Friday, February 03, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Russia Developing Weapons to Target Critical Subsea Cables, Pipelines
FROM THE MEDIA: In the face of Russia's development of new capabilities to target critical subsea infrastructure such as pipelines and cables, Western naval forces are having to adapt to this new threat. This was brought into sharp relief in September when the Nord Stream pipelines were damaged by suspected sabotage. In response, Britain has announced plans to enhance its undersea defense capabilities while NATO and the European Union launched a joint task force on protecting critical infrastructure. Analysts such as Sidharth Kaushal of Britain’s Royal United Services Institute are encouraging the West to clarify its rules of engagement in order to effectively address this growing vulnerability.
READ THE STORY: VOA
New High-Severity Vulnerabilities Discovered in Cisco IOx and F5 BIG-IP Products
FROM THE MEDIA: F5 has warned of a high-severity flaw affecting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution. The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects various versions of BIG-IP. A format string vulnerability in iControl SOAP could allow an authenticated attacker to crash the process or execute arbitrary code as root. Cisco also released updates to fix a flaw in the Cisco IOx application hosting environment (CVE-2023-20076, CVSS score: 7.2) that could permit an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. Trellix also found a security check bypass during TAR archive extraction that could allow an attacker to write to the underlying host operating system as the root user.
READ THE STORY: THN
China to build satellite ground stations in Antarctica
FROM THE MEDIA: China is constructing new ground station facilities at its Zhongshan research base in Antarctica to support satellite data acquisition. The project, which will cost 43.95 million yuan ($6.52 million), involves four radome-covered antennas. It is part of a long-term marine economic development plan and could be used for military purposes such as receiving remote sensing, weather, surveillance and other data faster than before. Concerns have been raised internationally about China's construction of ground stations, even though other countries with research stations in Antarctica also operate them. China's launch rate has increased significantly in recent years, leading to a greater need for ground station support infrastructure.
READ THE STORY: SN
Ukraine’s Coming Electricity Crisis: How to Protect the Grid from Russian Attacks
FROM THE MEDIA: Ukraine's electric grid is under attack by Russia, with the potential to cause a total system collapse. This could lead to devastating consequences such as humanitarian and refugee crises, nuclear reactor meltdowns, flooding, and food shortages. The West has the capability to avert this disaster by providing swift and targeted aid for the country’s electric grid. Russia is familiar with Ukraine's vulnerabilities and has been attacking vital transmission nodes, leading to rolling blackouts throughout the country. If Western democracies do not rise to this challenge, it could give confidence to bad actors that striking electrical infrastructure is the best way to bring a country to its knees.
READ THE STORY: Foreign Affairs
Dragos CEO on Opening Execs' Eyes to OT Security Threats
FROM THE MEDIA: Executives have become increasingly aware of the security risks associated with operational technology (OT) networks as COVID-19 has made them more connected than ever before. This has led to an increase in human-operated ransomware attacks targeting OT systems, which are often less protected than IT systems. Dragos CEO Robert M. Lee says this is causing executives to focus more on securing their OT environments. Lee, who is a highly respected authority in the industrial cybersecurity community, serves on the Department of Energy's Electricity Advisory Committee and the World Economic Forum's subcommittees on Cyber Resilience for Oil and Gas and Electricity.
READ THE STORY: BankInfoSec
Hackers Breached Multiple Federal Agencies via Remote Monitoring and Management Software
FROM THE MEDIA: U.S. federal agencies issued a joint cybersecurity advisory warning that hackers are leveraging legitimate remote monitoring and management software to compromise federal networks in widespread helpdesk-themed phishing campaigns. The malicious actors use the software to gain persistence and evade malware detection on federal networks. CISA, NSA, and MS-ISAC recommended implementing email security rules, employee security awareness training, auditing RMM software, monitoring RMM software logs, and blocking remote connections over standard ports to protect against such attacks.
READ THE STORY: CPO
Cyber Attacks Are Not the Only Threat to Power Infrastructure
FROM THE MEDIA: The number of physical attacks on U.S. power grids rose to an all-time high last year, putting the network at risk in more than three dozen states and affecting about 90,000 customers. The majority of these disturbances are acts of vandalism or other suspicious activity, but cyber events have also been reported. Regulators, federal authorities and the industry have been working to identify the most vulnerable components of the grid to prevent big blackouts. Last year, a small plane that got tangled in transmission tower wires in Maryland caused power outages, and substations belonging to Duke Energy Corp. and operations of Exelon Corp. were threatened.
READ THE STORY: GOVTECH
MITRE Launches Cyber Resiliency Engineering Framework Navigator
FROM THE MEDIA: MITRE released the Cyber Resiliency Engineering Framework (CREF) Navigator™, a free visualization tool that helps organizations better structure their cyber resiliency strategies and aligns with NIST SP 800-160, Volume 2 (Rev. 1). The tool provides engineers with access to searchable and visualized data, allowing them to make informed decisions when designing resilient cyber solutions. It also integrates with MITRE ATT&CK® techniques and mitigations found in ATT&CK and the NIST SP 800-160 Volume 2 (Rev. 1) appendices. Future enhancements are planned for automated support for organizations interested in building stronger defenses for their critical infrastructure.
READ THE STORY: NewsWires
When Hackers Hobbled Ireland’s Hospitals, They Took Themselves Down, Too
FROM THE MEDIA: In March 2021, hackers attacked Ireland's public-health system, encrypting reams of data and demanding a $20 million ransom. The government refused to pay, but the hackers eventually backed down without receiving any money. The attack caused immense disruption and suffering, as hospitals struggled to keep track of patient information and provide treatment without their computers. It also had devastating effects on Conti, the criminal group responsible, as some of its members were spooked by the more visceral consequences of the attack. In the end, Conti disbanded in May 2022, with many of its hackers joining other gangs.
READ THE STORY: Bloomberg
Hackers linked to North Korea targeted Indian medical org, energy sector
FROM THE MEDIA: Security researchers have attributed a cyberattack on public and private sector research organizations, an Indian medical research firm, and other businesses in the energy sector to North Korea's Lazarus Group. The attackers were focused on intelligence gathering and used two bugs affecting the Zimbra mail server to gain access. The tools used by the group were similar to tools used by other North Korean military arms, and WithSecure was able to tie the campaign to several other victims after an investigation. The U.S. State Department has offered a reward of up to $5 million for information about actors connected to North Korean digital operations, which are responsible for $1.7 billion worth of cryptocurrency thefts.
READ THE STORY: The Record
Soon AI will battle AI in cyberspace, Israeli experts predict
FROM THE MEDIA: AI can create an infinite amount of content in seconds, and experts are already warning of AI-based cyberattacks. Cybersecurity experts have raised concerns about generative AI, which can be used to create sophisticated phishing campaigns and ransomware attacks. Companies are relying on AI for defense purposes, such as autonomously mapping, detecting and investigating exposures in companies' critical information assets. Ultimately, it may require a whole new set of capabilities for AI to independently and autonomously manage the defense campaign against an AI-based attack.
READ THE STORY: JPOST
New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities
FROM THE MEDIA: The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country. The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, uses the GammaLoad and GammaSteel spyware in its campaigns to steal sensitive information. CERT-UA has attributed a similar malicious campaign to a threat actor it calls UAC-0114, which is also known as Winter Vivern. Additionally, Trellix recorded a 20-fold surge in email-based cyber attacks on Ukraine’s public and private sectors in November 2022, with Houdini RAT, FormBook, Remcos, and Andromeda being the most commonly used malware families.
READ THE STORY: THN
Russian Hackers Focused on Espionage, Not System Destruction
FROM THE MEDIA: Gamaredon, a Russian-sponsored APT group, has been using modified variants of the GammaLoad and GammaSteel info-stealer malware in its latest campaign against Ukrainian state authorities and critical information infrastructure entities. The attack begins with a phishing email containing malicious LNK files stored in RAR archives. Both malware variants are designed to abuse trusted, signed system utilities and maintain persistence on the victim's system. They are used to steal valuable information from the victims and send it to the Gamaredon command-and-control server.
READ THE STORY: BankInfoSec
Google ads push ‘virtualized’ malware made for antivirus evasion
FROM THE MEDIA: SentinelLabs has recently spotted a Google Ads malvertising campaign that is spreading malware installers that use KoiVM virtualization technology to evade detection when installing the Formbook data stealer. The KoiVM virtualization framework obfuscates code so that it can only be understood by its virtual machine, which translates the code back into its original form at runtime. This virtualization technique makes malware analysis difficult and enables the malware to bypass static analysis mechanisms. In addition, the MalVirt loaders use invalid digital signatures and other techniques, such as patching the AmsiScanBuffer function, Base64 encoding and AES encryption of strings, and the use of a signed Microsoft Process Explorer driver loaded at system start-up, to dodge detection. Formbook itself hides its real C2 traffic and IP addresses by mixing them with encrypted, encoded "smokescreen" HTTP requests.
READ THE STORY: BleepingComputer // The Register
OneNote Documents Increasingly Used to Deliver Malware
FROM THE MEDIA: Proofpoint recently reported an increase in threat actors' use of Microsoft OneNote documents as a mechanism for delivering malware by email. In December 2022, six campaigns were observed maliciously using OneNote documents; last month that number rose to 50 campaigns. These attacks span many sectors and have impacted organizations globally. TA577 was observed using this method to distribute Qbot malware at the end of January 2023. OneNote documents contain embedded files that require user interaction to be executed, and they are not detected by numerous anti-virus vendors on VirusTotal.
READ THE STORY: The Cyberwire
Pentagon Says It Detected a Chinese Spy Balloon Hovering Over Montana
FROM THE MEDIA: The United States has detected a Chinese surveillance balloon hovering over the northwestern part of the country, the Pentagon said. President Biden chose not to shoot it down due to the risk of debris hitting people on the ground. Canada is also tracking the balloon, and senior U.S. officials have warned their Chinese counterparts about the incident. F-22 fighter jets were sent to track the balloon, leading to flights being temporarily grounded at the Billings airport. The balloon has raised tensions between the two countries ahead of Secretary of State Antony J. Blinken's visit to Beijing. Lawmakers have called for the Biden administration to take action to counter any threat posed by the balloon.
READ THE STORY: The New York Times
A crypto merger in the shadow of war
FROM THE MEDIA: Tech CEO Vlad Panchenko is optimistic about the future of Web3 and Mythical despite recent setbacks. He was forced to charter a plane to fly his employees out of Ukraine as war broke out, and has since set up DMarket in Montenegro and Lisbon. He believes that gamers will be drawn to Web3 games once they see them functioning well, but he understands their wariness towards NFTs. His optimism is driven by his own experience with Ultima Online, and he is certain that two plus two will always equal four.
READ THE STORY: AXIOS
US Cyber Diplomat Calls for Bolstering American Advantage in Global Tech Policy
FROM THE MEDIA: Nathaniel Fick, the U.S. ambassador at large for cyberspace and digital policy, has said that it is critical for the U.S. to strengthen its foreign policy on technology topics in order to maintain global leadership and counter adversarial nations. This includes more effectively promoting the United States’ tech and cyber interests globally, bolstering American allies in support of shared diplomatic interests, and engaging with unaligned or “middle countries” on issues of internet governance. Domestic policy issues related to technology and cybersecurity have also begun to play a more prominent role in foreign affairs, such as with President Joe Biden’s call for federal data privacy protections. U.S. officials are also engaging with international allies to come to an agreement on export controls designed to limit China’s access to advanced semiconductors and related equipment.
READ THE STORY: NextGov
AIs as Computer Hackers
FROM THE MEDIA: Humans and computers traditionally have different strengths and weaknesses. Humans are smart but slow, while computers are fast but dumb. AI is not going to be able to do something new unless it can learn the rules of an environment, including a society within it, and distinguish between game rules and strategies of humans. This requires observation of games and learning from them. AI can find optimal strategies in bounded environments with fixed rules, but it may still be limited in its ability to recognize patterns beyond what it has already been trained on. To attack a system, AI must include some random element, such as a fuzzing tool, to account for the unknowns of the environment.
READ THE STORY: Security Boulevard
API Security Meets Government Regulators
FROM THE MEDIA: The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security. As more businesses move to the cloud and data moves through APIs, API-based attacks are on the rise. The ACSC recently added API vulnerabilities to its Information Security Manual (ISM). To combat these threats, organizations must take a unified and integrated approach to API protection that includes outside-in discovery, inside-out inventory, compliance monitoring, threat detection, threat prevention, and ongoing API testing. Cequence Unified API Protection helps organizations comply with regulations, industry requirements and security controls while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
READ THE STORY: Security Boulevard
Russia-Ukraine war has improved US cyber cooperation
FROM THE MEDIA: Nathaniel Fick, the U.S. ambassador at large for cyberspace and digital policy, said that the Russia-Ukraine war prompted the government to significantly increase its partnership with the private sector. He noted how public-private partnership in cyberspace helped Ukraine counter Russian cyberattacks. Last year, Microsoft announced that it had thwarted Russian cyberattacks targeting Ukraine, organizations in the United States and the European Union. The U.S. government has also stepped up its efforts to assist Ukraine and other Eastern European countries in shoring up their cyber defenses. Fick promised to focus on foreign threats, including Russian cyberattacks and the U.S.'s digital competition with China.
READ THE STORY: The Hill
Data breach at Vice Media involved SSNs, financial info
FROM THE MEDIA: Vice Media has suffered a data breach involving the sensitive information and financial data of more than 1,700 people. This includes Social Security numbers, financial account numbers, credit and debit card numbers, as well as access codes, passwords, and PINs. Victims are being offered 12 months of credit and identity monitoring services, identity restoration services, and up to $1 million in identity theft insurance through Equifax. People affected by the breach should review their credit reports and enroll in the free identity and credit monitoring services being offered.
READ THE STORY: The Record
Last year was the worst on record for crypto hacks, as North Korean groups cash in
FROM THE MEDIA: Cryptocurrency platforms were hit with a record-breaking $3.8 billion in cyberattacks in 2022, mostly targeting DeFi platforms. Much of the hacking activity was attributed to North Korean hackers, who stole $1.7 billion worth of cryptocurrency overall and laundered it through services like Tornado Cash and Sinbad. In December and January, they sent an additional $24.2 million to Sinbad alone. The trend is expected to continue, with companies encouraged to collaborate to prevent future attacks. These warnings came shortly after the BonqDAO hack, in which $120 million was allegedly stolen.
READ THE STORY: The Record
CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack
FROM THE MEDIA: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The first vulnerability is CVE-2022-21587, an issue impacting Oracle Web Applications Desktop Integrator, and the second is CVE-2023-22952, a missing input validation in SugarCRM that could lead to arbitrary PHP code injection. Federal Civilian Executive Branch agencies are required to apply the patches by February 23, 2023. Oracle strongly recommends that all organizations prioritize timely remediation of these vulnerabilities as part of their vulnerability management practice.
READ THE STORY: THN
Passion botnet cyberattacks hit healthcare, as actors offer threat as DDoS-as-a-service
FROM THE MEDIA: The Passion Group, affiliated with Killnet and Anonymous Russia, is offering DDoS-as-a-Service to pro-Russian hacktivists. The Passion Botnet was used in cyberattacks on January 27th targeting medical institutions in the U.S., Portugal, Spain, Germany, Poland, Finland, Norway, the Netherlands, and the UK as retaliation for sending Ukraine tanks. The group is using Telegram to offer access to its botnet service, which can be customized with 10 attack vectors and purchased for a subscription fee. Healthcare entities should review Radware's report and strengthen their security measures to mitigate the impact of these types of attacks.
READ THE STORY: SCMAG
Widely used stealthy malware packer uncovered
FROM THE MEDIA: The shellcode-based packer TrickGate has been operating unnoticed for over six years, allowing threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil. This packer is offered as a service to other malicious actors, which helps them hide their payloads behind wrapper code in an attempt to bypass security solutions installed on a host. Data shows that manufacturing is the sector most targeted by TrickGate, followed by education, healthcare, government, and finance sectors. Phishing emails with malicious attachments or links lead to the download of a shellcode loader responsible for decrypting and launching the payload into memory.
READ THE STORY: SCMAG
Lack of Emerging Tech Framework is 'Weakening' US Stance Against China, Lawmakers Warn
FROM THE MEDIA: In a House Energy and Commerce Subcommittee hearing on Wednesday, lawmakers and experts stressed the need for Congress to pass comprehensive federal privacy legislation and develop a national framework for autonomous vehicles in order to counter China's growing tech dominance. The subcommittee's chairman called for "foundational frameworks for developing emerging technologies," while ranking member Rep. Frank Pallone mentioned the American Data Privacy and Protection Act, which seeks to provide Americans with meaningful control over their personal information. Additionally, members of the committee have introduced the SELF DRIVE Act multiple times since 2017, which seeks to create a federal regulatory framework to speed up the production and development of driverless vehicles.
READ THE STORY: NextGov
North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign
FROM THE MEDIA: A new cyberattack linked to the North Korea-sponsored Lazarus Group has been uncovered, in which the threat actors exploited security flaws in unpatched Zimbra devices to gain access to sensitive information. The malicious campaign included the deployment of backdoors such as Dtrack and an updated version of GREASE, with data exfiltration taking place between November 5 and 11, 2022. This is the latest in a series of malicious activities attributed to North Korean hacking groups, who have stolen over $3.8 billion worth of cryptocurrency during the year.
READ THE STORY: THN
The Cybercrime Assembly Line
FROM THE MEDIA: Cybercrime is on the rise and its costs are estimated to be around $600 billion annually. This is largely due to the commodification of cybercrime through the use of “as a Service” (aaS) models which allow even novice threat actors to access sophisticated tools and services. Ransomware as a Service (RaaS) is one example, with ransomware group LockBit being the most active in the world. Other examples include Phishing as a Service, DDoS as a Service, Malware as a Service, and Cybercrime as a Service. Organizations must stay ahead of these threat actors by knowing how they operate and their tactics and techniques, and by using tools such as Flare to help accelerate threat identification speed by five times.
READ THE STORY: Security Boulevard
IoT Devices the Target of Realtek Jungle SDK Vulnerability
FROM THE MEDIA: Realtek is a global company that provides integrated circuit (IC) products for “connected media, communications network, computer peripheral, multimedia and smart interconnect applications.” Its Jungle SDK is affected by the critical remote code execution (RCE) vulnerability CVE-2021-35394. This vulnerability has been exploited in 134 million attempted attacks, 97% of which have occurred in the past four months. Organizations and individuals should take steps to secure their IoT devices by patching and changing default passwords, segmenting high-risk devices on their own networks, and subscribing to vendor security bulletins. Expect to see an increase in consumer-focused IoT attacks in 2023.
READ THE STORY: Security Boulevard
Cyberattack Sends Derivatives Trading Back to the 1980s
FROM THE MEDIA: Derivatives shops were thrown back to the 1980s and 1990s this week as they resorted to manual processing of trades after a cyberattack on ION Trading UK. Banks, brokers, and exchanges had to deal with transactions manually, and many lacked the staff or experience to meet the crisis. The attack has caused liquidity issues for some firms, delays in regulatory reporting, and investigations by the CFTC, FCA, and FBI. ION has warned that its systems won't be fully operational until Feb. 5.
READ THE STORY: Bloomberg
We can’t rely on goodwill to protect our critical infrastructure
FROM THE MEDIA: Hackers can present a serious risk to critical national infrastructure (CNI) like hospitals, power grids, and oil pipelines by using ransomware attacks. To protect CNI, organizations should use layered security measures, such as firewalls, ACLs, and zero-trust policies, in combination with an agentless approach that monitors and prevents cyber threats in real time without the need for downtime or software updates. This approach enables organizations to detect sophisticated APT attacks and maintain continuous operations while protecting against potential damage.
READ THE STORY: HelpNetSecurity
How RAT Mutants, in Python, Steal Data and Evade Detection
FROM THE MEDIA: Malicious actors are constantly evolving their RAT mutant malware in order to evade detection and steal crypto wallets, passwords, and other sensitive information. We recently uncovered a series of Python packages that were created by bad actor BillyTheGoat and copied by user zeeckt. These packages included malicious code designed to launch PowerShell scripts, exfiltrate data, and hijack clipboard data to replace cryptocurrency wallet addresses with the attacker's address. Developers should take steps to protect their software supply chains from these threats.
READ THE STORY: Hackernoon
Items of interest
What to make of the strikes in Iran? Watch these three indicators
FROM THE MEDIA: Iran's official version of Saturday's drone attack is that only minimal damage was done to a "workshop" in Isfahan. However, multiple media reports point to Israel as the responsible party and suggest that Iran's missile program may have been the target. To begin to determine how Iran views the incident and how it will respond, three indicators are worth watching: changes to its military plans, the physical destruction of its facilities, and steps taken to retaliate. Ultimately, it is too early to say exactly what was behind the attack, but looking for these indicators will help answer the questions.
READ THE STORY: Atlantic Council
What You Need to Know About OpenAI's New ChatGPT Bot - And How it Affects Cybersecurity? SANS Panel (Video)
FROM THE MEDIA: OpenAI's new chatbot, ChatGPT, has the potential to revolutionize cybersecurity by predicting the next word in a conversation based on previous words. However, there are still some risks associated with using it, as it is not perfect and could generate code that is not executable. Additionally, while it can be used to provide entertainment, caution must be taken when using it, as it could become racist or Nazi-like. Human operators will still be needed to curate the information provided by ChatGPT and more questions about its implications for cybersecurity remain.
Multifaceted Extortion: Analysis of Data Exfiltration TTPs Used by Ransomware Threat Actors (Video)
FROM THE MEDIA: This video discusses data exfiltration techniques used by ransomware threat actors, including data discovery, staging, and exfiltration, as seen through Windows forensic artifacts. It also covers methods for identifying relevant network drives and hosts, such as Windows user access logs and path analysis. Filezilla, SCP, and SAP are identified as popular exfiltration tools, and memory forensic techniques are used to identify the names of the files that were exfiltrated. This information can help incident responders identify the data that has been stolen.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.