Tuesday, January 31, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
TSA issues security directive to airports, carriers after ‘no-fly’ list leak
FROM THE MEDIA: The recent revelation of the US no-fly list being leaked on an unsecured server has sparked outrage and prompted the Transportation Security Administration (TSA) to issue a security directive to all domestic airlines and airports. The directive reinforces existing requirements on handling sensitive security information and personally identifiable information and encourages the airlines to take immediate action to ensure files are protected. The incident has been reported to other federal agencies, who are working alongside TSA to investigate the issue. In the wake of the breach, Rep. Dan Bishop (R-NC) and Committee on Homeland Security Chairman Mark Green (R-TN) have sent a letter to TSA Administrator David Pekoske demanding answers about the security breach. The incident has highlighted the need for better cybersecurity protections in key sectors, and the European Air Traffic Management Computer Emergency Response Team (EATM-CERT) has reported a 530% increase in cyberattacks against airline industry organizations in the last year.
READ THE STORY: The Record
Russian foreign ministry claims to be the target of ‘coordinated’ cyber aggression
FROM THE MEDIA: Russia's deputy foreign minister Oleg Syromolotov recently claimed that the country has been the target of “coordinated aggression” in cyberspace conducted by “intelligence agencies, transnational IT corporations, and hacktivists.” He alleged the attacks were a response to the invasion of Ukraine last February and named Amazon and Microsoft as offenders, though both companies wound down their operations in Russia after the invasion. The deputy minister has made similar claims before and again offered no specific attribution. For their part, Microsoft and Amazon have supplied Ukraine with technology assistance, including cloud computing services that keep government data and critical services available to citizens.
READ THE STORY: The Record
Cybercrime Ecosystem Spawns Lucrative Underground Gig Economy
FROM THE MEDIA: The cybercrime underground is becoming more professionalized and efficient, creating demand for technically skilled workers. During the coronavirus pandemic, job-related posts on Dark Web forums ran at roughly double the usual rate, and most of them sought developers, attack specialists, and designers of fraudulent websites. While some are drawn by the promise of high salaries, the pay is usually comparable to what the same skills earn legally. Reverse engineers command the highest median salary, but developers remain the most sought-after professionals.
READ THE STORY: DARKReading
Wagner Group Redefined: Threats and Responses
FROM THE MEDIA: Wagner Group, a mercenary organization previously deployed mainly in Syria and Africa, has been heavily involved in the Russian invasion of Ukraine and has sustained heavy casualties as a result. In response, the group has resorted to recruiting prisoners, former special operations forces from Afghanistan, and other foreign recruits to fill its ranks. The length and severity of the conflict in Ukraine will largely determine Wagner's availability for future deployments, including in Africa. The West has an opportunity to respond to Wagner deployments in Africa now, while Wagner and the Kremlin are focused on Ukraine, by providing assistance to counter Wagner forces, offering refuge to former Afghan special operations personnel, and building a stronger rapport with African nations.
READ THE STORY: FPRI
JCDC to concentrate on energy and water security
FROM THE MEDIA: The Joint Cyber Defense Collaborative (JCDC), a public-private cyber defense team established by the Cybersecurity and Infrastructure Security Agency (CISA), recently announced its 2023 agenda, which seeks to strengthen cybersecurity in the energy and water infrastructure sectors and to address the security of open-source software (OSS) used in industrial control systems. The JCDC will work with managed service providers (MSPs), managed security service providers (MSSPs), and remote monitoring and management (RMM) vendors to raise the security baseline and reduce risk for the small- and medium-sized critical infrastructure operators that depend on them. The agenda builds on the federal government's growing concern over open-source security in light of recent attacks and will be an integral part of the collective response to cyber threats.
READ THE STORY: The Cyberwire
Ukraine seeks ICC probe on Russian cyberattacks
FROM THE MEDIA: The war in Ukraine between Russia and its neighbor has been raging for years, and in that time, Russia has increasingly used cyberattacks to target critical infrastructure and civilians. Ukrainian officials are now attempting to make history by convincing the International Criminal Court in the Hague to investigate whether certain Russian cyberattacks could constitute war crimes — a move that could potentially reshape the future of cyberwarfare and open the door for potential prosecutions and reparations for the victims. Experts have argued that cyberattacks could be considered war crimes, and Ukrainian officials have cited their evidence of Russian coordinated kinetic and cyberattacks against civilians as support for their case. However, some experts think that other more easily provable war crimes should be pursued first. While the ICC has yet to respond to the request, this development underscores the severity of cyberattacks and the need for organizations to strengthen their security posture to protect against them.
READ THE STORY: SCMAG
SBU Chief Maliuk: It's just that we, Ukrainians, love "cotton" very much
FROM THE MEDIA: Vasyl Maliuk, a brigadier general with combat experience, has been heading the Security Service of Ukraine (SBU) for 100 days and in that time he has been working to improve the Service's capabilities. His efforts have included self-purification, counterintelligence operations, and investigations of war crimes and collaborators. He has also been working to reform the SBU to make it more effective in protecting the country, including transferring cases to the Economic Security Bureau, strengthening counterintelligence, and creating a more robust model for the Service. Maliuk's work is critically important for Ukraine's security and for the ultimate victory for the country.
READ THE STORY: Interfax-Ukraine
QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates
FROM THE MEDIA: Taiwanese company QNAP has released updates for a critical vulnerability in its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as CVE-2022-27596 and rated 9.8 out of a maximum of 10 on the CVSS scale, the flaw is an SQL injection: a remote attacker can submit crafted input that the appliance interprets as part of an SQL query, allowing them to bypass security controls and read or alter stored data. Users are advised to update to QTS 5.0.1.2234 build 20221201 or QuTS hero h5.0.1.2248 build 20221215, or later. Patching promptly matters because DeadBolt ransomware actors have already exploited previously unknown flaws in internet-exposed QNAP appliances.
READ THE STORY: THN
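The bug class behind the QNAP advisory is SQL injection. The following is an added illustration written for this digest, not QNAP code and not a reproduction of the QTS flaw: it builds a throwaway SQLite table (the table layout, user rows and the attacker string are constructed here) and shows the same lookup written two ways. The string-built query lets the input `admin' --` close the quoted literal and comment out the password check; the parameterised query binds the same input as a plain value and returns nothing.

```python
"""SQL injection: vulnerable vs. parameterised query (added illustration).

Generic example on an in-memory SQLite database; it is not QNAP code and
does not reproduce the QTS/QuTS hero flaw. The table layout, user rows and
the attacker input are all constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with a constructed 'users' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-of-admin-secret", "admin"),
         ("alice", "hash-of-alice-secret", "user")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str, pw_hash: str):
    """String-built query: attacker-controlled text becomes SQL syntax."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str, pw_hash: str):
    """Parameterised query: the driver binds values; input is never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw_hash = ?"
    return con.execute(sql, (name, pw_hash)).fetchall()


# Constructed attacker input: closes the quoted literal and comments out the
# rest of the WHERE clause, so the pw_hash comparison never runs.
INJECTION = "admin' --"


def demo():
    """Run both lookups with the injection string and a wrong password hash."""
    con = make_db()
    bad = lookup_vulnerable(con, INJECTION, "wrong")
    good = lookup_safe(con, INJECTION, "wrong")
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("vulnerable:   ", bad)   # admin row returned without a valid hash
    print("parameterised:", good)  # no rows
```

The effective SQL in the vulnerable path is `... WHERE name = 'admin' --' AND pw_hash = 'wrong'`; everything after `--` is a comment, so the admin row comes back. The only durable fix is the parameterised form; input filtering on top of string concatenation is what attackers bypass.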
Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine
FROM THE MEDIA: Sandworm, a Russian state-backed threat actor, has deployed a range of destructive wiper malware against Ukrainian organizations, including the news agency Ukrinform and an unidentified organization, in an effort to cause irreversible damage. Wipers, which erase or overwrite data, have become increasingly popular among Russian cyber-threat actors, and although they have not been used to the same degree against US organizations, analysts warn that they could be turned on US targets if the actors chose to do so.
READ THE STORY: DARKReading
A hacktivist auxiliary's social support system
FROM THE MEDIA: Killnet is a pro-Russian hacktivist group known for launching DDoS attacks against Ukraine and the countries supporting it. Its leader, Killmilk, has been far more of a public figure than the leaders of other criminal groups involved in the war, which has given the group visibility, new connections, and funding for its operations. This article reviews three social circles associated with the group and examines how it has obtained social and financial backing from individuals in Russia. Support comes as financial contributions, active participation in illegal activities, and even passive support through art and entertainment, as seen with Infinity Music's song "KillnetFlow (Anonymous diss)" and HooliganZ Jewelry's Killnet-branded merchandise. The darknet criminal marketplace Solaris has also made financial contributions to the group. Examining a criminal organization's social presence gives analysts insight into its structure and operations, as well as the relationships between its members and the community around them.
READ THE STORY: The Cyberwire
Convincing, Malicious Google Ads Look to Lift Password Manager Logins
FROM THE MEDIA: Recent malicious ads targeting users of the Bitwarden and 1Password password managers have brought to light the growing use of paid search advertising by threat actors to deliver malware, break into password manager accounts, and steal credentials. Google has taken steps to combat the problem, removing 3.4 billion ads and restricting 5.7 billion others in 2021 and suspending 5.6 million advertiser accounts. However, the measures threat actors use to conceal their identities and evade Google's policies and enforcement make curbing the problem a continuing challenge.
READ THE STORY: DARKReading
GitHub says hackers cloned code-signing certificates in breached repository
FROM THE MEDIA: GitHub reported that an unauthorized party accessed some of its code repositories and exfiltrated encrypted code-signing certificates for two of its desktop applications, GitHub Desktop and Atom. If decrypted, the certificates would let a malicious actor sign unofficial versions of the apps and pass them off as legitimate updates from GitHub. To preclude any such use, GitHub is revoking the certificates, which will cause the affected versions of the apps to stop working. GitHub has published a new version of the Desktop app signed with a new certificate and is working with Apple to monitor for any new executables signed with the exposed Apple Developer ID certificate. The company found no evidence that the threat actor could decrypt or use the certificates, and no impact to GitHub.com or its other offerings beyond the specific certificates.
READ THE STORY: arsTECHNICA
Facebook Bug Allows 2FA Bypass Via Instagram
FROM THE MEDIA: Security researcher Gtm Mänôz discovered a flaw in Meta's Instagram API endpoints that allowed an attacker to brute-force a verification code and thereby bypass Facebook's two-factor authentication (2FA) protections. Meta has since fixed the issue, and users should update their apps to the latest version to protect their accounts. Mänôz was awarded $27,000 through Meta's bug bounty program for the report.
READ THE STORY: DARKReading
KeePass disputes vulnerability allowing stealthy password theft
FROM THE MEDIA: The KeePass open-source password manager has been under fire recently over a newly disclosed issue (CVE-2023-24055) that lets an attacker who can write to the KeePass configuration file add a trigger that silently exports the entire database in plain text, without the user being notified. The development team disputes that this is a vulnerability, arguing that an attacker with write access to the target's device can already reach the database by other means. As a mitigation, an administrator can create an enforced configuration file, which takes precedence over the user-writable configuration, and ensure that regular users have no write access to any files or folders in KeePass's application directory.
READ THE STORY: BleepingComputer
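The practical check a defender wants here is whether a KeePass configuration already carries triggers and whether the conditions for the attack (a writable application directory, no enforced configuration) hold. The following audit script is an added example for this digest, not KeePass project code. It assumes the trigger layout of KeePass's serialised XML configuration (Application/TriggerSystem/TriggerCollection/Trigger, with Name, Enabled and ActionCollection children); the sample configuration embedded below is constructed for the example and the element names should be verified against the configuration file of the version in use.

```python
"""Audit a KeePass 2.x installation for user-added triggers and for the
preconditions of the export-trigger attack (added check, not KeePass code).

Assumptions: triggers live in KeePass.config.xml under
Application/TriggerSystem/TriggerCollection/Trigger (names follow KeePass's
serialised configuration as understood by the author; verify against your
version). SAMPLE_CONFIG is constructed here and shows one enabled trigger
with a single action, such as an attacker-planted export on database open.
"""
import os
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <TriggerCollection>
        <Trigger>
          <Guid>constructed-guid</Guid>
          <Name>Exfil</Name>
          <Enabled>true</Enabled>
          <EventCollection><Event><TypeGuid>opened</TypeGuid></Event></EventCollection>
          <ActionCollection><Action><TypeGuid>export</TypeGuid></Action></ActionCollection>
        </Trigger>
      </TriggerCollection>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def list_triggers(xml_text: str) -> list[dict]:
    """Return every <Trigger> found, with its name, enabled flag and action count."""
    root = ET.fromstring(xml_text)
    found = []
    for trig in root.iter("Trigger"):
        found.append({
            "name": trig.findtext("Name", default=""),
            "enabled": trig.findtext("Enabled", default="true").lower() == "true",
            "actions": sum(1 for _ in trig.iter("Action")),
        })
    return found


def trigger_system_enabled(xml_text: str) -> bool:
    """True if the trigger system is on (KeePass's default when the element is absent)."""
    root = ET.fromstring(xml_text)
    ts = root.find("./Application/TriggerSystem")
    if ts is None:
        return True
    return ts.findtext("Enabled", default="true").lower() == "true"


def writable_by_current_user(path: str) -> bool:
    """True if the current user can write here; on the KeePass application
    directory that is the precondition the config-tampering attack needs."""
    return os.access(path, os.W_OK)


def audit(app_dir: str, config_xml: str) -> list[str]:
    """Human-readable findings for the given app directory and config text."""
    findings = []
    if writable_by_current_user(app_dir):
        findings.append(f"app directory {app_dir} is writable by the current user")
    if not os.path.exists(os.path.join(app_dir, "KeePass.config.enforced.xml")):
        findings.append("no KeePass.config.enforced.xml present")
    if trigger_system_enabled(config_xml):
        for t in list_triggers(config_xml):
            state = "enabled" if t["enabled"] else "disabled"
            findings.append(f"trigger '{t['name']}' ({state}, {t['actions']} action(s))")
    return findings


if __name__ == "__main__":
    # Demo against the current directory and the constructed sample config.
    for line in audit(os.getcwd(), SAMPLE_CONFIG):
        print("finding:", line)
```

Point `audit()` at the real application directory and feed it the contents of the user's KeePass.config.xml; any trigger the user does not recognise, or a writable application directory without an enforced configuration, is what the disputed report is about.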
Atrium Health’s website disrupted Monday after threat from Russian hacking group
FROM THE MEDIA: Atrium Health and other hospital systems across the U.S. experienced outages on their public-facing websites Monday as a result of a "denial of service" attack by a pro-Russia hacking group known as Killnet. While the attack prevented access to the websites, Atrium Health reassured the public that their hospital systems and patient portal were not affected. Other hospital systems, including Stanford Health Care and University of Michigan Health, were also affected. Atrium Health successfully resolved the situation about 7 p.m.
READ THE STORY: AOL
Ransomware attack on Indianapolis Housing Agency leaks sensitive info on 200,000 residents
FROM THE MEDIA: The Indianapolis Housing Agency was recently attacked by the LockBit ransomware group, compromising the information of more than 200,000 people, including Social Security numbers and more. Victims are being provided with IDX identity protection services for 12 months and the agency reported the incident to the Maine Attorney General’s office, as well as law enforcement. This attack is yet another example of ransomware groups targeting poorly resourced local government agencies across the United States, highlighting the need for increased cybersecurity measures.
READ THE STORY: The Record
New York’s Andrew Garbarino takes helm of House’s cybersecurity subcommittee
FROM THE MEDIA: Rep. Andrew Garbarino (R-NY) has been appointed chairman of the House's Cybersecurity, Infrastructure Protection and Innovation Subcommittee. He brings relevant experience, having introduced the Cybersecurity Grants for Schools Act of 2022 and written to the White House demanding more information about the “Continuity of the Economy” plan. As part of the Homeland Security Committee, Garbarino will be tasked with fostering cybersecurity collaboration across the 16 critical infrastructure sectors and working with CISA to strengthen the country's cybersecurity posture. Rep. Laurel Lee (R-FL) has been appointed vice chair of the subcommittee, and several other members of Congress from Florida, Texas and Mississippi have joined the panel. The appointments reflect continued bipartisan attention to cybersecurity and to protecting the nation's critical assets.
READ THE STORY: The Record
Washington halts licenses for US companies to export to Huawei
FROM THE MEDIA: The US Commerce Department last week announced that it will no longer grant export licenses to US companies wishing to provide technology to Huawei, marking the latest move in the Biden administration's campaign to curb the Chinese tech company's access to US technology. The US had already implemented tough restrictions on exports to Huawei in 2019 as part of a strategy to protect US national security, but had continued to grant export licenses for some companies. This new decision goes further, and is part of a larger effort to restrict the sale of American technology to China and to slow China's push to develop cutting-edge technology. Secretary of State Antony Blinken is set to visit China next week, and it remains to be seen what the full impacts of this decision will be.
READ THE STORY: FT
Chromebook SH1MMER exploit promises admin jailbreak
FROM THE MEDIA: SH1MMER is a weaponized Return Merchandise Authorization (RMA) shim exploit developed by the Mercury Workshop team of 15 geeks, which allows users of enterprise-managed Chromebooks to break the shackles of administrative control. The exploit requires patching a board-specific RMA shim, which can be found online, and then flashing it to a USB drive. Although Google is aware of the issue and working with hardware partners to address it, the company has also advised customers to take steps to protect their devices. Despite the risk of bricking Chromebooks, many IT professionals have expressed sympathy for students trying to escape administrative control.
READ THE STORY: The Register
JD Sports says hackers stole data of 10 million customers
FROM THE MEDIA: UK sportswear retailer JD Sports said attackers accessed a system holding data on roughly 10 million customers who placed online orders between November 2018 and October 2020 with its JD, Size?, Millets, Blacks, Scotts and MilletSport brands. The exposed data includes names, billing and delivery addresses, email addresses, phone numbers, order details and the final four digits of payment cards; the company said full payment card data was not held on the affected system and that it has no reason to believe account passwords were accessed. JD Sports is contacting affected customers, has engaged external specialists, and has informed the UK Information Commissioner's Office.
READ THE STORY: BleepingComputer
DoD clarifies ‘confusion’ around autonomous weapons
FROM THE MEDIA: The United States Department of Defense recently updated its 2012 Directive 3000.09, which sets the record straight on how the department fields and develops autonomous and semi-autonomous weapons systems. The new policy clarifies and expands the exemptions list, including additional reviews by senior officials, and adds a new exemption for human-supervised autonomous weapons that defend drones. This update is seen as a welcome change, as it outlines the design, development, deployment and use of AI and provides a foundation for the potential use of autonomous weapons in the future.
READ THE STORY: Politico
Chinese DJI Drone Business is Blooming in Russo-Ukrainian War
FROM THE MEDIA: Metinvest Group, as part of Rinat Akhmetov’s Steel Front military initiative, has provided the Armed Forces of Ukraine (AFU) with over 1,100 DJI Mavic 3 drones to aid their defense operations against Russian aggression. The Group has donated over UAH 1.5 billion since the beginning of the war and supplied the AFU with 150,000 sets of body armor, thermal imagers, vehicles, and other gear. DJI Mavic 3 drones provide the AFU with excellent optics and navigation, as well as reconnaissance and fire correction, making them an essential part of the AFU’s tactics. However, DJI has been accused of supporting Russia's aggression in Ukraine and has been put on the Department of Defense’s list of “Chinese military companies operating in the United States.”
READ THE STORY: The Financial
Crypto Enforcement Actions, the SEC Crypto Assets and Cyber Unit, and National Security Risk
FROM THE MEDIA: The SEC's Division of Enforcement's Crypto Assets and Cyber Unit has been expanded and rebranded in May 2022, with the aim of protecting investors in cryptocurrencies and other digital assets. This focus on crypto is anticipated to intensify, and the SEC has brought more than 80 enforcement actions related to fraudulent and unregistered crypto asset offerings and platforms, resulting in monetary relief totaling more than $2 billion. Additionally, the agency has brought its first-ever alleged insider trading and market manipulation case arising from the purchase and sale of digital assets. Although securing the marketplace is a laudable goal, there is a risk of overregulation that could potentially stifle innovation of the crypto ecosystem. In China, the government is introducing a 'digital asset trading platform' to facilitate transactions of intellectual property and non-fungible tokens (NFTs), while also considering legalizing crypto in an attempt to control the collection of crypto taxes. These developments in the US and China provide a stark contrast to the regulatory environment of crypto, with significant implications for national security risk.
READ THE STORY: OODALOOP
Realtek flaw accounted for 40% of attempts between August and December
FROM THE MEDIA: Between August and October 2022, attempts to exploit a single remote code execution vulnerability in the Realtek Jungle SDK accounted for more than 40% of all exploit attempts observed by researchers. CVE-2021-35394 affects nearly 190 device models from 66 manufacturers and had been targeted 134 million times as of December 2022, and the campaign is ongoing. Security experts advise organizations to update to the latest firmware before deploying new devices and to keep them patched thereafter.
READ THE STORY: SCMAG
Hackers Use TrickGate Software to Deploy Emotet, REvil, Other Malware
FROM THE MEDIA: According to Check Point Research, TrickGate, a packer sold as a service, has helped threat actors slip malware past endpoint detection and response (EDR) software for more than six years. It has been used to deliver Emotet, REvil and other families, with manufacturing the most targeted sector and a concentration of victims in Taiwan and Turkey. The researchers note that the packer changes regularly: its encrypted, shellcode-based wrapper keeps the payload from being identified statically or at run time. Separately, the DragonSpark group is using another evasive tool, the open-source SparkRAT, against East Asian organizations.
READ THE STORY: InfoSecMag
Removable USB devices targeted by PlugX malware
FROM THE MEDIA: A recent campaign spreads PlugX malware through removable USB drives that infect Windows hosts, and the samples involved evaded most antivirus engines. The payload is launched by DLL side-loading: the legitimate Windows debugger "x64dbg.exe" loads a malicious "x32bridge.dll" placed beside it, and the directory holding them is named with a non-printing Unicode character so that it appears blank or invisible in Windows Explorer and the command shell. Mustang Panda, a Chinese state-sponsored group, is separately targeting organizations in Europe and the Asia-Pacific region with phishing lures themed on the Russia-Ukraine war, chaining archive files, shortcut files and malicious loaders to install PlugX for persistent espionage access.
READ THE STORY: SCMAG
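Two of the tricks above are cheap to hunt for on a mounted drive: directory names built from invisible Unicode characters, and the x64dbg.exe / x32bridge.dll side-loading pair sitting together. The scanner below is an added example for this digest, not code from the referenced report; the drive layout it scans is constructed in a temporary folder (one directory named with a single no-break space, U+00A0, holding empty files with the two names), and the set of Unicode categories treated as suspicious is the author's choice.

```python
"""Scan a removable drive for the PlugX-on-USB hiding tricks described above
(added detection check, not code from the referenced report).

Flags two things:
  1. directory names containing non-printing or whitespace-only Unicode
     characters (space separators, format, control or unassigned code
     points), which render as blank or invisible in Explorer and cmd.exe;
  2. a directory holding x64dbg.exe next to a file named x32bridge.dll,
     the side-loading pair named in the report.
The demo layout is constructed in a temporary folder; the category set is
the author's choice, not something taken from the report.
"""
import os
import tempfile
import unicodedata

SUSPECT_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Co", "Cn"}
SIDELOAD_PAIR = ("x64dbg.exe", "x32bridge.dll")


def odd_chars(name: str) -> list[str]:
    """Code points in a file name that are invisible or non-printing."""
    return [f"U+{ord(c):04X}" for c in name
            if unicodedata.category(c) in SUSPECT_CATEGORIES or not c.isprintable()]


def scan(root: str) -> list[tuple[str, str]]:
    """Walk `root`; return (path, reason) for every suspicious finding."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            bad = odd_chars(d)
            if bad:
                findings.append((os.path.join(dirpath, d),
                                 "hidden-looking directory name: " + " ".join(bad)))
        lower = {f.lower() for f in filenames}
        if all(p in lower for p in SIDELOAD_PAIR):
            findings.append((dirpath, "x64dbg.exe with x32bridge.dll (side-load pair)"))
    return findings


def build_demo_drive() -> str:
    """Constructed layout: a directory named with a single no-break space
    (U+00A0) holding the side-load pair, plus a harmless 'Documents' folder."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    hidden = os.path.join(root, "\u00a0")
    os.makedirs(hidden)
    for fname in SIDELOAD_PAIR:           # empty stand-ins, not real binaries
        open(os.path.join(hidden, fname), "wb").close()
    os.makedirs(os.path.join(root, "Documents"))
    return root


if __name__ == "__main__":
    for path, reason in scan(build_demo_drive()):
        print(f"{reason}: {path!r}")
```

Run `scan()` against the mount point of the drive (for example `E:\` on Windows). The name check deliberately reports the code points rather than printing the name, since printing it would reproduce the blank that hides it in the first place.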
Hackers can get to your phone through Wi-Fi
FROM THE MEDIA: Kaspersky researchers have been tracking Roaming Mantis, a campaign that uses malicious Android package (APK) files to take control of infected devices and steal their data. The malware has now gained a DNS changer that targets Wi-Fi routers in public places such as cafes, airports, hotels and libraries: once it rewrites a router's DNS settings, every device on that network can be redirected to attacker-controlled hosts, and infected phones carry the capability from router to router across the targeted regions. In parallel, the operators use smishing to lure users in other regions to a phishing site that harvests their information.
READ THE STORY: Gadget
Items of interest
US telecom giant impacted in vendor breach
FROM THE MEDIA: Charter Communications, the second largest cable operator in the US, recently reported a data breach allegedly caused by one of its third-party vendors. Details like when the breach occurred and when impacted customers will be notified are still unclear. This breach comes shortly after the FCC voted unanimously to consider changes to the telecom breach notification rules in order to better protect customers from data leaks. It is clear that the current rules, created over fifteen years ago, are no longer suitable for a world where telecommunication companies are privy to a large amount of customer data, and it is essential that the rules be updated to reduce the impact of future breaches.
READ THE STORY: The Cyberwire
How Russia is Attacking Ukraine With the Dark Web (Video)
FROM THE MEDIA: The video discusses how Russia is attacking Ukraine with the Dark Web, which is a small part of the web where people sometimes go to avoid being found. Hackers who adhere to a "code of criminality" may be more likely to engage in politically motivated attacks, and both Ukraine and Russia are currently employing teams of cyber security experts to monitor the Dark Web.
Cyber expert warns Iranian and Russian hackers will 'embarrass' politicians (Video)
FROM THE MEDIA: The video discusses the dangers of cyberattacks and offers advice on protecting yourself. Ciaran Martin, former chief executive of the UK's National Cyber Security Centre (NCSC) and now a professor at the Blavatnik School of Government, University of Oxford, warns that malicious actors are after political influence and notes that the government has issued an advisory to people in the relevant sectors. The video also covers how to detect cyberattacks.
These open-source summaries are compiled by analysts at InfoDom Securities and provide context on current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in the original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com