Tuesday, January 10, 2023 // (IG): BB // BSidesCharm// Coffee for Bob
Researchers Hacked California's Digital License Plates, Gaining Access to GPS Location and User Info
FROM THE MEDIA: Cybersecurity researchers managed to hack into California’s new digital license plates, which are sold and managed by tech company Reviver. The digital plates, called Rplates, went on sale in California late last year, but it was only a matter of time before hackers found a backdoor into Reviver’s systems. Luckily, the white hats got there first by gaining full “super administrative access” via the Reviver website, according to Vice. This allowed the team of researchers to track the location of all cars using the plates, access all user records and even change some of the text shown on the digital plate displays. Bug bounty hunter Sam Curry explained how the team started probing Reviver’s mobile app first, then the website. The team became interested in Reviver due to the company’s ability to track the digital plates — and any car wearing one.
READ THE STORY: Jalopnik
The SSU detained the organizers of the Russian “troll factory” in Kyiv
FROM THE MEDIA: Cyber specialists of the Security Service neutralized a pro-Kremlin “troll factory” in Kyiv. The perpetrators spread appeals on social networks to support the armed aggression against Ukraine and justified the war crimes of the Russian occupiers. It was established that the Internet agents used as their primary source the Telegram channel of Moscow propagandist Yuriy Podolyaka, a Russian blogger with more than 2.7 million subscribers. The “trolls” spread his publications through reposts or under the guise of their “own” posts on social networks. According to the investigation, the subversive activity in the Kyiv region was organized by two local residents. Computer equipment for running the “infomediary” operation and communicating with Russian curators was installed in their own residences in the capital and in Bila Tserkva. To saturate the Internet space, the attackers also tried to recruit new members for the Kremlin propaganda “cell”.
READ THE STORY: The Odessa Journal
UK's Morgan Advanced Materials reports cyber security incident on its network
Analyst Comments: Morgan supplies the health, energy, transport and automotive industries with a wide variety of products, from carbon brushes to cold storage packaging. Its two main divisions are focused on thermal products and carbon & technical ceramics. This is likely nation-state activity, possibly IP-themed.
FROM THE MEDIA: British industrial firm Morgan Advanced Materials Plc said on Tuesday it was assessing a cyber security incident after detecting unauthorized activity on its network. The company, which makes a wide range of heat-resistant and other industrial materials, said it had launched an investigation and was taking steps to ensure that its businesses could continue to trade with its customers and suppliers.
READ THE STORY: Reuters
New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks
FROM THE MEDIA: A group of academics has demonstrated novel attacks that leverage Text-to-SQL models to produce malicious code that could enable adversaries to glean sensitive information and stage denial-of-service (DoS) attacks. "To better interact with users, a wide range of database applications employ AI techniques that can translate human questions into SQL queries (namely Text-to-SQL)," Xutan Peng, a researcher at the University of Sheffield, told The Hacker News. "We found that by asking some specially designed questions, crackers can fool Text-to-SQL models to produce malicious code. As such code is automatically executed on the database, the consequence can be pretty severe (e.g., data breaches and DoS attacks)." The findings, which were validated against two commercial solutions, BAIDU-UNIT and AI2sql, mark the first empirical instance where natural language processing (NLP) models have been exploited as an attack vector in the wild.
READ THE STORY: THN
Iran’s support of Russia draws attention of pro-Ukraine hackers
FROM THE MEDIA: Pro-Ukraine hacktivists were in a bad mood on New Year’s Day. The previous day, Ukrainian air defense forces shot down a total of 45 drones — many of them supplied by Iran — but missile explosions rocked Kyiv and other population centers as much of the world was ringing in the new year. In response, pro-Ukraine hacktivists claimed to launch distributed denial-of-service attacks on several Iranian websites, including the website of Iran’s supreme leader Ali Khamenei, and the National Iranian Oil Company (NIOC). “Iranians, it is not your war, step down and fuck off,” one group of pro-Ukrainian hackers and cybersecurity specialists wrote on Telegram. Usually, DDoS attacks carried out by hacktivists last minutes to hours and have no real impact on the targeted services.
READ THE STORY: The Record
San Francisco BART investigating ransomware attack
FROM THE MEDIA: San Francisco’s Bay Area Rapid Transit (BART) is investigating an alleged ransomware attack after the Vice Society ransomware gang claimed to have attacked the agency. BART – the fifth-busiest heavy rail rapid transit system in the United States – was listed on the group’s leak site on Friday. Alicia Trost, chief communications officer for BART, told The Record that they are investigating the data that was stolen and posted by the group. “To be clear, no BART services or internal business systems have been impacted,” she said. “As with other government agencies, we are taking all necessary precautions to respond.” The rail industry has seen its fair share of cyberattacks in recent years. In April 2021, New York City’s Metropolitan Transportation Authority – one of the largest transportation systems in the world – was hacked by a group based in China.
READ THE STORY: The Record
Critical Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects
FROM THE MEDIA: A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. "By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh said in a Monday report. Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue impacts all versions of the library up to and including 8.5.1, and has been addressed in version 9.0.0, shipped on December 21, 2022. The flaw was reported by the cybersecurity company on July 13, 2022. jsonwebtoken, which is developed and maintained by Okta's Auth0, is a JavaScript module that allows users to decode, verify, and generate JSON web tokens as a means of securely transmitting information between two parties for authorization and authentication. It has over 10 million weekly downloads on the npm software registry and is used by over 22,000 projects.
READ THE STORY: THN
Blues Wireless Brings Firmware-Agnostic Over-the-Air Updates to Notecard-Connected Microcontrollers
FROM THE MEDIA: Cellular Internet of Things (IoT) connectivity specialist Blues Wireless has announced a new feature designed to make its service even more tempting for remote device deployments: the ability to update a connected microcontroller entirely remotely using a new Over-the-Air (OTA) firmware update capability. "Outboard Firmware Update is a Notecard feature that allows device builders to implement OTA firmware updates in their devices without writing any code," explains TJ VanToll, principal developer advocate at Blues Wireless. "Additionally, developers have the freedom of choice, and may select from a large number of microcontrollers (MCUs), programming languages, and real-time operating systems (RTOS), and can even perform updates on 'native' applications with no code from Blues and no RTOS at all. This capability from Blues continues to bring cellular cloud-connected products within reach of every developer, no matter their skill level."
READ THE STORY: Hackster
Hackers target cryptocurrency customers by impersonating well-known employee
FROM THE MEDIA: Researchers at Division Seven, SafeGuard Inc.’s threat intelligence team today detailed how customers at a cryptocurrency firm they work with were targeted by a threat actor using a social engineering attack with a twist: The hackers were pretending to be a well-known employee. The investigation was launched following a report by Microsoft Security in December into targeted attacks against the cryptocurrency industry. Microsoft Corp. researchers said a threat actor, tracked as DEV-0139, was joining Telegram groups where they targeted cryptocurrency investment companies. DEV-0139 was found to be using Telegram groups used to facilitate conversations between VIP clients and cryptocurrency exchange platforms to identify potential targets among its members.
READ THE STORY: OODALOOP
PurpleUrchin bypasses CAPTCHA and steals cloud platform resources
FROM THE MEDIA: Palo Alto Networks Unit 42 has published research on PurpleUrchin, a freejacking campaign that has primarily targeted cloud platforms offering limited-time trials of cloud resources in order to perform cryptomining operations. Unit 42 researchers take a deep dive into Automated Libra, the cloud threat actor group behind the campaign. Automated Libra is a South Africa-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources to run its cryptomining operations. Freejacking is the practice of using free (or limited-time) cloud resources to perform cryptomining.
READ THE STORY: Zawya
Dealing with the implications of ChatGPT
FROM THE MEDIA: AIM reports that the New York City Department of Education has banned ChatGPT on school devices due to concerns about plagiarism. Vox notes that the chatbot is able to write decent essays that can pass popular anti-plagiarism tools like Turnitin. The Daily Beast reports that students are already using the AI to complete writing assignments. A technology question-and-answer site also banned the use of ChatGPT due to technical errors in its responses. Even if the service is technically banned by schools, however, it’s difficult to see how such a ban could be enforced. Princeton student Edward Tian attempted to offer a solution to this dilemma by creating an app called GPTZero, designed to detect whether an essay was written by a human or an AI. The Daily Beast explains that GPTZero uses “perplexity” and “burstiness” as metrics.
READ THE STORY: The Cyberwire
MEGACORTEX Ransomware Decryptor Released
FROM THE MEDIA: Researchers have released a decryption tool for the MegaCortex ransomware, a strain that has been used in attacks on a long list of targets and has been deployed around the world. MegaCortex has been in use since at least January 2019, and some of the actors using it also were known to have deployed the older Dharma and LockerGoga ransomware variants. The MegaCortex ransomware sometimes was associated with infections by the Qakbot and Emotet malware families and typically was used in intrusions on corporate networks. In October 2021, authorities from the United States, Switzerland, Ukraine, and elsewhere disrupted the operation of the MegaCortex ransomware infrastructure and arrested 12 people in connection with its deployment. That operation also disrupted the usage of Dharma and LockerGoga.
READ THE STORY: DUO
OFAC Sanctions’ Impact on Crypto Crime a Mixed Bag, Chainalysis Finds
FROM THE MEDIA: The US government’s crypto-related sanctions last year have had mixed results on crypto crime, according to a new report by Chainalysis. Decentralized mixing service Tornado Cash’s inflows fell 68% in the 30 days following its sanctions designation by the Office of Foreign Assets Control (OFAC) in August, for example. But Russia-based crypto exchange Garantex’s average monthly inflows more than doubled after implementing sanctions against it last April, Chainalysis data indicated. OFAC had sanctions against 10 crypto-related entities and about 350 addresses last year — both up from the prior year. The Chainalysis report highlighted sanctions against darknet market Hydra, Tornado Cash, and Garantex as the most notable.
READ THE STORY: Blockworks
German government warns of ‘Godfather’ malware targeting banking, crypto apps
FROM THE MEDIA: Financial authorities in Germany are raising the alarm amid the rapid spread of a new financial malware affecting banking and cryptocurrency applications. Germany’s Federal Financial Supervisory Authority (BaFin) released an official statement on Jan. 9, warning consumers of “Godfather,” a malware collecting user data in banking and crypto apps. BaFin emphasized that the new virus is targeting about 400 banking and crypto apps, including those operating in Germany. The Godfather malware attacks users by displaying fake websites of regular banking and crypto apps, stealing their login data. According to the regulator, it is yet to be determined how the malware attacks users’ devices. The malware is known to send push notifications to get the codes for two-factor authentication. “With this data, the cyber criminals may be able to gain access to consumers’ accounts and wallets,” BaFin noted.
READ THE STORY: Coin Telegraph
Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
FROM THE MEDIA: The Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. While these tactics aren't novel, Microsoft's Defender for Cloud team reports they have seen an uptick lately, indicating that the threat actors are actively looking for specific entry points. Kinsing is a Linux malware with a history of targeting containerized environments for crypto mining, using the breached server's hardware resources to generate revenue for the threat actors. The threat actors behind Kinsing are known for exploiting known vulnerabilities like Log4Shell, and, more recently, an Atlassian Confluence RCE to breach targets and establish persistence.
READ THE STORY: BleepingComputer
Python Package Index found stuffed with AWS keys and malware
FROM THE MEDIA: The Python Package Index, or PyPI, continues to surprise and not in a good way. Ideally a source of Python libraries that developers can include in their projects to save time, PyPI has again been caught hosting packages with live Amazon Web Services (AWS) keys and data-stealing malware. Malicious packages are, sadly, nothing new for PyPI or for packaging systems like npm, RubyGems, crates.io, and the like. Supply chain attacks – via compromising software libraries or typosquatting – have been an issue for years, though one that has gotten more attention recently with incidents like the compromise of SolarWinds. Despite enhanced vigilance, these incidents still occur with alarming frequency. Just before the New Year, the maintainers of machine learning framework PyTorch warned that PyTorch-nightly, if installed on Linux via pip, included a compromised dependency available through PyPI called torchtriton.
READ THE STORY: The Register
Beware of Modified Zoom App that Delivers Banking Malware IcedID Malware
FROM THE MEDIA: A malicious IcedID campaign was identified recently by Cyble researchers, in which threat actors are actively spreading malware using trojanized versions of the Zoom application. Since the COVID-19 pandemic emerged, remote work has increased dramatically, virtual communication tools have become far more important, and Zoom has become increasingly popular. Threat actors commonly use installers for these kinds of software tools as a lure for delivering malware to users’ machines. A large number of businesses are being targeted by this campaign in an attempt to steal sensitive information as well as drop additional malware onto the victims’ computers.
READ THE STORY: Cyber Security News
Colonoscopy Prep Retail Website Breach Festered for Years
FROM THE MEDIA: As if colonoscopies weren't invasive enough, nearly a quarter-million patients who underwent an intestinal probe since 2019 now must grapple with a data breach tied to a hacking incident at a third-party vendor to gastroenterologists. Kansas-based Captify Health is notifying approximately 244,300 patients that their payment card and other personal information may have been compromised in a data security incident that started as far back as 2019 and involved its colonoscopy prep kit online retail business. A company breach notification filed with Maine's attorney general says the Captify Health online retail service Your Patient Advisor suffered a "malicious code" incident that persisted for more than three years, from May 26, 2019, to April 20, 2022.
READ THE STORY: BankInfoSec
The Russia-Ukraine war has some rethinking the role of offensive cyber operations in armed conflict
FROM THE MEDIA: For some, the horror of the Russian invasion of Ukraine was also meant to mark the dawn of a new era in modern warfare: one in which degrading your enemy’s capabilities through cyberspace would play an important — perhaps even decisive — role in determining success on the real-world battlefield. As militaries and societies grew ever more connected to and reliant on the internet to run, so too would the cyberspace domain grow in importance in combat, and nowhere was that supposed to be demonstrated more clearly than in Russia’s war, where their elite and well-resourced military hacking units could cut off Ukraine’s access to power, water and other essential resources, disrupt their communications, wipe out large swaths of private and public sector systems and data, and smooth the way for ground troops to dominate their Ukrainian counterparts.
READ THE STORY: SCMAG
US Supremes deny Pegasus spyware maker's immunity claim
FROM THE MEDIA: The US Supreme Court has quashed spyware maker NSO Group's argument that it cannot be held legally responsible for using WhatsApp technology to deploy its Pegasus snoop-ware on users' phones. Facebook and its WhatsApp subsidiary sued the notorious Israel-based software company in 2019, alleging that NSO exploited a zero-day bug in WhatsApp to remotely drop Pegasus on about 1,400 smartphones belonging to attorneys, journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials in multiple countries.
READ THE STORY: The Register
Items of interest
Is the RSA Algorithm Still Secure?
FROM THE MEDIA: Researchers in China claim to have made a significant breakthrough in quantum computing by figuring out how to break the RSA (Rivest-Shamir-Adleman) public-key encryption system using a quantum computer that is soon to be publicly available. RSA encryption is still used in older enterprise and operational technology software and in code-signing certificates, and if broken, would allow a malicious adversary to generate signing keys or decrypt messages. This could enable them to snoop on internet traffic and potentially pass off malicious code as a legitimate software update, allowing them to take control of third-party devices. A white paper published by the UK's National Cyber Security Centre in November 2020 warns that almost all of today's public-key cryptography systems are easy to crack with a large general-purpose quantum computer.
READ THE STORY: Quantaneo
Cybersecurity for the Blockchain (Video)
FROM THE MEDIA: Halborn + SANS Security Summit 2022.
Cybersecurity Trends for 2023 (Video)
FROM THE MEDIA: Jeff Crume looks back on 2022 and forward to 2023 and beyond at the trends in cybersecurity. Ransomware and MFA will continue to play key roles in IT security, but what role will AI, deep fakes, and quantum computing play going forward into the New Year?
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com