Daily Drop (206)
Wednesday, July 27, 2022 // (IG): BB //Buy Me: The Hawk Enigma
Bad actors leverage popular cloud-based messaging apps to launch malware schemes
FROM THE MEDIA: Researchers on Tuesday reported that cybercriminals are leveraging the bots inside popular cloud-based messaging apps such as Discord and Telegram to spread malware. The bots are used to share media, play games, moderate channels, or any other automated tasks developers can devise. However, in the wrong hands, bad actors can leverage bots to conduct cybercrime. In a blog post, Intel 471 researchers said bad actors have found ways to use these messaging platforms in conjunction with information stealers to host, distribute, and execute various functions that let them steal credentials from unsuspecting users.
READ THE STORY: SCMAG
Discord, Telegram Services Hijacked to Launch Array of Cyberattacks
FROM THE MEDIA: Threat actors have figured out how to use the existing functionality and infrastructure of popular messaging apps such as Telegram and Discord to host, launch, and execute a variety of malware, as shown by ongoing, dangerous campaigns. From bots that enable games and content sharing, to robust content delivery networks (CDNs) ideal for hosting malicious files, these platforms are helping fuel a surge of new attacks, according to the security research team at Intel 471.
READ THE STORY: DarkReading
Google ad scam warning: Don’t click this hidden malware campaign
FROM THE MEDIA: One way cybercriminals spread malware is through malicious apps. We’re always warning you about apps hiding malware and to keep them off your devices. Tap or click here for a recent example of malicious apps making the rounds. But hiding malware-infested apps in app stores is just one technique. In a worrying trend, scammers are now weaponizing Google Search results to get malware on your device. They are creating malicious Google ads to get victims to click on links that lead to sites that infect their devices. Read on to see how the scheme works and what you can do about it.
READ THE STORY: Komando
Malware That Can Survive OS Reinstalls Found On Asus, Gigabyte Motherboards
FROM THE MEDIA: A malware strain capable of surviving OS reinstalls has been secretly infiltrating older motherboards from Asus and Gigabyte, according to antivirus vendor Kaspersky. The malware, dubbed CosmicStrand, is designed to infect the motherboard’s UEFI (Unified Extensible Firmware Interface), so that it can persist on a Windows machine, even if the storage drive is removed. On Monday, Kaspersky said it uncovered CosmicStrand circulating on Windows computers in China, Vietnam, Iran and Russia. All the victims were using Kaspersky’s free antivirus software, so they were likely private individuals.
READ THE STORY: PCMAG
New Rust-based malware spreads after code shared on cybercrime forum
FROM THE MEDIA: A new form of information-stealing malware based on the Rust programming language is rapidly spreading after the source code was recently shared on a popular cybercrime forum. Detailed Monday by researchers at Cyble Inc., the malware, dubbed “Luca Stealer,” was first shared on July 3. The malware developer is believed to have shared the source code to build a reputation for itself. The developer also provided steps to modify the malware and compile source code for ease of use. Since first being shared, Luca Stealer has been updated three times and the malware developer is said to be continuously adding multiple functions.
READ THE STORY: SiliconAngle
Vietnamese attacker circumvents Facebook security with ‘DUCKTAIL’ malware
FROM THE MEDIA: Security vendor WithSecure, which was spun out in March 2022 as F-Secure’s enterprise security arm, claims it’s found malware that targets Facebook Business accounts. “The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” states WithSecure’s report on the campaign. “The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.”
READ THE STORY: The Register
Email Tracking Pixels — What Are They and How To Stop Them From Tracking You
FROM THE MEDIA: The emails of today have come a long way since the first sent email back in 1971, per the Guinness World Records. Aside from the messages they convey, they can now have pictures, files, and even videos attached to them, making them a convenient way of sharing and receiving information formally. They could also be used to know if, when, and on which device you opened an email from a specific company, which may feel like a breach of privacy rather than an informative way of disseminating information.
READ THE STORY: ItechPost
HEAT Attacks: The new frontier for hackers
FROM THE MEDIA: As we are midway through the third year of remote work and have fully opened the door to hybrid work, cybersecurity experts can only assure one thing: attackers are going to continue to develop new ways to break through networks and spread ransomware to unsuspecting organizations and individuals. The newest form of ransomware emerging has been classified as a HEAT attack, or a Highly Evasive Adaptive Threat, recently discovered by the Menlo Labs team.
READ THE STORY: SecurityInfo Watch
Luca Stealer malware spreads rapidly after code handily appears on GitHub
FROM THE MEDIA: A new info-stealer malware is spreading rapidly in the wild as the developer behind it continues to add capabilities and recently released the source code on GitHub. In addition, the Windows software nasty – dubbed Luca Stealer by the folks at Cyble who detected it – is the latest to be built using the Rust programming language.
READ THE STORY: The Register
“Innovations” Continue for Ransomware Gangs as Specific Stolen Data Becomes Searchable on Data Leak Sites
FROM THE MEDIA: Ransomware gangs are constantly adding twists and tweaks to their operations to stay ahead of the competition, and the latest trend appears to be adding the ability to search data leak sites for specific items belonging to victims that refused to pay. At least three groups are now allowing stolen data to be trawled in this way, including the notorious LockBit gang.
READ THE STORY: CPOMAG
Israel’s new cyber-kinetic lab will boost the resilience of critical infrastructure
FROM THE MEDIA: In a building under construction at the Advanced Technologies Park in Be’er Sheva, the “cyber capital” of Israel, a new governmental lab is also taking shape: the National Cyber-Kinetic Lab for ICS and OT. A joint venture between the Israel Ministry of Energy (MoE) and the Israel National Cyber Directorate (INCD), it will serve as a sandbox for testing computing devices embedded in physical processes and simulating cyber-attacks on scaled-down models of real-life industrial and critical infrastructure control systems.
READ THE STORY: HelpnetSecurity
NIST’s health cyber guidance aligns with its newer frameworks
FROM THE MEDIA: The National Institute of Standards and Technology aligned recent cybersecurity guidance helping agencies and organizations secure electronic protected health information with its newer frameworks, according to author Jeff Marron. NIST Special Publication (SP) 900-66 Revision 2, Implementing the Health Insurance Portability Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, incorporates both its Cybersecurity Framework and SP 800-53 security controls.
READ THE STORY: Fedscoop
China Could Unleash A Cyber-Pearl Harbor On America
FROM THE MEDIA: It is understandable that military analysts focus on Russia and the threat it poses to Ukraine. But when it comes to cyber, and in particular cyber defense and offense in space, we cannot forget that China is the leading threat. Lessons from the war against Ukraine may have only limited application to this more critical, longer-term struggle.
READ THE STORY: 1945
Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access
FROM THE MEDIA: Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a "durable persistence mechanism." That's according to a new warning from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules."
READ THE STORY: THN
Hackers Affiliated With Iran-Backed Militias In Iraq Claim Cyber Attack On Turkish Websites In Retaliation For Turkish Bombardment Of Iraq's Kurdistan
FROM THE MEDIA: In the wake of an alleged Turkish artillery bombardment of a resort in Zakhu district in Iraq's Dahuk Province on July 20, 2022, which reportedly killed and wounded several Iraqi civilians, several Telegram channels affiliated with Iran-backed militias in Iraq published posts vowing to retaliate. On June 21, 2022, the "Jehad Brothers Team" Telegram channel claimed that a Kurdish group named carried out a cyber attack in collaboration with a second hacking team, targeting websites affiliated with Turkish media outlets.
READ THE STORY: Memri
FBI, CISA Warn of North Korean Ransomware Threat Targeting Healthcare Organizations
FROM THE MEDIA: Cyberthreats to the healthcare industry are growing, especially ransomware attacks. In a joint cybersecurity advisory, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of the Treasury warned that North Korean state-sponsored cyber actors have been using Maui ransomware to target healthcare and public health organizations since at least May 2021. They expect these attacks to continue. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” states the advisory.
READ THE STORY: HealthTech Magazine
China targeted Fed employees for almost a decade, GOP Senate report says; chairman pushes back
FROM THE MEDIA: A report released Tuesday by Republicans on the Senate Homeland Security and Government Affairs Committee says that China targeted the Federal Reserve for nearly 10 years, working to recruit and influence employees in an effort to obtain information and monetary benefit and to influence U.S. monetary policy. The report zeroes in on what it describes as Chinese efforts to recruit American talent using programs that targeted individuals at the Fed -- offering job prospects, academic positions and economic and research opportunities in an effort to gain access to sensitive data and information.
READ THE STORY: ABCNEWS
Opponents of CHIPS Act say it could subsidize construction of semiconductors in China, not America
FROM THE MEDIA: (The Center Square) – Opposition to the CHIPS Act is growing after Texas Gov. Greg Abbott urged Congress to pass it and Florida lawmakers expressed opposition to it. Passing the bill, proponents argue, is necessary to bolster semiconductor production in the U.S. and reduce reliance on foreign production especially in China. When it was initially introduced, the bill would cost taxpayers $76 billion.
READ THE STORY: TheCenterSquare
T.H.R.E.A.T Tactical High Reconnaissance Evasive Aerial Target
FROM THE MEDIA: T.H.R.E.A.T. was developed in order to provide a low-cost, secure, and Bradley-compliant manufactured testing platform for counter sUAS solutions. Today’s battlefield is experiencing an unprecedented amount of off-the-shelf UAS equipment being deployed for offensive and reconnaissance roles. To combat this, the U.S. Department of Defense has issued several calls to action for prime manufacturers to develop countermeasures.
READ THE STORY: SUASNEWS
HS plans to overhaul disinformation efforts to 'increase trust with the public'
FROM THE MEDIA: When the Department of Homeland Security’s Advisory Council announces its plan next week for overhauling how the agency combats the spread of disinformation online, its focus will be on “how to achieve greater transparency across our disinformation related work” and how to “increase trust with the public,” according to council meeting minutes released Monday.
READ THE STORY: CyberScoop
Hard-coded Password in Popular Vehicle GPS Tracker Allows for User Impersonation, Remote Execution of Commands
FROM THE MEDIA: A hard-coded password discovered in a popular brand of vehicle GPS trackers has rendered them essentially unusable, at least until (if) some sort of patch is issued. Security firm Bitsight has cracked open the MiCODUS MV720 vehicle GPS tracker and found six separate vulnerabilities that are considered serious, at least four of which potentially allow for remote control of the device. The most severe of the bunch is a hard-coded password that allows anyone aware of it to log into the web server, impersonate the user and send the same commands to their GPS unit that legitimate users can normally send by phone.
READ THE STORY: CPOMAG
Iraqi hacker group 'ALtahrea Team' targets Israeli IT, e-commerce companies in major cyber attack: Reports
FROM THE MEDIA: A group of Iraqi hackers has reportedly targeted the website of a number of Israeli companies involved in the information technology sector as well as electronic purchase or sale of products on online services or over the Internet. Social media activists said various Israeli websites are currently offline due to a widespread cyber attack that took place on Tuesday and was perpetrated by an Iraqi hacker group calling itself "ALtahrea Team." Among the affected sites are the Lifters website, the Nadlan World website, and the website of the Liam Group.
READ THE STORY: Presstv
New Facebook malware targets business accounts
FROM THE MEDIA: Helsinki-based cybersecurity vendor WithSecure (formerly F-Secure Business) says it has discovered an operation, dubbed “DUCKTAIL,” that uses social media-based spear phishing attacks to gain access to Facebook Business accounts. The company said that it has “high confidence” that a Vietnamese threat actor is behind the attacks, which aim malicious messages at LinkedIn users who are likely to have admin access to their companies’ Facebook accounts. The threat actor also targets email addresses of potential victims directly.
READ THE STORY: CSO ONLINE
Newly found Lightning Framework offers a plethora of Linux hacking capabilities
FROM THE MEDIA: The software framework has become essential to developing almost all complex software these days. The Django Web framework, for instance, bundles all the libraries, image files, and other components needed to quickly build and deploy web apps, making it a mainstay at companies like Google, Spotify, and Pinterest. Frameworks provide a platform that performs common functions like logging and authentication shared across an app ecosystem. Last week, researchers from security firm Intezer revealed the Lightning Framework, a modular malware framework for Linux that has gone undocumented until now.
READ THE STORY: Arstechnica
StringJS Typosquat Deploys Discord Infostealer Obfuscated Five Times
FROM THE MEDIA: The legitimate ‘string’ library is downloaded anywhere between 70,000 and 100,000 times in any given week. Which explains why a threat actor would be lured to ship counterfeit versions of this library — a theme we’ve repeatedly observed when it comes to malware distributed via open source typosquats. The malicious ‘stringjs_lib’ package was caught by Sonatype’s automated malware detection systems, which are an integral part of Nexus Firewall. Analysis by our security researcher Carlos Fernandez revealed that the package goes to great lengths to hide its true purpose.
READ THE STORY: SecurityBoulevard
Kaspersky Researchers Dissect Bootup Rootkit
FROM THE MEDIA: Researchers from Russian cybersecurity firm Kaspersky say they found malware they've dubbed CosmicStrand in firmware images of Gigabyte or ASUS motherboards. The malware delivers a kernel-level implant into a Microsoft Windows system each time the computer boots, since hackers modified the interface between Windows and the boot firmware, an interface known as Unified Extensible Firmware Interface. UEFI replaced the older Basic Input/Output System, or BIOS, firmware interface.
READ THE STORY: BankInfoSec
Critical Vulnerabilities Exposed Nuki Smart Locks to a Plethora of Attack Options
FROM THE MEDIA: The IT security researchers at Manchester, England-based NCC Group have released a technical advisory explaining how Nuki Smart Locks were vulnerable to a plethora of attack possibilities. It is worth noting that Nuki Home Solutions is a Graz, Austria-based supplier of smart home solutions in Europe. Here is a detailed overview of the eleven flaws in Nuki’s locks. This flaw is tracked as CVE-2022-32509 and affects Nuki Smart Lock version 3.0. As per the NCC Group research, the company didn’t implement SSL/TLS certificate validation on its Smart lock and Bridge devices.
READ THE STORY: HackRead
What Is the Log4j Vulnerability and Why It’s NOT an Easy Fix
FROM THE MEDIA: Log4j is a very popular logging package for Java. It is widely used by high-profile applications and services, including software from Google, Apple, Amazon Web Services, Microsoft Minecraft, the world’s #1 best-selling game, and even the software deployed on a NASA Mars rover. Software using the Log4j package directly or indirectly impacts the lives of billions of people worldwide. On December 9, 2021, the most significant zero-day exploit of recent years was found in Log4j. Labeled CVE-2021-44228, it identified the ability of attackers to perform remote code execution (RCE) and unauthenticated server-side request forgery (SSRF) by logging certain unauthenticated payloads.
READ THE STORY: American Security Today
LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top
FROM THE MEDIA: Reverse-engineering the latest ransomware executables from the group behind LockBit shows that the developers have added capabilities from other popular attack tools and are actively working to improve LockBit's anti-analysis capabilities, according to researchers. This significant evolution, seen in the recently debuted LockBit 3.0 (aka LockBit Black), is likely meant to offset better defenses, a greater scrutiny by researchers and investigators, and competition from other gangs, according to analyses by multiple researchers.
READ THE STORY: DarkReading
CISA Executive Director Brandon Wales discussed how ransomware actors target companies of all sizes, and how CISA wants organizations to prevent zero-day events.
FROM THE MEDIA: Since the large-scale ransomware hacks of the Colonial Oil Pipeline and North American branches of JBS Foods in 2021, federal agencies have doubled down on preventing future attacks on the nation’s critical infrastructures. Leadership at the Cybersecurity and Infrastructure Security Agency, however, confirmed that ransomware hackers are not exclusively targeting large organizations and businesses, but smaller entities as well. Speaking at a CyberShare event on Monday, CISA Executive Director Brandon Wales discussed the need for all companies and organizations to invest in the best cybersecurity practices as ransomware becomes a more pervasive and common threat.
READ THE STORY: NextGov
CrowdStrike to buy Israeli cybersecurity cos for $2b
FROM THE MEDIA: CrowdStrike (Nasdaq: CRWD), one of the biggest cybersecurity companies in the US, is setting up a large Israeli R&D center based on a huge acquisition. The name of the Israeli company is set to be announced. Sources close to the matter have told "Globes" that CrowdStrike has been in talks to buy one or more Israeli companies. Several sources, who preferred not to be named, told "Globes" that CrowdStrike's acquisitions in Israel could be for as much as $2 billion. CrowdStrike, which has a market cap of $39 billion, competes with some of Israel's largest and fastest growing cybersecurity companies like SentinelOne (NYSE: S) and Cybereason.
READ THE STORY: Globes
US State Department Doubles Reward to $10 Million for Tips Leading to North Korean-Backed Hackers
FROM THE MEDIA: The U.S. government has been offering rewards of up to $5 million in recent months for information that assists it in stopping the flow of illegal money to North Korea, according to Bank Info Security. The Rewards for Justice program of the State Department has previously stated that it is looking for information that will enable the financial systems of those involved in certain activities that support North Korea to be disrupted.
READ THE STORY: ItechPost
Items of interest
FileWave patches two vulnerabilities that impacted more than 1,000 orgs
FROM THE MEDIA: Swiss device management company FileWave confirmed on Tuesday that two vulnerabilities in their platform have been patched after being discovered by researchers from Claroty’s Team82.
The vulnerabilities – CVE-2022-34907 and CVE-2022-34906 – were found in FileWave’s mobile device management (MDM) system and affect thousands of companies that use the system.
Noam Mosche, a researcher for Claroty’s Team82, told The Record that it is common for any type of organization to use an MDM solution considering the large number of IoT devices in use today. The tools make it simpler for IT administrators to manage all of an organization’s devices effectively.
READ THE STORY: The Record
Australian anti-CCP activist was set up in bomb scare, lawyer says (Video)
FROM THE MEDIA: The lawyer for an Australian activist arrested in the UK believes his client has been set up. Drew Pavlou is accused of sending a bomb threat to the Chinese embassy in London.
Conti Costa Rica Ransomware Attack Explained (Video)
FROM THE MEDIA: On May 8th, 2022 the President of Costa Rica Rodrigo Chaves declared a national emergency due to an ongoing Conti ransomware campaign against several Costa Rican government entities starting in April of this year.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at firstname.lastname@example.org