Monday, March 13, 2023 // (IG): BB // Cyber-Roundup // Coffee for Bob
Ctrl-Alt-Defeat: White Castle facing "annihilation" over worker surveillance; Congress gets hacked
Analyst Comments: The ruling against White Castle highlights the importance of adhering to privacy regulations, especially in regard to the collection and sharing of personal user information. The potential $17 billion in damages underscores the high cost companies can face for violating privacy laws.
FROM THE MEDIA: White Castle could be on the hook for $17 billion in damages after collecting biometric data from nearly 9,500 workers in violation of Illinois’ Biometric Information Privacy Act (BIPA). The state’s high court ruled against White Castle last month, clarifying that each instance of the fingerprint swipe counts as a violation, potentially leading to the sum of $17 billion in damages, which one dissenting justice called “annihilative liability.”
READ THE STORY: Salon
Wagner Group and the IRGC: The Rise of Self-Sustaining Military Proxies
Analyst Comments: The use of self-sustaining fighting groups is becoming more prevalent in modern warfare and international relations. The Wagner Group and IRGC have both demonstrated the effectiveness of this model in expanding their influence and power beyond their own borders. The financial self-sufficiency of these groups allows them to impose greater losses and costs on their enemies and alter the global order. The increasing use of this model could have significant strategic implications for the future of conflict. Sanctions have been effective in targeting the economic aspect of these groups, but they have also demonstrated their ability to circumvent them and sustain their model.
FROM THE MEDIA: The article discusses the increasing use of self-sustaining fighting groups by states and their potential impact on global security and stability. The article notes that these groups allow states to exert greater influence over vulnerable regions and fill power vacuums, but also raises concerns about their potential security threats and ethical implications. The article highlights the differences between Russia’s Wagner Group and Iran’s IRGC, while also noting some similarities in their activities. The article suggests that the use of sanctions as a foreign policy tool can be effective in countering the activities of these groups, particularly by targeting affiliated individuals and entities. Overall, the article emphasizes the need for careful consideration and management of the activities of self-sustaining fighting groups by states.
READ THE STORY: National Interest
MI5 will help firms fend off Chinese and Russian spies
Analyst Comments: The news is significant as it highlights the UK’s updated diplomatic and defense strategy to address the “epoch-defining challenge” of China. MI5’s direct help to businesses dealing with Chinese and Russian spying shows the severity of the threat and the UK’s commitment to combating it. However, Sunak’s refusal to promise permanently higher defense spending and the military receiving only half of what it requested in this week’s budget may raise concerns about the UK’s ability to effectively address the threat.
FROM THE MEDIA: MI5, the British domestic intelligence agency, will offer direct help to businesses to deal with spying from China and Russia. The move is part of the UK’s updated diplomatic and defense strategy to address the “epoch-defining challenge” of China. The UK Prime Minister, Rishi Sunak, plans to “fortify our national defenses” as part of the updated strategy. Sunak has also rebuked members of his party who insist on defining China as a threat to Britain, saying it is not “smart or sophisticated foreign policy.” However, Sunak has refused to promise permanently higher defense spending and is set to give only half of what the military requested in this week’s budget.
READ THE STORY: The Times
KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets
Analyst Comments: Dark Pink's use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains a common tactic among threat actors. The group's improved obfuscation routine for the KamiKakaBot malware has made it more difficult to detect, posing a greater risk to government and military entities in Southeast Asia. The attacks serve as a reminder for organizations to remain vigilant against social engineering lures and to implement strong security measures to protect against APTs.
FROM THE MEDIA: Dark Pink has been linked to a fresh set of attacks in February 2023, using a malware called KamiKakaBot to steal sensitive information stored in web browsers and execute remote code. The group is suspected to be cyber espionage-motivated and exploits relations between ASEAN and European nations to create phishing lures. Dark Pink has been active since mid-2021, with an increased tempo observed in 2022.
READ THE STORY: THN
Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom
Analyst Comments: The discovery of these vulnerabilities is significant and highlights the importance of ensuring security measures are in place in IoT devices. Organizations are advised to disconnect the device from the internet until patches are available and to change the default password used to secure the web interface. The findings also demonstrate the need for continued efforts to strengthen IoT security measures to prevent unauthorized access and data breaches.
FROM THE MEDIA: Over a dozen security flaws have been discovered in the Akuvox E11, a smart intercom product made by the Chinese company Akuvox. The vulnerabilities could allow attackers to remotely control the device's camera and microphone, steal multimedia data and images, or gain a foothold in the network. The most severe of these vulnerabilities is that the Akuvox E11 password recovery webpage can be accessed without authentication, allowing attackers to reset the password back to default. A majority of the 13 security issues remain unpatched to date, although Akuvox has addressed the FTP server permissions issue. The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that successful exploitation of these vulnerabilities could cause loss of sensitive information, allow unauthorized access, and grant full administrative control to attackers.
READ THE STORY: THN
Unveiling the Shadow AI: The Rise of AI Reliance in Cybersecurity
Analyst Comments: The use of Shadow AI in cybersecurity can introduce risks and complicating factors to an organization's cybersecurity strategy. The potential for incorrect answers, over-reliance on AI tools, and unauthorized information disclosure can compromise sensitive data and harm the organization's security posture. Organizations must ensure that the use of AI tools is adequately monitored and controlled to prevent Shadow AI from posing a threat to their cybersecurity.
FROM THE MEDIA: Artificial Intelligence (AI) has been gaining popularity in the cybersecurity domain as it offers faster and more accurate threat analysis. However, the use of personal AI tools by employees without the knowledge or consent of their organization, known as Shadow AI, can cause potential problems for organizations. Cybersecurity analysts are using Shadow AI tools to deobfuscate code, analyze malicious code, and simulate attacks. However, the use of Shadow AI can introduce additional complicating factors, such as a lack of standardization and unauthorized information disclosure. Cybersecurity analysts may also rely too heavily on AI tools, leading to a decline in the quality of their work and a loss of valuable skills. Organizations should provide adequate training for employees to use AI tools, to avoid the pitfalls of Shadow AI.
READ THE STORY: Security Boulevard
Despite the evidence, Lopez Obrador denies espionage, he says it is “intelligence work”
Analyst Comments: The significance of this event is the potential breach of privacy and violation of the human rights of Mexican citizens by the military. The denial by the Mexican President raises concerns about government transparency and accountability. Additionally, the use of spyware and intelligence technology to monitor citizens has implications for free speech and democratic principles.
FROM THE MEDIA: The Mexican President denied that the government carried out unauthorized monitoring of its citizens after reports accused the military of hacking the communications of human rights activist Raymundo Ramos. Mexican digital rights group R3D published documents this week that showed the armed forces had access to Ramos' messages. Persons: Mexican President Andres Manuel Lopez Obrador, human rights activist Raymundo Ramos
READ THE STORY: Mexico Daily Post
Cyber attack affecting Gloucester museum's system one year on
Analyst Comments: The cyber attack on Gloucester City Council has had significant financial and operational consequences, with the latest estimate suggesting costs to the taxpayer approaching £1m. The ongoing impact on the Museum of Gloucester highlights the lasting effects of cyber attacks on institutions and their ability to carry out important functions.
FROM THE MEDIA: A cyber attack on Gloucester City Council in December 2021 has affected the Museum of Gloucester's access to its artifact database, hindering investigations into the city's historic monuments. The harmful software was embedded in an email sent to a council officer, and the attack has been linked to Russian hackers. The council has had to rebuild all of its servers as a result of the attack, with an estimated cost of nearly £1m to the taxpayer.
READ THE STORY: BBC
AI being used to create digital con artists on YouTube warns analyst
Analyst Comments: The use of AI-generated video personas to trick victims into downloading malware represents a new trend in cybercrime. Cybercriminals are using popular tools to make their bogus adverts seem more credible and are targeting popular software programs such as Photoshop and AutoCAD. While YouTube is a popular platform for cybercriminals to distribute these videos, the platform's regulations and review process make it difficult for them to maintain long-term active accounts. Users are advised to avoid downloading or using pirated software to avoid the risk of malware.
FROM THE MEDIA: CloudSek, a cybersecurity firm, has discovered that threat actors are using AI-generated video personas to make their bogus adverts seem more credible. The AI-generator tools used by the cybercriminals were identified as Synthesia and D-ID. In November, CloudSek found that YouTube videos containing malware links to information-stealer programs increased by as much as 300% month-on-month. These videos typically lure users by pretending to be tutorials on how to download cracked versions of licensed software such as Photoshop, Premiere Pro, Autodesk 3ds Max, and AutoCAD.
READ THE STORY: Cybernews
CASPER attack steals data using an air-gapped computer's internal speaker
Analyst Comments: The CASPER attack poses a significant threat to air-gapped, network-isolated systems used in critical environments such as government networks, energy infrastructure, and weapon control systems. This new covert channel attack leverages the internal speakers inside the target computer and uses frequency modulation to achieve an imperceptible ultrasound in a range between 17 kHz and 20 kHz. The maximum reliable transmitting bit rate of the attack is 20 bits/s, making it a slower data transfer method than other covert channel technologies using optical or electromagnetic methods. Defenders could implement a high-pass filter or remove the internal speaker from mission-critical computers to mitigate this attack.
FROM THE MEDIA: Researchers have developed a new covert channel attack named CASPER, which can leak data from air-gapped computers to a nearby smartphone at a rate of 20 bits/s. The attack leverages the internal speakers inside the target computer as the data transmission channel to transmit high-frequency audio that the human ear cannot hear and convey binary or Morse code to a microphone up to 1.5 m away. The malware can autonomously enumerate the target's filesystem, locate files or file types that match a hardcoded list, and attempt to exfiltrate them. The researchers experimented with the described model using a Linux-based (Ubuntu 20.04) computer as the target, and a Samsung Galaxy Z Flip 3 as the receiver, running a basic recorder application with a sampling frequency of up to 20 kHz.
READ THE STORY: Bleeping Computer
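One defensive check the CASPER description points to, added here as an example and not code from the researchers' paper or the article: a monitor that watches a room microphone for sustained energy in the 17-20 kHz band, which a machine that should be silent has no reason to emit. It assumes a 48 kHz capture and a 10 ms analysis frame, and feeds itself a constructed test recording (a 1 kHz room tone, then the same tone plus a binary-FSK carrier in the band at the article's 20 bit/s) rather than real audio.

```python
import math

RATE = 48_000                          # Hz; assumed sample rate of the monitoring microphone
FRAME = 480                            # 10 ms analysis window -> 100 Hz bin spacing
BAND_LOW, BAND_HIGH = 17_000, 20_000   # near-ultrasonic band CASPER uses (from the article)
SPEECH_LOW, SPEECH_HIGH = 300, 3_400   # reference band: ordinary room audio
BIT_RATE = 20                          # CASPER's reliable rate, bits/s (from the article)

def goertzel_power(frame, freq, rate=RATE):
    """Signal power at `freq` Hz in `frame` (Goertzel algorithm, pure Python)."""
    n = len(frame)
    k = round(freq * n / rate)         # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_power(frame, low, high, rate=RATE):
    """Sum of bin powers from `low` to `high` Hz at the frame's bin spacing."""
    step = rate // len(frame)
    return sum(goertzel_power(frame, f, rate) for f in range(low, high + 1, step))

def ultrasonic_ratio(frame, rate=RATE):
    """Energy in 17-20 kHz relative to the speech band; close to 0 for normal audio."""
    hi = band_power(frame, BAND_LOW, BAND_HIGH, rate)
    lo = band_power(frame, SPEECH_LOW, SPEECH_HIGH, rate)
    return hi / (lo + 1e-12)

def flag_frames(samples, rate=RATE, threshold=0.25):
    """Indices of 10 ms frames whose near-ultrasonic energy exceeds `threshold`
    times the speech-band energy. A run of consecutive hits from a host that
    should be silent is what a defender would alert on."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    return [i for i, fr in enumerate(frames) if ultrasonic_ratio(fr, rate) > threshold]

def constructed_capture(bits, rate=RATE):
    """Constructed test audio (assumption, not a real recording): a 1 kHz room
    tone alone, followed by the same tone plus a binary-FSK ultrasonic carrier
    (18 kHz = 0, 19 kHz = 1) at 20 bit/s, standing in for a CASPER-style emission."""
    spb = rate // BIT_RATE             # samples per bit (2400 at 48 kHz)
    quiet = [0.2 * math.sin(2 * math.pi * 1_000 * t / rate) for t in range(spb * len(bits))]
    loud = []
    for i, b in enumerate(bits):
        f = 19_000 if b else 18_000
        for t in range(i * spb, (i + 1) * spb):
            loud.append(0.2 * math.sin(2 * math.pi * 1_000 * t / rate)
                        + 0.2 * math.sin(2 * math.pi * f * t / rate))
    return quiet + loud

if __name__ == "__main__":
    audio = constructed_capture([1, 0, 1, 1, 0])
    # With five bits the recording is 50 frames; only the second half is flagged.
    print("flagged frames:", flag_frames(audio))
```

On a real deployment the threshold and reference band need tuning to the room, and a hit is only meaningful when correlated with which host was active at that time.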
New Version of Xenomorph Android Malware Attacks 400 Banks' Customers
Analyst Comments: The discovery of a new and more capable version of the Android banking trojan Xenomorph highlights the continued threat of mobile banking attacks by criminals. The trojan's ability to steal credentials for 400 banks and automate fund transfers between banks is a significant concern for both individuals and financial institutions. The use of third-party hosting services for distribution, such as the Discord Content Delivery Network, also highlights the need for caution when installing apps from the Google Play store. The updated capabilities of the Xenomorph trojan, including the use of authenticator apps for two-factor authentication and cookie-stealing capabilities, make it a significant threat to mobile banking security.
FROM THE MEDIA: ThreatFabric, a cybersecurity firm, has discovered a new variant of the Android banking Trojan called Xenomorph, which contains several new features that can be used to conduct malicious attacks on Android devices. The Trojan has the ability to steal credentials for 400 banks and automate the transfer of funds between banks. Users are advised to be cautious when installing apps from the Google Play store and to read reviews and run background checks on the publishers. Xenomorph has been using overlay attacks to collect PII such as passwords and usernames for the past few years. The new variant adds features such as app_start, show_push, cookies_handler, send_sms, make_ussd, call_forward, and execute_rum. The Xenomorph trojan incorporates an ATS module that allows it to extract the authenticator codes from an authenticator app. The malware has been distributed via third-party hosting services, specifically the Discord Content Delivery Network. This new variant of the Xenomorph Android banking Trojan is significant in terms of its impact on mobile banking security, as it represents a more refined and professional approach to the world of mobile banking.
READ THE STORY: GBhackers
Medusa ransomware gang picks up steam as it targets companies worldwide
Analyst Comments: The Medusa ransomware operation is significant both tactically and strategically as it targets corporate victims worldwide and demands million-dollar ransoms. The recent increase in activity and launch of the Medusa Blog for data leakage shows that the operation is becoming more sophisticated in its tactics. The attack on the Minneapolis Public Schools district shows that even public organizations are not immune to these attacks, and the potential loss of sensitive data can be damaging.
FROM THE MEDIA: The Medusa ransomware operation began in June 2021 with relatively low activity but has picked up steam in 2023. Medusa launched a 'Medusa Blog' to leak data from victims who refused to pay a ransom. Medusa gained media attention after claiming responsibility for an attack on the Minneapolis Public Schools district and sharing a video of the stolen data.
READ THE STORY: Bleeping Computer
AT&T informs 9M customers about data breach
Analyst Comments: The incident is significant as it highlights the vulnerabilities of the telecom industry, which is increasingly becoming a major target of cyberattacks due to the increased use of IoT devices and the push towards 5G. The incident also underscores the importance of implementing strong cybersecurity measures to protect against such breaches.
FROM THE MEDIA: The exposed data included first names, wireless account numbers, wireless phone numbers, email addresses, past due amounts, monthly payment amounts, and various monthly charges and minutes used. No sensitive personal or financial information, such as social security numbers or credit card information, was accessed. AT&T notified affected customers, offered additional password security at no cost, and notified federal law enforcement agencies about the incident.
READ THE STORY: ARN
Mechatronics vs. IoT: What Do Packaging Lines Really Need?
Analyst Comments: The use of mechatronics and Industry 4.0 technologies in packaging lines is a significant development that can improve productivity and output. However, the cybersecurity risks associated with increased connectivity must also be addressed to ensure the safety and security of these systems. The decision to implement these technologies must consider the potential benefits against the potential risks.
FROM THE MEDIA: The packaging industry is faced with the question of whether embracing Industry 4.0 and the Industrial Internet of Things (IIoT) is necessary for survival in today's competitive environment. While mechatronics, which is a blending of mechanical and electrical systems, has helped improve packaging lines, it has its limitations in terms of productivity and output. Mechatronics provides the flexibility to quickly implement format changes, but IIoT provides connectivity to many data points inside and outside a system. The analysis of data gathered by IIoT technologies is what gives a manufacturer the insight needed to optimize control algorithms. However, connecting packaging lines to the plant network and IIoT implementation exposes them to increased cyber-attack threats. Companies need to weigh the value of the improvements to their systems against the potential for cyber damage.
READ THE STORY: Packaging Digest
China's role in Saudi-Iran deal a tricky test for the U.S.
Analyst Comments: The agreement could offer a possible path to rein in Tehran's nuclear program and a chance to cement a ceasefire in Yemen. It could also provide a potential partner for the US and Israel in reviving talks on the Iran nuclear issue. However, the involvement of China as a peace broker could contribute to the narrative of a shrinking US global presence and rising Chinese power and influence.
FROM THE MEDIA: The recent deal between Iran and Saudi Arabia to restore diplomatic ties, brokered by China, offers potential benefits for the United States, including a possible path to rein in Tehran's nuclear program and a chance to cement a ceasefire in Yemen. However, the role of China in brokering the deal in a region where the US has long wielded influence has made officials in Washington uneasy. While the White House believes that internal and external pressure, including effective Saudi deterrence against attacks from Iran or its proxies, ultimately brought Tehran to the table, some experts see China's role as the most significant aspect of the agreement. The involvement of China in brokering the deal could have significant implications for the US, indicating a growing Chinese power and influence that contributes to a narrative of a shrinking US global presence.
READ THE STORY: Japan Today
Intel Committees Warn China Is A Threat To US Through Espionage And TikTok
Analyst Comments: The concerns raised by the heads of Congress' intelligence committees and the director of National Intelligence about China's growing threat to U.S. national security are significant in a strategic sense. The expansion of China's nuclear arsenal and shipbuilding, as well as its attempts to challenge U.S. dominance in the global economy, technology, and military, present a serious challenge to U.S. security and influence. The use of TikTok by China to potentially undermine U.S. security and spread state propaganda adds another dimension to this threat. The Biden administration's pursuit of banning TikTok from federal government-issued phones reflects a commitment to secure U.S. digital infrastructure.
FROM THE MEDIA: The chairpersons of the House Intelligence Committee and the Senate Intelligence Committee have expressed concern over China's growing threat to the United States in an interview with ABC News. They warn that China poses a national security threat to the U.S. through espionage, technology, and TikTok. Last week, the director of National Intelligence, Avril Haines, revealed that China is the "most consequential threat" to U.S. national security and is attempting to challenge the U.S.'s dominance in the global economy, technology, and military. The Biden administration has pursued banning the popular Chinese video-sharing app TikTok from federal government-issued phones to protect official data, and federal government agencies have been instructed to purge TikTok from official devices within 30 days.
READ THE STORY: IBT
Items of interest
Telehealth startups gave private health information to Google, Meta, TikTok, and more
Analyst Comments: Cerebral's use of tracking technologies and data-sharing practices, along with its delayed and obscure disclosure, indicates a lack of regard for user privacy and inadequate security measures. The fact that social media companies now have access to this data without any obligation to delete it further highlights the need for stricter regulations and accountability in data handling. This breach also underscores the importance of user vigilance and caution when sharing personal information online.
FROM THE MEDIA: Cerebral used tracking technologies from third parties to share users' protected health information, such as names, phone numbers, email addresses, birthdays, IP addresses, results of their mental health self-assessments, treatments, and other clinical information with Google, Meta, and TikTok. This sharing of data is a violation of the U.S. health privacy law HIPAA.
READ THE STORY: Mashable
Custom Cyberdeck For (Legal) Satellite Hacking (Video)
FROM THE MEDIA: In the video, the presenter demonstrates how he is building a custom portable computer system for his satellite and radio experiments. He wants to combine all the cables and equipment he has into one self-contained unit that is portable. He starts with an old broken laptop and connects it to an external VGA monitor and USB-powered monitor. He tries to install drivers for the USB monitor and uses a broken Chromebook as the brains of the cyberdeck. However, he faces several issues such as a short circuit, lack of power supply, and flaky USB ports. Finally, he decides to use a pile of old Windows XP all-in-one cop car computers, which he got for a dollar, to build his cyberdeck.
A Crash Course in Railway Safety (Video)
FROM THE MEDIA: The speaker in the YouTube video is Anthony Williams, a safety-critical software engineer who has spent his career working on air traffic control and train-borne ERTMS/ETCS equipment. In his talk, he covers railway safety throughout history, with a focus on the periods up to 1890 and from 1980 to the present day. He discusses early railway accidents, the formation of Her Majesty's Railway Inspectorate, and significant events like the Armagh disaster of 1889, which led to the adoption of "lock, block, and brake" by railway companies. Williams also gives a brief overview of signaling and acknowledges that another speaker covered it in more detail.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.