Wednesday, March 01, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
The Satellite Hack Everyone Is Finally Talking About
Analyst Comments: The attack was a wake-up call for the commercial satellite industry, which has underinvested in security measures and essentially ignored what might happen if its systems were hacked on a grand scale. Viasat's network was found to have vulnerabilities, including a lack of authentication, which allowed attackers to overload the network with malicious traffic. It would take 35 days for Viasat to even begin to say publicly what it thought had happened, and 75 days for any country to point the finger officially at Russia. The attack on Viasat was widely considered a harbinger of attacks to come and highlighted the need for alternatives to satellite communications.
FROM THE MEDIA: Satellite internet is becoming increasingly important as more people rely on it, but the commercial satellite industry has underinvested in security measures, leaving systems vulnerable to hacking on a grand scale. The 2022 hack of Viasat Inc.’s 13,560-pound satellite, KA-SAT, demonstrated how a cyber attack could disrupt tens of thousands of internet connections in at least 13 countries, with the most critical being Ukraine. The attack left the Ukrainian military and intelligence services struggling to coordinate troop and drone movements in the hours after the invasion of Ukraine by Russian forces. The hack was a wake-up call, demonstrating the industry’s lack of investment in security measures, and the vulnerability of the machines and networks that run them. Despite the industry’s growth, little is being done to improve satellite security for the long term, in part due to complex supply chains and self-interest. There is a need for alternative forms of communication and military space systems should be kept separate from civilian ones. The commercial satellite industry must improve its security measures, as the consequences of a major hack could be catastrophic.
READ THE STORY: Bloomberg
Ukraine’s drone whisperers: What the weapons are telling us
Analyst Comments: When these drones are recovered by Ukrainian forces, they are handed over to weapons investigators such as Damien Spleeters, who works for Conflict Armament Research. Spleeters' work provides physical and irrefutable evidence that Iran has supplied Russia with weapons, despite Iran's denials. The evidence also highlights vulnerabilities in the supply chain that adversaries can exploit. By examining the components of weapons and drones, investigators can trace them back to specific manufacturers and distributors and uncover the acquisition networks that Russia and Iran have been using.
FROM THE MEDIA: Drones have played a significant role in the conflict in Ukraine, with Russia launching around 600 drones in the last three months of 2022. When the drones are retrieved by Ukrainian forces after being shot down or crashing, they are handed over to weapons investigators like Damien Spleeters from Conflict Armament Research, who examines the components to trace their supply chain. Spleeters notes that Russia and Iran are dependent on non-domestic technology, particularly from U.S. and European companies. By tracing the markings on components, investigators can identify the acquisition networks used by Russia and Iran. The nature of the semiconductor business means that manufacturers have very little visibility and control over their own supply chain, with issues often occurring at the distribution level. While sanctions have been imposed on Iran and Russia, the majority of the products that Conflict Armament Research found were produced between 2014 and 2021, so the full impact of the sanctions is yet to be seen.
READ THE STORY: The Record
MIT takes steps to stop foreign espionage, but some faculty say it goes too far
Analyst Comments: The measures implemented to safeguard research labs from international espionage and spying, specifically by countries such as China, Russia, and India, have raised concerns among experts that they may deter skilled researchers from working in the US or estrange them. MIT professors have expressed discomfort regarding the alterations and fear that they may harm their connections with students and colleagues. It is worth noting that China has been identified as infiltrating US universities in the past.
FROM THE MEDIA: MIT has implemented new national security guidelines to protect research labs from spying and international espionage, which includes on-campus briefings by the FBI and a requirement for professors who receive federal funding to sign a disclosure form certifying that their students are not participating in suspicious activities. The guidelines have been enacted to prevent rogue nations, such as China, Russia, and India, from stealing intellectual property from university labs. While some experts believe it is a necessary precaution, others fear the measures may alienate talented researchers or discourage them from working in the US. Critics have also raised concerns about the loss of global talent and potential overreach by law enforcement.
READ THE STORY: GBH
Ukrainian drones fly deep inside Russia, breaching defenses
Analyst Comments: A long-range drone capability means that the drone is able to fly over longer distances without requiring refueling or recharging, allowing it to operate farther away from its launch site. This type of capability can be useful in a variety of situations, including military reconnaissance and surveillance, border control, and scientific research. It can allow operators to gather data or intelligence from remote areas that might be difficult or dangerous to reach by other means, and can also provide a way to monitor large areas continuously. However, long-range drones can also be used for offensive purposes, such as carrying out airstrikes or other attacks on targets far from the operator's location.
FROM THE MEDIA: Drones, which the Kremlin claims were launched by Ukraine, were flown deep inside Russian territory, including one that came within 100 kilometers of Moscow. The drone attacks targeted several areas in southern and western Russia, causing no injuries and little damage, but raising questions about Russian defense capabilities more than a year after the country's invasion of its neighbor. Russian authorities blamed Kyiv for the assaults, but Ukrainian officials did not immediately claim responsibility. Putin ordered the security service to step up protection and tighten security along the border with Ukraine. In Ukraine, Russian forces have continued their weeks-long drive to encircle and capture the eastern city of Bakhmut, where the situation was described as "extremely tense" by Ukraine's commander of ground forces.
READ THE STORY: The Sydney Morning Herald
Belgium’s cyber security agency links China to spear phishing attack on MP
Analyst Comments: Belgium's cyber security agency has linked China to a cyber attack on a Belgian MP who drafted a resolution warning of "crimes against humanity" against Uyghur Muslims in China. The attribution marks a significant shift in European cyber agencies' approach to calling out China over alleged cyber offenses. The attack on the Belgian MP is tied to China's treatment of Uyghur Muslims, which has been widely condemned by the international community as "genocide".
FROM THE MEDIA: Belgium's Centre for Cyber Security (CCB) has attributed a cyberattack on Belgian MP Samuel Cogolati to a specific Chinese state actor called APT31. The cyberattack was a spear-phishing campaign that used a fake news organization email to target Cogolati, who was working on a resolution warning about the alleged crimes against humanity of Uyghur Muslims in China. APT31 has a history of targeting those who criticize the Chinese Communist Party. European cyber agencies have become increasingly willing to call out China over alleged cyberattacks, with Belgium's foreign ministry taking the unusual step of asking China to curb its malicious cyber activity. The CCB's attribution of the attack to APT31 signals a shift in Europe's willingness to challenge China over suspected cyber offenses, which they had previously been reticent to do out of fear of harming relations with a major economic power.
READ THE STORY: FT
Chinese company sent satellite images to Russia's Wagner Group
Analyst Comments: The motivation behind China's decision to provide the Wagner Group with satellite images is not publicly clear, and there could be various reasons behind it. However, some analysts suggest that it may be part of China's broader strategy to counter the US and its allies' influence in the region, as both China and Russia share similar geopolitical goals and have been collaborating more closely in recent years. China may also see this as an opportunity to undermine the US and its allies by indirectly supporting Russia's actions in Ukraine. It's important to note that the information disclosed by Assistant Secretary of State Daniel Kritenbrink has not been independently verified.
FROM THE MEDIA: During a Foreign Affairs Committee meeting in the US House of Representatives, Assistant Secretary of State Daniel Kritenbrink revealed that a Chinese company provided satellite images to a Russian private military group, the Wagner Group, which has been sending fighters to Ukraine. Kritenbrink, who is in charge of East Asian and Pacific Affairs, stated that China has increased economic engagement and purchases from Russia while emphasizing that the US has warned China against providing "lethal support" to the Russian military. He added that China's increasing repression at home and aggression abroad has made it a challenge for US diplomacy, but the US is not seeking conflict and does not want a new Cold War.
READ THE STORY: NHK
Senior DOJ official warns lapse of surveillance law would harm cyber investigations
FROM THE MEDIA: The Justice Department and the White House have urged Congress to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA), a controversial internet surveillance program for non-US citizens, highlighting its critical use in cybersecurity investigations. Assistant Attorney General Matthew Olsen said that the law, set to expire at the end of the year, has given law enforcement agencies important powers since 2008 that have allowed them to stop terrorist activity, espionage, and cyberattacks. Section 702 permits the National Security Agency and the FBI to take data from US-based providers such as Google and Apple without the need for a warrant. However, the scope of the surveillance powers has drawn criticism from politicians and rights groups for fear of overreach. The law faces bipartisan skepticism, and there have been violations by the FBI when querying the government’s database for information about Americans.
READ THE STORY: The Record
New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises
FROM THE MEDIA: A new post-exploitation framework called EXFILTRATOR-22 (EX-22) has recently emerged with the aim of deploying ransomware in enterprise networks undetected. According to cybersecurity firm CYFIRMA, EX-22 comes with various capabilities, including establishing a reverse shell with elevated privileges, logging keystrokes, uploading and downloading files, and performing lateral movement via a worm, among others. EX-22 can also persist after the system reboots and is advertised as fully undetectable on Telegram and YouTube. CYFIRMA believes that the threat actors responsible for the malware are operating from North, East, or Southeast Asia and are likely former affiliates of the LockBit ransomware enterprise. Criminal actors can purchase the toolkit for $1,000 per month or $5,000 for lifetime access, giving them access to the EX-22 server's login panel to remotely control the malware. EX-22 is the latest post-exploitation-framework-as-a-service model available for attackers looking to maintain secret access to compromised devices over an extended period. Other similar frameworks that have been co-opted for malicious purposes include Cobalt Strike, Metasploit, Sliver, Empire, Brute Ratel, and Havoc, among others.
READ THE STORY: THN
Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist
FROM THE MEDIA: Cloud-security firm Sysdig has reported a sophisticated cyber attack called “SCARLETEEL,” in which an attacker exploited a vulnerable Kubernetes container to access Elastic Compute Cloud (EC2) services deployed in the targeted company's infrastructure. The attacker used a service to gain temporary credentials and then enumerated other EC2 services. The company limited the scope of permissions, which limited the attack. However, the incident highlights the need for careful configuration of controls that allow cloud resources to interact with one another. Misconfigurations combined with other issues could lead to a larger breach, says Sysdig's Michael Clark.
READ THE STORY: DARKReading
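The SCARLETEEL item above turns on one defensive point: the attacker's reach from the compromised container was bounded by how narrowly the permissions attached to the cloud role had been scoped. The following is an added illustration of that point, not code from Sysdig, the affected company, or the original story. It embeds two constructed IAM policy documents, one with the broad wildcard grants that let a compromised workload enumerate and reach other resources and one scoped to the specific actions and ARNs a workload actually needs, and a small checker that flags the wildcard grants. The bucket name, repository name, region, and account id are hypothetical placeholders.

```python
import json

# Constructed sample policies (not from the Sysdig report or the victim's environment).
# WEAK_POLICY is the kind of broad grant that lets a compromised pod's credentials
# enumerate and reach unrelated EC2 and S3 resources; SCOPED_POLICY is its
# least-privilege form, limited to named actions on named resources.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/config/*"},  # hypothetical bucket
        {"Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"],
         # hypothetical account id, region and repository
         "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/example-app"},
    ],
})


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy_json):
    """Return findings for Allow statements that grant wildcard actions or
    wildcard resources. Each finding is (statement_index, kind, value).
    Only the policy document is inspected; Condition blocks are not evaluated,
    so a clean result here is a necessary, not a sufficient, check."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # An Allow written with NotAction grants every action except the listed
        # ones, which is almost always broader than intended.
        if "NotAction" in stmt:
            findings.append((i, "not_action", "Allow with NotAction"))
        for action in _as_list(stmt.get("Action", [])):
            # "*" or "service:*" grants every API in a service; a trailing "*"
            # such as "ec2:Describe*" is narrower but still a broad enumeration
            # grant, so any trailing wildcard is flagged.
            if action == "*" or action.endswith("*"):
                findings.append((i, "action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            # Only the bare "*" is flagged here; a path wildcard inside a
            # specific ARN (as in SCOPED_POLICY) is treated as acceptable.
            if resource == "*":
                findings.append((i, "resource", resource))
    return findings


def is_least_privilege(policy_json):
    """True when the policy has no wildcard-action, wildcard-resource or NotAction grants."""
    return not find_overbroad_grants(policy_json)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad_grants(doc) or "no wildcard grants")
```

Run as a script it prints the four wildcard findings in the weak policy and none in the scoped one. The check is deliberately conservative: it reads only the policy document and ignores conditions, so it is a quick gate for policies attached to workload roles rather than a replacement for a full entitlement review.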
BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11
FROM THE MEDIA: A bootkit malware called BlackLotus has emerged, becoming the first publicly known malware to bypass Secure Boot. It can run even on Windows 11 systems with UEFI Secure Boot enabled, allowing it to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges. BlackLotus exploits a security flaw, tracked as CVE-2022-21894, to bypass UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update. The powerful and persistent toolkit is offered for sale at $5,000, with each subsequent new version costing $200. The toolkit also features geofencing capabilities to avoid infecting computers in certain countries.
READ THE STORY: THN
Internet Shutdowns On The Rise Worldwide, Says Report
FROM THE MEDIA: The report from digital rights organization Access Now reveals that internet shutdowns are increasingly becoming a norm of authoritarianism, used to silence criticism, stifle dissent, and control the population. The report found that 35 countries imposed internet shutdowns in 2022 alone, with India having the highest number of shutdowns at 84, the fifth consecutive year it has held the top spot. Shutdowns have been implemented during protests, active conflict, school examinations, elections, and periods of political instability. The report emphasizes the need for governments worldwide to ensure internet access remains available and unrestricted during times of crisis and conflict to protect the right to freedom of expression and access to information.
READ THE STORY: CircleID
Putin warns of espionage as Russia presses Ukraine’s Bakhmut
FROM THE MEDIA: Russian forces continue their offensive to capture the Ukrainian city of Bakhmut, with the situation described as “extremely tense” by Ukraine’s ground forces commander. Russia has been shelling settlements around Bakhmut, which has been reduced to ruins after months of trench warfare. The Russian president, Vladimir Putin, has instructed the Federal Security Service to bolster forces in four regions, which are only partially under Russian control, and also to counter-espionage and sabotage operations by Ukraine and the West. Peskov, the Kremlin spokesperson, has stated that Russia is open to peace negotiations but that Ukraine and its Western allies must accept Russia’s annexation of four Ukrainian regions. The US undersecretary of defense for policy, Colin Kahl, has described the front line in Ukraine as a “grinding slog” and does not expect Russia to make significant territorial gains in the near term. The EU is planning to extend gas consumption reduction measures into next winter to replenish stocks.
READ THE STORY: Aljazeera
Josh Chin and Liza Lin on China’s Domestic Surveillance
FROM THE MEDIA: Wall Street Journal reporters Josh Chin and Liza Lin discuss the scope of surveillance in China and its impact on Chinese citizens. They explain that China's internal and external surveillance operations are both militarized and that they gather different types of information. Chinese citizens encounter surveillance in both the physical and virtual world, including security cameras on the streets, face-scanning cameras, and data collection by Chinese internet companies. While the Chinese government has better access to data than any other government in the world, surveillance is still fragmented due to bureaucratic inefficiencies. There is widespread acceptance of state surveillance among Chinese citizens, but government surveillance mechanisms intended to control the spread of COVID-19 led to widespread unhappiness and some of the largest protests in recent decades. Finally, the authors address concerns about Chinese company ByteDance's video app TikTok and the potential for Chinese government spying, but they believe that spying on the vast majority of TikTok users would not be practical.
READ THE STORY: The Diplomat
Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain
FROM THE MEDIA: Bitdefender has released a free universal decryptor for MortalKombat, a nascent file-encrypting malware based on commodity ransomware known as Xorist. MortalKombat has been observed in attacks targeting entities in the US, the Philippines, the UK, and Turkey, and is notable for encrypting a wide range of files, corrupting Windows Explorer, and disabling the Run command window. MortalKombat does not exhibit wiper behavior or delete volume shadow copies, but it is known to corrupt the deleted files in the Recycle Bin folder and alter the file names and types.
READ THE STORY: THN
Parallax RAT Targeting Cryptocurrency Firms with Sophisticated Injection Techniques
FROM THE MEDIA: A new campaign has emerged targeting cryptocurrency companies with the remote access trojan (RAT) Parallax RAT. The malware is difficult to detect because it uses injection techniques to hide in legitimate processes, and once injected, attackers can communicate with their victim through Windows Notepad. Parallax RAT can record keystrokes, access data stored in the clipboard, and remotely reboot or shut down the compromised machine. The RAT has been in use since early 2020 and was previously delivered through COVID-19-themed lures. The threat actor's use of Telegram and coded language is also noted as a growing concern for law enforcement and security researchers.
READ THE STORY: THN
Gmail and Google Calendar Now Support Client-Side Encryption (CSE) to Boost Data Privacy
FROM THE MEDIA: Google has announced that client-side encryption (CSE) is now generally available for Gmail and Calendar. This comes after piloting the feature in late 2022. The solution aims to reduce the "burden of compliance" for enterprises and public sector organizations by allowing them to become arbiters of their own data and ensuring no third party, including Google, can access confidential data. CSE will be available to Workspace Enterprise Plus, Education Standard, and Education Plus customers globally. Users can send and receive emails or create meeting events within their organizations or to other external parties in a manner that's encrypted "before it reaches Google servers." A decrypter tool is also available in beta for Windows to decrypt client-side encrypted files and emails exported via its Data Export tool or Google Vault, with macOS and Linux versions expected to be released in the future.
READ THE STORY: THN
How threat intelligence helps SecOps prevent cyber events before they happen
FROM THE MEDIA: Enterprises and their CISOs are seeking to identify threats rather than analyzing them after an event, and are pushing for greater real-time visibility to help reduce false positives, filter inbound noise, and provide threat intelligence that triggers automated detection and remediation actions. To solve this challenge, the next generation of threat intelligence solutions is purpose-built to provide post-attack analytics, including forensic visibility across all events. Threat intelligence is a highly effective tool that can automatically determine who should come into a network and who should not, giving an organization risk-based control, according to Centripetal CEO Steven Rogers.
READ THE STORY: VB
Employee’s hacked home PC allowed threat actor access to LastPass corporate vault
FROM THE MEDIA: Password manager LastPass has released an update regarding the cyber attack in August last year, revealing that a DevOps engineer's corporate vault was breached and data exfiltrated from cloud-storage resources. The attacker had used valid credentials to gain access to the cloud storage and exfiltrate data without being detected. The attacker later accessed the decryption keys needed to access the engineer's corporate vault after infiltrating the engineer's home PC by exploiting a third-party media software package. LastPass has a zero-knowledge architecture, meaning that customer passwords were safely encrypted. The company's update follows its December announcement that an unknown actor had breached its cloud-based storage environment.
READ THE STORY: SCMAG
DHS to require election security spending in homeland security grants
FROM THE MEDIA: A new malware campaign named ChromeLoader has been discovered that is being distributed via virtual hard disk (VHD) files, which marks a departure from the ISO optical disc image format. ChromeLoader initially emerged as a browser-hijacking credential stealer but has since evolved into a multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs. The malware's primary objective is to compromise web browsers, modify browser settings to intercept and direct traffic to dubious advertising websites, and carry out click fraud. The malware has gone through many changes over the past few months, and the shift to VHD files indicates that users looking for pirated software and video game cheats are the main targets, leading to the download of VHD files from fraudulent websites appearing on search results pages. To mitigate such risks, users are advised to refrain from following suspicious links and download software only from official sources.
READ THE STORY: Statescoop
Arm of global cyber security firm NCC Group valued at £240m as sell-off tipped
FROM THE MEDIA: NCC Group, a Manchester-based cyber security firm, is set to sell its software resilience business in a strategic review aimed at increasing investment in its cyber security services arm, Assurance. The review was prompted by the group's recent announcement of job cuts due to a "lengthening of the sales cycle", particularly in the UK and North America. Analysts at Panmure Gordon have valued the resilience business at £240m ($328m) and predict a disposal as the "most likely result" of the review. The cyber security services sector is experiencing strong growth, driven by the increased demand for digital transformation and remote working solutions during the Covid-19 pandemic.
READ THE STORY: Business Live
Web3: Embracing The Future, Trusting The Present
FROM THE MEDIA: In 2023, Web3 will continue to develop, leveraging edge computing, blockchain, and AI to create a decentralized internet that is open, trustless, and permissionless. While edge computing is already well-established, the key to sustained use for blockchain and AI will be to ensure organizations don't forget the lessons of the past. Mature technologies should not require a complete replacement of what came before and should be used when it's the best tool for the job. Businesses need to invest in the underlying technology, skills, and architecture to support new technologies effectively and ensure they provide value. Organizations that understand use cases and investigate how to bring value out of their tech will be best placed to embrace Web3's possibilities.
READ THE STORY: Forbes
Tech innovation helps Ukraine even the odds against Russia’s military might
FROM THE MEDIA: The Russian invasion of Ukraine has had significant impacts on the cybercrime landscape. Cybercriminals have been physically moving, with some Ukrainian threat actors fleeing the country to avoid conscription, while a "brain drain" in Russia has seen IT and cybersecurity professionals leave the country. The authors of the report suggest this has led to decentralization and a decrease in the overall volume of activities in the region. The conflict has also caused fractures within the cybercrime underground, with Russian cybercriminals historically having worked with those in Ukraine, but now split over political differences. Additionally, the seizure of the world's No. 1 cybercrime forum, Hydra, and the shifting of Russian-language dark web marketplaces have further compounded the situation. The authors speculate that the epicenter of cybercrime may shift to English-speaking dark web forums, shops, and marketplaces over the next year.
READ THE STORY: Atlantic Council
Items of interest
Foreign interference is not just a Canadian problem. What are our allies saying?
FROM THE MEDIA: Former Canadian diplomat to China, Charles Burton, has called for greater transparency from Canadian intelligence officials regarding foreign interference in Canadian society, following recent reports of China's alleged efforts to influence Canadian society. Burton argues that officials' reluctance to provide details on interference makes it difficult for lawmakers to recommend improved legislation or for the government to enforce existing regulations. Meanwhile, allies such as Australia and the US have publicly raised concerns over foreign interference in their own nations, with Australian Security Intelligence Organisation chief Mike Burgess warning of an unprecedented threat to the country. Burton warns that if Canada fails to address the issue of foreign interference, it risks undermining its alliances with the Five Eyes intelligence-sharing partners, potentially leading to limited intelligence sharing with the US and other allies, and impacting Canadian security and sovereignty.
READ THE STORY: GlobalNews
Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine (Video)
FROM THE MEDIA: Tom Hegel holds the position of senior threat researcher at SentinelOne, while Juan Andrés Guerrero-Saade is a member of the SentinelLabs team at SentinelOne, a company you may have encountered at the airport. In this discussion, we will delve into specific facets of the Ukrainian invasion and related cyber activities.
Russian Electronic Warfare Unit Attacks SpaceX Starlink (Video)
FROM THE MEDIA: It was reported that there was a catastrophic SpaceX Starlink outage in Ukraine, and Elon Musk was criticized for this outage. There were a few possible explanations for the outage, and one theory was that the movement of the Ukrainian military into a newly liberated area caused a blackout. An article from the EurAsian Times was found which suggested that this theory was plausible, and the speaker wants to discuss it further to get the listener's thoughts on the matter, as the previous video on this topic received a lot of attention.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.