Friday, January 06, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Alleged Russian and Belarusian GRU spies charged in Poland
FROM THE MEDIA: Two men arrested in Poland in April have now been charged with spying for the Russian military intelligence service (GRU), the Warsaw prosecutor’s office announced Wednesday. An indictment against the men — one a Russian national and the other a Belarusian national — was filed with the District Court in Białystok on December 30 accusing them of conducting espionage activities for the GRU from 2017 until their capture. According to district prosecutor Aleksandra Skrzyniarz, Poland’s military counterintelligence service uncovered that the pair had been conducting “reconnaissance of military facilities of critical importance to the defense of the Republic of Poland” with a particular focus on north-eastern Poland, near the border with Belarus.
READ THE STORY: The Record
Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain
FROM THE MEDIA: A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador. Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the kill chain. Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and for launching indiscriminate attacks against South American nations since at least 2018. Blind Eagle's operations were documented by Trend Micro in September 2021, uncovering a spear-phishing campaign primarily aimed at Colombian entities that's designed to deliver a commodity malware known as BitRAT, with a lesser focus on targets in Ecuador, Spain, and Panama.
READ THE STORY: THN
Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations
FROM THE MEDIA: A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries located in Africa from at least July 2022 to September 2022. "The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software, said in a report shared with The Hacker News. The cybersecurity firm said the activity shares overlaps with a threat cluster tracked by Group-IB under the name OPERA1ER, which has carried out dozens of attacks aimed at banks, financial services, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022.
READ THE STORY: THN
Threat Actors Evade Detection Through Geofencing & Fingerprinting
FROM THE MEDIA: Attackers today combine state-of-the-art obfuscation and adaptive environment-specific features to avoid detection by traditional malware analysis systems. If your security team is relying on legacy approaches, like traditional sandboxing, to scan files entering your network, they may miss these dangerous exploits targeting your organization. If your security teams are spending their time with easy-to-detect, common vulnerabilities and not on the targeted attacks, they are exposing your organization to unnecessary risk from cybercriminals. Nothing about this pattern is new: Researchers develop new anti-malware technology to detect malware attacks. Cybercriminals adapt their malware variants to avoid detection. And the cycle continues.
READ THE STORY: DarkReading
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources
FROM THE MEDIA: Unit 42 researchers perform a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations. Freejacking is the process of using free (or limited-time) cloud resources to perform cryptomining operations. The PurpleUrchin cryptomining campaign, first uncovered in October 2022, is characterized as a freejacking operation. While doing our own investigation of this threat actor, Unit 42 researchers found evidence that PurpleUrchin threat actors employed Play and Run tactics, using cloud resources and not paying the cloud platform vendor’s resource bill.
READ THE STORY: Palo Alto Networks
Bitdefender releases free MegaCortex ransomware decryptor
FROM THE MEDIA: Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free. The creation of the decryptor was the combined work of Bitdefender analysts and experts from Europol, the NoMoreRansom Project, and the Zürich Public Prosecutor's Office and Cantonal Police. Using the decryptor is pretty straightforward, as it's a standalone executable that doesn't require installation and offers to locate encrypted files on the system automatically. Moreover, the decryptor can back up the encrypted files for safety in case something goes wrong in the decryption process that could corrupt the files beyond recovery. Also, for those who attempted to decrypt their files previously with mixed success, the new decryptor offers an advanced setting to replace them with clean files.
READ THE STORY: BleepingComputer
It's time to focus on information warfare's hard questions
FROM THE MEDIA: In 2016, Russia sparked our current era’s obsession with online information operations. By meddling in that year’s U.S. presidential election via a plethora of online tools, Moscow’s operatives illustrated what seemed like the boundless potential of digital manipulation. Since then, social media companies and governments have made massive investments in catching these efforts. As a report published by Facebook parent company Meta at the tail end of 2022 illustrates, these efforts appear to have reached something of an equilibrium with Russian information operators. Russia, along with several other states, still run malign online information operations, but these campaigns to influence public opinion are detected and taken down with such speed that they rarely reach significant audiences.
READ THE STORY: Cyberscoop
Taiwan plans domestic satellite champion to resist any China attack
FROM THE MEDIA: Taiwan is courting investors to help it establish its own satellite communications provider, inspired by the role Elon Musk’s Starlink has played in the war in Ukraine, as Taipei ramps up efforts to fortify itself against a potential assault from China. Taiwan is in preliminary talks with several domestic and international investors to raise funds for the project, which the country’s space agency, known as TASA, wants to spin out of an existing satellite division, according to three people familiar with the situation. “We are going to spin our low-Earth orbit satellite communications project off into a company,” said a senior official at TASA. People familiar with the talks said the government wanted to retain a significant minority stake in the venture.
READ THE STORY: FT
Outsourcing’s dark side: How to stop the surge of supply chain attacks
FROM THE MEDIA: It’s an increasingly familiar scenario. A well-regarded company offering a popular online service discloses that it has fallen victim to a data breach. Cyberattackers have stolen customer names, phone numbers and credit card data, and little can be done to rectify the situation. High-profile companies such as DoorDash, Plex and LastPass have all recently become victims of third-party supply chain attacks, but they are certainly not alone. According to “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk” — a report surveying more than 600 U.S. security professionals across five industries, published by the Ponemon Institute — third-party attacks have increased from 44% to 49% since last year. The real number of attacks is likely higher, as only 39% of respondents expressed confidence that a third-party associate would notify them of a breach.
READ THE STORY: VB
Chick-fil-A customers report fraudulent activity on the chain’s app
FROM THE MEDIA: Chick-fil-A is investigating reports of fraudulent activity on its mobile app after several customers claim their data, including bank account information, was accessed by hackers. The chain tweeted a statement claiming that the activity is “not due to a compromise of Chick-fil-A Inc.’s internal systems,” adding that it is working quickly to protect customers’ data. The alleged breach was initially reported by Atlanta news station 11Alive after several customers posted about their experience on a Facebook page called Paulding County Uncensored. Paulding County is part of the Atlanta metropolitan area, where Chick-fil-A is headquartered. There are now over 100 comments related to suspicious activity.
READ THE STORY: Nation's Restaurant News
Cybercrime group targeting banks in African Francophone countries
FROM THE MEDIA: A cybercriminal group continues to target banks and financial institutions in Francophone countries across Africa, with attacks spreading since the outfit was first observed in 2018. In a report published Thursday by Symantec, the researchers examined a recent campaign by a group they’ve named Bluebottle, which several other cybersecurity firms have investigated in recent years. “Three different financial institutions in three African nations were compromised in the activity seen by Symantec, with multiple machines infected in all three organizations,” the researchers said. “The effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity. The attackers appear to be French speaking, so the possibility of them expanding this activity to French-speaking nations in other regions also cannot be ruled out.”
READ THE STORY: The Record
New Phishing Campaign Impersonates Flipper Zero to Target Cyber Professionals
FROM THE MEDIA: Several social media accounts and fake websites are pretending to sell the sought-after hacking tool Flipper Zero to lure cybersecurity professionals into making cryptocurrency transactions. This new campaign of angler phishing – a type of social media phishing that involves impersonating corporate social media accounts to interact with their customers – was first uncovered by security researcher Dominic Alvieri on December 2, 2022. On Twitter, Alvieri warned of three distinct Twitter accounts and two websites impersonating the official Flipper Zero seller to lure potential buyers into sending cryptocurrencies – without sending them the Flipper Zero device in exchange. At first glance, one of the Twitter accounts looked very similar to the official Flipper Zero.
READ THE STORY: OODALOOP
WhatsApp Introduces Proxy Support to Help Users Bypass Internet Censorship
FROM THE MEDIA: Popular instant messaging service WhatsApp has launched support for proxy servers in the latest version of its Android and iOS apps, letting users circumvent government-imposed censorship and internet shutdowns. "Choosing a proxy enables you to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely," the Meta-owned company said. Proxies act as an intermediary between end users and the service provider by routing requests originating from a client to the server and forwarding the response back to the device. Users can access the option by navigating to Settings > Storage and Data > Proxy > Use Proxy and entering a trusted proxy server address.
READ THE STORY: THN
US waged war on China’s chips; S Korea, Taiwan felt the fallout
FROM THE MEDIA: When United States President Joe Biden made his inaugural trip to South Korea as president in May, his first stop was a massive semiconductor production facility operated by Samsung Electronics. The choice signaled Biden’s recognition of the importance of both Samsung, South Korea’s biggest conglomerate and a major investor in the US, and semiconductors, the chips that power countless modern appliances and sit at the center of a growing US-China rivalry that encompasses business and geopolitics. “Semiconductors power our economies and enable our modern lives, from our automobiles to our smartphones to medical diagnostic equipment,” Biden said at the factory before touting chips as the next frontier in the alliance between the US and South Korea that dates back to the 1950-1953 Korean War.
READ THE STORY: Aljazeera
Taiwan Wants to Join WTO Talks on China’s Protest Against US Chip Sanctions
FROM THE MEDIA: Taiwan has asked to join discussions centered on China’s protest against US chip sanctions at the World Trade Organization, seeking a voice on a debate that could have ramifications for the global chip industry. The island has formally requested a seat at the table when consultations begin, based on the outsized role it plays in global chipmaking, Taiwan said in a statement filed at the WTO. China filed a dispute with the WTO in an effort to overturn US-imposed export controls, which aim to limit the Asian nation’s ability to develop a domestic semiconductor industry and equip its military. Beijing accused Washington of economic protectionism, undermining trade rules and jeopardizing the global supply chain.
READ THE STORY: Bloomberg
Slack GitHub Account Hacked via Stolen Employee API Token
FROM THE MEDIA: On December 29, 2022, Slack was alerted to suspicious activity on their GitHub account. Upon investigation, the company discovered that a limited number of employee tokens had been stolen and misused to gain access to an externally hosted repository. The threat actor had also downloaded private code repositories on December 27, but neither Slack’s primary codebase nor any customer data were included in the downloaded repositories. Upon being notified of the incident, Slack immediately invalidated the stolen tokens and began an investigation into the potential impact on their customers. It was determined that the threat actor did not access other areas of Slack’s environment or customer data. There was no impact on Slack’s code or services, and the company rotated all relevant credentials as a precautionary measure.
READ THE STORY: Security Boulevard
U.S. national cyber strategy to stress Biden push on regulation
FROM THE MEDIA: The Biden administration is set to unveil a national strategy that for the first time calls for comprehensive cybersecurity regulation of the nation’s critical infrastructure, explicitly recognizing that years of a voluntary approach have failed to secure the nation against cyberattacks, according to senior administration officials. The strategy builds on the first-ever oil and gas pipeline regulations imposed last year by the administration after a hack of one of the country’s largest pipelines led to a temporary shutdown, causing long lines at gas stations and fears of a fuel shortage. The attack on Colonial Pipeline by Russian-speaking criminals elevated ransomware to an issue of national security.
READ THE STORY: The Washington Post
SpyNote Android malware infections surge after source code leak
FROM THE MEDIA: The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest variants, known as 'CypherRat'. 'CypherRat' combined SpyNote's spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials. CypherRat was sold via private Telegram channels from August 2021 until October 2022, when its author decided to publish its source code on GitHub, following a string of scamming incidents on hacking forums that impersonated the project.
READ THE STORY: BleepingComputer
The ‘Little Russia’ malware in our brains
FROM THE MEDIA: With the collapse of the Russian Empire in 1918, Ukraine declared independence and was promptly invaded by both the Russian monarchist White Army and Vladimir Lenin’s Red Army. Desperate to make itself known to the West, Ukraine sent its national chorus abroad as a cultural ambassador. After dozens of performances in Europe, it arrived in New York in 1922. It introduced to the American public what would become known as “Carol of the Bells” at Carnegie Hall. By that time, Ukraine had been overrun by Russian forces, a bloodbath being repeated today. The composer, Mykola Leontovych, was murdered and the extermination of Ukraine’s cultural, political, religious and intellectual strata accelerated.
READ THE STORY: The Hill
Notorious Russian Spies Piggybacked on Other Hackers’ USB Infections
FROM THE MEDIA: The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of other hackers to piggyback on their infections and stealthily choose their spying targets. Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives.
READ THE STORY: Wired
Volvo data breach sees information offered for sale on hacking forums
FROM THE MEDIA: Data allegedly belonging to Volvo has appeared for sale on hacking forums. The automaker has acknowledged the breach, which appears to have been perpetrated by a new ransomware gang, Endurance. The stolen information is being offered up for sale on the Breached.co hacking forum and the Sellix marketplace for $2,500 in Monero cryptocurrency. The hackers behind the sale are part of a newly established Serbian cybercrime gang Endurance, which was first spotted on the dark web in November. “I am currently selling the following information,” explains Endurance-member IntelBroker in a forum post, followed by a list of sensitive data points, including access to company databases, WiFi points and logins, employee lists and software keys.
READ THE STORY: Techmonitor
Twitter Files: Russian Bots promoted far-left Gustavo Petro’s campaign for president of Colombia
FROM THE MEDIA: The latest batch of the “Twitter files” document dump released by Matt Taibbi on Tuesday revealed that throngs of Russian-operated bot accounts on Twitter supported far-left Colombian President Gustavo Petro’s campaign last year. According to the documents, shared through current Twitter owner and pro-China green technology celebrity Elon Musk, Twitter officials detected unusual behavior on three hashtags related to Petro: #PactoHistorico, #PetroPresidente2022, and #PetroPresidenteColombia2022. The left-wing parties that belonged to Petro’s Pacto Histórico por Colombia (“Historic Pact for Colombia”) used these hashtags to publicize the campaign. The unusual bot behavior was reportedly detected on Twitter in 2021 during a routine monitoring of social media activity by the United States Intelligence Community (USIC), with a special focus on Venezuela, Cuba and Colombia, concluding that the listed bot accounts were connected to a pro-Petro influence network.
READ THE STORY: Breitbart
Iridium and Qualcomm to bring satellite connectivity to smartphones this year
FROM THE MEDIA: Iridium unveiled chip maker Qualcomm Jan. 5 as the partner behind plans to connect smartphones to its satellite constellation this year. U.S.-based Qualcomm has developed a product called Snapdragon Satellite, which it said can be added to Android smartphones and other devices to support two-way communications via Iridium satellites. Potential uses include emergency SOS services, SMS texts, and other low-bandwidth messaging applications in areas outside terrestrial networks and where Iridium’s global constellation is licensed to operate. Any emergency messages would be routed through response teams run by Garmin, a GPS technology specialist and longtime Iridium partner. Jordan Hassin, Iridium’s executive director of communication, acknowledged widespread speculation in the run-up to the announcement about South Korean smartphone maker Samsung being its direct-to-smartphone partner.
READ THE STORY: SN
Items of interest
How to harden machine learning models against adversarial attacks
FROM THE MEDIA: Machine learning (ML) is commonly used for malware detection alongside traditional approaches, such as signature-based detections and heuristics. The advantages of machine learning over traditional approaches are that it is much more capable of detecting novel (not previously seen) malware and is better suited to keep pace with malware evolution and large volumes of data. However, machine learning has its weaknesses. It is known that ML models have issues with adversarial examples — inputs to ML models designed by an attacker to cause the model to make a mistake. The inputs can be slightly altered but dramatically change a model’s response despite being unnoticeable to humans. Adversarial examples can produce strange and unwanted behaviors, and allow attackers to evade malicious file detection. Given that adversarial machine learning exploits software weaknesses, it should be addressed like any other software vulnerability.
READ THE STORY: Security Boulevard
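The item above describes adversarial examples only in prose. The following is an added illustration, not code from the linked article or from any real detector: a toy logistic-regression "malware classifier" trained on constructed data with two hypothetical features, where an attacker who pads a malicious file with harmless-looking content flips the verdict. The hardening shown is a monotonic constraint (weights projected to be non-negative during training), one defence chosen here as an assumption about what the attacker can change: if additions can only raise a score, padding cannot turn a malicious verdict benign. Feature names, sample values and the `pad_with_benign_content` model of the evasion are all constructed for the example.

```python
"""Added example: evasion of a toy ML malware detector and one hardening (monotonic weights).
Training data, feature semantics and the evasion model are constructed, not from a real detector."""
import math

# Constructed training set. Each sample: ((x1, x2), label), features normalised to [0, 1].
#   x1 = hypothetical "suspicious content" score (e.g. share of high-entropy sections);
#        assumed hard for an attacker to reduce without breaking the payload.
#   x2 = hypothetical "benign-looking content" score (e.g. share of harmless library strings);
#        assumed cheap for an attacker to inflate by appending padding.
# Label 1 = malicious, 0 = benign.
TRAIN = [
    ((0.1, 0.9), 0), ((0.2, 0.8), 0), ((0.15, 0.7), 0), ((0.05, 0.85), 0),
    ((0.9, 0.1), 1), ((0.8, 0.2), 1), ((0.7, 0.15), 1), ((0.85, 0.05), 1),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(data, epochs=5000, lr=1.0, monotone=False):
    """Batch gradient descent on the average logistic loss.

    monotone=True projects the weight vector onto w >= 0 after every step, so that
    increasing any feature can never lower the malicious score (monotonic classifier)."""
    w = [0.0, 0.0]
    b = 0.0
    n = len(data)
    for _ in range(epochs):
        gw = [0.0, 0.0]
        gb = 0.0
        for (x1, x2), y in data:
            err = sigmoid(w[0] * x1 + w[1] * x2 + b) - y
            gw[0] += err * x1
            gw[1] += err * x2
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
        if monotone:
            w = [max(v, 0.0) for v in w]  # projection onto the non-negative orthant
    return w, b


def predict(model, x):
    """1 = flagged as malicious, 0 = benign."""
    w, b = model
    return 1 if w[0] * x[0] + w[1] * x[1] + b > 0 else 0


def pad_with_benign_content(x):
    """Constructed model of the evasion the article describes: the file is altered by
    adding harmless-looking content, which drives x2 to its maximum; the malicious
    payload (x1) is untouched, so the file is still malicious."""
    return (x[0], 1.0)


def evaluate():
    """Train an unconstrained and a monotone model, then compare verdicts on a
    malicious training sample before and after padding."""
    baseline = train_logreg(TRAIN)
    hardened = train_logreg(TRAIN, monotone=True)
    sample = (0.8, 0.2)
    evasive = pad_with_benign_content(sample)
    return {
        "baseline_clean": predict(baseline, sample),      # 1: caught
        "baseline_evasive": predict(baseline, evasive),   # 0: evaded via a negative weight on x2
        "hardened_clean": predict(hardened, sample),      # 1: caught
        "hardened_evasive": predict(hardened, evasive),   # 1: padding cannot lower the score
        "hardened_w2": hardened[0][1],                    # >= 0 by construction
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The unconstrained model learns a strongly negative weight on the attacker-controllable feature because, in the training data, benign files happen to carry more of it; that correlation is exactly what the padded sample exploits. The monotone model gives up that feature's negative evidence and leans on the feature the attacker cannot cheaply change, which is the trade-off behind this kind of hardening: slightly less discriminative power on clean data in exchange for a guarantee against one whole class of perturbations. It does nothing against an attacker who can reduce x1, which is why, as the article says, the threat has to be modelled and tracked like any other software weakness rather than assumed away.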
How to Find Hidden Spy Cameras in your Airbnb with Wireshark (Video)
FROM THE MEDIA: On this episode of HakByte, @AlexLynd demonstrates how to identify and track down hidden cameras that might be spying on you, using Wireshark IO Graphs.
HakByte: How to find anything on the internet with Google Dorks (Video)
FROM THE MEDIA: On this first episode of HakByte, we cover Google Dorking, which is an OSINT technique that takes advantage of the Google Search engine with advanced search strings. This video covers basic Google dorks that allow you to filter irrelevant information out of a Google search, find insecure websites, and even discover exposed password databases. Finally, an open source tool called pagodo is covered, which can automatically run thousands of Google dorks while avoiding detection by Google.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com