Saturday, January 21, 2023 // (IG): BB // BSidesCharm// Coffee for Bob
Cyberattack on Nunavut energy supplier limits company operations
FROM THE MEDIA: A wide-ranging cyberattack on the Qulliq Energy Corporation (QEC) in Canada’s Nunavut territory has crippled the company’s administrative offices. Officials with the company said the attack started on January 15 and while power plants are still operating normally, computer systems at the corporation’s customer care and administrative offices are unavailable. The company cannot accept bill payment through credit cards but customers can pay using cash or through bank transfers. The premier of the region, P.J. Akeeagok, said in a statement that the government is working with the company to respond to the incident, with several government departments providing personnel. “These types of attacks are criminal. Expert cybersecurity and legal advice have been retained and the Royal Canadian Mounted Police are assisting QEC’s ongoing investigation,” Akeeagok said. “Cabinet and our regular members are being kept informed of the situation and are confident in the course of action being taken by the corporation and our public service.”
READ THE STORY: The Record
FTX Trading presentation explains 'the mechanics behind' the Alameda debacle
FROM THE MEDIA: FTX Trading said it had “uncovered the mechanics behind how Alameda Research” had the ability to borrow “effectively unlimited amounts” from FTX customers without providing any collateral. The company also said it uncovered a feature of the company’s operations that provided to a “small group of individuals … the ability to remove digital assets from the [company’s] exchange without being recorded on the exchange ledger.” The additional information was contained in a 20-page presentation used by the company during a Jan. 17 meeting to update the unsecured creditors’ committee in the case on the company’s efforts to locate assets that could be used to fund distributions to creditors.
READ THE STORY: PitchBook
Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram
FROM THE MEDIA: The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country. "The Gamaredon group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload," the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. "This kind of technique to infect target systems is new." Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults aimed at Ukrainian entities since at least 2013. Last month, Palo Alto Networks Unit 42 disclosed the threat actor's unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.
READ THE STORY: THN
‘No Big Bang’: Cyber successes in Ukraine are no cause for complacency in US
FROM THE MEDIA: In cyberspace, as on the ground, Ukraine has done a remarkable job fending off Russian attacks. That’s not because Russian cyber warfare is weak, warned officials and experts at a National Security Institute event here on Thursday. It’s because, after the shocking losses of Crimea and Eastern Donbas in 2014, Ukraine got serious about the threat and — with extensive US and European help — spent eight years preparing for an all-out Russian attack. But has the US taken its own defenses as seriously? Has it prepared as well for an attack on critical public and private networks as Ukraine did before 2022? According to NSI founder Prof. Jamil Jaffer, no. “Have we operationalized it [cyber defense] effectively, for real?” Jaffer told Breaking Defense during a sidebar interview after the public panel, which featured experts from the NSA, Homeland Security, State Department, and Google.
READ THE STORY: Breaking Defense
T-Mobile’s $150 Million Security Plan Isn’t Cutting It
FROM THE MEDIA: T-Mobile said that it suffered a data breach beginning on November 26 that impacts 37 million current customers on both prepaid and postpay accounts. The company said in a US Securities and Exchange Commission filing that a “bad actor” manipulated one of the company's application programming interfaces (APIs) to steal customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The initial intrusion occurred at the end of November, and T-Mobile discovered the activity on January 5. T-Mobile is one of the US's largest mobile carriers and is estimated to have more than 100 million customers. But in the past 10 years, the company has developed a reputation for suffering repeated data breaches alongside other security incidents. The company had a mega breach in 2021, two breaches in 2020, one in 2019, and another in 2018.
READ THE STORY: Wired
Emotet Returns With New Methods of Evasion
FROM THE MEDIA: Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as “epochs” by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks. Once it is successfully running on an endpoint, Emotet drops other malicious programs such as Qakbot, Cobalt Strike, or in some cases, even the notorious Ryuk ransomware. However, as of July 2022, the heavily distributed Malware-as-a-Service (MaaS) seemingly went dark, and no longer appeared to be running these spam campaigns. For the next four months, Emotet remained silent. Then, on November 2, the Cryptolaemus group found that its botnets, particularly those known as Epoch4 and Epoch5, had begun sending out spam emails once again.
READ THE STORY: Blackberry
LAUSD says Vice Society ransomware gang stole contractors’ SSNs
FROM THE MEDIA: Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors' personal information, including Social Security Numbers (SSNs). LAUSD also revealed that the threat actors were active in its network for over two months, between July 31, 2022, and September 3, 2022. "Through our ongoing investigation, we determined that between July 31, 2022, and September 3, 2022, an unauthorized actor accessed and acquired certain files maintained on our servers," the school district said in data breach notification letters sent to affected individuals.
READ THE STORY: BleepingComputer
Ukraine signs agreement to join NATO cyber defense center
FROM THE MEDIA: Ukraine has taken another step to deepen its cooperation with NATO in the cybersecurity field as its war with Russia — both kinetic and digital — approaches the one-year mark. On Thursday, Ukraine signed an agreement to join the Estonia-based NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE). Before it is official, all of CCDCOE’s members will have to sign this agreement. CCDCOE conducts research on cyber policy, coordinates education and training in cyber defense for all NATO bodies, and organizes the world’s largest international cyber defense exercise, called Locked Shields.
READ THE STORY: The Record
Electronic health record giant NextGen dealing with cyberattack
FROM THE MEDIA: Hospital technology giant NextGen Healthcare said it is responding to a cyberattack after a notorious ransomware group added the company to its list of victims. The multibillion-dollar healthcare giant produces electronic health record (EHR) software and practice management systems for hundreds of the biggest hospitals and clinics in the U.S., U.K., India and Canada. On Tuesday, hackers associated with the AlphV/BlackCat ransomware added the company to its list of victims alongside several other businesses. A spokesperson for NextGen Healthcare said it is aware of the claim and explained that they have been working with cybersecurity experts to “investigate and remediate” the issue.
READ THE STORY: The Record
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps
FROM THE MEDIA: The 8220 Gang, a Chinese threat organization that operates for profit, was the subject of a threat bulletin from Radware today. Using a specially created crypto miner and IRC bot, the group, also known as the 8220 Mining Group, has started the New Year by focusing on apps with insufficient security and public cloud settings. The 8220 Gang is well recognized for employing a range of strategies and methods to conceal its operations and avoid capture, but its tradecraft is not flawless: it was discovered attempting to infect one of Radware’s Redis honeypots. Redis ranked fourth, according to the Radware Threat Report for 2022. In Radware’s Global Deception Network, TCP port scanning and exploitation rose to the ninth spot in 2022 from the tenth in 2021.
READ THE STORY: Information Security Buzz
ChatGPT’s Dark Side: An Endless Supply of Polymorphic Malware
FROM THE MEDIA: CyberArk researchers are warning that OpenAI’s popular new AI tool ChatGPT can be used to create polymorphic malware. “[ChatGPT]’s impressive features offer fast and intuitive code examples, which are incredibly beneficial for anyone in the software business,” CyberArk researchers Eran Shimony and Omer Tsarfati wrote this week in a blog post that was itself apparently written by AI. “However, we find that its ability to write sophisticated malware that holds no malicious code is also quite advanced.” While ChatGPT’s built-in content filters are intended to prevent it from helping to create malware, the researchers were quickly able to bypass those filters by repeating and rephrasing their requests – and when they used the API rather than the web version, no content filter was applied at all.
READ THE STORY: E Security Planet
New Boldmove Linux malware used to backdoor Fortinet devices
FROM THE MEDIA: Suspected Chinese hackers exploited a recently disclosed FortiOS SSL-VPN vulnerability as a zero-day in December, targeting a European government and an African MSP with a new custom 'BOLDMOVE' Linux and Windows malware. The vulnerability is tracked as CVE-2022-42475 and was quietly fixed by Fortinet in November. Fortinet publicly disclosed the vulnerability in December, urging customers to patch their devices as threat actors were actively exploiting the flaw. The flaw allows remote unauthenticated attackers to crash targeted devices remotely or gain remote code execution.
READ THE STORY: BleepingComputer
Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers' DNS Settings
FROM THE MEDIA: Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea. Roaming Mantis, also known as Shaoye, is a long-running financially motivated operation that singles out Android smartphone users with malware capable of stealing bank account credentials as well as harvesting other kinds of sensitive information. Although primarily targeting the Asian region since 2018, the hacking crew was detected expanding its victim range to include France and Germany for the first time in early 2022 by camouflaging the malware as the Google Chrome web browser application.
READ THE STORY: THN
Exploits released for two Samsung Galaxy App Store vulnerabilities
FROM THE MEDIA: Two vulnerabilities in the Galaxy App Store, Samsung’s official repository for its devices, could enable attackers to install any app in the Galaxy Store without the user’s knowledge or to direct victims to a malicious web location. The issues were discovered by researchers from the NCC Group between November 23 and December 3, 2022. The Korean smartphone maker announced on January 1, 2023 that it fixed the two flaws and released a new version for Galaxy App Store (4.5.49.8). Today, the NCC Group published technical details for the two security issues, along with proof-of-concept (PoC) exploit code for each of them.
READ THE STORY: BleepingComputer
95% of Coinbase Users Rely on SMS-Based 2FA, Account Takeover Stats Reveal
FROM THE MEDIA: Cryptocurrency platform Coinbase has revealed the account takeover rates for user accounts in an effort to encourage customers to upgrade their security settings. The stats say about 95% of Coinbase’s customers are enrolled in SMS-based two-factor authentication—the weakest 2FA method available. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022. Meanwhile, users who protected their accounts with stronger two-factor authentication modes, such as authenticator apps and security keys, made up less than 5% of the account takeovers. Coinbase requires all users to protect their accounts with two-factor authentication. This forces anyone logging in to supply both the correct password and a one-time passcode generated on their phone, thereby making it much harder to break in.
READ THE STORY: PCMAG
Tamping down demand for spyware in Europe is an uphill battle
FROM THE MEDIA: Greek authorities closed out 2022 with a bang by raiding six surveillance-for-hire companies. A key target of the crackdown was Intellexa, an Israeli cyber intelligence firm operating in Greece through its subsidiary, Cytrox. Known for its Predator software — which collects mobile phone data after user interaction with a malicious link — Intellexa has become a major spyware exporter, which some governments use for repression of their people. However, Greece’s Intellexa clampdown is not a success story against a notoriously under-regulated industry. Instead, it is a reminder of authoritarian appetites for surveillance and regulatory irresponsibility across Europe. The raids occurred amidst a domestic spying scandal, in which the Greek National Intelligence Service (EYP) allegedly illegally monitored journalists, government officials and politicians with Predator.
READ THE STORY: The Hill
Compromised Zendesk Employee Credentials Lead to Breach
FROM THE MEDIA: Zendesk, a software-as-a-service (SaaS) provider of customer relationship management (CRM) software, was compromised in October, exposing client account data to a threat actor, according to an email sent to affected accounts on Jan. 13, 2023. The email from Zendesk with the details of the security incident was made public by Coinigy, which provides virtual wallet services and "felt the need to disclose it to our customers," Coinigy's post about the compromise explained. Zendesk explained in the email to Coinigy that the breach was the result of an SMS phishing campaign targeting Zendesk employees. "Zendesk determined that Service Data belonging to your coinigy.zendesk.com account may have been in the (exposed) unstructured logging platform data," the email from Zendesk explained.
READ THE STORY: DarkReading
TSA investigating how some no-fly list data was exposed on internet
FROM THE MEDIA: The Transportation Security Administration said it was investigating a “potential cybersecurity incident” after a hacker claimed to have accessed an older version of the agency’s no-fly list of known or suspected terrorists. “TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” TSA said in a statement to CNN. The data was sitting on the public internet on an unsecured server hosted by CommuteAir, a regional airline based in Ohio, according to the hacker claiming the discovery. The hacker, who also describes herself as a cybersecurity researcher, told CNN she notified CommuteAir of the data exposure. CommuteAir said in a statement that the data accessed by the hacker was “an outdated 2019 version of the federal no-fly list” that included names and birthdates.
READ THE STORY: CNN
T-Mobile API Breach: Playing the Victim
FROM THE MEDIA: I’m not sure what is less surprising, that a big company got hacked or that they are trying to play the victim. The headline is that T-Mobile acknowledged that data on roughly 37 million customers was stolen. The breach resulted from a “bad actor” abusing an API to gain access to the data. First, let’s acknowledge that APIs have become fundamental to application architecture. It’s how microservices are stitched together and how broader systems communicate. If it’s been built with modern development practices, it’s built on APIs. Thus, securing APIs should be a priority of application security. Yet, we still live in a build-now, secure-later (if ever) world. So organizations few and far between consider API security on par with application scanning, and it’s not like all organizations have mastered application security scanning. API security is an emerging discipline, which means we’ll continue to have high-profile breaches due to vulnerable APIs.
READ THE STORY: Security Boulevard
Industry looks at the MailChimp data incident
FROM THE MEDIA: Email marketing firm MailChimp this week confirmed that it experienced a data breach after hackers infiltrated an internal customer support and account administration tool. The attackers accessed the data of 133 users by using employee credentials acquired in a social engineering attack aimed at MailChimp staff and contractors. The company first detected an unauthorized individual accessing their system support tools on January 11. Fortunately, MailChimp was able to act quickly, temporarily suspending the accounts where suspicious activity was logged and notifying the primary contacts for all impacted accounts less than twenty-four hours after the breach was discovered. Though the number of affected customers is small, one of them was the popular WooCommerce eCommerce plugin for WordPress, which warned users that the incident exposed their names, store URLs, addresses, and email addresses.
READ THE STORY: The Cyberwire
Pentagon strategy calls for integrated satellite comm networks
FROM THE MEDIA: As the Pentagon modernizes its satellite communications enterprise, its first task will be to develop standards to improve data sharing among SATCOM networks, according to an enterprise-level strategy released this week. U.S. Department of Defense Chief Information Officer John Sherman approved the Enterprise SATCOM Management and Control Implementation Plan in December and released it publicly Wednesday. The document provides guidance for DoD agencies that design, operate and develop space-based communications capabilities and lays out a phased approach to modernizing SATCOM capabilities to improve collaboration with partners and make systems more resilient against threats.
READ THE STORY: C4ISR
Critical ManageEngine RCE bug now exploited to open reverse shells
FROM THE MEDIA: A critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products is now being exploited in attacks. The first exploitation attempts were observed by cybersecurity firm Rapid7 on Tuesday, two days before Horizon3 security researchers released public exploit code and in-depth technical analysis of the flaw. "Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products," the threat detection firm said. "Rapid7 observed exploitation across organizations as early as January 17, 2023 (UTC)."
READ THE STORY: BleepingComputer
Items of interest
Tech Giant Says the World Will Need Decades to Fix the Chip Problem
FROM THE MEDIA: The chip shortage seems to be easing off, with the most optimistic industry experts believing that the struggle could eventually come to an end this year. And while it’s hard to make an accurate assumption right now, especially due to the uncertainty that’s still impacting chip production, Intel believes that the world would have a much more difficult time addressing the cause of the crisis in the first place. Speaking at the World Economic Forum, Intel CEO Patrick Gelsinger pointed to the extreme reliance on Asian production power for the chips, explaining that Europe and the United States have lost traction in the manufacturing business.
READ THE STORY: Auto Evolution
Forced Digital Transformation and the Realities to ICS/OT Cybersecurity (Video)
FROM THE MEDIA: The COVID-19 crisis has forced companies into a pseudo digital transformation with hyper connectivity and some level of remote operations, driving cybersecurity to ‘mission critical’ nearly overnight.
ICS Village Running the S4x23 ICS Capture The Flag Competition (Video)
FROM THE MEDIA: Tom VanNorman and Don Weber join Dale to describe the ICS Capture The Flag competition they will be running at S4x23, Feb 13 - 16 in Miami South Beach.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com