Thursday, January 26, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
British cyber agency issues warning over Russian and Iranian espionage campaigns
FROM THE MEDIA: The UK's National Cyber Security Centre (NCSC) has warned of two separate but similar espionage campaigns from Russian and Iranian-linked groups. The NCSC has identified the groups as "Russia-based" SEABORGIUM and "Iran-based" APT42, or Charming Kitten. The hackers have taken the time to research their targets' interests and contacts to create a believable approach and establish a rapport with them, before attempting to dupe them into visiting a website which looks like the real sign-in page of a legitimate service, such as Gmail or Office 365, but is actually designed to harvest the target’s log-in credentials. The NCSC has published an advisory to raise awareness of the persistent threat posed by spear-phishing attacks and to encourage individuals and organizations to remain vigilant and protect themselves online.
READ THE STORY: The Record
U.S. Intelligence Wants to Use Psychology to Avert Cyberattacks
FROM THE MEDIA: The US intelligence community's main research organization, IARPA, is exploring ways to utilize psychological principles in order to counter cyberattacks. By understanding the behavior and decision-making of hackers, IARPA hopes to create systems designed to specifically account for and manipulate human limitations such as biases. European police are already using cyber psychology to understand different kinds of criminal attackers, and companies and governments have been looking to technology to automate defense and detection tasks due to a global talent shortage. With the help of IARPA, technology companies have already begun to create software that can identify misinformation and disinformation, as well as deception tools like honeypots to confuse and frustrate hackers. Ultimately, the goal is to use psychological theories to create technology that can account for and manipulate the cognitive vulnerabilities of attackers.
READ THE STORY: The Wall Street Journal
Exploit released for Microsoft bug allowing attacker to masquerade as legitimate entity
FROM THE MEDIA: Researchers from Akamai have discovered a vulnerability in Microsoft's CryptoAPI tool that affects Windows' application programming interface for cryptography. The bug, which carries a vulnerability score of 7.5, was patched by Microsoft in August 2022 but only disclosed two months later. Akamai researchers have released a proof-of-concept for the exploit, which involves modifying a legitimate certificate and serving it to a victim, and have determined that fewer than 1% of visible devices in data centers are patched, leaving them vulnerable to exploitation. The bug is particularly concerning because of how important certificates are to identity verification online, making it a potentially lucrative bug for attackers. Akamai believes there may be other vulnerable targets in the wild, and is urging users of even discontinued versions of Windows, such as Windows 7, to patch the vulnerability.
READ THE STORY: The Record
Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages
FROM THE MEDIA: For months, a malicious cyber attack campaign has been targeting WordPress websites, infecting over 4,500 sites and inserting malicious code into the index.php file. The rogue code is designed to redirect visitors to unwanted sites, as well as to display misleading browser update alerts and trigger drive-by downloads of malware. Google has since stepped in to block one of the rogue domains, but WordPress site owners should still take steps to mitigate the threat, including changing passwords, updating installed themes and plugins, and removing unused ones.
READ THE STORY: THN
PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration
FROM THE MEDIA: A new Python-based attack campaign has been uncovered by cybersecurity researchers which utilizes a remote access trojan to gain control over systems. This malware, dubbed PY#RATION, has an array of capabilities such as harvesting sensitive information, executing system commands, recording keystrokes, and siphoning data from web browsers and cryptocurrency wallets. It is difficult to detect because it is a compiled Python binary and is encrypted using the fernet module. The origin of the threat actor is unknown, but the phishing lures suggest the targets could be in the U.K. or North America.
READ THE STORY: THN
Yandex source code leaked on a hacking forum
FROM THE MEDIA: Someone has leaked the source code of Russia's largest IT corporation, Yandex, dubbed the Russian Google, on a popular hacking forum. The data includes the source code of all major services such as the search engine, Yandex Maps, AI assistant Alice, Yandex Taxi, Yandex Mail, Yandex Pay, and others. The files are dated to February 24, 2022, the day Russia invaded Ukraine, suggesting the attack was motivated by the invasion. Yandex has launched an investigation and has confirmed the leak does not include any user or employee personal data. This is not the first time pro-Ukrainian hackers have attacked Yandex, as last year they meddled with the ride-hailing service to create a traffic jam in the Russian capital. The European Union has sanctioned the company's co-founder Arkady Volozh for the search engine's alleged role in censorship.
READ THE STORY: Cybernews
U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software
FROM THE MEDIA: At least two federal agencies in the U.S. have fallen victim to a "widespread cyber campaign" that involves the use of legitimate remote monitoring and management (RMM) software to perpetrate a phishing scam. This campaign was identified by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC). The campaign is financially motivated, but the access gained by the criminals could also be used for other activities. The emails contain a phone number and a malicious domain which, when visited, downloads a binary that connects to a second-stage domain to retrieve the RMM software. This is then used to initiate a refund scam that defrauds victims of their money. The campaign is attributed to a large trojan operation and is similar to other telephone-oriented attack delivery methods.
READ THE STORY: THN // BleepingComputer
Contractor error led to Baltimore schools ransomware attack
FROM THE MEDIA: A 2020 ransomware attack against Baltimore County Public Schools, which represents over 115,000 students, was investigated by the Office of the Inspector General for Education. The attack was found to have been triggered by a contractor error when an employee clicked on an infected email attachment. The report found that the malware used had been programmed to delay its initial execution to avoid immediate detection, which allowed the malware to disable critical functions within the BCPS network. The attack has so far cost the school district over $9.6 million in recovery and system upgrades. Baltimore County Public Schools has implemented several of the recommendations from the OIGE report and has been cited as a gold standard of prevention and defense.
READ THE STORY: TechTarget
Russian 'hacktivists' briefly knock German websites offline
FROM THE MEDIA: On Wednesday, Russian activist hackers launched a coordinated distributed denial-of-service (DDoS) attack against several German websites in response to Berlin’s decision to send tanks to Ukraine. Germany's BSI cyber agency reported that the attack had little tangible effect, as most websites were protected. The attack was claimed by Killnet, a self-proclaimed Russian “hacktivist” group that is likely connected to Russian intelligence services. The Kremlin denied any knowledge of the attack and questioned why any group of hackers would be associated with Russia.
READ THE STORY: Euronews
North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks
FROM THE MEDIA: The North Korean nation-state group TA444 (also known as APT38, BlueNoroff, Copernicium, and Stardust Chollima) is increasingly using malicious email attacks as part of a "sprawling" credential harvesting activity to generate illicit revenue for the Hermit Kingdom. The attacks typically employ phishing emails with malware-laced attachments, bogus and compromised LinkedIn accounts, and false job opportunities at prestigious firms. In December 2022, the group started using URLs to redirect victims to credential harvesting pages, targeting multiple industries in the U.S. and Canada. To further their efforts, they have been observed expanding the functionality of CageyChameleon and maintaining a wide arsenal of post-exploitation tools.
READ THE STORY: THN
Supply chain attacks caused more data compromises than malware
FROM THE MEDIA: In 2022, the number of reported data compromises decreased in the first half of the year due to various factors; however, the number of victims impacted increased by 41.5%. According to the Identity Theft Resource Center, data breaches continued to be the primary source of data compromises, and the number of data breaches resulting from supply chain attacks exceeded those linked to malware. Additionally, the number of data breaches and exposures linked to unprotected cloud databases dropped 75% in 2022 compared to the previous year, and physical attacks continued a multi-year downward trend. Despite some good news, the report concluded that victims were largely unable to protect themselves from the harmful effects of data compromises, resulting in an increase in identity fraud.
READ THE STORY: HelpNetSecurity
North Korean Group TA444 Shows 'Startup' Culture, Tries Numerous Infection Methods
FROM THE MEDIA: Proofpoint security researchers have identified a new North Korea state-sponsored threat actor, dubbed TA444, which has been actively targeting cryptocurrency exchanges since 2017. The group has adopted an "upstart" mentality and utilizes a variety of tools and methods to achieve their goal of financial gain. During 2021 and 2022, the group is estimated to have stolen over $1 billion in cryptocurrency and related assets. This report comes shortly after the FBI confirmed North Korea’s Lazarus Group was responsible for a $100 million theft from a cryptocurrency firm.
READ THE STORY: InfoSecMag
820,000 people affected by Zacks Investment Research breach from November 2021
FROM THE MEDIA: Zacks Investment Research, a stock market data giant, has recently revealed that they suffered a breach that lasted from November 2021 to August 2022, affecting 820,000 people. The breach involved names, addresses, phone numbers, email addresses, and passwords used for Zacks.com and the company has since implemented security measures to protect their systems. While they are not providing any credit monitoring service to those affected, they have urged victims to watch their financial accounts closely and change any passwords they've used elsewhere. KnowBe4's Roger Grimes noted that while there can be extenuating circumstances around why it took so long to notify victims, the company's lengthy wait left victims exposed for an extended period of time.
READ THE STORY: The Record
Attackers move away from Office macros to LNK files for malware delivery
FROM THE MEDIA: Attackers have long used malicious Office documents with macros to infect computers with malware. However, Microsoft decided to disable such scripts by default in documents downloaded from the internet, making it difficult for attackers to successfully use this method. As a result, many attackers have now switched to using LNK (shortcut) files to deliver malware. There are various tools and services available to build malicious LNK files, but their use can provide opportunities for easier detection. It is also possible to use LNK file metadata to discover new attack campaigns and associate them with known attacker groups.
READ THE STORY: CSO Online
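The LNK metadata pivot mentioned above, as an added example that is not from the article or from any tool it mentions: a parser for the TrackerDataBlock of a Shell Link (.lnk) file, which records the NetBIOS name of the machine where the shortcut was built and, inside a version-1 GUID, that machine's MAC address, two values defenders use to cluster samples into campaigns. The sample .lnk, the hostname and the GUIDs are constructed here; the layout follows the MS-SHLLINK specification.

```python
import struct
import uuid

# Shell Link (.lnk) constants from MS-SHLLINK; the sample file below is constructed, not a real artefact
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003          # TrackerDataBlock signature in the ExtraData section
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION = 0x04, 0x08, 0x10, 0x20, 0x40
STRING_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)


def parse_tracker(data):
    """Return machine name, MAC and file GUID from a .lnk TrackerDataBlock, or None if absent."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C                                   # end of the fixed 76-byte ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:                    # StringData: CountCharacters + characters, in this order
        if flags & flag:
            off += 2 + struct.unpack_from("<H", data, off)[0] * width
    while off + 4 <= len(data):                  # ExtraData blocks: BlockSize, BlockSignature, payload
        size = struct.unpack_from("<I", data, off)[0]
        if size < 8 or off + size > len(data):
            break                                # TerminalBlock (size < 4) or truncated/malformed block
        sig = struct.unpack_from("<I", data, off + 4)[0]
        if sig == TRACKER_SIG and size >= 0x60:
            machine_id = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            file_guid = data[off + 48:off + 64]  # second GUID of Droid: the file object id
            version = file_guid[7] >> 4          # Data3 is little-endian; version lives in its high nibble
            mac = file_guid[10:16].hex(":") if version == 1 else None
            return {"machine_id": machine_id, "mac": mac,
                    "file_guid": str(uuid.UUID(bytes_le=file_guid))}
        off += size
    return None


def build_sample_lnk(with_tracker=True):
    """Constructed sample .lnk: header, empty IDList, two UTF-16 strings, optional TrackerDataBlock."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL, ...
    id_list = struct.pack("<H", 2) + b"\x00\x00"         # IDListSize + TerminalID only
    def utf16(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    strings = utf16("Quarterly report") + utf16("/c echo sample")   # NAME_STRING, then ARGUMENTS
    blocks = b""
    if with_tracker:
        volume_guid = uuid.UUID("4f1c2d3e-5a6b-4c7d-8e9f-a0b1c2d3e4f5").bytes_le   # constructed v4 volume id
        file_guid = uuid.UUID("1e3f4a50-8a9b-11ed-9c0d-0a1b2c3d4e5f").bytes_le     # constructed v1: node = MAC
        blocks += struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"desktop-9xk2".ljust(16, b"\x00")
        blocks += (volume_guid + file_guid) * 2                              # Droid and DroidBirth
    return header + id_list + strings + blocks + b"\x00\x00\x00\x00"         # TerminalBlock


if __name__ == "__main__":
    print(parse_tracker(build_sample_lnk()))
```

Matching the machine name or MAC across shortcuts from different lures is the kind of pivot the article refers to; a MAC of None means the file GUID was not version 1, so no hardware address can be recovered from it.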
Iranian and Russian hackers targeting politicians and journalists, warn UK officials
FROM THE MEDIA: The NCSC, a UK cyber and intelligence agency, has issued a warning regarding the increase of espionage attacks targeting British politicians and journalists by Iranian and Russian hackers. These hackers are believed to be linked to their respective countries, and have been described as "ruthless" in their pursuits. The NCSC has asked organizations and individuals to remain vigilant and secure their online accounts in order to protect themselves. Although the number of individuals targeted is small, the NCSC is taking the threat seriously.
READ THE STORY: BBC
Dark Web Intelligence Market Sets the Table for Continued Growth
FROM THE MEDIA: The Dark Web Intelligence market is witnessing growth due to the increasing R&D spending worldwide and the emergence of cyber threats. Companies such as Sixgill, Proofpoint, Verisign, Webroot, Digital Shadows Searchlight, SpyCloud ATO Prevention, Alert Logic Dark Web Scanner, DarkOwl Vision, Dashlane Business, Flashpoint, SiloBreaker, and Recorded Future are profiled in the study. The market is segmented by deployment mode, business model, content, network, and end user. Technological advancement in the Dark Web Intelligence market and threat actors sharing information about various vulnerabilities, exploits, and other sensitive information are driving the market growth. The report covers the North America, Europe, Asia Pacific, Oceania, South America, and Middle East & Africa regions.
READ THE STORY: Newstrail
DOD Modernization Relies on Rapidly Leveraging Commercial Technology
FROM THE MEDIA: The Department of Defense is increasingly relying on commercial technologies to provide warfighters with the capabilities they need to succeed in today's complex security environment. Through the Defense Innovation Unit (DIU), the Department is able to identify priority technology areas and expedite the transition process into the hands of our warfighters. In FY22, a total of 52 projects have been transitioned to the Department, with 86% of awards going to non-traditional vendors and 73% to small businesses. The DIU is also focused on advancing Artificial Intelligence (AI) capabilities, including AI-based knowledge graphing, automated vulnerability discovery and remediation, autonomous maritime intelligence, and cyber threat deception. Through these efforts, the Department is working to strengthen the national security innovation base and provide warfighters with the cutting-edge technologies they need to succeed.
READ THE STORY: DoD
Chinese threat actor DragonSpark targets Singaporean businesses
FROM THE MEDIA: Recently, SentinelOne researchers identified a Chinese threat actor, DragonSpark, attacking organizations in Singapore, Taiwan, Hong Kong, and China. The threat actor was observed using the open source tool SparkRAT and Golang malware that interprets embedded Go source code at runtime to evade detection. DragonSpark also used common infrastructure posture flaws and webshells to gain initial access to compromised web servers, and subsequently carried out a variety of malicious activities. Additionally, the command-and-control (C2) servers were located in Hong Kong and the US, and the staging infrastructure was located exclusively in the same countries as the initial targets. Based on several indicators, the researchers concluded that DragonSpark is likely a Chinese-speaking threat actor with either espionage or cybercrime motivations. This serves as a reminder of the need for vigilance and robust security measures from organizations in the region.
READ THE STORY: Reseller
University websites in South Korea defaced by Chinese hacktivist group, local media claims
FROM THE MEDIA: A China-based hacktivist group called the Cyber Security Team has begun to carry out its alleged threats to attack a staggering 2,000 South Korean government targets. So far, the group has hacked into 12 organizations, including universities and research centers, and stolen the personal information of 161 workers. It is unclear why the group is targeting South Korea, except for the fact that it is a democracy that is currently in a diplomatically awkward position between the US and China. The group has gone as far as to announce its invasion of the South Korean internet, showing its malicious intent.
READ THE STORY: Cybernews
Tensions flare again as South Korea investigates Chinese cyberattacks
FROM THE MEDIA: Tensions between South Korea and China have been heightened due to a visa spat over stronger COVID travel curbs. The situation was further complicated when police opened a formal probe to investigate hacking of multiple local academic organizations. A state-run cybersecurity think tank based in Seoul found Chinese hackers responsible for the breach, though the hackers deny any ties to the Chinese government. The cyberattacks come amid already strained relations between the two countries, and the potential for further retaliation exists. Analysts believe the Indo-Pacific strategy South Korea revealed last year is a major factor in the conflict, as it embodies everything China finds uncomfortable. It is therefore essential for both countries to examine the ground-level elements of the conflict in order to move forward.
READ THE STORY: AsianNews
Data breach notices become more opaque, leaving consumers in the dark
FROM THE MEDIA: In 2022, data breach disclosures that included details for consumers experienced a sharp decline, according to a report from the Identity Theft Resource Center. This lack of disclosure makes it more difficult for consumers to protect themselves and for policymakers and cyber defenders to respond. This trend is concerning as 1,802 breaches were reported in 2022, affecting 400 million individuals. The FTC has taken action against companies for not disclosing breaches, but the enforcement may not be incentive enough for companies to share more information. Although there has been a slight slowdown in data breaches due to Russia-based cybercriminals being distracted by the war in Ukraine, this report is indicative of a worrying trend.
READ THE STORY: Cyberscoop
Chinese Playful Taurus activity in Iran
FROM THE MEDIA: Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat (APT) group that has been active since at least 2010. Unit 42 recently identified new variants of the Turian backdoor and new command and control infrastructure used by this group, suggesting that they continue to be successful in their cyber espionage campaigns. Furthermore, their activity has been identified in various government and diplomatic entities across North and South America, Africa and the Middle East, as well as in several Iranian government networks. This activity between China and Iran is occurring alongside the 2021 25-year cooperation accord that both countries signed, even as both countries are under different levels of United States sanctions. Palo Alto Networks customers are protected from this threat through Advanced URL Filtering, DNS Security, Cortex XDR and WildFire malware analysis.
READ THE STORY: Zawaya
Kronos Malware Reemerges with Increased Functionality
FROM THE MEDIA: Kronos is a malware family that has been in circulation since 2011, evolving to include a new variant in 2014 and resurging in 2018 under the name Osiris. In late 2022, it was used in Mexico to launch JavaScript web-injects against financial institutions with a malicious Chrome extension, aiming to steal sensitive information such as login credentials, mobile tokens, OTP tokens and more. The malware uses a configuration file to identify targeted pages within a victim's web browsing session and has a "send_home" function to exfiltrate any stolen information. It also utilizes a "uadmin" panel to configure web injects and view sensitive information. To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, email filtering and other security measures, and to take the system offline and scan it if infection is suspected.
READ THE STORY: Security Intelligence
Items of interest
Russia suffered record number of DDoS attacks last year
FROM THE MEDIA: Last year, Russia faced a record number of distributed denial-of-service (DDoS) attacks, fueled by pro-Ukrainian hackers. The attacks were targeted, with 21.5 million critical web attacks identified by Russia’s largest telecom provider, Rostelecom. They aimed to make Russian websites inaccessible to users, disrupt companies and organizations, and create panic in society. The state services were the most affected, with attacks increasing twelvefold compared to the previous year. Financial and educational services were also popular targets, with one attack lasting almost three months. Data leaks have also become more common, with hackers leaking the data of three out of every four Russian citizens. These leaks contained passwords, information about the use of various online services, and contact information. Russian companies were unprepared to protect their data from these attacks.
READ THE STORY: The Record
The future of AI Journalism (Video)
FROM THE MEDIA: This panel discussion explored how the future of AI in newsrooms might look in 2023 and beyond. How will AI in journalism evolve? What AI skills will be in demand? And how can journalists, researchers and students prepare for what is coming?
Spies, informants and new enemies - Today’s intelligence agencies (Video)
FROM THE MEDIA: Intelligence agencies are influencing governments and spying on countries with no regard for the law. And they are able to remain nearly invisible, in the process. Are they the new superpowers?
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com