Thursday, April 7, 2022 // (IG): BB // Weekly Sponsor: Cloakedentryco
FBI Shut Down Russia-linked "Cyclops Blink" Botnet That Infected Thousands of Devices
FROM THE MEDIA: The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet," the DoJ said in a statement Wednesday. In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing contact and preventing the hacking group from using the infected devices to commandeer the botnet. The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May 2018. Cyclops Blink, which is believed to have emerged as early as June 2019, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group leveraging a previously identified security vulnerability in WatchGuard's Firebox firmware as an initial access vector.
READ THE STORY: The Hacker News
Malicious Android apps target Malaysian bank customers, warns ESET
FROM THE MEDIA: ESET researchers have analyzed three malicious Android applications targeting customers of eight Malaysian banks. According to ESET, to profit from customers who have increasingly turned to online shopping during the pandemic, cybercriminals are tricking these eager shoppers into downloading malicious applications. In an ongoing campaign, the threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. ESET says these websites use domain names similar to those of the services they are impersonating. “To make the already couch-friendly approach of online shopping even more convenient, people are increasingly using their smartphones to shop. Smartphone purchases make up the majority of online shopping orders – most of them from vendor-specific applications,” says ESET researcher Lukáš Štefanko, who analyzed the malicious applications. This campaign was first reported at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u.
READ THE STORY: IT Wire
Suspected Chinese Hackers Collect Intelligence From India’s Grid
FROM THE MEDIA: Suspected state-sponsored Chinese hackers have targeted the power sector in India in recent months as part of an apparent cyber-espionage campaign, the threat intelligence firm Recorded Future Inc. said in a report published Wednesday. The hackers focused on at least seven “load dispatch” centers in northern India that are responsible for carrying out real-time operations for grid control and electricity dispersal in the areas they are located, near the disputed India-China border in Ladakh, the report said. One of the load dispatch centers previously was the target of another hacking group, RedEcho, which Recorded Future has said shares “strong overlaps” with a hacking group that the U.S. has tied to the Chinese government. “The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence gathering opportunities,” the Recorded Future report states. “We believe this is instead likely intended to enable information gathering surrounding critical infrastructure and/or pre-positioning for future activity.” In addition, the hackers compromised an Indian national emergency response system and a subsidiary of a multinational logistics company, according to the report. The hacking group, dubbed TAG-38, has used a kind of malicious software called ShadowPad, which was previously associated with China’s People’s Liberation Army and the Ministry of State Security, according to Recorded Future. Researchers didn’t identify the victims by name.
READ THE STORY: Bloomberg
Israeli officials are being catfished by AridViper hackers
FROM THE MEDIA: High-ranking Israeli officials are being catfished in a new cyberespionage campaign launched by AridViper. AridViper, also known as APT-C-23, Desert Falcon, and Two-tailed Scorpion, is a politically driven advanced persistent threat (APT) group active in the Middle East. In the past, AridViper has conducted spear-phishing attacks against Palestinian law enforcement, military, and educational establishments, as well as the Israel Security Agency (ISA). In February, Cisco Talos researchers uncovered AridViper attacks against activists associated with the Israel-Palestine conflict. On Thursday, Cybereason's Nocturnus Research Team published new findings on the APT's latest activities. Dubbed "Operation Bearded Barbie," the latest campaign targets "carefully chosen" Israeli individuals to compromise their PCs and mobile devices, spy on their activities, and steal sensitive data. The researchers say the AridViper group, alongside MoleRATs, is a subset APT of the Hamas cyberwarfare division and is working to benefit the Palestinian political group. The operation's victims include individuals working in Israel's defense, law enforcement, and emergency service sectors. According to Cybereason, the first step in AridViper attacks relies on social engineering: after conducting reconnaissance on a victim, the group creates fake Facebook social media accounts, makes contact, and tries to entice the target to download Trojanized messaging apps.
READ THE STORY: ZDNET
GOVERNMENT NEEDS TO BE ‘POSTURED FOR THE FUTURE’ OF CYBER THREATS
FROM THE MEDIA: The shortage of skilled cybersecurity professionals that has faced the private sector for years is now becoming an increasingly thorny issue for the military and the United States government agencies, as both defensive and offensive cyber operations become a larger part of the national security picture. Each branch of the U.S. military has a sizeable force of trained cyber operators, united under U.S. Cyber Command, as do the National Security Agency, CIA, and other intelligence agencies. Those teams each have their own missions and areas of operation, and the competition for people with the specific background and skill sets they require is fierce, not only in the military but also in the private sector, where the financial rewards are exponentially higher. Finding the people who are willing to apply their skills in the military or government agencies can be difficult, and it’s a challenge that is becoming ever more pressing as foreign adversaries continue to use cyber operations for disruption, espionage, and financial gain. The traditional avenues of recruitment and talent development have proven effective, but they may not be enough in the near future. “We need as large a pool of people as possible. Cyberspace is where the nation stores its wealth and treasure. Data science, coding, artificial intelligence, machine learning are all capabilities that we need,” Gen. Paul Nakasone, commander of Cyber Command and director of the National Security Agency, said in a Senate hearing Tuesday.
READ THE STORY: Decipher
Demand for cyber threat intel growing
FROM THE MEDIA: Private sector companies are increasingly asking the federal government for cyber threat intelligence as they seek to shore up their defenses against growing online threats, a White House cyber official told lawmakers on Wednesday. Robert Knake, a U.S. official in charge of budget and policy at the White House’s Office of the National Cyber Director, told a House Homeland Security subcommittee that companies are increasingly pushing for more data from government agencies. “What we’ve heard from every private sector company we talked to is to make sure that we can provide the one thing that private companies can’t do on their own, which is intelligence,” Knake said. “Only the U.S. government can collect intelligence, and only the U.S. government can provide it back. So that’s a major focus of our efforts,” he added. The White House official was testifying before the cybersecurity subcommittee on steps the government can take to strengthen its partnership with the private sector. Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), and Tina Won Sherman, director of homeland security and justice at the Government Accountability Office, also testified. Knake explained that many companies, especially large ones, already have the resources, funds and technical support to defend their networks against cyberattacks, but they have repeatedly emphasized that intelligence from the government would help bolster their systems.
READ THE STORY: The Hill
Ukraine Warns of Cyber attack Aiming to Hack Users' Telegram Messenger Accounts
FROM THE MEDIA: Ukraine's technical security and intelligence service is warning of a new wave of cyber attacks that are aimed at gaining access to users' Telegram accounts. "The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS," the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in an alert. The attacks, which have been attributed to a threat cluster called "UAC-0094," originate with Telegram messages alerting recipients that a login had been detected from a new device located in Russia and urging the users to confirm their accounts by clicking on a link. The URL, in reality a phishing domain, prompts the victims to enter their phone numbers as well as the one-time passwords sent via SMS that are then used by the threat actors to take over the accounts. The modus operandi mirrors that of an earlier phishing attack that was disclosed in early March that leveraged compromised inboxes belonging to different Indian entities to send phishing emails to users of Ukr.net to hijack the accounts.
READ THE STORY: The Hacker News
U.S. says it secretly removed malware worldwide, preempting Russian cyberattacks
FROM THE MEDIA: The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to preempt Russian cyberattacks and send a message to President Vladimir Putin of Russia. The move, made public by Attorney General Merrick Garland, comes as U.S. officials warn that Russia could try to strike American critical infrastructure — including financial firms, pipelines and the electric grid — in response to the crushing sanctions that the United States has imposed on Moscow over the war in Ukraine. The malware enabled the Russians to create "botnets" — networks of private computers that are infected with malicious software and controlled by the GRU, the intelligence arm of the Russian military. But it is unclear what the malware was intended to do, since it could be used for everything from surveillance to destructive attacks. A U.S. official said Wednesday that the United States did not want to wait to find out. Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the FBI disconnected the networks from the GRU's own controllers. "Fortunately, we were able to disrupt this botnet before it could be used," Garland said. The court orders allowed the FBI to go into domestic corporate networks and remove the malware, sometimes without the company's knowledge. President Joe Biden has repeatedly said he would not put the U.S. military in direct conflict with the Russian military, a situation he has said could lead to World War III. That is why he refused to use the U.S. Air Force to create a no-fly zone over Ukraine or to permit the transfer of fighter jets to Ukraine from NATO air bases.
READ THE STORY: Star Tribune
Cryptocurrency-mining AWS Lambda-specific malware spotted
FROM THE MEDIA: Cado Security says it has discovered a strain of malware specifically designed to run in AWS Lambda serverless environments and mine cryptocurrency. The team admitted it doesn't quite know how the software nasty, dubbed Denonia, is deployed, though you're welcome to take a guess. "It may simply be a matter of compromising AWS access and secret keys then manually deploying into compromised Lambda environments," Cado's Matt Muir suggested in a technical write-up on Wednesday. While the security firm has only seen the malware running in AWS Lambda, it can be made to run in other Linux-flavored environments, Cado Security CTO and co-founder Chris Doman told The Register this week. And although Denonia isn't being used, as far as we know, for anything worse than illicit mining activities, "it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks," wrote Muir, who thanked Doman, Al Carchrie and Paul Scott for their help in probing the code.
READ THE STORY: The Register
New threat group underscores mounting concerns over Russian cyber threats
FROM THE MEDIA: As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear. CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organizations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence. Ember Bear is responsible for using the WhisperGate wiper malware against Ukrainian networks in January before Russia invaded Ukraine. The malware masquerades as ransomware but lacks a payment or data recovery mechanism, masking WhisperGate’s true intent, which is the destruction of data. The WhisperGate campaigns began with website defacements containing threatening messages in Ukrainian, Russian and Polish languages. Despite its state-sponsored Russia nexus, Ember Bear differs from its better-known kin such as Fancy Bear or Voodoo Bear because CrowdStrike can’t tie it to a specific Russian organization. Its target profile, assessed intent, and technical tactics, techniques, and procedures (TTPs) are consistent with other Russian GRU cyber operations.
READ THE STORY: CSO Online
Hamas-linked cyber-spies 'target high-ranking Israelis'
FROM THE MEDIA: A prolific Middle East team with links to Hamas is said to be using malware and infrastructure to target high-ranking Israeli officials and steal sensitive data from Windows and Android devices. The advanced persistent threat (APT) group – known by some as APT-C-23, Arid Viper, Desert Falcon, and FrozenCell, among other names – set up an elaborate cyberespionage campaign, spending months rolling out fake Facebook accounts to target specific potential Israeli victims, according to Cybereason's Nocturnus threat intelligence team. "These fake accounts have operated for months, and seem relatively authentic to the unsuspecting user," the security shop's Nocturnus outfit wrote in a report released today. "The operators seem to have invested considerable effort in 'tending' these profiles, expanding their social network by joining popular Israeli groups, writing posts in Hebrew, and adding friends of the potential victims as friends," the researchers found. "Over time, the operators of the fake profiles were able to become 'friends' with a broad spectrum of Israeli citizens, among them some high-profile targets that work for sensitive organizations including defense, law enforcement, emergency services and other government-related organizations."
READ THE STORY: The Register
Items of interest
‘Hit back hard’: Top cyber spy warns Russia not to send Ukraine dark
FROM THE MEDIA: Australia’s top cyber spy has suggested Russia has not launched a major cyber attack on Ukraine because it fears what Western countries such as Australia would do in return. Australian Signals Directorate boss Rachel Noble also confirmed Australia was concerned about China’s “intent and their long-term interests” in the Pacific after revelations of a pending security deal between Beijing and the Solomon Islands. Leading up to Russia’s invasion of Ukraine, there were widespread fears that there would be a major cyber attack to cut off electricity and communications given the nation’s long history of cyber warfare. But this hasn’t materialized, with no significant hack during the invasion that could have sent large parts of the country dark. In an exclusive interview with The Sydney Morning Herald and The Age, Ms Noble warned Russia could still launch a major hack attack against Ukraine. “I wouldn’t easily conclude that because we haven’t seen Russia deploy yet its capabilities, that it doesn’t have the capabilities that could cause such damage,” she said. Ms Noble said Western intelligence agencies had not overestimated Russia’s cyber capabilities, pointing to the SolarWinds attack in 2020 by hackers connected to Russia, which was “incredibly clever”.
READ THE STORY: SMH
Integrated Intelligence (Video)
FROM THE MEDIA: Integrated Intelligence is a presentation about integrating threat intelligence into information / cybersecurity functions that most companies may not currently integrate it with. It is customary for threat intelligence to partner with Vulnerability Management, Security Operations, and Red Teams. However, there is plenty of opportunity for integration with Business Information Security Officers, GRC, Third Party Risk, Architecture, and many others. The goal and purpose of this conversation is to inspire people to think outside of the box when it comes to threat intelligence.
Ukraine sells NFT to support its military (Video)
FROM THE MEDIA: The world's first NFT war museum opened to support Ukraine. The Ukrainian government decided to raise money by converting the timeline of the ongoing Russian invasion into NFTs and selling them. The museum raised more than $600,000 in donations for Ukraine on the first day of the virtual exhibition sale. A total of 1282 digital works were purchased. Funds raised will go to a cryptocurrency fund set up by Ukrainian cryptocurrency exchange KUNA to support the Ukrainian military and digital and cyber resistance.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com