Daily Drop (213)
Could Russian and Chinese Cybercriminals Team Up Against the West?
FROM THE MEDIA: Intelligence collected from the cybercriminal underground indicates that Chinese hackers are increasingly active within Russian threat actor spaces. While Russian cybercriminals undoubtedly have adequate hacking expertise, they stand to benefit from the innovation and creativity of Chinese threat actors. Could Chinese cybercriminals teach their Russian counterparts new approaches to hacking and increase the global cyber threat? There’s strength in numbers, as China-based hackers have learned. Working communally helps them slip past the “Chinese Firewall” (the Chinese government’s censorship filter) and avoid surveillance.
READ THE STORY: National Interest
European Missile Maker MBDA Denies Hackers Breached Systems
FROM THE MEDIA: A joint venture between aerospace and defense giants Airbus, BAE Systems and Leonardo, MBDA is a European group that designs and produces missiles and missile systems. The company provides its products to air, sea and land forces in Spain, Italy, France, the UK, the US, and Germany. In late July, a threat actor calling itself ‘Adrastea’ and describing itself as ‘a group of independent specialists and researchers in the field of cybersecurity’ claimed on several cybercrime forums that it had exploited critical vulnerabilities in MBDA systems and gained access to the company’s files.
READ THE STORY: Security Week
LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload
FROM THE MEDIA: A SentinelOne investigation revealed that threat actors (TA) have been abusing the Windows Defender command line tool to decrypt and load Cobalt Strike payloads. The cybersecurity experts detailed their findings in an advisory last week, in which they said the TA managed to carry out the attacks after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server. The attackers reportedly modified the Blast Secure Gateway component of the application by installing a web shell using PowerShell code. “Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools,” the SentinelOne team wrote.
READ THE STORY: InfoSec Mag
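The technique summarized above is DLL sideloading through a trusted, signed binary. One way a defender can catch it is to watch image-load telemetry for the Defender command line tool running from, or loading a DLL from, a directory Defender does not ship in. The script below is an added example, not code from SentinelOne or from the advisory; it assumes the tool is MpCmdRun.exe and that Defender's default install directories are the only trusted locations, and it runs over constructed, Sysmon-style log lines rather than real host telemetry.

```python
"""Flag image-load events where the Windows Defender CLI loads a DLL from an untrusted path.

Added example for this digest, not SentinelOne's tooling. Assumptions: the Defender
command line tool is MpCmdRun.exe and its legitimate homes are the default install
directories listed below. The log records are constructed for the example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: default directories Defender binaries live in (lower-cased for comparison).
TRUSTED_DEFENDER_ROOTS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
DEFENDER_CLI = "mpcmdrun.exe"


@dataclass(frozen=True)
class ImageLoad:
    host: str
    process_image: str  # full path of the process performing the load
    image_loaded: str   # full path of the DLL that was loaded


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' image-load record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Host"], fields["Image"], fields["ImageLoaded"])


def _norm(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS running this script.
    return ntpath.normpath(path).lower()


def is_trusted_path(path: str) -> bool:
    """True when the file sits below one of the trusted Defender roots."""
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in TRUSTED_DEFENDER_ROOTS)


def is_suspicious(ev: ImageLoad) -> bool:
    """MpCmdRun.exe running from, or loading a DLL from, a directory outside the trusted roots."""
    if ntpath.basename(ev.process_image).lower() != DEFENDER_CLI:
        return False  # not the Defender CLI; out of scope for this rule
    return not (is_trusted_path(ev.process_image) and is_trusted_path(ev.image_loaded))


def find_sideloads(lines) -> list[ImageLoad]:
    """Return every record that matches the sideloading rule."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]


# Constructed sample telemetry (version directory and hostnames are made up).
SAMPLE_LOG = [
    r"Host=ws01|Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Program Files\Windows Defender\mpclient.dll",
    r"Host=ws01|Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\MpCmdRun.exe|ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5-0\mpclient.dll",
    r"Host=ws02|Image=C:\Users\Public\MpCmdRun.exe|ImageLoaded=C:\Users\Public\mpclient.dll",
    r"Host=ws02|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll",
    r"Host=ws03|Image=C:\Program Files\Windows Defender\MpCmdRun.exe|ImageLoaded=C:\Temp\mpclient.dll",
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_LOG):
        print(f"[{ev.host}] {ev.process_image} loaded {ev.image_loaded}")
```

The rule deliberately keys on the binary's location rather than on a DLL name, because a copied, signed executable is the reusable part of the technique; a real deployment would feed it Sysmon event ID 7 (ImageLoad) records and tune the trusted roots to the platform versions actually installed.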
Semiconductor manufacturer Semikron hit by LV ransomware attack
FROM THE MEDIA: German power electronics manufacturer Semikron has disclosed that it was hit by a ransomware attack that partially encrypted the company's network. Semikron has over 3,000 employees in 24 offices and 8 production sites worldwide across Germany, Brazil, China, France, India, Italy, Slovakia, and the USA, with a turnover of around $461 million in 2020. It also says it's one of the world's leading power engineering component manufacturers, with 35% of the wind turbines installed each year operating with its technologies.
READ THE STORY: Bleeping Computer
China’s Security Assessment for Cross Border Data Transfers
FROM THE MEDIA: The Cyberspace Administration of China (CAC) promulgated Measures on Security Assessment for Data Exports (the Measures), which take effect on 1 September 2022. The Measures set out detailed provisions regarding the “security assessment” required under China’s Personal Information Protection Law (PIPL), Cybersecurity Law and Data Security Law. Among others, international players with a larger client/user base in China are likely to be subject to the “security assessment” requirement and will need to take prompt compliance actions, given the relatively short grace period.
READ THE STORY: CyberScoop
How cyber criminals embrace messaging apps to spread malware, communicate
FROM THE MEDIA: Cybercriminals are turning to messaging apps like Telegram and Discord as alternatives to popular underground forums: not only for the private communications and security features but also as avenues for spreading malware. Researchers at infosec vendor Intel 471 have been tracking the movement of more than a dozen threat groups that are using the platforms primarily to host and distribute information-stealing malware and to more easily communicate with others in the cybercrime community.
READ THE STORY: The Register
DrayTek patches SOHO router bug that left thousands exposed
FROM THE MEDIA: Fraudsters are targeting verified Twitter accounts — the ones that come with a blue badge — sending fake but well-written messages threatening to suspend the account or deactivate the verification badge in an attempt to steal verified users’ credentials. Twitter verifies accounts if they are considered notable influencers, celebrities, politicians, sportspersons, journalists, activists, government, and private organizations.
READ THE STORY: Computer Weekly
AT&T’s 3G shutdown catches blame for a major election headache in Michigan
FROM THE MEDIA: Some Michigan counties can’t immediately report Tuesday night’s election results due to a confusing mix of federal vote reporting guidance and AT&T’s decision to retire its 3G networks this past February. In a website alert, the Wayne County clerk’s office confirmed that 65 of Michigan’s 83 total counties “are no longer modeming unofficial election results.” Wayne County is where Detroit is located, and it’s the state’s biggest county by population, with about 1.8 million residents. It’s unclear how many of those counties are affected because officials did not upgrade their own modems, and how many because U.S. Election Assistance Commission (EAC) guidelines advise against using modems.
READ THE STORY: The Verge
Major building firm rocked to the foundations by cyberattack
FROM THE MEDIA: The Knauf Group has been the target of a cyberattack that has disrupted its business operations, forcing its global IT team to shut down all IT systems to isolate the incident. Knauf Gips KG is a multinational, family-owned company based in Iphofen, Germany. The incident took place towards the end of July 2022 and the full impact has recently come to light. In a statement, the company writes: “We are currently working heavily to mitigate the impact to our customers and partners – as well as to plan a safe recovery. However, we apologize for any inconvenience or delays in our delivery processes that may occur.”
READ THE STORY: Digital Journal
Spinneys dismisses claims that ransomware group is leaking its data
FROM THE MEDIA: “Spinneys is aware of unverified emails being sent out from unidentifiable email addresses stating that a ransomware group may have leaked data hacked from our internal server on July 16,” Tom Harvey, general manager of Spinneys Dubai, told The National. “We continue to work closely with the e-crime department at Dubai Police to investigate the matter and keep our customers up to date.” As more businesses adopt hybrid work models and undertake a rapid digital transformation to cope with coronavirus challenges, they are also more exposed to cyber threats.
READ THE STORY: The National News
Ransomware in PyPI: Sonatype Spots ‘Requests’ Typosquats
FROM THE MEDIA: This means any developer who intends to install or include the ‘requests’ library in their package but inadvertently mistypes its spelling could instead end up with one of these malicious packages and get infected with ransomware. These packages were analyzed by my colleague and Senior Security Researcher, Ankita Lamba. Particularly, all versions of the ‘requesys’ package contain scripts that traverse a Windows user’s folders, such as “Documents,” “Downloads,” “Pictures,” and begin encrypting files.
READ THE STORY: Security Boulevard
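The risk described above is a one-character slip at install time. A cheap control is to compare every requested package name against a list of popular names before installation and flag near-misses. The script below is an added example, not Sonatype's tooling: it uses Damerau-Levenshtein (optimal string alignment) distance, which counts an adjacent transposition as a single edit, against a small constructed allowlist of popular packages, and it applies PEP 503 name normalization so that case and separator differences do not hide a match. The package names other than ‘requesys’ are constructed for the example.

```python
"""Flag requested PyPI package names that are a few edits away from a popular package.

Added example, not Sonatype's or PyPI's own code. The allowlist below is a constructed
stand-in for a real list of popular packages.
"""
import re

POPULAR_PACKAGES = ("requests", "urllib3", "numpy", "pandas", "cryptography")  # constructed


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[rows - 1][cols - 1]


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_' and '.' to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(requested: str, popular=POPULAR_PACKAGES, max_distance: int = 2):
    """Popular names within max_distance edits of `requested`, excluding an exact match."""
    req = normalize(requested)
    hits = []
    for pkg in popular:
        target = normalize(pkg)
        if req == target:
            return []  # the request is the popular package itself; nothing to flag
        dist = damerau_levenshtein(req, target)
        if dist <= max_distance:
            hits.append((pkg, dist))
    return sorted(hits, key=lambda h: h[1])


def check_requirements(lines):
    """Scan requirement lines ('name==1.2.3', 'name>=1') and map suspect names to their near-misses."""
    findings = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[=<>!~;\[ ]", line, 1)[0]  # strip version specifiers and extras
        hits = typosquat_candidates(name)
        if hits:
            findings[name] = hits
    return findings


# Constructed requirements file; 'requesys' is the package named in the story.
SAMPLE_REQUIREMENTS = [
    "requesys==2.28.1",
    "requests>=2.0",
    "flask==2.2.0  # web framework",
    "# comment only",
    "numpyy",
]

if __name__ == "__main__":
    for name, hits in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: looks like {', '.join(f'{p} (distance {d})' for p, d in hits)}")
```

A distance threshold of 2 catches the single-substitution and transposition cases seen in typosquatting while keeping short, unrelated names apart; for a real pipeline the allowlist would be the top packages by download count and a hit would block the install pending review rather than just print.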
A Look Inside the LockBit Ransomware Gang
FROM THE MEDIA: Ransomware continues to be one of the biggest and most damaging types of cyberattacks today, as gangs are always evaluating and updating their tactics to circumvent defenses. These types of attacks can be especially alarming when they target government agencies. Recently, the infamous LockBit ransomware gang launched an attack on the Italian tax agency (Agenzia delle Entrate), where it claims to have stolen 75GB of data – including company documents, financial reports, contracts, etc. The group plans to release screenshots of the files soon unless it receives an undisclosed amount from the agency.
READ THE STORY: Security Boulevard
Security flaw might affect millions of Twitter accounts
FROM THE MEDIA: Attackers can gain full control of Twitter accounts and exploit them for a variety of fraudulent purposes, because the API keys of thousands of Twitter apps have been discovered to be leaked. CloudSEK, a cybersecurity company, found that a total of 3,207 mobile apps were leaking valid Consumer Keys and Consumer Secrets for the Twitter API. Many mobile apps can connect to Twitter, which lets those apps carry out certain tasks on the user’s behalf. The integration is done with the help of Consumer Keys and Secrets and the Twitter API.
READ THE STORY: BolNew
Threat Actors Merging Malicious Activity With Cryptocurrency Show How the Attack Landscape is Developing in Decentralized Finance
FROM THE MEDIA: Widespread implementation of decentralized finance (DeFi) systems since 2020 has created new fertile ground for a variety of threat actors to shift the development of cyberattack tactics, techniques, and procedures (TTPs). The number of threat actors participating in DeFi activity has grown substantially over the past two years. Current threat actor activity is incentivized by a broad attack surface represented through high volumes of users and systems, and high potential profits represented through the variety of cryptocurrency offerings.
READ THE STORY: OODA LOOP
Large-Scale AiTM Attack targeting enterprise users of Microsoft email services
FROM THE MEDIA: ThreatLabz has discovered a new, large-scale phishing campaign that uses adversary-in-the-middle (AiTM) techniques along with several evasion tactics. Similar AiTM phishing techniques were used in another phishing campaign recently described by Microsoft.
READ THE STORY: SecurityAffairs
VirusTotal Reveals Most Impersonated Software in Malware Attacks
FROM THE MEDIA: Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack. Other legitimate apps whose icons are most often impersonated include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed.
READ THE STORY: THN
Solana Ecosystem Becomes Latest Target for Crypto Exploit as 8000 Wallets Affected
FROM THE MEDIA: The Solana ecosystem has become the latest target for crypto exploit as users claim funds have disappeared from their wallets without their knowledge. This came to notice after several tweets from victims raised an alarm. One member of the Solana community identified as @gostak_gm shared his experience: “I was getting my sunglasses refit when I got a push notification from my mobile wallet that I had sent all the SOL from my wallet.” According to him, the SOL was in his main hot wallet, so he had it connected to different mobile and web extension wallet providers as well as dapps.
READ THE STORY: Coin Speaker
Cisco fixes critical remote code execution bug in VPN routers
FROM THE MEDIA: Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices. The two security flaws tracked as CVE-2022-20842 and CVE-2022-20827 were found in the web-based management interfaces and the web filter database update feature, and are both caused by insufficient input validation.
READ THE STORY: Bleeping Computer
Nozomi Networks Labs Report: Wipers and IoT Botnets Dominate the Threat Landscape – Manufacturing and Energy at Highest Risk
FROM THE MEDIA: The latest OT/IoT security report from Nozomi Networks Labs finds wiper malware, IoT botnet activity, and the Russia/Ukraine war impacted the threat landscape in the first half of 2022. Since Russia began its invasion of Ukraine in February 2022, Nozomi Networks Labs researchers saw activity from several types of threat actors, including hacktivists, nation-state APTs, and cyber criminals. They also observed the robust usage of wiper malware, and witnessed the emergence of an Industroyer variant, dubbed Industroyer2, developed to misuse the IEC-104 protocol, which is commonly used in industrial environments.
READ THE STORY: Yahoo
The intellectual mistakes that crippled U.S. cyber policy
FROM THE MEDIA: The U.S. military enjoys dominance in all the other domains — land, sea, air and space. But it has fumbled badly with cyber. Today, cyberspace remains the domain where adversaries, criminal groups and terrorists operate largely freely. Indeed, if it were not for the internet, al-Qaida and the Islamic State would likely not exist today. Moving its radicalization efforts online saved al-Qaida. Cyberspace provides China and Russia the means to oppress and control citizens domestically, conduct information and influence operations inside the U.S., steal billions in intellectual property, threaten U.S. critical infrastructure, violate U.S. sovereignty daily and manipulate and extort the U.S. private sector.
READ THE STORY: CyberScoop
Adversary Quest 2022 Walkthrough, Part 1: Four CATAPULT SPIDER Challenges
FROM THE MEDIA: In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information security challenges in three different tracks: eCrime, Hacktivism and Targeted Intrusion. In each track, four consecutive challenges awaited the players, requiring different skills including reverse engineering, vulnerability analysis and exploitation, and cryptanalysis.
READ THE STORY: CrowdStrike
Items of interest
Researchers spotted a Chinese threat actor using a new offensive framework called Manjusaka, which is similar to Cobalt Strike.
FROM THE MEDIA: The attack framework is advertised as an imitation of the Cobalt Strike framework; the experts reported that the implants for the new malware family are written in the Rust language for Windows and Linux.
The experts uncovered a campaign using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. The weaponized documents were crafted to start the infection process and led to the installation of Cobalt Strike beacons on infected systems.
“A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors,” reads the analysis published by Cisco Talos. “We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.”
READ THE STORY: Security Affairs
Hack Wifi from $1.80 (Video)
FROM THE MEDIA: Which adapters are the best for WiFi hacking? Kody of Null Byte and Hak5 fame gives us his advice on what to buy. You can purchase a monster antenna like the Tube U, or something smaller like the AWUS036NHA or WEMOS D1 Mini or WiFi Nugget. There are lots of options at different price points.
What You Don’t Know About The Solana Hack (Video)
FROM THE MEDIA: Solana has experienced a brutal hack on several of its most popular applications, draining millions of dollars in users' funds and Altcoins. In today's Crypto Banter, Cryptoman Ran points out what you currently don’t know about the hack. We will also cover WHY Michael Saylor steps down as MicroStrategy CEO and what that means for Bitcoin and its price.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at firstname.lastname@example.org