Thursday, November 17, 2022
Chinese Malware Group Fangxiao Targets Users With 42,000 Phishing Domains
FROM THE MEDIA: A report from Infosecurity has revealed a massive coordinated phishing campaign originating out of China. The new group, called Fangxiao, has been using thousands of malicious domains to spread malware and generate advertising revenue. By pretending to be big brands like Coca-Cola or McDonald’s, the group fools innocent users by sending them a WhatsApp message saying they’ve won a prize. Users are then sent to a set of advertising sites from which the group profits. Depending on the target site, the user may then be hit with a malware download disguised as a prize survey. Any Android user who clicks on a ‘complete registration’ button is at risk of the malware attack.
READ THE STORY: TechReport // National Law Review
The UK must protect from influence operations run from foreign companies
FROM THE MEDIA: One of the most nerve-racking aspects of advising UK prime ministers on security matters was the knowledge that, while we often had the intelligence prowess to detect foreign influence operations, we lacked the legal basis to do much about them. There is a long history of countering hostile intelligence officers who operate in the UK as diplomats, by expelling them or restricting their freedom. Foreign powers have developed even more covert means for their influence operations.
READ THE STORY: FT
Critical infrastructure providers ask CISA to place guardrails on reporting requirements
FROM THE MEDIA: Some of the nation’s top critical infrastructure providers are asking the Cybersecurity and Infrastructure Security Agency to provide guardrails around the incident reporting requirements signed into law by President Biden earlier this year. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires these organizations to promptly report major incidents and ransomware payments in order to help federal officials rapidly respond to attacks. The aim is to share that information with other agencies and critical providers, who may not realize there is an impending threat.
READ THE STORY: CyberSecurityDive // Security Boulevard
China-Based Billbug APT Infiltrates Certificate Authority
FROM THE MEDIA: The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of a wide-ranging espionage campaign that stretched back to March, a concerning development in the advanced persistent threat (APT) playbook, researchers warn. Digital certificates are files used to sign software as valid and to verify the identity of a device or user so that encrypted connections can be established. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.
READ THE STORY: DarkReading
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
FROM THE MEDIA: From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
READ THE STORY: CISA // Bleeping Computer // Security Affairs // TC
DOJ touts work with Kaseya, urges more ransomware victims to contact CISA, FBI
FROM THE MEDIA: A senior Justice Department official urged more ransomware victims to come forward and approach law enforcement agencies for assistance, touting the work done with software provider Kaseya last year. Speaking at the Aspen Cyber Summit on Wednesday, Eun Young Choi, Director of the DOJ’s National Cryptocurrency Enforcement Team, said her office is tracking more than 100 ransomware variants and is increasingly having success in helping victims. She noted that part of the ransom paid by Colonial Pipeline after last year’s ransomware attack was clawed back through the blockchain only a month after it was handed over.
READ THE STORY: The Record
Venus Ransomware: Zeoticus Spin-off Shows Sophistication Isn’t Necessary for Success
FROM THE MEDIA: Venus ransomware, also known as Goodgame, has been attracting attention since August 2022 and related samples have been known since at least mid-2021. There are sufficient markers and other metadata present in Venus samples to suggest a genealogy with Zeoticus ransomware, which dates back to early 2020. Venus ransomware is in the tradition of what now might be termed the “legacy ransomware” model: a file locker sold on underground markets as a standalone package rather than on a subscription or “ransomware-as-a-service” model.
READ THE STORY: Sentinelone
U.S. charges suspected LockBit ransomware member
FROM THE MEDIA: The Hacker News reports that Russian-Canadian national Mikhael Vasiliev has been charged by the U.S. Department of Justice for his alleged involvement in the LockBit ransomware operation. Vasiliev was also found to have a text file containing LockBit ransomware deployment instructions, source code, and the control panel website. Vasiliev was also found to have received nearly $17,332 in bitcoin from a LockBit victim in February.
READ THE STORY: SCMAG
Russia’s cyber personnel has ‘underperformed’ in Ukraine: U.S. Defense official
FROM THE MEDIA: A senior Pentagon official on Wednesday said that Russia’s cyber personnel “underperformed” during the initial invasion of Ukraine, prompting it to ultimately rely less on digital attacks during the now months-long conflict than was expected. Speaking at the Aspen Cyber Summit, Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, said Moscow “was not prepared for the conflict to go on as long as it did” and noted the Kremlin had sacrificed “intensity and sophistication” in order to rebuild its arsenal and avoid potential conflict that would draw in NATO.
READ THE STORY: The Record
WASP malware stings Python developers
FROM THE MEDIA: Malware dubbed WASP is using steganography and polymorphism to evade detection, with its malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages. A Checkmarx report detailed hundreds of successful infections of the WASP info-stealer malware, and found a number of interesting features to ensure persistence in a compromised PC and to evade cybersecurity tools.
READ THE STORY: The Register
Electricity access is critical to tackling global poverty
FROM THE MEDIA: Access to electricity may play a much more significant role in improving economic livelihoods than previously assumed, a new study has found. Stanford University scientists harnessed the power of satellite imagery and artificial intelligence to quantify the impacts such a shift can make — publishing their findings on Wednesday in Nature. Homing in on the country of Uganda and its expanding electricity grid, the researchers saw that financial conditions for populations that gained access to electricity roughly doubled in comparison to those that lacked power.
READ THE STORY: The Hill
Russia’s cyber forces ‘underperformed expectations’ in Ukraine: senior US official
FROM THE MEDIA: A senior cyber official at the Department of Defense said on Wednesday that Russian forces “underperformed expectations” in both the cyber and military space, as the West fears the Kremlin would unleash destructive cyberattacks against Ukraine as part of its invasion. Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Department of Defense, said there were a lot of assumptions that Russia would effectively carry out massive cyberattacks against Ukraine, given its prior history.
READ THE STORY: Yahoo News
DHS monitored 'social media reactions' to Roe, collected legally protected speech
FROM THE MEDIA: The Department of Homeland Security monitored “social media reactions” and “reflections” related to the Supreme Court decision that overturned Roe v. Wade, according to a DHS bulletin obtained by Yahoo News. This alarmed current and former DHS officials and civil liberties advocates, who said the agency appears to have collected speech that is protected by the First Amendment. The June 26, 2022, document circulated days after the Roe decision was produced by the department’s Office of Intelligence and Analysis and provides updates on what each part of the office is doing in the wake of the SCOTUS decision.
READ THE STORY: Yahoo News
Russian propaganda outlet RT launches Serbia service amid hike in tensions with Kosovo
FROM THE MEDIA: The chief editor of Russian state-funded broadcaster RT (formerly Russia Today) tweeted "Kosovo is Serbia” on the launch of its Serbian language service RT Balkan, apparently setting the tone for the outlet's reporting. Margarita Simonyan made the controversial comment amid a spike in tensions between Serbia and Kosovo that has raised fears of a new conflict breaking out in the Western Balkans. The RT Balkan news website has already launched, and RT plans to start local language TV broadcasts by 2024 at the latest, said a statement from RT on November 15.
READ THE STORY: BNE Intellinews
Amazon RDS snapshots found to be leaking personal information
FROM THE MEDIA: Thousands of databases hosted on Amazon Web Services Inc.’s Relational Database Service have been found to be leaking personally identifiable information, providing a potential treasure trove for threat actors. Discovered and detailed today by researchers at Mitiga Security Inc., the exposure comes through a snapshot feature in Amazon RDS that is used to back up the hosted databases. The feature allows users to share public data or a template database with an application, including creating a Public RDS snapshot for sharing without having to deal with roles and policies.
READ THE STORY: SiliconANGLE
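The exposure described above comes down to one snapshot attribute: a manual RDS snapshot whose "restore" attribute contains the value "all" can be copied by any AWS account. The following is an added example, not code from the article or from Mitiga's research, showing how a defender can classify snapshots from the response shape that the boto3 call rds.describe_db_snapshot_attributes() returns, and how to sweep an account for public ones. The snapshot names and account ID in the sample data are constructed; the API names and the DBSnapshotAttributesResult shape are the real AWS ones.

```python
# Added example (not from the article): audit Amazon RDS manual snapshots for
# public sharing. A snapshot is public when its "restore" attribute lists "all".
from typing import Dict, List

# Constructed sample results in the documented DBSnapshotAttributesResult shape.
# Snapshot identifiers and the account ID are hypothetical.
SAMPLE_RESULTS: List[Dict] = [
    {"DBSnapshotIdentifier": "prod-customers-2022-11-17",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "staging-orders",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "private-backup",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def sharing_state(result: Dict) -> str:
    """Return 'public' (restorable by any account), 'shared' (specific account
    IDs listed) or 'private' for one DBSnapshotAttributesResult."""
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        values = attr.get("AttributeValues", [])
        if "all" in values:
            return "public"
        if values:
            return "shared"
    return "private"


def public_snapshots(results: List[Dict]) -> List[str]:
    """Identifiers of every result that is publicly restorable."""
    return [r["DBSnapshotIdentifier"] for r in results if sharing_state(r) == "public"]


def audit_account(rds_client) -> List[str]:
    """Live variant: walk every manual snapshot in the account (only manual
    snapshots can be shared) and return the identifiers of the public ones.
    rds_client is a boto3 RDS client; it is passed in so this file imports offline."""
    found: List[str] = []
    paginator = rds_client.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            attrs = rds_client.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            result = attrs["DBSnapshotAttributesResult"]
            if sharing_state(result) == "public":
                found.append(result["DBSnapshotIdentifier"])
    return found


if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        print(r["DBSnapshotIdentifier"], sharing_state(r))
    # Against a real account: import boto3; print(audit_account(boto3.client("rds")))
```

Run as written it classifies the three constructed results; wired to a real client it enumerates the account. To remove public access from a flagged snapshot, the matching call is rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=..., AttributeName="restore", ValuesToRemove=["all"]); the audit above is deliberately read-only.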
Microsoft Detects an Increase in Nation-State Attacks and Password Attacks
FROM THE MEDIA: Microsoft has detected increased nation-state attacks as competing governments rush to compromise systems for cyber espionage and to spread misinformation. The company also observed increased password attacks as hackers “industrialize” cybercrime, thus lowering the entry barrier. According to Microsoft, nation-state attacks targeting critical infrastructure doubled from 20% to 40% in a year.
READ THE STORY: CPO MAG
President Zelenskyy offers the "G19" the benefit of Ukraine's experience with cyber warfare
FROM THE MEDIA: In an address to the G20 delivered by video link, President Zelenskyy offered friendly nations the benefit of Ukraine's experience of resisting Russian cyberattacks during Russia's hybrid war. He addressed the gathering as the "G19," since in his view Russia's assumption of the role of "terrorist state" disqualifies it from the respect and consideration due to a G20 member. His comments to the G20's Digital Transformation Summit commended the creation of cyber auxiliary forces and migration to more resilient cloud services as centerpieces of Ukraine's cyber defense program.
READ THE STORY: The Cyberwire
Uyghur-language Apps Riddled with China-linked Spyware, Cybersecurity Firm Says
FROM THE MEDIA: Two new spyware strains are targeting Uyghurs in China and elsewhere by masquerading as Android apps, designed to track the user’s location and harvest their information, researchers at cybersecurity firm Lookout discovered in a recent threat analysis. Researchers attributed the spyware to Chinese state-backed groups, as some of the technologies overlapped with previous Uyghur cyber espionage campaigns linked to China, and said they can be used to track “pre-criminal” activities, which are considered by China to be signaling religious extremism or separatism.
READ THE STORY: OCCRP
ISIS uses fake Tinder profiles to scam South Africans, finance terrorism
FROM THE MEDIA: Terror organization Islamic State is using fake Tinder profiles in an attempt to catfish and blackmail South Africans into funding the organization's presence across Africa, British news outlet The Times reported on Monday. The Jihadist terrorist group expanded its influence in Africa and had "set up bases in Africa's most industrialized economy to drive fundraising and recruitment," South African Banking Risk Information Centre (SABRIC) head Nischal Mewalall told The Times.
READ THE STORY: JP
Cryptos, DeFi are soft targets for cyber hackers says a Moody’s report
FROM THE MEDIA: The cryptocurrency world is currently in the eye of a storm. The world’s second largest cryptocurrency exchange, FTX, recently fell victim to hackers who stole over $600 million worth of cryptocurrencies. A report by Moody’s suggests that the crypto ecosystem’s design is what makes it so vulnerable to cyber risks. “We think that digital finance is especially vulnerable to cyber risk because of its extensive reliance on automated and novel software and applications, thereby allowing criminals to avail themselves of multiple strategies to steal funds,” said a Moody’s report on decentralized finance and digital assets.
READ THE STORY: OODALOOP
Using AI as an offensive cyber weapon
FROM THE MEDIA: AI is a double-edged sword. It has enabled the creation of software tools that automate tasks such as prediction, information retrieval, and media synthesis, which have been used to improve various cyber defensive measures. In our discussions about artificial intelligence (AI) and machine learning (ML), most of the time we focus on how to defend ourselves against attacks that are powered by AI systems. Yet AI can also be used offensively: to poison ML models by targeting their training datasets, and to steal login credentials (think keylogging, for example).
READ THE STORY: Security Boulevard
US Cyber Review Punts on Russian Hack, Hinting at Limitations
FROM THE MEDIA: China’s focus on enhancing its cyber capabilities over the past decade “poses a formidable threat to the United States in cyberspace today,” according to a report released on Tuesday by a congressional advisory commission. That warning comes on top of the commission’s assessment that Beijing’s trade practices necessitate closer scrutiny from lawmakers and the Biden administration. The U.S.-China Economic and Security Review Commission’s 2022 Annual Report to Congress assessed a range of threats to the U.S. economy and national security, including Beijing’s cyber warfare and espionage capabilities.
READ THE STORY: NextGov
China-Linked Cybercrime Group Attacks Asian Certificate Authority, Breaches Government Agencies
FROM THE MEDIA: All the targets of the attacks are in Asia, but Symantec wasn’t more specific about the location or identities of the targets. Symantec calls the group responsible Billbug, an Advanced Persistent Threat (APT) group it believes has been active since at least 2009. The group is allegedly linked to China, according to reports. The attacks revealed today used specific backdoors Symantec had previously attributed to Billbug in earlier blogs. According to Symantec, Billbug is regarded as an “espionage actor.” That the attack had been ongoing for at least six months against sophisticated targets testifies to the sophistication of the attackers.
READ THE STORY: Security Boulevard
New Coverage – Azov Ransomware Data Wiper & LODEINFO Malware
FROM THE MEDIA: Azov ransomware is known to be distributed via SmokeLoader, a malicious bot application that can be used to load other malware, pirated software, key generators, and adware bundles. This data wiper scans all drives; encrypts any file that does not have an .exe, .dll, or .ini extension; and appends the .azov extension to the encrypted filenames. According to the ransom note, devices are encrypted in protest of Crimea’s seizure, and the threat actors purportedly claim that well-known researchers and other entities are involved in the operation and should be contacted for decryption.
READ THE STORY: Security Boulevard
Items of interest
Australia takes a vow to hack the hackers
FROM THE MEDIA: After cyber attacks on national telecom operator Optus and insurance company Medibank, the Australian government intends to hack the hackers in order to bring them to their knees. Australian Cybersecurity Minister Clare O’Neil will take a decision on this, and news is out that the government wants to take serious action against state-funded hackers and so might go ahead with the said plan. The Australian federal government is extremely concerned about the exposed and stolen sensitive health data and wants to prevent it from being misused. For this reason, it has begun work to track the criminals and hack their servers to siphon off the information they hold about millions of customers.
READ THE STORY: Cyber Security Insiders
China and Mexico look to their joint future (Video)
FROM THE MEDIA: China and Mexico are celebrating 50 years of diplomatic relations this week, and as CGTN looks at the two countries’ relationship, we conclude our series today with a look forward at what the next fifty years might bring. CGTN’s Alasdair Baverstock has more. CGTN is funded in whole or in part by the CCP.
A rare look inside one Mexican cartel’s fentanyl operation, and how the drug reaches the U.S. (Video)
FROM THE MEDIA: The opioid epidemic has ravaged the United States, with the drug fentanyl, a synthetic opioid, delivering particularly fatal outcomes.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com