Wednesday, January 11, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it
FROM THE MEDIA: In October, investigative journalists at Bellingcat identified a secretive group of Russian military engineers responsible for programming the flight paths of high-precision cruise missiles. Their attacks on Ukraine’s critical and civilian infrastructure had left millions of Ukrainians without electricity and heating and caused hundreds of civilian deaths and injuries. Bellingcat used open-source intelligence and leaked information from Russia’s underground data markets to identify people in this group. Such leaks have proven useful for investigative journalism groups – although it isn’t obvious what to do with terabytes of unstructured data, which is extremely difficult to analyze and verify, according to Aric Toler, director of training and research at Bellingcat.
READ THE STORY: The Record
Russian Cyber Attacks Disrupt Banksy’s Print Sale Benefiting Humanitarian Efforts in Ukraine
FROM THE MEDIA: In early December, the anonymous street artist Banksy announced that he had partnered with the Legacy of War Foundation to offer 50 unique prints depicting the word “Fragile” scratched out by a rat. Proceeds were set to go toward rescue efforts in Ukraine’s war-torn regions. Interested collectors were instructed to register online for a chance at one of the artworks, priced at £5,000 ($6,000) a pop. But just as soon as applications went live, the system hosting them was overwhelmed by entries—many of which came from suspicious sources in Russia. “We are currently sifting through the registered entries and will notify successful applicants shortly,” the Legacy of War Foundation wrote in a message published on the print sale landing page.
READ THE STORY: Artnet News
Dark Pink, a newly discovered hacking campaign, threatens Southeast Asian military, government organizations
FROM THE MEDIA: A recently discovered hacking campaign is targeting a range of organizations across the Asia-Pacific region, and one in Europe, as part of a sophisticated effort to steal corporate data and other high-value secrets, researchers with the cybersecurity firm Group-IB said Thursday. The so-called “Dark Pink” campaign surged in the second half of 2022 and has, to date, been responsible for seven successful attacks, Group-IB researchers Andrey Polovinkin and Albert Priego said in a detailed analysis. Its primary goals seem to be corporate espionage, document theft, sound capture from the microphones of infected devices and data exfiltration from messengers, according to the researchers’ analysis.
READ THE STORY: Cyberscoop // Cybernews // BleepingComputer // THN
Life during wartime: Ukraine ‘has to be ready for new more powerful and complex’ cyberattacks
FROM THE MEDIA: Blackouts in Kyiv can be sudden. Some are scheduled as part of the government’s attempts to manage energy usage, although even the scheduled cuts can begin early and end late. And then there are the emergency blackouts, which can last several days and usually follow Russian attacks on Ukraine’s power grid. These unexpected blackouts have left people stuck in elevators, which is why people in Kyiv now leave boxes of food and water and books inside them in case any of their neighbors end up stranded for several hours. The daily mean temperature in Kyiv is below freezing throughout December, January and February, and the daylight is gone by the end of the working day. Every evening when Denys, a 27-year-old Ukrainian tech specialist, walks home from work, he turns on his phone’s flashlight to navigate a dark street in the center of the capital.
READ THE STORY: The Record
Lorenz ransomware gang plants backdoors to use months later
FROM THE MEDIA: Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. Some gangs are exploiting the flaws to plant a backdoor while the window of opportunity exists and may return long after the victim applied the necessary security updates. One case is a Lorenz ransomware attack that reached completion months after the hackers gained access to the victim's network using an exploit for a critical bug in a telephony system. During an incident response engagement for a Lorenz ransomware attack, researchers at global intelligence and cyber security consulting company S-RM determined that the hackers had breached the victim network five months before starting to move laterally, steal data, and encrypt systems.
READ THE STORY: BleepingComputer
Microsoft Exchange bugs top list of exploited vulnerabilities affecting financial sector
FROM THE MEDIA: Two bugs affecting Microsoft products topped a survey of exploited vulnerabilities being used to target the U.S. financial services sector, according to new research. Researchers at the cybersecurity company LookingGlass examined public internet-facing assets from over 7 million IP addresses belonging to the sector in November 2022 – finding that a seven-year-old Remote Code Execution vulnerability affecting Microsoft Windows topped the list. “It was interesting to see that our research detected CVE-2015-1635, a Remote Code Execution vulnerability affecting Microsoft Windows, over 900 times in the finance sector, but this vulnerability is seven years old,” said LookingGlass CEO and former CISA Assistant Director Bryan Ware. “This goes to show that when hackers find a successful attack method, they continue to exploit it for years to come, particularly in highly advantageous industries like the financial sector.”
READ THE STORY: The Record
Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App
FROM THE MEDIA: A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users' private keys. The seven attacks span three different threat models, according to ETH Zurich researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong Truong, who reported the issues to Threema on October 3, 2022. The weaknesses have since been addressed as part of updates released by the company on November 29, 2022. Threema is an encrypted messaging app that's used by more than 11 million users as of October 2022. "Security and privacy are deeply ingrained in Threema's DNA," the company claims on its website.
READ THE STORY: THN
A Widespread Logic Controller Flaw Raises the Specter of Stuxnet
FROM THE MEDIA: The computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them. The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013.
READ THE STORY: Wired
Here’s why raunchy military call signs keep showing up on flight trackers
FROM THE MEDIA: When an Air Force KC-135 broadcast “Titties” as its call sign during a mission last month over the Mediterranean Sea, it was not an isolated incident. Flightradar24 detected two incidents on March 6 and 9 when separate KC-135 aerial tankers briefly transmitted the call sign “Boobies” while the planes were on the ground at Al Udeid Air Base in Qatar, said Ian Petchenik, a spokesman for the flight tracking service. Every aircraft’s call sign needs to be entered into its flight management computer, Petchenik told Task & Purpose. Normally, that is done by someone aboard the aircraft. After a KC-135 broadcast “Titties” as its call sign on Dec. 16, U.S. Air Forces Central Command announced it was “taking appropriate action to address this behavior,” Lt. Col. Michael Hertzog, a spokesman for the command, told Task & Purpose at the time.
READ THE STORY: Task and Purpose
Here’s Why Tornado Cash’s Activity Didn’t Cease Completely Post OFAC Sanctions
FROM THE MEDIA: The Office of Foreign Assets Control’s (OFAC) tryst with the crypto industry dates back to 2018, when it designated two Iran-based individuals for malicious cyber activity. There has been no looking back since. More recently, the bombshell announcement that the US Treasury Department banned American citizens from using Tornado Cash has had industry leaders abuzz. While sanctions did reduce Tornado Cash’s activity, a recent report by Chainalysis shows that it is not easy to “pull the plug” on a decentralized protocol. The blockchain analytics firm Chainalysis published a new report highlighting OFAC’s increased efforts in targeting crypto activity and its effect on the Ethereum-based coin mixer, Tornado Cash. On-chain data before sanctions revealed that 34% of all funds sent to Tornado Cash originated from illicit sources, while illegal activity was concentrated on just crypto hacks and scams.
READ THE STORY: Crypto Potato
How Serbia’s Cyber-War Outreach Taught Legions of Serbian Schoolchildren the Art of Hacking
FROM THE MEDIA: Through the hot summer of 1998, electricity hung in the air. It felt as if the power of the electrical zeroes and ones pulsing through schools, homes, intelligence, militaries, and universities was generating the dry storm clouds that swept in over the mountains for evening. America was in flower. Its map was bursting with new wires and exchanges, the internet bringing the country to itself like the railroads and the auto routes had for the past hundred years and more. This was Al Gore’s information superhighway all right. If it existed, there were websites for it, partly because there had never been anything like this and partly because interest rates were falling and low interest rates were going to make money free, and borrowing to invest would never be so gloriously untethered from risk.
READ THE STORY: Literary Hub
StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users
FROM THE MEDIA: The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle. "A copycat website, mimicking the Shagle service, is used to distribute StrongPity's mobile backdoor app," ESET malware researcher Lukáš Štefanko said in a technical report. "The app is a modified version of the open source Telegram app, repackaged with StrongPity backdoor code." StrongPity, also known by the names APT-C-41 and Promethium, is a cyberespionage group active since at least 2012, with a majority of its operations focused on Syria and Turkey. The existence of the group was first publicly reported by Kaspersky in October 2016.
READ THE STORY: THN
Turla piggybacks on abandoned malware infrastructure
FROM THE MEDIA: Mandiant says the Russian threat actor Turla is using expired domains from the commodity malware ANDROMEDA to distribute its own backdoors KOPILUWAK and QUIETCANARY. The domains were used to selectively target organizations in Ukraine: "This is Mandiant’s first observation of suspected Turla targeting Ukrainian entities since the onset of the invasion. The campaign’s operational tactics appear consistent with Turla’s considerations for planning and advantageous positioning to achieve initial access into victim systems, as the group has leveraged USBs and conducted extensive victim profiling in the past. In this case, the extensive profiling achieved since January possibly allowed the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance to inform Russian priorities."
READ THE STORY: The Cyberwire
Misconfigured PostgreSQL Used to Target Kubernetes Clusters
FROM THE MEDIA: Researchers at Microsoft Defender for Cloud observed a growing number of PostgreSQL containers infected with the Kinsing malware. It uses unique techniques targeting containerized environments, said Sunders Bruskin, a security researcher for Microsoft Defender for Cloud, in a report published last week. A Golang-based malware, Kinsing has been observed to target Linux environments. "The fact that this is a new image that is targeted by the malware means some new methods of infection were added to it. Cryptominers' main target is to use the customer's resources. If there are servers that can be infected, the malware will try to target them and execute the malware," Bruskin tells Information Security Media Group.
READ THE STORY: Bank Info Sec
Iowa school district cancels classes another day due to cyberattack
FROM THE MEDIA: One of the biggest school districts in Iowa plans to shutter its doors again on Wednesday after canceling classes today due to a cyberattack. On Monday, Des Moines Public Schools – which serves 30,000 students and has nearly 5,000 staff members – said it preemptively took the school district’s internet and network services offline in response to “unusual activity on the network.” An investigation was started by the district’s IT staff as well as outside cybersecurity consultants, but access to the internet, WiFi, and various networked systems at school buildings and district offices was limited. By Monday afternoon, the district decided to cancel classes for Tuesday. “Because many technology tools that support both classroom learning as well as the management and operation of the school district are not available at this time, the prudent decision is to close the district for the day,” the district said in a statement, noting that some staff would be working remotely.
READ THE STORY: The Record
Over 1,300 fake AnyDesk sites push Vidar info-stealing malware
FROM THE MEDIA: A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware. AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration. Due to the tool's popularity, malware distribution campaigns often abuse the AnyDesk brand. For example, in October 2022, Cyble reported that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware. The new ongoing AnyDesk campaign was spotted by SEKOIA threat analyst crep1x, who warned about it on Twitter and shared the complete list of the malicious hostnames. All of these hostnames resolve to the same IP address of 185.149.120[.]9.
READ THE STORY: BleepingComputer
Combatting Cyberterrorism via Spatial Insights
FROM THE MEDIA: Social media has emerged as a new turf for terrorist groups and organized crime syndicates. In this scenario, data-based insights and geospatial visualizations play a key role in tracking these activities. While social media has enhanced connectivity and is a rich source of diverse information, at the same time it poses several threats, ranging from impersonation and identity theft to cyber terrorism and racketeering. The dark underbelly of the internet is a hotbed of all sorts of illicit activities that often tend to escape the lens of regulatory agencies. As per estimates, cyber-attacks have spiked by up to 240% since the second half of 2021. According to the Cybersecurity Ventures report, the estimated cost of cyber crimes would reach up to $10.5 trillion annually by 2025, representing one of the greatest wealth transfers in history.
READ THE STORY: Geospatial World
John Deere provides some right-to-repair concessions to customers
FROM THE MEDIA: John Deere finally caved, offering its customers some rights to repair and fix their expensive equipment however they like. There's a catch, though: if state or federal right-to-repair laws go into effect, the concessions are no more. In a hypothetical list of companies willing to go the extra mile to lock their customers in, John Deere would place among the most serious offenders. The US corporation makes agricultural machinery and other heavy equipment, then locks the final products so that customers will not be able to repair them without going through an authorized dealer. Things could change soon, however, as the Illinois-based corporation has entered an agreement with the American Farm Bureau Federation (AFBF) to make some much-sought concessions to the right-to-repair movement.
READ THE STORY: TECHSPOT
Beware of Modified Zoom App that Delivers IcedID Banking Malware
FROM THE MEDIA: A malicious IcedID malware campaign was identified recently by Cyble researchers through which threat actors are actively spreading malware using modified versions of the Zoom application that have been trojanized. Due to the growing awareness of the COVID-19 pandemic in recent years, Zoom has become increasingly popular. A dramatic increase in remote work has been observed since the COVID-19 pandemic emerged, and virtual communication tools have become increasingly important. The majority of malware is delivered to users’ machines by threat actors using these types of software tools as a means of delivery. A large number of businesses are being targeted by this campaign in an attempt to steal sensitive information as well as dump additional malware onto the computers of the victims.
READ THE STORY: Cyber Security News
CISA orders agencies to patch Exchange bug abused by ransomware gang
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today. The first is a Microsoft Exchange elevation of privileges bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution. Texas-based cloud computing provider Rackspace confirmed one week ago that the Play ransomware gang exploited it as a zero-day to bypass Microsoft's ProxyNotShell URL rewrite mitigations and escalate permissions on compromised Exchange servers. The exploit used in the attack, dubbed OWASSRF by CrowdStrike security researchers who spotted it, was also shared online with some of Play ransomware's other malicious tools. This will likely make it easier for other cybercriminals to create their own custom exploits or adapt Play ransomware's tool for their own purposes, adding to the urgency of updating the vulnerability as soon as possible.
READ THE STORY: BleepingComputer
Darknet Drug Markets Switch To Custom Android Apps
FROM THE MEDIA: Custom Android apps are now being used by online drug and other illegal substance markets on the darknet to boost privacy and elude law enforcement. These apps enable customers of pharmacy stores to contact suppliers and give particular delivery instructions to couriers in addition to placing orders. Around the start of the third quarter of 2022, experts at Resecurity noticed this new tendency. It is believed to be a reaction to the high-profile darknet market crackdowns of the previous year, most notably Hydra Market. With 19,000 registered merchants and 17 million customers globally, Hydra led the medical sales industry. German police seized its servers in April 2022, leaving a void in the industry. As Resecurity reported today, a number of minor actors tried to exploit Hydra’s abrupt demise and snare some of its orphaned user bases. They issued a warning, saying, “Our experts have lately detected some of these mobile apps on mobile devices confiscated by law enforcement – they belong to multiple suspects involved in drug trafficking and other illegal operations.”
READ THE STORY: Information Security Buzz
IMHEX: An open hex editor for the modern hacker
FROM THE MEDIA: It’s little surprise that most hackers have a favorite text editor, since we tend to spend quite a bit of time staring at the thing. From writing code to reading config files, the hacker’s world is filled with seemingly infinite lines of ASCII. Comparatively, while a hex editor is a critical tool to have in your arsenal, many of us don’t use one often enough to have a clear favorite. But we think that might change once you’ve taken ImHex for a spin. Developer [WerWolv] bills it specifically as the hex editor of choice for reverse engineering, it’s released under the GPL v2, and runs on Windows, Linux, and macOS. Oh, and did we mention it defaults to a slick dark theme designed to be easy on the eyes during those late night hacking sessions — just like your favorite website?
READ THE STORY: Hackaday
Items of interest
‘Twitter Files’: How the FBI “Hacked” Twitter
FROM THE MEDIA: More “Twitter Files” are out, and they document how the Department of Justice and its Federal Bureau of Investigation took control of Twitter. Do you remember what William Barr said after President Donald Trump nominated him as the nation’s top law enforcement officer in 2018? He boldly stated that it was a “dirty trick” by the Clinton campaign to accuse Trump of colluding with Russia in 2016. Many people could see that and were ready for Barr to use the Department of Justice to provide the proof. Barr never did. Radical liberals came roaring back and outright stole the 2020 election. Barr did nothing. Yet somehow the truth keeps coming out, if not from Barr, then—unexpectedly—from a South Africa-born entrepreneur with billions of dollars and an interest in free speech. New Twitter owner Elon Musk and journalist Matt Taibbi have now provided Twitter Files 11.0 and 12.0: “Twitter Let the Intelligence Community In.” This thread shows how the “dirty trick” of Russian disinformation was used by the Department of Justice to control Twitter.
READ THE STORY: The Trumpet
Firmware Reverse Engineering with Ghidra - Day 1 with Thomas Roth (Video)
FROM THE MEDIA: These are just some of the highlights from the first day of Firmware Reverse Engineering with Ghidra by Thomas Roth aka stacksmashing/Ghidra Ninja.
Firmware Reverse Engineering with Ghidra - Day 2 with Thomas Roth (Video)
FROM THE MEDIA: Highlights shown in this video were taken from the second day of the course Firmware Reverse Engineering with Ghidra by Thomas Roth.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com