Wednesday, February 08, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
‘Strange’ Russian satellite blows up into cloud of debris
Analyst Comments: Why do we care? The increasing amount of space junk in orbit increases the risk of collision with other satellites, which could result in further debris and potential harm to operational spacecraft. This highlights the need for responsible behavior in space and effective measures to mitigate and manage the threat posed by space debris.
FROM THE MEDIA: The 18th Space Defense Squadron has confirmed that a Russian satellite, Cosmos 2499, blew up last month at an altitude of 1170km, creating a cloud of debris and adding to the existing space junk. US satellite trackers had initially catalogued the satellite as a piece of debris but later identified it as a payload. This is the second time the satellite has broken up and its debris is likely to remain in orbit for many years. The problem of space debris is becoming increasingly serious, with the US Pentagon noting that the probability of collision between massive derelict objects is rising. Last year, the International Space Station had to conduct an avoidance maneuver to avoid debris from Russia’s missile tests.
READ THE STORY: Independent (UK)
China’s tech weapons roll in to quell demonstrations, identify protesters
Analyst Comments: The utilization of censorship algorithms, GPS tracking and facial recognition technology to control and curb the spread of protests showcases the lengths the Chinese government is willing to go to hold onto its power. This also highlights the growing trend of using technology to monitor and regulate populations, raising questions about the delicate balance between individual liberty and state authority in the technological era.
FROM THE MEDIA: In October 2020, a Chinese activist named Peng Lifa unfurled two banners condemning President Xi Jinping's "zero-COVID" policies. This was one of the precursors to the largest street demonstrations in China since 1989. In order to keep the protests from getting out of hand, the Chinese government employed a digital arsenal that included censoring algorithms, GPS tracking and facial recognition software. Despite this, videos of protests from all over China began appearing on international social media sites due to people finding ways to trick the system. The Chinese government also used spambots to inject distracting content into feeds outside of China. Meanwhile, they were using their sophisticated surveillance system to track protesters and round up anyone who was deemed a threat.
READ THE STORY: The Record
Ways The Russian Machinery Tries To Manipulate Us
Analyst Comments: Why do we care? The report highlights the use of image and video manipulation, cross-posting, and impersonation of legitimate entities, and shows that Russian diplomatic channels are a key part of the disinformation ecosystem.
FROM THE MEDIA: The first EEAS Report on Foreign Information Manipulation and Interference (FIMI) Threats was released today. It offers a common framework to counter foreign threat actors and details the most common manipulative techniques, tactics, and procedures (TTPs) used by pro-Kremlin actors. The report indicates that Russian diplomatic channels are an important part of the ecosystem and that malicious narratives are often spread in multiple languages. Impersonation of legitimate entities is also a featured technique. The findings of the report will help to support global efforts to counter disinformation and information manipulation.
READ THE STORY: The Paradise
CERT-UA Alerts Ukrainian State Authorities of Remcos Software-Fueled Cyber Attacks
Analyst Comments: The phishing campaign using Remcos software poses a serious threat to victims, as it grants the attacker full access to their computer systems. The attribution to UAC-0050, which is likely motivated by espionage, only adds to the significance of this alert. It is important for individuals and organizations to be vigilant and take the necessary precautions to protect themselves from such attacks.
FROM THE MEDIA: CERT-UA has issued an alert warning of a phishing campaign using Remcos, a legitimate remote access tool. The malicious emails masquerade as being from Ukrtelecom and have a decoy RAR archive attached. That archive contains a second RAR archive, which in turn holds an executable file that installs Remcos on the victim's computer, granting full access to their system. The threat actor behind this campaign is UAC-0050, which is likely motivated by espionage. Remcos can be used to steal user credentials, gain control over online accounts and deploy additional malware variants.
READ THE STORY: THN // The Record
UK Financial Regulator: Country’s Cyber Insurance Providers Lack Consistency in Risk Assessments, Modeling Capability
FROM THE MEDIA: A critical report from the Bank of England’s Prudential Regulation Authority has found that the UK cyber insurance market lacks the desired level of consistency in a number of elements. The regulator tested industry responses to three underwriting scenarios involving cyber attacks or accidents and found large discrepancies in areas such as loss calculations and the anticipated risks of specific events. UK financial regulators are urging cyber insurance firms to develop greater consensus in anticipation of future supervision, including working on policy language that is unambiguous and will stand up in court. The study also revealed that firms rely heavily on third-party and related-party reinsurance as a loss mitigant, and that SCR coverage remains above 120% in all scenarios.
READ THE STORY: CPO
Balloons vs. satellites: Popping some misconceptions about capability and legality
Analyst Comments: The Chinese weather balloon is a security and psyops concern as it may be utilized for espionage, reconnaissance, interception of communications, and intelligence gathering on civilian populations and key infrastructure. It's worth mentioning that during the Cold War, the Soviet Union was known to have flown weather balloons over the US for the purpose of espionage and reconnaissance.
FROM THE MEDIA: The Chinese spy balloon shot down by an American F-22 fighter off the coast of South Carolina has raised questions about why China would use a balloon for spying. Balloons have certain advantages over satellites, but they are subject to international aviation law, and the US has a legal right to shoot down foreign aircraft entering its airspace without permission. Sen. Rick Scott's call to warn China by declaring the intent to shoot down any future balloons within 100 miles of the US coast goes beyond the US territorial water boundary.
READ THE STORY: Breaking Defense
Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm
FROM THE MEDIA: SentinelOne has detected the first-ever Linux variant of the Clop ransomware in the wild. Despite its early-stage development, it still contains a flawed encryption algorithm that makes it possible to decrypt locked files without paying the ransom. The attack is targeting educational institutions in Colombia, and threat actors are increasingly venturing beyond Windows to target other platforms. To prevent such attacks, users should ensure that all their systems are up-to-date with the latest security patches, and use endpoint protection solutions to detect malicious activity.
READ THE STORY: THN
Medusa botnet returns as a Mirai-based variant with ransomware sting
FROM THE MEDIA: A new version of the Medusa DDoS botnet has been spotted in the wild, featuring a ransomware module and a Telnet brute-forcer. It is based on Mirai code and promises stability, anonymity, and support for DDoS/mining as a service. The ransomware function appears to be broken, making it more of a data wiper than a true extortion tool. Additionally, it features a data exfiltration tool and a Telnet attack function. The malware is still under development and incompletely supports the “FivemBackdoor” and “sshlogin” commands.
READ THE STORY: BleepingComputer
New QakNote attacks push QBot malware via Microsoft OneNote files
FROM THE MEDIA: A new QBot malware campaign dubbed "QakNote" has been observed in the wild since last week, using malicious Microsoft OneNote .one attachments to infect systems with the banking trojan. The attacks employ two distribution methods: emails with an embedded link to the weaponized .one file and a “thread injection” method where the QBot operators hijack existing email threads and send a “reply-to-all” message with a malicious attachment. To defend against this attack vector, administrators should consider blocking all .one file extensions, as they are not commonly sent as attachments.
READ THE STORY: BleepingComputer
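The QakNote item above recommends blocking .one attachments at the mail gateway and describes the "thread injection" delivery, where a hijacked thread receives a reply-to-all carrying the malicious file. The following is an added example written for this digest, not code from BleepingComputer or the QakNote research: a small Python filter over raw RFC 822 messages that quarantines .one attachments (matched by extension or by OneNote MIME type, case-insensitively) and records whether the message arrived as a reply in an existing thread. It goes slightly beyond the article by also looking one level into ZIP attachments, since the same file is commonly shipped inside an archive. All sample messages are constructed inline; the policy constants are assumptions for an organisation that never exchanges OneNote files by email.

```python
"""Gateway-side filter for OneNote (.one) attachments.

Added example for this digest; assumes only the Python standard library and
that the gateway hands the filter the raw message bytes.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Policy assumptions: .one is refused outright, as the article suggests.
BLOCKED_EXTENSIONS = (".one",)
BLOCKED_MIME_TYPES = {"application/onenote", "application/msonenote"}
ZIP_MIME_TYPES = {"application/zip", "application/x-zip-compressed"}


def is_blocked_name(name: str) -> bool:
    """Case-insensitive extension check, so 'Invoice.ONE' matches as well."""
    return name.strip().lower().endswith(BLOCKED_EXTENSIONS)


def find_blocked_attachments(raw: bytes) -> list[str]:
    """Return the names of attachments that violate the .one policy.

    ZIP attachments are opened one level deep (generalisation of the advice in
    the article); an unreadable ZIP is reported rather than silently passed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if is_blocked_name(name) or ctype in BLOCKED_MIME_TYPES:
            hits.append(name or f"<unnamed {ctype}>")
        elif ctype in ZIP_MIME_TYPES or name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits.extend(f"{name}:{m}" for m in zf.namelist() if is_blocked_name(m))
            except zipfile.BadZipFile:
                hits.append(f"{name}:<unreadable zip>")
    return hits


def triage(raw: bytes) -> dict:
    """Combine the attachment check with the thread-hijack signal from the
    article: a reply inside an existing thread that carries a .one file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = find_blocked_attachments(raw)
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    return {
        "blocked": hits,
        "reply_in_thread": in_thread,
        "action": "quarantine" if hits else "deliver",
    }


def build_sample(filename: str, payload: bytes, subtype: str, reply: bool = False) -> bytes:
    """Construct a test message (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "RE: contract" if reply else "contract"
    if reply:
        msg["In-Reply-To"] = "<original-msg@example.test>"
    msg.set_content("Please see the attached document.")
    if filename:
        msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def zipped(member: str, data: bytes) -> bytes:
    """Build an in-memory ZIP holding a single member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("plain pdf", build_sample("contract.pdf", b"%PDF-1.4", "pdf")),
        ("onenote in reply", build_sample("Invoice.ONE", b"\x00" * 16, "octet-stream", reply=True)),
        ("zipped onenote", build_sample("docs.zip", zipped("notes.one", b"x"), "zip")),
    ]
    for label, raw in samples:
        print(label, triage(raw))
```

The extension check is deliberately independent of the declared MIME type: a mail client will usually label a .one file as application/octet-stream, so a filter that keys only on MIME type misses it. The `reply_in_thread` flag is a triage signal rather than a block criterion on its own, since most legitimate mail is also a reply.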
Tackling the New Cyber Insurance Requirements: Can Your Organization Comply?
FROM THE MEDIA: To qualify for a cyber insurance policy, companies must close gaps in their identity protection. However, identifying those gaps can be extremely difficult without the right tools. A thorough assessment can reveal any MFA and privileged account protection weaknesses, as well as other areas of vulnerability, such as old passwords, orphaned user accounts, or shadow admins. Sign up today for a free identity protection assessment to get complete visibility into your environment and uncover any deficiencies that need to be addressed so your organization can qualify for a cyber insurance policy.
READ THE STORY: THN
Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework
FROM THE MEDIA: Researchers from the AhnLab Security Emergency Response Center (ASEC) have discovered that threat actors are leveraging known security vulnerabilities in Sunlogin, a remote desktop program developed in China, to install the Sliver command-and-control (C2) framework and other malicious payloads. Attack chains commence with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33, followed by the delivery of Sliver or other malware such as Gh0st RAT and the XMRig cryptocurrency miner. The threat actor is also said to be using the BYOVD (Bring Your Own Vulnerable Driver) technique to incapacitate security products and install reverse shells.
READ THE STORY: THN
The Importance of Reverse Engineering in Network Analysis
FROM THE MEDIA: Reverse engineering is essential for creating accurate network signatures that can detect malicious activity. By analyzing the source code of a backdoor exploit, it is possible to create effective detection rules and reduce false positives. Reverse engineering allows researchers to gain a better understanding of the protocol and flow of malicious traffic, enabling them to create more efficient rules that can accurately detect any variants of the exploit. Additionally, by reverse engineering the binary of malicious tools, researchers can understand how they work, determine patterns in their execution, and develop rules that detect all forms of exploitation.
READ THE STORY: Security Boulevard
AI and Data: Balancing Progress, Privacy, and Security
FROM THE MEDIA: Data security is a major concern as the use of AI/ML technologies increases. Individuals are increasingly vulnerable to surveillance and data breaches due to the increasing collection of data and emerging technologies. AI/ML models can be used for cyberattacks in seven categories: probing, scanning, spoofing, flooding, misdirecting, executing, and bypassing. Organizations must integrate AI/ML into their cybersecurity strategies, and researchers need to develop new approaches that consider adversaries. Awareness must be raised about the dangers posed by weaponized AI/ML models.
READ THE STORY: Hacker Noon
Encrypted Messaging App Exclu Used by Criminal Groups Cracked by Joint Law Enforcement
FROM THE MEDIA: A joint law enforcement operation conducted by Germany, the Netherlands, and Poland has cracked an encrypted messaging application named Exclu used by organized crime groups. 45 individuals were arrested and 79 locations were raided, resulting in the seizure of €5.5 million in cash, 300,000 ecstasy tablets, 20 firearms, and 200 phones. Two drug laboratories were also shut down. The investigation into Exclu started in June 2020; the platform had an estimated 3,000 users, of which 750 were Dutch speakers. It was advertised as a secure communication platform with sophisticated encryption protocols.
READ THE STORY: THN
LockBit ransomware group threatens Royal Mail with data leak deadline
FROM THE MEDIA: Royal Mail is now listed on the LockBit ransomware group’s extortion site, with criminals giving the company a deadline of Thursday, February 9 to make an extortion payment. It is not known what information the group has stolen, but the listing suggests that Royal Mail has not paid the ransom or that negotiations have stalled. The attack caused their international shipment capabilities to grind to a halt last month and their share value has plummeted more than 50% since January 2022. British cyber authorities have stressed the importance of recovery as well as resistance to combat the impact of attacks.
READ THE STORY: The Record // Cyberscoop
Germany hires new cybersecurity chief in wake of Russian scandal
FROM THE MEDIA: Germany's Interior Ministry has appointed Claudia Plattner, formerly the director general for information systems at the European Central Bank (ECB), as its new cybersecurity chief. This comes after former president of the Federal Office for Information Security (BSI) Arne Schönbohm was suspended last October due to accusations that he had associated with a business connected to Russia's intelligence services. The allegations were contradicted in a later report by Der Spiegel, and Protelion, the company in question, was expelled from the Cyber Security Council Germany following the outcry.
READ THE STORY: The Record
Cybercrime and ChatGPT – A New Challenge
FROM THE MEDIA: Cybercriminals have been using ChatGPT, the AI powered chatbot, to generate malicious content such as phishing emails and malware code. Now, researchers from CheckPoint Research have uncovered another method of bypassing OpenAI's restrictions: by creating Telegram bots that use the OpenAI API. These bots are advertised on underground forums, allowing cybercriminals to create malicious content without the barriers or limitations set by ChatGPT.
READ THE STORY: CXO Today
Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware
FROM THE MEDIA: A Russian national pleaded guilty in the U.S. on February 7, 2023 to money laundering charges for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov was arrested in Amsterdam in November 2021 and extradited from the Netherlands in August 2022. He is estimated to have laundered at least $150 million in ransom payments. He faces a maximum sentence of 20 years in prison, three years' supervised release, and a fine of $500,000. The case is being investigated by the FBI and prosecuted by the U.S. Attorney’s Office for the District of Oregon.
READ THE STORY: THN // Cyberscoop
FBI thwarts neo-Nazi plot to attack Baltimore Gas & Electric substations, ‘completely destroy’ city
FROM THE MEDIA: Two suspects have been charged with planning a firearms attack on five Baltimore Gas and Electric substations in a plot to “completely destroy” the city. Had the attack been successful, and had the five targeted substations substantially comprised the high-voltage feed to the Baltimore distribution network, the resulting outage could have been “significant and lengthy.” The suspects are allegedly members of a neo-Nazi group, and the electric utility sector is working closely with law enforcement to ensure that these criminals are prosecuted to the fullest extent of the law.
READ THE STORY: SmartCitiesDive
Russian ‘WhisperGate’ hackers are using new data-stealing malware to target Ukraine
FROM THE MEDIA: Security researchers have recently observed a Russian hacking crew, known as TA471, targeting Ukrainian entities with a new information-stealing malware. The group is linked to WhisperGate, a destructive data-wiping malware used in previous cyberattacks. The latest campaign relies on an info-stealing malware called "Graphiron", which masquerades as legitimate Microsoft Office files and can exfiltrate screenshots and SSH keys. This comes after another Russian state-sponsored hacking group, UAC-0010, was discovered to be conducting frequent cyber attack campaigns against Ukrainian organizations.
READ THE STORY: TechCrunch
World’s largest drone maker is unfazed — even if it’s blacklisted by the U.S.
FROM THE MEDIA: DJI is a Chinese technology company founded in 2006 by Frank Wang in a college dorm room. It currently has over 14,000 employees and controls more than 70% of the global drone market. In December 2021, it was placed on an investment blacklist by the U.S. government because of its alleged ties to the surveillance of Uighur Muslims. DJI products have been used for military purposes, but the company denies supporting such use. DJI has also faced scrutiny in regards to data security, but has implemented improvements to their data security, including bringing a local data mode to their drones.
READ THE STORY: CNBC
A Conversation with OODA Network Expert Kristin Del Rosso on Cybersecurity and National Vulnerability Database Research
FROM THE MEDIA: Kristin Del Rosso is a product manager at Sophos focusing on Incident Response, Threat Intelligence, and the SecOps ecosystem. She discussed her presentation last year at labscon.io 2022 in Scottsdale, AZ, entitled “Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure.” Through her research, she found that the U.S. is still lagging behind China in terms of vulnerability discovery and disclosure, owing to a lack of incentives for individuals to report vulnerabilities in the U.S. compared to China's gamified system. Furthermore, China has mandated that companies with more than five people disclose vulnerabilities, and it has set up an arm dedicated to harvesting vulnerabilities at scale. The Ministry of State Security runs the CNNVD, the CNVD, and NVDB.ORG.CN, which is only available from 8 am to 8 pm Chinese time.
READ THE STORY: OODALOOP
China’s global police stations: Surveillance of Uyghur exiles
FROM THE MEDIA: The Canadian Parliament recently unanimously voted in favour of a proposal to resettle 10,000 Uyghur Muslim refugees. This comes as China has increased intimidation and pressure on the Uyghur diaspora and exiles to return to the mainland through extrajudicial means such as global police stations and cyber targeting. To counter the exposure of their atrocities against Muslim minorities in Xinjiang, Beijing has also signed joint police patrol agreements with some European countries to monitor and repatriate Uyghurs. Canada’s resettlement of 10,000 Uyghur refugees sets an example for other developed democracies to follow. However, if China is allowed to continue its extrajudicial policing, there is little hope for self-exiled vulnerable Uyghurs. Democratic regimes must continue to expose and punish China’s genocide of its Muslim minorities and show more sincerity in providing humanitarian aid.
READ THE STORY: ORF
First Linux variant of Clop ransomware targeted universities, colleges but was flawed
FROM THE MEDIA: SentinelOne researcher Antonis Terefos observed the first Linux variant of the Clop ransomware on December 26. It had issues that allowed researchers to create a decryptor tool for victims. The Linux version was used to target educational institutions and left the ransom note in a .txt format while the Windows version left it in .rtf. Despite the arrests of several actors connected to Clop, the group has not stopped operating and the development of a Linux version should prompt defenders to be ready for anything. Ransomware groups are constantly seeking new targets and methods, making Linux and cloud systems increasingly attractive targets.
READ THE STORY: The Record
Hostile Regimes Such as China’s Pose ‘Greatest Strategic Cyber Threat’ to Canada, MPs Told in Committee
FROM THE MEDIA: The House of Commons Standing Committee on National Defence heard testimony on Feb. 7 about Canada's two main cybersecurity threats: state-sponsored cyber programs from hostile nations such as Russia, China, Iran and North Korea, and cyber crimes such as ransomware attacks. The committee was also told that the Russian invasion of Ukraine serves as a laboratory for cyber warfare, and expressed concern over a Chinese high-altitude balloon that floated over Canada and the U.S. for a week before being shot down. Other topics discussed included cyber crime and ransomware attacks, social media manipulation by foreign actors, and possible incentives to get smaller companies to follow cyber security protocols.
READ THE STORY: The Epoch Times
Suspect in Finnish psychotherapy center blackmail hack arrested
FROM THE MEDIA: A 25-year-old Finnish man has been arrested in France for hacking a psychotherapy clinic and stealing the therapy notes of over 22,000 patients. He then demanded ransom payments from them and leaked their private info on a Tor website. The suspect, Julius Kivimäki, is also accused of aggravated attempted extortion, computer break-in, and dissemination of private information. If extradited to Finland, he faces remand hearings and a possible conviction. The breach dates back to November 2018, when Vastaamo, the psychotherapy center, became aware of the attack and declared bankruptcy. Victims were reportedly blackmailed with €200-€500 demands and had their names and contact details published on the dark web.
READ THE STORY: The Register
Toyota hacked again but this time it was a security researcher with no ill intent
FROM THE MEDIA: Toyota Motor Co. was recently hacked by security researcher Eaton Zveare, who gained access to its Global Supplier Preparation Information Management System in October. Fortunately for Toyota, the hacker had no malicious intent. The vulnerability allowed anyone with a valid email to access everything in the portal, which could have been a major security breach if discovered by malicious actors. As a result of this incident, Toyota and other organizations should consider their own vendor and supplier cybersecurity, while also implementing access control measures and user account privileges to protect against data breaches.
READ THE STORY: Silicon Angle
Voice.ai denies claim it violated open source software license requirements
FROM THE MEDIA: Voice.ai, maker of a voice-changing SDK and similar apps on several platforms, has been accused of violating two open source licenses in its libraries by a software developer and security researcher called Ronsor. Voice.ai denies the claims but admits that it includes a number of open source libraries. It is currently removing the GPL licensed code from its app and plans to make the relevant source code available on a GitHub repository. It has also banned Ronsor from its Discord server for discussing DRM circumvention.
READ THE STORY: The Register
CISA says Killnet DDoS attacks on U.S. hospitals had little effect
FROM THE MEDIA: Nate Fick, the US Ambassador at Large for Cyberspace and Digital Policy, had his personal Twitter account hacked over the weekend. The US Department of State did not provide any details about who was responsible or how they accessed Fick's account. Fick is currently in South Korea discussing cybersecurity cooperation and securing IT infrastructure, and prior to joining the State Department he was CEO of security software company Endgame. It is unclear if Fick's password was weak, but it is likely that he takes cybersecurity seriously as an experienced infosec executive.
READ THE STORY: The Record
More than 2,000 cybersecurity patent applications filed since 2010: report
FROM THE MEDIA: The number of cybersecurity patent applications has skyrocketed in the past decade, with U.S. companies leading the way. According to IS Decisions, about 2,270 patents have been filed since 2000, 97% of which were filed since 2010. The U.S. patent office is the most prolific, receiving 1,087 applications, followed by applications under the Patent Cooperation Treaty with 326. China, the leader in general patent applications, filed only 13% of global cyber patents and ranks third. Most patents involve the development of tools to counter DoS and DDoS attacks, and telecom companies applied for the most DDoS- and DoS-related patents. Tools against advanced persistent threats and malware attacks account for less than 2% of all patent applications.
READ THE STORY: The Record
How to Think Like a Hacker and Stay Ahead of Threats
FROM THE MEDIA: The hacker mindset is characterized by three core values: a strong sense of curiosity, an adversarial attitude, and persistence. Understanding the MITRE ATT&CK framework can help organizations better identify and prioritize their security efforts and develop more effective defenses against cyber threats. By understanding the tools and techniques used by attackers, cybersecurity analysts can gain visibility into critical assets and preemptively detect and remediate vulnerabilities.
READ THE STORY: The Record
Biden adds Mandia and other cybersecurity execs to advisory committee
FROM THE MEDIA: Joe Biden has added several cybersecurity executives to the National Security Telecommunications Advisory Committee (NSTAC), including Mandiant CEO Kevin Mandia, Rapid7 CEO Corey Thomas and Trellix CEO Bryan Palma. The committee provides the White House with national security and emergency preparedness solutions through policy recommendations. This is part of the Biden administration's larger push to bolster the nation’s cyber defenses, which includes a forthcoming executive order on data privacy and a National Cybersecurity Strategy.
READ THE STORY: The Record
Items of interest
More Than Hot Air
FROM THE MEDIA: On Feb. 2, a Chinese spy balloon was spotted in Montana and shot down off the coast of South Carolina three days later. It is clear that China is here and watching, and their espionage tactics have been well-known for two decades. Analysts worry about what China is watching, as its intelligence services gather both classified and open-source information from individuals who may not even have U.S. security clearance. The U.S. has taken steps to improve its cybersecurity defenses and increase its ability to detect and respond to cyberattacks. China's goal is to gain superiority over its regional neighbors and maintain an advantage over resources within global supply chains. This balloon is just further evidence of China's multipronged approach to collecting intelligence.
READ THE STORY: Rutgers
Cyber Operations vs Information Operations - CyCon 2019 Twilight Talk (Video)
FROM THE MEDIA: This video discusses the differences between cyber operations and information operations, how they require different types of intelligence, and their effectiveness in disrupting adversary actions. It also highlights the need for a comprehensive approach to foreign policy and better regulation of social media platforms.
TinyML: Using Machine Learning on Microcontrollers to Recognize Speech: Shawn Hymel (Video)
FROM THE MEDIA: In this video Shawn Hymel explains how to use machine learning on microcontrollers to recognize speech. He provides an introduction to the concepts involved, and shows how to install necessary packages, run a script to collect data, extract background noise from audio files, pick keywords, and run the machine learning model. He also covers topics such as data augmentation, deep learning, artificial intelligence, and ML ops.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.