Monday, April 4, 2022 // (IG): BB // Weekly Sponsor: Cloakedentryco
Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers
FROM THE MEDIA: A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and potentially expand its reach. "The Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits," Fortinet's FortiGuard Labs Research team said. "Five new exploits were added within a month, with three targeting various models of TOTOLINK routers." The other exploits used by Beastmode target flaws in the TP-Link Tapo C200 IP camera (CVE-2021-4045, CVSS score: 9.8), Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8), video surveillance solutions from NUUO and Netgear (CVE-2016-5674, CVSS score: 9.8), and discontinued D-Link products (CVE-2021-45382, CVSS score: 9.8).
READ THE STORY: The Hacker News
UK Claims China Initiated Cyberattack Against Ukraine Before Start Of War
FROM THE MEDIA: The latest report suggests that just before the Russian invasion of Ukraine, China initiated cyber-attacks on Ukrainian military and nuclear targets. The UK government stated that the National Cyber Security Centre was looking into the accusations by Ukraine, which claim that the Chinese government coordinated thousands of hacking attempts against a number of websites, including Ukraine's defense ministry. The memos titled "Chinese Attacks on Ukrainian Government, Medical, and Education Networks," obtained by the Times, stated that over 600 websites belonging to Kyiv's defense ministry and other organizations were hacked thousands of times. A source in Ukraine's security service, the SBU, stated that the effort was coordinated by the Chinese government, according to the Times. The Chinese attacks began before the end of the Winter Olympics and peaked on February 23, the day before Russian troops and tanks crossed the border, indicating, the report claimed, that China was complicit in the invasion. Jamie MacColl, a researcher at the Royal United Services Institute for Defense and Security Studies, stated that the claimed attempts looked to fit a Chinese technique of scanning for loopholes in IT infrastructure, such as firewalls and virtual private networks.
READ THE STORY: Republic World
Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums
FROM THE MEDIA: A previously undocumented "sophisticated" information-stealing malware named BlackGuard is being advertised for sale on Russian underground forums for a monthly subscription of $200. "BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients," Zscaler ThreatLabz researchers Mitesh Wani and Kaivalya Khursale said in a report published last week. Also sold for a lifetime price of $700, BlackGuard is a .NET-based malware that is actively under development, boasting a number of anti-analysis, anti-debugging, and anti-evasion features that allow it to kill processes related to antivirus engines and bypass string-based detection. What's more, it checks the IP address of the infected device by sending a request to the domain "https://ipwhois[.]app/xml/," and exits if the country is one of the Commonwealth of Independent States (CIS).
READ THE STORY: The Hacker News
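The CIS geofence described above depends on the infected host making an outbound lookup to ipwhois[.]app before the stealer does anything else, which gives defenders a proxy-log indicator. The Python below is an added example, not code from the Zscaler report or the article: it parses constructed Squid-style access-log lines and lists internal clients that contacted that service or, as an assumed extension, other common public IP-lookup services. On its own this is a low-fidelity indicator, since browsers and legitimate tools also query such services, so treat a hit as a pivot for correlation (new process, first-seen binary, follow-on connections) rather than an alert by itself.

```python
import re
from collections import defaultdict

# Constructed Squid-style access log (fields: time, elapsed, client, code/status,
# bytes, method, URL, user, hierarchy/peer, type). Not real data.
SAMPLE_LOG = """\
1649066401.123    210 10.0.4.17 TCP_TUNNEL/200 1843 CONNECT ipwhois.app:443 - HIER_DIRECT/203.0.113.10 -
1649066402.456    120 10.0.4.17 TCP_MISS/200 5120 GET http://ipwhois.app/xml/ - HIER_DIRECT/203.0.113.10 text/xml
1649066410.789     95 10.0.4.22 TCP_MISS/200 8830 GET http://intranet.example.test/news - HIER_DIRECT/10.0.0.5 text/html
1649066420.001    180 10.0.4.31 TCP_TUNNEL/200 2100 CONNECT api.ipify.org:443 - HIER_DIRECT/198.51.100.7 -
"""

# ipwhois.app is the service named in the report summarised above; the other
# entries are assumed additional indicators (public IP-lookup services that
# geofenced malware commonly uses), not taken from the page.
GEOIP_LOOKUP_HOSTS = frozenset({
    "ipwhois.app",
    "api.ipify.org",
    "ip-api.com",
    "ipinfo.io",
})

# Captures the fields we need from one Squid access-log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def host_of(method, url):
    """Return the lowercase destination host for a CONNECT target or an absolute URL."""
    if method == "CONNECT":
        return url.split(":", 1)[0].lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_lookup_host(host):
    """Match the indicator list exactly or as a parent domain (e.g. www.ipwhois.app)."""
    if host is None:
        return False
    return any(host == h or host.endswith("." + h) for h in GEOIP_LOOKUP_HOSTS)


def find_geoip_lookups(log_text):
    """Map each client IP to the sorted list of IP-lookup services it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than fail
        host = host_of(m["method"], m["url"])
        if is_lookup_host(host):
            hits[m["client"]].add(host)
    return {client: sorted(hosts) for client, hosts in sorted(hits.items())}


if __name__ == "__main__":
    for client, hosts in find_geoip_lookups(SAMPLE_LOG).items():
        print(f"{client} queried IP-lookup service(s): {', '.join(hosts)}")
```

Run against a real Squid access.log by reading the file into `find_geoip_lookups`; for other proxy formats only `LINE_RE` and `host_of` need adapting, the indicator logic stays the same.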
Lapsus$ may still be hacking even after alleged members were arrested in the UK
FROM THE MEDIA: Just because police in the United Kingdom have arrested some alleged members of the hacker group Lapsus$ doesn't mean that the group is finished terrorizing big tech. It looks like some bad actors are still active and causing trouble, using various methods to steal information and disrupt businesses. Arrests and charges are a positive step, but Lapsus$ is still hacking away. According to a report from Gizmodo, the remaining members of Lapsus$ hacked major software developer Globant and dumped a load of passwords before posting a link to some 70 gigabytes of the company's internal data. It seems that the group has access to some internal systems and data, but it's not yet clear how much damage they've done or how they plan to use the information. Globant directed Gizmodo to a statement in which it said that "the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected."
READ THE STORY: Android Police
Russian food delivery app data leak exposes secret police info
FROM THE MEDIA: A data leak in Russia's popular food delivery service Yandex Food has exposed personal information of 58,000 users, including those associated with the government's secret police. Among the users affected are serving agents of Russia's security services and military who even ordered food to their places of work using their official email addresses, according to findings from Netherlands-based investigative journalism group Bellingcat. The leak includes user emails, a large number of phone numbers, addresses and orders made on the food delivery platform. "One address Bellingcat searched for is Dorozhnaya Street 56 in Moscow. This facility is linked to the Russian National Guard (Rosgvardia), which has been active in the invasion of Ukraine," the research group said. Researchers even identified in the data an individual linked to the poisoning of jailed Russian opposition figure Alexei Navalny. By searching the database, Bellingcat uncovered the name of the person who was in contact with Russia's Federal Security Service (FSB) to plan Navalny's poisoning. This person "also used his work email address to register with Yandex Food, allowing researchers to further ascertain his identity". Yandex has blamed one of its employees for the hacking and subsequent leak of data from Yandex Food. Russia's state media watchdog Roskomnadzor has attempted to block the data leak. The communications regulator has also threatened to penalize the online food delivery service up to $1,166 for the leak.
READ THE STORY: Daiji World
Iranian hackers new challenge, say experts
FROM THE MEDIA: India’s cyber security grid is now facing new challenges from Middle East countries, particularly Iran, as hackers from there have been attempting to breach the strategic online architecture of the country’s government departments, say experts. According to sources in India’s cyber security grid, until a few months ago “we were facing challenges from hackers based in Pakistan and China, but now a new phenomenon has emerged where hackers sitting in Middle East countries, particularly in Iran, are found trying to breach computers of strategic government departments”. They said that in recent weeks, several government departments, including defense, banking, police, education and telecom, and private IT companies have come under attack by the hackers. The sources claimed that the most attacks were noticed in Kerala, while Delhi saw fewer cases than the southern state. Cyber attacks were also reported in Bihar, Assam, West Bengal, Andhra Pradesh, Telangana and Maharashtra, they added. In view of the emerging threats, officials in the Union Ministry of Home Affairs (MHA) confirmed that the government has roped in experts from both public and private sectors to deal with the attacks, whose sources have been traced back to the Middle East, including Iran. Experts working with the cyber security cell of the Government of India termed such attacks “lock and leak” operations. In these attacks, the hackers lock down an online system completely using ransomware, download the sensitive information from the system, and then blackmail the victims, they added.
READ THE STORY: Tribune India
Cyber security incident hits Nordex
FROM THE MEDIA: German wind turbine manufacturer Nordex SE (ETR:NDX1) has been affected by a cyber security incident and has decided to shut down IT systems across multiple locations and business units as a precautionary measure. The company said over the weekend that Nordex Group IT security detected the incident late last week. “The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units,” said the German turbine company. “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.” Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems, the company added. The incident at Nordex comes after the remote monitoring of about 5,800 turbines of sector player Enercon GmbH was partially impaired by a satellite outage in late February. That disruption was caused by a cyberattack, but it was not targeted at Enercon or its customers, the company pointed out.
READ THE STORY: Renewables Now // Renews
Russian Invasion of Ukraine, Cyber attacks and War Exclusions in P/C Policies
FROM THE MEDIA: The Russian invasion of Ukraine may result in cyberattacks causing widespread and severe losses in Ukraine and beyond. Even before the current invasion, some Russian cyberattacks aimed at Ukraine spread to other nations. The most prominent of these was the NotPetya attack in 2017. NotPetya was the name given to a strain of one of the most destructive types of malware, known as “wiper” malware, which is designed to functionally destroy computers by wiping their contents completely. It was designed to spread to other computer networks, and did. It caused an estimated $10 billion in losses throughout the world. (The original article discusses NotPetya in greater detail.) The current threat matrix is multidimensional. Russia may intentionally target companies in the United States, Europe, Australia, Japan and elsewhere, in response to support given to Ukraine, and in retaliation for the economic sanctions that have been imposed. If the war drags on or escalates, Russia may seek tactical or strategic benefit by increasing the overall level of distress in other nations. After the conflict ends, however it ends, Russia will be the object of extreme resentment and suspicion. It may launch cyberattacks to increase disorder, believing that an environment of disorder would best serve its position as a significant power. In addition to the nations in conflict, cyberattacks could be launched by groups affiliated with them, as well as independent groups sympathetic to one of them.
READ THE STORY: Insurance Journal
Axie Infinity’s Ronin Bridge Hacker Starts to Move Stolen Ethereum (ETH)
FROM THE MEDIA: There has been some activity on the blockchain address that was flagged as being involved in the hack on the Axie Infinity Ronin bridge last month. There have been several transactions over the past couple of hours from the suspect Ethereum address. The first was the movement of 1,000 ETH valued at approximately $3.5 million to another address. Several more transactions of 100 ETH subsequently followed, all of them going to the Tornado Cash Ethereum mixing service. The movements were noticed by Chinese crypto analyst Colin Wu on Monday morning. Major exchanges are seldom used by criminals because most of them now require extensive KYC (know-your-customer) procedures. Even those that do not provide fiat conversions have had to bow to global regulators. However, CryptoPotato did report that some of the funds were moved into exchanges such as FTX, Huobi, and CryptoCom, all of which have vowed to take action. Malicious actors are more likely to attempt to obfuscate the transactions, often several times, before they can finally cash out into fiat somewhere. The founder of Immutable Vision commented that this could lead to tighter regulations and punishment for legitimate investors.
READ THE STORY: Crypto Potato
VMware sprung by Spring4shell vulnerability
FROM THE MEDIA: VMware has issued a warning that it has products that contain the Spring4Shell vulnerability, first discovered last week, while other vendors are investigating their offerings. Late last week, the SANS Internet Storm Centre first saw exploit code for the bug in the Spring Framework for Java appear on its honeypot systems, indicating that attackers are scanning for vulnerable systems. The Spring project has released patched versions of its software. VMware’s advisory identifies three products that use the Spring Framework: its Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition (TKGI). The company says the products can be attacked over the network “to gain full control of the target system”. Versions affected are Tanzu Application Service for VMs versions 2.8 through 2.13, Tanzu Operations Manager 2.8 to 2.10, and TKGI 1.12 and 1.13. Fixed versions have been released for Tanzu Application Service for VMs and Operations Manager, but the patch is still pending for TKGI. Last week, the Computer Emergency Response Team at Carnegie Mellon warned that Spring4Shell could lead to remote code execution. “By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application,” the CERT advisory stated.
READ THE STORY: ITnews
The Ransomware Files, Episode 6: Kaseya and REvil
FROM THE MEDIA: The REvil ransomware gang's attack against the U.S. software company Kaseya in 2021 is not only among the largest ransomware attacks of all time, it's also one of the most intriguing. It involves the use of zero-day software vulnerabilities known only to a handful of people, a race between attackers trying to snare ransom payments and defenders developing a patch, and a secret operation that hacked back against the REvil hackers. And in the end, a rare action happened: Someone was actually arrested. This episode of "The Ransomware Files" talks to those who had a role in this incredible event. It also coincides with the release of new technical information about the software vulnerabilities exploited by the ransomware gang, which were found by the Dutch Institute for Vulnerability Disclosure, or DIVD. REvil managed to exploit zero-day vulnerabilities in the Virtual Systems Administrator, which is remote management software made by Kaseya and widely used by managed service providers. The vulnerabilities allowed the group to spread its ransomware, which was disguised as a software update.
READ THE STORY: Bank Info Security
Items of interest
Nordex second German OEM to suffer cyberattack since Russia's war began
FROM THE MEDIA: IT security at Nordex last week detected that the wind turbine manufacturer was subject to a “cyber security incident.” The intrusion was noted at an early stage on Thursday and response measures initiated immediately in line with crisis management protocols, the company said, which nevertheless decided to shut down IT systems across multiple locations and business units. Nordex was the second German wind OEM to suffer a cyberattack since Russia’s war on Ukraine began. Privately held premium manufacturer Enercon was hit by a cyberattack almost exactly coinciding with the start of the Russian invasion that cut remote service links to almost 6,000 wind turbines in central Europe. The cyberattack on Nordex came amid a heated debate in Germany over a possible embargo on Russian oil and gas deliveries, which Moscow is eager to avoid as it would lose billions in fossil fuel revenues. Russia accounts for about 55% of German fossil gas supplies, half of its hard coal, and about a third of its oil consumption. German economics and climate minister Robert Habeck declared an early warning level in the country’s gas emergency plan, meaning Europe’s largest economy is preparing for a possible stop of Russian gas flows. The step came in the wake of Russia’s demand to accept payments for gas only in roubles, following Western sanctions against its invasion of Ukraine. While the atrocities committed by Russian troops in suburbs of the Ukrainian capital Kiev may sway German public opinion towards favoring an energy embargo even at a heavy economic cost, a simultaneous threat to its electricity supply could unsettle consumers.
READ THE STORY: Recharge News
All quiet on the cyber front: Ukraine's internet infrastructure remains resilient (Video)
FROM THE MEDIA: At the start of Russia's invasion of Ukraine, hackers brought down tens of thousands of satellite internet modems across Ukraine and Europe. This week, Reuters revealed that the same attacks are still underway. It raises questions about the state of the cyberwar in Ukraine: given the piecemeal information we receive about an attack, weeks after it happened, how can we assess Russia's cyber offensive? Is it working, and has it begun to spill out internationally, as first predicted? So far, Ukraine's internet infrastructure has remained resilient. FRANCE 24's tech editor Peter O'Brien explains.
Russian aviation authority suffered a major cyber attack (Video)
FROM THE MEDIA: Russian aviation authority switches to paper after losing 65TB of data.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com