Thursday, November 03, 2022 // (IG): BB // Bubba3dPrints // Coffee for Bob
Vitali Kremez Found Dead After Apparent Scuba Diving Accident
FROM THE MEDIA: Vitali Kremez, chairman and CEO of AdvIntel, has been found dead after going missing on Oct. 30. He was 36 years old. The US Coast Guard announced on Wednesday that the body of the longtime security researcher and ethical hacker had been recovered from the sea, after days of searching along the Florida coast. He was last seen "wearing a black wetsuit and scuba tank while diving near Hollywood Beach, Fla.," according to the Coast Guard. According to local reports, he went into the water around 9 a.m. EDT on Sunday, and did not return.
READ THE STORY: DarkReading // iTwire
French defense firm denies ransomware attack after leak site posting
FROM THE MEDIA: French defense and technology firm Thales has denied it was hit with ransomware after a hacking group threatened to leak data stolen from the company. A spokesperson for Thales confirmed that they were aware that the LockBit ransomware group announced plans to release the data on Nov. 7 in a post on Monday on its leak site. But the company said it has found no evidence that it was ever attacked by the group.
READ THE STORY: The Record
Vodafone Italy discloses data breach after reseller hacked
FROM THE MEDIA: Vodafone Italia is sending customers notices of a data breach, informing them that one of its commercial partners, FourB S.p.A., which operates as a reseller of telecommunications services in the country, has suffered a cyberattack. According to the notice, the cyberattack took place in the first week of September and resulted in the compromise of sensitive subscriber details. The exposed information includes subscription details, identity documents with sensitive data, and contact details.
READ THE STORY: BleepingComputer
Cyber threats in K-12 are 'here to stay'
FROM THE MEDIA: Improving the basic cybersecurity postures of K-12 school districts doesn’t have to be an expensive undertaking, even as costly ransomware incidents targeting the sector slog on, speakers said Wednesday during an online event hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Ransomware attacks, CISA Director Jen Easterly said in pre-recorded comments, “strike at the core of schools’ financial stability and ability to carry out fundamental educational mission.” She said they’re also unlikely to fade away.
READ THE STORY: Statescoop
A look at TSA’s rail cybersecurity directive
FROM THE MEDIA: Attorneys at Bracewell LLP have published an article looking at the US Transportation Security Administration's (TSA's) recent initiative to improve railway cybersecurity: "[T]he TSA directive imposes two primary requirements on passenger and freight rail operators, each of which will require numerous elements. First, these operators must, by February 21, 2023 (120 days after the effective date), develop a TSA-approved Cybersecurity Implementation Plan laying out specific measures the company is taking."
READ THE STORY: The Cyberwire
Dozens of PyPI packages caught dropping 'W4SP' info-stealing malware
FROM THE MEDIA: Researchers have discovered over two dozen Python packages on the PyPI registry that imitate popular libraries but instead push info-stealing malware. Most of these contain obfuscated code that drops the "W4SP" info-stealer on infected machines, while others make use of malware purportedly created for "educational purposes" only.
READ THE STORY: Bleeping Computer
Cyber incident reporting isn’t the problem — ignorance is
FROM THE MEDIA: For over 20 years, the federal government has urged industry — particularly those operating critical infrastructure systems like water systems and electric grids — to voluntarily secure their digital assets, share relevant threat information within their sectors, and report incidents to the government. This purely voluntary approach initially made sound legal and policy sense. The alternative, such as government monitoring private networks for signs of potential breaches, seemed both extreme and impractical.
READ THE STORY: The Hill
Defense & National Security — US says North Korea shipping ammunition to Russia
FROM THE MEDIA: The United States has accused North Korea of secretly sending Russia a “significant number” of artillery shells to help in its war in Ukraine. We’ll share what we know about the covert shipments plus a recent missile barrage from North Korea and the South’s response, a grim new watchdog report on Afghanistan and a new leader for the Space Force.
READ THE STORY: The Hill
Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware
FROM THE MEDIA: Kaspersky is warning of a previously unknown espionage campaign targeting the Persian-speaking religious minority Bahaʼi with Android spyware. As part of the campaign, victims were lured to a VPN application claiming to provide access to Bahaʼi religious resources that are banned in Iran. The application contains highly sophisticated spyware designed to collect all types of data from devices, including call logs and contact lists, and to track victims’ activities. The malware, named SandStrike, also supports commands that allow the attackers to perform various operations on the device.
READ THE STORY: SecurityWeek
Osaka Hospital Halts Services After Ransomware Attack
FROM THE MEDIA: In Osaka, Japan, a major hospital has suspended routine medical services due to a ransomware attack that has disrupted the facility’s electronic medical record systems. Emergency operations are continuing, the medical center told reporters. However, the hospital system failed earlier this week and could not be accessed. The Osaka General Medical Center has contacted a third party who examined the issue and found that the system had been attacked by ransomware. The investigator stated that the threat actor sent an email written in English to the hospital’s server demanding a ransom in Bitcoin.
READ THE STORY: OODALOOP // BankInfoSec
US Treasury thwarts DDoS attack from Russian Killnet group
FROM THE MEDIA: The US Treasury Department has thwarted a distributed denial of service (DDoS) attack that officials attributed to Russian hacktivist group Killnet. These are the same pro-Kremlin miscreants that claimed responsibility for knocking more than a dozen US airports' websites offline on October 10 in similar network-traffic flooding incidents. The large-scale DDoS attack didn't disrupt air travel or cause any operational harm to the airports.
READ THE STORY: The Register
EU Expands Cyber Rules for Airline Flight Safety
FROM THE MEDIA: New cybersecurity rules in Europe will for the first time require a swath of aviation suppliers to identify and defend against hacking risks to flight safety. The new rules will apply to a range of air transportation companies, including manufacturers, airlines, airports, flight training schools, caterers and weather data providers. Firms also will be required to create a governance system that assigns an individual to be responsible for making sure problems are documented and addressed.
READ THE STORY: WSJ
CISA: Election infrastructure not facing credible threats as polls near
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency has not identified any credible threat that may compromise election infrastructure a week before the midterm polls, according to CyberScoop. "We have done everything we can to make election infrastructure as secure and as resilient as possible," said CISA Director Jen Easterly during a Center for Strategic and International Studies event.
READ THE STORY: SCMAG
Emotet botnet starts blasting malware again after 5 month break
FROM THE MEDIA: The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation. Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
READ THE STORY: Bleeping Computer
How Ukrainians Are Protecting Their Centuries-Old Culture From Putin’s Invasion
FROM THE MEDIA: During the past eight months of attacks on Ukraine, more than 6,000 civilians have died, 7.7 million people have sought refuge abroad and another 6 million have been displaced internally, according to United Nations estimates. Shelling continues in major cities, leaving many without access to power or running water. Grassroots efforts by Ukrainians have documented the atrocities of the war, as well as damage to the country’s monuments and cultural landmarks, while also preserving and protecting significant pieces of cultural identity.
READ THE STORY: Bloomberg
The surprising relationship between Bitcoin and ransomware is investigated in White House summit
FROM THE MEDIA: Bitcoin has brought with it many benefits: accessibility, liquidity, anonymity, independence from central authority, high-return potential. All of which are a boon to cybercriminals, especially those working across national borders. “When Bitcoin became more widely used, we saw a huge jump in ransomware because it was the way to move money across borders,” a spokesperson only identified as a senior administration official said in a press briefing prior to an international cybersecurity summit in Washington this week.
READ THE STORY: VB
SandStrike, a previously undocumented Android malware, targets a Persian-speaking religious minority
FROM THE MEDIA: In Q3 2022, Kaspersky researchers uncovered a previously undocumented Android spyware, dubbed SandStrike, employed in an espionage campaign targeting the Persian-speaking religious minority Baháʼí. The threat actors were distributing a VPN app embedding highly sophisticated spyware. The attackers set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed graphic materials in order to trick victims into downloading the tainted VPN app. The social media accounts were used to spread a link to a Telegram channel created to distribute the seemingly harmless VPN application.
READ THE STORY: Security Affairs
FCC re-enters cyber regulation
FROM THE MEDIA: Law firm Hogan Lovells has published an article in JD Supra summarizing the steps the US Federal Communications Commission (FCC) is taking for securing communications systems. Most recently, the FCC issued a proposal for securing the US's emergency alert system: "[O]n October 27, 2022, the FCC adopted a Notice of Proposed Rulemaking regarding strengthening the nation’s Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) programs against security threats. The FCC proposes to require participating alert providers to submit annual certifications that the provider has created, annually updated, and implemented a cybersecurity risk management plan.”
READ THE STORY: The Cyberwire
Dropbox incident raises questions about how much security pros can depend on MFA
FROM THE MEDIA: Reports on Tuesday that Dropbox was the target of a phishing campaign that successfully accessed some of the code it stores in GitHub raised eyebrows in security circles because the attackers were able to bypass multi-factor authentication (MFA). In a blog post, Dropbox researchers said the threat actors moved beyond simply harvesting usernames and passwords to harvesting MFA codes. The researchers pointed out that in September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI.
READ THE STORY: SCMAG
Preventing Hyperjacking in a virtual environment
FROM THE MEDIA: In the rapidly evolving world of information security, attack vectors, and cyberattacks, there is a regular cadence of new industry terms to grapple with. Hyperjacking is a term you may not have come across. It is a blend of hypervisor and hijacking. Hijacking is self-explanatory. A hypervisor is software installed on a physical host server that can virtually share its memory and processing resources for use by multiple virtual machines.
READ THE STORY: Security Boulevard
'Please, please, please' report cyber incidents, says Federal Student Aid office official
FROM THE MEDIA: Higher education institutions should report cyberattacks and data breaches the moment they’re discovered, Devin Bhatt, acting chief information security officer for the U.S. Department of Education’s Federal Student Aid office, told a conference this week. While institutions can face fines for not reporting suspected data breaches or cyberattacks to the FSA, some institutions are reluctant to come forward as they fear they will be penalized, Bhatt said during the Educause 2022 conference’s virtual programming on Wednesday.
READ THE STORY: Edscoop
What is “proactive threat intelligence” and why do you need it
FROM THE MEDIA: The challenge with threat intelligence, however, is that the information often isn’t very tailored for a particular organization. Some threat intel feeds or platforms are timely. Others are relevant. Still others are actionable. The trick for today’s threat intelligence providers is to capture information that’s all three things at once – that is, timely, relevant, and actionable. Only by doing so can we turn reactive threat intel into proactive threat intel. What do I mean by “proactive threat intelligence”? To me, it means information that includes situational context of the incipient stages of an attack campaign, thereby giving analysts time to prioritize alerts and act quickly.
READ THE STORY: Security Boulevard
Hundreds of U.S. news sites push malware in supply-chain attack
FROM THE MEDIA: Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. "The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States," Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.
READ THE STORY: Bleeping Computer
Saudi Arabia intensifies targeting dissidents in US using Israeli spyware
FROM THE MEDIA: An investigative report says Saudi Arabia has stepped up its crackdown on dissidents on United States soil, using Israeli spyware. The report, compiled by the Associated Press and published on Wednesday, found that the Saudi kingdom had been monitoring dissidents' communications using the "military-grade" Israeli software. Upon spotting instances of dissent, the kingdom would then resort to handing out heavy sentences and imprisoning the targeted individuals if they returned home.
READ THE STORY: PressTV
China covertly closes cities as 'COVID zero' resistance rises
FROM THE MEDIA: It’s nearly impossible to eat in a restaurant in Wuhan, the central Chinese city where COVID-19 was first detected nearly three years ago. There are few flights out of Zhengzhou, home to the country’s largest iPhone factory. And many children in the tech hub of Shenzhen haven’t been inside a classroom in weeks. Sweeping lockdown orders like that deployed in Shanghai earlier this year haven’t been announced in any of these places, yet people, businesses and entertainment venues are operating as if they’re in place.
READ THE STORY: JapanTimes
Raccoon Stealer and the war in Ukraine
FROM THE MEDIA: It's known that the US has indicted Mark Sokolovsky on charges that allege he was one of the principals behind the Raccoon Stealer malware-as-a-service operation, and that he was arrested by Dutch police on a US warrant, but what was he doing in the Netherlands? Apparently bugging out of Ukraine. A story in MarketWatch says that, shortly after the Russian invasion, Mr. Sokolovsky "climbed into a Porsche Cayenne with his girlfriend to get away from the fighting."
READ THE STORY: The Cyberwire
Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware
FROM THE MEDIA: Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well. The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.
READ THE STORY: DarkReading
U.S. govt employees exposed to mobile attacks from outdated Android, iOS
FROM THE MEDIA: According to a new report, almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications from 2021 to H2 2022.
READ THE STORY: Bleeping Computer
RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
FROM THE MEDIA: The threat actor known as RomCom is running a series of new attack campaigns that take advantage of the brand power of SolarWinds, KeePass, and PDF Technologies. The BlackBerry Threat Research and Intelligence Team uncovered the campaigns while analyzing network artifacts unearthed during our recent report on RomComRAT, which was targeting Ukrainian military institutions through spoofed versions of Advanced IP Scanner software.
READ THE STORY: Blackberry
Starlink on a Drone? This Company Is Working on the Idea
FROM THE MEDIA: We’ve seen SpaceX’s Starlink expand to boats, planes, and moving cars. But now a Canadian company is working to bring the satellite internet service to drones. On Wednesday, an Ontario company called RDARS announced it had successfully integrated Starlink into its drone system. The integration paves a way for an RDARS drone to connect to the internet in remote areas, where cellular access may be limited or unavailable. “One of the main issues facing commercial drone operations is communications outside of urban areas where maintaining sufficient internet connectivity may be challenging,” RDARS says.
READ THE STORY: PCMAG
This is how health entities should document security practices under the HITECH Act
FROM THE MEDIA: A new video from the Office for Civil Rights outlines the evidence and documentation entities impacted by a healthcare data breach must provide the agency in order to qualify for the relief outlined in the HITECH Act’s safe harbor amendment. The Trump administration signed HR 7898 into law on Jan. 5, 2021, which amended the HITECH Act and is seen as a way to incentivize provider organizations for meeting best practice cybersecurity requirements rather than handing down massive monetary penalties for entities experiencing a data breach despite best efforts.
READ THE STORY: SCMAG
Russia resumes grain deal, stays cautious of Ukraine guarantee breach
FROM THE MEDIA: In a meeting with permanent members of the security council on Wednesday, Russian President Vladimir Putin said the Russian Defense Ministry was instructed to resume its engagement in the grain deal. Yet, Russia remains cautious to withdraw its commitments if Kiev breaches the guarantees it provided earlier in the day about the non-use of the grain corridors for military purposes. "In this regard, I have given instructions to the Ministry of Defense to resume our full participation in this work. At the same time, Russia reserves the right to withdraw from these agreements if these guarantees are breached by Ukraine," Putin said.
READ THE STORY: Almayadeen
Items of interest
Thousands enslaved in Cambodia to run fake ICOs and scams
FROM THE MEDIA: The Cambodian government has come under fire for turning a blind eye to Chinese crime rings that human trafficked ‘up to 100,000’ migrant workers and forced them to run online scams, including fraudulent crypto ICOs.
Cambodia has become a hotbed for Chinese gangs thanks to a close relationship between the two governments. Many chose to run casinos until the Covid-19 pandemic forced them into online scams instead.
Ads on social media promising well-paid customer service jobs in Cambodia lured in ‘tens of thousands’ of Asian workers, from China, Vietnam, Malaysia, Taiwan, and Hong Kong. Upon arrival, victims had their passports taken and were held captive, forced to work in ‘cyber scam mills.’
READ THE STORY: Protos
Super Spyware Lurked In a Telecom for Years, But Why? (Video)
FROM THE MEDIA: One of the most advanced malware toolkits ever devised was found "listening" on Belgacom's network. How did it get there? And if a nation state was responsible, what were they looking for?
Crocodile Of Wall Street And The Battle Over Billions In Stolen Bitcoin (Video)
FROM THE MEDIA: On the morning of August 2, 2016, all around the globe, thousands of unsuspecting crypto investors woke up to find their digital wallets mysteriously wiped out. News broke of a shocking digital heist: nearly 120,000 bitcoins stolen from Bitfinex and the start of a manhunt for the hackers. It has all the ingredients of a wide-screen thriller…only this one is true, and is unfolding to be “super, super weird,” according to one of the investors targeted in the hack.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com