Wednesday, March 30, 2022 // (IG): BB //Weekly Sponsor: DiyGarage SoCal
Mars Stealer malware pushed via OpenOffice ads on Google
FROM THE MEDIA: A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it. Mars Stealer emerged as a redesign of the Oski malware, whose development shut down in 2020, and features extensive info-stealing capabilities targeting a broad spectrum of apps. Promoted on hacking forums at affordable prices in the range of $140-$160, Mars Stealer grew slowly until recently, when the abrupt shutdown of Raccoon Stealer forced cybercriminals to seek alternatives. Mars Stealer was overwhelmed by an influx of new users, as the service operates similarly to how Raccoon used to run, so it is about to become the springboard for numerous new campaigns. Threat analysts at Morphisec report having spotted several of these new campaigns, including one using a cracked version of the malware that circulates with instructions on how to use it. A new Mars Stealer campaign uncovered by Morphisec is using Google Ads to rank cloned OpenOffice sites high in Canadian search results.
READ THE STORY: Bleeping Computer
Surveillance software firm FinFisher declares insolvency
FROM THE MEDIA: Munich-based spyware company FinFisher declared insolvency last month, Bloomberg and Netzpolitik reported Monday, amid an ongoing investigation into its business dealings. The controversial firm was accused of selling surveillance spyware to repressive regimes to target dissidents, activists, and journalists. “FinSpy,” the company’s most profitable spyware, has been monitored by the German government and human rights organizations for years. German officials launched an investigation into FinFisher in 2019 after a number of NGOs filed a criminal complaint claiming that FinSpy was sold to the Turkish government — without the legal documentation required to do so — and used in a 2017 Turkish operation that preyed on anti-government protestors. The complaint, filed by Reporters Without Borders, Netzpolitik, the Society for Civil Rights, and the European Center for Constitutional and Human Rights, accused FinFisher of failing to abide by European export regulations, including the requirement to obtain a permit from the Federal Office of Economics and Export Control (BAFA) for trade with non-EU countries. The spyware is highly invasive, essentially offering its users an all-access pass to a chosen target’s device, including chat and phone call conversations, and to the device’s camera and microphone.
READ THE STORY: The Record
Mutating Verblecon malware in illicit crypto mining
FROM THE MEDIA: Internet fiends are using a relatively new piece of malicious code dubbed Verblecon to install crypto miners on infected computers. The mutating malware attempts to evade detection by antivirus tools and similar defenses, which would be bad news all round if the software were used to deploy more destructive payloads — and the crooks using Verblecon may not realize the loader's full potential. "The activity we have seen carried out using this sophisticated loader indicates that it is being wielded by an individual who may not realize the capabilities of the malware they are using," Symantec's threat hunting team warned today. "However, if it fell into the hands of a more sophisticated actor the potential is there for this loader to be used for more serious attacks, including potentially ransomware and espionage campaigns." Security analysts at Symantec, now a division of Broadcom Software, say they discovered Verblecon in January being used to install miners and potentially steal access tokens for the chat app Discord. The Java-based malware uses server-side polymorphism, which helps it evade detection: through encryption and obfuscation, Verblecon changes its appearance to security scanners every time it is downloaded, so signature-based tools that matched an earlier sample may not recognize the next one.
READ THE STORY: The Register
Ronin Network Ethereum theft is ‘largest-ever DeFi exploit,’ investigator says
FROM THE MEDIA: The $620 million stolen from Sky Mavis’ Ronin Network — mostly in Ethereum (ETH) cryptocurrency — ranks as the largest decentralized finance (DeFi) theft in history, according to a firm that is investigating the incident. Sky Mavis disclosed Tuesday that the Ronin Network, which supports its Axie Infinity game, has been hacked. The thieves stole 173,600 ETH, equivalent to $594.6 million, along with $25.5 million in U.S. dollars, for a total of $620 million in stolen funds. Chainalysis, which offers crypto compliance and investigation software, said on Twitter that the theft amounts to the “largest-ever DeFi exploit.” “We can confirm Chainalysis is tracking the funds on their behalf,” the company said. “This is an active investigation and we will provide updates when possible.” VentureBeat has reached out to Chainalysis for any further available details on the investigation. Cryptocurrency intelligence firm Blockchain Intelligence Group said in an email that among the stolen funds, 4,970 ETH ($16.9 million) “has already moved to exchanges,” as of noon PST Tuesday.
READ THE STORY: Venture Beat
VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations
FROM THE MEDIA: VMware on Tuesday announced the availability of patches for a vCenter Server vulnerability that could facilitate attacks against many organizations. The vulnerability, tracked as CVE-2022-22948, is described as an information disclosure issue caused by improper file permissions. The flaw was reported to the virtualization giant by Pentera, a company that helps organizations reduce their cyber exposure. Pentera on Tuesday disclosed the details of the security hole, warning that while CVE-2022-22948 may not seem very dangerous — it has been assigned a “moderate severity” rating — it can be chained with other vulnerabilities for a complete server takeover. For example, an attacker can obtain initial access to an endpoint hosting a vCenter Server client by exploiting CVE-2021-21972, a flaw that has been used by malicious actors since at least the spring of 2021. Once they have gained initial access, attackers can exploit the newly disclosed vulnerability to extract sensitive information. Specifically, an attacker can exploit CVE-2022-22948 to obtain the credentials for a high-privilege account that can be used to take complete control of the server.
READ THE STORY: Security Week
Australia Sends a $7.5 Billion Cyber Signal to China
FROM THE MEDIA: With no land borders and one of the world’s longest coastlines, Australia is a particularly challenging place to invade, or defend. But the internet changes that equation by making the nation more vulnerable to threats in cyberspace than on the battlefield. So the government is stepping up, with China clearly at the top of mind. A new A$10 billion ($7.5 billion) spending package unveiled Tuesday for the Australian Signals Directorate over a decade is a massive increase for the Defense Department’s unit in charge of signals intelligence and cybersecurity. The funds will help the division double in size and triple its offensive capabilities. A further A$38 billion was outlined to boost the nation’s defense force. Dubbed REDSPICE — Resilience, Effects, Defense, Space, Intelligence, Cyber, Enablers — the program’s acronym is a clumsy dig at China, but the target is clear. “It responds to the deteriorating strategic circumstances in our region, characterized by rapid military expansion, growing coercive behavior and increased cyber attacks,” the ASD said in a statement. The announcement, part of the center-right Liberal government’s annual budget, comes less than two months before Prime Minister Scott Morrison must call a federal election and says a lot about the signal he wants to send both to Beijing and to his own electorate. The spending bill as a whole — which includes cuts in fuel taxes and one-off cash payments to families — is seen as a desperate attempt by Morrison to buy voter support amid a slide in popularity. It will be largely funded by an increase in tax revenues driven by rising commodity prices.
READ THE STORY: Washington Post
Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
FROM THE MEDIA: SentinelOne this week detailed a handful of bugs, including two critical remote code execution vulnerabilities, that it found in Microsoft Azure Defender for IoT. These security flaws, which took six months to address, could have been exploited by an unauthenticated attacker to compromise devices and take over critical infrastructure networks. Microsoft Azure Defender for IoT is supposed to detect and respond to suspicious behavior, highlight known vulnerabilities, and manage patching and equipment inventories for Internet-of-Things and industrial control systems. Energy utilities and other customers can deploy the product on-premises and for Azure-connected devices. The five vulnerabilities have since been patched, and neither Microsoft nor SentinelOne's research arm is aware of any in-the-wild abuse. However, they highlight the challenges in securing aging operational technology networks, and the expanding attack surface that the growing number of IoT devices enables. "Successful attack may lead to full network compromise, since Azure Defender For IoT is configured to have a TAP (Terminal Access Point) on the network traffic," according to a technical analysis by SentinelLabs' Kasif Dekel and independent researcher Ronen Shustin. "Access to sensitive information on the network could open a number of sophisticated attacking scenarios that could be difficult or impossible to detect."
READ THE STORY: The Register
'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
FROM THE MEDIA: As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how: by sabotaging one of the most formidable ransomware gangs in Russia. Four days into Russia's invasion, the researcher began publishing the biggest leak ever of files and data from Conti, a syndicate of Russian and Eastern European cybercriminals wanted by the FBI for conducting attacks on hundreds of US organizations and causing millions of dollars in losses. The thousands of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage. The Ukrainian computer specialist behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.
READ THE STORY: CNN
Hackers Are Impersonating Police to Subpoena People’s Data
FROM THE MEDIA: In recent years, it has become alarmingly routine for law enforcement agencies to subpoena tech platforms for user data, a practice that some critics see as an invasive privacy violation. Criminals are taking note, and now they are doing it, too. Security blogger Brian Krebs reports that hackers have been hijacking law enforcement email accounts and using them to submit phony data demands to tech companies. The ploy has been working: hoodwinked firms have handed over troves of user information to crooks by accident. Krebs details a recent incident in which cybercriminals took over the email account of an unnamed law enforcement agency. The hackers then used the account to submit a data request to the chat platform Discord, asking for information on an 18-year-old user from Indiana. Discord fell for it and handed over the data. “This tactic poses a significant threat across the tech industry,” a Discord representative told Gizmodo. Discord confirmed that the company had mistakenly provided data to a “malicious actor” using a police officer’s compromised email account: “We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies. We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”
READ THE STORY: Gizmodo
4,000 letters and four hours of sleep: Ukrainian leader wages digital war
FROM THE MEDIA: Weeks after Russia invaded, Ukraine’s youngest cabinet minister launched a complaint against the Chinese drone company DJI, claiming that Russia’s military was using its popular technology to target missile attacks. “@DJIGlobal are you sure you want to be a partner in these murders?” tweeted Mykhailo Fedorov, Ukraine’s minister of digital transformation. “Block your products that are helping Russia to kill the Ukrainians!” DJI has long attempted to keep geopolitics at arm’s length, especially as China maintains a pro-Kremlin lean during the war in Ukraine. But the company responded within hours, offering to attempt to block drone flights by installing a geofence throughout the country. With a single provocative tweet, Fedorov had notched another victory. “Following these attacks, you would get a growing and a burning sense of injustice and a sense of just preservation of yourself, your nation and your freedom,” he said through an interpreter during an exclusive Zoom interview with The Washington Post. “This sense will be something that propels you to fight for your very existence as a nation.”
READ THE STORY: Washington Post
UK Cyber Security Centre advises review of risk posed by Russian tech
FROM THE MEDIA: The UK's National Cyber Security Centre (NCSC) has advised users of Russian technology products to reassess the risks they present. In advice that builds on 2017 guidance about technology supply chains that include links to hostile states, NCSC technical director Ian Levy stated that the agency has not found evidence "that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests." But he added that "the absence of evidence is not evidence of absence" – so "it would be prudent to plan for the possibility that this could happen." The advice asks organizations to think about how they could insulate themselves from compromise or misuse of Russian technology. In 2017, NCSC advice was that "some UK government and critical national systems" were at risk from Russia, and that "systems with a national security purpose" should not use Russian products. That advice suggested that the "wider public sector, more general enterprises, or individuals" had nothing to worry about. Not any more. The new advice wants the entire public sector to rethink its exposure to Russian tech products and services. Critical infrastructure service providers, and "organizations or individuals doing work that could be seen as being counter to the Russian State's interests", also need to rethink their exposure.
READ THE STORY: The Register
Items of interest
This is not your father’s Cold War (Article)
FROM THE MEDIA: In the Eisenhower-Khrushchev era, the West, Russia and China lived in rigidly separated economic spheres. Nuclear weapons posed a limited threat because neither the United States nor Russia could strike the other without risking annihilation. American forces were capable of fighting across two oceans. These days America is under-armed, overcommitted and too reliant on diplomacy that is not backed up by military power. Sanctions are great virtue-signaling but won’t push Russia out of Ukraine. They can’t be complete enough because Europe can’t quit Russian natural gas fast enough. And the West appears unlikely to be politically able to bear the inflation imposed by the loss of Russian and Ukrainian agricultural fertilizer ingredients and other commodities. Russia will replace MasterCard and Visa with a domestic payments system or by piggybacking on China’s UnionPay. Unless the West cuts off all trade and financial dealings with Russia and penalizes financial institutions in China and elsewhere that help Moscow circumvent those sanctions, the Russian people may face hard times, but the Russian army will get what it needs. We are terribly dependent on China for rare earth minerals, components for the build-out of wind and solar energy, and lithium and lithium battery technology. Our Asian allies are too hamstrung by their trade dependence on China to cooperate in meaningful secondary sanctions against the Middle Kingdom.
READ THE STORY: Washington Times
LAPSUS$ Hacker Group Arrests; Okta Breached (Video)
The Okta breach, alleged Lapsus$ members get arrested, and Kaspersky gets the boot! All that coming up now on ThreatWire.
Threat Actor of in-Tur-est: Unveiling Balkan Targeting (Video)
FROM THE MEDIA: Who would want to recompile Open Hardware Monitor and backdoor it? In 2020, the PwC Cyber Threat Intelligence team identified an espionage threat actor, which we’ve named ‘White Tur’, targeting government and defense organizations in Serbia and Republika Srpska from 2017-2021. In early 2020 we identified some initial tools, techniques and procedures which gave us a greater understanding of this threat actor. In particular, we observed attempts to recompile Open Hardware Monitor with a backdoor, connections to criminally motivated threat actors, and multiple custom backdoors used to gain access to victim networks. In this talk we take a deep dive into the backdoors, PowerShell scripts, and weaponized documents used by White Tur. From these technical findings, we then discuss the strategic implications of this threat actor and some of the geopolitical factors at play in this part of the world, an area which often flies ‘under the radar’. Whilst we often observe case studies of Russia-based and China-based threat actors in threat intelligence, gaining insight into other intrusion sets, particularly those with limited public reporting, can help to challenge frequent attribution biases. This talk will provide attendees insight into how we identified a threat actor with persistent targets in the Balkans and the difficulties in its attribution. Viewers will gain insight into a threat actor who is rarely discussed in public reporting, and access to indicators of compromise to investigate and hunt further.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in the original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com