Saturday, February 26, 2022 // (IG): BB // Weekly Sponsor: ISG
Hacking forum Raidforums.com allegedly seized by authorities
FROM THE MEDIA: The official domain of the infamous cybercrime marketplace and hacking forum Raidforums.com has allegedly been seized by unknown authorities. Raidforums.com is one of the largest clearnet hacking forums: it offers stolen databases, login credentials, adult content, and hacking tools for free download. For instance, LinkedIn’s scraped databases containing billions of user records were leaked on Raidforums.com, and Facebook’s database of 500 million scraped users from 106 countries was also leaked on the same forum for free. Some hackers sell databases depending on the value of the targeted company; however, the forum’s popularity came mainly from leaking and downloading stolen databases for free.
READ THE STORY: Hackread
A QUICK LOOK:
Conti ransomware gang backs Russia, vows retaliation for ‘war activities’ against Moscow
FROM THE MEDIA: Two ransomware groups have endorsed Russia’s attack on Ukraine, with one promising to retaliate against any nation that takes action against Moscow. According to Brett Callow, a Canadian-based threat analyst for Emsisoft, the Conti gang made the retaliation statement on its data leak site, which it uses to show proof of hacks and data thefts. “The Conti Team is officially announcing a full support of Russian government,” the statement says. “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all of our possible resources to strike back at the critical infrastructure of an enemy.” In addition, Callow said, the CoomingProject gang issued this statement: “Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia.” Conti has been known for bold words. When U.S. government authorities went after the REvil ransomware gang, Conti protested against the “unilateral, extraterritorial and bandit mugging behavior of the United States in world affairs” and complained about the “Neo-fascist alliance between the US and EU kleptocracies.”
READ THE STORY: IT World Canada
Cuba Ransomware Exploits Microsoft Exchange Flaws
FROM THE MEDIA: The Cuba ransomware, known for impacting dozens of organizations globally including critical infrastructure, has over the past year started targeting Microsoft Exchange vulnerabilities in order to gain initial access. The ransomware, which is known for encrypting the files on compromised networks with the “.cuba” extension, has previously been distributed via the Hancitor malware, a loader known for executing second-stage malware onto victim networks, including stealers, remote access trojans (RATs) and ransomware. In order to gain initial access, the malware leverages phishing emails or compromised credentials. However, researchers with Mandiant have observed that as early as August the attackers behind the ransomware started directly targeting the ProxyShell and ProxyLogon flaws, rather than being deployed via the loader. “Shifting towards vulnerabilities for initial access could offer threat actors more accurate targeting and higher success rates when compared to malicious email campaigns, which rely more on uncontrollable factors, such as victims’ interacting with malicious links or documents,” said Tyler McLellan, Joshua Shilko and Shambavi Sadayappan, with Mandiant, in an analysis this week. "As the number of vulnerabilities identified and publicly disclosed continues to increase year after year, Mandiant has also observed an increase in the use of vulnerabilities as an initial compromise vector by ransomware threat actors including utilizing both zero-day and n-day vulnerabilities in their activity."
READ THE STORY: DUO
Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store
FROM THE MEDIA: A new malware capable of controlling social media accounts is being distributed through Microsoft's official app store in the form of trojanized gaming apps, infecting more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda, and Spain. Israeli cybersecurity company Check Point dubbed the malware "Electron Bot," in reference to a command-and-control (C2) domain used in recent campaigns. The identity of the attackers is not known, but evidence suggests that they could be based out of Bulgaria. "Electron Bot is a modular SEO poisoning malware, which is used for social media promotion and click fraud," Check Point's Moshe Marelus said in a report published this week. "It is mainly distributed via the Microsoft store platform and dropped from dozens of infected applications, mostly games, which are constantly uploaded by the attackers." The first sign of malicious activity commenced as an ad clicker campaign that was discovered in October 2018, with the malware hiding in plain sight in the form of a Google Photos app, as disclosed by Bleeping Computer. In the years since, the malware is said to have undergone numerous iterations that equip the malware with new features and evasive capabilities. In addition to using the cross-platform Electron framework, the bot is designed to load payloads fetched from the C2 server at run time, making it difficult to detect.
READ THE STORY: THN
Russia-Ukraine war: Anonymous hackers launch cyberwar against Russia taking down government websites
FROM THE MEDIA: British Airways said "significant technical issues" had resulted in a number of flight cancellations and disruption across its operation on Friday. The airline said the problem, which was affecting its website, app, and airport operations, had not been caused by a cyber attack. "We are experiencing significant technical issues this evening which are affecting the running of our operation and regrettably has led to the cancellation of a number of flights," it said in a statement. It was working to get as many flights away as possible, it said, and customers on flights that had not been cancelled could still check in at the airport. The airline, owned by IAG (ICAG.L), was hit by a major computer system failure in 2017 that stranded 75,000 passengers over a holiday weekend, sparking a public relations disaster and pledges from the carrier that it would do better in future. Users on Twitter posted messages on Friday asking BA when the problem would be fixed, with one customer showing a video of lengthy queues at check-in for what he said was a Miami to London flight, while another user posted pictures of blank screens. BA and Virgin Atlantic began routing flights around Russian airspace on Friday after London and Moscow banned each other's airlines in tit-for-tat retaliation over the Ukraine invasion. Britain's National Cyber Security Centre (NCSC), a part of the GCHQ eavesdropping intelligence agency, had warned companies and organizations to bolster their online defenses against cyber attacks after Russia invaded Ukraine.
READ THE STORY: Reuters
Russia-linked hacker gang launches ransomware attack on McDonald's: CISA issue 'shields up' alert for ALL American companies to 'prepare for disruptive cyber activity’
FROM THE MEDIA: A ransomware group linked to Russia has claimed a cyberattack on McDonald's Corporation, as federal officials warn of potential widespread targeting of US businesses after Russia's unprovoked invasion of Ukraine. The hacker gang Snatch on Friday claimed to have stolen 500 gigabytes of data from the fast-food giant headquartered in Chicago, posting their demand for an undisclosed ransom on the dark web. A McDonald's spokesperson did not immediately respond to a request for comment from DailyMail.com. The iconic company, which signifies America's economy and culture around the world with more than 38,000 locations in 100 countries, has a market capitalization of $186 billion. The purported McDonald's breach comes as the US Cybersecurity and Infrastructure Security Agency issues a 'shields up' alert to all American businesses and organizations, urging them to take measures to protect themselves from potential Russian cyberattack. The group behind the Snatch ransomware refer to themselves as the 'Snatch Team' and all appear to be Russian-speaking, according to a 2019 report from security firm Sophos. The report said that the group behind the ransomware appeared to have been active since the summer of 2018, though they have maintained a fairly low profile, executing few headline-making breaches. The malware used by the hacker gang is highly sophisticated, and operates by rebooting victim computers in Safe Mode, in which most security measures are deactivated.
READ THE STORY: DailyMail
Nvidia confirms cyber incident
FROM THE MEDIA: America’s biggest microchip company is investigating a potential cyber attack that has taken parts of its business offline for two days, The Telegraph can reveal. Nvidia’s email systems and developer tools are understood to have been suffering from outages over the last two days, after what is believed to have been a malicious network intrusion. The suspected hack comes amid Russian cyberwarfare against Ukraine and heightened security concerns about attacks on the West in retaliation for hitting the Kremlin with sanctions. There is no evidence linking Nvidia’s outages to the conflict. An Nvidia spokesman said: “We are investigating an incident. We don’t have any additional information to share at this time.” The intrusion was described by one insider as having “completely compromised” the company’s internal systems, although some email services were working on Friday. It is unclear if any data has been stolen or deleted from Nvidia or from its customers, or if the attack has merely disrupted its systems, and customers said they had not been informed of any incident. The company is not yet believed to have identified a culprit. Nvidia, based in Silicon Valley, is worth over $600bn, putting it among the world’s most valuable corporations. It is best known for graphics processing units, which power video games and advanced computer simulations. However, the chips are also central to artificial intelligence programs and robotics, making them of growing national security importance.
READ THE STORY: AXIOS // The Telegraph // SFGATE
Russia Sanctions May(WILL) Spark Escalating Cyber Conflict
FROM THE MEDIA: President Biden joined European leaders this week in enacting economic sanctions against Russia in response to its invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure. Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia. The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPetya event — basically some type of cyber weapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely used piece of hardware or software. Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak. “The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”
READ THE STORY: Krebs on Security
Iran-backed hackers now active to deliver ransomware globally
FROM THE MEDIA: As Russia goes to war against Ukraine, hackers linked to the Iranian Ministry of Intelligence and Security are exploiting bugs to conduct cyber espionage and other malicious attacks against organizations globally, including in Asia, the US and the UK, cyber and law enforcement authorities have warned. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater. "It is conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organisations across sectors - including telecommunications, defense, local government, and oil and natural gas - in Asia, Africa, Europe, and North America," the agencies said in a statement late on Thursday. According to CISA, the aim of the attacks is to gain access to networks to steal passwords and sensitive information "to share these with other malicious cyber actors". MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
READ THE STORY: CIO
Will 2022 Be the Year of the DDoS Attack?
FROM THE MEDIA: During the last quarter of 2021, there was a huge rise in the number of DDoS attacks. After the huge leap in the rates of malware cases starting in 2020, it’s time to ask if 2022 is going to be the year of the DDoS attack. In today’s article, we’ll discuss the possibility of a 2022 DDoS spike, and how to protect yourself and your business.
What is a DDoS Attack? DDoS stands for Distributed Denial of Service and is a modern variant of the broader denial of service (DoS) attack. A denial of service attack is a type of cyber attack where hackers attempt to take down a site or service and make it unavailable to its intended userbase. DDoS attacks seek to take down a service by flooding the target with traffic from many different sources at once. This style of attack using multiple sources is where the distributed part of the acronym comes from. Part of the reason these attacks are so dangerous is that they’re hard to stop with traditional methods. Because a DDoS attack comes from many sources, you cannot block a single source to prevent it.
According to Cloudflare, a company that provides DDoS mitigation services, the number of DDoS attacks has increased rapidly over the past year. From Q3 to Q4 of 2021, there was a 175% increase in the number of DDoS attacks. Even more alarmingly, these attacks are commonly followed by ransom demands. 1 in 3 of the victims surveyed in December 2021 said they had been targeted by DDoS attacks with extracting ransom as the primary goal. Q4 of 2021 saw the highest ever number of ransom demands associated with DDoS attacks of all time.
READ THE STORY: Protocol
AI thinkers grapple with modern war
FROM THE MEDIA: AI eggheads try to solve the Ukraine question — on Twitter
In a world in which banks tell us that buying something with the right carbon-offset credit card can cure climate change, it comes as no surprise that AI researchers think AI can solve entrenched geopolitical conflicts like what’s happening in Ukraine right now. And of course, that conversation has been happening on Twitter. Nando de Freitas, a machine-learning researcher at Google’s DeepMind, posed a question to the Twitterverse on Thursday: “What role can the AI community play in a world where bullies attack peaceful democratic countries and threaten the world? I’m really curious to hear from everyone.” Putting aside the question of whether or not “peaceful democratic countries” can be bullies themselves, de Freitas got a handful of responses from techno-optimists who see potential solutions AI could create to tackle these threats.
READ THE STORY: Protocol
Items of interest
Russia appears to deploy digital defenses after DDoS attacks (Article)
FROM THE MEDIA: The conflict online is mirroring the conflict offline: Amid Russia’s invasion of Ukraine, attacks and defense are being deployed in cyberspace. The Russian government appears to have deployed a digital drawbridge to protect websites, the Ukrainian government has issued a call to arms among local hackers, and alleged hacktivists have claimed credit for knocking the website of Russian state-run news service RT News offline. On Thursday, Russian government websites went dark to some parts of the world after being targeted with a flood of web traffic via a distributed denial-of-service (DDoS) attack attempting to knock them offline. It’s unclear who directed the attack or if it was successful in disrupting the sites. However, cybersecurity researchers say the Russian government appears to be deploying a defensive technical measure known as geofencing to block access to certain sites it controls, including its military website, from areas outside Russia’s sphere of influence—complete with a joking nod to internet infrastructure.
READ THE STORY: The Record
Cloudflare mitigated 2 Tbps DDoS attack, the largest attack explainer (Video)
FROM THE MEDIA: Cloudflare, Inc., a web infrastructure and website security firm based in the United States, stated that it had mitigated a distributed denial-of-service (DDoS) attack that peaked at just under 2 terabits per second (Tbps), the largest attack Cloudflare has encountered to date. A botnet of roughly 15,000 bots carried out the attack, which combined DNS amplification and UDP flooding. The botnet consisted of compromised IoT devices and unpatched GitLab instances running a variant of the original Mirai code. It was a multi-vector assault that incorporated DNS amplification and UDP floods, and the whole thing lasted only about a minute. Internet backbone DDoS attacks climbed by 44 percent quarter over quarter, according to Cloudflare's Q3 DDoS Trends report. The company declared in August that it had successfully mitigated the largest volumetric HTTP DDoS attack to date: the malicious traffic hit a new high of 17.2 million requests per second (rps), three times the volume of any previous HTTP DDoS attack. Microsoft reported in October that its Azure cloud service had successfully mitigated a 2.4 terabits per second (Tbps) DDoS attack at the end of August, making it the largest DDoS attack ever recorded. The attack targeted an Azure customer in Europe, although Microsoft would not reveal the victim's name. Before that, the largest DDoS attack affecting Azure customers was a 1 Tbps attack seen by analysts in August 2020.
Implications of Ukrainian DDoS Attacks (Video)
On Security Now, Leo Laporte and Steve Gibson consider the implications of the technology behind last week's denial of service attacks on some of Ukraine's critical infrastructure.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com