Tuesday, February 28, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
How a fleet of private satellites can help secure the US military’s future
Analyst Comments: A civil reserve fleet could expand the capabilities that the US military can draw upon in times of crisis, as demonstrated by the use of commercial satellites in the war in Ukraine. The US government and corporations should work together to create common software and hardware standards that allow communication between government and commercial satellites, assign specific roles to participating commercial satellites in the event of a crisis, and conduct military exercises using commercial satellites to improve the efficiency of the system and demonstrate its capabilities to adversaries.
FROM THE MEDIA: The US Space Force is exploring the creation of a civilian reserve satellite fleet, the Commercial Augmentation Space Reserve (CASR), which would be used to support the military in emergencies. The military relies heavily on satellites for communication, precision-guided munitions, and spy activities, making it vulnerable to anti-satellite weapons from countries like China and Russia. By enlisting a commercial satellite constellation numbering in the tens of thousands, CASR could reduce the impact of hostile action against US satellite networks and dissuade adversaries from attacking. The US military has purchased hundreds of small, low-Earth orbit satellites to increase its space resiliency and mitigate the threat from anti-satellite weapons. In addition to increasing resiliency, a civil reserve satellite fleet could also expand the capabilities that the US military can draw upon in times of crisis. To incentivize private sector participation, the government should offer a preferential contract award system and fixed payment structures for the services provided, and indemnify companies for financial losses sustained as a result of participation.
READ THE STORY: Atlantic Council
Former US National Security Agency chief Michael Rogers warns WA mining industry’s cybersecurity at risk
Analyst Comments: China's dominance as a supplier of rare earth materials has raised concerns among several countries, particularly as it has previously used this control as a political lever. The United States and other nations have grown increasingly anxious about their reliance on China for rare earth materials, prompting efforts to establish alternative sources of supply.
FROM THE MEDIA: Former US National Security Agency chief Michael Rogers has warned that China poses a "significant" cybersecurity threat to Western Australia's mining industry. Admiral Rogers pointed out that the espionage activity directed against Australia had surged as it took on a broader regional and global role. He highlighted that mining was a Chinese target and that China would be interested in understanding the dynamics in the industry, how it views China, and its long-term economic strategy. He also noted that as WA's biggest trading partner, China could also be interested in the State's political processes. Rogers emphasized that cybersecurity should be a concern, and nations must figure out the best way to deal with the issue.
READ THE STORY: The West Australian
US Warns of Massive Chinese Cyberattacks in Taiwan Scenario
Analyst Comments: Easterly's warning also suggests that China may be willing to use cyberattacks as a means of undermining the unity of the United States and its allies, even if it does not actually want to take military action against Taiwan. This highlights the need for the United States and its allies to improve their cybersecurity defenses and to be prepared for potential cyberattacks in the event of a conflict in the Taiwan Strait.
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency Director Jen Easterly has warned that a Chinese invasion of Taiwan would likely be accompanied by massive cyberattacks against the West and the US, aimed at creating "panic and chaos" in cyberspace. Easterly said that such an invasion could be coupled with attacks on critical infrastructure, including gas pipelines, water systems, telecommunication systems, and transportation nodes. US intelligence agencies and military officials have warned that China is actively preparing plans to take Taiwan by force by 2027. Despite this, Director of National Intelligence Avril Haines recently said there is no indication that China wants to put those plans into action. Easterly warned that China's potential preference for aggression and its likely willingness to lash out in cyberspace comes as China's leadership increasingly takes a dim view of Russia's "endless missteps" in Ukraine.
READ THE STORY: VOA
The government cannot win at cyber warfare without the private sector
Analyst Comments: Proposed legislation, such as the Office of Critical Technologies and Security proposed by Sens. Marco Rubio and Mark Warner, aims to coordinate efforts between government agencies and develop a long-term, whole-of-government strategy to protect against state-sponsored technology theft and risks to critical supply chains. This legislation recognizes the need for a public-private partnership and a coordinated effort to address the threats posed by cyber-attacks from digital dictatorships.
FROM THE MEDIA: The threat of cyber attacks from digital dictatorships such as China and Russia cannot be overstated, according to an op-ed in The Hill. While the Biden administration has made cyber attacks a major diplomatic front, government agencies are not properly equipped to deal with the threat. The op-ed recommends a program of deepening public-private collaboration between the Defense Department and the defense industry to stop these hacks. Additionally, federal procurement officers should consider outsourcing more of the public sector’s responsibilities to private-sector companies. Senators Marco Rubio and Mark Warner have proposed legislation to create a government office to coordinate efforts to protect against state-sponsored technology theft and risks to critical supply chains.
READ THE STORY: The Hill
More trouble from an APT with Colombia and Ecuador on its mind
Analyst Comments: Blind Eagle — classified as an advanced persistent threat (APT) group — has been operating since at least 2018, researchers say. Several cybersecurity companies have said the hackers operate from within South America, though there is no consensus on a specific country.
FROM THE MEDIA: The Blind Eagle or APT-C-36 hacking group has been found to be using phishing techniques to steal information from government agencies and financial institutions in Colombia and Ecuador, according to BlackBerry’s Research & Intelligence Team. The group recently used an email claiming to be from Colombia’s Directorate of National Taxes and Customs to target industries including health, finance, law enforcement, and immigration. Researchers suggest the group, which has been operating since at least 2018, is likely to be from South America.
READ THE STORY: The Record
Tech manufacturers are leaving the door open for Chinese hacking, Easterly warns
Analyst Comments: Easterly argues that companies should take ownership of customer security outcomes, embrace transparency, and build products with cybersecurity in mind from the beginning. This is particularly important because cyberattacks could have devastating effects on critical infrastructure, including power, water, transportation, and healthcare. The Biden administration is expected to unveil a National Cybersecurity Strategy with initiatives to improve cybersecurity protections across the country and to address private sector collaboration with the government.
FROM THE MEDIA: Jen Easterly has warned of the dangerous consequences if technology manufacturers do not improve the security of their products. Easterly criticized the industry for rushing products to market and accepting defective products that would be unacceptable in other critical fields. According to Easterly, the lack of security and the defects in technology products are a significant vulnerability for the country, and the burden of cybersecurity has been placed on those who can do little against seasoned cybercriminals and nation-states. Easterly proposed that technology manufacturers should take ownership of customer security outcomes, build products with cybersecurity in mind from the beginning, and include in their basic pricing the types of features that secure a user's identity. She also called for universities to integrate more-secure languages into the classroom, rather than unsafe coding languages.
READ THE STORY: The Record
Researchers Share New Insights Into RIG Exploit Kit Malware's Operations
FROM THE MEDIA: According to a report from Swiss cybersecurity company PRODAFT, the RIG exploit kit (EK) achieved an all-time high successful exploitation rate of almost 30% in 2022. RIG EK has been active since 2014, with a service model that enables threat actors to pay the RIG EK administrator to install malware of their choice on victim machines. The kit's operators primarily employ malvertising to ensure a high infection rate and large-scale coverage: visitors using a vulnerable browser version who land on an actor-controlled web page or a compromised-but-legitimate website are redirected by malicious JavaScript code to a proxy server, which communicates with an exploit server to deliver the appropriate browser exploit. Since 2014, RIG EK has been observed delivering a wide range of financial trojans, stealers, and ransomware such as AZORult, CryptoBit, Dridex, Raccoon Stealer, and WastedLoader. Recent RIG EK campaigns have targeted a memory corruption vulnerability impacting Internet Explorer (CVE-2021-26411) to deploy RedLine Stealer. Furthermore, the exploit kit is said to have attracted traffic from 207 countries, reporting a 22% success rate over the past two months alone.
READ THE STORY: THN
Russian hacktivists DDoS hospitals, with pathetic results
FROM THE MEDIA: A group of hackers called Anonymous Sudan claimed responsibility for a series of distributed denial-of-service (DDoS) attacks on Sunday that briefly shut down the websites of nine Danish hospitals. The group, which claims to be based in Sudan but is thought to have links to pro-Russia DDoS gang Killnet, said the attack was in retaliation for the burning of a copy of the Quran by a Swedish-Danish far-right politician earlier this year. Last month, Anonymous Sudan took credit for DDoS attacks against the websites of the German foreign intelligence service and the Cabinet of Germany, also in support of Killnet.
READ THE STORY: The Register
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults
FROM THE MEDIA: Password manager LastPass has disclosed that its December 2022 data breach resulted from a second attack launched by the same threat actor. The firm said the latest attack was part of a sustained campaign running between August 12 and October 26 last year, in which an employee's home computer was breached and infected with a keylogger. This was used to steal sensitive data from the company's Amazon AWS cloud storage servers. LastPass said the attacker used information from the first incident and a third-party data breach, plus a vulnerability in a third-party media software package, to launch the attack. In the December breach, the attacker gained access to a backup of customer vault data, protected by 256-bit AES encryption.
READ THE STORY: THN
Danish hospitals hit by a cyberattack from ‘Anonymous Sudan’
FROM THE MEDIA: On Sunday evening, nine hospitals in Denmark experienced DDoS attacks that resulted in their websites being taken offline by a group identifying itself as Anonymous Sudan. Copenhagen's health authority confirmed the outages but stated that medical care at the hospitals was not impacted. Anonymous Sudan claims that the attacks were carried out in response to Quran burnings, a reference to the burning of the holy book by Swedish-Danish far-right politician Rasmus Paludan. The group is not an authentic part of the Anonymous movement and, according to a report by Swedish cybersecurity firm Truesec, it was most likely created as part of a Russian information operation to harm Sweden's NATO application. Truesec also noted that Anonymous Sudan's DDoS traffic was not generated by an illegal botnet but by a cluster of 61 paid servers hosted at IBM/Softlayer in Germany, which were taken down following the report. While the use of paid infrastructure suggests the group receives financing, it does not prove the attacks are government-sponsored.
READ THE STORY: The Record
The Ethics of Crypto Fundraising in Conflict Zones
FROM THE MEDIA: The use of cryptocurrency for fundraising in conflict zones raises ethical questions and concerns about the potential for illicit activities, particularly in the context of the Ukraine-Russia conflict. Increased regulation and oversight of the crypto industry are needed to prevent such activities and promote the ethical use of blockchain technology. The development of ethical standards and best practices is a shared responsibility that requires collaboration and cooperation from all parties. Alternative fundraising models that prioritize transparency and accountability will need to be developed to mitigate the risks associated with crypto fundraising. Finally, the need for greater collaboration between the crypto industry, regulators, and law enforcement is clear, as is the need for continued investment in ethical standards and practices.
READ THE STORY: IN
From war crimes to spies and cyberattacks: Ukraine’s domestic spy chief on fighting Russia across all fronts
FROM THE MEDIA: Ukraine's domestic spy chief, Maj Gen Vasyl Malyuk, has said that Russia's aggression against Ukraine extends beyond the battlefield to include cyberattacks, human rights violations, and war crimes. He claimed that the Security Services of Ukraine (SBU) has launched more than 64,000 criminal proceedings against Moscow’s forces, including 24,600 based on violations of the laws and customs of war. Maj Gen Malyuk also revealed that the SBU has uncovered or detained 360 enemy agents and is successfully countering an average of more than 10 cyberattacks daily. The SBU cybersecurity agency has reported that the number of recorded cyber incidents has tripled in 2022 compared to the previous year.
READ THE STORY: Independent
Weak Oversight of Foreign Farmland Deals Sparks Concern Amid China Purchases
FROM THE MEDIA: A group of lawmakers criticized the US Agriculture Department for lack of oversight over foreign purchases of US farmland, an issue that has gained attention due to concerns over Chinese acquisitions. In a letter addressed to Agriculture Secretary Thomas Vilsack, the lawmakers expressed concern over the department’s decision not to assess any penalties between 2015 and 2018 for lapses in reporting foreigners’ purchases of US farmland. The lawmakers argued that more oversight was needed to protect local farmers, rural communities, and national security as the foreign acquisition of farmland increased. The Agriculture Department has previously cited limited staffing and other priorities as reasons for not assessing penalties.
READ THE STORY: WSJ
CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability
FROM THE MEDIA: The addition of the ZK Framework vulnerability to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is significant because evidence of active exploitation has been found. The high-severity flaw (CVE-2022-36537) could allow cybercriminals to retrieve sensitive information via specially crafted requests. The vulnerability was patched in May 2022, but it has since been exploited en masse. The Huntress and Numen Cyber Labs teams have both published proof-of-concept exploits, and NCC Group's Fox-IT research team recently found evidence of initial access and deployment of a web shell backdoor on 286 servers. The majority of the infections are in the U.S., South Korea, the U.K., Canada, Spain, Colombia, Malaysia, Italy, India, and Panama.
READ THE STORY: THN
Experts Spot Half a Million Novel Malware Variants in 2022
FROM THE MEDIA: According to SonicWall's Cyber Threat Report, global malware detections have increased by 2% YoY to reach 5.5 billion in 2022. The report also highlights a 5% increase in never-before-seen malware variants, a 43% increase in crypto-jacking malware to reach 139 million "low-and-slow" attacks, and an 87% increase in IoT malware to hit 112 million. While there was a 21% decline in ransomware volumes, the education, finance, and healthcare sectors witnessed large increases in ransomware attacks. Intrusion attempts reached a staggering 6.3 trillion globally, and Log4j remained a persistent challenge for network defenders, with over one billion intrusion attempts using the Log4Shell exploit recorded in 2022.
READ THE STORY: InfoSecMag
Russia will prove a more formidable spoiler than Iran
FROM THE MEDIA: The ongoing conflict between Russia and Ukraine is expected to escalate, as Putin becomes increasingly frustrated with the lack of progress in his efforts to conquer Ukraine. Putin is expected to turn to asymmetric warfare, such as cyberattacks, proxy wars, and disinformation campaigns, to weaken NATO unity rather than rely on military and economic power that Moscow no longer has. In the coming months, Russia is predicted to become a global version of Iran, using espionage, support for terrorism, and other means to advance its aims and aggravate its enemies. Putin's nuclear threats are also expected to become more explicit, although they are intended to persuade voters in Europe and America that their governments' military and financial support for Ukraine is becoming too risky, rather than actually using these weapons. Western policymakers will be occupied with Russia's ongoing threats to global security, Western political systems, the cybersphere, food security, and millions of Ukrainian civilians for as long as Putin remains in power.
READ THE STORY: Nikkei Asia
New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware
FROM THE MEDIA: Security researchers at CYFIRMA have discovered a new post-exploitation framework called Exfiltrator-22, which allows hackers to spread ransomware in corporate networks without detection. The framework is believed to have been developed by former LockBit 3.0 affiliates who are experts in anti-analysis and defense evasion. The Exfiltrator-22 features include establishing a reverse shell with elevated privileges, capturing a screenshot from the victim’s computer, extracting authentication tokens from the breached system, and activating a ransomware module to encrypt files on the infected device. The framework is being offered for a subscription fee that ranges between $1,000 per month and $5,000 for lifetime access.
READ THE STORY: Bleeping Computer
Ransomware attack on US Marshals Service affects ‘law enforcement sensitive information’
FROM THE MEDIA: The US Marshals Service has suffered a ransomware attack that compromised a computer system containing "law enforcement sensitive information", including personal data belonging to those under investigation. The system also contained administrative information and personally identifiable information on USMS employees and third parties. The hack occurred on 17 February, with the Department of Justice subsequently launching an investigation. Drew Wade, a USMS spokesperson, said that the service had "disconnected the affected system". It marks the second significant cyber attack to affect US law enforcement in February, with the FBI also recently having to contain malicious activity on its network.
READ THE STORY: CNN
ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks
FROM THE MEDIA: A new malware campaign named ChromeLoader has been discovered that is being distributed via virtual hard disk (VHD) files, which marks a departure from the ISO optical disc image format. ChromeLoader initially emerged as a browser-hijacking credential stealer but has since evolved into a multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs. The malware's primary objective is to compromise web browsers, modify browser settings to intercept and direct traffic to dubious advertising websites, and carry out click fraud. The malware has gone through many changes over the past few months, and the shift to VHD files indicates that users looking for pirated software and video game cheats are the main targets, leading to the download of VHD files from fraudulent websites appearing on search results pages. To mitigate such risks, users are advised to refrain from following suspicious links and download software only from official sources.
READ THE STORY: THN
The Resurgence of Infostealers
FROM THE MEDIA: Infostealer malware, which infects a computer or mobile device to capture sensitive information and send it back to the botnet's command and control servers, is resurging. The malware is able to steal stored credentials, autofill data, and cookies, and even capture screenshots of a user's desktop. The recent success of infostealers is attributed to advancements in technology and threat actor capabilities, as well as the emergence of malware as a service and the ability of infostealers to impersonate legitimate software. Despite the use of antivirus software and other security measures, infostealers can still slip through, which is why Constella Intelligence offers a solution to monitor clients' data for exposure and quickly alert them of any incidents.
READ THE STORY: Security Boulevard
All CVEs Are Not Created Equal
FROM THE MEDIA: The number of disclosed vulnerabilities, as tracked by Common Vulnerabilities and Exposures (CVEs), has been increasing at an alarming rate, with over 23,000 disclosed vulnerabilities in 2022 alone, a 2,200% increase in 22 years. Coalition anticipates over 1,900 new CVEs per month in 2023, with varying degrees of exploitability and difficulty in creating exploits. The healthcare and real estate sectors, although having more security vulnerabilities or issues detected per asset or technology services, tend to be targeted with less harmful CVEs. Consumer services and technology have the highest average severity of the industries analyzed, with the consumer services sector having an average CVE criticality of 9.36 out of 10 and technology having an average of 9.29 out of 10. Organizations in different industries need to prioritize vulnerabilities differently and allocate technology defenses and human resources accordingly.
READ THE STORY: DARKReading
How the Ukraine War Opened a Fault Line in Cybercrime, Possibly Forever
FROM THE MEDIA: The Russian invasion of Ukraine has had significant impacts on the cybercrime landscape. Cybercriminals have been physically moving, with some Ukrainian threat actors fleeing the country to avoid conscription, while a "brain drain" in Russia has seen IT and cybersecurity professionals leave the country. The authors of the report suggest this has led to decentralization and a decrease in the overall volume of activities in the region. The conflict has also caused fractures within the cybercrime underground, with Russian cybercriminals historically having worked with those in Ukraine, but now split over political differences. Additionally, the seizure of the world's No. 1 cybercrime forum, Hydra, and the shifting of Russian-language dark web marketplaces have further compounded the situation. The authors speculate that the epicenter of cybercrime may shift to English-speaking dark web forums, shops, and marketplaces over the next year.
READ THE STORY: DARKReading
Items of interest
Social engineering with generative AI
FROM THE MEDIA: Researchers from Safeguard Cyber have discovered a social engineering campaign on LinkedIn that used the DALL-E generative AI model to create images for fake ads. The ads offered a link to a whitepaper that promised to provide “next-level insights and strategies” to sales teams and requested users to enter their personal information to receive the whitepaper. The information collected could be used for targeted phishing attacks, and the campaign is a reminder of new social engineering dangers when coupled with generative AI. The researchers warned that threat actors could easily iterate on messaging, creative, and audience targeting to achieve more refined and targeted phishing ads.
READ THE STORY: The Cyberwire
Rare earth’s crunch? Why we need them and who has them | Business Beyond (Video)
FROM THE MEDIA: Rare earths play a crucial role in the development of clean energy technology, making them essential in the fight against climate change. As the demand for these materials grows, concerns have arisen about their sourcing and potential future scarcity. Without steps to address these concerns, there may not be enough rare earths to meet demand in the future. Additionally, restrictions on exporting rare earths can be used as a political tool to harm geopolitical rivals. Despite efforts to mine rare earths in an environmentally friendly way, market incentives may not be aligned with sustainability.
Extracting Firmware from Linux Router using the U-Boot Bootloader and UART (Video)
FROM THE MEDIA: Our plan is to extract the firmware from an embedded Linux system using the U-Boot bootloader via UART. We have already found the UART port on the board and connected it to our computer using a UART-to-USB adapter. When we power on the system, we see the U-Boot output.
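One practical problem in a UART-based extraction is that the firmware arrives as a serial log of U-Boot `md.b` hex-dump lines, not as a file, and a terminal that drops a line silently corrupts the image. The following is an added example, not code from the video or from the U-Boot project: it reassembles the bytes from a captured log, pads and reports any address gaps so the affected range can be re-dumped, and checks for the legacy uImage magic (0x27051956) that U-Boot kernel images start with. The `md.b` line layout it parses (hex address, colon, space-separated bytes, then an ASCII column) is the standard U-Boot format; the log text, addresses and byte values are constructed for the example.

```python
import re
from typing import List, Tuple

# One line of U-Boot "md.b" output looks like:
#   9f020000: 27 05 19 56 ...    <ascii column>
# The ASCII column is ignored: it is lossy and cannot be parsed back safely.
MD_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{1,16}):((?: [0-9A-Fa-f]{2}){1,16})(?:\s{2,}.*)?$"
)

# Legacy U-Boot image header magic (IH_MAGIC), big-endian 0x27051956.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"

# Constructed serial capture: banner, the echoed command, three dump lines,
# and a deliberately missing line at 0x9f020020 to simulate a dropped line.
SAMPLE_LOG = """\
U-Boot 2018.03 (constructed sample, not real board output)
=> md.b 0x9f020000 0x40
9f020000: 27 05 19 56 6a 0a 13 43 63 f1 2b 00 00 12 34 56    '..Vj..Cc.+...4V
9f020010: 80 06 00 00 80 06 00 00 9e 7c 41 0d 05 05 02 03    .........|A.....
9f020030: 4c 69 6e 75 78 2d 34 2e 34 2e 31 39 38 00 00 00    Linux-4.4.198...
=>
"""


def parse_md_dump(log_text: str) -> Tuple[bytearray, List[Tuple[int, int]]]:
    """Reassemble an image from a captured 'md.b' serial log.

    Returns (image, gaps). `image` holds the bytes in address order. `gaps`
    lists (expected_addr, actual_addr) pairs where the dump jumped ahead,
    which usually means the terminal dropped lines; the gap is padded with
    0xFF (what erased flash reads as) so later offsets stay correct, and the
    range must be re-dumped before the image is trusted. Lines that go
    backwards (a range re-dumped for verification) are skipped.
    """
    image = bytearray()
    gaps: List[Tuple[int, int]] = []
    expected = None  # address the next line should start at
    for raw in log_text.splitlines():
        m = MD_LINE.match(raw)
        if not m:
            continue  # banner text, echoed prompt, blank lines
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if expected is not None and addr < expected:
            continue  # overlapping re-dump of an already captured range
        if expected is not None and addr > expected:
            gaps.append((expected, addr))
            image.extend(b"\xff" * (addr - expected))
        image.extend(chunk)
        expected = addr + len(chunk)
    return image, gaps


def is_uimage(image: bytes) -> bool:
    """True if the image starts with a legacy U-Boot image header."""
    return image[:4] == UIMAGE_MAGIC


if __name__ == "__main__":
    img, missing = parse_md_dump(SAMPLE_LOG)
    print(f"reassembled {len(img)} bytes, uImage header: {is_uimage(img)}")
    for start, end in missing:
        print(f"gap: re-dump {end - start:#x} bytes at {start:#010x}")
```

In a real session the log would come from the terminal emulator's capture file rather than an inline string; the gap report tells you exactly which `md.b` range to request again, and a clean image (no gaps, magic present) can then be handed to a firmware unpacker.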
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.