Friday, January 27, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
U.S. sanctions Chinese satellite firm for allegedly supplying SAR imagery to Russia’s Wagner Group
FROM THE MEDIA: The U.S. has sanctioned Spacety, a Chinese small satellite manufacturer, for allegedly supplying the Russian Wagner Group with radar satellite imagery of Ukraine to support its combat operations. This is part of a broader move against the private paramilitary organization Wagner Group and is meant to impede Putin's ability to arm and equip his war machine. It is also notable that China has attempted to act in a neutral role following Russia's invasion of Ukraine and has adhered to U.S. and European sanctions imposed on Russia. Furthermore, the U.S. has used commercial satellite constellations in the Ukraine conflict, including imagery from companies like Maxar. This has raised concerns from China, which has noted that the U.S. is attempting to blur the boundary between military and civilian spheres in order to strengthen its dominant position in space.
READ THE STORY: SN
Deployment of 5G Technology: Scrutinizing the Potential Menace & Its Repercussions globally
FROM THE MEDIA: 5G technology, the latest generation of mobile telecommunications technology, is set to revolutionize various sectors such as healthcare, transportation, manufacturing, and entertainment. 5G networks promise faster internet speeds, lower latency and greater capacity than previous generations of mobile networks. They are also designed to support a wide range of new and emerging applications such as the Internet of Things (IoT), autonomous vehicles, and virtual and augmented reality. However, the deployment of 5G networks is not without its challenges. Cybersecurity and privacy risks, environmental concerns, and supply chain security are just some of the issues that must be addressed. Governments, industry, and other stakeholders must work together to develop and implement security standards, data protection and privacy policies, and measures to minimize the environmental impact of 5G networks. This will ensure that the benefits of 5G technology are realized while minimizing any associated risks.
READ THE STORY: Modern Diplomacy
Hive Ransomware Infrastructure Seized in Joint International Law Enforcement Effort
FROM THE MEDIA: This week, a joint law enforcement effort involving 13 countries orchestrated the seizure of the darknet infrastructure associated with Hive, a ransomware-as-a-service (RaaS) operation. This infiltration enabled the FBI to capture 336 decryption keys and distribute them to companies affected by the gang, effectively saving $130 million in ransom payments. Additionally, the FBI distributed 1,000 decryption keys to previous Hive victims. This move is likely to cause a temporary disruption to Hive's operations and serves as a reminder of the potential impact of law enforcement actions against cybercrime groups. Despite this action, ransomware remains a threat, particularly as companies increasingly refuse to settle payments, leading to record low payments in the fourth quarter of 2022.
READ THE STORY: THN
Large East Asian companies attacked with SparkRAT open source tool
FROM THE MEDIA: East Asian companies have been the target of a hacking group known as DragonSpark, which utilizes the open source tool SparkRAT to gain access to their systems. Researchers from SentinelLabs have been tracking the group since October, and the activity is considered opportunistic in nature. Microsoft released its own report on SparkRAT in December; the tool is used by a variety of actors due to its practicality and feature-rich, multi-platform capabilities. DragonSpark relies heavily on open source tools provided by Chinese-speaking developers or vendors, including SharpToken and BadPotato, and its C2 servers are located in Hong Kong and the United States. The motivations of the group remain unclear but are likely related to cybercrime or espionage.
READ THE STORY: The Record
Google TAG disrupts a Chinese influence network
FROM THE MEDIA: In 2022, DRAGONBRIDGE, also known as "Spamouflage Dragon," was the most prolific Coordinated Information Operations (IO) actor tracked by Google's Threat Analysis Group (TAG). Content produced by DRAGONBRIDGE was of low quality and spammy, with most posts being clips of animals, landscapes, food, sports and other content without an overt political message. However, a small fraction of DRAGONBRIDGE channels and blogs post on current events, promoting pro-China messages and criticizing the US. Google disrupted over 50,000 instances of DRAGONBRIDGE activity across YouTube, Blogger, and AdSense, and terminated over 100,000 DRAGONBRIDGE accounts over the IO network's lifetime. Despite their scale and profuse content production, DRAGONBRIDGE achieved practically no organic engagement from real viewers. DRAGONBRIDGE is persistent and adaptable and continues to experiment with new tactics, new formats and higher quality content to try to attract a real audience, so it remains important for TAG and Google to stay vigilant in disrupting its activity.
READ THE STORY: The Cyberwire // TAG
Science has finally cracked the mystery of why so many people believe in conspiracy theories
FROM THE MEDIA: Elon Musk's purchase of Twitter has had a profound effect on the spread of conspiracy theories. Researchers have determined that the key factor in people believing in such theories is the trait of overconfidence. This means that those who have a strong sense of their own infallibility are more likely to buy into conspiracies, regardless of the evidence. This is especially concerning when those with the most money and power, such as Musk and ex-President Donald Trump, have the loudest megaphones. To combat this, researchers like Gordon Pennycook have been trying to find ways to limit the spread of these theories through social media algorithms, though the issue is far more complex than just a few adjustments.
READ THE STORY: Insider
Britain’s cyber intel agency GCHQ to start search for new director as Fleming signals departure
FROM THE MEDIA: As GCHQ, Britain's cyber and signals intelligence agency, searches for a new director to replace Sir Jeremy Fleming, who has held the role for nearly six years, many have called for a woman to take the position. This is supported by the agency's efforts to diversify its ranks and commitment to gender balance to benefit its counterterrorism mission. In the United States, intelligence agencies strive for a diverse workforce for the same reason, as Richards Heuer’s CIA-published book “Psychology of Intelligence Analysis” emphasizes the risks of cognitive biases that can stem from a homogeneous workforce. The agency has also implemented job shares in top-level positions to set an example of what’s possible. As the search for a new director continues, the UK intelligence community is looking for a candidate that will bring a new perspective and build on the progress of the past.
READ THE STORY: The Record
Researchers Uncover Connection between Moses Staff and Emerging Abraham's Ax Hacktivist Group
FROM THE MEDIA: Recently, a cybersecurity firm has linked the operations of a politically motivated hacktivist group known as Moses Staff to another threat actor named Abraham's Ax. Both groups are believed to be sponsored by the Iranian government and have been linked to espionage and sabotage attacks, as well as the use of custom malware to encrypt data. The connection between the two groups is evidenced by the fact that their WordPress-based leak sites were hosted in the same subnet in the early stages, and that both actors share a common motivation for targeting perceived enemies of Iran with disruptive tactics and no financial incentive. These findings suggest that Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries, a trend which is likely to continue.
READ THE STORY: THN
Robinhood Twitter Handle Hacked, Hackers Stole BNB Tokens
FROM THE MEDIA: Recently, several high-profile Twitter accounts were hacked, resulting in the theft of over $8,200 worth of BNB tokens. The hackers used the Binance Smart Chain and the decentralized exchange PancakeSwap to promote fraudulent RBH tokens to the 1.1 million Twitter followers of US-based brokerage firm Robinhood Markets Inc. The attack was discovered by on-chain investigator ZachXBT, and the fraudulent tweet was quickly removed. Users were offered RBH tokens for as little as $0.0005 apiece, resulting in ten customers spending around $1,000 on the scam. Binance froze the account and further investigations are pending. This is only the latest example of the widespread fraud occurring on Twitter, which is home to over 20 million fraudulent accounts. Twitter users are encouraged to use strong passwords and two-factor authentication, as well as to manage third-party application permissions.
READ THE STORY: Coinnounce
Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA
FROM THE MEDIA: This past year, researchers reported a high-severity security flaw in the Windows CryptoAPI to Microsoft, which was subsequently patched. This vulnerability, tracked as CVE-2022-34689, could be exploited to spoof a user's identity by manipulating an X.509 certificate. Akamai recently released proof-of-concept code, which showed that the vulnerability was rooted in the fact that the code relied on the certificate's MD5 fingerprint, a hash function that is now cryptographically broken. An attacker could exploit the vulnerability to stage a MitM attack, redirecting users to an arbitrary website of their choosing. Although the scope of this vulnerability is limited, it is still important to patch, even for discontinued versions of Windows.
READ THE STORY: THN
Dutch Hacker Attempted to Sell Personal Data of Almost 9 Million Austrian Citizens
FROM THE MEDIA: In November 2020, a 25-year-old Dutch hacker was arrested in Amsterdam for stealing and attempting to sell confidential information belonging to nearly nine million Austrian citizens. This hacker is also suspected of stealing data from other countries such as the Netherlands, Italy, and Colombia. Though the hacker had stolen information such as names, addresses, and dates of birth, there was no evidence of stolen financial information. The data was also posted online, leaving victims vulnerable to phishing attacks, such as malicious offers or fraudulent change-of-address requests. In order to protect themselves, victims should monitor their credit and contact the proper authorities or their bank if they notice any suspicious activity.
READ THE STORY: iTECHPOST
New Mimic ransomware abuses ‘Everything’ Windows search tool
FROM THE MEDIA: In June 2022, security researchers at Trend Micro discovered a new ransomware strain named Mimic. It has capabilities seen in modern strains such as collecting system information and bypassing User Account Control. Mimic uses the Everything file search tool for Windows to look for files targeted for encryption, which it then encrypts with the ".QUIETPLACE" extension and drops a ransom note. The code in Mimic shares similarities with Conti ransomware, and the authors appear to be experienced software developers. Although Mimic has not yet been seen in the wild, its capabilities and sophistication suggest it could become a serious cybersecurity threat.
READ THE STORY: BleepingComputer
SaaS RootKit Exploits Hidden Rules in Microsoft 365
FROM THE MEDIA: Microsoft is a major target for malicious actors, and a recent security research effort from Adaptive Shield has revealed a new attack vector that can leverage a vulnerability in Microsoft's OAuth application registration to create hidden forwarding rules in Microsoft 365 mailboxes. This allows attackers to create a malicious SaaS rootkit that can infiltrate users' accounts and control their mailboxes without their knowledge. The attack vector has two components, hidden forwarding rules and SaaS-to-SaaS app access, and understanding both is necessary to mitigate it. Microsoft responded to the issue by flagging it for future review; organizations can take steps to mitigate the attack such as monitoring third-party app access, tracking activities, and disabling third-party app registrations. Traditional malware controls have lagged behind the evolution of malware, and organizations must use native security configurations to control OAuth application installations across SaaS apps to protect users.
READ THE STORY: DARKReading
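The mitigation the story recommends, tracking activities around mailbox rules, can be turned into a concrete check. The following is an added example, not code from the article or from Adaptive Shield: it scans Microsoft 365 unified audit log records for inbox rules and mailbox settings that forward mail, and ranks those that send mail outside the tenant or were created through an OAuth app rather than a user session. The field names follow the Office 365 Management Activity API schema for Exchange admin-audit events (Operation, Parameters, UserId, ClientAppId); the records, the tenant domain and the app id are constructed for this example.

```python
"""Flag mailbox forwarding rules in Microsoft 365 audit records.

Added example (not from the article). Record field names follow the Office
365 Management Activity API schema for Exchange admin-audit events; the
records themselves, the tenant domain and the app id are constructed.
"""
import json

# Operations and parameter names that can send a copy of mail elsewhere.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress",
}

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's accepted domains

# Constructed sample records, one JSON object per line as exported from the log.
SAMPLE_AUDIT_LOG = r"""
{"Operation": "New-InboxRule", "UserId": "alice@contoso.example", "ClientAppId": "", "Parameters": [{"Name": "Name", "Value": "Receipts"}, {"Name": "MoveToFolder", "Value": "Receipts"}]}
{"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "ClientAppId": "00000000-0000-4000-8000-000000000001", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "smtp:collector@evil.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "Set-Mailbox", "UserId": "admin@contoso.example", "ClientAppId": "", "Parameters": [{"Name": "Identity", "Value": "carol"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@partner.example"}]}
{"Operation": "New-InboxRule", "UserId": "dave@contoso.example", "ClientAppId": "", "Parameters": [{"Name": "Name", "Value": "To manager"}, {"Name": "ForwardTo", "Value": "smtp:manager@contoso.example"}]}
"""


def _addresses(value):
    """Split 'smtp:a@x;smtp:b@y' (or comma-separated) into bare lower-case addresses."""
    addresses = []
    for item in value.replace(",", ";").split(";"):
        item = item.strip()
        if not item:
            continue
        if ":" in item:  # drop the 'smtp:' / 'SMTP:' routing prefix
            item = item.split(":", 1)[1]
        addresses.append(item.lower())
    return addresses


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1] not in internal_domains


def flag_forwarding_rules(audit_log_text, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per record that forwards or redirects mail.

    Each finding records the actor, the destinations, whether any destination
    is outside the tenant, whether an app (ClientAppId set) created the rule,
    and whether the rule deletes the original message to hide the forwarding.
    """
    findings = []
    for line in audit_log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        targets = []
        for name in sorted(FORWARDING_PARAMETERS.intersection(params)):
            targets.extend(_addresses(params[name]))
        if not targets:
            continue  # rule does not forward anything (e.g. move to folder)
        findings.append({
            "operation": record["Operation"],
            "actor": record.get("UserId", ""),
            "rule_name": params.get("Name", ""),
            "targets": targets,
            "external": any(is_external(t, internal_domains) for t in targets),
            "via_app": bool(record.get("ClientAppId")),
            "deletes_original": params.get("DeleteMessage", "False") == "True",
        })
    return findings


def severity(finding):
    """Triage score: external destination, app-created and self-hiding rules rank highest."""
    score = 1
    if finding["external"]:
        score += 2
    if finding["via_app"]:
        score += 1
    if finding["deletes_original"]:
        score += 1
    return score


if __name__ == "__main__":
    for f in sorted(flag_forwarding_rules(SAMPLE_AUDIT_LOG), key=severity, reverse=True):
        print(severity(f), f["operation"], f["actor"], f["targets"],
              "EXTERNAL" if f["external"] else "internal",
              "via-app" if f["via_app"] else "user-session")
```

Run against a real export, the ranking puts app-created rules to external domains that also delete the original message at the top, which is the pattern the research describes; internal forwards to a manager score lowest and can be allow-listed.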
Cybercriminals scam two federal agencies via remote desktop tool, CISA warns
FROM THE MEDIA: In a recent alert, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of malicious use of two remote management software products, ConnectWise Control and AnyDesk, by cybercriminals to dupe federal employees and steal money from victims' bank accounts. The malicious activity has been ongoing since June, with hackers impersonating help desk services such as Geek Squad Services and Norton, Amazon, McAfee and PayPal in order to gain access to victims' machines. Furthermore, the alert warned of the broader threat of malicious cyber activity using legitimate RMM software, including bypassing administrative privilege requirements and software management control policies. As such, this alert serves as a reminder of the importance of cyber security vigilance to protect against malicious activity.
READ THE STORY: FedScoop
Google Takes Down 50,000 Instances of Pro-Chinese DRAGONBRIDGE Influence Operation
FROM THE MEDIA: In 2022, Google uncovered a pro-Chinese influence operation known as DRAGONBRIDGE that was attempting to spread narratives critical of the U.S. and favorable to China. Google took steps to dismantle over 50,000 instances of this activity, including terminating 100,960 accounts across YouTube, Blogger, and AdSense. Despite these efforts, DRAGONBRIDGE persistently tweaked its methods, creating animated political cartoons and producing higher quality content in order to lure real users. Google also noted that the coordinated inauthentic behavior was facilitated by Google Accounts purchased in bulk from account sellers. This is far from the only pro-Chinese influence operation to have emerged recently, and it is a reminder that coordinated inauthentic behavior is a real threat.
READ THE STORY: THN
Alleged French cybercriminal to appear in Seattle on indictment for conspiracy, computer intrusion, wire fraud and aggravated identity theft
FROM THE MEDIA: Sebastien Raoult, a 21-year-old French citizen from Epinal, France, will appear in U.S. District Court in Seattle tomorrow, January 27, 2023, on a nine-count indictment alleging computer fraud and abuse, wire fraud, and aggravated identity theft. Raoult was a member of a hacking group known as the “ShinyHunters” that targeted corporate entities and stole proprietary and corporate information. He and two co-conspirators advertised and sold the stolen data on the dark web and threatened to leak the data if the victims did not pay a ransom. They also created websites that appeared to be legitimate businesses in order to obtain victims' account credentials. The victims of the ShinyHunters included companies from Washington State and around the world, and millions of customer records were included in the stolen data. Raoult was arrested in Morocco last year and was extradited to the U.S. this week. The Department of Justice appreciates the significant cooperation and assistance provided by Moroccan and French authorities.
READ THE STORY: DOJ
Microsoft urges admins to patch on-premises Exchange servers
FROM THE MEDIA: Microsoft is urging customers to keep their on-premises Exchange servers patched to prevent exploitation of known vulnerabilities. Microsoft recommends running the Exchange Server Health Checker script after installing updates to detect common configuration issues, as well as installing the latest Cumulative Update (CU) and Security Update (SU). Additionally, Exchange admins are asked to provide feedback on the update experience so Microsoft can look for ways to improve it. Unfortunately, the number of servers unpatched against ProxyNotShell is still alarmingly high, which puts organizations at risk of exploitation by motivated and well-resourced attackers. It is imperative that Exchange admins take the necessary steps to patch their servers in order to protect them from malicious actors.
READ THE STORY: BleepingComputer
British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries
FROM THE MEDIA: The U.K. National Cyber Security Centre (NCSC) recently warned of spear-phishing campaigns conducted by Russian and Iranian state-sponsored actors for information-gathering operations. These attacks are focused on specific sectors, such as academia, defense, government organizations, NGOs, and think tanks, as well as politicians, journalists, and activists. The NCSC attributed the intrusions to two distinct groups - SEABORGIUM and APT42, who use targeted lures such as fake profiles on social media platforms and malicious links to harvest credentials and access sensitive data. Enterprise security firm Proofpoint also noted the use of compromised accounts, malware, and confrontational lures to target individuals with a range of backgrounds. Furthermore, these campaigns also employ the use of targets' personal email addresses as a means to circumvent security controls. These malicious activities highlight the need for organizations to take proactive measures to protect their data and systems from potential malicious actors.
READ THE STORY: THN
Bitwarden password vaults targeted in Google ads phishing attack
FROM THE MEDIA: The use of password managers to store credentials has become increasingly popular as the need for unique passwords for every website arises. While cloud-based password managers provide users with convenience, they may be susceptible to credential theft through phishing campaigns. Recently, Bitwarden and other password managers have been targeted in Google ads phishing campaigns, with threat actors setting up fake login pages to steal passwords and potentially authentication cookies. To protect against such attacks, users should always verify the website they are entering their credentials on and configure multi-factor authentication with their password manager. Additionally, users should be aware of advanced adversary-in-the-middle phishing attacks that can be used to bypass MFA and steal authentication cookies.
READ THE STORY: BleepingComputer
Supporting military operations on Earth to remain U.S. Space Force’s top priority
FROM THE MEDIA: Frank Calvelli, the Space Force's top acquisition executive, recently asserted that the service needs to focus on advancing satellite systems for military operations on Earth, rather than devoting attention to missions in cislunar space. This remark is in line with the opinion of Air Force Secretary Frank Kendall, who believes that the U.S. faces more immediate space security challenges within Earth's orbit. Nevertheless, the U.S. Air Force is supporting an experiment to study the cislunar region of outer space. Some Space Force personnel argue that the service must be prepared to establish a presence in cislunar space if other nations, such as Russia or China, move to exploit resources on the moon. For the Space Force to provide security in the lunar region, it would need to deploy satellite communications, space domain awareness, and intelligence systems.
READ THE STORY: SN
BuzzFeed To Use ChatGPT’s AI For Content Creation
FROM THE MEDIA: In recent years, digital media company BuzzFeed (NASDAQ: BZFD) has increasingly invested in AI-generated content. Utilizing OpenAI's ChatGPT, BuzzFeed plans to create a wide range of content such as quizzes, while other companies such as Microsoft have invested heavily in OpenAI. While these investments have been met with enthusiasm from investors, educators are wary of potential risks associated with the technology, including plagiarism and avoidance of learning. At the same time, AI has the potential to elevate the human experience by inspiring new ideas and personalizing content. Ultimately, the greatest success in utilizing AI will come from collaboration and communication between humans and machines.
READ THE STORY: Forbes
Let’s choose collective intelligence over the madness of mobs
FROM THE MEDIA: In this reflective essay, an American Chinese immigrant looks back on their experiences growing up in the 1960s and 70s in New York City, where they experienced racism and other forms of discrimination first-hand. Despite this milieu, the American dream was still attainable, as evidenced by the author's mother's hard work and sacrifices, which enabled her three children to attend the best colleges. This prompted the author to research the origins of bias and discrimination, leading them to explore the idea of group selection and the potential influence of collective ignorance. The author proposes that policy interventions should focus on creating an environment and incentives to move toward collective intelligence, preventing negative feedback loops and giving better access to educational and career opportunities for underrepresented groups.
READ THE STORY: MIT SLOAN
3 Lifehacks While Analyzing Orcus RAT in a Malware Sandbox
FROM THE MEDIA: Orcus RAT is a type of Remote Access Trojan (RAT) that has been used by attackers to gain access to and control computers and networks. It is a malicious program that is often spread via malicious emails, websites, and social engineering attacks, and is capable of stealing data, conducting surveillance, and launching DDoS attacks. To protect against this threat, it is important to implement a comprehensive security strategy, train employees to recognize and avoid malicious emails and websites, and use reliable anti-virus software and ANY.RUN malware sandbox to detect and analyze Orcus. By doing so, organizations can protect their systems and networks from malicious activity.
READ THE STORY: THN
Items of interest
Ukraine's Critical Sectors Targeted in Phishing Attack Surge
FROM THE MEDIA: In late 2022, independent observers of Ukrainian cyberspace reported an increase in phishing attacks and malware campaigns targeting the country. This surge coincided with findings from other cyberattack watchers and is believed to be linked to Russia's invasion of the country. The majority of attacks targeted email addresses registered in the top-level .ua domain, which is used by government and military agencies, and some of these attacks have been traced to a Russian state-sponsored group called Gamaredon. Additionally, researchers observed an increase in potentially unwanted programs, which are believed to be connected to attempts to infect systems with malware disguised as software for pirating Adobe products. Furthermore, Google's incident response group Mandiant reported that it had seen a 2013-era version of Andromeda being used by a suspected Russian nation-state hacking group, and that this attack succeeded in exfiltrating data.
READ THE STORY: GovInfoSec
Artistic Journalism Vol.1: Understanding AI (Video)
FROM THE MEDIA: Ars Electronica Futurelab director Hideaki Ogawa teaches an online course entitled "Artistic Journalism" at Keio University SFC. This experimental series of classes discusses artistic journalism through a unique guided tour and dialogue in the Ars Electronica Center. Since 2020, we have been faced with COVID-19 and the various social changes cascading from it.
The Cybercriminal Hierarchy (Video)
FROM THE MEDIA: Vincent D’Agostino, Head of Cyber Forensics and Incident Response at BlueVoyant, has had plenty of experience with traditional organized crime during his time at the FBI which has given him insights into his current work in cybercrime. That experience and those insights make him a perfect guest for The Cyber Crime Lab Podcast.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com