Thursday, March 31, 2022 // (IG): BB // Weekly Sponsor: DiyGarage SoCal
Threat actors using Ukraine war as lure in phishing campaigns: Google
FROM THE MEDIA: Google's Threat Analysis Group (TAG) said on Wednesday that a growing number of government-backed threat actors from China, Iran, North Korea and Russia, as well as various unattributed groups, are using the Ukraine war as a lure in phishing and malware campaigns. According to TAG, financially motivated and criminal actors are using Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. For instance, one such threat actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. "The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone's focus on this region," Billy Leonard, Threat Analysis Group, wrote in a blog post.
READ THE STORY: Devdiscourse
Lapsus$ Not Yet Dead as Software Company Globant Becomes Latest Victim
FROM THE MEDIA: Lapsus$ is back in the hacking business. The hackers just breached confidential data from another giant tech company, Globant. Lapsus$ has been attacking major tech companies this year one after the other and Globant seems to be of no exception. Globant issued a press release following the leak. The IT and software consultancy company confirmed the hacking by the Lapsus$ data extortion group. The breached data in Globant is reported to be sensitive information including administrator credentials and source code. Part of the leak included the release of a 70GB archive of data stolen from Globant described as "some customers' source code" by the malicious actors. Globant stated, "We have recently detected that a limited section of our company's code repository has been subject to unauthorized access". Lapsus$ shared the data they breached from Globant in their Telegram group chat. There has been a screenshot of what the group claims to be an archived directory from Globant. The photo contains folder names that appear to be those of the company's customers. Abbott, apple-health-app, C-span, Fortune, Facebook, DHL, and Arcserve are just a few of the source code folders listed in the screenshot.
READ THE STORY: Itechpost
A Sinister Way to Beat Multifactor Authentication Is on the Rise
FROM THE MEDIA: Lapsus$ and the group behind the SolarWinds hack have used prompt bombing to defeat weaker MFA protections in recent months. Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be taken as suggesting MFA is anything other than essential. That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection. The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. (This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more; Ars is owned by WIRED's parent company, Condé Nast.)
READ THE STORY: Wired
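The prompt-bombing technique described above leaves a recognizable trace in authentication telemetry: a burst of push prompts to one user in a short window, most of them denied, sometimes followed by an approval. The script below is an added example written for this digest, not code from Wired, Ars Technica, or any identity vendor; it runs a simple sliding-window detection over constructed sample log lines in an assumed `timestamp user= event= ip=` format, so a SOC would adapt the parser to its own MFA provider's export.

```python
"""Detect MFA push-fatigue ("prompt bombing") bursts in authentication logs.

Added example for this digest. The log format and the sample lines are
constructed for illustration and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one user receives repeated push prompts, denies most of
# them, then approves one; a second user shows a normal single prompt.
SAMPLE_LOG = """\
2022-03-30T02:14:01Z user=alice event=push_sent ip=203.0.113.5
2022-03-30T02:14:20Z user=alice event=push_denied ip=203.0.113.5
2022-03-30T02:14:35Z user=alice event=push_sent ip=203.0.113.5
2022-03-30T02:14:50Z user=alice event=push_denied ip=203.0.113.5
2022-03-30T02:15:10Z user=alice event=push_sent ip=203.0.113.5
2022-03-30T02:15:30Z user=alice event=push_denied ip=203.0.113.5
2022-03-30T02:16:02Z user=alice event=push_sent ip=203.0.113.5
2022-03-30T02:16:20Z user=alice event=push_denied ip=203.0.113.5
2022-03-30T02:17:40Z user=alice event=push_sent ip=203.0.113.5
2022-03-30T02:18:05Z user=alice event=push_approved ip=203.0.113.5
2022-03-30T09:02:11Z user=bob event=push_sent ip=198.51.100.7
2022-03-30T09:02:30Z user=bob event=push_approved ip=198.51.100.7
"""

# Assumed line layout: "<ISO-8601 UTC> user=<name> event=<push_*> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>push_sent|push_denied|push_approved) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["event"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per user who received >= threshold prompts inside window.

    A finding is escalated to 'high' when an approval follows the burst within
    one more window, which is the outcome prompt bombing is trying to force.
    """
    by_user = defaultdict(list)
    for ts, user, event, ip in events:
        by_user[user].append((ts, event, ip))

    findings = []
    for user, evs in by_user.items():
        sent = [ts for ts, ev, _ in evs if ev == "push_sent"]
        start = 0
        for end in range(len(sent)):
            # advance the window start so that sent[start..end] fits in `window`
            while sent[end] - sent[start] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            w_start, w_end = sent[start], sent[end]
            denials = sum(1 for ts, ev, _ in evs
                          if ev == "push_denied" and w_start <= ts <= w_end)
            approved = any(ev == "push_approved" and w_start <= ts <= w_end + window
                           for ts, ev, _ in evs)
            ips = sorted({ip for ts, ev, ip in evs
                          if ev == "push_sent" and w_start <= ts <= w_end})
            findings.append({
                "user": user,
                "prompts": end - start + 1,
                "denials": denials,
                "approved_after_burst": approved,
                "source_ips": ips,
                "severity": "high" if approved else "medium",
                "window": (w_start.isoformat(), w_end.isoformat()),
            })
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f)
```

The threshold and window are deliberately parameters: a tenant where users legitimately retry a push two or three times needs a higher threshold than one where prompts are rare, and the "approved after burst" flag is what separates a nuisance ticket from a likely account compromise that warrants a session revoke and a call to the user.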
Extradition of Russian hackers implausible, Oireachtas committee told
FROM THE MEDIA: The extradition of the criminals who carried out the HSE cyberattack last year would be difficult because of the attitude of the Russian government, an Oireachtas committee has heard. The head of the State’s cybersecurity agency has confirmed it was hackers based in Russia who were responsible for the HSE data breach in May last year. However, Dr Robert Browne, the director of the National Cyber Security Centre (NCSC), said the agency “cannot substantiate” if the Russian government itself was involved. He saw little chance of Russia ever extraditing the criminals that took down the HSE system even if they could be identified by gardaí. “If the host nation is not willing to play ball on a law enforcement basis, and in this case the Russian state does not have a very good history in terms of engaging in criminal investigations, you are relatively limited in what you can do in that regard,” he said. Dr Browne told the committee that Ireland has never attributed any cyberattack to another state. “The widely promulgated responsible actor for the HSE attack is in Russia and is largely regarded as being based in a Russian city. We would not demur from that analysis,” he said. The “threat actor” involved in the HSE attack has not been named.
READ THE STORY: IrishTimes
Ukraine War – Crippled By Cyber Attacks, Why Russia’s Counter ‘Digital Offensive’ Has Been Languorous?
FROM THE MEDIA: When Russia invaded Ukraine more than a month ago, it was feared that there would be massive cyber attacks on Ukraine and its supporters, including the NATO powers led by the United States. But such is the situation today that it is Russia that is complaining of being the target of cyber offensives. In a statement on March 29, the website of the Russian foreign ministry said, “In fact, state institutions, the media, critical infrastructure facilities and life support systems are subjected to powerful blows every day with the use of advanced information and communication technologies. At the instigation of the Kiev regime, an ‘international call’ of anti-Russian computer specialists has been announced, in fact, forming ‘offensive cyber forces’. The bill for malicious attacks against us goes to hundreds of thousands per day.” Of course, the Russian statement talked of Moscow’s capacity to resist these attacks. In fact, it went to the extent of warning that “No one should have any doubts: the cyber aggression unleashed against Russia will lead to serious consequences for its instigators and executors. The sources of attacks will be established, the attackers will inevitably be held responsible for what they have done in accordance with the requirements of the law.”
READ THE STORY: EurAsianTimes
Hive claims responsibility for ransomware attack on Northern California health care network
FROM THE MEDIA: A ransomware group called Hive is claiming to have stolen private data for 850,000 members of Partnership HealthPlan of California, a nonprofit that manages health care for Medi-Cal patients in 14 counties. On March 21, the health plan notified a local community health center that its computer systems were down. Last week, Partnership, which serves more than 618,000 Medi-Cal members in 14 Northern California counties, posted on its website a single page saying it is experiencing “technical difficulties, resulting in a disruption to certain computer systems.” Brett Callow, a threat analyst at New Zealand-based cybersecurity firm Emsisoft, alerted The Press Democrat that a ransomware group called Hive is claiming a cyber attack on Partnership. Callow said Hive posted on its website on the dark web that it had stolen Partnership’s data. A screenshot of the claim describes the “stolen data includes...850,000 unique records of name, SSN, date of birth, address, contact, etc.” It also states that 400 gigabytes of data were stolen from Partnership’s file server. The claim has since been removed. “We are aware of the claims. As our investigation is ongoing, we are unable to provide additional information at this time,” Partnership spokesman Dustin Lyda said in an email Wednesday. The Federal Bureau of Investigation’s press office in Washington, D.C., could not immediately be reached for comment Wednesday morning. The California Department of Managed Health Care also could not immediately be reached for comment.
READ THE STORY: North Bay Business Journal
Red flag for ransomware: attackers are using Log4Shell vulnerability to deliver backdoors to virtual servers, Sophos research shows
FROM THE MEDIA: Sophos, a global leader in next-generation cyber security, today released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks. A new technical paper: “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers. The backdoors are possibly delivered by initial access brokers. Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. It was reported and patched in December 2021. “Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information. Sophos believes that some of the backdoors may be delivered by initial access brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.”
READ THE STORY: ITweb
Hackers got user data from Meta with forged request
FROM THE MEDIA: Facebook owner Meta gave user information to hackers who pretended to be law enforcement officials last year, a company source said Wednesday, highlighting the risks of a measure used in urgent cases. Imposters were able to get details like physical addresses or phone numbers in response to falsified "emergency data requests," which can slip past privacy barriers, said the source who requested anonymity due to the sensitivity of the matter. Criminal hackers have been compromising email accounts or websites tied to police or government and claiming they can't wait for a judge's order for information because it's an "urgent matter of life and death," cyber expert Brian Krebs wrote Tuesday. Bloomberg news agency, which originally reported Meta being targeted, also reported that Apple had provided customer data in response to forged data requests. Apple and Meta did not officially confirm the incidents, but provided statements citing their policies in handling information demands. When US law enforcement officials want data on a social media account's owner or an associated cell phone number, they must submit an official court-ordered warrant or subpoena, Krebs wrote. But in urgent cases authorities can make an "emergency data request," which "largely bypasses any official review and does not require the requestor to supply any court-approved documents," he added. Meta, in a statement, said the firm reviews every data request for "legal sufficiency" and uses "advanced systems and processes" to validate law enforcement requests and detect abuse.
READ THE STORY: France24
Russian hackers targeted NATO, eastern European militaries
FROM THE MEDIA: Russian hackers have recently attempted to penetrate the networks of NATO and the militaries of some eastern European countries, Google's Threat Analysis Group said in a report published on Wednesday. The report did not say which militaries had been targeted in what Google described as "credential phishing campaigns" launched by a Russian-based group called Coldriver, or Callisto. "These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown," the report said. Russia, which is now under heavy Western economic sanctions following its decision to invade Ukraine on Feb. 24, regularly denies accusations of mounting cyber attacks on Western targets. In 2019, Finnish cybersecurity firm F-Secure Labs described Callisto as an unidentified and advanced threat actor "interested in intelligence gathering related to foreign and security policy" in Europe. The group also targeted a NATO Centre of Excellence, Wednesday's Google report said, without elaborating. In a statement, NATO did not directly address Google's report but said: "We see malicious cyber activity on a daily basis."
READ THE STORY: Reuters
Cyber insurers face hefty Ukraine war-related claims, despite fine print
FROM THE MEDIA: Insurers face potential multi-billion dollar claims for cyber attacks related to Russia’s invasion of Ukraine, despite policy wording designed to get them off the hook for war, industry sources say. Following the Feb. 24 attack on Ukraine and Western sanctions against Moscow, the U.S. government said last week it had seen “preparatory” Russian hacking activity aimed at numerous U.S. companies, though it said it had “no certainty” such an attack would occur. Western financial regulators have already warned banks of the risks of cyber attacks though none have been confirmed so far. European and U.S. insurers, already facing mounting losses in the past year, have been driving up premiums due to the increased coverage cost and prevalence of so-called ransomware attacks. If Russia carries out a large cyber attack which spills over into several countries, it could lead to claims totaling $20 billion or more, similar to insurance claims from a large U.S. hurricane, the industry sources said on condition of anonymity. This comes as insurers also face losses related to the conflict in other business sectors such as aviation, which is seen as particularly exposed to the impact of what Russia calls a “special military operation” to disarm Ukraine. Lloyd’s of London, one of the world’s biggest players in cyber and other commercial insurance policies, said last week that it faced “major” claims from the invasion.
READ THE STORY: WTVB
FAA Deploys ‘Comprehensive Approach’ As U.S. Braces For Potential Russian Hacking
FROM THE MEDIA: The agency says it is collaborating closely on cybersecurity with the Department of Homeland Security, the Department of Defense, airports, and airlines. The FAA says it is deploying a “comprehensive approach” to securing air traffic facilities amid heightened warnings of possible Russian cyberattacks on U.S. businesses and infrastructure. “The Federal Aviation Administration is responsible for securing systems and services at its air traffic facilities and has a comprehensive approach to protect them from cybersecurity threats,” a spokesperson from the FAA told FLYING. “The FAA requires manufacturers to keep key control systems safe from cyber threats as part of their aircraft certification, and the FAA continuously monitors aircraft to identify emerging issues through several programs. The FAA also collaborates closely on cybersecurity with the Department of Homeland Security, the Department of Defense, airports and airlines,” the spokesperson said. “Through the Aviation Cyber Initiative taskforce, the FAA and its partners identify cyber risks, measures to address them, and ways to increase cybersecurity.”
READ THE STORY: FlyingMag
Items of interest
Trump claims ignorance of ‘burner phones’. Here’s how they work (Article)
FROM THE MEDIA: Let’s say you’re the president of the United States. You’re coordinating with a team of shady lawyers, elected officials, and political extremists to pull off a coup at the nation’s Capitol. And let’s just assume – in this hypothetical scenario – that you don’t want there to be a record of your highly incriminating calls. You’d probably want to use a burner phone. Investigators are now asking whether this matches what happened in the White House on 6 January 2021. The Washington Post and CBS News reported on Tuesday that a House investigation had found a seven-hour-and-37-minute gap in Donald Trump’s official call logs that day, during which hundreds of his supporters unleashed a deadly rampage at the US Capitol. Trump has pleaded ignorance, claiming in a statement to the outlets: “I have no idea what a burner phone is, to the best of my knowledge I have never even heard the term.” But the president’s former national security adviser John Bolton has disputed this, saying Trump used the phrase several times, in discussions about how to avoid having calls scrutinized. Either way, it’s important that all of us – including the president – understand what a burner phone is and does. A burner phone is a simple idea: a disposable phone, typically purchased prepaid and without a contract, that someone buys to make calls or send messages over a short period of time before “burning” the phone. Who uses them? In the popular imagination, burner phones are associated with crime. As Detective Carlton Lassiter quipped in the American sitcom Psych: “The only people who use these are low-life criminals, like drug dealers, terrorists, and people with subpar credit.” Breaking Bad’s antihero drug lord Walter White frequently uses cheap flip phones to make calls before snapping them in half. And in The Wire, Bernard, a drug hustler, visits convenience stores to buy prepaid phones for the rest of his organization.
READ THE STORY: The Guardian
Russians Hacking WordPress Sites (Video)
FROM THE MEDIA: The Russians are attacking WordPress sites globally. Running a WordPress site? Then you need to update your WordPress site immediately. Russian cybercriminals are using malware to infect WordPress sites globally to launch denial-of-service attacks against Ukrainian targets.
FBI says Russia scanning for new cyberattack targets (Video)
FROM THE MEDIA: Cyber security expert Kristopher Schroeder says Ukraine has done a great job defending itself from Russian cyberattacks amid continued warnings from the U.S. of Russian cyber warfare.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com