMANCE WITHOUT REPEATING ITS PAST MISTAKES
FROM THE MEDIA: Many observers saw Russia’s February invasion of Ukraine as the first case in modern history of a great power with near-peer cyber capability waging a major conventional war. Moscow’s cyber operations to disable Ukrainian satellite communications, wipe data from several of its state and civic organizations, and peddle disinformation to its public provide ample data to consider. Analysts are already trying to measure Russia’s cyber performance against prior expectations.
READ THE STORY: War on The Rocks
Russian hacking risks ‘spillover effects’ and possible escalation, EU warns
FROM THE MEDIA: One of the European Union’s top legislative bodies warned Tuesday that Russian hacking groups are “indiscriminately targeting essential entities globally” amid the country’s war with Ukraine, threatening potential spillover effects. The Council of the European Union singled out recent distributed denial-of-service (DDoS) attacks against several EU member states and partners, which pro-Russian hacking groups took credit for.
READ THE STORY: TheRecord
Cyber Command shares bevy of new malware used against Ukraine
FROM THE MEDIA: U.S. Cyber Command on Wednesday disclosed dozens of forms of malware that have been used against computer networks in Ukraine, including 20 never-before-seen samples of malicious code. The indicators of compromise were shared with the command’s Cyber National Mission Force (CNMF) by the Security Service of Ukraine, that country’s law enforcement authority and intelligence agency.
READ THE STORY: TheRecord
Conti’s Reign of Chaos: Costa Rica in the Crosshairs
FROM THE MEDIA: Any time conflict erupts, people tend to take sides, even when it comes to cybercrime. Since the beginning of the ongoing Russian-Ukrainian war, some bad actors have made their alliances known publicly. The Conti Ransomware-as-a-Service (RaaS) group is one of the most notable – declaring in February that they were backing Russia and would use their arsenal accordingly. Their latest target seems to be the entire country of Costa Rica, which expressed its opposition to the Russian invasion.
READ THE STORY: ThreatPost
Transnistria corridor: Russia's next target in the Ukraine conflict?
FROM THE MEDIA: As the conflict in Ukraine moves into what some military experts call 'Phase III,' speculation is growing over an imminent Russian takeover of Ukraine's southwest port city Odesa combined with a subsequent advance into neighboring Moldova. That scenario would create a land corridor from Russia through Ukraine and into Moldova - specifically Moldova's pro-Russia enclave Transnistria.
READ THE STORY: CGTN
Romanian Man Accused of Distributing Gozi Virus Extradited to US
FROM THE MEDIA: A Romanian man accused of distributing a computer virus that hit over 1 million computers has been extradited to the US. The suspect, 37-year-old Mihai Paunescu, allegedly ran a hosting service that helped distribute the Gozi virus, which caused tens of millions of dollars of financial losses worldwide. First discovered in 2007, the Gozi virus was able to go undetected as it stole bank account information from computers – 40,000 of which were in the US, with 140 belonging to NASA.
READ THE STORY: InfoSec Mag
Government blocks Chinese tech deal on national security grounds
FROM THE MEDIA: The government has blocked the acquisition of intellectual property (IP) by a foreign company for the first time under new national security powers. Business secretary Kwasi Kwarteng announced on Wednesday evening that he had issued an order to prevent Beijing Infinite Vision Technology (BIVT) from buying the vision sensing technology from the University of Manchester. A deal would have allowed the China-based firm to develop, test, manufacture, use and sell licenced products.
READ THE STORY: Yahoo
Electronic warfare ‘keeps me up at night’: undersecretary of the Army
FROM THE MEDIA: While not explicitly one of the Army’s top named priorities, electronic warfare is something that keeps the service’s number two “up at night.” “It is something that definitely keeps me up at night,” Gabe Camarillo, the undersecretary of the Army, told reporters following his participation in an event at the Association of the U.S. Army on Wednesday. “I’ve been concerned about the EW and electronic protection capabilities in the Army since I was in [the office of the Assistant Secretary of the Army for Acquisition, Logistics and Technology] back in the early part of last decade.”
READ THE STORY: FEDSCOOP
China using social media, disinformation campaigns to project its narratives about Xinjiang
FROM THE MEDIA: The Chinese Communist Party's information operations are successfully silencing governments, businesses and civil society organisations globally and deterring them from criticising the CCP’s human rights record and actions in Xinjiang. Albert Zhang, an analyst, and Tilla Hoja, a researcher, at the Australian Strategic Policy Institute’s (ASPI) International Cyber Policy Centre said that China’s information operations are silencing and influencing global audiences on Xinjiang.
READ THE STORY: The Print
GCHQ experts set out how to tackle online child sexual abuse despite end-to-end encryption
FROM THE MEDIA: Two senior technical directors at GCHQ, the UK's cyber intelligence agency, have published a new paper analyzing how technology companies could protect children from sexual abuse online. The impact of child sexual abuse can last a lifetime even if the abuse takes place online. Research by the Independent Inquiry into Child Sexual Abuse found survivors often suffer serious physical and mental health conditions in later life.
READ THE STORY: Yahoo
China Fuyan: Beijing's defense against near-earth asteroids
FROM THE MEDIA: China Fuyan (faceted eye), a brand-new high-definition deep-space active observation station, is presently being built in the nation's Southwest Chongqing municipality. The facility will have scattered radars, each with a diameter of 25 to 30 metres and more than 20 antennas. These antennas will work together to conduct high-definition observations of asteroids within 150 million kilometres, according to the project's leading institution, the Beijing Institute of Technology.
READ THE STORY: WION
Items of interest
U.S. Water Sector Cybersecurity: “Absolutely Inadequate”
FROM THE MEDIA: Barely a month before Russia invaded Ukraine and everyone’s security awareness jumped off the charts, the White House announced it would now include drinking water and wastewater treatment systems in the feds’ cybersecurity initiative for industrial control systems (ICS).
But that’s not really a relief — it’s scary. Until recently, attacks on water systems haven’t been very high on the feds’ radar; at least, not publicly.
Yet on the same day as the White House’s announcement, federal officials told reporters off the record that most U.S. drinking water systems are essentially unprotected against large-scale disruption, calling their cyber defenses “absolutely inadequate.” As one official noted, federal efforts are constrained by the fact that most water providers are private companies, and there are so many of them — up to 150,000 by some estimates.
READ THE STORY: EE Times
Jon DiMaggio, NoStarch Press author of "The Art of Cyberwarfare" (Video)
Conti Ransomware From High to Low (Video)
FROM THE MEDIA: The Conti ransomware group has been one of the most active groups in recent times. In April 2022 the Conti group published information about 46 victims on their leak site. In total, they published information about 859 compromised victims, but the real number of compromises is probably higher, as some have paid the demands and were not listed.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com