Wednesday, Aug 10, 2022 // (IG): BB // Sponsor: Zanes Hand Made
Klaviyo Hacked By Threat Actor Seeking Crypto Accounts
FROM THE MEDIA: Customer platform Klaviyo has been hacked by threat actors seeking crypto-related accounts, the firm said in a blog post on Monday. It is the second hack announced by service vendors within the same day. Twilio reported on Monday that it had been hacked last week. Klaviyo discovered the hack on August 3, and determined that an employee’s login credentials had been compromised. The hacker gained access to the worker’s account and some of the company’s internal support tools.
READ THE STORY: MediaPost
Phishers who breached Twilio and fooled Cloudflare could easily get you, too
FROM THE MEDIA: At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well. In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to reach data in an undisclosed number of customer accounts.
READ THE STORY: ArsTechnica
Lumen stops 1.06 Tbps DDoS attack
FROM THE MEDIA: In its quarterly report on Distributed Denial of Service (DDoS) attacks, Lumen Technologies (NYSE: LUMN) revealed the company mitigated one of its largest ever – a 1.06 terabits per second (Tbps) attack that was part of a larger campaign targeting a single victim. Despite the size and complexity of the attempted attack, the target experienced no downtime. Size was not the only notable element of the failed attack; it was also part of a larger campaign in which the threat actor attempted to leverage multiple techniques. These techniques are called out in the report as emerging trends in the second quarter.
READ THE STORY: LightReading
Nation-State Hackers Targeted Facebook in Cyber Espionage Attacks – Meta
FROM THE MEDIA: The first group is identified as Bitter APT aka T-APT-17. This group has been active since 2013 and was disrupted in the 2nd quarter of 2022. It targeted organizations in the engineering, energy, and government sectors. The other group is APT36, which is known for delivering Crimson RAT. This group targeted people in India, Pakistan, Afghanistan, UAE, and Saudi Arabia. Their primary victims included government and military officials, human rights employees, and people associated with non-profit organizations. As per Meta’s investigation, the activities of APT36, which is also known as Earth Karkaddan, were connected to Pakistan-based state-linked actors.
READ THE STORY: HackRead
Cyberespionage targets industrial entities
FROM THE MEDIA: Kaspersky in January observed a targeted cyberespionage campaign against "industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan." The attackers were able to compromise dozens of the targeted entities with spearphishing emails that would install commodity malware: "The attackers penetrated the enterprise network using carefully crafted phishing emails, some of which use information that is specific to the organization under attack and is not publicly available."
READ THE STORY: The Cyber Wire
NHS 111 System Experiencing Disruption Due to Cyber Attack, System Outage May Impact Services for Several Days
FROM THE MEDIA: A cyber attack has caused what was described as a “major” system outage at the NHS 111 non-emergency medical help line, with hosting firm Advanced saying that there may be disruptions to patient scheduling services for at least several days. Advanced said that the cyber attack impacted a “small number of servers” but nevertheless caused issues with the patient scheduling system used by the phone service, and that the issue may not be fully resolved until next week.
READ THE STORY: CPOMAG
India: Spying on Opposition, Dissidents, Scribes Becomes More Dangerous
FROM THE MEDIA: Snooping on opposition politicians, journalists, political dissidents or even business rivals seems to have become the norm. It is also becoming easier with new methods, technology and people available to carry out such tasks without much difficulty. In 2021, it was the Pegasus Project. Now, cybersecurity groups have identified several cyber criminal outfits and individuals, including those acting like mercenaries, who can be engaged and used by any power—either governments, their agencies or even the big business—against their ‘enemies’.
READ THE STORY: SabrangIndia
Former Twitter Employee Charged in SF Court for Espionage, Aiding Saudi Arabia and Other Charges
FROM THE MEDIA: A former Twitter employee now faces charges of espionage, with one individual aiding and abetting Saudi Arabia in gathering critical and personal information, for which he received gifts. The employees are namely Ahmad Abouammo, Ali Alzabarah, and Ahmed Almutairi, with Abouammo now facing a 10 to 20-year sentence from a San Francisco federal court. Bloomberg reported that a former employee, Ahmad Abouammo, is now facing a grave federal court decision on a sentence against him regarding espionage, later charged with falsifying records, wire fraud, and money laundering.
READ THE STORY: TechTimes
Dragos: 125 ransomware attacks on industrial systems in Q2 after Conti shutdown
FROM THE MEDIA: Ransomware attacks on industrial systems continued unabated in the second quarter of the year according to data collected by security company Dragos, which counted 125 incidents during that time. In a report on Tuesday, Dragos researchers said that while there was a minor decline in ransomware attacks on industrial systems in the quarter due to the Conti ransomware group closing shop, several attacks had devastating effects. The LockBit ransomware group encrypted over 1,200 servers during a May attack on a Foxconn factory in Mexico, causing the factory to shut down for several weeks, according to Dragos.
READ THE STORY: The Record
Blueprint builds a ‘common language’ for ransomware protection
FROM THE MEDIA: A new blueprint aims to give those small and medium sized enterprises most vulnerable to ransomware attacks a “common language” to help leaders understand what they must do to prevent them. Developed by the Ransomware Task Force, the Blueprint for Ransomware Defense includes more than 40 recommendations to help small and medium-sized businesses — and state and local governments — protect themselves from ransomware attacks, as they are more frequent targets.
READ THE STORY: GCN
Identity Management Firm Entrust Suffers a Security Breach, Ransomware Gang Obtains Files
FROM THE MEDIA: Online trust and identity management giant Entrust confirmed a security breach by a suspected ransomware gang that accessed data from the company’s internal network. The Minneapolis, Minnesota-based company discovered the intrusion on June 18 and began notifying potential victims on July 6. However, the incident only grabbed the security news headlines when cybersecurity researcher Dominic Alvieri tweeted a screenshot of the security notice sent to Entrust customers.
READ THE STORY: CPOMAG
Ransomware gangs move away from exploiting Microsoft Office macros
FROM THE MEDIA: The Department of Homeland Security recently published a joint advisory along with the Federal Bureau of Investigation (FBI) and the Department of Treasury on a suspected North Korean state-sponsored ransomware campaign implementing the Maui malware. The campaign has been targeting healthcare-related organizations for the purposes of coercing compromised victims into paying ransoms. These operations have successfully disrupted some important healthcare functionality such as access to health records and imaging services.
READ THE STORY: VentureBeat
Canada: Quebec farmers union under ransomware cyberattack
FROM THE MEDIA: The Union des producteurs agricoles, Quebec’s farming association, has been the target of a ransomware cyberattack since Sunday affecting all its computer systems. In an interview, UPA general manager Charles-Félix Ross called it a “major cyberattack.” “It’s the usual modus operandi,” he said. The hackers “managed to break in, get into our computer system and paralyze the network. They are demanding a ransom in exchange for a decryption key.” About 160 UPA employees can’t connect to the network, whether from the Longueuil offices or remotely, and 23 UPA client organizations are also affected, like the union of grain producers.
READ THE STORY: Montreal Gazette
Microsoft fixes exploited zero-day in Windows Support Diagnostic Tool (CVE-2022-34713)
FROM THE MEDIA: The August 2022 Patch Tuesday has arrived, with fixes for an unexpectedly high number of vulnerabilities in various Microsoft products, including two zero-days: one actively exploited (CVE-2022-34713) and one not yet (CVE-2022-30134). CVE-2022-34713 is a vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) that allows for remote code execution. For an attacker to exploit it, they must trick targets into opening a specially crafted file (delivered via email or downloaded from a website).
READ THE STORY: HelpNetSecurity
Iran cheerfully admits using cryptocurrency to pay for imports
FROM THE MEDIA: Iran has announced it used cryptocurrency to pay for imports, raising the prospect that the nation is using digital assets to evade sanctions. Trade minister Alireza Peyman Pak revealed the transaction with the tweet below, which translates as "This week, the first official import order was successfully placed with cryptocurrency worth ten million dollars. By the end of September, the use of cryptocurrencies and smart contracts will be widespread in foreign trade with target countries."
READ THE STORY: The Register
VMware warns of public exploit for critical auth bypass vulnerability
FROM THE MEDIA: Proof-of-concept exploit code is now publicly available online for a critical authentication bypass security flaw in multiple VMware products that enables attackers to gain admin privileges. A week ago, VMware released updates to address the vulnerability (CVE-2022-31656) affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Multiple other flaws were patched the same day, including a high severity SQL injection flaw (CVE-2022-31659) that allows remote attackers to gain remote code execution.
READ THE STORY: Bleeping Computer
The Log4j Exploit and Botnets
FROM THE MEDIA: Of all the security issues that have appeared over the last few years, none has had the impact of the Log4j exploit. Also called the Log4Shell, it was reported to the developers, the Apache Software Foundation, on 24 November, 2021, by the Chinese tech giant Alibaba and it took two weeks to develop and release a fix. The existence of the Log4j exploit was first publicly published in a tweet by Chen Zhaojun, a cyber security researcher with the Alibaba Cloud Security team on December 9, 2021 and formally announced by the U.S. Institute of Standards (NIST) under identifier CVE-2021-44832 on December 10, 2021 with a follow-up reanalysis, CVE-2021-45046, published on December 14, 2021.
READ THE STORY: Security Boulevard
What to watch for as 'Hacker Summer Camp' gets underway in Las Vegas
FROM THE MEDIA: A trio of cybersecurity conferences — BSidesLV, Black Hat USA and DEF CON — kicks off this week in Las Vegas in what’s collectively known as Hacker Summer Camp, bringing together policymakers, executives, experts, hackers and enthusiasts against a backdrop of some of the most unsettled international events of recent years. Thousands of cybersecurity professionals will gather on the Vegas Strip nearly six months into Russia’s war in Ukraine, two-and-a-half years into the COVID-19 pandemic and less than two weeks after U.S. House Speaker Nancy Pelosi’s historic visit to Taiwan triggered a wave of cyberattacks.
READ THE STORY: CyberScoop
Collective of anti-disinformation 'Elves' offer a bulwark against Russian propaganda
FROM THE MEDIA: Weeks after Russia launched its war in Ukraine in February, stories began circulating via Facebook and YouTube that President Vladimir Putin invaded only to destroy a secret U.S. and NATO-run lab making a deadly virus. The messages portrayed Putin as the anti-Western hero saving Eastern Europe from an American ploy: “Washington’s unprecedented rage. Destroyed laboratories in Ukraine where the United States was developing advanced biological weapons against Russia. Reasons for launching Russian ‘Special Operations.’ What to believe? They didn’t admit it in Wuhan either!”
READ THE STORY: CyberScoop
US warns against North Korea cyber capabilities
FROM THE MEDIA: U.S. officials warned that North Korea is increasingly using crypto heists to fund nuclear weapons programs. Meanwhile, Facebook’s parent company Meta is changing course with new product features and a focus on the metaverse as the tech giant vies to maintain its top spot in the industry amid increasing competition and regulatory scrutiny. North Korea is increasingly using its crypto heists to fund its nuclear weapons program, worried U.S. officials say.
READ THE STORY: The Hill
Suspected Russian cyber attack on British soil as firm subjected to ‘daily’ hacks
FROM THE MEDIA: GCHQ and the police have been alerted to a suspected Russian cyber attack on British soil. The National Cyber Security Centre (NCSC), which is part of GCHQ, and Scotland Yard have been assessing a series of attacks attempting to take down a cryptocurrency exchange based in London. The “distributed denial of service” attack on Currency.com saw millions of computers around the world coerced to bombard the company’s website with multiple requests, in an attempt to crash its systems.
READ THE STORY: The Telegraph
Australia: Supercomputer Setonix unveils highly detailed supernova remnant image
FROM THE MEDIA: Data used to create the image was collected in collaboration with CSIRO’s Askap radio telescope on Wajarri Yamatji Country in Western Australia. The data was then transferred to the Pawsey Supercomputing Research Centre in Perth via high-speed optical fiber. Within 24 hours, CSIRO’s Askap data processing team began integrating their pipeline into the new system. Setonix is named after quokka (Setonix brachyurus), Western Australia’s favorite animal. It is a part of the Pawsey Centre’s $70 million capital upgrade. The new supercomputer is being installed in two stages. The first stage is underway, and the second stage is expected to be completed later this year.
READ THE STORY: iTwire
Taiwan security officials want Foxconn to drop stake in Chinese chipmaker
FROM THE MEDIA: Taiwan's national security officials want to persuade Apple Inc's supplier Foxconn to unwind an $800 million investment in Chinese chipmaker Tsinghua Unigroup, the Financial Times reported on Wednesday. The deal will definitely not go through, the report said, citing a senior Taiwanese government official involved in national security issues. Taiwan, the world's largest contract electronics maker, has become increasingly cautious about China's ambition to boost its semiconductor sector. It has proposed new laws to prevent what it says is China stealing its chip technology, amid rising concerns in Taipei that Beijing is stepping up its economic espionage.
READ THE STORY: ET
Chinese solar panels seized at US border over possible human rights abuses
FROM THE MEDIA: The U.S. has begun cracking down on imported goods from China that may have been made with Uyghur forced labor. That includes solar panels, which have been detained at the border or shipped back to China in recent weeks. The Uyghur Forced Labor Prevention Act took effect in late June and requires companies to provide evidence that forced labor wasn't used to make imported goods. But despite months to prepare, the volume of documentation needed as proof has caught many in the solar industry flat-footed, according to reporting by The Wall Street Journal.
READ THE STORY: Protocol
ÆPIC Leak — Flaw in Intel CPUs that Leaks Sensitive Data
FROM THE MEDIA: A couple of researchers from Sapienza University of Rome and Graz University of Technology have discovered a new vulnerability dubbed "ÆPIC Leak", a bug able to architecturally disclose sensitive data from Intel CPUs. According to the researchers, ÆPIC Leak (CVE-2022-21233) is the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel. ÆPIC Leak works on all recent Sunny-Cove-based Intel CPUs (i.e., Ice Lake and Alder Lake). It architecturally leaks stale data incorrectly returned by reading undefined APIC-register ranges. ÆPIC Leak samples data transferred between the L2 and last-level cache, including SGX enclave data, from the super queue.
READ THE STORY: Cyber Kendra
How Stolen Credentials and Ransomware are a Simultaneous Threat
FROM THE MEDIA: Over the past decade, the cyber landscape has evolved rapidly. But as Mike Wilson points out for Forbes, with every positive change or technological advancement comes several layers of cyber threat, as criminals continue to seek out weaknesses wherever they can. Each year the Verizon DBIR provides an overall update on current threat trends and provides insight into who or what is being attacked, why they were targeted, and how the attack was launched. The 2022 report revealed that system intrusion attacks are the leading reason for data breaches—these types of attacks include everything from malware to shell access to a device, but the main culprit is ransomware.
READ THE STORY: Security Boulevard
Windows 11 To Block Brute Force Ransomware Attacks by Default
FROM THE MEDIA: Microsoft recently rolled out a new security policy for Windows 11 that aims to curb the growing ransomware threat by blocking some brute-force attacks. Current Windows 11 testing builds (Insider Preview 22528.1000 and newer) will now block ransomware-connected attacks as they happen by default. The announcement was made in a tweet by David Weston, Vice President, OS Security and Enterprise at Microsoft.
READ THE STORY: Redmond MAG
Recorded Future Launches National Cyber Defense Intelligence Kit
FROM THE MEDIA: Recorded Future, the world's largest intelligence company, today announced the launch of the National Cyber Defense Intelligence Kit for national cyber security organizations and governments to protect their critical infrastructure and mission-critical areas. Fueled with over a decade of human and machine intelligence combined with the most comprehensive dataset in the private industry, Recorded Future has the unique visibility on common national priorities that countries need to secure their infrastructure, assets, and data. "Alliances are one of democracy's strongest weapons. They are a thing that autocrats don't have."
READ THE STORY: PR NEWS WIRE
Ukraine at D+166: Cyberespionage campaign is interested in both sides
FROM THE MEDIA: From the UK's Ministry of Defence this morning: "Over the weekend, Russia has continued to focus efforts on reinforcing defences in southern Ukraine. Despite the shift in effort, Russia has maintained attacks on Ukrainian positions in Donetsk oblast. Over the last 30 days, Russia’s assault towards the town of Bakhmut has been its most successful axis in the Donbas; however, Russia has only managed to advance about 10km during this time. In other Donbas sectors where Russia was attempting to break through, its forces have not gained more than 3km during this 30 day period; almost certainly significantly less than planned. Despite its continued heavy use of artillery in these areas, Russia has not been able to generate capable combat infantry in sufficient numbers to secure more substantial advances."
READ THE STORY: The Cyber Wire
Items of interest
AiTM phishing attack targeting enterprise users of Gmail
FROM THE MEDIA: Beginning in mid-July 2022, ThreatLabz started observing instances of adversary-in-the-middle (AiTM) phishing attacks targeted towards enterprise users of Gmail. Upon further analysis of the attack chain, we identified multiple similarities between this campaign and the previous AiTM phishing campaign targeting users of Microsoft email services.
G Suite is the business version of Gmail, and is widely used in enterprises. This campaign specifically targeted chief executives and other senior members of various organizations which use G Suite.
As we have already covered the technical details of AiTM techniques in our previous blog, we won't describe them again here. However, it is important to note that AiTM phishing kits can be used to target various websites and bypass multi-factor authentication. By using phishlets crafted to target a specific legitimate website, attackers can quickly re-use the AiTM phishing technique against a new target website.
In this blog, we present the indicators of overlap between the two campaigns (Microsoft and Gmail), and discuss how we reached the conclusion that both these phishing campaigns were run by the same threat actor.
These campaigns used similar tactics, techniques and procedures (TTPs). There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure.
READ THE STORY: Security Boulevard
The Cybergang That Stole $1 Billion From ATMs (Darknet Diaries Ep. 35: Carbanak, video)
FROM THE MEDIA: Real hacking rarely looks like the movies, but in one case, a bank robber filled duffle bags with cash without touching the ATMs. It was possible thanks to the terrifying genius of the malware Carbanak.
The Most Sophisticated Malware Ever Made (That We Know Of) (Darknet Diaries Ep. 29: Stuxnet, video)
FROM THE MEDIA: The Stuxnet virus was made to infiltrate nuclear facilities in Iran ... until it broke free and spread around the world. Who created it, and why did it spin out of control?
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com