Thursday, January 05, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media
FROM THE MEDIA: The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server. "When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis published late last month. "Threat actors write identifying characters and the C2 address in parts of this page." In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address.
READ THE STORY: THN
Chinese researchers claim to have broken RSA with a quantum computer. Experts aren’t so sure
FROM THE MEDIA: Researchers in China claim to have reached a breakthrough in quantum computing, figuring out how they can break the RSA public-key encryption system using a quantum computer of around the power that will soon be publicly available. Breaking 2048-bit RSA — in other words finding a method to consistently and quickly discover the secret prime numbers underpinning the algorithm — would be extremely significant. Although the RSA algorithm itself has largely been replaced in consumer-facing protocols, such as Transport Layer Security, it is still widely used in older enterprise and operational technology software and in many code-signing certificates. If a malicious adversary were able to generate these signing keys or decrypt the messages protected by RSA then that adversary would be able to snoop on internet traffic as well as potentially pass off malicious code as if it were a legitimate software update, potentially enabling them to seize control of third-party devices.
READ THE STORY: The Record
How NATO can keep pace with hybrid threats in the Black Sea region and beyond
FROM THE MEDIA: Russian attacks on Ukraine’s infrastructure in recent months have highlighted the devastating impact of twenty-first-century warfare and the resulting vulnerability of civilian life. A major component of modern warfare is the hybrid threat, in which Russia is a most aggressive perpetrator. Indeed, the Kremlin effectively implemented hybrid warfare in the 2014 annexation of Crimea and continues to use similar tactics to influence political outcomes in Moscow’s favor. Hybrid warfare, which includes cyberwar and malign influence, allows states and non-state actors to impact the political stability of adversaries with limited or no use of conventional military forces. This is significant as it gives states, as well as terrorist and criminal organizations, a low-cost method to influence the politics and policies of other states or even capture territory.
READ THE STORY: Atlantic Council
U.K.'s National Crime Agency to launch a new crypto-focused unit focused on combating digital asset fraud
FROM THE MEDIA: The United Kingdom’s National Crime Agency (NCA), which focuses on tackling organized crime, has revealed its intentions to form a new cryptocurrency unit dedicated to investigating cyber incidents that involve the use of cryptocurrencies. The National Cyber Crime Unit (NCCU), which is the cyber arm of the NCA, will be launching the NCCU Crypto Cell, a unit that will initially be comprised of five officers who will focus on performing “proactive cryptocurrency remit,” according to a report by Financial News. To help get the new unit started, the NCA posted a civil service job posting that provides details about the new “Cryptocurrency Investigator” position.
READ THE STORY: KITCO
How Can the Oil & Gas Sector Better Secure its Systems
FROM THE MEDIA: Like all industries, the oil and gas sector is increasingly faced with cyber attacks. We talked with Edgardo Moreno, industry consultant in charge of cybersecurity at Hexagon, about the threats targeting the oil industry, the particularities of the sector and how oil and gas companies can better secure their facilities. There are obviously several kinds of attacks happening, the most notorious being ransomware. They are the biggest concern in the industry right now. One of the most famous ransomware attacks in the oil and gas industry was the Colonial Pipeline attack in 2021. The oil and gas industry is part of what we call critical infrastructure. Critical infrastructure is essential for the functioning of our society and for the economy of our countries. The Colonial Pipeline provides nearly half of the gasoline and fuel for the East Coast of the USA. So the impact of such attacks is enormous and can really block our societies.
READ THE STORY: Direct Industry
The Rise In Power Grid Attacks Leaves Businesses With A New Variation On A Familiar Threat
FROM THE MEDIA: When an attack on an electrical substation in Moore County, North Carolina left thousands in the state without power through the following week, it became a wakeup call throughout the country that our power grid is dangerously vulnerable. Resilience experts have long recognized the inherent dangers to power grids, primarily a result of the usual suspects – heavy weather and local wildlife. Infrastructure is always in a precarious place and the effects of an outage are the number one disruption to businesses when it goes offline – costing the U.S. economy an estimated $80-188 billion annually. In the recent past there have been several outages with dire consequences for their regions. 2021’s outage in Texas during a winter storm drew attention to the threat of extreme weather on infrastructure.
READ THE STORY: Forbes
Vessel Vulnerabilities: Why Attackers Increasingly Target Maritime
FROM THE MEDIA: Maritime is at the center of global trade and many sectors rely upon the industry for safe transportation of critical goods, for instance food imports and building supplies. Despite this criticality, maritime infrastructure remains vulnerable and largely insecure. This article outlines some vulnerabilities, especially relating to vessels out at sea. Systems within vessels are impacted by OT/IT convergence and lack maritime-specific defenses and system visibility, and this is not helped by a lack of policies and training. These vulnerabilities are combined with increased attacker incentives relating to vessel criticality, potential for disruption and piracy.
READ THE STORY: Hellenic Shipping News
Ongoing Flipper Zero phishing attacks target infosec community
FROM THE MEDIA: A new phishing campaign is exploiting the increasing interest of security community members towards Flipper Zero to steal their personal information and cryptocurrency. Flipper Zero is a portable multi-functional cybersecurity tool for pen-testers and hacking enthusiasts. The tool allows researchers to tinker with a wide range of hardware by supporting RFID emulation, digital access key cloning, radio communications, NFC, infrared, Bluetooth, and more. The developers launched the device after a massively successful 2020 Kickstarter campaign, which surpassed the funding goal of $60,000 by 81 times, after receiving $4,882,784 in pledges.
READ THE STORY: BleepingComputer
Peiter Zatko (Mudge) joins Rapid7
FROM THE MEDIA: The former head of security at Twitter Inc., Peiter Zatko, is joining cybersecurity company Rapid7 Inc., following a whistleblower complaint to federal authorities last year in which he alleged security risks and mismanagement at the social media giant. Mr. Zatko’s part-time role at Rapid7 will entail advising the company’s executives and customers, including board members, on using data to make cyber decisions, a spokeswoman for the Boston-based company said. In a July whistleblower complaint, Mr. Zatko alleged Twitter lied about its computer security problems and failed to protect users’ privacy.
READ THE STORY: WSJ
Microsoft chases Google with ChatGPT-powered Bing
FROM THE MEDIA: Microsoft reportedly is integrating OpenAI's ChatGPT technology into Bing as it looks to boost its search engine's capabilities to challenge Google. According to a report in The Information citing the usual unnamed sources, Microsoft – which in 2019 invested $1 billion in OpenAI and is using the startup's technologies in Azure – could launch a ChatGPT-backed version of Bing before the end of March. OpenAI could use the artificial intelligence capabilities in ChatGPT to enable Bing to not only return a list of search results but also to answer users' search questions in a human-like fashion. The technology is the latest component of OpenAI's larger GPT efforts to make AI more human-like.
READ THE STORY: The Register
Dell looks to phase out Chinese chips by 2024
FROM THE MEDIA: Dell Technologies Inc (DELL.N) plans to stop using China-made chips by 2024 and has told suppliers to reduce the amount of other made-in-China components in its products amid concerns over U.S.-Beijing tensions, Nikkei reported on Thursday. The computer maker told suppliers late last year that it aims to meaningfully lower the amount of China-made chips it uses, including those produced at facilities owned by non-Chinese chipmakers, the report added, citing three people with direct knowledge of the matter.
READ THE STORY: Nikkei Asia
Cyber-attack Threatens Release of Port of Lisbon Data
FROM THE MEDIA: LockBit, who claimed the attack, said its ransomware has taken down the port’s website and internal computer systems. Meanwhile, they have reportedly stolen financial reports, audits, budgets, contracts, cargo information, ship logs, port documentation, among other vital port-related information, whilst already having published samples of the stolen data. LockBit has threatened to publish all of the files that were seized during their computer attack should their ransom demands of $1.5 million be left unmet by 18 January. Despite these threats, Portuguese newspaper, Publico, has stated that no operational activity has been compromised at the Port of Lisbon, which has more than 3,500 vessel calls annually handling over 13.4 million tons of cargo.
READ THE STORY: Global Trade
Twitter poised to ease political ad ban
FROM THE MEDIA: Twitter said it’s planning to lift its ban on political ads and focus more on “cause-based” advertising. In other news, SpaceX kicked off the year with its first rocket launch. We’ll also take a peek at what’s to come in the tech world at this year’s Consumer Electronics Show in Las Vegas. Twitter on Tuesday announced plans to scale back its ban on political ads and allow more “cause-based” advertising on the platform. “We believe that cause-based advertising can facilitate public conversation around important topics. Today, we’re relaxing our ads policy for cause-based ads in the US. We also plan to expand the political advertising we permit in the coming weeks,” the company’s safety team tweeted.
READ THE STORY: The Hill
Billion-dollar rail firm confirms data breach after suspected ransomware attack
FROM THE MEDIA: One of the world’s largest rail and locomotive companies announced a data breach this week that involved troves of employee information following an alleged ransomware attack last summer. Wabtec, which has about 25,000 employees and operates in 50 countries, began sending out breach notification letters on December 30 letting people know that data was stolen from their systems during a cyberattack they discovered last June. In a statement, the company said it contacted the FBI and hired a cybersecurity firm, which discovered that the hackers “introduced malware” to certain systems as early as March 15. The investigation found that systems containing sensitive information were accessed and data was exfiltrated before being posted to a leak site. Wabtec confirmed the findings on November 23 and began sending out breach notification letters on December 30.
READ THE STORY: The Record
Massachusetts school district, community college dealing with fallout from ransomware attacks
FROM THE MEDIA: A school district and community college in Massachusetts are struggling to recover from ransomware attacks that have crippled their digital systems. Bristol Community College said it discovered a cyberattack on December 23 and immediately launched an investigation after hiring a cybersecurity firm. The college is still determining whether personal information was accessed or stolen. On Tuesday, the college said some services are now available in person or over the phone but information systems are still limited. The college urged students and employees to change all passwords, including those used for bank accounts, credit cards and other financial institutions. Several systems used by professors are not available, nor is campus WiFi. There is no network access at any locations at the college, although school resumed on Tuesday.
READ THE STORY: The Record
AI threat detection that ‘understands you’ critical to thwarting attacks
FROM THE MEDIA: In today’s complicated cybersecurity landscape, detection is just one part of the puzzle. With threat actors exploiting everything from open-source code to AI tools to multi-factor authentication (MFA), security must be adaptive and continuous across an organization’s entire digital ecosystem. AI threat detection — or AI that “understands you” — is a critical tool that can help organizations protect themselves, said Toby Lewis, head of threat analysis at cybersecurity platform Darktrace. As he explained, the technology applies algorithmic models that build a baseline of an organization’s “normal.” It can then identify threats — regardless of whether novel or known — and make “intelligent micro-decisions” about potentially suspicious activity.
READ THE STORY: VB
New SHC-compiled Linux malware installs cryptominers, DDoS bots
FROM THE MEDIA: A new Linux malware downloader created using SHC (Shell Script Compiler) has been spotted in the wild, infecting systems with Monero cryptocurrency miners and DDoS IRC bots. According to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks generally focused on Linux systems in the same country. The analysts say the attacks likely rely on brute-forcing weak administrator account credentials over SSH on Linux servers. SHC is a "generic shell script compiler" for Linux, able to convert Bash shell scripts into ELF (Linux and Unix executables) files. Malicious Bash shell scripts used by threat actors typically contain system commands, which can be detected by security software installed on a Linux device.
READ THE STORY: BleepingComputer
Slack's private GitHub code repositories stolen over holidays
FROM THE MEDIA: Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world. BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022. The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen. While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company.
READ THE STORY: BleepingComputer
Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities
FROM THE MEDIA: Fortinet has warned of a high-severity flaw affecting multiple versions of FortiADC application delivery controller that could lead to the execution of arbitrary code. "An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests," the company said in an advisory. Users are recommended to upgrade to FortiADC versions 6.2.4 and 7.0.2 as and when they become available. The January 2023 patches also address a number of command injection vulnerabilities in FortiTester (CVE-2022-35845, CVSS score: 7.6) that could permit an authenticated attacker to execute arbitrary commands in the underlying shell.
READ THE STORY: THN
200 million Twitter users' email addresses allegedly leaked online
FROM THE MEDIA: A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. BleepingComputer has confirmed the validity of many of the email addresses listed in the leak. Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces. These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID.
READ THE STORY: BleepingComputer
Five Guys Data Breach Puts HR Data Under a Heat Lamp
FROM THE MEDIA: The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain. Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an "unauthorized access to files" was discovered on Sept. 17 and was blocked the same day. He added, "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and [variable data]." What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data.
READ THE STORY: DarkReading
Rail Tech Giant Wabtec Discloses Global Data Breach
FROM THE MEDIA: Wabtec Corporation has finally disclosed details of a data security incident last year which led to the compromise of highly sensitive personal information. The Pittsburgh-headquartered firm describes itself as the world’s leading rail technology company, operating in over 50 countries in the freight, transit, mining, industrial and marine sectors. The $8bn revenue firm suffered a ransomware attack first reported back in June 2022, attributed to the prolific LockBit group. Although the incident is not mentioned explicitly in the new breach notice, the link between the two can be inferred from the fact that stolen data was “posted to the threat actor’s leak site,” according to Wabtec. The firm explained that, although it first became aware of unusual network activity on June 26 2022, it later determined that malware was planted on its systems as far back as March 15 that year.
READ THE STORY: InfoSecMag
CircleCI Urges Customers to Rotate Secrets Following Security Incident
FROM THE MEDIA: DevOps platform CircleCI on Wednesday urged its customers to rotate all their secrets following an unspecified security incident. The company said an investigation is currently ongoing, but emphasized that "there are no unauthorized actors active in our systems." Additional details are expected to be shared in the coming days. "Immediately rotate any and all secrets stored in CircleCI," CircleCI's chief technology officer, Rob Zuber, said in a terse advisory. "These may be stored in project environment variables or in contexts." CircleCI is also recommending that users review internal logs for signs of any unauthorized access from December 21, 2022, to January 4, 2023, or until the secrets are rotated. The software development service did not disclose any further specifics about the breach, but said it has also invalidated all Project API tokens and that they need to be replaced.
READ THE STORY: THN
Qualcomm Chipsets and Lenovo BIOS Get Security Updates to Fix Multiple Flaws
FROM THE MEDIA: Qualcomm on Tuesday released patches to address multiple security flaws in its chipsets, some of which could be exploited to cause information disclosure and memory corruption. The five vulnerabilities -- tracked from CVE-2022-40516 through CVE-2022-40520 -- also impact Lenovo ThinkPad X13s laptops, prompting the Chinese PC maker to issue BIOS updates to plug the security holes. Stack-based buffer overflow vulnerabilities can result in severe impacts, such as data corruption, system crashes, and arbitrary code execution. Buffer over-reads, on the other hand, can be weaponized to read out-of-bounds memory, leading to the exposure of secret data. Successful exploitation of the aforementioned flaws could allow a local adversary with elevated privileges to cause memory corruption or leak sensitive information, Lenovo noted in an alert published Tuesday.
READ THE STORY: THN
Items of interest
Costa Rica under Cyberattack: Vulnerability of Information Systems Was Exposed in 2022
FROM THE MEDIA: “We are at war and it is not an exaggeration.” This was one of Rodrigo Chaves's first strong statements as president. The same day he took office, on May 8th, 2022, he announced a national emergency decree, and on May 16th, after a week in power, he launched a series of measures against what he described as an “international terrorist attack”. Not without reason: the transition between the government of the outgoing president, Carlos Alvarado, and Chaves was marked by the strongest cyberattack ever experienced in Costa Rica against State entities, an event that affected dozens of entities and had a direct impact on the population. On Monday, April 18th, the country woke up to the news that some basic systems of the Ministry of Finance were down, including the ATV platform for declaring and paying taxes and the customs systems. The government reported at the time that it was investigating what had happened, until it confirmed an attack attributed to an international group called Conti. The attackers demanded a payment of US$10 million to stop the attack, which the government refused.
READ THE STORY: The Costa Rica News
Bug Bounty bootcamp: The basics (Video)
FROM THE MEDIA: How to get experience with no experience? Have a look at bug bounty programs. Vickie Li demos Insecure Direct Object References (IDOR) and tells us how to get into bug bounty. We also discuss why her book Bug Bounty Bootcamp is a fantastic book to buy if you want to get into bug bounty. Get real world experience today.
Missing HTTP Security Headers (Video)
FROM THE MEDIA: In this video we talk about various HTTP headers that can improve or weaken the security of a site. And we discuss how serious they are in the context of Google's bug bounty program.
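The video above discusses headers that strengthen or weaken a site's posture. As an added example that is not part of the original page or the video, the following Python helper audits a captured set of response headers offline: it reports missing hardening headers (HSTS, CSP, X-Content-Type-Options, Referrer-Policy, clickjacking protection), weak values (short HSTS max-age, CSP with 'unsafe-inline'), and headers that actively weaken a site (a wildcard CORS origin combined with credentials, version-disclosing Server/X-Powered-By). The two header sets at the bottom are constructed samples, and the function name audit_headers is an assumption of this example.

```python
"""Offline audit of HTTP response headers (hypothetical helper, not from the video)."""
from typing import Dict, List, Optional

# Headers whose absence weakens the site, with the finding text to report.
REQUIRED = {
    "strict-transport-security": "HSTS missing: HTTPS downgrade / SSL-stripping exposure",
    "content-security-policy": "CSP missing: XSS impact is not constrained",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: URL paths may leak to third parties",
}
ONE_YEAR = 31536000  # seconds; common minimum recommendation for HSTS max-age


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare them lower-cased and trimmed."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS header value, or None if absent/malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    h = _normalize(headers)
    findings: List[str] = []

    # 1. Hardening headers that are simply absent.
    for name, message in REQUIRED.items():
        if name not in h:
            findings.append(message)

    # 2. Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is needed.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options / CSP frame-ancestors: clickjacking possible")

    # 3. Headers that are present but carry a weak value.
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    hsts = h.get("strict-transport-security", "")
    if hsts:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("HSTS max-age missing or shorter than one year")
    if "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': inline-script XSS is not blocked")

    # 4. Headers that actively weaken the site.
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS wildcard origin combined with credentials")
    for name in ("server", "x-powered-by"):
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"{name} header discloses a version string")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Server": "Apache/2.4.41",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"[{label}]")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```

Feed it the header dictionary from any HTTP client (for example `dict(response.headers)` from `requests`) to triage a site before reading the body. The checks are deliberately conservative: a CSP with `frame-ancestors` counts as clickjacking protection even when `X-Frame-Options` is absent, since the CSP directive supersedes it in current browsers.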
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com