Wednesday, November 16, 2022 // (IG): BB // Bubba3dPrints // Coffee for Bob
Masters of adaptation: how the war on Ukraine is reshaping Russia’s digital underground
FROM THE MEDIA: In the cyber theater, Russia’s war against Ukraine has raged intensely for several years already, and major cyber intrusions into Ukrainian systems accompanied the February invasion, as well. While the weaponization of cybercrime against Western targets has not manifested as feared, the war is remapping the Russian-speaking cyber underground. In a guest essay for Meduza, Flashpoint Intelligence senior analyst András Tóth-Czifra explains how Russia’s invasion has changed this digital hunt for ill-gotten gains.
READ THE STORY: Meduza
How Ukrainians are using pirated movies to bring war’s reality to Russian viewers
FROM THE MEDIA: In recent months, many Russians who have tried to watch popular shows like The Walking Dead and Stranger Things have been interrupted by an unusual advertisement. The shows cut to a man in a white hoodie, telling stories about the war in Ukraine. “I know this is not the content you expected, but it is what you need to see. This is the illegal truth about Russia’s war in Ukraine,” the man says, before clips start playing of a house exploding from a missile strike, parents crying over the body of a murdered child, or corpses being pulled out from under the rubble.
READ THE STORY: The Record
Emerging US battery supply chain should be wary of China’s information ops
FROM THE MEDIA: Twenty companies in the emerging domestic supply chain for lithium-ion batteries got some good news: President Biden, together with U.S. Secretary of Energy Jennifer Granholm, announced $2.8 billion in grants to support electrifying America’s light-duty vehicle fleet. But not long ago, a similar set of companies received very different news. Lynas Rare Earths, which was planning to build mineral processing facilities in Texas, found out in June that its project was the target of a Chinese disinformation campaign called “Dragonbridge.” There were fake social media profiles, shared images of angry protestors and calls to rally against the project. Two other firms – USA Rare Earths and Appia Rare Earths and Uranium – were targets earlier in the year.
READ THE STORY: The Hill
FBI director says he's 'extremely concerned' about China's ability to weaponize TikTok
FROM THE MEDIA: FBI Director Christopher Wray told Congress on Tuesday he is “extremely concerned” that Beijing could weaponize data collected through TikTok, the wildly popular app owned by the Chinese company ByteDance. Wray said during a House Homeland Security Committee hearing on worldwide threats that application programming interfaces, or APIs, that ByteDance embeds in TikTok are a national security concern since Beijing could use them to “control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.”
READ THE STORY: Cyberscoop
North Korean hackers target European orgs with updated malware
FROM THE MEDIA: North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device. The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.
READ THE STORY: Bleeping Computer
Half of all macOS malware comes from this one app
FROM THE MEDIA: According to the 2022 Global Threat Report from Elastic Security Labs (via 9to5Mac), just 6.2% of malware ends up on macOS devices compared to 54.4% on Windows. This is not especially surprising, given how much of an emphasis Apple puts on security. What is surprising is that nearly half of all macOS malware originates from the same source. Elastic’s researchers claim that over 47% of macOS malware comes from the app MacKeeper. Ironically, the MacKeeper software suite purports to “keep your Mac clean and safe with zero effort,” but as Elastic explains, it is also a useful vector for attackers.
READ THE STORY: BGR
APT Group Pilfers $11 Million From Africa, Asia, Latin America Using Spear Phishing Emails
FROM THE MEDIA: The vast majority of the world’s cyber crime is directed at English-speaking countries, particularly businesses in the United States. But there are signs that major organized groups are actively probing and staking out lucrative niches in other areas, entering territory that was previously hunted by smaller and less skilled attackers. A detailed report on one such example has recently been published by security outfit Group-IB, outlining the activities of the “OPERA1ER” APT group over the past few years. This group is known for targeted spear phishing emails, but is unique in targeting less economically developed nations in Africa, Asia and Latin America.
READ THE STORY: CPO MAG
Android spyware campaigns aimed at Uyghurs detailed
FROM THE MEDIA: Uyghurs in China and around the world have been targeted by two prolonged surveillance campaigns leveraging Android spyware tools BadBazaar and new MOONSHINE variants that sought to monitor individuals' whereabouts and exfiltrate sensitive data, according to The Hacker News. Threat actors behind the BadBazaar campaign have leveraged 111 unique apps impersonating TikTok, video players, religious apps, and messengers, to spread spyware since late 2018, a report from Lookout revealed. BadBazaar has been discovered in the "Uyghur Lughat" dictionary app on the Apple App Store, which sends messages to the server of its Android counterpart to facilitate iPhone data collection.
READ THE STORY: SCMAG
SandStrike spyware spreads through VPN
FROM THE MEDIA: Sandstrike, a previously unknown Android espionage campaign, has been spreading spyware to a Persian-speaking religious minority, Baháʼí. According to cybersecurity solutions company Kaspersky, Sandstrike distributes the spyware using a virtual private network (VPN). The attackers use social media platforms to lure victims. When an unsuspecting internet user clicks on the link, he or she is directed to a Telegram channel where Sandstrike spyware is distributed through a seemingly harmless VPN.
READ THE STORY: Back End News
Journalist behind Greek government spy scandal story summoned to testify
FROM THE MEDIA: Journalist and editor-in-chief of Documento newspaper Kostas Vaxevanis, who broke the story of the spyware scandal alleging Greek government surveillance of opposition politicians, was summoned to testify to prosecutors on Friday on the matter, it was reported on Tuesday. Supreme Court Prosecutor Isidoros Dogiakos launched an inquiry after Documento published a list of 33 names of politicians, cabinet ministers, businesspeople and some of their relatives who were allegedly under surveillance. Vaxevanis had requested that Dogiakos consolidate pending criminal cases that are being investigated individually - such as the case of PASOK-KINAL party leader Nikos Androulakis and those of journalists - with Predator spyware being the common denominator.
READ THE STORY: GCT // The Hill
North Korean APT Using a New Version of DTrack Spyware
FROM THE MEDIA: Kaspersky researchers reported on a new variant of DTrack spyware, which can track and steal sensitive details of targets anywhere. They linked the new version to North Korean hackers, who are this time using DTrack against companies in Europe and Latin America. This backdoor spyware executes itself in the target’s system memory, thus staying there for a longer period without being detected. A North Korean hacking group called Lazarus is reportedly using a new version of DTrack – a backdoor malware that’s used for spying on targets and installing additional malware.
READ THE STORY: Techdator
North Korea funneled $1b for its nuclear programs through cyber crypto heists
FROM THE MEDIA: North Korea has stolen more than $1 billion in cryptocurrencies and hard currencies in the past two years to fund its nuclear weapons program, the US secretary of homeland security said Tuesday in the US. US Secretary of Homeland Security Alejandro Mayorkas made the claim in his written testimony submitted ahead of a plenary session of the Committee on Homeland Security in the House of Representatives. “In the last two years alone, North Korea has largely funded its weapons of mass destruction programs through cyber heists of cryptocurrencies and hard currencies totaling more than $1 billion,” the US secretary said in the written statement.
READ THE STORY: The Korea Herald
Research bolsters evidence of potential connection between ransomware groups and Russian government
FROM THE MEDIA: While it has been a long-standing question whether there are political motivations behind ransomware attacks, new research by the Stanford Internet Observatory reveals that some Russian ransomware groups may be timing their attacks against Western nations to support Moscow's geopolitical goals. The research, presented at the Cyberwarcon security conference last week, analyzed the ransomware landscape in the six most-attacked countries: the United States, Canada, France, Italy, Germany, and the United Kingdom. The dataset shows that there was an increasing number of Russia-based ransomware attacks before these countries’ national elections.
READ THE STORY: SCMAG
Top Zeus Botnet Suspect “Tank” Arrested in Geneva
FROM THE MEDIA: Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources. Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.
READ THE STORY: Security Boulevard
Official US Army app had Russian code, may have harvested user data
FROM THE MEDIA: The U.S. Army confirmed that an officially approved app was built using code from a tech company with Russian roots that provides popular tools for developers to send customized notifications to their users. At least 1,000 people downloaded the app, which delivered updates for troops at the National Training Center on Fort Irwin, California, a critical waypoint for deploying units to test their battlefield prowess before heading overseas.
READ THE STORY: Federal Times
Apple launches emergency system for people who can’t access cell service
FROM THE MEDIA: As Canada’s top telecommunications companies face pressure to ensure Canadians can reach emergency responders in the event of a major outage, Apple is rolling out a new service that will accomplish just that. The Cupertino, Calif. tech giant says its new Emergency SOS system, available on iPhone 14 devices in Canada this week, will help people without cellular or Wi-Fi service connect to a satellite to report an emergency or call for help in even the most remote locations.
READ THE STORY: Seaway News
Wipermania: Malware Remains a Potent Threat, 10 Years Since 'Shamoon'
FROM THE MEDIA: Destructive wiper malware has evolved very little since the "Shamoon" virus crippled some 30,000 client and server systems at Saudi Aramco more than 10 years ago. Yet it remains as potent a threat as ever to enterprise organizations, according to a new study. Max Kersten, a malware analyst at Trellix, recently analyzed more than 20 wiper families that threat actors deployed in various attacks since the beginning of this year — i.e., malware that makes files irrecoverable or destroys whole computer systems. He presented a summary of his findings at the Black Hat Middle East & Africa event on Tuesday during a "Wipermania" session.
READ THE STORY: DarkReading
Experts found critical RCE in Spotify’s Backstage
FROM THE MEDIA: Researchers from the security firm Oxeye discovered a critical Remote Code Execution in Spotify’s Backstage (CVSS Score of 9.8). Backstage is Spotify’s open-source platform for building developer portals; it’s used by several organizations, including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games. The issue can be exploited by triggering a recently disclosed VM sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library. Oxeye researchers reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage development team quickly fixed it with the release of version 1.5.1.
READ THE STORY: Security Affairs
KmsdBot – A Malware Written in Golang Infects Via SSH To Perform DDoS Attack
FROM THE MEDIA: Recently, a new piece of evasive malware has been discovered that is able to gain entry into enterprise systems in order to mine cryptocurrency by exploiting a key internet-facing protocol. Researchers have discovered that the malware is capable of launching DDoS attacks, gaining a foothold on corporate networks, and launching attacks. To maintain Akamai’s long-term security and stability, the Security Intelligence Response Team (SIRT) tracks, detects, documents, and publishes new developments.
READ THE STORY: GBHACKERS
Lawmakers press Biden officials on cyber reporting, CISA’s future as threats from nations, ransomware evolve
FROM THE MEDIA: The future of the Cybersecurity and Infrastructure Security Agency, requests for a speedier implementation of new cyber incident reporting regulations, and a potential congressional authorization for the newly established Cyber Safety Review Board were all floated by members of the House Homeland Security Committee as they pressed Biden administration officials Tuesday on their cybersecurity plans for the coming year.
READ THE STORY: SCMAG
The US’s New Tool for Deterrence Isn’t Ready
FROM THE MEDIA: A “deterrence triad” that combines special operations, space, and cyber forces has been described as the “next step in terms of deterrence,” to give the U.S. the “ability to protect and the opportunity to disrupt.” But while the concept was announced in August, the actual where, how, and what of the triad remains “a work in progress,” according to special operations thinkers, leaders, and industry-movers who spoke last week at Global Special Operations Foundation’s Modern Warfare Week conference at Fort Bragg, N.C.
READ THE STORY: DefenseOne
Resilience Seen as a Key to Critical infrastructure Security
FROM THE MEDIA: The string of major supply chain and critical infrastructure attacks in the last couple of years has demonstrated not just the willingness of threat actors to target those systems, but also the importance of organizations planning for such attacks and being able to bounce back from them when they occur. Incidents such as the software supply chain attacks against SolarWinds and Kaseya and the ransomware attack on Colonial Pipeline last year can cause long-term downstream effects for customers and other organizations for months or even years afterward.
READ THE STORY: DUO
What are Dating Apps Doing to Protect Their Users
FROM THE MEDIA: When asked about the pitfalls and problems behind using dating apps, users cite data security as one of the most worrying elements of online dating. Since the Ashley Madison breach in July 2015, online dating sites have repeatedly been under media scrutiny for the poor management of users’ personal information. For Ashley Madison, which controversially pitched itself to people who were already married or in existing relationships, this opened breach victims to more than simple credit card fraud. The very real possibility of extortion, blackmail, internet shaming, and some very awkward conversations with partners and family, placed users in a difficult and vulnerable position – the very position that Ashley Madison was allegedly created to avoid.
READ THE STORY: Security Boulevard
PCspooF: New Vulnerability Affects Networking Tech Used by Spacecraft and Aircraft
FROM THE MEDIA: A novel attack method has been disclosed against a crucial piece of technology called time-triggered ethernet (TTE) that's used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft. Dubbed PCspooF by a group of academics and researchers from the University of Michigan, the University of Pennsylvania, and the NASA Johnson Space Center, the technique is designed to break TTE's security guarantees and induce TTE devices to lose synchronization for up to a second, a behavior that can even lead to uncontrolled maneuvers in spaceflight missions and threaten crew safety.
READ THE STORY: THN
Three charged for sending military data to China, contracting fraud
FROM THE MEDIA: Three people and a magnetics company were charged over an alleged scheme to send military data to China and for illegally providing the U.S. Department of Defense with Chinese-made parts for military equipment. The Justice Department announced that Indiana residents Phil and Monica Pascoe, along with Scott Tubbs of Kentucky, were arrested and charged with wire fraud, violating the Arms Export Control Act and smuggling. The company Quadrant Magnetics was also charged for the crimes.
READ THE STORY: C4ISRNET
China’s Cyber Capabilities ‘Pose a Serious Threat’ to US, Advisory Panel Warns
FROM THE MEDIA: China’s focus on enhancing its cyber capabilities over the past decade “poses a formidable threat to the United States in cyberspace today,” according to a report released on Tuesday by a congressional advisory commission. That warning comes on top of the commission’s assessment that Beijing’s trade practices necessitate closer scrutiny from lawmakers and the Biden administration. The U.S.-China Economic and Security Review Commission’s 2022 Annual Report to Congress assessed a range of threats to the U.S. economy and national security, including Beijing’s cyber warfare and espionage capabilities.
READ THE STORY: NextGov
China-Linked Cybercrime Group Attacks Asian Certificate Authority, Breaches Government Agencies
FROM THE MEDIA: All the targets of the attacks are in Asia, but Symantec wasn’t more specific about the location or identities of the targets. Symantec calls the group responsible Billbug, an Advanced Persistent Threat (APT) group they believe to be active at least since 2009. The group is allegedly linked to China, according to reports. The attacks revealed today used specific backdoors Symantec had previously attributed to Billbug in earlier blogs. According to Symantec, Billbug is regarded as an “espionage actor.” That the attack has been ongoing for at least six months against sophisticated targets testifies to the sophistication of the attackers.
READ THE STORY: Security Boulevard
New Coverage – Azov Ransomware Data Wiper & LODEINFO Malware
FROM THE MEDIA: Azov ransomware is known to be distributed via SmokeLoader—a malicious bot application that can be used to load other malware, pirated software, key generators, and adware bundles. This data wiper scans all drives; encrypts any file that does not have the .exe, .dll, or .ini extension; and appends the .azov file extension to the encrypted filenames. According to the ransom note, devices are encrypted in protest of Crimea’s seizure, and the threat actors purportedly claim that well-known researchers and other entities are involved in the operation, instructing victims to contact them for decryption.
READ THE STORY: Security Boulevard
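The behaviour described above (every file outside a short extension allow-list, across all drives, renamed with one appended suffix) leaves a strong host-side signal: a burst of renames that append the same new extension to many files in many directories within seconds. The following is an added example, not code from the Azov write-up or from any vendor product, of a heuristic that runs over file-rename events; the RenameEvent format, the thresholds and the sample paths are assumptions, and the events are constructed for illustration.

```python
"""Heuristic detection of a mass-rename burst of the kind a file-encrypting
wiper produces.  Added example; the event schema, thresholds and sample data
are assumptions, not anything from the Azov analysis."""

import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: float        # seconds since epoch (constructed for this example)
    old_path: str
    new_path: str


def added_extension(ev: RenameEvent) -> Optional[str]:
    """Return the suffix a rename appended (e.g. '.azov'), or None when the
    new name is not simply the old name plus one more extension."""
    if ev.new_path.startswith(ev.old_path + "."):
        return ev.new_path[len(ev.old_path):]
    return None


def detect_extension_bursts(events: List[RenameEvent], window: float = 30.0,
                            min_files: int = 5, min_dirs: int = 2) -> List[Dict]:
    """Alert when one appended extension hits at least `min_files` files in at
    least `min_dirs` distinct directories inside any `window`-second span.
    The directory spread is what separates a wiper sweep from, say, a backup
    tool renaming a handful of files in one folder."""
    by_ext: Dict[str, List[RenameEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        ext = added_extension(ev)
        if ext:
            by_ext[ext].append(ev)          # stays time-sorted per extension

    alerts = []
    for ext, evs in by_ext.items():
        best: List[RenameEvent] = []
        for i in range(len(evs)):          # densest window starting at each event
            j = i
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window:
                j += 1
            if j - i + 1 > len(best):
                best = evs[i:j + 1]
        dirs = {os.path.dirname(e.old_path) for e in best}
        if len(best) >= min_files and len(dirs) >= min_dirs:
            alerts.append({"extension": ext, "files": len(best),
                           "dirs": len(dirs), "first_ts": best[0].ts})
    return alerts


# Constructed sample: six documents across two folders gain ".azov" within
# three seconds, plus benign noise (a two-file .bak rotation, a .tmp finalise).
SAMPLE_EVENTS = [
    RenameEvent(100.0, "C:/Users/alice/Documents/budget.xlsx", "C:/Users/alice/Documents/budget.xlsx.azov"),
    RenameEvent(100.5, "C:/Users/alice/Documents/notes.txt", "C:/Users/alice/Documents/notes.txt.azov"),
    RenameEvent(101.0, "C:/Users/alice/Documents/plan.docx", "C:/Users/alice/Documents/plan.docx.azov"),
    RenameEvent(101.5, "C:/Users/alice/Pictures/img1.jpg", "C:/Users/alice/Pictures/img1.jpg.azov"),
    RenameEvent(102.0, "C:/Users/alice/Pictures/img2.jpg", "C:/Users/alice/Pictures/img2.jpg.azov"),
    RenameEvent(102.5, "C:/Users/alice/Pictures/img3.jpg", "C:/Users/alice/Pictures/img3.jpg.azov"),
    RenameEvent(150.0, "C:/Backups/app.log", "C:/Backups/app.log.bak"),
    RenameEvent(151.0, "C:/Backups/db.log", "C:/Backups/db.log.bak"),
    RenameEvent(160.0, "C:/Downloads/setup.tmp", "C:/Downloads/setup.exe"),
]


def run_sample() -> List[Dict]:
    """Run the heuristic over the constructed events."""
    return detect_extension_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The .bak rotation stays quiet because it touches two files in one directory, and the .tmp rename is not an appended suffix at all, so only the .azov sweep is reported. Because the wiper skips .exe, .dll and .ini, an allow-list on extensions alone will not catch it; the burst shape is the more robust signal.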
Items of interest
Russian and Iranian spies face tougher sentences for harassing British nationals
FROM THE MEDIA: Iranian and Russian spies will face tougher sentences for threatening British nationals, the security minister has pledged. Writing for The Telegraph, Tom Tugendhat said that new laws would allow any harassment or assault by an agent of a foreign power to be treated as an “aggravating factor” by judges. This would mean courts would be able to impose higher sentences if a crime such as assault or harassment was committed at the behest of a foreign power. Mr Tugendhat cited the death threats to two London-based journalists from Tehran-backed agents over the reporting of the country’s protests.
READ THE STORY: The Telegraph
How China Is Weaponizing Mexican Cartels Against America (Video)
FROM THE MEDIA: Ed Calderon is a non-permissive environment specialist and combative instructor with over 10 years of experience in counter-narcotics, organized crime investigation, and public safety in the northern border region of Mexico.
How Roof Koreans Took Back Los Angeles... (Video)
FROM THE MEDIA: At the start of the riots, the Los Angeles Police Department (LAPD) offered next to no help to the Korean business owners, or indeed anyone caught in the fray, and largely retreated from the situation as things slowly went from bad to worse. With no police force to protect people, the city was at the brink, with both racial and economic issues taking the forefront.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com