Tuesday, October 11, 2022 // (IG): BB // INTSUM // Coffee for Bob
Pro-Russian hackers claim responsibility for knocking U.S. airport websites offline
FROM THE MEDIA: A pro-Russian hacker group is taking credit for temporarily taking down several U.S. airport websites on Monday, though there appeared to be no impact on flight operations. The attacks claimed by Killnet impacted the websites for Los Angeles International, Chicago O'Hare, and Hartsfield-Jackson International in Atlanta, among others. The group posted a list of airports on Telegram, urging hackers to participate in what's known as a DDoS attack — a distributed denial-of-service caused when a computer network is flooded by simultaneous data transmissions.
READ THE STORY: NPR // MarketWatch // Barron’s // Bloomberg Law
Iran State-Run TV’s Live Transmission Hacked by Edalate Ali Hackers
FROM THE MEDIA: A group of anti-Iranian government hackers going by the name of “Edalate Ali” (Justice of Ali) has claimed responsibility for hacking and interrupting a state-run TV channel’s live broadcast on Saturday. It is worth noting that the cyberattack was carried out under the banner of OpIran, an operation initiated by the online hacktivist group Anonymous in support of Iranians protesting against the death of 22-year-old Kurdish-Iranian Mahsa Amini while under detention by Tehran’s morality police, called the Guidance Patrol.
READ THE STORY: HackRead
State Bar of Georgia Confirms Data Breach Following Ransomware Attack
FROM THE MEDIA: The incident occurred in April 2022 and was disclosed in early May, when few details were shared by the organization. Roughly one month later, the bar revealed that the attack involved BitLocker ransomware, which encrypted tens of servers and workstations. “Although this has been officially described as a ransomware attack, no monetary demand has been made and no proof of possession of any personally identifiable information or other data has been provided,” a State Bar of Georgia representative said at the time.
READ THE STORY: SecurityWeek
UK Spy Chief Says China’s Digital Currency Could Evade Sanctions
FROM THE MEDIA: China is learning the lessons of Russia’s war in Ukraine and could use its centralized digital currency to avoid future sanctions, UK spy chief Jeremy Fleming will warn. Fleming, the director of the intelligence, cyber and security agency GCHQ, will use a speech in London on Tuesday to argue the Chinese Communist Party leadership is using its “financial and scientific muscle” to manipulate strategically important technologies as a means to control companies and ordinary people.
READ THE STORY: Bloomberg
Emotet Rises Again With More Sophistication, Evasion
FROM THE MEDIA: The threat group behind the Emotet malware-delivery botnet has resurrected the malware-as-a-service offering with more sophisticated countermeasures to foil takedowns. According to a 68-page analysis on Oct. 10 from VMware's Threat Analysis Unit — based on data collected from several new Emotet campaigns in early 2022 — the group has learned lessons from the 2021 law enforcement takedown of the group's infrastructure.
READ THE STORY: DARKReading // Technology Decisions
PayPal Says Plan for Misinformation Fines Was Published in Error
FROM THE MEDIA: PayPal Holdings Inc. said it has no intention of fining customers for spreading misinformation, after attracting criticism for publishing a new user agreement outlining such a plan. The issue gained traction over the weekend after the company published policy updates prohibiting users from using the PayPal service for activities identified by the company as “the sending, posting, or publication of any messages, content, or materials” promoting misinformation, in an Acceptable Use Policy due to kick in on Nov. 3.
READ THE STORY: Bloomberg Law
CVE-2022-40684 flaw in Fortinet products is being exploited in the wild
FROM THE MEDIA: Last week, Fortinet addressed a critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies. An attacker can exploit the vulnerability to log into vulnerable devices. “An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company’s PSIRT.
READ THE STORY: Security Affairs
The US Department of Defense Has Formally Blacklisted DJI as a “Chinese Military Company”
FROM THE MEDIA: It seems that DJI is facing even more struggles in the US as the Department of Defense (DoD) adds the company to the list of Chinese companies on its official blacklist, classifying it as a “Chinese military company”. DJI’s been facing problems with the US government since at least 2017, when the US Army banned the use of DJI drones over perceived cyber vulnerabilities. DJI was then added to the US Economic Blacklist in 2020.
READ THE STORY: DIY Photography
Feds Warn Healthcare Over Cobalt Strike Infections
FROM THE MEDIA: If every second hack seems to involve malicious use of penetration testing tool Cobalt Strike, it's not just your imagination. Russian hackers deployed Cobalt Strike's command and control function during their attack against SolarWinds' network management software. Hackers who earlier this year got into Cisco corporate IT infrastructure used the tool. The first thing the threat actor behind the Emotet malware does after an initial infection is to download Cobalt Strike onto compromised endpoints.
READ THE STORY: Bank InfoSec
Hackers behind IcedID malware attacks diversify delivery tactics
FROM THE MEDIA: The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets. Researchers at Cymru have observed several campaigns in September 2022, all following slightly different infection pathways, which they believe is to help them evaluate effectiveness. Moreover, the analysts have noticed changes in the management of the command and control server (C2) IPs used in the campaigns, now showing signs of sloppiness.
READ THE STORY: Bleeping Computer
Caffeine service lets anyone launch Microsoft 365 phishing attacks
FROM THE MEDIA: A phishing-as-a-service (PhaaS) platform named 'Caffeine' makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. Caffeine doesn't require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind.
READ THE STORY: Bleeping Computer
Google Play Store cuts off access to customizable ad-free Instagram hack
FROM THE MEDIA: App stores like Google Play serve two different customer groups, with interests all their own. Smartphone users are mostly concerned about stores detecting malicious apps, and keeping their devices safe, while developers want exposure for their software, and protection for their IP. When one app starts accessing another's services in an unauthorized way, though, we're almost certainly headed for conflict, as we saw earlier this year with the shutdown of YouTube Vanced.
READ THE STORY: Android Police
Who is the Russian Hacker Group KILLNET
FROM THE MEDIA: In April 2021, Five Eyes issued a warning about the possible cyber threats that could happen amid Russia's invasion of Ukraine. Five Eyes is the intelligence alliance group of five countries — United States, United Kingdom, New Zealand, Canada, and Australia — that monitors electronic communications. The alert also noted the public threats and pledges from cybercrime groups that support Russia (via CISA).
READ THE STORY: Grunge
Singtel-owned Dialog Group hacked
FROM THE MEDIA: Singtel-owned IT consultancy Dialog Group has notified customers and staff of an attack on its systems in September 2022. The company published an advisory, later carried by its parent, which says the incident is unrelated to last month’s attack on Optus. The statement says Dialog’s systems are separate to those of Optus, and also of the other Singtel companies in its ownership chain. Dialog said “an unauthorized third party may have accessed company data, potentially affecting fewer than 20 clients and 1000 current Dialog employees as well as former employees.”
READ THE STORY: itnews
Hackers can guess your password using thermal imagery
FROM THE MEDIA: Computer security experts have developed a system capable of guessing computer and smartphone passwords using thermal imagery. Researchers from the University of Glasgow developed the system, called ThermoSecure, which analyses the traces of heat fingertips leave on keyboards and screens. Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded.
READ THE STORY: Information Age
Mexican government hack reveals military sold arms, received escort from Cartels
FROM THE MEDIA: A major leak of Mexican government documents revealed that members of the military sold weapons and information to the cartels. "Sedena [Secretariat of National Defense] reported in its confidential report that the supplier of weapons and tactical equipment is another alleged member of the Army, whom the criminals refer to as 'antiguo' and who, according to the analysis of his telephone signal, is based in Campo Military No. 1 of Mexico City," according to the documents.
READ THE STORY: Yahoo News
Zoom Phishing Scam Steals Microsoft Exchange Credentials
FROM THE MEDIA: According to cybersecurity firm Armorblox, the email-based attack used a socially engineered payload that easily tricked the Microsoft Exchange email security mechanisms. These include Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting & Conformance. The email stated that two messages were to be checked on Zoom. The email also contained a malicious link with a call-to-action button. There was another malicious link for the unsubscribe button.
READ THE STORY: HackRead
Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky
FROM THE MEDIA: A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky. "Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week. Earth Aughisky, also known as Taidoor, is a cyber espionage group that's known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends.
READ THE STORY: THN
Elon Musk’s SpaceX loses Starlink domain battle with Mexican company
FROM THE MEDIA: SpaceX has lost a cybersquatting challenge against a company in Mexico that registered the domain name starlinkmx.com. StarGroup is a company that offers telecommunications and entertainment services in Mexico. It was established 60 years ago and has several brand names including Star TV, Star Go, Star Line and Star Group. The company applied for trademarks in Mexico for Starlink for communications starting in 2015. This was about the time that SpaceX announced plans for its satellite service, although it does not appear SpaceX began using the Starlink name back then.
READ THE STORY: DNW
Singtel's 'old data' first posted on dark web in Feb 2021
FROM THE MEDIA: Brett Callow, a senior security researcher with the New Zealand-based Emsisoft, told iTWire that the data had been originally posted on the dark web site of the Windows ransomware group, Cl0p. "In February 2021, Cl0p posted data that it claimed was stolen from Singtel, and it’s that data which Singtel states is now being shared via the forum in question," he said. Callow's statement appears to refute a claim made by the Guardian Australia which read: "Singtel informed those affected, but the post on the data leak forum is believed to be the first time the data has purportedly been posted online."
READ THE STORY: iTWire
Dark Web Site Publishes Details of 1.2 Million Credit Card Holders
FROM THE MEDIA: The credentials of over 1 million credit card holders have leaked online as part of a marketing ploy by a dark web site. A report from BleepingComputer shows that the BidenCash carding marketplace published a database showing credentials from 1.2 million+ credit cards, which are now available online. Included in the dump are card numbers, account holder names, banks, card types, email addresses, physical addresses, phone numbers, social security numbers, expiration dates, and CVV numbers. Yes, just about everything someone would need to purchase items online using the card.
READ THE STORY: WinBuzzer
Intel Alder Lake CPU BIOS Source Code, Tools and Files Leaked on GitHub and 4chan
FROM THE MEDIA: The leaked data, amounting to 5.86 GB (2.8 GB when compressed), contains code for UEFI or Unified Extensible Firmware Interface building and optimization and other tools and files. While Intel confirmed the leak, the company said the leaked data does not contain any sensitive files that could expose weaknesses and open the CPU to exploitation by threat actors.
READ THE STORY: Spiceworks
Ukrainian forces report Starlink outages in areas liberated from Russian control
FROM THE MEDIA: Ukrainian forces have reported outages of their Starlink communications, in what could be a potential setback in the country's push to liberate parts of the country from Russian forces. The Financial Times first reported the outages, with these outages leading to a "catastrophic" loss of communications in recent weeks, per one senior Ukrainian government official, the FT revealed. Starlink, which is a subsidiary of Elon Musk's SpaceX, has supported Ukraine's efforts since its conflict with Russia began in late February.
READ THE STORY: DCD
The black market to avoid Putin mobilization order is booming
FROM THE MEDIA: Since 21 September, when Putin’s partial mobilization was announced, Flashpoint analysts have observed a growing amount of chatter in Russian illicit communities and social media platforms about these methods. We have also seen an underground market of fake certificates and other services to avoid the draft emerging on various forums, including Telegram.
READ THE STORY: iTWire
Monster RaaS: Revival of Delphi and New Trend in Malware Developer Behavior
FROM THE MEDIA: Designated as both high-impact and high-risk by the researchers, ransomware-as-a-service (RaaS) named “Monster” was first seen in March 2022. Researchers identified it largely due to its similarities with Zeppelin RaaS, which also uses the Delphi scripting language. Zeppelin was notable for attacking tech and healthcare companies in Europe and the U.S. As Rohner notes, “The Zeppelin variant was visibly distinct.”
READ THE STORY: BlackBerry
Reducing the Environmental Cost of Cyber Currency Mining
FROM THE MEDIA: We live in a world where wasteful energy use is coming under greater scrutiny in nearly every sector, with regulators looking for new ways to cut carbon emissions – from restricting the future sale of gasoline cars to mandating better energy conservation in buildings and appliances. Yet, as it turns out, cryptocurrency mining remains one of the world’s major energy consumers.
Can the cyber currency markets change on their own, or will they be forced to switch to lower-energy-cost methods? We investigate in this Form space technology report.
READ THE STORY: Newswires
The Coming Chinese Weapons Boom
FROM THE MEDIA: Shortly after Russia’s annual military expo concluded in August, Alexander Mikheyev, the head of the country’s state arms export agency, predicted that revenues from Russian arms exports in 2022 would be down 26 percent from last year. Russia remains the world’s second-largest arms exporter after the United States, according to the Stockholm International Peace Research Institute; it would take a far larger drop in revenues to change that.
READ THE STORY: Foreign Affairs
Shadow API is the Leading API Security Threat With Over 5 Billion Attacks, Says API Protection Report
FROM THE MEDIA: The Cequence threat research team released its API security report for the first half of 2022, showing that nearly a third of malicious requests target shadow API. The team analyzed over 16.7 billion API transactions and discovered that 31% or 5 billion malicious requests targeted unknown, unmanaged, or unprotected APIs called shadow API. According to Cequence, shadow API was the leading source of API security risks, followed by API abuse or OWASP API10+ and the “Unholy Trinity” of credential stuffing, shadow API, and sensitive data exposure.
READ THE STORY: CPO
CISOs, corporate boards in wide disagreement on cyber resilience
FROM THE MEDIA: The research comes at a critical juncture in the infosec world about the relationship between CISOs, the C-suite and boards of directors. Congress, federal agencies and a growing number of states are demanding robust and immediate disclosure of cybersecurity incidents following the 2020 nation-state attack against SolarWinds. A series of high-profile and disruptive ransomware incidents, most notably the May 2021 attack against Colonial Pipeline, have added to the tension.
READ THE STORY: CyberSecurityDive
Lloyd’s finishes cyber threat investigation and starts restoring online systems
FROM THE MEDIA: As a result, Lloyd’s has started restoring external connectivity with the marketplace, having temporarily shut it down last Wednesday. Lloyd’s expects to have all systems fully operational by this Wednesday. A Lloyd’s spokesperson said: “Last week, unusual activity was detected on the Lloyd’s network. As a result, the proactive decision was made to take some systems offline and perform a cyber security investigation.”
READ THE STORY: Insuranceage
Items of interest
‘Grey zone’ warfare exposes Western weaknesses, including in Australia
FROM THE MEDIA: When first asked about the possibility that Russia might use nuclear weapons against his country, President Volodymyr Zelensky didn’t talk about bombs. He talked about a more immediate nuclear threat to Ukraine.
For months, Russia has been endangering the huge nuclear power plant at Zaporizhzhia in southeast Ukraine, and on the weekend it took a step closer to turning it into a radioactive bomb. The last remaining external electricity supply was cut by shelling near the plant, the biggest in Europe. The reactors need electric power to run their cooling systems. Without cooling, they will overheat and melt down in a fire that could spread radioactive fallout in whichever direction the wind is blowing.
READ THE STORY: The Sydney Morning Herald
Peel the Onion (Intel Bytes) (Video)
FROM THE MEDIA: Welcome to another video in the series Intel Bytes, where I go over topics on cyber threat intel, OSINT, privacy and a dash of Red Team. In today's video I go over the dark web search tool OnionSearch. Routing through Tor, this tool will let you search multiple established dark web search engines in one go, great for gathering intel on keywords.
EP003: Red Team | HACKING GOOGLE (Video)
FROM THE MEDIA: Go behind the scenes with the Red Team, the elite hackers dedicated to attacking Google’s own network. They sneak into buildings, launch phishing campaigns, and distribute malware across the company. Countless crucial protections have been created in response to the Red Team’s relentless assault on Google’s products.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com