Friday, October 14, 2022 // (IG): BB // INTSUM // Coffee for Bob
Cyberattacks And Satellite Sabotage: Putin's Non-Nuclear Escalations
FROM THE MEDIA: U.S. President Joe Biden turned heads last week by warning Russian President Vladimir Putin is "not joking" when he issues thinly veiled threats of using weapons of mass destruction as his invasion of Ukraine struggles, potentially threatening his 23-year hold on power. Days earlier, Senator Marco Rubio, a Republican member of the upper U.S. legislative chamber's intelligence committee, also made headlines when he said he feared Russia could launch a conventional strike against a NATO member to impede the alliance's military aid to Ukraine.
READ THE STORY: OilPrice
The Budworm espionage group resurfaced targeting a U.S.-based organization for the first time, Symantec Threat Hunter team reported
FROM THE MEDIA: The Budworm cyber espionage group (aka APT27, Bronze Union, Emissary Panda, Lucky Mouse, TG-3390, and Red Phoenix) is behind a series of attacks conducted over the past six months against a number of high-profile targets, including the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature. This is the first time that Symantec researchers have observed the Budworm group targeting a U.S.-based organization. The group also targeted a hospital in South East Asia.
READ THE STORY: Security Affairs // InfoSecMag // The Cyberwire
Russia looks to deprive Ukrainians of water and electricity as winter approaches
FROM THE MEDIA: Ukraine has been dealing with a spate of Russian missile attacks on its energy infrastructure this week, causing the widespread loss of water and power supplies, damaging its communications network and prompting blackouts in cities across the country. They affected hundreds of thousands of Ukrainians, and there are concerns that such attacks, and the likelihood of Russia continuing to target critical infrastructure, leave civilians very vulnerable as winter approaches.
READ THE STORY: CNBC
APT Groups Had “Long-Term Access” to a Defense Organization, Exfiltrated Sensitive Data
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued a joint cybersecurity advisory on multiple advanced persistent threat (APT) groups that compromised a Defense Industrial Base (DIB) sector organization and exfiltrated sensitive data. CISA and third-party incident response firm Mandiant responded to a network security incident between November 2021 and January 2022. Both response teams discovered a threat actor on the victim's network. The federal security agency also discovered that multiple threat actors had access to the victim's environment, with possible long-term persistence.
READ THE STORY: CPO
Chinese APT WIP19 Targets IT Service Providers and Telcos
FROM THE MEDIA: A new threat cluster, tracked by SentinelLabs as WIP19, has been targeting telecommunications and IT service providers across the Middle East and Asia. According to the security experts, the group is characterized by the use of a legitimate, stolen digital certificate issued by DEEPSoft, a Korean company specializing in messaging solutions. "Throughout this activity, the threat actor abused the certificate to sign several malicious components," SentinelLabs explained. "Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth."
READ THE STORY: InfoSecMag
NPM API flaw exposes secret packages
FROM THE MEDIA: Researchers disclosed a flaw in the NPM API that could potentially leave the door open for attacks on corporate developers. The team at security vendor Aqua Security's Nautilus reported the discovery of what it considers to be a timing attack in the popular JavaScript package manager that would allow a threat actor to figure out what hidden packages are on a user's account. The worry is that by exposing a company's hidden packages, the attacker could in turn craft poisoned lookalike packages that could be targeted at company developers with the aim of an eventual supply chain attack.
READ THE STORY: TechTarget
Fast Company says Executive Board member info was not stolen in attack
FROM THE MEDIA: American business magazine Fast Company reached out to its Executive Board members this week to let them know their personal information was not stolen in a September 27 cyberattack that forced it to shut down its website. However, it also confirmed that the threat actor behind the attack was able to steal contributor credentials and put them up for sale online after hacking its content management system.
READ THE STORY: Bleeping Computer
Huawei 'disappointed' as UK steps up moves to ban equipment and services
FROM THE MEDIA: Huawei has expressed its disappointment as the UK stepped up the legal processes on Thursday towards removing its equipment and services from the country's 5G networks. The UK government extended the deadline to stop using the Chinese company's products in core network functions by 11 months to December 31, 2023, after consulting with Huawei and other telecoms operators. The government said the deadline to remove all Huawei gear from the UK's 5G networks by the end of 2027 remained unchanged.
READ THE STORY: CGTN
Mormon Church IT ransacked, data stolen by 'state-sponsored' cyber-thieves
FROM THE MEDIA: Miscreants broke into the Church of Jesus Christ of Latter-day Saints' computer systems and stole personal data belonging to "some" members, employees, contractors and friends, the church has confirmed. According to a church statement on the "data incident," posted on its website today, the security breach happened in late March 2022. The breached systems contained LDS church members' basic contact info, but did not include banking history or other financial information associated with donations, we're told.
READ THE STORY: The Register // DeseretNews
Russian DDoS attack project pays contributors for more firepower
FROM THE MEDIA: A pro-Russian group created a crowdsourced project called 'DDOSIA' that pays volunteers launching distributed denial-of-service (DDoS) attacks against western entities. DDoS attacks typically don't have any security repercussions for the target but can cause a lot of damage by generating service outages. Depending on the target, the impact can extend beyond financial losses. Because DDoS attacks are easy to organize, simple to carry out, and still carry a punch, they have been the de facto weapon of hacktivists on both sides of the Russian-Ukrainian war.
READ THE STORY: Bleeping Computer
Magniber ransomware now infects Windows users via JavaScript files
FROM THE MEDIA: A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates. In September, threat actors created websites that promoted fake antivirus and security updates for Windows 10. The downloaded malicious files (ZIP archives) contained JavaScript that initiated an intricate infection with the file-encrypting malware. A report from HP's threat intelligence team notes that Magniber ransomware operators demanded payment of up to $2,500 for home users to receive a decryption tool and recover their files. The strain focuses explicitly on Windows 10 and Windows 11 builds.
READ THE STORY: Bleeping Computer
Tech companies seek to offer relief from Iranian censorship during ongoing protests
FROM THE MEDIA: The US Government is encouraging tech companies to offer solutions that would enable Iranian protesters and dissidents to evade pervasive censorship from Tehran. Radio Free Europe | Radio Liberty reports that the Government has issued a general license to facilitate such services. "The general license, known as a GL D-2, opens the door for technology companies to provide people in Iran the tools they need to circumvent Internet shutdowns. Several U.S. technology companies are already providing new services to Iranians under the license, [Deputy Secretary of State] Sherman said." Among the services being offered, according to the Washington Post, is Google's Outline virtual private network (VPN).
READ THE STORY: The Cyberwire
Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack
FROM THE MEDIA: Web infrastructure and security company Cloudflare disclosed this week that it halted a 2.5 Tbps distributed denial-of-service (DDoS) attack launched by a Mirai botnet. Characterizing it as a "multi-vector attack consisting of UDP and TCP floods," researcher Omer Yoachimik said the DDoS attack targeted the Minecraft server Wynncraft in Q3 2022. "The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26 million rps attack [was] only 15 seconds," Yoachimik noted. "This is the largest attack we've ever seen from the bitrate perspective."
READ THE STORY: THN // Security Affairs
Intel Alder Lake Source Code Leak Caused by Third Party, Boot Guard at Risk of Compromise
FROM THE MEDIA: A copy of the Intel Alder Lake BIOS posted to 4Chan has been confirmed as legitimate by the chip manufacturer, and the source code leak has raised security concerns. Among the proprietary information that security researchers have unearthed is inside documentation of Intel Boot Guard, a feature that has been present since the 4th Intel Core generation (the “Haswell” processors that debuted in 2014) and provides an optional layer of malware protection.
READ THE STORY: CPO
NFL Urges Lawmakers to Address Drone Threats and Nefarious Actors
FROM THE MEDIA: Cathy Lanier, the Chief Security Officer for the National Football League (NFL), is concerned about unauthorized drones flying above stadiums during games and the potential for accidents or even a mass attack on the crowd below. Last season, the NFL encountered some 1,400 drones over stadiums, even though there were no-fly-zone orders in place.
READ THE STORY: The National Law Review
White House targets 3 critical infrastructure sectors for new cyber regulations
FROM THE MEDIA: Communications, water and health care are the next critical infrastructure sectors the Biden administration plans to work with to increase their baseline cybersecurity, White House deputy national security adviser Anne Neuberger said Thursday. The effort, which will be carried out by various federal agencies, is the latest step by the administration to seal gaps in the security of critical infrastructure against hackers in the wake of last year’s high-profile ransomware attacks, including one targeting the Colonial Pipeline that disrupted the East Coast’s fuel supply.
READ THE STORY: The Record
Google Translate spoofed for credential harvesting
FROM THE MEDIA: Researchers at Avanan describe phishing emails that are impersonating Google Translate in order to steal users’ email credentials. The emails inform users that they have pending incoming emails, and they’ll need to confirm their account within 48 hours in order to receive the emails. If the user clicks the link in the emails, they’ll be taken to a phony Google Translate page with a login field.
READ THE STORY: The Cyberwire
Quarter of Healthcare Ransomware Victims Forced to Halt Operations
FROM THE MEDIA: Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today revealed that 86% of global healthcare organizations (HCOs) that have been compromised by ransomware suffered operational outages. Most (57%) global HCOs admit being compromised by ransomware over the past three years, according to the study. Of these, 25% say they were forced to completely halt operations, while 60% reveal that some business processes were impacted as a result.
READ THE STORY: DarkReading
The reason to ban TikTok has nothing to do with data security
FROM THE MEDIA: An old man is being yelled at in Cantonese as he scurries through the concourse of Hong Kong’s airport. The young protestors yelling push papers into his chest. It’s clear they’re mad. His glasses slip from his nose a few times. The paper pushing turns to physical pushing. He’s backed into a corner, fearful. Before the two-minute clip is up, you feel bad for him.
READ THE STORY: Cyberscoop
QAKBOT Attacks Spike Amid Concerning Cybercriminal Collaborations
FROM THE MEDIA: The QAKBOT malware group resumed expanding its access-as-a-service network in early September, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, threat researchers said this week. In the most recent incident, cybersecurity firm Trend Micro observed QAKBOT-infected systems deploying Brute Ratel, an "adversary emulation" platform used by penetration testers, but also — along with Cobalt Strike — used by cybercriminals for its sophisticated capabilities.
READ THE STORY: DarkReading
Google tackles supply chain risk with Software Delivery Shield
FROM THE MEDIA: Google is doubling down on its investment in supply chain security, announcing a new platform and Google Cloud-based development workstations designed to secure cloud development organizations from supply chain risks. The company's Software Delivery Shield is a managed supply chain security platform targeted at development, DevOps, and security teams. The platform integrates with Google's Cloud services and developer tooling, Google said in a blog post. Modules address application development, software "supply," continuous integration (CI) and continuous delivery (CD), production environments, and policies.
READ THE STORY: Security Boulevard
Foreign Election Disinformation Campaigns Well Under Way
FROM THE MEDIA: Less than two weeks after senior U.S. officials warned that Russia, China and other adversaries were set to launch a variety of influence operations and disinformation campaigns aimed at the upcoming midterm elections, researchers are finding traces of the malign efforts online. A report Thursday by the cybersecurity firm Recorded Future warned that Russia and China, in particular, have resurrected dormant social media accounts or have amplified other ongoing influence operations to sway U.S. voters or sow chaos and discontent as Americans go to the polls.
READ THE STORY: VOA
AFP anti-drug operations hit by Colombian document leak
FROM THE MEDIA: The Australian Federal Police was unaware of a huge leak of Colombian government documents, which contained information about its operations to prevent international drug cartels from operating Down Under, until it was informed about it by newspapers owned by Nine Entertainment. A report in the Sydney Morning Herald on Friday said the AFP had been contacted on 4 October and was now busy trying to contain the damage from the leaks. It said publication was delayed until the AFP gave the go-ahead.
READ THE STORY: iTwire
New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts
FROM THE MEDIA: In evaluating the spate of info-stealing malware being distributed over the past couple of months, the Zscaler ThreatLabz research team has come across an interesting campaign. The PHP version of Ducktail Infostealer is actively being distributed by pretending to be a free/cracked application installer for a variety of applications including games, Microsoft Office applications, Telegram, and others. Ducktail has been around since 2021 and is attributed to a Vietnamese threat group. Campaigns to date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information.
READ THE STORY: Security Boulevard
Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments
FROM THE MEDIA: Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild. The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed "Alchimist," a previously unseen remote access Trojan (RAT) called "Insekt," and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan.
READ THE STORY: DarkReading
LockBit 3.0 malware forced NHS tech supplier to shut down hosted sites
FROM THE MEDIA: Advanced, a managed software provider to the UK National Health Service, has confirmed that customer data was indeed lifted as part of the attack by cyber baddies that has disrupted operations for months. The attack was first noted August 4 when Advanced promptly pulled a portion of its infrastructure offline to contain the spread of infection to other systems. As such, a range of sites hosted for clients were unavailable.
READ THE STORY: The Register
Banks face their 'darkest hour' as malware steps up, maker of antivirus says
FROM THE MEDIA: Crimeware targeting banks and other financial-services organizations today features sophisticated capabilities and evasion tools, according to Kaspersky's lead security researcher Sergey Lozhkin. "The darkest hour is now for the financial industry, especially for big and medium-sized corporations," Lozhkin said, during a panel discussion on threats to financial services organizations. BlackLotus, a Unified Extensible Firmware Interface (UEFI) firmware rootkit used to backdoor Windows machines, is one such newly discovered tool. Kaspersky hasn't yet published full research about the malicious implant, but Lozhkin said it appeared for sale with a $5,000 price tag on the cybercrime scene earlier this month.
READ THE STORY: The Register
The Internet Is Not Facebook: Why Infrastructure Providers Should Stay Out of Content Policing
FROM THE MEDIA: Cloudflare’s recent headline-making decision to refuse its services to KiwiFarms—a site notorious for allowing its users to wage harassment campaigns against trans people—is likely to lead to more calls for infrastructure companies to police online speech. Although EFF would shed no tears at the loss of KiwiFarms (which is still online as of this writing), Cloudflare’s decision re-raises fundamental, and still unanswered, questions about the role of such companies in shaping who can, and cannot, speak online.
READ THE STORY: EFF
Russian Stablecoin use increased after Ukraine attack
FROM THE MEDIA: Chainalysis, an American blockchain analytics company, has revealed that there is a rise in stablecoin use in Russia after the Russian attack on Ukraine, which has since brought sanctions and their expanding effects on the country. On October 12, a report was issued disclosing that stablecoins' share of transaction volume on Russia-based services rose from 42% in January to 67% in March after the attack and has continued to rise since.
READ THE STORY: The Coin Republic
Electric Vehicles Could Introduce Cyber Risk to Australia’s Power Grid
FROM THE MEDIA: Energy experts have warned that Australia could be subject to cyber-attacks and widespread power outages as more electric vehicles (EVs) connect to the national power grid unless the government takes proper measures early. They said the cyber security issue had not been raised among the discussions on Australia’s National Electric Vehicle Strategy and thus needed to be prioritized. Before addressing the Australian Cyber Conference in Melbourne on Oct. 13, Electric Vehicle Council energy and infrastructure head Ross De Rango said that it was crucial to deal with the issue to prevent devastating outcomes.
READ THE STORY: The Epoch Times
More Mexican Journalists And Activists Found To Be Targeted By NSO Group Malware
FROM THE MEDIA: Last summer, a blockbuster leak of data allegedly related to NSO Group’s customers made it crystal clear that earlier rumors about routine abusive use of powerful phone-targeting malware were likely true. Israel’s NSO Group swiftly issued a denial that was more angry than coherent and did nothing to persuade its many critics that NSO just simply didn’t care what paying customers did with its products.
READ THE STORY: Techdirt
Items of interest
US restricts chip exports to China
FROM THE MEDIA: Last week, the US announced sweeping export restrictions blocking the export of advanced chips, chipmaking equipment, and design software to China in an effort to hamper China’s use of artificial intelligence. “The United States is saying to China, ‘AI technology is the future; we and our allies are going there—and you can’t come,’” says Gregory Allen, director of the AI governance project at the Center for Strategic & International Studies, a Washington, DC think tank. By taking advantage of China’s dependence on US silicon and chips manufactured by American firms like Nvidia, the blockade’s goal is to impede the progress of tech giants like Baidu, the leading Chinese web search provider and a key player in cloud AI services and autonomous driving, and TikTok parent company ByteDance, as well as military use of AI.
READ THE STORY: The Cyberwire
Trans-Atlantic Data Transfer Framework (Video)
FROM THE MEDIA: As we noted previously, last week US President Joe Biden issued an executive order outlining rules for the Trans-Atlantic Data Policy Framework, which will regulate EU-US data sharing policies and replace the former overturned agreement, Privacy Shield. Biden's EO establishes the Data Protection Review Court, which will give EU citizens the opportunity to challenge how US security agencies use their data and also sets several restrictions on data collection by US intelligence agencies.
U.S. hits China with export controls on chips (Video)
FROM THE MEDIA: China is criticizing the U.S. over its decision to tighten export controls that would target Chinese chip manufacturers. Ali Wyne, a senior analyst with Eurasia Group, joined John Dickerson on "Prime Time" to discuss the Biden administration's decision and more.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com