Tuesday, March 07, 2023 // (IG): BB // Cyber-Roundup// Coffee for Bob
From Disinformation to Deep Fakes: How Threat Actors Manipulate Reality
Analyst Comments: Deep fakes are not only a cyber security threat but also a concern for psychological warfare. The potential use of deep fakes for manipulating public opinion by creating fake news and propaganda is a significant concern. Malicious actors can use deep fakes to create a sense of confusion and uncertainty among people, making them doubt the authenticity of real information. By undermining trust in institutions and individuals, such as world leaders or journalists, deep fakes can lead to a loss of trust in important societal institutions, which can have lasting effects on the fabric of our society.
FROM THE MEDIA: Deep fakes are a growing threat: AI and ML models generate synthetic images, video and audio realistic enough to pass as genuine. They can be used to spread disinformation, shape public opinion, impersonate world leaders or CEOs, and support cybercrime, social engineering and fraud. Detection falls into two broad approaches. Low-level detection relies on ML models trained to spot imperceptible artifacts, such as pixel-level noise or compression traces, introduced by the generation process. High-level detection looks for semantically meaningful features that generators get wrong: unnatural movements, departures from a person's known mannerisms, and phoneme-viseme mismatches, where the sound being spoken does not match the mouth shape on screen. Both approaches are an arms race; today's detectors work against today's generators and will need retraining as the generation models improve, so a negative result from a detector is never proof of authenticity. Verifying the source and chain of custody of a video or image remains the most durable check. Understanding how deep fakes are made, how they are used and how they are detected is the basis for protecting individuals, businesses and societies from this kind of manipulation.
READ THE STORY: THN
EPA orders US states to check cyber security of public water supplies
Analyst Comments: As part of its mission to safeguard critical infrastructure from cyber threats, the US government has directed states to evaluate the cybersecurity capabilities of their drinking water systems. The Environmental Protection Agency (EPA) has mandated the inclusion of cybersecurity assessments in their 'sanitary surveys' of water systems, as public water systems have become frequent targets of malicious cyber activity. The directive comes in the wake of a survey that found that while some public water systems have cybersecurity programs in place, many others do not. However, the fragmented nature of the drinking water supply environment in the US presents a challenge in implementing uniform cybersecurity standards.
FROM THE MEDIA: The US government has directed states to evaluate the cybersecurity capabilities of their drinking water systems in an attempt to protect critical infrastructure from cyber threats. The Environmental Protection Agency (EPA) has mandated cybersecurity assessments in their 'sanitary surveys' of water systems, following a survey showing that while many public water systems have cybersecurity programs in place, too many others do not. The report highlights that the drinking water supply environment in the US is fragmented, with about 153,000 public drinking water systems in the country that provide drinking water to 80% of the American population. The EPA is urging all public water systems to build up protections against cyber attacks to improve recovery if an attack occurs.
READ THE STORY: The Register
The Cyber Vulnerabilities of Dynamic Positioning Systems
Analyst Comments: As DP systems are linked to physical components of the vessel and vulnerable to cyberattacks, disruptions to the system can have serious consequences, including unplanned downtime, environmental incidents, or even loss of life. The article emphasizes the need for cybersecurity measures to protect DP systems and recommends an end-to-end approach, including awareness, training, and regular assessments of cyber threats.
FROM THE MEDIA: Dynamic positioning (DP) systems are computerised control systems that hold a vessel's position and heading using onboard sensors (GNSS, gyros, wind and motion reference units) to drive its thrusters and propulsion. They are used on research ships, drilling vessels and vessels installing and maintaining offshore assets, allowing station-keeping without anchoring. DP equipment comes in three classes (DP1 to DP3), distinguished by the amount of redundancy built in, but in every class the system is computerised and networked, which exposes it to cyberattack. A disruption can mean unplanned downtime, an environmental or safety incident, or loss of life. DP systems are exposed to malware, botnets, and spoofing and jamming of the positioning signals they depend on, and some attacks have already occurred, which is why the article stresses implementing cybersecurity measures and carrying out regular assessments.
READ THE STORY: Maritime-executive
Israel's National Cyber Directorate: 'Iran Behind the Cyberattack on Technion'
Analyst Comments: MuddyWater is an Iranian state-sponsored group that the US and UK governments have publicly tied to Iran's Ministry of Intelligence and Security. Many intrusions around the world, including in the United States and the United Kingdom, have been attributed to it. Active since at least 2017, the group is known for spear-phishing as its initial access vector and for follow-on credential theft and data exfiltration, and it has targeted telecommunications, financial and government organisations. It is considered a capable and persistent threat actor.
FROM THE MEDIA: Israel's National Cyber Directorate, investigating together with the Technion, has attributed the recent cyberattack on the institute's servers to MuddyWater, a group linked to Iran's Ministry of Intelligence and Security and to earlier attacks in the US, the UK and other countries. The attack involved malware that encrypted the affected systems' operating environment, i.e. ransomware. The directorate has circulated indicators of compromise from the attack together with defensive recommendations so that other organisations can detect and block similar activity. It also reminds organisations in Israel to strengthen their defences ahead of Ramadan, a period during which attackers have historically increased their activity against Israeli targets.
READ THE STORY: Haaretz
U.S. Special Forces want to use DEEPFAKES for PSY-OPS
Analyst Comments: While the U.S. government routinely warns against the risk of deep fakes and is openly working to build tools to counter them, this instance represents a nearly unprecedented signal of the American government's desire to use the technology offensively. The article raises ethical concerns about the use of deep fakes for military and intelligence operations and advocates for review and oversight of their use.
FROM THE MEDIA: The US Special Operations Command (SOCOM), known for its secretive military missions, is reportedly planning to conduct internet propaganda and deception campaigns online using deep fake videos, according to federal contracting documents reviewed by The Intercept. The documents reveal that SOCOM is seeking "a next-generation capability to collect disparate data through public and open source information streams such as social media, local media, etc. to enable MISO (Military Information Support Operations) to craft and direct influence operations." The documents also outline SOCOM's desire to obtain new and improved means of carrying out "influence operations, digital deception, communication disruption, and disinformation campaigns at the tactical edge and operational levels." The use of deep fakes to deliberately deceive could have a destabilizing effect on civilian populations exposed to them, according to government authorities. However, SOCOM's new plans represent an almost unprecedented instance of the American government openly signaling its desire to use the highly controversial technology offensively.
READ THE STORY: The Intercept
The CIA ruled out a foreign weapon in ‘Havana Syndrome’ cases
Analyst Comments: Havana Syndrome is a term used to describe a set of mysterious symptoms that have been experienced by American and Canadian embassy workers in Havana, Cuba, and other locations around the world since 2016. The symptoms include chronic headaches, ringing in the ears, vertigo, and nausea, among others. The cause of the illness is still unknown, but one theory is that it may be caused by directed radio frequency energy, such as microwaves. However, a recent investigation by the CIA and six other intelligence agencies found no evidence that the symptoms were caused by a weaponized attack by a foreign power, and the exact cause of the illness remains a mystery.
FROM THE MEDIA: The cause of the reported cases of Havana Syndrome, which includes symptoms such as chronic headaches, ringing in the ears, vertigo, and nausea among others, remains unknown despite years of investigation by the US intelligence community. One theory was that the symptoms were caused by directed radio frequency energy, but a panel of experts concluded that there was little evidence to support this theory. US officials suspected that the Russian military intelligence agency, GRU, was the most likely culprit, but the CIA's investigation alongside six other intelligence agencies found no evidence of a weaponized attack. The CIA acknowledges that what its personnel experience is real, but they do not yet have an explanation for it. Doctors and intelligence officials now conclude that the symptoms did not fall into any discernible patterns. The investigation is ongoing.
READ THE STORY: We are the mighty
War of the future: Rethinking deterrence in the age of AI
Analyst Comments: AI-enabled systems can process data far faster than humans, which shortens the OODA (Observe-Orient-Decide-Act) cycle and thins, though does not remove, the fog of war. Faster processing is not situational awareness: AI still cannot be given the contextual understanding a human commander brings to an ambiguous crisis. The danger is in the interaction between adversaries. If one state uses AI for detection and targeting and its opponent believes this lets it act first, the opponent may feel compelled to strike pre-emptively out of fear of being attacked before it can respond.
FROM THE MEDIA: The article examines the growing use of artificial intelligence (AI) in military operations and its implications for national security and strategic stability. It argues that AI in military decision-making can cause miscalculation, deepen mistrust among nuclear-armed states and lower nuclear thresholds, increasing the chance of pre-emptive strikes during a crisis. Because this third nuclear age places greater weight on emerging technologies, traditional concepts of deterrence and strategic stability need to be rethought. The article proposes a collective moratorium on the military use of AI until a legally binding instrument is concluded as the most viable solution.
READ THE STORY: TRT World
Data security flaws found in China-owned DJI drones
Analyst Comments: Researchers found that users could modify crucial identification details and even bring down the devices remotely in flight. While DJI had implemented traditional countermeasures to enforce the safe and secure use of drones, the vulnerabilities discovered by the researchers compromise the operator's privacy and allowed attackers to gain elevated privileges on two different DJI drones and their remote control. DJI has since fixed the issues, but it underscores the importance of addressing cybersecurity risks associated with the increasing use of drones.
FROM THE MEDIA: According to researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security, DJI drones had serious security vulnerabilities that could allow users to modify critical identification details and even bring down the devices remotely during flight. The researchers discovered that the data transmitted to and from the drone was not encrypted, and therefore accessible to anyone, potentially compromising the drone operator’s privacy. They also found critical flaws in the drone firmware that allowed attackers to abuse the devices and “gain elevated privileges on two different DJI drones and their remote control”. A total of 16 vulnerabilities were found, 14 of which could be triggered remotely via the operator’s smartphone, allowing attackers to take over the phone and crash the drone mid-flight. Although DJI has reportedly fixed the issues, the vulnerabilities raise concerns about the security of drones and the potential for them to be used maliciously.
READ THE STORY: Cybernews
Private Malware for Sale: A Closer Look at AresLoader
Analyst Comments: XSS is a top-tier Russian-language hacking forum where cybercriminals buy and sell hacking tools, services, access and malware; its name refers to cross-site scripting, the web vulnerability class. Despite its reputation it is not a dark-web-only site: it operates on the clear web as well as through a Tor mirror, and registration is required to see most sections. Loaders sold on such forums matter to defenders because they are the delivery stage for whatever payload the buyer chooses, so a single loader family can front many different final-stage threats.
FROM THE MEDIA: Researchers have reported a new private loader, AresLoader, for sale on the Russian-language hacking forum XSS. The loader masquerades as legitimate software while covertly downloading malicious payloads. The article describes how AresLoader operates and how it communicates with a command-and-control (C2) server that the seller hosts and manages. The C2 server's IP address is registered to Partner LLC, a bulletproof hosting provider. The article notes that identifying the autonomous system numbers (ASNs) used by bulletproof hosting providers is useful to researchers and to organisations that can block IP ranges at their perimeter, and closes by promoting Flashpoint's intelligence products.
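The ASN-based blocking the article recommends can be turned into a small triage and rule-generation step. The block below is an added example, not code from the Flashpoint article or from any vendor; the ASNs, prefixes and IP addresses in it are constructed placeholders drawn from documentation ranges, not the real Partner LLC allocations, and the nftables rule format is one assumed perimeter.

```python
"""Match observed C2 / egress addresses against a table of hosting-provider
prefixes and emit drop rules for whole prefixes of chosen ASNs.

Added example; the ASN numbers, prefixes and sample IPs are CONSTRUCTED
placeholders (documentation ranges), not a real bulletproof-hoster list.
"""
import ipaddress
from collections import defaultdict

# Constructed prefix table: ASN -> (provider label, announced prefixes).
BULLETPROOF_PREFIXES = {
    "AS64500": ("example-bph-1", ["203.0.113.0/24", "2001:db8:1::/48"]),
    "AS64501": ("example-bph-2", ["198.51.100.0/25"]),
}


def build_index(table):
    """Flatten the ASN table into (network, asn, provider) tuples, parsing
    each prefix once so repeated lookups do not re-parse strings."""
    index = []
    for asn, (provider, prefixes) in table.items():
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix, strict=False), asn, provider))
    return index


def lookup(ip, index):
    """Return (asn, provider, network) for the most specific matching prefix,
    or None if the address is in no listed range."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, provider in index:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[2].prefixlen:
                best = (asn, provider, net)
    return best


def triage(observed_ips, index):
    """Group observed addresses by the ASN they fall in; addresses outside
    every listed prefix are collected under 'unmatched'."""
    groups = defaultdict(list)
    for ip in observed_ips:
        hit = lookup(ip, index)
        groups[hit[0] if hit else "unmatched"].append(ip)
    return dict(groups)


def drop_rules(index, asns):
    """Emit nftables 'add rule' lines that drop outbound traffic to every
    prefix of the given ASNs (assumes a table 'inet filter' with chain 'output')."""
    rules = []
    for net, asn, _ in index:
        if asn in asns:
            family = "ip" if net.version == 4 else "ip6"
            rules.append(f"add rule inet filter output {family} daddr {net} drop")
    return rules


if __name__ == "__main__":
    idx = build_index(BULLETPROOF_PREFIXES)
    observed = ["203.0.113.77", "198.51.100.200", "192.0.2.10"]  # constructed
    print(triage(observed, idx))
    for rule in drop_rules(idx, {"AS64500"}):
        print(rule)
```

Blocking whole prefixes is blunt: a hoster's range may also serve legitimate tenants, so the output is meant for a perimeter where the organisation has already decided that nothing should talk to those providers, and the per-IP triage is what goes into the investigation notes.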
READ THE STORY: Security Boulevard
APT-C-36 Targets Colombia With New Spear-Phishing Campaign
Analyst Comments: APT-C-36, also known as Blind Eagle, is a South American espionage group that has been actively targeting Latin America-based entities since at least 2019. The group relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns, with the initial infection vector typically being a PDF attachment sent by email. The group has been associated with various RATs, including AsyncRAT, njRAT, QuasarRAT, LimeRAT, and RemcosRAT, and has been using spear-phishing emails disguised as government entities, such as Colombia’s Directorate of National Taxes and Customs (DIAN), to deceive their victims into downloading malware.
FROM THE MEDIA: On Feb. 20, the BlackBerry Research & Intelligence team reported a new spear-phishing campaign by Blind Eagle (APT-C-36), a South American espionage group that has targeted Latin America-based entities since at least 2019. The emails went to key Colombian sectors, including health, finance, law enforcement, immigration and an agency responsible for the country's peace negotiations. The lure was a fake webpage imitating Colombia's Directorate of National Taxes and Customs (DIAN) with a 'download' button that fetched a malicious file from the Discord content delivery network. The chain ends by loading AsyncRAT into memory, giving the threat actor on-demand remote access to the infected endpoint. APT-C-36 continues to concentrate on Spanish-speaking targets, mainly government institutions and other organisations in Colombia.
READ THE STORY: Blackberry
Threat actors are using advanced malware to backdoor business-grade routers
FROM THE MEDIA: An as-yet unattributed threat actor has been running a campaign dubbed Hiatus that has been infecting end-of-life DrayTek Vigor routers since at least last July. The malware turns the routers into attacker-controlled listening posts: it passively captures email traffic passing through the device and lets the attackers steal files. The backdoor can download files and run commands, and it can relay traffic from other compromised servers through the router so that the true origin of the malicious activity is concealed. The infections seen so far are on routers with an i386 architecture, and the researchers believe the actor is deliberately keeping its footprint small to avoid detection. The initial access vector is not yet known. Once a device is compromised, a bash script installs two main binaries: a remote access Trojan (RAT) that can also turn the router into a covert proxy for the actor, and a packet-capture utility that records the mail traffic. Because these routers are end-of-life, the practical remediation is replacement rather than patching.
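A router that has become a listening post and proxy shows up in flow data in two ways: the router's own address becomes the source of connections to places it has no business reaching, and external hosts start connecting to it on ports that are not its management interface. The block below is an added example of that detection logic, not code from the Black Lotus Labs research or the Ars article; the router address, the allowlist, the port numbers and the flow records are all constructed placeholders.

```python
"""Flow-log heuristics for an edge router behaving like an implant.

Added example. ROUTER_IP, ALLOWED_EGRESS, INTERNAL_NET and the FLOWS text
are CONSTRUCTED placeholders (documentation ranges), not real infrastructure
or real indicators from the Hiatus campaign.
"""
import ipaddress
from collections import defaultdict

ROUTER_IP = "192.0.2.1"                             # constructed edge router address
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed LAN behind it
ALLOWED_EGRESS = {                                  # what the router ITSELF may contact
    ("198.51.100.53", 53),    # upstream DNS resolver (constructed)
    ("198.51.100.123", 123),  # NTP (constructed)
    ("198.51.100.80", 443),   # vendor update endpoint (constructed)
}
MGMT_PORTS = frozenset({22, 443})                   # expected inbound services on the router

# Constructed flow records: "ts src sport dst dport proto bytes"
FLOWS = """
1678180001 192.0.2.1 51234 198.51.100.53 53 udp 120
1678180002 192.0.2.1 51235 198.51.100.123 123 udp 76
1678180003 192.0.2.1 41000 203.0.113.9 9001 tcp 5120
1678180004 192.0.2.1 41001 203.0.113.9 9001 tcp 99000
1678180005 192.0.2.1 41002 203.0.113.40 443 tcp 2048
1678180006 192.0.2.20 55000 203.0.113.40 443 tcp 2048
1678180007 203.0.113.77 40000 192.0.2.1 9001 tcp 600
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def router_egress_anomalies(flows, router_ip=ROUTER_IP, allowed=ALLOWED_EGRESS):
    """Flows sourced from the router itself whose (dst, dport) is not on the
    allowlist. Hosts behind the router are ignored; this assumes flow export
    from the LAN side, where NAT has not rewritten their source addresses."""
    return [f for f in flows
            if f["src"] == router_ip and (f["dst"], f["dport"]) not in allowed]


def inbound_to_router(flows, router_ip=ROUTER_IP, internal=INTERNAL_NET,
                      mgmt_ports=MGMT_PORTS):
    """Connections that terminate ON the router from outside the LAN on ports
    other than its expected management services: a covert listener or proxy
    entry point looks exactly like this."""
    return [f for f in flows
            if f["dst"] == router_ip
            and ipaddress.ip_address(f["src"]) not in internal
            and f["dport"] not in mgmt_ports]


def bytes_by_destination(flows):
    """Sum bytes per (dst, dport) so the loudest unexpected peer stands out."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    anomalies = router_egress_anomalies(flows)
    print("router egress to unexpected peers:", bytes_by_destination(anomalies))
    print("unexpected inbound to router:", inbound_to_router(flows))
```

The allowlist is the important part: an edge router legitimately talks to very few destinations on its own behalf, so maintaining that list is cheap and any deviation is worth a look, whereas trying to enumerate bad destinations is not.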
READ THE STORY: arsTECHNICA
Thousands of appointments canceled after ransomware hits major Barcelona hospital
FROM THE MEDIA: Hospital Clinic de Barcelona, the city's main hospital, was hit by a ransomware attack on Saturday, forcing the cancellation of thousands of appointments. Computers across the hospital's clinics, laboratories and emergency rooms were affected and the institution's website was taken down. The hospital confirmed that the RansomHouse gang was responsible; no extortion demand had yet been received, and officials stated that the hospital would not pay a ransom. The Catalan Cybersecurity Agency is leading the response while the hospital's IT staff restore systems gradually, prioritising the removal of any persistence the attackers may have left behind.
READ THE STORY: The Record
Experts Reveal Google Cloud Platform's Blind Spot for Data Exfiltration Attacks
FROM THE MEDIA: According to a report by cloud incident response firm Mitiga, limited forensic visibility in Google Cloud Platform (GCP) can let an attacker exfiltrate sensitive data without leaving a distinguishable trace. GCP's storage access logs record a metadata read and a full object download under the same "Object Get" event, so an investigator cannot tell from the log alone whether a file was merely listed or actually pulled, and therefore cannot separate routine access from theft. An attacker who has taken over an identity and access management (IAM) principal in the target organisation can exploit this to harvest data while blending in with legitimate activity. Mitiga recommends Virtual Private Cloud (VPC) Service Controls and organization restriction headers to limit which identities and networks can reach cloud resources in the first place, since the logs cannot be relied on to reveal the theft after the fact.
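When the log cannot distinguish a download from a metadata read, the fallback is a volume heuristic: a principal touching many distinct objects in a short window is worth an alert even though the logic cannot say what was downloaded. The block below is an added example, not code from the Mitiga report or from Google; the log entries are constructed, while the field names (`timestamp`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`) are the real Cloud Audit Log fields.

```python
"""Bulk-read heuristic over Cloud Storage data-access audit log entries.

Added example. SAMPLE_LOG is CONSTRUCTED; the field names are the real
Cloud Audit Log fields, and the window/threshold values are assumptions
to tune per environment.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_LOG = """
{"timestamp": "2023-03-06T10:00:00Z", "protoPayload": {"methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "svc-etl@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/hr-archive"}}
{"timestamp": "2023-03-06T10:00:05Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-etl@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/hr-archive/objects/payroll-2021.csv"}}
{"timestamp": "2023-03-06T10:00:09Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-etl@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/hr-archive/objects/payroll-2022.csv"}}
{"timestamp": "2023-03-06T10:00:14Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-etl@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/hr-archive/objects/employees.csv"}}
{"timestamp": "2023-03-06T10:01:02Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "svc-etl@example.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/hr-archive/objects/contracts.pdf"}}
{"timestamp": "2023-03-06T10:03:00Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "analyst@example.com"}, "resourceName": "projects/_/buckets/hr-archive/objects/readme.txt"}}
"""


def parse_entries(text):
    """Keep only storage.objects.get events, returning (ts, principal, bucket, object).
    A metadata fetch and a full download both land here: the log does not say which."""
    entries = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        payload = rec["protoPayload"]
        if payload["methodName"] != "storage.objects.get":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket_part, obj = payload["resourceName"].split("/buckets/", 1)[1].split("/objects/", 1)
        entries.append({"ts": ts,
                        "principal": payload["authenticationInfo"]["principalEmail"],
                        "bucket": bucket_part, "object": obj})
    return entries


def bulk_read_alerts(entries, window_seconds=300, threshold=3):
    """Alert when one principal reads >= threshold DISTINCT objects from one bucket
    inside a fixed, epoch-aligned window. Distinct objects are counted, not events,
    so a client repeatedly polling one file does not trip the rule."""
    seen = defaultdict(set)
    for e in entries:
        slot = int(e["ts"].timestamp()) // window_seconds
        seen[(e["principal"], e["bucket"], slot)].add(e["object"])
    alerts = []
    for (principal, bucket, slot), objects in sorted(seen.items()):
        if len(objects) >= threshold:
            start = datetime.fromtimestamp(slot * window_seconds, tz=timezone.utc)
            alerts.append({"principal": principal, "bucket": bucket,
                           "window_start": start.isoformat(),
                           "distinct_objects": len(objects),
                           "objects": sorted(objects)})
    return alerts


if __name__ == "__main__":
    for alert in bulk_read_alerts(parse_entries(SAMPLE_LOG)):
        print(alert)
```

Tune the threshold against each principal's normal pattern: a backup service account legitimately reads every object once a night, so the rule belongs on interactive users and on service accounts outside their scheduled windows, and it is a supplement to the preventive controls in the report, not a replacement for them.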
READ THE STORY: THN
Patient data was breached at West Virginia University
FROM THE MEDIA: West Virginia University exposed patient information after a file was uploaded to a public website used by software developers outside the university. The medical records themselves were not exposed, but the uploaded document listed the file names of more than 500 patients' medical records, and it was downloaded by members of the software development community who were not university staff. File names can themselves reveal diagnoses, procedures or identities, which is why the incident was reportable. The university reported it to the Department of Health and Human Services and notified the affected individuals.
READ THE STORY: EDSCOOP
Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine
FROM THE MEDIA: Law enforcement authorities in Germany and Ukraine, supported by the Dutch National Police and the US FBI, have conducted an operation against suspected core members of the cybercrime group behind large-scale DoppelPaymer ransomware attacks. Officers raided the home of a German national and searched premises in Kyiv and Kharkiv in Ukraine, where a Ukrainian national was also questioned. Both individuals are believed to have held key roles in the DoppelPaymer operation. The group is accused of attacking at least 37 companies in Germany, and victims in the US paid at least €40m ($42.5m) between May 2019 and March 2021.
READ THE STORY: THN
Twitter rival Mastodon hit with a cyberattack, and some users hit
FROM THE MEDIA: The social media platform Mastodon has suffered a distributed denial of service (DDoS) attack, according to its creator Eugen Rochko. One of the platform's servers, called Mastodon.social, was hit by the attack. Mastodon is an open social media platform from Germany that functions similarly to Twitter but consists of a collection of independently-run servers, or instances, each with its own rules and moderation policies. The platform gained around 500,000 users in 10 days after Elon Musk took over Twitter. The news of the DDoS attack comes just hours after several Twitter users complained of links within tweets not working and images failing to load.
READ THE STORY: Times of India
The Sandbox discloses security breach
FROM THE MEDIA: A third party gained unauthorised access to the computer of an employee at blockchain metaverse company The Sandbox and used it to launch phishing attacks. The attacker accessed several email addresses and sent phishing emails impersonating the company that contained a link to a site capable of remotely installing malware on a recipient's computer and accessing their personal information. The Sandbox said the access was limited to the single employee's computer and that it had contacted every email recipient with instructions. The company blocked the employee's accounts, reformatted the laptop, reset all related passwords and enforced two-factor authentication, and is reviewing its security policies and practices.
READ THE STORY: Cybernews
LastPass Hack: Engineer's Failure to Update Plex Software Led to Massive Data Breach
FROM THE MEDIA: LastPass has explained how the second of its 2022 incidents unfolded. The threat actor targeted the home computer of a senior DevOps engineer, one of only four employees with access to the decryption keys for the company's cloud-hosted backups. The entry point was a vulnerable third-party media software package (Plex) on that home machine which had not been updated even though a fix had been available since 2020. Exploiting it gave the attacker remote code execution, which was used to plant a keylogger, capture the engineer's master password after he had authenticated with MFA, and open his corporate LastPass vault. From there the attacker obtained credentials and keys for the shared cloud storage environment, including decryption keys for production backups containing customer vault data. The lesson is that a privileged employee's personal device is part of the corporate attack surface, and that unpatched consumer software on it can be the path to the most sensitive secrets the company holds.
READ THE STORY: THN
Shein's Android App Caught Transmitting Clipboard Data to Remote Servers
FROM THE MEDIA: The Shein Android app, version 7.9.2, had a bug that allowed the app to capture and transmit clipboard contents to a remote server. The issue was discovered by the Microsoft 365 Defender Research Team and has since been fixed as of May 2022. Shein, a Chinese online fast fashion retailer, has over 100 million downloads. Google has made improvements to Android to mitigate such privacy risks, such as displaying toast messages when an app accesses the clipboard and barring apps from getting data unless it is actively running in the foreground. Clipboard contents can be an attractive target for cyberattacks, as users often use the clipboard to copy and paste sensitive information like passwords or payment information.
READ THE STORY: THN
China using LinkedIn, and Indeed to recruit spies, target experts in the US
FROM THE MEDIA: National security experts have warned that job portals like LinkedIn and Indeed have become hunting grounds for foreign spies who are looking to target people in academia, research and development, and the private sector. Social media platforms have amplified the espionage effort, allowing foreign agents to engage with tens of thousands of people online without ever meeting them. The problem is further exacerbated by the fact that spies can gain direct access to targets thousands of miles away with a few clicks of a button, making it easier for them to collect classified information. China, North Korea, Iran and Russia are all involved in this type of activity, according to Mirriam-Grace MacIntyre, executive director of the National Counterintelligence and Security Center.
READ THE STORY: News Nation
What Is Mirai Malware and Who Is at Risk
FROM THE MEDIA: Mirai is a malware family first identified in 2016 that targets IoT (Internet of Things) devices running embedded Linux; its source code has been built for many CPU architectures, including ARM, MIPS, x86 and ARC, which is what lets it spread across routers, cameras and DVRs from many vendors. Mirai infects a device and enrols it in a botnet, a network of compromised machines acting under one controller, whose main purpose is DDoS (Distributed Denial of Service) attacks that flood a target with traffic until its servers fail. The article's advice is to keep antivirus, applications and operating systems up to date and to watch for signs of infection such as frequent crashes and a slow internet connection, and it notes that botnet-detection products and DDoS protection services exist for websites. For IoT devices, which rarely run antivirus, the controls that actually matter follow from how Mirai spreads, by logging in to exposed Telnet and SSH services with factory-default credentials: change default passwords, disable remote management or keep it off the internet, and apply firmware updates.
READ THE STORY: MUO
Old Windows ‘Mock Folders’ UAC bypass used to drop malware
FROM THE MEDIA: A new phishing campaign has been discovered that targets organizations in Eastern European countries with the Remcos RAT malware using an old Windows User Account Control (UAC) bypass discovered over two years ago. The phishing emails contain fake invoices or other financial documents as attachments, and the attachment is a tar.lz archive that includes the DBatLoader executable. The malware loader disguises the second-stage payload as a Microsoft Office, LibreOffice, or PDF document using double extensions and app icons to trick the victim into opening it. Before loading Remcos RAT, DBatLoader creates and executes a Windows batch script to abuse a Windows UAC bypassing method that was first documented in 2020. The method involves using a combination of DLL hijacking and mock trusted directories to bypass UAC and run malicious code without prompting the user. The malware loader creates mock trusted directories, imitating trusted folders with trailing spaces, and copies legitimate executables and malicious DLLs to them. Eventually, Remcos is executed through process injection, configured with keylogging and screenshot-snapping capabilities. System administrators should configure Windows UAC to "Always Notify" and monitor for suspicious file creations or process executions in trusted filesystem paths with trailing spaces.
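The monitoring advice at the end of the article comes down to one check: does any directory component of an image or file path carry a trailing space (or dot) such that, once the padding is stripped, the path collapses onto a trusted Windows location? The block below is an added example of that check over constructed process-creation events, plus a filesystem sweep for padded directory names; it is not code from the article or from the researchers, and every path in it is a placeholder rather than a file name from the campaign.

```python
"""Detect 'mock trusted directory' paths ("C:\\Windows \\System32\\...") in
process-creation events and sweep a filesystem tree for padded directory names.

Added example. TRUSTED_ROOTS is an assumed list; EVENTS is CONSTRUCTED and
the file names in it are placeholders, not indicators from the campaign.
"""
import os
import re

# Locations from which auto-elevating Windows binaries are trusted. Compared
# case-insensitively after stripping trailing spaces/dots from each component.
TRUSTED_ROOTS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
}


def components(path):
    """Split on either separator, keeping every component verbatim so that
    trailing whitespace survives for inspection."""
    return [c for c in re.split(r"[\\/]+", path) if c]


def mock_folder_finding(path):
    """Return details if some directory prefix of `path` equals a trusted root
    once trailing spaces/dots are removed from a padded component; else None."""
    comps = components(path)
    for i, comp in enumerate(comps):
        if comp != comp.rstrip(" ."):                       # padded component
            spoofed = "\\".join(comps[: i + 1])
            canonical = "\\".join(c.rstrip(" .") for c in comps[: i + 1]).lower()
            if canonical in TRUSTED_ROOTS:
                return {"path": path, "spoofed_dir": spoofed, "mimics": canonical}
    return None


# Constructed process-creation events: "<event_id>|<image_path>|<parent_image>"
EVENTS = r"""
4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe
4688|C:\Windows \System32\trusted.exe|C:\Users\bob\AppData\Local\Temp\invoice.exe
4688|C:\Users\bob\Downloads\Report .exe|C:\Windows\explorer.exe
4688|C:\Program Files \Vendor\tool.exe|C:\Windows\explorer.exe
"""


def findings_from_events(text):
    """Run the check over each event's image path; attach the parent for triage."""
    out = []
    for line in text.strip().splitlines():
        _, image, parent = line.split("|")
        finding = mock_folder_finding(image)
        if finding:
            finding["parent"] = parent
            out.append(finding)
    return out


def scan_tree_for_padded_dirs(root):
    """Walk a real tree and return directories whose name ends in a space or
    dot. Windows refuses to create such names through the normal API, so on a
    Windows volume their mere presence is suspicious. Runs on any OS."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d != d.rstrip(" ."):
                hits.append(os.path.join(dirpath, d))
    return hits


if __name__ == "__main__":
    for finding in findings_from_events(EVENTS):
        print(finding)
```

The third event is the deliberate near miss: a trailing space inside a file name ("Report .exe") is odd but does not impersonate a trusted directory, so it is not flagged. Pair the path check with the parent process, as the second event shows: a trusted-looking binary spawned from a user's Temp folder is the combination that matters.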
READ THE STORY: Bleeping Computer
Items of interest
Gottheimer Announces Federal Action Against Chinese-owned TikTok
FROM THE MEDIA: U.S. Congressman Josh Gottheimer, joined by New Jersey's cybersecurity agency, has raised concerns about the threats that TikTok and the Chinese Communist Party pose to the safety of American citizens, data, and national security. The Congressman argued that TikTok, with over 100 million monthly active users, collects far-reaching and sophisticated data from its users, including usernames, passwords, personally identifiable information, pictures, and videos of millions of Americans, which could be leveraged by the Chinese government to breach U.S. institutions, steal intellectual property, collect data, and access the systems that control critical infrastructure. The Congressman also highlighted the addictive qualities of TikTok, which could have a negative impact on children's mental health. In addition, Chinese law obligates TikTok's parent company to "support, assist, and cooperate with state intelligence work." Gottheimer is pushing for legislation that would grant the President the power to ban TikTok in the United States or force the sale of its U.S. operations to an American company if the President believes there is continued data collection and a clear threat to national security.
READ THE STORY: House.gov
SIGINT Cyclic Survey (Video)
FROM THE MEDIA: The video discusses how Signals Intelligence (SIGINT) agencies struggle to monitor internet traffic and how they use cyclic survey to overcome this challenge. The cyclic survey is a method where the captured traffic is searched in near real-time for matches based on the criteria defined by the SIGINT analysts, reducing the amount of data they have to record, store, and process. The cyclic survey is implemented by running a survey on a batch of links for a predefined interval of time, ignoring everything else, and then moving to the next batch of links. While this method may pose the risk of missing something important, it makes processing enormous amounts of network traffic possible.
Basic Tactical SIGINT: Tracking Aircraft and SDR Scanning (Video)
FROM THE MEDIA: The video introduces signals intelligence (SIGINT) and its subcategories, including communications intelligence (COMINT) and electronic intelligence (ELINT). The speaker walks through a basic collection setup built from a computer, antennas and software such as SDRSharp and Plane Plotter, shows how conditional expressions in Plane Plotter can be used to track specific aircraft, and explains the use of range rings and polar diagrams for judging coverage. The speaker also stresses being selective about whose advice to follow when building out a radio setup.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.