Wednesday, February 22, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
A Cyber United Nations? No, But a Treaty Organization Is Needed After the Ukraine Conflict Ends
Analyst Comments: The call for a "Cyber United Nations" and the challenges in creating one highlight the increasing importance of cybersecurity in international relations and conflicts. With cyber-attacks becoming a common tool in statecraft and conflict, there is a need for international cooperation and coordination in addressing these threats.
FROM THE MEDIA: The article highlights the increasing willingness of state and non-state actors to conduct cyber attacks during geopolitical conflicts, with hacktivists and cybercriminal groups joining the fray. The Ukraine conflict in particular has seen an uptick in cyber attacks, leading Ukraine's cybersecurity leader to call for the creation of a "Cyber United Nations" that would serve as a hub for cyber threat awareness, intelligence sharing, and a pool of international experts to respond to cyber fallout. However, the United Nations has struggled to reach global consensus on how states should behave responsibly in cyberspace, making it difficult to codify norms of behavior or agree on an international cybercrime treaty. The article suggests that a treaty-bound cyber organization modeled on NATO may be a more formal and effective solution: one that could quickly mobilize to respond to cyber attacks against members, set cyber norms, and establish red lines for attackers.
READ THE STORY: OODALOOP
Ukrainian hackers claim disruption of Russian TV websites during Putin speech
Analyst Comments: A Ukrainian hacktivist group claimed responsibility for a distributed denial-of-service (DDoS) attack on Russian media websites during a live broadcast of President Vladimir Putin's address to the country's elite. The incident is just one example of how pro-Ukrainian and pro-Russian hackers are using cyber attacks to target each other's media outlets and spread their respective messages. As such attacks continue to escalate, there are concerns about the potential impact on global internet infrastructure and the risk of significant economic damage.
FROM THE MEDIA: Russian media websites went down during a live broadcast of President Vladimir Putin's address to Russia's elite on Tuesday. The Ukrainian hacktivist group IT Army claimed responsibility for the attack and listed the Russian state-controlled television channel 1TV as one of its victims. Over the past year, Ukrainian hacktivists have attacked more than 15,000 Russian websites, including government services, banks, and private companies. Pro-Kremlin hackers are also following a similar playbook. In July, two radio stations owned by one of Ukraine's largest broadcasters were hacked to spread fake messages that Zelensky was hospitalized and in critical condition.
READ THE STORY: The Record
Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks
Analyst Comments: Havoc is an open-source post-exploitation command-and-control (C2) framework whose implant, according to the reporting, evades the current, fully updated Microsoft Defender on Windows 11. Its evasion features and broad functionality make it attractive to threat actors, and because it is open source it is available to anyone with the skills to operate it, the same dynamic that turned Cobalt Strike and Sliver from red-team tooling into commodity attacker infrastructure. Defenders should not rely on signature coverage for any single framework; detection built around the behaviours these tools share (indirect syscalls, sleep obfuscation, encrypted beaconing to an operator server) transfers across them.
FROM THE MEDIA: According to cybersecurity firm Zscaler, a campaign observed in January 2023 targeted an unnamed government organization using an open-source command-and-control (C2) framework called Havoc. The framework is being adopted by threat actors as an alternative to other well-known, legitimately developed toolkits such as Cobalt Strike, Sliver, and Brute Ratel. Havoc's implant evades the current, fully updated Microsoft Defender on Windows 11 through evasion techniques such as indirect syscalls and sleep obfuscation. It is a feature-rich post-exploitation framework that is difficult to detect, which makes it attractive to threat actors even as security vendors push back against the abuse of such red-team software. Once the Havoc Demon implant is running on a target machine, the operator can issue commands to the system through the teamserver; the Demon runs each command, records it and its output, and sends the encrypted results back to the C2 server. Havoc has also been seen delivered through a malicious npm package named aabquerys which, once installed, runs a three-stage process to retrieve the Demon implant. The package has since been taken down.
READ THE STORY: THN
Mideast governments accused of using fake dating profiles in arrests of LGBT people
Analyst Comments: The HRW report highlights the disturbing and systematic abuse of LGBT people in several Middle Eastern and North African countries. It is important because it sheds light on the use of digital platforms by governments to target a vulnerable minority group, and shows the devastating impact this has on the lives of LGBT people in the region.
FROM THE MEDIA: Human Rights Watch (HRW) has reported that the governments of several Middle Eastern and North African countries have used fake social media or dating app profiles to lure and arrest LGBT people. HRW found that authorities in Egypt, Iraq, Jordan, Lebanon, and Tunisia entrapped, detained, and tortured people over their identities. The report documents at least 45 cases in four of these countries in which LGBT people were targeted and arbitrarily arrested. In 23 cases, people were acquitted after appealing charges that included "inciting debauchery," "debauchery," and "prostitution," while 22 people were never charged but were held in prison for varying lengths of time. In five cases people were convicted and sentenced to three years in prison or less. HRW found that most of those arrested were denied access to a lawyer and were eventually forced to sign confessions in order to be released. Representatives for all five countries did not respond to requests for comment on the report's claims. HRW said social media giants like Meta and dating apps like Grindr must be more proactive in addressing the abuse LGBT people face in Arabic-speaking countries.
READ THE STORY: The Record
U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog
Analyst Comments: Mitsubishi Electric's MELSOFT iQ AppPortal is a software platform used to manage and monitor industrial control systems, including those in critical infrastructure sectors such as energy, water, and transportation. It lets authorized users remotely access and manage industrial systems and devices and view real-time data from sensors and other sources, which is why flaws in it matter: a compromise of the management layer can reach the controllers beneath it.
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with three new security flaws that are being actively exploited. The flaws include CVE-2022-47986, a code execution vulnerability in IBM Aspera Faspex, and two vulnerabilities impacting Mitel MiVoice Connect that allow attackers to execute arbitrary code. The nature of the attacks is unclear, but the vulnerabilities were patched by Mitel in October 2022. Federal Civilian Executive Branch agencies are required to apply the necessary updates by March 14, 2023, to secure networks against potential threats. CISA also released an Industrial Control Systems (ICS) advisory highlighting critical flaws in Mitsubishi Electric's MELSOFT iQ AppPortal.
READ THE STORY: THN
Spying Versus Spying
Analyst Comments: Countries engage in espionage and surveillance for national security reasons, and it is a long-standing practice that is unlikely to stop any time soon. While public denouncements of spying are common, most countries recognize the strategic value of gathering intelligence on their adversaries and engage in some form of spying against each other. Therefore, it's not surprising that the United States and China are engaging in surveillance activities against each other, despite the potential for tension and conflict.
FROM THE MEDIA: The article discusses the recent dispute between the United States and China over the use of weather balloons for surveillance, with each country accusing the other of overflights. It describes the extensive and intrusive surveillance capabilities of both countries and argues that expecting either to stop pursuing parity in surveillance is naive. It suggests that greater cooperation on surveillance of global threats, such as carbon emissions, humanitarian disasters, and the spread of disease, should be a priority in an era of existential threats. The article also notes that China's use of economic levers, such as trade policy, could shift the global balance of power, making cooperation on non-economic issues all the more important.
READ THE STORY: Eurasia Review
Cyber researcher claims a Department of Defense email server was open for the public to peruse
FROM THE MEDIA: Cybersecurity researcher Anurag Sen reported discovering an unsecured Department of Defense server holding nearly three terabytes of data, including a large number of U.S. military emails. The server was hosted on Microsoft Azure and, because of a misconfiguration, had no password protection. It is not clear who else accessed the data; Mr. Sen shared some of it with The Washington Times, including emails involving U.S. Special Operations Command. The exposure was first reported to TechCrunch, which alerted the U.S. government. SOCOM declined to comment and referred questions to U.S. Cyber Command, which did not immediately answer. Emsisoft threat analyst Brett Callow warned that exposed mailboxes give attackers material for spearphishing, which can trick recipients into handing over access to sensitive information. Microsoft did not immediately comment on its responsibility for the exposed server. Microsoft products have previously been exploited by China-sponsored attackers; the Biden administration blamed China's Ministry of State Security for the 2021 attacks on Microsoft Exchange Server.
READ THE STORY: The Washington Times
China is giving Hong Kong behind-the-scenes approval to become a crypto hub
Analyst Comments: China has been seeking to increase its global influence and challenge the dominance of the US dollar in international trade and finance. By exerting control over the global cryptocurrency market, China could potentially gain more control over global financial flows and challenge the US's position as the dominant economic power. Furthermore, blockchain technology has the potential to disrupt traditional financial systems, and China may see this as an opportunity to gain a competitive advantage over other countries.
FROM THE MEDIA: Hong Kong is reportedly pushing to develop the city's blockchain ecosystem, including legalizing cryptocurrency trading for retail investors, following the Securities and Futures Commission's (SFC) announcement of a new licensing regime that takes effect on June 1, 2023. Amid reports that Hong Kong's government is preparing crypto legislation, representatives of China's Liaison Office and other officials have reportedly been attending Hong Kong's crypto gatherings regularly over the past few months, networking, exchanging business cards and WeChat details, checking on developments, and requesting reports. This perceived openness has led to an influx of crypto firms from the mainland and overseas that are now pushing to register their businesses in Hong Kong, while the SFC is seeking public input on whether licensed platform operators should be allowed to serve retail investors. The regulator intends to publish lists on its website showing the regulatory status of the various trading platforms and will continue working with the Investor and Financial Education Council to educate the Hong Kong public about virtual assets.
READ THE STORY: KITO
This ChatGPT feature has huge potential—but really needs work
FROM THE MEDIA: The author of the article recounts his experience using OpenAI's chatbot, ChatGPT, to summarize articles for work. While ChatGPT is adept at generating code and text, including summarizing articles, the author found that the summaries often were not accurate and frequently contained errors. For example, in summarizing the author's recent articles for Fast Company, ChatGPT frequently included tips or advice that were not in the original articles or misrepresented the main point of the article. The author suggests that ChatGPT's summarizing feature may be more effective for summarizing books, which are more static in terms of their content, and that the chatbot's ability to summarize articles may be hampered by the freshness of the content and the AI model's inability to accurately analyze and interpret recent articles. The author concludes that while ChatGPT has a lot of knowledge, it needs to learn how to read better in order to generate more accurate summaries.
READ THE STORY: Fast Company
Whistleblower Leaks Documents And Software Of Israeli Surveillance Tech Company Cellebrite
FROM THE MEDIA: According to Enlace Hacktivista and Distributed Denial of Secrets, 1.7 TB of data from Cellebrite, an Israeli mobile forensics firm, has been posted online for download; the two groups attribute the material to an anonymous whistleblower. The release includes documents relating to Cellebrite's UFED4PC, extraction software that is already in use by Delhi police. The leaked zip files carry titles such as "Nokia Lumia Windows Phone Extractions," "Phone Detective," and "User Lock Code Recovery Tool." The company's Universal Forensic Extraction Device (UFED) is its best-known product and has been widely criticized for helping governments monitor human rights activists, officials, dissidents, and journalists. Cellebrite has been a frequent target of hackers, and this is not the first time the company's data has leaked.
READ THE STORY: Medianama
New Transmitter Design For Small Satellite Constellations Improves Signal Transmission
FROM THE MEDIA: A research team from Tokyo Institute of Technology has designed a transmitter (TX) for small satellites that meets their stringent requirements for efficient and precise beam steering while generating left-hand and right-hand circularly polarized signals to avoid interference with other transmissions. The proposed TX operates in the Ka-band, and its beam steering is provided by a 256-element active phased-array configuration. In tests the TX achieved 63.8 dBm of equivalent isotropically radiated power at a power consumption of 26.6 W, a 62% reduction compared with the state-of-the-art TX at the same radiated power. The small TX can be built using standard manufacturing techniques.
READ THE STORY: SPACEREF
LockBit gang takes credit for attack on water utility in Portugal
FROM THE MEDIA: The LockBit ransomware group has claimed responsibility for a cyberattack on Águas e Energia do Porto, a water utility company owned by the city and serving half a million people in Porto, Portugal. The attack took place on February 8, and while the security team of the utility company was able to limit the damage, LockBit added the company to its leak site on February 18. The group has demanded a ransom and threatened to publish stolen information from the company's systems if the deadline passes without payment. Water utilities are a frequent target for ransomware gangs because of the sensitive information they typically hold, including customer data and financial information.
READ THE STORY: The Record
Black Hat to Launch Official Certification Program
FROM THE MEDIA: Black Hat, the leading cybersecurity conference, has announced the launch of its first-ever certification program, the Black Hat Certified Pentester (BCPen). The program is designed for professional penetration testers, bug bounty hunters, in-house red and blue team personnel, and SOC analysts. The eight-hour, in-person exam covers application security and infrastructure hacking topics and is intended to provide a credible certification that is up-to-date and represents real-life business risks. The program was developed in partnership with IT security firm The SecOps Group and will be officially launched at Black Hat USA 2023 in Las Vegas in August.
READ THE STORY: DARKReading
Cyber leaders mock Twitter's decision to yank 2FA for non-subscribers
FROM THE MEDIA: Twitter has announced that it will stop offering text-message (SMS) two-factor authentication (2FA) to accounts without a paid subscription, citing abuse of phone-based 2FA by threat actors. Non-subscribers already enrolled in SMS 2FA have 30 days to disable it and switch to another method; after that, text messages will no longer be available as a 2FA method for non-subscribers, and Twitter will turn off SMS 2FA on accounts that still have it enabled, leaving those accounts protected by password alone unless the user has moved to another factor. Twitter is urging non-subscribers to use an authenticator app or a hardware security key instead, both of which are stronger than SMS in any case. Critics called the move a pay-or-be-phished scheme, and others saw it as a way to promote the once-coveted blue check.
READ THE STORY: SCMAG
House Dems Call for Info on Racially-Motivated Cyber Attacks
FROM THE MEDIA: Democratic lawmakers are calling on the Department of Homeland Security's Office of Intelligence and Analysis to work with the Cybersecurity and Infrastructure Security Agency to gauge the level of domestic extremist threat to critical infrastructure, both physical and cyber. They specifically want more information on domestic attacks on critical infrastructure linked to extremist activity and beliefs, citing a recent racially motivated attempt to sabotage the electrical grid around Baltimore, Maryland. The lawmakers are seeking a broad assessment of the threat landscape for the energy sector, as well as information on how prevalent racial, ethnic, and other ideological motivations are among ongoing cyber attacks.
READ THE STORY: Nextgov
Researchers Discover Numerous Samples of Information Stealer 'Stealc' in the Wild
FROM THE MEDIA: French cybersecurity company SEKOIA has reported the emergence of a new information stealer called Stealc, which is being advertised on the dark web and could pose a significant threat. The malware has been marketed by an actor called Plymouth and is being distributed via YouTube videos posted from compromised accounts that link to a website selling cracked software. The malware is written in C and has the capability to steal data from web browsers, crypto wallets, email clients, and messaging apps. SEKOIA discovered more than 40 Stealc samples distributed in the wild and 35 active command-and-control servers.
READ THE STORY: THN
MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily
FROM THE MEDIA: BitSight has identified a botnet called MyloBot that is compromising thousands of systems daily, many of them in India, Iran, the US, and Indonesia. The malware uses a multi-stage loader and then operates as a downloader, able to fetch and run any payload after infecting a host. It waits 14 days before contacting its command-and-control server, a delay long enough to outlast most sandbox runs and so sidestep detection. The botnet is also thought to be connected to BHProxies, a residential proxy service, and is believed to be part of a larger network. MyloBot was first identified in 2018, when it was spotted sending extortion emails from hacked endpoints.
READ THE STORY: THN
Gcore Thwarts Massive 650 Gbps DDoS Attack on Free Plan Client
FROM THE MEDIA: Gcore mitigated a DDoS attack of more than 650 Gbps aimed at a customer on its free CDN plan. The attack combined a UDP flood, a TCP ACK flood, and mixed TCP/UDP traffic. Gcore credits its distributed infrastructure, private peering with the cloud provider from which the attack was launched, and its capacity, with over 11,000 peering partners and 500 servers in data centers worldwide, for absorbing it. DDoS attacks are expected to keep growing, so the article argues that businesses of all sizes should put a distributed content delivery network in front of their services.
READ THE STORY: THN
Ukraine’s largest charity wants to raise $1.3 million for ‘cyber offensive’
FROM THE MEDIA: Come Back Alive, Ukraine’s largest charitable foundation, has launched a fundraising campaign to raise $1.3 million to purchase technology and equipment that will help Ukraine's cyber forces impede Russian advances on the real battlefield. The funds raised will help build infrastructure and boost cyber warfare capabilities to create logistical difficulties for Russia and help Ukraine locate and target Russian troops. Come Back Alive is not disclosing the specific hardware or software it intends to buy for security reasons. In the past, the organization conducted another fundraising campaign and raised over $200,000 to buy equipment for the Ukrainian cyber forces, which aids in the early detection of Russian operations. Crowdfunding efforts have proved effective during the war in Ukraine, and in August, another Ukrainian charity raised $17 million and bought a satellite for the army.
READ THE STORY: The Record
Civil liberties groups call for EU-wide ban on spyware
FROM THE MEDIA: The European Digital Rights (EDRi) association has called for a ban on spyware technologies in the EU, arguing that "no safeguard can mitigate the human rights violations [spyware tools] entail." The EDRi has requested that the European parliamentary inquiry into spyware technology, known as The Committee of Inquiry to Investigate the Use of Pegasus and Equivalent Surveillance Spyware (PEGA), call for a ban on the technology. PEGA currently does not have significant power to shape legislation, although it has the ability to recommend that the European Council and Commission create a change in the law. A draft report from PEGA's rapporteur found that EU governments have used spyware on their citizens for political purposes, and to cover up corruption and criminal activity. Despite the potential risks the industry poses, few attempts have been made to mitigate them, and regulating the industry is a challenge under EU law.
READ THE STORY: The Record
Clop Ransomware Breaches 130 Organizations, Steals 1 Million CHS Healthcare Patients’ Records
FROM THE MEDIA: The Clop ransomware group has claimed to have stolen data from more than 130 organizations, including 1 million CHS Healthcare patients, by exploiting a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. The gang told Bleeping Computer that it was able to exploit the vulnerability for 10 days, allowing it to exfiltrate the data. The remote code execution vulnerability affects unpatched Fortra GoAnywhere MFT file transfer instances with internet-exposed administrative consoles. The attack resembles the December 2020 Accellion File Transfer Appliance data breach that affected around 100 organizations. CHS Healthcare also suffered a similar data breach in 2014.
READ THE STORY: CPO
Analyzing Your Existing API Testing Through a Security Lens
FROM THE MEDIA: The article argues for API testing with a security focus so that APIs are resilient to attackers looking to abuse them. The author emphasizes negative testing and error handling: tests must exercise what the API does on bad input, not just on the happy path, in order to build defensible code that withstands abuse. The article walks through the types of API testing (unit, functional, integration, GUI, fuzz, and performance testing) and how to introduce security testing to the team. It stresses input validation and the techniques that ensure only valid, expected data is accepted, so that bad or malicious input cannot reach deeper code and exploit latent vulnerabilities. It concludes that confidence in the security of web services should be a priority for every organization, and that running security tests on them regularly is essential.
READ THE STORY: Security Boulevard
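As an added example (not code from the article or its author), here is a small Python "create user" handler with allow-list input validation, beside a negative-test harness that feeds it hand-written hostile bodies and random byte-level mutations and checks that it fails closed. The endpoint, field names, limits and sample payloads are assumptions made for the illustration.

```python
"""Minimal 'create user' API handler with strict input validation, plus a
negative-test / fuzz harness that checks it fails closed on hostile input.
Added illustrative code, not from the article; the endpoint, field names,
limits and sample payloads are assumptions made for the example."""
import json
import random
import re
import string

MAX_BODY_BYTES = 4096                                 # reject oversize bodies before parsing
ALLOWED_FIELDS = {"username", "email", "age"}
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")     # allow-list, not deny-list
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")


class ValidationError(ValueError):
    """Raised for any input that breaks the contract; message never leaks internals."""


def validate_user(raw: bytes) -> dict:
    """Parse and validate a JSON body; return only the fields we accept."""
    if not isinstance(raw, (bytes, bytearray)):
        raise ValidationError("body must be bytes")
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw)
    except (ValueError, RecursionError):              # bad UTF-8, bad JSON, or a nesting bomb
        raise ValidationError("malformed JSON") from None
    if not isinstance(body, dict):
        raise ValidationError("JSON object expected")
    if set(body) != ALLOWED_FIELDS:                   # no extra, no missing: mass-assignment guard
        raise ValidationError("unexpected or missing fields")
    username, email, age = body["username"], body["email"], body["age"]
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("invalid username")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        raise ValidationError("invalid email")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(age, bool) or not isinstance(age, int) or not 13 <= age <= 150:
        raise ValidationError("invalid age")
    return {"username": username, "email": email, "age": age}


def handle_create_user(raw: bytes) -> tuple:
    """HTTP-style handler returning (status, response); 400 for contract violations."""
    try:
        user = validate_user(raw)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 201, {"created": user["username"]}


VALID = b'{"username": "alice_01", "email": "alice@example.test", "age": 34}'

# Constructed negative cases a security-minded API test suite should always carry.
NEGATIVE_CASES = [
    b"",
    b"null",
    b"[]",
    b'{"username": "alice", "email": "a@b", "age": 20, "is_admin": true}',  # mass assignment
    b'{"username": "alice; DROP TABLE users--", "email": "a@b", "age": 20}',  # injection string
    b'{"username": "alice", "email": "a@b", "age": true}',                  # bool-as-int
    b'{"username": "alice", "email": "a@b", "age": "20"}',                  # type confusion
    b'{"username": "alice", "email": "a@b", "age": 20}' + b" " * 5000,      # oversize body
    b"[" * 4000,                                                            # nesting bomb
    b'{"username": "\xff\xfe", "email": "a@b", "age": 20}',                 # invalid UTF-8
]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Cheap byte-level mutator: flip a bit, delete, insert, or duplicate a slice."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    i = rng.randrange(len(buf)) if buf else 0
    if op == 0 and buf:
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[i]
    elif op == 2:
        buf.insert(i, ord(rng.choice(string.printable)))
    else:
        buf.extend(buf[i:i + 16])
    return bytes(buf)


def run_negative_tests(handler=handle_create_user, rounds: int = 500, seed: int = 1) -> dict:
    """Feed hand-written and mutated inputs; the handler must never raise and
    must answer only 201 or 400. Returns a tally of status codes seen."""
    rng = random.Random(seed)
    inputs = list(NEGATIVE_CASES)
    cur = VALID
    for _ in range(rounds):
        cur = mutate(cur if len(cur) < 2000 else VALID, rng)
        inputs.append(cur)
    tally = {}
    for raw in inputs:
        status, _ = handler(raw)                      # any exception here is a test failure
        assert status in (201, 400), f"unexpected status {status}"
        tally[status] = tally.get(status, 0) + 1
    return tally


if __name__ == "__main__":
    print(handle_create_user(VALID))
    print(run_negative_tests())
```

The two halves are the point: the handler rejects everything it did not explicitly expect (extra fields, wrong types, oversize or deeply nested bodies, undecodable bytes) with a 400 and a fixed message, and the harness proves that property survives both the cases you thought of and a few hundred you did not. In a real project the harness runs in CI against the live endpoint, and any 5xx or unhandled exception is a failing test, not a log line.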
Alcatraz AI streamlines facial recognition access control with mobile update
FROM THE MEDIA: Access control provider Alcatraz AI is adding web-based mobile enrollment and privacy-consent management to its facial authentication product, the Rock. Mobile enrollment lets new employees and visitors register securely from their own phones and tablets, and an opt-in consent flow on those devices lets Alcatraz's enterprise customers tell end users how their personal data will be used and managed, which they can accept or decline. The enhancements are meant to cut the cost and complexity of enrollment while supporting compliance with privacy laws such as the EU's General Data Protection Regulation (GDPR), the Illinois Biometric Information Privacy Act (BIPA), and the CCPA.
READ THE STORY: CSO
What is Traffic Light Protocol? Here's how it supports CISOs in sharing threat data
FROM THE MEDIA: The Traffic Light Protocol (TLP) is a way to mark threat information by sensitivity and decide how it may be shared without aiding adversaries or breaching data-privacy rules. Its color-coded labels state who may receive the data: TLP:RED is for the named recipients only and may not be shared further; TLP:AMBER may be shared within the recipient's organization and with its clients on a need-to-know basis (TLP:AMBER+STRICT restricts it to the organization alone); TLP:GREEN may be shared with peers and partners in the community but not over public channels; TLP:CLEAR carries no restrictions. TLP 2.0 sharpened the wording of the standard, added the AMBER+STRICT qualifier and a colors table, and renamed TLP:WHITE to TLP:CLEAR. TLP is a practice rather than a product, and IT managers should examine how threat data flows across their organization, including how it is communicated to suppliers and partners and along the software supply chain.
READ THE STORY: CSO
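As an added example (not code from the article or from FIRST, which publishes the TLP standard), here is a small Python sharing gate for TLP-labelled reports that encodes the TLP 2.0 rules above, maps the legacy TLP:WHITE marking to TLP:CLEAR, and fails closed when a report is unlabelled or carries mixed labels. The recipient model, report format and sample messages are assumptions made for the illustration.

```python
"""Sharing gate for TLP-labelled reports using TLP 2.0 semantics.
Added illustrative code, not from the article or from FIRST; the Recipient
model, report format and sample messages are assumptions for the example."""
import re
from dataclasses import dataclass

# TLP 2.0 labels from least to most restrictive; WHITE is the TLP 1.0 name for CLEAR.
LEVELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")
LEGACY = {"WHITE": "CLEAR"}
# AMBER+STRICT must precede AMBER in the alternation or the qualifier is lost.
LABEL_RE = re.compile(r"TLP:\s*(CLEAR|WHITE|GREEN|AMBER\+STRICT|AMBER|RED)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Recipient:
    """Who we want to forward a report to, relative to the organization that received it."""
    name: str
    same_org: bool = False             # inside the receiving organization
    client_need_to_know: bool = False  # a client of that organization with a need to know
    in_community: bool = False         # peer or partner organization in the sharing community
    original_recipient: bool = False   # was named on the original distribution


def normalize(label: str) -> str:
    """Upper-case the label and map legacy TLP:WHITE to TLP:CLEAR."""
    label = label.upper()
    return LEGACY.get(label, label)


def extract_label(text: str) -> str:
    """Return the effective TLP label of a report. If several labels appear (for
    example a TLP:GREEN summary quoting a TLP:RED paragraph) the most restrictive
    wins; a report with no marking at all is treated as RED, i.e. fail closed."""
    found = [normalize(m.group(1)) for m in LABEL_RE.finditer(text)]
    if not found:
        return "RED"
    return max(found, key=LEVELS.index)


def may_share(label: str, r: Recipient) -> bool:
    """TLP 2.0 disclosure rules. The checks are monotone: anyone allowed under a
    stricter label is also allowed under a looser one."""
    label = normalize(label)
    if label == "CLEAR":
        return True                                            # no restriction
    if label == "GREEN":
        return r.same_org or r.client_need_to_know or r.in_community   # community, never public
    if label == "AMBER":
        return r.same_org or r.client_need_to_know             # org plus need-to-know clients
    if label == "AMBER+STRICT":
        return r.same_org                                      # org only
    if label == "RED":
        return r.original_recipient                            # named recipients only
    raise ValueError(f"unknown TLP label {label!r}")


def forward_list(report: str, candidates) -> list:
    """Names of the candidates this report may be forwarded to."""
    label = extract_label(report)
    return [c.name for c in candidates if may_share(label, c)]


# Constructed sample reports and recipients (not real advisories or people).
REPORTS = {
    "legacy": "TLP:WHITE  Indicator list for public distribution.",
    "amber_strict": "TLP:AMBER+STRICT Internal only: affected asset inventory.",
    "mixed": "TLP:GREEN summary of the campaign.\n> quoted: TLP:RED victim identity follows",
    "unlabelled": "No marking at all on this one.",
}
TEAM = [
    Recipient("soc-analyst", same_org=True, original_recipient=True),
    Recipient("msp-client", client_need_to_know=True),
    Recipient("isac-peer", in_community=True),
    Recipient("journalist"),
]

if __name__ == "__main__":
    for name, text in REPORTS.items():
        print(name, extract_label(text), forward_list(text, TEAM))
```

Two design choices carry the security weight: an unlabelled report is treated as RED rather than CLEAR, and when a message contains several markings the strictest one governs the whole message, which is what stops a quoted TLP:RED paragraph from leaving the organization under a TLP:GREEN cover note.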
Items of interest
Biden presses on as Putin suspends New START
FROM THE MEDIA: President Joe Biden marked the one-year anniversary of the war in Ukraine with a speech in Warsaw, Poland. Biden spoke of supporting Ukraine and promised more sanctions, accountability, and justice for war crimes. He addressed the Russian people directly, assuring them that the U.S. does not seek to control or attack Russia. Putin also addressed the conflict, suspending Russia's participation in the New START Treaty, which limits the two countries' deployed strategic nuclear warheads. He said Russia should stand ready to resume nuclear weapons tests if the US does so. Meanwhile, the Supreme Court heard arguments in Gonzalez v. Google, the major case challenging the Section 230 protections tech companies enjoy for content hosted on their platforms.
READ THE STORY: Politico
Russia's electronic warfare capability | C4ISRNET Conference highlight
FROM THE MEDIA: Todd Tremper notes that the electronic warfare (EW) picture in Ukraine differs from what recent examples of Russian EW capability had led observers to expect. He suggests that in the more peer-on-peer fighting in Ukraine there is less dependence on the electromagnetic spectrum (EMS) than anticipated, and that a great deal is still being learned about the state of Russian EW and the Russian hierarchy behind it.
Hijack FM Radio Stations with a Raspberry Pi (Video)
FROM THE MEDIA: The article describes the steps to hijack an FM radio frequency with a Raspberry Pi: setting up the Pi with Kali Linux, installing the required software, and broadcasting on an FM channel. An accompanying video tutorial demonstrates the procedure and warns viewers to take precautions against interfering with other signals and to use the Pi with caution. Transmitting on the FM broadcast band without a license is illegal in most jurisdictions, so any experimentation belongs on a bench with a dummy load rather than an antenna.
These open-source items are reviewed by analysts at InfoDom Securities to provide context on current media coverage of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to help readers frame key publicly discussed threats and maintain situational awareness. InfoDom Securities does not endorse any third-party claims made in the original material or related links; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.