Thursday, February 16, 2023 // (IG): BB // BSidesCharm// Coffee for Bob
State of emergency as City of Oakland grapples with ransomware attack
Analyst Comments: Key here is the growing use of cyberattacks as part of hybrid warfare tactics, which combine traditional military operations with digital weapons and online propaganda. The report provides insight into the extent of Russia's cyber activities in the ongoing conflict in Ukraine and the impact on the global cybercrime ecosystem.
FROM THE MEDIA: The City of Oakland in California has declared a local state of emergency over a ransomware attack that began on February 8 and has taken non-emergency systems, including phone lines, offline or degraded them. The declaration lets the city expedite the procurement of equipment and materials, activate emergency workers if needed, and issue orders on an expedited basis. The city is working with cybersecurity firms to remediate the incident, its IT department has put workarounds in place for affected business processes, and multiple state and federal agencies are now involved in the response. The city said 911 dispatch and emergency services continued to function. Oakland is at least the sixth local government to report a ransomware attack this year, and at least four of those incidents involved data theft.
READ THE STORY: The Record
The return of ICEFALL: Two critical bugs revealed in Schneider Electric tech
Analyst Comments: The criticality of programmable logic controllers (PLCs) to industrial sectors and critical infrastructure is well known, and Ukraine provides the clearest examples. The December 2015 attack on three Ukrainian distribution utilities left roughly 230,000 people without electricity for several hours, and the December 2016 attack on a Kyiv transmission substation used "Industroyer", purpose-built industrial control system (ICS) malware that spoke the grid protocols directly to open circuit breakers. Schneider Electric equipment has been in the crosshairs before as well: the 2017 Triton malware targeted its Triconex safety controllers at a petrochemical plant, going after the layer meant to prevent physical damage. Because Schneider Electric is one of the largest PLC vendors, flaws in its controllers carry correspondingly broad potential for physical consequences.
FROM THE MEDIA: Researchers have disclosed two critical vulnerabilities, CVE-2022-45788 and CVE-2022-45789, in Schneider Electric’s Unity line of Modicon programmable logic controllers (PLCs), which are widely used in systems such as water and wastewater processing, mining, manufacturing, and energy production. These PLCs can be found in everything from traffic lights to elevators and form part of critical infrastructure systems. The vulnerabilities allow attackers to bypass functional and safety constraints to control such systems and potentially cause physical harm. The researchers said the bugs highlight the need for critical infrastructure organizations to undertake consequence-driven risk assessments and take steps to improve system security. They also noted that such attacks could be carried out by nation-states or militaries seeking to cause physical impact. The vulnerabilities were disclosed to Schneider Electric in April and July 2022.
READ THE STORY: The Record
Ransomware gang uses new zero-day to steal data on 1 million patients
FROM THE MEDIA: Community Health Systems (CHS), one of the largest healthcare providers in the United States, has confirmed that criminal hackers accessed the personal and protected health information of up to 1 million patients. The breach is attributed to a vulnerability (CVE-2023-0669) in GoAnywhere MFT, the managed file-transfer product from Fortra (formerly HelpSystems) that large businesses use to exchange large data sets securely. Clop, a Russia-linked ransomware gang, has claimed responsibility for exploiting the bug as a zero-day in a new campaign and says it has already breached over a hundred organizations running Fortra's file-transfer software, CHS among them. The flaw sits in the product's administrative console, which Fortra said is normally reachable only from inside a private network, so an internet-exposed admin console is the first thing for GoAnywhere operators to check. Researchers rated the bug's exploitability as "very high", and the data companies move through GoAnywhere is by nature sensitive. Fortra released an emergency patch and urged all GoAnywhere customers to apply it as soon as possible.
READ THE STORY: TC
Data Breach on Instant Checkmate and Truthfinder Background Check Services Leaked 20 Million Records
FROM THE MEDIA: PeopleConnect, the operator of background check services such as TruthFinder and Instant Checkmate, confirmed a data breach that exposed over 20 million user records from accounts created between 2011 and 2019. The stolen data includes names, email addresses, phone numbers, hashed passwords, and expired password reset tokens, but not payment data or individual searches. The company described the incident as an "inadvertent leak or theft of a particular list" from its background check services rather than a network intrusion. Security experts caution that early assessments are often incomplete and urge affected users to change their passwords, enable two-factor authentication, use strong and unique passwords, and avoid password reuse. They also recommend monitoring financial statements and using credit monitoring services to guard against identity theft.
READ THE STORY: CPO
Emsisoft says hackers are spoofing its certs to breach networks
FROM THE MEDIA: Cybersecurity firm Emsisoft has warned that attackers are using fake code-signing certificates bearing the company's name to target organizations that run its security products. A code-signing certificate lets users, software and operating systems verify that an application came from the named publisher and has not been tampered with. The attackers' certificate only imitates that: its subject name suggests Emsisoft, but it was not issued by a trusted certificate authority, so the signature fails validation and the operating system reports it as invalid. In a recent security advisory, Emsisoft said one of its customers was targeted with an executable signed by such a certificate. The company's advice is to trust an executable only after confirming the file is not malicious, and to contact the security vendor before allowing any executable with an invalid signature to run.
READ THE STORY: BleepingComputer
Ukraine war shows urgency of military AI, Palantir CEO says
FROM THE MEDIA: The successful use of artificial intelligence (AI) by Ukraine to target Russian forces has put the technology on the agenda of military and political leaders worldwide, according to the CEO of US software company Palantir, Alex Karp. Speaking at the first international summit on responsible military use of AI, Karp said the technology had moved from a "highly erudite ethics discussion" to a top concern. Karp added that the need to understand the technology and implement it would determine what happened on the battlefield. Karp also called for mandated transparency in the use of AI by law and purchasing regulations.
READ THE STORY: Reuters
Spy balloons, sky clutter and UFOs: what flies in the ‘forgotten space’
FROM THE MEDIA: The layer of sky between the cruising height of commercial aircraft and satellite orbits, known as the “forgotten space,” has been in the news recently after a Chinese balloon drifted across North America. While spy balloons can be used for intelligence gathering, the majority of objects in the near space are weather balloons carrying radiosondes that provide meteorologists with important data on atmospheric conditions. Surveillance balloons can be equipped to image the ground below and pick up electronic intelligence. In addition, communications balloons can provide internet connectivity, while aerospace companies are developing stratospheric balloons for remote sensing and surveillance. There are also some experimental craft in the upper atmosphere, but discarded materials should not be a hazard to aircraft.
READ THE STORY: FT
China to employ BeiDou satellite-based augmentation system in railway survey
FROM THE MEDIA: China's railway survey and construction will use the BeiDou satellite-based augmentation system (BDSBAS) to provide high-precision positioning service, according to the China Railway Siyuan Survey and Design Group. Four satellite-based and 12 ground-based observation stations will be set up along the Wufeng-Enshi railway section in central China's Hubei Province. It will be the first time that the BDSBAS will be used in the field of intelligent railway surveys, said the company. The construction of BDSBAS and BeiDou ground-based augmentation system (BDGBAS) in the Wufeng-Enshi section will enhance the railway survey efficiency, and lay the foundation for high-precision geographic information services of intelligent survey and design.
READ THE STORY: ECNS
On National Security | A coming of age for commercial satellite imagery
FROM THE MEDIA: The ongoing conflict in Ukraine is the first war that can be tracked extensively through social media, including satellite imagery. Jeffrey Lewis, a professor of nonproliferation studies at the Middlebury Institute of International Studies, has used open-source intelligence and commercial satellite data to track Russian movements before and during the conflict. Lewis and other analysts have credited synthetic aperture radar (SAR) satellite data as the "breakout technological capability" of the Ukraine war. Radar imagery requires specific software tools and trained analysts to make sense of the data, but Lewis believes the geospatial intelligence community will view the conflict as a turning point in the use of satellite imagery to inform and shape world events.
READ THE STORY: SN
Hyundai, Kia to provide anti-theft software updates following viral TikTok challenge
FROM THE MEDIA: Hyundai and Kia are releasing software updates for their vehicles in response to a viral TikTok challenge that showed how to hotwire and steal several models. The "Kia challenge" began last July and has been linked to at least 14 reported crashes and eight fatalities, according to the US National Highway Traffic Safety Administration. Hyundai and Kia built some vehicles without an electronic immobilizer, the RFID transponder in the key that the vehicle must authenticate before the engine will start; without it, turning the ignition switch is enough to start the car. The update requires the key to be in the ignition for the vehicle to start. Immobilizers have been legally required in new cars in several jurisdictions for almost two decades, but they are not mandatory in the United States.
READ THE STORY: The Record
Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware
FROM THE MEDIA: A new ransomware campaign delivering a strain dubbed MortalKombat, alongside the Laplas clipper malware, has been observed targeting individuals, small businesses and large organizations, primarily in the US and also in the UK, Turkey and the Philippines. The campaign began in December 2022 and relies on a phishing email carrying a malicious ZIP attachment to deliver either the ransomware or the clipper. MortalKombat encrypts system, application, backup and virtual machine files, corrupts Windows Explorer, disables the Run command window, and removes applications and folders from Windows startup. Laplas clipper is a Golang variant that watches the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses, so that a victim who pastes an address into a transfer sends funds to the attacker. The threat actor scans the internet for machines with Remote Desktop Protocol (TCP port 3389) exposed and uses cryptocurrency-themed email lures impersonating CoinPayments.
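The clipper behaviour described above can be detected from the defender's side without knowing anything about the specific malware: a clipper produces a clipboard change the user did not make, in which one wallet address is replaced by another of the same family. The following is an added example, not code from the Talos report or from the campaign itself. Clipboard access is simulated with constructed inputs so it runs offline on any platform; the address patterns are deliberately loose, since a detector should prefer a false positive to a missed swap.

```python
"""Clipper (clipboard-hijack) detection heuristic. Added example, not from the
original report. Clipboard events are simulated: on a real host you would
wire on_user_copy() to a copy hotkey hook and check() to the OS
clipboard-change notification."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Address families a clipper typically targets (assumed set for the demo).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc":        re.compile(r"^(L|M|ltc1)[a-zA-Z0-9]{26,40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family for text, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardGuard:
    """Remembers what the user copied and compares it with what the clipboard holds."""
    last_user_copy: Optional[str] = None
    alerts: List[str] = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        """Called when the user performs a copy; this change is legitimate by definition."""
        self.last_user_copy = text.strip()

    def check(self, current_clipboard: str) -> Optional[str]:
        """Called on a clipboard change that did NOT come from a user copy.

        A swap of one wallet address for another address of any supported family
        is the clipper signature. Returns an alert string, or None if benign.
        """
        current = current_clipboard.strip()
        if self.last_user_copy is None or current == self.last_user_copy:
            return None
        before, after = classify(self.last_user_copy), classify(current)
        if before is not None and after is not None:
            alert = (f"clipper suspected: {before} address {self.last_user_copy[:8]}... "
                     f"silently replaced by {after} address {current[:8]}...")
            self.alerts.append(alert)
            return alert
        return None


if __name__ == "__main__":
    # Constructed scenario: the user copies a legitimate BTC address, then the
    # clipboard changes to a different BTC address without any user action.
    guard = ClipboardGuard()
    guard.on_user_copy("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")
    print(guard.check("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))   # None: unchanged
    print(guard.check("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"))   # alert: swapped
```

The heuristic only fires when both the copied value and the new value look like wallet addresses, so ordinary clipboard use by other applications does not trigger it; a stricter deployment could also block the paste until the user confirms the address.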
READ THE STORY: THN
How Ukraine war has shaped US planning for a China conflict
FROM THE MEDIA: The United States is drawing lessons from the ongoing conflict in Ukraine, as it prepares for a possible clash with China over Taiwan. Although the next major conflict involving the US is unclear, U.S. military officials warn that China wants to invade Taiwan by 2027, and the US is Taiwan's main ally and supplier of defense weapons. There are clear parallels between the Russian invasion of Ukraine and a possible Chinese attack on Taiwan, according to a report from the Center for Strategic and International Studies. One of the main lessons is that Taiwan must be fully armed in advance, as China could isolate the island for weeks or even months. The U.S. is facing stockpile pressures, as it sends Ukraine vast amounts of weapons, exposing that neither the U.S. nor European defense stockpiles were ready for a major conventional conflict. The supply chain has not reflected the need for the US to be able to conduct one war while deterring another. Furthermore, as the Ukraine conflict has shown, space technology has become increasingly important for intelligence, communications, and propaganda, while cyber warfare is also likely to be used in a future conflict.
READ THE STORY: AP
Following the Money: Killnet’s ‘Infinity Forum’ Wooing Likeminded Cybercriminals
FROM THE MEDIA: The pro-Kremlin hacktivist group Killnet has created a new forum called “Infinity” for hacktivists and cybercriminals to share ideas and ideology. Infinity is marketed as a platform for pro-Kremlin groups to exchange know-how and talk about politics, and is already an online market for cybercrime tools and stolen data, as well as a guarantor of deals. It has ambitions to become a conduit between hacktivists and cybercriminals and ill-gotten money. Infinity has a “marketplace” section where users can buy and sell stolen data, network accesses, exploits, or services of various sorts, ranging from odd jobs to tasks requiring experienced hackers. To ensure deals struck on the forum are transparent, Infinity maintains an escrow service. Infinity also partnered with a cryptocurrency mixing and laundering service, “Dark Swap”, which offers to exchange dirty cryptocurrency for tokens. Killnet and its partners aim to increase Infinity’s user engagement to realize any significant financial gains.
READ THE STORY: Security Boulevard
Build Cyber Resiliency With These Security Threat-Mitigation Considerations
FROM THE MEDIA: 2022 was supposed to be a break for CISOs, but new threats emerged and old ones evolved. Cyberattacks increased, and ransomware evolved to double and triple extortion with data theft and denial of service. Supply chain security risks will balloon as businesses outsource to multiple cloud and software-as-a-service vendors. Cybercriminals will target vulnerable ones to gain easy access. Cybercriminals will start targeting data wells to manipulate systems. Threats are evolving, and so is the regulatory landscape, compelling organizations to ensure ethical data collection, storage, and use. To create a security strategy that can steer them through a challenging year, organizations need to focus on aligning security with business strategy, building cyber resiliency, and determining cyber-risk tolerance. Cybersecurity must be treated as a business risk, not just an IT issue, with addressing cyber-risks frequently on the board's agenda. Organizations must also prioritize employees' education, satisfaction, and mental health, or they will see a surge in insider threats on top of everything else.
READ THE STORY: DARKReading
Scandinavian Airlines hit by cyberattack, ‘Anonymous Sudan’ claims responsibility
FROM THE MEDIA: Scandinavian Airlines (SAS) was hit by a cyberattack that took its website offline and exposed customer data, including contact information and itineraries. The airline said passport details were not part of the compromised information, and that there was "no risk that this information could be exploited". Swedish companies, universities and telecom operators were also hit by cyberattacks on the same day, with a group calling themselves "Anonymous Sudan" claiming responsibility. Airlines globally have increasingly become the target of cyberattacks and technical issues. Lufthansa had to cancel or divert flights to Germany's busiest airport due to an IT failure that left thousands of passengers stranded.
READ THE STORY: The Record
Security Pros Break Into Buildings to Help Beef Up Defenses
FROM THE MEDIA: Jenny Radcliffe heads the Liverpool-based consulting firm Human Factor Security. Her job is to find weaknesses in clients' physical and computer security using psychological and observational techniques alongside old-fashioned burglary tactics. Radcliffe and her team spend nights and weekends scouting office buildings for ways to slip past security guards, and sit in bars near target offices to eavesdrop on employees' conversations. The aim is to help companies close the gaps before hackers and scammers exploit them. According to Verizon's 2022 Data Breach Investigations Report, the human element was involved in 82% of breaches; Radcliffe's team is paid to use psychology and observation to help companies reduce that risk.
READ THE STORY: Bloomberg
How Cybercriminals are Using ChatGPT to Create Malware
FROM THE MEDIA: According to cybersecurity experts, cybercriminals are utilizing OpenAI's chatbot, ChatGPT, to quickly construct hacking tools and create chatbots impersonating young women to trick individuals. Check Point, an Israeli security company, discovered examples of hackers utilizing ChatGPT to create malware and other tools. Although the malware appeared "rudimentary," Check Point warns that more experienced hackers could eventually find ways to exploit the AI to produce more complex, equally dangerous malware. Furthermore, security experts are concerned that ChatGPT could be used to develop phishing attacks and other social engineering-based scams. To prevent this, experts suggest that regulation may eventually be necessary to restrict the use of AI by cybercriminals. At the time of publication, OpenAI had not issued a comment on the issue.
READ THE STORY: Analytics Insight
Israeli cyberespionage firm meddled in 33 elections worldwide
FROM THE MEDIA: A team of Israeli cyber-espionage contractors led by Tal Hanan, also known as "Jorge," has been exposed for running disinformation, hacking and blackmail campaigns worldwide. The team has targeted presidential-level elections, manipulated lawsuits, influenced nuclear energy deals, and meddled in cryptocurrency prices. It claims to have carried out disinformation and manipulation campaigns for over a decade, some of which were publicly attributed to China or Russia, and to have meddled in 33 presidential-level elections, 27 of them successfully. Its services, offered to intelligence agencies, political figures, campaigns, and private corporations, include hacking and disinformation, and it demonstrated access to targets' Gmail and Telegram accounts. The team's activities were exposed by a consortium of journalists who were able to verify its claims.
READ THE STORY: Almayadeen
Moldova isn’t on the front page, but it could be in Putin’s crosshairs
FROM THE MEDIA: Moldova, a small country bordering Ukraine and Romania, is facing multiple challenges, including energy shortages, missile attacks, and a potential Russian invasion. The country is also hosting more than 108,000 refugees who have fled the war in Ukraine. Moldova's strategic location makes it a buffer zone between NATO and Russia, and any invasion of the country could bring Putin into direct conflict with NATO. Moldova needs outside help and military support to keep it from being perceived as an easy target by Russia. The country's pro-EU government is fighting extreme poverty and corruption, and the world needs to pay more attention to the situation to prevent all-out war.
READ THE STORY: CNN
Lufthansa IT meltdown strands thousands of passengers
FROM THE MEDIA: An IT failure at Lufthansa due to damaged broadband cables stranded thousands of passengers and forced more than 200 flights to be canceled at Frankfurt airport, one of Europe's busiest airports. Lufthansa and Germany's national train operator blamed third-party engineering works on a railway line extension for the incident. The check-in and boarding systems at Lufthansa seized up, and German air traffic control had to suspend incoming flights, though they have resumed since then. Scores of flights were also delayed, and several German airports reported cancellations as a knock-on effect.
READ THE STORY: Reuters
Give Me Libre or Give Me Dread: The Fleeting Promise of Centralized Illicit Communities
FROM THE MEDIA: The article examines the emergence of Libre Forum, a centralized illicit community that some see as a replacement for Dread, which is currently offline. It explains the difference between centralized and decentralized platforms and how centralized forums have long served as communication channels between dark web vendors and their customers. It also reviews the challenges earlier communities faced, such as AlphaBay's forum and the darknet-market discussion boards once hosted on Reddit, and notes that Libre's association with Incognito Market could limit its ability to present itself as an impartial party. Although each of these communities filled much the same role, each ran into problems specific to its operating environment. The persistent demand for reliable, centralized communities suggests that even if Dread returns, threat actors will keep seeking such venues to navigate the dark web, avoid scammers and exit scams, evade law enforcement, and continue their dealings.
READ THE STORY: Security Boulevard
North Korean hackers target phones, Windows devices with new malware
FROM THE MEDIA: A group of North Korean hackers known as APT37 has been seen distributing malware called M2RAT to spy on and extract sensitive data from targeted endpoints. The malware can log key entries, steal files, run various commands, and take screenshots automatically. One unique feature is its ability to scan for portable devices connected to the compromised Windows endpoint and exfiltrate their files and voice recordings to the attacker. APT37 was last seen in December last year when it used a flaw in Internet Explorer to target individuals in South Korea.
READ THE STORY: Gamachar Central
UK Police Crack Down on Crypto ATMs, Regulators Deny Granting Approvals
FROM THE MEDIA: UK police are conducting raids on crypto ATMs after the Financial Conduct Authority (FCA) directed law enforcement agencies to disable them, citing lack of registration and non-compliance with money laundering laws. The FCA claims that no crypto ATM installer has sought permission to operate in the UK, rendering their operations illegal. Crypto-related firms in the UK must register with the FCA and pledge to comply with the country's money laundering laws. The UK has maintained a strict approach to crypto promotional activities, including the ban on advertisers working with crypto brands. In contrast, nations such as the US, Australia, Canada, and Spain have welcomed crypto ATMs.
READ THE STORY: Gamachar Central
Why does China need its own version of ChatGPT
FROM THE MEDIA: Chinese tech companies are developing their own AI chatbots like ChatGPT for three reasons: ChatGPT is not currently available to Chinese users, most large language models are trained on English and are inferior in Chinese, and there are concerns about data security. In the short term, it is difficult for Chinese AI chatbots to compete with ChatGPT due to large investments required, but in the long term, Chinese AI chatbots will become more powerful. Chinese-developed chatbots need to comply with Chinese laws and regulations, and must communicate in a way that fits Chinese culture and expression. While AI-powered chatbots have achieved impressive results, there is still room for improvement, especially in context and emotion understanding, coherence, and creativity. StarBitech is a digital asset startup in Shanghai that provides algorithm-driven digital asset creation and publishing services, and is developing AI-generated content services using GPT, DALL-E, and reinforcement learning.
READ THE STORY: Technode
The Quad May Be Just the Thing to Apply to China’s Cyber Activities
FROM THE MEDIA: The Quadrilateral Security Dialogue (Quad) of the United States, Australia, India, and Japan has launched a joint cybersecurity initiative called "the Challenge," which aims to enhance the security of the cyberspace and foster a global digital economy while countering Chinese cyber activities in the Indo-Pacific region. The collaboration seeks to establish common cybersecurity requirements for critical infrastructures, promote threat information sharing, and deliver political and economic sanctions against transgressors. Other countries such as New Zealand, South Korea, and Vietnam have expressed interest in joining the Quad. The initiative could undermine China's global aspirations by disrupting its cyber networks, and rallying other regional victims to push back against its brazen activity.
READ THE STORY: OODALOOP
Russian Hackers Almost Took The US Electrical Grid Down
FROM THE MEDIA: According to Robert M. Lee, founder and CEO of the cybersecurity firm Dragos, hackers linked to Russia came close to shutting down a dozen US electric and gas facilities during the early weeks of the Ukraine conflict using malware called "PIPEDREAM." Lee says the threat was more severe than US officials had disclosed, underscoring the vulnerability of the US energy system to a crippling cyberattack. PIPEDREAM is dangerous because it is a modular toolkit built to manipulate industrial control systems across sectors rather than a single vendor's equipment, and it was designed to disrupt a range of systems. Separately, cyberattacks attributed to Russian actors have hit German government offices and airports, NATO, and US nuclear research laboratories.
READ THE STORY: The Deep Dive
Experts Warn of 'Beep' - A New Evasive Malware That Can Fly Under the Radar
FROM THE MEDIA: Cybersecurity researchers have discovered a new evasive malware called Beep that is designed to resist analysis and drop additional payloads on compromised systems. The malware uses anti-debugging and anti-VM techniques, including deliberate execution delays, to evade sandboxes and detection. Beep comprises three components: a dropper, a PowerShell script, and an injector. Once on a system it can download and run further malicious tools, including ransomware; its own functions are limited to collecting and exfiltrating system information and enumerating running processes. In related news, antivirus vendor Avast has identified a new dropper strain named NeedleDropper, which has been used to distribute various malware families since October 2022.
READ THE STORY: THN
ALPHV (BlackCat) ransomware gang claims attack on Irish university
FROM THE MEDIA: The ALPHV ransomware group, also known as BlackCat, has allegedly stolen just over 6GB of data from the Munster Technological University (MTU) in Ireland. The stolen data listed on ALPHV's .onion site includes sensitive information such as employee records and payroll details. Last week, MTU closed its campuses following a "significant IT breach and telephone outage," and it warned that classes would be canceled. The university's investigation of the incident is ongoing, particularly regarding the release of data on the "dark web." This attack is not the first time that higher education establishments in Ireland have been impacted by a cyberattack.
READ THE STORY: The Record
Items of interest
Ukraine-Russia war: Wagner is losing the cloak of deniability
Analyst Comments: The increasing visibility of the Wagner mercenary group on the frontlines of Russia's war in Ukraine may have implications for its future operations due to its now more apparent links with the Putin regime. Furthermore, the article addresses the varying degrees of effectiveness of Russian disinformation campaigns in shaping Western and NATO countries' perspectives.
FROM THE MEDIA: The emergence of Russia's Wagner mercenary group in Ukraine's frontlines could hinder the group's growth prospects as its ties with the Putin regime are exposed, making it less able to deny its status as an asset of the Russian state. This change could impact how the group is perceived globally and make it more difficult to operate as a proxy force. The UK has recently announced new sanctions targeting Russian defense industrial capability and financial networks, including individuals and entities that help maintain wealth and power among Kremlin elites. Russia has also used information operations to shape the narrative around the war in Ukraine, with mixed success in Western and NATO countries.
READ THE STORY: Army - Technology
Honeypots Hacking Though Evading IDS,IPS and Firewalls (Video)
FROM THE MEDIA: A honeypot is a cybersecurity tool that simulates a target to attract and track cyber attackers. It works by luring hackers into a trap, a decoy computer system, to gain information on their behavior and methods. Honeypots can be beneficial in exposing vulnerabilities, providing training opportunities for security staff, and refining other cybersecurity systems. However, high-interaction honeypots are resource-intensive and can pose risks if not properly secured. Honeypots have a low false positive rate compared to traditional intrusion detection systems and can also catch internal threats.
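A low-interaction honeypot of the kind described above is small enough to show in full. The following is an added example, not code from the video: it listens on a port that no real service uses, answers with a plausible banner so automated scanners keep talking, and records each connection together with the first bytes the client sends. Because a honeypot has no legitimate users, every connection is a high-fidelity alert, which is where the low false-positive rate comes from. The banner and the loopback binding are assumed values for the demo; deploying it on a real interface, unprivileged and isolated from production, is the operator's responsibility.

```python
"""Low-interaction TCP honeypot. Added example, not code from the video."""
import json
import socket
import threading
import time
from dataclasses import asdict, dataclass, field
from typing import List, Optional

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed: any service banner works
MAX_CAPTURE = 512                          # bytes of client input kept per hit
READ_TIMEOUT_S = 2.0                       # silent scanners are dropped quickly


@dataclass
class Hit:
    ts: float
    src_ip: str
    src_port: int
    first_bytes: str    # hex-encoded so binary probes are safe to log


@dataclass
class Honeypot:
    host: str = "127.0.0.1"
    port: int = 0                     # 0 lets the OS pick a free port
    hits: List[Hit] = field(default_factory=list)
    _sock: Optional[socket.socket] = None
    _thread: Optional[threading.Thread] = None
    _stop: threading.Event = field(default_factory=threading.Event)

    def start(self) -> int:
        """Bind, listen and serve in a background thread; returns the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)    # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:           # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, ip, port), daemon=True).start()

    def _handle(self, conn: socket.socket, ip: str, port: int) -> None:
        hit = Hit(ts=time.time(), src_ip=ip, src_port=port, first_bytes="")
        try:
            conn.sendall(FAKE_BANNER)             # bait: look like a real service
            conn.settimeout(READ_TIMEOUT_S)
            hit.first_bytes = conn.recv(MAX_CAPTURE).hex()
        except (socket.timeout, OSError):
            pass                                  # a bare connect-and-close is still a hit
        finally:
            conn.close()
        self.hits.append(hit)                     # list.append is atomic under the GIL

    def wait_for_hits(self, n: int, timeout_s: float) -> bool:
        """Block until at least n connections are recorded or the timeout passes."""
        deadline = time.time() + timeout_s
        while len(self.hits) < n and time.time() < deadline:
            time.sleep(0.02)
        return len(self.hits) >= n

    def stop(self) -> None:
        self._stop.set()
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(timeout=2)

    def export_json(self) -> str:
        """One JSON object per connection, ready to ship to a SIEM."""
        return "\n".join(json.dumps(asdict(h)) for h in self.hits)


def probe(port: int, payload: bytes = b"") -> bytes:
    """Plays the scanner: connect, read the banner, send a probe. Returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(128)
        if payload:
            s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    p = hp.start()
    print("banner:", probe(p, b"SSH-2.0-paramiko_3.0\r\n").decode().strip())
    hp.wait_for_hits(1, 3.0)
    hp.stop()
    print(hp.export_json())
```

The recorded source address, timestamp and first bytes are enough to feed an alert pipeline; what the client sent after the banner often identifies the scanner or exploit kit. Keeping interaction this shallow is also what keeps the risk down: the trap never executes anything the attacker sends.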
The Unified Kill Chain Explained | Cyber Threat Intelligence | TryHackMe (Video)
FROM THE MEDIA: The Unified Kill Chain combines the Lockheed Martin Cyber Kill Chain with MITRE ATT&CK tactics into 18 phases grouped into three stages: gaining an initial foothold (reconnaissance, weaponization, delivery, social engineering, exploitation, persistence, defense evasion, command and control), propagating through the network (pivoting, discovery, privilege escalation, execution, credential access, lateral movement), and acting on objectives (collection, exfiltration, impact, objectives). Because the phases are ordered, analysts can place an observed technique in the sequence, infer what the attacker must already have done and is likely to do next, and choose where a control would break the chain. The video works through a practical example of using the model to identify the objectives of an attack.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.