Tuesday, February 07, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Putin’s Disinformation War in Africa
Analyst Comments: Why do we care? Russosphère's disinformation campaign is a threat to the West's influence in Africa. It is breeding mistrust between African nations and the West, and has the potential to create a new geopolitical reality in the region. Russia has been vying for influence in Africa for some time, and this campaign has been successful in promoting its agenda.
FROM THE MEDIA: A coalition of activists on various social networks is helping Russia expand its influence in some of France’s former colonies in Africa. The Russosphère network promotes posts accusing France of “modern colonialism”, praising Putin and the Wagner group, and calling the Ukrainian army “Nazi” and “Satanist”. Experts say this disinformation campaign breeds mistrust between African nations and the West. The BBC recently uncovered the man behind it all: a 65-year-old Belgian politician named Luc Michel. He claims to have created the network without receiving financial support from Russia, and says his goal is for Russia to replace the French in Africa. While it’s difficult to measure the impact of specific disinformation campaigns, Russian flags are being flown at protests in several African countries, indicating the success of pro-Russian operations.
READ THE STORY: The Goa Spotlight
Darknet drug market BlackSprut openly advertises on billboards in Moscow
Analyst Comments: Why do we care? Because of their anonymity, these platforms can be difficult to monitor and take down. Darknet marketplaces have been linked to serious criminal activities, including sales of illicit items and services. Public advertising of this kind increases their reach among the general public.
FROM THE MEDIA: Recently in Moscow, electronic billboards caught the attention of residents and the Russian media. They advertised BlackSprut, a Russia-linked darknet drug trading platform. It's unclear why the ads were permitted, but it could be that no one in a position of authority simply cared. BlackSprut is known for backing the Kremlin, donating cryptocurrency to pro-Russian paramilitary fighters, and supporting Russia’s invasion of Ukraine. It's difficult for law enforcement to capture darknet marketplaces because they are anonymous and can easily migrate to new infrastructure. In Russia, cybercrimes are usually investigated slowly and not very efficiently.
READ THE STORY: The Record
Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack
Analyst Comments: The goal of this attack is to undermine public confidence, but it also shows the Iranian APT’s ability to act against media targets internationally. Their growing effectiveness is linked to support from Russia and China.
FROM THE MEDIA: Microsoft has attributed a hack of the French satirical magazine Charlie Hebdo in early January 2023 to an Iranian state-backed group called NEPTUNIUM. The attack was likely a retaliation against the publication for a cartoon contest "ridiculing" the Iranian Supreme Leader Ali Khamenei. NEPTUNIUM posted a sample of the 200,000 stolen customer records on YouTube and hacker forums and amplified the leak using false-flag personas, sockpuppet accounts, and impersonation of authoritative sources. The goal is to undermine public confidence in the security of the victim's data and to embarrass companies and countries.
READ THE STORY: THN
TrickGate crypter discovered after 6 years of infections
FROM THE MEDIA: Check Point Research has uncovered TrickGate, a crypter that has remained undetected for six years and is responsible for several major malware infections around the globe. TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs. It has been used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more. To combat the threat, security solutions need to implement specific detections for crypters that are known to be malicious. Additionally, reverse engineers should focus on analyzing both the malware itself and the packers/crypters used to deliver it.
READ THE STORY: TechRepublic
Crypto Drainers Are Ready to Ransack Investor Wallets
FROM THE MEDIA: Crypto drainers are malicious scripts used to steal victims' crypto assets through phishing pages that imitate popular crypto services. They are becoming increasingly popular and easy to deploy for cybercriminals, who can purchase them for a relatively low price or even get them for free. Crypto investors should be aware of these threats, and exchanges and other platforms must educate users about the dangers of crypto drainers. Furthermore, DeFi platforms should invest in better security measures, such as code auditing, simulated attacks, and transaction fail-safes.
READ THE STORY: DARKReading
Balloons to cyber attacks: How China has spied on the US for decades
FROM THE MEDIA: China has a long history of espionage against the United States, using many forms, including human, signals, electronic, and cyber intelligence. China has captured a Navy EP-3 spy plane, planted an alleged mole in the FBI, and hacked the Office of Personnel Management, while they are also believed to be rerouting global internet traffic to study communications. China sent a surveillance balloon over the United States, but this is only one part of their wide-ranging efforts. The U.S. military is taking measures to counter Chinese espionage, such as arresting agents and finding moles. Last month, Chinese national Ji Chaoqun was sentenced to eight years in prison for espionage.
READ THE STORY: Task & Purpose
Hive takedown puts ‘small dent’ in ransomware problem
FROM THE MEDIA: The Justice Department's disruption campaign and seizure of the Hive ransomware group's IT infrastructure was a significant win in the fight against ransomware, but experts don't expect it to ultimately diminish the persistent threat. The Hive members will likely regroup or splinter to join other ransomware groups, and the majority of target victims don’t report attacks. Threat actor takedowns can slow activity in one circle of cybercrime but are not an effective deterrent, as ransomware remains a lucrative business. Lowering the overall impact requires organizations to improve their defense and resilience while reducing threat actor capabilities. Law enforcement observed Hive's tools and tactics during its months-long presence on the group's infrastructure, which may provide long-term benefits for potential victims, but whether law enforcement or threat actors gain meaningful and prolonged advantages from the Hive takedown remains an open question.
READ THE STORY: CyberSecurityDive
UN report: North Korea stole more crypto in 2022 than ever before
FROM THE MEDIA: A confidential United Nations report has revealed that North Korea set a record for its cryptocurrency crimes last year, with South Korea estimating that North Korean-linked hackers stole virtual assets worth at least $630 million in 2022. The U.N. report said groups controlled by the Reconnaissance General Bureau, North Korea’s primary intelligence organization, carried out the majority of the reported cyber attacks. Additionally, the report noted that North Korea used increasingly sophisticated cyber techniques to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programs. The report is due to be released publicly later this month or early next month.
READ THE STORY: The Hill
New strike against encrypted criminal communications with dismantling of Exclu tool
FROM THE MEDIA: Judicial and law enforcement authorities in the Netherlands, Germany and Poland have dismantled the Exclu application, which was used by criminal networks for encrypted communication. 45 arrests were made in the Netherlands and Belgium, 79 locations were searched, 1 200 police officers were deployed, and EUR 5.5 million in cash, 300 000 ecstasy tablets and 20 firearms were seized. Eurojust and Europol provided support for the operation. This follows the successful dismantling of the EncroChat and Sky ECC communication tools in 2020 and 2021. Dismantling such tools sends shockwaves through organized crime groups across Europe.
READ THE STORY: EUROJUST
Google unveils ChatGPT rival
FROM THE MEDIA: Google launched an AI tool called Bard that can provide detailed answers to queries. Meanwhile, bipartisan lawmakers are pushing for a ban on TikTok due to national security and privacy concerns, while Texas has proposed its own ban. Dell Technologies is cutting 6,600 jobs due to the challenging economic environment, and Senate Majority Leader Charles Schumer is facing pressure from advocacy groups to prioritize antitrust bills targeting tech giants. Lastly, Rep. Marjorie Taylor Greene is calling for an investigation into why former President Trump was apparently not informed of previous Chinese surveillance balloons.
READ THE STORY: The Hill
Rethinking the AI wave in digital warfare
FROM THE MEDIA: The next 10 years will see the implementation of a new AI-driven revolution in military affairs (AI RMA). This will involve the integration of artificial intelligence, cyber power and data science, cognitive science and robotics into all levels of military operations. Early signs of this AI wave are already appearing, with militaries using algorithms to automate threat detection and identify anomalies in data sets. The weaponization of algorithmic warfare is also likely to increase with rapid advances in science and technology. Militaries must adapt by re-engineering existing C4ISR strategies and doctrines, and grapple with the ethical implications of new weapons technologies. The gap between the “haves” and “have-nots” in military capabilities between countries may widen further.
READ THE STORY: East Asia Forum
Cybercrime Shows No Signs of Slowing Down
FROM THE MEDIA: 2022 and 2023 will see a continuation of global risks from population pressures and climate change to political conflicts and industrial supply chain challenges. Cybercriminals will take advantage of this chaos to exploit trending topics, such as significant events, public affairs, social causes, and more. CaaS offerings will rise, supply chains will be bigger targets than ever, dwell time for attackers will decrease, attackers will rebrand, endpoint protection won't be enough, and leaked source code will lead to forks in malware.
READ THE STORY: DARKReading
Microsoft Visual Studio exploited in malware attacks
FROM THE MEDIA: Threat actors have been leveraging Microsoft Visual Studio Tools for Office (VSTO) to integrate .NET-based malware into Office add-ins, as an alternative to embedding in documents VBA macros that fetch malware from an external source. These malicious add-ins are packaged with the document files or downloaded from a remote location and are executed when the document is opened with the associated Office app. The payload dependencies are typically stored alongside the document in an ISO container, and attackers often set them to "hidden" in order to trick the victim into allowing the action.
READ THE STORY: SCMAG
Here's a list of proxy IPs to help block KillNet's DDoS bots
FROM THE MEDIA: SecurityScorecard has developed a free tool to help organizations defend against KillNet’s distributed-denial-of-service (DDoS) bots. The tool is an open proxy IP blocklist that lists tens of thousands of proxy IP addresses used by the Russian hacktivists in their network-traffic flooding events. The US Department of Health and Human Services has also issued warnings about the threat Killnet poses to the health-care sector. While DDoS attacks are common, they can be used to mask more intrusive actions. Akamai noted that healthcare is likely to continue as a prime target, and that these attacks usually focus on organizations that aren't well protected.
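As an added illustration of how a defender would put a proxy blocklist like the one above to work (this is example code written for this digest, not SecurityScorecard's tool or anything from The Register), the script below loads a blocklist, matches it against web server access-log lines, and ranks the blocklisted addresses already hitting the site so they can be fed into firewall rules. It goes slightly beyond the article in accepting CIDR ranges as well as single addresses, and in skipping malformed blocklist entries and unparseable log lines instead of failing on them. All addresses, blocklist entries and log lines are constructed samples (RFC 5737 documentation ranges, not real proxies).

```python
"""Apply an open-proxy IP blocklist to access logs (added example, constructed data)."""
import ipaddress
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed blocklist: single IPs and one CIDR range, with a comment and a bad entry.
SAMPLE_BLOCKLIST = """
# open proxies seen in flooding events (constructed sample)
192.0.2.10
192.0.2.11
198.51.100.0/24
not-an-ip
203.0.113.77
"""

# Constructed combined-format access log lines (one deliberately unparseable).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [07/Feb/2023:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.42 - - [07/Feb/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.81"
10.0.0.5 - - [07/Feb/2023:10:01:03 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.42 - - [07/Feb/2023:10:01:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.81"
192.0.2.10 - - [07/Feb/2023:10:01:04 +0000] "POST /login HTTP/1.1" 429 0 "-" "Mozilla/5.0"
garbage line that does not parse
203.0.113.9 - - [07/Feb/2023:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


class Blocklist:
    """Single addresses go in a set (O(1) lookup); CIDR ranges in a list of networks."""

    def __init__(self, text: str) -> None:
        self.hosts = set()
        self.networks = []
        self.rejected: List[str] = []  # malformed entries, kept for reporting
        for raw in text.splitlines():
            entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
            if not entry:
                continue
            try:
                if "/" in entry:
                    self.networks.append(ipaddress.ip_network(entry, strict=False))
                else:
                    self.hosts.add(ipaddress.ip_address(entry))
            except ValueError:
                self.rejected.append(entry)

    def contains(self, addr) -> bool:
        return addr in self.hosts or any(addr in net for net in self.networks)


def extract_client_ip(line: str):
    """Return the leading client address of a combined-format log line, or None."""
    token = line.split(" ", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def match_access_log(blocklist: Blocklist, lines: Iterable[str]) -> Tuple[Counter, int]:
    """Count requests per blocklisted client IP; also count lines we could not parse."""
    hits: Counter = Counter()
    unparsed = 0
    for line in lines:
        addr = extract_client_ip(line)
        if addr is None:
            unparsed += 1
            continue
        if blocklist.contains(addr):
            hits[str(addr)] += 1
    return hits, unparsed


def top_offenders(hits: Counter, min_hits: int) -> List[Tuple[str, int]]:
    """Blocklisted IPs with at least min_hits requests, busiest first (ties by address)."""
    return sorted(((ip, n) for ip, n in hits.items() if n >= min_hits),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_BLOCKLIST)
    counts, bad_lines = match_access_log(bl, SAMPLE_ACCESS_LOG.splitlines())
    print(f"rejected blocklist entries: {bl.rejected}; unparsed log lines: {bad_lines}")
    for ip, n in top_offenders(counts, min_hits=1):
        print(f"{ip}\t{n} requests (candidate for a firewall drop rule)")
```

The ranked output is what you would review before turning it into firewall rules; keeping the malformed-entry and unparsed-line counts visible guards against silently applying a truncated or badly exported list.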
READ THE STORY: The Register
The Challenges of Hybrid Warfare in Pakistan
FROM THE MEDIA: Hybrid warfare refers to the use of a mixture of conventional and unconventional military tactics and techniques in order to achieve strategic objectives. It has become increasingly prevalent in recent years and has been used by numerous actors, including state and non-state actors. In Pakistan, hybrid warfare has been a persistent issue due to its strategic location and the presence of numerous internal and external security threats. Major contributors to the security situation in Pakistan include the state's use of hybrid warfare tactics in its foreign policy, the rise of extremist and militant groups, India’s use of proxies in the area to wage a Low-Intensity Conflict (LIC), sectarianism, and foreign intelligence agencies such as the CIA. To combat hybrid warfare in Pakistan, a multi-faceted approach is needed that addresses the root causes of the conflict and provides stability, security, and prosperity to the people of the country. This could involve economic and social reforms, strengthening institutions, improving governance, and building resilience.
READ THE STORY: Modern Diplomacy
NYC to boost communication between privacy and cyber efforts
FROM THE MEDIA: The New York City Office of Information Privacy has updated its citywide data-privacy policy in order to refine interoperability and collaboration between cybersecurity and privacy efforts. The update includes a refresher training on the requirements of a 2017 law, and urges privacy officers to establish monthly meetings with their agencies’ chief information security officers. The update also includes an agency privacy officer toolkit hosted in the city intranet with compliance models and guidance on data retention. This is all part of the city's effort to create standardized privacy practices across its agencies that stand independent of cybersecurity efforts.
READ THE STORY: StateScoop
OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
FROM THE MEDIA: OpenSSH 9.2 has been released to address a memory safety vulnerability in the OpenSSH server (sshd) introduced in version 9.1. Tracked as CVE-2023-25136, it is classified as a pre-authentication double free vulnerability that is not believed to be exploitable due to protective measures implemented by modern memory allocators and the robust privilege separation and sandboxing of the sshd process. Users are advised to update to OpenSSH 9.2 to mitigate potential security threats.
READ THE STORY: THN
Hackers backdoor Windows devices in Sliver and BYOVD attacks
FROM THE MEDIA: A new hacking campaign has been discovered exploiting Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks. The attackers target two 2022 vulnerabilities in Sunlogin, using readily available proof of concept (PoC) exploits to execute an obfuscated PowerShell script to disable security products before deploying backdoors. The script loads a modified version of the Mhyprot2DrvControl open-source tool to exploit a vulnerable driver for kernel-level privileges, allowing it to terminate anti-malware processes. Microsoft recommends enabling the vulnerable driver blocklist to protect against these attacks, as well as blocking the AV killer hash and monitoring event logs for newly installed services named "mhyprot2."
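The Microsoft guidance summarised above boils down to a log check: look for newly installed services named "mhyprot2". The script below is an added example written for this digest (not from BleepingComputer, Microsoft or the campaign's own tooling) showing that check over Windows System-log Event ID 7045 ("A service was installed in the system") records exported to JSON, for instance from PowerShell's Get-WinEvent piped through ConvertTo-Json. The records are constructed and simplified to a plain list of property values (service name, image path, service type, start type, account); the driver file name "mhyprot2.sys" and the "kernel driver outside the Windows directory" heuristic are my own assumptions added for triage, not indicators from the article.

```python
"""Triage exported Event ID 7045 records for the BYOVD indicator (added example, constructed data)."""
import json
from dataclasses import dataclass
from typing import List

SERVICE_INSTALL_EVENT_ID = 7045

# Indicators: the service name comes from the article; the driver file name is an assumption.
SUSPICIOUS_SERVICE_NAMES = {"mhyprot2"}
SUSPICIOUS_DRIVER_FILENAMES = {"mhyprot2.sys"}
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "\\??\\c:\\windows\\")

# Constructed export: a benign user-mode service, the indicator itself, an unrelated
# 7036 event that must be ignored, and a renamed service pointing at the same driver.
SAMPLE_EVENTS_JSON = r"""
[
 {"Id": 7045, "TimeCreated": "2023-02-06T09:14:02Z", "MachineName": "ws01",
  "Properties": ["PrintSpoolerHelper", "C:\\Windows\\System32\\svchost.exe -k print", "user mode service", "auto start", "LocalSystem"]},
 {"Id": 7045, "TimeCreated": "2023-02-06T09:20:55Z", "MachineName": "ws01",
  "Properties": ["mhyprot2", "\\??\\C:\\Users\\Public\\mhyprot2.sys", "kernel mode driver", "demand start", ""]},
 {"Id": 7036, "TimeCreated": "2023-02-06T09:21:00Z", "MachineName": "ws01",
  "Properties": ["mhyprot2", "running"]},
 {"Id": 7045, "TimeCreated": "2023-02-06T09:30:11Z", "MachineName": "ws02",
  "Properties": ["WinSvcUpd", "\\??\\C:\\Temp\\MHYPROT2.SYS", "kernel mode driver", "demand start", ""]}
]
"""


@dataclass
class Finding:
    machine: str
    time: str
    service_name: str
    image_path: str
    reason: str


def _basename(path: str) -> str:
    # Image paths in 7045 events often carry the \??\ NT prefix; keep only the last component.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_suspicious_service_installs(events_json: str) -> List[Finding]:
    """Return one Finding per 7045 record that matches an indicator or the triage heuristic."""
    findings: List[Finding] = []
    for ev in json.loads(events_json):
        if ev.get("Id") != SERVICE_INSTALL_EVENT_ID:
            continue  # only service-install events carry the name/path pair we need
        props = ev.get("Properties") or []
        if len(props) < 2:
            continue  # malformed record: skip rather than crash the sweep
        name, image = str(props[0]), str(props[1])
        reasons = []
        if name.lower() in SUSPICIOUS_SERVICE_NAMES:
            reasons.append(f"service name {name!r} matches indicator")
        if _basename(image).lower() in SUSPICIOUS_DRIVER_FILENAMES:
            reasons.append(f"driver file {_basename(image)!r} matches indicator")
        # Low-confidence heuristic (assumption, needs an allowlist in practice): a kernel
        # driver installed from outside the Windows directory is worth a second look.
        is_kernel_driver = len(props) > 2 and "kernel mode driver" in str(props[2]).lower()
        if is_kernel_driver and not image.lower().startswith(WINDOWS_DIR_PREFIXES):
            reasons.append("kernel driver installed from outside the Windows directory")
        if reasons:
            findings.append(Finding(ev.get("MachineName", "?"), ev.get("TimeCreated", "?"),
                                    name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_service_installs(SAMPLE_EVENTS_JSON):
        print(f"{f.time} {f.machine}: service {f.service_name!r} -> {f.image_path}\n    {f.reason}")
```

Matching on the driver file name as well as the service name is what catches the fourth record, where the service was renamed but the driver was not; the directory heuristic is deliberately kept separate and labelled so it can be tuned or dropped without touching the indicator matches.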
READ THE STORY: BleepingComputer
GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry
FROM THE MEDIA: Cybersecurity firm Trellix recently disclosed an ongoing GuLoader malware campaign targeting e-commerce industries in South Korea, the U.S., Germany, Saudi Arabia, Taiwan and Japan. The malspam activity has shifted away from using macro-laced Word documents to NSIS executable files embedded within ZIP or ISO images. NSIS is a script-driven open source tool used to develop installers for the Windows operating system. GuLoader has become increasingly sophisticated in its obfuscation and encryption layers, as threat actors look for alternative methods of distribution in response to Microsoft's blocking of macros in Office files.
READ THE STORY: THN
West Virginia students returning to class after days-long outage following cyberattack
FROM THE MEDIA: Berkeley County Schools in West Virginia was hit with a cyberattack on Friday, forcing officials to cancel classes on Monday while they investigate the attack and work to restore operations. It is the sixth reported incident of a school district facing a cyberattack in 2023 and part of a larger trend of increasing K-12 cyber incidents across the country. Law enforcement has been contacted, but it is not known yet if any personal data has been breached. Classes will resume on Tuesday.
READ THE STORY: The Record
‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims
FROM THE MEDIA: Cybersecurity authorities in Europe are warning of a massive ransomware campaign targeting VMware ESXi servers. The attack began on February 3rd, 2023 and has already affected over 3200 systems in Europe and North America. The vulnerability used is CVE-2021-21974 and the attackers are using an additional file with the extension .args for encryption information. It is important to update unpatched servers immediately and use secure connections if external access is necessary. Additionally, the Juniper blog should be checked for Indicators of Compromise (IOCs).
READ THE STORY: The Record
Russian Hacktivists Actively Targeting Hospitals With DDoS Attacks in the US and Pro-Ukraine Countries
FROM THE MEDIA: The US Department of Health and Human Services (HHS) warned about a widespread DDoS attack campaign targeting healthcare organizations by the Russian hacktivist group Killnet. The attack is part of a politically-motivated campaign against countries supporting Ukraine, such as NATO members. The attacks have targeted hospitals in multiple countries, including the US, UK, Germany, Netherlands, and Norway. HHS has published a list of recommended mitigations, such as testing and monitoring, implementing response plans, upscaling, deploying upstream defenses, and understanding the connected services. It is unclear how Killnet will be dismantled given its suspected political connections in the Kremlin and public support within Russia.
READ THE STORY: CPO
Rogue Russia will become a global version of Iran
FROM THE MEDIA: Russia is increasingly turning to asymmetric warfare and cyberattacks to try to weaken Western unity and exert pressure on Ukraine. This includes threats of moving tactical nuclear weapons, increased cyberattacks on governments and private companies, political interference in elections, and sabotage of energy and communications infrastructure. While Putin will avoid a direct military confrontation that could result in his quick defeat or the use of nuclear weapons, these sorts of games can lead to miscalculations and accidents. Fortunately, Russia is unlikely to launch major cyberconflicts with Western governments for fear of retaliation. These threats will continue to strengthen transatlantic unity and occupy US and European policymakers until Putin leaves power.
READ THE STORY: Financial Review
Russia-linked Lockbit hackers threaten to publish Royal Mail data
FROM THE MEDIA: A Russia-linked hacking gang has claimed responsibility for the cyber attack that shut down Royal Mail's international export services, causing significant delays. The LockBit ransomware gang has threatened to publish stolen data from the company on Feb 9th and has already demanded payment in order to unlock the machines. Royal Mail believes no customer data was stolen and has been using alternative systems to get mail moving, subject to delays.
READ THE STORY: The Telegraph
Embarrassment as US cyber ambassador's Twitter account is hacked
FROM THE MEDIA: Nate Fick, the US Ambassador at Large for Cyberspace and Digital Policy, had his personal Twitter account hacked over the weekend. The US Department of State did not provide any details about who was responsible or how they accessed Fick's account. Fick is currently in South Korea discussing cybersecurity cooperation and securing IT infrastructure, and prior to joining the State Department he was CEO of security software company Endgame. It is unclear if Fick's password was weak, but it is likely that he takes cybersecurity seriously as an experienced infosec executive.
READ THE STORY: The Register
Russian Pleads Guilty In U.S. On Money-Laundering Charge
FROM THE MEDIA: Russian citizen Denis Dubnikov pleaded guilty on February 6 to one count of conspiracy to commit money laundering, according to the U.S. District Court of Oregon. Dubnikov is scheduled to be sentenced on April 11. The Russian national, who had been sought by U.S. prosecutors for allegedly laundering cryptocurrency tied to a notorious ransomware gang, was extradited to the United States from the Netherlands in August. U.S. prosecutors accuse Dubnikov and his co-conspirators of laundering the proceeds of ransomware attacks. They allegedly laundered $400,000 in payments from victims of Ryuk, a ransomware gang believed to have extracted $70 million from individuals and companies around the world, including in the United States.
READ THE STORY: RFE
Brazilian financial orgs subjected to new PixPirate attacks
FROM THE MEDIA: The Hacker News has reported that several financial institutions in Brazil have been targeted by the novel Android banking trojan PixPirate. The malware exploits the PIX payments platform for fraudulent activities and features Automatic Transfer System capabilities to allow automated malicious money transfers. Additionally, the malware also uses accessibility services API to gather SMS messages, deactivate Google Play Protect, and curb uninstallation. Researchers believe that this could lead to more sophisticated mobile malware in the future.
READ THE STORY: SCMAG
Items of interest
A Fool With a Tool Is Still a Fool: A Cyber Take
FROM THE MEDIA: It is possible to have too many security tools if they are not used properly. New security tools may require new approaches and understanding to get the best use out of them. Additionally, it is important for CISOs to regularly assess their security stack to ensure that all tools are providing effective coverage and not causing any harm. This can be done by following frameworks such as the CIS Critical Security Controls and using a security philosophy to prioritize which controls are most important. By taking the time to assess the locks on the supply closet door, CISOs can ensure that their organization is properly secured and not wasting resources.
READ THE STORY: DARKReading
Can AI Hack Websites with XSS (Video)
FROM THE MEDIA: The video demonstrates how an AI can be used to exploit websites with XSS vulnerabilities by bypassing validation and sanitization. It explains how to create an input string that will bypass the Escape function, and then how to exploit the Escape function using cross-site scripting. The AI is impressive because it was able to figure out some intricate code, but it still lacks human understanding. The speaker mentions that it may be used for other challenges in the future.
Creating a Profitable Trading Bot in MetaTrader with AI (Video)
FROM THE MEDIA: This YouTube video tutorial demonstrates how to create a profitable trading bot with ChatGPT, a program for MetaTrader that converts code from MetaTrader to Pine Script for TradingView. It covers setting up the program, modifying the code, testing the bot, and coding errors into it. It also discusses using chatbot technology to research and trade stocks, and using ChatGPT to generate documents and detect AI-generated content.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.