Tuesday, October 25, 2022 // (IG): BB // INTSUM // Coffee for Bob
Chinese Intelligence Officers Charged with Using Academic Cover to Target Individuals in United States
FROM THE MEDIA: A federal indictment was unsealed today charging four Chinese nationals, including three Ministry of State Security (MSS) intelligence officers, in connection with a long-running intelligence campaign targeting individuals in the United States to act as agents of the People’s Republic of China (PRC), U.S. Attorney Philip R. Sellinger and National Security Division Assistant Attorney General Matthew Olsen announced.
READ THE STORY: DOJ // The Washington Post // Independent
Black Reward Hackers Steal Trove of Emails from Iran’s Atomic Energy Agency
FROM THE MEDIA: A group of anti-Iranian government hackers have allegedly targeted Iran Atomic Energy Organization’s subsidiary’s network and managed to access its email server. The hacking group identified as Black Reward has claimed responsibility for the attack on the Iranian nuclear agency’s subsidiary, the Atomic Energy Production and Development Company located in Bushehr. The group claims they launched this attack to demand the release of political prisoners arrested during the countrywide protests.
READ THE STORY: HackRead
Low, slow, and noisy: Russia's drone war continues in the absence of more capable munitions
FROM THE MEDIA: The UK's Ministry of Defence, in this morning's situation report, assesses the progress and implications of Russia's increased reliance on Iranian loitering weapons for its attacks against Ukrainian cities and civilian infrastructure. "Russia continues to use Iranian uncrewed aerial vehicles (UAVs) against targets throughout Ukraine. Ukrainian efforts to defeat the Shahed-136 UAVs are increasingly successful, with official sources, including President Zelenskyy, claiming that up to 85% of attacks are being intercepted."
READ THE STORY: The Cyberwire
Russia’s methodical attacks exploit frailty of Ukrainian power system
FROM THE MEDIA: Russia’s ongoing attacks on Ukraine’s energy infrastructure have been so methodical and destructive that Ukrainian and Western officials say they are being directed by electricity specialists who know exactly which targets will inflict maximum pain on Ukraine’s grid. The two-week-old bombing campaign, an effort to plunge Ukrainians into darkness ahead of their country’s bitter winter, has focused less on well-protected power generation plants and more on the network nodes that are key to keeping Ukraine’s electricity grid functioning and providing critical services.
READ THE STORY: The Washington Post
CNC Machines Vulnerable to Hijacking, Data Theft, Damaging Cyberattacks
FROM THE MEDIA: Researchers at cybersecurity firm Trend Micro have shown that the computer numerical control (CNC) machines present in many modern manufacturing facilities are vulnerable to hacker attacks. Trend Micro is presenting the research this week at SecurityWeek’s 2022 ICS Cyber Security Conference in Atlanta. CNC machines can be programmed to carry out a wide range of tasks with a high level of efficiency, consistency and accuracy. They include mills, lathes, plasma cutters, electric discharge machines, water jet cutters, and punch presses.
READ THE STORY: Security Week
US chip curbs on China will also affect Australia
FROM THE MEDIA: James Laurenceson, director and professor at the Australia-China Relations Institute at the University of Technology Sydney, said the impact of the US policy hardly seemed to have registered in Australia. The updated export rules are claimed to be aimed at restricting "the PRC’s [People Republic of China's] ability to obtain advanced computing chips, develop and maintain supercomputers, and manufacture advanced semiconductors". Laurenceson said analysts outside government — which has painted the curbs as being targeted to blunt China's military modernization and alleged human rights abuses — were of one voice that Washington was trying to cut off Beijing's access to foundational technologies in order to remain economic top dog.
READ THE STORY: iTWire
Domestic Kitten Hackers Spying on Iranian Citizens with New Malware
FROM THE MEDIA: Domestic Kitten, a mass mobile surveillance operation, has been targeting Iranian citizens using a new spyware strain masquerading as a translation app, according to new research from the cybersecurity firm ESET. The Domestic Kitten campaign has been spying on Iranians since 2016, specifically on those that could pose a threat to the stability of the regime, through the use of deceitful mobile applications loaded with malware. The latest threats detected are no different.
READ THE STORY: OCCRP
We cannot let China use our ‘tech disconnect’ to advance its ‘rule by law’
FROM THE MEDIA: When it comes to global technology leadership, America has a growing and dangerous disconnect between the regulatory zeal of some and the national security interests of all Western countries. This “tech disconnect” threatens to undermine the United States’ national security strategy while handing a permanent geopolitical advantage to China, our most capable authoritarian adversary. For starters, China’s ambition is not to be just a global superpower; it is to be the dominant superpower.
READ THE STORY: The Hill
The long-term psychological effects of ransomware attacks
FROM THE MEDIA: Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organizations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can turn in disarray long after the crisis itself has passed. “The research reveals how the psychological impact of ransomware attacks can persist on people in affected organizations for a very long time,” explains Organizational Psychologist Inge van der Beijl, Director Behavior & Resilience at Northwave.
READ THE STORY: HelpNetSecurity
Ransomware group claims attack on Wisconsin school district
FROM THE MEDIA: A ransomware group took responsibility for a cyberattack on a school district in Wisconsin serving nearly 20,000 students. The Snatch ransomware group added the Kenosha Unified School District to its list of victims on Sunday morning but did not say how much data was stolen during the attack or what kind of files were taken. The school district did not respond to requests for comment but on September 29, officials published a notice about a cyberattack that began on September 25.
READ THE STORY: The Record
Hack-and-leak operations being conducted by Iranian cyber group
FROM THE MEDIA: The FBI has warned that Iranian cyber group Emennet Pasargad, previously known as Net Peygard Samavat and Eeleyanet Gostar, may target U.S. organizations in hack-and-leak attacks, which it has conducted against Israeli organizations, according to SecurityWeek. While Israeli organizations have primarily been targeted by Emennet Pasargad's false-flag hack-and-leak campaigns, the cyber group has also employed similar tactics during the 2020 U.S. presidential elections, noted the FBI.
READ THE STORY: SCMAG
Why hackers are much better at targeting than your marketing team
FROM THE MEDIA: This year is shaping up to be one of the most successful years for cyber hackers in Australia. The recent news cycle has revealed a new victim daily: Optus, Telstra, Woolworths, Holiday Inn, Uber, Northface, Rockstar, VinoMofo and more. Even Medibank was compromised, and now it’s been revealed the company is subject to a ransom demand. Some companies affected have been criticized for a slow or understated response, resulting in customers unsure of what action to take or not realizing the enormity of the situation.
READ THE STORY: Smart Company
CISA Warns Against Ransomware Group Daixin Team Targeting Health Organizations
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) has released a new joint Cybersecurity Advisory (CSA) warning organizations against the ransomware and data extortion group Daixin Team. Published in conjunction with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), the CSA said Daixin Team is actively targeting US businesses, mainly in the Healthcare and Public Health (HPH) Sector.
READ THE STORY: InfoSecMag
CISA alert: Daixin Team ransomware is an active threat
FROM THE MEDIA: CISA has warned that the Daixin Team, a criminal ransomware group, is currently active against US organizations. The Joint Alert says in part, "The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations."
READ THE STORY: The Cyberwire
Australian energy provider experiences data breach
FROM THE MEDIA: Cybercriminals continue to pummel Australia with cyberattacks, and EnergyAustralia has become the latest victim to suffer a customer data breach. The electricity company on Friday disclosed that over three hundred residential and small business customers had been impacted in the incident, the result of an intruder gaining unauthorized access to the MyAccount customer portal in September. The Guardian reports that the potentially compromised data include customer names, street addresses, email addresses, phone numbers, electricity and gas bills, and the first six and last three digits of their payment card numbers.
READ THE STORY: The Register
Untangling Moscow’s Complex Cyber Web
FROM THE MEDIA: Contrary to popular belief, Vladimir Putin does not control every Russian cyber operation. Many Russian cybercriminals operate without active state backing. Patriotic hackers and criminal groups align with the state on an ad-hoc basis. Proxy organizations and front companies conduct Kremlin operations under a veil of deniability. Untangling this complex web is essential to track and combat the Russian government’s cyber operations.
READ THE STORY: CEPA
Aptos Move VM bug identified
FROM THE MEDIA: Newly emergent blockchain network Aptos, which had its mainnet only launched last week, has been impacted by an already-patched flaw in its Move Virtual Machine, which could be exploited to facilitate a denial-of-service condition, reports The Hacker News. Numen Cyber Labs researchers discovered that the vulnerability stems from an issue in the Move programming language's verification module used for bytecode instruction validation before MoveVM execution. Attackers could exploit the integer overflow bug in the stack-based Web3 programming language to prompt Aptos nodes to crash, according to the report.
READ THE STORY: SCMAG
Gone phishing: UK data watchdog fines construction biz £4.4m for poor infosec hygiene
FROM THE MEDIA: Britain's data watchdog has slapped construction business Interserve Group with a potential £4.4 million ($4.98M) fine after a successful phishing attack by criminals exposed the personal data of up to 113,000 employees. The Information Commissioner's Office said the Berkshire-based company failed to exercise good security hygiene, missing alerts and more, and so was deemed to have broken data protection laws. In a classic sting, one member of Interserve's workforce forwarded the email containing the hidden nasty to a colleague, who then opened it and downloaded the content, allowing the malware to do its work.
READ THE STORY: The Register
House Intel’s Turner ‘disappointed’ Israel not aiding Ukraine
FROM THE MEDIA: The top Republican on the House Intelligence Committee is “personally disappointed” that Israel won’t provide Ukraine with weapons. Rep. MICHAEL TURNER (R-Ohio), who also serves on the House Armed Services Committee, told reporters Monday that Israel could provide Ukraine with air defenses that would help Kyiv fend off the threat from Russian missiles and Iranian drones. “We have never seen, since Bosnia, this level of absolute murderous thuggery against innocent civilians,” he said in response to a question on Israel’s role from NatSec Daily.
READ THE STORY: Politico
Deceitful data for the greater good
FROM THE MEDIA: As cyber threats continue to evolve and become more elaborate, companies of all sizes are being challenged to protect their critical business data. And as ransomware grows in sophistication, the need for security controls to keep pace with these threats becomes more inherently important. The priority for most businesses is to fortify their perimeter defenses to prevent intrusions altogether. However, in the current landscape, a multi-layered approach is needed for comprehensively protecting data – one that doesn’t just focus on preventing breaches, but also responding in worst case scenarios.
READ THE STORY: SCMAG
NYDFS settles with EyeMed for $4.5 million
FROM THE MEDIA: On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk assessment, failure to implement multifactor authentication (MFA), and failure to implement policies and procedures for secure disposal of personal information. The settlement requires EyeMed to pay $4.5 million, among other things.
READ THE STORY: Data Protection Report
Car dealer group Pendragon refuses to pay $60 million to ransomware extortionists
FROM THE MEDIA: Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack from the LockBit ransomware gang, who allegedly demanded $60 million to decrypt files and not leak them. Pendragon owns CarStore, Evans Halshaw, and the Stratstone luxury car retailer, which sell car brands for all budgets, from Jaguar, Porsche, Ferrari, Mercedes-Benz, BMW, Land Rover, and Aston Martin, to Renault, Ford, Hyundai, Nissan, Peugeot, Vauxhall, Citroen, DS, Dacia, and DAF.
READ THE STORY: Bleeping Computer // Graham Cluley
Analysis-Pipeline blasts leave Nord Stream in insurance limbo
FROM THE MEDIA: With the mystery of the blasts that destroyed undersea gas pipelines between Russia and Germany unsolved, Nord Stream 1's insurers and reinsurers are grappling with how to respond to hundreds of millions of dollars in potential claims. Munich Re and syndicates within the Lloyd's of London market are among the major underwriters for Nord Stream 1, four industry sources with knowledge of the situation said, adding that it was unclear whether they would renew its cover.
READ THE STORY: Yahoo Finance
Cuba ransomware affiliate targets Ukrainian govt agencies
FROM THE MEDIA: The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country. Starting on October 21, CERT-UA observed a new wave of phishing emails that impersonated the Press Service of the General Staff of the Armed Forces of Ukraine, urging recipients to click on an embedded link. The link takes the recipient to a third-party web page to supposedly download a document named "Наказ_309.pdf," but they are shown a fake alert stating that the visitor needs to update their PDF reader software first.
READ THE STORY: Bleeping Computer
Remember the Equifax breach? You might have payout options in your email
FROM THE MEDIA: After years of waiting, millions of Americans will soon be seeing their payouts following a class-action lawsuit against Equifax. A deadline recently passed for changing the method of payout, but there’s still a way to get your money electronically. The 2017 Equifax breach saw hackers take roughly 147.9 million Americans' personal information, making it one of the largest data breaches in history.
READ THE STORY: News Channel 8
FTC Punishes Uber's Drizly and Its CEO For 2020 Data Breach
FROM THE MEDIA: The Federal Trade Commission is punishing Drizly, an alcohol delivery provider owned by Uber, for failing to prevent a 2020 data breach that ensnared 2.5 million consumers. According to the FTC, Drizly could have prevented the breach if company executives had heeded an earlier warning in 2018 about its poor security practices. But it didn’t, which resulted in a hacker stealing data on 2.5 million customers, which was later sold online.
READ THE STORY: PCMAG
Apple Fixes Exploited Zero-Day With iOS 16.1 Patch
FROM THE MEDIA: The Cupertino device maker confirmed the active exploitation of CVE-2022-42827, warning in a barebones advisory that the flaw exposes iPhones and iPads to arbitrary code execution attacks. “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” Apple said in a note documenting the security vulnerabilities.
READ THE STORY: Security Week
Quickswap to close lending market following $220K exploit
FROM THE MEDIA: Decentralized exchange QuickSwap said that it will close its lending pool after Market XYZ was exploited in a flash loan attack. In the early hours of Oct. 24, blockchain security firm PeckShield flagged a flash loan attack against Market XYZ, a lending pool on QuickSwap. The attacker manipulated the miMATIC price on Curve Oracle to borrow some $220,000, which was deposited by Qi Dao. As a result of the exploit, QuickSwap has announced plans to close the Market XYZ lending pool.
READ THE STORY: CryptoSlate
Multiple RCE Vulnerabilities Discovered in Veeam Backup & Replication App
FROM THE MEDIA: Several critical and high-severity vulnerabilities have been discovered affecting the Veeam Backup & Replication application, and threat actors are advertising fully weaponized tools to exploit them for remote code execution (RCE). The findings come from security researchers at CloudSEK, who published an advisory about them earlier today. “Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication: CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8 and CVE-2022-26504 with a CVSS V3 score of 8.8,” reads the technical write-up.
READ THE STORY: InfoSecMag
FBI warns of Iranian threat group's activity
FROM THE MEDIA: The FBI has warned enterprises that Iranian hacker group Emennet Pasargad, a hacker group with ties to the Iranian government that tried to interfere in the 2020 election, is currently active. It is, the Bureau says, engaged in hack-and-leak operations of a kind familiar from earlier election cycles. Decipher reports that the FBI says the group uses “network intrusions along with information operations and fake personas that exaggerate and amplify the group’s operations.” They have also been seen exploiting vulnerability CVE-2021-44228, or Log4Shell, to get into a US organization’s server, Gov Info Security reports. The threat actors use open-source penetration testing tools, look for vulnerabilities in content management systems, and prefer websites running PHP code or those with externally accessible MySQL databases.
READ THE STORY: The Cyberwire
Items of interest
Ex-FBI Special Agent Says Mango’s $114M Exploit Was Market Manipulation, Not A Hack
FROM THE MEDIA: According to retired FBI Special Agent Chris Tarbell, the $114 million withdrawn from the decentralized cryptocurrency exchange (DEX) Mango Markets was not a cyberattack. Former New York FBI cybercrime squad member Tarbell told CoinDesk TV’s “First Mover” that the Mango Market exploit was “more of a market manipulation.” “This wasn’t [about] getting into a system and getting unauthorized access,” Tarbell added, alluding to the technique employed by the criminals. Earlier this month, exploiters used smart contract protocol flaws to modify Mango’s native token, MNGO. According to Tarbell, exploiters took advantage of the situation due to the absence of a central authority.
READ THE STORY: Coin Culture
DEF CON 30 - stacksmashing - The Hitchhacker’s Guide to iPhone Lightning and JTAG Hacking (Video)
FROM THE MEDIA: Apple’s Lightning connector was introduced almost 10 years ago - and under the hood it can be used for much more than just charging an iPhone: Using a proprietary protocol it can also be configured to give access to a serial-console and even expose the JTAG pins of the application processor.
DEF CON 30 - Cesare Pizzi - Old Malware, New tools: Ghidra and Commodore 64 (Video)
FROM THE MEDIA: Why does looking into 30-year-old "malicious" software make sense in 2022? Because these little "jewels", written in a handful of bytes, reached a surprisingly high level of complexity. With no other purpose than pranking people or showing off technical knowledge, this software shows how much you can do with very limited resources: this is inspiring for us when looking at modern malicious software, at how things are done and how the same things could have been done instead.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com