Thursday, March 09, 2023 // (IG): BB // Cyber-Roundup// Coffee for Bob
Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity
Analyst Comments: The Lazarus Group's attacks on South Korean financial institutions demonstrate their persistence and adaptability in the face of security measures. By exploiting a zero-day vulnerability in undisclosed software, the attackers were able to bypass existing security measures and successfully infiltrate the financial business entity. The group's use of the BYOVD technique and timestomping further demonstrates their ability to evade detection and analysis. The attack's deployment of backdoor payloads designed to connect to a remote command-and-control server highlights the group's long-term goals and intentions.
FROM THE MEDIA: The North Korea-linked Lazarus Group has breached a financial business entity in South Korea twice within a span of a year by weaponizing a zero-day vulnerability in an undisclosed software. The attackers exploited a vulnerable version of a certificate software in the first attack in May 2022 and then used a zero-day vulnerability in the same program for the second attack in October 2022. Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) refrained from disclosing more specifics due to the fact that "the vulnerability has not been fully verified yet and a software patch has not been released." The attackers used the Bring Your Own Vulnerable Driver (BYOVD) technique to perform a BYOVD attack, and an anti-forensic technique referred to as timestomping to conceal their malicious behavior. The attack resulted in the deployment of backdoor payloads designed to connect to a remote command-and-control server and retrieve additional binaries.
READ THE STORY: THN
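One defender-side check for the timestomping technique mentioned above, as an added example that is not from ASEC's report or the article: it applies two common DFIR heuristics to per-file $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps in the shape an MFT parser would emit. The record layout, paths and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


# Constructed record shape: both the $SI and $FN timestamps for one MFT entry,
# as a parser such as an MFT-to-CSV tool would provide them (hypothetical here).
@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the names of the timestomping heuristics that fire for one record."""
    hits: list[str] = []
    # $SI timestamps can be rewritten from user mode (SetFileTime and similar);
    # $FN timestamps are written by the NTFS driver on create/rename and are not
    # reachable through that API. An $SI creation time older than the $FN
    # creation time therefore means the creation time was backdated.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # Many timestomping tools write whole-second values, whereas NTFS stores
    # 100 ns ticks. An $SI pair with no sub-second component is a weak signal
    # on its own (some copy tools truncate too) but worth correlating.
    # Python's datetime only resolves to microseconds, so this is a superset
    # of the "all 100 ns digits are zero" check.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("zero_subsecond_si_times")
    # An $SI modified time older than the $FN creation time is normal for a
    # file copied from elsewhere (Windows preserves LastWrite on copy), so it
    # is deliberately not flagged here.
    return hits


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each path with at least one indicator to the indicators that fired."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            findings[rec.path] = hits
    return findings


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (all sample values are constructed)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: a legitimately created driver, a file copied from another
# volume (older LastWrite, but consistent creation times), and a file whose
# $SI times were pushed back to 2019 to blend in with neighbouring system files.
SAMPLE_RECORDS = [
    MftRecord(
        path=r"C:\Windows\System32\drivers\legit.sys",
        si_created=_ts("2022-10-03T08:14:22.371624"),
        si_modified=_ts("2022-10-03T08:14:22.371624"),
        fn_created=_ts("2022-10-03T08:14:22.371624"),
        fn_modified=_ts("2022-10-03T08:14:22.371624"),
    ),
    MftRecord(
        path=r"C:\Windows\System32\copied.dll",
        si_created=_ts("2022-10-03T09:01:40.552310"),
        si_modified=_ts("2021-06-11T13:20:05.998120"),
        fn_created=_ts("2022-10-03T09:01:40.552310"),
        fn_modified=_ts("2022-10-03T09:01:40.552310"),
    ),
    MftRecord(
        path=r"C:\Windows\System32\drivers\stomped.sys",
        si_created=_ts("2019-03-19T04:52:07"),
        si_modified=_ts("2019-03-19T04:52:07"),
        fn_created=_ts("2022-10-03T08:14:25.109480"),
        fn_modified=_ts("2022-10-03T08:14:25.109480"),
    ),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

Feed real MFT parser output into `MftRecord` instances to run the same heuristics across a volume; treat the sub-second check as a correlation signal, not a verdict on its own.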
Foresight-Driven Warfare: Bringing Futures Thinking Into The Next Fight
Analyst Comments: The importance of scenario planning in envisioning future warfare cannot be overstated. The unpredictability of modern conflicts highlights the need for states to prepare for a wider range of futures. By testing current plans against multiple plausible futures, states can position themselves with the means necessary to fight the next fight. Scenario-focused planning can move strategic decision-makers away from short-term thinking regarding resourcing or policies, encouraging them to look at trends and project those ideas forward into the future. In a complex system, looking at a problem begins to shape it in the future. Therefore, states must make the proactive choice to plan for the future by utilizing scenario planning to work toward foresight-driven warfare.
FROM THE MEDIA: The article highlights the difficulty in predicting outcomes, as seen in the example of the Taliban taking control of Afghanistan in a matter of days after coalition forces departed and the Ukrainian forces continued to fight and win against the Russians a year later. The article recommends that achieving foresight-driven national strategy, defense policy, and modernization begins with finding an effective model for planners, which might include scenario planning. The report emphasizes that history is essential in feeding theory, which, when tested, drives doctrine. However, it is important to take historical knowledge a step further, as history often provides stale lessons, and only portions of these lessons apply to the next conflict.
READ THE STORY: TSB
Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks
Analyst Comments: The vulnerabilities are a significant threat to the security of Jenkins servers and could result in a complete compromise of the system. The vulnerabilities result from the way Jenkins processes plugins available from the Update Center, potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. Since the vulnerabilities involve stored XSS, the attack can be activated without having to install the plugin or visit the URL of the plugin in the first place. The vulnerabilities could be exploited even in scenarios where the server is not publicly accessible over the internet since the public Jenkins Update Center could be "injected by attackers."
FROM THE MEDIA: Two severe security vulnerabilities, collectively referred to as CorePlague, have been identified in the Jenkins open-source automation server. The vulnerabilities, tracked as CVE-2023-27898 and CVE-2023-27905, affect the Jenkins server and Update Center and could lead to arbitrary code execution on targeted systems. The vulnerabilities result from the way Jenkins processes plugins available from the Update Center, potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. The vulnerabilities affect all versions of Jenkins prior to 2.319.2 and could be exploited even in scenarios where the server is not publicly accessible over the internet since the public Jenkins Update Center could be "injected by attackers."
READ THE STORY: THN
US Sees Russia Reducing Goals in Ukraine, Deepening China Ties
Analyst Comments: This information report highlights the ongoing threat posed by China to the US, while also providing an assessment that Russia is unlikely to make major territorial gains in Ukraine in the near future. The report emphasizes the importance of maintaining vigilance against the rapidly advancing war-fighting capabilities of China and the potential national security concerns posed by Chinese-owned applications like TikTok. Overall, the report serves as a reminder that the US must continue to stay informed and prepared to address evolving threats from multiple adversaries.
FROM THE MEDIA: On March 8, 2023, the US Director of National Intelligence, Avril Haines, testified before the Senate Intelligence Committee and presented the annual assessment of worldwide threats. The report highlighted the primary threat to the US, which is China, with concerns about its control of global supply chains, its dominance of critical minerals, and its control over the video-sharing app TikTok. Haines predicted that Russia is likely to downgrade its ambitions in Ukraine and focus on hanging onto territory seized after the start of its invasion. She noted that Putin likely better understands the limits of what his military is capable of achieving and appears to be focused on more limited military objectives for now. Lt. Gen. Scott Berrier, director of the Defense Intelligence Agency, stated that “The Chinese are advancing very very rapidly in every war-fighting domain that exists.”
READ THE STORY: Bloomberg
Suspected Chinese cyber spies target unpatched SonicWall devices
Analyst Comments: The fact that the malware can successfully compromise managed appliances suggests attackers with "a fair amount of resource and effort." This campaign is consistent with Chinese threat actors' pattern of targeting network devices for zero-day exploits, which suggests that a Beijing-backed crew is behind this latest effort. The main takeaway from this campaign is that "cyberespionage groups continue to focus on exploiting systems that do not support EDR [endpoint detection and response] solutions." The attack highlights the importance of regularly patching software and keeping devices up to date.
FROM THE MEDIA: Suspected Chinese cybercriminals are targeting unpatched SonicWall gateways, infecting them with credential-stealing malware that persists through firmware upgrades. The spyware targets the SonicWall Secure Mobile Access (SMA) 100 Series, a gateway device that provides VPN access to remote users. A spokesperson for SonicWall confirmed the malware campaign, which targeted an extremely limited number of unpatched SMA 100 series appliances from the 2021 timeframe. The newly identified campaign uses malware that consists of bash scripts and one Executable and Linkable Format (ELF) binary identified as a TinyShell backdoor. The campaign is consistent with Chinese threat actors' pattern of targeting network devices for zero-day exploits. Cyberespionage groups continue to focus on exploiting systems that do not support EDR solutions.
READ THE STORY: The Register
New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access
Analyst Comments: The critical vulnerability in FortiOS and FortiProxy that could allow a threat actor to take control of affected systems has significant tactical and strategic implications. If exploited, the vulnerability could lead to the execution of arbitrary code on the device and/or DoS on the GUI, which may cause significant disruptions to operations. Organizations using Fortinet products should apply the available patches immediately to mitigate the risk of exploitation.
FROM THE MEDIA: Fortinet has released fixes for 15 security flaws, including a critical vulnerability, CVE-2023-25610, which impacts FortiOS and FortiProxy. The vulnerability is a buffer underwrite in the FortiOS and FortiProxy administrative interface that may enable remote unauthenticated attackers to execute arbitrary code on the device and/or perform a DoS on the GUI via specifically crafted requests. Fortinet has recommended that users either disable the HTTP/HTTPS administrative interface or limit the IP addresses that can reach it as workarounds until they apply patches. The patches are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9. Fortinet is not aware of any malicious exploitation attempts against the flaw.
READ THE STORY: THN
Chinese influence operations are growing more aggressive, more similar to Russia’s
Analyst Comments: China is challenging the US economically, technologically, politically, and militarily, making it the US's top priority. Although Chinese leader Xi Jinping seeks to return China to its proper place among the community of nations and as a regional power, his focus is on domestic and economic development concerns. In the event of a conflict, China would almost certainly undertake aggressive cyber operations against US critical infrastructure and military assets worldwide. China is growing increasingly aggressive in attempting to covertly influence US public opinion, including by redoubling its efforts to build influence at the state and local levels. This increased aggressiveness is motivated by Beijing's belief that local officials are more pliable than their federal counterparts. Chinese operations are growing more similar to Russia's, and Russia is expected to continue targeting US elections with covert influence operations. The CIA has launched a Transnational and Technology Mission Center to address questions of foreign technology development. US officials are concerned about security concerns posed by the Chinese app TikTok and its ability to drive narratives.
FROM THE MEDIA: US intelligence officials warned about China's increasing influence operations against the US and its efforts to influence American public opinion, which is becoming similar to Russian operations. The conflict between the US and China is playing out along technological lines. The US intelligence community's annual threat assessment describes a wide-ranging technological competition with China, where cyber and influence operations play a major role.
READ THE STORY: Cyberscoop // TIME
Hackers Compromised Two Large Data Centers in Asia and Leaked Major-Tech Giants’ Login Credentials
Analyst Comments: The breach of the two large data centers in Asia and the theft of login credentials from high-profile companies highlight the growing threat posed by cybercriminals and the importance of ensuring cybersecurity measures are in place. The incident also highlights the risk of using third-party service providers to store sensitive data. The stolen credentials could potentially be used to compromise companies’ networks and downstream customers, leading to significant financial and reputational damage.
FROM THE MEDIA: Hackers breached two large data centers in Asia and stole over 3,000 login credentials of high-profile companies, including Amazon, Apple, Huawei, Microsoft, and Samsung, among others. The breached data centers were operated by Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centers (STT GDC). The hackers used the stolen credentials to probe portals, users, and services, and access CCTV cameras. Cybersecurity firm Resecurity discovered the breach in September 2021, but it was only recently made public when a threat actor leaked the stolen login credentials on a hacking forum.
READ THE STORY: CPO
Russian Cyberwar in Ukraine Stumbles Just Like Conventional One
Analyst Comments: The cyber warfare in Ukraine from the fall of 2021 to December 2022 was a persistent deluge of digital attacks, including distributed denial-of-service attacks, malicious software, and zeroing in on Viasat Inc.’s commercial satellite network. Ukraine was ready for it and had considerable help from technology companies based in the US and elsewhere to bolster its cyber defenses. Russian President Vladimir Putin blitzed Ukraine with troops and cyberattacks to quickly collapse the government, but the cyber operations as part of a
FROM THE MEDIA: State-sponsored Russian hackers targeted the Ukrainian government and financial websites with distributed denial-of-service attacks aimed at creating chaos. They bombarded government, nonprofit, and IT organizations with malicious software designed to render computers inoperable. In addition, they zeroed in on Viasat Inc.'s commercial satellite network, causing major disruptions in Ukrainian communications, including for military units, at a crucial early stage in the war. Ukrainian officials started preparing for Russian hackers in the fall of 2021, with support from Western governments and technology companies like Microsoft, Google, and others.
READ THE STORY: Bloomberg
US frets China will use supply chains and cyber sphere as an additional weapon
Analyst Comments: The ATA report highlights the strategic and tactical significance of China's control of global supply chains in several technology sectors, its dominance in critical mineral markets, and its cyber capabilities. China's control over these sectors could pose a significant risk to US and Western manufacturing and consumer sectors. The ATA's warnings about China's cyber capabilities raise concerns about the potential disruption of critical infrastructure services within the US, including against oil and gas pipelines and rail systems. In light of these threats, the US and its allies should consider developing non-China-based alternative sources or substitutes to minimize the potential impact of any future disruptions in China-controlled supply chains.
FROM THE MEDIA: The Director of National Intelligence's "Annual Threat Assessment" highlights the risks posed by China's dominance in global supply chains for technology sectors such as semiconductors, critical minerals, batteries, solar panels, and pharmaceuticals. China's control over these markets could be leveraged for political or economic gain, potentially causing significant risks for US and Western manufacturing and consumer sectors. China's dominance in the mining and processing of critical minerals like rare earth elements, combined with its cyber capabilities, also poses a threat to US national security. The report suggests that China could restrict critical mineral supplies for commercial advantage or use cyber operations against US critical infrastructure services, such as oil and gas pipelines and rail systems. The report warns that the US and its allies must consider developing non-China-based alternative sources or substitutes to minimize the potential impact of any future disruptions in China-controlled supply chains. Failure to do so could have significant implications for national security and economic stability.
READ THE STORY: TEM
CIA future will be defined by US technology race with China
Analyst Comments: The CIA director's statement emphasizes the significance of technology in determining the agency's future and highlights the importance of preparing for China's cyber threats. The report's emphasis on China as the biggest national security threat facing America due to its use of cyber tactics to surveil Americans, steal intellectual property, and acquire foreign technologies, suggests that the US needs to take measures to protect its critical infrastructure services against cyberattacks. Additionally, China's ability to gather US health and genomic data through cyber breaches and the acquisition of US companies is a concern, and the US needs to strengthen its cybersecurity measures to prevent such data breaches. The warning that China would undertake aggressive cyber operations against US homeland critical infrastructure and military assets worldwide if it feared a major conflict with the US highlights the strategic significance of cybersecurity in national security.
FROM THE MEDIA: During the Senate hearing for the Annual Threat Assessment of the U.S. Intelligence Community, CIA Director William Burns stated that the future of the agency will be defined by America's ongoing technology race with China. He pointed out that technology is not only the main arena for competition with China, but it is also the main determinant of the agency's future. Burns' statement follows the release of the report, which cited China as the biggest national security threat facing America due to its use of cyber tactics to surveil Americans, steal intellectual property, and acquire foreign technologies. The report also emphasized China's "expansion of technology-driven authoritarianism globally." The intelligence directors warned that if China feared a major conflict with the US, it would almost certainly undertake aggressive cyber operations against US homeland critical infrastructure and military assets worldwide. The report pointed out that China is capable of launching cyberattacks that could take out critical infrastructure services, including against oil and gas pipelines and rail systems. Moreover, China has gathered US health and genomic data through cyber breaches and the acquisition of US companies.
READ THE STORY: Reuters
Russia needs to deal with its hackers, says Australia
Analyst Comments: Pezzullo's statement reflects Australia's growing concerns about the increasing cyber threat from Russia and its hackers. The call to rein in hackers highlights the government's intention to hold Russia accountable for the actions of its hackers, joining the US and the UK in imposing sanctions on seven Russian hackers from the cybercrime syndicate Trickbot. The proposed changes to cybersecurity policies, including giving the Australian Signals Directorate additional powers to prevent future hacks and appointing a new cybersecurity coordinator, underscore the government's commitment to improving the country's cybersecurity resilience. The need for information sharing among companies to combat cybercrime is also critical. The warning that cyberattacks could be unattributed, criminal acts, proxy actors working with or on behalf of a state, or a state, highlights the ambiguity generated by cyber threats and the challenges in developing policies and regulations to combat them.
FROM THE MEDIA: Home Affairs Secretary Michael Pezzullo has urged Russia to reduce the number of hacking groups that launch attacks from within its borders, noting that Russia is not a rule-of-law country where conventional law enforcement disciplines are effective. He called on the Russian government to bring hackers under control and said that Australia would not take cyber blows without retaliating. Pezzullo identified Russia's high hacker count and the risk of an attack on critical infrastructure as the most significant threats to Australia's national security, particularly following the major hacks on Medibank and Optus last year. Telstra's chief information security officer, Narelle Devine, highlighted the importance of information sharing among companies to take on the threat of cybercrime.
READ THE STORY: CyberSecurityConnect // The Record
Pakistan Looking for a Cyber Way Forward
Analyst Comments: Pakistan's cybersecurity challenges in the context of hybrid warfare are significant, given the country's vulnerability to cyber attacks from various state and non-state actors. While Pakistan has established its National Center for Cyber Security and published its National Cybersecurity Strategy, a parliamentary committee's assessment of its cybersecurity efforts as "incompetent" underscores the need for further improvement. Pakistan must speed up its ability to confront the new threat of hybrid warfare, given that cyber-attacks are especially effective in disrupting the day-to-day functions of civilians and government alike. As India is believed to be engaging in its own form of hybrid warfare against Pakistan, the longer Pakistan continues to lack a comprehensive security strategy and policy formulation addressing this threat, the more it's in peril of being victimized by the dynamism of hybrid warfare directed against it.
FROM THE MEDIA: The recent Ukraine crisis has demonstrated how geopolitical tensions can quickly spill over into cyberspace and draw in a range of state and non-state actors. Pakistan, which has been embroiled in a territorial conflict with India since 1947, has been closely monitoring the developments on the cyber front. While patriotic hacktivists from both sides have engaged in low-level attacks, the Ukraine conflict has highlighted how non-state elements and cybercriminal communities can be harnessed to create a more effective cyber presence. However, Pakistan's cybersecurity posture is not where it wants to be, with more than 900,000 daily hacking incidents targeting the country. Between 2018 and 2020, cybercrime targeting Pakistan increased by 83% over the three-year period. As such, Pakistan has made cybersecurity a governmental priority, establishing its National Center for Cyber Security in 2018 and publishing its National Cybersecurity Strategy in 2021.
READ THE STORY: OODALOOP
TSA Issues Urgent Directive to Make Aviation More Cyber Resilient
Analyst Comments: The new guidelines are timely, given the increasing escalation of attacks and geopolitical tensions. As airports and airline operators have been caught in the crosshairs of Russian and Iranian cyber crews, there is a need for the aviation industry to protect all digital controls. While the new guidelines may not make any real, material difference in airline security, it is a step towards enhancing cybersecurity resilience across critical industries. The guidelines reinforce the new National Cybersecurity Strategy document and are considered industry best practices. The TSA's efforts will require coordination directly with TSA's stakeholders, and the details of compliance enforcement are still hazy. However, advanced tools like micro-segmentation of networks, managed detection and response services, runtime application self-protection, and multifactor authentication can help protect against future intrusions. The significance of these guidelines is that the TSA is taking proactive steps to mitigate cybersecurity threats, which is essential in a world where cyber-attacks can have severe consequences.
FROM THE MEDIA: The Transportation Security Administration (TSA) has issued a new set of cybersecurity requirements for airport and aircraft operators. The TSA has described this initiative as an "emergency action" because of the persistent cybersecurity threats against US critical infrastructure, including the aviation sector. The guidelines include measures to enhance cybersecurity resilience and prevent disruption and degradation of infrastructure. The TSA has called for the implementation of network segmentation policies, access control measures, continuous monitoring and detection policies, and risk-based security patching.
READ THE STORY: DARKReading
'Skinny' Cyber Insurance Policies Create Compliance Path
Analyst Comments: The turmoil in the cyber insurance industry could be significant for organizations that require cyber insurance to remain compliant with contracts and regulations. As coverage decreases and prices increase, some companies may be unable to afford policies that meet their needs. The lack of a standardized policy also creates complexity and confusion for organizations. However, the CIS self-assessment tool and lobbying efforts for national standardized policies offer potential solutions.
FROM THE MEDIA: The cyber insurance industry is facing turmoil due to the surge of ransomware attacks. Carriers are reducing coverage, increasing prices, and enforcing stricter rules on who can qualify for coverage. Due to the low capacity and high prices, many companies cannot afford as much insurance as they would like. However, some contracts and compliance regulations require companies to have a cyber insurance policy. Organizations are struggling to obtain policies and are seeking to fill gaps with other forms of coverage. The Center for Internet Security (CIS) offers a free self-assessment tool to help organizations understand the financial impact of various breaches. Some experts suggest lobbying the National Association of Insurance Commissioners to create national standardized policies to help companies manage insurance more easily.
READ THE STORY: DARKReading
New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic
Analyst Comments: The use of ScrubCrypt by the 8220 Gang for cryptojacking operations is a significant event in the cybersecurity world. The use of crypters to evade detection by security programs is a common tactic used by threat actors, and the use of ScrubCrypt highlights the continued evolution of these tools. The 8220 Gang's track record of exploiting publicly disclosed vulnerabilities to infiltrate targets emphasizes the need for organizations to stay vigilant about patching and updating their systems. This event also highlights the continued threat of cryptojacking attacks and the need for organizations to have robust cybersecurity measures in place to detect and prevent such attacks.
FROM THE MEDIA: The cryptocurrency miner group known as the 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. The attack chain begins with exploiting Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. The crypter is designed to evade detection by security programs and comes with features to bypass Windows Defender protections as well as check for the presence of debugging and virtual machine environments. ScrubCrypt is used to secure applications with a unique BAT packing method, and the encrypted data at the top of the file can be split into four parts using the backslash character ('\'). In the final stage, the crypter decodes and loads the miner payload in memory, launching the miner process. The 8220 Gang has a track record of exploiting publicly disclosed vulnerabilities to infiltrate targets, including the use of ScrubCrypt.
READ THE STORY: THN
TSA issues emergency cybersecurity mandates for the aviation sector
Analyst Comments: The new set of guidelines by TSA for airport and aircraft operators is significant in a tactical sense as it reinforces the best practices already established in the industry to improve cybersecurity resilience. It is also a timely initiative as geopolitical tensions continue to escalate, and airports and aircraft operators have been caught in the crosshairs of Russian and Iranian cyber crews. However, whether these guidelines will make any significant material difference remains to be seen.
FROM THE MEDIA: The Transportation Security Administration (TSA) has amended security directives for airport and aircraft operators to address persistent cybersecurity threats against US infrastructure, including the aviation sector. Regulated entities in the aviation sector must now develop plans to harden resilience to their digital networks and infrastructure in the face of ongoing cyberattacks. The requirements include segmenting network activity, implementing access controls, monitoring for cybersecurity threats, timely patching of vulnerable systems, and testing the effectiveness of protections. The move represents the latest effort by federal agencies under the Biden administration to establish baseline cybersecurity rules for critical infrastructure sectors that underpin essential services to Americans.
READ THE STORY: SCMAG
Supporters of surveillance law must 'lean in' to transparency, Sen. Warner says
Analyst Comments: The expiration of Section 702 of the Foreign Intelligence Surveillance Act is a significant event for the U.S. intelligence community. The law allows the National Security Agency to conduct surveillance on overseas targets without a warrant, but it also incidentally collects the personal information of Americans. The debate over renewing the law highlights the tension between the need for intelligence agencies to collect information to protect against cyberattacks, terrorism, and other threats and the need to protect the privacy of American citizens. The push for greater transparency and declassification of information is an important step in ensuring that the public and policymakers understand the value of the program and the need for its renewal. The outcome of this debate could have significant implications for the future of U.S. surveillance programs and the privacy of American citizens.
FROM THE MEDIA: Sen. Mark Warner, chair of the Senate Intelligence Committee, has called on U.S. intelligence leaders to show "courage" in their campaign to renew the expiring surveillance law, Section 702 of the Foreign Intelligence Surveillance Act. The statute, which allows the National Security Agency to intercept the digital traffic of overseas targets without a warrant but also vacuums up personal information on an unknown number of Americans, is set to expire at the end of the year. Warner warns that a lack of transparency with the public and dubious policymakers could sink the effort to renew the law. The intelligence leaders, including FBI Director Christopher Wray, emphasized the program's importance and attempted to allay concerns about its use.
READ THE STORY: The Record
Remcos RAT Spyware Scurries Into Machines via Cloud Servers
FROM THE MEDIA: A new phishing campaign targeting organizations in Eastern Europe has been discovered, using an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), allowing the attackers to perform cyber-espionage across the region. The campaign uses emails that appear to come from legitimate institutions in the targeted country to lure victims, relying on the reputations of the organizations to trick users. The emails contain attachments that typically masquerade as financial documents, such as invoices or tender documentation, and when a user decompresses the attachment and runs the executable within, the DBatLoader malware loader downloads and executes an obfuscated second-stage payload from a public cloud location to bypass Windows UAC and drop the RAT. Researchers have recommended vigilance against malicious network requests to public cloud instances, monitoring for suspicious file creation activities, and configuring Windows UAC to "always notify" to avoid compromise.
READ THE STORY: DARKReading
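The researchers' last recommendation, setting UAC to "always notify", matters because the auto-elevation that loaders such as DBatLoader abuse only works under the default prompt level. The following PowerShell audit is an added example written for this roundup, not code from the article or from the researchers; it reads the documented UAC policy values under HKLM and compares them with the "always notify" configuration (EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1). The function names Get-UacAudit and Set-UacAlwaysNotify are this example's own.

```powershell
# Added example (not from the DarkReading article): audit the UAC policy
# values that govern elevation prompting and report which ones are weaker
# than "always notify". Function names are this example's own.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Always notify" on the UAC slider corresponds to these three values.
# ConsentPromptBehaviorAdmin: 5 (default) skips the prompt for signed
# Windows binaries, which is exactly what auto-elevation bypasses rely on;
# 2 prompts for consent on the secure desktop for every elevation.
$UacExpected = @{
    EnableLUA                  = 1   # UAC enabled (0 turns it off entirely)
    ConsentPromptBehaviorAdmin = 2   # always prompt for consent on the secure desktop
    PromptOnSecureDesktop      = 1   # show the prompt on the secure desktop
}

function Get-UacAudit {
    # Returns one object per setting with the current value and OK/WEAK status.
    $current = Get-ItemProperty -Path $UacPolicyPath
    foreach ($name in $UacExpected.Keys) {
        $value = $current.$name
        # A missing value means the OS default applies, which is weaker than 2/1/1.
        if ($value -eq $UacExpected[$name]) { $status = 'OK' } else { $status = 'WEAK' }
        [pscustomobject]@{
            Setting  = $name
            Current  = $value
            Expected = $UacExpected[$name]
            Status   = $status
        }
    }
}

function Set-UacAlwaysNotify {
    # Remediation: requires an elevated shell. In a domain, prefer the
    # equivalent Group Policy under Security Options so it is not overwritten.
    foreach ($name in $UacExpected.Keys) {
        Set-ItemProperty -Path $UacPolicyPath -Name $name -Value $UacExpected[$name] -Type DWord
    }
}

$audit = Get-UacAudit
$audit | Format-Table -AutoSize
if ($audit.Status -contains 'WEAK') {
    Write-Warning 'UAC is not set to "always notify"; run Set-UacAlwaysNotify from an elevated prompt.'
}
```

Run the audit as part of a baseline check; the remediation function is separate so the script can be used read-only on hosts where policy is owned by a domain GPO.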
Offensive Cyber: Moral Hazards and Externalities
Analyst Comments: The strategic significance here is that cyberspace is now the foreground of geopolitical competition. States that can pursue their geopolitical goals through cyber operations while avoiding overt military provocation, such as Iran, North Korea, China, and Russia, gain a competitive edge, and if offensive operations come to substitute for diplomacy the result could be a state of perpetual low-level conflict. The practical response is to invest in defense: strong and unique passwords, regular backups, prompt patching of all software and devices, anti-virus and anti-malware tooling, threat intelligence and advanced threat detection, and a tested incident response and disaster recovery plan.
FROM THE MEDIA: The world is now competing for geopolitical advantage in cyberspace, and highly advanced, targeted cyber weapons are being built for sustained destruction, espionage, sabotage, and surveillance. Offensive cyber goals produce unusual moral hazards and externalities that leave everyone less secure. As countries like Iran, North Korea, China, and Russia achieve their geopolitical goals through cyber operations while avoiding military provocation, pressure grows on every state to build the same capabilities, and the losers will be civilians, business owners, and infrastructure operators. Defensive measures, such as refraining from offense, using strong and unique passwords, backing up data regularly, keeping all software and devices updated with the latest security patches, using anti-virus and anti-malware software, using threat intelligence and advanced threat detection, and maintaining an incident response and disaster recovery plan, are among the ways to keep the situation from getting worse.
READ THE STORY: OODALOOP
Suspected Chinese Interference Causes Internet Outages in Taiwan
Analyst Comments: The loss of internet connectivity in Matsu disrupts residents' daily lives and also poses a national security risk. Suspicion that China deliberately cut the cables highlights the tension between Taiwan and China, and the high repair cost shows the economic impact of such disruptions. The Taiwanese government's moves to install a surveillance system for the cables, fall back on microwave transmission, and seek alternative providers demonstrate the importance of planning for physical disruption of connectivity, not only for attacks on the systems that run over it.
FROM THE MEDIA: Residents of Matsu, a small island in Taiwan, have faced significant disruptions to their internet connectivity for over a month after two submarine cables linking the island to Taiwan's main island were cut. Some residents have resorted to buying SIM cards from Chinese telecoms or relying on Wi-Fi hotspots provided by Chunghwa Telecom. The Taiwanese government has not confirmed that Beijing was responsible, but experts suspect China may have cut the cables deliberately to intimidate Taiwan's democratic government. Repairing the cables will cost NT$30 million, and the earliest a cable-laying ship can arrive is April 20. In response, the government is considering a surveillance system for the undersea cables, is relying on microwave transmission as a backup, and is soliciting bids from low-Earth orbit satellite operators to provide backup internet service.
READ THE STORY: CircleID
Russia facing surge of ICS attacks exploiting Bitrix CMS flaw
Analyst Comments: The increase in attacks on ICS computers in Russia and neighboring countries driven by exploitation of CVE-2022-27228 is significant because it shows how opportunistic, non-targeted campaigns reach critical infrastructure: industrial organizations run the same web software as everyone else. Bitrix Site Manager has a large market share in Russia and neighboring countries, so a single remotely exploitable flaw in it exposes a large number of organizations at once. Note that Kaspersky's headline figure, malicious objects blocked on 40.6% of protected ICS computers worldwide in 2022, measures how many systems were exposed to attacks rather than how effective defenses were; the fact that it has risen year over year is a reason for continued vigilance, not reassurance.
FROM THE MEDIA: Kaspersky's latest ICS threat landscape report, covering the second half of 2022, found a significant increase in cyberattacks on industrial control system (ICS) computers in Russia and neighboring countries. The surge was attributed to exploitation of CVE-2022-27228, a vulnerability in the Bitrix Site Manager content management system that allows remote, unauthenticated attackers to execute arbitrary code. The rise in malicious scripts and phishing pages blocked in Russia in August and September 2022 was traced to mass infections of websites running the Bitrix CMS, including those of industrial organizations. Globally, Kaspersky blocked malicious objects on 40.6% of protected ICS computers in 2022, compared with 39.6% in 2021 and 38.6% in 2020.
READ THE STORY: SCMAG
Items of interest
Canadian engineering giant with military ties hit by ransomware
FROM THE MEDIA: Engineering multinational Black & McDonald, which works with Canada's military, power, and transportation infrastructure, has reportedly been hit by a ransomware attack. While fears initially arose that Ontario Power Generation (OPG) operations and information might have been affected, a spokesman for OPG confirmed the incident was unrelated. Black & McDonald has not yet issued a public statement on the cyberattack, but the Department of National Defence reported that it blocked all incoming emails from Black & McDonald as a precaution and conducted business by phone or in person. No further details are available at this time.
BACKGROUND:
Black & McDonald, an engineering multinational headquartered in Canada, has reportedly suffered a ransomware attack. The company works with the country's military, power, and transportation infrastructure. There are concerns that the attack may have affected Ontario Power Generation (OPG) operations and information, but a spokesman for OPG confirmed that the incident was unrelated. Black & McDonald has yet to release a statement about the cyberattack.
ASSESSMENT:
The ransomware attack on Black & McDonald underscores the exposure of critical infrastructure to cyber threats through its suppliers. Companies that work with military, power, and transportation infrastructure are attractive targets, and the damage from such attacks can be significant. The precautionary measures taken by the Department of National Defence, blocking incoming email from Black & McDonald and conducting business by phone or in person, highlight the need for contingency plans that cover a compromised supplier's communications. While no further details about the attack are available, the incident is a reminder of the need for ongoing vigilance against cyber threats.
READ THE STORY: Cybernews
A Guide to Propaganda (Video)
FROM THE MEDIA: The transcript is a summary of the book "Propaganda" by Edward Bernays, a pioneer in the art of propaganda. Bernays used propaganda to manipulate public opinion for profit, such as convincing women to smoke cigarettes in the 1920s. The book discusses the use of propaganda to shape events and influence the relations of the public to an enterprise, idea, or group. Bernays defends propaganda as necessary for an orderly life but admits that it can be used with bad intentions. He advocates for the use of propaganda by an intelligent minority to lead the masses toward progress. The transcript concludes by encouraging readers to question who is paying for messages, events, news, and opinions and what their end goal is.
Here's How the U.S. Military Hacks People's Brains Darknet Diaries Ep. 65: PSYOP (Video)
FROM THE MEDIA: The podcast episode explores the topic of psychological operations (PSYOP) used by the US military to persuade, change, and influence the behavior of a target audience, whether friendly or adversarial. The host interviews a PSYOP reservist and a PSYOP veteran who shares his experiences conducting PSYOP missions. The episode also touches on the use of technology and propaganda in PSYOP and raises questions about the legality and ethics of conducting such operations. Overall, the episode delves into the dark side of the internet and how the US military is using psychological tactics to achieve its objectives.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.