Thursday, Aug 11, 2022 // (IG): BB // Sponsor: Zanes Hand Made
CISA publishes cyber toolkit for election officials ahead of midterms
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency on Wednesday released a guide to digital threats facing state and local election officials and recommendations on how to mitigate them in the run-up to November. The “Cybersecurity Toolkit to Protect Elections” aims to help election administrators and their staffs protect themselves against threats including phishing, ransomware, email scams, denial-of-service attacks and other vectors that could potentially disrupt the voting process or confuse voters. The guide notes, for instance, that election officials “are often required to open email attachments, which could contain malicious payloads,” to run processes like absentee ballot applications.
READ THE STORY: StatesScoop
Maui ransomware linked to North Korean group Andariel
FROM THE MEDIA: The Maui ransomware that has been used against US healthcare operations has been linked to Andariel, a North Korean state-sponsored threat with links to the notorious Lazarus Group. Researchers at Kaspersky said this week they were able to trace the origins of Maui to April 2021, a month earlier than the strain had previously been reported. An examination of data logs also showed how the attack was staged in advance. About 10 hours before the April Maui attack, the criminals inserted a variant of the DTrack malware into the target. Kaspersky also noted the presence of the 3Proxy tool, used for accessing internal resources, for several months prior to the ransomware deployment on an unnamed Japanese housing company.
READ THE STORY: The Register
Automotive supplier breached by 3 ransomware gangs in 2 weeks
FROM THE MEDIA: An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours. The attacks followed an initial breach of the company's systems by a likely initial access broker (IAB) in December 2021, who exploited a firewall misconfiguration to breach the domain controller server using a Remote Desktop Protocol (RDP) connection. While dual ransomware attacks are increasingly common, "this is the first incident we've seen where three separate ransomware actors used the same point of entry to attack a single organization," Sophos X-Ops incident responders said in a report published Wednesday.
READ THE STORY: Bleeping Computer
Danish 7-Eleven stores back on grid after ransomware attack
FROM THE MEDIA: In an email to news wire Ritzau, 7-Eleven said that over 96 percent of its convenience stores across Denmark were now in “stable operation”. That corresponds to around 169 stores. “We have technicians at the remaining stores who are working hard to get them up and running as soon as possible,” the company said in the email. However, convenience stores at train stations (where you can buy a transport card) were only accepting Dankort (debit card) payments as of Wednesday evening. All operational stores outside of train stations currently accept MobilePay (app) and cash payments, and many can take Visa, Mastercard, and Dankort.
READ THE STORY: The Local // BleepingComputer
Cisco Hacked: Ransomware Gang Claims It Has 2.8GB Of Data
FROM THE MEDIA: Networking giant Cisco has confirmed a hack by a ransomware group that has just published a partial list of files it claims to have exfiltrated. On the same day that the Yanluowang ransomware group published a partial list of files it says were stolen from Cisco, the networking giant's Talos Intelligence Group confirmed that Cisco had, indeed, been hacked. The confirmation, which came by way of a Talos blog posting, stated that Cisco was first made aware of a potential compromise on May 24. The potential compromise became a confirmed network breach following further investigation by the Cisco Security Incident Response (CSIRT) team.
READ THE STORY: Forbes
Stats say Chinese researchers are not deterred by China’s vulnerability law
FROM THE MEDIA: Chinese researchers are significant contributors to vulnerability disclosure programs, both in volume and quality. When permitted by China’s government to compete in the vulnerability discovery competition Pwn2Own, for example, Chinese researchers dominated. But a recent change in Chinese laws put new burdens on researchers that could have disincentivized participation. A group from the Atlantic Council’s Cyber Statecraft Initiative sifted through the thanks-for-telling-us notes included with patches for five large vendors and found that, tentatively, there was no effect.
READ THE STORY: SCMAG
China Cambodia Cyber Slaves
FROM THE MEDIA: Once a financial securities analyst in China, Lu Xiangri never imagined he might be a victim of trafficking and enslavement by Chinese cyber-scam operations in Cambodia. Arriving in the Southeast Asian country in September 2020, the 32-year-old dreamed of starting his own business. To learn the ropes, he offered to help manage a friend’s restaurant in the capital, Phnom Penh. His friend was from the same village in China. Lu had watched him become wealthy, buying a big house and living well. He wanted the same for himself and his family - his parents, wife and two-year-old son.
READ THE STORY: Aljazeera
Industroyer2: How Ukraine avoided another blackout attack
FROM THE MEDIA: The Industroyer malware attack on Ukraine's energy grid in 2016 caused a significant blackout and marked a turning point for cyber attacks against critical infrastructure. But the Industroyer2 malware attack, which was more sophisticated than the original, failed to take down Ukraine's energy grid in March, thanks in part to the lessons learned from the 2016 attack. During a Black Hat 2022 session Wednesday, researchers from cybersecurity vendor ESET and Victor Zhora, deputy chairman of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), discussed the Industroyer2 malware and the response that left the attack unsuccessful.
READ THE STORY: TechTarget
China could be reviewing security bugs before tech companies issue patches, DHS official says
FROM THE MEDIA: The Chinese government appears to use its software vulnerability disclosure rules to preview dangerous zero-day flaws before tech companies can deploy fixes, a top Department of Homeland Security official said Wednesday. Beijing’s strict vulnerability reporting rules mean government officials could get “early access” to even the most serious vulnerabilities, DHS Under Secretary for Policy Robert Silvers said during the Black Hat cybersecurity conference in Las Vegas. If the Chinese government is analyzing zero-days, or previously unknown software flaws, before affected companies can deploy a fix, Beijing could gain the upper hand when carrying out cyberattacks against the U.S. or other digital adversaries.
READ THE STORY: CyberScoop
Cisco was hacked by the Yanluowang ransomware gang
FROM THE MEDIA: The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat actors compromised a Cisco employee’s credentials after they gained control of a personal Google account to which credentials saved in the victim’s browser were being synchronized. Once they had obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notification initiated by the attacker. Upon achieving an MFA push acceptance, the attacker had access to the VPN in the context of the targeted user.
READ THE STORY: Security Affairs
Keys to Countering Cyberattacks Against State and Local Agencies
FROM THE MEDIA: As cyberattacks on critical infrastructure continue to proliferate, state, local, tribal and territorial (SLTT) government agencies must plan for the future while also addressing existing infrastructure security challenges. That means everything from ensuring operational technology (OT) is readily upgradeable and interoperable to coordinating information sharing across the public and private sectors. Critical infrastructure has become a major target for cyberattackers. In fact, 93 percent of OT organizations experienced an intrusion in the past 12 months, according to a recent Fortinet survey. With a new wave of projects certain to result from Infrastructure Investment and Jobs Act (IIJA) funding, SLTT governments should be talking about security from the beginning.
READ THE STORY: StateTech
Tens of Thousands of GitHub Code Repositories Cloned With Malicious Code Added; Hacker Claims Campaign Was Elaborate Bug Bounty Effort
FROM THE MEDIA: An apparent long-term campaign to fork and clone GitHub code repositories and add malicious code to the new versions has been detected after it picked up speed over the past month, but the hacker behind it has piped up on Twitter to claim that it was an elaborate attempt to claim a GitHub bug bounty. Security researchers have found over 35,000 code repositories with malicious forks or clones leading back to a single source; most of the activity appears to be recent, but there are instances linked to this particular actor that date back as far as 2015.
READ THE STORY: CPOMAG
Hacker uses new RAT malware in Cuba Ransomware attacks
FROM THE MEDIA: A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool. The threat actor was named ‘Tropical Scorpius’ by researchers at Palo Alto Networks Unit 42 and is likely an affiliate of the Cuba ransomware operation. Cuba ransomware underwent a minor refresh in Q1 2022, using an updated encryptor with more nuanced options and adding quTox for live victim support.
READ THE STORY: Bleeping Computer
Conti extortion gangs behind surge of BazarCall phishing attacks
FROM THE MEDIA: At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim’s network. This allows the threat actors to deploy highly targeted attacks that are more difficult to detect and stop because of the social engineering component. The BazarCall/BazaCall method, also referred to as call-back phishing, emerged in early 2021 as an attack vector used by the Ryuk ransomware operation, which later rebranded into Conti. Threat actors using this technique target employees, whether from one company or an entire industry, and tailor the phishing campaigns accordingly for maximum efficiency.
READ THE STORY: Bleeping Computer
Microsoft Patches 'DogWalk' Zero-Day in August Patch Tuesday
FROM THE MEDIA: Microsoft's newest bundle of patches includes a fix for a zero-day vulnerability known as DogWalk that allows hackers to gain remote code execution in Windows. The operating system giant's newest Patch Tuesday dump includes patches for 141 flaws, of which 17 "critical" fixes stop the possibility of remote code execution or elevation of privileges. This month's batch of patches is the second-largest release this year and is almost triple the size of last year's August release. DogWalk, tracked as CVE-2022-34713, is a bug in the Microsoft Windows Support Diagnostic Tool (MSDT) that can be exploited for remote code execution. MSDT is a utility built into Windows designed to collect information to send to Microsoft.
READ THE STORY: GovInfoSec
DeathStalker's VileRAT Continues to Target Foreign and Crypto Exchanges
FROM THE MEDIA: The threat actor known as DeathStalker has continued to target and disrupt foreign and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware, according to security researchers from Kaspersky. The findings are detailed in an advisory published on August 10, 2022, which mentions a number of VileRAT-focused campaigns supposedly perpetrated by DeathStalker, starting in September 2020, through 2021 and more recently in June 2022. “DeathStalker has indeed continuously leveraged and updated its VileRAT toolchain against the same type of targets since we first identified it in June 2020,” reads the advisory.
READ THE STORY: InfoSec Mag
Rise of precision agriculture exposes food system to new threats
FROM THE MEDIA: Farmers are adopting precision agriculture, using data collected by GPS, satellite imagery, internet-connected sensors and other technologies to farm more efficiently. While these practices could help increase crop yields and reduce costs, the technology behind the practices is creating opportunities for extremists, terrorists and adversarial governments to attack farming machinery, with the aim of disrupting food production.
READ THE STORY: Biz Community
Researchers discover an architectural bug in Intel CPUs
FROM THE MEDIA: ÆPIC Leak is said to be the first CPU (central processing unit) bug to architecturally disclose sensitive data, meaning that sensitive data gets directly disclosed without relying on any (noisy) side channel. “It leverages a vulnerability in recent Intel CPUs to leak secrets from the processor itself: on most 10th, 11th and 12th generation Intel CPUs the APIC MMIO undefined range incorrectly returns stale data from the cache hierarchy,” the research paper reads. The research was conducted by researchers from the Sapienza University of Rome, Graz University of Technology, CISPA Helmholtz Center for Information Security, and Amazon Web Services. Pietro Borrello of Sapienza University and Andreas Kogler of Graz University of Technology presented the ÆPIC Leak at the Black Hat USA 2022 conference.
READ THE STORY: CyberNews
Hackers are still using these old security flaws in Microsoft Office. Make sure you've patched them
FROM THE MEDIA: Cyber criminals are exploiting security vulnerabilities in Microsoft Office which have been known about for years to infect PCs with malware in attacks which demonstrate the importance of applying cybersecurity updates. As detailed by cybersecurity researchers at Fortinet, cyber criminals are taking advantage of the unpatched security flaws to deliver SmokeLoader, a form of malware which is installed on Windows machines with the intention of using it to deliver additional malware, including Trickbot and various backdoors and trojan malware.
READ THE STORY: ZDNET
Black Basta: New ransomware threat aiming for the big league
FROM THE MEDIA: Many ransomware gangs have risen to the top over the years only to suddenly disband and be replaced by others. Security researchers believe many of these movements in the ransomware space are intentional rebranding efforts to throw off law enforcement when the heat gets too high. This is also the suspicion for Black Basta, a relatively new ransomware operation that saw immediate success in several months of operation. Some believe it has splintered off from the infamous Conti gang.
READ THE STORY: CSO Online
Hackers and fraudsters used crypto bridge RenBridge to launder $540 million, says report
FROM THE MEDIA: Hackers, fraudsters, and others laundered at least $540 million through the cryptocurrency bridge network RenBridge since 2020, according to blockchain analysis group Elliptic. Elliptic researchers published the report today, citing RenBridge as an example of the risks of decentralized cross-chain networks. RenBridge is pitched as a way to easily convert virtual currencies like ZCash and Bitcoin to the Ethereum network and then to other blockchains. But “as well as a legitimate tool, cross-chain bridges have also emerged as a key facilitator of money laundering,” letting users avoid regulations and move money easily across networks, the report says. That includes the proceeds of ransomware operations and theft from other chains.
READ THE STORY: The Verge
Not all criminal organizations are working for Russia
FROM THE MEDIA: Digital Shadows reports on a cybercriminal gang that's exhibiting some sympathy for the cause of Ukraine. DUMPS Forum was established in May of this year and, Digital Shadows says, it looks a lot like other criminal fora. "DUMPS Forum appears to be the same as every other run-of-the-mill Russian language cybercriminal forum. There’s a section for trading illicit material, carding, malware, and establishing accesses to targeted networks. At present this forum is open to members without any vetting or registration process; however, there is an ongoing request for an invite system that may become the main method of gaining access if the forum builds its notoriety."
READ THE STORY: The Cyber Wire
Ethical hacking: How to conduct a Sticky Keys hack
FROM THE MEDIA: How is a physical access attack conducted? You'd see one happen -- right? "An attacker could walk into an organization, plug a flash drive with an advanced strain of ransomware into a computer and then walk around pretending to be a phone repairman or someone working with pest control," said Bryson Payne, author of Go H*ck Yourself. Such attacks are not always as easy to detect as one might think -- nor as easy to defend against. Organizations need to converge cybersecurity and physical security to fully protect their assets. But, before trying to improve the relationship between the two, it's important to understand how weak physical security affects cybersecurity and puts an organization's sensitive data at risk.
READ THE STORY: TechTarget
Hardware MFA Stops Attack on Cloudflare
FROM THE MEDIA: Cloudflare is touting hardware multifactor authentication as the saving grace that protected it from a targeted phishing attack, unlike tech colleagues down the street at virtual communications firm Twilio. The internet infrastructure company says the same attackers that went after Twilio last week also sent Cloudflare employees malicious SMS messages with links to phishing sites dressed up as an official company website. The difference? Despite employees at both San Francisco-based companies taking the bait, Cloudflare said attackers were unable to snatch the full logon credentials of its workers. That's because the company's second layer of authentication isn't time-limited one-time codes, such as those from a second-factor app.
READ THE STORY: BankInfoSec
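The contrast this item draws, between a second factor the user can be talked into handing over (a one-time code, or the push approval in the Cisco item above) and one bound to the site the browser is actually on, as an added Python illustration that is not part of the original story and not Cloudflare's code. The origins, seed, device key and challenge strings are constructed for the demo, and an HMAC stands in for the public-key signature a real FIDO2 security key would produce:

```python
import hashlib
import hmac
import json
import struct

# Constructed origins for the demo; neither is a real site.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): a code the user reads and types."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """What the genuine site checks: any holder of a fresh code passes."""
    return hmac.compare_digest(code, totp(secret, now))


def sign_assertion(device_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Stand-in for a FIDO2/WebAuthn security key. The browser, not the user,
    supplies the origin it is on, and the key signs over it (HMAC here stands
    in for the key's public-key signature)."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(device_key: bytes, challenge: str, assertion: dict,
                     expected_origin: str) -> bool:
    """What the genuine site checks: the signed origin must be its own and the
    challenge must be the one it issued, before the signature is even considered."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    expected = hmac.new(device_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_totp_login(secret: bytes, now: int = 1_660_000_000) -> bool:
    """Victim types the code from their app into the phishing page; the
    attacker forwards it to the real site a few seconds later, inside the same
    30 s window. Returns the real site's decision: True means the relay worked."""
    code_typed_into_phish = totp(secret, now)
    return verify_totp(secret, code_typed_into_phish, now + 5)


def relay_fido_login(device_key: bytes, challenge: str = "constructed-challenge-1") -> bool:
    """Attacker relays the real site's challenge to the victim's browser, which
    is on the phishing origin. The key signs that origin, so the real site
    rejects the relayed assertion: False means the relay failed."""
    assertion_from_victim = sign_assertion(device_key, challenge, PHISH_ORIGIN)
    return verify_assertion(device_key, challenge, assertion_from_victim, REAL_ORIGIN)


def genuine_fido_login(device_key: bytes, challenge: str = "constructed-challenge-2") -> bool:
    """Same key, same site, browser really on the genuine origin: accepted."""
    assertion = sign_assertion(device_key, challenge, REAL_ORIGIN)
    return verify_assertion(device_key, challenge, assertion, REAL_ORIGIN)


if __name__ == "__main__":
    seed, key = b"constructed-totp-seed", b"constructed-device-key"
    print("relayed TOTP accepted by real site:", relay_totp_login(seed))   # True
    print("relayed FIDO assertion accepted:   ", relay_fido_login(key))    # False
    print("genuine FIDO login accepted:       ", genuine_fido_login(key))  # True
```

The point of the simulation is that the origin check happens on the server before the signature matters: a look-alike domain never sees an assertion for the genuine origin, because the browser fills that field in and the user has no way to "approve" around it, whereas a code or a push prompt is accepted by the real site no matter which page the user was looking at.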
Thinking like a cyber-attacker to protect user data
FROM THE MEDIA: A component of computer processors that connects different parts of the chip can be exploited by malicious agents who seek to steal secret information from programs running on the computer, MIT researchers have found. Modern computer processors contain many computing units, called cores, which share the same hardware resources. The on-chip interconnect is the component that enables these cores to communicate with each other. But when programs on multiple cores run simultaneously, there is a chance they can delay one another when they use the interconnect to send data across the chip at the same time.
READ THE STORY: MIT
Amid Drone Deal, IRGC-linked Flights to Russia Surge
FROM THE MEDIA: The number of Iranian cargo flights to Russia has surged since the war in Ukraine began, an analysis of open-source flight data shows. Since April, at least 42 flights by Iranian carriers linked to Iran's Revolutionary Guards have landed in Moscow, compared to just three in 2021. Last month, U.S. National Security Advisor Jake Sullivan said that Iran was preparing to supply armed drones to Russia for use in its invasion of Ukraine. Sullivan said Russia had asked Iran to provide it with hundreds of drones; he also revealed satellite photos showing two visits to Iran by a Russian delegation during which they were shown armed drones.
READ THE STORY: Haaretz
Items of interest
Convergence and adoption of AI and ML countering the cyber threat
FROM THE MEDIA: During the last few years, we have witnessed an increase in advanced cyber attacks. Cybercriminals utilize advanced technology to breach the digital boundary and exploit enterprises’ security vulnerabilities. No industry feels secure; security professionals do their utmost to close security gaps and strengthen their cyber defense. As new technologies pop up at an unprecedented rate, cybersecurity professionals are literally “chasing the tail”; they need time to train themselves in new systems and processes, understand how they work, and adopt best practices to protect them against cyber threats.
To counter advanced technology a high-tech toolbox is needed. Technologies such as artificial intelligence (AI) and machine learning (ML) have come into play and are used in the cybersecurity industry. Can this inseparable duo play a significant role in the fight against cybercriminals in a way that eliminates inefficient human behavior and perception from the equation? Can security systems “be educated” to discover anomalies of behavioral changes as soon as they happen?
READ THE STORY: TripWire
The New Guy at the Office Is a Secret Super Hacker // Darknet Diaries Ep. 36: Jeremy From Marketing (Video)
FROM THE MEDIA: Penetration testers are good guys, hired by companies to hack into their own networks by any means necessary. Pro hacker and ex-marine "Tinker" goes undercover as a marketing temp for the toughest crack of his career.
The Sewage Incident - When Operational Technology Isn't Secure (Video)
FROM THE MEDIA: Overnight, a small town in Australia was overflowing with raw sewage from a local wastewater treatment plant. The OT systems looked like they were being tampered with. But by who?
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com