Friday, Aug 19, 2022 // (IG): BB // Sponsor: Zanes Hand Made
China's cyber watchdog tries to assuage concerns of internet firms
FROM THE MEDIA: China's cyberspace watchdog wants to build an "affectionate" relationship between internet enterprises and the government, a senior official said, the latest verbal assurance to an industry still on edge after a long and bruising regulatory crackdown. Niu Yibing, vice minister of the Cyberspace Administration of China (CAC), told a news conference on Friday the agency was supportive of the sector's healthy development and wanted to create a "healthy, get-to-the-top, can-do entrepreneurial atmosphere".
READ THE STORY: Reuters
Montana flagged bugs in cow app exploited in alleged China hack
FROM THE MEDIA: The US state of Montana suspended use of an agricultural database to improve its security months before its developer had to fix security flaws that were exposed in a suspected Chinese state-sponsored cyberattack, newly obtained documents show. The Montana Department of Agriculture temporarily took the USAHERDS web-based software offline last year to allow the application’s developer to beef up security following an unspecified “event,” according to the documents obtained by Al Jazeera.
READ THE STORY: Al Jazeera
China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload
FROM THE MEDIA: An analysis of China-backed advanced persistent threat (APT) actor APT41's activities has shown the group to be using a unique — and somewhat inexplicable — method for deploying its main Cobalt Strike payload on victim systems. Researchers from Singapore-based Group-IB also discovered that the adversary is using a variety of dual-use tools for conducting reconnaissance. So far, Group-IB has identified at least 13 major organizations worldwide that have been compromised over four separate campaigns, with the APT gaining varying levels of access.
READ THE STORY: DarkReading
Attacks on Estonia and Latvia indicate latent cyber strike capabilities of APT groups
FROM THE MEDIA: In the wake of the Russian invasion of Ukraine, there have been many spikes in cyberattacks on specific targets across Europe. These include Satcom infrastructure in Ukraine, renewable energy projects in Germany and Norway, and increased reconnaissance attacks in the Czech Republic, Belgium, and Spain. These attacks have followed increased scanning activity and exchange of malware and breach tools by Chinese and Russian APT groups in April this year. With such collaboration, APT groups in both countries have evolved latent capabilities that are only unleashed after specific event thresholds are breached.
READ THE STORY: SecurityBoulevard
State shares fears about Russia terrorism bill with Congress
FROM THE MEDIA: The State Department is quietly letting congressional offices know that it has substantive concerns about labeling Russia a state sponsor of terrorism. In July, Speaker NANCY PELOSI told Secretary of State ANTONY BLINKEN that if he didn’t put Russia on the terrorism blacklist, then Congress would. Since then, the Senate unanimously passed a non-binding resolution urging Blinken to do so, followed by a bipartisan quintet of House members introducing a bill that would officially slap the designation on Russia — circumventing the nation’s top diplomat.
READ THE STORY: Politico
Cybercrime Group TA558 Ramps Up Email Attacks Against Hotels
FROM THE MEDIA: This year, a small cybercrime actor is ramping up the number of malicious emails sent to hotels and related hospitality companies with the intent of delivering a diverse set of RATs, which have the capabilities to steal information. While first observed in 2018, the threat actor tracked as TA558 by Proofpoint has increased its operational tempo, with researchers observing 51 campaigns so far this year. Over the last four years, the cybercriminals have evolved their tactics and diversified the number of RATs deployed in campaigns, primarily focusing on victims in the Latin America region with additional targeting observed in Western Europe and North America.
READ THE STORY: DUO
Apple patches two zero-days in macOS, iOS
FROM THE MEDIA: Apple has released a series of patches to address two zero-day vulnerabilities affecting its macOS Monterey desktop operating system (OS), its iOS and iPadOS OSes, and its Safari web browser. The two vulnerabilities are tracked as CVE-2022-32893 and CVE-2022-32894. Both are out-of-bounds write issues that affect the Safari WebKit web browser extension, and the OS kernel, respectively. Apple said it was aware of reports that both vulnerabilities may already have been actively exploited in the wild – making the need to patch more urgent. Successfully exploited, CVE-2022-32893 enables a threat actor to achieve arbitrary code execution if the targeted user visits a maliciously crafted website. In layman’s terms, this could give them total control of the device.
READ THE STORY: ComputerWeekly
Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities
FROM THE MEDIA: For the past three years, Chinese state-sponsored cyberespionage group RedAlpha has been observed targeting numerous government organizations, humanitarian entities, and think tanks. Also tracked as Deepcliff and Red Dev 3, the advanced persistent threat (APT) actor has been active since at least 2015, focused on intelligence collection, including the surveillance of ethnic and religious minorities, such as the Tibetan and Uyghur communities.
READ THE STORY: SecurityWeek
Hackers are stealing browser cookies to glide past MFA
FROM THE MEDIA: Multi-factor authentication is a great way to keep cybercriminals at bay, but some are apparently getting pretty good at bypassing this type of protection by stealing application and browser session cookies. Cybersecurity researchers from Sophos say they're observing an increasing appetite for cookies among malware of all sophistication levels. From infostealers such as Raccoon Stealer or RedLine Stealer, to destructive trojans such as Emotet, an increasing number of viruses and malware are getting cookie-stealing functionalities.
READ THE STORY: TechRadar
Bitdefender finds malicious campaign active on Google Play
FROM THE MEDIA: Bitdefender has released research about a new Google Play campaign that bypasses the storefront's security checks to deliver potentially malicious content and advertisements. Once a user downloads these apps, they work to remain on devices by changing names, switching icons, and taking further steps to remain hidden. In particular, these apps will change their icon and name to pretend to be the phone's 'Settings' app. One of the key findings in Bitdefender's research, 'Real-Time Behavior-Based Detection on Android Reveal Dozens of Malicious Apps on Google Play Store', is that 35 apps on the Google Play Store are using techniques to bypass storefront security checks to spread potentially harmful content and advertisements.
READ THE STORY: Security Brief
Mailchimp data breach took down DigitalOcean's email services
FROM THE MEDIA: In a blog post, DigitalOcean’s head of security, Tyler Healy, said that the company realized the possibility of a security incident when Mailchimp, the company’s email services provider, disabled its account without any prior notification on 8th August. Also, emails regarding account confirmations and password resets delivered via Mailchimp stopped reaching its customers.
An automated email from Mailchimp advised DigitalOcean that its account was temporarily suspended due to a violation of “terms of service”. Other crypto-related clients who received the same email from Mailchimp included Edge Wallet, Cointelegraph, NFT creators, Ethereum FESP, Messari, and Decrypt, whose accounts were also suspended without prior notification.
READ THE STORY: TEISS
Cyber Standoff: 51 Groups Tied to Russia-Ukraine War Attacks
FROM THE MEDIA: A crowded field of 51 different threat groups active in the Russia-Ukraine cyber conflict has led to digital attacks in more than two dozen nations so far – albeit concentrated in Ukraine, where hackers look to sow "chaos and confusion" on and off the battlefield, says Ukraine’s deputy head of cyber defense. Kyiv has fended off more than 1,600 "major cyber incidents" since January, an average of seven attacks a day, says Victor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, in an exclusive interview with Information Security Media Group.
READ THE STORY: GOVINFOSEC
Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals
FROM THE MEDIA: Recently, Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain that work across a variety of different industry verticals such as Automotive, Chemicals Manufacturing and others. In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute “Grandoreiro”, a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America.
READ THE STORY: SecurityBoulevard
LockBit claims ransomware attack on security giant Entrust
FROM THE MEDIA: The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. Last month, BleepingComputer broke the story that Entrust suffered a ransomware attack on June 18th, 2022. Starting in early June, Entrust had begun to tell customers that they suffered a cyberattack where data was stolen from internal systems. "We have determined that some files were taken from our internal systems," Entrust shared in a security notification to customers. "As we continue to investigate the issue, we will contact you directly if we learn information that we believe would affect the security of the products and services we provide to your organization."
READ THE STORY: BleepingComputer
Russian citizen faces federal money laundering charge in alleged $400,000 ransomware attack
FROM THE MEDIA: A new indictment alleges a Russian citizen extradited this week from the Netherlands to Portland laundered more than $400,000 in cryptocurrency extracted from ransomware attacks in the United States in July 2019. Denis Mihaqlovic Dubnikov, 29, entered a not guilty plea through his attorney to one count of conspiracy to commit money laundering during his first appearance in federal court on Wednesday afternoon. U.S. Magistrate Judge Jolie A. Russo allowed Dubnikov to be released under GPS monitoring pending trial. A five-day trial has been tentatively set for Oct. 4.
READ THE STORY: Oregonlive
BlackByte ransomware gang returns with new multitier ransom strategy
FROM THE MEDIA: A ransomware gang with links to the Conti group has returned with a new campaign similar to the better-known LockBit gang. BlackByte version 2.0 ransomware gang, as the group calls itself, is promoting a new leaks site and claims to have successfully targeted new victims. Bleeping Computer reported Wednesday that those behind the ransomware are also promoting their activities on Twitter Inc., including auctions for stolen data. BlackByte’s leak site currently had only one victim listed, however. In a twist on traditional ransomware groups, BlackByte is using a multitier ransom and publication strategy.
READ THE STORY: SiliconAngle
Global ransomware survey reveals one in three organisations see malicious insiders as a route for ransomware
FROM THE MEDIA: According to the global survey of IT and security leaders across the US, EMEA and APAC, nearly one-third of organizations have suffered a ransomware attack enabled by a malicious insider, a threat seen as commonly as the accidental insider (35 percent). Furthermore, 59 percent of organizations believe ransomware has worsened in the last three months, with phishing (58 percent), malware/computer viruses (56 percent) and cloud applications (42 percent) cited as other common threat vectors. As the ransomware crisis worsens, threat actors like Lapsus$ group are now well-known for preying on disgruntled employees to gain access to corporate networks – 95 percent (and 99 percent of CISOs/CIOs) view the malicious insider as a significant risk.
READ THE STORY: ITwire
Wiper malware, ransomware variants increase amid Russia-Ukraine war
FROM THE MEDIA: More threat actors have used disk-wiping malware in cyberattacks since the beginning of the ongoing war between Russia and Ukraine, with Ukrainian government, military, and private entities having been targeted with at least seven new major wiper variants, according to VentureBeat. Ransomware variants have also increased from 5,400 in the second half of 2021 to 10,666 in the first half of 2022, a report from Fortinet revealed. Wiper malware trends reveal a disturbing evolution of more destructive and sophisticated attack techniques continuing with malicious software that destroys data by wiping it clean. This is an indicator that these weaponized payloads are not limited to one target or region, and will be used in other instances, campaigns, and targets.
READ THE STORY: SCMAG
SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences
FROM THE MEDIA: CISA added seven vulnerabilities to its catalog on Thursday and instructed federal agencies to address them by September 8. For several of the newly added security holes, there do not appear to be any public reports describing exploitation in the wild, but the cybersecurity agency clarified in the past that it only adds CVEs to its catalog if it has reliable information about malicious exploitation. The SAP vulnerability added to CISA’s list, tracked as CVE-2022-22536, was patched by the vendor in February in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher.
READ THE STORY: SecurityWeek
Bumblebee attacks, from initial access to the compromise of Active Directory Services
FROM THE MEDIA: The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network. Most Bumblebee infections started by users executing LNK files which use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment or a link to the malicious archive containing Bumblebee. After initial execution, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft. Threat actors conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.
READ THE STORY: Security Affairs
Hacker Sick Codes says cybersecurity in agtech is no game after viral John Deere tractor hack
FROM THE MEDIA: An Australian hacker has fired a warning shot at the security of computerised farm equipment after breaking into the controls of a John Deere tractor to install the video game DOOM. His manipulation of the Linux-based display — showcased this month at one of the world's largest hacker conventions, DEF CON 30 in Las Vegas — has raised concerns about risks to the food supply chain and fired up debate about whether farmers should have the right to repair their own machinery. Described as a "white hat" hacker, Sick Codes is a security researcher who breaks into systems to identify vulnerabilities and then alerts the business so they can fix the flaws.
READ THE STORY: ABC
Organizations are now stressing resilient video security solutions
FROM THE MEDIA: Video surveillance is ubiquitous. In a single day, we might move through dozens of CCTV systems where we work, live, shop and play. While video surveillance might be more straightforward in smaller business settings, large organizations must operate both intricate and vast infrastructures to secure their operations. This complex infrastructure – as well as the exploding rate of data generation and increasingly sophisticated threats facing it – requires IT leaders to reframe the way they approach video surveillance. Instead of just plugging in a new NVR as physical space expands, enterprises must think deeply about the resilience of their entire video surveillance operation, including the foundational data storage and security infrastructure.
READ THE STORY: SecurityInfoWatch
Preventing cyber-bullying through Data Science
FROM THE MEDIA: Data science is the study of modeling and analyzing large data sets to discover patterns and derive useful information. The data used for analysis can come from a variety of sources and be presented in a variety of formats. Reichman University’s Data Science Institute is run by Dr. Shai Fine. Dr. Fine is the Julis-Rabinowitz Academic Chair for Data Science, holds a PhD in Computer Science from the Hebrew University of Jerusalem, and a postdoc at IBM, T.J. Watson Research Center, NY and has spent over 25 years at leading companies, such as Teva Pharmaceutical, Intel and IBM.
READ THE STORY: Times Of Israel
Concierge Digital Protection For Corporate Executives and High-Access Employees
FROM THE MEDIA: This blog post on concierge digital protection for corporate executives and high-access employees was written by analysts at TAG Cyber. An executive’s digital footprint and online presence is one of the new attack surface vectors into a targeted enterprise. The personal devices and home networks of corporate leaders are often not protected, requiring new security solutions to address this risk to avoid attacks on a company. To minimize cybersecurity risk, BlackCloak provides concierge digital executive protection for upper management, board members and high-risk employees, along with their families. We wanted to better understand the risks originating from personal digital lives, as well as BlackCloak’s comprehensive SaaS-based solution that addresses the security and privacy concerns of its clients.
READ THE STORY: SecurityBoulevard
U.S.-Mexico Working Group on Cyber Issues Advances Bilateral Cooperation, Including with CISA and HSI
FROM THE MEDIA: On August 10, the U.S.-Mexico Working Group on Cyber Issues convened its first bilateral cyber dialogue since the establishment of the U.S.-Mexico Bicentennial Framework for Security, Public Health, and Safe Communities. The meeting’s main objective was to advance bilateral cooperation on cyber issues in line with the two countries’ shared commitment to an open, interoperable, secure, and reliable Internet and a stable cyberspace. A secure, resilient, and stable cyberspace is fundamental for the development of the public and private sectors and for people worldwide to benefit from the free flow of information online. For this reason, cyber issues have become a priority in the U.S.-Mexico bilateral relationship, as demonstrated by their inclusion in the High-Level Security Dialogue (HLSD) and the inclusion of cybersecurity risk management issues in the High-Level Economic Dialogue (HLED).
READ THE STORY: HSTODAY
Ukraine warns Russia may cut Zaporizhzhia nuclear plant from power grid, both sides brace for 'provocation'
FROM THE MEDIA: Ukraine’s nuclear power agency Energoatom on Friday warned that it believes Russia is looking to cut the Zaporizhzhia plant off from the nation’s power grid as concerns continue to mount over a potential nuclear catastrophe. The Zaporizhzhia nuclear power plant has been under Russian control since March, but operations have remained under the control of Ukrainian officials as shelling and fighting continues to threaten Europe’s largest nuclear plant. "There is information that the Russian occupation forces are planning to shut down the power blocks and disconnect them from the power supply lines to the Ukrainian power system in the near future," Energoatom said in a Friday statement, first reported by Reuters.
READ THE STORY: FOXNEWS
There’s a chance regular people didn’t even notice: expert on Russian cyber attack
FROM THE MEDIA: This is not the first time Estonia has faced a cyberattack by Russian hackers. Ms Kuczyńska-Zonik pointed out that the biggest cyberattack against Estonia occurred in 2007, similarly over the removal of a Soviet monument. Such attacks target state institutions and private companies, but as Ms Kuczyńska-Zonik noted, there is a chance regular citizens did not even notice the attack occurred, as according to the government this attack, although very aggressive, was not very serious.
READ THE STORY: TVPWORLD
Hackers target dealer group Holdcroft in major cyber attack that may have compromised employees’ data
FROM THE MEDIA: Holdcroft Motor Group – which has 23 locations across the Midlands and north-west of England representing nine franchises – is understood to have lost data stretching back years, according to StokeonTrentLive. The attack left some of the Car Dealer Top 100 company’s core systems ‘damaged beyond repair’ or ‘permanently deleted’ but customer data wasn’t compromised, Holdcroft said. The news site added that it understood the hackers demanded a substantial payment following the attack. It is not known if the dealership group gave in to the demand.
READ THE STORY: Car Dealer Magazine
Items of interest
A major hacker conference kicks off in Taipei
FROM THE MEDIA: The largest cybersecurity community and conference in Taiwan, HITCON, opened its annual event in Taipei on Friday. The conference is bringing together Taiwan’s top cybersecurity, government, and business leaders to address growing security threats.
This year’s edition is called HITCON PEACE. The second word is an acronym for “Protect Enterprise And Citizens Ever-after.” The organizers say they aim to satisfy hackers and entrepreneurs alike by introducing both cutting edge technologies and practical solutions.
President Tsai Ing-wen was present at the opening ceremony. In her remarks, she said that strengthening cybersecurity has been a top priority for the government. Tsai said that a digital development ministry dedicated to Taiwan’s digital transformation will launch at the end of the month.
READ THE STORY: RTI
Defcon 30: Tor - Darknet OpSec By a Veteran Darknet Vendor & the Hackers Mentality (Video)
FROM THE MEDIA: Tor and Darknet OPSEC by a veteran Darknet Vendor & the Hackers Mentality War Story.
DEF CON 29 - Bill Graydon - Defeating Physical Intrusion Detection Alarm Wires (Video)
FROM THE MEDIA: Alarm systems are ubiquitous - no longer the realm of banks and vaults only, many people now have them in their homes or workplaces. But how do they work? And the logical follow-up question - how can they be hacked?
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com