Daily Drop (97)
China-Backed Hacking Group Cicada Is Using VLC Media Player for Cyberattacks.
FROM THE MEDIA: Cicada, a hacking group allegedly backed by the Chinese government, is abusing VLC Media Player to deploy a malicious loader as part of a long-running cyberattack campaign, security researchers have discovered. The campaign, which spans at least three continents, appears to be aimed at espionage and has targeted numerous groups involved in political, legal, and religious activities, as well as non-government organizations (NGOs). The activity has been traced to the threat actor Cicada, also known as menuPass, Stone Panda, Potassium, APT10 and Red Apollo, which has been active for over 15 years. Many of the organizations targeted in this campaign appear to be government-related, alongside telecommunications, legal and pharmaceutical firms. The Cicada campaign has victims in the United States, Canada, Hong Kong, Turkey, Israel, Montenegro, Italy and India, according to Symantec researchers. Only one of the victims is in Japan, which has long been a target of the Cicada group. The victim set in this campaign shows that the threat actor's interests have diversified compared with its previous targeting, which focused on Japanese-linked companies. Cicada has also previously targeted the healthcare, defence, aerospace, finance, maritime, biotechnology, energy, and government sectors.
READ THE STORY: News18
Website of Russian oil firm Gazprom Neft goes down after apparent hack
FROM THE MEDIA: The website of Gazprom Neft (SIBN.MM), the oil arm of Russian state gas giant Gazprom (GAZP.MM), went down on Wednesday after an apparent hack, in what looked like the latest attack on government-linked sites following Russia's actions in Ukraine. The website briefly showed a statement purporting to be from Gazprom chief executive Alexei Miller, a close ally of President Vladimir Putin. Miller last month urged the gas giant's 500,000 employees to rally around Putin to preserve Russia as a great power in the face of foreign hostility. The statement attributed to him on what looked like a hacked version of the site cited him as making critical comments about Russia's decision to send tens of thousands of troops into neighboring Ukraine, where thousands of soldiers and civilians have been killed. The website stopped working soon afterwards. "The information published on the site on the morning of April 6 is not true and cannot be regarded as an official statement of the company's representatives or shareholders," Gazprom Neft said.
READ THE STORY: Reuters
Jordan Denies Using Pegasus Software to Hack Its Citizens' Phones
FROM THE MEDIA: The National Cyber Security Center (NCSC) has categorically denied allegations in a report by Front Line Defenders that government agents had hacked the phones of Jordanian citizens using the "Pegasus" spyware.
"These allegations are baseless. Jordan has not cooperated with any agents with the aim of spying on citizens' phones or censoring their calls," the center said in a statement on Tuesday. Telephone calls and private communications are confidential by law and may not be violated, the center confirmed, adding that if any cyber attacks are detected, immediate and quick measures are taken to protect citizens. The center called on citizens or entities facing such problems to contact it to report any vulnerability, penetration or cyber incident, to conduct digital forensics, stressing the need to implement national cybersecurity policies and pursue best practices for protecting information and networks. It pointed out that "no country in the world is able to completely stop cyber intrusions, however, capabilities are being advanced to face any such cases."
READ THE STORY: Albawaba
Darknet takedown: Russian accused of operating Hydra
FROM THE MEDIA: Hydra Market, the world’s largest and longest-running darknet market, was seized by U.S. and international law enforcement agencies on Tuesday. Hydra accounted for 80 percent of all darknet market-related cryptocurrency transactions last year, according to the U.S. Justice Department. Since 2015, the marketplace allegedly received $5.2 billion in cryptocurrency. Hydra servers and cryptocurrency wallets were seized Tuesday in Germany by the German Federal Criminal Police, also known as the “Bundeskriminalamt,” in coordination with U.S. law enforcement. In conjunction with the shutdown of Hydra, criminal charges were filed against 30-year-old Dmitry Olegovich Pavlov, a resident of Russia, for conspiracy to distribute narcotics and conspiracy to commit money laundering. Robert Leach, a prosecutor who successfully prosecuted Theranos founder Elizabeth Holmes for wire fraud and conspiracy, will be one of four attorneys prosecuting the Hydra case. Leach is an assistant U.S. Attorney for the Northern District of California. According to an indictment, Hydra was an online criminal marketplace that enabled users to buy and sell illicit goods and services, including illegal drugs, stolen financial information, fraudulent identification documents, and money laundering and mixing services, anonymously and outside the reach of law enforcement. Transactions on Hydra were conducted in cryptocurrency.
READ THE STORY: WKRG
Defending Firmware in the Firmament
FROM THE MEDIA: The recent attacks against the ViaSat satellite network in February and March of this year have gone largely unnoticed amid the din of the Russian assault on Ukraine. And this is understandable: these attacks are cold and distant and in a sense unreal, not at all like the heartbreak we see on the ground in Kharkiv and Mariupol, or the sheer brutality we see in Irpin and Bucha. But it’s worth paying close attention to these attacks. Not only is this the first time a nation has waged cyber war side-by-side with armored columns, but it may also be the first time firmware – code that resides in non-volatile storage – has served as the primary battleground. On 24 February 2022, a “multifaceted and deliberate cyber-attack” was waged against the land-based portion of ViaSat’s KA-SAT network. The attack resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. The attack impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe. February 24 was, of course, the same day Russia began its current military aggression in Ukraine, with missiles and airstrikes accompanying armored assault. It was also the first day of civilian deaths in the conflict. Weeks later, several sources doing forensic analysis of the attacks have focused on firmware updates in the affected modems.
READ THE STORY: Security Boulevard
Watch out for new Russian scam targeting WhatsApp users, it will leave you out of pocket!
FROM THE MEDIA: WhatsApp users have been put on alert about a dangerous new scam, which has already targeted tens of thousands of people. If you want to make sure you don't fall foul of it, this is what you need to know. WhatsApp users need to keep their eyes peeled for a sneaky new scam which is spread via email and could leave you seriously out of pocket. The email, which has already been sent to almost 30,000 people, claims to be a notification from WhatsApp telling you that you've received a new private voicemail, with a button in the email that claims to take you to the recording within the app. That's not the case. Clicking the button downloads malware onto your device that is capable of stealing all login information saved in your web browser, including bank login credentials, logins for payment software such as PayPal, and more. WhatsApp will never notify you about an unread message or voicemail over email; instead the service sends a notification on your smartphone. Cyber crooks are turning to email because it allows them to bypass security measures implemented by WhatsApp. By clicking the link you also leave your email app, stopping Gmail, Outlook, or another provider from warning you about the site you're being sent to. The fake email impersonating WhatsApp is sent from an address belonging to the Centre for Road Safety for the Moscow Region. Because this address belongs to a legitimate entity, the bogus WhatsApp message isn't flagged or blocked by email security systems.
READ THE STORY: Express
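The story above rests on two observable mismatches: a message that presents itself as WhatsApp but is sent from an unrelated (if legitimate) domain, and a "play voicemail" button whose link leads somewhere other than a WhatsApp property. The following added example (not code from the original article or from WhatsApp) checks both against a raw RFC 822 message. The brand-to-domain table, the sample messages and their addresses are constructed for the example; the sender address deliberately does not reuse the real organisation named in the story.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the example: domains that may legitimately send mail or host links for a brand.
# In production this table would be fed from the organisation's own allow-list, not hard-coded.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com", "whatsapp.net"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable(host):
    """Crude registrable-domain extraction (last two labels); adequate for the hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_claimed(display_name, subject):
    """Return the brand the message claims to be from, judged by display name and subject, or None."""
    text = f"{display_name} {subject}".lower()
    for brand in BRAND_DOMAINS:
        if brand in text:
            return brand
    return None


def analyse(raw_message):
    """Return a list of findings: sender domain and every body link that does not belong to the claimed brand."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    brand = brand_claimed(display_name, msg.get("Subject", ""))
    if brand is None:
        return []                      # no brand impersonation claim to verify
    allowed = BRAND_DOMAINS[brand]
    findings = []
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    if sender_domain not in allowed:
        findings.append(f"sender {addr} is not a {brand} domain")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in allowed:
            findings.append(f"link {url} leads off-brand to {host}")
    return findings


# Constructed lure in the shape described above: brand in display name and subject, unrelated sender,
# a "play" link to a host the brand does not own. Addresses and hosts are placeholders.
LURE = """\
From: WhatsApp Notifier <noreply@road-safety-centre.example>
To: victim@example.org
Subject: New private voicemail from WhatsApp
Content-Type: text/plain; charset=utf-8

You have a new voicemail (00:27).
Play it now: https://voicemail-player.example/play?id=7f3a
"""

# Constructed control message that makes no brand claim; it should produce no findings.
CONTROL = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Menu is at https://cafe.example/menu
"""

if __name__ == "__main__":
    for finding in analyse(LURE):
        print("LURE:", finding)
    print("CONTROL:", analyse(CONTROL))
```

The check is deliberately independent of the sending domain's reputation, which is exactly what the campaign relied on: a reputable sender address passes domain-reputation filters, but it still cannot make a non-WhatsApp domain look like WhatsApp once the claimed brand and the actual sender are compared.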
China rolls out bots to enforce ‘temporary closed-off management’ of Shanghai
FROM THE MEDIA: State-controlled media in China is proudly reporting the use of robots to facilitate the "temporary closed-off management" of Shanghai, which has experienced a new surge of COVID. The city of more than 26 million residents has been locked down as cases reportedly surge past the 13,000 mark each day, a new high for the city and a level of infection that China will not tolerate under its zero-COVID policy. City authorities have quickly created 47,000 temporary hospital beds and increased capacity to four million tests each day. All residents have been required to take a test. Robots are helping to enforce the lockdown. Police have employed "drones equipped with a broadcasting system to patrol key areas." The craft "publicize latest news and anti-pandemic prevention and control measures to the local communities." Friendlier drones are carrying medicines to residents who are unable to leave their homes or visit doctors. Food delivery has been turned over to rolling drones loaded by staff wearing full personal protective equipment. State media proudly points out that the rolling drones can carry between three and four times as much cargo as a single human delivery driver.
READ THE STORY: The Register
Apple patched critical flaws in macOS Monterey but not in Big Sur nor Catalina
FROM THE MEDIA: Apple last week patched two actively exploited vulnerabilities in macOS Monterey yet has left users of older supported versions of its desktop operating system unprotected. In a blog post on Tuesday, security firm Intego said the fixes applied to address CVE-2022-22675 (an AppleAVD bug) and CVE-2022-22674 (an Intel Graphics Driver bug) in macOS Monterey were not backported to macOS Big Sur or macOS Catalina. The AppleAVD issue remains unpatched for macOS Big Sur, said Joshua Long, chief security analyst for Intego, while Catalina isn't affected because it lacks the AppleAVD component for decoding audio and video. The Intel Graphics Driver flaw, he said, looks like it affects both Big Sur and Catalina. "This is the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities for Big Sur and Catalina," said Long. "The previous three actively exploited vulnerabilities were each patched simultaneously for Monterey, Big Sur, and Catalina." Apple did not respond to a request to explain why it has left older macOS installations without updates for these particular issues.
READ THE STORY: The Register
Google issues new warning to BILLIONS of Chrome users to fix app – days after urgent ‘hack alert’
FROM THE MEDIA: Google has hastily released another emergency security patch for Chrome, the second in as many weeks. The update, which is rolling out to the browser's 2.6 billion users this week, fixes a critical vulnerability that exposes people to hackers. Details on the flaw are scarce: Google keeps a lid on where in its code vulnerabilities lie in order to protect users who are yet to update. Thankfully, it appears that hackers have not yet exploited the defect for nefarious purposes. Security holes of this kind can allow attackers to take over computer systems, compromising your devices; if a hacker can hijack part of your computer, they could wreak havoc on your digital life. Google regularly releases security patches for Chrome, typically mending over a dozen vulnerabilities at a time. Emergency fixes issued for a single security bug are unusual, however, which suggests that the potential consequences of cyber crooks getting wind of the defect are severe.
READ THE STORY: The Sun
US Gets a Win Against Dark Web Crimes, Confiscates $34M Worth of Stolen Crypto From South Florida Hacker
FROM THE MEDIA: The U.S. Department of Justice has confiscated cryptocurrency worth $34 million tied to illegal dark web activity. A cryptocurrency forfeiture action filed by federal prosecutors in the Southern District of Florida resulted in the seizure of approximately $34 million in cryptocurrency linked to illegal dark web activity, making this one of the largest cryptocurrency confiscations ever in the United States. Following the filing of a civil forfeiture complaint, law enforcement agents singled out a "South Florida resident" who used the dark web to sell illegal items and hacked accounts for millions of dollars. Investigators also seized a number of cryptocurrency wallets believed to be linked to illegal dark web activity. The investigation found that the South Florida resident used so-called cryptocurrency tumblers. A tumbler is a service used to mix cryptocurrency transactions: it combines multiple transactions into a single transaction, then distributes the cryptocurrency to a designated wallet at random times and in random increments, according to a predetermined algorithm. The goal is to conceal the identity of the original source of funds. Tumblers are used for privacy, but also for money laundering.
Threats Hiding Behind Trusted Microsoft Domains
FROM THE MEDIA: Throughout 2021 there was a growing number of cyber threats hosted on legitimate services such as Microsoft Teams, OneDrive, SharePoint, and OneNote to deliver phishing campaigns. The trusted reputation of these domains lets cybercriminals evade detection technologies that rely on domain reputation and blocklists, including secure email gateways (SEGs), proxies, SASE platforms, and endpoint security tools. Attackers use shared services to get around domain reputation technologies with increasing frequency. Using mainstream, legitimate commercial infrastructure to avoid detection has been a successful tactic, and the growth in these threats continues in 2022. It's important to understand how these cybercriminals gain access to legitimate hosted domains. One popular tactic is account takeover: once a cybercriminal holds Microsoft 365 credentials from one company, they can initiate attacks against other companies from infrastructure those targets already trust. In the real-world example below, a fake login page delivered through a spear-phishing campaign is used to steal the initial credentials. The email address is blacked out, but what is most interesting about this fake login page is the URL, which is unique to the user. Although the page is already pre-populated with the user's name, the user's name does not appear in the URL itself, where it could easily be identified by domain reputation tools and blocked. Because every single URL in these new attacks is unique, most SEGs, domain reputation and URL filtering tools, and blocklists struggle to detect these sophisticated credential-stealing attacks.
READ THE STORY: Security Boulevard
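The detection gap described above is structural: a blocklist of exact URLs can never contain a link that was minted for one victim and used once, and the hosting domain itself is legitimate. What does survive per-victim variation is the shape of the URL. The following added example (not code from the original article or from any vendor) runs two checks over constructed proxy log lines: an exact-URL blocklist, and a canonicaliser that collapses opaque identifiers so that a template visited once per user by many different users can be flagged. Hostnames, usernames and identifiers are placeholders; the one-URL-per-user rule and its threshold are assumptions for illustration, not a vendor's logic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log (timestamp, user, URL). The first three lines are ordinary shared-document
# traffic; the last four mirror the per-victim unique links described in the story. Placeholders only.
LOG = """\
2022-04-05T09:01:12 alice https://contoso.sharepoint.example/sites/finance/Shared%20Documents/budget.xlsx
2022-04-05T09:03:40 bob   https://contoso.sharepoint.example/sites/finance/Shared%20Documents/budget.xlsx
2022-04-05T09:05:07 carol https://contoso.sharepoint.example/sites/finance/Shared%20Documents/budget.xlsx
2022-04-05T10:12:51 alice https://victim-my.sharepoint.example/personal/hr_admin/_layouts/15/guestaccess.aspx?docid=a81f2c9e44b0&authkey=c6d1e0ff
2022-04-05T10:13:09 dave  https://victim-my.sharepoint.example/personal/hr_admin/_layouts/15/guestaccess.aspx?docid=0b72ee41d9c3&authkey=11a2b3c4
2022-04-05T10:13:44 erin  https://victim-my.sharepoint.example/personal/hr_admin/_layouts/15/guestaccess.aspx?docid=f4e3d2c1b0a9&authkey=9e8d7c6b
2022-04-05T10:15:02 frank https://victim-my.sharepoint.example/personal/hr_admin/_layouts/15/guestaccess.aspx?docid=5566778899aa&authkey=deadbeef
"""

# An exact URL shared by a peer organisation. Its identifiers were issued to a different victim,
# so it will never match the links our own users received (constructed, like the log).
BLOCKLIST = {
    "https://victim-my.sharepoint.example/personal/hr_admin/_layouts/15/guestaccess.aspx?docid=9988776655cc&authkey=cafef00d",
}

# A path segment that looks like an opaque identifier: hex, long base64-ish token, or a bare number.
OPAQUE = re.compile(r"^(?:[0-9a-f]{8,}|[A-Za-z0-9_-]{16,}|\d+)$")


def parse(log):
    """Yield (user, url) pairs from the constructed log format."""
    for line in log.splitlines():
        if line.strip():
            _ts, user, url = line.split()
            yield user, url


def template(url):
    """Canonical form: opaque path segments become {id}, query values are dropped, keys are kept sorted."""
    p = urlsplit(url)
    path = "/".join("{id}" if OPAQUE.match(seg) else seg for seg in p.path.split("/"))
    keys = ",".join(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return f"{p.hostname}{path}?{keys}"


def blocklist_hits(log, blocklist):
    """Exact-match detection: the approach the per-victim URLs are designed to defeat."""
    return sum(1 for _user, url in parse(log) if url in blocklist)


def one_url_per_user(log, min_users=3):
    """Flag templates where every observed URL is distinct and each was visited by exactly one distinct user.

    A genuinely shared document is one URL hit by many users; a per-victim lure is many URLs,
    one per user, all with the same shape. The threshold is an assumption for the example."""
    seen = defaultdict(lambda: defaultdict(set))   # template -> url -> set of users
    for user, url in parse(log):
        seen[template(url)][url].add(user)
    flagged = []
    for tpl, urls in seen.items():
        visitors = [u for users in urls.values() for u in users]
        single_visitor_each = all(len(users) == 1 for users in urls.values())
        if len(urls) >= min_users and single_visitor_each and len(set(visitors)) == len(urls):
            flagged.append(tpl)
    return flagged


if __name__ == "__main__":
    print("exact blocklist hits:", blocklist_hits(LOG, BLOCKLIST))
    for tpl in one_url_per_user(LOG):
        print("one-URL-per-user template:", tpl)
```

The legitimate share shows up as one URL with three visitors and is left alone; the lure shows up as four URLs with four visitors under a single template and is flagged, while the exact blocklist matches nothing. The template rule is a triage signal rather than a verdict: services that genuinely issue per-recipient links will also produce this shape, so the flagged template should be followed up by inspecting the landing page, in particular whether it presents a credential form, before blocking.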
Items of interest
The Myth of the Missing Cyberwar
Russia’s Hacking Succeeded in Ukraine—And Poses a Threat Elsewhere.
FROM THE MEDIA: After Russia invaded Ukraine, many observers initially expected cyberattacks to steal the limelight as a major instrument in Russia’s arsenal. But after a month of fighting, a host of prominent scholars and analysts of cyberconflict have reached the opposite conclusion. Russia’s activities in cyberspace, they claim, have been paltry or even nonexistent. They have dismissed the role of cyber-operations, variously proposing that digital preparations for the invasion in Ukraine never occurred, were haphazard or lacked any real impact, or were mere continuations of Russia’s long-term cyber-activity against Ukraine that fell below the threshold of outright war. This is a dangerous misdiagnosis. All available evidence indicates that Russia has employed a coordinated cyber-campaign intended to provide its forces with an early advantage during its war in Ukraine. The apparent disconnect between these observed incidents, on the one hand, and the public analysis that Russian cyber-operations have been minimal, on the other, is jarring. Preconceived notions of the role of cyberattacks on the battlefield have made it hard for analysts to see cyber-operations in Ukraine for what they are and for the role they play within Russia’s military campaign. Leaning on these preconceptions will only lead to future policy and intelligence failures. Cyberspace is still a nascent domain of operations, and events in Ukraine will have outsized implications not just for any appreciation of Russian cyberpower but for an understanding of the nature of cyberconflict itself.
READ THE STORY: Foreign Affairs
Irregular Warfare and the Future of Global Competition After Ukraine(Video)
FROM THE MEDIA: For Day 22 of The Realignment's daily Ukraine coverage, Marshall spoke with Dr. Seth G. Jones, author of Three Dangerous Men: Russia, China, Iran and the Rise of Irregular Warfare and Senior Vice President and Director of the International Security Program at the Center for Strategic & International Studies. They discussed how the conventional military strength of great powers such as the United States and Russia is increasingly challenged by irregular warfare approaches: cyber attacks, the use of proxy forces, propaganda, espionage, and disinformation. While Three Dangerous Men focused on how China, Iran, and Russia favored irregular warfare to challenge the United States, the Ukraine war has demonstrated that irregular warfare presents a serious challenge to any nation's ambitions.
UAS Cyber terror implications & Spoof-proof ADS-B/GPS using ECD(Video)
FROM THE MEDIA: This presentation covers a new evolution in terroristic threats. Weaponization of small and medium-sized Unmanned Aircraft Systems (UAS/drones), combined with cyber attacks on SCADA and GPS systems, represents a probable and potentially high-risk threat to aircraft, infrastructure, civilians, and vessels at sea. The presentation discusses countermeasures for these attacks on air defense systems (ADS) and a robust, unique anti-spoofing algorithm to detect, mitigate and recover from false GPS signals. Special attention is given to incidents in the South China Sea (SCS).
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in the original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at firstname.lastname@example.org