Thursday, October 27, 2022 // (IG): BB // INTSUM // Coffee for Bob
People’s Information Warfare vs the U.S. DoD Cyber Warfare Doctrine
FROM THE MEDIA: Folks, as it’s been a while since I’ve last posted a high-quality post, please bear with me while I take the time to catch up with some of the latest developments worth posting an article about, and while I try and do my best to return to the usual blogging rhythm typical for me and for the readers who truly know me and appreciate my work and research. I sincerely hope that you’ll find this post informative enough and share it.
READ THE STORY: Security Boulevard
Fears that Russia could launch deep water attack on British undersea cables and pipelines
FROM THE MEDIA: Britain is vulnerable to attacks on undersea infrastructure, which could see vital communication cables and pipelines severed without any backup plans in place, a defense analyst warns. It comes as the suspected sabotage of the Nord Stream gas pipelines in the Baltic Sea last month left Western states scrambling to better protect energy and telecommunications infrastructure on the seabed where they lie at depths of around 3,000-6,000 meters.
READ THE STORY: Scottish Daily Express
Mysterious Atlantic cable cuts linked to Russian fishing vessels
FROM THE MEDIA: Few took notice when a 4.2-km subsea cable in the Arctic Ocean vanished without trace back in April 2021, but these days undersea infrastructure security has become a hot topic. The cable had connected the Norwegian archipelago, Svalbard, to mainland Norway, where data was filtered by Norwegian environmental and defense authorities. Packed with sensors, the fiberoptic lines measured environmental conditions and fish migration, recording images and sound, and sending all the information back to shore.
READ THE STORY: EUobserver
Vice Society’s ransomware playbook, queries for potential victims leaked
FROM THE MEDIA: A joint Cybersecurity Advisory from federal authorities singled out Vice Society the same day the Los Angeles Unified School District went public with a ransomware attack initiated by the group. After the nation’s second-largest school system refused the group’s ransom demand, Vice Society leaked about 250,000 district files, including some containing personal and potentially damaging information on students and employees.
READ THE STORY: CyberSecurityDive
Cisco Warns AnyConnect VPNs Under Active Cyberattack
FROM THE MEDIA: A pair of known security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows is being actively exploited in the wild, despite being patched for two-plus years. The networking giant is warning that cybercrime groups are pressing two local privilege escalation (LPE) bugs into service, with active exploit chains against the VPN platform being observed starting this month. The first flaw (CVE-2020-3153, with a CVSS score of 6.5) would allow a logged-in user to send a specially crafted IPC message to the AnyConnect process to perform DLL hijacking and execute arbitrary code on the affected machine with SYSTEM privileges.
READ THE STORY: DARKReading
Ransomware Gangs Ramp Up Industrial Attacks in US
FROM THE MEDIA: Ransomware gangs are hitting the industrial sector hard — and especially manufacturing companies, with significant spikes in cyberattack activity against US organizations spotted in the third quarter. Meanwhile, emerging ransomware groups are bursting onto the scene, threatening to push the rate of attacks up even higher. According to a Dragos Q3 analysis of ransomware attacks on industrial organizations, 36% of the recorded cases globally hit North America (46 incidents). This is a significant 10% increase over last quarter, when a quarter of cases affected the region.
READ THE STORY: DARKReading
Pro-China disinformation scheme attempted to discourage Americans from voting, sow political discord
FROM THE MEDIA: Cybersecurity firm Mandiant said Wednesday that a pro-China cyber group waged an aggressive influence campaign online that discouraged Americans from voting in the midterm elections and promoted clashes with the U.S. government. Mandiant said it previously saw the “DRAGONBRIDGE” threat group trying to mobilize protesters in the U.S. and has now witnessed the group sowing division, plagiarizing and altering news articles, and adopting false personas on social media to spread disinformation.
READ THE STORY: Washington Times // The Register
Pro-Kremlin Hacktivist Groups Seeking Impact By Courting Notoriety
FROM THE MEDIA: Russia’s February invasion of Ukraine has led to the emergence of a wide range of pro-Kremlin hacktivist groups. The loudest and most active of these groups has been “Killnet,” a former DDoS-as-a-service group, which has conducted mostly distributed denial of service attacks against Ukrainian and Western targets. While some groups (including one called “XakNet”) have consistently denied that they are working together with the Russian government, even in the face of evidence, other cyber threat groups have been openly seeking opportunities for cooperation. A group called “RahDIt,” for instance, claimed to have shared data on alleged “Ukrainian agents” with Russian security services.
READ THE STORY: Security Boulevard
Vulnerability in Atlassian Jira Align allows access to SaaS client
FROM THE MEDIA: Jira Align is a software-as-a-service (SaaS) platform that enables businesses to grow their cloud installations of the wildly popular bug tracking and project management tool Atlassian Jira. A high severity (CVSS 8.8) authorization controls issue was discovered by a Bishop Fox security researcher. It enables users with the ‘people’ permission to raise their privilege, or that of any other user, to “super admin” using the MasterUserEdit API. According to Jake Shafer, a senior security consultant, super administrators have the ability to change security settings, reset user accounts, and reconfigure Jira connections, among other things.
READ THE STORY: Security Newspaper
Hackers increasingly targeting Internet of Things devices
FROM THE MEDIA: In the last quarter of this year there has been a 98% rise in malware detected targeting Internet of Things devices, according to a new report by threat intelligence agency SonicWall. It comes as the number of never-before-seen malware variants also spiked, rising by 22% year-on-year. SonicWall says one of the biggest concerns for companies is the economically motivated attack, with ransomware groups holding out for millions in return for releasing stolen data – but with government agencies and professionals increasingly warning against paying ransoms, hackers are turning to cryptocurrency.
READ THE STORY: OODALOOP
Purpleurchin cryptocurrency miners spotted scouring free GitHub, Heroku accounts
FROM THE MEDIA: A stealthy cryptocurrency mining operation has been spotted using thousands of free accounts on GitHub, Heroku and other DevOps outfits to craft digital tokens. GitHub, for one, forbids the mining of coins using its cloud resources. The Sysdig Threat Research Team said at Kubecon this week it uncovered the activity, dubbed Purpleurchin. Specifically, the researchers found more than 30 GitHub, 2,000 Heroku, and 900 Buddy devops accounts – plus accounts with other cloud and continuous integration and deployment (CI/CD) service providers – being abused to quietly power Purpleurchin's crypto-asset-generating operations.
READ THE STORY: The Register
A popular British hacker was charged by the U.S. authorities for allegedly running the ‘The Real Deal’ dark web marketplace
FROM THE MEDIA: The British hacker Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) (34) was charged by the U.S. DoJ for allegedly running ‘The Real Deal’ dark web marketplace. The man was charged with access device fraud and money laundering conspiracy. “Kaye allegedly operated The Real Deal, a Dark Web market for illicit items, including stolen account login credentials for U.S. government computers; stolen account login credentials for social media accounts and bank accounts; stolen credit card information; stolen personally identifiable information; illegal drugs; botnets; and computer hacking tools,” reads the press release published by DoJ. “The market was organized into categories, such as ‘Exploit Code,’ ‘Counterfeits,’ ‘Drugs,’ ‘Fraud & More,’ ‘Government Data,’ and ‘Weapons.’”
READ THE STORY: Security Affairs
Is Biden’s chip ban a tipping point in US-China relations?
FROM THE MEDIA: The Biden administration’s sweeping ban on high-end semiconductors and chip-making equipment earlier this month marks a tipping point not just in the tech wars, but in U.S.-China relations writ large. Previous export restrictions – most prominently, the Huawei ban – sought to prevent any chips for potential military use. But this move seeks to choke off entirely the high end of Beijing’s high-tech sector by banning export of any advanced chips for supercomputers and artificial intelligence.
READ THE STORY: The Hill
Starlink satellites can be reverse-engineered to create new GPS
FROM THE MEDIA: The Global Positioning System (GPS) is a group of 31 satellites owned and operated by the US government. From an altitude of about 12,500 miles, these satellites transmit radio signals, which are picked up by GPS receivers in cars, phones, and other tech. Using data from the signal, our GPS receivers can calculate their distance from the satellite. If a receiver is within sight of at least four satellites, it can use those distances to calculate its location down to about 7 meters.
READ THE STORY: FreeThink
MajikPOS – POS Malware That Attacks & Steals Payment Data From Credit/Debit Cards
FROM THE MEDIA: Recently, Group-IB’s cybersecurity researchers discovered that threat actors exploited two vulnerabilities in point-of-sale payment devices and stole data on more than 167,000 credit cards. During a security audit conducted by Group-IB on April 19, 2022, a C2 server for the POS malware was identified, which is codenamed MajikPOS (aka MagicPOS). Experts were able to analyze the activity of the server’s operators due to a poor configuration of the server.
READ THE STORY: CyberSecurityNews
Threat Actors Exploit ERP Vulnerabilities for Financial Gain
FROM THE MEDIA: ERP systems, such as SAP and Oracle E-Business Suite (EBS), are the operational engine of an organization, running the business-critical applications and holding the data needed for businesses to function. These systems are essential to the organization, yet almost always fall in a cybersecurity blind spot, left unprotected against internal misuse and external attacks.
READ THE STORY: Security Boulevard
Threat Actors Target AWS EC2 Workloads to Steal Credentials
FROM THE MEDIA: Recently, we came across an exploitation attempt leveraging the monitoring and visualization tool Weave Scope to enumerate the Amazon Web Services (AWS) instance metadata service (IMDS) from Elastic Compute Cloud (EC2) instances through environment variables and the IMDS endpoint. The abuse of this tool can allow the exfiltration of access keys and tokens to a domain possibly owned by the attacker, and uses a dated technique called typosquatting on the AWS-owned domain amazonaws.com.
READ THE STORY: Trendmicro
Uber Verdict Raises New Risks for Ransom Payments
FROM THE MEDIA: Shortly after the end of Q3, Joe Sullivan, the former Uber CSO, was convicted of two felonies associated with the handling of a security incident that occurred in 2016. An aspect of the case against Sullivan was how extortion payments to the threat actors responsible for the 2016 hack were handled. While many of the critical facts and circumstances are unique to Uber and well beyond the average ransomware attack, there are some elements of the case that are worth unpacking. We want to emphasize that our analysis has the obvious advantage of hindsight. We look backwards not to judge, but to understand past and present events so that we may better navigate the future.
READ THE STORY: Security Boulevard
Notorious ‘BestBuy’ hacker arraigned for running dark web market
FROM THE MEDIA: A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now defunct 'The Real Deal' dark web marketplace. The 34-year-old defendant Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) allegedly ran the illicit services market between early 2015 and November 2016, when The Real Deal shut down. Threat actors used this platform to sell anything from stolen credentials for U.S. government agencies' systems and hacking tools to drugs, weapons, and government data.
READ THE STORY: Bleeping Computer
Sudan closes its Internet
FROM THE MEDIA: On the first anniversary of the military coup that brought the current regime to power, the Record reports, Sudan has shut down most of the country's Internet access. The measure, likely to be temporary, comes as civil unrest spreads through the country. According to Reuters, protesters number in the tens of thousands.
READ THE STORY: The Cyberwire
Grid Cards – MFA without the technical overhead
FROM THE MEDIA: This is part four of our MFA blog series for Cybersecurity Awareness Month. You can read up on blog one here, blog two here, and blog three here. We already know the importance of multi-factor authentication (MFA) to secure access to resources for users in a world where passwords are the single largest attack vector. In a recent study, it was found that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
READ THE STORY: Security Boulevard
Russian cyber attacks aimless and opportunistic
FROM THE MEDIA: Russian cyber attacks on Ukrainian infrastructure have devolved into a chaotic series of opportunistic events. That's according to Victor Zhora, the de facto head of cybersecurity for the Ukrainian government in Kyiv. Zhora, whose official title is deputy chairman of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), has led the country's cyber response efforts during the Russian invasion, which began in late February.
READ THE STORY: TechTarget
China is going full 'Black Mirror,' showing off a robot dog that's mounted with a machine gun and can be deployed via drone
FROM THE MEDIA: China is showing off a terrifying new offering from one of its private military contractors — a robot dog mounted with a machine gun that can be transported via drone. Kestrel Defense Blood-Wing, a verified social media account for a private Chinese military contractor, made a post on China's Twitter-like Weibo platform on October 3. The video shows a large drone carrying a gun-mounted robot dog.
READ THE STORY: INSIDER
Security breaches forced US government to issue alert in Nigeria
FROM THE MEDIA: The decision by the United States government to withdraw its non-emergency staff from its diplomatic missions in the country as a result of what it called “elevated risk of terror attacks in Nigeria, specifically in Abuja” was triggered by recent security breaches around US infrastructure assets in the country, BusinessDay has learnt. An informed source told BusinessDay that the decision by the US government to issue the alert came after “a series of disturbing security threats and activities targeted against US interests in Abuja”.
READ THE STORY: BusinessDay
Why are there so many data breaches? A growing industry of criminals is brokering in stolen data
FROM THE MEDIA: New details have emerged on the severity of the Medibank hack, which has now affected all users. Optus, Medibank, Woolworths, and, last Friday, electricity provider Energy Australia are all now among the household names that have fallen victim to a data breach. If it seems like barely a week goes by without news of another incident like this, you would be right. Cybercrime is on the rise – seven major Australian businesses were affected by data breaches in the past month alone.
READ THE STORY: The Conversation
Genshin Impact dev suffers massive data breach
FROM THE MEDIA: Genshin Impact developer HoYoverse has suffered a massive data breach. Over the weekend, huge batches of information were shared online that revealed details of new characters, quests, and events from version 3.3 until 3.8. HoYoverse has issued DMCA strikes against posts containing information from the data breach, although any future updates are of course subject to change. However, many Genshin Impact leakers have since removed their posts when personal user data for multiple HoYoverse QA testers was discovered as part of the breach.
READ THE STORY: Eurogamer
Software supply chain security study
FROM THE MEDIA: BlackBerry has released the results of a survey focused on supply chain software security, conducted by research firm Coleman Parkes. Surveyed were 1,500 IT decision makers and cybersecurity professionals from North America, the United Kingdom, and Australia. 81% of those surveyed reported experiencing cyberattacks in the last 12 months, with 29% indicating that they had been compromised via operating systems.
READ THE STORY: The Cyberwire
Items of interest
New pro-China disinformation campaign targets 2022 elections
FROM THE MEDIA: Researchers at Google-owned Mandiant said in a report Wednesday that they've detected a group attempting to sow division in the U.S. and "operating in support of the political interests of the People’s Republic of China." Election officials have been on high alert for foreign disinformation campaigns aimed at further dividing the country and casting doubt on the U.S. political system in the weeks before the midterms. Mandiant's information adds to growing reports that pro-China actors are interested in influencing and disrupting next month's elections — although there's no evidence they've been successful.
READ THE STORY: AXIOS
Unraveling a REMOTE ACCESS TROJAN (VBScript Deobfuscation) (Video)
FROM THE MEDIA: Unraveling a REMOTE ACCESS TROJAN.
How Hackers Hide (Video)
FROM THE MEDIA: How Hackers Hide.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com