Tuesday, February 21, 2023 // (IG): BB // BSidesCharm// Coffee for Bob
CIA seeing ‘a lot of effort’ from Russia to close down US intelligence visibility
Analyst Comments: By disrupting the CIA's intelligence collection efforts, Russia could limit the amount of information the U.S. has about its activities, which could reduce the effectiveness of U.S. policy and strategic decision-making. It could also help Russia to maintain its military advantage in Ukraine and other regions, and limit the U.S.'s ability to support its allies in the region.
FROM THE MEDIA: In a speech at the Munich Security Conference, CIA Director William Burns stated that Russia has been trying to disrupt the agency's intelligence collection efforts, but without significant success. The U.S. has been providing usable intelligence to Ukraine, which has been critical to the country's defense. Burns acknowledged that the initial rules about sharing intelligence were too restrictive, but when they were changed, the CIA was able to provide tactical intelligence that had an impact on the battlefield. Burns also spoke about the broader impact of the war and how it may influence China's actions, saying that no foreign leader is watching Ukraine more intently than Xi Jinping, and that China's leadership "already had doubts" about their ability to successfully conduct a military invasion of Taiwan. However, Burns warned that China's ambitions towards Taiwan should not be underestimated and that the risk of an invasion increases the further we get into this decade and beyond.
READ THE STORY: The Record
Chinese security researchers claim to have identified ‘Against The West’ hackers
Analyst Comments: The claims by Chinese cybersecurity companies and state media outlets exposing Western hacking activities should be viewed with skepticism, as the evidence supporting these claims is not always credible or originating from civilian sources. Given China's own extensive cyber capabilities and alleged involvement in cyber espionage against Western targets, the claims may not be entirely unbiased or objective. It is important to evaluate the sources and evidence before drawing conclusions.
FROM THE MEDIA: Chinese cybersecurity company Qi An Pangu Lab claims to have identified six members of the "Against The West" hacking group that allegedly has connections to or sponsorship from Western nation-states. The hackers display a pro-US and pro-West slant and claim to target organizations that are "against the West." The Pangu Lab's analysis showed that the group's members are mainly located in Switzerland, France, Poland, Canada, and other countries, and they are mainly engaged in programming and network engineer-related occupations. The group has become known for releasing source code belonging to Chinese organizations, and its activities mainly involve scanning and attacking technical vulnerabilities on open-source network systems. The Chinese cybersecurity industry has been criticized in recent years for claims, often published by state-controlled media outlets, regarding Western hacking activities. The substance of these claims has been questioned by Western experts, who noted they made extensive reference to malware that had previously been publicly linked to the US National Security Agency.
READ THE STORY: The Record
Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine
Analyst Comments: These attacks have targeted critical infrastructure, government, and military entities, indicating an aggressive multi-pronged effort to gain a decisive wartime advantage in cyberspace. This also suggests a notable shift in the Eastern European cybercriminal ecosystem, blurring the lines between financially motivated actors and state-sponsored attackers.
FROM THE MEDIA: Google's Threat Analysis Group (TAG) and Mandiant have jointly reported that cyber attacks by Russian actors against Ukraine have increased by 250% in 2022 compared to two years ago. This rise coincides with the country's military invasion, and the attacks have focused on the Ukrainian government, military, critical infrastructure, utilities, public services, and media sectors. Mandiant observed more destructive cyber attacks during the first four months of 2022 than in the previous eight years, with up to six wiper strains deployed against Ukrainian networks. The report suggests that there is a notable shift in the Eastern European cybercriminal ecosystem, blurring the lines between financially motivated actors and state-sponsored attackers.
READ THE STORY: THN
Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed
FROM THE MEDIA: Cryptocurrency exchange platform Coinbase has reported a cybersecurity attack in which an employee was targeted in an SMS phishing campaign. Although the cyber attacker was unsuccessful in accessing the company's systems due to its multi-factor authentication protections, some data from its directory was exposed, including employee names, email addresses, and phone numbers. The company said it was alerted to the attack within 10 minutes of it taking place, and its incident responders were able to prevent any loss of funds or compromise of customer information. The attack is believed to be linked to the 0ktapus phishing campaign which targeted over 130 companies last year. Coinbase has urged other firms to be aware of potential attempts to install remote desktop software and to watch out for incoming phone calls and text messages from specific providers.
READ THE STORY: THN
Derivatives market still hit by fallout from Ion Markets cyber attack
Analyst Comments: The cyber attack on Ion Markets, a little-known but critical vendor in the global derivatives trading industry, has significant implications for the financial markets. Ion Markets is one of the few companies that handle the complex but critical job of matching and reconciling brokers' trades, and the disruption caused by the cyber attack has rattled the global futures market.
FROM THE MEDIA: Three weeks after the cyber attack on Ion Markets, business has yet to return to normal in global derivatives trading. Ion's derivatives systems were disabled by the attack, forcing many trading desks to track data manually on spreadsheets. Ion is aiming to restore business as usual and transfer all clients to clean systems this week, according to a person familiar with the matter. The delay has led trading firms and regulators to pay greater attention to the risk that a single point of failure poses to daily trading operations. The disruption has also affected regulators, who have been unable to compile weekly reports of derivatives trading activity.
READ THE STORY: FT
Twitter hacker to be extradited
FROM THE MEDIA: The approval by Spain's High Court of the US State Department's request to extradite a British man in connection with the 2020 Twitter hack, which affected high-profile accounts of politicians and celebrities, is significant because it highlights the growing international cooperation in cybersecurity. The suspect, Joseph James O'Connor, who is accused of hacking 130 Twitter accounts and trying to extort a public figure, had refused to be transferred voluntarily to the US. This extradition could set a precedent for other countries to follow, enabling cross-border collaboration in dealing with cybercrime. It also shows the severity of the crime and the US's willingness to prosecute cybercriminals even when they are based abroad.
READ THE STORY: The New Times
HardBit ransomware wants insurance details to set the perfect price
Analyst Comments: The HardBit 2.0 ransomware is a significant threat to organizations, as it can lower the victim's security, disable security features, and encrypt files in a way that makes it harder to recover the original data. The operators of this ransomware have also introduced a new tactic of trying to negotiate a ransom payment that would be covered by the victim's insurance company, which could be appealing to some organizations. However, this approach is still not a reliable or recommended strategy for dealing with ransomware attacks, as paying the ransom only fuels the attackers and incentivizes them to continue their criminal activities.
FROM THE MEDIA: The emergence of the HardBit 2.0 ransomware threat has been reported by Varonis, a data security and analytics company. The ransomware operators have introduced a new tactic to try and negotiate payment from the victim's insurance company. The attackers claim that if the victim discloses all insurance details, they can adjust their ransom demand, so the insurer covers all costs. The threat actors claim that insurers never negotiate with ransomware actors with their client's interests in mind, so they make counter-offers to their demands just to derail the negotiations and refuse to pay. HardBit 2.0 features capabilities that lower the victim's security, like modifying the Registry to disable Windows Defender's real-time behavioral monitoring, process scanning, and on-access file protections. The malware also targets 86 processes for termination, to make sensitive files available for encryption.
READ THE STORY: BleepingComputer
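The HardBit tactic described above (weakening Defender through the Registry before encryption) is something a defender can audit for. The following PowerShell check is an added example, not code from the Varonis report or this newsletter; the policy path and value names are the standard Windows Defender Group Policy settings for real-time protection, chosen here as an assumption about what to inspect, and the live-state cross-check uses the built-in Get-MpComputerStatus cmdlet.

```powershell
# Added example: audit the Windows Defender real-time protection settings that
# HardBit-style ransomware tampers with, then cross-check the live engine state.
# The policy path and value names are standard Defender policy settings (assumed
# here as the relevant ones to inspect; they are not taken from the article).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$tamperValues = @(
    'DisableRealtimeMonitoring',    # real-time protection as a whole
    'DisableBehaviorMonitoring',    # real-time behavioral monitoring
    'DisableScanOnRealtimeEnable',  # process scanning when real-time protection starts
    'DisableOnAccessProtection'     # on-access file protection
)

function Test-DefenderTampering {
    $findings = @()

    # 1. Policy values written to the Registry: a value of 1 disables the feature.
    if (Test-Path -Path $policyPath) {
        $key = Get-ItemProperty -Path $policyPath
        foreach ($name in $tamperValues) {
            $prop = $key.PSObject.Properties[$name]
            if ($null -ne $prop -and [int]$prop.Value -eq 1) {
                $findings += "Policy value '$name' = 1 under $policyPath"
            }
        }
    }

    # 2. Live engine state: these should all be True on a healthy endpoint,
    #    regardless of how the setting was changed.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'RealTimeProtectionEnabled is False' }
    if (-not $status.BehaviorMonitorEnabled)    { $findings += 'BehaviorMonitorEnabled is False' }
    if (-not $status.OnAccessProtectionEnabled) { $findings += 'OnAccessProtectionEnabled is False' }

    return $findings
}

$findings = Test-DefenderTampering
if ($findings.Count -eq 0) {
    Write-Output 'No Defender real-time protection tampering detected.'
} else {
    Write-Warning 'Defender real-time protection appears to have been weakened:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it with administrative rights as a scheduled check or from an EDR response script; a non-empty result on a host that is not meant to be governed by such a policy is worth an immediate look, since the tampering precedes the encryption phase.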
DNA testing biz vows to improve infosec after criminals break into the database it forgot it had
FROM THE MEDIA: DNA Diagnostics Center (DDC) has reached a settlement deal with states' attorneys general in Ohio and Pennsylvania after a 2021 attack exposed the data of over 2.1 million people who had undergone genetic testing. The stolen customer data had been previously bought by DDC from a British company in 2012 and was inadvertently transferred to DDC from Orchid Cellmark without its knowledge. DDC will pay $400,000 and tighten its security in the wake of the breach. DDC ignored warnings from its MSP for months before taking action, leading to the discovery of Cobalt Strike malware and the exfiltration of sensitive personal information. The Ohio Attorney General found DDC engaged in "deceptive or unfair business practices" by making "material misrepresentations" in its customer-facing privacy policy.
READ THE STORY: The Register
Frebniis Malware Exploits Microsoft IIS Feature
FROM THE MEDIA: Cybersecurity researchers have discovered a new malware that leverages a legitimate feature of Microsoft's Internet Information Services (IIS) to install a backdoor in targeted systems. The malware, dubbed "Frebniis," was used by a previously unknown threat actor against targets in Taiwan and involves injecting malicious code into the memory of a DLL file related to an IIS feature used to troubleshoot and analyze failed web page requests. This tool enabled the malware to stealthily monitor all HTTP requests while also automatically recognizing specially formatted HTTP requests sent by the attacker. To use this technique, an attacker would need to gain access to the Windows system running the IIS server by some other means.
READ THE STORY: InfoSecMag
Researching North Korea online? You could be a victim of a malware attack
FROM THE MEDIA: Earth Kitsune, a nascent threat actor, breached a pro-North Korea website and used a backdoor dubbed WhiskerSpy to steal files, take screenshots, and deploy additional malware. The backdoor grants the threat actors a number of different capabilities, including downloading files to the compromised endpoint, uploading, deleting, and listing files, taking screenshots, loading executables and calling their exports, and injecting shellcode into processes. However, not all visitors are at risk. Trend Micro discovered that Earth Kitsune only activates when visitors from Shenyang, China, or Nagoya, Japan open the site, and that Brazil was only used to test whether the attack works. The malware uses the native messaging host in Google's Chrome browser to install a malicious extension called Google Chrome Helper.
READ THE STORY: TechRadar
How to Detect New Threats via Suspicious Activities
FROM THE MEDIA: Unknown malware is a significant cybersecurity threat, as it can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. It can take on a variety of forms, such as polymorphism, FUD, encrypted code, and a "low and slow" approach. To detect and respond to new threats, researchers must use reverse engineering to identify their purpose and malicious nature, static analysis to examine their behavior, payloads, and vulnerabilities, and signature-based security solutions to detect and block them. Different kinds of signatures are used to detect threats, including behavioral ones. To identify malicious code, it is important to focus on indicators of malicious behavior, such as abnormal file system activity, suspicious process creation and termination, abnormal networking activity, reading or modifying system files, accessing system resources, creating new users, connecting to remote servers, executing other malicious commands, and exploiting known vulnerabilities in the system. This can be done using tools such as Process Monitor and Wireshark to analyze the results of reverse engineering, static analysis, dynamic analysis, sandboxing, and heuristics. It is also possible to detect a threat by its behavior alone, even without signatures.
READ THE STORY: THN
GoDaddy Hosting Hacked — for FOURTH Time in 4 Years
FROM THE MEDIA: GoDaddy reported a multi-year security breach in December 2022, which was linked to previous breaches in November 2021 and March 2020. The breach began around the time CEO Aman Bhutani moved from Expedia to GoDaddy, and the attackers had access to the company's network for multiple years. GoDaddy found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years. The company has admitted that the compromise allowed unknown attackers to steal company source code and customer and employee login credentials, and to gain access to the cPanel hosting servers customers use to manage websites hosted by GoDaddy. The incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy for phishing campaigns, malware distribution, and other malicious activities. GoDaddy says it is using lessons from this incident to enhance the security of its systems, but this is the fourth time it has been breached by the same hacker group in as many years.
READ THE STORY: Security Boulevard
Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers
FROM THE MEDIA: The Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. This comes more than 10 months after the U.S. Treasury Department implicated the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge. The confiscation comes as crypto exchanges Binance and Huobi froze accounts containing approximately $1.4 million in digital currency that originated from the June 2022 hack of Harmony's Horizon Bridge. The funds siphoned in the wake of the Horizon Bridge heist were "laundered through a complex series of transactions involving exchanges, cross-chain bridges, and mixers." Tornado Cash was used once again, but in place of Blender, another Bitcoin mixer was used: Sinbad.
READ THE STORY: THN
Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies
FROM THE MEDIA: A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT. ThreatMon attributed the activity to a threat actor tracked as SideCopy, which mimics the infection chains associated with SideWinder to deliver its own malware. The infection journey begins with a phishing email containing a macro-enabled Word document, which triggers the execution of malicious code that leads to the deployment of ReverseRAT on the compromised system. ReverseRAT collects data, encrypts it using RC4, and sends it to the command-and-control (C2) server. It waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.
READ THE STORY: THN
DeFi security: How trustless bridges can help protect users
FROM THE MEDIA: Blockchain bridges allow decentralized finance (DeFi) users to use the same tokens across multiple blockchains, but they are at risk of exploitation by malicious actors. Over $2.5 billion was stolen from cross-chain bridges between 2020 and 2022. Trustless bridges, also known as noncustodial or decentralized bridges, could improve the security of users' cross-chain transfers. Cross-chain bridges allow two or more separate blockchain networks to talk to each other and share information, making it possible to move assets from one network to another.
READ THE STORY: OODALOOP
Hackers Start Selling Data Center Logins for Some of the World’s Largest Corporations
FROM THE MEDIA: Hackers have stolen login credentials for data centers in Asia used by some of the world's biggest businesses, a potential bonanza for spying or sabotage, according to a cybersecurity research firm. The previously unreported data caches involve emails and passwords for the customer-support websites of two of the largest data center operators in Asia: Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres. Hackers have logged into at least five customer accounts, including China's main foreign exchange and debt trading platform and four others from India. Resecurity and executives at four major US-based companies that were affected said the stolen credentials represented an unusual and serious danger, primarily because they control who is allowed to physically access the IT equipment housed in the data centers. The data loss reported by Resecurity highlights the growing risk companies face due to their reliance on third parties to house data and IT equipment and help their networks reach global markets.
READ THE STORY: Yahoo Finance
APNIC calls in lawyers to handle election code of conduct breach allegations
FROM THE MEDIA: The Asia Pacific Network Information Centre (APNIC) has appointed external lawyers to consider allegations of multiple breaches of its election nominee's code of conduct, including threats related to the election. The organization has received 14 reports within hours of its last notice, and the total is now at least 18. Maddocks will now assess complaints about the conduct of the election and warn members to watch out for fake election phone calls. Candidates supporting a position have been endorsed by an organization called the Number Resource Society (NRS), a Morocco-based entity that once shared a physical address with Larus Limited, a Hong Kong IP address broker. Larus' CEO, Lu Heng, holds the same position at a company called Cloud Innovation that is involved in legal disputes with the African Network Information Centre (AFRINIC).
READ THE STORY: The Register
How Blackbird AI is striking back at ChatGPT and AI-based attacks
FROM THE MEDIA: Blackbird AI, a defensive AI and risk intelligence provider, has announced the release of RAV3N Copilot, an AI assistant for security analysts. The assistant uses narrative intelligence and risk reports to offer defenders greater context for security incidents, and can automatically generate executive briefings, key findings, and mitigation steps to help security teams manage incidents more efficiently. The announcement comes as more and more technology vendors look to generative AI to automate security operations, such as Orca Security's ChatGPT integration and a similar integration from ARMO. Blackbird's launch highlights the potential impact of generative AI on enterprise security, as it can be used to augment contextual information around threats targeting data assets. RAV3N Copilot is intended to enhance an analyst's contextual understanding of security incidents and tasks in the SOC.
READ THE STORY: VB
New Stealc malware emerges with a wide set of stealing capabilities
FROM THE MEDIA: A new information stealer called Stealc has emerged on the dark web, gaining traction due to aggressive promotion of its capabilities and its similarities to other stealers such as Vidar, Raccoon, Mars, and Redline. Security researchers at cyber threat intelligence company SEKOIA spotted the new strain in January and noticed it started to gain traction in early February. The malware was advertised on hacking forums by a user called "Plymouth," who presented it as a stealer with extensive data-theft capabilities and an easy-to-use administration panel. After the initial post, Plymouth started to promote the malware on other hacking forums and on private Telegram channels, offering test samples to potential customers. SEKOIA researchers discovered more than 40 C2 servers for Stealc and several dozen samples in the wild, indicating that the new malware has attracted the interest of the cybercriminal community.
READ THE STORY: Bleeping Computer
Understanding critical infrastructure and security challenges necessary for ensuring the continuity of essential services for enterprises
FROM THE MEDIA: Critical infrastructure is the new frontier within cybersecurity, with industries such as transportation, oil and gas, power, healthcare, dams, ports, and several others being prime targets of cyber-attacks. Krishna Chaitanya Tata, a senior Operational Technology cyber security architect with IBM, shares his insights and expertise on how vulnerable critical infrastructure industries are to cyberattacks and what are the best practices to help secure their critical control networks. OT networks are increasingly getting connected to the outside world, with common threat vectors such as IoT and SCADA. Organizations need to prepare holistically and look at operational technology security as a parallel function to safety to ensure no injuries or loss of life occurs. A comprehensive security strategy should start with a comprehensive security reference architecture and a layered onion-peel model of a defense-in-depth strategy. An optimal security solution stack should include industrial intrusion detection systems (IIDS), secure remote access solutions (SRA), and deception technologies to simulate real-life attack scenarios.
READ THE STORY: B2BCHIEF
Big Data and War: Can a Cyberattack Justify an Armed Response
FROM THE MEDIA: Paul Stephan, a University of Virginia distinguished professor of law and expert in international dispute resolution and comparative law, recently posed an interesting question: if big data is a resource and therefore a potential target of armed conflict, what kinds of attacks justify an armed response and what are the rules governing such attacks? His post comes at a time when surveillance-oriented states use big data to guide and bolster the monitoring of their own people as well as potential foreign threats. He argues that big data is, in fact, a resource, "and a potential target in an armed conflict," because of two economically valuable features: it can be mined to learn about trends and developments, and it can be used for the development of artificial intelligence. UVA Today reached out to Stephan to learn more about his thoughts on whether the theft of big data could lead to war. China and the US are the world leaders in the exploitation of big data for both commercial and public interests, and many important social systems rely on it to operate. Traditionally, attacks on data or data infrastructure have been met with cyber retaliation.
READ THE STORY: UVAToday
DDoS Attack by Russian Hackers Disrupts Turkey-Syria Earthquake Relief, Other NATO Operations
FROM THE MEDIA: The Killnet hacking collective, which has pledged to involve itself in the Ukraine invasion on the side of the Putin government, has claimed responsibility for recent DDoS attacks against NATO that disrupted a number of its operations, including an earthquake relief program assisting those impacted by the Turkish-Syrian earthquake. Killnet used its Telegram channel to advertise the fact that it is attacking NATO, and has primarily been known for DDoS attacks. The attack on NATO earthquake relief is probably its most impactful to date in terms of real-world damage, as it disrupted the Strategic Airlift Capability, which has previously been used to deliver equipment to Ukraine and is currently performing search and rescue in the earthquake's damage zone. It also disrupted a secured restricted network used by NATO for transmitting classified data. Killnet has been targeting earthquake relief efforts and hospitals in allied countries in a way that could spark a military conflict.
READ THE STORY: CPO
Ukraine's Volunteer Cyber Army Could Be Blueprint for the World: Experts
FROM THE MEDIA: The Ukraine National Defense Hackathon took place Nov. 24-26 in the Maidan Nezalezhnosti subway station in Kyiv, Ukraine, which was the safest place in the city and had the most reliable power. The hackathon involved personnel from NATO as well as Ukrainian defense and security officials and worked on problems such as the production and deployment of military drones, and the legal framework for Kyiv's unprecedented multinational volunteer cyberwar militia, the IT Army. As the first anniversary of Russia's invasion approaches, the architects of Ukraine's cyber approach are declaring it a model that more democracies should emulate. Ukraine is waging a new form of war, which critics argue blurs legal lines between combatants and civilians, ignores norms of international behavior, disrupts intelligence operations, risks dragging other countries into the war, and could give the Russians an excuse to escalate the conflict. Ukrainian Deputy Prime Minister and Minister for Digital Transformation Mykhailo Fedorov told Newsweek the cyber war started after Russia's 2014 invasion of Eastern Ukraine. Hacktivist collectives have long been employed as proxies, but Ukraine is the first country to use them.
READ THE STORY: Newsweek
This is a Raspberry Pi running a 5G network
FROM THE MEDIA: Vodafone has unveiled a prototype 5G network built on a Raspberry Pi, which can provide an affordable and portable 5G network to users. The system is a Raspberry Pi 4 with a small 5G-compatible embeddable software-defined radio (SDR) circuit board, and it can be used as a dedicated private network or as an extension of a larger network. It is part of Vodafone's plans to make mobile private networks (MPNs) more accessible to 22 million small and medium-sized enterprises across Europe, while also offering extended internet coverage to households.
READ THE STORY: ZDNET
Items of interest
Iran’s pursuit of soft power in the Balkans
FROM THE MEDIA: The Balkan region is strategically important for western countries as a geographic bloc through which they can increase their influence in former Soviet Eastern European states, including Russia. Iran views the region as a gateway to the west and its markets due to similarities in culture, religion, and discourse. Iran began its modern-day influence in the Balkans at the onset of the Bosnian war in 1992, sending military trainers, intelligence officers, food, money, and humanitarian assistance to Bosnians struggling against their heavily armed adversaries. In 2020, Iran exported approximately $16 million worth of goods to Serbia, making it Iran's 37th largest trading partner. Despite having plenty of room for growth, the volume of economic exchanges between the two countries has increased by 50 percent in the past year.
READ THE STORY: The Cradle
How the PLA Is Changing the Game with Asymmetric Warfare Tactics (Video)
FROM THE MEDIA: The People's Liberation Army (PLA) of China is known for its innovative use of asymmetrical warfare tactics. One such tactic is the use of spy balloons, which are unmanned aerial vehicles (UAVs) that are designed to float high in the sky for extended periods of time and collect intelligence. In this video, we will explore how the PLA uses spy balloons as part of an asymmetrical warfare strategy.
Russia’s private military force, explained (Video)
FROM THE MEDIA: On January 10, 2023, the Ukrainian town of Soledar was reportedly captured. But it wasn’t captured by the Russian army under Vladimir Putin’s command. The announcement came from a relatively unknown man, Yevgeny Prigozhin, who said his troops now controlled the town. The troops are part of the Wagner Group, a private army that has become a prominent force alongside Russian troops in the war against Ukraine.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.