Wednesday, October 19, 2022 // (IG): BB // INTSUM // Coffee for Bob
The not-so-Charming Kitten working for Iran
FROM THE MEDIA: So what we refer to as Threat Actor 453 is often referred to in the intelligence community as Charming Kitten. And the reason for that designation, which is incredibly adorable, is it refers to Persian cats. We see this group operating in support of the IRGC or Iran’s Islamic Revolutionary Guard Corps, so you can think of them as sort of a quasi-military cyber espionage organization. Their main targets are diplomats, academics, human rights workers, journalists, and government agencies.
READ THE STORY: The Record
NSA urges enterprises to watch China, Taiwan tensions
FROM THE MEDIA: Tensions between the US, China, and Taiwan have far-reaching impacts beyond semiconductor saber-rattling and trade restrictions. There is an enterprise security angle that CISOs should be on guard to tackle, according to US intelligence. NSA Director of Cybersecurity Rob Joyce has some critical lessons on how companies can withstand an escalation in China-Taiwan tensions and why such conflicts matter in the first place.
READ THE STORY: The Register
The security risk of M&A: Are Chinese cyber threats lurking in legacy infrastructure?
FROM THE MEDIA: A little over a month ago, the IronNet Threat Research team uncovered malicious activity by a sophisticated threat actor targeting a software company in the United States. Specifically, the activity was observed in a compartmentalized segment of the company’s network that contained legacy infrastructure from a company acquisition several years prior. The observed compromise involved various service exploitation attempts and resulted in the deployment of two webshells: shack2 and China Chopper.
READ THE STORY: Security Boulevard
Verizon notifies prepaid customers their accounts were breached
FROM THE MEDIA: Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks. "We determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account," Verizon said in an alert published this week.
READ THE STORY: Bleeping Computer
MyDeal's Data Breach Exposing 2.2M Customers Just Went From Bad To Worse
FROM THE MEDIA: On October 10, less than a month after Australia was hit by its largest ever data breach, the Australian online retail store MyDeal was struck by a data breach. According to Woolworths Group, which recently acquired the online retailer, an unknown actor used a set of compromised employee credentials to access MyDeal’s Customer Relationship Management (CRM) system. Once inside the system, the threat actor stole personal information belonging to 2.2 million customers and listed it for sale on an online criminal marketplace.
READ THE STORY: Hot Hardware
Fully Undetectable PowerShell Backdoor Found by Security Researchers
FROM THE MEDIA: SafeBreach Labs researchers recently uncovered a new fully undetectable (FUD) PowerShell backdoor that uses a novel approach to disguise itself as part of the Windows update process. “The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” SafeBreach director of security research Tomer Bar wrote in a blog post today detailing the findings.
READ THE STORY: eSecurity Planet
Text message verification flaws in your Windows Active Directory
FROM THE MEDIA: Microsoft has long recommended that customers enable multifactor authentication (MFA) as a way of better protecting Active Directory and Azure AD accounts. Without MFA, anyone with access to a valid username and password could log into a user’s account. MFA adds at least one additional requirement so that a password alone is not enough to gain access to the user’s account.
READ THE STORY: Bleeping Computer
Hackers target Asian casinos in lengthy cyberespionage campaign
FROM THE MEDIA: A hacking group named ‘DiceyF’ has been observed deploying a malicious attack framework against online casinos based in Southeast Asia since at least November 2021. According to a new report by Kaspersky, the DiceyF APT group does not appear to be targeting financial gains from the casinos but instead conducting stealthy cyberespionage and intellectual property theft. The DiceyF activity aligns with “Operation Earth Berberoka” reported by Trend Micro in March 2022, both pointing to the threat actors being of Chinese origin.
READ THE STORY: Bleeping Computer
Hijacking of Popular Minecraft Launcher by Rogue Developer Raises Malware Fears
FROM THE MEDIA: Members of the Minecraft community using the PolyMC custom launcher are being told to switch to a different launcher after the owner removed contributors from the project in an attempt to “reclaim” PolyMC from people who promote queer and leftist ideology online. According to a report from GamingonLinux, the owner, who goes by the username LennyMcLennington on the developer hosting site GitHub, revoked these contributors’ permissions yesterday alongside an update titled “reclaim polymc from the leftoids.”
READ THE STORY: IGN
Sen. Rosen requests info on cyber threats targeting aviation sector
FROM THE MEDIA: Sen. Jacky Rosen (D-Nev.) is urging the federal government to identify steps it is taking to secure the aviation industry from cyberattacks. In a letter addressed to the Department of Transportation and the Cybersecurity and Infrastructure Security Agency (CISA), Rosen asked the agencies to provide her with information regarding the recent cyberattacks that hit a dozen websites of major U.S. airports last week.
READ THE STORY: The Hill // Senate
China-linked APT41 group targets Hong Kong with Spyder Loader
FROM THE MEDIA: Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage group that has been active since at least 2007. Operation CuckooBees had been operating under the radar since at least 2019; the threat actors conducted multiple attacks to steal intellectual property and other sensitive data from victims.
READ THE STORY: Security Affairs
Law enforcement arrested 31 suspects for stealing cars by hacking key fobs
FROM THE MEDIA: The French authorities in cooperation with their Spanish and Latvian peers, and with the support of Europol and Eurojust, have dismantled a cybercrime organization specializing in the theft of cars by hacking key fobs. Law enforcement arrested 31 individuals and seized over 1 million euro in criminal assets. “The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away.”
READ THE STORY: Security Affairs
Ransom Cartel linked to notorious REvil ransomware operation
FROM THE MEDIA: Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations' encryptors. REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of not-yet-released devices.
READ THE STORY: Bleeping Computer
New ransomware targets transportation sectors in Ukraine, Poland
FROM THE MEDIA: A new ransomware campaign has been targeting transportation and logistics organizations in Ukraine and Poland, according to Microsoft. The novel ransomware, labeled "Prestige ransomware," was first identified October 11 and targeted numerous victims within the same one-hour window, according to Microsoft's Threat Intelligence Center. Researchers were not able to tie the strain to any of the 94 active ransomware groups they are currently tracking.
READ THE STORY: SCMAG
Ukraine's power, water supplies under Russian attack again
FROM THE MEDIA: Airstrikes cut power and water supplies to hundreds of thousands of Ukrainians on Tuesday, part of what the country’s president called an expanding Russian campaign to drive the nation into the cold and dark and make peace talks impossible. President Volodymyr Zelenskyy said nearly one-third of Ukraine’s power stations have been destroyed in the past week, “causing massive blackouts across the country.” “No space left for negotiations with Putin’s regime,” he tweeted.
READ THE STORY: CTV News
Intent-based approach leverages neural networks to deliver targeted classifications to BECs
FROM THE MEDIA: Researchers on Wednesday explained an innovative new way to mitigate business email compromise (BEC) attacks, an intent-based approach using neural networks that detects the BEC and then classifies it into a specific type of scam. In a blog post, Cisco Talos researchers said in the intent-based approach, the system catches BEC messages irrespective of whether a threat actor impersonates a C-level executive or any rank-and-file employee in the organization.
READ THE STORY: SCMAG
Killnet strikes at the heart of the Bulgarian state
FROM THE MEDIA: Multiple Bulgarian government agencies have suffered a cyberattack during October 2022. This appears to be at the hands of Russian threat actor Killnet. The distributed denial of service (DDoS) attack was massive in scale. The impact was to paralyze the websites of the president’s office, the Defence Ministry, the Interior Ministry, the Justice Ministry and the Constitutional Court.
READ THE STORY: Digital Journal
Forget ‘ransomware.’ Call it a ‘multi-stage extortion campaign’
FROM THE MEDIA: Years ago, someone came up with a name for a new cyber attack that saw a threat actor demand money from a victim to get their encrypted data back. They called it ‘ransomware.’ But an industry analyst argues reducing the attack to one word has caused infosec pros to search for a single solution. Instead, says Fernando Montenegro, a senior principal analyst at international consulting firm Omdia, we should call it what it is — a ‘multi-stage extortion campaign.’
READ THE STORY: IT World Canada
U.S. Financial Services Company Targeted by Hackers Using DJI Drones
FROM THE MEDIA: Unknown threat actors spent as much as $15,000 to carry out a single cyberattack using WiFi pineapple and other pentest tools mounted on a drone. Security researcher Greg Linares described the attack in a Twitter thread last week, counting it as the “third real-world drone-based attack” he encountered in the last two years. First reported by The Register, the attack was carried out against an East Coast financial services company specializing in private investments.
READ THE STORY: Spiceworks
NHS data stolen from contractor in serious cyberattack
FROM THE MEDIA: NHS software vendor Advanced has confirmed it suffered a ransomware attack that resulted in the theft of sensitive customer data. The company says an unknown threat actor used “legitimate third-party credentials” which gave them the ability to establish a remote desktop (RDP) session to the Staffplan Citrix server. From there, the attackers moved laterally throughout the network, escalating privileges where necessary to map the entire network, identify crucial endpoints, as well as pivotal data.
READ THE STORY: Techradar
Data privacy is expensive — here’s how to manage costs
FROM THE MEDIA: Data privacy has always been a top priority in both consumer and business circles. Individuals, including company employees, demand more control over how their personal data is used and greater transparency into how businesses manage customer information. If data is the currency of the future, then ensuring data privacy is the key to gaining user trust. In light of high-profile breaches and data leakage incidents such as the Sunburst SolarWinds attack, the Estée Lauder customer database leak, the discovery of Facebook and MGM Resorts confidential data on the dark web, and the resurgence of WannaCry, REvil and other ransomware attacks, companies have realized the need for robust data privacy strategies and processes.
READ THE STORY: VB
Smugglers reportedly selling Musk’s Starlink dishes in Iran as protesters battle regime’s internet shutdown
FROM THE MEDIA: Smuggling gangs in Iran are selling satellite receiver dishes for Elon Musk’s Starlink internet service brought in through the country’s porous border with Iraqi Kurdistan, Iranian newspaper Shargh reported on October 17. The dishes are reportedly on offer at Iranian rial (IRR) 600mn, or $1,900, with pre-orders being taken from across the country, which is struggling with internet blackouts brought in by the authorities attempting to put an end to the anti-regime protests that have rocked Iran since mid-September.
READ THE STORY: BNE
Chinese Firms Exporting Surveillance Tools Across the Globe
FROM THE MEDIA: The Chinese government is using its investments in surveillance technologies to advance “both its ambitions of becoming a global technology leader as well as its means of domestic social control,” according to a report released by the Atlantic Council on Monday. The report, authored by Bulelani Jili—a non-resident fellow at the Atlantic Council’s Cyber Statecraft Initiative—noted that Beijing’s domestic surveillance system “is confined to its national borders,” but said that the Chinese companies that “make its surveillance state possible are now actively selling their tools abroad.”
READ THE STORY: Nextgov
Chinese hacking concerns prompt FBI to contact Michigan political parties
FROM THE MEDIA: Michigan’s Democratic and Republican parties were both contacted by the FBI in recent days to warn about Chinese state hackers probing their digital infrastructure, spokespeople for both parties confirmed Monday. Gustavo Portela, communications director and deputy chief of staff for the Michigan Republican Party, said a party official had also been told by the FBI to contact the agency if they saw anyone unfamiliar enter the party’s headquarters or photographing the building.
READ THE STORY: Michigan Live
Is Musk hedging his bets on Ukraine?
FROM THE MEDIA: Elon Musk’s Starlink is the most prominent of a new generation of low-Earth orbit satellite networks making a name for themselves this year by providing internet service in conflict zones and other geopolitical hotspots. Instead of using a handful of expensive-to-launch high-altitude satellites, these networks deploy thousands of cheaper low-orbit systems. This type of network may still be more expensive to use than terrestrial cables, but it allows operators to beam the internet into places with limited infrastructure on the ground to support it.
READ THE STORY: GZERO
Kingfisher confirms its IT systems were breached
FROM THE MEDIA: Kingfisher’s name appeared on the LockBit ransomware cartel’s leak site on Monday, with threat actors claiming they stole 1.4TB of company data, including personal details of employees and customers. The company acknowledged that it suffered from unauthorized access to Kingfisher’s IT systems, but denied that threat actors could have stolen as much data as they claimed. “Kingfisher UK Holdings Limited and certain Kingfisher Group subsidiary companies (Kingfisher) are aware that, for a limited period of time, part of their IT systems was accessed by an unauthorized third party,” Kingfisher’s representative told Cybernews.
READ THE STORY: Cybernews // Techmonitor
Sonic’s $5.7 Million Data Breach Settlement With Banks Approved
FROM THE MEDIA: Sonic Corp. and a class of financial institutions received final approval from an Ohio federal judge on a $5.7 million class action settlement over a data breach that compromised the financial information of millions of the restaurant chain’s customers. The agreement reached between “legally sophisticated parties on both sides” is fair, reasonable, and adequate compensation, wrote Judge James S. Gwin in an Oct. 17 order filed in the US District Court for the Northern District of Ohio.
READ THE STORY: Bloomberg Law
Why Cybercriminals Target the Home Networks of Execs and High-Access Employees
FROM THE MEDIA: It is more common than ever for executives to work from home. According to a survey by Marcum and Hofstra University in 2022, less than half of CEOs have returned to the office full-time and a quarter plan to work a hybrid schedule indefinitely. As such, companies are having to adjust their workforce and business planning strategies to accommodate hybrid models.
READ THE STORY: Security Boulevard
Elon, Bots, and Rampant Fraud on the Web
FROM THE MEDIA: Elon Musk recently highlighted a big problem with Twitter: bots. We all know bots have been a significant problem on Social Media platforms. What makes bots so bad? Aside from the well-known issue of fake comments creating social toxicity and polarity, bots are also responsible for running financial scams on social media platforms. Examples include "Elon giving away free bitcoins" and "Free Airdrop,” fake ads on social media platforms and links to phishing sites, and executive impersonation on social media platforms.
READ THE STORY: Security Boulevard
Items of interest
Many public safety agencies remain unequipped to defend against cyberattacks
FROM THE MEDIA: There’s widespread concern among U.S. public safety personnel that their organizations aren’t equipped to defend against cyberattacks, according to a new survey of first responders across the U.S. Overall, less than 50% of all respondents said their agencies are “at least somewhat prepared in case of a cyberattack,” according to Verizon Frontline Public Safety Communications Survey. Law enforcement agencies reported stronger confidence than others in their ability to thwart cyberattacks, but overall, only 15% said their agencies are “very prepared.” Fifty-six percent said they’re only “somewhat prepared.”
READ THE STORY: Cyberscoop
Russian Information Warfare: A Conversation with Dr. Bilyana Lilly (Video)
FROM THE MEDIA: It is no secret that the Kremlin uses offensive cyber operations against NATO members. What is often overlooked is the supplementary information warfare that the Russian government uses as a tool against democratic political infrastructure.
ESET research into POLONIUM's 'Creepy' toolset (Video)
FROM THE MEDIA: This week, ESET researchers published their analysis of previously undocumented backdoors and cyberespionage tools that the POLONIUM APT group has deployed in Israel.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com