Saturday, Aug 20, 2022 // (IG): BB //Sponsor: Zanes Hand Made
Analysis of Clop’s Attack on South Staffordshire Water – UK
FROM THE MEDIA: On August 15, the Clop ransomware group announced on their leak website the breach of South Staffordshire Water, a privately owned UK water supply company. This attack is yet another example of ransomware gangs targeting critical infrastructure expecting to receive a big payout, which is reminiscent of hundreds of previous incidents, including the well-known Colonial Pipeline and JBS attacks. However, in this instance the attackers did not encrypt systems to prevent access to data or business continuity. They chose to use extortion techniques that are gaining popularity with cybercriminals: leak some of the exfiltrated data, publicly shame the victim and threaten further consequences if the ransom is not paid.
READ THE STORY: Security Boulevard
Ransomware-as-a-Service: SaaS' Evil Twin
FROM THE MEDIA: As each year passes, the enterprise attack surface widens, leaving backdoors for malicious actors to exploit. While the rapid adoption of digital transformation by organizations is a great development, it comes with challenges. One such challenge is ransomware groups, which were behind over 50% of ransomware attacks between 2020 and 2022 alone. “Ransomware groups” is an everyday term for ransomware developers (also called “operators”) that provide ransomware kits on a subscription-based model. Technically known as Ransomware-as-a-Service (RaaS), its business model mirrors Software-as-a-Service (SaaS), the cloud computing model that lets you access applications (e.g., Slack and Gmail) over the internet without managing the underlying infrastructure.
READ THE STORY: Hackernoon
North Korean hacker group Lazarus targeting Mac users with fake job ads
FROM THE MEDIA: A nefarious North Korean hacking group called Lazarus is reportedly targeting Apple users through fake job offers. Security researchers at ESET reported Tuesday that the group's latest efforts involve fake job advertisements for Coinbase Inc developer positions. Coinbase is a cryptocurrency exchange used by many crypto traders. The fake job offers include an attachment with malware that can run on both Intel and Apple silicon Macs. According to a report on SiliconANGLE, the malware in the messages uses three files to compromise computers: a decoy PDF to make users think they've downloaded a legitimate attachment, a fake "font updater" app and a downloader labeled "safarifontagent".
READ THE STORY: Independent // Tech Times
Grandoreiro banking malware targets manufacturers in Spain, Mexico
FROM THE MEDIA: The notorious 'Grandoreiro' banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers at automotive and machinery makers in Mexico. The malware has been active in the wild since at least 2017 and remains one of the most significant threats of its kind for Spanish-speaking users. The recent campaign, spotted by analysts at Zscaler, started in June 2022 and is still ongoing. It involves the deployment of a Grandoreiro variant with several new detection-evasion and anti-analysis features, as well as a revamped C2 system.
READ THE STORY: Bleeping Computer
US deployed cyber ‘hunt forward’ team to Croatia
FROM THE MEDIA: The U.S. Cyber Command recently deployed its “hunt forward” team for the first time in Croatia to help the Balkan country shore up its cyber defenses and networks against active threats. The team, which is made up of U.S. military and civilian personnel, worked alongside Croatian intelligence and cybersecurity officials to look for malicious cyber activity and vulnerabilities. “It was an honor to send some of our best defensive operators to Croatia, to hunt for shared threats alongside our partners — we want to bring both expertise and talent to our partner nations, while seeing cyber adversaries who may be threatening our nation,” said U.S. Army Maj. Gen. William Hartman, commander of the U.S. Cyber Command’s Cyber National Mission Force.
READ THE STORY: The Hill
Chinese cyber agency signals support for tech industry
FROM THE MEDIA: Regulators with China’s main cybersecurity watchdog sent a conciliatory message on Friday towards the country’s tech industry, which has been chastened by a years-long crackdown, including a $1.2 billion fine against international ride-hailing giant DiDi. In a press conference, Cyberspace Administration of China (CAC) Vice Minister Niu Yibing said the agency was committed to the healthy development of local internet companies, according to a summary it posted online. CAC cybersecurity coordination bureau head Sun Weimin said the agency was also supportive of domestic firms seeking listings on overseas exchanges, according to Reuters, despite that being the apparent source of DiDi’s regulatory issues.
READ THE STORY: The Record
Google blocks world's largest web DDoS cyber attack ever
FROM THE MEDIA: One of Google’s customers was targeted with the largest distributed denial of service (DDoS) attack ever recorded, according to a report the company released this week. Attributed to Google Cloud Armor Senior Product Manager Emil Kiner and Technical Lead Satya Konduru, the report details the June 1 incident, in which a Google customer was hit with a series of HTTPS DDoS attacks, peaking at 46 million requests per second. To put it in perspective, they compared the attack to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.” “This is the largest Layer 7 DDoS reported to date — at least 76% larger than the previously reported record,” they wrote.
READ THE STORY: The Record
Bumblebee loader use for network breaches on the rise
FROM THE MEDIA: More threat actors linked to TrickBot, IcedID, and BazarLoader have been leveraging the Bumblebee malware loader to facilitate network breaches, reports The Hacker News. Cybereason researchers observed attackers take control of Active Directory after Bumblebee had harvested the credentials of a user with elevated privileges. "The time it took between initial access and Active Directory compromise was less than two days. Attacks involving Bumblebee must be treated as critical, [...] and this loader is known for ransomware delivery," said Cybereason.
READ THE STORY: SCMAG
What is Google Chrome's latest bug and how badly can it be exploited?
FROM THE MEDIA: The Singapore Computer Emergency Response Team (SingCERT) on Thursday (Aug 18) urged Google Chrome users to install the latest security updates immediately, citing a high-severity vulnerability in the web browser that is being exploited. While Google did not give more information about this vulnerability, as is usual until more users have applied the security update, its Chrome Releases blog stated that the bug involves "insufficient validation of untrusted input in Intents". "Users are also encouraged to enable the automatic update function in Chrome to ensure that their software is updated promptly," said SingCERT, a unit under the Cyber Security Agency of Singapore (CSA).
READ THE STORY: Channel News Asia
TA558 cybercrime group targets hospitality and travel orgs
FROM THE MEDIA: Researchers from Proofpoint are monitoring a malware campaign conducted by a cybercrime group, tracked as TA558, that is targeting hospitality, hotel, and travel organizations in Latin America. The group is a small crime threat actor that has been active since at least April 2018 and has employed multiple malware families in its attacks, including Loda RAT, Vjw0rm, and Revenge RAT. The malware is used to steal personal and financial data of hotel customers, including credit card data, perform lateral movement, and deliver additional payloads. The group mainly targets Portuguese and Spanish speakers, but experts have also observed attacks aimed at entities in Western Europe and North America.
READ THE STORY: Security Affairs
The Pentagon may require vendors certify their software is free of known flaws. Experts are split.
FROM THE MEDIA: Should the Pentagon require that vendors only sell the military software that’s free of known vulnerabilities or defects that could cause security problems? On the surface, it seems like a reasonable request. But when security researcher Jerry Gamblin tweeted a screenshot of the House of Representatives’ software vulnerability provision from within the massive 2023 National Defense Authorization Bill, passed July 14, it divided the cybersecurity community. The debate boils down to two key arguments: the requirement is unnecessary and impossible to achieve, or it is a game-changing move that will begin holding software vendors accountable for selling faulty technology.
READ THE STORY: CyberScoop
Goodbye “Kill Chains”, Hello “Attack Sequences”
FROM THE MEDIA: A few years ago at the RSA Conference I co-presented on the top cloud attack “kill chains”. Shawn Harris @infotechwarrior and I walked through what we considered to be the top 10+ real world cloud attacks. For each attack, we walked through each step, and some attacks had multiple branches to show the different options. We called these “kill chains”, but technically, a cyber kill chain is a very specific technique for modeling attacks developed by Lockheed Martin. Each attack starts with Reconnaissance and runs through a series of prescribed steps until Actions on Objectives. In the talk, we pointed to Lockheed Martin’s work and how our approach differed since we didn’t limit ourselves to prescribed steps.
READ THE STORY: Security Boulevard
Russian hackers plan to release data stolen from McKinney hospital onto dark web
FROM THE MEDIA: Tonight, an unknown number of North Texans should prepare for their personal information to be sold on the dark web. Russian hackers say they plan to release information on data files stolen from the servers at Methodist McKinney Hospital and two of its nearby surgery centers. Cyber security experts like Andrew Sternke and other threat analysts say the hospital's decision not to pay ransom was the correct one. "This group will release it out there on the dark web, basically selling the information," said Sternke. "This group had just basically stolen information versus locking down the whole system with the ransomware attack."
READ THE STORY: CBS NEWS
U.S. sending new drones to Ukraine ahead of southern push
FROM THE MEDIA: The Biden administration Friday announced it will send new weapons to Ukraine as part of a $775 million package, including new drones, armored vehicles and artillery. The shipments indicate that Washington and Kyiv expect hard fighting on the ground in the coming weeks — and not just the artillery tit-for-tat the world has witnessed for weeks. For the first time, the U.S. is sending 15 ScanEagle surveillance drones to help the Ukrainians spot and correct the precision artillery and rocket strikes that have taken a toll on Russian forces, stalling their progress. The small drones can be moved around the battlefield relatively easily and would be invaluable in the expected push to retake the city of Kherson in the south.
READ THE STORY: Politico
Former Trump-era officials frustrated by US technology losing to China
FROM THE MEDIA: The United States (US) is believed to have failed to limit technology exports to China, frustrating former Pentagon officials from the Donald Trump administration. Trump had put in place a policy that tightened technology exports to China. Yet, as the Wall Street Journal noted, exports to China reached US$125 billion, with about 94% of permit applications approved by the US Department of Commerce out of approximately 2,652 licenses in total. Steve Cunanan, a former Pentagon export control analyst, said he was disappointed with the data. “I have no problem doing business with China or ‘feeding’ them,” he said in an email sent to a colleague after resigning last year, according to the Daily Mail on Wednesday (17/8).
READ THE STORY: Nation World News
Outer space doesn’t need to be the Wild West
FROM THE MEDIA: The release of the first images taken by NASA’s James Webb Space Telescope will inspire generations with the infinite possibilities that outer space holds. Clearly, we have a responsibility to ensure that only peaceful, safe, sustainable, lawful and legitimate uses of space are undertaken for the benefit of humanity and future generations. In pursuit of this, over the past six years, McGill University and a host of collaborating institutions around the world have been involved in the drafting of the McGill Manual on International Law Applicable to Military Uses of Outer Space.
READ THE STORY: Asia Times
Putin is losing info war in Ukraine: UK spy chief
FROM THE MEDIA: Russia has failed to gain ground in cyberspace against Ukraine almost six months after its invasion of the country, the head of Britain's GCHQ intelligence service said on Friday. Jeremy Fleming, the intelligence head, in an op-ed in The Economist, wrote that both countries have been using their cyber capabilities in the war in Ukraine. "So far, president Putin has comprehensively lost the information war in Ukraine and in the West. Although that's cause for celebration, we should not underestimate how Russian disinformation is playing out elsewhere in the world," Fleming wrote.
READ THE STORY: The Daily Star
Russian APT 29 Targets Microsoft 365 features to Muddle Detection
FROM THE MEDIA: The threat actor behind the SolarWinds supply-chain intrusion, APT29, has been observed in recent attacks using newer tactics that target various Microsoft 365 features in order to evade detection and maintain “exceptional operational security.” The Russian espionage group, which Mandiant has tracked since 2014, has previously targeted the U.S. and NATO member countries. In attacks this year on unnamed organizations that influence the foreign policy of NATO countries, APT29 was observed tampering with Microsoft 365 license assignments to switch off the logging features organizations rely on to confirm which accounts were compromised, and abusing the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory on dormant accounts that had never completed it.
READ THE STORY: DUO
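The two behaviours in the APT29 story, license tampering that removes audit logging and MFA enrollment on dormant accounts, both leave records in the Azure AD audit log. The script below is an added example of what a detection over such records looks like; it is not Mandiant's tooling or Microsoft's schema. The record layout, the SKU names, the operation strings and the account names are constructed stand-ins for the real fields (the real log nests these differently), and the last-sign-in table is assumed to come from a separate sign-in log export.

```python
"""Detection sketch over constructed Microsoft 365 / Azure AD audit records.

Checks two behaviours reported for APT29:
  1. a user's license assignment changed (a downgrade can switch off
     advanced audit features such as mailbox-access logging), and
  2. MFA security-info registration on an account that had been dormant.
The record layout below is a simplified, constructed stand-in for the
real audit-log schema (assumption, not the actual Microsoft format).
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

DORMANT_DAYS = 90

# Illustrative SKU part numbers: treat removal of a premium SKU as a
# possible audit downgrade. Assumption for this example only.
AUDIT_SKUS = {"ENTERPRISEPREMIUM"}

# Constructed sample: last interactive sign-in per account, ISO 8601 UTC,
# assumed to come from a separate sign-in log export.
LAST_SIGNIN = {
    "alice@corp.example": "2022-08-10T08:00:00",
    "svc-legacy@corp.example": "2022-02-01T09:30:00",  # dormant for months
}

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT = """
{"CreationTime":"2022-08-12T10:15:00","Operation":"Change user license.","Actor":"admin@corp.example","Target":"alice@corp.example","ModifiedProperties":[{"Name":"AssignedLicense","OldValue":"ENTERPRISEPREMIUM","NewValue":"ENTERPRISEPACK"}]}
{"CreationTime":"2022-08-12T10:20:00","Operation":"User registered security info","Actor":"svc-legacy@corp.example","Target":"svc-legacy@corp.example","ModifiedProperties":[]}
{"CreationTime":"2022-08-12T11:00:00","Operation":"User registered security info","Actor":"alice@corp.example","Target":"alice@corp.example","ModifiedProperties":[]}
{"CreationTime":"2022-08-12T11:05:00","Operation":"Update user.","Actor":"admin@corp.example","Target":"bob@corp.example","ModifiedProperties":[]}
"""


def parse_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_dormant(account: str, at: datetime, last_signin: dict[str, str] = LAST_SIGNIN) -> bool:
    """An account is dormant if it has not signed in for DORMANT_DAYS before `at`.
    An account with no sign-in on record is treated as dormant (fail closed)."""
    seen = last_signin.get(account)
    if seen is None:
        return True
    return at - datetime.fromisoformat(seen) > timedelta(days=DORMANT_DAYS)


def detect(records: list[dict], last_signin: dict[str, str] = LAST_SIGNIN) -> list[tuple[str, str, str, str]]:
    """Return (rule, severity, target, detail) alerts for the two behaviours."""
    alerts = []
    for rec in records:
        when = datetime.fromisoformat(rec["CreationTime"])
        op = rec["Operation"]
        target = rec["Target"]
        if op == "Change user license.":
            # Every license change is worth a look; removal of a premium SKU is high.
            severity = "info"
            details = []
            for prop in rec["ModifiedProperties"]:
                old, new = prop.get("OldValue", ""), prop.get("NewValue", "")
                details.append(f"{old}->{new}")
                if old in AUDIT_SKUS and new not in AUDIT_SKUS:
                    severity = "high"
            alerts.append(("license_change", severity, target, ", ".join(details)))
        elif op == "User registered security info" and is_dormant(target, when, last_signin):
            # Self-enrolment of MFA on an account nobody has used for months.
            last = last_signin.get(target, "never")
            alerts.append(("mfa_enrolment_on_dormant_account", "high", target, f"last sign-in {last}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_records(SAMPLE_AUDIT)):
        print(alert)
```

Run as-is it reports the license downgrade on alice and the MFA registration on the dormant service account; alice's own registration is ignored because she signed in two days earlier. In production the dormancy baseline should come from sign-in logs rather than a static table, and license changes by a known provisioning identity can be allow-listed to keep the rule quiet.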
241 npm and PyPI packages caught dropping Linux cryptominers
FROM THE MEDIA: Researchers have caught at least 241 malicious packages infiltrating the npm and PyPI open source registries this week. The packages are typosquats of popular libraries and commands such as React, argparse, and AIOHTTP; instead of the expected code, each one downloads a Bash script from the threat actor's server that installs a cryptominer on Linux systems.
READ THE STORY: Bleeping Computer
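Typosquats of this kind are caught the same way on the defender's side: compare each new or requested package name against a list of well-known names and flag anything that is almost, but not exactly, one of them. The script below is an added example, not code from the reporting researchers or from either registry. The popular-package lists and the test names are constructed for illustration, and the length-scaled distance threshold is a design choice of this example.

```python
"""Typosquat screening for package names (added example).

Flags names within a small edit distance of a well-known package name but
not equal to it. Uses optimal-string-alignment distance so that a swapped
pair of letters ("recat" for "react") counts as one edit, which plain
Levenshtein would count as two.
"""
from __future__ import annotations

# Constructed allow-lists of well-known packages (illustrative, not exhaustive).
POPULAR = {
    "npm": {"react", "lodash", "express", "axios"},
    "pypi": {"argparse", "aiohttp", "requests", "numpy"},
}


def osa_distance(a: str, b: str) -> int:
    """Edit distance with insert, delete, substitute and adjacent transposition."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # delete
                          d[i][j - 1] + 1,        # insert
                          d[i - 1][j - 1] + cost)  # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[n][m]


def normalise(name: str) -> str:
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive;
    the same folding is applied to npm names here so look-alikes compare equal."""
    return name.lower().replace("_", "-").replace(".", "-")


def max_distance(popular: str) -> int:
    """Short names tolerate one edit, longer names two (threshold is a design choice)."""
    return 1 if len(popular) <= 6 else 2


def check_name(registry: str, candidate: str) -> list[tuple[str, int]]:
    """Return (popular_name, distance) pairs the candidate may be squatting on.
    An exact match after folding is the real package and yields []."""
    folded = normalise(candidate)
    hits = []
    for popular in POPULAR[registry]:
        dist = osa_distance(folded, normalise(popular))
        if dist == 0:
            return []
        if dist <= max_distance(popular):
            hits.append((popular, dist))
    return sorted(hits, key=lambda h: h[1])


def screen(registry: str, names: list[str]) -> dict[str, list[tuple[str, int]]]:
    """Map each suspicious name in `names` to the popular packages it resembles."""
    return {n: hits for n in names if (hits := check_name(registry, n))}


if __name__ == "__main__":
    print(screen("npm", ["react", "recat", "lodahs", "vue"]))
    print(screen("pypi", ["aiohtp", "arg_parse", "requests"]))
```

Two caveats a practitioner will hit immediately: legitimate packages sometimes sit one edit from a popular one, so the output is a review queue rather than a block list, and dependency confusion (an internal name published publicly) is a separate check that this distance test does not cover.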
Bumblebee attacks, from initial access to the compromise of Active Directory Services
FROM THE MEDIA: The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network. Most Bumblebee infections started with users executing LNK files that use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment or a link to the malicious archive containing Bumblebee. After initial execution, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft. The threat actors conducted intensive reconnaissance and redirected the output of executed commands to files for exfiltration.
READ THE STORY: Security Affairs
Apple Safari patched to fix potentially dangerous zero-day flaws
FROM THE MEDIA: Apple has moved fast to patch its Safari browser against a serious security vulnerability affecting a number of its operating systems. Safari 15.6.1 for macOS Big Sur and Catalina is available to download now, with anyone using those versions advised to upgrade immediately. The fix for CVE-2022-32893 patches an out-of-bounds write flaw in WebKit, the engine of Safari that is also used by other apps with web access. Apple says the flaw may already have been exploited in the wild; when abused, it allows a threat actor to execute arbitrary code remotely on a vulnerable device.
READ THE STORY: TechRadar
FBI + CISA Warn Companies (Especially Health Care) About Zeppelin Ransomware
FROM THE MEDIA: The FBI and CISA recently issued a Cybersecurity Alert entitled “#StopRansomware: Zeppelin Ransomware” providing an alert to organizations about the proliferation of Zeppelin ransomware attacks and information on the indicators of compromise and techniques to combat them. According to the Advisory, “From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the health care and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”
READ THE STORY: National Law Review
Poppy Gustafsson, the cyber security chief with a human dilemma
FROM THE MEDIA: Addressing a group of investors last year, Poppy Gustafsson pronounced: “An attack, once thwarted, needs to have all the tendrils of infection removed.” “This is a human-intensive task that is prone to human error and insufficient vigilance,” added the chief executive of cyber security group Darktrace, one of the UK’s best-known start-ups. News this week that tech-focused private equity group Thoma Bravo is mulling a bid to take Darktrace private is a vote of confidence in a company that is grappling with some skepticism over its growth prospects as well as risks to its reputation, the tendrils of which have proved difficult to remove.
READ THE STORY: FT
Items of interest
Canada Announces Funding to Protect Against the Quantum Cyber Threat
FROM THE MEDIA: From electronic espionage to ransomware, the threats to Canadians from malicious cyber activity, including cyber attacks, are greater than ever. In the future this will also include the quantum threat, whereby quantum computers will be able to break much of the public-key encryption that people rely on today. Given the significant risk that it poses, the Government of Canada is redoubling efforts to protect Canadians from the quantum threat.
The Minister of Public Safety, the Honorable Marco Mendicino, has announced federal support for Canada’s cyber defenses. Quantum-Safe Canada will receive $675,000 for their project Laying the Foundations for a Quantum-Safe Canada, which raises awareness and preparedness of the quantum threat. This funding is made available under the Cyber Security Cooperation Program.
READ THE STORY: HSTODAY
CTH: Go Phish: Visualizing Basic Malice (DEF CON 30, Project Obsidian) (Video)
FROM THE MEDIA: Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment? We will take a journey as if we are a new member of the Magnum Tempus Financial Security Team and proceed through a Threat Hunt through the eyes of a newbie in the field of Threat Hunting.
Hacking Go-Karts in the Car Hacking Village | DEF CON 30 (Video)
FROM THE MEDIA: Hacking Go-karts in the Car Hacking Village | DEF CON 30.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com