Wednesday, January 25, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
LastPass Parent Company GoTo Suffers Data Breach, Customers' Backups Compromised
FROM THE MEDIA: LastPass-owner GoTo (formerly LogMeIn) on Tuesday disclosed that unidentified threat actors were able to steal encrypted backups of some customers' data along with an encryption key for some of those backups in a November 2022 incident. The breach, which targeted a third-party cloud storage service, impacted Central, Pro, join.me, Hamachi, and RemotelyAnywhere products, the company said. "The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor Authentication (MFA) settings, as well as some product settings and licensing information," GoTo's Paddy Srinivasan said. Additionally, MFA settings pertaining to a subset of its Rescue and GoToMyPC customers were impacted, although there is no evidence that the encrypted databases associated with the two services were exfiltrated.
READ THE STORY: THN // The Record
Well that escalated quickly: India demos homebrew mobile OS
FROM THE MEDIA: A mere week after an Indian government official teased the possibility that the nation could create its own mobile OS to challenge the dominance of Google and Apple, Dharmendra Pradhan, minister for education and minister of skill development & entrepreneurship, has demonstrated just such an OS in action and endorsed it as the sort of thing India should be doing. The OS is called BharOS and was announced last week by the Indian Institute of Technology, Madras. It is reported to ship with no pre-loaded apps and to share no user data, and only private app stores work with it. Pradhan claimed the OS is incapable of running malware, without elaboration.
READ THE STORY: The Register
The FBI says Lazarus Group was behind the Harmony bridge heist
FROM THE MEDIA: The FBI is pinning the blame for a $100 million cryptocurrency heist last June on the Lazarus Group, a team associated with the North Korean government that is notorious for stealing cryptocurrency to help support that country's military and weapons programs. On Tuesday, the FBI released a statement identifying Lazarus Group, also known as APT38, as the culprit for the June 24 attack on the Harmony Horizon bridge that resulted in the loss of $100 million in Ethereum. The Horizon bridge is a cross-chain bridge connecting Harmony to Ethereum, Bitcoin, and Binance Chain. In June, attackers were able to gain access to the bridge and make off with the Ethereum. "The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds," Harmony said at the time of the incident.
READ THE STORY: DUO
VMware Releases Patches for Critical vRealize Log Insight Software Vulnerabilities
FROM THE MEDIA: VMware on Tuesday released software updates to remediate four security vulnerabilities affecting vRealize Log Insight (aka Aria Operations for Logs) that could expose users to remote code execution attacks. Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023. Tracked as CVE-2022-31706 (directory traversal) and CVE-2022-31704 (broken access control), the two issues reach the same outcome by different paths: either can be exploited by an unauthenticated attacker to achieve remote code execution. "An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," the company said of the two shortcomings.
READ THE STORY: THN
Senators slam Ticketmaster for reporting just one bot case to FTC despite Taylor Swift fiasco claims
FROM THE MEDIA: Several U.S. Senators criticized Ticketmaster during a Judiciary Committee hearing on Tuesday for only reporting one case of bot abuse to the Federal Trade Commission, despite previous claims that the company was dealing with unprecedented attacks by resellers using automated tools. Companies like Ticketmaster can report bot abuse to the FTC under the Better Online Ticket Sales (BOTS) Act of 2016, which makes it illegal to circumvent ticket sellers' access controls and purchase limits, and to resell tickets obtained that way. But Joe Berchtold, president of Ticketmaster parent company Live Nation, confirmed to senators that the company has only reported one incident involving bots since 2019.
READ THE STORY: The Record
RT may be shutting down in Europe but it’s growing in Africa
FROM THE MEDIA: The French arm of the state-sponsored broadcaster was the only one to survive the EU ban on Russian media within Europe, issued shortly after Russia invaded Ukraine last February. But the latest round of European Union sanctions on Russia led to the freezing of RT France's assets and forced it to shut down. The Russian Foreign Ministry promised retaliation. The ban does not mean the end of Kremlin disinformation campaigns in Europe, however: researchers in France anticipate that at least some of the RT French-language content will survive through mirror sites and social media. RT may be shutting down in Europe, but it is growing in Africa, where the network is actively recruiting journalists across the continent, offering "competitive packages" and an opportunity to join a company that provides a "true alternative to the Western viewpoint."
READ THE STORY: Coda
Hackers Using Sliver Framework as an Alternative to Cobalt Strike & Metasploit
FROM THE MEDIA: Sliver is an open-source command-and-control framework that is becoming increasingly popular with malicious actors, who are adopting it as a viable alternative to commercial tools such as Cobalt Strike and Metasploit. Designed with scalability in mind, it can be used by organizations of all sizes and adapted to their needs. A comprehensive analysis published a few days ago by Cybereason provides a detailed look at how it operates. Sliver is developed by Bishop Fox: a post-exploitation framework written in Go and built for security professionals engaged in red team operations.
READ THE STORY: GBhackers
How Dangerous Are ChatGPT And Natural Language Technology For Cybersecurity
FROM THE MEDIA: ChatGPT is the hot artificial intelligence (AI) app of the moment. In case you're one of the few who hasn't come across it yet, it's basically a very sophisticated generative-AI chatbot powered by OpenAI's GPT-3 large language model (LLM). That means it's a computer program that can understand and "talk" to us in a way that's very close to conversing with an actual human. A very clever and knowledgeable one at that, backed by a model of around 175 billion parameters and able to respond almost instantly. The sheer power and capability of ChatGPT have fueled the public's imagination about just what could be possible with AI. Already, there's a great deal of speculation about how it will impact a huge number of human job roles, from customer service to computer programming.
READ THE STORY: Forbes
View from Davos: The Changing Economics of Cybercrime
FROM THE MEDIA: While much of the press on the 2023 World Economic Forum in Davos, Switzerland, focused on international strife, on the ground it was a significantly more economic affair. Certainly, many of the conversations focused on how society must do more to align around solutions to the many polycrises we are facing today, including the threat of a third world war, accelerating climate change, and income inequality that has widened since COVID. But chief among topics was real, tactical discussion on how to reduce the profit motives of cybercriminals, and help enterprises look at their cyber risk in a radically different way. In our ransomware panel, Catherine De Bolle, executive director of Europol, noted that cybercrime is a risk created by humans, driven by the economic conditions of high profit and easy opportunity. Ransomware is the most recent monetization of these motives and opportunities, and it has evolved from simple malware to advanced exploits and double or triple extortion models.
READ THE STORY: DARKreading
Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats
FROM THE MEDIA: Unit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks. As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing. Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices. This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world.
READ THE STORY: Unit 42 // Techmonitor
From APIs and Automobiles: Hacker-Turned-Producer Alissa V. Knight
FROM THE MEDIA: Interview with Alissa Valentina Knight, an American author, film director and producer, whose cinematography is influenced by her early days as an infamous computer hacker who was arrested at age 17, then recruited to work for the intelligence community. At the behest of the FBI, she was allowed to test the security of connected vehicles across many of the intelligence agencies, which led to her resulting book, "Hacking Connected Cars," published by Wiley in 2019. She also has another book in the works about hacking APIs, which she determined years ago were not being developed securely or monitored well enough by existing security tools. She is co-founder of commercial production house Knight Studios, part of the Knight Group, which she co-owns with her wife Melissa Knight, a producer and CISO. The pair recently released a membership portal to access their productions, Knight TV. One of their films, #Ransom, co-produced by Conceal, won Best New TV/Web Series at Cannes World Film Festival – Remember the Future. Their content has also been honored as finalists and semi-finalists in other Indie and Cannes festivals.
READ THE STORY: Security Boulevard
Security Navigator Research: Some Vulnerabilities Date Back to the Last Millennium
FROM THE MEDIA: Our Vulnerability Scans are performed on a recurring basis, which gives us the opportunity to examine the difference between when a scan was performed on an Asset and when a given finding on that Asset was first reported. We can call that the finding 'Age'. If the findings first reported are not addressed, they will recur in later scans with increasing Age, and so we can track how the Age of reported findings changes over time. As the chart in the report illustrates, the majority of real findings in our dataset, across all Severity levels, are between 75 and 225 days old. There is a second 'peak' at around 300 days, which we suspect has more to do with the age of the data in the dataset and can therefore be ignored. Finally, there is a fascinating 'bump' at around 1,000 days, which we believe represents the 'long tail' of findings in the dataset that will simply never be addressed.
READ THE STORY: THN
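To make the Age metric concrete, here is an added example (not code or data from the Security Navigator report) that derives it from recurring scan results. The scan records are constructed; the logic computes the first-seen date per asset and finding, treats a finding absent from the asset's latest scan as addressed, and buckets the ages of the still-open findings the way the excerpt's chart does.

```python
"""Finding 'age' over recurring vulnerability scans.

Added example, not code or data from the Security Navigator report.
The scan records below are constructed. Age is computed as the excerpt
describes: the date of the scan that last observed a finding minus the
date that finding was first reported on the same asset.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: (scan date, asset, finding id, severity).
# Finding ids are illustrative labels, not real scanner plugin names.
SCANS = [
    (date(2019, 6, 1),  "legacy-01", "smbv1-enabled",   "high"),
    (date(2022, 1, 10), "web-01",    "log4j-rce",       "critical"),
    (date(2022, 1, 10), "web-01",    "tls-weak-cipher", "medium"),
    (date(2022, 4, 20), "web-01",    "log4j-rce",       "critical"),
    (date(2022, 4, 20), "web-01",    "tls-weak-cipher", "medium"),
    (date(2022, 4, 20), "db-01",     "ssh-weak-mac",    "low"),
    (date(2022, 7, 19), "web-01",    "tls-weak-cipher", "medium"),  # log4j-rce absent: fixed
    (date(2022, 7, 19), "db-01",     "ssh-weak-mac",    "low"),
    (date(2022, 7, 19), "legacy-01", "smbv1-enabled",   "high"),    # the 1,000-day long tail
]

# Age buckets in days, roughly matching the peaks the excerpt describes.
BUCKETS = [(0, 75), (75, 225), (225, 300), (300, 1000), (1000, None)]


def open_findings(scans):
    """Return {(asset, finding): (age_days, severity)} for findings still
    present in the most recent scan of their asset. A finding missing from
    that scan is treated as addressed and dropped."""
    latest_scan, first_seen, severity = {}, {}, {}
    for scan_date, asset, finding, sev in scans:
        latest_scan[asset] = max(latest_scan.get(asset, scan_date), scan_date)
        key = (asset, finding)
        first_seen[key] = min(first_seen.get(key, scan_date), scan_date)
        severity[key] = sev
    still_open = {(a, f) for d, a, f, _ in scans if d == latest_scan[a]}
    return {k: ((latest_scan[k[0]] - first_seen[k]).days, severity[k]) for k in still_open}


def bucket_label(age_days, buckets=BUCKETS):
    """Map an age in days to its bucket label, e.g. 190 -> '75-225', 1144 -> '1000+'."""
    for lo, hi in buckets:
        if age_days >= lo and (hi is None or age_days < hi):
            return f"{lo}-{hi}" if hi is not None else f"{lo}+"
    raise ValueError(f"negative age: {age_days}")


def age_histogram(open_items, buckets=BUCKETS):
    """Count open findings per age bucket and severity: {bucket: {severity: n}}."""
    hist = defaultdict(lambda: defaultdict(int))
    for (_asset, _finding), (age_days, sev) in open_items.items():
        hist[bucket_label(age_days, buckets)][sev] += 1
    return {b: dict(s) for b, s in hist.items()}


if __name__ == "__main__":
    items = open_findings(SCANS)
    for (asset, finding), (age_days, sev) in sorted(items.items()):
        print(f"{asset:10} {finding:16} {sev:9} age={age_days}d")
    print(age_histogram(items))
```

A finding that disappears for one scan and reappears later keeps its original first-seen date, which matches the excerpt's point that unaddressed findings simply recur with increasing Age; a scanner outage for one cycle therefore does not reset the clock. The severity breakdown per bucket is what lets you check whether the long tail is low-severity noise or critical items nobody owns.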
Emotet Malware Makes a Comeback with New Evasion Techniques
FROM THE MEDIA: The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the malware has evolved from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.
READ THE STORY: THN
DOJ, states target Google’s ad dominance
FROM THE MEDIA: The Department of Justice (DOJ) and a handful of states sued Google on Tuesday over the tech giant's dominance in the digital ad space. The case is the second antitrust lawsuit the DOJ has filed against Google, adding to the mounting legal battles from state and federal antitrust enforcers targeting the Silicon Valley giant. Meanwhile, the Senate kicked off its first hearing of the year with a rare display of unity. The issue that bridged the gap across the aisle? Ticketmaster, and an opportunity for lawmakers to outwit each other with Taylor Swift references.
READ THE STORY: The Hill // BleepingComputer
Australians urged to be vigilant against continued cyber attacks from Iran's regime
FROM THE MEDIA: Iranian Revolutionary Guard-affiliated actors have launched targeted cyber attacks on Australian organizations with the aim of using the data obtained for extortion, a report tabled in parliament shows. But the federal government won't disclose whether it is considering listing the Islamic Revolutionary Guard Corps (IRGC), the military arm of Iran's government, as a terrorist organization, or the value of assets or investments that people connected to the regime hold in Australia. A federal parliamentary inquiry investigating recent human rights violations in Iran, which is due to hand down its report next week, heard evidence of surveillance and abuse by the regime against Australian-Iranians who speak out against the Islamic Republic.
READ THE STORY: ABC (AU)
'DragonSpark' Malware: East Asian Cyberattackers Create an OSS Frankenstein
FROM THE MEDIA: We imagine that the world’s most successful hackers write their own dangerous code and invest heavily in the technologies they use to breach their targets. In recent months, however, a new cluster of attacks succeeded with just the opposite approach. According to a report out Jan. 24 from SentinelOne, a threat actor compromised a number of organizations across China and Taiwan by creating a Frankenstein's monster-style composite of preexisting open source components. Among them: multiple tools for escalating user privileges in Windows machines, and for establishing persistence and allowing remote code execution. In addition to adopting other hackers' code, the attackers freely adopted other organizations' infrastructure, too. In staging their malware, the hackers puppeteered servers located in China, Hong Kong, Singapore, and Taiwan, many of which were hosted by perfectly ordinary businesses.
READ THE STORY: DARKReading // The Cyberwire
Russia Affiliated NoName057(16) Hacktivist Group Puts 2023 Czech Presidential Election on the Spot
FROM THE MEDIA: NoName057(16) is a Russian-affiliated hacktivist group that has been active since March 2022. They have been known to target Ukrainian and pro-Ukrainian organizations, businesses, and governments, with the targets shifting according to geopolitical developments. In recent months, the group has focused on various countries in the European Union that have publicly supported Ukraine, including but not limited to Poland, Lithuania, Latvia, Slovakia, Norway, Finland, Germany, Spain, and Denmark. Additionally, the group has also launched attacks on specific targets in the US and the UK. DDoS is the primary method used by NoName057(16) in their attacks. The group has managed to cause temporary unavailability of websites of top private sector targets, such as banks and other financial institutions.
READ THE STORY: CheckPoint
US Cyber Command, DARPA ink cyberwar R&D pact
FROM THE MEDIA: An agreement between US Cyber Command and DARPA aims to move innovative technologies out of the "valley of death" and into the hands of warfighters. The valley of death refers to the "painful and challenging" place where the Department of Defense's pilot technologies go to die unless they can move from the R&D phase into operational use by the military, according to Tejas Patel, DARPA's Constellation program manager. Constellation is a new program that will bridge this valley of death and create a long-term framework for moving cyber capabilities into operational use, he told The Register. For Government Tech Week, we sat down with Patel to discuss the new program, and how the Pentagon plans to use AI-based cybersecurity tools to help prepare for, and ultimately fight, cyberwars.
READ THE STORY: The Register
Russia is losing the cyberwar, or is it?
FROM THE MEDIA: The top target countries for cyberattacks in 2022 included Russia and Ukraine, as one might expect, but there were a few surprises too, with Kazakhstan leading the pack and Egypt coming in at third place, according to findings from ReasonLabs. The security firm reached its conclusion by measuring the average number of detected incidents per web user over the year for each country: Kazakhstan came out well ahead with 23.37, while Russia was second with 20.26. The two nations were followed by Egypt (13.48), Ukraine (10.44), and Bolivia (10.24), with more than half of the world's top 20 target nations located in Asia. This stood in stark contrast to Europe, which returned only a tenth of that total.
READ THE STORY: CyberNews
Chinese hackers threaten to attack S. Korean cybersecurity watchdog
FROM THE MEDIA: A foreign hacker group, apparently a Chinese one, attacked the websites of a dozen mostly research and academic institutions in South Korea over the Lunar New Year holiday, the country's cyber-safety agency said on Wednesday.
The hacker group, which identifies itself as Dawn Cavalry, said on its public channel on messaging app Telegram that its next target is the Korea Internet and Security Agency (KISA), which is the first government agency to be identified as a target of the group's cyberattacks. "The next target is KISA," a Dawn Cavalry administrator wrote in a message in Chinese and English on Telegram. "The specific invasion list is waiting for the official reply from South Korea." "So far, the South Korean government has reported breaches from only 12 agencies, but I've deleted more databases and websites than that."
READ THE STORY: The Korea Times
The Threat Of “Default” Tech
FROM THE MEDIA: There seems to be a never-ending series of cyber-attacks against critical infrastructure in today's headlines. The simple fact is that attacks are happening all the time. In a significant recent example, what started out as a nuisance-level infection went unresolved and grew into a major data loss. It highlights the continued lack of preparedness by organizations to create response plans, and is a glaring indicator that endpoint devices and users are often the first point of attack and compromise. Despite all the regulatory structure in Europe, the subject of recent discussions was the Luxembourg-based energy supplier Encevo and its European subsidiary, electricity operator Enovos. In a post-incident review, the company shared that its customer contact portals were hacked in mid-summer. A malware infection led to escalated access to customer information, something none of us should be comfortable seeing in the hands of nefarious actors. Ransom demands were made.
READ THE STORY: Forbes
League of Legends source code hacked and up for sale
FROM THE MEDIA: On Tuesday, Riot Games, the developer of League of Legends, admitted falling victim to a ransomware attack. The company has confirmed that the source code of one of its most recognized games was leaked. "As promised, we wanted to update you on the status of last week's cyber attack. Over the weekend, our analysis confirmed source code for League, TFT, and a legacy anticheat platform were exfiltrated by the attackers," the company said in a tweet on Tuesday. The company suffered the attack last week, which led to the delays of the scheduled game patches. Riot Games refused to pay the ransom. “Needless to say, we won’t pay.” Soon after the company disclosed the nature of the attack, a threat actor posted an ad on a popular criminal forum, Breached, claiming they were selling League of Legends source code. The ad reads [sic]: "League of Legends Source Code Auction! As you know, League of Legends source code has been stolen, confirmed by Riot Games. I'm starting auction for the source code, at starting $1,000,000. ** INCLUDES PACKMAN (USERMODE ANTI-CHEAT FOR LEAGUE OF LEGENDS & VALORANT) **"
READ THE STORY: Cybernews
Items of interest
'Satellite bodyguards' prepared for space protection
FROM THE MEDIA: During the long years of the Cold War an unwritten agreement adhered to by Russia and the US was that their military satellites would remain off limits to attack. In the three decades since that conflict ended the boundaries of war have eroded to the point that the European Union’s top diplomat warned on Tuesday that space could soon become a “battlefield” between great powers. Speaking at the 15th European Space Conference in Brussels, Josep Borrell stated that Ukraine's defense against Russia demonstrated that satellites were a “game changer” for military maneuvers. That means that the orbiters themselves have now become targets, with an increasing need to protect them. The term “bodyguard satellites” is taking hold in the military lexicon as defense companies actively look at how to defend high value spacecraft against hostile attack. “Ten years ago, if you said do you think anybody would launch anti-satellite weapons that potentially can destroy the International Space Station all of us would have said no,” said Airbus’s military space expert Dr Markos Trichas. “In my personal opinion we need to be ready for a scenario where someone will actually try to take down someone else’s satellite.”
READ THE STORY: The National News
Hacking PLCs and Causing Havoc on Critical Infrastructures (Video)
FROM THE MEDIA: Programmable Logic Controllers (PLCs) are devices used in a variety of industrial plants, from small factories to critical infrastructures like nuclear power plants, dams and wastewater systems.
Cyber Physical Systems Security (5: Attacking SCADA and Modbus Communications)(Video)
FROM THE MEDIA: This video is part of the "Teaching Cyber Physical Systems Security using Interactive Simulation" project.
These open source products are reviewed by analysts at InfoDom Securities and provide context on current media coverage of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com