Thursday, Sept 29, 2022 // (IG): BB // Buy me a whiskey
Chinese State-Sponsored Threat Actor
FROM THE MEDIA: On Sept. 22, the Health Sector Cybersecurity Coordination Center (HC3) published a threat brief on the Chinese state-sponsored threat actor APT41. Members of APT41 have been actively tracked since 2012, and the group has at times been tracked as two separate groups, depending on the operation. APT41 has a long history of targeting healthcare as well as several other industries, including high-tech and telecommunications, and uses methods such as spear phishing, watering-hole attacks, supply chain attacks, and backdoors.
READ THE STORY: Healthcare Innovation
Steep#Maverick cyberespionage campaign
FROM THE MEDIA: Researchers at Securonix Threat Labs have issued a report on a cyberespionage campaign they're calling Steep#Maverick. They call it a "covert attack campaign," and they conclude that its targets have been "multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft." The PowerShell stager the threat actor used isn't particularly novel, but "the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code."
READ THE STORY: The Cyberwire
Russia’s Internet Censor Is Also a Surveillance Machine
FROM THE MEDIA: As the Putin regime continues its war on Ukraine, the Kremlin has almost totally repressed speech, assembly, and the press in Russia. A little-known Russian agency, Roskomnadzor, the country’s internet and media regulator and therefore its internet and media censor, has been central to this effort. Roskomnadzor has played a central role in slowly increasing the Putin regime’s control over the internet in Russia, from managing a website blocklist of over 1.2 million URLs to issuing numerous censorship orders.
READ THE STORY: CFR
Hackers Use Mouse Movement in Microsoft PowerPoint Presentations to Deliver Malware
FROM THE MEDIA: Security analysts at Cluster25 report a new code execution technique being used by hackers thought to be working for Russia. The attack uses a mouse-movement (mouseover) trigger to launch a malicious PowerShell script once a PowerPoint presentation has been opened. To make the attack more insidious, no macro is required: the mouseover trigger alone downloads the payload and executes the malicious code. According to the report, the technique, newly adopted by APT28 (aka Fancy Bear, TSAR Team), was used to deliver the Graphite malware as recently as September 9.
READ THE STORY: CyberSecurityNews
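PowerPoint stores hyperlink actions inside the slide XML as hlinkMouseOver (fires on hover) and hlinkClick elements, with the action's target held in the slide's relationships part; an action of ppaction://program tells PowerPoint to run that target as a program, which is the kind of macro-free trigger the report describes. The scanner below is an added example, not code from Cluster25 or from the story: it opens a .pptx as the ZIP it is, pairs each hover/click action with its relationship target, and flags program actions or targets that name a script host. The two-slide deck it builds in memory is constructed for the demonstration, and the wscript.exe/stage.vbs target in it is made up.

```python
"""Scan a .pptx for mouseover/click actions that would make PowerPoint run a program."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Heuristic list of script hosts and extensions an attacker would point an action at.
SUSPICIOUS_TARGET = re.compile(
    r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\.vbs\b|\.js\b|\.ps1\b|\.hta\b",
    re.IGNORECASE,
)


def _slide_rels(zf, slide_path):
    """Map relationship Ids to targets for one slide (ppt/slides/_rels/slideN.xml.rels)."""
    folder, name = slide_path.rsplit("/", 1)
    rels_path = f"{folder}/_rels/{name}.rels"
    if rels_path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_path))
    return {rel.get("Id"): rel.get("Target", "") for rel in root.iter(f"{{{PKG_NS}}}Relationship")}


def scan_pptx(pptx_bytes):
    """Return (slide, trigger, action, target, reason) tuples for risky hyperlink actions."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for path in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", path):
                continue
            rels = _slide_rels(zf, path)
            root = ET.fromstring(zf.read(path))
            # hlinkMouseOver fires on hover (the trigger in the report); hlinkClick on click.
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A_NS}}}{trigger}"):
                    action = el.get("action", "")
                    target = rels.get(el.get(f"{{{R_NS}}}id"), "")
                    reasons = []
                    if action.startswith("ppaction://program"):
                        reasons.append("runs a program")
                    if SUSPICIOUS_TARGET.search(target):
                        reasons.append("target names a script host")
                    if reasons:
                        findings.append((path, trigger, action, target, "; ".join(reasons)))
    return findings


# Minimal slide and relationship parts, enough for the scanner; real decks carry much more.
SLIDE_TMPL = (
    '<p:sld xmlns:p="{p}" xmlns:a="{a}" xmlns:r="{r}"><p:cSld><p:spTree>'
    '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Shape 1">{link}</p:cNvPr>'
    "<p:cNvSpPr/><p:nvPr/></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>"
)
RELS_TMPL = (
    '<Relationships xmlns="{pkg}"><Relationship Id="rId2" Type="{r}/hyperlink" '
    'Target="{target}" TargetMode="External"/></Relationships>'
)


def build_sample_pptx():
    """Constructed sample deck: slide1 has a hover action that runs a (made-up) script,
    slide2 an ordinary web hyperlink that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stand-in; not needed by the scanner
        zf.writestr("ppt/slides/slide1.xml", SLIDE_TMPL.format(
            p=P_NS, a=A_NS, r=R_NS,
            link='<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_TMPL.format(
            pkg=PKG_NS, r=R_NS,
            target="C:\\Windows\\System32\\wscript.exe C:\\Users\\Public\\stage.vbs"))
        zf.writestr("ppt/slides/slide2.xml", SLIDE_TMPL.format(
            p=P_NS, a=A_NS, r=R_NS, link='<a:hlinkClick r:id="rId2"/>'))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels", RELS_TMPL.format(
            pkg=PKG_NS, r=R_NS, target="https://example.com/agenda"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_pptx(build_sample_pptx()):
        print(" | ".join(finding))
```

Run it against a real deck with `scan_pptx(open("deck.pptx", "rb").read())`; the same check applies to .ppsx slideshows, which open straight into presentation mode and so reach the hover trigger faster. The script-host list is a heuristic and will miss renamed binaries, so treat any ppaction://program action in an inbound document as the primary signal.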
Phishing Attack Targets Microsoft Flaw to Deliver Cobalt Strike
FROM THE MEDIA: Threat actors are targeting a years-old remote code execution vulnerability in Microsoft Office to deliver Cobalt Strike beacons that can be used in follow-on attacks. The attack was first discovered in August after victims received phishing emails carrying malicious document attachments. One email claimed to be collecting personally identifiable information to decide whether the victim was eligible for employment with a U.S. federal government contractor and to determine their enrollment status in the government’s life insurance program.
READ THE STORY: DUO
Hacker shares how they allegedly breached Fast Company’s site
FROM THE MEDIA: Fast Company took its website offline after it was hacked to display stories and push out Apple News notifications containing obscene and racist comments. Today, the hacker shared how they allegedly breached the site. The site now shows a statement from the company confirming it was hacked on Sunday afternoon, followed by an additional hack on Tuesday evening that allowed threat actors to push racist notifications to mobile devices via Apple News.
READ THE STORY: Bleeping Computer
Cryptominers hijack $53 worth of system resources to earn $1
FROM THE MEDIA: Security researchers estimate that cryptominers infecting cloud servers cost victims about $53 for every $1 worth of cryptocurrency the threat actors mine on hijacked devices. This activity is generally attributed to financially motivated hacking groups, most notably TeamTNT, that run large-scale attacks against vulnerable Docker, AWS, Redis, and Kubernetes deployments. The threat actors load modified OS images containing XMRig, a miner for Monero (XMR), a privacy-oriented and hard-to-trace cryptocurrency that is currently the most profitable one to mine on CPUs.
READ THE STORY: OODALOOP
Securing the seas when the maritime industry’s drowning
FROM THE MEDIA: Over the last decade, the maritime industry has undergone a digital transformation to increase efficiency, save money, gain greater insight into vessels and cargo, and develop new business models. But digitization has created a playground for cybercriminals, who are benefiting from the industry’s security shortfalls across cargo ships, cruise ships, boats, yachts, and passenger ferries, and their supporting infrastructure. Historically, ship owners protected themselves from pirates with weapons. Today, criminals also attack with an arsenal of digital weapons, and globally the maritime industry is struggling to keep up as cybercriminals get faster and smarter.
READ THE STORY: TNW
Bl00dy ransomware leveraging leaked LockBit ransomware builder
FROM THE MEDIA: BleepingComputer reports that recent attacks by the newly emerged Bl00dy Ransomware Gang used the LockBit 3.0 ransomware builder that leaked last week following a falling-out between a LockBit operator and the group’s developer. Bl00dy Ransomware Gang, first seen attacking New York-based medical and dental practices in May, was identified by cybersecurity researcher Vladislav Radetskiy as having used a new encryptor in an attack against a Ukrainian entity.
READ THE STORY: SCMAG
Patterns of Malicious Infrastructure (Re)Use in Ukraine-Themed Domains
FROM THE MEDIA: DomainTools, the leader for Internet intelligence, today announced that Aaron Gee-Clough and Tim Helming will be featured presenters at the mWISE Conference 2022 being held October 18-20, 2022, at the Washington Hilton in Washington, DC. mWISE, the Mandiant Worldwide Information Security Exchange, expands upon the 11-year history of Mandiant Cyber Defense Summit. The inaugural, vendor-neutral conference will bring together the global cyber security community to convert knowledge into collective action in the united fight against persistent and ever-evolving cyber threats.
READ THE STORY: Crypto Reporter
Hackers now sharing cracked Brute Ratel post-exploitation kit online
FROM THE MEDIA: The Brute Ratel post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities. For those unfamiliar with it, Brute Ratel C4 (BRC4) is a post-exploitation toolkit created by Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike. Red teamers are cybersecurity professionals whose job is to try to breach a corporate network to learn its flaws, while those on the blue team attempt to defend against these attacks.
READ THE STORY: Bleeping Computer
The Nord Stream blasts are Putin's warning shot to the West
FROM THE MEDIA: While the Ukrainians are fighting a conventional war on their own territory, Russia and the West are engaged in an unconventional one fought by economic pressure, political subterfuge and dirty tricks. The apparent sabotage of the Nord Stream gas pipelines seems just the latest example. Both of these lines linking Russia to Germany have sprung devastating leaks.
READ THE STORY: Spectator
Threat actors use Quantum Builder to deliver Agent Tesla malware
FROM THE MEDIA: Quantum Builder (aka “Quantum Lnk Builder”), sold on the dark web, is used to create malicious shortcut files. It can also generate malicious HTA, ISO, and PowerShell payloads that drop the next-stage malware. In the campaign observed by the experts, threat actors used the builder to generate malicious LNK, HTA, and PowerShell payloads that deliver Agent Tesla to the targeted machines. The experts noted that this campaign features enhancements and a shift toward LNK (Windows shortcut) files compared with past attacks.
READ THE STORY: Security Affairs
Russian Attack On Undersea Energy Infrastructure Means Businesses Should Prepare For More Infrastructure Attacks (including Space and Undersea comms)
FROM THE MEDIA: Russia’s sabotage of the Nord Stream pipelines in the Baltic was probably done for many reasons. Just prior to its invasion of Ukraine, Russia conducted tests of space-based attack systems. Now it has shown it can attack undersea systems and will do so when it wants. For planning purposes, we can assess that the attacks were done to signal that Russia does not care about the EU as a market, so no sanctions can be levied that will matter.
READ THE STORY: OODALOOP
FBI joins investigation of Optus data breach
FROM THE MEDIA: Investigation of the Optus breach continues, and the US FBI has joined the inquiry to assist the Australian Federal Police. According to A Current Affair, Australian Cyber Security Minister Clare O'Neil said that "Australian police (are) working with the FBI and state police forces around the country to not only find the person who is responsible for this vast breach of Australians' data, but to try to stop this data being used to commit financial crimes against Australians."
READ THE STORY: The Cyberwire
Microsoft 365 Email Hack Led to American Airlines Breach
FROM THE MEDIA: While the airline says the risk to victims is "remote," the carrier has notified affected individuals and offered them two years of credit and identity protection services. American said in a statement to the Maine attorney general that it is reviewing its security measures and internal controls. "American is currently implementing additional safeguards to prevent a similar incident from occurring in the future." The breach was discovered by the airline on July 5 after individuals reported receiving phishing emails from an American employee's account and unauthorized activity was detected in the company’s Microsoft 365 environment.
READ THE STORY: BankInfoSec
Cryptojacking, DDoS attacks increase in container-based cloud systems
FROM THE MEDIA: Cryptojacking is the most common form of attack against container-based systems running in the cloud, while geopolitical motivations—mainly related to Russia's war against Ukraine—factored into a fourfold increase in DDoS (distributed denial-of-service) attacks this year, according to a new report from cybersecurity company Sysdig. As containers are increasingly used in cloud-based systems, they have also become an important attack vector for supply chain attacks, according to the 2022 Sysdig Cloud Native Threat Report, released Wednesday and based on findings from the Sysdig Threat Research Team (Sysdig TRT).
READ THE STORY: CSO
This New Malware Poses Threat to Crypto Wallets, Even Cold Ones
FROM THE MEDIA: Dubbed “Erbium” after the element, the malware steals personal information and data retained in browsers, such as passwords, cookies, and credit card information. It has reportedly been able to access codes from several two-factor authentication (2FA) apps and password managers, in addition to Steam and Discord tokens and Telegram authentication files.
READ THE STORY: Be in Crypto
Poor API security leads to real-world consequences
FROM THE MEDIA: Winston Churchill once wrote, “those that fail to learn from history are doomed to repeat it.” If 2021 is any indication, we have a lot to learn when it comes to API security, lest we continue to make the same mistakes. As we pass the midpoint of 2022, there has never been a greater need for organizations to not only understand what APIs they have, but also actively take steps to secure them. Google predicted that API security will take on increased importance in 2022, which follows up on a similar statement from Gartner. I couldn’t agree more. A company’s exploited APIs are often the reason for breaches that expose the data of its customers and clients.
READ THE STORY: Security Infowatch
Fake Crypto.com job offers targeting developers and artists to spread malware
FROM THE MEDIA: The infamous North Korean threat actor Lazarus Group has been spotted targeting software developers and artists in the blockchain space with fake job offers. Researchers from cybersecurity firm SentinelOne found that the group’s “Operation In(ter)ception”, which kicked off in 2020, is still active and still looking for gullible software developers and artists.
READ THE STORY: TechRadar
Drone Swarms Aren’t Science Fiction. America Must Meet This Threat
FROM THE MEDIA: Several good novels in the past few years have hinged on the looming technology gap between China and the U.S. with regard to cyberespionage, offensive hacking, and unmanned vehicle capabilities. All of which can be lumped together as military power on the cheap. One of these books is “Ghost Fleet” by P.W. Singer and August Cole; another is “2034: A Novel of the Next World War” by Elliot Ackerman and Jim Stavridis. I recommend both novels as strong clarion calls for America to up its game in the tech realm, and also as looks into the challenges the nation could face. Here’s another related, but perhaps even more likely, scenario.
READ THE STORY: Heritage
Sophisticated Covert Cyberattack Campaign Targets Military Contractors
FROM THE MEDIA: A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere. The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.
READ THE STORY: DarkReading
Go-based Chaos malware is rapidly growing targeting Windows, Linux and more
FROM THE MEDIA: Researchers from Black Lotus Labs at Lumen Technologies recently uncovered a multifunctional Go-based malware built for multiple architectures and operating systems, including Windows and Linux. The malicious code targets a broad range of devices, from small office/home office (SOHO) routers to enterprise servers. The Chaos malware includes capabilities previously documented in the original Kaiji Linux botnet. The experts analyzed roughly 100 samples of Chaos, which is written in Chinese and relies on China-based C2 infrastructure.
READ THE STORY: Security Affairs
U.S. counterintelligence agency rife with vulnerabilities
FROM THE MEDIA: U.S. senators have released a report noting the vulnerabilities of the National Counterintelligence and Security Center stemming from prevalent dysfunction, failure to adapt to cybersecurity and "whole-of-society" threats, and inadequate resources, CyberScoop reports. Increasingly sophisticated threat intelligence tools used by China and other adversaries to target more U.S. entities should prompt the counterintelligence center to better define its mission and strategies, according to the Senate report.
READ THE STORY: SCMAG
US and Russia Face Off in UN Telecom Agency Leadership Vote
FROM THE MEDIA: An upcoming vote for leadership of a little-known United Nations agency that develops global standards for mobile phones, internet connectivity and satellite technology could impact the future of the internet. That’s because the choice for the next secretary-general of the International Telecommunication Union boils down to candidates from the US and Russia, two nations with starkly different visions of the internet. The vote is being held Thursday by secret ballot in Bucharest, Romania.
READ THE STORY: Bloomberg
Starlink Satellite Qatar licensed to provide broadband Internet services
FROM THE MEDIA: The Communications Regulatory Authority (CRA) on Wednesday issued an Individual Licence for the Provision of Public Satellite Telecommunications Networks and Services to Starlink Satellite Qatar WLL.
This follows a decision of HE Mohamed bin Ali al-Mannai, Minister of Communications and Information Technology. Starlink Satellite Qatar has recently been established in Qatar by leading international company SpaceX.
READ THE STORY: Gulf Times
'Rapid response': How Iran's tech-savvy diaspora is mobilising to support protesters
FROM THE MEDIA: The message reached Amin Sabeti in London on Monday night - a protester had been arrested. The Islamic Republic’s security services would begin combing applications on her phone for social media posts, contacts and messages. Sabeti went to work. He reached out to Twitter, WhatsApp and Instagram, requesting the companies shut down the activist’s accounts. “We call the procedure rapid response,” the cyber-security expert and founder of Certfa Lab, a research group that tracks hackers linked to the Iranian government, told Middle East Eye.
READ THE STORY: MEE
Cyber warfare rife in Ukraine, but impact stays in shadows
FROM THE MEDIA: Hackings, network sabotage and other cyber warfare campaigns are being intensely deployed by both sides as Russia's invasion of Ukraine grinds on, though the covert operations have not proved decisive on the battlefield -- at least so far. Western allies initially feared a tsunami of cyberattacks against Ukraine's military command and critical infrastructure, hindering its ability to resist the Russian forces pouring across its borders.
READ THE STORY: ET Telecom
Data extortion shift likely with updated Exmatter malware
FROM THE MEDIA: Data corruption functionality has been added to the updated version of the Exmatter malware, which could signify a new tactic that could be leveraged by ransomware affiliates, reports BleepingComputer. "As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named Eraser. A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file," said Cyderes researchers, who discovered the new Exmatter sample.
READ THE STORY: SCMAG
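The quoted Eraser step overwrites the start of an already-exfiltrated file with a chunk of the next one, so the file keeps its name and size but loses its header. That makes a quick triage possible during response: any file whose leading bytes no longer match the magic number its extension implies is a candidate for this kind of corruption. The helper below is an added example, not code from Cyderes or from the story; it walks a tree and reports such mismatches, and its sample tree is constructed in a temp directory, with one PDF deliberately overwritten the way the quote describes so the check has something to find.

```python
"""Triage helper: find files whose leading bytes no longer match their extension."""
import os
import tempfile

# Expected leading bytes (magic numbers) for common document formats.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}


def header_mismatch(path):
    """True if the extension is known and the header does not match it; None if unknown."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(magic) for magic in expected)


def triage(root):
    """Walk a tree and return the relative paths of files with a mismatched header, sorted."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if header_mismatch(path):
                flagged.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(flagged)


def overwrite_head(first, second, length):
    """Mirror the quoted Eraser step on constructed files only: copy `length` bytes from
    the start of `second` over the start of `first`, leaving the size unchanged."""
    with open(second, "rb") as src:
        chunk = src.read(length)
    with open(first, "r+b") as dst:
        dst.seek(0)
        dst.write(chunk)


def build_sample_tree():
    """Constructed sample tree: intact files plus one PDF corrupted as described above."""
    root = tempfile.mkdtemp(prefix="header-triage-")
    os.makedirs(os.path.join(root, "reports"))
    files = {
        "reports/q3.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "reports/q2.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "budget.xlsx": b"PK\x03\x04" + b"\x00" * 64,
        "notes.txt": b"plain text, no magic number to check\n",  # unknown type, skipped
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # q3.pdf was "uploaded" first, so its head is replaced with the start of the next file.
    overwrite_head(os.path.join(root, "reports/q3.pdf"), os.path.join(root, "logo.png"), 12)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in triage(sample):
        print("header mismatch:", rel)
```

Point `triage()` at a mounted image or a restored share rather than the live host, and extend `MAGIC` with the formats your environment actually holds; a mismatch is only a lead, since legitimately odd files (renamed archives, empty placeholders) will also appear, but a cluster of mismatches across recently modified documents is consistent with the overwrite behaviour described.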
This evil dropper infects you with a dozen malware strains at the same time
FROM THE MEDIA: Cybercriminals have been observed using SEO poisoning to distribute a new malware loader that tries to infect the target endpoint with a dozen malware families. Researchers from Kaspersky found that for many people, typing the keyword “software crack” into Google brings up multiple websites distributing this new malware loader, some of which have even reached the first page of the search results.
READ THE STORY: TechRadar
DOJ Announces National Network of Prosecutors Focused on Cryptocurrency Crime
FROM THE MEDIA: Reflecting the rise of crimes involving digital assets and its forward-leaning approach to combating them, the Department of Justice (DOJ) announced on September 16, 2022 the creation of the Digital Asset Coordinator (DAC) Network, a national network of over 150 federal prosecutors from around the country focused on combatting crypto-related crime. The DAC Network will be led by the DOJ’s National Cryptocurrency Enforcement Team.
READ THE STORY: Lexology
Items of interest
How Falun Gong-backed media pushed Xi coup rumours around the world. And Indians bought it
FROM THE MEDIA: The rumours of a coup in Zhongnanhai and Xi Jinping’s ‘house arrest’ dominated all trends on Twitter from 24 to 26 September. But at the heart of the rumours is a sprawling media ecosystem backed by the Chinese religious movement ‘Falun Gong’. Falun Gong considers the whole of the Chinese Communist Party a mortal enemy and evil. The Epoch Times and the New Tang Dynasty TV are part of the Falun Gong-backed media ecosystem, which provides news to the overseas Chinese community in the US, Canada, the UK, Australia, Europe, and Singapore.
READ THE STORY: The Print
The Art of Influence: A Propaganda Primer (Video)
FROM THE MEDIA: What is propaganda? It’s not just art about politics. Propaganda is designed to shape your opinions and stir you to action. Trace the techniques and methods that masters of political propaganda developed in the 1920s and ’30s to shape public opinion—for good and ill.
Red Team Reconnaissance Techniques (Video)
FROM THE MEDIA: Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com