Friday, February 17, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
The Nation's Critical Infrastructure: Security vulnerabilities in Schneider Electric Modicon PLCs, is the US rail system under attack?
Analyst Comments: While Schneider Electric Modicon PLCs are commonly used in transportation systems like railways to ensure safe and efficient operation of trains, there is currently no evidence to suggest that the recent train derailments in East Palestine, Ohio, and Van Buren Township near Detroit were due to cyber attacks. Instead, the Ohio derailment was caused by a track issue, and the Michigan regulators have reported no environmental concerns from the Van Buren Township derailment, which involved a tanker carrying ferric chloride solution. Nonetheless, the use of known OT PLCs in the transportation industry and the possibility of attacks on the same network have raised concerns about the vulnerability of critical infrastructure systems.
FROM THE MEDIA: The vulnerabilities are tracked as CVE-2022-45788 (CVSS score: 7.5) and CVE-2022-45789 (CVSS score: 8.1), and are part of a larger collection of security defects tracked by Forescout as OT:ICEFALL. Successful exploitation of the vulnerabilities could enable an attacker to execute unauthorized code, trigger denial-of-service, or obtain sensitive information. Schneider Electric Modicon PLCs are used in various industries, including transportation systems such as railways to control various functions like speed, braking, and signaling. However, these PLCs are also used in a range of other industries, including airports, mining, solar and hydro power generation, and chemical manufacturing, among others. Unfortunately, more than 1,000 Modicon Unity PLCs are vulnerable to exploitation of the two recently discovered vulnerabilities (CVE-2022-45788 and CVE-2022-45789). France has the highest number of exposed devices, followed by Spain, Italy, and the United States.
READ THE STORY: THN // Mlive // BBC // SCMAG
US launches ‘disruptive technology’ strike force
Analyst Comments: There have been numerous instances of American tech IP being stolen, with China being one of the primary countries accused of carrying out such thefts. The U.S. has accused China of using a range of tactics, including cyber-attacks and espionage, to steal American intellectual property, trade secrets, and other sensitive data. These thefts are seen as a major threat to U.S. national security and economic interests, and the U.S. government has been taking steps to combat these threats and safeguard American technology from foreign adversaries.
FROM THE MEDIA: The US government is launching a "Disruptive Technology Strike Force" to protect American technology from theft and block threats to critical assets like semiconductors. The initiative will be led by the Departments of Justice and Commerce and will use intelligence and data analytics to target illicit actors, enhance public-private partnerships to harden supply chains, and identify early warning of threats to critical assets. The strike force will focus on protecting corporate intellectual property, US supply chains, and private data about Americans from foreign adversaries, particularly China. The move comes amid heightened scrutiny over who should have access to technology, with Dutch chip equipment maker ASML accusing a former employee in China of stealing data related to its proprietary technology. The company is known for its prowess in making lithography machines, which are crucial to the mass production of microchips. Because of its dominance in the market, ASML has been cited as a bellwether of the growing rift between China and the West over the control of advanced technology, including semiconductors.
READ THE STORY: Dawn // The Record
In wake of Ukraine war, U.S. and allies are hunting down Russian spies
Analyst Comments: The fact that this campaign has resulted in the arrests of suspected Russian operatives in several European countries and has apparently blunted Russia's ability to carry out influence operations in Europe is significant. It suggests that Western governments are taking a more aggressive approach to countering Russian intelligence activities, which could have broader implications for international relations, including the potential for escalating tensions between the West and Russia.
FROM THE MEDIA: There is a shadow war that U.S. and European security services are waging against Russian spy networks in Europe. The campaign has resulted in arrests of suspected Russian operatives in various European countries, including Germany, the Netherlands, Norway, Sweden, Austria, Poland, and Slovenia. The moves amount to precision strikes against Russian agents still in Europe after the mass expulsion of more than 400 suspected Russian intelligence officers from Moscow’s embassies across the continent last year. U.S. and European security officials caution that Russia retains significant capabilities but said that its spy agencies have sustained greater damage over the past year than at any time since the end of the Cold War. Russia has sought to compensate for its losses by relying more heavily on cyberespionage and by trying to take advantage of border crossings and refugee flows to deploy new spies and replenish its depleted ranks.
READ THE STORY: The Washington Post
A Secretive Israeli Company Says It Manipulated More Than 30 Elections Worldwide
Analyst Comments: The revelations about Team Jorge's activities highlight the potential harm of technology on individuals and democratic processes. It calls for increased regulation, oversight, and collaboration among governments, civil society organizations, and the private sector to ensure technology is used in a way that promotes the public interest and protects the democratic process.
FROM THE MEDIA: The reported activities of the Israeli cyber company, Team Jorge, are important because they raise serious concerns about the manipulation of democratic processes and the use of disinformation and hacking tools to sway elections and discredit public figures. The fact that the company claims to have been involved in 33 presidential-level campaigns, 27 of which were successful, suggests that their methods have been effective in achieving their goals. The use of disinformation tactics, such as the creation of fake social media accounts and the spread of false information, can have a significant impact on public opinion and electoral outcomes. The potential for such tactics to be used in a clandestine manner by foreign actors, such as intelligence agencies or political parties, represents a threat to the integrity of democratic systems around the world. Furthermore, the fact that Team Jorge claims to have worked alongside Cambridge Analytica during a 2015 operation to influence the presidential race in Nigeria highlights the potentially global reach and influence of such operations.
READ THE STORY: Gizmodo
New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East
FROM THE MEDIA: Telecommunication service providers in the Middle East are reportedly being targeted by an unknown threat actor suspected to be engaged in intelligence gathering. Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster, referred to as WIP26, which uses public cloud infrastructure to evade detection by making malicious traffic look legitimate. This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control purposes. The threat actor's initial intrusion vector relies on "precision targeting" of employees via WhatsApp messages containing Dropbox links to supposedly benign archive files, which actually contain malware loaders. The malware loaders then deploy custom .NET-based backdoors that leverage cloud services for C2. This campaign by WIP26 highlights the continued attempts by threat actors to evade detection and also the susceptibility of telecom providers in the Middle East to espionage groups.
READ THE STORY: THN // The Record
Cyber companies’ aid to Ukraine is vital, report says, but the efforts also have limitations
FROM THE MEDIA: Ukraine's response to Russian aggression in cyberspace largely depends on international assistance, according to a report released by the Aspen Institute. The Cyber Defense Assistance Collaborative (CDAC), a volunteer group drawn from Western cybersecurity companies and organizations, aims to provide intelligence, technology, training, advisory, and other services to Ukrainian institutions. CDAC's involvement has helped many Ukrainian organizations mitigate the effects of cyberattacks, but the Aspen report notes that most of CDAC’s efforts lacked long-term vision and coordination, and were mostly organized on the fly. The report recommends institutionalizing the lessons learned from the ad hoc conduct of cyber defense assistance in Ukraine to provide new approaches and tools for preventing and managing cyber conflicts going forward. The report suggests initiating joint cyber projects between assistance providers and recipients and setting clear expectations at the beginning of the cooperation.
READ THE STORY: The Record
Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps
FROM THE MEDIA: Chinese-speaking individuals in Southeast and East Asia are being targeted by a new rogue Google Ads campaign that delivers remote access trojans to compromised machines. The ads involve purchasing ad slots to appear in Google search results and direct users looking for popular applications to rogue websites hosting trojanized installers. Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office. The attackers’ end goals are unclear. The findings arrive less than a year after Trend Micro disclosed a Purple Fox campaign that leveraged tainted software packages to propagate FatalRAT. The attacks also come amid a broader abuse of Google Ads to serve malware.
READ THE STORY: THN
Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software
FROM THE MEDIA: Cisco has issued a security update to patch a critical flaw in the open-source antivirus engine ClamAV that could allow remote code execution on vulnerable devices. Tracked as CVE-2023-20032, the flaw resides in the HFS+ file parser component. It affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Successful exploitation of the flaw could allow threat actors to execute arbitrary code or crash the process, leading to a denial-of-service (DoS) situation. Cisco has also fixed a remote information leak vulnerability in ClamAV's DMG file parser (CVE-2023-20052).
READ THE STORY: THN
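Because the affected ranges above are stated per release branch, a string comparison of version numbers gets them wrong (for example "0.105.10" sorts before "0.105.2" as text). The check below, added here as an example and not Cisco's or ClamAV's own tooling, parses the banner printed by `clamscan --version` and compares numerically against the ranges the summary gives; branches the summary does not list separately (such as 0.104.x) are treated as falling under "1.0.0 and earlier". The banner strings used in the comments and test are constructed.

```python
"""Check an installed ClamAV version against the affected ranges given
in the advisory summary: 1.0.0 and earlier, 0.105.1 and earlier,
0.103.7 and earlier. Added example; not Cisco's or ClamAV's tooling."""
from __future__ import annotations

import re
import subprocess

# Highest affected release on each maintained branch, per the summary.
# A later patch release on the same branch (e.g. 0.105.2) lies outside
# the stated range and is treated as fixed.
AFFECTED_BRANCHES: dict[tuple[int, int], tuple[int, int, int]] = {
    (1, 0): (1, 0, 0),
    (0, 105): (0, 105, 1),
    (0, 103): (0, 103, 7),
}

_VERSION_RE = re.compile(r"ClamAV\s+(\d+)\.(\d+)\.(\d+)")


def parse_clamav_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from `clamscan --version` output,
    which looks like 'ClamAV 0.103.7/26820/<db date>' (constructed
    sample). Raises ValueError if no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no ClamAV version found in: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: tuple[int, int, int]) -> bool:
    """True if the version lies inside an affected range.
    Tuples compare element-wise, so this is a numeric comparison."""
    branch = version[:2]
    if branch in AFFECTED_BRANCHES:
        return version <= AFFECTED_BRANCHES[branch]
    # Branches not listed separately fall under "1.0.0 and earlier".
    return version <= (1, 0, 0)


def installed_clamav_affected(
    command: tuple[str, ...] = ("clamscan", "--version"),
) -> bool | None:
    """Run the local clamscan and report whether it is affected.
    Returns None when clamscan is not installed or prints no version."""
    try:
        out = subprocess.run(command, capture_output=True, text=True,
                             check=False, timeout=10).stdout
        return is_affected(parse_clamav_version(out))
    except (FileNotFoundError, ValueError, subprocess.TimeoutExpired):
        return None


if __name__ == "__main__":
    state = installed_clamav_affected()
    print("clamscan not found or unparseable" if state is None
          else ("AFFECTED: update ClamAV" if state else "not in affected ranges"))
```

`installed_clamav_affected()` is the only part that touches the system; the parsing and range logic can be reused against version strings collected from a fleet inventory.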
Three Cases of Cyber Attacks on the Security Service of Ukraine and NATO Allies, Likely by Russian State-Sponsored Gamaredon
FROM THE MEDIA: The Gamaredon APT group is a Russian state-sponsored threat actor that has been conducting cyberattacks against Ukraine and NATO allies since 2014, specifically to collect intelligence likely to benefit Russian troops in Ukraine. EclecticIQ researchers have identified three different phishing lures that analysts assess are probably attributable to the Gamaredon group. These attacks target the Security Service of Ukraine, NATO allies such as Latvia, and private companies like Culver Aviation. The attacks use various malware delivery techniques, including spear-phishing with a TAR attachment, a specially crafted Word document that exploits CVE-2017-0199 to gain code execution without macros, and HTML smuggling. The group has relied on living-off-the-land binaries and scripts (LOLBAS), and the infrastructure and adversary techniques seen in these attacks, such as the command-and-control infrastructure, user execution of malicious files, exploitation for client execution, and HTML smuggling, match those observed in previous Gamaredon attacks.
READ THE STORY: Security Boulevard
New Mirai Malware Variant Targets IoT Devices and Linux Servers
FROM THE MEDIA: Recently, Unit42 security researchers from Palo Alto Networks have identified a new Mirai botnet variant, known as "V3G4," that has been used to exploit 13 security vulnerabilities for remote code execution to create a botnet. The botnet malware targets IoT devices and Linux-based servers, and once a connection is established with the command-and-control (C2) server, the threat actor can issue commands to launch distributed denial-of-service (DDoS) attacks. The same threat actor is believed to be behind each attack, which included the use of a racial slur. The Mirai botnet variants have been a popular choice for launching attacks since 2016, targeting various platforms, such as Minecraft, Amazon, Netflix, and PayPal. Botnets remain a dangerous and effective attack vector for cybercriminals, and more kinds of botnet malware may emerge in the future, possibly from Mirai's creators.
READ THE STORY: MUO
ESXi Ransomware Update Outfoxes CISA Recovery Script
FROM THE MEDIA: Recently, a modified version of the ESXiArgs ransomware has been discovered, rendering useless the decryptor script issued by the Cybersecurity and Infrastructure Security Agency (CISA) to recover virtual machines targeted by the ransomware. Around 3,800 servers worldwide have already been affected by the ransomware, according to CISA and the FBI. The new variant of the malware features an updated encryption routine that encrypts small 1MB pieces of data, making it harder to recover files. Targets can recognize that they have been infected with the new variant if the ransom note instructs them to contact the threat actor via the TOX encrypted messenger. The previous version of the ransom note directed victims to pay using Bitcoin.
READ THE STORY: DARKReading
Atlassian: Leaked Data Stolen via Third-Party App
FROM THE MEDIA: A hacker group named SiegedSec recently published a cache of employee and operations information reportedly stolen from Atlassian, the workforce collaboration tool provider. The Australian company has stated that its third-party app, Envoy, was breached, resulting in the exposure of employee data such as names, emails, departments, and floor plans of certain office locations in San Francisco and Sydney. However, Atlassian also affirmed that no Atlassian product or customer data is accessible through the Envoy app and, therefore, not at risk. Envoy reported that the breach likely occurred due to the threat actor obtaining an Atlassian employee's valid credentials to gain access to the Atlassian employee directory and office floor plans held within Envoy's app. An ongoing investigation is underway.
READ THE STORY: DARKReading
SideWinder APT Spotted Stealing Crypto
FROM THE MEDIA: The Sidewinder advanced persistent threat (APT) group, also known as Rattlesnake or T-APT4, has been linked to two malicious campaigns by Group-IB, one in 2020 and one in 2021, which further showcase the breadth of the group's tactics and tools. The researchers also revealed more about the geographical locations of Sidewinder's operations, with IP addresses controlled by the group located in the Netherlands, Germany, France, Moldova, and Russia. Additionally, the group's phishing infrastructure was shown to be vast, as spear-phishing is the group's primary initial-access method. Sidewinder's phishing campaign also showed an interest in cryptocurrency, with attempts to steal it by imitating an airdrop of NCASH crypto.
READ THE STORY: DARKReading
Researchers Hijack Popular NPM Package with Millions of Downloads
FROM THE MEDIA: A popular npm package with over 3.5 million weekly downloads has been found vulnerable to an account takeover attack that can enable threat actors to publish trojanized versions of the package to conduct supply chain attacks. Software supply chain security firm Illustria said the package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password. The GitHub password was reset using the recovered domain, bypassing the npm user account that was properly configured with two-factor authentication. While Illustria did not disclose the name of the module, it informed the maintainer who has since taken steps to secure the account. This incident is similar to the May 2022 takeover of a Python package's maintainer account via an expired domain name.
READ THE STORY: THN
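The weak link in the takeover above is not the npm account (which had two-factor authentication) but a maintainer e-mail address whose domain had lapsed: whoever registers the domain receives that address's password-reset mail. A defender who depends on a package can audit this directly from the registry metadata. The script below is an added example, not code from Illustria or npm; the registry document and the domain-registration lookup are constructed stand-ins, and the package name is a placeholder rather than the undisclosed module.

```python
"""Audit the maintainer e-mail domains in an npm package's registry
metadata and flag any domain that is no longer registered, since a
lapsed domain lets a third party receive password-reset mail for that
maintainer. Added example; the data and the lookup are constructed."""
from __future__ import annotations

import json
from collections import defaultdict
from typing import Callable

# Constructed document in the shape returned by the npm registry for a
# package (the "maintainers" array with name/email is a real field).
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "example-package",  # placeholder, not the undisclosed package
    "dist-tags": {"latest": "4.2.0"},
    "maintainers": [
        {"name": "alice", "email": "alice@maintainer-one.example"},
        {"name": "bob", "email": "Bob@Lapsed-Domain.example"},
        {"name": "carol", "email": "carol@maintainer-one.example"},
    ],
})


def maintainer_domains(registry_doc: str) -> dict[str, list[str]]:
    """Map each e-mail domain (lower-cased) to the maintainers using it."""
    doc = json.loads(registry_doc)
    by_domain: dict[str, list[str]] = defaultdict(list)
    for maintainer in doc.get("maintainers", []):
        email = maintainer.get("email", "")
        if "@" not in email:
            continue  # entries without a usable address cannot be checked
        domain = email.rsplit("@", 1)[1].strip().lower()
        by_domain[domain].append(maintainer.get("name", "?"))
    return dict(by_domain)


def constructed_is_registered(domain: str) -> bool:
    """Stand-in for a real registration check (an RDAP/WHOIS query or a
    DNS SOA lookup in practice); one domain is declared lapsed here so
    the demonstration has something to find."""
    return domain != "lapsed-domain.example"


def flag_unregistered(registry_doc: str,
                      is_registered: Callable[[str], bool]) -> list[dict]:
    """Return one finding per maintainer domain that is not registered,
    ordered by domain name so output is stable across runs."""
    findings: list[dict] = []
    for domain, names in sorted(maintainer_domains(registry_doc).items()):
        if not is_registered(domain):
            findings.append({"domain": domain, "maintainers": names})
    return findings


if __name__ == "__main__":
    for f in flag_unregistered(SAMPLE_REGISTRY_DOC, constructed_is_registered):
        print(f"takeover risk: {f['domain']} is unregistered; used by "
              f"{', '.join(f['maintainers'])}")
```

To run this against a real dependency, fetch `https://registry.npmjs.org/<package>` and pass the body as `registry_doc`, replacing `constructed_is_registered` with a lookup that returns False when the registry of record has no entry for the domain; the review of the result is the same either way.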
Scandinavian Airlines hit by cyberattack, ‘Anonymous Sudan’ claims responsibility
FROM THE MEDIA: Scandinavian Airlines (SAS) was hit by a cyberattack that took its website offline and exposed customer data, including contact information and itineraries. The airline said passport details were not part of the compromised information, and that there was "no risk that this information could be exploited". Swedish companies, universities and telecom operators were also hit by cyberattacks on the same day, with a group calling themselves "Anonymous Sudan" claiming responsibility. Airlines globally have increasingly become the target of cyberattacks and technical issues. Lufthansa had to cancel or divert flights to Germany's busiest airport due to an IT failure that left thousands of passengers stranded.
READ THE STORY: The Record
Senior FBI official warns US states about threat posed by Chinese hackers
FROM THE MEDIA: A senior FBI official has warned secretaries of state across the US that Chinese state-backed hackers pose a "growing threat" and that their willingness to target political parties' infrastructure ahead of the 2022 election means we "could see more significant Chinese cyber activity against your states in the coming year." The official made the statement at a conference in Washington, DC, held by the National Association of Secretaries of State. The FBI's concerns about Chinese cyber-espionage come as the US accuses Beijing of having a bigger hacking program than all other countries combined. China routinely denies such allegations.
READ THE STORY: CNN
Why does China need its own version of ChatGPT?
FROM THE MEDIA: Chinese tech companies are developing their own AI chatbots like ChatGPT for three reasons: ChatGPT is not currently available to Chinese users, most large language models are trained on English and are inferior in Chinese, and there are concerns about data security. In the short term, it is difficult for Chinese AI chatbots to compete with ChatGPT due to large investments required, but in the long term, Chinese AI chatbots will become more powerful. Chinese-developed chatbots need to comply with Chinese laws and regulations, and must communicate in a way that fits Chinese culture and expression. While AI-powered chatbots have achieved impressive results, there is still room for improvement, especially in context and emotion understanding, coherence, and creativity. StarBitech is a digital asset startup in Shanghai that provides algorithm-driven digital asset creation and publishing services, and is developing AI-generated content services using GPT, DALL-E, and reinforcement learning.
READ THE STORY: Technode
Nvidia users targeted by malware hidden in fake adverts for drivers
FROM THE MEDIA: A new malvertising campaign is using fake Nvidia ads on Google search to deploy the information-stealing malware AuroraStealer, which targets cryptocurrency wallets. The payload domains appear in links like nvidia.services and nvidia1.top, and are directing victims to nefarious websites via Google search ads. AuroraStealer has been sold as a botnet since September 2022 but now appears in infostealer form, allowing cybercriminals to carry out lucrative campaigns by collecting valuable data. The fact that criminals are targeting Nvidia shows they are changing their approach to specific targets. Malvertising is becoming increasingly sophisticated, posing a greater threat to enterprise networks. To mitigate this threat, companies need to verify the identities of people claiming to represent companies, while Google needs to continue to ramp up its advertiser verification process to detect and prevent scams.
READ THE STORY: Techmonitor
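The two payload domains named above (nvidia.services, nvidia1.top) share a pattern that is easy to hunt for in DNS or web-proxy logs: a host name that carries the brand string but whose registrable domain is not one the brand actually owns. The detector below is an added example, not code from the article or from Nvidia; the log lines are constructed, and the registrable-domain heuristic (last two labels) is a simplification that a real deployment would replace with a public-suffix-list library so that multi-label suffixes such as co.uk are handled.

```python
"""Flag log entries for host names that contain a brand string but sit
outside the brand's own zones. Added example; log lines are constructed
and the registrable-domain heuristic is a stated simplification."""
from __future__ import annotations

from collections import Counter

# Constructed lines in the form "<timestamp> <client> <queried host>".
SAMPLE_LOG = """\
2023-02-17T09:00:01Z 10.0.0.5 www.nvidia.com
2023-02-17T09:00:07Z 10.0.0.5 nvidia.services
2023-02-17T09:00:09Z 10.0.0.9 download.nvidia.com
2023-02-17T09:00:12Z 10.0.0.9 nvidia1.top
2023-02-17T09:00:15Z 10.0.0.5 nvidia.services
2023-02-17T09:00:18Z 10.0.0.7 nvidia.update.example
2023-02-17T09:00:20Z 10.0.0.7 example.org
"""


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_brand_lookalikes(log: str, brand: str,
                          allowed_zones: frozenset[str]) -> list[tuple[str, int]]:
    """Return (host, hit count) for hosts whose name contains the brand
    string but whose registrable domain is not an allowed zone, sorted by
    count descending and then by name for stable output."""
    brand = brand.lower()
    hits: Counter[str] = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than guess
        host = parts[2].lower().rstrip(".")
        if brand not in host:
            continue
        domain = registrable_domain(host)
        if any(domain == zone or domain.endswith("." + zone)
               for zone in allowed_zones):
            continue  # brand-owned zone, legitimate traffic
        hits[host] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, count in flag_brand_lookalikes(SAMPLE_LOG, "nvidia",
                                             frozenset({"nvidia.com"})):
        print(f"{count:>4}  {host}")
```

Keying on the full host rather than the registrable domain means a lookalike placed in a subdomain (nvidia.update.example in the sample) is still surfaced; the allowlist is checked against the registrable domain so that every host under the brand's own zone passes without enumeration.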
Hackers start using Havoc post-exploitation framework in attacks
FROM THE MEDIA: Security researchers have identified a new open-source command and control (C2) framework called Havoc, which is becoming an alternative to paid options such as Cobalt Strike and Brute Ratel. One of the most interesting aspects of Havoc is that it is cross-platform and bypasses Microsoft Defender using sleep obfuscation, return address stack spoofing, and indirect syscalls. Havoc has a web-based management console that allows the attacker to perform various tasks on compromised devices. Havoc was recently deployed in an attack campaign against an undisclosed government organization. Havoc generates a malicious agent with remote access trojan (RAT) functionalities and supports building malicious agents in several formats, including Windows PE executable, PE DLL, and shellcode. Havoc is one of several tools deployed by threat actors to evade antivirus and Endpoint Detection and Response (EDR) solutions, alongside Brute Ratel and Sliver.
READ THE STORY: BleepingComputer
The war in Ukraine has shaken up the cybercriminal ecosystem, Google says
FROM THE MEDIA: The war in Ukraine, which started a year ago when Russia invaded, has continued and has significant implications for the future of cybersecurity worldwide. According to a report from Google's Threat Analysis Group, Mandiant, and Google Trust & Safety, the war has disrupted the Eastern European cybercriminal ecosystem and blurred the lines between financially motivated and government-backed attackers. Cybercriminals now target Russian infrastructure and have begun specializing in the ransomware ecosystem. While the report notes that there wasn't a surge in attacks against critical infrastructure, it states that "cyber will now play an integral role in future armed conflict, supplementing traditional forms of warfare." The report aims to serve as a call to action for preparing for potential future conflicts around the world.
READ THE STORY: ZDNET
Paper dragons: is Chinese science all it’s cracked up to be?
FROM THE MEDIA: This piece delves into China's assertions regarding their technological advancements in quantum computing, gene editing, and military technology, and questions the authenticity of these claims. The writer contends that while China may publish more scientific papers than the West and have several world-class institutions, doubts remain regarding their ability to match or exceed the West's prowess in several industries. The article posits that China's more permissive approach to ethics and risk-taking may give it an advantage, but its reluctance to embrace theory and abstract thought could hinder progress in certain fields. In conclusion, the article notes that the West is apprehensive about Chinese technology's potential for surveillance, but China's accomplishments may fall short of its aspirations.
READ THE STORY: The Spectator
Items of interest
Chinese espionage efforts in the US examined
FROM THE MEDIA: China has a bigger hacking program than any other country in the world, with a bigger AI program than any other nation in the world, warned FBI Director Christopher Wray. China has used its AI capabilities and espionage tactics to hack rival nations' computer systems to obtain trade secrets and sensitive information. Similarly, Russian cyberattacks have increased against the U.S. since the Russia-Ukraine war began. Cyberattacks have been employed to infiltrate the U.S. government and private sectors, and Chinese state-linked firms may facilitate intelligence sharing with the Chinese government. China has also launched espionage efforts against U.S. politicians. Beijing has set up police stations around the world to target Communist Party critics, according to Spain-based NGO Safeguard Defenders.
READ THE STORY: SCMAG
Webinar: TS-50701 Impact on Cybersecurity in Rail Networks (Video)
FROM THE MEDIA: In this webinar, experts will discuss the TS-50701 technical standard, which amalgamates all critical rail cybersecurity requirements into a single framework. The webinar will cover the governing principles and requirements of TS-50701, its impact on the rail industry, and how rail companies can use CylusOne to tackle it. Practical recommendations and actionable insights for railway professionals will also be provided. The webinar aims to educate participants on the new standard and how it can help create a safer and more secure rail environment.
How a New Cyber Attack Paralyzed Iranian Train Systems (Video)
FROM THE MEDIA: A hacking group called Indra has claimed responsibility for several cyber attacks against Syrian and Iranian companies supporting the Iranian Revolutionary Guard's activities. The group used wiper tools and left their mark to discourage stealth. It is unclear who is behind Indra, but it could be an Iranian opposition group or a cover for a nation-state group.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.