Thursday, Sept 08, 2022 // (IG): BB // Sponsor: VetSec
I'm reminded of 'The Early Bird', 'cept your posts are seemingly on semantically-enhanced steroids. - 2600hz
Hackers Hide Malware in App Pretending to Be China-Repressed Uyghur Activist's Memoir
FROM THE MEDIA: Hackers are targeting members of the ever-repressed minority Uyghur community in western China by trying to get users to download a fake app version of a book released by a prominent Uyghur activist. In a report released Monday by the cybersecurity firm Cyble, cybersecurity researchers said the Android app-based malware is designed to look like the personal memoir of World Uyghur Congress President Dolkun Isa titled The China Freedom Trap.
READ THE STORY: Gizmodo
Google Details Recent Ukraine Cyberattacks
FROM THE MEDIA: Google’s Threat Analysis Group (TAG) has detailed a threat actor it tracks as UAC-0098, whose activities closely align with those of Russian government-backed attackers; TAG believes that at least some of UAC-0098’s members are former members of the Conti ransomware gang. UAC-0098 is widely known for using the IcedID banking trojan in attacks that led to the deployment of human-operated ransomware, operating as an access broker for ransomware groups such as Quantum and Conti. Recently, however, the threat actor has been targeting the Ukrainian government, various organizations in the country, and European humanitarian and non-profit organizations.
READ THE STORY: SecurityWeek
Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group
FROM THE MEDIA: Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations. "DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said.
READ THE STORY: DarkReading
New Iranian hacking group APT42 deploys custom Android spyware
FROM THE MEDIA: A new Iranian state-sponsored hacking group known as APT42 has been discovered using custom Android malware to spy on targets of interest. The cybersecurity firm Mandiant has collected enough evidence to determine that APT42 is a state-sponsored threat actor that engages in cyberespionage against individuals and organizations of particular interest to the Iranian government. APT42's first signs of activity date back seven years and revolve around lengthy spear-phishing campaigns that targeted government officials, policymakers, journalists, academics across the globe, and Iranian dissidents.
READ THE STORY: BleepingComputer
CodeRAT malware source code out in the open
FROM THE MEDIA: SecurityWeek reports that the new CodeRAT backdoor had its source code released online by its developer after being confronted by SafeBreach security researchers. Malicious Word documents with a Dynamic Data Exchange (DDE) exploit have been used to deploy CodeRAT, which has nearly 50 commands that could be leveraged for activity monitoring, data theft, and malware deployment, according to a SafeBreach report. Aside from having five operational modes, CodeRAT also enables unique ID generation and command receipt through local files, the Telegram bot API, or the main user interface.
READ THE STORY: SCMAG
'DangerousSavanna' Hackers Targeted Financial Institutions in Africa For Two Years
FROM THE MEDIA: A persistent cyber-attack campaign has emerged targeting major financial institutions in French-speaking African countries and has been active over the last two years. The campaign was discovered by Check Point Research (CPR) and dubbed 'DangerousSavanna.' It relied on spear phishing techniques to initiate infection chains. The threat actors reportedly sent emails in French with malicious attachments to employees in Ivory Coast, Morocco, Cameroon, Senegal and Togo, utilizing diverse file types, including PDF, Word, ZIP and ISO files, to lure victims.
READ THE STORY: InfoSecMag // THN
InterContinental Hotels Confirms Cyber-Attack After Two-Day Outage
FROM THE MEDIA: InterContinental Hotels Group (IHG) has confirmed its subsidiary Holiday Inn has been hit by a cyber-attack. More specifically, the firm issued a statement saying it was investigating "unauthorized access" to a number of its technology systems. The acknowledgment comes two days after the UK-based company's booking channels and other applications were disrupted, preventing many customers from booking accommodations online. Now, IHG confirmed it is assessing the nature, extent and impact of the incident and is implementing its response plans, which reportedly include the appointment of external specialists to investigate the breach.
READ THE STORY: InfoSecMag
Cobalt Strike servers linked to former Conti gang members attacked
FROM THE MEDIA: A report Wednesday in BleepingComputer that an unknown group launched DDoS attacks on Cobalt Strike servers operated by former Conti ransomware gang members — peppering the attacks with anti-Russian rhetoric — prompted security researchers to warn everyday practitioners to button up any Cobalt Strike servers they use for red team operations. Security researchers were reported saying that whoever executed these attacks targeted at least four Cobalt Strike servers allegedly controlled by former Conti gang members. The Conti gang shut down its operations in May, but former gang members have joined other groups and continue to use the same Cobalt Strike infrastructure to launch other ransomware attacks.
READ THE STORY: SCMAG // The Verge
New wave of data-destroying ransomware attacks hits QNAP NAS devices
FROM THE MEDIA: Network hardware maker QNAP is urging customers to update their network-attached storage devices immediately to protect them from a new wave of ongoing ransomware attacks that can destroy terabytes of data in a single stroke. Taiwan-based QNAP said recently that it has identified a new campaign from a ransomware group known as DeadBolt. The attacks take aim at QNAP NAS devices that use a proprietary feature known as Photo Station. The advisory instructs customers to update their firmware, suggesting there is a vulnerability that’s under exploit, but the company makes no explicit mention of a CVE designation that security professionals use to track such security flaws.
READ THE STORY: ArsTechnica
Hotel giant IHG blames cyberattack for booking systems outage
FROM THE MEDIA: InterContinental Hotels Group, also known as IHG Hotels & Resorts, has confirmed it was hit by a cyberattack that downed its booking systems and mobile apps. U.K.-headquartered IHG operates some of the world’s largest hotel chains, including the Holiday Inn, Crowne Plaza and Regent hotels. The company runs more than 6,000 hotels in more than 100 countries, including over 3,000 in the United States, and serves more than 150 million guests each year. In a Tuesday filing with the London Stock Exchange, the company confirmed that “parts of the company’s technology systems have been subject to unauthorized activity.”
READ THE STORY: TechCrunch
Hackers Are Using NASA Telescope Images To Push Ransomware
FROM THE MEDIA: According to Metro, one of the first images taken by NASA’s James Webb Space Telescope is being used by hackers in a phishing scam. A security analytics platform, Securonix, uncovered the new computer security threat that uses the James Webb Space Telescope‘s first public image to spread malware. The attack is called ‘GO#WEBBFUSCATOR’ and reportedly starts with a phishing email containing a Microsoft Office attachment. If a recipient opens the attachment, a URL within the document’s metadata downloads a file with a script, which runs if certain Word macros are enabled. This, in turn, downloads a copy of Webb’s First Deep Field photo, containing malicious code.
READ THE STORY: Information Security
FBI issues cyber attack warning for schools nationwide
FROM THE MEDIA: The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center released a joint Cybersecurity Advisory Tuesday to disseminate tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Vice Society actors identified through FBI investigations as recently as this month, according to a statement from the agency.
READ THE STORY: Hayspost
FBI issues cyber security advisory for same hacking group that hit Linn-Mar
FROM THE MEDIA: The FBI issued a Cyber Security Advisory on Tuesday for the same hacking group that has targeted at least one eastern Iowa school district. The FBI says hacking group Vice Society is increasingly targeting school districts nationwide. Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in the summer of 2021. The group targets schools because of the amount of sensitive staff and student data, and then threatens to publish the information unless a ransom is paid.
READ THE STORY: KCRG
APT42: Crooked Charms, Cons, and Compromises
FROM THE MEDIA: Today, Mandiant is releasing a comprehensive report detailing APT42, an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization’s operational mandates and priorities.
READ THE STORY: Mandiant
BianLian hits a community services organization for adults with serious disabilities
FROM THE MEDIA: Alegria Family Services (AFS) provides residential and community services to adults with developmental disabilities in New Mexico under a contract with the New Mexico Department of Health. They are not a large organization with vast resources, yet BianLian decided they would target them with a ransomware attack. Maybe they saw a ZoomInfo listing showing $7 million in revenue and didn’t understand that funds from the state and federal government under Medicaid or other programs are not revenue the agency can reallocate.
READ THE STORY: Data Breaches
Iran-linked hackers release Mossad chief’s medical records, personal photos
FROM THE MEDIA: Hackers linked to Iran have published personal photos and medical records of Mossad intelligence agency chief David Barnea, Israeli media reported on Sunday. The hackers reportedly accessed the cellular phone of Barnea’s wife, according to I24 News. The stolen files were released on the eve of the Mossad director’s visit to Washington, D.C., for a series of meetings with senior American officials over the possibility of reviving the 2015 Iran nuclear agreement.
READ THE STORY: JNS
Zyxel Patches Critical Vulnerability in NAS Firmware
FROM THE MEDIA: The security defect, tracked as CVE-2022-34747, carries a CVSS score of 9.8/10 and is publicly documented as a format string vulnerability impacting Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0. An attacker could exploit the vulnerability by sending specially crafted UDP packets to the affected products. Successful exploitation of the bug could allow an attacker to execute arbitrary code on the impacted device, the company said in an advisory. “A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” the company added.
READ THE STORY: SecurityWeek
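Zyxel has not published the affected binary or the exact code path, so the following is an added illustration of the bug class the advisory names, not Zyxel's code. It models a hypothetical UDP service that logs every datagram it receives: the vulnerable handler passes the attacker-controlled payload as the printf format argument, the fixed handler passes it as a value behind a fixed "%s" format. The "100%% done" payload is used because it changes output between the two versions deterministically ("%%" collapses to "%") without the undefined behaviour that "%x" or "%n" directives would trigger; a real attacker would use those directives to read the stack and write memory. The directive counter at the end is a cheap check a packet filter or IDS rule could apply to traffic bound for a NAS management port (the port number is an assumption, not from the advisory).

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not Zyxel code: a format string bug in a UDP logging path
 * and its fix. LOG_MAX and the 'datagram' helpers are assumptions. */
#define LOG_MAX 256

/* VULNERABLE: the payload itself becomes the format string, so '%'
 * sequences in the packet are interpreted ("%x" reads stack, "%n" writes). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_datagram_vuln(char *out, size_t outlen, const char *payload)
{
    return snprintf(out, outlen, payload);   /* gcc -Wformat-security flags this line */
}
#pragma GCC diagnostic pop

/* FIXED: the format is a compile-time literal and the payload is data, so
 * every byte of it, '%' included, is copied verbatim. */
int log_datagram_safe(char *out, size_t outlen, const char *payload)
{
    return snprintf(out, outlen, "%s", payload);
}

/* UDP datagrams carry no terminator; turn a raw buffer into a bounded C
 * string before any string function touches it (a second, separate bug
 * class that often sits next to format string bugs in packet handlers). */
static void datagram_to_cstring(const unsigned char *pkt, size_t len,
                                char *dst, size_t dstlen)
{
    size_t n = len < dstlen - 1 ? len : dstlen - 1;
    memcpy(dst, pkt, n);
    dst[n] = '\0';
}

/* Count printf conversion directives in an untrusted buffer. A legitimate
 * management message should contain none; "%%" is a literal percent. */
int count_format_directives(const char *buf, size_t len)
{
    int n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != '%')
            continue;
        if (buf[i + 1] == '%') {  /* escaped percent, not a directive */
            i++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed datagram payload for the demo (not a real Zyxel packet). */
    const unsigned char pkt[] = "100%% done";
    char msg[LOG_MAX], line[LOG_MAX];

    datagram_to_cstring(pkt, sizeof pkt - 1, msg, sizeof msg);

    log_datagram_vuln(line, sizeof line, msg);
    printf("vulnerable handler logged: \"%s\"\n", line);   /* 100% done */

    log_datagram_safe(line, sizeof line, msg);
    printf("fixed handler logged:      \"%s\"\n", line);   /* 100%% done */

    const char *probe = "%x%x%x%n";
    printf("directives in probe packet: %d\n",
           count_format_directives(probe, strlen(probe)));   /* 4 */
    return 0;
}
```

Compile the vulnerable function without the pragma and gcc or clang reports it under -Wformat-security; building firmware with -Werror=format-security is the cheapest way to keep this class out of a code base. The counter is a triage aid only: the patched firmware, not a filter in front of it, is the fix the advisory calls for.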
TeslaGun Primed to Blast a New Wave of Backdoor Cyberattacks
FROM THE MEDIA: A newly discovered cyberattack panel dubbed TeslaGun has been found in use by Evil Corp to run ServHelper backdoor campaigns. Data gleaned from an analysis by the PRODAFT Threat Intelligence (PTI) team shows the Evil Corp ransomware gang (aka TA505 or UNC2165, along with half a dozen other colorful tracking names) has used TeslaGun to carry out mass phishing campaigns and targeted campaigns against more than 8,000 different organizations and individuals. The majority of targets have been in the US, which accounted for more than 3,600 of the victims, with a scattered international distribution outside of that.
READ THE STORY: OODALOOP
Ukraine’s largest telecom stands against Russian cyberattacks
FROM THE MEDIA: The operator of Ukraine’s largest mobile phone network is fighting a two-front war: one on the ground and one in cyberspace. Kyivstar serves around 26 million mobile customers in Ukraine and has been jumping from crisis to crisis since the Russian invasion on Feb. 24. Russian rockets and other physical attacks have taken out almost 10 percent of its base stations. And in areas that have been taken back from Russian occupation, about 30 percent of the company’s infrastructure — including phone towers and lines — has been damaged, CEO Oleksandr Komarov said in an interview during a visit to Washington.
READ THE STORY: Politico
Govt. site hit by apparent cyber-attack; pro-Russian hackers claim responsibility
FROM THE MEDIA: A government website was hit by what appeared to be a cyber-attack Tuesday, causing the site to go down temporarily. A pro-Russia hacker group called Killnet announced on social media Tuesday evening that it had conducted a cyber-attack on the government’s e-Gov site, according to Nobuo Miwa, president of Tokyo-based cybersecurity firm S&J Corp. According to the digital agency, the e-Gov website went down at around 4:30 p.m. Tuesday. The e-Gov service, which enables people to complete administrative procedures online, had been mostly restored by the end of the day.
READ THE STORY: AsianNews
Japan's Subway Operating As Normal Despite Hacker Attacks
FROM THE MEDIA: Tokyo is aware of the statements of the pro-Russian hacker group KillNet about the "declared war on the Japanese government" and the cyber attacks on the websites of Tokyo and Osaka subway, but the temporary unavailability of the sites has not affected the transport system, Japanese Chief Cabinet Secretary Hirokazu Matsuno said on Thursday. "We are aware of the statements of the Kill Net group about declaring war on the Japanese government, as well as the attacks on Tokyo's and Osaka's subway. Despite the fact that the sites of the Tokyo subway and the Osaka subway were temporarily unavailable, this did not affect the transport system in any way," Matsuno said.
READ THE STORY: Urdupoint
Ukraine dismantles more bot farms spreading Russian disinformation
FROM THE MEDIA: The Cyber Department of the Ukrainian Security Service (SSU) dismantled two more bot farms that spread Russian disinformation on social networks and messaging platforms via thousands of fake accounts. As the SSU discovered, this bot army "of almost 7,000 accounts" was used to push content discrediting the Defense Forces of Ukraine, justify Russia's armed aggression, and destabilize Ukraine's social and political situation.
READ THE STORY: BleepingComputer
ChiComms Denial And The DHS
FROM THE MEDIA: Safeguarding National Security is on everyone’s mind, and we are here to help close the gaps for those still unwittingly giving away the intelligence store. The leakage debate is not unlike the discussion with people feigning ignorance of drone regulation to make money years ago. This conversation ran past the point of plausibility, and now we see this debate/conversation overlaid on data collection. The guy from DJI (registered agent of a foreign PRC entity) said they hired an independent security firm that found no issues.
READ THE STORY: SUAS News
CISA teases strategy to protect critical infrastructure
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency is preparing to roll out a strategic plan to protect the nation's critical infrastructure industries, as well as developing a new cybersecurity advisory system, according to Director Jen Easterly. The director of the nation's cyber defense agency detailed the two separate initiatives on Wednesday at the Billington Cybersecurity Summit, saying the critical infrastructure plan will ensure the protection of the .GOV domain, reduce risks and improve resilience and expand operational collaboration.
READ THE STORY: FCW
US decries Iran's cyberattack on Albania
FROM THE MEDIA: Spokesperson of the US National Security Council (NSC) Adrienne Watson said Wednesday the United States strongly condemns Iran's cyberattack against "our NATO ally, Albania," last July. "We join in Prime Minister Rama's call for Iran to be held accountable for this unprecedented cyber incident," she said in a press release. "The United States will take further action to hold Iran accountable for actions that threaten the security of a US ally and set a troubling precedent for cyberspace. For weeks, the U.S. government has been on the ground working alongside private sector partners to support Albania's efforts to mitigate, recover from, and investigate the July 15 cyberattack that destroyed government data and disrupted government services to the public."
READ THE STORY: Saudi Gazette
Hackers actively supporting Iran's domestic and foreign spying efforts, researchers warn
FROM THE MEDIA: A group of prolific Iranian hackers has likely been key to Iran's Islamic Revolutionary Guard Corps efforts to track its domestic and foreign adversaries in recent years by targeting US government officials, Iranian dissidents and journalists, according to new research published Wednesday. The hackers have tried to break into the email accounts of US government officials focused on Iran policy and the mobile phones of Iranian dissidents, according to the research from US cybersecurity firm Mandiant, underscoring the extent to which the IRGC's surveillance apparatus allegedly relies on cyber operations.
READ THE STORY: KTEN
Twitter's disinformation team had to 'beg' other teams for help because of a lack of tools and staff, a leaked audit says
FROM THE MEDIA: Twitter's disinformation team reportedly had to "beg" for help from other teams because they lacked the tools and resources they needed, according to a leaked audit. The audit, which the Washington Post obtained and published in full, stated that the company's site integrity team did not have "the necessary dedicated engineering support" to target widespread disinformation on the platform. The audit concluded that the lack of resources meant that the team could only be "reactive to the crisis of the day" and prevented the platform from effective "proactive threat detection and mitigation to avoid crises."
READ THE STORY: Yahoo Finance
Turkey turns into haven for money launderers as Iran and Russia use Turkish banks to avoid sanctions
FROM THE MEDIA: Turkey, already under monitoring by global money-laundering watchdog FATF for backsliding in combatting money laundering and terrorism financing, has taken yet another step in boosting the illicit transfer of wealth with no questions asked by the authorities. The move, put on parliament’s agenda with a last-minute amendment to a bill during debate on the floor, allowed the transfer of cash, gold and other assets to Turkey without a requirement to explain their origin and with no penalties imposed by Turkish authorities. The amendment was quickly approved by parliament, which is controlled by President Recep Tayyip Erdoğan’s Justice and Development Party (AKP) amid protests from the opposition that Turkey had turned into a haven for money laundering and illegal funding.
READ THE STORY: Nordic Monitor
US offers special training program on dealing with N. Korean malware
FROM THE MEDIA: The United States has developed a special training program to help detect and prevent malicious cyber activities by North Korea, the state department said Wednesday. The nine-day training program, titled "Unhiding Hidden Cobra," has already been provided to government officials and cyber security specialists from six countries, according to the department, noting the U.S. refers to malicious cyber activity by North Korea as "Hidden Cobra." The department said the program, developed and offered by its Bureau of Cyberspace and Digital Policy, includes "practical, hands-on exercises to equip participants to prevent, detect, and mitigate malicious cyber activity using cybersecurity information released by U.S. government agencies."
READ THE STORY: The Korea Times
Iranian diplomats burn documents hours before leaving Albania
FROM THE MEDIA: Iranian diplomats burned documents in the early morning on Thursday, hours before they were to leave the country after Albania cut diplomatic relations with Iran, accusing the Islamic Republic of a cyberattack in July. In a rare video address on Wednesday, Albania's Prime Minister Edi Rama said he had ordered Iranian diplomats and staff to close the embassy and leave the country within 24 hours. Rama said the July cyberattack had "threatened to paralyze public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country."
READ THE STORY: Saltwire
Items of interest
How Russia Uses Cyber Proxies to Respond to Accusations of Cyber Attacks
FROM THE MEDIA: “Governments accused of state-sponsored cyber attacks face a vexing dilemma. They can admit the attack and face painful retaliatory consequences or deny involvement and risk diminishing their cyber capabilities. As yet we know very little about how accused states handle this dilemma. In this paper, I examine how Russia - one of the most frequently accused countries - addresses this dilemma. I draw on newly available data from Twitter and leverage topic modeling, semantic, cluster and rhetorical analyses to reveal a sophisticated and highly nuanced effort by Russian proxies to refute allegations of cyber interference. The results have important implications for academic and policy debates about how best to combat state-sponsored cyber attacks and the appropriate role of social media platforms in countering online misinformation and disinformation.” - William Akoto
READ THE STORY: MIT
Can You Be Hacked Through the Mail for $10? (Video)
FROM THE MEDIA: The term "WarShipping" was coined in 2019 to describe wireless attacks through the mail, but how likely is a warshipping attack to succeed?
Telegram Bot | Read Telegram Group Messages Automatically (Video)
FROM THE MEDIA: Welcome to this complete course on Telegram bots and automation. In this course, you will learn all you need to know to start creating Telegram bots and achieve complex functionality to easily manage your Telegram groups. You will also learn to build some real-time projects to accomplish tasks, impress your friends and colleagues, or add to your CV.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com