Thursday, February 23, 2023 // (IG): BB // BSidesCharm// Coffee for Bob
Cyberattack on food giant Dole temporarily shuts down North American production, company memo says
Analyst Comments: Other high-profile hacks against the food and agriculture sector in the last two years have threatened supply chains and pushed distributors to strengthen their cybersecurity. A May 2021 ransomware attack by alleged Russian-speaking hackers forced JBS, the world's largest meat supplier, to temporarily close plants in the US, Canada, and Australia. JBS said it paid the hackers $11 million to unlock its systems.
FROM THE MEDIA: Produce company Dole was hit by a cyberattack that led to the temporary shutdown of production plants in North America and halted food shipments to grocery stores. The hack, which a source familiar with the matter said was ransomware, caused some grocery shoppers to complain on social media about missing Dole-made salad kits. After learning of the incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts to remediate the issue and secure systems. The impact on Dole operations was limited, according to the company, but two grocery stores in Texas and New Mexico were unable to stock Dole salad kits for days.
READ THE STORY: CNN
Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack
Analyst Comments: This incident highlights a gap in existing federal privacy laws, as school districts are not required to notify the public when students’ personal information, including medical records, is exposed. This lack of transparency places students and their families at heightened risk of harm, as they may not be aware that their sensitive information is readily available online.
FROM THE MEDIA: An investigation by The 74 has revealed that sensitive mental health records of hundreds, and possibly thousands, of former students of the Los Angeles Unified School District were published online after the district was hit by a large ransomware attack. The student psychological evaluations were posted on a dark web leak site by the Russian-speaking ransomware gang Vice Society. The records include highly personal information about students who received special education services, including detailed medical histories, academic performance, and disciplinary records. Tens of thousands of other files, including scanned Social Security cards, passports, financial records, and personnel files, were also leaked. The district has not alerted those whose information was exposed, and experts note that federal privacy law does not require school districts to notify the public when students' personal information, including medical records, is exposed.
READ THE STORY: The 74
The Energy Department’s Puesh Kumar on grid hacking, Ukraine, and Pipedream malware
Analyst Comments: The energy sector is a critical infrastructure sector that provides essential services to society and plays a vital role in the functioning of the economy. As a result, it is a high-priority target for cybercriminals who seek to disrupt, damage or steal sensitive information from energy companies or utilities. Cyberattacks on the energy sector can have far-reaching and severe consequences, including power outages, economic disruption, and even threats to public safety.
FROM THE MEDIA: Puesh Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the US Department of Energy (DOE), discussed how the agency is working to protect the energy sector from cyberattacks. CESER was established in 2018 to focus on threats to the sector, including physical and digital security risks as well as climate-driven threats. It has partnered with the National Association of Regulatory Utility Commissioners to develop cyber baselines for distribution systems and distributed energy resources so that cybersecurity is built into those systems from the start. DOE is also working to keep R&D abreast of evolving threats and to build secure pathways for new technologies as they emerge. The agency is running a pilot called the Energy Threat Analysis Center, which brings industry and government together to develop responses to cyber threats, including supply-chain risk. Kumar also discussed the Pipedream ICS malware, on which DOE worked with DHS, NSA, and FBI to co-author a public alert.
READ THE STORY: Cyberscoop
Venture capital financing of cyber companies slid to $18.5 billion in 2022
Analyst Comments: The decline in venture capital investment in cybersecurity firms in the second half of 2022 suggests investors grew cautious in a volatile economy. This could slow the growth of cybersecurity startups and the industry as a whole.
FROM THE MEDIA: According to data collected by Momentum Cyber, venture capital investments in cybersecurity firms decreased significantly in the second half of 2022, reaching $18.5 billion for the whole year, representing a decline from the $30.3 billion seen in 2021. This decline tracks with the overall economics for publicly traded cybersecurity companies, as almost all of them saw their valuations decrease in 2022 compared to 2021. However, while VC financing slowed in the second half of the year, the need for cybersecurity products and services hasn’t decreased, according to Momentum Cyber executive chairman Dave DeWalt. In addition to VC financing, last year saw some of the biggest mergers and acquisitions deals ever in the industry, totaling $119.8 billion, up from $80.9 billion in 2021.
READ THE STORY: The Record
No, ChatGPT hasn't won a security bug contest … yet
Analyst Comments: Softing edgeAggregator (listed in the contest as Softing edgeAggregator Siemens) is an OT/IT gateway used in industrial automation: it connects plant equipment to IT systems over the OPC Unified Architecture (OPC UA) machine-to-machine protocol. A remote code execution bug at that boundary is exactly the kind of foothold that lets an attacker pivot from the IT side into control systems, which is why the target matters beyond the contest.
FROM THE MEDIA: The recent Pwn2Own exploit in which bug hunters used ChatGPT as a tool to help develop a remote code execution attack against Softing edgeAggregator Siemens could be a sign of things to come. ChatGPT did not find the vulnerability, nor did it write and run the code that exploited the flaw; its contribution was to help the researchers with code they were unfamiliar with and a defense they had not expected. The exploit shows that AI can help turn a vulnerability into a working exploit, provided the researcher knows how to ask the right questions and discard the wrong answers. Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, does not expect to see AI tools writing exploits on their own, but he does believe ChatGPT can supply the last piece of the puzzle needed for success.
READ THE STORY: The Register
Dutch intelligence: Many cyberattacks by Russia are not yet public knowledge
Analyst Comments: A joint report by the Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) highlights the extensive and ongoing cyberattacks and espionage conducted by Russia against Ukraine and NATO members. The report emphasizes the breadth of Russian targeting, which includes not only military and diplomatic agencies but also civilian organizations with no role in political decision-making.
FROM THE MEDIA: According to a joint report by two Dutch intelligence services, many of Russia's cyber operations against Ukraine and NATO members during the past year have not yet become public knowledge. The report gives two reasons why "many of these attempts have not yet become public knowledge": the pace of Russian cyber operations is fast, and the nature of many targeted institutions, such as military and diplomatic agencies, leads to secrecy about their vulnerabilities. The report covers the Russian state's cyberattacks on a range of institutions, physical sabotage of maritime infrastructure, and information operations. It warns that Ukraine's defense is "not guaranteed" and "can probably only be sustained as long as Western support remains as intensive and adaptive as the cyber operations of the Russian intelligence services." Dutch infrastructure in the North Sea, including internet cables, gas pipelines, and wind farms, was also identified as potentially vulnerable to sabotage.
READ THE STORY: The Record
‘Nevada Group’ hackers target thousands of computer networks
FROM THE MEDIA: A little-known hacking group has carried out one of the most extensive ransomware campaigns on record, paralyzing the computer networks of almost 5,000 victims across the US and Europe. The Nevada Group, as security researchers initially called it, began its attacks by exploiting an easily fixable vulnerability in a piece of code that is ubiquitous in cloud servers. Victims include universities in the US and Hungary, shipping and construction groups in Italy, and manufacturers in Germany. In some cases the group demanded ransoms as small as two bitcoins (about $50,000). Because the attackers left their ransom notes publicly visible, researchers were able to track 4,468 likely victims, with France, the US, the UK, and Germany accounting for the vast majority. The campaign is typical of much of the ransomware that threatens businesses worldwide: most attacks are technically simple, yield small sums, and often go unnoticed.
READ THE STORY: FT
Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia
Analyst Comments: The notable point is the absence of custom malware. Every tool named in the report is publicly available, so detection has to rest on behavior rather than file signatures: unexpected tunnelling and proxy binaries (Fast Reverse Proxy, Gost) on endpoints, Cobalt Strike Beacon and Meterpreter command-and-control traffic, and internal port scanning with Fscan. The same reliance on public tooling also muddies attribution, which may be part of the intent.
FROM THE MEDIA: A new threat actor named Hydrochasma has been identified by Symantec, part of Broadcom Software, in a suspected espionage campaign that has been ongoing since October 2022. The group is thought to have targeted shipping companies and medical laboratories in Asia, with an interest in industry verticals involved in COVID-19 treatments or vaccines. The campaign does not involve bespoke malware: the actor relies on open-source and publicly available tools for intelligence gathering, which both frustrates attribution and makes the intrusions stealthier. The initial infection vector was most likely a phishing email, after which the attackers deployed tools including Fast Reverse Proxy, Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost, and the Gost proxy. Symantec did not observe data being exfiltrated, but several of the tools provide remote access and could be used to exfiltrate data.
READ THE STORY: THN
Hacked Russian radio stations broadcast false information about the missile attack
FROM THE MEDIA: Hackers broke into commercial radio stations in Russia and broadcast false air raid and missile strike alerts. The false alerts spread rapidly through social media, causing panic and confusion. The incident shows how an attack on broadcast infrastructure can directly affect public safety, raises questions about the motives and capabilities of those responsible, and underlines the need for better security around alerting systems. The fake alerts came just two days before the first anniversary of Russia's unprovoked invasion of Ukraine.
READ THE STORY: The Register // Egypt Independent
China's Zhurong rover may be dead: NASA images show no sign of life
FROM THE MEDIA: The China National Space Administration's Zhurong rover, launched in July 2020 as part of the Tianwen-1 mission, is not moving, according to images captured by NASA's Mars Reconnaissance Orbiter and released on Tuesday. Zhurong, the rover of China's first interplanetary mission, landed on Mars in May 2021 and was designed to study Martian geology. The latest images from the HiRISE camera show the rover has not moved since September 2022, and officials have remained silent on its state. Dust accumulation in Mars' arid climate may be preventing the solar panels from converting enough sunlight into energy for the rover to keep operating.
READ THE STORY: The Register
China cuts off two chatbots: a local effort that flopped, and ChatGPT
FROM THE MEDIA: The recent launch of MOSS, a university-developed ChatGPT-style language model in China, ended in a crash under overwhelming traffic. The MOSS team has since shut down public access, citing the need for upgrades to ensure a better user experience. MOSS still has a long way to go to match ChatGPT in sophistication and scale, and is reportedly more proficient in English than in Chinese. Chinese firms such as Tencent Holdings and Ant Group have reportedly been instructed not to integrate ChatGPT into their platforms because of Beijing's censorship policies. However, Alibaba, Tencent, NetEase, JD.com, and Baidu are all developing their own versions, with Baidu planning to release its conversational AI bot, Ernie, in March. Baidu says it aims to make the technology widely available to its customers, developers, and ecosystem partners to boost productivity across industries.
READ THE STORY: The Register
Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links
FROM THE MEDIA: The open source ecosystem has come under attack again: more than 15,000 spam packages flooded the npm registry to distribute phishing links. The packages were generated automatically, closely resembled one another, and linked to retail websites using referral IDs so the operators could profit from referral rewards. They were disguised as free resources, cheats, and followers for social media platforms. The phishing sites lured victims into filling out surveys that led to further surveys or to legitimate e-commerce portals. The packages were uploaded from multiple user accounts on February 20 and 21, 2023, using a Python script that automated the whole process; spreading the uploads across many accounts also helped conceal the scale of the campaign. The incident highlights both the persistence of attackers and the difficulty of securing the software supply chain.
READ THE STORY: THN
Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices
FROM THE MEDIA: Apple has disclosed three new vulnerabilities in its iOS, iPadOS, and macOS operating systems. The first flaw, CVE-2023-23520, is a race condition in the Crash Reporter component that could allow an attacker to read arbitrary files as root. The two other medium-to-high-severity vulnerabilities, CVE-2023-23530 and CVE-2023-23531, reside in the Foundation framework and could allow an app to execute arbitrary code out of its sandbox or with certain elevated privileges, leading to escalation of privileges and sandbox escape on both macOS and iOS. These vulnerabilities could also bypass Apple's mitigations that were put in place to address zero-click exploits. The vulnerabilities were patched in the latest releases of iOS, iPadOS, and macOS that were shipped on January 23, 2023.
READ THE STORY: THN
Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries
FROM THE MEDIA: Cybersecurity researchers have discovered 41 malicious "imposter packages" posing as popular libraries on the Python Package Index (PyPI). The packages, with names including httplat, httpssp, and urolib3, mimic legitimate modules such as http, aiohttp, requests, urllib, and urllib3. Their descriptions give no hint of malicious intent, but the packages contain downloaders that deliver second-stage malware or information stealers designed to exfiltrate sensitive data. The development is part of a growing trend of poisoning open-source repositories to push malware onto developer systems and carry out supply chain attacks.
READ THE STORY: THN
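The names quoted in the story (httplat, httpssp, urolib3) are one edit or one short suffix away from the real modules. The following is an added example for this digest, not code from the researchers or from PyPI, that flags such names against a list of popular packages. The popular-package list and the candidate names are constructed from the story; the distance and suffix thresholds are my own assumptions, not values from the research.

```python
"""Flag package names that look like typosquats of popular libraries.

Added example for this digest, not code from the researchers or from PyPI.
The popular-package list and candidate names come from the story; the
thresholds below are assumptions, not values from the research.
"""
import re

# Constructed list: the legitimate modules the story says were mimicked.
POPULAR_PACKAGES = ("http", "aiohttp", "requests", "urllib", "urllib3")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.'
    collapse to a single '-', so 'Requests' and 'urllib_3' compare sanely."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_match(candidate, popular=POPULAR_PACKAGES,
                    max_distance=2, max_suffix=3):
    """Return (popular_name, reason) if `candidate` looks like a squat of a
    popular package, or None if it is the real package or unrelated.

    Two heuristics (thresholds are assumptions):
      1. small edit distance        -> 'urolib3' vs 'urllib3'
      2. popular name + short tail  -> 'httplat' = 'http' + 'lat'
    """
    cand = normalize(candidate)
    pops = [normalize(p) for p in popular]
    if cand in pops:
        return None  # the genuine package, not a squat

    best = None
    for pop in pops:
        d = levenshtein(cand, pop)
        if d <= max_distance and (best is None or d < best[1]):
            best = (pop, d)
    if best:
        return (best[0], f"edit distance {best[1]}")

    for pop in pops:
        tail = len(cand) - len(pop)
        if len(pop) >= 4 and cand.startswith(pop) and 0 < tail <= max_suffix:
            return (pop, f"prefix of popular name plus {tail}-char suffix")
    return None


def scan(names, popular=POPULAR_PACKAGES):
    """Map each suspicious name in `names` to the package it imitates."""
    hits = {}
    for n in names:
        m = typosquat_match(n, popular)
        if m:
            hits[n] = m
    return hits


if __name__ == "__main__":
    # Constructed sample: the three names from the story plus two benign ones.
    sample = ["httplat", "httpssp", "urolib3", "Requests", "numpy"]
    for name, (target, why) in scan(sample).items():
        print(f"{name:10s} -> imitates {target} ({why})")
```

In practice you would run `scan` over the names in a lockfile or an install log and feed the popular list from your own allow-list rather than five hard-coded entries; the two heuristics are deliberately loose, so treat a hit as a prompt to inspect the package, not as proof.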
Virginia municipality discovers a dangerous backdoor
FROM THE MEDIA: A midsized county in Virginia engaged Assura to assess its cybersecurity posture. The assessment found that the county had no visibility into threat activity in its environment beyond anti-virus alerts, so Assura deployed its managed Security Information and Event Management (SIEM) service to monitor critical systems and data around the clock. Once the SIEM was collecting logs, Assura's analysts found a backdoor that gave an unknown party access to the county's network while bypassing its existing controls. Assura alerted the county, worked with its IT team to determine the root cause, closed the access, and then ran a threat hunt to confirm that no other persistent footholds remained. The case, published by the vendor, makes a simple point: a backdoor can sit unnoticed for as long as nobody is collecting and reviewing the logs that would reveal it.
READ THE STORY: Security Boulevard
Hackers Advertising New Info-Stealing Malware on Dark Web
FROM THE MEDIA: Security researchers from Sekoia have released details of a new information stealer called Stealc, which has surfaced on several underground hacking forums and dark web sites. Stealc is developed and advertised by a threat actor known as "Plymouth", who is offering the malware for free on some forums. It targets Windows devices and steals data from browsers, cryptocurrency wallets, messengers, and email clients. Once installed, Stealc runs anti-analysis checks to make sure it is not in a sandbox or virtual machine, then loads the Windows API functions it needs and connects to its command-and-control (C2) server, from which it receives commands. Stealc can target 75 plugins, 22 browsers, and 25 desktop wallets, and hides most of its strings with RC4 encryption followed by base64 encoding. Researchers have found more than 40 C2 servers and concluded that Stealc is gaining traction quickly. Users should keep security software up to date and avoid downloading and installing software from suspicious or unauthorized sources.
READ THE STORY: HACKRead
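The RC4-then-base64 string hiding the story describes is a common pattern and is cheap to undo once the key is recovered from the binary. The following is an added example for this digest, not Stealc's code or Sekoia's tooling: it implements RC4 from scratch, shows how a builder would obfuscate a string table, and how an analyst recovers it. The key, the sample strings and the table layout are constructed for illustration and are not taken from a real sample.

```python
"""Recover strings obfuscated with RC4 and then base64, the scheme the
story attributes to Stealc.

Added example for this digest, not Stealc's own code or Sekoia's tooling.
The key, sample string table and table layout are constructed here; for a
real sample the key has to be recovered from the binary first.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then the keystream (PRGA) XORed over
    `data`. The cipher is symmetric, so one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, text: str) -> str:
    """Builder side: RC4 the string, then base64 it for storage in the binary."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> str:
    """Analyst side: base64-decode, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def recover_strings(key: bytes, table):
    """Decode a whole string table, returning (index, plaintext) pairs."""
    return [(i, deobfuscate(key, blob)) for i, blob in enumerate(table)]


# Constructed sample (not from a real sample): a key and a few strings of the
# kind an infostealer would hide, encoded with the same key so this runs offline.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_STRINGS = ["\\Login Data", "wallet.dat", "Software\\Microsoft\\Windows"]
SAMPLE_TABLE = [obfuscate(SAMPLE_KEY, s) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for idx, s in recover_strings(SAMPLE_KEY, SAMPLE_TABLE):
        print(f"[{idx}] {s}")
```

When triaging a real sample, the key is usually a short literal passed to the decryption routine; once you have it, pointing `recover_strings` at every base64 blob referenced from that routine yields the C2 address, targeted file paths and browser names in one pass.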
The Hacker Mind Podcast: The Hacker Revolution Will Be Televised
FROM THE MEDIA: Jordan Wiens of Vector 35, maker of Binary Ninja, has played in ten DEF CON CTF finals and took part in DARPA's Cyber Grand Challenge. In an interview with Robert Vamosi, Wiens described how Vector 35 grew out of a history of capture-the-flag competitions, during which it built hackable video games and ran several CTFs. He also discussed the importance of reverse engineering, a foundational skill across several CTF categories, including the exploitation category (referred to in the interview as Opponent Bowler Exploitation, OBOE), where the goal is to find a flaw and write the exploit. Reverse engineering is equally necessary in the Attack and Defend or King of the Hill format, where participants attack other teams' servers while defending their own. Wiens also described Binary Ninja's position in the middle of the market: neither free like Ghidra nor as expensive as IDA Pro.
READ THE STORY: Security Boulevard
Activision Got Hacked but Didn't Tell Its Employees
FROM THE MEDIA: Gaming company Activision was hacked in December 2022 through a phishing campaign that targeted one of its employees, according to security researchers who have been investigating the breach. While the company claimed that no sensitive data had been accessed, researchers and gaming journalists have suggested that the attacker exfiltrated “sensitive workplace documents” and gained access to employee email addresses, phone numbers, and salary information. The hacker then abused an employee’s Slack account to try to phish other workers. Reports suggest that no official notification of the breach was sent to Activision’s employees, despite the incident occurring in December 2022.
READ THE STORY: Gizmodo
Google is turning its attention to improving a vital part of Android security
FROM THE MEDIA: Google has announced plans to improve the security of firmware running on Android devices by applying compiler-based mitigations in future versions of Android. Firmware is the low-level software that runs on a device's bare-metal processors and executes early when the device powers on. According to Google, firmware attacks are not as widespread as phishing or malicious applications, but when they succeed they can give malware deep persistence. Google is working with "ecosystem partners" to harden Android firmware with compiler-based sanitizers that catch memory-safety bugs during testing and block exploitation of memory corruption vulnerabilities in production builds. Firmware hardening is one of Google's top priorities for Android security, and the company plans to extend these mitigations to more "bare metal targets" in the future.
READ THE STORY: Ghacks
Threats from Russia, disinformation rises in Sweden
FROM THE MEDIA: The Swedish Security Service (Säpo) has stated in a report that the country's security is increasingly under threat, mainly from Russia, through a rise in disinformation campaigns and cyberattacks. Säpo also warned of a long-term and growing threat from China, and described Iran as a tangible security threat. The report notes that the threat to Sweden is becoming more complex as several authoritarian countries cooperate more closely than before. Sweden also faces an increased threat of attacks as conspiracy theories and anti-state messages spread widely online. The report finds that protection of security-sensitive activities across sectors is lacking, even though failures there could disclose information about the country's defense capabilities.
READ THE STORY: EURACTIV
House Democrats want a briefing on domestic terrorism at energy facilities, including malware
FROM THE MEDIA: Leading congressional Democrats have called for a briefing from the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security on the potential for domestic terrorists to use cyberattacks against energy infrastructure. The lawmakers cited concerns about recent physical attacks on energy infrastructure by neo-Nazi and racially motivated groups and the possibility that such groups could deploy malware. They asked for an understanding of evolving cybersecurity threats to the energy sector, such as the PIPEDREAM malware, and how domestic extremists might seek to exploit cyber vulnerabilities for ideological purposes.
READ THE STORY: The Record
Apple's Chinese contract manufacturer to develop AR device
FROM THE MEDIA: Apple's Chinese manufacturer Luxshare Precision Industry is reportedly taking over the development of Apple's long-awaited augmented reality (AR) device. The AR development team in Shanghai, which was previously owned by Taiwan's Pegatron, will be handled by Luxshare, with Taiwan-based Foxconn also helping with the project. Apple has also asked two of its biggest suppliers, Taiwan Semiconductor Manufacturing Co and Sony, to develop micro OLED displays for the device. The AR device is expected to be launched at this year's spring event, with a price tag of around $3,000. The company reportedly hopes to lower the price for the second generation of the device.
READ THE STORY: ET
China a threat in Space
FROM THE MEDIA: US Space Force General B. Chance Saltzman has warned that China is becoming a major threat to satellites and military operations in space. He cited the threat from anti-satellite missiles, ground-based directed energy weapons, and orbiting robot satellite interception capabilities. The Pentagon’s most recent annual report on the Chinese military states that the People’s Liberation Army continues to acquire and develop a range of space warfare systems, which are supported by expanding surveillance systems that can monitor objects in space and guide weapons to those targets. Despite the Biden administration’s arms control-centered approach, skeptics say China and Russia have shown little interest in holding talks with the United States on establishing norms of behavior in space. Instead, both nations have sought arms agreements that they expect will limit US space warfare capabilities as they pursue their own space weapons unimpeded.
READ THE STORY: The Washington Times
Russian Invasion Sparks Global Wiper Malware Surge
FROM THE MEDIA: According to cybersecurity firm Fortinet, the war in Ukraine has led to a spike in wiper malware being used outside the country, with a 53% increase in activity recorded in the fourth quarter of 2022. Wiper malware is now being more widely used by cybercriminal groups that offer Cybercrime-as-a-Service (CaaS). Additionally, Fortinet warns that threat actors are reusing old botnet and malware code, while ransomware continues to pose a major threat to organizations due to the "as-a-service" model used to streamline its use in attacks by affiliate groups. GandCrab, a RaaS malware introduced in 2018, was the top ransomware family in H2 2022, accounting for roughly 37% of all ransomware.
READ THE STORY: InfoSecMag
Russia-Ukraine War: Cybersecurity Lessons for Tech Pros
FROM THE MEDIA: Russia and Ukraine continue to engage in both physical and cyber warfare, with Russia's cyber capabilities expected to increase in 2023. Ukraine has seen a three-fold increase in attacks but has proven more cyber-resilient than anticipated, with assistance from Western governments and the private sector. Experts warn of potential collateral damage and encourage constant vigilance, cloud migration, and high-fidelity detections. Misinformation and disinformation campaigns are also a concern. The cyber aspect of the Russia-Ukraine war is likely to accelerate, with consequences for tech and cybersecurity pros.
READ THE STORY: DICE
Items of interest
Ukraine won the ‘geek war’ but it wasn’t enough on the front line
Analyst Comments: The Ukrainian army's ability to creatively use civilian technology and develop DIY solutions to adapt to the conflict proved effective in the early stages of the war. However, it also underscores the importance of heavy military equipment in more static phases of the conflict. The article also raises questions about the use of emerging technologies in warfare and the blurring of the line between combatants and civilians.
FROM THE MEDIA: When Russia invaded Ukraine in 2022, the Ukrainian army's ability to adapt commercially available technology helped them to counter the Russian advance. However, a year after the invasion, Ukraine is requesting Western tanks, ammunition, and fighter jets, highlighting the insufficiency of DIY weapons against Russia. While the use of drones and apps was effective during the initial phase of the conflict, when Russia hoped to swiftly subdue Ukraine, they proved less useful when the front line froze. However, Ukraine has continued to show ingenuity in building portable rocket launchers, installing them on civilian vehicles to improve firepower. The war has demonstrated that developing technologies do not need to be high-tech to be useful on the battlefield, and the line between combatants and civilians is now more blurred because of the use of cheap, easily available technology in war.
READ THE STORY: France 24
Pwning a mobile drilling rig / Hacking an oil rig (Video)
FROM THE MEDIA: The story is based on a real-life incident where a semi-submersible drilling rig was hacked. The rig was in a warm stack state, meaning it was still operational but not drilling at the time. However, this still presented some challenges for the hackers.
C2 over Maritime AIS and commercial aggregation (Video)
FROM THE MEDIA: Julian Blanco gives a talk on using a maritime automatic identification system (AIS) and commercial aggregation websites for command and control (C2) purposes. Blanco is a Coast Guard officer stationed at Coast Guard Cyber Command in Las Vegas, and the talk is not government-sponsored work and is solely his own.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.