Friday, December 23, 2022 // (IG): BB // THM:Windows RE // Coffee for Bob
Chinese Chipmaker Selling Military UAV Components to Iran Has Footholds in U.S. and Canada
FROM THE MEDIA: A Chinese satellite navigation manufacturer that sold electronics to Iran for military unmanned aerial vehicles (UAVs) and missiles has wholly-owned subsidiaries in the U.S. and Canada, through which it has conducted business with Western manufacturers, a Kharon investigation has found. The company also supplied electronics for advanced policing equipment to Chinese government entities implicated in human rights violations against ethnic minorities in Xinjiang. Beijing UniStrong Science & Technology Co., Ltd. was one of several technology companies and research institutes added by the U.S. Department of Commerce to the Bureau of Industry and Security’s (BIS) Entity List on December 15.
READ THE STORY: Kharon
Killnet targeted US healthcare sector organization
FROM THE MEDIA: Pro-Russian threat actor group Killnet decided to advance their political goals by targeting American hospitals and healthcare organizations, claims the US Department of Health and Human Services Cybersecurity Coordination Center (HC3). The group, best known for launching coordinated distributed denial-of-service (DDoS) attacks, targeted multiple countries supporting Ukraine after neighboring Russia invaded the country on February 24. “HC3 is closely tracking hacktivist groups which have previously affected a wide range of countries and industries, including the United States Healthcare and Public Health (HPH) sector. One of these hacktivist groups—dubbed ‘KillNet’—recently targeted a US organization in the healthcare industry,” US authorities claim.
READ THE STORY: CyberNews
Vice Society Ransomware Attackers Adopt Robust Encryption Methods
FROM THE MEDIA: The Vice Society ransomware actors have switched to yet another custom ransomware payload in their recent attacks aimed at a variety of sectors. "This ransomware variant, dubbed 'PolyVice,' implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms," SentinelOne researcher Antonio Cocomazzi said in an analysis. Vice Society, which is tracked by Microsoft under the moniker DEV-0832, is an intrusion, exfiltration, and extortion hacking group that first appeared on the threat landscape in May 2021. Unlike other ransomware gangs, the cybercrime actor does not use file-encrypting malware developed in-house. Instead, it's known to deploy third-party lockers such as Hello Kitty, Zeppelin, and RedAlert ransomware in their attacks.
READ THE STORY: THN
A Semiconductor Renaissance Is Underway. It Will Change the World
FROM THE MEDIA: A new kind of creative destruction is presenting the world’s semiconductor sector with a paradox. Geopolitics and other existential factors have disrupted globalization as we’ve known it, fragmenting semiconductor global supply chains. But these same forces also present historic opportunities for innovation and growth. The world, in other words, isn’t deglobalizing. It’s reglobalizing. These changes fly in the face of deeply entrenched economic thinking. The liberal economic model holds that, short of catastrophic market failures, governments need to stay out of markets. C.C. Wei, CEO of Taiwan Semiconductor Manufacturing, said this month that U.S. and Chinese measures to control the flow of technology “destroy productivity and efficiency gained under globalization.” TSMC’s founder, Morris Chang, has put it in starker terms: “Globalization is almost dead and free trade is almost dead.”
READ THE STORY: Barrons
ByteDance finds former TikTok employees hacked data of two US journalists
FROM THE MEDIA: In yet another show of the misuse of China's ascendant tech prowess, ByteDance, the parent company of short-video social media app TikTok, hacked the TikTok accounts of two US-based journalists. ByteDance employees reportedly accessed the data in what is cited to be an unsuccessful effort to investigate leaks of company information earlier this year, according to an email from ByteDance general counsel Erich Andersen, Reuters reported. The identity of the journalists has been revealed as Financial Times reporter Cristina Criddle and former Buzzfeed writer (now with Forbes) Emily Baker-White. The disclosure is set to further the pressure on the Shenzhen-based social media platform over security concerns about United States users' data, which have kept it in the news cycle over the past many months.
READ THE STORY: WION
Russia is jamming more GPS satellite signals around Moscow
Analyst Comments: This response acknowledges the effectiveness of the Ukrainian long-range drone program or, more to the point, that Russia now treats this capability as a threat.
FROM THE MEDIA: Russia has stepped up satellite navigation jamming, especially around Moscow, in an apparent attempt to ward off any long-range strikes by Ukrainian drones. Russia is known for interfering with global navigation satellite systems, in particular GPS, which is operated by the US military and is ubiquitous in smartphones, car satnavs and other devices. Updates from the monitoring site GPSJam show that Russian jamming activity has increased sharply within Russia.
READ THE STORY: The New Scientist
Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials
FROM THE MEDIA: A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials. Cybersecurity firm Securonix dubbed the activity STEPPY#KAVACH, attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks. ".LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT)," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new report. SideCopy, a hacking crew believed to be of Pakistani origin and active since at least 2019, is said to share ties with another actor called Transparent Tribe (aka APT36 or Mythic Leopard).
READ THE STORY: THN
Compromised dispatch system helped move taxis to front of the line
FROM THE MEDIA: Two men have been charged with participating in a scheme that raked in big money by using a compromised dispatch system at New York’s John F. Kennedy International Airport to allow paying taxis to move to the front of the line. Daniel Abayev and Peter Leyman, both 48 and of Queens, New York, allegedly participated in a scheme that compromised the electronic dispatch system, federal prosecutors in the Southern District of New York said. Taxi drivers are required to wait in a holding lot. The computer-run dispatch system is designed to ensure that drivers are assigned in the order they arrive. The defendants, prosecutors said, conspired with Russian nationals to compromise the dispatch system and cause it to move specific taxis to the front of the line. Participants then advertised a service allowing drivers to skip the line in exchange for $10 each time.
READ THE STORY: arsTECHNICA
Guacamaya leaks spark debate about militarization, spyware, but no accountability
FROM THE MEDIA: In September, journalists in Mexico started receiving terabytes of hacked data stolen from the country’s Ministry of National Defense. The leak, which is now considered the largest of its kind in Mexico’s history, included details about the president’s health, as well as communication between some of the country’s top military officials. Around the same time, similar troves were being leaked from police and military organizations throughout Latin America, including El Salvador’s National Police and Armed Forces, the General Command of the Armed Forces in Colombia, the Peruvian Army and Chile’s General Staff of National Defense. The documents exposed widespread corruption, deep ties between military leaders and drug cartels as well as spyware used to monitor journalists and human rights defenders.
READ THE STORY: The Record
Cybercriminals using search engine ads to direct users to sites with malware, FBI warns
FROM THE MEDIA: The FBI issued a public service announcement warning that cybercriminals are impersonating brands via search engine advertisements to direct users to malicious sites. According to the Dec. 21 PSA, the sites host ransomware and steal login credentials and other financial information, particularly for cryptocurrency platforms. The cybercriminals purchase the ads to appear within search results using domains that are similar to an actual business, but link to a webpage that looks identical to the legitimate business page. If a user is searching for a program to download, the fraudulent page links to malware instead. In instances where a site impersonates financial organizations, particularly crypto exchanges, the sites prompt users to enter login credentials and financial information.
READ THE STORY: SCMAG
The Chip War Between the US and China Continues to Intensify
FROM THE MEDIA: Competition between countries is normal, but in the case of semiconductors, things have been heating up between the US and China for quite some time. The US wants to impede China’s progress, and they have started to take more intense measures to do so, including export controls and restrictions that have had a major impact on the industry. Simply put, semiconductors are used in many places, from modern smartphones to military hardware. They are vital to these efforts, and the US is claiming that China is using them in a way that threatens national security. Ultimately, that outlook has led to the US doing everything it can to prevent China from acquiring technologies that can be of further threat.
READ THE STORY: Grit Daily
Google Chat expands search chips to the web for more precise results
FROM THE MEDIA: For as big and multi-faceted as Google is these days, the company never seems to forget its search roots. Google has been significantly improving the search experience across services like Google Chat, which recently added the ability to show suggestions as you enter keywords to help you refine your query. Search chips have helped change the way we scour through tons of information in emails and chats, cutting through the clutter. Gmail has had this feature since 2020, and the Chat mobile app picked it up last year — though the service’s web edition was left out in the cold. Thankfully, Google is now giving Chat on the web some love by rolling out the long-overdue search chips.
READ THE STORY: Android Police
Zerobot malware now shooting for Apache systems
FROM THE MEDIA: The Zerobot botnet, first detected earlier this month, is expanding the types of Internet of Things (IoT) devices it can compromise by going after Apache systems. The botnet, written in the Go programming language, is being sold under the malware-as-a-service (MaaS) model and spreads through vulnerabilities in IoT devices and web applications, according to the Microsoft Security Threat Intelligence (MSTIC) team in a report released on Wednesday. Zerobot was first reported on in early December by researchers at Fortinet's FortiGuard Labs, who said the botnet was targeting Linux devices. Like typical botnets, the goal is to compromise internet-connected devices like firewalls, routers, and cameras and pull them into a botnet to launch DDoS attacks.
READ THE STORY: The Register
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks
FROM THE MEDIA: Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges. Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed. After regaining access to the accounts, they discovered they had been hacked and a secondary email at the disposable @yopmail.com domain was added to their profile.
READ THE STORY: Bleeping Computer
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
FROM THE MEDIA: After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since December 2022, we observed the abuse of Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. This IcedID variant is detected by Trend Micro as TrojanSpy.Win64.ICEDID.SMYXCLGZ. Advertising platforms like Google Ads enable businesses to display advertisements to target audiences for the purpose of boosting traffic and increasing sales. Malware distributors abuse the same functionality in a technique known as malvertising, wherein chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users to downloading malware.
READ THE STORY: Trend Micro
Cyber Threats Increasingly Target Video Games
FROM THE MEDIA: Video games have become an integral part of our lives, thanks to evolving technology, but the gaming industry has also become a lucrative target for cybercriminals. Let’s dig deeper into the constantly increasing number of threats targeting video games and discover how to avoid them. Among the growing sectors present on the internet today, online gaming is certainly in excellent health. While the companies involved have nothing to complain about, the growing number of players is increasingly exposed to online scams. The increase in the number of gamers, the wide range of monetization attacks and the large sums of money in the industry are just a few of the many reasons why gamers are attractive targets for malicious hackers.
READ THE STORY: HackRead
After ransomware hits Colombian energy firm, Moody’s says low patch rate suggests inadequacies in cyber practices
FROM THE MEDIA: A ransomware attack at top Colombian energy company Empresas Publicas de Medellin (EPM) may damage its credit quality, setting an alarm clock for the critical infrastructure industry to develop efficient mitigation practices and vulnerability management programs, Moody’s said. EPM, one of Colombia’s largest public energy, water, and gas providers, suffered from a ransomware attack reported on Dec. 13. The incident threatens operational disruptions to the Colombian utility’s website, mobile application, payment gateway, and intranet, which Moody’s said the company is struggling to resolve and therefore may impact its credit score.
READ THE STORY: SCMAG
New exploit for Microsoft’s ProxyNotShell mitigation side steps fix
FROM THE MEDIA: In traditional ProxyNotShell exploits the Autodiscover endpoint is accessed through an authenticated request on the front end, according to CrowdStrike. A path confusion exploit, CVE-2022-41040, allows the attackers to reach the backend for arbitrary URLs, a vulnerability called a server-side request forgery. In ProxyNotShell the Remote PowerShell is the targeted backend service, according to CrowdStrike. After the PowerShell remoting service is reached, CVE-2022-41082 is exploited to execute arbitrary commands. Incident responders at CrowdStrike found Remote PowerShell logs that were similar to ProxyNotShell log entries.
READ THE STORY: CyberSecurityDive
Leading sports betting firm BetMGM discloses data breach
FROM THE MEDIA: Leading sports betting company BetMGM disclosed a data breach after a threat actor stole personal information belonging to an undisclosed number of customers. While the personal info stolen in the attack varies for each customer, the attackers obtained a wide range of data, including names, contact info (like postal addresses, email addresses, and phone numbers), dates of birth, hashed Social Security numbers, account identifiers (like player IDs and screen names) and info related to transactions with BetMGM. The company added that it discovered the incident in November 2022 but believes the breach occurred in May 2022.
READ THE STORY: Bleeping Computer
LastPass tells world more about recent breach, researchers frustrated
FROM THE MEDIA: LastPass, a password manager with over 25 million users, gave more details about the latest breach into the company’s systems. The firm claims users’ personal data or master passwords were not affected – yet researchers are worried. In a blog post, Karim Toubba, Chief Executive of LastPass, once again confirmed that a threat actor had recently gained access to a third-party cloud-based storage service, which LastPass uses to store backups of its production data. The company had earlier said that the attacker used information obtained in the August 2022 incident, and now has decided to share what exactly was stolen or copied. Details are worrying.
READ THE STORY: CyberNews // Security Week
Gootkit Loader continues to be used on multiple Australian networks
FROM THE MEDIA: The ACSC first observed Gootkit JS Loaders on Australian networks in mid-2021. Deployment was achieved through search engine de-optimization targeting terms such as 'agreement'. This report provides technical analysis and indicators of compromise derived from identified Gootkit JavaScript loaders on Australian networks in 2021 and 2022. This information is provided for the purposes of computer network defense and leads development. The report has been updated since its initial release in 2021 to include new behavior observed through analysis of additional samples. The malicious JavaScript samples were obfuscated in several stages. Once unpacked, Gootkit malware was retrieved. Open-source reporting indicates that Gootkit JS Loaders are a precursor to several malware families traditionally used for cybercrime, notably Gootkit, REvil ransomware, Kronos, or CobaltStrike. The JavaScript-based obfuscated loader shares capability with various other JS Downloaders identified in open-source reporting.
READ THE STORY: Cyber AU
Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says
FROM THE MEDIA: Hackers linked to the Chinese government stole at least $20 million in U.S. Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, according to the Secret Service. The theft of taxpayer funds by the Chengdu-based hacking group known as APT41 is the first instance of pandemic fraud tied to foreign, state-sponsored cybercriminals that the U.S. government has acknowledged publicly, but may just be the tip of the iceberg, according to U.S. law enforcement officials and cybersecurity experts. The officials and experts, most speaking on the condition of anonymity because of the sensitivity of the subject matter, say other federal investigations of pandemic fraud also seem to point back to foreign state-affiliated hackers.
READ THE STORY: PML Daily
Huawei is reportedly all out of its homegrown chips but a new patent could be a gamechanger
FROM THE MEDIA: Back in May 2019, Huawei was placed on the U.S. entity list which it still is on today. The U.S. cited security as the reason why it put the company on the list which prevents it from accessing its U.S. supply chain, including Google. Exactly one year later, the U.S. changed its export rules preventing foundries using American technology to produce chips from sending cutting-edge silicon to Huawei. As a result, Huawei can't even obtain its own Kirin chips designed by its HiSilicon unit. At one time, Huawei was TSMC's second-largest customer after Apple. For its last two flagship series, the photography-focused (no pun intended...or was it?) P50 line released in 2021 and this year's Mate 50 line (except for the low-priced Mate 50e), Huawei received permission to use Qualcomm's top-of-the-line SoCs designed not to work with 5G.
READ THE STORY: Phone Arena
TSMC in talks to build first Europe chip plant in Germany
FROM THE MEDIA: Taiwan Semiconductor Manufacturing Co. is in advanced talks with key suppliers about setting up its first potential European plant in the German city of Dresden, a move that would allow the world's largest chipmaker to capitalize on booming demand from the region's car industry. The Taiwanese company is sending a team of senior executives to Germany early next year to discuss the level of government support for the prospective plant as well as the capacity of the local supply chain to meet its needs, according to people familiar with the matter.
READ THE STORY: Nikkei Asia
Mossad Chief Warns About Iran's Intentions, Weapons For Russia
FROM THE MEDIA: Iran is preparing more weapons deliveries to Russia and is trying to mislead the world on arming its ally, head of Israel’s Mossad, David Barnea said Thursday. In a speech to his agency’s employees, Barnea warned about Tehran’s intentions, underlining that the Islamic Republic continues daily cyber-attacks and other machinations against Israel. He added that Mossad is “still warning about Iran’s future and intentions, which it is trying to keep secret.” The spy chief also called the Obama-era nuclear deal with Iran known as the JCPOA an “absurd” agreement, taking aim at the United States and its European allies who have been negotiating with Tehran to revive the accord since early 2021. The diplomatic effort has come to an impasse as Iran is ramping up uranium enrichment, but the Biden Administration and the European Union still say that diplomacy is the best option to limit Iran’s nuclear program.
READ THE STORY: Iran International
Robot Wars: How Technology Is Shaping Ukraine Conflict
FROM THE MEDIA: Decades-old weapons and cutting-edge technology have made the war in Ukraine a testing ground for how the old can work with the new. The buzz of AI-powered drones from a new era flies above the trench warfare, Soviet-era tanks and artillery bombardments that form much of the imagery of the Russian invasion. Moscow has reportedly used the Kalashnikov Kub and Lancet kamikaze drones, while Ukraine has relied on the Turkish Bayraktar TB2 that boasts "laser guided smart ammunition." Russia's use of Iranian-supplied Shahed-136 UAVs (unmanned aerial vehicles), also known as "kamikaze drones," which reportedly cost as little as $20,000 each, has given Moscow a cheap but effective way to hit Ukrainian energy infrastructure and terrorize the population. Tehran denies it has supplied the drones.
READ THE STORY: Newsweek
A Ukrainian Steals $25,000 In Bitcoin From Russian Dark Web Drug Market
FROM THE MEDIA: Cuba ransomware actors, with no connection to the Republic of Cuba, have continued to attack U.S. entities, including healthcare organizations, since they were first identified in November 2021. The FBI and the Cybersecurity and Infrastructure Security Agency released a new cybersecurity advisory (CSA) this month warning health IT leaders that the number of U.S. entities compromised by Cuba ransomware has doubled since December 2021. Not only has the frequency of attacks increased, but their tactics, techniques and procedures (TTPs) have become more sophisticated. According to the CSA, third-party sources have identified possible links between Cuba ransomware actors, RomCom remote access Trojan actors and Industrial Spy ransomware actors.
READ THE STORY: STL
Items of interest
Putin’s private Army: Wagner Group
FROM THE MEDIA: Before Russian forces crossed into Ukraine on February 24 2022, several mobile phones that had previously been seen in Libya, Syria and, most recently, the Central African Republic (CAR) could be seen pinging near key infrastructure sites in Kyiv, including President Zelensky’s residence. The Ukrainian government became aware of their presence on February 26 and initiated a 36-hour curfew to sweep the capital for Russian infiltrators. Soon after the curfew was announced, fighting broke out. By the following morning the Ukrainians were claiming to have repelled an attack on a military base. Two days later, a US official stated that there were indications that the Wagner Group, a Russian private military company, was operating in Kyiv. On 3 March, the Times reported that Zelensky had survived three assassination attempts, two by Wagner operatives.
READ THE STORY: The New European
Getting Started With CTFs (Video)
FROM THE MEDIA: We train to stay capable, and CTFs give you the opportunity to learn new skills or brush up on existing ones.
Supercon 2022: Sam Mulvey Shows You How to FM Radio (Video)
FROM THE MEDIA: Sam Mulvey talks all about how he set up the low-power FM radio station KTQA in Tacoma, WA. You might think that running a (legal) radio station is out of reach, but with a lot of ingenuity and some old-fashioned trash hacking, it's not just within reach, but opens up fantastic opportunities.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com