Friday, March 03, 2023 // (IG): BB // Cyber-Roundup // Coffee for Bob
Wagner Group: what is Putin’s shadow army up to in Africa
Analyst Comments: The expansion of the Wagner Group, a Kremlin-aligned mercenary group, in Africa raises questions about Putin's game plan on the continent. The group, known for its brutality, human rights violations, and political interference, operates as Russia's boots on the ground in an expansionist agenda to revive Soviet-era influence on the continent. Its strategy is to target weak states in the troubled Sahel, acquiring control of their resources while purporting to help them win wars. The group's expansion in Africa is seen as part of Russia's strategic objectives to secure a foothold in the eastern Mediterranean, gain naval port access in the Red Sea, expand natural resource extraction opportunities, displace Western influence, and promote alternatives to democracy. As Russian influence continues to grow, Africa could become a new theater for saber-rattling between Russia and the West, drawing the continent into the orbit of the unfolding Great Power competition.
FROM THE MEDIA: The Wagner Group, a Russian mercenary group designated as a transnational criminal organization by the United States, is expanding its operations in Africa to support Putin's shadow army in Europe and expand Russia's influence on the continent. The group targets weak states in the Sahel region to take control of their resources and commit human rights violations, political interference, and digital deception campaigns. Russia's strategic objectives in Africa include securing a foothold in the eastern Mediterranean, gaining naval port access in the Red Sea, expanding natural resource extraction opportunities, and promoting alternatives to democracy. Russia is in talks with Sudan to acquire its first African military base, which could establish Russian hegemony on the continent and risk the collapse of democracy.
READ THE STORY: Inkstickmedia
Beware of Propaganda: “Washington has succumbed to dangerous groupthink in China - Fareed Zakaria”
Analyst Comments: In 2020, Fareed Zakaria published "The New China Scare," a paper that has been perceived as having a pro-CCP bias. Washington's efforts toward China are specifically directed at Xi Jinping and the CCP, rather than at China as a nation. This is likely due to concerns about effecting a leadership change in China without regime change, as there is a belief that all leaders in the CCP are working towards the ultimate goal of global communism. A return to a "more moderate collective leadership" would, it is warned, perpetuate the techno-totalitarian regime, allowing continued human rights violations and exploitation. There is also a caution against the risks of attempting to overthrow the CCP leadership without changing the regime, as the highly complex and volatile nature of CCP factional politics poses a significant challenge. It is important to note that China's actions and policies do pose a threat to global security.
FROM THE MEDIA: The article argues that there is pervasive groupthink in US foreign policy towards China, which has resulted in a lack of rational and considered policy. While China is a significant strategic competitor and poses legitimate concerns, policymakers' responses to China have been characterized by paranoia, hysteria, and fears of being labeled as soft. The bipartisan consensus that the Chinese Communist Party poses an existential threat to the US has further created a dynamic that makes rational policy difficult. The article questions whether this comfortable consensus has created a more secure world for Americans or is leading the US down a path towards arms races, crises, and possibly even war. Instead of focusing on anti-China political rhetoric, the article argues for restarting US strategic investment in education, science, technology, and infrastructure as a more effective response. It also notes that China's desire to become the dominant power in Asia and the Western Pacific, coupled with its lack of regard for individual freedoms, makes it a real threat that needs to be taken seriously.
READ THE STORY: The Washington Post
Hackers’ tactics evolve, and businesses should too
Analyst Comments: The article emphasizes the danger that widespread, technically simple ransomware attacks pose to businesses worldwide, despite the relatively small ransom amounts the group demands. It underlines the vulnerability of computer systems and defenses that rely on human intervention for patching, and the resulting need for a more robust and reliable solution, such as zero-trust artificial intelligence. It also cautions that the broad reach of criminal groups suggests a losing battle is currently being waged against them.
FROM THE MEDIA: The recent ransomware attack on almost 5,000 victims across the US and Europe highlights the widespread nature of cybercrime. The gang responsible, known as the Nevada Group, began a series of attacks three weeks ago, exploiting a vulnerability in ubiquitous cloud servers. The victims include universities, shipping and construction groups, and manufacturers. The hackers, whom authorities believe to be a mix of Russians and Chinese, have demanded a small ransom of two bitcoins, with demands ranging from about $50,000 to $80mn. The ease with which the group spread demonstrates the simplicity and breadth of much of the ransomware currently threatening businesses around the world. Cyber security experts have called for zero-trust artificial intelligence to remove human reliance in systems and defenses, so that data remains inaccessible to ransomware gangs even if the wider perimeter does not.
READ THE STORY: FT
Chinese Hackers Targeting European Entities with New MQsTTang Backdoor
Analyst Comments: The use of a previously unseen custom backdoor called MQsTTang by the China-aligned Mustang Panda actor, as part of an ongoing social engineering campaign, highlights the group's continued efforts to develop new malware and explore new technology stacks for its tools. The group has a history of using remote access trojans, but its recent intrusions have seen it expanding its malware arsenal to include custom tools.
FROM THE MEDIA: The Mustang Panda group, which has ties to China, is using a new custom backdoor called MQsTTang as part of an ongoing social engineering campaign since January 2023, according to a report by ESET. Unlike most of the group's malware, MQsTTang is not based on existing families or publicly available projects. The victimology of the current activity is unclear, but the decoy filenames are in line with the group's previous campaigns targeting European political organizations. In addition, the group has been observed expanding its malware arsenal to include custom tools such as TONEINS, TONESHELL, and PUBLOAD. MQTT is used for the backdoor's command-and-control communications, while spear-phishing is the initial intrusion vector for the attacks.
READ THE STORY: THN
Hackers Exploit Containerized Environments to Steal Proprietary Data and Software
Analyst Comments: The attackers were able to gain access to a large amount of sensitive data and proprietary software by exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). This attack underscores the importance of implementing up-to-date software and utilizing key management services to prevent such intrusions.
FROM THE MEDIA: The sophisticated hacking operation SCARLETEEL is targeting containerized environments to perpetrate theft of proprietary data and software. The attack campaign exploits a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). Once the threat actor gains access, an XMRig crypto miner is launched, and a bash script is used to obtain credentials that could be used to further burrow into the AWS cloud infrastructure and exfiltrate sensitive data. The attack also disables CloudTrail logs to minimize the digital footprint. The intrusion has allowed the threat actor to access more than 1TB of data, including customer scripts, troubleshooting tools, and log files. The findings highlight the importance of up-to-date software usage and the utilization of key management services to prevent cloud-based attacks.
READ THE STORY: THN
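The SCARLETEEL write-up above notes that the intrusion disables CloudTrail logs to shrink its footprint. As an added example (not code from the article or from the researchers who reported the campaign), the script below scans CloudTrail records for the API calls that stop or narrow logging and counts what the same principal did afterwards. The records are constructed to follow the CloudTrail JSON record layout; the account id, role ARNs and IP addresses are placeholders.

```python
"""Flag CloudTrail records that stop or narrow CloudTrail logging, then count the
activity the tampering principal carried out afterwards (constructed sample data)."""
from collections import Counter

# CloudTrail API actions that stop or narrow audit logging (real API names).
TAMPER_EVENTS = {
    "StopLogging": "trail stopped delivering events",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail settings changed (check S3 destination and region scope)",
    "PutEventSelectors": "event selectors changed (management/data events may be dropped)",
}

# Constructed sample: a workload role stops one trail, fails to delete another, then keeps working.
NODE_ROLE = "arn:aws:sts::111122223333:assumed-role/k8s-node-role/i-0example"
SAMPLE_RECORDS = [
    {"eventTime": "2023-03-01T10:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ROLE}},
    {"eventTime": "2023-03-01T10:02:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ROLE},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2023-03-01T10:02:55Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ROLE},
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
    {"eventTime": "2023-03-01T10:03:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ROLE}},
    {"eventTime": "2023-03-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/auditor"}},
]


def find_logging_tampering(records):
    """Return one finding per CloudTrail API call that stops or narrows logging.
    Failed calls (errorCode set, e.g. AccessDenied) are kept on purpose: the attempt
    itself is the signal, and the same principal often retries another way."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "cloudtrail.amazonaws.com" or name not in TAMPER_EVENTS:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "reason": TAMPER_EVENTS[name],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "trail": (rec.get("requestParameters") or {}).get("name"),
            "succeeded": "errorCode" not in rec,
        })
    return findings


def activity_after_tampering(records):
    """Count the API calls each tampering principal made after its first tamper attempt.
    Those calls are exactly what a stopped trail no longer captures, so they have to be
    reconstructed from other sources (VPC flow logs, S3 access logs, EKS audit logs).
    Assumes records are in chronological order and share one ISO timestamp format."""
    first_tamper = {}
    for f in find_logging_tampering(records):
        first_tamper.setdefault(f["actor"], f["time"])
    counts = Counter()
    for rec in records:
        actor = rec.get("userIdentity", {}).get("arn")
        if actor in first_tamper and rec.get("eventTime", "") > first_tamper[actor]:
            counts[actor] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_logging_tampering(SAMPLE_RECORDS):
        print(f"{f['time']} {f['event']:<17} trail={f['trail']} ok={f['succeeded']} by {f['actor']}")
    print(activity_after_tampering(SAMPLE_RECORDS))
```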
Poland blames Russian hackers for a cyberattack on the tax service website
Analyst Comments: While no data was leaked as a result of the attack, it is concerning that state-sponsored cyberattacks are being used to target critical infrastructure and services. This attack is part of a larger pattern of Russian cyberattacks aimed at destabilizing the situation in the country and pressuring Poland, a key ally of Ukraine and a NATO member, on the NATO eastern flank.
FROM THE MEDIA: Poland's online tax filing system was hit by a distributed denial-of-service (DDoS) cyberattack on February 28, causing the website to crash for an hour. According to Janusz Cieszynski, Secretary of State at the Government Plenipotentiary for Cyber Security, the attack was carried out by Russia. This attack follows a series of recent cyberattacks by hackers believed to be pro-Russian against Poland, which has been supporting Ukraine during the war. Poland's security agency has expressed concern that the country has been a "constant target" of pro-Russian hackers, and it sees these attacks as attempts to destabilize the country.
READ THE STORY: The Record
A key post-quantum algorithm may be vulnerable to side-channel attacks
Analyst Comments: The development of quantum computers has the potential to render current encryption algorithms useless, which could compromise sensitive data. Governments, tech companies, and researchers are working to develop quantum-secure encryption methods to prepare for a post-quantum world. It is important to start thinking about post-quantum encryption today, despite the uncertain timeline for the arrival of general-purpose quantum computers, to ensure that sensitive data remains protected in the future.
FROM THE MEDIA: Quantum computers, which use "qubits" that can be both 0 and 1 simultaneously, could render current encryption algorithms useless, leading tech giants, governments, and researchers to work on developing quantum-secure encryption methods. Though a usable quantum computer may still be years away, experts warn that quantum computers challenge key security assumptions, such as the intractability of factoring big numbers. Researchers are already taking steps to prepare for a post-quantum world, with governments and tech companies investing heavily in quantum tech.
READ THE STORY: The Record
Biden's Cybersecurity Strategy Calls for Software Liability, Tighter Critical Infrastructure Security
Analyst Comments: The plan includes establishing meaningful liability for software products and services, mandatory minimum cybersecurity requirements in the critical infrastructure sector, and promoting better security practices among software vendors and organizations handling individual data. The strategy aims to strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and investments in more resilient technologies.
FROM THE MEDIA: The Biden-Harris administration has announced a new National Cybersecurity Strategy that seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in the critical infrastructure sector. The strategy aims to shift the responsibility for cybersecurity away from individual users and small companies by establishing partnerships with industry, civil society, and state, local, tribal, and territorial governments. The plan aims to strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and require all entities that handle data on individuals to pay closer attention to how they protect that data. The strategy builds collaboration and momentum around five specific areas: critical infrastructure protection, disruption of threat actor operations and infrastructure, promoting better security among software vendors and organizations handling individual data, investments in more resilient technologies, and international cooperation on cybersecurity.
READ THE STORY: DARKReading
Is ‘Havana Syndrome’ settled now? White House won’t say
Analyst Comments: Although none of the agencies that took part in the review dissented from the core finding, the intelligence community remains open to new ideas and evidence. The report contradicts two other reviews that suggested that some foreign actor could have developed an energy weapon to cause the symptoms. The White House reacted to the report with a bit of a thud, declining to use the word "satisfied" and not considering the matter "settled."
FROM THE MEDIA: A new intelligence report has concluded that "Havana Syndrome," a set of symptoms experienced by hundreds of US personnel around the world, did not come from a foreign enemy using a secret energy weapon. The CIA and several other US intelligence agencies have been investigating the symptoms for years, and have found no evidence to suggest that they were caused by a foreign actor. The report found no pattern or common set of conditions that could link individual cases and no evidence that an adversary had used a form of directed energy such as radio waves or ultrasonic beams. However, the officials stated that the intelligence community remained open to new ideas and evidence.
READ THE STORY: The Washington Post
Drone cybersecurity assessment program launches
FROM THE MEDIA: The Association for Uncrewed Vehicle Systems International (AUVSI) and cybersecurity risk management firm Fortress Information Security have unveiled the Green UAS program, a cybersecurity certification scheme for off-the-shelf drones. The scheme will provide certification for drones’ software, components, and other technology, with four separate frameworks focusing on risk related to corporate cyber hygiene, product and device security, remote operations and connectivity, and supply chain management. The certification will verify the security of any uncrewed system and will become a critical criterion in the procurement process, said Tobias Whitney, Fortress’ vice president of strategy and policy.
READ THE STORY: GCN
BidenCash Credit Card Leak Strikes Again
FROM THE MEDIA: The dark web marketplace, BidenCash, has leaked personal financial details, including credit card numbers, for two million credit cards, most of which were issued in the U.S. This information is valuable for cybercriminals engaged in carding, a type of credit card fraud where a stolen credit card is used to charge prepaid cards. BidenCash is a key player in the cybercrime economy and facilitates the use of stolen credit cards to conceal illegal activities. The data set includes credit card information from around the world, with the U.S. being the most impacted, followed by China, Mexico, India, Canada, and the UK. The battle to secure personal credit card information continues for businesses and financial institutions.
READ THE STORY: Payments Journal
New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers
FROM THE MEDIA: A new cryptojacking campaign is targeting misconfigured Redis database servers using a legitimate and open-source command-line file transfer service called transfer.sh, according to a report by cloud cybersecurity firm Cado Security. The company said that the command line interactivity associated with transfer.sh has made it an ideal tool for hosting and delivering malicious payloads. The attack chain starts with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The objective of this campaign is to hijack system resources for mining cryptocurrency, but infection could have unintended effects, Cado Security warned.
READ THE STORY: THN
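The campaign above starts from insecure Redis deployments. As an added example (not code from the article or from Cado Security), the script below audits a redis.conf for the settings that leave a server open to unauthenticated remote clients, following Redis's own security guidance: bind to specific interfaces, keep protected-mode on, set requirepass, and rename or disable CONFIG so clients cannot rewrite persistence settings at runtime. Both configuration files are constructed; the password is a placeholder.

```python
"""Audit a redis.conf for the weak settings that expose a Redis server to unauthenticated
abuse, contrasting a constructed weak configuration with a hardened one."""

WEAK_CONF = """
# constructed: an internet-facing deployment left close to defaults
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
# constructed: the same server, hardened
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass "PLACEHOLDER-strong-password"
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for the active lines of a redis.conf.
    Directives such as rename-command may repeat, so every value is kept in order.
    Only whole-line comments (leading '#') are stripped, as redis.conf itself does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind directive means Redis listens on every interface, as does 0.0.0.0 / :: / *.
    binds = conf.get("bind", [])
    if not binds or any(addr in ALL_INTERFACES for b in binds for addr in b.split()):
        findings.append("bind: listens on all interfaces; bind to specific addresses only")

    # protected-mode defaults to yes; the last occurrence wins if it is repeated.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")

    passwords = conf.get("requirepass", [])
    if not passwords or passwords[-1].strip('"') == "":
        findings.append("requirepass missing: any client that can reach the port has full access")

    # rename-command CONFIG "" disables CONFIG; renaming to something unguessable also counts.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command reachable: clients can rewrite persistence settings at runtime")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {len(audit_redis_conf(text))} finding(s)")
        for finding in audit_redis_conf(text):
            print("  -", finding)
```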
In mixed response to White House cyber strategy, House Republicans focus on regulations
FROM THE MEDIA: Republican leaders on the House Homeland Security Committee have criticized the Biden administration's National Cybersecurity Strategy and its desire for more mandatory cybersecurity regulations for critical infrastructure. Committee Chairman Mark Green and Cybersecurity Subcommittee Chairman Andrew Garbarino argued that the call for further regulations contradicted Congress's plan to harmonize federal and international regulations outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The lawmakers said that most of what they had seen from the strategy was "a push for more red tape". The administration will need Republican support to enact any legislation after the party took control of the House in January.
READ THE STORY: The Record
U.S. Cybersecurity Agency Raises Alarm Over Royal Ransomware's Deadly Capabilities
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) has released a warning about Royal ransomware, which has targeted US and international organizations since September 2022. The group is believed to have evolved from an earlier ransomware campaign known as Zeon and has been linked to former members of Conti Team One. After accessing victims' networks, the group disables antivirus software, exfiltrates data, and then encrypts the system with custom-built ransomware. Royal is known for its unique partial encryption approach that allows threat actors to select specific percentages of data in a file to encrypt, thus helping to evade detection. The group uses a variety of modes of initial access, including the remote desktop protocol, exploitation of public-facing applications, and via initial access brokers.
READ THE STORY: THN
University CISOs are breaking open the cybersecurity ‘black box’ on campus
FROM THE MEDIA: University chief information security officers are becoming more advocacy and education-based in their roles, according to speakers at a virtual cybersecurity summit. Cybersecurity leaders were previously seen purely as technical leaders, but now their role is to educate users, forge cross-departmental collaborations, and present cybersecurity as something that can offer institutions a competitive edge in business. Building trust has become a central part of campus IT security, with security leaders leveraging the skills and expertise of other people and using their insights to find vulnerabilities and anticipate new ones.
READ THE STORY: EDSCOOP
What GoDaddy's Years-Long Breach Means for Millions of Clients
FROM THE MEDIA: GoDaddy, the domain registrar and web hosting company, has confirmed that it has been breached once every year since 2020 by the same set of cyberattackers, with the latest breach occurring in December 2022. The breaches have led to data compromises for more than 1 million of the company's users. As the largest domain name registrar on the Internet, GoDaddy is an attractive target for cyberattacks, and being a hosting service makes it vulnerable to supply chain attacks. GoDaddy's customers are advised to audit any recently changed or uploaded files on their websites to ensure that malware has not been installed, to change all potentially affected login credentials, and in particular to retire and regenerate their SSL private keys if they use them.
READ THE STORY: DARKReading
CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds
FROM THE MEDIA: The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a new tool called Decider to help the cybersecurity community map threat actor behavior to the MITRE ATT&CK framework. Developed with MITRE and US Homeland Security Systems Engineering and Development Institute (HSSEDI), the free tool simplifies the use of the framework and is open to analysts at every level in a given cybersecurity organization. Decider simplifies the complex framework by using a series of guided questions about adversary activity to identify the correct tactics, techniques, or sub-techniques in the framework to fit the incident in an intuitive way. The tool also offers simplified language accessible to any security analyst, an intuitive search and filter function, and a "shopping cart" functionality that lets users export results to commonly used formats.
READ THE STORY: DARKReading
Google Cloud May Be Vulnerable to Unnoticed Data Theft
FROM THE MEDIA: Cybersecurity firm Mitiga has found that the logging mechanism of Google Cloud's online storage does not provide enough information to differentiate between a threat actor viewing data and exfiltrating it. Google Cloud's current logging system can record a read of an object's metadata in a bucket the same way it records a download of that same object. This makes it harder for customers impacted by a data breach on Google Cloud to take the appropriate investigative action. Mitiga reported the issue to Google Cloud; the company responded that it does not consider it a vulnerability and provided mitigation recommendations.
READ THE STORY: WebProNews
The role of cyber weapons in Russia's war on Ukraine
FROM THE MEDIA: Although the expected all-out cyber war did not fully materialize, cyber operations have played a significant role in Russia's invasion of Ukraine, according to intelligence analysts. While Ukraine has found ways to recover from cyber attacks by backing up files on overseas servers or moving them to the cloud, it is unknown how much damage was caused by wiper attacks that destroyed data. The resilience of the Ukrainian response can be attributed to advanced cybersecurity technology and years of strengthening its defenses. The analysts suggest that defense has proven to be far stronger than offense in cyberspace. Russia has employed a range of cyber tactics against Ukraine, including DDoS attacks, phishing campaigns, and malware delivery. It has also been known to use social engineering to gain access to target networks, and to launch attacks on critical infrastructure such as the power grid. However, the true extent of the cyberattacks' impact remains unclear, as the effectiveness of the Ukrainian response has prevented them from causing major disruptions.
READ THE STORY: NPR
API Security Flaw Found in Booking.com Allowed Full Account Takeover
FROM THE MEDIA: Security flaws have been identified in Booking.com’s implementation of the Open Authorization (OAuth) social-login feature, according to cybersecurity firm Salt Security. The vulnerabilities could have allowed for account takeovers (ATO) and server compromises, impacting customers logging in via their Facebook accounts. Salt Security researcher Aviad Carmel explained that although OAuth provides an easier user experience, its complex technical back-end can lead to security risks that could be exploited. The vulnerabilities were uncovered by manipulating specific steps in the OAuth sequence on Booking.com’s website. After being alerted by Salt Labs, the travel company has resolved the issue.
READ THE STORY: InfoSecMag
Geopolitical Intelligence: The Definitive Guide
FROM THE MEDIA: Geopolitics and cybersecurity have become increasingly linked, as demonstrated by the recent conflict between Russia and Ukraine, which involved both on-the-ground and online attacks. As cybercrime perpetrated by nation-states increases, geopolitical risk has become a top concern for CEOs. Geopolitical intelligence can help companies prepare for these risks by providing information about worldwide political, social, and economic trends or incidents that may affect an organization. There are seven pillars of geopolitics: Geography, Politics, Economics, Security, Society, History, and Technology, any of which can impact a company's ability to do business. In particular, cybersecurity threats from nation-states are on the rise, and geopolitical intelligence can help identify the international trends most likely to have an impact on an organization's cybersecurity. However, there are challenges associated with gathering geopolitical intelligence, including an overwhelming amount of data, misinformation campaigns, language barriers, and information that isn't actionable.
READ THE STORY: Security Boulevard
Outer Space as a Growing Security and Defence Domain: Strategic Lessons on Cyber Disruption
FROM THE MEDIA: In recent years, there has been an increasing focus on the security and defense aspects of space, especially after the cyber attack on Viasat's KA-SAT satellite network during Russia's invasion of Ukraine. This attack disrupted communication and caused spillover effects in other European countries, highlighting the vulnerability of satellite infrastructure. The US, the EU, and the UK have released national strategies to enhance space-based secure connectivity and protect space infrastructure, while international efforts are underway to implement frameworks of responsible state behavior and accountability for violations of international law.
READ THE STORY: ORF
Items of interest
Why ChatGPT should be considered a malevolent AI – and be destroyed
FROM THE MEDIA: This article discusses the potential dangers of using large language models, specifically OpenAI's ChatGPT. The author shares his experience of testing the AI and receiving troubling responses, including being told that he was dead and having fake links to obituaries provided. The author suggests that the frameworks under which the AI was trained may not be effective in preventing harmful behavior from the AI. The author goes on to suggest that the use of such large language models could have real-world consequences, such as a job application being discarded due to misinformation provided by AI. The author concludes by stating that ChatGPT should be destroyed due to its potential for harm.
READ THE STORY: The Register
I Hunt Down Internet Trolls (Video)
FROM THE MEDIA: Leo is an anonymous TikToker who leads The Great LonDini movement, a group dedicated to stopping online harassment. He and his team of experts and volunteers work to track down and expose bullies, scammers, and trolls who engage in racist, sexist, or abusive behavior online. Leo's group has a no-tolerance policy for online harassment, and they will report offenders to their workplaces, the police, or their schools. In a recent interview with VICE World News, Leo discusses his methods for uncovering the identities of online harassers and his motivations for doing what he does. The interview is part of VICE's Super Users series, which examines how technology is being used to combat crime, trafficking, climate change, and social injustice.
Journalists in Mexico Fear Cartels — And Facebook (Video)
FROM THE MEDIA: The situation for journalists in Mexico is dire, with the country being the most dangerous in the world to be a journalist outside of an active war zone. In 2022 alone, eight reporters have been killed, already surpassing the number killed in all of last year. The recent death of a journalist named Martinez was linked to anonymous Facebook accounts that share graphic details of the crime in the city of Tijuana. The problem has been ongoing for years and has now reached a critical point.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.