Wednesday, Sept 14, 2022 // (IG): BB // Sponsor: Shadow News
Chinese government compiles DNA database of Tibetans
FROM THE MEDIA: The University of Toronto's Citizen Lab has published a report finding that the Chinese government is compiling a database of DNA samples from people living in the Tibet Autonomous Region. Police have collected samples from up to 1.2 million people (one-third of the region's population): "Police have targeted men, women, and children for DNA collection outside of any ongoing criminal investigation."
READ THE STORY: The Cyberwire
Energy providers hit by North Korea-linked Lazarus exploiting Log4j VMware vulnerabilities
FROM THE MEDIA: Lazarus is one of a few North Korea government-linked threat actors targeting critical infrastructure. Other state-sponsored groups include Andariel, APT38, BlueNoroff, Guardians of Peace and Kimsuky. “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” Cisco Talos researchers wrote in a blog post.
READ THE STORY: Utility Dive
ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools
FROM THE MEDIA: A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia. The attackers favor outdated versions of legitimate software because those versions let them use a well-known technique, dynamic link library (DLL) sideloading, to execute their malicious payloads on a target system.
READ THE STORY: DarkReading
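The sideloading pattern described above (an old, legitimately signed executable placed in a writable directory alongside a look-alike DLL that the Windows search order resolves first) is what defenders hunt for in image-load telemetry. The following is an added example, not code from the DarkReading story or from the researchers it cites: a small Python heuristic run over constructed Sysmon-style ImageLoad events. The list of "system DLL" names, the sample paths and the signer strings are all assumptions made for illustration.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

The sample events below are constructed to resemble Sysmon Event ID 7
(ImageLoad) records; they are not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names Windows normally resolves from the system directory.
# Illustrative subset (assumption); a real deployment would derive this
# from a known-good inventory of the System32 directory.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
               "cryptbase.dll", "userenv.dll"}

# Trailing backslash so "system32evil" does not match "system32".
SYSTEM_DIRS = ("c:\\windows\\system32\\",
               "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str    # full path of the process that loaded the DLL
    loaded: str   # full path of the DLL that was mapped
    signed: bool  # whether the DLL carries a valid Authenticode signature
    signer: str   # signature subject, "" when unsigned


def is_system_path(path: str) -> bool:
    """True when the path lies under one of the Windows system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def sideload_findings(events):
    """Return (image, dll, reasons) for loads that look like search-order hijacks."""
    findings = []
    for ev in events:
        dll = PureWindowsPath(ev.loaded)
        # Only care about DLL names that should come from the system directory,
        # and only when they did NOT come from there.
        if dll.name.lower() not in SYSTEM_DLLS or is_system_path(ev.loaded):
            continue
        reasons = ["system DLL name loaded from outside the system directory"]
        # PureWindowsPath compares case-insensitively, as Windows does.
        if dll.parent == PureWindowsPath(ev.image).parent:
            reasons.append("DLL sits beside the loading executable (classic sideload layout)")
        if not ev.signed:
            reasons.append("DLL is unsigned")
        elif ev.signer.lower() != "microsoft windows":
            reasons.append(f"DLL signed by {ev.signer!r} rather than Microsoft")
        findings.append((ev.image, ev.loaded, reasons))
    return findings


# Constructed sample events (assumption: paths and signers are illustrative).
SAMPLE_EVENTS = [
    # Benign: a vendor application resolves version.dll from System32.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # Benign: the same application loads its own, non-system DLL.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendor.dll", True, "Vendor Ltd"),
    # Suspicious: an old signed viewer dropped in a user-writable folder loads an
    # unsigned version.dll placed next to it, so the search order picks it first.
    ImageLoad(r"C:\Users\Public\Libraries\OldViewer\viewer.exe",
              r"C:\Users\Public\Libraries\OldViewer\version.dll", False, ""),
]


if __name__ == "__main__":
    for image, dll, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}")
        for r in reasons:
            print(f"  - {r}")
```

The check deliberately keys on the DLL name rather than on the loading executable, because the executable in a sideloading chain is genuine and signed; what gives the technique away is a system-DLL name resolving from a directory the attacker could write to. Expect noise from software that legitimately ships private copies of such DLLs, so in practice the finding is a lead for triage, not a verdict.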
New Microsoft Windows Zero-Day Attack Confirmed: Update Now
FROM THE MEDIA: It's the second Tuesday of the month, which means Microsoft has started rolling out the latest set of security fixes. This Patch Tuesday, there's another Windows zero-day vulnerability already being exploited by attackers, Microsoft has confirmed. Users are advised to apply the security updates as soon as possible. In total, some 63 security vulnerabilities have been identified and patched this month. Of these, five are flagged as critical and one has been confirmed as already actively exploited by threat actors: CVE-2022-37969.
READ THE STORY: Forbes
Breach of software maker used to backdoor as many as 200,000 servers
FROM THE MEDIA: FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems. The unknown threat actors used their control of FishPig's systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June.
READ THE STORY: ArsTechnica
'Twitter's Misleading The Public' On Cyber Security, Whistleblower Tells Congress
FROM THE MEDIA: A former security chief at Twitter told Congress on Tuesday that the social platform is plagued by weak cyber defenses, privacy threats and the inability to control millions of fake accounts. Peter "Mudge" Zatko, a respected cybersecurity expert, appeared before the Senate Judiciary Committee to lay out his allegations. "Twitter's misleading the public, lawmakers" and regulators, Zatko said as he began his sworn testimony. The platform is "over a decade behind the industry's best standard," he said. "This is a big deal for all of us."
READ THE STORY: Patch
Space Force nominee sees growing threats to U.S. satellites from rival powers
FROM THE MEDIA: Lt. Gen. B. Chance Saltzman — President Biden’s pick to serve as chief of space operations of the U.S. Space Force — told lawmakers Sept. 13 in a confirmation hearing that China’s aggressive pursuit of advanced technologies is “the most immediate threat” to U.S. satellite capabilities and ground infrastructure. The Senate Armed Services Committee held a confirmation hearing for Saltzman, who is poised to get a fourth star and become the second chief of space operations, or CSO, succeeding Gen. John “Jay” Raymond.
READ THE STORY: SN
Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
FROM THE MEDIA: A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted. "Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," Wordfence researcher Ram Gall said in an advisory.
READ THE STORY: THN
Hackers now use ‘sock puppets’ for more realistic phishing attacks
FROM THE MEDIA: An Iranian-aligned hacking group uses a new, elaborate phishing technique in which it uses multiple personas and email accounts to lure targets into thinking they are in a realistic email conversation. The attackers send an email to targets while CCing another email address under their control and then respond from that address, engaging in a fake conversation. Named 'multi-persona impersonation' (MPI) by researchers at Proofpoint, who noticed it for the first time, the technique leverages the psychology principle of "social proof" to obscure logical thinking and add an element of trustworthiness to the phishing threads.
READ THE STORY: Bleeping Computer
Hackers breach software vendor for Magento supply-chain attacks
FROM THE MEDIA: Hackers have injected malware in multiple extensions from FishPig, a vendor of Magento-WordPress integrations that count over 200,000 downloads. Magento is a popular open-source eCommerce platform used for building electronic shops, supporting the sale of tens of billions USD worth of goods annually. The intruders took control of FishPig's server infrastructure and added malicious code to the vendor's software to gain access to websites using the products, in what is described as a supply-chain attack.
READ THE STORY: Bleeping Computer
Police arrest man for laundering tens of millions in stolen crypto
FROM THE MEDIA: The Dutch police arrested a 39-year-old man on suspicions of laundering tens of millions of euros worth of cryptocurrency stolen in phishing attacks. ‘Politie Gelderland’ (Eastern) worked closely with the country’s central cybercrime team to monitor specific bitcoin transactions and eventually traced the man to the village of Veenendaal. The arrest occurred in the early morning of September 6, 2022, with the police seizing devices and “data carriers” to aid the ongoing investigations.
READ THE STORY: Bleeping Computer
Cloud compromise a doddle for threat actors as victims attest
FROM THE MEDIA: It takes an average of just three steps for a threat actor to infiltrate a target cloud environment and get to its “crown jewel” assets, and as a result, vast numbers of organizations are now experiencing cloud security incidents, with at least 80% reporting a “severe” incident in the past 12 months. This is according to two different reports on the state of cloud security released today by sector specialists Orca Security and Snyk, both of which reveal fresh insight into the cyber risks and challenges brought to the fore by widespread cloud adoption, and how security teams are grappling with them.
READ THE STORY: Computer Weekly
Charming Kitten and group-think in social engineering
FROM THE MEDIA: Proofpoint researchers today described a phishing campaign operated by the Iranian threat group TA453 (also known as Charming Kitten, PHOSPHORUS, or APT42). Associated with Iran’s Islamic Revolutionary Guard Corps, the threat group is using a range of impersonated personae including the policy think-tanks Chatham House, the PEW Research Center, and the Foreign Policy Research Institute, as well as the scientific journal Nature, to lend credibility to its phishing attacks. It's not simple spoofing, however: TA453 includes more than one persona in the phishing email thread.
READ THE STORY: The Cyberwire // iTECHPOST
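Both the Bleeping Computer item above on 'sock puppets' and this Charming Kitten item describe the same mechanic: the attacker addresses the target, CCs a second address they also control, and then replies from that CC'd address so the target sees a staged conversation. One way to look for that shape in mail logs is to ask whether an external party who was only ever introduced on a Cc line is now writing into the thread without the target ever having written to them. The following Python is an added example of that heuristic, not Proofpoint's detection logic or anything from the stories; the thread structure, the `.example` addresses and the rule itself are assumptions made for illustration.

```python
"""Heuristic for multi-persona impersonation (MPI) phishing threads.

Sample threads are constructed; a real deployment would build the Message
list from the mail gateway's journal, ordered by delivery time.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    to: list
    cc: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]


def mpi_suspects(thread, target):
    """Return external senders who write into a thread they were only CC'd into
    by another external party, and whom the target has never written to.

    Assumed rule (not from the source): a genuine CC'd colleague is usually
    brought in by someone the target already corresponds with, or the target
    replies-all and thereby addresses them. In an MPI thread the second
    persona appears only on the attacker's Cc line and then starts talking.
    """
    target = target.lower()
    cc_introduced = set()        # addresses first seen on a Cc line
    addressed_by_target = set()  # addresses the target has written to
    flagged = []
    for msg in thread:
        sender = msg.sender.lower()
        if sender == target:
            addressed_by_target.update(a.lower() for a in msg.to + msg.cc)
        elif (sender in cc_introduced
              and sender not in addressed_by_target
              and _domain(sender) != _domain(target)):
            flagged.append(sender)
        cc_introduced.update(a.lower() for a in msg.cc)
    return flagged


# Constructed MPI-style thread: the "colleague" persona was only CC'd by the
# first persona and then replies before the target has said anything.
SUSPICIOUS_THREAD = [
    Message("analyst@think-tank.example", ["target@victim.example"],
            ["colleague@think-tank.example"]),
    Message("colleague@think-tank.example", ["target@victim.example"],
            ["analyst@think-tank.example"]),
    Message("target@victim.example", ["analyst@think-tank.example"]),
    Message("analyst@think-tank.example", ["target@victim.example"],
            ["colleague@think-tank.example"]),
]

# Constructed benign thread: the target replies-all, so the CC'd account
# manager has been addressed by the target before they speak.
BENIGN_THREAD = [
    Message("vendor@supplier.example", ["target@victim.example"],
            ["account-mgr@supplier.example"]),
    Message("target@victim.example", ["vendor@supplier.example"],
            ["account-mgr@supplier.example"]),
    Message("account-mgr@supplier.example", ["target@victim.example"],
            ["vendor@supplier.example"]),
]


if __name__ == "__main__":
    print("suspicious:", mpi_suspects(SUSPICIOUS_THREAD, "target@victim.example"))
    print("benign:", mpi_suspects(BENIGN_THREAD, "target@victim.example"))
```

Same-domain senders are excluded so that an internal thread where a CC'd teammate chimes in does not trip the rule. The heuristic will still fire on legitimate external conversations where a CC'd third party jumps in first, so it belongs in a scoring pipeline alongside sender-reputation and link analysis rather than as a block rule on its own.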
American storage giant U-Haul confirms data breach affecting its custom contracts portal
FROM THE MEDIA: In a notice sent to affected individuals, the company said that an investigation concluded that threat actors gained unauthorized access to some rental contracts between November 5, 2021, and April 5, 2022.
“We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers,” U-Haul mentioned in the notice sent to its customers.
The company said that it involved cybersecurity experts to investigate the security incident and confirmed that sensitive personal information, including customer names and driver’s licenses or state identification numbers, were accessed by the threat actor.
READ THE STORY: TEISS
Ransomware gang threatens 1m-plus medical record leak
FROM THE MEDIA: Two recent ransomware attacks against healthcare systems indicate cybercriminals continue to put medical clinics and hospitals firmly in their crosshairs. Daixin Team has taken credit for a September 1 assault on Texas-based OakBend Medical Center, causing a shutdown of the organization's communication and IT systems as well as exfiltrating internal data. The criminals claim to have stolen more than a million records including names, dates of birth, Social Security numbers, and patient treatment information.
READ THE STORY: The Register
Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems
FROM THE MEDIA: A ransomware gang has been seen using a unique initial-access tactic to exploit a vulnerability in voice-over-IP (VoIP) appliances to breach corporate phone systems, before pivoting to corporate networks to commit double-extortion attacks. Researchers from Arctic Wolf Labs have spotted the Lorenz ransomware group exploiting a flaw in Mitel MiVoice VoIP appliances. The bug (tracked as CVE-2022-29499) was discovered in April and fully patched in July, and is a remote code execution (RCE) flaw affecting the Mitel Service Appliance component of MiVoice Connect.
READ THE STORY: DarkReading
Napa Valley College ransomware attack caused possible data breach
FROM THE MEDIA: About 8,000 people with some association to Napa Valley College recently received letters informing them of a possible data breach of personal information that occurred during the ransomware attack that struck NVC in June. The community college, once aware of the cyberattack that shut down the NVC website and network systems, worked with a third-party forensic firm to investigate, the letter says. On Aug. 18, the college subsequently discovered "a limited amount of personal information may have been accessed by an unauthorized third party in connection with this incident."
READ THE STORY: North Bay Business Journal
LA Schools and the Mystery of the Missing Ransom Note
FROM THE MEDIA: As the shady ransomware gang Vice Society took credit for a hack that sent Los Angeles school officials scrambling last week, cybersecurity experts noticed something peculiar. Vice Society, an “intrusion, exfiltration and extortion” group that experts believe is based in Russia, has become notorious for waging cyber warfare against K-12 schools, leveraging the theft of sensitive data to demand a ransom. Schools nationwide have shelled out millions of dollars to prevent hackers from publishing private records on dark-web outposts.
READ THE STORY: The 74
Montenegro Wrestles With Massive Cyberattack, Russia Blamed
FROM THE MEDIA: At the government headquarters in NATO-member Montenegro, the computers are unplugged, the internet is switched off and the state’s main websites are down. The blackout comes amid a massive cyberattack against the small Balkan state which officials say bears the hallmark of pro-Russian hackers and its security services. The coordinated attack that started around Aug. 20 crippled online government information platforms and put Montenegro’s essential infrastructure, including banking, water and electricity power systems, at high risk.
READ THE STORY: Insurance Journal
Albania Drops Diplomatic Ties With Iran in First-Ever Severance of Relations Due to a Cyber Attack
FROM THE MEDIA: A July cyber attack that has been attributed to Iran has caused Albania to cut all diplomatic ties with that country, setting what the White House National Security Council calls a “troubling precedent for cyberspace.” This is the first time a nation has severed diplomatic ties due to a cyber attack. The July 15 incident damaged critical infrastructure in Albania and shut down several government websites, leading to a call for assistance from NATO partners.
READ THE STORY: CPO
DDoS attacks on UK financial sector surged during Ukraine war
FROM THE MEDIA: The UK’s Financial Conduct Authority (FCA) has revealed evidence of a dramatic and ongoing surge in the number of distributed denial of service (DDoS) attacks against the financial sector, with a quarter of the incidents notified in the first six months of this year involving DDoS, compared to 4% in 2021. The data was revealed via a freedom of information (FoI) request lodged by breach and attack simulation (BAS) specialist Picus Security, which said the data may indicate the financial services industry is being targeted by nation-state attackers and hacktivists linked to Russia’s ongoing war on Ukraine.
READ THE STORY: Computer Weekly
Hackers release Portuguese airline’s customer data, threaten to publish more
FROM THE MEDIA: Hackers have published the personal data of 150,000 customers of Portugal’s flagship airline TAP, local media reported Tuesday. The Ragnar Locker ransomware gang published the data on Monday night and is threatening to publish more information if TAP management does not engage in talks with the group. In a statement on its page on the dark web, the group said it has the personal data of around 1.5 million customers as well as “a lot of interesting internal corporate files.”
READ THE STORY: AA
Cybersecurity Threats to the US Water Industry
FROM THE MEDIA: In an increasingly digital world, cybersecurity is a significant – and relevant – threat to individuals and companies alike. Cybercriminals are constantly devising new ways to steal information for personal gain through exploitation or ransom demands. It’s become unfortunately commonplace to hear tales of drained checking accounts, leaked photos, and private documents being published to the masses. In this post-pandemic era, the move to hybrid and remote work dynamics has tempted nefarious actors even more. In 2021, the average instance of data breaches and cyberattacks rose more than 15% year over year.
READ THE STORY: Tripwire
Hackers are using WeTransfer links to spread malware
FROM THE MEDIA: So if you get an email from an unknown person, sharing a ‘Proof of Payment’ document from WeTransfer, it’s most likely malware. WeTransfer is a free file-sharing site used by several workers and businesses. Hackers have figured out a way to use this to get around security software that detects URLs in emails. Cybersecurity researchers from Cofense have found that hackers are now distributing a malware called Lampion using a misleading WeTransfer link as reported by Bleeping Computer.
READ THE STORY: Metro
Pro-Ukraine hackers claim attack on Russian TV broadcasts
FROM THE MEDIA: Pro-Ukrainian hackers on Sunday took credit for breaching Russian TV channels and broadcasting anti-war messages comparing Russia’s attack on Ukraine to the September 11 terrorist attacks in New York. Members of a pro-Ukrainian hacktivist group called “hdr0” said on Telegram that several Russian channels, including Channel One Russia, Russia-24, and Russia-1 were affected by the hack. The group did not provide details about how they carried out the attack or how many people saw the message.
READ THE STORY: The Record
Iranian Hackers Target Albania’s Border Control System in a Tit-for-Tat Operation
FROM THE MEDIA: The Albanian prime minister Edi Rama confirmed this weekend that the country was attacked for the second time earlier in September. The cyberattack comes right on the heels of Albania, a NATO member state and U.S. ally, severing diplomatic ties with Iran for the July 15 cyberattack that crippled 1225 online services for businesses and the government. The cyberattack forced the Albanian government to suspend online services, most of which became operational by mid-August. “Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging,” Microsoft noted.
READ THE STORY: SpiceWorks
CIA Sweating China, AI, Capacity Challenges, Tech Official Says
FROM THE MEDIA: The Central Intelligence Agency's (CIA) Deputy Director for Digital Innovation (DDI) flagged competition with China, the need to create better artificial intelligence (AI) capabilities, and pressures to ramp up digital capabilities as three of the agency's biggest tech priorities at a September 13 event organized by GovExec. CIA Deputy DDI Jennifer Ewbank talked about those challenges, and how they fit into the agency's larger mission. Her office's tech portfolio at the agency is daunting, and includes accelerating development and integration of digital and cyber capabilities across all of CIA's mission areas, including cybersecurity and AI, and building the digital acumen of the CIA workforce through training and education.
READ THE STORY: Meritalk
'Humour over rumour': Taiwan eyes Ukraine messaging model if China attacks
FROM THE MEDIA: Taiwan is looking at Ukraine's ways of communicating its message to the outside world at a time of conflict, by making use of tools such as satellites and deploying humor, the digital minister said on Wednesday. China's war games and blockade drills around Taiwan last month, following a visit to Taipei by U.S. House Speaker Nancy Pelosi, have heightened concerns on the island about the prospect of an attack by its giant neighbor.
READ THE STORY: Reuters
Another IRGC Cyber Warfare Commander Exposed
FROM THE MEDIA: The photo of Reza Salarvand, who leads one of the units of Iran's Revolutionary Guard's wing of cyber hackers, has been released to the media. Last year, Iran International published a facial composite of Salarvand that was obtained from the Lab-Doukhtegan (Sealed Lips) hacktivist group, and the new photo, released for the first time by an account called '3ackd0or' on Tuesday, corroborated his identity. He is the head of 'Intelligence Group 13,' which is apparently a sub-group within the Shahid Kaveh unit, headed by IRGC cyber warfare commander Hamidreza Lashkarian (Lashgarian).
READ THE STORY: Iran International
Sovereign Russian internet may bring cyber risks for insurers
FROM THE MEDIA: A report by cyber risk analytics expert CyberCube found that a sovereign Russian internet could lead to cybercriminal safe havens and create security risks with consequences for insurers and reinsurers, Reinsurance News reported. The report said reinsurers should look across their portfolios for indications that certain companies may be susceptible to different threat actors, adding that forward-looking reinsurers and insurers are already starting to adopt a threat-modelling approach to portfolio risk management.
READ THE STORY: Business Insurance
Items of interest
The 5 Dangers of Misinformation & How Disinformation Campaigns are Related
FROM THE MEDIA: Misinformation is rampant in the world today. One study found that nearly 80% of United States consumers reported seeing misinformation regarding the COVID-19 pandemic, and 70% of Europeans report regularly seeing fake news. Outside of isolated cases, virtually every human being has likely consumed misinformation at some point. But what does misinformation mean and how does it differ from disinformation?
Misinformation describes the general spread of false information, whether or not the person knew the information was false. Meanwhile, disinformation is false or inaccurate information that is deliberately framed to be deceptive to those who consume it. Businesses and individuals have been hyper-aware of misinformation since the 2010s when the term “fake news” seemed to be plastered on virtually every story on a news feed.
But misinformation is not new: organizations have peddled misinformation for centuries. In the early 1900s, flagrantly false advertisements could be seen as an early form of misinformation, before the U.S. established the Federal Trade Commission Act. Political propaganda is another age-old tool used to sway public opinion with murky facts.
Today, misinformation occurs more commonly in the form of fake websites, news stories, and manipulated content. Misinformation can incite rage, contribute to growing social divides, and lead people to take action based on false pretenses. As the fight against misinformation and disinformation campaigns continues, companies must consider the political, economic, and regulatory elements at play—despite the intense focus on technical-first approaches.
READ THE STORY: Security Boulevard
Spying in the NFL with Kevin Bryant (Video)
FROM THE MEDIA: You don't have to look very far under the surface of the average game in the National Football League to find cloak-and-dagger machinations worthy of governmental intelligence agencies. During the past several decades, teams have used both myriad spying tactics to gain extra advantages and extensive counterintelligence techniques to thwart them. The line between traditional espionage and NFL methods is surprisingly thin.
Coffee Talk with SURGe: Mudge Testimony, Albania Cyberattacks, Vice Society, Data Privacy (Video)
FROM THE MEDIA: Grab a cup of coffee and join Ryan Kovar, Mick Baccio, and Audra Streetman for another episode of Coffee Talk with SURGe.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com