Saturday, October 01, 2022 // (IG): BB // INTSUM // Coffee for Bob
Nord Stream pipeline disinformation fits pattern of Russian information warfare
FROM THE MEDIA: Within hours of this week’s Nord Stream pipeline explosion, Russian officials, Twitter users and Tucker Carlson began circulating disinformation suggesting that the Biden administration was responsible for the apparent act of sabotage. In fact, some viral tweets included old footage of U.S. military jets flying over Germany to support Russia’s claims that the U.S. was the culprit.
READ THE STORY: CyberScoop
“Gitting” the Malware: How Threat Actors Use GitHub Repositories to Deploy Malware
FROM THE MEDIA: The CrowdStrike Falcon Complete™ managed detection and response (MDR) team recently uncovered a creative and opportunistic interpretation of a watering hole attack that leverages GitHub to gain access to victim organizations. In the observed cases, there were no phishing emails, no exploitation of public-facing vulnerabilities, no malvertising and no compromised credentials. Instead, the threat actor leveraged a misconfiguration in GitHub repositories to get code execution and initial access on thousands of hosts across what are likely multiple victim environments worldwide.
READ THE STORY: Crowdstrike
Threat Actor Delivered Malware Via Trojanized Live Chat Installer
FROM THE MEDIA: A threat actor recently delivered malware through a trojanized installer for a legitimate desktop-based live chat application from Comm100 that is used by organizations globally. The signed, trojanized installer was available for download from Comm100’s official website from at least Sept. 27 through the morning of Sept. 29, according to CrowdStrike in a report first reported on by Reuters. Comm100, which makes customer engagement software that powers live chat, chatbots, ticketing, social media and messaging tools, removed the trojanized installer on Sept. 29 and released an updated one (10.0.9).
READ THE STORY: DUO
Mexican government suffers major data hack, president's health issues revealed
FROM THE MEDIA: The Mexican government said on Friday it had suffered a major cyber hack of data held by the armed forces, including details about President Andres Manuel Lopez Obrador's heart condition that led to his hospitalization in January. The president, speaking at a regular news conference, said information published in local media overnight from the hack of the Defense Ministry was genuine, and he confirmed revelations about his own health problems.
READ THE STORY: Reuters
Suspected Chinese hackers tampered with widely used customer chat program, researchers say
FROM THE MEDIA: Suspected Chinese hackers tampered with widely used software distributed by a small Canadian customer service company, another example of a "supply chain compromise" made infamous by the hack on U.S. networking company SolarWinds. U.S. cybersecurity firm CrowdStrike said in a blog post it had discovered malicious software being distributed by Vancouver-based Comm100, which provides customer service products, such as chat bots and social media management tools, to a range of clients around the globe.
READ THE STORY: Reuters
Satellite spies on Russian gas pipeline leak suspected of sabotage
FROM THE MEDIA: The two pipelines in question are called Nord Stream 1, and Nord Stream 2, and both run underwater in the Baltic Sea, providing gas to Germany from Russia. Sweden and Denmark have reported that a new major leak has been found, bringing the total number of identified leaks to four as of September 29. European leaders have accused Russia of sabotaging its own gas pipeline in an attempt to use gas resources as a weapon against the West. BBC reports that European leaders have come together to agree that if any deliberate attack was discovered on either of the gas pipelines, it would be met with the “strongest possible response”.
READ THE STORY: SN
Albania explains its reasons for severing relations with Iran
FROM THE MEDIA: The Washington Post last weekend interviewed Albania's Prime Minister Edi Rama on his government's decision to sever diplomatic relations with Iran over Tehran's large-scale cyberattack against Albanian IT infrastructure. “Based on the investigation, the scale of the attack was such that the aim behind it was to completely destroy our infrastructure back to the full paper age, and at the same time, wipe out all our data,” Rama told the Post.
READ THE STORY: The Cyberwire
Optus Cyber Attack Potentially Exposed Personal Data of up to 40% Of Australians, Negligence Suspected
FROM THE MEDIA: Australia’s second-largest telco Optus said it suffered a cyber attack that compromised the personal data of millions of customers. Optus said hackers accessed the personal information of an undisclosed number of customers, including names, dates of birth, phone numbers, email addresses, driver’s licence, and passport numbers. However, the breach did not compromise customers’ bank account information, payment details, and account passwords.
READ THE STORY: CPO
Microsoft investigating 2 zero-day vulnerabilities in Exchange Server
FROM THE MEDIA: Security researcher Kevin Beaumont on Thursday retweeted a report from GTSC Cyber Security, which originally said it first detected exploitation of a new zero day in August. The GTSC report noted that researchers detected webshells dropped to Exchange servers and said the attacker was using Antsword, a Chinese-based open source website administration tool. Beaumont said significant numbers of Exchange servers had been backdoored — including a honeypot.
READ THE STORY: CyberSecurityDive
Hackers Use Telegram, Signal, Dark Web to Help Iranian Protesters
FROM THE MEDIA: Protesters against the Iran regime are getting a boost to aid their efforts from hacking groups who are using Telegram, Signal and the dark web to get around government restrictions. “Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations. CPR sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides,” according to a blog post by Check Point Research (CPR), which shared five examples of the counterprotesters’ activities.
READ THE STORY: Security Boulevard
Vice Society raises ransomware pressure on Los Angeles school district
FROM THE MEDIA: Vice Society on Friday listed the Los Angeles Unified School District on its ransomware leak site, four weeks after the country’s second-largest school system was hit by a major ransomware attack. The group threatened to publish data it claims to have stolen during the attack on Oct. 3 at 4 p.m. PST. Ransomware groups typically list their victims on leak sites to increase pressure and set deadlines for victims to meet their ransom demand before stolen data is published.
READ THE STORY: CyberSecurityDive
The Challenge of Cracking Iran’s Internet Blockade
FROM THE MEDIA: Amid widespread protests across Iran sparked by the death of 22-year-old Mahsa Amini in “morality police” custody earlier this month, the government has imposed severe and extensive internet blackouts and blocked numerous digital services around the country for days. With most of Iran’s 80 million citizens impacted, people around the world have been searching for ways to get Iranians back online. But every approach comes with caveats.
READ THE STORY: WIRED
How Optus was hacked by someone acting like a ‘kid in a garage’
FROM THE MEDIA: Nine years ago, the US retailer Target suffered a data breach. First the company announced credit card information had been taken from 40 million people. Then it said 70 million had personal information stolen. Then it clarified the two were separate but overlapping, taking the likely total towards 100 million. Relative to the national population, the Target breach was about the same size as the Optus hack that has gripped Australia’s attention since it was revealed at 2pm on the public holiday called to mourn the Queen last Thursday.
READ THE STORY: The Sydney Morning Herald
Cyberespionage group developed backdoors tailored for VMware ESXi hypervisors
FROM THE MEDIA: Researchers have identified a new malware family that was designed to backdoor and create persistence on VMware ESXi servers by leveraging legitimate functionality the hypervisor software supports. According to researchers from Mandiant who found and analyzed the backdoors, they were packaged and deployed on infected servers as vSphere Installation Bundles (VIBs). VIBs are software packages used to distribute components that extend VMware ESXi functionality. The malicious VIBs provided hackers with remote command execution and persistence capabilities on the servers and the ability to execute commands on the guest virtual machines running on the servers.
READ THE STORY: CSO
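The persistence mechanism described above (a malicious VIB installed alongside the legitimate ones) leaves traces in the host's own package inventory. The script below is an added example, not Mandiant's or VMware's code: it parses the fixed-width table printed by `esxcli software vib list` and flags VIBs that are CommunitySupported, that claim VMware as vendor at a lower acceptance level, or that were installed on a date different from the rest of the image. The table in `SAMPLE_VIB_LIST` is constructed sample output, and the two entries it flags (`esx-nettools`, `hostd-helper`) are invented names; the rule that VMware ships its own VIBs only at the VMwareCertified and VMwareAccepted levels is an assumption used as a heuristic.

```python
"""Flag suspicious VIBs in `esxcli software vib list` output.

Added example, not Mandiant's or VMware's code. SAMPLE_VIB_LIST is constructed
sample output; the two VIB names it flags are invented for the demonstration.
"""
import re
from collections import Counter

# Constructed sample of `esxcli software vib list` output (the real command
# prints the same fixed-width table). The last two rows are invented VIBs.
SAMPLE_VIB_LIST = """\
Name                    Version                        Vendor    Acceptance Level    Install Date
----------------------  -----------------------------  --------  ------------------  ------------
esx-base                7.0.3-0.35.19482537            VMware    VMwareCertified     2022-06-01
esx-update              7.0.3-0.35.19482537            VMware    VMwareCertified     2022-06-01
lsu-smartpqi-plugin     1.0.0-9vmw.703.0.20.19193900   VMware    VMwareCertified     2022-06-01
net-ixgben              1.8.9-1OEM.700.1.0.15843807    Intel     VMwareCertified     2022-06-01
esx-nettools            1.0-1                          VMware    PartnerSupported    2022-09-26
hostd-helper            1.0.0-1                        Acme      CommunitySupported  2022-09-26
"""

# Assumption used as a heuristic: VMware publishes its own VIBs only at the
# two top acceptance levels, so "Vendor: VMware" below that is inconsistent.
VMWARE_LEVELS = {"VMwareCertified", "VMwareAccepted"}


def parse_vib_list(text: str) -> list[dict[str, str]]:
    """Parse the esxcli table into one dict per VIB, keyed by header name.

    Columns are separated by two or more spaces and values never contain a
    double space, so splitting on runs of whitespace is reliable here.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:  # lines[1] is the dash separator row
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def find_suspicious_vibs(rows):
    """Return (name, reasons) pairs for VIBs that deserve a manual look."""
    # Most VIBs share the install date of the base image; anything with a
    # different date was added to the host afterwards.
    baseline_date = Counter(r["Install Date"] for r in rows).most_common(1)[0][0]
    findings = []
    for r in rows:
        reasons = []
        level = r["Acceptance Level"]
        if level == "CommunitySupported":
            reasons.append("CommunitySupported VIB: the default host acceptance level is "
                           "PartnerSupported, so this needed --force or a lowered host level")
        if r["Vendor"] == "VMware" and level not in VMWARE_LEVELS:
            reasons.append(f"vendor field says VMware but acceptance level is {level}")
        if r["Install Date"] != baseline_date:
            reasons.append(f"installed {r['Install Date']}, outside the image baseline {baseline_date}")
        if reasons:
            findings.append((r["Name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real host, feed the script the output of `esxcli software vib list` taken over SSH and treat a hit as a lead, not a verdict: confirm by checking the VIB's signature and by comparing the host's VIB set against a freshly installed host on the same build, since a vendor-supplied driver installed late will also trip the date check.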
Kinetic sabotage raises concerns about threats to infrastructure in cyberspace
FROM THE MEDIA: NATO has formally declared the four explosions that severed the Nord Stream natural gas pipelines in the Baltic Sea this week to have been acts of sabotage, the Wall Street Journal reports. The Atlantic Alliance stopped short of attributing them to any actor (although Russia is widely suspected), as investigation is still in progress. CNN cites multiple European sources as saying they observed Russian naval vessels in the area shortly before the explosions. For its part, as Reuters reports, Russia blames the British and the Americans for the sabotage.
READ THE STORY: The Cyberwire
A cyberespionage group, tracked as Witchetty, used steganography to hide a previously undocumented backdoor in a Windows logo
FROM THE MEDIA: Broadcom’s Symantec Threat Hunter Team observed a threat actor, tracked as Witchetty, using steganography to hide a previously undocumented backdoor in a Windows logo. The group used the backdoor in attacks against Middle Eastern governments. The cyber espionage group Witchetty (aka LookingFrog) was first spotted by cybersecurity firm ESET in April 2022; the experts argue it is a sub-group of the China-linked TA410 group (aka APT10, Cicada, Stone Panda, and TA429).
READ THE STORY: Security Affairs
Trellix Threat Intelligence Leader Expects Cybercriminals to Pounce in Hurricane Ian Aftermath
FROM THE MEDIA: Trellix threat intelligence leader John Fokker expects cybercriminals to take advantage of Hurricane Ian‘s devastation in Florida and other states much the same way they did during the COVID-19 pandemic. Fokker, Trellix’s head of threat intelligence and principal engineer, spoke during this week’s Trellix Xpand Live 2022 conference. He and Doug McKee, principal engineer and director of vulnerability research, detailed how the company helped law enforcement take down the notorious REvil ransomware gang. REvil was responsible for last year’s attack on Kaseya.
READ THE STORY: Channel Futures
Hackers targeted 8 Shangri-La hotels between May and July, guests' data potentially leaked
FROM THE MEDIA: A database breach has occurred at luxury hotel chain Shangri-La Group, potentially exposing the personal information of guests who had stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei and Tokyo. In an e-mail informing affected guests on Friday, the group's senior vice-president for operations and process transformation, Mr Brian Yu, said: "A sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected and illegally accessed the guest databases."
READ THE STORY: The Straits Times
BlackCat claims cyberattack on US defense contractor NJVC
FROM THE MEDIA: Russian ransomware gang BlackCat has posted the details of US defense contractor NJVC to its victim blog. Though the company has yet to confirm the breach is genuine, data allegedly sourced from the company is available on the dark web. The NJVC incident comes a day after another American defense company, Elbit Systems, revealed details of a hack on its systems. NJVC is an IT services company based in the US that provides cloud, data center and cybersecurity services to the US government and the private sector. It has been working with the Department of Defense for more than 20 years.
READ THE STORY: Techmonitor
State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations
FROM THE MEDIA: Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at fewer than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center (MSTIC) said in a Friday report.
READ THE STORY: THN
Agro-Terrorism and the Food Supply Chain: This is a Different World, Rose Says
FROM THE MEDIA: If you want to disrupt a government, disrupt the food supply. “Agriculture is critical infrastructure,” Andrew Rose, strategic advisor to the food and agriculture supply chain, said during Farm Journal’s Farm Country Update on Sept. 28. “Three weeks without food and agriculture, and it’s over. You don’t mess with food and ag.” Years ago, Rose was working at a large agricultural lender and decided to run a tabletop exercise as part of a teambuilding workshop simulating a ransomware attack on the company.
READ THE STORY: Drovers
Fake US govt job offers push Cobalt Strike in phishing attacks
FROM THE MEDIA: A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims' devices. The attack is modularized and multi-staged, with most steps relying on executing obfuscated scripts from the host's memory and abusing the Bitbucket code hosting service to evade detection.
READ THE STORY: Bleeping Computer
NPM Package Masquerading as Popular Material Tailwind Library To Install Malicious Code
FROM THE MEDIA: Researchers at ReversingLabs discovered a malicious npm package masquerading as the Material Tailwind library. Their finding highlights a new trend for threat actors to install malicious code, dubbed impostor packages, say the researchers. According to the researchers, the Material Tailwind attack is only the latest example of packages that aim to disguise as legitimate packages: “These types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated.”
READ THE STORY: InfoQ
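Impostor packages of the kind described above rely on a name that is one or two characters away from a real library, or on a real name glued to an extra token, and most of them do their work from an install script. The script below is an added example, not ReversingLabs' or npm's tooling: it reads an npm `package-lock.json` (lockfile version 2 or later, which records `hasInstallScript` for any package declaring preinstall/install/postinstall hooks), compares every installed name against an allow-list of the packages the project intends to use, and reports near-misses, name combinations, and install hooks. `SAMPLE_LOCK` is a constructed lockfile, `WATCHLIST` is an assumed allow-list, and the three flagged names in the sample (`material-tailwnd`, `tailwindcss-material`, `lodsah`) are invented for the demonstration.

```python
"""Audit an npm package-lock.json for impostor (near-name) packages.

Added example, not ReversingLabs' or npm's tooling. SAMPLE_LOCK is a
constructed lockfile; the names "material-tailwnd", "tailwindcss-material"
and "lodsah" are invented for the demonstration.
"""
import json
import re

# Assumed allow-list: the packages this project actually intends to depend on.
WATCHLIST = ["@material-tailwind/react", "tailwindcss", "lodash", "express"]

# Constructed lockfile in the npm v7+ format (lockfileVersion 2). npm sets
# "hasInstallScript" on packages that declare preinstall/install/postinstall.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@material-tailwind/react": {"version": "1.2.4"},
        "node_modules/tailwindcss": {"version": "3.1.8"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/material-tailwnd": {"version": "1.0.3", "hasInstallScript": True},
        "node_modules/tailwindcss-material": {"version": "0.9.1"},
        "node_modules/lodsah": {"version": "1.0.0"},
    },
})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """'@scope/pkg' -> 'scope-pkg', lower-cased, so scoped names compare cleanly."""
    return name.lstrip("@").replace("/", "-").lower()


def tokens(name: str) -> list[str]:
    return [t for t in re.split(r"[-_.]", normalize(name)) if t]


def contains_tokens(haystack: list[str], needle: list[str]) -> bool:
    """True if `needle` appears as a contiguous run inside `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def lookalike_targets(watch: str) -> list[str]:
    """A scoped package is impersonated via its full name or its scope alone."""
    targets = [normalize(watch)]
    if watch.startswith("@"):
        targets.append(watch[1:].split("/")[0].lower())
    return targets


def classify(name: str, meta: dict, watchlist) -> list[str]:
    """Reasons why `name` looks like an impostor of something on the watchlist."""
    if name in watchlist:
        return []  # exact match with an intended dependency
    reasons = []
    for watch in watchlist:
        for target in lookalike_targets(watch):
            if normalize(name) == target:
                reasons.append(f"matches {watch!r} apart from scope or case")
                continue
            dist = levenshtein(normalize(name), target)
            if dist <= 2:
                reasons.append(f"{dist} edit(s) away from {watch!r}")
            elif contains_tokens(tokens(name), target.split("-")):
                reasons.append(f"embeds the name of {watch!r} with extra tokens")
    if reasons and meta.get("hasInstallScript"):
        reasons.append("declares an install script, so it runs code at `npm install`")
    return reasons


def audit_lockfile(lock_json: str, watchlist=WATCHLIST) -> dict[str, list[str]]:
    """Map each suspicious installed package name to its list of reasons."""
    lock = json.loads(lock_json)
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue
        name = path.split("node_modules/")[-1]  # nested deps keep their own name
        reasons = classify(name, meta, watchlist)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK).items():
        print(pkg, "->", "; ".join(why))
```

To run it on a real project, pass the contents of `package-lock.json` to `audit_lockfile` with a watchlist built from the project's declared dependencies. The edit-distance threshold of 2 is deliberately loose and will produce noise on very short names; the point of the `hasInstallScript` escalation is that a near-miss name that also runs code at install time is the combination worth stopping a build for.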
Most of the Russian ASAT debris that was monitored has gone out of orbit
FROM THE MEDIA: Nearly two-thirds of the debris tracked from last year’s Russian anti-satellite (ASAT) test has decayed from orbit, but it could be a decade or more before the rest reenters. At the Advanced Maui Optical and Space Surveillance Technologies (AMOS) Conference on Sept. 28, Deshaun Hutchinson, an orbital analyst with the Space Force’s 18th Space Defense Squadron, said that as of August 1,783 tracked objects were linked to the destruction of the Cosmos 1408 satellite in November 2021 by a Russian direct-ascent ASAT weapon.
READ THE STORY: Bollyinside
Satellite photos reveal colossal airship hangar in Chinese desert
FROM THE MEDIA: A gargantuan hangar in a secretive Xinjiang desert reveals China is thinking big – really big – when it comes to high-altitude warfare. Open-source intelligence (OSINT) analysts have been tracking the construction of a giant hangar on the northern edge of Xinjiang’s Taklimakan Desert since 2013. That’s when the People’s Liberation Army cut the foundations of a colossal new building into the sands of a research facility to the southeast of Bositeng Lake. Its shape was familiar. But its size was unexpected. It’s now one of the largest hangars anywhere on Earth.
READ THE STORY: News
A Deepfake Version of Bruce Willis Will Take His Place in Future Projects Following His Retirement
FROM THE MEDIA: Hollywood actor Bruce Willis is retiring, but will still appear in projects through deepfake technology after selling his rights to his "digital twin". Following his retirement, Willis signed a deal with AI company Deepcake to use his likeness in replicating a realistic digital doppelgänger, according to Ars Technica. With a degenerative cognitive disorder that impedes his communication and language, the Die Hard star is physically backing out of projects, but will continue appearing in future films, advertisements, and other projects.
READ THE STORY: iTECHPOST
U.S. Space Surveillance Telescope in Australia achieves initial operational capability
FROM THE MEDIA: The Australian Department of Defense and the U.S. Space Force declared initial operational capability for the Space Surveillance Telescope at Naval Communication Station Harold E. Holt, Australia, Sept. 30, 2022. The SST is a military telescope that provides ground-based, broad-area search, detection and tracking of faint objects in deep space to help predict and avoid potential collisions, as well as detect and monitor asteroids. Commander Defense Space Command, Air-Vice Marshal Cath Roberts said this milestone was an important step for the Alliance and the future of space capability in Australia.
READ THE STORY: SPACEFORCE
Putin’s War Machine Funding Is Unscathed by Latest Sanctions
FROM THE MEDIA: The US sanctioned hundreds of Russian officials, lawmakers, family members and businesses Friday in what Treasury Secretary Janet Yellen called a “sweeping action,” but in reality the measures will have little practical effect on President Vladimir Putin’s ability to sustain his country’s economy with oil and gas revenue. That raises fundamental questions about the effectiveness of sanctions, despite how big it looks on paper for the Biden administration to go after Russia’s central banker, Elvira Nabiullina, and Alexander Novak, the deputy prime minister and a key figure in Russia’s energy sector.
READ THE STORY: Bloomberg
Bot Hunting Is All About The Vibes
FROM THE MEDIA: Christopher Bouzy is trying to stay ahead of the bots. As the person behind Bot Sentinel, a popular bot-detection system, he and his team continuously update their machine learning models out of fear that they will get “stale.” The task? Sorting 3.2 million tweets from suspended accounts into two folders: “Bot” or “Not.” To detect bots, Bot Sentinel’s models must first learn what problematic behavior is through exposure to data. And by providing the model with tweets in two distinct categories—bot or not a bot—Bouzy’s model can calibrate itself and allegedly find the very essence of what, he thinks, makes a tweet problematic.
READ THE STORY: News Update
Items of interest
Russia could carry out attacks in space, warns British Armed Forces head Tony Radakin
FROM THE MEDIA: Russia could wage war in space against the West, the head of the Armed Forces has warned. Admiral Sir Tony Radakin cautioned that Russia could “disrupt” domains away from the traditional land warfare seen in Ukraine, including both sub-surface and in the skies. “It has capabilities in space,” Sir Tony said. “We saw an example of that at the tail end of last year, when Russia exploded an object in space which created immense debris. Russia has nuclear capabilities, Russia has underwater capabilities.”
The Chief of the Defense Staff made the comments after President Putin was accused of sabotaging Nord Stream 1 and 2 pipelines with undersea explosions that caused four leaks and “unprecedented” damage. Although Sir Tony refused to blame Russia while an investigation into the explosions was ongoing, he warned: “Russia has the ability to disrupt in other areas in addition to what it’s doing in Ukraine, what it’s doing in energy and what it’s doing in these diplomatic and information battles.”
READ THE STORY: Telegraph
Creating Sock Puppet Accounts (Video)
FROM THE MEDIA: Creating Sock Puppet Accounts.
Open-Source Intelligence (OSINT) in 5 Hours (Video)
FROM THE MEDIA: Open-Source Intelligence (OSINT) in 5 Hours.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com