Tuesday, November 15, 2022
Researchers Sound Alarm on Dangerous BatLoader Malware Dropper
FROM THE MEDIA: A dangerous new malware loader with features for determining whether it's on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months. Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.
READ THE STORY: DarkReading
OopSec – The Mistakes Made by Top APTs
FROM THE MEDIA: Advanced persistent threat (APT) groups are typically the most sophisticated of cybercrime operations. Many have been active for years, stealing tens of thousands of dollars and wreaking havoc upon their enemies and victims. Often backed by nation states, many APT groups carry out cyber espionage, spying on their country’s political enemies. Despite the apparent sophistication of APT groups, they make some surprising mistakes. In coordination with my SafeBreach Labs team, I’ve spent the last seven years on a research project dedicated to identifying these mistakes and using them to uncover unparalleled insights into the inner workings of cybercriminal groups. This undertaking culminated in a talk at this year’s DEF CON 30 that I dubbed “OopSec – The bad, the worse, and the ugly of APT’s operations security.”
READ THE STORY: Security Boulevard
Zapping the satellite board at just the right time can grant deeper access
FROM THE MEDIA: Getting root access inside one of Starlink's dishes requires a few things that are hard to come by: a deep understanding of board circuitry, eMMC dumping hardware and skills, bootloader software understanding, and a custom PCB board. But researchers have proven it can be done. In their talk "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal," researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink User Terminal (i.e., a dish board) using a custom-built modchip through a voltage fault injection.
READ THE STORY: arsTECHNICA
Whoosh confirms data breach after hackers sell 7.2M user records
FROM THE MEDIA: The Russian scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Whoosh is Russia's leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. On Friday, a threat actor began selling the stolen data on a hacking forum, which allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data. The company confirmed the cyberattack via statements on Russian media earlier this month but claimed that its IT experts had managed to thwart it successfully.
READ THE STORY: Bleeping Computer
Previously undetected Earth Longzhi APT group is a subgroup of APT41
FROM THE MEDIA: Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions using a similar Cobalt Strike loader and has been active since 2020. The experts attributed the attacks to a new subgroup of the China-linked APT41 group, tracked as Earth Longzhi. The researchers analyzed two campaigns attributed to Earth Longzhi; the first one, conducted between 2020 and 2021, targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China.
READ THE STORY: Security Affairs
Israeli rail cybersecurity company on “growing interest” from governments
FROM THE MEDIA: Earlier this month, trains stopped in Denmark as a result of a cyberattack. Local media reported that all trains operated by DSB, the largest train operating company in the country, came to a standstill on Saturday morning, October 29th, and could not resume their journey for several hours. And while this may sound like the work of a sophisticated threat actor, Security Week reported that it was actually the result of a security incident at Supeo, a Danish company that provides enterprise asset management solutions to railway companies, transportation infrastructure operators and public passenger authorities.
READ THE STORY: Israel Defense
GitHub Vulnerability Allows Hackers to Hijack Thousands of Popular Open-Source Packages
FROM THE MEDIA: Checkmarx Security researchers disclosed a GitHub vulnerability that allows threat actors to hijack and poison thousands of open-source packages with millions of users. Dubbed RepoJacking (repository hijacking), the vulnerability affects a GitHub namespace retirement feature that protects repositories of renamed user accounts. Security experts warned that the critical vulnerability could lead to widespread software supply chain attacks affecting millions of users. Checkmarx Supply Chain Security team discovered that the logical flaw allows a GitHub user to recreate a GitHub repository identical to one on a renamed account.
READ THE STORY: CPO MAG
China's surveillance campaigns targeting Uyghurs: Cybersecurity researchers
FROM THE MEDIA: Cybersecurity researchers uncovered two new surveillance campaigns that are targeting Uyghurs in China and abroad through messaging services, prayer time apps and dictionaries, according to a Lookout report citing its Threat Lab. The researchers named the two campaigns BadBazaar and MOONSHINE on Thursday. The latter employs a previously disclosed tool, MOONSHINE, which was discovered by Citizen Lab and observed targeting Tibetan activists in 2019. The surveillance and detainment campaigns against Uyghurs and other Turkic ethnic minorities have been operational for years.
READ THE STORY: The Sentinel
Canadian Supermarket Chain Sobeys Hit by Ransomware Attack
FROM THE MEDIA: Sobeys is the second largest supermarket chain in Canada and a wholly-owned subsidiary of Empire Company Limited, which operates more than 1,500 stores across the country, under brands such as Foodland, IGA, Lawtons, Needs, Safeway, and more. On November 7, Empire disclosed that it fell victim to a cyberattack that impacted some in-store systems at its supermarkets, as well as its pharmacies. By Friday, the company was able to fully restore impacted systems at its pharmacies.
READ THE STORY: Security Week
Dissect open source ransomware code to understand an attack
FROM THE MEDIA: Ransomware is malicious software used by cybercriminals to hold a computer and its data hostage. The software takes over the computer and encrypts its files, with the attacker promising to decrypt them once a ransom is paid. In a ransomware attack, an attacker often sends an email pretending to be a bank or service and asks the recipient to download a file. The victim falls for the fake email, downloads the file and unwittingly infects their computer with the ransomware. Next, their computer screen is covered by a message telling them that their personal files have been encrypted, with no way to decrypt them other than paying the attacker for a decryption service.
READ THE STORY: TechTarget
Research bolsters evidence of potential connection between ransomware groups and Russian government
FROM THE MEDIA: While it has been a long-standing question whether there are political motivations behind ransomware attacks, new research by the Stanford Internet Observatory reveals that some Russian ransomware groups may be timing their attacks against Western nations to support Moscow's geopolitical goals. The research, presented at the Cyberwarcon security conference last week, analyzed the ransomware landscape in the six most-attacked countries: the United States, Canada, France, Italy, Germany, and the United Kingdom. The dataset shows that there was an increasing number of Russia-based ransomware attacks before these countries’ national elections.
READ THE STORY: SCMAG
Russian Hackers Unleash New “Ransom-less” Ransomware
FROM THE MEDIA: One of Ukraine's cybersecurity bodies has reported that Russia is using a new type of Ransomware strain, called “Somnia”, to attack their systems and create operational gridlock. The technique relies on victim organizations not having two-factor authentication enabled on their business VPN accounts, which are then used to gain access to their wider network. Unusually, the ransomware is designed to disrupt key Ukrainian organizations, rather than hold data hostage for a price. But once the war abates, who knows where hacking groups – with weapons like this – will turn their attention. The National Computer Emergency Response Team for Ukraine (CERT-UA) has now reported several attacks involving Somnia ransomware.
READ THE STORY: Tech.co
After hack, Thales defense and security project data yet to appear on dark web
FROM THE MEDIA: French defense and aerospace firm Thales was attacked by hackers last week, with company data having been published on the dark net. However, sources close to the matter tell Breaking Defense that the published data is not linked to any of the company’s major defense or national security programs. The sources, speaking under condition of anonymity, expressed confidence that military and security projects were not affected by the breach, but admitted that it’s possible information was stolen that has yet to be discovered or made public. Even with that caveat, that sensitive defense information has yet to become public is a good sign for the firm.
READ THE STORY: Breaking Defense
Seizing the memes of advantage in the Ukraine war and beyond
FROM THE MEDIA: Of all the vagaries we label as ‘non-traditional security’, none is more amusing or indicative of the role of digital networks than that of a compressed, grainy image of a Shiba Inu—a Japanese dog breed that the North Atlantic Fellas Organization uses as its sign. With a swarm of members that include social media researchers, a former president of Estonia, US congressional representatives and military personnel, NAFO is living proof of the importance of memes in contemporary information warfare.
READ THE STORY: ASPI
Treasury targets electronics supply chains in new sanctions against Russia
FROM THE MEDIA: The Treasury Department on Monday announced a new round of sanctions on Russian military supply chains. Treasury said its sanctions target microelectronics imported by Russia that the country uses in its war with Ukraine, specifically ones produced by an Armenia-based company affiliated with Russian electronics producer Milandr. Treasury said the company was a front for the Russian military-industrial base and designated two Swiss nationals in connection with their work for the company. Treasury’s Office of Foreign Asset Control (OFAC) also froze the assets of a Taiwan-based company that it described as a front for purchasing microelectronic components from Asian manufacturers.
READ THE STORY: The Hill
Pro-Russian Hackers Claim Attack on FBI Site
FROM THE MEDIA: A pro-Russian hacking group took responsibility for an alleged attack on a section of the FBI’s website this week, in the latest high-profile attack on U.S. government websites, according to Newsweek. On Monday, the hacking group Killnet shared a post on its Telegram channel claiming an attack on the FBI’s law enforcement resources site. The post included a screenshot of what seemed to be a failed attempt to access the site and was originally shared by another account called “RADIS,” which mentions the “Killnet team” and the protection of Russian cyberspace in its bio.
READ THE STORY: NEWSMAX
To win the internet, the Pentagon's info ops need more humanity and a dash of absurdity
FROM THE MEDIA: Earlier this year, researchers at internet analytics firm Graphika and the Stanford Internet Observatory revealed the existence of a five-year influence operation that encapsulates the difficulties the U.S. government faces in covertly winning hearts and minds online. This campaign — that U.S. Central Command reportedly orchestrated — attempted to spread pro-U.S. messages and targeted audiences in the Middle East and Central Asia via the creation of false personas, the use of memes and phony independent media outlets. In its apparent attempt to run a Russia-style info op, CENTCOM failed. In addition to exhibiting relatively unsophisticated tradecraft mimicking Russian operations — and possibly skirting the military’s own standing protocols — the operation was perhaps most notable for what it wasn’t: effective.
READ THE STORY: Cyberscoop
Musk touches on Twitter criticism, workload at G-20 forum
FROM THE MEDIA: It’s not easy being Elon Musk. That was the message the new Twitter owner and billionaire head of Tesla and SpaceX had for younger people who might seek to emulate his entrepreneurial success. “Be careful what you wish for,” Musk told a business forum in Bali on Monday when asked what an up-and-coming “Elon Musk of the East” should focus on. “I’m not sure how many people would actually like to be me. They would like to be what they imagine being me, which is not the same,” he continued. “I mean, the amount that I torture myself, is the next level, frankly.”
READ THE STORY: Telegraph Herald
Possible employee data breach at Booz Allen Hamilton
FROM THE MEDIA: Leading American management and information technology consulting firm Booz Allen Hamilton has disclosed that a May data incident potentially exposed the personally identifiable information (PII) of active employees. While working at the company, a now-former employee downloaded a copy of an internal report that was improperly stored on an internal SharePoint site. DataBreaches.net reports that the compromised data include employee names, Social Security numbers, compensation, gender, race, ethnicity, dates of birth, and U.S. Government security clearance eligibility. The company says its investigation indicates no intent to misuse the data on the part of the ex-employee.
READ THE STORY: The Cyberwire
How ABB is leading charge for connected energy sector
FROM THE MEDIA: ABB is a technology leader in electrification and automation, enabling a more sustainable and resource-efficient future. The company’s solutions connect engineering know-how and software to optimize how things are manufactured, moved, powered, and operated. Building on more than 130 years of excellence, ABB’s 105,000 employees are committed to driving innovations that accelerate industrial transformation. Particularly active in the global resources and energy sectors (including the oil and gas industry), ABB has achieved a strong reputation both in Australia and internationally for its comprehensive technology offering.
READ THE STORY: Mirage News
FBI tested and almost deployed controversial Pegasus spyware
FROM THE MEDIA: The Federal Bureau of Investigation almost deployed a highly controversial Israeli hacking tool called Pegasus that could have obtained sensitive content from Americans’ cell phones, according to a report. Pegasus is one of the most powerful cyber weapons in the world because it is a zero-click hacking tool that can be covertly installed on a target’s cell phone in order to extract private messages, photos, contacts and video recordings. After months of testing and an internal push to deploy it, the FBI ultimately chose in July 2021 not to deploy the tool in criminal investigations.
READ THE STORY: Fedscoop
Russia-based Pushwoosh tricks US Army and others into running its code – for a while
FROM THE MEDIA: US government agencies including the Army and Centers for Disease Control and Prevention pulled apps running Pushwoosh code after learning the software company – which presents itself as American – is actually Russian, according to Reuters. Pushwoosh is a software company that provides code and data analysis for developers so they can automate custom push notifications based on smartphone users' online activity. This is the same kind of tracking data – aka commercial surveillance – that major US tech companies like Google and Meta have come under fire for collecting by privacy advocates and watchdog agencies alike.
READ THE STORY: The Register
UK Imposes Sanctions On Iran Over Protests Crackdown
FROM THE MEDIA: Britain has slapped a new round of sanctions on 24 Iranian officials who played a role in cracking down on protests after the death of Mahsa Amini in police custody. In a press release on Monday the United Kingdom announced the “sanctions target officials within the Iranian regime who are responsible for heinous human rights violations.” British Foreign Secretary James Cleverly stated that by these sanctions the UK and its partners have sent a “clear message” to the Iranian regime that “the violent crackdown on protests must stop and freedom of expression must be respected.”
READ THE STORY: Iran International
No Code / Low Code for Social Engineering
FROM THE MEDIA: The dark web is a treasure trove of information, data, and malicious software. Most people do not know about the dark web and, if they do, they don’t really know what is available on it. For both professional and personal reasons, I worry about the dark web a lot. Here’s why. This past weekend, I was in the car with my kids and somehow, I can’t remember how, we got on the subject of the dark web. The conversation bounced around from the Silk Road, to recently seized bitcoin, to stolen passwords, to ways cyber criminals share software and information with each other. Initially, my kids thought I was lying about the whole dark web thing.
READ THE STORY: Security Boulevard
Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location
FROM THE MEDIA: Internet giant Google has agreed to pay a record $391.5 million to settle with 40 states in the U.S. over charges the company misled users about the collection of personal location data. "Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information," Oregon Attorney General Ellen Rosenblum said Monday. "For years Google has prioritized profit over their users' privacy. They have been crafty and deceptive," Rosenblum stated.
READ THE STORY: THN
Inside China’s new military ‘stealth jet’ with bizarre tail-free design to ‘dodge radar’
FROM THE MEDIA: The concept for the sixth-generation combat aircraft model was displayed during an airshow and aerospace trade expo in the Guangdong province last week. China's aerospace industry has reportedly been working on a sixth-generation fighter that is faster and more advanced than those already in its arsenal. The design enhances the fighter's low observability, which allows it to evade many radar types, according to The Defense Post. Reduced drag and sustained high-speed flight and cruising reportedly improve the efficiency of the aircraft.
READ THE STORY: The U.S. Sun
Cambodia-China solidify partnership to stop online gambling scams
FROM THE MEDIA: This particular topic was brought up during a conversation between Premier Li and Cambodia’s prime minister Hun Sen, because the main goal of both countries is to improve security ties and the safety of their people. In the past few years, Cambodia has become a nest for cyber slavery crimes, with Chinese traffickers luring unsuspecting victims from across Asia and forcing them to work for criminal syndicates, specifically in operations related to illegal gambling. “Law enforcement cooperation is to be furthered with highlights on combating human trafficking, online gambling, telecom fraud and related heinous crimes, facilitated by closer cooperation in capacity building and information exchanges,” according to the joint statement.
READ THE STORY: World Casino Directory
TransUnion data breach exposes customers’ personal information
FROM THE MEDIA: TransUnion sent letters to consumers disclosing a data breach that exposed personal and financial information. The consumer credit reporting agency, which did not say how many individuals the breach affects, revealed the incident to the Massachusetts Attorney General, AppleInsider reports. TransUnion reportedly says the data breach exposed names, Social Security Numbers, financial account numbers and full driver’s license numbers. In the letters, TransUnion instructed potentially affected individuals on how to protect themselves from becoming victims of identity theft or fraud, AppleInsider reports.
READ THE STORY: Top Class Actions
Russia conspiring to sabotage vital British military fuel supply line in South Atlantic
FROM THE MEDIA: British intelligence has foiled a Russian plot to target a vital pipeline in the South Atlantic following an intelligence tip-off. The military facility supplies fuel to Royal Navy ships, US vessels, the RAF, the US space agency and navy bases on Ascension Island, a remote but strategically crucial British Overseas Territory. A security team is now being based at the site to secure the mile-long supply line against underwater sabotage by Russian submarines and drones and to assure its maintenance. It comes as the Kremlin is suspected of being behind the sabotage of two of its own pipelines that deliver natural gas to Germany, Nord Stream 1 and 2, in which at least 50 meters (164 ft) were destroyed by an undersea blast.
READ THE STORY: Scottish Daily Express
UK group plans first large-scale liquid air energy storage plant
FROM THE MEDIA: UK energy group Highview Power plans to raise £400mn to build the world’s first commercial-scale liquid air energy storage plant in a potential boost for renewable power generation in the UK. Rupert Pearce, chief executive of the 17-year-old company, is aiming to wrap up Highview’s largest ever capital raising early next year to build a large-scale project near Manchester by the end of 2024. “We are raising a significant amount of money for the next two or three years,” the former boss of satellite giant Inmarsat said in an interview. “We’re looking for £400mn to take us through the next phase.”
READ THE STORY: FT
Items of interest
CIA director warns Russian spy chief against deploying nukes
FROM THE MEDIA: CIA Director Bill Burns met on Monday with his Russian intelligence counterpart to warn of consequences if Russia were to deploy a nuclear weapon in Ukraine, according to a White House National Security Council official.
The official, who was not authorized to comment publicly and spoke on the condition of anonymity, said Burns and Sergei Naryshkin, the head of Russia’s SVR spy agency, did not discuss settlement of the war in Ukraine during the meeting in Ankara, Turkiye. Ahead of the meeting, White House officials said Burns had also planned to raise the cases of Phoenix Mercury star Brittney Griner and Michigan corporate security executive Paul Whelan, two Americans detained in Russia whom the Biden administration has been pressing to release in a prisoner exchange.
READ THE STORY: Arab News
The Russian Business Network (Video)
FROM THE MEDIA: In 2006 the Russian Business Network pivoted its business: the once legitimate ISP became a ‘bullet-proof’ hosting service, catering to the needs of cybercriminals. It quickly became the largest player in the Russian cybercrime landscape, with ~60% of all cybercrime activity related to Russia connected to it in some way. Following the Russian government’s years-old tradition of collaborating with organized crime, it’s no wonder that the Russian Business Network quickly became Putin’s informal cyber attack arm.
The Story of ‘L0pht’, Part 1 (Video)
FROM THE MEDIA: 'L0pht', or 'L0pht Heavy Industries', was one of the most influential hacker collectives of the '90s: its members were even invited to testify in front of Congress on the current state of Internet security. In this episode, four of L0pht's members - Count Zero, Weld Pond, Kingpin & Dildog - talk about the beginning and influence of the L0pht on cybersecurity.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com