Monday, January 02, 2023 // (IG): BB // THM:Windows RE // Coffee for Bob
Ransomware gang cloned victim’s website to leak stolen data
FROM THE MEDIA: The ALPHV ransomware operators have gotten creative with their extortion tactics and, in at least one case, created a replica of the victim's website to publish the stolen data on it. ALPHV, also known as BlackCat, is known for testing new extortion tactics to pressure and shame victims into paying. Whether or not this one succeeds, it adds another pressure that victims must plan for: a leak site hidden on the Tor network needs a Tor browser to reach, whereas a look-alike of the victim's own site puts the data in front of the victim's customers with an ordinary browser. On December 26, the threat actor announced on its Tor data leak site that it had compromised a company in financial services. As the victim did not meet the demands, BlackCat published all the stolen files as a penalty, a standard step for ransomware operators.
READ THE STORY: BleepingComputer
Ransomware gang apologizes, gives SickKids hospital free decryptor
FROM THE MEDIA: The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children. On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times. On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays.
READ THE STORY: BleepingComputer
EarSpy can eavesdrop on your phone conversations using motion sensors
FROM THE MEDIA: Mobile security is like a highway: new potholes form every day, and whether a crash happens depends on every driver doing their part, whether that means researchers finding a new vulnerability or vendors further down the security chain failing to fix it. A group of researchers from the University of Dayton, New Jersey Institute of Technology, Rutgers University, Texas A&M University and Temple University has now developed an attack named EarSpy that captures what a user says through the phone's motion sensors: the accelerometer picks up the vibrations that the speaker induces in the handset. Earlier work only recovered audio from the louder loudspeaker; SecurityWeek reports that this attack works even while the user holds the phone to their ear, that is, from the ear speaker. Motion-sensor data has historically been readable by any app without a permission prompt, which is what makes this class of side channel worth watching.
READ THE STORY: Android Police
Should open source sniff the geopolitical wind and ban itself in China and Russia
FROM THE MEDIA: In 2022, information technology collided with geopolitics like never before. After Russia's illegal invasion of Ukraine, many nations decided that Vladimir Putin's regime and populace should be denied access to technology and even to services from the companies that make and wield it. The USA, meanwhile, extended its restrictions on technology exports to China, citing its belligerence and repression of human rights. The bans appear to have been somewhat effective: China and Russia both started efforts to replicate technology they could no longer easily, or legally, obtain. Yet plenty of sophisticated top-tier tech still crossed their borders because open source code still flows around the world unimpeded.
READ THE STORY: The Register
WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws
FROM THE MEDIA: WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites." The attacks weaponize a list of known vulnerabilities in 19 plugins and themes that are likely to be installed on a WordPress site, using them to deploy an implant that can target a specific website and expand the attacker's network. The implant can also inject JavaScript code retrieved from a remote server to redirect site visitors to an arbitrary website of the attacker's choice. The practical defence is the boring one: keep plugins and themes patched, and check the pages your server actually serves for scripts the site never shipped.
READ THE STORY: THN
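The behaviour Doctor Web describes, an injected script that redirects the visitor on any click, is something a site owner can check for in the HTML the server actually serves. The scanner below is an added example written for this digest, not code from Doctor Web, from the malware or from WordPress. Its three heuristics (external script hosts outside an allowlist, inline scripts that hook click events and rewrite the location, and on* handler attributes that rewrite the location), the host names and the sample page are all constructed for the example and are not indicators taken from the report.

```python
"""Heuristic scan of a served WordPress page for injected click-to-redirect scripts.

Added example for this digest; the patterns below are this example's own
assumptions, not indicators from the Doctor Web report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline code that hooks a click/touch event (assumed heuristic).
CLICK_HOOK = re.compile(
    r"addEventListener\(\s*['\"](?:click|mousedown|mouseup|touchstart)['\"]"
    r"|\bon(?:click|mousedown|mouseup)\s*=", re.I)
# Code that navigates the browser somewhere else (assumed heuristic).
REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)"
    r"|location\.(?:replace|assign)\s*\(|window\.open\s*\(", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script URLs, inline script bodies and on* handler attributes."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # body of every inline <script> block
        self.handlers = []      # (tag, attribute, value) for every on* attribute
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = [(k.lower(), v or "") for k, v in attrs]
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag.lower(), name, value))
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_page(html, site_host, allowed_hosts=()):
    """Return (kind, detail) findings for scripts that look like injected redirectors."""
    parser = ScriptCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname      # None for relative paths such as /wp-includes/...
        if host and host.lower() not in trusted:
            findings.append(("external-script", src))
    for body in parser.inline:
        if CLICK_HOOK.search(body) and REDIRECT.search(body):
            findings.append(("click-redirect", " ".join(body.split())[:80]))
    for tag, name, value in parser.handlers:
        if REDIRECT.search(value):
            findings.append(("attribute-redirect", f"<{tag} {name}>"))
    return findings


# Constructed sample page (not a real capture): one same-origin script, one foreign
# loader, one injected click hijacker, one benign inline script, one on* attribute.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://loader.example.invalid/l.js"></script>
</head><body>
<script>
document.addEventListener('click', function () {
  window.location = 'https://landing.example.invalid/?r=' + Math.random();
});
</script>
<p>Welcome to the shop.</p>
<div onclick="top.location='https://landing.example.invalid/'">Read more</div>
<script>console.log('theme loaded');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "shop.example"):
        print(f"{kind:19s} {detail}")
```

Feed it the HTML a visitor receives (for example a page fetched without being logged in, since injected code is often served only to anonymous visitors), with the site's own host and any CDN hosts it legitimately uses in the allowlist. A click-redirect or attribute-redirect hit is worth checking by hand: the regular expressions are deliberately loose and will also flag legitimate code that navigates on click.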
PyTorch: Machine Learning toolkit pwned from Christmas to New Year
FROM THE MEDIA: PyTorch is one of the most popular and widely-used machine learning toolkits out there. (We’re not going to be drawn on where it sits on the artificial intelligence leaderboard – as with many widely-used open source tools in a competitive field, the answer seems to depend on whom you ask, and which toolkit they happen to use themselves.) Originally developed and released as an open-source project by Facebook, now Meta, the software was handed over to the Linux Foundation in late 2022, which now runs it under the aegis of the PyTorch Foundation. Unfortunately, the project was compromised by means of a supply-chain attack during the holiday season at the end of 2022, between Christmas Day [2022-12-25] and the day before New Year’s Eve [2022-12-30].
READ THE STORY: Naked Security
Cloud Phishing 101: The New Tricks
FROM THE MEDIA: Cloud computing gives phishers a new playground to harvest credentials and grow their business, and the impact is broader and more dangerous than a single stolen login. No organization, small or big, is invulnerable to phishing, so it is critical to learn how you might be targeted and what you can do to prevent it. SaaS-based phishing is already familiar, and phishing in general remains the dominant entry vector: the article cites a figure of over 90% of data breaches beginning with phishing, whether through stolen credentials or malicious URLs. According to a report from Palo Alto Networks Unit 42, abuse of legitimate SaaS platforms to host phishing pages grew by 1,100% between June 2021 and June 2022.
READ THE STORY: Hackernoon
LastPass Accused Of Lying About Security Breach
FROM THE MEDIA: LastPass is being accused of knowingly misleading customers in its announcements of the recent security breaches, according to media reports. The full extent of the incident was only disclosed after several weeks. The attack on the password manager appears to be more far-reaching than previously assumed, and LastPass is said to have known much earlier than it communicated to the outside world. The company announced just before Christmas that hackers were able to access sensitive, encrypted customer data and entire password vaults. The source code and technical information used in the large-scale attack in early December had been stolen back in August. Because vault contents are protected by a key derived from each user's master password, a stolen vault can be attacked offline, so anyone with a weak master password should assume the credentials in it are exposed and rotate them. LastPass's updated statement on the hack is now being torn apart by security experts (via BetaNews): security researcher Wladimir Palant called it "full of omissions, half-truths, and outright lies".
READ THE STORY: RS
FBI Looking Closely Into Data Breach At 3Commas
FROM THE MEDIA: According to CoinDesk, the FBI is looking into the 3Commas data leak. Users of the Estonia-based crypto trading service have criticized the company's CEO for weeks, claiming that he ignored repeated warnings that the platform was leaking customer data, and that is what prompted the inquiry. This week an unknown source exposed API keys for 100,000 3Commas accounts on Binance and KuCoin. CoinDesk reported that the FBI's Cincinnati Field Office had contacted two 3Commas users about the breach. Dozens of 3Commas users have recently discovered that the service had been trading away their funds on the exchanges they had connected to it, without their knowledge or permission. Early on, 3Commas claimed that the problems these users reported were the result of a phishing attack. An exchange API key that is allowed to trade is as good as a login for the trading function, so keys exposed in a leak like this need to be revoked at the exchange itself, not just disconnected from 3Commas.
READ THE STORY: Coin Culture
Passwordstate Vulnerabilities Could Expose Passwords In Plaintext
FROM THE MEDIA: Researchers discovered numerous vulnerabilities in the credential manager Passwordstate that could expose stored passwords. The vendor patched the flaws before any exploitation was reported. According to an advisory from Swiss cybersecurity firm modzero AG, its researchers found multiple security issues in Passwordstate, an enterprise password management solution from ClickStudios with a prominent customer base that includes some Fortune 500 companies. Specifically, they found at least seven security issues in the Passwordstate application and its Chrome extension, and they believed an attacker could chain them to gain a shell on the Passwordstate host system and retrieve plaintext credentials. Since the chain ends with a shell on the server that holds everyone's secrets, the check that matters is whether your instance and its browser extension are on the patched versions, not whether any single issue looks low severity on its own.
READ THE STORY: LHN
Testing with SDR-based GPS/GNSS simulators
FROM THE MEDIA: Software Defined Radios (SDRs) are a valuable resource for test and measurement (T&M) of RF device function and for capability development. These radios are particularly attractive because they can be upgraded via software and/or field-programmable gate array (FPGA) IP cores, giving T&M engineers extended flexibility and capability at lower cost. Extensive testing of GNSS-based products during design and development is essential, and including an SDR-based GNSS simulator in the test regime can help. One advantage is that the necessary lab test routines can be automated: tests can be programmed to respect power thresholds that protect RF components from damage, and they can be run in a fixed order and sequence to ensure reliability and consistency and to reduce human error.
READ THE STORY: Embedded
Taiwan counts on military conscription reform to deter China invasion
FROM THE MEDIA: A low-key US military delegation arrived in Taiwan last month to assess its army, navy and air force and explore what the country’s armed services could gain from closer co-operation with Washington. The visit’s aims were the same as Taipei’s high-profile announcement last week that it was lengthening conscription: to strengthen Taiwan’s defenses enough to deter China from attempting an invasion. The People’s Republic of China, which claims Taiwan as part of its territory, has threatened to use force to bring the island under its control since the ruling Chinese Communist party’s Nationalist civil war adversaries fled there in 1949. But only over the past few years has that threat become a real concern for Taiwan and the US, the guarantor of its security.
READ THE STORY: FT
Russia risks causing new-year IT worker flight with remote working law
FROM THE MEDIA: Russia's buffeted IT sector risks losing more workers in the new year because of planned legislation on remote working, as authorities try to lure back some of the tens of thousands who have gone abroad without prompting them to cut ties completely. Having relatively portable jobs, IT workers featured prominently among the many Russians who fled after Moscow sent its army into Ukraine on February 24 and the hundreds of thousands who followed when a military call-up began in September. The government estimates that 100,000 IT specialists currently work for Russian companies from overseas. Now, legislation is being mooted for early next year that could ban remote working for some professions.
READ THE STORY: ET
How Russia deploys an army of shadow diplomats
FROM THE MEDIA: Near a teeming town square along the Adriatic coast, where ancient city walls surround the ruins of bygone empires and shops and churches rise over the sea, Russia’s newly appointed representative to this tiny Balkan nation opened his consulate office. Boro Djukic, the first honorary consul named by Russia in Montenegro, was supposed to use his prestigious post to champion cultural ties and the interests of local Russian business owners and tourists – a benevolent bridge between the two countries. Instead, the middle-aged former bureaucrat took on an aggressive role in Montenegro’s politics, backing a movement that aimed to empower allies of the Kremlin and working to undermine the fragile government of a country considered a valuable US ally in a turbulent region.
READ THE STORY: Asian Times
Eastern Kazakh Natural-Gas Supply To China Halted
FROM THE MEDIA: Officials in an eastern Kazakh region say gas exports to China from the area's only natural-gas producing facility were halted on January 1 amid an expiring deal and local complaints that some villages were without gas while its fuel was being sent abroad to China. A contract on the export of gas between the local Tarbagatai Oil company that operates the gas mine at Sarybulak and the Kazakh Energy Ministry reportedly expired on December 31 despite reports that it never fulfilled the 75 million-cubic-meter order. A regional official had announced a suspension in July, citing the depletion of gas reserves in the Zaisan Basin. But activists had complained recently that locals were undersupplied during the bitterly cold Central Asian winter.
READ THE STORY: RFERL
Washington urged to cut North Korea's purse strings through cryptocurrency regulations
FROM THE MEDIA: North Korea made headlines in 2022 by firing more ballistic missiles than any other year ― 38 launches. But besides its ceaseless saber-rattling, the isolated country was also in the spotlight for its illegal cyber activities that allegedly raked in billions of dollars. Crippled by international sanctions, the Kim Jong-un regime, which has refused to abandon its nuclear ambitions, has turned to digital crimes, or stealing cryptocurrencies ― an act feared to help fund the development of its weapons of mass destruction (WMD). "The threat posed by North Korea's cyber activities, especially its cryptocurrency thefts, is very real and very serious. The money North Korea has stolen, which is now in the billions of dollars, is a pure revenue stream that can finance North Korea's most destabilizing activities," said Nick Carlsen, a blockchain analyst at TRM Labs and a former FBI analyst.
READ THE STORY: The Korea Times
The Twitter Files, leaks and the FBI: key revelations so far
FROM THE MEDIA: The Twitter Files began on December 2 after CEO Elon Musk promised to release the company’s internal dialogue regarding the suppression of the New York Post’s Hunter Biden laptop story. Musk released unvetted documents to journalists Matt Taibbi, Bari Weiss and Michael Shellenberger. The leaks have now gone beyond the Hunter Biden story to show how the company worked with the FBI to suppress free speech. The most recent reveal showed how Twitter was paid $3.5 million by the FBI for the company’s constant work in suppressing accounts and tweets at the request of the bureau.
READ THE STORY: INFERSE
Los Angeles’ Housing Authority hit by LockBit
FROM THE MEDIA: If folks in Los Angeles were upset about the ransomware incident involving the Los Angeles Unified School District, they might want to buckle up before reading this: It appears that LockBit 3.0 has managed to compromise and exfiltrate data from the Housing Authority of the City of Los Angeles (HACLA). Municipal housing authorities collect and store a great deal of personal information on residents and landlords, and HACLA’s site can be used to apply for housing, pay rent, or other functions that involve personal data. The screencaps LockBit posted as proof of access suggest that this leak, if and when it happens, may affect many people who sought housing assistance from the city and may also impact employees.
READ THE STORY: Data Breaches
SpaceX’s 2Gen Starlink satellites + ImageSat International’s EROS C-3 satellite
FROM THE MEDIA: This was the 11th launch and landing for this Falcon 9 first stage booster, which previously launched GPS III Space Vehicle 04, GPS III Space Vehicle 05, Inspiration4, Ax-1, Nilesat 301, and now six Starlink missions. This launch was the first for Starlink's upgraded network. Under the company's new license, SpaceX is now able to deploy satellites to new orbits that will add even more capacity to the network. Ultimately, this enables SpaceX to add more customers and provide faster service, particularly in areas that are currently over-subscribed.
READ THE STORY: SatNews
What Is Cryptovirology? Is It Dangerous?
FROM THE MEDIA: It feels like there are already enough cyber threats to worry about, but cybercriminals may now be able to launch even stronger attacks via cryptovirology. No, this has nothing to do with cryptocurrency. So what is cryptovirology, and is it a danger to you? Cryptovirology is the practice of harnessing cryptography to create or improve malicious programs. In short, it switches cryptography from a method of defense to a method of attack. Cryptography (not to be confused with the umbrella term "cryptology") has done great things for cybersecurity and privacy: it transforms readable information into ciphertext that cannot be read without the key. You may have heard of the term "encryption", as numerous online platforms now use it to protect users; encryption codes your data so that no unauthorized party can view it. The canonical cryptovirological attack is ransomware: the malware encrypts the victim's files under a key that only the attacker can recover, so the very property that protects data, that nobody without the key can read it, is turned against the data's owner.
READ THE STORY: MUO
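To make that defining property concrete, the following is an added example for this digest, not code from the MUO article. It implements the textbook cryptoviral extortion construction at toy scale: the malware side encrypts data under a fresh random key and wraps that key with the attacker's public key, so the victim is left holding ciphertext plus a wrapped key that only the private key can open; a released decryptor, like the one LockBit gave SickKids above, is essentially that private key. The unpadded 512-bit textbook RSA and the HMAC-SHA256 keystream are assumptions made to keep the example within the Python standard library and are not production ciphers; the sample record is constructed.

```python
"""Toy cryptoviral extortion: a fresh symmetric key per victim, wrapped under RSA.

Added example for this digest. Textbook RSA without padding and an HMAC-based
stream cipher are toy substitutes chosen to stay in the standard library.
"""
import hashlib
import hmac
import os
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True


def _random_prime(bits):
    """Random odd prime with its top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). Toy key size; no padding scheme."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256(key, nonce || counter) keystream; self-inverse."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def extortion_encrypt(public_key, plaintext):
    """Malware side: encrypt under a fresh key, then wrap that key for the attacker only."""
    n, e = public_key
    data_key = os.urandom(32)           # 256-bit, numerically below n; never written to disk
    nonce = os.urandom(16)
    ciphertext = keystream_xor(data_key, nonce, plaintext)
    wrapped_key = pow(int.from_bytes(data_key, "big"), e, n)
    return wrapped_key, nonce, ciphertext


def decryptor_recover(private_key, wrapped_key, nonce, ciphertext):
    """The 'decryptor' the attacker can release: unwrap the key, undo the stream."""
    n, d = private_key
    width = (n.bit_length() + 7) // 8
    data_key = pow(wrapped_key, d, n).to_bytes(width, "big")[-32:]
    return keystream_xor(data_key, nonce, ciphertext)


if __name__ == "__main__":
    public, private = rsa_keygen()
    record = b"patient record (constructed sample): lab result pending"
    wrapped, nonce, ct = extortion_encrypt(public, record)
    assert ct != record and decryptor_recover(private, wrapped, nonce, ct) == record
    print("round trip ok; without d the data key is an unknown 256-bit value")
```

The point the code makes is the asymmetry: the host that ran extortion_encrypt never stored the data key, only its RSA-wrapped form, so forensics on the victim machine cannot yield it. What remains is the attacker's private key, a backup, or a flaw in the implementation (a predictable data key, for instance, is how many real decryptors have been built). Real-world schemes replace the toy primitives with padded RSA or ECIES and an authenticated cipher.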
Items of interest
Copper Mountain Mining hit by ransomware, second major attack on copper producer
FROM THE MEDIA: In a development that will send shockwaves through the mining industry, it seems that metal producers may be a new target for ransomware criminals. Copper Mountain Mining has put its Canadian treatment plant on "preventative" shutdown after being hit by a ransomware attack. It has released no details of the attack on its systems but reports that it quickly implemented its risk management protocols in response. The company operates the 75%-owned Copper Mountain mine, 20km south of Princeton, British Columbia, and 300km from the port at Vancouver through which it ships its output. The mine has a 45,000 tonnes per day plant that uses conventional crushing, grinding and flotation. Copper Mountain says it isolated all operations where possible and the mill was shut down while staff assessed the effects on its control systems.
READ THE STORY: Small CAPS
What is The Future of Reverse Engineering [RE AMA] (Video)
FROM THE MEDIA: What is the future of reverse engineering? What should we prepare for?
Self-Learning Reverse Engineering in 2022 (Video)
FROM THE MEDIA: There are some excellent tools nowadays to accelerate self-education in reverse engineering. Compiler Explorer (godbolt) and Decompiler Explorer (dogbolt) are great for quickly learning basic assembly and reversing.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com