Thursday, Sept 22, 2022 // (IG): BB // Sponsor: Shadow News
Technical Analysis of Crytox Ransomware
FROM THE MEDIA: The threat actor using Crytox ransomware has been active since at least 2020, but has received significantly less attention than many other ransomware families. In September 2021, the Netherlands-based company RTL publicly acknowledged that it had been compromised by the threat actor. The company paid Crytox 8,500 euros, a low figure compared with current ransom demands. Unlike most ransomware groups, the Crytox threat actor does not perform double extortion, where data is exfiltrated before encryption and the victim is also threatened with its publication.
READ THE STORY: Security Boulevard
Ask.FM database with 350m user records allegedly sold online
FROM THE MEDIA: The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question and answer network launched in June 2010, with over 215 million registered users. “I’m selling the users database of Ask.fm and ask.com. For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases.”
READ THE STORY: Cybernews
Microsoft Security: Scammers Targeting Users through YouTube Comments and Ads
FROM THE MEDIA: Microsoft Security Intelligence says that a large-scale click fraud campaign is targeting users through YouTube comments and malicious ads. According to a tweet from Microsoft Security, the attack is carried out by a threat actor tracked as DEV-0796. This individual or group monetizes clicks generated by a node-webkit-based browser or a malicious browser extension that is installed on the user's device without their knowledge.
READ THE STORY: Winbuzzer
Ransom demand escalates fallout from Los Angeles schools cyberattack
FROM THE MEDIA: Alberto Carvalho is confronting a major ransomware attack just eight months after he joined the Los Angeles Unified School District as superintendent. Late Tuesday, two weeks after LAUSD publicly disclosed the attack, Carvalho confirmed a ransom demand was made by the group that breached the district’s systems.
READ THE STORY: CYBERSECURITY DIVE
LockBit says it was an insider leak, and not an external attack
FROM THE MEDIA: After 3xp0rt's tweet, VX-Underground reported that it had been contacted on September 10th by a user named 'protonleaks,' who at that time showed them a copy of the builder. It's unclear whether protonleaks and ali_gushji are one person or two people, or whether perhaps their name is really legion. LockBit reached out to VX-Underground to deny that it had been hacked, saying that the leak was the work of a disgruntled developer unhappy with LockBit's leadership.
READ THE STORY: The Cyberwire
What Is Cryptojacking? How It Works and How to Protect Against It
FROM THE MEDIA: Cryptocurrency is entirely virtual, with no regulating body determining how much currency should be released into circulation. And in order for crypto to retain value, it is necessary that there is enough currency in circulation to be bought and sold. Therefore, it is up to users to create units of crypto themselves, and then verify its existence with the blockchain—a process known as cryptomining.
READ THE STORY: Security Boulevard
Pay-per-install services provide access to thousands of compromised computers
FROM THE MEDIA: PrivateLoader malware, which enables cybercriminals to buy thousands of infected computers in the U.S. and in other regions, is one of the most prevalent security threats. Pay-per-install services are used in the cybercrime underground to monetize the installation of malware on computers. Cybercriminals who have the capability to build a network of infected computers then sell access to those computers. That cybercriminal might do it all by themselves or join a PPI criminal organization as an affiliate.
READ THE STORY: TechRepublic
U-Haul Data Breach Exposed Sensitive Customer Data of More Than 2 Million Clients Over 5 Months
FROM THE MEDIA: The American moving and storage rental company U-Haul disclosed a data breach that exposed customer data. U-Haul started an investigation on July 12 and concluded on August 1st that the attackers accessed customers' information between November 5, 2021, and April 5, 2022. On September 9, the company began sending data breach notification letters to the affected customers. Additionally, U-Haul responded by engaging cybersecurity experts to determine the nature of the compromised contract data.
READ THE STORY: CPO
350K Open-Source Projects At Risk of Supply Chain Vulnerability
FROM THE MEDIA: Trellix has announced the establishment of the Trellix Advanced Research Center, a facility and project aimed at creating real-time intelligence and threat indicators to help customers detect, respond to and remediate the latest cybersecurity threats. The headline figure refers to the center's first public finding: a path traversal flaw in Python's tarfile module (CVE-2007-4559) that Trellix estimates is present in roughly 350,000 open-source projects. "The threat landscape is scaling in sophistication and potential for impact," said Trellix chief product officer Aparna Rayasam. "We do this work to make our digital and physical worlds safer for everyone. With adversaries strategically investing in talent and technical know-how, the industry has a duty to study the most combative actors and their methods to innovate at a faster rate."
READ THE STORY: INFOSEC MAG
American Airlines Data Breach: What You Need to Know
FROM THE MEDIA: American Airlines has suffered a data breach affecting a small number of customers, the company has confirmed. The aviation industry is no stranger to data breaches, but they’re becoming increasingly common across almost all industries and sectors of the economy. Not enough companies use tech like password managers to create secure passwords for business email accounts, nor train staff to recognize suspicious communications. Weak credentials can be easily compromised with brute-forcing and credential stuffing, and in this case, a crafty phishing campaign duped employees.
READ THE STORY: Tech.co
Fresh Phish: Netflix Bad Actors Go Behind the Scenes to Stage a Credential Harvesting Heist
FROM THE MEDIA: With more than 220 million paid subscribers, entertainment giant Netflix is a popular pick when it comes to brand impersonation. Over the past few years, Netflix customers have been warned about numerous phishing threats, most of which share a common theme – credential harvesting. Scammers send phishing emails trying to convince Netflix users that their account is somehow in jeopardy, and rectifying the situation calls for them to update their credit card details and other personally identifiable Information (PII).
READ THE STORY: INKY
LockBit ransomware builder leaked online by “angry developer”
FROM THE MEDIA: The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor. In June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after testing it for two months. The new version promised to 'Make Ransomware Great Again,' adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods.
READ THE STORY: Bleeping Computer
Ransomware Groups Turn to Intermittent Encryption to Speed Attack Times
FROM THE MEDIA: During a cyberattack, time is of the essence for both attackers and defenders. To accelerate the ransomware encryption process and make it harder to detect, cybercriminal groups have begun using a new technique: intermittent encryption. Instead of encrypting every byte, the encryptor processes only a portion of each file, for example alternating blocks or a fixed number of bytes at set offsets. This is faster, so more files are ruined before the attack is noticed, and the resulting files contain large runs of untouched data, which undermines detection logic that looks for the sudden jump in file entropy that full encryption produces.
READ THE STORY: eSecurity Planet
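The detection problem described above can be made concrete. The following is an added example, not code from the eSecurity Planet article or from any ransomware family: it measures Shannon entropy over fixed-size windows of a file and distinguishes plaintext, fully encrypted and intermittently encrypted content. The window size and entropy thresholds are assumptions to tune per environment, and the sample files are constructed in the script (a repeated log line, with random bytes standing in for ciphertext).

```python
import math
import random
from typing import Dict, List

WINDOW = 4096        # analysis window in bytes (assumption: tune per file type)
HIGH_ENTROPY = 7.5   # bits/byte; windows at or above this look encrypted/compressed
LOW_ENTROPY = 6.0    # bits/byte; windows at or below this look like ordinary data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def window_entropies(data: bytes, window: int = WINDOW) -> List[float]:
    """Entropy of each consecutive window; the last window may be short."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data: bytes, window: int = WINDOW) -> Dict[str, object]:
    """Label a file by the mix of high- and low-entropy windows it contains.

    A file that is high-entropy everywhere looks fully encrypted (or compressed);
    a file that mixes high- and low-entropy windows is the signature of
    intermittent encryption; a file with no high-entropy windows is plaintext.
    """
    ents = window_entropies(data, window)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if not ents:
        verdict = "empty"
    elif high == len(ents):
        verdict = "fully_encrypted"
    elif high and low:
        verdict = "intermittently_encrypted"
    elif high == 0:
        verdict = "plaintext"
    else:
        verdict = "indeterminate"  # only mid-band windows: compressed data, small stride, etc.
    return {
        "verdict": verdict,
        "windows": len(ents),
        "high": high,
        "low": low,
        "min": min(ents, default=0.0),
        "max": max(ents, default=0.0),
    }


# --- constructed sample data (not real victim files) ---

def make_plaintext(n_windows: int, window: int = WINDOW) -> bytes:
    """A constructed log file: one line repeated to fill n_windows windows."""
    line = b"2022-09-22 10:15:03 INFO backup job completed without errors\n"
    size = n_windows * window
    return (line * (size // len(line) + 1))[:size]


def encrypt_full(data: bytes, seed: int = 1) -> bytes:
    """Stand-in for a conventional encryptor: every byte replaced by random output."""
    return random.Random(seed).randbytes(len(data))


def encrypt_intermittent(data: bytes, stride: int = WINDOW, seed: int = 1) -> bytes:
    """Stand-in for an intermittent encryptor: every other `stride` block is
    overwritten with random bytes and the blocks in between are left untouched.
    Real ransomware uses a cipher, but cipher output is statistically
    indistinguishable from random bytes for an entropy test."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(0, len(data), 2 * stride):
        n = min(stride, len(data) - i)
        out[i:i + n] = rng.randbytes(n)
    return bytes(out)


if __name__ == "__main__":
    sample = make_plaintext(8)
    for name, blob in (("plaintext", sample),
                       ("full", encrypt_full(sample)),
                       ("intermittent", encrypt_intermittent(sample))):
        print(name, classify(blob))
```

Two caveats for anyone turning this into a detection: the window must be no larger than the encryptor's stride, since a 16-byte interleave averaged over a 4 KiB window lands in the mid-band and comes out "indeterminate"; and already-compressed formats (archives, images, video) are high-entropy everywhere, so the verdict should be combined with a magic-byte or file-type check rather than used on its own.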
New York Racing Association Reports Data Breach Following Hive Ransomware Attack
FROM THE MEDIA: On August 25, 2022, the New York Racing Association ("NYRA") confirmed that it had experienced a data breach by filing notice of the breach with the Office of the Vermont Attorney General. Evidently, NYRA was the target of a Hive ransomware attack, which gave the attackers access to information belonging to some current and former NYRA employees.
READ THE STORY: JDSUPRA
Don't Wait for a Mobile WannaCry
FROM THE MEDIA: Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry-level attack is just over the horizon.
READ THE STORY: DARKReading
Iranian State Actors Conduct Cyber Operations Against the Government of Albania
FROM THE MEDIA: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.
READ THE STORY: CISA
Water utilities rattle the cup on Capitol Hill for cyber
FROM THE MEDIA: Cybersecurity has steadily risen as a priority for water infrastructure over the past few years, but operators and industry groups pled with Congress this week to fully fund existing programs and open up new subsidies to replace aging infrastructure, update digital defenses and train replacements for a rapidly aging workforce. Representatives from the water sector testified in front of the House Homeland Security Committee Wednesday, painting a dire picture of utilities across the country with outdated equipment, systems that are increasingly a target for criminal and nation-state hackers and not nearly enough revenues or state and local funding to meaningfully address any of those problems.
READ THE STORY: SCMAG
Why humans are the top gateway to cyber compromise
FROM THE MEDIA: Despite the efforts being made to curb phishing, which has been around for more than three decades, phishing attacks continue to rise and organizations continue to struggle with the problem. Attackers know that it is much easier to target humans than systems. Security systems, processes and policies generally mature with time, but human beings do not change nearly as fast; we will always be creatures of habit, and we come equipped with inherent weaknesses such as judgment errors, biases and heuristics (mental shortcuts) that attackers exploit.
READ THE STORY: SECURITY INFOWATCH
Bosnia And Herzegovina Cyberattack
FROM THE MEDIA: It has been announced that cybercriminals have launched a ransomware attack against the parliament of Bosnia and Herzegovina, bringing critical activity to a standstill. Prosecutors in Bosnia and Herzegovina are investigating a wide-ranging cyberattack that has crippled the operations of the country's parliament. For nearly two weeks, the parliament's website has been down, and local news outlet Nezavisne spoke with several lawmakers who said they were told not even to turn on their computers, cutting them off from their email accounts and official documents.
READ THE STORY: Information Security Buzz
Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners
FROM THE MEDIA: A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware," Trend Micro threat researcher Sunil Bharti said in a report.
READ THE STORY: THN
Hackers Likely Accessed Emails of Serbia’s Cadastre Staff, BIRN Reveals
FROM THE MEDIA: A BIRN investigation shows that Serbia's cadastre system, RGZ, was infected not by a single piece of malware but by at least three malicious programs, and that at least one of them entered the server via the RGZ mail server, from where it tried to spread. The servers of the Republic Geodetic Institute stopped working on June 14, when it was announced that a hacker attack had been carried out.
READ THE STORY: Balkan Insight
Cobalt Strike gets emergency patch
FROM THE MEDIA: Cobalt Strike developer HelpSystems has gone out of band to address a potentially serious security vulnerability in the product's team server. The company said in a security advisory Tuesday that the Cobalt Strike 4.7.1 update closes a cross-site scripting (XSS) flaw, designated CVE-2022-39197, in the server component of the product. The bug was discovered and privately disclosed to HelpSystems by a researcher using the pseudonym "Beichendream."
READ THE STORY: TechTarget
Google Chrome users looking to download pirated software at risk of new malware infection
FROM THE MEDIA: Internet users, especially those on Google's Chrome browser, should think twice before illegally downloading video games and other software. Software researchers have warned about ChromeLoader, a malware that masquerades as pirated digital files and allows hackers to steal data or install ransomware on infected computers. "This malware has been observed to be distributed using malicious ISO and DMG files through advertisements, browser redirects and YouTube video comments," said the Singapore Computer Emergency Response Team (SingCert) of the Cyber Security Agency of Singapore, which sounded the alert on Wednesday.
READ THE STORY: The Straits Times
Iranian Hackers Indicted for Attacks on Government Agencies, Critical Infrastructure Companies
FROM THE MEDIA: The United States Department of Justice (DOJ) has indicted three Iranian hackers for a campaign of attacks dating back to 2020. The hackers hit targets throughout the US as well as in other countries, and went after a broad range of organizations including critical infrastructure companies and government agencies. The DOJ notes that the Iranian hackers do not appear to be linked to the Islamic Revolutionary Guard Corps, but accuses Iran of adopting a position similar to that of Russia in ignoring the actions of its criminal hackers so long as they stick to attacking enemy or rival nations.
READ THE STORY: CPO
Israel has foiled dozens of cyber attacks by Iran over last year, IDF says
FROM THE MEDIA: The IDF’s Cyber Defense Directorate has thwarted close to two dozen cyber attacks against the Israeli military in the past year. The IDF’s network, said to be the largest in the Middle East, is constantly being threatened, and the military has identified an increase of 70% in hostile activity in recent years. Though the majority of attacks were identified and thwarted ahead of time, the significant increase in attempts worries the IDF.
READ THE STORY: JPOST
Bandai Namco Admits July Hack May Have Exposed Customer Information
FROM THE MEDIA: Back in July, Bandai Namco revealed that a hack of the company's servers had taken place. At the time, the Elden Ring publisher offered little information about what had been taken, though it did state that customer information "was included in the servers and PCs." Today, Bandai Namco offered a follow-up to its previous statement, saying that "external leakage of information" as a result of the hack "cannot be denied." The company went on to state that it has not confirmed any such instances, but did provide an email address where users could report any potential "information leakage."
READ THE STORY: COMIC BOOK
Microsoft Won’t Label Fake News as False in an Attempt to Avoid ‘Censorship’ Cries
FROM THE MEDIA: Microsoft Corp. won’t label social media posts that appear to be false in order to avoid the appearance that the company is trying to censor speech online, President Brad Smith said in an interview with Bloomberg News, hinting that the company is taking a different approach than other technology firms in dealing with disinformation. “I don’t think that people want governments to tell them what’s true or false,” Smith said when asked about Microsoft’s role in defining disinformation. “And I don’t think they’re really interested in having tech companies tell them either.”
READ THE STORY: Bloomberg
US Agency Broke Into China’s Telecom Networks, State Media Says
FROM THE MEDIA: US intelligence agents gained control of parts of China’s telecommunications network after hacking into a government-funded university, a prominent state-backed newspaper reported, issuing Beijing’s latest accusation of US cyber-intrusion. The National Security Agency’s cyber-warfare unit “penetrated and controlled” unnamed telecom operators, the Global Times reported on Thursday, citing information provided by officials.
READ THE STORY: Bloomberg Law
Ukraine-Russia shows us the future of war with high-end ATGMs, drones. India has to step up
FROM THE MEDIA: Ukraine’s Kharkiv counter-offensive, which began on 5 September and resulted in the recapture of 6,000 square kilometres of its territory, has led to speculation of an eventual Russian defeat. Considering Russia’s immense reserves and unused combat potential, it is unlikely to suffer a decisive military defeat but has certainly been stalemated—which is nothing short of a political defeat for a superior power. If Ukraine succeeds in recapturing Kherson, the mounting men and material losses may force Russia to negotiate a face-saving victory restricted to the Donbas region and Crimea.
READ THE STORY: The Print
The US Opioid Problem Is Also a China Problem
FROM THE MEDIA: The United States is under siege by a silent, faceless killer – fentanyl. Over 108,000 Americans died from drug overdoses in the last 12 months, according to the U.S. Centers for Disease Control and Prevention. Of these, nearly two-thirds involved fentanyl, an incredibly potent synthetic opioid more than 50 times more powerful than heroin. Fentanyl is now the leading cause of death for Americans aged 18 to 45, more than car accidents, firearms, and COVID-19, and is so widespread it has contributed to a sustained decrease in Americans’ life expectancy.
READ THE STORY: The Diplomat
My Heart Belongs to Kashmir
FROM THE MEDIA: On August 24, 2022, Twitter shared 15 datasets of information operations it identified and removed from the platform with researchers in the Twitter Moderation Research Consortium for independent analysis. One of these datasets included 1,198 accounts that tweeted about India and Pakistan. Twitter suspended the network for violating their Platform Manipulation and Spam Policy, and said that the presumptive country of origin was India.
READ THE STORY: Stanford
Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards
FROM THE MEDIA: A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls. In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.
READ THE STORY: DARKReading
Microsoft's new Windows 11 update 'eradicates' a key hacker tactic
FROM THE MEDIA: Microsoft is hoping that adoption of its latest version of Windows 11 will wipe out a popular technique for stealing credentials, thanks to the company's move to turn on certain security features by default in the operating system. The Windows 11 2022 update is generally available today. Among the on-by-default security features in the new version is Credential Guard, which uses virtualization-based security to isolate the secrets held by the Local Security Authority (such as NTLM password hashes and Kerberos tickets) so that malware running with administrator rights cannot simply read them out of LSASS memory.
READ THE STORY: PROTOCOL
Items of interest
Cyber firms explain their ongoing hacker group name game
FROM THE MEDIA: No matter how confusing it gets to refer to the same Russian hacker group by a handful of different names — Cozy Bear, Nobelium, APT29 and so on — don't expect the private companies behind those monikers to give them up anytime soon. The big picture: Naming conventions for state-backed hacking groups vary from technical, advanced persistent threat (APT) group numbers to whimsical, animal-based names, making it difficult for people outside of cybersecurity research to understand which hackers do what.
READ THE STORY: AXIOS
How Social Media Likes & Trolls Affect Your Brain (Video)
FROM THE MEDIA: The origin of this personality disorder isn't clear. There seems to be a genetic component that could manifest or not depending on how much affection an individual receives as a child. Experts also consider the hypothesis that the root cause could be found in damage to the frontal lobe due to malformation, illness, or brain injury.
I Hunt Down Internet Trolls (Video)
FROM THE MEDIA: Meet TikTok’s Masked Vigilante, who has made it his mission to track down and expose online bullies, scammers and trolls. If you’re racist, sexist, or generally abusive he may have you in his sights.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com