Monday, January 16, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild
FROM THE MEDIA: Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33," Qihoo Netlab 360's Alex Turing and Hui Wang said in a technical write-up published last week. xdr33 is said to be propagated by exploiting a security vulnerability in the F5 appliance and communicating with a command-and-control (C2) server using SSL with forged Kaspersky certificates. The intent of the backdoor, per the Chinese cybersecurity firm, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes.
READ THE STORY: THN
Lateral movement: The key to identity-based attacks
FROM THE MEDIA: After many years, lateral movement still presents a problem for organizations. Abusing identity infrastructure designed as much as 20 years ago, using techniques that have long since been in the public domain, we could assume that security and risk teams would have a handle on it by now. Unfortunately, that’s not true. Think of the scale of the impact: lateral movement has played a role in most big-name breaches in recent memory. The most recent Uber breach, the SolarWinds compromise, and the ransomware attack on the Colonial Pipeline are all examples of what can happen when an attacker has the freedom to move across an environment without being stopped. In fact, lateral movement figures in almost 60% of attacks today.
READ THE STORY: SCMAG
Intelligence website used by law enforcement defaced in apparent hack
FROM THE MEDIA: An intelligence website that provides apps and facial recognition technologies used by law enforcement was hacked on Sunday. ODIN Intelligence took on a completely different look on the home page of its website just before it was taken down. Asterisks spelled out the acronym "ACAB," known as "all cops are b******s," according to a screenshot taken by TechCrunch. Below, a caption clarified it was directed at "all (cyber) cops." "No nations, no borders!" the caption went on to read. "We are all illegal!" The hacker's message went on to claim that “all data and backups have been shredded” among three archive files that totaled more than 16 gigabytes of data. This comes four days after a report that an app produced by the company, SweepWizard, had leaked confidential information regarding police raids. The app is used by departments to help organize raids involving large swaths of officers. Over many years, the app had published geographic coordinates of suspects’ homes, the times and locations of raids, demographics, contact information, and occasionally even suspects’ Social Security numbers freely on the internet.
READ THE STORY: Washington Examiner // TECHCRUNCH
Ransomware Diaries: Undercover with the Leader of Lockbit
FROM THE MEDIA: An unusual announcement appeared in Russian Dark Web forums in June of 2020. Amid the hundreds of ads offering stolen credit card numbers and batches of personally identifiable information there was a Call for Papers. “We’re kicking off the summer PAPER CONTEST,” it read. “Accepted article topics include any methods for popuring shells, malware and malware coding, viruses, trojans, bot development… monetization.” Jon DiMaggio, chief security analyst at Analyst 1, remembers seeing the ad when it first appeared and thinking to himself how odd it was to have some sort of academic call for papers pop up where cyber criminals tend to gather. “They’re calling for papers like in the name of education of the criminal community,” DiMaggio told Click Here. “As if they were helping out the young guys and gals coming up” in the cyber crime world.
READ THE STORY: The Record
CISA Warns of Flaws Affecting Industrial Control Systems from Major Manufacturers
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens. The most severe of the flaws relate to Sewio's RTLS Studio, which could be exploited by an attacker to "obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code," according to CISA. This includes CVE-2022-45444 (CVSS score: 10.0), a case of hard-coded passwords for select users in the application's database that potentially grant remote adversaries unrestricted access. Also notable are two command injection flaws (CVE-2022-47911 and CVE-2022-43483, CVSS scores: 9.1) and an out-of-bounds write vulnerability (CVE-2022-41989, CVSS score: 9.1) that could result in a denial-of-service condition or code execution.
READ THE STORY: THN
NY lawmakers vow to tackle cyber hack attacks against hospitals, schools
FROM THE MEDIA: New York state lawmakers have promised to make helping local governments, schools and hospitals protect against cyber ransomware attacks a top priority during the 2023 legislative session. It comes after a wave of such attacks hit institutions across the Empire State, with the computer systems of a major Brooklyn hospital network and those of the Suffolk County government disabled by hackers last year. “This is a top item on my agenda for 2023,” said Steven Otis, chairman of the Assembly Science and Technology Committee. “I am especially sensitive to local government and school districts being targets of ransomware attacks,” said Otis. “We have to get into prevent mode.” A study just published in the Journal of the American Medical Association found that the number of ransomware attacks against hospitals and other medical institutions more than doubled from 2016 to 2021 — from 43 to 91 nationally, and that figure is likely under-reported.
READ THE STORY: NYPOST
Three law firms join forces to pursue Medibank
FROM THE MEDIA: Bannister Law Class Actions, Centennial Lawyers and Maurice Blackburn have joined forces to pursue compensation for customers affected by the ransomware attack on Medibank last year. Maurice Blackburn filed a formal representative complaint to the Office of the Australian Information Commissioner, which has the power to order compensation for data breaches, in November. Under the joint cooperation agreement, the three firms will jointly seek orders for compensation from the OAIC. Tens of thousands of the health insurer’s current and former customers had already signed up to the lawsuit, a joint release said. Maurice Blackburn head of class actions Andrew Watson said, “the cooperation agreement ensures that all three law firms are working together for the common aim of obtaining compensation for those affected as quickly as possible.” Medibank confirmed the breach on October 13 in an ASX release.
READ THE STORY: iTNEWS
Notorious Hacker Group Lazarus Begins Laundering Harmony Funds
FROM THE MEDIA: With the broader crypto ecosystem reeling itself in with the ongoing positive price trend that has engulfed the industry, the notorious North Korean hacking syndicate, Lazarus Group, is reportedly busy moving funds stolen from the Harmony Bridge last year. Flagged by the on-chain sleuth and self-proclaimed 2D detective ZachXBT, the hacking group resorted to three different exchanges to move their stolen funds. "North Korea's Lazarus Group had a very busy weekend moving $63.5m (~41000 ETH) from the Harmony bridge hack through Railgun before consolidating funds and depositing on three different exchanges." The Lazarus Group has a profound reputation in the Ransomware world, and despite the high level of sophistication on crypto and blockchain platforms, they have wreaked havoc in terms of hacks and exploits over the past couple of years.
Time to study the classics: Vintage tech is the future of enterprise IT
FROM THE MEDIA: Business IT is driven by the need for the new. Not necessarily your business's need, but certainly that of vendors and service providers desperate for new revenue, the dismissal of the old once it's done its real job, and the inevitable prying open of the corporate checkbook. If it's old, it's obsolete; and if it's obsolete, it needs to die. A remarkable number of those corpses are coming back to life, though, and they have something interesting to say. There's no very good definition of what makes something officially ancient. Microsoft seems to think it's somewhere around a decade, as it just quietly euthanized 2009's Windows 7 and 2012's Windows 8. Hard to shed many tears here, yet other, far older technologies are driving more than just nostalgia.
READ THE STORY: The Register
Android TV Box Sold on Amazon Contains Malware
FROM THE MEDIA: The affected device was a T95 Android TV box with an AllWinner T616 processor that came with sophisticated, persistent, and pre-installed malware embedded in its firmware. A Canadian infrastructure and security systems consultant, Daniel Milisic, discovered the malware on the Android TV box (Android-10-based in this case) he purchased on Amazon. Milisic has now created a script and guide to help users annul the payload and prevent it from communicating with the C2 server. This device is available on all leading e-commerce platforms, including Amazon and AliExpress, for as low as $40.
READ THE STORY: HackRead
Google serves up malware for users looking to update their AMD Graphics Drivers
FROM THE MEDIA: A few days ago, on the popular PCMR subreddit, a user warned others that when he searched for "amd driver" the top result was an advertisement for a malicious website claiming to offer precisely that. Of course, this wasn't a legitimate search result, but appearing above their search results, it was an ad made to look like the real thing. In our testing, it seems like the search result and site have both been removed, which is good to see. Still, according to multiple sources, it was host to a dubious .exe download titled "Auto-Detect and Install Driver Updates for AMD Radeon Series Graphics and Ryzen Chipsets", which sounds legitimate. Until you take a closer look at the URL and realize it would definitely not do that. The site even featured AMD branding and AMD IP, a tactic that isn't new in the world of malware.
READ THE STORY: TweakTown
What Is a Salami Attack? You May Be a Victim and Not Even Know It
FROM THE MEDIA: This attack gets its name because it is similar to slicing a salami thinly, with each small slice adding to a larger whole. The first mention of a salami attack was in the 1940s, when a group of programmers from the Soviet Union stole funds from the government, manipulating transactions and raking home lots of cash. Salami slicing (another name for salami attacks) can also involve breaking a significant goal into smaller, more manageable pieces and working on each part separately. This can make it easier to achieve the overall plan and can also make it less noticeable to others. Also called penny shaving, these attacks can be difficult to detect because the changes are often subtle, and the hacker may be able to cover their tracks by disguising the attacks as legitimate.
READ THE STORY: MUO
70 percent in UAE struggle with work-life balance due to technology
FROM THE MEDIA: Nearly eight out of 10 people in the UAE (79 percent) wish their family and friends would spend less time on their phone when they are together. And a staggering 40 percent of UAE residents think they have a problem with using their mobile phone too much and would like to cut back. These results are some of the top findings from the 2023 Life and Technology Report from communications agency, duke+mir. More than 1,000 people across the Emirates were independently polled (through YouGov) for their views on a range of lifestyle and technology questions, to discover more about the attitudes and behaviour of people in the UAE. One of the biggest findings was that 70 percent of UAE respondents think it has become harder to separate their work and personal life because of technology since 2020. Adopting different remote technologies to enable us to work, since the onset of Covid-19, appears to have distorted work-life balance.
READ THE STORY: ZAWYA
China spyware threat could expose Rishi Sunak to blackmail, Foreign Affairs chair warns
FROM THE MEDIA: Components routinely fitted to modern cars threaten to hand China a massive intelligence advantage and could even expose a prime minister to blackmail, the head of the Foreign Affairs Committee has warned. Alicia Kearns was speaking after i revealed the discovery in a government car of an IoT cellular module capable of being used as a tracking device. She said the component was an example of the serious vulnerabilities inherent in new Internet of Things (IoT) connectivity technologies dominated by China. She added that three Chinese companies had won more than 50 per cent of the global market in the components as car manufacturers opted to pay less than charged by Western providers.
READ THE STORY: iNews
Russia relies on 'shadow fleets' for crude oil sales
FROM THE MEDIA: Facing sanctions for its invasion of Ukraine, Russia is looking further afield to find customers for its crude oil. It is having to rely on so-called "shadow fleets" to do so. A ban by the European Union on Russian oil that went into effect late last year over the war in Ukraine is forcing Russia to look further afield to sell its fuel. But transporting the oil has become an increasing challenge for Russia. So it's having to turn to a fleet of tankers willing to bust sanctions. NPR's Jackie Northam reports. Before Russia invaded Ukraine, Europe was by far and away the largest customer for its oil, even bigger than Russia's domestic market. Pipelines, ports, oil fields in West Siberia, everything has been oriented toward selling to Europe. But now it's being forced into a much smaller market, much further away.
READ THE STORY: NPR
Taiwan’s Health System Runs a National Security Risk
FROM THE MEDIA: Taiwan’s National Health Insurance program offers its 24 million citizens one of the world’s best and most affordable medical systems. The price could be ongoing risks to patient privacy and national security, as a prosecution investigation revealed last week, amid growing tensions with China and increasing cybersecurity attacks. Launched in 1995, the single-payer mandatory system is modeled after Medicare in the US, except that it covers the entire population instead of just the elderly. Along with longer life expectancy and lower infant mortality — metrics that tend to improve as an economy develops — a 10-year study shows disparities between the most and least-healthy groups in Taiwan have since narrowed, though the authors say it’s not possible to link that to the health-insurance program.
READ THE STORY: Bloomberg
Decoding Chinese retaliation to the US comment on the LAC
FROM THE MEDIA: China’s reaction to the comment of Donald Lu, Assistant Secretary of State for South and Central Asian Affairs that ‘China had recently made aggressive moves along the border instead of taking steps to resolve the stand-off in Ladakh sector’, needs to be seen in the context of the overall Chinese approach on issues about its claims in the periphery. Donald Lu’s statement that the US would continue to stand with its Indian partners on this issue may have especially irked the Chinese policymakers. China builds narratives in its favour using several electronic, print, and social media platforms. Whenever its narrative ‘based on historical facts’ is negated, it makes a loud reaction contradicting the unfavourable statement, so that the other’s account is not accepted. Since 2012, this approach has been more aggressively and systematically pursued.
READ THE STORY: Times of India
For password protection, dump LastPass for open source Bitwarden
FROM THE MEDIA: For better or worse, we still need passwords, and to protect and organize them, I recommend the open source Bitwarden password manager. LastPass is perhaps the world's most popular password manager. It's also arguably the most broken password manager. There's a better, safer open source alternative. But before I dive into Bitwarden, let's talk a little bit about why LastPass is problematic. Late last year, LastPass CEO Karim Toubba revealed that an August security incident had been much worse than they'd first admitted. Instead of simply losing internal source code and developer documents – bad enough – they'd also lost customer account information and vault data. What does that mean? It means that, at the least, someone out there may have your unencrypted subscriber account data. That includes your LastPass usernames, company names, billing addresses, email addresses, phone numbers, and IP addresses. They also have your vault data. That includes website URLs and your encrypted usernames and passwords.
READ THE STORY: The Register
How Edge Computing Will Evolve in 2023
FROM THE MEDIA: With some of the most notable minds on Wall Street giving a bleak prognosis of the economy in the year ahead and continuing to worry that inflation is eroding everything, business leaders are bracing for rough times in 2023. To manage their way through an uncertain economy, companies will put more scrutiny on every part of the business, including the millions of dollars spent each year on research and development. While spending on edge computing is still expected to grow, executives are eager to see real-world applications of projects that, up until now, have thrived in laboratories. For edge computing professionals, 2023 is the time to get real. Edge computing moves computing power and storage to devices at the edge of a network instead of the cloud or a central server. The recent explosion of data allows for real-time decision-making, and edge computing enables companies to collect and analyze data closer to the source rather than upload it to the cloud for later analysis. Industries such as energy, manufacturing and retail are adopting edge computing to optimize performance, reduce costs and gain efficiency.
READ THE STORY: Hackernoon
Panthronics sampling single-chip solution for NFC wireless battery charging
FROM THE MEDIA: The device is said to be the industry’s only integrated, single-chip solution for the listener circuit in NFC wireless charging systems. The PTX30W, which is supplied in a compact 3.2mm² WL-CSP package, enables manufacturers of small battery-powered products to implement NFC wireless charging with a board which is around four times smaller than existing designs based on multiple discrete components. The device, an integrated solution, is simpler to implement than a circuit made of multiple discrete components. The fully autonomous PTX30W runs an NFC Forum-derived wireless charging protocol which supports power negotiation, which means that the PTX30W can operate in stand-alone mode with no need for an external microcontroller to run NFC wireless charging operations. Paired with an NFC poller in the charging cradle, the PTX30W can supply as much as 1W to charge the li-ion battery in products such as fitness trackers, smart watches, earbuds, hearing aids, smart glasses, smart rings, styluses and medical sensors. Both the PTX30W and PTX130W are supported by a software development kit to accelerate integration into end product designs.
READ THE STORY: New Electronics
Items of interest
Artificial Intelligence and Modern Warfare
FROM THE MEDIA: Artificial intelligence is one of the most discussed and alarming technologies that can entirely change the nature of warfare in the times to come. Man is the most hazardous species on planet earth, having done enormous harm to life, and after two World Wars we are once again marching towards a third that could completely wipe out the traces of life on earth. The article discusses the development of AI in the field of modern warfare and the technologies employed for their creation and operation. The Russian warship Moskva was sunk in the Black Sea by a drone named Bayraktar, as claimed by Ukraine and the US (BBC). Cyber-attacks on Ukraine’s communication systems by Russia, Clearview AI used by Ukraine for facial recognition to identify the dead, and many other technologies are being tested in the ongoing conflict between Russia and Ukraine.
READ THE STORY: Modern Diplomacy
Security Controls Compared: IT vs. OT | SANS ICS Security Brief (Video)
FROM THE MEDIA: SANS ICS Security Brief videos offer you quick cyber security tips to protect critical infrastructure. The series will touch on control system security topics covering both the tactical and management level. Each session is just a few minutes long and will provide actionable takeaways to help strengthen any ICS/OT cybersecurity program.
The Fish Tank Casino Heist - Daily Security Byte (Video)
FROM THE MEDIA: In this short, daily video post, Corey Nachreiner, CISSP and CTO for WatchGuard Technologies, shares the biggest InfoSec story from the day -- often sharing useful security tips where appropriate.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com