Wednesday, January 18, 2023 // (IG): BB // BSidesCharm// Coffee for Bob
China proposes UN treaty criminalizing ‘dissemination of false information’
FROM THE MEDIA: China has proposed that a new international convention on cybercrime should criminalize the “dissemination of false information” during negotiations in Vienna about the provisions of the United Nations treaty. The proposal is likely to be contested by Western states who will see it as a threat to human rights standards and an attempt by the Chinese Communist Party to legitimize its controls, and those of like-minded governments, over what people can see and share online. In May 2021, the U.N. adopted a resolution calling for a draft convention “on countering the use of information and communications technologies for criminal purposes” to be voted on at the General Assembly by September 2024. Although an existing international convention on cybercrime was signed in Budapest in 2001, it was not a U.N. treaty and has not been adopted by countries such as China, Russia, India or Brazil. There is broad support for a new U.N. convention, but disagreements on the details of what it will actually cover.
READ THE STORY: The Record
Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers
FROM THE MEDIA: Security vulnerabilities have been disclosed in Netcomm and TP-Link routers, some of which could be weaponized to achieve remote code execution. The flaws, tracked as CVE-2022-4873 and CVE-2022-4874, concern a case of stack-based buffer overflow and authentication bypass and impact Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035. "The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code," the CERT Coordination Center (CERT/CC) said in an advisory published Tuesday. "The attacker can first gain unauthorized access to affected devices, and then use those entry points to gain access to other networks or compromise the availability, integrity, or confidentiality of data being transmitted from the internal network."
READ THE STORY: THN
Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks
FROM THE MEDIA: The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East since at least 2010. Slovak cybersecurity firm ESET, in June 2021, unpacked the intrusions mounted by the hacking crew against diplomatic entities and telecommunication companies in Africa and the Middle East using a custom implant known as Turian.
READ THE STORY: THN
How Royal Mail’s hacker became the world’s most prolific ransomware group
FROM THE MEDIA: As the UK’s Royal Mail grappled with the fallout of a ransomware attack, a purported member of the LockBit hacking group stepped forward over the weekend to take credit for the mayhem. LockBit has been busy: in just the past month, it has claimed to have compromised 40 organizations, from a private school in Malaysia to a dental group in Sydney, helping it take the mantle of the most prolific ransomware gang in the world. The group had already hit the City of London, ensnaring Kingfisher Insurance in October 2022. But Royal Mail, part of a £2.2bn delivery business, was its biggest target so far: a crucial part of the UK’s critical infrastructure that was suddenly left unable to send mail outside the British Isles. The spotlight, both from rival hacking gangs and UK authorities, was finally on LockBit.
READ THE STORY: FT
Norton LifeLock says 925,000 accounts targeted by credential-stuffing attacks
FROM THE MEDIA: Nearly one million active and inactive Norton LifeLock accounts have been targeted by credential stuffing attacks, according to a statement from the cybersecurity product’s parent company. Gen Digital – which owns Norton LifeLock and several other consumer cybersecurity brands – told The Record that 925,000 inactive and active accounts were locked down after its security team identified a high number of Norton account login attempts. The incident centered on Norton Password Manager users. “Systems have not been compromised, and they are safe and operational, but, as is all too commonplace in today’s world, bad actors take credentials found elsewhere, like the Dark Web, and create automated attacks to gain access to other unrelated accounts,” a spokesperson said. “We have been monitoring closely, flagging accounts with suspicious login attempts and proactively requiring those customers to reset their passwords upon login along with additional security measures to protect our customers.”
READ THE STORY: The Record
The Fusion of Special and Cyber Forces Makes Sense
FROM THE MEDIA: There is an increasing push for U.S. Cyber Command (CYBERCOM) to replicate the ability of U.S. Special Operations Command (SOCOM) – the unified combatant command with the mission of overseeing the special operations elements of the U.S. Armed Services – to bring capabilities directly into the battlespace. At a recent meeting, the chief of CYBERCOM was quoted as saying that the command is “trying to build our authorities much in the same way Special Operations Command did this.” Indeed, per Politico, an unnamed Congressional aide confirmed that CYBERCOM’s evolution has been modeled on the same “legislative techniques” used for SOCOM. The concept sounds reasonable, particularly as the conflicts being fought are moving toward more agile, quicker operations. And as one author points out, both commands are able to draw on their existing capabilities, along with space, to fuse cooperation best suited to the needs of today’s information-enabled environment.
READ THE STORY: OODA LOOP
Congressman calls on CISA to investigate air travel vulnerabilities after outage
FROM THE MEDIA: Congressman Ritchie Torres (D-NY) is calling for federal agencies to investigate cybersecurity vulnerabilities in all systems underpinning air travel after a technical glitch last week crippled flights across the country. Thousands of flights were delayed or canceled last Wednesday, but both the White House and Transportation Secretary Pete Buttigieg were quick to tamp down concerns that the issues were caused by a cyberattack. Several outlets have reported that the outage affecting the Federal Aviation Administration’s Notice to Air Missions (NOTAM) system last week was due to a damaged database file. The situation is still under investigation. The outage reignited concerns about the damage a single cyberattack could do to the country’s air systems, with several recent incidents having exposed the use of antiquated software prone to downtime.
READ THE STORY: The Record
How has the War in Ukraine Changed the Geopolitics of “The New Arctic”
FROM THE MEDIA: In July of last year, we followed up on OODA CTO Bob Gourley’s analysis of the Blueprint for a Blue Ocean with the question What Exactly is the PRC up to in the Arctic? Climate change and climate-induced emergencies and crises are creating newly contested, geopolitical arenas. The Arctic Region has one of the world’s smallest oceans, but because of where it is situated, it has the potential for connecting nearly 75% of the world’s population. When you consider that 90% of all trade travels across the world’s oceans, this can be either a tremendous opportunity or an emerging vulnerability. Additionally, the Arctic is home to 30% of the world’s undiscovered natural gas reserves, 13% of the global conventional oil reserves, and one trillion dollars’ worth of rare earth minerals.
READ THE STORY: OODA LOOP
TurboTax, QuickBooks owner slammed after MailChimp data breach
FROM THE MEDIA: A little-reported data breach at a marketing email service owned by Intuit is raising concerns about security protocols at its better-known properties such as TurboTax, QuickBooks and Credit Karma, The Post has learned. Intuit, a sprawling, publicly traded business-software empire with a market capitalization of $110 billion, admitted last week that 133 accounts using its MailChimp site were hacked. The company did not say who was responsible. While the number of breached accounts is relatively small, many were used by customers who run businesses with hundreds of thousands or even millions of emails on their rosters, according to sources. Last March, MailChimp confirmed hackers gained access to information on 102 of its customer accounts. A month later, Intuit was slapped with a class-action suit from customers of crypto wallet Trezor — a company that used MailChimp.
READ THE STORY: NYPOST
Darkbeam Launches Free Online Resource to Help Procurement Teams Mitigate Ransomware Risk in Supply Chains
FROM THE MEDIA: Darkbeam, a leading London-based provider of supply chain cyber security solutions, today announced the launch of a free online resource for Procurement teams to help them understand, monitor and mitigate the risk of a ransomware attack on a supplier. The platform, which is available at no cost, is designed to help organizations quickly and easily protect their entire supply chain without adding to their workloads. It includes information about the impact of ransomware on supply chains, a framework for managing cyber risk among suppliers, a series of Playbooks for addressing common cyber risk scenarios and free access to the powerful Darkbeam platform. "Ransomware attacks on suppliers are becoming an increasingly common threat to organizations, and Procurement teams are often on the front line of defense," said Charles Clark, CEO of Darkbeam.
READ THE STORY: NewsWires
Will 2023 be the year of dynamite disinfo deepfakes, cooked up by rogue states?
FROM THE MEDIA: Foreign adversaries are expected to use AI algorithms to create increasingly realistic deepfakes and sow disinformation as part of military and intelligence operations as the technology improves. Deepfakes describe a class of content generated by machine learning models capable of pasting someone's face onto another person's body realistically. They can be in the form of images or videos, and are designed to make people believe someone has said or done something they haven't. The technology is often used to make false pornographic videos of female celebrities. As the technology advances, however, the synthetic media has also been used to spread disinformation to fuel political conflicts. A video of Ukrainian President Volodymyr Zelensky urging soldiers to lay down their weapons and surrender, for example, surfaced shortly after Russia invaded the country, last year.
READ THE STORY: The Register
Iran's digital protesters call for Revolutionary Guard to be designated 'terrorists' by international community
FROM THE MEDIA: The digital wing of Iran's protest movement has surged in activity in response to recent executions in the country, as protests on the ground persist but in lower numbers than before. Iran's cyber protesters have issued a resounding call for the world to recognize Iran's notorious Revolutionary Guard as "terrorists", with #IRGCterrorists posted more than 2.7 million times for two days in a row. Their action isn't limited to the online world. They also organized a large protest on Monday outside the European Parliament in Strasbourg calling for international action against the Iranian regime, reportedly one of the largest international protests seen since the start of the ongoing demonstrations. It comes as European Commission President Ursula von der Leyen said she backed listing the IRGC as a terrorist organization to respond to the "trampling" of "fundamental human rights" in the country.
READ THE STORY: Sky News
IoT explosion presents massive (and growing) cyber exposure
FROM THE MEDIA: Adoption of connected devices during the pandemic has led to a dramatic increase in cyberattacks, according to a report launched at the World Economic Forum Annual Meeting 2023 in Davos. If left unchecked, the cost of cyberattacks will continue to rise, threatening a fragile global economy, it warns.
The report, a collaboration of the World Economic Forum with the Council on the Connected World, says the immediate threats can be mitigated through robust security protocols and governance through public-private cooperation. Cyberattacks increased during the pandemic as rapid adoption of connected devices became critical for work, education and healthcare.
READ THE STORY: Strategic Risk
Google's DeepMind says it'll launch a more grown-up ChatGPT rival soon
FROM THE MEDIA: Google subsidiary DeepMind says it could launch a ChatGPT rival soon – and its chatbot promises to be a safer kind of AI assistant. DeepMind has been a pioneer in AI research for the last decade and was acquired by Google nine years ago. However, with ChatGPT stealing the recent headlines, DeepMind CEO Demis Hassabis told Time that it's considering releasing its own chatbot, called Sparrow, for a "private beta" sometime in 2023. Sparrow was introduced to the world last year as a proof-of-concept in a research paper that described it as a "dialogue agent that’s useful and reduces the risk of unsafe and inappropriate answers".
READ THE STORY: TechRadar
CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) and command injection (CVE-2022-2068, CVSS score: 9.8). Also patched by Siemens is an authentication bypass vulnerability in llhttp parser (CVE-2022-35256, CVSS score: 9.8) as well as an out-of-bounds write bug in the OpenSSL library (CVE-2022-2274, CVSS score: 9.8) that could be exploited to trigger remote code execution. The German automation company, in December 2022, released Service Pack 2 Update 1 software to mitigate the flaws. Separately, a critical flaw has also been revealed in GE Digital's Proficy Historian solution that could result in code execution regardless of authentication status.
READ THE STORY: THN
GitHub Rebuffs Breach With Swift Action, Rotating Credentials
FROM THE MEDIA: The holidays were anything but happy over at Slack, which saw threat actors access its externally hosted GitHub repositories. The miscreants apparently used a “limited” number of stolen Slack employee tokens. And while they breached some of the platform’s private code repositories, the primary codebase—as well as customer data—weren’t affected. “On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” according to a Slack alert. “Our investigation also revealed that the threat actor downloaded private code repositories on December 27, [2022]. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”
READ THE STORY: Security Boulevard
Hackers turn to Google search ads to push info-stealing malware
FROM THE MEDIA: Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. At least one prominent user on the cryptocurrency scene has fallen victim to the campaign, claiming it allowed hackers to steal all their digital crypto assets along with control over their professional and personal accounts. Over the weekend, crypto influencer Alex, better known by their online persona NFT God, was hacked after launching a fake executable for the Open Broadcaster Software (OBS) video recording and live streaming software they had downloaded from a Google ad in search results. “Nothing happened when I clicked the EXE,” Alex wrote in a Twitter thread recounting their experience over the weekend. However, a few hours later friends alerted them that their Twitter account had been hacked. Unbeknownst to Alex, this was likely an information-stealing malware that stole their saved browser passwords, cookies, Discord tokens, and cryptocurrency wallets and sent them to a remote attacker.
READ THE STORY: BleepingComputer
NIST to launch AI guidelines amid ChatGPT fears
FROM THE MEDIA: NIST released a statement announcing it would showcase the AI Risk Management Framework on January 26. The event can be watched from an embedded link on its website. “NIST is developing a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI),” it said, describing it as “intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” Some will feel the announcement comes not a moment too soon, while others may wonder whether it will be of any avail. Check Point recently revealed that there is growing evidence of Russian cybercriminals conspiring on the dark web to illegally access ChatGPT3, the AI-driven text generator app that can write anything from propaganda to low-level malware code.
READ THE STORY: CyberNews
Third-party administrator hack leads to theft of patient data for over 251K
FROM THE MEDIA: Austin, Texas-based Bay Bridge Administrators (BBA), a third-party administrator of insurance products, recently began notifying more than 251,000 patients that their data was stolen after a network hack in September 2022. The “network disruption” was first detected on Sept. 5, which prompted BBA to secure the network and engage an outside cybersecurity firm to investigate. Forensics showed that the attacker had gained access more than a week before being discovered, which enabled them to exfiltrate “certain data” from the network on Sept. 3. BBA appears to attribute the lengthy delay in notifying patients to a “thorough investigation” that concluded on Dec. 5. Under the Health Insurance Portability and Accountability Act, covered entities must inform patients of possible data exposure without unreasonable delay and no later than 60 days after discovery of a breach.
READ THE STORY: SCMAG
Been hit by BianLian ransomware? Here's your get-out-of-jail-free card
FROM THE MEDIA: Cybersecurity firm Avast has released a free decryptor for victims of BianLian – an emerging ransomware threat that came into the public eye last year. Victims of BianLian are found in such industries as healthcare, manufacturing, energy, and financial services. Affected parties can download the decryptor to recover their encrypted data – though there could be challenges, according to the Avast researchers. The operators behind BianLian are among a growing number of ransomware groups using newer programming languages – in this case Go, but others are turning to Rust – to make the malware harder to detect, get around endpoint protection tools, and use concurrency capabilities to run multiple computations at the same time.
READ THE STORY: The Register
Russian criminals can't wait to hop over OpenAI's fence, use ChatGPT for evil
FROM THE MEDIA: Cybercriminals are famously fast adopters of new tools for nefarious purposes, and ChatGPT is no different in that regard. However, its adoption by miscreants has happened "even faster than we expected," according to Sergey Shykevich, threat intelligence group manager at Check Point. The security shop's research team said it has already seen Russian cybercriminals on underground forums discussing workarounds so that they can bring OpenAI's ChatGPT to the dark side. Security researchers told The Register this text-generating tool is worrisome because it can be used to experiment with creating polymorphic malware, which can be used in ransomware attacks. It's called polymorphic because it mutates to evade detection and identification by antivirus. Not only that but low-skill miscreants could use the OpenAI bot to generate trivial malware that manages to infect naive or poorly defended networks.
READ THE STORY: The Register
Social Media Traffic Monitoring – From Thought Police to Security Priority
FROM THE MEDIA: It seems as though every week we hear about another government agency that has banned a specific social media platform from its government-issued devices. There are a multitude of reasons for banning social media from devices that touch your network, such as phishing and malware concerns and the privacy overreach written into the platforms’ terms of service, just to name a couple. No matter how restrictive employer policies are on the matter, Social Media Traffic Monitoring is an important endeavor. “Social Media Traffic Monitoring:” Those four words bring me back to high school, pimple-faced, much thinner, and reading a ragged, handed-down copy of George Orwell’s 1984. They make me feel like I am part of the “thought police.”
READ THE STORY: Security Boulevard
Items of interest
No Boxship Shortage for Russia: Turkish Carriers Pick up Liners' Slack
FROM THE MEDIA: As Russia-EU trade via the Baltic Sea was heavily sanctioned in response to the Russian invasion of Ukraine in 2022, Russian traders began to shift towards alternative routes, avoiding EU transshipment ports. The Black Sea port of Novorossiysk is one of their few remaining options. The Russian Baltic container terminals that depend heavily on European container hubs lost over half of their container traffic during January-September 2022 compared to the same period in 2021. At the same time, Russian container turnover on the Black Sea - which largely relies on Turkish container ports for transshipment - dropped by just 11 percent over the same timeframe. Informall BG’s findings show that significant logistical changes have affected containerized cargo moving via Saint Petersburg (prior to the war, a major gateway for Russian containerized freight). Due to liner service suspensions by many shipping companies, certain types of cargo (such as coffee and cocoa beans) that traditionally arrived at the port in ocean containers are now shipped directly to the country by road and rail.
READ THE STORY: Maritime Executive
Direct-To-Satellite Internet of Things (IoT) - Overview, Status and Challenges (Video)
FROM THE MEDIA: Direct-To-Satellite Internet of Things (IoT) - Overview, Status and Challenges.
The Current Landscape of Satellite IoT | Oscar Delgado & Raghu Das (Video)
FROM THE MEDIA: The satellite IoT market is currently growing, with companies such as HEAD Aerospace planning to launch constellations of satellites specifically for IoT purposes. These satellite constellations aim to provide connectivity for various markets and industries.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com