Thursday, Aug 25, 2022 // (IG): BB // Sponsor: ShadowNews
Crypto Miners Using Tox P2P Messenger as Command and Control Server
FROM THE MEDIA: Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations. The findings come from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact ("72client") that functions as a bot and can run scripts on the compromised host using the Tox protocol. Tox is a serverless protocol for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library (NaCl, pronounced "salt") for encryption and authentication.
READ THE STORY: THN
Lessons from the Holy Ghost Ransomware Attacks
FROM THE MEDIA: Originating in North Korea, the Holy Ghost ransomware operation has preyed primarily on small businesses, but that doesn’t mean larger businesses can ignore it. This is an interesting shift of focus, and it highlights a key lesson straight out of the gate: cybersecurity is no longer just for ‘big’ or ‘important’ businesses. With the pandemic-accelerated shift to online and remote work, staying safe in cyberspace has become a business-critical concern.
READ THE STORY: HackRead
Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account
FROM THE MEDIA: An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages. Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making — according to researchers from the Cofense Phishing Defense Center (PDC). READ THE STORY: DarkReading
Ragnar Locker Likely Behind Attack on Greek Gas Operator
FROM THE MEDIA: The Ragnar Locker ransomware group released 361 gigabytes of what appears to be confidential data belonging to Greek national natural gas pipeline operator DESFA. The crime group says the alleged victim refused to negotiate and so it made good on its data dump threat. Among the leaked documents are engineering designs and budget and revenue documents. "DESFA company didn't pay any attention on the possible risk of data leakage," the ransomware gang wrote on its leak site on Tuesday. READ THE STORY: GovInfoSec
China is preparing for a full-spectrum AI war. India is still 15 years behind
FROM THE MEDIA: In his new book The Last War: How AI Will Shape India’s Final Showdown With China, Pravin Sawhney, the editor of FORCE magazine, disquietingly forebodes a grim scenario for 2024: “If India and China were to fight a war in the near future, India faces the prospect of losing the war within 10 days. China could take Arunachal Pradesh and Ladakh with a minimum loss of life, and there is very little that India could do about it.” Is it the imagination of a defence analyst running wild? Far from it — such scenarios have been predicted by other analysts too. READ THE STORY: The Print
CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild. The bug (CVE-2022-0028, with a CVSS severity score of 8.6) exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse the firewalls to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate. READ THE STORY: DarkReading
Microsoft discovers post-compromise trick used by NOBELIUM to authenticate as anyone
FROM THE MEDIA: Security researchers at Microsoft have discovered a post-compromise capability or trick used by NOBELIUM to maintain persistent access to compromised environments. NOBELIUM is a highly active threat actor that executes multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia. READ THE STORY: Devdiscourse
GAIROSCOPE attack allows to exfiltrate data from Air-Gapped systems via ultrasonic tones
FROM THE MEDIA: The popular researcher Mordechai Guri from the Ben-Gurion University of the Negev in Israel devised an attack technique, named GAIROSCOPE, to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes. The attack requires that the threat actor has installed malware in advance on the air-gapped system, as well as on a smartphone which must be located in the proximity of the system. READ THE STORY: Security Affairs
PyPI Repository Warns Python Project Maintainers About Ongoing Phishing Attacks
FROM THE MEDIA: The Python Package Index, PyPI, on Wednesday sounded the alarm about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages. "This is the first known phishing attack against PyPI," the maintainers of the official third-party software repository said in a series of tweets. The social engineering attack entails sending security-themed messages that create a false sense of urgency by informing recipients that Google is implementing a mandatory validation process on all packages and that they need to click on a link to complete the validation before September. READ THE STORY: THN
Hacked security cameras still wide open
FROM THE MEDIA: Shedloads of IP security cameras made by China-based Hikvision are still unpatched even though a fix was issued for a critical security bug nearly a year ago. A Cyfirma report found more than 80,000 cameras in more than 100 countries online, with ports open and no protection against CVE-2021-36260, a command-injection vulnerability exploitable by anyone with HTTP access to TCP ports 80 or 443 of an affected camera. READ THE STORY: Fudzilla
UK Water Supplier Suffered a Clop Ransomware Attack During Major Drought; Victim Initially Misidentified as UK’s Largest Water Utility
FROM THE MEDIA: UK water supplier, South Staffordshire PLC, suffered a Clop ransomware attack in which the gang misidentified its victim. The cybercrime gang claims it compromised Thames Water, the largest water utility and sewerage treatment facility serving Greater London and surrounding areas. According to the gang, the water supplier allegedly had “very bad holes” in “all systems,” allowing the threat actors to spend months in the systems. READ THE STORY: CPO MAG
GitLab ‘strongly recommends’ patching critical RCE vulnerability
FROM THE MEDIA: GitLab is urging users to install a security update for branches 15.1, 15.2, and 15.3 of its community and enterprise editions to fix a critical vulnerability that could enable an attacker to perform remote command execution via GitHub import. GitLab is a web-based Git repository for developer teams that need to manage their code remotely. It has approximately 30 million registered users and one million paying customers. READ THE STORY: Bleeping Computer
Breach data from Maine shows scope of bank, credit union exposures
FROM THE MEDIA: So far in 2022, at least 79 financial service companies have reported data breaches affecting 1,000 or more consumers, and the total number of consumers affected by these breaches could be as high as 9.4 million. Those numbers come from Maine Attorney General Aaron Frey, pursuant to the state's data breach disclosure laws. The figures track the total number of people affected by each breach — not just Maine residents. READ THE STORY: ASR
Twitter Won't Get Better: It's Time to Shut It Down
FROM THE MEDIA: Like many internet users, I love schadenfreude and few things have given me more pleasure to read than yesterday's Twitter whistleblower story. It's a veritable feast of terrible things. The company allegedly has half its 500,000 server fleet running an insecure operating system that's no longer supported by vendors. And the site has allegedly experienced one security incident per week. Delicious! READ THE STORY: PCMAG
Quantum ransomware attack disrupts govt agency in Dominican Republic
FROM THE MEDIA: The Dominican Republic's Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency. The Instituto Agrario Dominicano (IAD) is part of the Ministry of Agriculture and is responsible for executing Agrarian Reform programs in the country. Local media reports that the ransomware attack occurred on August 18th, which has impacted the agency's operation. READ THE STORY: Bleeping Computer
RansomEXX claims ransomware attack on Sea-Doo, Ski-Doo maker
FROM THE MEDIA: The RansomEXX ransomware gang is claiming responsibility for the cyberattack against Bombardier Recreational Products (BRP), disclosed by the company on August 8, 2022. At the time, the Canadian maker of Ski-Doo snowmobiles, Sea-Doo jet skis, ATVs, motorcycles, watercrafts, and Rotax engines informed the public of a temporary stop for all operations as a response to "malicious cyberactivity." READ THE STORY: Bleeping Computer
LockBit ransomware group implicated in crippling attack on French hospital
FROM THE MEDIA: French police sources have named the LockBit ransomware group as the culprits behind the devastating attack on a hospital in France. Center Hospital Sud Francilien (CHSF) in Corbeil-Essonnes — about an hour south-east of Paris — announced that it was hit early Sunday with a cyberattack that crippled the hospital’s “business software, storage systems (in particular medical imaging) and the information system relating to patient admissions.” READ THE STORY: The Record
Karakurt ransomware group targeting healthcare providers, HHS warns
FROM THE MEDIA: Provider organizations are being warned to be on the alert for cyberattacks levied by the Karakurt ransomware group after at least four cyberattacks by the threat actors against the healthcare sector in the last three months. Those observed attacks included an assisted living facility, a dental firm, a provider and a hospital. An alert from the Department of Health and Human Services Cybersecurity Coordination Center (HC3) notes that while Karakurt emerged in late 2021. READ THE STORY: SCMAG
WannaCry explained: A perfect ransomware storm
FROM THE MEDIA: WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them. READ THE STORY: CSO
BlackByte Ransomware Group Adds New “Feature” to Data Leak Site With Tiered Payment Options
FROM THE MEDIA: The BlackByte ransomware gang’s “2.0” reboot of their data leak site sports a new “feature” for its victims: a tiered payment system that allows for smaller payments to delay publication of sensitive data, or to simply download and recover it prior to having it dumped for public viewing. The group had disappeared briefly over the summer after being one of the biggest and most active ransomware gangs in the early part of 2022.
READ THE STORY: CPO
Iran to launch 150 military drones in test of combat capability
FROM THE MEDIA: Iran will carry out large-scale drone drills across the country on Wednesday, involving 150 unmanned aerial vehicles, to show off the country's military strength, state media reported. The accuracy, power, guidance and combat capabilities of the drones will be tested, Iran's deputy co-ordinator of the armed forces Admiral Habibollah Sayyari was quoted as saying. "This is the first time that a joint drone exercise is conducted at the level of the four forces of the Islamic Republic of Iran's army and the country's joint air defense base," Admiral Sayyari said. READ THE STORY: The National News
Against Disinformation: Google uses Videos as A “Vaccination” Against Manipulation
FROM THE MEDIA: In order to forestall disinformation about refugees from Ukraine, Google wants to display special videos in several European countries. With short video clips, Google wants to help people in Europe to better recognize disinformation and conspiracy theories about refugees from Ukraine. To do this, Google’s subsidiary Jigsaw draws on findings from an online experiment at the University of Cambridge.
READ THE STORY: TS
Google to start campaign against misinformation on Ukrainian refugees
FROM THE MEDIA: Google said that it was basing its campaign on research by British psychologists, where viewers were exposed to "inoculating" clips. The campaign is centered on Poland, the Czech Republic and Slovakia. Google's Jigsaw subsidiary will launch a campaign aimed at tackling disinformation about Ukrainian refugees next week. READ THE STORY: DW
Iranian cyberespionage group makes use of Hyperscrape to extract emails
FROM THE MEDIA: Charming Kitten, also known as APT35 and Magic Hound, is a state-sponsored threat actor originating from Iran that has been active for about 10 years already. The threat actor has targeted government and military personnel, academics and journalists in the U.S. and the Middle East. Their aim is cyberespionage. APT35 may not be the most sophisticated APT threat actor in the wild, but their tooling is powerful and effective. READ THE STORY: FrpBypassFree
Following US nuclear deal response, Iran launches major drone drill
FROM THE MEDIA: The Iranian army launched a major nation-wide, two-day drone drill on Wednesday morning, using nearly 150 drones of various types, and including all four army branches as well as the Iranian air force. “These joint drills of the drones at the level of the four forces of the army and the joint air defense headquarters will take place for the first time, in the waters of the Persian Gulf and the Sea of Oman, from the south to the east, west, north and center of the country,” Rear Admiral Habibullah Sayyari, the Coordinating Assistant to the Commander of the Iranian Army, was quoted in the “Tehran Times”. READ THE STORY: Israel Defense
Beijing hires hackers to attack human rights organizations
FROM THE MEDIA: Massachusetts-based cybersecurity company Recorded Future recently released a report stating that a hacker group associated with the Chinese Communist Party has been targeting human rights organizations, think tanks, media agencies, and multinational government agencies. The group has carried out cyberattacks over the past three years. The hacker group RedAlpha targeted Amnesty International, the International Federation for Human Rights, Radio Free Asia, the Mercator Institute on China, and other think tanks, government agencies, and humanitarian organizations around the world. They register domains masquerading as the targeted organizations and agencies and use fake login pages to steal credentials such as username and password. READ THE STORY: The BL
Items of interest
Xiaomi could be 'adversely affected' by tax allegations in India
FROM THE MEDIA: Chinese gadget giant Xiaomi has warned in its April-June 2022 earnings report that its troubles in India – related to allegations of improperly moving funds offshore – could noticeably affect business.
The company admitted [PDF] the investigations and allegations "could take a long period of time to settle, and the Group could receive judgments or enter into settlements that may adversely affect its operating results or cash flows." Xiaomi added that "it is not practical to quantify related financial effects at this stage."
In late April, the Indian government seized over $724 million of Xiaomi's bank deposits. The Department of Revenue said the amount was equal to funds sent abroad under the guise of paying royalties without any services provided in return.
READ THE STORY: The Register
Reverse Engineering - Computerphile (Video)
FROM THE MEDIA: You just have the binary - can you work out what it does & how? Dr Steve Bagley talks about how you might reverse engineer a piece of software.
The rise of insider cybersecurity threats (Video)
FROM THE MEDIA: Irena Mroz, VP and Co-founder of Nucleus Cyber, and Cyber Work podcast host Chris Sienko discuss all things internal threats, from intentional and malicious attacks to poor employee practices and awareness.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com