Wednesday, February 01, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software
FROM THE MEDIA: Recently, two new supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, which when exploited, can allow threat actors to obtain remote code execution and unauthorized device access with superuser permissions. These two vulnerabilities, CVE-2022-26872 and CVE-2022-40258, add to three other vulnerabilities disclosed in December and are exploitable only in scenarios where the BMCs are exposed to the internet or in cases where the threat actor has already gained initial access into a data center or administrative network by other methods. Gigabyte, Hewlett Packard Enterprise, Intel, and Lenovo have all released updates to address the security defects in their devices, while NVIDIA is expected to ship a fix in May 2023.
READ THE STORY: THN
Russia’s cyberwar against Ukraine offers vital lessons for the West
FROM THE MEDIA: The full-scale invasion of Ukraine by Vladimir Putin has demonstrated the complex nature of modern warfare, which includes cyberattacks directed at civilians and critical infrastructure. Ukrainian officials have asked the International Criminal Court (ICC) in The Hague to investigate whether these Russian cyberattacks could constitute war crimes. The ICC's decision could open the door to potential prosecutions and reparations for the victims. To oppose Russia and other authoritarian regimes, defense doctrines must be adapted to the requirements of the times, international legal approaches to the legal definition of aggression should be revised, and international companies should leave the Russian market.
READ THE STORY: Atlantic Council
How the war in Ukraine has strengthened the Kremlin’s ties with cybercriminals
FROM THE MEDIA: Since Russia's full-scale invasion of Ukraine in February 2022, its law enforcement agencies, intelligence services, and military have been found to be in "established and systematic relationships" with hacking groups. These relationships have been used to amplify and coordinate cyber and information operations, with financially motivated hackers aiding the interests of the Russian state. Hacktivist groups have also emerged, many of which are linked to the Russian government and are used to provide a veneer of plausible deniability for operations against Western countries.
READ THE STORY: The Record
‘Backdoor’ to Attack Satellites: CSO Sees Cyber Risks in Space Force Ground Systems
FROM THE MEDIA: General Saltzman has emphasized the importance of understanding the interconnectivity between space and cyber warfare, particularly following the Russia-Ukraine war. He has been pushing for the Space Force to establish its own component within U.S. Cyber Command, and believes that the ground networks that communicate with satellites pose a "backdoor" risk through which adversaries could potentially attack space capability. He has also noted the importance of training, logistics, sustainability, and operational concepts for the Space Force to be an effective fighting force. His initiative to reach out to the field with his C-notes and other means is not meant to be prescriptive, but to set the mark for what needs to be accomplished.
READ THE STORY: Air & Space Forces
Developers are in high demand in the cybercrime underworld
FROM THE MEDIA: Kaspersky's research into job postings on dark web forums revealed that developers are the most in-demand role, with some groups offering upwards of $20,000 a month for their services. This highlights the increasing professionalism of some cybercriminal and state-sponsored hacking groups, some of which even have HR departments and conduct job interviews. The analysis also shows why some hackers may be tempted to cross over to malicious work: the median monthly salary for IT-related jobs ranged from $1,300 to $4,000, and 17% of the ads were posted by people looking for work rather than by employers. However, not all job listings were necessarily criminal or illicit, as some were for potentially legal positions that comply with national laws.
READ THE STORY: AXIOS
Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years
FROM THE MEDIA: TrickGate, a shellcode-based packer, has been successfully utilized for over six years by threat actors to deploy a range of malware, such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil. It has been able to avoid detection by frequently changing its wrapper code, making it a "master of disguises". It is offered as a service to other threat actors and has been observed primarily targeting the manufacturing sector and to a lesser extent, education, healthcare, government, and finance verticals. The infection chain involves sending malicious attachments or links which lead to the download of a shellcode loader that's responsible for decrypting and launching the payload. DTPacker is another packer-as-a-service which is .NET-based and has been associated with multiple cybercrime actors since 2020, using phishing emails as an initial infection vector and two Donald Trump-themed fixed keys for decoding.
READ THE STORY: THN
Pro-Russian DDoS attacks raise alarm in Denmark, U.S.
FROM THE MEDIA: Recent DDoS attacks by pro-Russian hacking groups have raised alarm in both the United States and Denmark, with incidents targeting websites of hospitals and government offices in both countries. The DDoS attacks are becoming increasingly more powerful and severe, and often overlap with ransomware and data theft attacks. The attacks are fueled by vulnerable devices and the proliferation of IoT devices, and the recruitment of new members through popular Telegram channels. Law enforcement has taken action to seize domains used by DDoS-for-hire services, but its impact on hacktivist operations is still unclear.
READ THE STORY: The Record
Hacked Electrify America Charger Exposes Major Cybersecurity Risk
FROM THE MEDIA: The recent incident involving a security loophole in an Electrify America charger has highlighted the need for better security protocols in the EV charging space. With the increasing trend of connected devices, security risks in the EV space are on the rise. Hackers can exploit loopholes in nationwide charging networks and cause serious damage, ranging from remotely starting an EV or stealing personal data to sabotaging the grid and cutting off access to drivers. Charging providers will need to prioritize the safety of customer data to ensure drivers are not vulnerable to such security threats.
READ THE STORY: ScreenRant
Russian hackers used new malware to target Ukrainian energy sector
FROM THE MEDIA: In this report, ESET researchers describe various malicious activities conducted by APT groups around the world, including the deployment of destructive wipers and ransomware. Notably, a Russian-aligned APT group targeted an energy sector company in Ukraine with a data-wiping malware at the same time as Russian armed forces were launching missile strikes targeting the same country's energy infrastructure. This suggests the group and the military forces may have had related objectives. In addition, other APT groups were targeting high-profile government entities, financial services, and cryptocurrency firms and exchanges. The intelligence shared in this report is based mostly on proprietary ESET telemetry and has been verified by ESET Research.
READ THE STORY: AXIOS
Maryland hospital facing outages after ‘significant’ ransomware attack
FROM THE MEDIA: Atlantic General Hospital in Maryland and Lutheran Social Services of Illinois have both experienced cybersecurity incidents, with the former experiencing network disruptions and outages, and the latter leading to the disclosure of 184,000 individuals' data. Additionally, LockBit has targeted the healthcare sector with their ransomware, and UCHealth and UCLA Health have both had data stolen via third-party vendors and analytics tools, respectively. These incidents demonstrate the need for increased security measures in the healthcare sector to protect both patients and providers.
READ THE STORY: SCMAG
Microsoft: Over 100 threat actors deploy ransomware in attacks
FROM THE MEDIA: Microsoft recently revealed that over 100 threat actors are deploying ransomware in attacks, utilizing 50 unique ransomware families. The attackers are targeting servers and devices that have not been patched against vulnerabilities, relying on tactics such as malvertising, phishing, and exploiting Exchange Server flaws. This year's ransomware revenue has dropped by 40%, likely due to victims refusing to pay the attackers' ransom demands. However, the FBI, DoJ, Secret Service, and Europol have recently seized data from the Hive ransomware gang, including decryption keys, communication records, and malware file hashes, in an attempt to curb the ransomware threat.
READ THE STORY: BleepingComputer
New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector
FROM THE MEDIA: Russia-affiliated Sandworm is deploying destructive wiper malware, such as SDelete, as its cyber weapon of choice to cause irrevocable damage to targeted organizations in Ukraine. The attacks have been linked to missile strikes orchestrated by the Russian armed forces, and other Russian state-sponsored outfits have engaged in parallel efforts to cripple Ukrainian infrastructure via spear-phishing campaigns designed to facilitate backdoor access and credential theft. With the Russo-Ukrainian war entering its twelfth month, it remains to be seen how the conflict evolves in the cyber realm.
READ THE STORY: THN
How Can Disrupting DNS Communications Thwart a Malware Attack?
FROM THE MEDIA: Malware is a major threat to companies, especially those in the healthcare industry, as it can lead to legal, reputational and financial repercussions. Most security solutions are unable to stop all threats at the gate, and these threats can even gain access to networks through physical access. While there is no 'magic bullet' to protect against all malware, the Domain Name System (DNS) is a shared Achilles' heel that can be used as a choke point in the fight against cyber threats. By employing a protective DNS solution, network administrators can monitor DNS traffic for indicators of malicious activity and then take action to disrupt it.
READ THE STORY: DARKReading
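The story above describes protective DNS as a choke point: resolver logs are watched for indicators of malicious activity and offending queries are blocked. The following is an added example of that monitoring logic, not code from the article or from any protective-DNS product. It runs three defender-side checks over a constructed BIND-style query log: a match against a (constructed) threat-intel blocklist, a high-entropy-label heuristic for DGA-style hostnames, and a long-label TXT-query heuristic for DNS tunnelling. The domain names, client addresses and thresholds are all assumptions chosen for illustration.

```python
"""Toy protective-DNS monitor: scan resolver query logs for indicators.

Added example; the log lines, blocklist and thresholds are constructed.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in BIND "queries" log format (not real traffic).
SAMPLE_LOG = """\
01-Feb-2023 09:12:01.110 client 10.0.0.12#51234: query: www.example.com IN A + (10.0.0.1)
01-Feb-2023 09:12:02.220 client 10.0.0.12#51235: query: updates.microsoft.com IN A + (10.0.0.1)
01-Feb-2023 09:12:05.333 client 10.0.0.44#40001: query: evil-c2.example.net IN A + (10.0.0.1)
01-Feb-2023 09:12:07.444 client 10.0.0.44#40002: query: xq7pk3v9zt1mrl.example.org IN A + (10.0.0.1)
01-Feb-2023 09:12:09.555 client 10.0.0.44#40003: query: 4d6b3f2a1c9e8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c.tun.example.org IN TXT + (10.0.0.1)
"""

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"evil-c2.example.net"}

# Heuristic thresholds (assumptions; tune against your own baseline).
DGA_MIN_LABEL_LEN = 12
DGA_MIN_ENTROPY = 3.5
TUNNEL_MIN_LABEL_LEN = 32

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class Verdict:
    client: str
    qname: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(qname: str, qtype: str) -> str:
    """Return a reason string for a suspicious query, or "" if it looks benign."""
    name = qname.rstrip(".").lower()
    # 1. Exact or subdomain match against the blocklist.
    if name in BLOCKLIST or any(name.endswith("." + b) for b in BLOCKLIST):
        return "blocklisted domain"
    label = name.split(".")[0]
    # 2. Very long leftmost label carried in a TXT query: classic tunnelling shape.
    if qtype.upper() == "TXT" and len(label) >= TUNNEL_MIN_LABEL_LEN:
        return "possible DNS tunnelling (long label, TXT)"
    # 3. Long, high-entropy label: DGA-like hostname.
    if len(label) >= DGA_MIN_LABEL_LEN and shannon_entropy(label) > DGA_MIN_ENTROPY:
        return "DGA-like label (high entropy)"
    return ""


def scan(log_text: str) -> list[Verdict]:
    """Parse each query log line and collect the ones worth blocking or alerting on."""
    hits: list[Verdict] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than fail
        reason = classify(m["qname"], m["qtype"])
        if reason:
            hits.append(Verdict(m["client"], m["qname"], reason))
    return hits


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"{v.client:<12} {v.qname:<70} {v.reason}")
```

In a real deployment the blocklist would be fed from a threat-intelligence source and the two heuristics would be tuned against the organisation's own query baseline, since CDN and cloud hostnames can also be long and random-looking; the point of the example is that all three checks need nothing more than the resolver's query log.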
Mimic ransomware abuses legitimate search tool
FROM THE MEDIA: Mimic ransomware is a new threat that has been targeting Russian- and English-speaking users since at least June 2022. It combines multiple running threads and abuses the Windows filename search tool called "Everything" to query filenames and extensions for encryption. Analysis of Mimic's code reveals that the threat actor behind it is resourceful and technically adept, having reused code from the leaked builder of the now-defunct Conti ransomware to capitalize on its various features, and even improved on it for more effective attacks. To protect against ransomware attacks, it is recommended to implement data protection, backup, and recovery measures, conduct regular vulnerability assessments and patch systems in a timely manner, and use a multilayered approach for guarding possible entry points into the system.
READ THE STORY: The Cyberwire
Novel malware leveraged in embassy-targeted APT29 attacks
FROM THE MEDIA: APT29, a state-sponsored Russian hacking group, has been identified as the source of the GraphicalNeutrino malware, which was used to target embassy-related individuals in October 2022. The malware has numerous anti-analysis capabilities, including sandbox evasion, API unhooking, and string encryption, as well as using the U.S. business automation service Notion as a command and control platform. Additionally, APT29 is also believed to have recently attacked an unnamed European diplomatic organization using Windows Credential Roaming feature, exploiting an arbitrary file write flaw to prompt remote code execution. These attacks highlight the importance of heightened security measures due to the ongoing war in Ukraine and the threat of APT29.
READ THE STORY: SCMAG
Reality check: Is ChatGPT really the next big cybersecurity threat?
FROM THE MEDIA: Since its release in November, ChatGPT has inspired a flurry of articles about its ability to write code and malware, leading to speculation about its potential to disrupt programming and cybersecurity. However, when researchers such as Marcus Hutchins and Checkpoint put ChatGPT to the test, they found that the tool was prone to errors and was unable to produce fully-fledged malware or code without prompting. The benefits for malicious hackers will therefore be marginal, as ChatGPT can provide introductory tips but not much more. On the other hand, LLMs can be used to craft more effective phishing emails and produce variants of existing malware, making it more difficult to attribute attacks. Despite the hype, experts agree that LLMs like ChatGPT will not be replacing human expertise anytime soon, but rather, will play a supporting role.
READ THE STORY: Cyberscoop
Auditing Kubernetes with Open Source SIEM and XDR
FROM THE MEDIA: Kubernetes is an open source container management solution that automates the deployment, scaling, and management of containerized applications. It is widely used by organizations to improve efficiency and enable the development of cloud-native applications. To ensure compliance with regulations and identify security risks, Kubernetes audit logs should be monitored. The Wazuh open source platform can be used to monitor, store, and index Kubernetes audit logs, supporting the identification of threats and anomalies. Wazuh also provides additional security capabilities for other components of an organization's infrastructure.
READ THE STORY: THN
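The story above recommends collecting Kubernetes audit logs and searching them for threats and anomalies. As an added example of what that analysis looks like (not code from the article, from Wazuh, or from the Kubernetes project), the script below reads kube-apiserver audit events in the `audit.k8s.io/v1` JSON-lines format and applies four defender-side rules: anonymous requests, reads of Secrets by non-`system:` identities, `pods/exec` calls, and 403 responses that can indicate privilege probing. The events, user names and namespaces are constructed; the rule thresholds are assumptions. The example also shows one edge case that trips up naive rules: the API server emits an event per stage, so only `ResponseComplete` events are evaluated to avoid double-counting.

```python
"""Toy Kubernetes audit-log analyser over audit.k8s.io/v1 Event JSON lines.

Added example; all events below are constructed, not real cluster data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed audit log, one JSON event per line as the JSON log backend writes it.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1", "stage": "ResponseComplete",
     "verb": "list", "requestURI": "/api/v1/namespaces/prod/pods",
     "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
     "objectRef": {"resource": "pods", "namespace": "prod"}, "responseStatus": {"code": 200}},
    # Same request seen at two stages: only the ResponseComplete copy should count.
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2", "stage": "RequestReceived",
     "verb": "list", "requestURI": "/api/v1/namespaces/prod/secrets",
     "user": {"username": "dev-alice"}, "objectRef": {"resource": "secrets", "namespace": "prod"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2", "stage": "ResponseComplete",
     "verb": "list", "requestURI": "/api/v1/namespaces/prod/secrets",
     "user": {"username": "dev-alice"}, "objectRef": {"resource": "secrets", "namespace": "prod"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3", "stage": "ResponseComplete",
     "verb": "create", "requestURI": "/api/v1/namespaces/prod/pods/web-0/exec?command=sh",
     "user": {"username": "dev-bob"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"},
     "responseStatus": {"code": 101}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a4", "stage": "ResponseComplete",
     "verb": "get", "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
     "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 403}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a5", "stage": "ResponseComplete",
     "verb": "create", "requestURI": "/apis/apps/v1/namespaces/prod/deployments",
     "user": {"username": "ci-bot"}, "objectRef": {"resource": "deployments", "namespace": "prod"},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a6", "stage": "ResponseComplete",
     "verb": "delete", "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterroles/admin",
     "user": {"username": "dev-carol"}, "objectRef": {"resource": "clusterroles", "name": "admin"},
     "responseStatus": {"code": 403}},
])

READ_VERBS = {"get", "list", "watch"}


@dataclass
class Alert:
    audit_id: str
    user: str
    reason: str


def check(event: dict) -> str:
    """Return a reason string if the event matches a rule, else ""."""
    user = (event.get("user") or {}).get("username", "")
    obj = event.get("objectRef") or {}
    verb = event.get("verb", "")
    code = (event.get("responseStatus") or {}).get("code", 0)
    if user == "system:anonymous":
        return "anonymous request"
    if obj.get("resource") == "secrets" and verb in READ_VERBS and not user.startswith("system:"):
        return "secret read by non-system user"
    if obj.get("resource") == "pods" and obj.get("subresource") == "exec":
        return "exec into pod"
    if code == 403:
        return "forbidden request (possible privilege probing)"
    return ""


def analyse(log_text: str) -> list[Alert]:
    """Parse JSON-lines audit output and return alerts for ResponseComplete events."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Each request is logged at several stages; evaluate it once, with its response.
        if event.get("stage") != "ResponseComplete":
            continue
        reason = check(event)
        if reason:
            alerts.append(Alert(event.get("auditID", "?"), (event.get("user") or {}).get("username", ""), reason))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_AUDIT_LOG):
        print(f"{a.audit_id} {a.user:<16} {a.reason}")
```

The rule order matters: the anonymous check runs first so that an anonymous 403 is reported as an unauthenticated request rather than as a generic probe, and the Secrets rule deliberately exempts `system:` identities because controllers read Secrets legitimately. Events only reach the rules if the audit policy records them at `Metadata` level or higher for the relevant resources, so the policy and the detection rules have to be designed together.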
The Journey to a Smart Grid: Funding and New Technology Make It Possible
FROM THE MEDIA: The prospects for a smart grid have improved significantly due to government investments, private sector innovations, and the development of artificial intelligence. Innovative technologies such as PMUs, advanced digital meters, and batteries are allowing for greater grid stability, better consumer reporting, and the storage of excess energy. The Department of Energy's Grid Resilience Innovative Partnership and Transmission Facilitation Program are the largest direct federal investments in critical infrastructure, and private companies are launching new systems that mitigate outages. Artificial intelligence is also being used to accurately predict demand and generation in order to improve the performance of the smart grid.
READ THE STORY: PowerMag
Firmware Flaws Could Spell 'Lights Out' for Servers
FROM THE MEDIA: AMI's MegaRAC Baseboard Management Controller (BMC) software, which is used for remote management of systems-on-chip (SoC) computing platforms, contains five vulnerabilities that could allow an attacker to gain remote access. This software is used by at least 15 major vendors, including AMD, Asus, ARM, Dell, EMC, Hewlett-Packard Enterprise, Huawei, Lenovo, and Nvidia, and can give attackers near total control of server hardware. Eclypsium, a hardware security firm, found the vulnerabilities and released three of them in December and two more this week in order to give AMI time to mitigate the issues. Despite patching from AMI and advisories from other vendors, it remains to be seen how quickly the flaws will be patched due to the glacial rate of firmware patching.
READ THE STORY: DARKReading
Unsecured CommuteAir server exposed the personal data of people in the US government's No Fly list
FROM THE MEDIA: A recent security incident revealed that an unsecured server owned by CommuteAir exposed the personal information of about 1,000 employees and tens of thousands of people who appeared on the US government’s “No Fly List” and “Selectee List”. The Transportation Security Agency (TSA) is currently investigating the incident due to the sensitive nature of the compromised information, and has issued a security directive to airports and air carriers reinforcing existing requirements for handling sensitive security information and personally identifiable information. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency and has also notified its employees.
READ THE STORY: TEISS
Hacker stole Hilton Hotel database that contained the data of about 500,000 loyalty program members
FROM THE MEDIA: Hilton Hotels recently admitted that a hacker had stolen a database of 3.7 million records from their network and uploaded it to a dark web forum, compromising the personal information of nearly 500,000 loyalty program members. Despite initially denying the breach, the hotel giant soon confirmed that the hacker’s claims were genuine. Cybersecurity experts have noted that the leisure and travel industry is particularly vulnerable to targeted attacks, and have recommended a multi-pronged defensive strategy incorporating traditional security controls and data-centric protections, such as tokenization and format-preserving encryption, to protect customer data.
READ THE STORY: TEISS
British government minister told council to keep quiet after ransomware attack
FROM THE MEDIA: The JCNSS is holding an inquiry into the effectiveness of the United Kingdom's national security strategy in addressing the threats posed by ransomware. Redcar and Cleveland Borough Council experienced a "catastrophic" ransomware attack in January 2020 which ultimately cost them £7 million ($8.6 million). Mary Lanigan, the leader of the council, revealed that they were told by a central government minister to not discuss the attack, putting them in a difficult position. The attack not only locked up the council's records, but shut down access to all electronic devices, causing devastating impacts on services. The Republic of Ireland also experienced a major ransomware attack in May 2021, with the HSE having to rely on the decryption key posted by the attackers on the dark web to recover their systems.
READ THE STORY: The Record
Illicit Telegram Groups: A New Dark Web Frontier
FROM THE MEDIA: The dark web has long been a hub for cybercriminal activity, but Telegram is emerging as an increasingly popular alternative for threat actors. This messaging app offers cybercriminals enhanced anonymity, encryption, and a way to harden their operations. Threat actors are using Telegram to trade stolen information, tools, or malware, hold victims of cyber attacks to ransom, and discuss their targets and tactics. To remain aware of the latest illicit sources, organizations must monitor both the dark web and messaging apps like Telegram.
READ THE STORY: Security Boulevard
Poser Hackers Impersonate LockBit in SMB Cyberattacks
FROM THE MEDIA: A recent cyberattack against SMBs across Northern Europe has revealed the presence of a copycat group impersonating the LockBit ransomware. Although the group did not have the same level of sophistication, it was still able to exploit an unpatched FortiGate firewall to encrypt the internal files of at least one organization. Fortunately, the company was able to restore its network from backups, but the incident demonstrates how important it is to patch vulnerabilities and other security flaws to prevent similar attacks.
READ THE STORY: DARKReading
US, Middle Eastern allies include cyber collaboration in Abraham Accords
FROM THE MEDIA: The U.S., its allies in the Middle East and North Africa, and Israel have announced an expansion to the Abraham Accords of 2020, which established diplomatic relations between Israel and some Arab countries. The expansion will include increased sharing of information on cyber threats, training staff in the cybersecurity field and conducting cross-border cybersecurity exercises. This collaboration is seen as a response to the rising digital threat from Iran and the illegal use of spyware tools by NSO Group, a leading Israeli cyber intelligence firm, to spy on dissidents, journalists and human right activists. The Biden administration has condemned the use of spyware and sanctioned spyware developers.
READ THE STORY: The Hill
Items of interest
Using a Flipper Zero to access API source code on IoT devices
FROM THE MEDIA: In this blog post, Dana Epp provides a detailed guide on how to use a Flipper Zero to gain access to the source code of an API running on an IoT device. By wiring up the GPIO pins, connecting to the Flipper Zero's USB-UART Bridge, and then interfacing with the device over a TTY, the reader can access the serial console of the device and gain access to the source code. This method is an effective, cost-efficient way to access the vulnerable APIs on IoT devices.
READ THE STORY: SecurityBoulevard
A.I. Writing .NET C# Code - ChatGPT (Video)
FROM THE MEDIA: In this video, the presenter demonstrates how AI can be used to generate code for .NET applications, such as a calculator app, a controller, and a web API. They also show how to use different Swagger implementations to generate code, as well as how to use a command line tool to test the service. Ultimately, the video highlights the potential of AI to help developers write better code.
Can AI Create a Minecraft Hack (Video)
FROM THE MEDIA: This video provides an overview of how AI can be used to create a hack that bypasses the flying check in Minecraft. It demonstrates how to use the add velocity and set position methods to prevent the player from being kicked for floating too long and provides additional examples of how this can be done in more effective ways. Additionally, the video provides an example of how a hack can be used to bypass checkpoints in Minecraft servers.
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com