Thursday, February 02, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
FROM THE MEDIA: In the past six months, state-sponsored threat groups have been increasingly using ransomware and other malicious techniques to hide their activities and target organizations from Western countries. For example, the Russian APT group Sandworm used ransomware programs to destroy data multiple times and North Korea's Lazarus group used ransomware infrastructure for intelligence gathering campaigns. North Korean groups have also been observed using ransomware as a cover and to profit, such as the WannaCry ransomware worm of 2017 and the Maui ransomware to target the healthcare and public health sectors recently. It is clear that organizations from Western countries need to be aware of and prepared for an increased risk from APT activity.
READ THE STORY: CSO
Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows
FROM THE MEDIA: Pro-Russian hacktivist group Killnet launched distributed denial-of-service (DDoS) attacks on networks belonging to 14 major US hospitals, including Stanford Health, Michigan Medicine, Duke Health, and Cedars-Sinai, in retaliation against entities in countries perceived to be hostile to Russian interests in Ukraine. Despite causing only intermittent problems, the attacks are likely to garner Killnet more support from other like-minded hacktivists, and potentially fuel investments into its operations, making them more dangerous in the process. While the impact of these attacks remains questionable, the group's growing reach and skills make it a moderate risk that should not be underestimated.
READ THE STORY: DARKReading
Cyber attack at financial data group Ion affects derivatives trading
FROM THE MEDIA: Ion Markets, a Dublin-based software company, was hit by a ransomware attack on January 31, 2021, which has affected their post-trade processing services, such as trade matching and margin requirements. This cyber attack has caused slowdowns and manual labor on the part of traders who must now complete processes that would have been automated by ION Group’s software. The implications of the attack have been felt across global markets, with the Futures Industry Association (FIA) working with clearing firms, exchanges, and regulators to assess the impact on trading, processing, and clearing. The US Treasury has also stepped in to monitor the situation, while the London Metal Exchange and Euronext are both affected to varying degrees.
READ THE STORY: FT // The Record
Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover
FROM THE MEDIA: Researchers from Trellix revealed two security vulnerabilities in Cisco networking devices used in data centers, large enterprises, industrial factories, power plants, manufacturing centers, and smart city power grids that could give attackers unfettered access to these devices and the broader networks behind them. These bugs, CSCwc67015 and CVE-2023-20076, could allow attackers to remotely execute their own code, potentially overwrite most of the files on the device, and gain unauthorized root-level access. Organizations are encouraged to check for any abnormal containers installed on relevant Cisco devices, disable the IOx container framework if it is not used, and update to the latest firmware immediately to protect themselves.
READ THE STORY: DARKReading
New APT34 Malware Targets The Middle East
FROM THE MEDIA: Trend Micro has identified a suspicious executable (Trojan.MSIL.REDCAP.AD) that was dropped and executed on multiple machines and linked to the advanced persistent threat (APT) group APT34. This malware was used to steal users' credentials, as well as to send new credentials to the threat actors in case of a password reset or change. After analyzing the backdoor variant deployed, we found the malware capable of new exfiltration techniques, using compromised mailbox accounts to send stolen data from internal mailboxes to external mail accounts controlled by the attackers. We have identified data points and indicators that suggest APT34 carried out this attack, and that the group is still active in targeting countries in the Middle East with a special focus on compromising government entities.
READ THE STORY: Trendmicro
New Nevada Ransomware targets Windows and VMware ESXi systems
FROM THE MEDIA: Researchers from Resecurity have examined the capabilities of Nevada ransomware, a relatively new and quickly growing ransomware operation targeting Windows and VMware ESXi systems. Nevada has been promoted on the RAMP darknet forums, offering Russian and Chinese-speaking cybercriminals an 85% cut from paid ransoms. Its features include a Rust-based locker, real-time negotiation chat portal, separate domains in the Tor network for affiliates and victims, and a set of flags that give its operators some control over the encryption. Notably, Nevada ransomware uses the Salsa20 algorithm to perform intermittent encryption on files and appends the ".NEVADA" file extension to encrypted files. Resecurity researchers have provided a dummy prototype of a decrypter and have observed Nevada ransomware operators buying access to compromised endpoints and engaging a dedicated post-exploitation team to perform the intrusion. This threat should be closely monitored.
READ THE STORY: BleepingComputer
Google Fi data breach let hackers carry out SIM swap attacks
FROM THE MEDIA: Google Fi recently experienced a data breach in which personal data such as phone numbers, SIM card serial numbers, account status and mobile service plan details were exposed. This breach allowed threat actors to conduct SIM swap attacks on some customers, giving them access to the customer’s text messages, including MFA codes, allowing them to breach online accounts or take over services secured by a person’s phone number. Google has since notified customers of the breach and implemented measures to secure the data.
READ THE STORY: BleepingComputer
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
FROM THE MEDIA: HeadCrab is sophisticated malware that has been targeting Redis servers worldwide since early September 2021. It is a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions and is designed to target Redis servers exposed to the internet, which are then taken over by issuing a SLAVEOF command from another Redis server. Through an in-depth analysis of the malware and its payload, the paper highlights the dangers of exposing Redis servers to the internet and provides valuable advice on how to protect against this threat. Furthermore, the paper also discusses the weaponization of the master-slave technique for further propagation of the malware. This is an important analysis that provides useful insights into the security of Redis servers.
READ THE STORY: THN
Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware
FROM THE MEDIA: The Russian-sponsored hacker group Gamaredon is responsible for a large number of cyberattacks on Ukraine's government and critical infrastructure. Using malicious LNK files distributed in RAR archives, they gain initial access to the victim's network and deploy malware payloads to maintain persistence. They have been active since 2013 and use variants of PowerShell info-stealer malware known as GammaLoad and GammaSteel to steal user credentials, exfiltrate files, and take screenshots of the victim's computer. Gamaredon has also attacked Ukraine's allies, with Latvia being the latest victim. Ukraine's computer emergency response team CERT-UA is attempting to reduce the attack surface by implementing attack surface management measures.
READ THE STORY: The Record
US Treasury Expands Crypto Sanction List With More Russian Bad Actors
FROM THE MEDIA: The US Department of the Treasury's Office of Foreign Assets Control has blacklisted two Russians, Igor and Jonatan Zimenkov, and their crypto wallets over sanctions evasion. They provided sanctioned state-owned Russian defense entities with high-technology devices, and Jonatan's wallet contained 5,000 ETH from a large OTC wallet funded by a hedge fund with ties to FTX. This move follows the Treasury's recent sanction of Bitzlato, a Russian OTC-exchange service, for processing over $700 million worth of crypto from a darknet marketplace and ransomware gangs.
READ THE STORY: IHODL
GitHub resets code signing certificates following breach
FROM THE MEDIA: GitHub recently revealed that the code signing certificates on two of its repositories had been accessed and stolen by an unauthorized user. As a result, GitHub is revoking the exposed certificates and will be invalidating certain versions of GitHub Desktop for Mac and the source code editor Atom. Despite the breach, GitHub has concluded that there was no risk to its services and no malicious use of the certificates. However, to prevent potential misuse, GitHub is encouraging users to update their versions of Desktop for Mac and downgrade Atom before Thursday.
READ THE STORY: CyberSecurityDive
GoodRx to pay $1.5 million fine for sharing customer health info with Google, Facebook
FROM THE MEDIA: GoodRx, a telehealth and prescription drug discount provider, has agreed to pay a $1.5 million fine to the FTC for violating the Health Breach Notification Rule by failing to notify customers that it was sharing personal health information with advertising companies. The FTC's complaint noted that GoodRx had been sharing this sensitive data with Facebook, Google, Criteo, Branch and Twilio without informing customers, and that the company had falsely claimed to be compliant with HIPAA. In addition to the fine, GoodRx has been banned from sharing customer health information with third party advertisers, as well as using manipulative designs to obtain user consent. The FTC has been increasing its enforcement efforts in recent years, fining companies and warning makers of health apps and connected devices that collect health-related information about compliance with the Health Breach Notification Rule.
READ THE STORY: The Record
Space Force chief: Satellites are under threat, ‘we have to be ready’
FROM THE MEDIA: Gen. B. Chance Saltzman, U.S. Chief of Space Operations, recently announced his priorities for the coming year, with a focus on fielding "combat ready forces." To do this, the Space Force must be resilient, ready, and combat credible; training and testing infrastructure must be developed, with virtual simulators, training ranges, and digital twin environments; and personnel have to be trained and operational concepts validated. In addition, funding is being allocated in the 2024 budget for these initiatives and to buy the necessary equipment quickly. This is in response to the threats of anti-satellite warfare, cyber attacks, and electronic jamming of GPS signals, particularly from China.
READ THE STORY: SN
Microsoft disables phishing campaign after researchers flag OAuth app abuse
FROM THE MEDIA: Microsoft has disrupted a phishing campaign in which threat actors abused Microsoft's "verified publisher" status to access the cloud environments of certain organizations in the U.K. and Ireland. The attackers tricked users into granting permission to malicious apps, allowing them to gain persistent access to resources. Microsoft responded by disabling the applications and providing instructions for organizations to investigate potential compromises and take action to prevent further incidents. This case study provides a useful example of the pervasiveness of cybercrime and the steps organizations should take to protect their networks and data.
READ THE STORY: CyberSecurityDive
Lazarus Group Rises Again, to Gather Intelligence on Energy, Healthcare Firms
FROM THE MEDIA: Researchers discovered another Lazarus Group campaign that was carefully crafted to target valuable data in the medical research and energy verticals. The campaign wasn't simply a ransomware attack, but an espionage operation that leveraged a combination of public exploits, living-off-the-land techniques, and a web shell backed by a North Korean IP address. It's a reminder that Lazarus Group is still active, and that its motives are multi-faceted and ever-evolving.
READ THE STORY: DARKReading
T-Mobile CEO spins recent breach, says its cybersecurity chops ‘showed up’
FROM THE MEDIA: T-Mobile has recently been the target of multiple cyberattacks, including a critical incident identified as an attempt to access customer data through an API, which the company was able to shut down within 24 hours. Despite these breaches, T-Mobile is confident that its aggressive investments in cybersecurity over the last few years will help protect its customers from future attacks. Even so, the repeated attacks highlight the security challenges that T-Mobile still faces and make it a high-profile target for cybercriminals. Going forward, the company must invest in better visibility and controls to ensure that customer data remains secure.
READ THE STORY: CyberSecurityDive
Here’s who intelligence insiders tip for the next GCHQ director
FROM THE MEDIA: In the search for a new leader of the U.K. intelligence community, a handful of potential candidates from a variety of backgrounds have been tipped for the position. The recruitment process is highly secretive and is conducted internally, insulated from political interference. Among the potential candidates are the Deputy Directors General at MI5 and MI6, the Director General for Defense and Intelligence at the Foreign Office, the Director General for Technology at GCHQ, the former Director of the Office for Security and Counter-Terrorism at the Home Office, the former British Ambassador to Israel, and the inaugural Director General of the Homeland Security Group.
READ THE STORY: The Record
Experts Warn of 'Ice Breaker' Cyberattacks Targeting Gaming and Gambling Industry
FROM THE MEDIA: There is a new attack campaign targeting the gaming and gambling sectors. Israeli cybersecurity company Security Joes has been tracking the activity cluster under the name Ice Breaker, noting that the adversary employs clever social engineering tactics to deploy a JavaScript backdoor. The threat actor poses as a customer to initiate a conversation with a support agent in order to persuade them to open a malicious screenshot link, leading to the retrieval of a payload that downloads and runs a Node.js implant. In addition, the threat actor may deploy a VBScript-based remote access trojan known as Houdini. The exact origins of the threat actor are currently unknown; however, they have been observed using broken English during their conversations with customer service agents.
READ THE STORY: THN
Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility
FROM THE MEDIA: ImageMagick is an open source image processing software package commonly used by web services to process images. Recently, two security flaws in the software were identified which, if exploited, could lead to denial-of-service (DoS) and information disclosure. These vulnerabilities have been addressed in the latest version of ImageMagick, however, users of the software should still take steps to ensure they are protected from potential exploits. Additionally, users should be aware of previous vulnerabilities in the software, such as ImageTragick and shell injection, which can lead to remote code execution when processing user-submitted images.
READ THE STORY: THN
South Korea picks Vega C to launch satellite grounded by Russian sanctions
FROM THE MEDIA: South Korea has selected Arianespace's Vega C rocket to launch a multipurpose imaging satellite, KOMPSAT-6, due to sanctions imposed on Russia for invading Ukraine. This satellite will monitor the Earth from about 505 kilometers above the Earth’s surface with a resolution of 0.5 meters per pixel for five years. The satellite bus was developed by the state-funded Korea Aerospace Research Institute (KARI) while its payload was made by domestic aerospace manufacturers LIG Nex1 and Airbus Defence and Space. There are two other delayed Korean satellite missions, CAS500-2 and SNIPE, which are expected to be launched in the near future. Recently, a fire broke out at Naro Space Center during a test of a turbo pump, but no casualties have been reported.
READ THE STORY: SN
Canada’s Power Nickel to Use Fleet Space Satellite-Based Mineral Exploration System
FROM THE MEDIA: Fleet Space Technologies, a leader in satellite-based mineral exploration systems, has partnered with Power Nickel, a Canadian metal exploration company, to deploy their ExoSphere technology at Power Nickel's NISK project in Quebec. This advanced technology combines ambient noise tomography (ANT) with a constellation of low-Earth orbit (LEO) satellites to quickly and accurately map vast areas of land with minimal environmental disruption, making it an invaluable tool for discovering new nickel deposits in support of Canada's transition to clean energy. This partnership is a great example of how technology and responsibility can work together to achieve positive outcomes.
READ THE STORY: VS
Nearly All Firms Have Ties With Breached Third Parties
FROM THE MEDIA: This analysis from Cyentia Institute and SecurityScorecard highlights the significance of third- and fourth-party relationships for corporations, which can drastically increase their security risks. With the average firm having 60 to 90 times more fourth parties than third parties, and 98% of firms having at least one third-party partner who had suffered a breach, the report emphasizes the need for organizations to be aware of their extended risks and to take steps to reduce them.
READ THE STORY: DARKReading
US chipmaker to build semiconductor plant in Germany
FROM THE MEDIA: Wolfspeed, a US semiconductor producer, has announced plans to build a €3bn factory in the west German region of Saarland to produce silicon carbide chips for electric vehicles and industrial use. The move has been welcomed by senior German officials as a sign that Europe can compete against the US in green investments, and is an attempt to reduce the EU's vulnerability to supply chain disruption and dependence on nations such as the US and Asia. The factory is expected to employ about 600 people when fully operational and contribute to stabilizing supply chains and accelerating the transition to new forms of transport.
READ THE STORY: FT
New Marine information command aims to sync up data operations
FROM THE MEDIA: The Marine Corps has recently activated a two-star command to better coordinate its information operations and simplify the coordination burden of the Force Design 2030 plan. This new command, the Marine Corps Information Command, is led by Maj. Gen. Ryan P. Heritage and takes over some units previously assigned to the Deputy Commandant for Information. This command is expected to synchronize global cyber, space, influence and intelligence effects for the service and Fleet Marine Force.
READ THE STORY: C4ISRNET
Rapid7’s Metasploit Framework 6.3 is now available
FROM THE MEDIA: Rapid7's latest release of Metasploit Framework 6.3 provides native support for Kerberos authentication and incorporates new modules for Active Directory attacks and streamlining of Kerberos and Active Directory attack workflows. With this release, users can authenticate themselves on multiple services through Kerberos, request, forge and convert tickets between formats for use in other tools, and store tickets in the Metasploit database as loot. This capability is vital for allowing pen testers and security researchers to demonstrate risks to clients and the public.
READ THE STORY: Security Brief (NZ)
Firebrick Ostrich and business email compromise
FROM THE MEDIA: This article from Abnormal Security details the techniques used by the BEC gang Firebrick Ostrich to launch more than 350 third-party reconnaissance attacks since April 2021. These attacks rely on open-source information, such as government contracts and vendor websites, to impersonate vendor organizations in order to trick customers into paying fake invoices. The attackers target a wide range of industries, usually impersonating the company's Chief Financial Officer. Erich Kron, security awareness advocate at KnowBe4, emphasizes the importance of employee education and awareness in order to protect against these attacks.
READ THE STORY: The Cyberwire
Arnold Clark customer data stolen in attack claimed by Play ransomware
FROM THE MEDIA: Arnold Clark, Europe's largest independent car retailer, recently suffered a cyberattack by the Play ransomware group on December 23, resulting in the theft of customers' personal information such as names, contact details, dates of birth, vehicle details, ID documents, National Insurance numbers and bank account details. The company has since disconnected from the Internet and is in the process of restoring its systems in a new segregated environment. Customers have been warned of potential phishing attacks and advised to be wary of suspicious emails. Arnold Clark is also in communication with the police and relevant authorities to better understand the extent of the incident and to protect other companies from similar situations.
READ THE STORY: BleepingComputer
Cybersecurity organizations fight back against rise of Emotet and Omnatuor malvertising
FROM THE MEDIA: In this article, the authors examine the current state of the Emotet and Omnatuor malware threats, which have been of increasing concern to the cybersecurity community. Through a combination of advanced tactics, such as email conversation thread hijacking, the malware can evade detection and spread rapidly through networks. The authors discuss the importance of robust security measures to protect against these threats, including awareness training, endpoint detection and response, and sandboxing. Additionally, they discuss the role of AI and ML in cybersecurity, and recommend that organizations employ risk management tools with AI and ML to detect threats and ensure applications can react to them.
READ THE STORY: VB
Solving Problems With The IoT
FROM THE MEDIA: The Internet of Things has become increasingly popular and complex over the past few decades, with applications covering almost every consumer, commercial, and industrial segment. The IoT has the potential to solve many problems, such as energy efficiency, safety in manufacturing, and prevention of power-grid attacks, but it also poses security risks. To mitigate these risks, organizations have proposed various standards and protocols, such as ETSI, Matter, LoRaWAN, and the IoT Artificial Intelligence Framework. Security is of utmost importance in IoT, and developers must stay vigilant in order to ensure their devices are secure.
READ THE STORY: Semiconductor Engineering
Dronetag launches the Most Compact OEM Solution for Standard Remote ID and C-class Drones
FROM THE MEDIA: Dronetag has launched its most compact OEM solution for standard remote ID and C-class drones. This solution allows users to easily identify drones and provides a secure platform for data exchange. The article also highlights the benefits of the solution, such as its flexibility, scalability, and cost-effectiveness. This is an important advancement in the drone industry and could have positive implications for users and manufacturers.
READ THE STORY: sUAS News
Items of interest
Flipper Zero: How to install third-party firmware (and why you should)
FROM THE MEDIA: The Flipper Zero is an all-purpose, pocket-sized hacking and penetration testing tool that looks like a kid's toy. It has a built-in infrared transceiver, sub-GHz wireless antenna, NFC, RFID, iButton, and GPIO connectors, and is powered by a dual-core ARM processor. It can be used to hack the planet, control TVs, operate wireless devices, access control systems, emulate EM-4100 and HID Prox RFID cards, and read, write, store, and emulate NFC tags. It can also be extended by installing custom third-party firmware, which can expand its features and functionality far beyond what is possible out of the box. With its affordability and portability, the Flipper Zero is an interesting device for exploring and experimenting with NFC and RFID technologies.
READ THE STORY: ZDNET
Warflying! Hack WiFi from the Sky (Video)
FROM THE MEDIA: This video provides an overview of the process of using a drone to collect data from wireless networks and map it to Google Earth, with the help of a Raspberry Pi, Kismet, and Google Earth. It demonstrates the steps needed to establish connectivity to the Raspberry Pi and capture data from wireless networks, and how to use Google Earth to view the data.
Top 3 Burp Suite Plugins for a More Collaborative Workflow (Video)
FROM THE MEDIA: This video provides an introduction to three Burp Suite plugins that can be used to improve collaboration within a team. Pen Test Mapper, API Mapper, and Replicator provide a comprehensive set of tools for tracking and reporting on vulnerability scans, replicating specific API calls, and keeping track of conversations related to a given issue. These tools can help teams collaborate quickly and easily on security issues.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com