Tuesday, December 20, 2022 // (IG): BB // THM:Windows RE // Coffee for Bob
Iran and Russia were too distracted to meddle in midterm elections
FROM THE MEDIA: Domestic unrest in Iran and Russia’s war in Ukraine may have distracted Tehran and Moscow from making more of an effort to influence or interfere in the 2022 US midterm election, a top US military cyberofficial said Monday. “We collectively saw much less focus from foreign adversaries, particularly the Russians” in targeting the 2022 election compared to previous elections, Maj. Gen. William J. Hartman, who leads the Cyber National Mission Force of US Cyber Command, the military’s offensive and defensive hacking unit, said at a press briefing at Fort Meade, home to Cyber Command and the National Security Agency.
READ THE STORY: CNN Politics
US satellite network compromised by Russian APT operations
FROM THE MEDIA: Russian state-sponsored threat operation Fancy Bear, also known as APT28, was noted by the Cybersecurity and Infrastructure Security Agency to have infiltrated the network of a U.S. satellite communications provider with U.S. critical infrastructure clients, CyberScoop reports. Fancy Bear was discovered by CISA researchers within the satellite's network earlier this year, with CISA incident response analyst MJ Emanuel noting that the attackers were able to explore the network months prior to being discovered. Such an attack indicates Russia's interest in disrupting the space economy as evidenced by its attack against U.S. telecommunications firm Viasat which took down internet services in Ukraine prior to being invaded.
READ THE STORY: SCMAG
The secret payloads of Russia’s Glonass navigation satellites
FROM THE MEDIA: Aside from their primary mission, Russia’s Glonass navigation satellites are being used for a number of little publicized secondary objectives. Instruments to detect nuclear explosions have been flown on Glonass satellites since early this century and two new payloads are expected to be introduced on the next generation of satellites in 2023. One will help locate and rescue military personnel in distress and the other likely is part of a signals intelligence system that will provide targeting data for sea-launched cruise missiles. Despite the secretive nature of these payloads, a significant amount of information on them can be gathered from publicly available sources.
READ THE STORY: The Space Review
Telegram Hack Exposes Growing Russian Cyber Threat in Moldova
FROM THE MEDIA: A potentially damaging leak of alleged private Telegram conversations involving the president of Moldova and two cabinet ministers has further underscored the seriousness of the cyber threat that Chisinau says comes from Russia. The ministers and the office of pro-European President Maia Sandu say the content of the alleged conversations is fake, but Iurie Turcanu, Moldova’s deputy prime minister in charge of digitalization, said the attacks themselves are real and increasingly sophisticated. In late October, the Washington Post reported that Russian intelligence services had “funneled tens of millions of dollars from some of Russia’s biggest state companies to cultivate a network of Moldovan politicians and reorient the country toward Moscow.”
READ THE STORY: Balkan Insight
China and Russia 'Sharing a Toolkit' to Dismantle the West—NATO Ambassador
FROM THE MEDIA: China and Russia are "sharing a toolkit" of strategies to undermine NATO members and Western governments must do more to defend themselves against the two countries, a senior U.S. diplomat has warned. Discussing the threat posed by Beijing and Moscow in an interview with the Financial Times published Tuesday, Julianne Smith, U.S. ambassador to NATO, said: "Those two are increasingly sharing a toolkit that should concern the NATO alliance." Her comments come as Beijing and Moscow increase military exercises and foreign policy alignment against the West. China announced on Tuesday that joint drills with the Russian Navy will be held off the coast of Zhejiang province, south of Shanghai, from Wednesday until the following Tuesday.
READ THE STORY: Newsweek
Malicious Python Trojan Impersonates SentinelOne Security Client
FROM THE MEDIA: In the latest supply chain attack, an unknown threat actor has created a malicious Python package that appears to be a software development kit (SDK) for a well-known security client from SentinelOne. According to an advisory from cybersecurity firm ReversingLabs issued on Monday, the package, dubbed SentinelSneak, appears to be a "fully functional SentinelOne client" and is currently under development with frequent updates appearing on the Python Package Index (PyPI), the main repository for Python code. SentinelSneak does not attempt malicious actions when it is installed, but it waits for its function to be called by another program, researchers noted. As such, the attack highlights attackers' focus on the software supply chain as a way to inject compromised code into targeted systems as a beachhead for further attacks.
READ THE STORY: DARKReading
Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data
FROM THE MEDIA: Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed SentinelSneak. The package, named SentinelOne and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days. It claims to offer an easier method to access the company's APIs, but harbors a malicious backdoor that's engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data. What's more, the threat actor has also been observed releasing two more packages with similar naming variations – SentinelOne-sdk and SentinelOneSDK – underscoring the continued threats lurking in open source repositories.
READ THE STORY: THN
“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”
FROM THE MEDIA: “RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs. Flashpoint first identified RisePro on December 13, 2022 after analysts identified several sets of logs uploaded to the illicit underground market Russian Market, which listed their source as “risepro.”
Russian Market is a log shop similar to other log markets, such as Genesis, in which threat actors can upload and sell logs collected from stealers. At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.
READ THE STORY: Security Boulevard
Microsoft finds macOS bug that lets malware bypass security checks
FROM THE MEDIA: Apple has fixed a vulnerability attackers could leverage to deploy malware on vulnerable macOS devices via untrusted applications capable of bypassing Gatekeeper application execution restrictions. Found and reported by Microsoft principal security researcher Jonathan Bar Or, the security flaw (dubbed Achilles) is now tracked as CVE-2022-42821. Apple addressed the bug in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 1.7.2 (Big Sur) one week ago, on December 13. Gatekeeper is a macOS security feature that automatically checks all apps downloaded from the Internet if they are notarized and developer-signed (approved by Apple), asking the user to confirm before launching or issuing an alert that the app cannot be trusted.
READ THE STORY: Bleeping Computer
Ukraine's DELTA military system users targeted by info-stealing malware
FROM THE MEDIA: A compromised Ukrainian Ministry of Defense email account was found sending phishing emails and instant messages to users of the 'DELTA' situational awareness program to infect systems with information-stealing malware. The campaign was highlighted in a report today by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel of the malware attack. DELTA is an intelligence collection and management system created by Ukraine with the help of its allies to help the military track the movements of enemy forces. The system provides comprehensive real-time information with high-level integration from multiple sources on a digital map that can run on any electronic device, from a laptop to a smartphone.
READ THE STORY: Bleeping Computer
Critical Windows code-execution vulnerability went undetected until now
FROM THE MEDIA: Researchers recently discovered a Windows code-execution vulnerability that has the potential to rival EternalBlue, the name of a different Windows security flaw used to detonate WannaCry, the ransomware that shut down computer networks across the world in 2017. Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.
READ THE STORY: arsTECHNICA
Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages
FROM THE MEDIA: Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla." The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises. Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.
READ THE STORY: DARKReading
Chinese Hackers Exploit Citrix Vulnerabilities
FROM THE MEDIA: A networking appliance used to assure the availability of clinical applications and a virtual private network each made by Citrix both contain flaws that are under active exploitation by Chinese state-sponsored hackers. U.S. federal authorities and Citrix both are urging users to patch the flaw, tracked as CVE-2022-27518. "These vulnerabilities are known to be actively exploited by a Chinese state-sponsored advanced persistent threat," says the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert issued Friday. Citrix released patches for the vulnerability, which allows a remote attacker to "completely" compromise a target system.
READ THE STORY: BankInfoSecurity
DraftKings warns data of 67K people was exposed in account hacks
FROM THE MEDIA: Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. In credential stuffing attacks, automated tools are used to make a massive number of attempts (up to millions at a time) to sign into accounts using credentials (user/password pairs) stolen from other online services. This tactic works exceptionally well against user accounts whose owners have reused the same login information across multiple platforms. The attackers aim to take over as many accounts as possible to steal personal and financial info, which gets sold on hacking forums or the dark web. However, the stolen information may also be used in identity theft scams to make unauthorized purchases or empty banking accounts linked to compromised accounts.
READ THE STORY: Bleeping Computer
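The credential stuffing pattern described above (many distinct accounts tried from one source, mostly failing, with a few successes where reused passwords matched) is detectable in authentication logs. The following is an added example, not code from the story or from DraftKings; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
"""Flag credential-stuffing activity in authentication logs (added example).

Assumed log format (one event per line):
    <ISO-8601 UTC time> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>
The thresholds are illustrative; tune them to your own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays eight different accounts in a few
# seconds (two succeed: reused passwords). 198.51.100.2 is a normal user who
# mistyped once. 192.0.2.9 hammers a single account: brute force, a different
# pattern that this heuristic deliberately does not flag.
SAMPLE_LOG = """\
2022-11-18T03:00:01Z 203.0.113.7 alice LOGIN_FAIL
2022-11-18T03:00:02Z 203.0.113.7 bob LOGIN_FAIL
2022-11-18T03:00:03Z 203.0.113.7 carol LOGIN_OK
2022-11-18T03:00:04Z 203.0.113.7 dan LOGIN_FAIL
2022-11-18T03:00:05Z 203.0.113.7 eve LOGIN_FAIL
2022-11-18T03:00:06Z 203.0.113.7 frank LOGIN_FAIL
2022-11-18T03:00:07Z 203.0.113.7 grace LOGIN_OK
2022-11-18T03:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2022-11-18T03:00:09Z 198.51.100.2 ivan LOGIN_FAIL
2022-11-18T03:00:20Z 198.51.100.2 ivan LOGIN_OK
2022-11-18T03:01:00Z 192.0.2.9 judy LOGIN_FAIL
2022-11-18T03:01:01Z 192.0.2.9 judy LOGIN_FAIL
2022-11-18T03:01:02Z 192.0.2.9 judy LOGIN_FAIL
2022-11-18T03:01:03Z 192.0.2.9 judy LOGIN_FAIL
2022-11-18T03:01:04Z 192.0.2.9 judy LOGIN_FAIL
2022-11-18T03:01:05Z 192.0.2.9 judy LOGIN_FAIL
"""


def parse_line(line):
    """Return (timestamp, source_ip, username, success) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"


def detect_stuffing(log_text, window=timedelta(seconds=60), min_attempts=5,
                    min_users=4, min_fail_ratio=0.6):
    """Per source IP, slide a time window over its login events and flag the IP
    when one window holds many attempts against many distinct accounts with a
    high failure ratio. Returns {ip: summary of the densest flagged window}."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                summary = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "successes": len(win) - fails,
                    # Accounts that accepted a stuffed credential: these need a
                    # forced password reset, not just a source-IP block.
                    "accounts_hit": sorted(u for _, u, ok in win if ok),
                }
                if ip not in alerts or summary["attempts"] > alerts[ip]["attempts"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The `accounts_hit` list is the actionable output: a block on the source address stops the tool, but the accounts whose reused passwords worked remain compromised until reset.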
SolarWinds Talks ‘Transparent Communication’ with U.S. Government – But It’s Still Getting Sued by SEC
FROM THE MEDIA: SolarWinds says becoming the face of the Sunburst attack has led to more transparent communication with government agencies and enterprise customers. “We’re willing to share lessons learned to make everybody better together,” said Chip Daniels, head of government affairs at SolarWinds. “This is a threat that’s not one party against another party. This is a threat to our entire society. And to begin to counter this threat, it requires the cooperation of public and private. But it also requires the cooperation of private and private. So we’re having to collaborate with competitors in this space. Because, if you’ve to defend one, you’ve got to defend everybody.” The Sunburst supply chain cyberattack made headlines around the world in 2020.
READ THE STORY: CF
Data of over 100,000 students exposed in a massive data breach
FROM THE MEDIA: McGraw Hill, an education publishing company based in the USA, mistakenly exposed records of over 100,000 students online. The data could be accessed by anyone with a web browser. This breach exposed students from several universities across the US and Canada. A team of researchers at vpnMentor discovered two misconfigured Amazon Web Services (AWS) S3 buckets that belonged to McGraw Hill. One was the production bucket with more than 47 million files and 12TB+ of data. The non-production bucket contained more than 69 million files and 10TB+ of data.
READ THE STORY: TECHLOMEDIA
Play ransomware claims attack on German hotel chain H-Hotels
FROM THE MEDIA: The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms. The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under 'H-Hotels' and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes. H-Hotels disclosed the cyberattack last week and stated that the security incident occurred on Sunday, December 11th, 2022. "According to the first findings of internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational protection systems of IT in a professional attack," explained H-Hotels' security incident notice.
READ THE STORY: Bleeping Computer
CMS subcontractor hit with ransomware
FROM THE MEDIA: Initial information of a reported ransomware attack on vendor Healthcare Management Solutions indicates the company acted in "violation of its obligations to CMS," according to the agency, and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries. CMS was notified on October 9 that the subcontractor's corporate systems had been attacked with ransomware the day before. HMS resolves system errors related to Medicare beneficiary entitlement and premium payment records for CMS under a contract with ASRC Federal Data Solutions, LLC, but does not handle Medicare claims information, according to the agency's statement. The subcontractor also supports the collection of Medicare premiums from the direct-paying beneficiary population.
READ THE STORY: Healthcare IT News
The Modern Day Blackmail: Understanding the Dangers of Cyber Extortion
FROM THE MEDIA: In today’s digital age, organizations of all sizes and industries are vulnerable to cyber extortion. At its core, cyber extortion is when someone or some group uses online threats and intimidation to get someone or some group to pay a ransom or do something else they want. It is a crime that can have devastating consequences for those targeted. For organizations, the stakes are high. If a cyber extortion attack works, sensitive information can be lost, money can be lost, and the organization’s reputation can be hurt. In extreme cases, it can even put the organization out of business. That is why protecting your organization against cyber extortion is key. By taking proactive steps to secure your systems and data, you can reduce the risk of falling victim to this type of attack and the potentially disastrous consequences that come with it.
READ THE STORY: DATACONOMY
Duo Hacked Into Ring Accounts To Live Stream Swatting Incidents: DOJ
FROM THE MEDIA: Two men involved in a nationwide "swatting" spree made a series of bogus police calls and hacked into a dozen Ring home security cameras to live stream the police response, federal prosecutors announced Monday in Los Angeles. The suspects allegedly used the Ring systems to taunt police as they arrived on the scene and further the hoax, according to the U.S. Attorney's Office. The alleged swatting and hacking spree took place in November of 2020 when the suspects were teenagers. Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, are each charged with one count of conspiracy to intentionally access computers without authorization.
READ THE STORY: PATCH
Zscaler becomes a member of the Joint Cyber Defense Collaborative
FROM THE MEDIA: Zscaler on Monday announced that it had become a member of the Joint Cyber Defense Collaborative (JCDC), underscoring the company’s commitment to play a more prominent role in the nation’s overall cybersecurity posture. Established last year by the Cybersecurity and Infrastructure Security Agency (CISA), the JCDC works to develop joint cyber defense plans and operations through partnerships with the private sector, federal government, and state, local, tribal and territorial governments. “Today, digital transformation has accelerated organizations’ move to cloud-based SaaS models and the internet is now the new corporate network — rendering 30 years of networking and security principles ineffective,” said Jay Chaudhry, founder, CEO and chairman of Zscaler.
READ THE STORY: SCMAG
Blackmailers Leverage Flutter Framework in ‘MoneyMonger’ Malware
FROM THE MEDIA: Blackmailers are using Flutter’s framework in a newly-discovered Android malware campaign. Mobile security platform Zimperium’s zLabs team publicly identified the threat, which it dubbed MoneyMonger, on Thursday. The attack allows the malfeasant to steal personal information from a device when the end user applies for a microloan through financial apps. The attacker then leverages that personal information to blackmail victims into paying more than the terms that their predatory loans required.
READ THE STORY: The New Stack
Threat Intelligence Through Web Scraping
FROM THE MEDIA: Threat intelligence plays a key role in the safety and security of any organization’s online activity, and it plays a determining factor in upholding the integrity of their internal infrastructure. But to be able to assess possible threats across the cybersecurity landscape at scale, they need data — and more importantly, public Web data. This is because Web data helps security operators better understand the vulnerabilities that may be present within their systems, threats that could originate within the networks of outside organizations as well as potential risks that could target their organization across the World Wide Web.
READ THE STORY: DARKReading
GPUs dodge price hike as US extends China tariff deadline beyond 2022
FROM THE MEDIA: Those fearing that graphics cards could see a significant price increase due to US tariffs returning for certain Chinese components can take a sigh of relief — for now. The Office of the United States Trade Representative announced on Friday that it will continue to exclude graphics cards and hundreds of other components from tariffs that were originally put on more than $300 billion in imports from China by the Trump administration in 2018. The exclusions for the 352 products exported from China were set to expire on New Year's Eve, but the US trade office said it will continue to not slap tariffs on the components for another nine months. The Biden administration first applied the tariff exclusions in March after a previous exemption under Trump's leadership expired at the end of 2020.
READ THE STORY: The Register
Russia and China are sharing strategies to undermine NATO, says top US diplomat
FROM THE MEDIA: Russia and China are “sharing a toolkit” of strategies to undermine NATO members, a top US diplomat has warned, urging western capitals to step up efforts to defend themselves against both Moscow and Beijing. Washington is pushing members of the transatlantic alliance to toughen their stance towards China, citing Beijing’s military developments, threats to critical western infrastructure such as transport and power networks, its “no limits” partnership with Moscow and support for its war against Ukraine. “Those two are increasingly sharing a toolkit that should concern the NATO alliance,” said Julianne Smith, the US ambassador to NATO, pointing to the threats to energy supplies and cyber security among other factors.
READ THE STORY: FT
HSI Baltimore seizes another 23 websites that violated copyrights by illegally live streaming World Cup matches
FROM THE MEDIA: Special agents from Homeland Security Investigations (HSI) Baltimore Field Office seized 23 separate internet domains Friday for allegedly live streaming World Cup matches, an infringement of the Fédération Internationale de Football Association (FIFA) copyrights. Individuals visiting the sites will now see a message that the site has been seized by the federal government and be redirected to another site for additional information. The investigation into the illegal web streaming, titled “Operation Offsides” has resulted in a total of 78 website seizures; the latest round of 23 are in addition to 55 internet domains that HSI Baltimore seized Dec. 10.
READ THE STORY: ICE
Items of interest
Hacker Swipes FBI’s Info Sharing InfraGard Database of 80K Contacts
FROM THE MEDIA: A hacker calling themselves “USDoD” has swiped tens of thousands of records from an internal database belonging to a Federal Bureau of Investigation (FBI) cyber-specific information sharing program called InfraGard. The database, which contained names and contact information for InfraGard’s 80,000 members, has been put up for sale on the dark web for $50,000, said KrebsOnSecurity, which first reported the December 10, 2022 heist. The hacker told Krebs that they knew the price was likely too high to fetch a buyer but they had to price it a “bit higher…to [negotiate] the price I want.” It’s uncertain if the hacker’s ultimate goal is financial or access to bigger fish.
READ THE STORY: MSSPALERT
Hardware Hacking! Day 19 - TryHackMe Advent of Cyber (Video)
FROM THE MEDIA: Try Hack Me hardware hacking CTF.
Fred Cohen: The Godfather of Computer Viruses (Video)
FROM THE MEDIA: In his 1984 seminal paper – “Computer Viruses: Theory and Experiments” – Dr. Fred Cohen not only introduced the name ‘computer virus’, a term invented by his mentor, Leonard Adleman, but was also the first to analyze computer viruses in a rigorous mathematical way, proving that computer viruses were not only practical – but that they were in fact inevitable.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com