Friday, July 29, 2022 // (IG): BB
U.S. Justice Department probing cyber breach of federal court records system
FROM THE MEDIA: The U.S. Justice Department is investigating a cyber breach involving the federal court records management system, the department's top national security attorney told lawmakers on Thursday. Matt Olsen, head of the Justice Department's National Security Division, alluded to the threat of cyber attacks by foreign nations as he told the U.S. House of Representative Judiciary Committee that the incident was a "significant concern."
READ THE STORY: Reuters
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
FROM THE MEDIA: LockBit has been receiving a fair share of attention recently. Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings. Meanwhile, back in April, SentinelLabs reported on how a LockBit affiliate was leveraging the legitimate VMware command line utility, VMwareXferlogs.exe, in a live engagement to side load Cobalt Strike.
READ THE STORY: SentinelOne
New MFA Bypass Phishing Method Uses WebView2 Applications with Hidden Keylogger
FROM THE MEDIA: Mr.d0x, a security researcher who previously released phishing tactics such as browser-in-the-browser (BitB) and utilized NoVNC to circumvent two-factor authentication (2FA), has released a new phishing attack method that exploits WebView2 applications to steal cookies and credentials. The code base utilizes a modified version of Microsoft’s WebView2 Samples repository. Microsoft has developed a new module called “Microsoft Edge WebView2 control”. This module allows the user to embed web technologies such as HTML, CSS and JavaScript in native applications. In this case, mr.d0x has included a JavaScript keylogger capable of sending keystrokes and cookie data to a command-and-control server.
READ THE STORY: Kroll
Phishing Attacks Take LinkedIn By Storm, and Affect Facebook Business Accounts in the Process
FROM THE MEDIA: A series of phishing attacks are cornering LinkedIn users, attempting to single out Facebook Business accounts for hacking and exploiting them.
Phishing attacks continue to rise at alarming levels and continue to infect social media platforms like ghouls haunting abandoned houses or, well, a virus. At any rate, social media platforms have their work cut out as well, considering how vast their user bases are. A few thousand individuals are manageable with a large enough team. Over 100,000 monthly users, and we’ve suddenly gotten ourselves the recipe for certain cybersecurity disasters.
READ THE STORY: Digital Information World
Cybersecurity in the Food and Beverage Industry: Risks and Recommendations
FROM THE MEDIA: A spate of serious cyberattacks on manufacturing businesses in recent years propelled the sector into the cybersecurity spotlight. The food and beverage industry is an area of manufacturing that somewhat went under the radar in discussions of cyber risk compared to other areas such as energy. But this industry is also critical, so it’s time to glean a better understanding of cybersecurity in the food and beverage industry.
READ THE STORY: Security Boulevard
Microsoft SQL servers hacked to steal bandwidth for proxy services
FROM THE MEDIA: Threat actors are generating revenue by using adware bundles, malware, or even hacking into Microsoft SQL servers, to convert devices into proxies that are rented through online proxy services. To steal a device's bandwidth, the threat actors install software called 'proxyware' that allocates a device's available internet bandwidth as a proxy server that remote users can use for various tasks, like testing, intelligence collection, content distribution, or market research. Botters also love these proxy services as they gain access to residential IP addresses that have not been blacklisted from online retailers.
READ THE STORY: BleepingComputer
Ransomware attacks badly hit manufacturing industry
FROM THE MEDIA: According to U.S.-based content delivery network Akamai Technologies Inc., nearly 30% of ransomware attacks worldwide launched by ransomware gang Conti targeted the manufacturing industry, IT Brief reports. Dean Houari, director of security technology and strategy for Asia Pacific and Japan at Akamai, said the manufacturing industry presents a prime target for attacks since they cannot afford downtime and disruptions especially when long supply chains depend on parts or products.
READ THE STORY: Business Insurance
On security researcher's newsletter, exposing cybercriminals behind ransomware
FROM THE MEDIA: On July 22, a Twitter user who goes by the handle @pancak3 received a warning they’d violated the platform’s rules against posting private information. The message included a screenshot of a tweet sent earlier that day containing the name, nickname, date of birth and passport of the alleged developer behind Predator the Thief, credential stealing malware dating back to 2018. Twitter temporarily locked the account, turning it back over 12 hours later, pancak3 told CyberScoop in an online chat. After the suspension, someone suggested pancak3 instead post the information on the newsletter platform Substack, “and I thought it was a good retention plan.”
READ THE STORY: CyberScoop
How Does Ransomware Spread in a Network?
FROM THE MEDIA: Ransomware is on the rise. From 2020 to 2021, the FBI’s Internet Crime Complaint Center saw a 62% increase in ransomware reports. In June 2021 alone, there were 78.4 million recorded attempts. When nearly two-thirds of the global population is connected to the web today, there is no excuse not to educate yourself and your staff on ransomware. Businesses can take proactive measures to adequately safeguard employees and executives from this malware. As industry leaders in digital risk protection, the Constella team is here to ensure you understand how ransomware spreads in a network and what you can do to combat it. Keep reading for all the details, and be sure to see Constella in action by requesting a demo.
READ THE STORY: Security Boulevard
Ransomware caused American Dental Association outage, led to stolen data
FROM THE MEDIA: The American Dental Association recently began notifying state regulators that the “cybersecurity incident” it reported in April was actually a ransomware attack, which led to the theft of member data. On April 23, ADA first reported to its members that a cybersecurity incident was causing technical issues and other disruptions for some of its clients, including the Texas and New York Dental Associations. In response, ADA shut down and isolated all of its systems, which affected the member-only access to the ADA and Texas Dental Association websites.
READ THE STORY: SCMAG
Cybercrime is on the rise, and water treatment plants are particularly vulnerable
FROM THE MEDIA: With most town water treatment plants serving less than 50,000 people, they’re facing a problem: budgetary constraints preventing administrators from investing in their digital defenses, making them prime targets for cybercriminals. “It’s definitely becoming a trend—possibly because ransomware has become a thing now where people can make money. Water plants do matter to the general public,” said Loney Crist, vice president of cyber security software development at, a New Jersey-based cybersecurity firm. “When you get a ransomware attack, it can be tens of thousands of dollars or hundreds of thousands of dollars.”
READ THE STORY: American City and County
Atlassian Confluence Hardcoded Credentials Bug Actively Exploited
FROM THE MEDIA: An Atlassian critical Confluence hardcoded credentials vulnerability that was fixed last week is now under active exploitation. The flaw (CVE-2022-26138) can be exploited by a remote, unauthenticated attacker that knows the hardcoded password for a specific account on the Questions for Confluence app in order to gain access to all non-restricted pages in Confluence. Atlassian fixed the flaw on July 20, but the company a day later warned that an external party had publicly disclosed the hardcoded password on Twitter, and the flaw was likely to be exploited.
READ THE STORY: DUO
Telegram and Discord Bots Delivering Infostealing Malware
FROM THE MEDIA: A new report from security vendor Intel471 reveals how cybercriminals are using bots already deployed in messaging apps Discord and Telegram to deliver malware and steal user credentials. In addition, these actors are targeting Roblox and Minecraft gaming platforms in similar attacks. Researchers pointed out that Discord’s content delivery network (CDN) is actively used for hosting malware because the platform doesn’t impose restrictions on file hosting.
READ THE STORY: HackRead
T-Mobile’s data breach set to cost them $500m
FROM THE MEDIA: Back in August 2021, T-Mobile suffered an enormous data breach that saw customers’ personal data stolen by malicious actors. At the time, the operator said that it believed data from around 53 million former, current, and prospective customers had been compromised; since then, following further investigation, T-Mobile has announced that in fact 76.6 million customers were affected by the breach. While the breach did not jeopardize customers’ financial information, T-Mobile warned that various personal details could have been accessed by cybercriminals, such as names, addresses, birth dates, Social Security numbers, and drivers’ licenses.
READ THE STORY: Total Tele
Malicious npm packages steal Discord users’ payment card info
FROM THE MEDIA: Multiple npm packages are being used in an ongoing malicious campaign to infect Discord users with malware that steals their payment card information. The malware used in these attacks is a variant of the open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer, according to Kaspersky security researchers Igor Kuznetsov and Leonid Bezvershenko. "On July 26, using the internal automated system for monitoring open-source repositories, we identified four suspicious packages in the Node Package Manager (npm) repository," the researchers said.
READ THE STORY: BleepingComputer
Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics
FROM THE MEDIA: Cybersecurity researchers at Proofpoint have today released new research showing threat actors adopting new tactics in response to Microsoft’s announcements that it would block macros by default in Microsoft Office applications. Threat actors have responded to Microsoft’s move by increasing their use of container files such as ISO, RAR and Windows Shortcut (LNK) files to distribute malware, in one of the largest email threat landscape shifts in recent history.
READ THE STORY: Information Security Buzz
Novel Malware Hijacks Facebook Business Accounts
FROM THE MEDIA: A recently discovered malware dubbed Ducktail has been linked to Vietnamese threat actors. Researchers from WithSecure released a report on Tuesday detailing the campaign, in which the attackers use LinkedIn to steal data and admin privileges. The campaign appears to be motivated by financial gain and has been active since late 2021. The malware uses browser cookies from authenticated user sessions to take over accounts, according to the report. The threat actors behind the campaign have been active since 2018, says WithSecure.
READ THE STORY: OODALOOP
State Department singles out Russian troll farm while offering $10 million for information on election interference
FROM THE MEDIA: The State Department on Thursday announced a reward of up to $10 million for knowledge on foreign attempts to interfere in US elections and sought information on the Internet Research Agency, a notorious Russian troll farm known for meddling in the 2016 presidential election. The department singled out the IRA, its leader Yevgeny Prigozhin -- who is a key ally of Russian President Vladimir Putin -- "and linked Russian entities and associates for their engagement in U.S. election interference."
READ THE STORY: Kake
Data breach with Cleveland Museum of Art e-mails
FROM THE MEDIA: Cleveland Museum of Art officials said their cybersecurity team is investigating a data breach for subscribers to their e-mails. The museum was notified of the ransomware attack on the external e-mail distribution provider WordFly on July 15. Cybersecurity team members followed protocols and have verified no additional data has been compromised, said museum officials. Officials added they are not aware of the data being misused and/or publicly distributed.
READ THE STORY: Cleveland 19
US doubles reward for information on North Korean cybercrime syndicates
FROM THE MEDIA: The US State Department has announced an additional $5 million reward for information on cyber threat actors having roots in North Korea. The new reward, which amounts to $10 million, also holds for information on Andariel, Bluenoroff, Kimsuky, and the notorious Lazarus Group implicated in the 2017 WannaCry ransomware attack. Although not much is known about the stealthy Lazarus syndicate, the United States Federal Bureau of Investigation cites the cyber group as a North Korean "state-sponsored hacking organization".
READ THE STORY: ITPRO
New study reveals opportunistic behaviour of cyber criminals
FROM THE MEDIA: According to a new report from Palo Alto Networks, the heavy use of software vulnerabilities matches the opportunistic behavior of threat actors who scour the internet for vulnerabilities and weak points on which to focus. The 2022 Unit 42 Incident Response Report offers a multitude of insights gleaned from the extensive incident response (IR) work of Unit 42 by Palo Alto Networks, leveraging a sampling of over 600 Unit 42 IR cases, to help CISOs and security teams understand the greatest security risks they face, and where to prioritize resources to reduce them.
READ THE STORY: Security Brief
Yet Another UEFI Bootkit Discovered: Meet CosmicStrand
FROM THE MEDIA: As far back as the spring of 2017, UEFI bootkits began to appear in the wild. The first such implant was named “Spy Shadow Trojan”, and was discovered by the Qihoo360 research group based out of China. Someone had purchased a laptop off of a marketplace and the device kept adding a backdoor spy admin account named “aaaabbbb” to the Windows OS: a rudimentary, but effective attack on that device’s supply chain lifecycle, one that is commonly abused.
READ THE STORY: Security Boulevard
Time for U.S. to end the ambiguity and guarantee Taiwan’s security
FROM THE MEDIA: Speaking at the Aspen Security Forum last week, CIA Director William Burns observed that Russia’s brutal war on Ukraine “probably affects less the question of whether the Chinese leadership might choose some years down the road to use force to control Taiwan, but how and when they would do it.” The chief of the CIA — the agency whose mission is to recruit spies, steal secrets and produce all source analysis on the wickedly challenging worldwide threats to our national security — was delivering a stark warning.
READ THE STORY: Washington Times
Russia Has 'Secret Development' to Take Down U.S. HIMARS: Military Expert
FROM THE MEDIA: Russia has come up with a "secret development" that purportedly allows it to hack into the HIMARS rocket-launching systems the U.S. has sent to Ukraine, according to a Russian military expert. Alexei Leonkov unveiled the cryptic initiative during an appearance on the Russian state-owned Rossiya-1 TV channel, Russian news site Pravda reported. He was a guest of Russian host Vladimir Solovyov, whom the U.S. State Department has designated as a Kremlin propagandist.
READ THE STORY: NewsWeek
Audius hacked for $1 million by a malicious proposal
FROM THE MEDIA: In crypto, proposals help communities to make decisions based on consensus. But sometimes, proposals can be malicious. According to Cointelegraph, the music platform Audius passed a malicious governance proposal, which resulted in the transfer of tokens worth $6.1 million. From this proposal, the hacker made $1 million. This proposal, requesting the transfer of 18 million tokens, was approved by community voting on Sunday.
READ THE STORY: We Rave You
Breach Exposes Users of Microleaves Proxy Service
FROM THE MEDIA: Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes. The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.
READ THE STORY: Krebs on Security
A Credible Source on Putin’s Trolls
FROM THE MEDIA: Finns like to say “Ei se pelaa, joka pelkää” (“No guts, no glory”) about people like Finnish journalist Jessikka Aro, who have the courage to act during the most trying of times. In spite of having faced repeated death threats and slander, Aro bravely exposes the truth about the Kremlin’s propaganda machine in her book, Putin’s Trolls. Putin’s Trolls delivers a comprehensive history of the Kremlin’s aggressive information warfare against Ukraine beginning in 2014, when Russian state media portrayed the Kiev government (and still does today), as “fascist” and full of Nazis.
READ THE STORY: The Cipher Brief
The Rise of Botnet and DDoS Attacks
FROM THE MEDIA: Distributed Denial of Service (DDoS) attacks have become an everyday or, some might argue, an hourly problem. Using a variety of techniques, a wide range of threat actors, from lone hackers, criminal gangs and hacktivists to nation-states, have used and continue to use DDoS attacks. These attacks are carried out to degrade or disable the performance and network communications of target systems.
READ THE STORY: TimesTech
Hacktivist group Anonymous is using six top techniques to ‘embarrass’ Russia
FROM THE MEDIA: Ongoing efforts by the underground hacktivists known as Anonymous are “embarrassing” Russia and its cybersecurity technology. That’s according to Jeremiah Fowler, co-founder of the cybersecurity company Security Discovery, who has been monitoring the hacker collective since it declared a “cyber war” on Russia for invading Ukraine.
READ THE STORY: CNBC
Experts warn of hacker claiming access to 50 U.S. companies through breached MSP
FROM THE MEDIA: Cybersecurity experts are raising concerns about an individual on a hacker forum claiming to have access to 50 American companies through an unnamed managed service provider (MSP). MSPs are paid to manage IT infrastructure and provide support, typically by smaller organizations lacking their own IT departments. In recent years they have been singled out by cybersecurity agencies as potentially vulnerable access points for hackers to exploit.
READ THE STORY: The Record
Items of interest
House group moves to label Russia as terrorist state
FROM THE MEDIA: Five House members will imminently introduce legislation to officially designate Russia as a state sponsor of terrorism, putting them and Congress on a collision course with the secretary of State, who argues only he can slap that label on a country. The bill — co-led by Reps. TED LIEU (D-Calif.), JOE WILSON (R-S.C.), JARED GOLDEN (D-Maine), ADAM KINZINGER (R-Ill.) and TOM MALINOWSKI (D-N.J.) — says that “the Russian Federation shall be deemed to have been determined to be a country the government of which has repeatedly provided support for acts of international terrorism.”
READ THE STORY: Politico
House Intelligence Committee Open Hearing on Commercial Cyber Surveillance (Video)
FROM THE MEDIA: On Wednesday, July 27, 2022, at 10:00 a.m. ET, the House Intelligence Committee will hold an open hearing on commercial cyber surveillance.
Jamtara: India's cyber crime capital (Video)
FROM THE MEDIA: India’s Jamtara is notorious for its ‘phishing’ scams. Authorities are making efforts to change its image through enforcement and education. ST’s India correspondent Debarshi Dasgupta reports. READ MORE: https://str.sg/wEBR
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com