Tuesday, January 24, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Congressman ‘coming for answers’ after ‘no-fly list’ hack
FROM THE MEDIA: A Republican congressman on the House Committee on Homeland Security is seeking answers about last week’s hack of regional airline CommuteAir, which led to the exposure of a copy of the federal no-fly list from 2019. Alarm has grown since the researcher behind the hack, a Swiss national who goes by maia arson crimew, published a blog post explaining that the information was left exposed on an unsecured server alongside other sensitive data from CommuteAir, a regional airline under United Airlines. On Saturday, Rep. Dan Bishop (R-NC) expressed outrage at the situation. “The entire US no-fly list – with 1.5 million+ entries – was found on an unsecured server by a Swiss hacker,” he said. “Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible? We’ll be coming for answers.”
READ THE STORY: The Record
Axon still wants to put Taser drones in your kid’s school
FROM THE MEDIA: This week, Axon, the company that developed the Taser, is hosting a conference in Las Vegas called TaserCon. The event is billed as an opportunity to talk about law enforcement and public safety. Axon is expected to use the occasion to reintroduce a controversial plan: putting stun gun-equipped drones in schools to prevent mass shootings. Last summer, Axon’s founder and CEO Rick Smith announced the school initiative shortly after mass shootings in Buffalo, New York, and Uvalde, Texas. “We need different, better solutions, including ones that leverage technology to protect our schools, teachers and students,” Smith said at the time. Weaponized drones were something Axon had been focused on for some time. More than a year before the Uvalde shooting, Axon had asked its ethics board to conduct an evaluation of “Project Ion,” a narrower program that envisioned Taser-equipped drones as an alternative to firearms when proximity to a shooter would endanger police.
READ THE STORY: The Record
Roaming Mantis Malware Returns with DNS Changer Capability
FROM THE MEDIA: According to a report from Kaspersky, the infamous Roaming Mantis attack campaign, also known as Shaoye, has resurfaced with a brand-new scheme. As previously reported by Hackread.com, Roaming Mantis operators use DNS changer functionality to abuse compromised public WiFi routers. The objective is to infect a large number of Android smartphones with the Wroba.o mobile malware (also called Agent.eq, Moqhao, XLoader). The primary target of this campaign is currently users in South Korea, but Kaspersky researchers expect its scope to be expanded soon. Researchers explained that the Roaming Mantis attackers are delivering a revamped version of their signature mobile malware Wroba that infiltrates WiFi routers and hijacks their DNS settings. This new attack specifically targets South Korean WiFi routers manufactured by one of the leading network equipment vendors in South Korea.
READ THE STORY: HackRead
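The two things a DNS changer of this kind leaves behind on a victim network are a resolver address the client was never meant to use and answers that no longer match what a trusted resolver returns. The script below checks for both. It is an added example for this digest, not code from Kaspersky or Hackread; the resolv.conf text, the allowlist and every address in it are constructed from RFC 5737 documentation ranges, and the only live call (against Google's public DNS-over-HTTPS JSON API) is kept out of the demo so the rest runs offline.

```python
"""Checks for a DNS changer of the kind Roaming Mantis plants on compromised
routers. Added example for this digest, not code from Kaspersky or Hackread.
Two signals: the resolver addresses handed to the client are no longer the
expected ones, and answers from that resolver diverge from a trusted one.
All addresses below are RFC 5737 documentation ranges, constructed for the demo."""
import ipaddress
import json
import re
import socket
import urllib.request
from typing import Dict, Iterable, List, Set

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Resolver addresses from resolv.conf-style text, in order, deduplicated."""
    seen: List[str] = []
    for addr in NAMESERVER_RE.findall(resolv_conf):
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_nameservers(servers: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Servers outside the allowlist. Entries may be single addresses or CIDRs,
    e.g. the LAN gateway range plus the public resolvers you actually use."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    bad = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)  # not even an address: treat as suspicious
            continue
        if not any(ip in n for n in nets):
            bad.append(s)
    return bad


def divergent_answers(system: Dict[str, Set[str]],
                      reference: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Names whose system-resolver answers share no address with the reference
    resolver's answers. CDN round-robin makes partial overlap normal; a fully
    disjoint answer set for a name queried on both sides is the hijack signal."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for name, sys_ips in system.items():
        ref_ips = reference.get(name)
        if ref_ips is None:
            continue  # no reference answer, nothing to compare
        if sys_ips and ref_ips and sys_ips.isdisjoint(ref_ips):
            out[name] = {"system": sorted(sys_ips), "reference": sorted(ref_ips)}
    return out


def resolve_live(name: str) -> Dict[str, Set[str]]:
    """Live helper (network required, not exercised in the demo): the OS stub
    resolver versus Google's public DNS-over-HTTPS JSON API."""
    system = set(socket.gethostbyname_ex(name)[2])
    url = f"https://dns.google/resolve?name={name}&type=A"
    with urllib.request.urlopen(url, timeout=10) as resp:
        body = json.load(resp)
    reference = {a["data"] for a in body.get("Answer", []) if a.get("type") == 1}
    return {"system": system, "reference": reference}


def demo() -> Dict[str, object]:
    """Constructed inputs: a client whose router now pushes a rogue resolver."""
    resolv_conf = "search lan\nnameserver 192.168.1.1\nnameserver 203.0.113.53\n"
    allowed = ["192.168.0.0/16", "1.1.1.1", "8.8.8.8"]
    servers = parse_nameservers(resolv_conf)
    system = {"bank.example": {"198.51.100.20"}, "www.example": {"192.0.2.50"}}
    reference = {"bank.example": {"192.0.2.10", "192.0.2.11"},
                 "www.example": {"192.0.2.50", "192.0.2.51"}}
    return {
        "servers": servers,
        "rogue_servers": unexpected_nameservers(servers, allowed),
        "hijacked_names": divergent_answers(system, reference),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, feed parse_nameservers the output of the platform's resolver dump and collect the per-name sets with resolve_live; a rogue resolver that only lies about a handful of bank or app-store domains will show up in divergent_answers even when the allowlist check passes, because the attacker may simply reconfigure the router's upstream rather than the address it hands out.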
Ukraine impacted by new Gamaredon cyberattacks exploiting Telegram
FROM THE MEDIA: Ukraine's military and law enforcement sectors are being attacked by Russian state-backed cyberespionage operation Gamaredon with the use of the Telegram messaging app, The Hacker News reports. Gamaredon, also known as Actinium, Iron Tilden, Armageddon, Primitive Bear, Trident Ursa, Shuckworm, and Winterflounder, has been delivering spear-phishing emails using Ukrainian government organization documents as lures, according to a report from the BlackBerry Research and Intelligence Team. Such documents facilitate remote template injection, while a hard-coded Telegram channel retrieves the malware-hosting server's IP address, which eventually leads to the retrieval of an information-stealing malware. "The threat group changes IP addresses dynamically, which makes it even harder to automate analysis through sandbox techniques once the sample has aged out."
READ THE STORY: SCMAG
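Remote template injection, the lure technique this item describes, is easy to miss because the document itself carries no macros: word/settings.xml points at an attached template through a relationship whose Target is an external URL, and Word fetches that template, macros included, when the file is opened. The checker below unpacks a .docx and reports any template relationship that points off the document. It is an added example, not BlackBerry's or Gamaredon's code; the sample document it builds is constructed here, and the 198.51.100.7 address is a documentation-range placeholder.

```python
"""Flag remote template injection in a .docx. Added example for this digest, not
BlackBerry's or Gamaredon's code. A weaponised document is macro-free itself:
word/settings.xml carries <w:attachedTemplate r:id="..."/> and the matching entry
in word/_rels/settings.xml.rels has TargetMode="External" with an http(s) Target,
so Word fetches that template (and whatever macros it holds) on open."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
# http(s), ftp, file:// and UNC targets all cause a fetch when the document opens.
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|file://|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """(rels part, relationship id, target) for every externally sourced template.
    An empty list means no remote template is attached."""
    findings: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # damaged part: worth its own alert, but out of scope here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if rel.get("Type") == ATTACHED_TEMPLATE and (external or REMOTE_TARGET.match(target)):
                    findings.append((name, rel.get("Id", ""), target))
    return findings


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper for a document on disk."""
    with open(path, "rb") as fh:
        return find_remote_templates(fh.read())


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx; with a target it mimics the injected lure."""
    attached = '<w:attachedTemplate r:id="rId1"/>' if template_target else ""
    settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">{attached}</w:settings>'
    settings_rel = (
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>' if template_target else ""
    )
    settings_rels = f'<Relationships xmlns="{REL_NS}">{settings_rel}</Relationships>'
    root_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>'
    )
    document = f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>'
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://198.51.100.7/template.dotm")  # placeholder address
    print("lure:", find_remote_templates(lure))
    print("clean:", find_remote_templates(build_sample_docx(None)))
```

Because the check keys on the relationship type rather than on a URL pattern, it also catches templates pulled over UNC paths or file:// URLs, which trigger the same fetch (and leak NTLM hashes on Windows); pair it with a rule on the retrieved template itself, since the document under scan stays clean by design.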
Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks
FROM THE MEDIA: The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company Bishop Fox, is a Golang-based cross-platform post-exploitation framework that's designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold. In other words, the software is used as a second stage to conduct the next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitation of unpatched flaws.
READ THE STORY: THN
PLAY ransomware group claims attack on Arnold Clark, one of Britain’s largest car dealerships
FROM THE MEDIA: Sensitive personal data allegedly stolen from Arnold Clark, one of the United Kingdom’s largest car dealerships, has been posted online by the PLAY ransomware group. The company had claimed in a Tweet on January 3 to have protected customer data after it discovered suspicious traffic on its network back in December, although it did not confirm the nature of the attack. “Our priority has been to protect our customers’ data, our systems and our third-party partners,” the company stated, adding that “this has been achieved.” Its statement has not been updated following the publication last week of what appear to be customer details on the PLAY ransomware group’s extortion site. Arnold Clark’s press office did not immediately respond to The Record’s request for comment.
READ THE STORY: The Record
Jim Langevin on how Congress has come ‘a long way from where we first started’ on cyber
FROM THE MEDIA: When Jim Langevin entered Congress in 2001, cybersecurity was barely on the radar for most lawmakers. But a drumbeat of hacks and escalating digital threats prompted Langevin, who this year left office after 22 years representing Rhode Island’s 2nd congressional district, to help create the House Cybersecurity Caucus in 2008. As its co-chair, Langevin both raised awareness of the issue and proposed countless measures to strengthen America’s cybersecurity. Langevin was appointed to the Cyberspace Solarium Commission in 2019, which was created by Congress to develop a strategic approach to defending against major cyberattacks, and helped draft dozens of recommendations. More than half of the recommendations, including the establishment of a National Cyber Director, have been implemented or are close to implementation.
READ THE STORY: The Record
Cyberattacks Using AI/ML Technology Targeting Controlled Information
FROM THE MEDIA: The possibilities of AI/ML technology are vast, but it is essential to understand its potential security risks. This article explores the most common methods criminal attackers use to take advantage of AI/ML solutions, and clarifies the terms needed to understand the underlying artificial intelligence (AI) and machine learning (ML) concepts. In conclusion, AI and ML are powerful technologies with the potential to revolutionize many industries, but it is vital to understand their risks and how to mitigate them. By understanding the risks and taking the necessary steps to protect against them, organizations can minimize the chances of becoming victims of a criminal attack.
READ THE STORY: Experts Exchange
FanDuel Cautions Users Of Data Breach In Vendor Hack
FROM THE MEDIA: Customers of the FanDuel sportsbook and betting platform are being cautioned that their names and email addresses were exposed due to a security breach at MailChimp in January 2023. Users are advised to be on the lookout for scam communications. MailChimp announced a compromise on January 13th after hackers used a social engineering effort to get an employee’s login information. The threat actors used these credentials to access an internal MailChimp customer support and administration tool and took the audience data of 133 customers. This audience data varies from one MailChimp customer to the next, but frequently includes the names and email addresses of current or prospective customers. FanDuel informed its customers via email last Thursday that threat actors obtained their names and email addresses as a result of the MailChimp breach: “We recently learned of a security compromise in the system of a third-party technology provider that sends transactional emails on behalf of companies like FanDuel.”
READ THE STORY: InfoSecBuzz
Samsung Galaxy Store App Found Vulnerable to Sneaky App Installs and Fraud
FROM THE MEDIA: Two security flaws have been disclosed in Samsung's Galaxy Store app for Android that could be exploited by a local attacker to stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web. The issues, tracked as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group and notified to the South Korean chaebol in November and December 2022. Samsung classified the bugs as moderate risk and released fixes in version 4.5.49.8 shipped earlier this month. Samsung Galaxy Store, previously known as Samsung Apps and Galaxy Apps, is a dedicated app store used for Android devices manufactured by Samsung. It was launched in September 2009. The first of the two vulnerabilities is CVE-2023-21433, which could enable an already installed rogue Android app on a Samsung device to install any application available on the Galaxy Store.
READ THE STORY: THN
Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability
FROM THE MEDIA: Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November 30, 2022, as part of iOS 16.1.2 update, the patch was expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the iPhone maker said in an advisory published Monday. To that end, the latest update, iOS 12.5.7, is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
READ THE STORY: THN
Facebook Introduces New Features for End-to-End Encrypted Messenger App
FROM THE MEDIA: Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption (E2EE) in Messenger chats by default. "Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by end-to-end encryption," Meta's Melissa Miranda said. The social media behemoth said it intends to notify users in select individual chat threads as the security feature is enabled, while emphasizing that the process of choosing and upgrading the conversations to support E2EE is random. "It's designed to be random so that there isn't a negative impact on our infrastructure and people's chat experience," Miranda further explained. Along with flipping the switch on E2EE, Meta has also added more features into its encrypted chat experience, including support for themes, custom emojis and reactions, group profile photos, link previews, and active status.
READ THE STORY: THN
Los Angeles Unified School District confirms SSNs leaked in September ransomware attack
FROM THE MEDIA: The Los Angeles Unified School District (LAUSD) sent out breach notification letters to an unknown number of contractors in recent days notifying them that sensitive information – including Social Security numbers – was leaked during a wide-ranging cyberattack last year. The school district said an investigation revealed that from July 31 until September 3 hackers had access to LAUSD servers containing contractor information provided to the district. Those affected include current and former contractors and subcontractors who had provided the district with personal information in connection with Facilities Services Division projects. “Our review of the files that were accessed and acquired by the unauthorized actor is still ongoing. However, on January 9, 2023, we identified labor compliance documents, including certified payroll records,” officials said.
READ THE STORY: The Record
Riot Games to pause updates after social engineering attack
FROM THE MEDIA: Video game developer and esports organizer Riot Games was affected by a social engineering cyberattack last week, the company announced on January 20. The attack, which compromised multiple systems, affects the company’s ability to release content, as well as other operations at the company, including patching. A senior official at Riot Games clarified that the latest update scheduled for this week will still go out but other changes will be held. “We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained,” the developer said on Friday afternoon. “Please be patient with us as we work through this, and we’ll keep you posted as we continue our investigation.”
READ THE STORY: The Record
Credential Stuffing Attack Impacts About 35,000 PayPal Accounts, Company Says No Unauthorized Transactions Detected
FROM THE MEDIA: Though it did not suffer a breach of its own systems, PayPal is reporting that a massive credential stuffing attack appears to have yielded access to about 35,000 accounts. The number is a small fraction of PayPal’s userbase, and the accounts in question were likely re-using credentials that were exposed in some other data breach. PayPal says that it has contacted those who were impacted and is offering two years of Equifax’s identity monitoring service free of charge, and that it did not detect any unauthorized transactions as a result of the attack. A breach notification indicates that the credential stuffing attack took place from December 6 to December 8, 2022, when PayPal detected the campaign and cut off access. On December 20 the company verified that some PayPal accounts had been successfully accessed by the attackers.
READ THE STORY: CPOMAG
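What makes an incident like this detectable from the provider's side is the shape of the traffic: a stuffing run sprays one password per account across many accounts from a few sources, so a source hits a large number of distinct usernames with a low success rate, unlike a brute-force attempt that hammers one account. The detector below applies that rule over a sliding window and reports the accounts that did succeed from a flagged source, which are the ones to reset. It is an added example, not PayPal's code; the log format and the log lines it parses are constructed for the demo, and the addresses are documentation-range placeholders.

```python
"""Credential-stuffing detection over authentication logs. Added example for this
digest, not PayPal's code. The log format is constructed for the demo:
"<iso-time> auth ip=<src> user=<name> result=ok|fail", one line per attempt.
Stuffing differs from password brute force: one source tries many distinct
accounts, each once or twice, and a small share succeed because those users
reused a password leaked elsewhere."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Attempt]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated or malformed line
    return Attempt(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def parse_log(lines: Iterable[str]) -> List[Attempt]:
    return [a for a in (parse_line(line) for line in lines) if a is not None]


def detect_stuffing(attempts: Iterable[Attempt], window: timedelta = timedelta(minutes=10),
                    min_distinct_users: int = 20, max_success_ratio: float = 0.2) -> Dict[str, dict]:
    """Per source IP, slide a time window over its attempts; flag the IP once the
    window holds >= min_distinct_users different accounts with a success ratio at
    or below max_success_ratio. Accounts that succeeded inside a flagged window are
    reported as compromised (force a reset and revoke their sessions)."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)
    flagged: Dict[str, dict] = {}
    for ip, rows in by_ip.items():
        win: deque = deque()
        users: Counter = Counter()
        successes = 0
        peak_users = 0
        compromised = set()
        for a in rows:
            win.append(a)
            users[a.user] += 1
            successes += int(a.ok)
            while a.ts - win[0].ts > window:  # evict attempts older than the window
                old = win.popleft()
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                successes -= int(old.ok)
            if len(users) >= min_distinct_users and successes / len(win) <= max_success_ratio:
                peak_users = max(peak_users, len(users))
                compromised.update(x.user for x in win if x.ok)
        if peak_users:
            flagged[ip] = {"distinct_users": peak_users, "attempts": len(rows),
                           "compromised": sorted(compromised)}
    return flagged


def sample_log() -> List[str]:
    """Constructed: one source sprays 50 accounts in about four minutes (three reused
    passwords work), while a legitimate user mistypes twice before logging in."""
    t0 = datetime(2022, 12, 6, 10, 0, 0)
    lines = []
    for i in range(50):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        result = "ok" if i in (7, 19, 33) else "fail"
        lines.append(f"{ts} auth ip=203.0.113.9 user=u{i:02d} result={result}")
    for offset, result in ((60, "fail"), (90, "fail"), (120, "ok")):
        ts = (t0 + timedelta(seconds=offset)).isoformat()
        lines.append(f"{ts} auth ip=192.0.2.5 user=alice result={result}")
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(sample_log())).items():
        print(ip, info)
```

Real campaigns spread the attempts over proxy pools, so in production the same window logic is usually keyed on a coarser attribute as well (ASN, device fingerprint, or the password-hash prefix being tried) and the thresholds are tuned against the site's normal per-source account diversity.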
Hacker Exchanges $150 Million in ETH Into Staked Coins
FROM THE MEDIA: After several days of dormancy, the address linked to the theft of $323 million worth of Ethereum (ETH) from Wormhole has begun shuffling assets, according to records on Etherscan. The news about the activity on the cross-chain protocol Wormhole was first highlighted by Twitter user @Spreekaway on Monday, January 23, noting that the threat actor had converted his ETH to wstETH and was going to borrow DAI against it. Based on blockchain transaction history, the exploiter transferred the funds onto a decentralized exchange (DEX) and then went on to cycle funds around different DeFi protocols. Wormhole is a communication bridge linking Solana to other DeFi blockchain networks. The hackers stole approximately $320 million from it in 2022, marking it one of the biggest thefts of that kind. However, the losses were refunded by the crypto division of trading giant Jump, a leading force behind Wormhole.
READ THE STORY: Inside Bitcoins
Australia fronts International Counter Ransomware Taskforce
FROM THE MEDIA: The International Counter Ransomware Taskforce (ICRTF), envisioned by the International Counter Ransomware Initiative (CRI), kicked off its operations with Australia as its inaugural chair and coordinator. The CRI was first brought together in October 2021 with a virtual meeting of 30 countries, facilitated by the US White House National Security Council. The intention to set up a taskforce originated from the CRI’s second summit, with the goal of developing cross-sectoral tools and exchanging cyber threat intelligence to increase early warning capabilities and prevent attacks. The taskforce would also help consolidate policy and best practice frameworks. It was established in the Australian Department of Home Affairs’ Cyber and Critical Technology Coordination Centre.
READ THE STORY: ARNNET
ICE releases victims of recent data breach
FROM THE MEDIA: Governing.com reports that US Immigration and Customs Enforcement (ICE) officials have released nearly three thousand immigrants whose personal data were inadvertently posted on the web. The exposed data, which include birth dates, nationalities, and detention locations, were accidentally posted to the ICE website by government officials in November 2022, and immigration experts say the leak could put the victims at the mercy of the governments or individuals from which they’ve escaped. ICE has agreed not to deport any of the individuals impacted by the breach until they have a chance to raise the issue in immigration court. Unfortunately, over one hundred of the victims had already been deported by the time the leak was discovered, and a handful more were deported shortly after the exposure occurred. ICE says it will assist any of the deported individuals who would like to return to the US. Heidi Altman, policy director at the immigration advocacy organization the National Immigrant Justice Center, says ICE should go a step further and guarantee the safe return of the deported individuals. “Although inadvertent, ICE put lives at risk through this data breach,” Altman explains.
READ THE STORY: The Cyberwire
Cyberespionage threat actor exploits CVE-2022-42475 FortiOS vulnerability
FROM THE MEDIA: In December 2022, security company Mandiant, now a Google Cloud company, identified FortiOS malware, written in C, deployed by exploiting the CVE-2022-42475 FortiOS vulnerability. According to Mandiant, the malware, which it has termed BOLDMOVE, exists in both Linux and Windows variants. This critical vulnerability affects FortiOS, an operating system developed by Fortinet, and consists of a heap-based buffer overflow in the FortiOS SSL-VPN which may allow an attacker to execute code or commands via specially crafted requests. The vulnerability was patched by Fortinet three days after its discovery but was used by at least one threat actor prior to the patching. A detailed analysis of the vulnerability done by Fortinet reveals that “the complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.”
READ THE STORY: TechRepublic
The ‘Enshittification’ of TikTok
FROM THE MEDIA: Here is how platforms die: First, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die. I call this enshittification, and it is a seemingly inevitable consequence arising from the combination of the ease of changing how a platform allocates value, combined with the nature of a "two-sided market," where a platform sits between buyers and sellers, holding each hostage to the other, raking off an ever-larger share of the value that passes between them. When a platform starts, it needs users, so it makes itself valuable to users. Think of Amazon: For many years, it operated at a loss, using its access to the capital markets to subsidize everything you bought. It sold goods below cost and shipped them below cost. It operated a clean and useful search. If you searched for a product, Amazon tried its damndest to put it at the top of the search results.
READ THE STORY: Wired
Items of interest
Hacktivism Is a Risky Career Path
FROM THE MEDIA: The international community will be faced with the question of how to decommission the IT Army of Ukraine. Governments around the world will be keen to revert to the status quo from before the Russian invasion of Ukraine—and before hacktivism was legitimized. This may be easier said than done. With a quarter of a million subscribers to the IT Army of Ukraine Telegram channel, and a bilingual website providing attack instructions, target statuses, command tools, and distributed denial of service (DDoS) bots, it’s not hard to see why governments have warned their citizens against joining. The problem is not that the cause is unjust but that there is no legal protection for civilians engaged in offensive cyber operations. History provides a valuable lesson here. In a WIRED article, journalist Matt Burgess rightly pointed out that “a government-led volunteer unit that’s designed to operate in the middle of a fast-moving war zone … is without precedent” in the IT space. We do have precedents for land wars involving international volunteers.
READ THE STORY: Wired
This Is Better Than ChatGPT (With Prompting Guide) (Video)
FROM THE MEDIA: Everyone's talking about ChatGPT. But there's actually a tool that I find to work even better than ChatGPT... It's the original GPT-3 and here's a breakdown of how to use it, complete with some of the coolest prompts.
She hacked a billionaire, a bank and you could be next. Do this now to protect yourself (Video)
FROM THE MEDIA: She has hacked a CNN reporter, a billionaire, a bank and many others. Rachel Tobac can hack just about anyone - including you. Learn how to protect yourself.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com