Friday, Aug 12, 2022 // (IG): BB // Sponsor: Zanes Hand Made
State Dept. offers $10 million for information on Russian hackers (Conti)
FROM THE MEDIA: The State Department announced on Thursday that it was offering a reward of up to $10 million for information leading to the identity and location of five individuals believed to be tied to the Conti ransomware group. The agency accused the hackers, known by their online aliases as “Target,” “Reshaev,” “Professor,” “Tramp,” and “Dandis,” of participating in malicious cyber activities against U.S. critical infrastructure. “Stripping anonymity from key players, offering bounties, seizing illicit funds, and making public declarations of intent are important actions that may help to increase the real and perceived risks of engaging in ransomware operations,” said Jeremy Kennelly, a senior manager of financial crime analysis at cybersecurity firm Mandiant, in a statement.
READ THE STORY: The Hill // The Tech lookout // Yahoo // Bleeping Computer
Russian invasion has dangerously destabilized cyber security norms
FROM THE MEDIA: The hacktivist attacks that have occurred during the ongoing war in Ukraine are setting a dangerous precedent for cyber norms — and infrastructure security, according to journalist and author Kim Zetter. "Of course, the situation in Ukraine is unprecedented," said Zetter, speaking during the Black Hat keynote on Thursday. "And this isn't meant to criticize the country for doing what it thinks is necessary to defend itself. But the security community and governments have to be aware of the potential path that this is leading us to." The idea of "cyber norms" isn't an amorphous concept, she explained.
READ THE STORY: The Register
Zeppelin ransomware may encrypt devices multiple times in attacks
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times. The two federal agencies also shared tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help security professionals detect and block attacks using this ransomware strain. "The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim's network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys," a joint advisory published today revealed.
READ THE STORY: Bleeping Computer
Cisco hacked by access broker with Lapsus$ ties
FROM THE MEDIA: Cisco disclosed on Wednesday a cyber attack it endured from a threat actor with ties to cybercrime gangs Lapsus$, UNC2447 and Yanluowang. The networking and security giant said it became aware of an attack on May 24. Cisco found over the course of its investigation that the compromise occurred after the attacker gained control of an employee's personal Google account that had a number of credentials synchronized, a Cisco Talos blog post explained. From there, the attacker "conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations" to convince the victim user to accept multifactor authentication push notifications. The attacker ultimately succeeded and gained access to the targeted user's VPN.
READ THE STORY: TechTarget
eSentire Researchers Unmask the Top Malware Supplier to Russia's Most Notorious Financial Crime Families: Fin6 and Cobalt Group
FROM THE MEDIA: eSentire, the Authority in Managed Detection and Response (MDR), released a report today, unmasking the threat actor behind the Golden Chickens malware, the weapon of choice for Russia’s most infamous financial cybercrime families, FIN6 and Cobalt Group. Joe Stewart and Keegan Keplinger, security researchers with eSentire’s Threat Response Unit (TRU), authored the research. The report, unveiled today at Black Hat USA and titled “Unmasking VENOM SPIDER: The Hacker Behind the Cyber Weapon of Choice for Two of Russia’s Most Notorious Internet Crime Gangs,” reveals how eSentire identified the Golden Chickens malware operator.
READ THE STORY: Financial Post
Possible data leak at the University of Kashmir
FROM THE MEDIA: The Kashmir Monitor reports that the University of Kashmir has launched a probe into an alleged data leak. “Just spotted an alleged database of The University of Kashmir being sold on a hacking forum. Threat actor goes by the name “ViktorLustig” selling the database of @KmrUniversity for $250. He shared a Database index showing what he has,” said Abhishek Verma, a journalist at DroidMaze, in a tweet. According to a subsequent tweet from Verma, it is revealed that if the database is legitimate, the threat actor has student information, registration numbers, emails, passwords, employees, and more data. The administrator of the forum asserts that the database is legitimate, but the university claims that in their preliminary investigation, they found the data to be unmodified.
READ THE STORY: The Cyber Wire
Cisco ASA and ASDM flaws went unpatched for months
FROM THE MEDIA: Vulnerabilities discovered in Cisco software may lead to a variety of threats including supply chain attacks, Rapid7 lead researcher Jake Baines warned during a Black Hat 2022 session. In the session Thursday, Baines discussed several flaws affecting Cisco Adaptive Security Appliance (ASA) software, which is the operating system for ASA devices like firewalls. Cisco ASA devices, as he described, typically sit at the edge of a corporate network. "It's a critical asset because it acts as the gateway to the internet in your corporate network and implements access controls and protections," Baines said during the session.
READ THE STORY: TechTarget
Montreal man alleged to be an operator behind the Golden Chickens malware
FROM THE MEDIA: One of the threat actors behind the Golden Chickens malware suite said to be favored by three major Russian criminal cyber gangs lives in Montreal, according to an investigation by a Canadian-based managed security services firm. The claim was made Thursday by researchers at eSentire following a 16-month investigation into the person behind posts on a number of hacker forums and social media sites where “Chuck in Montreal” may have made some slips — including mentioning his love for BMWs. The report doesn’t name the man. But eSentire’s threat response unit says it knows “Chuck’s” real name, has pictures of him, his home address, the names of his parents, siblings, and friends; his social media accounts, his hobbies, and that he owns a small business which he runs out of his home.
READ THE STORY: Financial Post
Conti Cybercrime Cartel Using 'BazarCall' Phishing Attacks as Initial Attack Vector
FROM THE MEDIA: A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. "Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology," cybersecurity firm AdvIntel said in a Wednesday report. These targeted campaigns "substantially increased" attacks against entities in finance, technology, legal, and insurance sectors, the company added. The actors in question include Silent Ransom, Quantum, and Roy/Zeon, all of which split from Conti after the ransomware-as-a-service (RaaS) cartel orchestrated its shutdown in May 2022 following its public support for Russia in the ongoing Russo-Ukrainian conflict.
READ THE STORY: THN
Onyx Ransomware Overwrites Files Larger than 2MB Instead of Encrypting Them
FROM THE MEDIA: Researchers first discovered the Onyx ransomware as early as mid-April 2022. The ransomware group uses the double extortion method of encrypting and exfiltrating data from a victim in order to extort money. There is a possibility that the threat actor will leak the victim’s data on their leak site if the victim cannot pay the ransom. So far, 13 victims from six different countries have been affected by this group. The cybersecurity analysts at Cyble affirmed that a large percentage of the victims of this attack come from the United States, which accounts for over 60% of the entire victim list.
READ THE STORY: CyberSecurityNews
Emotet is still the world's worst malware - but maybe not for long
FROM THE MEDIA: One of the world’s most infamous trojans/malware/droppers, Emotet, seems to be running out of steam a little as the summer holidays begin. Check Point Research's recent Global Threat Index for July 2022 found Emotet’s global impact, compared to June, fell by 50% - but warned that it’s still the reigning champion among malware and that won’t change any time soon. “Emotet continues to dominate our monthly top malware charts,” said Maya Horowitz, VP Research at Check Point Software.
READ THE STORY: TechRadar
Meta injecting code into websites to track its users
FROM THE MEDIA: Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an “in-app browser”, controlled by Facebook or Instagram, rather than sent to the user’s web browser of choice, such as Safari or Firefox.
READ THE STORY: The Guardian
GRIT Ransomware Report: July 2022
FROM THE MEDIA: GRIT saw and tracked activity from 21 total ransomware groups in July, 4 more threat groups than the month before. With an increase of 69 claimed victims, the average reports per day jumped from 4 in June to 6.2 in July. The publicly posted victims represented 35 industries and 40 countries, compared to 23 industries and 27 countries last month. This 59% month-over-month increase in claimed victims may have several causes.
READ THE STORY: Security Boulevard
It Might Be Our Data, But It’s Not Our Breach
FROM THE MEDIA: A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth on nearly 23 million Americans. The firm’s analysis of the data suggests it corresponds to current and former customers of AT&T. The telecommunications giant stopped short of saying the data wasn’t theirs, but it maintains the records do not appear to have come from its systems and may be tied to a previous data incident at another company.
READ THE STORY: Security Boulevard
Ransomware attack on NHS systems could take weeks to fix, major IT provider warns
FROM THE MEDIA: Advanced, which supplies vital systems for the NHS, said it suffered a cyber breach around 7am on 4 August which has now been contained. The attack had wide-ranging implications, affecting the system used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions. Call handlers for the NHS 111 service were left "working on paper" with the cyber attack "negatively affecting" response times, according to a letter from NHS England to London GPs seen by industry magazine Pulse.
READ THE STORY: Sky News
Cybercriminals Moving from Macros to Shortcut Files to Access Business PCs
FROM THE MEDIA: HP Inc. (NYSE: HPQ) today issued its quarterly Threat Insights Report revealing that a wave of cybercriminals spreading malware families – including QakBot, IcedID, Emotet, and RedLine Stealer – are shifting to shortcut (LNK) files to deliver malware. Shortcuts are replacing Office macros – which are starting to be blocked by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware.
READ THE STORY: Industry Analysts
Ransomware attack costs HanesBrands $100 million in net sales
FROM THE MEDIA: HanesBrands suffered a $100 million blow from a ransomware attack that temporarily devastated its supply chain and orders, the company said Thursday. Why it matters: These cyber attacks pose a serious financial threat to companies in which bad actors seize control of their target's systems and then threaten to delete data, release information or refuse to relinquish control until payment is received.
READ THE STORY: Axios
BazarCall attacks have revolutionized ransomware operations
FROM THE MEDIA: The researchers at cybersecurity firm AdvIntel state that currently at least three autonomous threat groups are adopting and independently developing their own targeted phishing tactics derived from the call back phishing methodology. The three groups are tracked as Silent Ransom, Quantum, and Roy/Zeon; they emerged after the Conti gang opted to shut down its operation in May 2022. In March 2022, former members of Conti, who were experts in call back phishing attacks, created “Silent Ransom” when it became an autonomous group.
READ THE STORY: Security Affairs
Critical Infrastructure Attacks Remain a Major Threat, Top Security Writer Warns
FROM THE MEDIA: Last year's ransomware attack on Colonial Pipeline could have been prevented if the people trying to protect its computer systems had taken basic precautions and kept their eyes open for signs of an attack, a top cybersecurity journalist said Thursday. Investigative reporter Kim Zetter said attacks targeting the world's oil pipelines, power and water treatment plants, and essential computer systems have risen dramatically since the discovery of the Stuxnet worm in 2010. Stuxnet reportedly destroyed numerous centrifuges in an Iranian uranium enrichment facility and was later modified to target facilities including water treatment plants, power plants and gas lines.
READ THE STORY: CNET
Ex-CIA security boss predicts coming crackdown on spyware
FROM THE MEDIA: It turns out that ex-CIA chief information security officers don't spill secrets at bars in Vegas. Or via Zoom, while pretending to be at a Black Hat cocktail party. Still, Rubrik's new Chief Information Security Officer Michael Mestrovich, who was previously the CISO of the CIA, knows a thing or two about cyber spies and ransomware gangs, and in an interview with The Register, he weighed in on both hot topics. Last month, during a House Intelligence Committee hearing, security researchers and internet rights groups called on Congress to sanction and step up enforcement against surveillance ware makers like NSO Group's Pegasus spyware.
READ THE STORY: The Register
Taiwan Turns to Ethereum IPFS Tech to Thwart Chinese Cyberattacks
FROM THE MEDIA: Looking to boost its cybersecurity defenses against cyberattacks from China and other adversaries, Taiwan's Ministry of Digital Affairs has adopted IPFS technology to safeguard its infrastructure. InterPlanetary File System (IPFS), designed by Juan Benet in 2014, is a decentralized peer-to-peer network that lets users back up and store files and websites by hosting them across a network of nodes, eliminating centralized points of failure and circumventing censorship efforts. The storage and file referencing system for Ethereum is frequently compared to the peer-to-peer file sharing protocol BitTorrent.
READ THE STORY: Decrypt
Hacker offers to sell data of 48.5 million users of Shanghai's COVID app
FROM THE MEDIA: A hacker has claimed to have obtained the personal information of 48.5 million users of a COVID health code mobile app run by the city of Shanghai, the second claim of a breach of the Chinese financial hub's data in just over a month. The hacker with the username "XJP" posted an offer to sell the data for $4,000 on the hacker forum Breach Forums on Wednesday. The hacker provided a sample of the data including the phone numbers, names, Chinese identification numbers and health code status of 47 people.
READ THE STORY: Reuters
After Colonial Pipeline, Critical Infrastructure Operators Remain Blind to Cyber-Risks
FROM THE MEDIA: The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in protecting their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter gave a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, saying its leaders had plenty of warnings that could have prevented the crippling attack. Zetter, who has covered many major cyber-incidents over more than two decades, is author of the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown: 2015). Stuxnet, the malicious worm that security experts discovered at an Iranian uranium enrichment facility in 2010, explicitly targeted the Siemens S7-400 system. The discovery heralded a new generation of targeted attacks, according to Zetter.
READ THE STORY: DarkReading
Reports flag threat from Chinese technology in ‘Internet of Things’ devices
FROM THE MEDIA: As soon as the UK decided to ban China's telecommunications company Huawei from its 5G telecoms networks, the debate regarding the security threat from Chinese equipment again intensified in the mainstream. Recently, the British government has replaced security equipment provided by Chinese-owned tech companies at offices of key government officials. This comes after MPs and peers called on the British government to crack down on the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, which have already been blacklisted by Washington, Financial Post, an American-based publication, reported.
READ THE STORY: Hindustan Times
Army looking at new ways to use space technology for unconventional warfare
FROM THE MEDIA: The U.S. Army’s land forces for decades have relied on satellites for communications, navigation and early warning of missile attack. But the Army now wants to figure out other ways to use space technologies for nontraditional military operations such as cyber and information warfare. Army leaders in panel discussions at the Space and Missile Defense Symposium said wars in the future will be fought in the space and cyber domains. And they argued that there should be more synergy among space, cyber and information warfare capabilities so they can be layered to greater effect.
READ THE STORY: SpaceNews
Sea-Doo maker BRP's operations remain suspended after cyberattack
FROM THE MEDIA: Bombardier Recreational Products Inc.’s operations remained suspended Thursday, three days after the maker of Sea-Doo watercraft and Ski-Doo snowmobiles said that it had been the victim of a cyberattack. The Valcourt, Que.-based company disclosed in a press release on Aug. 9 that it had been the target of “malicious cybersecurity activity” a day earlier, and that it had taken “immediate measures to contain the situation.” Those measures included activating its “internal network of IT professionals” and hiring “cybersecurity experts” to help secure its computer systems and assist with an internal investigation.
READ THE STORY: Financial Post
German soldier ‘sent army secrets to Russian spies out of sympathy’
FROM THE MEDIA: A German army officer has gone on trial accused of feeding Russia’s spy service with German military and industrial secrets out of “sympathy” for the country. Ralph G, a lieutenant colonel in the German reserves, gave his Russian contacts sensitive information on the operational abilities of the army in full knowledge that they were spies, Germany’s federal prosecution service said on the first day of the trial in Dusseldorf.
READ THE STORY: Telegram
Cyber-Insurance Fail: Most Businesses Lack Ransomware Coverage
FROM THE MEDIA: Organizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000. These were among the findings of a BlackBerry and Corvus Insurance survey of 450 business decision-makers for IT and security solutions, which also revealed more than a third (37%) of respondents currently lack coverage for any ransomware payment demands.
READ THE STORY: DarkReading
Items of interest
Israel denies warning Russia against election hacking
FROM THE MEDIA: Israel has denied reports that it appealed to Russia not to interfere in the upcoming November elections. According to the report, originally by Maariv, Israel is concerned with the possibility of external interference, particularly via cyber means. The appeal was apparently made between the Shin Bet and its Russian counterpart, following a directive from Prime Minister Yair Lapid. The message was matter-of-fact and focused, and included a request to avoid any interference in the democratic process in Israel.
READ THE STORY: Jpost
AT&T Charged Him $900 So He Took Down Their Network | Darknet Diaries Ep. 20: mobman (Video)
FROM THE MEDIA: Hacking changed mobman’s life. Chances are if you were downloading shady programs in the early 2000s, you were infected with malware he wrote called SubSeven.
How Scammers Stole $40 Million in Tax Refunds From IRS.gov Darknet Diaries Ep. 26: IRS (Video)
FROM THE MEDIA: In 2014, the IRS made it easier to file your taxes online. Unfortunately, they also made it easier for criminals to file them for you — and pocket your refund.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com