Friday, Sept 02, 2022 // (IG): BB //Sponsor: ShadowNews
Threat Actor Phishing PyPI Users Identified
FROM THE MEDIA: Security researchers have identified a previously unknown group dubbed "JuiceLedger" as the threat actor behind a recent and first-known phishing campaign specifically targeting users of the Python Package Index (PyPI). The threat actor first surfaced early this year and is focused on distributing a .NET-based malware called JuiceStealer for searching and stealing browser and cryptocurrency-related information from infected systems.
READ THE STORY: DarkReading
“I’m Tired Of Living In Poverty” – Russian-Speaking Cyber Criminals Feeling The Economic Pinch
FROM THE MEDIA: Rising energy bills, inflation, skyrocketing interest rates; the world continues to suffer from a cost of living and economic crisis. While individuals are feeling the pinch at their supermarkets, with their mortgage rates, and at the petrol pumps, the impact of the global economic downturn and other major events is also being felt by the cybercriminal world. Check out some of our findings of these difficulties in the following blog.
READ THE STORY: Digital Shadows
Malicious payloads distributed through ModernLoader implant
FROM THE MEDIA: The Hacker News reports that malicious implant ModernLoader, also known as Avatar bot, has been leveraged by a Russian-speaking threat actor to deploy various malware in three separate but related campaigns between March and June 2022. Attacks using ModernLoader involve attack attempts on vulnerable WordPress and CPanel instances through files spoofing fake Amazon Gift cards, with an HTML Application file executing a PowerShell script for interim payload deployment being the initial stage payload, a report from Cisco Talos revealed.
READ THE STORY: SCMAG
Apple Quietly Releases Another Patch for Zero-Day RCE Bug
FROM THE MEDIA: Apple has quietly rolled out more updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, can allow attackers to create malicious Web content that allows remote code execution (RCE) on a user's device. An update released Wednesday, iOS 12.5.6, applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.
READ THE STORY: DarkReading
Ransomware as a Service: Unravelling this Ecosystem
FROM THE MEDIA: The cybersecurity industry continuously tracks how ransomware groups attack and who the newest victims are. However, we sometimes forget to look at how all these groups work behind the scenes and what kind of resources they use before and after an attack, from affiliate services to “client support” platforms. What’s behind this boom? Jose Miguel Esparza, head of threat intelligence at Outpost24, explains how RaaS operations work in today’s ecosystem.
READ THE STORY: Spiceworks
Hackers using Instagram verification program to steal personal data
FROM THE MEDIA: Since July, hackers with IP addresses in Turkey have used Instagram’s verification process to steal sensitive information from unsuspecting users, according to a new report from Vade. The company said victims typically receive phishing emails from an “ig-badges” email account that generally has the subject line “ig bluebadge info.” The email tells the victim that their Instagram profile has been reviewed and “deemed eligible” for verification.
READ THE STORY: The Record
Kaspersky uncovers banking malware on the prowl in APAC
FROM THE MEDIA: With the continued uptick in the adoption of mobile banking in Asia Pacific (APAC), global cybersecurity company Kaspersky warns of more attacks against Android and iOS devices. Particularly, active monitoring shows the notorious Anubis Trojan now delivers a combination of mobile banking Trojan with ransomware functionalities to its target smartphones. Mobile banking Trojans are one of the most dangerous species in the malware world. This type of threat steals money from mobile users' bank accounts, usually by disguising the Trojans as legitimate apps to lure people into installing the malware.
READ THE STORY: SecurityBrief
Thunderbird 102.2.1 launches with important security fixes
FROM THE MEDIA: The security update addresses several vulnerabilities that may overcome the built-in remote content blocking mechanism. Thunderbird 102.2.1 is already available as an in-client update and as a separate download from the official project website. Existing users may select Help > About Thunderbird to display the current version. The program runs an automatic check for updates at this point to download and install any new version that is found during the check.
READ THE STORY: GHACKS
Evidence Backs Up Beijing Link to South China Sea Hackers
FROM THE MEDIA: On August 30, cybersecurity firm Proofpoint revealed that hackers linked to the Chinese state had targeted energy companies operating in the South China Sea, as well as other public and private entities in Australia and beyond. The U.S. Department of Justice had already indicted hackers linked to the campaign. China sought to deflect blame by attacking Proofpoint’s credibility. “[Proofpoint] has frequently collaborated with the U.S. government to systematically spread disinformation on the so-called ‘China hacking attacks,’ serving as the ‘white gloves’ of the U.S. government,” Chinese Foreign Ministry Spokesman Zhao Lijian said at a news conference on August 31.
READ THE STORY: Polygraph
No Honor Among Thieves – Prynt Stealer’s Backdoor Exposed
FROM THE MEDIA: Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile organizations, and execute bigger payday schemes like ransomware. Information stealer malware families including Prynt Stealer are often configured through a builder to facilitate the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered that the Prynt Stealer builder, also attributed with WorldWind and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.
READ THE STORY: Security Boulevard
Privacy commissioner closes probe into RBNZ cyber defenses
FROM THE MEDIA: New Zealand’s privacy commissioner has closed a probe into the central bank’s cyber defenses, following a breach that saw hackers gain access to sensitive documents in late 2020. The commissioner’s office ended its “compliance notice” today (September 1). The notice set out several reforms for the Reserve Bank of New Zealand to enact relating to the security of personal information. “The RBNZ has made every change recommended and more, and we are closing this compliance notice confident that
READ THE STORY: Central Banking
Ragnar Locker Ransomware Targets Energy Sector, Cybereason Suggests
FROM THE MEDIA: On Saturday, 20 August, Greece’s largest natural gas supplier DESFA said it was hit by a cyber-attack that impacted the availability of some of its systems. The hacking group operating under the name of Ragnar Locker claimed responsibility for the ransomware attack, saying it had published more than 360 GB of data allegedly stolen from DESFA. Almost two weeks after the attack, security researchers from Cybereason have now released a Threat Analysis Report describing the details of the attack.
READ THE STORY: InfoSec Mag
New ransomware hits Windows, Linux servers of Chile govt agency
FROM THE MEDIA: Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency.
READ THE STORY: Bleeping Computer
Montenegro hit by ransomware attack, hackers demand $10 million
FROM THE MEDIA: The government of Montenegro has provided more information about the attack on its critical infrastructure, saying that ransomware is responsible for the damage and disruptions. Public Administration Minister Maras Dukaj stated on local television yesterday that behind the attack is an organized cybercrime group. The effects of the incident continue for the tenth day.
READ THE STORY: Bleeping Computer
Ransomware is in the Cloud
FROM THE MEDIA: In a world of rapid digital transformation, ransomware ranks among the top concerns for cyber security professionals, and with good reason. It is elusive and can pawn even the most secure of organizations. Once the malware enters your network, it can ferret around and hold assets in other parts of your organization hostage. Currently, ransomware primarily targets vulnerabilities within on-premise network infrastructures. However, as the majority of companies transition to hybrid or purely cloud operations, the bad guys swiftly follow suit. Though we aren’t yet seeing it make headlines, ransomware attacks to the cloud have begun.
READ THE STORY: Security Boulevard
BlackCat Ransomware responsible for impacting Fremont County systems
FROM THE MEDIA: In collaboration with county, state and federal partners, the Governor’s Office of Information has determined through its investigation that the recent cybersecurity event impacting Fremont County systems was the result of BlackCat ransomware, also known as ALPHV. Fremont County incident response efforts remain in full effect and significant progress has been made following the Aug. 17 ransomware attack on county government systems.
READ THE STORY: Canon City Daily Record
Ransomware Attack Sends Montenegro Reaching Out to NATO Partners
FROM THE MEDIA: Montenegro is getting support from the US and other allies in fending off cyberattacks against its information systems and electronic services at a time of political turmoil. Hackers targeted websites and databases of the smallest former Yugoslav republic with the “Cuba” ransomware and a new virus named “Zero Date,” Montenegro’s Public Administration Minister Marash Dukaj said in a Facebook video. Montenegro joined the North Atlantic Treaty Organization in 2017 after ending close ties with Russia.
READ THE STORY: Bloomberg
Karakurt ransomware attacks migration policy organization
FROM THE MEDIA: International Centre for Migration Policy Development, which operates across 90 countries, had its servers breached in an attack claimed by the Karakurt ransomware group, reports The Record, a news site by cybersecurity firm Recorded Future. Aside from touting the theft of financial documents, personal data, and banking details on Telegram, Karakurt explained on its leak site that it had stolen 375GB of data, including contract scans and correspondences, project budgets, invoices, financial and insurance documents, and passports, as well as the mailboxes of the ICMPD's key members.
READ THE STORY: SCMAG
REvil claims to have hit a Fortune 500 company
FROM THE MEDIA: Notorious hacker cartel REvil, labeled dead for several months, appears to have come back to life. The group says it has breached Midea Group, a major Chinese electrical appliance manufacturer. Cybernews reached out to Midea Group for comment, but we haven’t received any reply before publishing the article. REvil’s leak site, seen by Cybernews, displays uploaded screenshots of the data the group claims to have stolen from the company. One of the pictures shows a folder titled ‘Target Properties,’ weighing 11.7 GBs. Another screenshot shows a folder that holds 373 GBs worth of information.
READ THE STORY: CyberNews
AI, Machine Learning a must in the face of cyber threats
FROM THE MEDIA: The semiannual FortiGuard Labs Global Threat Landscape Report is out, and the news isn’t great for defenders. Among the plethora of risks facing organizations, ransomware variants almost doubled in the last six months alone. As networks continue to expand, so do opportunities to exploit them, increasing the need for artificial intelligence (AI) and machine learning (ML) tools to bolster security efforts.
READ THE STORY: ITworld Canada
Malicious DNS traffic targets corporate and personal devices
FROM THE MEDIA: Akamai’s security research team examined potentially compromised devices, discovering that 12.3% communicated with domains associated with malware or ransomware during Q2 2022. This Help Net Security video uncovers how malicious DNS traffic affects people on the other end of the internet connection.
READ THE STORY: HelpNetSec
Technology alone can’t solve the cybersecurity problem; we need better information sharing
FROM THE MEDIA: On the modern battlefield, commanders and others share information in real time to gain a common, accurate view of what’s happening so forces can react quickly to whatever occurs. The fight against cyber criminals should be no different. When it comes to identifying attackers’ constantly changing tactics and the best defense strategies, information is power. But, alas, this too often is not the case today. The public and private sectors have lacked formal mechanisms for quickly sharing threat information, hampering the extensive and seamless collaboration needed to address a cybersecurity problem that keeps worsening.
READ THE STORY: The Hill
New Guidelines Spell Out How to Test IoT Security Products
FROM THE MEDIA: There's a lot of diversity in IoT devices, making it difficult to create a one-size-fits-all approach to security, says Tony Goulding, cybersecurity evangelist at Delinea. Some devices lack computational capacity, and not being able to deploy security agents or clients on the devices makes it difficult to enforce a centralized and consistent set of security policies. "Threat actors recognize this and exploit the fact that these devices are particularly vulnerable to malware," he says. "As a security community, we strive to eliminate or choke vectors of attack that can give adversaries illicit access to our infrastructure, resulting in a data breach, ransomware attack, or taking critical OT infrastructure offline."
READ THE STORY: DarkReading
Hacks tied to Russia and Ukraine war have had minor impact, researchers say
FROM THE MEDIA: Although politicians and cybersecurity experts have warned about the potential for widespread hacks in the wake of Russia’s invasion of Ukraine, a new study finds that attacks linked to the conflict have had minor impact and are unlikely to escalate further. Researchers from the University of Cambridge, the University of Edinburgh and the University of Strathclyde examined data from two months before and four months after the invasion. They analyzed 281,000 web defacement attacks, 1.7 million distributed denial-of-service (DDoS) attacks, and hundreds of announcements on Telegram used by hackers to coordinate their activity.
READ THE STORY: The Record
DHS Calls for “Excellence in Software” in Log4j Report
FROM THE MEDIA: Notably, attackers immediately began leveraging the Log4j vulnerability to target SolarWinds and VMware servers, among other ubiquitous commercial applications. Fast forward to today and Log4j exploits are found in botnet packages, including IoT botnets in the case of Mirai, as well as ransomware, crypto miners, and other malware programs. Recently, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) released a study on how the Log4j vulnerability has impacted the software supply chain. As stated in the report, “A vulnerability in such a pervasive and ubiquitous piece of software has the ability to impact companies and organizations… all over the world.”
READ THE STORY: Security Boulevard
Raspberry Robin and Dridex: Two Birds of a Feather
FROM THE MEDIA: IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research shed additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group ‘Evil Corp,’ which is the same group behind the Dridex malware, suggesting that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.
READ THE STORY: Security Intelligence
Electric car charging stations are being targeted by hackers – and the entire power grid could be at risk
FROM THE MEDIA: A large-scale electric charging station hack could result in entire charging outposts being disabled. EV charging station owners would have to pay millions to have their power restored, NoCamels reports. Once hackers connect to a charging network, they can gain backdoor access to the electrical grid. Yoav Levy, CEO of Upstream Security, said: “Somebody [a hacker] could give a command to the whole fleet of charging stations to start charging, creating fake demand from the grid that it [the grid] can’t supply, and it shuts down.” NoCamels reports.
READ THE STORY: The Sun
"Chinese intelligence operatives are on a par with the Russians"
FROM THE MEDIA: Western spy chiefs say that the sophistication of Beijing’s intelligence operations is now comparable to the Kremlin's. There is growing fear in Europe that the Chinese spy and counter-intelligence services represent an ever-increasing threat to Europe, even greater than the one coming from Russia. "Chinese intelligence is no less dangerous. Moreover, their espionage operations are now even better than the Russian ones," confirmed a former senior CIA official for Europe.
READ THE STORY: B92
Chip Exports to China at Risk on New US Rules, Sparking Selloff
FROM THE MEDIA: The latest US effort to restrict chip exports to China from Nvidia Corp. and Advanced Micro Devices Inc. sparked concern that escalating government actions could cut off some of the semiconductor industry’s biggest companies from the largest market for their products. Nvidia’s stock tumbled as much as 12% on Thursday after warning that new rules on the export of some artificial-intelligence chips to China may affect hundreds of millions of dollars in revenue. The Philadelphia Stock Exchange Semiconductor Index shed as much as 2.5%, adding to losses that have wiped out a third of its valuation.
READ THE STORY: Bloomberg Law
Items of interest
Google says it cut off Russian disinformation sites from its vast ad display network
FROM THE MEDIA: Google says it took additional steps in the past week so that brands would no longer see their ads on Russian state-owned websites that are a regular source of Ukraine war propaganda.
The move comes after a software developer tweeted screenshots of ads from major Western companies placed through Google’s display advertisement service alongside headlines spreading disinformation about the war.
The Twitter thread — posted on Aug. 24 by Braedon Vickers, a Singapore-based software engineer who builds tools to detect digital advertising trends — enraged disinformation experts, digital advertising watchdogs and U.S. senators who condemned Google for continuing to profit off of ads placed on Russian websites.
“Continuing to run ads on these sites means Google — and the brands whose ads are run — are funding sites publishing this propaganda,” Vickers told CyberScoop. “Even when the sites aren’t dependent on this revenue to survive, having ads from well-known brands lends credibility to the sites, and what they’re pushing.”
The ads Vickers found and posted to Twitter are just the latest examples of Google-placed ads appearing on Russian-backed websites, a practice that congressional leaders and disinformation experts have long condemned because the ads provide money to the Russian government and bolster the propaganda it’s delivering to support the war.
READ THE STORY: CyberScoop
Ian Explains: Hackers, Innovation, Malice & Cybercrime (Video)
FROM THE MEDIA: In the 1950s, "phreakers" whistled their way into free long-distance calls. Steve Wozniak then improved on the scam, making enough cash to get Apple started along with Steve Jobs. Many of today's hackers are also bored kids trying to beat the system and make a quick buck in the process.
Foreign Press Center Briefing on the "Cybercrime Treaty Negotiations at the United Nations" (Video)
FROM THE MEDIA: New York Foreign Press Center Briefing on the "Cybercrime Treaty Negotiations at the United Nations" on August 30, 2022.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com