Thursday, October 06, 2022 // (IG): BB // INTSUM // Coffee for Bob
Relentless Russian Cyberattacks on Ukraine Raise Important Policy Questions
FROM THE MEDIA: The first shots in the Russia-Ukraine cyberwar were fired virtually on Feb. 23, when destructive attacks were launched against organizations the day before Russian military troops moved into Ukraine. Microsoft was figuratively "there," observing the developments — and its researchers were immediately concerned. The tech giant happened to have pre-positioned sensors within various public and private networks in-country, installed in conjunction with Ukrainian incident-recovery teams in the wake of previous cyberattacks.
READ THE STORY: DARKReading
US military contractor infiltrated in long-term data exfiltration operation
FROM THE MEDIA: Numerous state-sponsored threat actors were able to compromise and exfiltrate data from a U.S.-based defense industrial base organization between January and November last year, BleepingComputer reports. Attackers behind the compromise leveraged the CovalentStealer malware in combination with the Impacket open-source toolkit, China Chopper webshells, and the HyperBro remote access trojan, a joint report from the FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency showed.
READ THE STORY: SCMAG
As Iran throttles its internet, activists fight to get online
FROM THE MEDIA: As protesters flooded the streets of Iran in September after the death in custody of Mahsa Amini — a 22-year-old woman who was arrested for not wearing her hijab in accordance with the country’s strict dress code for women — videos and images of the protests spread online inside the country. Previously unheard-of acts, such as the destruction of pictures of Iran’s Supreme Leader or women removing their hijabs, were spread by smartphone video.
READ THE STORY: TC
EU Watchdog Mulls Regulation of AI-Cybersecurity Firms
FROM THE MEDIA: In what’s been called the fourth industrial revolution, artificial intelligence (AI) is radically transforming global economies at a pace that has regulators scrambling to keep up. In the European Union (EU), the proposed Regulation Laying Down Harmonized Rules on Artificial Intelligence (“the AI Act”) is the most comprehensive piece of legislation to date.
READ THE STORY: PYMNTS
How one group of 'fellas' is winning the meme war in support of Ukraine
FROM THE MEDIA: The North Atlantic Fella Organization, or NAFO, has arrived. Ukraine’s Defense Ministry celebrated the group on Twitter for waging a “fierce fight” against Kremlin trolls. And Rep. Adam Kinzinger, D-Ill., tweeted that he was “self-declaring as a proud member of #NAFO” and “the #fellas shall prevail.” The brainchild of former Marine Matt Moores, NAFO launched in May and quickly blew up on Twitter.
READ THE STORY: Cyberscoop
Major sideloading cryptojacking campaign in progress
FROM THE MEDIA: Bitdefender researchers say they've detected a significant cryptojacking campaign in the wild. It's a sideloading campaign, and represents an evolution in criminal cryptojacking technique. Bitdefender explains, "This is the case of an active cryptojacking campaign that uses a Dynamic Library Link (DLL) hijacking vulnerability in OneDrive to achieve persistence and run undetected on infected devices."
READ THE STORY: The Cyberwire
RansomEXX ransomware attack refuted by Ferrari
FROM THE MEDIA: Italian luxury sports car manufacturer Ferrari has dismissed being impacted by a ransomware attack after the RansomEXX ransomware operation claimed to have stolen 7GB of data from the car maker, reports The Record, a news site by cybersecurity firm Recorded Future. RansomEXX posted the claims of stolen data, which it says includes invoices, contracts, internal company information, and repair manuals, among others, just four days after Ferrari's Formula 1 team and Bitdefender announced a new partnership, said DarkFeed in a tweet.
READ THE STORY: SCMAG
Russia finding new ways to spread propaganda videos
FROM THE MEDIA: Russia has devised yet another way to spread disinformation about its invasion of Ukraine, using digital tricks that allow its war propaganda videos to evade restrictions imposed by governments and tech companies. Accounts linked to Russian state-controlled media have used the new method to spread dozens of videos in 18 different languages, all without leaving telltale signs that would give away the source, researchers at Nisos, a U.S.-based intelligence firm that tracks disinformation and other cyber threats, said in a report released Wednesday.
READ THE STORY: The Asahi Shimbun
Russia’s Cyber Attacks in Ukraine Are Less About Testing New Attacks and All About Regime Survival
FROM THE MEDIA: A recent article in Newsweek suggested that Russia is using the ongoing conflict in Ukraine as a test bed for new cyber weaponry and tactics to ultimately be used against NATO. Per one Ukrainian security official, Ukraine has been on the receiving end of at least eight years’ worth of cyber attacks that have ranged from disruption to destruction, depending on the type of attack.
READ THE STORY: OODALOOP
Fake News Sites Pumping Out Pro-Russian Disinformation
FROM THE MEDIA: A boy dies in a cycling accident in Berlin after street lights were turned off at night, as Germany faces an energy crunch following the shutdown of Russian gas supplies. At first glance, the story appears to be a genuine article from the country's top tabloid, Bild, and it was shared on Facebook. But investigations, including by AFP, found it was disinformation, part of a major campaign in which leading news sites -- mainly in Germany but also other European countries -- were imitated to spread pro-Moscow messages.
READ THE STORY: BARRONS
Space, the unseen frontier in the war in Ukraine
FROM THE MEDIA: In an interview with the BBC, the head of the US Space Force, General Jay Raymond, describes it as the "first war where commercial space capabilities have really played a significant role". It's also the first major conflict in which both sides have become so reliant on space. Gen Raymond - whose service is the newest branch of the US armed forces - avoids giving precise details of how the US and its allies have been helping Ukraine. But he gives a clear indication of what it's been doing.
READ THE STORY: BBC
Nord Stream attacks show the way war is evolving across air, land, sea, space and through cyberspace
FROM THE MEDIA: It's not yet clear who carried out the attacks on the Nord Stream gas pipelines in the Baltic Sea last week, although many Western nations are suspicious it was an act of sabotage by Russia. What is clear is that the ruptures have added to already heightened tensions and an impending energy crisis in the region. While further investigations are required, if Russia was behind such sabotage, we can view it as an evolution of "hybrid warfare", because it would highlight how the energy sector and critical infrastructure can be strategically targeted as an unconventional warfare method.
READ THE STORY: ABC Net AU
LinkedIn Faces Flood of AI-Generated Fake Profiles
FROM THE MEDIA: Fake LinkedIn executive profiles are creating an issue for the business networking site, a report from KrebsOnSecurity said. The fake identities, pairing AI-generated profile photos with text lifted from legitimate accounts, have caused trouble for corporate HR departments and for those who run invite-only groups on LinkedIn. KrebsOnSecurity has looked into numerous fake profiles, all of which claimed to be Chief Information Security Officers at Fortune 500 companies such as Biogen, Chevron, ExxonMobil and Hewlett Packard.
READ THE STORY: PYMNTS
Novel advanced malware leveraged in reemerging Prilex attacks
FROM THE MEDIA: The Hacker News reports that Brazilian threat actor Prilex has reemerged in new attacks leveraging advanced point-of-sale malware rather than the ATM-focused malware it used prior to its year-long hiatus. While Prilex has also demonstrated the capability to conduct EMV replay attacks, Kaspersky researchers have observed the threat actor transitioning to a new "GHOST transactions" approach, which uses a stealer that captures the communications between PoS software and the PIN pad in an effort to obtain card information.
READ THE STORY: SCMAG
Fast Company Back Online After Lewd, Racist Hack Attack Forces 8-Day Shutdown
FROM THE MEDIA: After more than a week in the dark, FastCompany was back online Tuesday. A hacker brought the independent business magazine’s website and Apple News feed down last week, putting vile and racist language where news headlines are supposed to go. FastCompany immediately shut down its website to investigate … then the clock started ticking.
READ THE STORY: The Wrap
Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast
FROM THE MEDIA: Researchers have demonstrated how an attacker could take over control of light bulbs in the Ikea Trådfri smart lighting system, ultimately turning the bulbs up to full brightness — and users can't turn them down through the app or the remote control. Cybersecurity analysts at Synopsys CyRC found that by re-sending the same malformed Zigbee (IEEE 802.15.4) frame over and over again, an attacker could take advantage of two vulnerabilities (tracked as CVE-2022-39064 and CVE-2022-39065) in the Ikea Trådfri smart lighting system.
READ THE STORY: DARKReading
Family Medical informs 234K patients of possible data compromise
FROM THE MEDIA: Family Medical Center Services recently informed 233,948 patients that their data was potentially compromised after a “network data security incident” on July 26. FMC is a network of 75 primary care clinics in Amarillo and Canyon, Texas. Upon discovering the incident, FMC deployed measures to stop the proliferation and launched an investigation. The forensics did not show whether any information was “specifically accessed for misuse.”
READ THE STORY: SCMAG
BlackByte ransomware abuses legit driver to disable security products
FROM THE MEDIA: The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions. Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.
READ THE STORY: Bleeping Computer
Avast releases free decryptor for Hades ransomware variants
FROM THE MEDIA: Avast has released a decryptor for variants of the Hades ransomware known as 'MafiaWare666', 'Jcrypt', 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free. The security company says it discovered a flaw in the encryption scheme of the Hades strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system.
READ THE STORY: Bleeping Computer
CommonSpirit cyberattack spurs IT outages at CHI Memorial, hospitals across US
FROM THE MEDIA: A cyberattack deployed against CommonSpirit has led to IT outages at hospitals across the U.S., including multiple CHI Memorial hospitals in Chattanooga, Tennessee. Local media outlets report the incident has also caused disruptions at hospitals run by Virginia Mason Franciscan Health (VMFH) in Seattle. While some local reports claim the attack struck the electronic health record (EHR) vendor, the cyber incident in fact struck CommonSpirit, the second-largest nonprofit hospital chain in the country. CommonSpirit operates more than 700 care sites and 142 hospitals in 21 states.
READ THE STORY: SCMAG
Cyber Attacks On the Rise at US Ports and Terminals
FROM THE MEDIA: Cyber attack attempts are becoming more common at U.S. ports and terminals, according to findings published this week by law firm Jones Walker LLP. The firm publicly released the findings of its 2022 Ports and Terminals Cybersecurity Survey, examining cybersecurity preparedness in U.S.-based ports and terminals. The report outlining the results of the survey is authored by four of the firm’s attorneys, and the findings were presented by two of them, Jim Kearns and Andy Lee, during the Inland Rivers, Ports & Terminals (IRPT) conference in Tulsa, Oklahoma.
READ THE STORY: Marinelink
Uber’s former security chief convicted of data hack coverup
FROM THE MEDIA: Uber Technologies Inc.’s former security chief was convicted of concealing a massive data breach in a case that prosecutors tied to the company’s troubled past under its original leadership. Joe Sullivan was found guilty in federal court in San Francisco on Wednesday by a jury that rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.
READ THE STORY: Los Angeles Times
The impact of cyberattacks in Latin America
FROM THE MEDIA: It is crucial that companies detect attacks before they become a real risk and before criminals turn business data into valuable assets. According to Netdata figures, 51% of Latin American organizations have suffered a ransomware attack in the last two years, driven by the pandemic and digital acceleration, including the adoption of environments with weaker boundaries and less reliable connectivity.
READ THE STORY: Intelligent CIO
Musk’s Twitter plans
FROM THE MEDIA: As Elon Musk moves ahead with plans to buy Twitter, we’ll dive into what to expect from the billionaire tech mogul as the deal proceeds. Meanwhile, federal officials on Tuesday expressed confidence that any attempts to manipulate votes at scale in November’s election will be detected and thwarted. Elon Musk is proceeding with a deal to buy Twitter for $44 billion, the original purchase price agreed upon in April, amid an intense legal battle between the two sides.
READ THE STORY: The Hill
Mexican government responds to Pegasus allegations
FROM THE MEDIA: As we noted yesterday, the Citizen Lab report confirmed that Pegasus spyware was used to track the devices of journalists and a human rights defender in Mexico, and there is evidence indicating the Mexican government purchased the controversial surveillance spyware. Reuters reports that Mexican President Andres Manuel Lopez Obrador yesterday responded to the allegations, denying his administration had spied on the victims.
READ THE STORY: The Cyberwire
Russian Hackers Reveal List of American Targets for Attack
FROM THE MEDIA: A pro-Russian computer hacking cell announced it will be launching a series of cyber attacks on a number of United States government websites in an apparent response to escalating tensions between the country and the North Atlantic Treaty Organization (NATO). In a Telegram post Wednesday, Killnet, a notorious "hacktivist" group formed at the onset of the Ukraine war earlier this year, posted a list of several governmental websites it would be targeting in the coming days beneath an image of a nuclear explosion behind the Statue of Liberty and the words, "F**K NATO."
READ THE STORY: Newsweek
GAO: Feds helpful on ransomware, could be more communicative
FROM THE MEDIA: State and local governments give federal agencies like the FBI, the Cybersecurity and Infrastructure Security Agency and the U.S. Secret Service solid marks on the assistance they provide after ransomware attacks. But states and localities also feel broadly that those agencies could improve their outreach and communications, according to a report made public Tuesday by the U.S. Government Accountability Office.
READ THE STORY: Statescoop
Analysis of LilithBot Malware and Eternity Threat Group
FROM THE MEDIA: ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022. Eternity uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.
READ THE STORY: Security Boulevard
Bitcoin Defi Protocol Sovryn Gets Hacked for Over $1 Million
FROM THE MEDIA: Sovryn – a Bitcoin-based decentralized finance protocol – was drained of over $1 million in funds on Tuesday using a price manipulation exploit. The attack allowed the culprit to drain over $1 million worth of crypto from the protocol, including 44.93 RBTC and 211,045 USDT. According to Sovryn’s blog post on the topic, the attacks specifically targeted the legacy Sovryn Borrow/Lend protocol. It impacted the RBTC and USDT lending pools.
READ THE STORY: CryptoPotato
Russian-speaking hackers knock US state government websites offline
FROM THE MEDIA: Russian-speaking hackers on Wednesday claimed responsibility for knocking offline state government websites in Colorado, Kentucky and Mississippi, among other states – the latest example of apparent politically motivated hacking following Russia’s invasion of Ukraine.
READ THE STORY: CNN
Cryptocurrency scam sites compromised for crypto theft
FROM THE MEDIA: BleepingComputer reports that malicious decentralized applications or cryptocurrency scam sites are being targeted by a threat actor dubbed "Water Labbu" to exfiltrate funds stolen from scam victims. At least 45 scam websites have already been infiltrated by Water Labbu, which has amassed at least $316,728 in profits, through an attack involving malicious JavaScript injection, according to a Trend Micro report.
READ THE STORY: SCMAG
Former AWS employee given 5 years probation for Capital One hack
FROM THE MEDIA: A former Amazon Web Services Inc. employee has been sentenced to time served and five years probation for stealing more than 100 million records belonging to Capital One Financial Corp. in 2019. Paige A. Thompson, who worked for AWS as an engineer until 2016, was found guilty in June of seven charges relating to the hack, including wire fraud, illegally accessing a protected computer and damaging a protected computer.
READ THE STORY: SiliconANGLE
Items of interest
CCP ‘Suppress the Truth and Spread Lies’ in Solomon Islands: Australian Think Tank
FROM THE MEDIA: A new report from the Australian Strategic Policy Institute (ASPI) has revealed that Beijing is spreading false information in the Solomon Islands in an attempt to undermine its partnerships with Australia and the United States.
The report entitled “Suppressing the Truth and Spreading Lies: How the CCP is influencing Solomon Islands’ information environment,” published on Oct. 5, examined how the Chinese Communist Party (CCP) used local media and disinformation to sway public opinion and undermine the Solomons’ existing partnerships with countries such as Australia and the United States during the mass protest in its capital Honiara last year.
READ THE STORY: The Epoch Times
How Hackers Used Porn Ads to Extort Millions From Embarrassed Victims Darknet Diaries Ep. 44: Zain (Video)
FROM THE MEDIA: Most malware lurks quietly on your computer to steal your information. But ransomware shouts: "Pay up or face the consequences!" This is the story of how a British kid, Russian hackers, and porn advertisements extorted millions from unsuspecting victims.
Liberty Reserve Scam (Video)
FROM THE MEDIA: Liberty Reserve, one of the world's main money exchangers, has been shut down following the arrest of owner Arthur Budovsky. Solidtrustpay offers a safe, secure and trustworthy solution to all those needing to pay or get paid.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com