Tuesday, October 04, 2022 // (IG): BB // INTSUM // Coffee for Bob
Is Russia preparing to target vital Norwegian energy exports to Europe?
FROM THE MEDIA: For all the recent talk that Russian President Vladimir Putin might use nuclear weapons to hold onto Ukrainian territory, Russia may have already begun hybrid warfare against Norway and northern Europe, especially Germany, to exploit Europe’s energy needs over the coming winter. This seems the most probable explanation for an unlikely combination of two recent events: sabotage on September 26 against undersea gas pipelines from Russia to Germany, which received widespread publicity, and drones buzzing Norwegian offshore oil and gas platforms a week earlier, which got little publicity but were potentially far more threatening.
READ THE STORY: Atlantic Council
Lazarus Group Exploits Dell Driver Vulnerability to Bypass Windows Security
FROM THE MEDIA: The North Korea-backed threat actor known as Lazarus Group has been observed deploying a Windows rootkit by exploiting a Dell firmware driver. The campaign, which shows the hacker group’s ever-evolving techniques, was spotted by ESET security researchers in the autumn of 2021. “The campaign started with spearphishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium,” ESET wrote in an advisory by Peter Kálnai, senior malware researcher, published over the weekend.
READ THE STORY: InfoSecMag
Trojanized Comm100 Live Chat app installer distributed a JavaScript backdoor
FROM THE MEDIA: Cybersecurity firm CrowdStrike disclosed details of a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. Comm100 is a provider of customer service and communication products that serves over 200,000 businesses. At the time of this writing it is unclear how many customers of the company were impacted by the attack. The attack took place from at least September 27, 2022 through the morning of September 29, 2022.
READ THE STORY: Security Affairs
Albania Denies Police System Was Attacked by Iranian Hackers
FROM THE MEDIA: Albanian authorities Monday denied the country's police system was hacked after local media reported that data on people being investigated for crimes was released by an Iranian hacking group. Albanian media reported a leaked file with a list of suspected people, allegedly from the police database, who are being probed for different crimes. Ervin Karamuco, a criminology professor, was quoted in social media as saying a channel called Homeland Justice had published 1.7 gigabytes of criminal data from the Memex police system.
READ THE STORY: VOA
Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group
FROM THE MEDIA: Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; in June, researchers from Secureworks reported that the APT group is deploying post-intrusion ransomware families to cover up its cyber espionage operations. The experts observed an activity cluster involving post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.
READ THE STORY: Security Affairs
Russia and China are promoting US voting misinformation ahead of midterms, FBI warns
FROM THE MEDIA: Russian and Chinese government-affiliated operatives and organizations are promoting misinformation about the integrity of American elections that originated in the US ahead of November’s midterms, senior FBI officials said Monday. The FBI assessment underscores how the explosion of voting conspiracy theories in the US has been fertile ground for foreign operatives since Donald Trump’s 2020 electoral defeat. The recent Russian influence operations, which have been more pronounced than the Chinese, typically involve amplifying conversations that Americans have on social media or other platforms rather than creating new content, a senior official from the FBI’s Foreign Influence Task Force said Monday at a media briefing.
The sabotage of gas pipelines was a 'warning shot' from Putin to the West
FROM THE MEDIA: There's been a lot of finger pointing in the wake of several ecologically damaging gas leaks that abruptly sprang last week in the Nord Stream 1 and 2 pipelines running from Russia to Europe. Western leaders and officials, including President Joe Biden and NATO Secretary General Jens Stoltenberg, have suggested the ruptures were a product of sabotage. Sweden, Denmark, and Germany have all opened investigations into the leaks, which scientists said were likely induced by underwater explosions so large they were detected on the Richter scale.
READ THE STORY: Business Insider
Lazarus-Associated Hackers Weaponize Open-Source Tools Against Several Countries
FROM THE MEDIA: Notorious North Korean-associated hacking group Lazarus has been identified in a new campaign weaponizing legitimate open-source software. The software is being leveraged by the group to target employees in organizations across multiple industries and countries. Microsoft’s Threat Intelligence Center published an advisory regarding the threat on Thursday. The report states that the attacks were executed by the Lazarus group, which Microsoft tracks as Zinc, against the media, defense, aerospace, and IT services industries in the UK, US, India, and Russia.
READ THE STORY: OODALOOP
Russian retail chain 'DNS' confirms hack after data leaked online
FROM THE MEDIA: Russian retail chain 'DNS' (Digital Network System) disclosed yesterday that they suffered a data breach that exposed the personal information of customers and employees. DNS is Russia's second-largest computer and home appliance store chain, with 2,000 branches and 35,000 employees. According to the scant details provided in the announcement, a group of hackers residing outside the Russian Federation exploited a security gap in the company's IT systems and accessed customer and employee details. "We have already found gaps in the protection of our information infrastructure and are working to strengthen information security in the company," says the DNS announcement.
READ THE STORY: Bleeping Computer
FBI: We tracked who was printing secret documents to unmask ex-NSA suspect
FROM THE MEDIA: A 30-year-old ex-NSA employee was accused by the FBI of trying to sell classified US information to a foreign government – after the Feds said they linked him to the printing of secret documents. The FBI also claimed it followed payment for the information as it moved from a cryptocurrency exchange to the former staffer's personal bank account. Jareh Sebastian Dalke, who was employed at the NSA as an information security systems designer from June 6 to July 1 this year, allegedly began communicating with someone he believed to be a foreign agent on July 29, according to a statement from the Department of Justice (DoJ) announcing his arrest in Denver on September 28.
READ THE STORY: The Register
Google Shuts Translation Feature in Mainland China
FROM THE MEDIA: On Monday, American tech giant Google announced that it was shutting down the Google Translate service in Mainland China, citing low usage in the country, as per reports. Earlier, as per several media reports, the Hong Kong version of the translation service was inaccessible in the area without a virtual private network. Notably, China is accused of assembling a staggering amount of personal data from millions of citizens, designing a system wherein a person’s identity could be found, which helps the government maintain its authoritarian rule.
READ THE STORY: EquityPandit
Cryptocurrency included in proposed cyber legislation amendment
FROM THE MEDIA: TechCrunch reports that legislation amending the Cybersecurity Information Sharing Act of 2015 to push cyber threat reporting for cryptocurrency companies has been introduced by Sens. Marsha Blackburn, R-Tenn., and Cynthia Lummis, R-Wyo. The Cryptocurrency Cybersecurity Information Sharing Act, which has already received the Electronic Transactions Association's endorsement, seeks to address cryptocurrency misuse by threat actors in a bid to curb cybersecurity incident-related losses, said Blackburn.
READ THE STORY: SCMAG
NOAA launches first of its kind drone in Hurricane Ian
FROM THE MEDIA: On Wednesday, National Oceanic and Atmospheric Administration researchers flew a drone into Hurricane Ian to collect weather measurements in a part of the storm too dangerous for Hurricane Hunters. Called an Area-I Altius-600 uncrewed aircraft system (UAS), the drone was the first of its kind to be deployed into a hurricane by NOAA. Drones do the hard work, learning the secrets that hurricanes hide within their two-story waves and 130-mph winds.
READ THE STORY: SN
A deep dive into a Corporate Espionage operation
FROM THE MEDIA: Corporate espionage, also known as industrial espionage, is espionage conducted for commercial or financial purposes. One of the common misconceptions is that espionage is affecting only large corporations or government entities, but it is more common than expected. In this article, we provide an analysis of one such exfiltration and explain why these attacks are on the rise. In the last few years, we have seen a dramatic shift in the level of sophistication of cyberattacks, mostly thanks to the introduction of the profit-sharing business model for financially motivated threat actors.
READ THE STORY: Security Brief Asia
Russian Hacker Detained At Delhi's IGI Airport For Alleged Involvement In JEE Exam Scam
FROM THE MEDIA: Nine months back, i.e., in January, the Delhi Police’s Cyber Cell had busted a massive online examination hacking racket and arrested six people who with the help of Russian hackers had developed software to hack computers at examination centers remotely. According to police, the accused sent a link to a software named ‘Ultraviewer’ to gain access to the laptop at the examination center. The laptop’s access was then given to a “solver”, who helped the candidate by providing correct answers in the test.
READ THE STORY: RepublicWorld
Hacking saga hits Australia’s biggest telco
FROM THE MEDIA: As millions deal with the fallout from the Optus data breach, a third-party company has leaked the information of Telstra employees. Up to 30,000 names and email addresses of past and present Telstra staff were uploaded online. It’s understood it’s the same forum where the Optus breach data was shared last week. While no customer data has been lost, Telstra says it is aware of the breach, which contains employee information from 2017.
READ THE STORY: TickerNEWS
US-China Space Wars and Moon Mining
FROM THE MEDIA: The space race between the United States and China is not like the movies but is extremely important. “You could have a Chinese company on the moon in the 2030s claiming territory with a resource on it in the same way the Chinese have claimed the entire South China Sea,” warned Malcolm Davis, a space policy researcher at the Australian Strategic Policy Institute, in a report released on May 17.
READ THE STORY: The Epoch Times
Novel Royal ransomware operation ramps up attacks
FROM THE MEDIA: More corporations are being targeted by the Royal ransomware operation, which was launched in January but has significantly ramped up malicious activity this month, imposing demands of $250,000 to more than $2 million for its targets, BleepingComputer reports. Royal ransomware commences its attacks with callback phishing messages spoofing food delivery and software providers luring victims to contact included phone numbers to cancel their supposed subscriptions, according to AdvIntel CEO Vitali Kremez.
READ THE STORY: SCMAG
Ferrari falls victim to ransomware attack; 7GB of its internal documents made public
FROM THE MEDIA: Italian luxury sports car manufacturer Ferrari might have become the latest victim of a ransomware attack. As per a Reuters report, internal documents belonging to the brand had been posted online. The carmaker refuted that this was a ransomware attack, adding that there was no evidence of it or of a breach of the company's system. However, Ferrari said that it was working to identify how the documents were made public and that appropriate actions would be taken as needed, adding that there has been no disruption to its business and operations.
READ THE STORY: WION
Microsoft warns of potential escalation for Exchange server zero days
FROM THE MEDIA: The confirmations from Microsoft follow the initial reports from Vietnam-based GTSC, which disclosed the vulnerabilities to Trend Micro’s Zero Day Initiative so Microsoft could issue a patch. The zero days, involving Microsoft Exchange Server 2013, 2016 and 2019, were largely unknown publicly until security researcher Kevin Beaumont retweeted the GTSC research last week. Beaumont has dubbed the zero days “ProxyNotShell.”
READ THE STORY: CyberSecurityDive
Optus Says ID Numbers of 2.1 Million Compromised in Data Breach
FROM THE MEDIA: On September 22, the wireless carrier announced it had fallen victim to a cyberattack that resulted in the potential compromise of the personally identifiable information of some of its customers, without providing specifics on the number of impacted individuals. Days after the attack was identified and addressed, a threat actor posted 10,000 Optus customer records on the dark web, threatening to make more information public unless the wireless carrier paid a $1 million ransom in cryptocurrency. During the data breach, the attackers accessed user data such as names, dates of birth, email and home addresses, phone numbers, and personal identification document numbers.
READ THE STORY: Security Week
Sysdig Threat Report reveals victims lose $81.53 for every $1.54 cryptojackers gain
FROM THE MEDIA: The report confirms that cryptojacking remains the primary motivation for opportunistic attackers, exploiting vulnerabilities and weak system configurations. Using worldwide honeynets, the Sysdig Threat Research Team (Sysdig TRT) took an extensive look at TeamTNT and geopolitical activities over the past nine months. Sysdig was able to draw conclusions on TeamTNT, the explosion of malicious payloads in Docker Hub, and the rise in DDoS attacks after the Russia/Ukraine war began. The rapid shift to containers and cloud has driven an increase in opportunities for attackers to steal data, take advantage of assets, and gain illicit network access.
READ THE STORY: itWIRE
Ransomware hunters: the self-taught tech geniuses fighting cybercrime
FROM THE MEDIA: Around 9pm on Monday 23 November 2020, the IT manager for a school in central London received a text message from a colleague, saying the school’s website was down. He tried logging on but couldn’t. At first, he thought he had forgotten the password. After several attempts, he realized that he was locked out. The IT manager, Matthew (he asked us not to use his last name), works in a central London neighborhood where affluence hides pockets of poverty, and migrant families from Pakistan, India and eastern Europe pin their hopes for their children on a small, publicly funded school. It has about 150 students aged between five and 10, many of them on free school meals.
READ THE STORY: The Guardian
Musk and Zelenskiy in Twitter showdown over billionaire's Ukraine peace plan
FROM THE MEDIA: Billionaire Elon Musk on Monday asked Twitter users to weigh in on a plan to end Russia's war in Ukraine that drew immediate condemnation from Ukrainians, including President Volodymyr Zelenskiy, who responded with his own poll. "Which @elonmusk do you like more?," Zelenskiy tweeted, offering two responses: one who supports Ukraine, one who supports Russia. Musk, the world's richest person, proposed U.N.-supervised elections in four occupied regions that Moscow last week moved to annex after what it called referendums. The votes were denounced by Kyiv and Western governments as illegal and coercive.
READ THE STORY: Reuters
Job-themed lures used in new malware campaign
FROM THE MEDIA: Cobalt Strike beacons are being deployed in a new malware campaign involving fraudulent job-themed lures, which was initially identified in August, reports The Hacker News. Threat actors have been exploiting a Microsoft Office remote code execution vulnerability, tracked as CVE-2017-0199, to facilitate system takeovers, with phishing emails having a Word document containing employment opportunities in the U.S. government and New Zealand-based trade union Public Service Association being the initial attack vector, according to a Cisco Talos report. Such an attack then results in the delivery of a leaked Cobalt Strike beacon.
READ THE STORY: SCMAG // Security Boulevard
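The item above names CVE-2017-0199 and Word documents as the initial vector. A defender-side check that follows from that is to look inside a .docx for OLE object relationships whose target is an external URL rather than an embedded part, which is the general indicator of an OLE-linked remote object. The following is an added example, not code from Cisco Talos, SCMAG or any product named in the article; it builds two constructed .docx files in memory (one benign, one with an external OLE link to the reserved `example.invalid` domain) and scans both with only the standard library.

```python
"""Flag .docx files whose OLE objects link to an external target.

A Word document's OLE relationships live in word/_rels/*.rels as
<Relationship Type=".../oleObject" ...>. An embedded object points at a
part inside the package; an object fetched from a remote location carries
TargetMode="External" and an http(s) Target. This added example scans for
the latter. The sample documents are constructed here for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def external_ole_targets(docx_bytes):
    """Return [(rels_part, target)] for every external OLE relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Only relationship parts under word/ describe document objects.
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def is_suspicious(docx_bytes):
    """True when at least one OLE object is loaded from outside the file."""
    return bool(external_ole_targets(docx_bytes))


def build_docx(rels_xml):
    """Constructed minimal .docx: just the parts the scanner needs to read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: OLE object embedded inside the package (normal).
BENIGN_RELS = f'''<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>'''

# Constructed sample: OLE object pulled from a remote URL (flag it).
SUSPICIOUS_RELS = f'''<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}"
      Target="http://example.invalid/object" TargetMode="External"/>
</Relationships>'''


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        doc = build_docx(rels)
        print(label, "->", external_ole_targets(doc) or "no external OLE links")
```

The scan is deliberately narrow: it reports only external OLE relationships, so an ordinary document with embedded objects passes, and it can be run over a mail gateway's quarantine without opening the file in Office. Pair it with patch status for the Office versions the article's vulnerability covers, since the indicator says where the object comes from, not whether the host would act on it.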
Los Angeles schools’ data leaked after ransomware attack
FROM THE MEDIA: Vice Society published the stolen data two days after it listed the district on its ransomware leak site. LAUSD Superintendent Alberto Carvalho forcefully rejected the demand Friday in a public response. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” Carvalho said in the statement.
READ THE STORY: CyberSecurityDive // arsTechnica // AXIOS
Items of interest
How the West can thwart the next energy pipeline attack
FROM THE MEDIA: Europe and its allies are on high alert following four explosions last week along the Nord Stream 1 and 2 natural gas pipelines. While there is still no definitive answer on who bears responsibility—though seismologists have ruled out anything other than an explosion and European Union (EU) foreign-policy chief Josep Borrell called it a “deliberate act”—many suspect the Kremlin is the culprit.
Either way, the episode shows the United States and Europe must work together to secure critical energy infrastructure from kinetic and cyber threats and respond swiftly as additional information comes to light.
Initially, Russian sabotage may seem counterintuitive in this case. If Russia wanted to prevent gas flowing to Germany, it could have simply withheld supply without damaging future export infrastructure (as it has already done). Yet brazen assaults on infrastructure off the Danish and Swedish coasts could be easily used to spark panic in Europe over future attacks, further destabilize energy markets, and allow conspiracy theories to fester. All are known to be tricks of the Kremlin trade.
READ THE STORY: Atlantic Council
Hacking Multi-Factor Authentication [ML B-side] | Malicious Life (Video)
FROM THE MEDIA: Multi-Factor Authentication (MFA) is usually considered a better solution for authentication than just using passwords. But Roger Grimes, a veteran security professional and Data-Driven Defense Evangelist, claims that the sense of security current MFA solutions provide us is false.
China’s Unrestricted Warfare, Part 1 | Malicious Life Podcast (Video)
FROM THE MEDIA: Back in the 1990s, cyberwarfare was a word rarely used in the West – and definitely unheard of in China, which was just taking its first steps on the Internet. Two Chinese military officers, veterans of the semi-conflict with Taiwan, helped shape the role of cyber in modern warfare in China and beyond.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com