Friday, December 02, 2022 // (IG): BB // Bubba3dPrints // Coffee for Bob
UPDATE: Mozilla and Microsoft distrust TrustCor root certificates in their browsers
FROM THE MEDIA: 'There is no evidence to suggest that TrustCor violated conduct, policy, or procedure,' says biz. New information came to light during the course of the discussion on the security group. A representative of TrustCor provided information. In the end, it was clear that there were ties between Measurement Systems and TrustCor, at least until 2021, and that one developer hired by TrustCor had access to an unobfuscated version of the source code of the Measurement Systems malware SDK. However, no evidence of mis-issued certificates was presented. Mozilla decided to distrust the TrustCor certificates included in the Mozilla root store from November 30, 2022.
READ THE STORY: GHACKS // The Register
How Ukrainians have fought back with humorous war-related memes
FROM THE MEDIA: Since the start of Russia’s full-scale invasion, Ukrainians have fought back with humor, creating a trove of war-related memes that have countered Russian propaganda and disinformation campaigns. The Kyiv Independent has offered a handy guide to making sense of these Ukrainian memes that have been thriving on social media ever since a defiant Ukrainian border guard on Snake Island said “Russian warship, go fu-k yourself” on the first day of the war.
READ THE STORY: Daily Kos
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
FROM THE MEDIA: Days after researchers for Phylum and Checkmarx revealed an ongoing software supply chain attack spreading the W4SP Stealer malware through malicious packages on the Python Package Index (PyPI), ReversingLabs researchers discovered 10 additional PyPI packages pushing modified versions of W4SP that had been overlooked. The newly discovered packages appear to be part of the same campaign but use slightly modified versions of the W4SP Stealer malware and different command and control infrastructure. Here are our discoveries and indicators of compromise (IOCs), as well as links to a ReversingLabs YARA rule that can be used to detect the malicious Python packages in your environment.
READ THE STORY: Security Boulevard
WhatsApp Files on Dark Web Show Millions of Records For Sale
FROM THE MEDIA: In mid-November, a threat actor posting on a dark web forum claimed to have stolen the personal information of almost 500 million WhatsApp users. Now, Check Point Research (CPR) has published a new advisory analyzing the exposed files and confirming the leak includes 360 million phone numbers from 108 countries. While CPR was unable to confirm the leaked numbers belonged to WhatsApp users, their analysis showed that the phone numbers varied in quantity among countries, ranging from 604 in Bosnia and Herzegovina to 35 million attributed to Italy.
READ THE STORY: InfoSecMag
CISA: Cuba ransomware group has stolen $60 million from at least 100 organizations
FROM THE MEDIA: The Cuba ransomware group has launched attacks against 100 organizations around the world and brought in $60 million between December 2021 and August 2022, according to a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and FBI. The two agencies also said there is no indication that the group is based in or has any connection to the Republic of Cuba. The advisory follows a December 2021 release from the FBI that found the group earned at least $43.9 million from ransom payments after attacks on at least 49 entities in five critical infrastructure sectors.
READ THE STORY: The Record // CISA
Archives overtake Office formats as top file type for delivering malware
FROM THE MEDIA: HP Wolf Security on Thursday reported in its Q3 report that archives have become the most popular file type for delivering malware, seeing an 11% growth in isolated samples compared with Q2 and overtaking Office formats for the first time. The HP report found that attackers are bypassing perimeter network security controls such as email scanners by encrypting malicious payloads inside archives and HTML files. They then rely on social engineering techniques, mainly via email, to lure in unsuspecting victims.
READ THE STORY: SCMAG
Hackers Target Colombia's Healthcare System With Ransomware
FROM THE MEDIA: Colombian healthcare provider Keralty reported a ransomware attack on Sunday, which affected its systems as well as two of its subsidiaries: EPS Sanitas and Colsanitas. The attack has been reported on by Colombian news outlet El Tiempo, and would have disrupted the companies' IT operations, websites and scheduling of medical appointments. Keralty said on Monday they were suffering technical issues but did not disclose the cause. On Tuesday, the company released an additional statement confirming the cyber-attack.
READ THE STORY: InfoSecMag
Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, & Windows Zero-Days
FROM THE MEDIA: A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. "Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.
READ THE STORY: THN // InfoSecMag
New DuckLogs malware service claims having thousands of ‘customers’
FROM THE MEDIA: A new malware-as-a-service (MaaS) operation named 'DuckLogs' has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log keystrokes, access clipboard data, and gain remote access to the compromised host. DuckLogs is entirely web-based. It claims to have thousands of cybercriminals paying a subscription to generate and launch more than 4,000 malware builds.
READ THE STORY: Bleeping Computer
New Redigo malware drops stealthy backdoor on Redis servers
FROM THE MEDIA: A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. CVE-2022-0543 is a critical vulnerability in Redis (Remote Dictionary Server) software with a maximum severity rating. It was discovered and fixed in February 2022. Attackers continued to leverage it on unpatched machines several months after the fix came out, as proof-of-concept exploit code became publicly available. The name of the malware, Redigo, was coined from the software it targets (Redis) and the programming language it is written in (Go).
READ THE STORY: Bleeping Computer
Android malware infected 300,000 devices to steal Facebook accounts
FROM THE MEDIA: An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices. According to a new report by Zimperium, the campaign has infected at least 300,000 devices across 71 countries, primarily focusing on Vietnam. Some apps used for spreading the trojan, which Zimperium named 'Schoolyard Bully,' were previously on Google Play but have since been removed.
READ THE STORY: Bleeping Computer
Chinese protesters back Iranian women, Ethiopia hosts internet meet while keeping the internet off, and NSO’s legal woes
FROM THE MEDIA: It feels as if the world can see and hear the voices of regular people in China in a way that seemed impossible just a few weeks ago. Reports of new demonstrations happening in different city plazas and university campuses across the country seem to surface by the hour. Protesters are taking incredible risks in the face of China’s notorious surveillance regime, most of them for the very first time. China operates the world’s most powerful and sophisticated digital censorship apparatus for this express purpose: to keep people quiet.
READ THE STORY: CODA
Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework
FROM THE MEDIA: A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems. Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges. "The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution (RCE)," Contrast Security researcher Joseph Beeton, who reported the bug, said in a write-up.
READ THE STORY: THN
Google warns about commercial Heliconia spyware hitting Chrome, Firefox and Microsoft Defender
FROM THE MEDIA: Google's Threat Analysis Group (TAG) said on Wednesday that its researchers discovered commercial spyware called Heliconia that's designed to exploit vulnerabilities in Chrome and Firefox browsers as well as Microsoft Defender security software. Google's researchers said they became aware of the framework after an anonymous Chrome bug report that included instructions and source code with the names "Heliconia Noise," "Heliconia Soft" and "Files."
READ THE STORY: The Register
Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
FROM THE MEDIA: The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the underlying software development pipelines for projects using GitHub Actions. In this fourth blog covering vulnerable GitHub Actions, we will explore this new technique of artifact poisoning and describe who could be vulnerable, including how we found this vulnerability in the Rust programming language and assisted in its remediation.
READ THE STORY: Security Boulevard
Exchange Online and Microsoft Teams go down across Asia
FROM THE MEDIA: Microsoft's flagship cloudy productivity services are down across the Asia-Pacific region. "Our initial investigation indicates that our service infrastructure is performing at a sub-optimal level, resulting in impact to general service functionality," states an advisory time-stamped 12:41PM on December 2. The incident means customers of Exchange Online may not be able to access the service, send email and/or files, or use what Microsoft described as "General functionality".
READ THE STORY: The Register
Twitter Discontinuing its Covid19 Misinformation Policy Distorts Free Speech
FROM THE MEDIA: Twitter added a one-line update to its online rules on Monday night: “Effective November 23, 2022, Twitter is no longer enforcing the Covid19 misleading information policy.” This marks an end to the platform’s nearly three-year-long effort to curb misinformation relating to the Covid19 pandemic. Healthcare workers fear the discontinuation of the misinformation policy, together with Musk’s ideas to verify any account for $8, could spell serious trouble for public health. As the latest change at the social media site after the takeover by Elon Musk, the move raises questions about how technocrats like Musk view free speech.
READ THE STORY: The Swaddle
Ransomware attack against Guatemala’s Foreign Ministry under investigation
FROM THE MEDIA: Guatemala's Ministry of Foreign Affairs has not provided any details regarding a ransomware attack earlier this year amid the ongoing investigation into the incident, according to The Record, a news site by cybersecurity firm Recorded Future. The Onyx ransomware operation listed Guatemala's Foreign Affairs Ministry on its leak site in late September and on Nov. 21. Initially identified in April and reported by BlackBerry researchers to have used ransomware based on the Chaos v4.0 ransomware builder, the Onyx ransomware gang was later noted by Dragos researchers to be launching attacks against critical infrastructure operations.
READ THE STORY: SCMAG
War against infrastructure, kinetic and cyber
FROM THE MEDIA: Further Russian withdrawals from the towns around Kherson, but on the east bank of the Dnipro, are being reported, according to the Telegraph. Russia's partial mobilization remains deeply unpopular, and military-aged men have been voting with their feet. Some estimates put the number of those fleeing conscription as high as a million. A report by Foreign Policy notes an interesting sidelight (extra credit to the two who crossed the Bering Sea to Alaska in a small boat; that's showing motivation of the highest degree).
READ THE STORY: The Cyberwire
Of Exploits and Experts: The Professionalization of Cybercrime
FROM THE MEDIA: Just as you keep up with the latest news, tools, and thought leadership in order to protect and secure your organization from cybercriminals, your adversaries are doing the same thing. They are connecting on forums, evaluating new software tools, talking with potential buyers, and searching for new ways to outsmart your security stack. A peek into their world shows they have advanced capabilities that often outmaneuver well-funded security teams and corporate security tools, especially when pitted against legacy solutions like signature-based antiviruses.
READ THE STORY: DARKReading
Russian embassy claims Australian Federal Police yet to get in touch over Medibank hackers
FROM THE MEDIA: Russia has denied any contact from Australian authorities over the Medibank hack, three weeks after federal police singled out Russian cyberhackers. Australian Federal Police (AFP) commissioner Reece Kershaw said on 11 November a group of "loosely affiliated cybercriminals” from Russia was responsible for the hack which affected 9.7 million current and former Medibank customers, and that talks would be held with Russian law enforcement agencies about the bad actors.
READ THE STORY: SBSnews
Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines
FROM THE MEDIA: An attacker submitting changes to an open source repository on GitHub could cause downstream software projects that include the latest version of a component to compile updates with malicious code. That's according to software supply chain security firm Legit Security, which said in an advisory published on Dec. 1 that this "artifact poisoning" weakness could affect software projects that use GitHub Actions — a service for automating development pipelines — by triggering the build process when a change is detected in a software dependency.
READ THE STORY: DARKReading
A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet
FROM THE MEDIA: Named by the Akamai Security Intelligence Response Team (SIRT) in November 2022, KmsdBot was a cryptomining botnet equipped with command-and-control abilities. It infected victims by brute-forcing weak credentials over SSH. The Akamai team assessed and reported on the botnet after one of its honeypots got infected. The botnet targeted both Linux and Windows devices across a range of microarchitectures to deploy mining software and enlist the compromised hosts in its DDoS bot army. Its main targets included gaming and tech firms and luxury vehicle makers.
READ THE STORY: Hackread
Eufy's security cameras send data to the cloud without consent, and that's not the worst part
FROM THE MEDIA: Eufy's claims to keep "privacy in your own hands" have been rendered null, after a researcher caught the security camera company uploading local-only footage to the cloud without user authorization or knowledge. To top it all off, users have also been made aware that camera streams can be watched using VLC without authentication. Paul Moore, a security researcher, was the first to expose the security flaw of local data being stored in the cloud.
READ THE STORY: ZDNET
Department of Energy taps blockchain for electricity grid cybersecurity amid rising vulnerabilities
FROM THE MEDIA: Oak Ridge National Laboratory (ORNL), a Department of Energy (DOE) research institute, is exploring the use of distributed ledger technology (DLT), or blockchain technology, to make electricity grids impervious to cybersecurity attacks. ORNL notes that DLT could hold the key to solving the existential threats plaguing America’s energy grid. The team argues that the decentralized nature of distributed ledgers creates multiple hash copies, triggering an alert if nodes have inconsistent data.
READ THE STORY: COINGEEK
Ukrainian engineers scramble to keep mobile phones working
FROM THE MEDIA: With Ukraine scrambling to keep communication lines open during the war, an army of engineers from the country’s phone companies has mobilized to help the public and policymakers stay in touch during repeated Russian missile and drone strikes. The engineers, who typically go unseen and unsung in peacetime, often work around the clock to maintain or restore phone service, sometimes braving minefields to do so. After Russian strikes took out the electricity that cellphone towers usually run on, they revved up generators to keep the towers on.
READ THE STORY: My Journal Courier
Proceeds from sale of Banksy sculpture will aid refugees
FROM THE MEDIA: A Banksy sculpture is up for sale during Miami Art Week at the satellite fair Context Art Miami (until 4 December), with up to 50% of the total sales benefitting Choose Love, an advocacy organization that provides humanitarian aid to refugees around the world. Dream Boat is a coin-operated piece that debuted in 2015 as part of the mysterious artist’s “Dismaland” project, a pop-up dystopian theme park in Somerset, England. The arresting fibreglass-and-resin object depicts a crowded boat of refugees. In its original display, the boat floated around a dingy outdoor fountain, chased by a menacing miniature coast guard.
READ THE STORY: The Art Newspaper
FCC authorizes SpaceX to begin deploying up to 7,500 next-generation Starlink satellites
FROM THE MEDIA: The Federal Communications Commission issued a key authorization to Elon Musk’s SpaceX on Thursday, granting approval for the company to move forward with launching up to 7,500 next-generation satellites in its Starlink internet network. “Our action will allow SpaceX to begin deployment of Gen 2 Starlink,” the FCC wrote in the order. The FCC did not grant SpaceX’s full application, which included deployment of nearly 30,000 satellites in low Earth orbit, and it placed some conditions on the company’s plan to deploy the satellites.
READ THE STORY: CNBC
The PLA And Intelligentized Warfare
FROM THE MEDIA: China is deploying advanced technologies, including artificial intelligence (AI) and machine learning, automation and robots, quantum computing, big data, 5G networking, and the Internet of Things (IoT), for military purposes. In its 14th Five Year Plan (FYP) (2021–25), China outlined the main aims and objectives of modernizing the People’s Liberation Army (PLA), including that of ‘elevating the level to being an intelligent force’.
READ THE STORY: Eurasia Review
China rapidly building space arms to ‘blind and deafen’ U.S. military
FROM THE MEDIA: China’s military is rapidly building a large force of space weapons, including sophisticated anti-satellite missiles, lasers, jammers, orbiting killer robots and cyber tools, designed to “blind and deafen” the American military in a future war, the U.S. military is warning. New details of Beijing’s growing space arms arsenal were revealed in the Pentagon’s latest annual report to Congress on the Chinese military, released publicly on Tuesday.
READ THE STORY: Washington Times
How Much Of Chinese 5G Technology Is Still Used In Europe
FROM THE MEDIA: For many years European telecom operators have used Chinese 3G and 4G technology from vendors such as Huawei and ZTE. The issue was a no-brainer. China was not seen as a national security threat –in fact, the EU had signed a comprehensive strategic partnership with China in 2003– and Chinese technology was cheaper and, for many tech experts, even better than that of European vendors like Ericsson and Nokia. Hence, many European telecoms signed strategic partnerships with their Chinese providers and used their technology both in Europe and in their overseas businesses in the Global South.
READ THE STORY: Eurasia Review
Chinese firm selling surveillance tech to Iran comes under scrutiny
FROM THE MEDIA: As Iran tries to stifle anti-regime protests, human rights advocates and lawmakers are concerned Iranian authorities can draw on sophisticated video surveillance technology provided by a Chinese company that uses U.S. manufactured chips. Tiandy Technologies has sold its surveillance cameras to Iran’s Revolutionary Guards and other security services, according to a Tiandy website and social media posts. Intel Corp., one of America’s major semiconductor firms, lists the Chinese company as a partner, providing Intel-made processors for some of Tiandy’s video recording equipment.
READ THE STORY: NBC News
Items of interest
The Russian Threat to Subsea Cable Internet Infrastructure
FROM THE MEDIA: Increased Russian naval activity in recent years around deep-sea cables, the critical infrastructure of the global internet, has heightened concerns that Russia may target them in an effort to disrupt Western daily life as the country seeks new means of coercion amid its war in Ukraine. Deep-sea or submarine cables are fiber optic cables that lay the foundation for global internet connectivity across the world. The cables, which are often thousands of miles/kilometers in length, transmit an estimated 95% of international data traffic from country to country by connecting two or more land points across bodies of water.
READ THE STORY: DRANE
Putin’s Secret Private Army: The Wagner Group (Video)
FROM THE MEDIA: Who are the Wagner Group?
Russian mercenary videos 'top 1bn views' on TikTok (Video)
FROM THE MEDIA: Russian mercenary videos 'top 1bn views' on TikTok.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com