Thursday, December 01, 2022
Web browsers drop mysterious company with ties to U.S. military contractor
FROM THE MEDIA: Major web browsers moved Wednesday to stop using a mysterious software company that certified websites were secure, three weeks after The Washington Post reported its connections to a U.S. military contractor. Mozilla’s Firefox and Microsoft’s Edge said they would stop trusting new certificates from TrustCor Systems that vouched for the legitimacy of sites reached by their users, capping weeks of online arguments among their technology experts, outside researchers and TrustCor, which said it had no ongoing ties of concern. Other tech companies are expected to follow suit.
READ THE STORY: WP // Google Groups
New Exploit Broker on the Scene Pays Premium for Signal App Zero-Days
FROM THE MEDIA: Gray-market exploit brokers are alive and kicking, with the latest sign of this flourishing market coming in the form of a bidding war for Signal messaging app zero-days from a relatively new entrant. Russia-based OpZero went on the record recently with a $1.5 million offer for Signal remote code execution (RCE) exploits, more than tripling the relatively stable high-water mark for that app offered by American firm Zerodium.
READ THE STORY: DARKReading
Vatican hit by suspected cyber attack days after Pope criticizes Russia
FROM THE MEDIA: The Vatican's website was down on Wednesday evening amid "abnormal access attempts", according to the Holy See. “Technical investigations are ongoing due to abnormal attempts to access the site,” Vatican spokesman Matteo Bruni said. He did not give any further information. Throughout Wednesday, several Vatican sites were offline and the official Vatican.va website was inaccessible well into the evening. The suspected hack came a day after Moscow rebuked Pope Francis’s latest condemnation of Russia’s invasion of Ukraine.
READ THE STORY: Euronews
TikTok users must be cautious about malware-filled ‘Invisible Challenge’
FROM THE MEDIA: To all those who are about to take part in TikTok’s latest ‘Invisible Challenge’ where you are supposed to use a software filter while dancing N$de to shield your modesty, here’s a warning. According to a discovery and report released by cybersecurity firm Checkmarx, some hackers are hijacking the trend to steal victims’ information and that can turn more surreptitious in the coming weeks. Checkmarx experts state that some online users were being lured by threat actors to download a ‘Space Unfilter’ software that helps download videos to reveal the hidden nak*d bodies of TikTok users who already took the ‘Invisible Challenge’.
READ THE STORY: Cyber Security Insiders // Security Affairs
Guatemala’s Foreign Ministry investigating ransomware attack
FROM THE MEDIA: Guatemala’s Foreign Ministry said it is investigating a ransomware attack that happened earlier this year. The Ministry of Foreign Affairs shared the Law on Access to Public Information with The Record and said they were unable to comment on the cyberattack because of it. “The Ministry is not in a position to respond to your request, since it is in the investigation phase,” a spokesperson said. The Foreign Ministry was added to the leak site of the Onyx ransomware group on September 27 and was added again on November 21.
READ THE STORY: The Record
China-Based Hackers Target Southeast Asia With USB-Based Malware
FROM THE MEDIA: Cyber espionage activity relying on USB devices as an initial infection vector has been spotted targeting public and private entities in Southeast Asia and the Philippines in particular. Cybersecurity experts at Mandiant shared their findings about the new campaigns on Monday, attributing them to a China-based threat actor they call UNC4191. According to the technical write-up, UNC4191 operations have affected several entities in Southeast Asia but also in the US, Europe and Asia Pacific Japan.
READ THE STORY: InfoSecMag
LastPass says it was breached — again
FROM THE MEDIA: Password manager LastPass said it’s investigating a security incident after its systems were compromised for the second time this year. LastPass chief executive Karim Toubba said in a blog post that an “unauthorized party” recently gained access to some customers’ information stored in a third-party cloud service shared by LastPass and its parent company, GoTo. Toubba said the unauthorized party used information stolen from LastPass’ systems in August, which the company disclosed at the time.
READ THE STORY: TechCrunch
North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets
FROM THE MEDIA: A previously undocumented backdoor called Dolphin has been attributed to the North Korea-linked ScarCruft group, which has used it against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko said in a new report published today. Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.
READ THE STORY: THN // Bleeping Computer
Zero-Day Flaw Discovered in Quarkus Java Framework
FROM THE MEDIA: A high-severity zero-day vulnerability has been discovered in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines (JVMs) and native compilation. Tracked as CVE-2022-4116, the flaw has a CVSS v3 base score of 9.8 and lies in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks, potentially leading to remote code execution (RCE). According to Joseph Beeton, a senior application security researcher at Contrast Security, exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges.
READ THE STORY: InfoSecMag
Hyundai vulnerability allowed remote hacking of locks, engine
FROM THE MEDIA: Security researchers have discovered a vulnerability affecting Hyundai and Genesis cars, which would have allowed hackers to remotely control functions such as the door locks and engine. The exploit impacts cars by Hyundai and Genesis released since 2012 and targets a weakness in the use of insecure vehicle data in mobile apps intended for use by the owners of the vehicles. The API calls used to control the locks, horn, engine, headlights, and boot controls of cars were easily exploitable and could be reverse engineered to give hackers full remote access to the car’s functions, the researchers said.
READ THE STORY: TechCentral
Singapore releases blueprint to combat ransomware attacks
FROM THE MEDIA: Singapore has released what it says is a blueprint to combat the growing ransomware threat and offer guidelines on how to mitigate such attacks. These include a reference ransomware "kill chain" and recommendations on whether to pay ransom demands. Ransomware risks have increased significantly in scale and impact, becoming an "urgent" problem that countries including Singapore must address, the Cyber Security Agency (CSA) said in a statement Wednesday.
READ THE STORY: ZDNET
Keralty ransomware attack impacts Colombia's health care system
FROM THE MEDIA: The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries. Keralty is a Colombian healthcare provider that operates an international network of 12 hospitals and 371 medical centers in Latin America, Spain, the US, and Asia. The group employs 24,000 people and 10,000 medical doctors who provide healthcare to over 6 million patients. The company offers further healthcare services through its subsidiaries, Colsanitas, Sanitas USA, and EPS Sanitas.
READ THE STORY: Bleeping Computer
GoTo says hackers breached its dev environment, cloud storage
FROM THE MEDIA: Remote access and collaboration company GoTo disclosed today that they suffered a security breach where threat actors gained access to their development environment and third-party cloud storage service. GoTo (formerly LogMeIn) began emailing customers Wednesday afternoon, warning that they have started investigating the cyberattack with the help of Mandiant and have alerted law enforcement. The company says they first learned of the incident after detecting unusual activity in their development environment and third-party cloud storage service.
READ THE STORY: Bleeping Computer
Black Basta Crew using Qakbot in widespread Ransomware Strikes
FROM THE MEDIA: A potentially widespread ransomware campaign run by the Black Basta hacking crew is primarily targeting U.S.-based companies with Qakbot (aka QBot, Pinkslipbot) malware, a new Cybereason report said. Black Basta, which surfaced this past April and is composed of founding Conti members, typically targets organizations in the U.S., Canada, U.K., Australia, and New Zealand. The group is known for pilfering sensitive information and then extorting victims for as much as $2 million by threatening to post the data on the dark market unless the victim meets its ransomware demands.
READ THE STORY: MSSPAlert
Let Data Breach Victims Sue Marriott
FROM THE MEDIA: A company harvested your personal data, but failed to take basic steps to secure it. So thieves stole it. Now you’ve lost control of your data, and you’re at greater risk of identity theft. But when you sue the negligent company, they say you haven’t really been injured, so you don’t belong in court – not unless you can prove a specific economic harm on top of the obvious privacy harm. We say “no way.” Along with our friends at EPIC, and with assistance from Morgan & Morgan, EFF recently filed an amicus brief arguing that negligent data breaches inflict grievous privacy harms in and of themselves, and so the victims have “standing” to sue in federal court – without the need to prove more.
READ THE STORY: EFF
CI Fuzz CLI Brings Fuzz Testing to Java Applications
FROM THE MEDIA: The open source security tool CI Fuzz CLI now supports Java, according to Code Intelligence, the company behind the project. Back in September, Code Intelligence announced CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix functional bugs and security vulnerabilities at scale. CI Fuzz CLI can be integrated into common build systems such as Maven and Bazel, integrated development environments (IDEs), and continuous integration/continuous delivery (CI/CD) tools such as Jenkins.
READ THE STORY: DARKReading
Lockbit 3.0 has BlackMatter ransomware code, wormable traits
FROM THE MEDIA: The latest version of the LockBit ransomware strain contains new capabilities and utilizes features of another prominent ransomware, BlackMatter, according to Sophos research published Wednesday. Sophos said it analyzed multiple incidents utilizing the latest version of LockBit, referred to as LockBit 3.0 or "LockBit Black." The original LockBit ransomware was first observed in mid-2019, with an upgraded 2.0 version discovered last year. Version 3.0 was initially tracked earlier this year. Most recently, source code for the new variant was leaked in September.
READ THE STORY: TechTarget
IKEA’s Kuwait, Morocco franchises hit by Vice Society ransomware gang
FROM THE MEDIA: Major Swedish furniture retail firm IKEA had its Kuwait and Morocco franchises compromised by the Vice Society ransomware gang, resulting in disruptions for certain operating systems, according to The Record, a news site by cybersecurity firm Recorded Future. Vice Society added both IKEA franchises on its leak site on Monday, with the shared file names suggesting the theft of business and employee data, as well as information from Jordan-based IKEA outlets.
READ THE STORY: SCMAG
PII May Have Been Stolen in Virginia County Ransomware Attack
FROM THE MEDIA: Personally identifiable information may have been leaked in a recent ransomware attack targeting Southampton County in the state of Virginia. The county recently warned individuals that their information may have been stolen after cybercriminals were able to gain access to a single server and encrypt it. Southampton County stated that its IT team took appropriate steps to contain the incident and is also conducting an investigation to determine the nature and scope of the data breach.
READ THE STORY: OODALOOP
Ransomware Gang Takes Credit for Maple Leaf Foods Hack
FROM THE MEDIA: The Black Basta ransomware group has claimed responsibility for an attack that occurred earlier this month targeting Maple Leaf Foods. The company experienced outages as a result of the cyberattack despite taking action immediately after identifying the breach. The Canadian packaged meats company has not verified the extent of financial losses caused by the cyberattack. Additionally, it is unclear whether the company plans on paying a ransom or has done so; however, the hacking group has already begun to leak data, indicating that the company has not given in to its demands.
READ THE STORY: OODALOOP
Australia will now fine firms up to AU$50 million for data breaches
FROM THE MEDIA: The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers that suffer large-scale data breaches. The financial penalty introduced by the new bill is set to whichever is greater: AU$50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.
READ THE STORY: Bleeping Computer
A syntax error took down the KmsdBot cryptomining botnet, effectively killing it
FROM THE MEDIA: Akamai on Wednesday reported that in some continued research its team did on the KmsdBot, a syntax error caused the bot to stop sending commands, effectively killing the botnet. The Akamai researchers had earlier released a blog post about the KmsdBot, a cryptomining botnet with command-and-control capabilities that infected victims via SSH and weak credentials. The Akamai team had analyzed and reported on KmsdBot after it infected one of its honeypots. “It’s not often we get this kind of story in security,” said the researchers. “In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story.”
READ THE STORY: SCMAG
Medibank hackers declare 'case closed'
FROM THE MEDIA: Australia's information commissioner has begun an investigation into Medibank's data-handling practices as the hackers behind the breach dumped the last customer information they stole on the dark web. The health insurer reported the breach on October 13 and the Russian ransomware group has been releasing customer information in a staged manner since early November. But the Office of the Australian Information Commissioner confirmed on Thursday it was examining Medibank after preliminary inquiries found enough evidence to press further.
READ THE STORY: Perthnow
Reformed Russian Cybercriminal Warns That Hatred Spreads Hacktivism
FROM THE MEDIA: Dmitry Smilyanets cost U.S. companies hundreds of millions of dollars when he was a hacker living in Russia in the 2000s. He said a selfie from a trip to Amsterdam in 2012 tipped off U.S. authorities to his whereabouts, ultimately landing him in prison. Mr. Smilyanets now helps companies protect themselves against cyberattacks and studies the activity of Russian ransomware gangs as principal product manager for identity intelligence at the cybersecurity company Recorded Future Inc. He is the subject of a WSJ podcast series, Hack Me If You Can.
READ THE STORY: WSJ
Cybersecurity researchers take down DDoS botnet by accident
FROM THE MEDIA: While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks. As revealed in a report published earlier this month, the KmsdBot malware behind this botnet was discovered by members of the Akamai Security Intelligence Response Team (SIRT) after it infected one of their honeypots. KmsdBot targets Windows and Linux devices with a wide range of architectures, and it infects new systems via SSH connections that use weak or default login credentials.
READ THE STORY: Bleeping Computer
Spyware vendor Variston exploited Chrome, Firefox and Windows zero-days, says Google
FROM THE MEDIA: A Barcelona-based company that bills itself as a custom security solutions provider exploited several zero-day vulnerabilities in Windows and in the Chrome and Firefox browsers to plant spyware, say Google security researchers. In research shared with TechCrunch ahead of publication on Wednesday, Google’s Threat Analysis Group (TAG) says it has linked Variston IT, which claims to offer tailor-made cybersecurity solutions, to an exploitation framework that enables spyware to be installed on targeted devices.
READ THE STORY: TechCrunch
A Hacked Newsroom Brings a Spyware Maker to U.S. Court
FROM THE MEDIA: Roman Gressier, an American journalist working for the Salvadoran news outlet El Faro, spent the spring of 2021 in his small, dorm-like apartment outside the capital. He was twenty-six, and had recently moved to San Salvador to pursue his long-standing ambition of working for El Faro, one of Central America’s foremost news organizations. Breaking a string of stories documenting corruption and malfeasance in the administration of El Salvador’s populist President, Nayib Bukele, El Faro has become a leading source of accountability in Central American media—and a source of frustration to Bukele.
READ THE STORY: The New Yorker
SpaceX's Starlink hit by global outage
FROM THE MEDIA: SpaceX's satellite Internet service has been impacted by a global outage. The issue appears to have caused near total downtime for 22 minutes, and users are still reporting some problems. "The SpaceX Starlink satellite Internet service experienced a global outage beginning at 20:56 UTC today," Doug Madory, the director of Internet analysis at network observability company Kentik, said on Twitter.
READ THE STORY: DCD
Amazon Satellite Experiment Puts the Cloud in Low Earth Orbit
FROM THE MEDIA: Satellite operators are often challenged by the horrendous amounts of data that satellites collect and transmit back to Earth. A recent experiment with prototype Amazon Web Services (AWS) software suggests cloud-based solutions, when used way above Earth’s actual clouds, can lessen the data load. AWS, describing the experiment as the “first of its kind,” announced the test at the Amazon subsidiary’s re:Invent conference in Las Vegas on Tuesday.
READ THE STORY: Gizmodo
Internet of Military Things (IoMT) and the Future of Warfare
FROM THE MEDIA: The Internet of Military Things (IoMT) is a class of heterogeneously connected devices employed for future warfare. It has wide applications in advanced combat operations and intelligence-oriented warfare. For example, it allows real-time connection among devices, such as between unmanned vehicles and a central command station. Likewise, it would enable a broader warfighting concept interpreted as Joint All Domain Command and Control (JADC2) by the United States (US) military. JADC2 is based on a similar network of sensors that connect all battlefield devices.
READ THE STORY: Modern Diplomacy
NVIDIA releases GPU driver update to fix 29 security flaws
FROM THE MEDIA: NVIDIA has released a security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation. The latest security update addresses 25 vulnerabilities on the Windows and Linux GPU drivers, while seven flaws are categorized as high-severity.
READ THE STORY: Bleeping Computer
What is Ransom Cartel? A ransomware gang focused on reputational damage
FROM THE MEDIA: Ransom Cartel, a ransomware-as-a-service (RaaS) operation, has stepped up its attacks over the past year after the disbanding of prominent gangs such as REvil and Conti. Believed to have launched in December 2021, Ransom Cartel has made victims of organizations from among the education, manufacturing, utilities, and energy sectors with aggressive malware and tactics that resemble those used by REvil.
READ THE STORY: ARN
Items of interest
Russia launches final GLONASS-M navigation satellite into orbit
FROM THE MEDIA: Russia added another piece to its GLONASS satellite-navigation network on Monday (Nov. 28). A Soyuz rocket topped with a GLONASS-M satellite lifted off from Plesetsk Cosmodrome in northwestern Russia Monday at 10:17 a.m. EST (1517 GMT; 6:17 p.m. Moscow time). The spacecraft was successfully delivered to its target orbit and has received the designation Cosmos 2564, Roscosmos, Russia's federal space agency, announced via Telegram shortly after the launch.
READ THE STORY: SPACE
How does Starlink Satellite Internet Work (Video)
FROM THE MEDIA: With Starlink internet, data is continuously being sent between a ground dish and a Starlink satellite orbiting 550km above. Furthermore, the Starlink satellite zooms across the sky at 27,000km/hr!
Who are the Black Reward Hacking Team (Video)
FROM THE MEDIA: This group has actively targeted the Iranian government with its cyberattacks. In one of those attacks, it claims to have obtained audio recordings of an IRGC general talking with a Qatari about how individuals can be kept out of the World Cup.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com