Saturday, Aug 13, 2022 // (IG): BB // Sponsor: Zanes Hand Made
Starlink satellite dish cracked on stage at Black Hat
FROM THE MEDIA: A security researcher has shown how to, with physical access at least, fully take over a Starlink satellite terminal using a homemade modchip. Lennert Wouters, a researcher at the KU Leuven University in Belgium, walked through his methodology during a talk at Black Hat in Las Vegas this week. Wouters said he will release the code and details of components used via GitHub so other folks can build their own modchips that when fitted to the SpaceX hardware unlock the broadband satellite equipment. This will allow them to poke around for additional security holes in the device and possibly the network, play with the configuration, and discover any other functionality.
READ THE STORY: The Register // Punjab News Express
Russian Hackers Are Escalating and Diversifying Their Attacks on Ukraine, Research Says
FROM THE MEDIA: As the Russian invasion of Ukraine reaches its sixth month, Russian hackers are escalating and diversifying their attacks on the country and its citizenry, sending mass texts to Ukrainian civilians threatening their lives if they don’t retreat from their homes, attempting to breach the country’s banks, and even crippling some of their basic utilities. In a presentation at DEF CON 30, Kenneth Geers, a security specialist at Very Good Security and fellow at NATO Cyber Centre, outlined how Russia has forecast these actions for years, including via ongoing attacks on power grids and communication systems in Ukrainian towns.
READ THE STORY: Gizmodo // Defcon
Chinese hackers backdoor chat app with new Linux, macOS malware
FROM THE MEDIA: Versions of a cross-platform instant messenger application focused on the Chinese market known as 'MiMi' have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems. SEKOIA's Threat & Detection Research Team says that the app's macOS 2.3.0 version has been backdoored for almost four months, since May 26, 2022.
READ THE STORY: Bleeping Computer
Cisco Pwned by ‘Russian’ Gang — Data Leaked, Egg on Face
FROM THE MEDIA: The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications. The threat actors … gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company’s corporate network, [they] spread laterally to Citrix servers and domain controllers.
READ THE STORY: Security Boulevard
Killnet Releases 'Proof' of its Attack Against Lockheed Martin
FROM THE MEDIA: Newsweek added that Killnet claimed to have stolen Lockheed Martin employee data and threatened to share that data. There has been no word from Lockheed Martin about the supposed attack beyond telling Newsweek it is “aware of the reports and have policies and procedures in place to mitigate cyber threats to our business,” adding that “we remain confident in the integrity of our robust, multi-layered information systems and data security.” Killnet is a pro-Russia group that specializes in DoS and DDoS attacks. It is thought to have been formed in March 2022, and that its primary motivation is retaliation against perceived enemies of Russia.
READ THE STORY: Security Week
Profiling the Threat Actor Known as “Hagga” and His Work
FROM THE MEDIA: Agent Tesla, an infamous data stealer, has been plaguing Internet users since 2014. Much has been revealed about the malware, but the world didn’t come to know about one of its more adept campaign perpetrators—Hagga—until last year. Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021. The latest research published several indicators of compromise (IoCs) related to his infrastructure, including four domains and 18 IP addresses.
READ THE STORY: CircleID
At Black Hat, tech confronts the cyber consequences of Ukraine war, Log4j and Web3
FROM THE MEDIA: Technology has unintended consequences, and this reality is getting much of the security world’s focus as events play out this year. There was news at the Black Hat 2022 cybersecurity conference this week about creating an open standard for analyzing enterprise data, innovative new security tools and a declaration by the former head of government cybersecurity that things will likely get worse. Yet much of the discussion from the annual gathering in Las Vegas revolved around three examples of how technology can have unintended consequences: the cyberwar in Ukraine, continued problems from the Log4j logging tool vulnerability and rising concerns around security threats in Web3.
READ THE STORY: SiliconAngle
Ex-CISA chief Krebs advocates for standalone cyber agency. Experts say that's impractical.
FROM THE MEDIA: Chris Krebs, former head of the nation’s cybersecurity agency inside the Department of Homeland Security, caused a stir this week when he suggested the agency break out on its own. Instead of the Cybersecurity and Infrastructure Security Agency residing in DHS, Krebs told an audience at the Black Hat cybersecurity conference in Las Vegas, a standalone CISA could help streamline how the private sector and other stakeholders work with the government to combat cyberthreats.
READ THE STORY: Cyberscoop
Australia: Google fined over location data claims
FROM THE MEDIA: An Australian court fined Google $43 million for misleading users about how they collect and use their location data. Meanwhile, a new report shows that online shopping prices have fallen for the first time in two years. An Australian court has ordered Google to pay roughly $43 million ($60 million AUD) for misleading users about the collection and use of their location data, an Australian competition watchdog said Friday. The court found Google breached Australian Consumer Law between January 2017 and December 2018 by misrepresenting to some Android users what settings allowed Google to collect and use personal location data, according to the Australian Competition & Consumer Commission’s announcement.
READ THE STORY: The Hill
'Internet of Things' technology from China is a new threat to the West: Reports
FROM THE MEDIA: The discussion over the security threat posed by Chinese technology resumed in the public eye as soon as the UK chose to bar the Chinese telecom Huawei from its 5G telecom networks. At the offices of important government leaders, the British government has recently replaced security equipment supplied by Chinese-owned tech companies. This comes after the British government was urged to take action against the use of surveillance technology made by two Chinese businesses, Hikvision and Dahua, which have previously been placed on the blacklist by Washington, according to a story in the American daily Financial Post.
READ THE STORY: DNA INDIA
Three flaws allow attackers to bypass UEFI Secure Boot feature
FROM THE MEDIA: Researchers from hardware security firm Eclypsium have discovered a vulnerability in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that can be exploited to bypass the UEFI Secure Boot feature. Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.”
READ THE STORY: Security Affairs
Anonymous poop gifting site hacked, customers exposed
FROM THE MEDIA: ShitExpress, a web service that lets you send a box of feces along with a personalized message to friends and enemies, has been breached after a "customer" spotted a vulnerability. Except, in an interesting twist, rather than responsibly reporting the vulnerability, the customer who is a known threat actor ended up exploiting the bug and downloading the entire database. This database was then shared on a hacking forum, exposing the angry, and sometimes hysterical, personal messages sent by the customers with the gifts.
READ THE STORY: Bleeping Computer
Ransomware Attack Costs Hanesbrands $100 Million in Lost Sales
FROM THE MEDIA: It’s clear ransomware attacks can force victims to pay up, but they can also crater a company’s earnings potential. Case in point: apparel maker Hanesbrands estimates it lost $100 million in sales last quarter after suffering a ransomware attack. Hanesbrands originally reported the attack in late May. But on Thursday, the company revealed in an earnings statement that the incident prevented it from fulfilling product orders for three weeks during Q2. This derailed its ability to purchase new supplies, ship orders, and process payments for brands including Hanes, Champion, and Playtex.
READ THE STORY: PCMAG
OFAC Sanctions Cryptocurrency Mixing Service for Allegedly Facilitating Money Laundering
FROM THE MEDIA: On Aug. 8, 2022, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed economic sanctions on Tornado Cash, a popular cryptocurrency mixing service that allows customers to obscure the original source of virtual currency transactions by “mixing” multiple transactions and then redistributing them. While mixing may have legitimate benefits in some transactions, it also may be exploited by criminals to potentially launder cryptocurrency, including crypto received in connection with ransomware attacks.
READ THE STORY: National Law Review
Cuba Ransomware now Targeting Critical Infrastructure
FROM THE MEDIA: Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques, and procedures (TTPs), including a new remote access Trojan called ROMCOM RAT on compromised systems. The new findings come from Palo Alto Networks’ Unit 42 threat intelligence team, which is tracking the double-extortion ransomware group under the moniker Tropical Scorpius. Cuba ransomware (also known as COLDDRAW), which was first detected in December 2019, re-emerged in the threat landscape in November 2021 and has been attributed to attacks against 60 entities in five critical infrastructure sectors, amassing at least $43.9 million in ransom payments.
READ THE STORY: Security Newspaper
Leaked NSO Group Presentation Details Malware’s Ability To Turn On Cameras, Mics To Surveil Targets
FROM THE MEDIA: Israel’s foremost purveyor of malware, NSO Group, has undergone nearly a yearlong reckoning. A leak last summer appeared to show NSO customers were routinely targeting journalists, activists, members of opposition parties, and, in one case, the ex-wife of a Dubai ruler. That NSO Group was shady wasn’t a new fact. Its decision to sell malware to abusive governments had been criticized for nearly a half-decade. But the data leak made this a problem too big to ignore. The US government responded by blacklisting NSO. The Israeli government — which had been instrumental in helping NSO Group secure contracts with human rights abusers — finally decided it was time to limit who NSO could sell its products to.
READ THE STORY: TechDirt
Ukraine's cyber chief comes to Black Hat in surprise visit
FROM THE MEDIA: Victor Zhora, Ukraine's lead cybersecurity official, made an unannounced visit to Black Hat in Las Vegas this week, where he spoke to attendees about the state of cyberwarfare in the country's conflict with Russia. The picture Zhora painted was bleak. Zhora, who is the deputy director of Ukraine's State Service of Special Communications and Information Protection, said cyber incidents in the country have tripled since February, when Russia invaded. Zhora told attendees that Ukraine had detected over 1,600 "major cyber incidents" so far in 2022, but reports don't include elaboration on how such incidents are classified. A number of huge incidents happened between March and April, Zhora said, including discovery of the "Industroyer2," an apparent successor to the Industroyer malware discovered in 2017.
READ THE STORY: The Register
Once, Twice, Three Times A Ransomware Victim: Triple-Hacked In Just 2 Weeks
FROM THE MEDIA: In his play, The Importance of Being Earnest, Oscar Wilde famously wrote: "To lose one parent, Mr. Worthing, may be regarded as a misfortune; to lose both looks like carelessness." If he were alive today, Wilde could well be saying, "To be compromised by one ransomware actor may be regarded as unfortunate, to be compromised three times in two weeks looks like poor security posture." Yet, as outlined in a new Sophos report, here we are. That's exactly what happened to one enterprise, an unnamed automotive supplies company, which fell victim to three different ransomware groups, three times, in the space of just 14 days.
READ THE STORY: Forbes
U.S. Intel Official Turned TikTok Lawyer Claims ‘Anti-China Xenophobia’
FROM THE MEDIA: A cybersecurity lawyer for TikTok blasted proposals to ban the Chinese Communist Party–linked app as driven “solely” by anti-China racism, in a Twitter post that has since been deleted. That attorney, Dondi West, formerly worked for the Office of the Director of National Intelligence and other government agencies, a fact that might raise new questions about TikTok’s hiring from the U.S. intelligence community, given the company’s ties to the Chinese government.
READ THE STORY: National Review
Waterloo cybersecurity firm mining ‘treasure trove’ of clues about criminals on the dark web
FROM THE MEDIA: When hackers started turning on one another and leaking the contents of closed online forums, cybersecurity researchers found a trove of information about criminals on the dark web. That’s where eSentire’s Joe Stewart first picked up the digital trail of a Montreal man known as “Badbullzvenom,” who was providing notorious Russian cybercrime groups with malware. Stewart and another researcher at eSentire, Keegan Keplinger, are the talk of the cybersecurity conference in Las Vegas — Black Hat 2022 — for unmasking the hacker behind the malware “Golden Chickens.”
READ THE STORY: The Record
The Zoom installer let a researcher hack his way to root access on macOS
FROM THE MEDIA: A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system. Details of the exploit were released in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also presented one unpatched vulnerability that still affects systems now.
READ THE STORY: The Verge
India: Tek Fog: A New Cyber-Troop Cracking Down on Human Rights
FROM THE MEDIA: On January 6, The Wire posted reports of a 20-month-long investigation that began after a former Bharatiya Janata Party (‘BJP’) IT-Cell employee blew the whistle on the party’s use of an app called Tek Fog. Tek Fog has been identified as a highly sophisticated application, used by online operatives from the incumbent party, to hijack major social media and encrypted messaging platforms, and amplify right-wing propaganda to a domestic audience. The whistle-blower tweeted and revealed that Tek Fog is a secret application solely for BJP’s IT cell workers that is used for auto-uploading texts and hashtag trends on social media platforms by bypassing checks on these platforms to prevent such activity.
READ THE STORY: NewsClick
Items of interest
The Anatomy of Wiper Malware, Part 1: Common Techniques
FROM THE MEDIA: A wiper is a type of malware with a single purpose: to erase user data beyond recoverability. Wipers are used to destroy computer networks in public or private companies ranging from industrial to entertainment sectors. Threat actors also use wipers to cover up traces left after an intrusion, weakening their victim’s ability to respond.
Wipers gained popularity back in 2012, when Saudi Arabia’s Saudi Aramco and Qatar’s RasGas oil companies were targeted by threat actors using the Shamoon family of wipers. After four years in which little to no wiper activity was observed, the Shamoon wiper resurfaced in 2016 with threat actors having the same goals and targets in mind.
The year 2017 put multiple wiper families on our radar. A wiper variant of Petya was used to target multiple institutions in Ukraine, Russia and western Europe. Institutions in Israel and Germany faced the wipers named SQLShred and Ordinypt, respectively, which masqueraded as ransomware. Middle Eastern companies again found themselves the target of a wiper, this time one named StoneDrill.
READ THE STORY: Crowdstrike
The Kuwaiti Banking Malware Mystery Darknet Diaries Ep. 120: Voulnet (Video)
FROM THE MEDIA: When Mohammed Aldoub found a vulnerability online, he tweeted about it to protect others. Then he got in a storm of trouble.
The Cybergang That Stole $1 Billion From ATMs Darknet Diaries Ep. 35: Carbanak (Video)
FROM THE MEDIA: Real hacking rarely looks like the movies, but in one case, a bank robber filled duffle bags with cash without touching the ATMs. It was possible thanks to the terrifying genius of the malware Carbanak.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com