Friday, Sept 30, 2022 // (IG): BB // INTSUM // Coffee for Bob
State-linked actor targets VMware hypervisors with novel malware
FROM THE MEDIA: The malware was found at less than 10 organizations, but researchers expect to find more targeted companies. Mandiant is tracking the actor linked to the attacks as UNC3886. Researchers originally discovered the threat activity during an investigation in April. The firm discovered attackers issuing commands from a legitimate VMware Tools process on a Windows virtual machine that was hosted on a VMware ESXi hypervisor.
READ THE STORY: CyberSecurityDive
'Disgruntled insider' shared REvil information with researchers, helped law enforcement
FROM THE MEDIA: In the fall of 2019, after writing about how Sodinokibi ransomware affiliates bragged online about the money they were making, threat intelligence researchers with McAfee Advanced Threat Research received an interesting email. The sender turned out to be a “disgruntled internal source” upset with how other hackers boasted about earnings while they hadn’t been paid. The insider went on to help researchers understand the inner workings of the group that became known as REvil, whose antics and crimes made headlines after attacking beef producer JBS.
READ THE STORY: CyberScoop
The Nord Stream Leaks Set a Precedent for Russian Attacks on Europe's Energy Infrastructure
FROM THE MEDIA: Russia could further undermine Europe's energy security long after it cuts off gas supplies, if Moscow begins to more aggressively target the continent's maritime oil and gas industry. On Sept. 26, the Norwegian Petroleum Safety Administration warned of potential "deliberate attacks" after energy companies reported multiple cases of unidentified drones flying near offshore oil and gas installations. Just a few hours later, officials in Denmark warned they had found a gas leak along a section of the Nord Stream 2 pipeline off the coast of the Danish island of Bornholm.
READ THE STORY: Worldview
Lazarus Group Affiliate uses Trojanized Open Source APPS in New Campaigns
FROM THE MEDIA: The North Korean attack group responsible for the compromise of Sony Pictures Entertainment and many other operations has been running long-term phishing campaigns that rely on social engineering and impersonation, and deliver trojanized versions of legitimate open source applications to compromise targets inside technology, media, and other companies. The campaigns are the work of a threat actor that Microsoft calls ZINC and is affiliated with the Lazarus group.
READ THE STORY: DUO
Former Fox VP Blasts China Metaverse: CCP ‘Is Not Our Friend’
FROM THE MEDIA: A former Fox News executive has condemned the Chinese Communist Party’s (CCP) efforts to steal U.S. technologies and warned that the regime seeks to use the metaverse to further its authoritarian control of society. Former Fox News Executive Vice President John Moody said the United States and the CCP are in a bitter race for dominance in the field of artificial intelligence (AI) during an interview with “China in Focus” on NTD, a sister media outlet of The Epoch Times. He also said the United States is losing that race.
READ THE STORY: The Epoch Times
Brazilian Prilex Hackers Resurfaced With Sophisticated Point-of-Sale Malware
FROM THE MEDIA: A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions. "The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works," Kaspersky researchers said. "This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks."
READ THE STORY: THN
White House pressuring Israel to cut research ties with China over dual-use concerns
FROM THE MEDIA: The US is quietly pressuring Israel to limit academic and research ties with China, over fears Beijing could access military technology through “dual-use” research efforts, sources here tell Breaking Defense. The move comes as Israel is moving to create stronger bonds with Chinese research institutes, including an agreement launched last year specifically “to attract excellent Chinese students” to come study in Israel.
READ THE STORY: Breaking Defense
Mandiant spots new malware targeting VMware ESXi hypervisors
FROM THE MEDIA: Mandiant Thursday detailed two new malware families targeting VMware ESXi hypervisors in an apparent cyberespionage campaign. In the first installment of a two-part report, Mandiant researchers described how an intrusion investigation earlier this year revealed a series of novel malware samples designed to establish and maintain persistent administrative access to hypervisors.
READ THE STORY: TechTarget
Fast Company Data Breach: Hackers Sent Offensive And Racist Push Notifications to Users
FROM THE MEDIA: Apple News disabled the Fast Company channel following the alert, which it described as an “incredibly offensive alert,” sent because of the hack. Soon after, Fast Company confirmed the breach that led to its systems sending out two obscene and racist push notifications to subscribers, including the words “Thrax was here.”
READ THE STORY: Spiceworks
Buying influence and amplification
FROM THE MEDIA: The Security Service of Ukraine (SBU) believes it's found a gang that was working to compromise accounts that could subsequently be used in influence operations. The SBU reports having taken down a gang based in Lviv that it says was responsible for compromising almost thirty million accounts and earning roughly UAH 14 million (about $380,000) in the process. (BleepingComputer reads this as accounts belonging to thirty million individuals.) The SBU says the hoods it took down were working for the Russians.
READ THE STORY: The Cyberwire
Malware builder uses fresh tactics to hit victims with Agent Tesla RAT
FROM THE MEDIA: A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cybersecurity company Zscaler. Quantum Builder, also known as Quantum LNK Builder, is used to create malicious shortcut files.
READ THE STORY: CSO
Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads
FROM THE MEDIA: Researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow-on attacks. The company published a new advisory about the campaign on Wednesday saying the threat actors behind it used a phishing email impersonating either a government organization in the US or a trade union in New Zealand, with a malicious Microsoft Word document attachment, as their initial attack vector.
READ THE STORY: InfoSec Mag
Hackers Experimenting with Deploying Destructive Malware
FROM THE MEDIA: It’s a cold, hard fact that hackers don’t really care about their victims or their victims’ data or business. They are greedy, evil human beings that just want the money. The newest trend for hackers is to develop and launch cyber-attacks that deploy destructive malware. This means that when a threat actor infiltrates a business’ system, it exfiltrates the data, and in the process deploys destructive malware that destroys the victim’s data if the ransom isn’t paid.
READ THE STORY: The National Law Review
Hacking group hides backdoor malware inside Windows logo image
FROM THE MEDIA: Security researchers have discovered a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide backdoor malware in a Windows logo. Witchetty is believed to have close ties to the state-backed Chinese threat actor APT10 (aka 'Cicada'). The group is also considered part of the TA410 operatives, previously linked to attacks against U.S. energy providers.
READ THE STORY: Bleeping Computer
Numerous orgs hacked after installing weaponized open source apps
FROM THE MEDIA: Hackers backed by the North Korean government are weaponizing well-known pieces of open source software in an ongoing campaign that has already succeeded in compromising "numerous" organizations in the media, defense and aerospace, and IT services industries, Microsoft said on Thursday. ZINC—Microsoft's name for a threat actor group also called Lazarus, which is best known for conducting the devastating 2014 compromise of Sony Pictures Entertainment—has been lacing PuTTY and other legitimate open source applications with highly encrypted code that ultimately installs espionage malware.
READ THE STORY: arsTechnica
LockBit remains dominant ransomware threat
FROM THE MEDIA: Forty percent of ransomware attacks in August were attributed to LockBit 3.0, making it the most dominant strain last month, VentureBeat reports. Even though ransomware attack volumes were noted by the NCC Group to have declined slightly from July, threats continue amid significant changes among ransomware gangs, according to NCC Group Global Head of Threat Intelligence Matt Hull.
READ THE STORY: SCMAG
Novel NullMixer malware campaign detailed
FROM THE MEDIA: The Hacker News reports that threat actors have been using cracked software to distribute the new NullMixer malware dropper, which could simultaneously deploy various trojans to enable credential, address, cryptocurrency, credit card data, and Facebook and Amazon cookie exfiltration. Kaspersky researchers found that attacks spreading NullMixer commence with the download of cracked software from malicious sites using search engine optimization poisoning approaches, which then leads to a password-protected archive with an executable enabling malicious file delivery.
READ THE STORY: SCMAG
Preventing NTLM-Based Lateral Movement with Silverfort
FROM THE MEDIA: Since its inception, the NTLM authentication protocol has been infamous for its low resiliency against attackers that seek to compromise it for malicious access. While NTLM ceased to be the default in Active Directory environments long ago and many organizations now strive to restrict usage or even ban it altogether, it’s still supported and prevalent. In this blog post, we’ll recap NTLM security risks and look at how a leading manufacturer prevented nation-state hackers from leveraging it for lateral movement with a Silverfort access policy.
READ THE STORY: Security Boulevard
Unpatched Microsoft Exchange Zero-Day actively exploited in the wild
FROM THE MEDIA: Cybersecurity firm GTSC discovered two Microsoft Exchange zero-day vulnerabilities that are under active exploitation in attacks in the wild. Both flaws were discovered by the researchers as part of an incident response activity in August 2022; they are remote code execution issues. The two vulnerabilities have yet to receive CVE identifiers; the company disclosed the issues via the Zero Day Initiative, which tracked them as ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3).
READ THE STORY: Security Affairs
Matrix: Install security update to fix end-to-end encryption flaws
FROM THE MEDIA: The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption in its software development kit (SDK). A threat actor exploiting these flaws could break the confidentiality of Matrix communications and run man-in-the-middle attacks that expose message contents in readable form.
READ THE STORY: Bleeping Computer
Fancy Bear Hackers Distributing Graphite Malware using PowerPoint Files
FROM THE MEDIA: Fancy Bear, aka APT28, is a Russian state-sponsored threat actor. The group is back in action and utilizing a new code execution method that exploits mouse movement in MS PowerPoint files to distribute Graphite malware. For your information, APT28/Fancy Bear is linked with a Russian military intelligence unit called GRU. This is the same group that was blamed for hacking MH17 flight crash investigators with a spear-phishing campaign in October 2016. In 2018, the group was accused of sending death threats to US army wives posing as ISIS.
READ THE STORY: HackRead
C2C access for sale: high-end auction houses and "flea markets."
FROM THE MEDIA: Cybersixgill has published a report looking at network access for sale on underground markets: “There are two broad categories of access-as-a-service for sale on the underground: initial access brokers (IABs), which auction access to companies for hundreds to thousands of dollars, and wholesale access markets (WAMs), which sell access to compromised endpoints for around $10.”
READ THE STORY: The Cyberwire
New Royal Ransomware emerges in multi-million dollar attacks
FROM THE MEDIA: A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. Royal is an operation that launched in January 2022 and consists of a group of vetted and experienced ransomware actors from previous operations. Unlike most active ransomware operations, Royal does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates.
READ THE STORY: Bleeping Computer
Semiconductor industry faced 8 attacks from ransomware groups, extortion gangs in 2022
FROM THE MEDIA: Several of the world’s leading semiconductor companies have faced ransomware attacks, extortion attempts and other malicious activity in 2022 — right as the industry became critical to the world’s technology sector. Recorded Future, which owns The Record, released a report on Thursday outlining eight different cyberattacks on semiconductor companies in 2022. Five of the incidents involved ransomware from the LockBit, Cuba and LV gangs. The other three were done by extortion groups like Lapsus$ and RansomHouse.
READ THE STORY: The Record
A new weapon against Command & Control infrastructures
FROM THE MEDIA: Command and control (C2) infrastructures are the “brain” behind successful, malicious cyber attacks, including malware, ransomware, ransomware-as-a-service, living-off-the-land attacks, etc. As dangerous cyber weapons, C2 infrastructures are used by cyber criminals to communicate nefarious commands to systems inside a compromised network.
READ THE STORY: Security Boulevard
About a fifth of ransomware attacks are facilitated by initial access markets
FROM THE MEDIA: “[W]e sought to understand if any major ransomware attacks may have begun with purchase of access from these markets. To do so, Cybersixgill investigated over 3,600 attacks from ransomware leak sites in 2021 and correlated the victimized companies with resources mentioned in WAM listings prior to the attack. We found that in 19% of the ransomware incidents, access to a system logged in to the organization’s domain had been offered for sale on a WAM within 180 days before the attack. (Note that this figure includes external-facing accounts, such as partners and customers.)”
READ THE STORY: The Cyberwire
This dangerous hacking tool is now on the loose, and the consequences could be huge
FROM THE MEDIA: A dangerous post-exploitation toolkit, first used for cybersecurity purposes, has now been cracked and leaked to hacking communities. The toolkit is being shared across many different websites, and the potential repercussions could be huge now that it can fall into the hands of various threat actors. This could be bad. The post-exploitation toolkit in question, called Brute Ratel C4, was initially created by Chetan Nayak.
READ THE STORY: Digital Trends
The Securities and Exchange Commission Obstructs National Security
FROM THE MEDIA: The Securities and Exchange Commission seems to have missed a key principle of fighting crime: Investigators don’t release all the details of an incident before it’s solved because it would make it harder to catch the criminal. This is true in cybersecurity too. You don’t want hackers to know they’ve been discovered or to highlight a company’s weakness to other bad actors. Yet a new rule from the SEC would require public disclosure of an incident within four days of discovery, even if the hack is still under investigation and hasn’t been remedied.
READ THE STORY: WSJ
Assessing the Geopolitical Playing Field
FROM THE MEDIA: The United States is arguably involved in the first cyberwar - against Russia and China. Unfortunately, on the battlefields of intelligence, leadership, economics, technology and education, the U.S. appears to be losing. In this episode of "Cybersecurity Unplugged," Tom Kellerman of Contrast Security and Richard Bird of Traceable.ai discuss what the U.S. government and companies need to do to win this cyberwar.
READ THE STORY: Bank Infosecurity
Items of interest
The Space Force wants to create temporary ‘training ranges’ in orbit
FROM THE MEDIA: The Space Force’s second-in-command says that his service is building what he described as a “space test and training range” that could offer Space Force guardians and their international partners brief opportunities to practice operating with real spacecraft in orbit overhead. The real-world practice would mark a change of pace from the largely virtual simulation that most Space Force training consists of. However, the nature of orbital physics means there likely will not be real estate dedicated to military training purposes.
READ THE STORY: Task and Purpose
Are you crazy to share so much information online? (Video)
FROM THE MEDIA: It's scary what you can find out about people based on their social media posts - including their drinking and exercise habits. With just a few tools and techniques you can use Open Source Intelligence (OSINT) to find all kinds of information about people. And it gets worse - someone like Micah can write tools to aggregate that data.
Main reason for data breaches (Video)
FROM THE MEDIA: The #1 reason for data breaches is insecure software. Software badly needs to be made more secure - there are lots of opportunities here to either hack applications or help application developers secure them. Learn application security (appsec) for free with shehackspurple.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com