Friday, April 8, 2022 // (IG): BB //Weekly Sponsor: Cloakedentryco
FBI disrupts Russian state-controlled network of hacked computers
FROM THE MEDIA: The FBI has removed malware from a network of hacked devices, which infected thousands of systems worldwide under the control of the Russian state-sponsored threat actor known as Sandworm. The U.S. Department of Justice announced on Wednesday the court-authorized disruption, carried out in March, of the so-called "botnet," a network of devices infected by malware and controlled by an attacker (the Cyclops Blink network covered in the Security Boulevard item below). "The court-authorized removal of malware deployed by the Russian GRU (foreign military intelligence agency) demonstrates the department's commitment to disrupt nation-state hacking using all of the legal tools at our disposal," Assistant Attorney General Matthew G. Olsen, of the Justice Department's National Security Division, said in a statement. "By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country's cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes."
READ THE STORY: UPI
Microsoft Obtains Court Order to Take Down Domains Used to Target Ukraine
FROM THE MEDIA: Microsoft on Thursday disclosed that it obtained a court order to take control of seven domains used by APT28, a state-sponsored group operated by Russia's military intelligence service, with the goal of neutralizing its attacks on Ukraine. "We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium's current use of these domains and enable victim notifications," Tom Burt, Microsoft's corporate vice president of customer security and trust, said. APT28, also known by the names Sofacy, Sednit, Pawn Storm, Fancy Bear, Iron Twilight, and Strontium, is a cyber espionage group and an advanced persistent threat that's known to be active since 2009, striking media, governments, military, and international non-governmental organizations (NGOs) that often have a security focus. The tech giant noted that the seized domains had been used by the threat actor to target Ukrainian institutions as well as governments and think tanks in the U.S. and the European Union so as to maintain long-term persistent access and exfiltrate sensitive information.
READ THE STORY: The Hacker News
Facebook says Ukraine military accounts were hacked to post calls for surrender
FROM THE MEDIA: Facebook today reported an increase in attacks on accounts run by Ukraine military personnel. In some cases, attackers took over accounts and posted "videos calling on the Army to surrender," but Facebook said it blocked sharing of the videos. Specifically, Facebook owner Meta's Q1 2022 Adversarial Threat Report said it has "seen a further spike in compromise attempts aimed at members of the Ukrainian military by Ghostwriter," a hacking campaign that "typically targets people through email compromise and then uses that to gain access to their social media accounts across the Internet." Ghostwriter has been linked to the Belarusian government. "Since our last public update [on February 27], this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel," Meta wrote today. Ghostwriter successfully hacked into the accounts in "a handful of cases" in which "they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners. We blocked these videos from being shared." In its February 27 update, Meta said it detected Ghostwriter's "attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender." Meta said it had "taken steps to secure accounts that we believe were targeted by this threat actor" and "blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts." But Ghostwriter continued its operations and hacked into accounts of Ukrainian military personnel, as previously mentioned.
READ THE STORY: Arstechnica
US Cyber Command reinforces Ukraine and allies amid Russian onslaught
FROM THE MEDIA: U.S. Cyber Command has played a pivotal role in shielding networks and critical infrastructure stateside and abroad in the run up to and during Russia’s attack on Ukraine, its leader told Congress this week. Along with tasking teams with identifying cyber vulnerabilities and threats — operations that have since “bolstered the resilience of Ukraine” and others — the command has gleaned and shared intelligence, worked hand-in-glove with U.S. government and industry, and pursued extensive contingency planning, Gen. Paul Nakasone said April 5. “In conjunction with interagency, private sector and allied partners, we are collaborating to mitigate threats to domestic and overseas systems,” he continued in written testimony provided to the Senate Armed Services Committee. In Ukraine, specifically, Cyber Command has provided remote analytic support and conducted network defense activities, Nakasone testified. The general is also the director of the National Security Agency. Senate Armed Services Committee Chairman Jack Reed and Sen. Mazie Hirono on Tuesday applauded Cyber Command’s ongoing efforts and its earlier exposure of Russian plans. “That was very helpful to enable all of us to be much better prepared for this sudden, terrible war that is happening in the Ukraine,” said Hirono, a Hawaii Democrat. Russia’s latest invasion of Ukraine, which began in earnest Feb. 24, was preceded by a flurry of cyberattacks. They continue to this day, according to the Ukrainian government, with communications systems and other infrastructure as primary targets. The State Service of Special Communication and Information Protection of Ukraine on March 29 declared “cyberwar is underway,” noting “cyberoffenders keep on attempting to cause harm to Ukraine’s information infrastructure or to collect important information.”
READ THE STORY: C4ISRNET
Suspected China-backed hackers target seven Indian electricity grid centers
FROM THE MEDIA: China on Thursday denied any connection to cyberattacks targeting seven facilities managing the electricity grid in Northern India after a new report from Recorded Future implicated a group potentially connected to the country's military. Recorded Future, which owns The Record, said it observed "likely network intrusions targeting at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch" near the disputed India-China border in Ladakh. Because SLDCs run the grid's real-time operations, they are the point of access to the supervisory control and data acquisition (SCADA) systems that control it. The company added that it also "identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group." China and India, the two countries with the largest populations in the world, have been engaged in a border conflict since 2020, when there were brief skirmishes in the Himalayan region of Ladakh. At least four Chinese soldiers and 20 Indian soldiers were killed in the fighting. The Foreign Ministry offices for India and China did not respond to requests for comment, but a reporter for Bloomberg asked Foreign Ministry spokesperson Zhao Lijian about the report during a press conference on Thursday.
READ THE STORY: The Record
A new malware FFDroider is hacking social media accounts by stealing browser data
FROM THE MEDIA: A newly documented Windows information stealer, FFDroider, harvests the credentials and cookies that web browsers save on disk and uses them to take over social media accounts. Verified accounts are the most valuable targets: their reach makes them useful for cryptocurrency scams and for distributing further malware, and accounts with advertising access can be abused to run fraudulent ads on the platform. According to a detailed report from Zscaler, FFDroider is distributed the way most commodity malware is, bundled with cracked games, applications and free software downloaded from torrent sites. When the bundled installer runs, the malware is installed alongside it, disguised as the Telegram desktop app to avoid suspicion. On launch it creates a file named "FFDroider", which is where the name comes from. The researchers found that it specifically targets cookies and credentials stored by Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge. For Chromium-based browsers it reads the SQLite cookie database and decrypts the entries by abusing the Windows Crypt API function CryptUnprotectData, which will happily decrypt any DPAPI-protected blob for the user in whose context the malware is running, so the browser's at-rest encryption offers no protection against same-user malware. The procedure is similar for the other browsers, except that for Edge and Internet Explorer it calls the WinINet functions InternetGetCookieExW and IEGetProtectedModeCookie to pull cookies straight from the browser's own store.
READ THE STORY: Digital Information World
Actions Target Russian Govt. Botnet, Hydra Dark Market
FROM THE MEDIA: The U.S. Federal Bureau of Investigation (FBI) says it has disrupted a giant botnet built and operated by a Russian government intelligence unit known for launching destructive cyberattacks against energy infrastructure in the United States and Ukraine. Separately, law enforcement agencies in the U.S. and Germany moved to decapitate “Hydra,” a billion-dollar Russian darknet drug bazaar that also helped to launder the profits of multiple Russian ransomware groups. FBI officials said Wednesday they disrupted “Cyclops Blink,” a collection of compromised networking devices managed by hackers working with the Russian Federation’s Main Intelligence Directorate (GRU). A statement from the U.S. Department of Justice (DOJ) says the GRU’s hackers built Cyclops Blink by exploiting previously undocumented security weaknesses in firewalls and routers made by both ASUS and WatchGuard Technologies. The DOJ said it did not seek to disinfect compromised devices; instead, it obtained court orders to remove the Cyclops Blink malware from its “command and control” servers — the hidden machines that allowed the attackers to orchestrate the activities of the botnet. The FBI and other agencies warned in March that the Cyclops Blink malware was built to replace a threat called “VPNFilter,” an earlier malware platform that targeted vulnerabilities in a number of consumer-grade wireless and wired routers. In May 2018, the FBI executed a similar strategy to dismantle VPNFilter, which had spread to more than a half-million consumer devices. On April 1, ASUS released updates to fix the security vulnerability in a range of its Wi-Fi routers.
READ THE STORY: Security Boulevard
2 alleged Pakistani spies in US try to hack President's secret service, arrested
FROM THE MEDIA: The United States on Thursday busted an alleged ISI cell trying to intrude into the American intelligence and security apparatus, including its high profile Secret Service, which is in charge of the security of the President. Arian Taherzadeh, 40, and Haider Ali, 35, were arrested by the FBI in Southeast Washington on Wednesday on a criminal complaint charging them with the federal offence of False Impersonation of an Officer of the United States. Four members of the Secret Service have been placed on administrative leave. During their court appearance on Thursday, Assistant US Attorney Joshua Rothstein told Magistrate Judge G Michael Harvey in the US District Court for the District of Columbia that Ali had told witnesses that he was affiliated with the Inter-Services Intelligence agency in Pakistan. Ali also had multiple visas from Pakistan and Iran, federal law enforcement officials said. “We have not verified the accuracy of his claims but Ali made claims to witnesses that he had ties to ISI which is the Pakistani intelligence service,” Rothstein told the judge. Taherzadeh and Ali attempted to use their false and fraudulent affiliation with the Department of Homeland Security to ingratiate themselves with members of federal law enforcement and the defense community.
READ THE STORY: Tribune India
A New Battlefront: Ukraine Resistance Includes Leaks of Russian Trade Secrets
FROM THE MEDIA: In addition to conventional warfare, it was recently confirmed by an arm of the Ukraine Ministry of Defense that it hacked trade secrets from a Russian state nuclear utility, and then leaked the trade secrets to a public website to harm the utility’s commercial prospects. Such “hack and leak” operations have been done before by nation-affiliated hackers to attempt to influence political activities of other nations, but this may be the first operation of this type concerning technical trade secrets during warfare. Although the economic impact from this particular operation may be difficult to gauge at this time, this hack and leak of nation state-affiliated company trade secrets may be a sign of things to come in future armed conflicts. Recent reports indicate that the Ukrainian government has teamed up with groups of volunteer hackers; not to topple the infrastructure of Russia, but rather to demonstrate to Russia that they have a collective ability to perform overt acts of cyber resistance concerning Russian-affiliated companies’ intellectual property. In a recent report, the Main Intelligence Department of the Ministry of Defense of Ukraine (GURMO), together with a volunteer team of hackers, hacked into the Beloyarsk nuclear power plant to obtain valuable trade secret information on fast breeder reactor technology. This Russian nuclear power plant houses the only operating commercial-scale fast breeder reactor in the world. This technology reportedly significantly reduces, if not eliminates, the amount of nuclear waste from a nuclear power plant. The Russian fast breeder technology, embodied in the Beloyarsk nuclear power plant, has been kept as a trade secret by the Russian state nuclear utility Rosenergoatom.
READ THE STORY: Lexology
How to stop an Iranian cyber Armageddon in Israel
FROM THE MEDIA: Wednesday's news that Hamas's offensive cyber social engineering strategies against Israel have grown more sophisticated was just the tip of the iceberg of threats Jerusalem faces, compared to, say, the Iranian threat, especially after new cyberweapons have been used in Russia's invasion of Ukraine. A quick anecdote illustrates how big the consequences are for the cyberwar with the Islamic Republic and how fast it moves. It was late October and an official from the Israel National Cyber Directorate (INCD) warned Cyberserve, an online domain provider for a plethora of Israeli companies, on a Thursday that they were imminently in danger of being hacked by Iran-affiliated groups. Despite the INCD official repeatedly insisting that Cyberserve (which provided a domain to the LGBT website Atraf, among many others) plug holes in its cyberdefenses immediately, the private sector cyber defender official said he would get to it on Sunday due to his weekend plans. By Sunday, Cyberserve and Atraf had become the black eye of cyberdefense train wrecks in Israel, with mayhem created by sensitive and intimate personal details leaked online.
READ THE STORY: JPOST
How do China's cyber-spies snoop on governments, NGOs? Probably like this
FROM THE MEDIA: A China-backed crew is said to be running a global espionage campaign against governments, religious groups, and non-governmental organizations (NGOs) by, in some cases, possibly exploiting a vulnerability in Microsoft Exchange servers. Symantec's Threat Hunter Team said the campaign, which aims to spy on targeted victims and steal information, likely started in mid-2021, with the most recent activity detected in February. It may still be going on, the researchers observed in a report this week. The Threat Hunter Team is attributing the attacks to Cicada, also known as APT10, a group that has been operating for more than a decade and that intelligence agencies in the US have linked to China's Ministry of State Security. The researchers are pointing at Cicada because a custom loader and custom malware that have been used exclusively by the group were found in victims' networks. The attacks have hit countries all over the world, including the United States, Canada, Italy, India, and Hong Kong.
READ THE STORY: The Register
Items of interest
India Claims It Foiled Chinese Cyber-Attack on Disputed Border
FROM THE MEDIA: India on Thursday claimed it foiled an attempted cyber-attack by Chinese hackers targeting its power distribution system near a disputed frontier where the two countries are engaged in a military stand-off. Ties between the world’s two most populous nations are at a low ebb after a deadly skirmish in the Himalayan region of Ladakh that left at least 20 Indian and four Chinese soldiers dead in 2020. “Two attempts by Chinese hackers were made to target electricity distribution centers near Ladakh but were not successful,” power minister R.K. Singh told reporters in New Delhi. Singh added that India had deployed “defense systems” to counter such attacks. New Delhi’s claim came a day after US-based intelligence firm Recorded Future said suspected Chinese hackers had made at least seven attempts to target Indian power infrastructure in recent months. The attacks targeted infrastructure “responsible for carrying out real-time operations for grid control and electricity dispatch”, the group reported. “This targeting has been geographically concentrated… in north India, in proximity to the disputed India-China border in Ladakh.” Recorded Future said it had alerted Indian officials before publishing the report but did not specify the scale of the alleged attacks, nor whether they were successful.
READ THE STORY: The Defense Post
China's virtual attack on Indian power sector; Hackers target grids to collect intel near Ladakh (Video)
FROM THE MEDIA: Suspected state-sponsored Chinese hackers have targeted the power sector in India in recent months as part of an apparent cyber-espionage campaign, the threat intelligence firm Recorded Future Inc. said in a report published Wednesday. Bloomberg reported that the hackers focused on at least seven "load dispatch" centers in northern India that are responsible for carrying out real-time operations for grid control and electricity dispatch in the areas they serve, near the disputed India-China border in Ladakh.
How China Uses Cyber Warfare And Its Hacker Army Against India (Video)
FROM THE MEDIA: This is the age of cyber warfare, in which armies of hackers launch daily cyber attacks on each other, triggering blackouts, switching off petrochemical lines, erasing critical data and much more. While the two big players, Russia and the US, play this game openly, the silent player in this cyber warfare is China, and its target is India.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com