Friday, December 30, 2022 // (IG): BB // THM:Windows RE // Coffee for Bob
Port of Lisbon website still down as LockBit gang claims cyberattack
FROM THE MEDIA: The website for the Port of Lisbon is still down days after officials confirmed it was the target of a cyberattack. The Port of Lisbon is Portugal’s busiest and one of the most used across all of Europe, handling 13,200,000 tonnes of cargo each year due to its strategic location between Europe and Africa. On Christmas Day, officials with the Administration of the Port of Lisbon (APL) told the newspaper Publico that it had been targeted. Despite the attack, port officials said the incident did not compromise operational activity but noted that both the National Cybersecurity Center and the Judiciary Police were notified of the incident. “All security protocols and response measures planned for this type of occurrence were quickly activated,” port officials told Publico in a statement.
READ THE STORY: The Record
New CryWiper Malware Attacks Russian Courts and Mayors’ Offices
FROM THE MEDIA: A data-wiping program masquerading as ransomware attacked a network of Russian government organizations. The malicious program was first discovered in autumn of 2022 by Kaspersky, a Russian multinational cybersecurity and anti-malware firm who named the program “CryWiper.” A local Russian media report divulged that CryWiper targeted several courts and mayors’ offices. The exact number of offices hit by CryWiper is not public knowledge. According to a report by Kaspersky, their solutions “detected attempts by a previously unknown Trojan… to attack an organization’s network in the Russian Federation.” Despite the program prompt informing targets data would be restored after paying a fee, no files can be recovered.
READ THE STORY: Privacy Hub
Copper Mountain Mining Subject to Ransomware Attack and Implements Risk Management Systems and Protocols
FROM THE MEDIA: Copper Mountain Mining Corporation reports that the Company's IT systems at its Copper Mountain Mine and corporate office were subject to a ransomware attack late on December 27, 2022. The Company quickly implemented its risk management systems and protocols in response to the attack. The Company has isolated operations, switched to manual processes where possible, and the mill has been preventatively shut down to determine the effect on its control system. The Company's external and internal IT teams are continuing to assess risks and are actively establishing additional safeguards to mitigate any further risk to the Company.
READ THE STORY: Yahoo Finance
Rackspace identifies group behind ransomware attack; recovery of customers’ data still uncertain
FROM THE MEDIA: A ransomware group identified by Rackspace Technology Inc. as “Play” used a new method to penetrate the cloud computing company’s hosted Microsoft Exchange network, leaving its customers without access to their email, contacts and calendars. It’s still not certain that all of them will regain full access to their hijacked data. In interviews, company executives and outside advisers said an internal investigation into the ransomware attack blamed for the shutdown identified the group and found that it used a Rackspace customer’s credentials for an email account to gain access to a company server Nov. 29. On Dec. 2, the ransomware attack was deployed.
READ THE STORY: San Antonio Express News
Intrado ransomware attack claimed by Royal ransomware gang
FROM THE MEDIA: BleepingComputer reports that the Royal ransomware gang has claimed to have attacked telecommunications firm Intrado. Intrado has not confirmed the intrusion, but sources noted that the telecommunications provider has been compromised since Dec. 1 and was asked to pay a $60 million ransom. Royal ransomware has claimed to have exfiltrated Intrado's internal documents, employee driver's licenses, and passports, and while none of the allegedly obtained data has been leaked, the ransomware gang has shared a 52.8 MB archive with scans of the stolen files. The ransomware attack may be related to the massive outage across all of Intrado's services around the same time.
READ THE STORY: SCMAG
Toy maker Jakks Pacific reports cyberattack after multiple ransomware groups leak data
FROM THE MEDIA: Toy production giant Jakks Pacific reported a cyberattack to the U.S. Securities and Exchange Commission last week after two different ransomware gangs posted stolen information to their leak sites. On December 22, the company released a notice confirming it had suffered a ransomware attack on December 8 that encrypted its servers. The firm, which is one of the biggest toy companies in the world thanks to licensing deals with Disney and Nintendo, hired cybersecurity experts to deal with the incident and restore its servers. The company filed documents with the SEC in mid-December confirming the incident.
READ THE STORY: The Record
Malware increasingly spread through Google Ads exploits
FROM THE MEDIA: More threat actors have been distributing malware through fraudulent websites of widely used software products that are being promoted by exploiting the Google Ads platform, according to BleepingComputer. Malwarebytes, Grammarly, Slack, MSI Afterburner, Dashlane, AnyDesk, Audacity, Brave, Thunderbird, Teamviewer, Libre Office, Ring, OBS, and Torrent had their websites cloned by attackers to facilitate the distribution of trojanized software versions, which deploy Raccoon Stealer variants, a custom Vidar Stealer version, and the IcedID malware loader, a report from Guardio Labs revealed.
READ THE STORY: SCMAG
Google Home speakers allowed hackers to snoop on conversations
FROM THE MEDIA: A bug in the Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed. Researcher Matt Kunze discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged. While experimenting with his own Google Home Mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.
READ THE STORY: BleepingComputer
FTX Customers Want Identities Redacted From Bankruptcy Filings
FROM THE MEDIA: A group of FTX’s international customers asked for a court order shielding their names from the public, spotlighting a privacy issue that has divided bankruptcy courts in other crypto-related cases. Unnamed customers of FTX.com, the failed company’s largest exchange platform outside the U.S., said in court papers Wednesday their interest in keeping their identities and contact information secret trumps the public’s interest in an open and transparent bankruptcy process. Public disclosure of customer identities puts them at risk of identity theft and cyber scams, and could diminish whatever value remains in FTX, according to the customer group.
READ THE STORY: WSJ
CISA Warns of Active exploitation of JasperReports Vulnerabilities
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two years-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards.
READ THE STORY: THN
Ukraine shuts down fraudulent call center claiming 18,000 victims
FROM THE MEDIA: A group of imposters operating out of a Ukrainian call center defrauded thousands of victims while pretending to be IT security employees at their banks. They contacted the victims, claimed that their bank accounts had been accessed by attackers, and requested financial information claiming it was needed to prevent fraud but, instead, emptied their bank accounts. The scheme was uncovered by the Cyber Police Department, the Main Investigative Department of the National Police, the Prosecutor General's Office, and law enforcement officers in Kazakhstan.
READ THE STORY: BleepingComputer
Netgear warns users to patch recently fixed WiFi router bug
FROM THE MEDIA: Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability. The impact of successfully exploiting a buffer overflow can range from a crash (denial of service) to arbitrary code execution.
READ THE STORY: BleepingComputer
TSMC starts mass-producing three-nanometer chips
FROM THE MEDIA: Taiwan Semiconductor Manufacturing Co. Ltd. today began mass-producing processors based on its latest three-nanometer chip technology. Bloomberg reported the development this morning. TSMC is the world’s largest contract chip manufacturer. The company makes processors for Apple Inc., Advanced Micro Devices Inc., Nvidia Corp. and other major tech companies. Intel Corp., which competes with TSMC in the chip manufacturing market, also relies on the company to make its consumer graphics cards. The three-nanometer chip manufacturing process that entered mass production today is the most advanced offered by TSMC. Compared with the company’s earlier five-nanometer technology, the process promises to provide a 15% improvement in chip performance.
READ THE STORY: siliconANGLE
NYC says it's on track to launch next-generation 911 system by 2024
FROM THE MEDIA: New York City, home to the largest and busiest 911 system in the country, is on track to implement a next-generation 911 system in 2024 that can accept photos and videos from callers, according to an annual report released by the city’s Office of Technology and Innovation on Thursday. The new NG911 system will make New York’s emergency dispatch system digital, and allow call-center operators to answer and route calls from any device with an IP address. Along with traditional phone calls and the current system’s ability to receive SMS text messages, NG911 will also be able to accept multimedia such as photos and videos from callers, and integrate data from internet-connected devices, such as the city’s gunshot detection sensors and surveillance cameras.
READ THE STORY: StateScoop
This app will self-destruct: How Belarusian hackers created an alternative Telegram for activists
FROM THE MEDIA: When a 25-year-old activist from Minsk who goes by Pavlo was detained by Belarusian KGB security forces last summer, he knew they would search his phone, looking for evidence of his involvement in anti-government protests. The police officer asked for Pavlo’s password to Telegram, the most popular messenger app among Belarusian activists, which he gave him. The officer entered it and… found nothing. All secret chats and news channels had disappeared, and after a few minutes of questioning Pavlo was released. Pavlo’s secret? A secure version of Telegram, developed by a hacktivist group from Belarus called the Cyber Partisans. Partisan Telegram, or P-Telegram, automatically deletes pre-selected chats when someone enters the so-called SOS password.
READ THE STORY: The Record
North Korean Hackers Are Posing As Venture Capitalists To Steal Crypto Assets: Security Firm
FROM THE MEDIA: A unit of the North Korean state-sponsored hacker Lazarus Group is impersonating financial and investment firms to steal crypto assets. According to security firm Kaspersky, the group known as BlueNorOff is creating fake domains that look like those of legitimate venture capital and banking companies. “The actor usually used fake domains such as cloud hosting services for hosting malicious documents or payloads.” The firms that the hackers imitate are mostly based in Japan, including Beyond Next Ventures, ANOBAKA, Angel Bridge, ABF Capital, Sumitomo Mitsui Banking Corporation, Mitsubishi UFJ Financial Group and Z Venture, suggesting BlueNorOff’s interest in Japanese financial entities.
READ THE STORY: Daily Hodl
Ransomware Groups bypass PROXYNOTSHELL Mitigations with new exploit
FROM THE MEDIA: A new exploit that allows bad actors to use Outlook Web Access to remotely run code on Microsoft Exchange Server has been discovered by security researchers at CrowdStrike. Dubbed Outlook Web Access Server-Side Request Forgery (OWASSRF), the method makes use of two vulnerabilities to sidestep Microsoft’s ProxyNotShell mitigations and access Exchange servers, which could now be subject to a wave of new cyber attacks. The two flaws, CVE-2022-41040 and CVE-2022-41082, can be triggered by an attacker to run Microsoft’s task automation and configuration management program PowerShell and gain the ability to run remote code.
READ THE STORY: CyberSecurityConnect
LastPass Passwords Are Crackable for $100, Says Rival 1Password
FROM THE MEDIA: LastPass recently disclosed that an attacker obtained access to customer password vaults in a severe security breach. The attack stems from a security incident in August 2022 when a hacker was able to access some source code and technical information from their development environment. That information was used to target an employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service. LastPass notes that encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. The service claims that if its best practices are followed it would take millions of years to crack a vault's master password.
READ THE STORY: iClarified
Viasat Receives $325M US Special Operations Command Contract Extension
FROM THE MEDIA: U.S. Special Operations Command (SOCOM) awarded Viasat a $325 million contract extension for tactical satellite communications and network management. It is a sole-source, indefinite delivery, indefinite quantity (IDIQ) contract award worth up to $325 million over five years. It extends a $350 million contract Viasat won in 2017. Viasat announced the extension Dec. 29, and said the IDIQ award structure allows for flexibility for the military to acquire technology developments. Viasat will provide equipment, services, and support to SOCOM for situational awareness, integration, terrestrial networking, intelligence, surveillance and reconnaissance (ISR), tactical satellite communications, information assurance, and network management capabilities.
READ THE STORY: Satellite Today
SpaceX launches Israeli reconnaissance satellite, lands rocket in final flight of 2022
FROM THE MEDIA: SpaceX rang out 2022 a few days early with a brilliant nighttime launch from California to haul an Israeli reconnaissance satellite into orbit. A SpaceX Falcon 9 rocket launched the Israeli Earth-imaging satellite EROS C-3 into orbit from Vandenberg Space Force Base in California late Thursday night (Dec. 29), releasing the payload into orbit about 15 minutes after leaving Earth. Liftoff occurred at 11:38 p.m. PST at the launch site (2:38 a.m. EST/0738 GMT), with the Falcon 9's first stage returning to land at a nearby SpaceX pad about 8 minutes into the flight. "This is our 61st and final SpaceX launch of 2022," Jesse Anderson, SpaceX's production and engineering manager, said during a live webcast.
READ THE STORY: SPACE
Developers Bite Apple, Relish Crunchy ARM-based M1 Chips
FROM THE MEDIA: Two years ago, Apple made waves with its announcement of Apple Silicon, starting with the M1 chip for the MacBook. This announcement sent ripples through the tech space, mainly due to Apple’s shift to an ARM-based architecture, moving away from Intel’s x86 standard. While this initially sent shivers down the spines of developers, Apple quickly quashed those fears by shedding light on how the new chips could be leveraged for the next generation of mobile computing.
READ THE STORY: AIM
FBI Investigating 3Commas Data Breach
FROM THE MEDIA: The FBI is investigating the 3Commas data breach, CoinDesk has learned. The investigation comes after weeks of criticism from users of the Estonia-based crypto trading service, who say its CEO repeatedly brushed off warning signs that the platform had leaked user data. This week, 100,000 Binance and KuCoin API keys linked to 3Commas were leaked by an anonymous person. On Thursday, two 3Commas users told CoinDesk that they were contacted by agents from the FBI’s Cincinnati Field Office in connection to the leak.
READ THE STORY: COINDESK
Railways denies data breach
FROM THE MEDIA: The railways has denied claims of a suspected data breach from servers of the Indian Railway Catering and Tourism Corporation (IRCTC). The railways said in a statement, "In this connection, it may be submitted that Railway Board had shared a possible data breach incident alert of CERT-In to IRCTC reporting a data breach pertaining to Indian Railways passengers. On analysis of sample data, it is found that the sample data key pattern does not match with IRCTC history API. Reported/suspected data breach is not from the IRCTC servers."
READ THE STORY: NYPOST
Twitter Rival Mastodon Turns Down Silicon Valley Funding Offers
FROM THE MEDIA: Twitter rival Mastodon has turned down more than five funding offers from Silicon Valley in recent months, as the crowdfunded, open-source social media platform aims to remain a non-profit. German software developer Eugen Rochko, who founded the platform in 2016, told The Financial Times he’s gotten offers from multiple US-based investors dangling “hundreds of thousands of dollars” since drawing a surge of users after Elon Musk bought Twitter in October for $44 billion. But Rochko said the platform’s non-profit status was “untouchable,” the report said. He insisted Mastodon’s independence and moderation style are part of its appeal.
READ THE STORY: Yahoo Entertainment
Get ready, Arizona. Bigger, more sophisticated attacks on our power grid are likely
FROM THE MEDIA: The U.S. power grid is facing a rise in attacks at a rate not seen in at least a decade. These physical and cyberattacks on facilities are raising the alarm about the vulnerability of American electrical generation. They’re also raising questions about who might be attacking the grid and whether they are coordinating efforts or perhaps performing trial runs before a larger assault on the U.S. power supply. After analyzing the data, Politico determined that attacks on power infrastructure have reached their highest level since 2012. On Dec. 3, saboteurs used firearms to attack two Duke Energy substations in Moore County, N.C., that shut down power to 45,000 people.
READ THE STORY: AZCentral
Items of interest
Russia ready to resume gas supply to Europe via Yamal-Europe gas pipeline
FROM THE MEDIA: On Sunday, Russia’s Deputy Prime Minister Alexander Novak stated that Russia is preparing to resume gas supplies to Europe via the Yamal-Europe gas pipeline. The gas transport was previously stopped for political reasons, likely arising from the Ukraine-Russia conflict. Novak stated that the relevance of the European market, together with the gas shortage, has urged Russia to resume operations on the pipeline. Russia stated that it considers Europe a potential market for the sale of Russian gas despite the large-scale campaign that the country claims was waged against it by European actors. Russia stated that the campaign led to acts of sabotage regarding the Nord Stream. Gazprom halted supplies via the pipeline in May, blaming interference. Gazprom was forced to suspend its operations and supplies due to sanctions placed on its parent company, EuRoPol GAZ.
READ THE STORY: OODALOOP
Practical Reverse Engineering Exercise 1 Solution Page 11 (Video)
FROM THE MEDIA: This is a 5-part series showing you how to solve some of the reverse engineering exercises from the Practical Reverse Engineering book.
Reverse Engineered old Compression Algorithm for Frogger (Video)
FROM THE MEDIA: An example of why I love the internet. There are people still exploring the 1997 game Frogger! In this video we will look at an old compression algorithm to learn how compression works in general. Kneesnap reverse engineered an old compression algorithm for his modding tool FrogLord. It can be used to unpack and repack game assets.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com