Thursday, October 20, 2022 // (IG): BB // INTSUM // Coffee for Bob
Russia continues its attacks against civilian targets
FROM THE MEDIA: Russian forces continue to expend long-range munitions, at this stage of the war mostly Iranian-supplied drones, against Ukrainian civilian targets. Those targets include residences and infrastructure, with special attention, the BBC notes, to the power grid. The goal of both appears to be what observers are calling General Surovikin's "unconventional warfare." General Surovikin, the recently appointed Russian commander of all forces in Ukraine, acquired a reputation for brutality during his service in Syria, where forces under his command propped up the Assad regime.
READ THE STORY: The Cyberwire
Hackers use new stealthy PowerShell backdoor to target 60+ victims
FROM THE MEDIA: A previously undocumented, fully undetectable PowerShell backdoor is being actively used by a threat actor who has targeted at least 69 entities. Based on its features, the malware is designed for cyberespionage, mainly engaging in data exfiltration from the compromised system. When first detected, the PowerShell backdoor was not seen as malicious by any vendors on the VirusTotal scanning service.
READ THE STORY: Bleeping Computer
Charming Kitten amid Iranian social unrest examined
FROM THE MEDIA: Iranian hacking group Charming Kitten, also known as TA453, is not expected to significantly alter its operations amid the ongoing social unrest in Iran, but assets secured by the group, which has targeted human rights workers, journalists, diplomats, academics, and government agencies, could easily be leveraged to serve Iran's agenda, according to The Record, a news site run by cybersecurity firm Recorded Future.
READ THE STORY: SCMAG
China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs
FROM THE MEDIA: The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong. Researchers at Symantec's Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data in what they believe is an extension of the group's previously identified Operation Cuckoobees, they said in a blog post published this week.
READ THE STORY: Bleeping Computer
Brazil arrests suspect linked to the Lapsus$ hacking group
FROM THE MEDIA: Today, the Brazilian Federal Police arrested a Brazilian suspect in Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang. The suspect was detained following an investigation started in December 2021 after last year's breach of the Brazilian Ministry of Health. During the incident, the attackers deleted files and defaced the Ministry of Health website to display a message where the Lapsus$ hacking group claimed the attack and said it had stolen data from the ministry's network.
READ THE STORY: Bleeping Computer
REvil and Conti Ransomware Spinoffs Refine Attack Strategies
FROM THE MEDIA: Ransomware groups come and go, but the individuals behind them persist in bringing their hacking and extortion skills to bear as part of fresh operations. Take the aftermath of what were two of the world's most formidable ransomware gangs: REvil and Conti. REvil - aka Sodinokibi - disappeared in July 2021 after being targeted by multiple law enforcement agencies, briefly spluttered back to life that September and then seemed to be gone for good.
READ THE STORY: Bank InfoSec
Disabilities support organization experiences data breach
FROM THE MEDIA: Lifespire Services, Inc, an organization based in the US state of New York that provides support services for individuals with intellectual or developmental disabilities, has disclosed it suffered a data breach last February that exposed participant data. After detecting unusual activity on its systems, the organization suspended its networks and conducted an investigation that revealed that an intruder had gained unauthorized access to sensitive consumer information including names, street addresses, Social Security numbers, dates of birth, driver’s license numbers, financial details, and some medical data.
READ THE STORY: The Cyberwire
Uber ex-CSO verdict raises thorny issues of cyber governance and transparency
FROM THE MEDIA: The former chief security officer of Uber was convicted in a historic federal trial earlier this month, after the defendant was charged with covering up a ransomware attack while his firm was under investigation by the Federal Trade Commission for prior lapses in data protection. The jury found that Joseph Sullivan obstructed justice by paying off a pair of hackers who gained access to 57 million customer records and 600,000 license numbers of Uber drivers.
READ THE STORY: CyberSecurityDive
Nozomi Networks Publishes Vulnerabilities in Siemens Desigo Devices
FROM THE MEDIA: Last month, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint Cybersecurity Advisory “Control System Defense: Know the Opponent,” describing Tactics, Techniques, and Procedures (TTPs) malicious actors use to compromise OT/ICS assets. One of the techniques mentioned in the advisory is the MITRE ATT&CK T0832 “Manipulation of View” employed during a cyberattack on the Ukraine power grid.
READ THE STORY: Security Boulevard
Killnet explains its actions against Bulgaria's government
FROM THE MEDIA: In its Telegram channel Killnet, the Russian auxiliary threat group, woofed a justification for its recent run of desultory distributed denial-of-service (DDoS) attacks against Bulgaria. "For betraying Russia and supplying weapons to Ukraine, the Bulgarian government is sentenced to network collapse and shame!" The Record cites Bulgarian authorities who say they've identified the name and address (in Magnitogorsk, confirming earlier reports) of one of those who participated in the attacks.
READ THE STORY: The Cyberwire
‘Dog act’: Medibank hackers have customers’ treatment, diagnosis information
FROM THE MEDIA: Medibank Private has confirmed that hackers have stolen sensitive health information from systems that hold the records of about 1 million customers after the criminals threatened to spread the information unless the insurer paid a ransom. On Thursday, Medibank said it had received a sample of data on 100 customers from the hackers which it confirmed as authentic, and warned that it expected the number of affected customers to grow substantially in coming days.
READ THE STORY: SMH
CISA releases two ICS Advisories
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday released two industrial control system (ICS) advisories, for Advantech R-SeeNet (mitigation for "Path Traversal, Stack-based Buffer Overflow") and Hitachi Energy APM Edge (Update A) (mitigation for "Reliance on Uncontrolled Component").
READ THE STORY: The Cyberwire
Musk's reliance on China a concern, Virginia Sen. Warner says
FROM THE MEDIA: Democratic Senator Mark Warner said he is concerned about Elon Musk's reliance on China amid the Tesla chief executive's recent statements about Taiwan and his potential purchase of Twitter. "I don't think there is another American more dependent upon the largess of the Communist Party than Elon Musk," Warner, the chair of the Senate Intelligence Committee, said in an interview in New York.
READ THE STORY: Stars and Stripes
Hackers Targeting Tech Supply Chains Spur Security Startup Boom
FROM THE MEDIA: Cyberattacks on the digital supply chain have become increasingly common, as hackers seek out weak links among makers of computer code and equipment to breach organizations that depend on the technologies. In 2020, for example, hackers suspected of working for Russia’s intelligence services used tampered updates from software maker SolarWinds Corp. to infiltrate nine US government agencies.
READ THE STORY: Bloomberg Law
Russian lawmaker urges WhatsApp ban for state employees
FROM THE MEDIA: A Russian lawmaker on Wednesday urged state institutions to stop using WhatsApp messenger and the industry ministry sought to promote domestically produced software as Russia tries to wean itself off Western technology. WhatsApp owner Meta Platforms Inc. was found guilty of "extremist activity" in Russia in March and later added to financial monitoring agency Rosfinmonitoring's list of "terrorists and extremists".
READ THE STORY: Yahoo Finance
Feds sought to detail cyber threats against aviation industry
FROM THE MEDIA: The U.S. Department of Transportation and Cybersecurity and Infrastructure Security Agency have been urged by Senate Subcommittee on Tourism, Trade, and Export Chair Jacky Rosen, D-Nev., to provide more information regarding the federal government's actions in bolstering the aviation industry's cybersecurity defenses following the recent Killnet cyberattacks that impacted the websites of 14 major airports across the U.S., reports The Hill.
READ THE STORY: SCMAG
So, the US, China, and Russia walk into an infosec conference
FROM THE MEDIA: Cyber-diplomats from around the world say they want the internet to be safe, secure, and free of interference. Of course, they believe it's the fault of other nations that the internet is not safe, secure or free of interference. The Reg attended Singapore International Cyber Week 2022, where officials from twelve countries had an airing of grievances across three separate panels, as if they were seated at carefully arranged tables at a wedding.
READ THE STORY: The Register
Crimeware Hackers Adopt APT-Like Capabilities
FROM THE MEDIA: Cyberthieves traditionally on the lower rung of hacking abilities now have access to nation-state-class malicious software, warn close observers of the criminal dark web. The appearance on criminal forums of tools capable of infecting a computer's boot firmware or malware that evades antivirus detection is a consequence of years of state-sponsored development of cyber weapons, says Sergey Lozhkin, lead security researcher at Kaspersky Global Research and Analysis Team.
READ THE STORY: GovInfoSec
Space Force briefing on military space race catches Jeff Bezos’ attention
FROM THE MEDIA: U.S. Space Systems Command officials earlier this month gave an unclassified briefing to Blue Origin founder Jeff Bezos on the power competition taking place in the space domain. Executives from the space company Blue Origin heard the briefing in September at a Space Systems Command industry meeting in Los Angeles. “The Blue Origin team was so impressed that they requested that SSC brief Jeff Bezos,” Col. Joseph Roth, the command’s director of innovation and prototyping, said Oct. 19 at the Space Industry Days conference hosted by AFCEA Los Angeles.
READ THE STORY: SpaceNews
Russian-Language Pro-Jihadi Telegram Outlet Solicits Bitcoin, Monero, And Ethereum Cryptocurrency Donations For Its Syria-Based Video Productions
FROM THE MEDIA: On October 14, 2022, a Russian-language pro-jihadi Telegram channel that in its bio section claims to provide "a window on Syria through the eyes of a photographer" shared a post soliciting donations from supporters. The post said that due to some recent hardships, the channel is asking for financial support. "Those who wish to support us and thereby take part in the creation of films and development of our other projects can do so using the information below." The post then solicits donations via Monero, Bitcoin, and Ethereum, providing links to its wallets.
READ THE STORY: MEMRI
Russia and China may both be eyeing retaliatory cyberattacks against the West
FROM THE MEDIA: The risk is climbing that both Russia and China may look to bring an escalation in major cyberattacks against the U.S. and Western Europe, following Russian losses in Ukraine and the U.S. chip blockade against China, according to cybersecurity and geopolitics expert Dmitri Alperovitch. "What I do think we're about to enter is probably one of the most dangerous times that we've had in the history of the cyber domain, when it comes to our infrastructure here in the West — both because of what Russia may be doing against us, as well as China," said Alperovitch, the co-founder and former CTO of CrowdStrike, on Wednesday during a livestream Q&A with The Washington Post.
READ THE STORY: Protocol
House panel may remove Iran drone measure from NDAA
FROM THE MEDIA: The House Ways and Means Committee may force senators to drop a push to sanction Iran over its drones program as part of the National Defense Authorization Act, two people familiar with the matter told NatSec Daily. The reason: an amendment that would place Iranian groups on a terrorism blacklist for using those drones to kill Americans, the individuals said. The Stop Iranian Drones Act — aimed at stopping Tehran or any militia affiliated with Iran from acquiring a lethal unmanned aerial vehicle — passed out of the Senate Foreign Relations Committee in June.
READ THE STORY: Politico
Iraqi Hacker Group Team Linked To Iran-Backed Militias Claims Hacking Of Ukrainian Government Website
FROM THE MEDIA: On October 17, 2022, a hacker group linked to Iran-backed militias in Iraq shared a post on its Telegram channel claiming responsibility for a cyber-attack that targeted the website of the Ukrainian Ministry of Infrastructure. The channel shared two posts in English: One, expressing support for Russia, and another, condemning NATO.
READ THE STORY: MEMRI
Census website struck by a billion attempted cyber-attacks, Australian Bureau of Statistics reveals
FROM THE MEDIA: As Australia reels from another “immensely harmful” data hack, the Australian Bureau of Statistics has revealed it has fended off close to a billion cyber-attacks against the census. Australian statistician Dr David Gruen told the Melbourne Business Analytics Conference last week that after the 2016 distributed denial-of-service attacks which led to the first digital census being taken offline by the ABS for 40 hours, every effort was made to protect the census and its data.
READ THE STORY: The Guardian
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry
FROM THE MEDIA: Rapidly and proactively sharing intelligence on cyberthreats with industry and critical infrastructure providers “can really make a big and decisive difference,” Rob Joyce, director of the NSA Cybersecurity Directorate, said Wednesday. It’s one of the key lessons his agency “took away personally” from the ongoing war in Ukraine, Joyce said at the Trellix Cybersecurity Summit in Washington.
READ THE STORY: Cyberscoop
GroupSense Delivers New Ransomware Negotiation Training Service
FROM THE MEDIA: GroupSense, a digital risk protection services company, today announced the launch of a new Ransomware Negotiation Training service offering. During an immersive three-day, in-person training session, participants will learn the proper strategies to combat the negative consequences of an attack from negotiation experts at both GroupSense and Max Negotiating, a negotiation advisory firm that specializes in training lawyers and legal professionals.
READ THE STORY: Valdosta Daily Times
Deadbolt ransomware is being used to target NAS vendors and customers
FROM THE MEDIA: Operators of the dreaded Deadbolt ransomware are attacking network-attached storage (NAS) users and NAS manufacturers in equal measure. In a study titled "Deadbolt ransomware: nothing but NASty", cybersecurity researchers from Group-IB published their analysis of an ongoing ransomware attack campaign being waged against NAS devices built by the Taiwanese manufacturer QNAP.
READ THE STORY: TechRadar
New York fines EyeMed $4.5 million for 2020 email hack, data breach
FROM THE MEDIA: The state of New York has slapped EyeMed Vision Care with yet another fine over its massive 2020 email hack and healthcare data breach. This time the vision benefits company will pay a $4.5 million penalty for multiple security violations that “contributed to” the data exposure.
READ THE STORY: SCMAG
JPMorgan Hires Crypto Policy Head From Celsius Network
FROM THE MEDIA: JPMorgan Chase & Co., whose chief executive recently expressed skepticism of cryptocurrency, has hired a crypto policy head from bankrupt cryptocurrency lender Celsius Network LLC. Aaron Iovine has joined the bank as executive director of digital assets regulatory policy, a spokeswoman for JPMorgan said on Wednesday. Mr. Iovine served as head of policy and regulatory affairs at Celsius between February and September of this year.
READ THE STORY: WSJ
Identifying ‘normal’ behavior combines art with science for security teams
FROM THE MEDIA: Now that the hybrid and remote working models have forever changed IT environments for security teams, it’s become more challenging than ever for security pros to determine what passes for normal behavior. In the past, when workforces were mostly in office environments or in regular travel routines, typical behavior was easier to define, and abnormal behavior was easier to identify because it mostly revolved around an on-premises corporate network that was easier to manage and control.
READ THE STORY: SCMAG
Even cybercriminals appreciate a good Riesling
FROM THE MEDIA: Australian wine dealer Vinomofo was targeted in a cyberattack that potentially exposed customer names, dates of birth, street addresses, email addresses, phone numbers, and genders of customers, the Guardian reports. Vinomofo has about 500,000 customers, but it’s unclear how many were impacted by the breach. “Vinomofo experienced a cybersecurity incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website,” the chief executive, Paul Edginton, said in a statement emailed to customers.
READ THE STORY: The Cyberwire
Items of interest
Timeline of Russia’s Invasion of Ukraine: Cyber and Physical Warfare
FROM THE MEDIA: On February 24, 2022, Russia launched a so-called “special military operation” in Ukraine. The conflict has become a war of attrition on all fronts. On the physical front, the Russian army has conducted air strikes, bombings, shellings, and ground operations against cities across the whole territory of Ukraine. Though it was unsuccessful in seizing Ukraine’s two largest cities, Kyiv and Kharkiv, Russia has been able to take territories in Ukraine’s southern and eastern regions under its control, as well as blockade Ukraine’s sea ports. As of August 2022, the Russian army controls roughly 20 percent of Ukraine’s territory.
The kinetic war has also been accompanied by large-scale—albeit mostly unsuccessful—cyberattacks on Ukrainian systems, by both Russian state-affiliated groups and independent groups that declared sympathy with Russia. Hacktivist groups and other threat actors, including the “IT Army of Ukraine,” supported by the Ukrainian government, are conducting cyber operations against Russian targets.
READ THE STORY: Security Boulevard
Supply Chain Compromises | Aaron Aubrey Ng (Video)
FROM THE MEDIA: Supply Chain Compromises - Understanding the Threat and Defending Your Organization | Aaron Aubrey Ng | BSides Singapore Conference 2022.
Catalangate – An example of massive cyberespionage with Pegasus against an ideology (Video)
FROM THE MEDIA: The biggest case of spying with Pegasus software has happened in Catalonia against pro-independence politicians and activists. Catalangate, with its sixty-five cases evidenced by forensic methods, has made Watergate a trifle.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com