Friday, April 1, 2022 // (IG): BB //Weekly Sponsor: DiyGarage SoCal
Belarusian ‘Ghostwriter’ Actor Picks Up BitB for Ukraine-Related Attacks
FROM THE MEDIA: Ghostwriter is one of 3 campaigns using war-themed attacks, with cyber-fire coming in from government-backed actors in China, Iran, North Korea & Russia. Ghostwriter – a threat actor previously linked with the Belarusian Ministry of Defense – has glommed onto the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine. In a Wednesday post, Google’s Threat Analysis Group (TAG) said that they’d already spotted BitB being used by multiple government-backed actors prior to the media turning a laser eye on BitB earlier this month. The fresh attention was triggered by a penetration tester and security researcher – who goes by the handle mr.d0x – who posted a description of BitB. Ghostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat’s (APT’s) phishing techniques: namely, hosting credential-phishing landing pages on compromised sites.
READ THE STORY: Threatpost
New 'AcidRain' malware may be connected to Viasat attack
FROM THE MEDIA: Viasat, a U.S.-based communications company, confirmed via press release Wednesday that it suffered a cyber attack last month. The attack targeted the company's KA-SAT satellite internet network and affected "several thousand" customers in Ukraine, as well as tens of thousands of fixed broadband customers across Europe. The internet provider called the attack "multifaceted and deliberate," and gave some specific attack details in its press release. Viasat did not attribute the attack to a specific threat actor, however, nor did it provide complete details regarding how the attack occurred. A Thursday blog post by SentinelOne's SentinelLabs discussed the attack as well as a potential malware -- and threat actor -- behind it. The security vendor described AcidRain as a "malware designed to wipe modems and routers." Wipers are a destructive class of malware intended to erase the storage contents of the devices they infect, as opposed to something like ransomware, which typically has an end goal of extortion. SentinelLabs researchers and post authors Juan Andres Guerrero-Saade and Max van Amerongen referred to AcidRain as the seventh wiper used in the ongoing Russian war with Ukraine.
READ THE STORY: Techtarget
Additional Sanctions on Russia’s Technology Companies and Cyber Actors
FROM THE MEDIA: The United States will continue to impose severe costs on the Russian Federation in response to President Putin’s illegal war. Today, we are targeting entities and individuals in our efforts to shut down the Kremlin’s sanctions evasion networks, which play an important role in the Russian Federation’s ability to continue its unconscionable war on the citizens of Ukraine. This follows our March 15 and March 24 designations of individuals and companies in Russia’s defense-industrial base that are directly supporting Putin’s war machine. Today, the United States is designating 21 entities and 13 individuals. Of those being designated, 10 of those individuals and 17 entities are involved in sanctions evasion networks to procure western technology. These designations will further impede Russia’s access to western technology and the international financial system. We will continue to target President Putin’s war machine with sanctions from every angle, until this senseless war of choice is over. The Russian Federation not only continues to violate the sovereignty of Ukraine with its attacks, but it is escalating the devastation of population centers, including schools, hospitals, residential areas, and places where civilians are taking shelter from the Russian bombardment.
READ THE STORY: US Embassy
Ukraine, Conti, and the law of unintended consequences
FROM THE MEDIA: The Russian invasion of Ukraine has demonstrated the law of unintended consequences in a most unexpected way. By publicly backing the invasion, the heretofore most prolific ransomware group in the world inspired a backlash that appears to have temporarily crippled the group’s ability to operate and given unprecedented insight into the world of ransomware operators. Advances in cryptography have spawned new types of applications and business models. Unfortunately, one of them is ransomware. Combined with cloud computing, you get an especially virulent variety, ransomware-as-a-service (RaaS). Among the practitioners of this dark art, the most successful in 2021 was Conti, a Russia-based group. The basic premise behind ransomware is to encrypt data on computer systems such that only the holder of the decryption key can decipher the data (in Conti’s case, a variant of AES-256). The organization behind the attack then offers to sell the key to the victim. This is often combined with a dual-extortion scheme, where stolen data is threatened to be released. The basic idea has a wide range of variations in the wild. The most prominent perpetrators of this kind of extortion are organized gangs. Many of these gangs are known to operate in Russia, with the tacit (or possibly explicit) approval of Russian security services. These often explicitly do not attack targets within Russia.
READ THE STORY: CSO Online
Spring4Shell Zero-Day Attack: What You Need to Know
FROM THE MEDIA: A zero-day remote code execution vulnerability in the Spring Core Framework has been named Spring4Shell, or SpringShell, by cybersecurity researchers. The vulnerability, which some researchers consider the next Log4Shell, has the potential to affect various software. The 0-day vulnerability was exposed with a POC on a Chinese Twitter account on March 29, 2022. Although the tweets were deleted, cybersecurity experts determined that the vulnerability was open to exploitation. For the time being, there is no patch for Spring4Shell; it has not been assigned a CVE ID at the moment and is still being worked on. It is stated that the vulnerability discovered by cyber security researchers yesterday is different from the Spring Cloud RCE vulnerability with the code CVE-2022-22963, which was also announced. To exploit Spring4Shell, attackers need to make specially developed requests to the vulnerable server. It is worth noting that certain prerequisites are required to exploit Spring4Shell. That is, the code needs to be exploitable.
READ THE STORY: Spring4Shell
Financial firms shouldn’t pay ransoms, trade group says
FROM THE MEDIA: Financial firms that face ransomware attacks shouldn’t pay, U.S. industry trade group the Securities and Financial Markets Association (SIFMA) says. Following the latest industry-wide cybersecurity exercise, SIFMA published recommendations for dealing with cyber threats — including ransomware attacks that were the focus of the latest biennial event. The exercise in November involved rehearsing incident response protocols for significant ransomware attacks targeting the financial sector and identifying gaps in the industry’s response plans. “SIFMA does not recommend paying a ransom,” it said. “Executives need to carefully consider the realities of taking such actions, including the possibility that they still may not recover stolen data.” Instead, it recommends firms “invest in robust ransomware recovery” and response plans for cyber incidents, including frequent cybersecurity exercises and tests. At the same time, firms should prepare for the possibility that regulators fall victim to ransomware attacks of their own and establish back-up plans for that scenario, too. “In the event a regulatory authority is impacted by a ransomware event and goes offline, firms should have processes in place to use alternate communications channels,” it said. The group also advises firms to follow best practices, such as employing multi-factor authentication, using automated password systems to guard against social engineering, protecting critical infrastructure from public internet exposure, developing identity verification systems to detect “back door” accounts, and proactively hunting for cyber threats.
READ THE STORY: Investment Executive
State-Sponsored Actors Using Russia-Ukraine War for Phishing
FROM THE MEDIA: Researchers have observed a growing number of threat actors using the Russia-Ukraine war as a lure in phishing and malware campaigns to target the military of multiple Eastern European countries, as well as a NATO Center of Excellence. Google's Threat Analysis Group observed that government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used themes related to the Russia-Ukraine war in an effort to get targets to open malicious emails or click on malicious links. "Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense," says Billy Leonard of TAG. TAG researchers also recently uncovered a full-time initial access broker group that serves both the Conti and Diavol ransomware groups. The financially motivated threat actor, dubbed Exotic Lily, was found exploiting a zero-day in Microsoft MSHTML tracked as CVE-2021-40444. Investigating Exotic Lily's activity, researchers determined that it appeared to be working with the Russian cybercrime gang known as FIN12/Wizard Spider (see: Google Exposes Initial Access Broker Ties to Ransomware).
READ THE STORY: Bank Infosecurity
UK Spy Chief Warns Russia Looking for Cyber Targets
FROM THE MEDIA: A U.K. intelligence chief warned that the Kremlin is hunting for cyber targets and bringing in mercenaries to shore up its stalled military campaign in Ukraine. Jeremy Fleming, who heads the GCHQ electronic spy agency, praised Ukrainian President Volodymyr Zelenskyy’s “information operation” for being highly effective at countering Russia’s massive disinformation drive spreading propaganda about the war. While there were expectations that Russia would launch a major cyberattack as part of its military campaign, Fleming said such a move was never a central part of Moscow’s standard playbook for war. “That’s not to say that we haven’t seen cyber in this conflict. We have — and lots of it,” Fleming said in a speech in Canberra, Australia, according to a transcript released in London on Wednesday. He said GCHQ’s National Cyber Security Centre has picked up signs of “sustained intent” by Russia to disrupt Ukrainian government and military systems. “We’ve seen what looks like some spillover of activity affecting surrounding countries,” Fleming said. “And we’ve certainly seen indicators which suggest Russia’s cyber actors are looking for targets in the countries that oppose their actions.” He provided no further details. He said the U.K. and other Western allies will continue to support Ukraine in beefing up its cybersecurity defenses.
READ THE STORY: SecurityWeek
Texas power grid, energy sectors facing elevated Russian cyber threats during war in Ukraine
FROM THE MEDIA: "Texas power grid, energy sectors facing elevated Russian cyber threats during war in Ukraine" was first published by The Texas Tribune, a nonprofit, nonpartisan media organization that informs Texans — and engages with them — about public policy, politics, government and statewide issues. Russian hackers have been probing Texas’ energy infrastructure for weak points in digital systems that would allow them to steal sensitive information or disrupt operations, according to interviews with energy companies, state officials and cybersecurity experts. State regulators and energy companies — from utilities to oil and gas transportation hubs to their associated vendors — said they have been aware of the elevated Russian cyber threats since the Russian invasion of Ukraine last month, but they’re careful to not say too much. “We are on super high alert,” said Thad Hill, CEO of Texas power giant Calpine, adding that he has been closely monitoring Russia’s cyber actions. President Joe Biden last week warned that the White House has “evolving intelligence that the Russian government is exploring options for potential cyberattacks” — the administration’s starkest warning yet. Worst-case scenarios in Texas include hackers breaching the state’s power grid system and shutting off electricity to millions of Texans, seeking to halt shipments of oil and gas from sea ports, or breaking into a refinery’s network so it is unable to produce gasoline and other petroleum products.
READ THE STORY: KRGV
Defense cancels SkyGuardian drones to fund REDSPICE cyber plan
FROM THE MEDIA: The Department of Defense has scrapped its $1.3 billion SkyGuardian armed drone program to partially fund the expansion of Australia’s offensive and defensive cyber security capabilities over the coming decade. Officers revealed the decision during a senate estimates hearing on Friday, with the remaining funding to now be used for the resilience, effects, defense, space, intelligence, cyber and enablers (REDSPICE) project. REDSPICE was provided with $9.9 billion in this week’s budget to double the size of the Australian Signals Directorate, which will see 1900 staff join the agency over the next decade in light of the changing geopolitical landscape. Of the $4.2 billion to be provided over the next four years, around $588.7 million is new funding, with the remainder to be offset from Defence’s integrated investment program, according to budget documents. In response to questioning from Labor senator Penny Wong, assistant secretary Matt Yannopoulos told the committee SkyGuardian was cancelled “by government as part of the decision for REDSPICE”, though would not say when the decision was taken. SkyGuardian – or AIR7003 Phase 1 – was to see the Royal Australian Air Force acquire 12 MQ-9B SkyGuardian armed remotely piloted aircraft (RPA), with initial operating capability expected in the mid-2020s.
READ THE STORY: ITNEWS
Apple forced to issue emergency fixes for two zero-days
FROM THE MEDIA: One, tracked as CVE-2022-22674, is an out-of-bounds read issue in the Intel Graphics Driver and could allow malicious apps to read kernel memory. The Apple advisory said: “An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation. Apple is aware of a report that this issue may have been actively exploited.” No details were given about how and where this was being exploited. The second vulnerability, tracked as CVE-2022-22675, is an out-of-bounds write issue that affects the AppleAVD media decoder. Exploitation could allow an attacker to read kernel memory and could enable apps to execute arbitrary code with kernel privileges. “An application may be able to execute arbitrary code with kernel privileges,” the advisory said. “An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.” The issues were fixed in macOS 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1 and watchOS 8.5.1.
READ THE STORY: ITWIRE
Items of interest
Kyiv under siege, Ukraine gives Russia a tough fight in ‘cyberia’
FROM THE MEDIA: As Ukrainian troops and volunteers engage Russian forces in street battles, hundreds of thousands of hackers are taking on the far superior foe in what has been termed the first “hybrid war”. And they are beating Russia at its own game, in a way. Over 3 lakh techies – as against the 2 lakh to 2.5 lakh-strong Ukrainian army – have come together on a Telegram group called the ‘IT Army Of Ukraine’, launched by the Ukrainian government to coordinate attacks against Russian websites and other online assets. From mounting DDoS attacks (distributed denial-of-service, involving taking down a website by flooding it with internet traffic) to attempting to disrupt web properties, pro-Ukraine cyber specialists have adopted multiple means to send Russia to the “stone ages”, as one of them told a US news outlet. Some are leading campaigns on social media to “review bomb” companies into shunning business with Russia while others try to penetrate the Russian firewall to bring a true picture of the war to Russian citizens. The first blow in the digital war may not have been struck by Ukraine, though. The Russian government is alleged to control crack teams of hackers accused of consistently targeting Ukraine. The beginning of the Russian invasion was marked by multiple low-grade attacks against Ukrainian government and corporate websites that were defaced with threatening messages from suspected Russian hackers. According to a cybersecurity firm, cyberattacks on Ukraine’s government and military went up by 196% in the first three days after Russia launched its invasion on February 24.
READ THE STORY: Times of India
We're not out of the woods yet from potential cyber attacks (Video)
Matthew Prince, Cloudflare co-founder and CEO, joins 'TechCheck' to discuss the state of M&A in the cybersecurity space, lessons learned from prior cyber attacks and whether post-attack law enforcement decisions could help mitigate future attacks.
Russia-Ukraine War: Cyber Warfare in Focus (Video)
FROM THE MEDIA: Dyma Budorin, Hacken co-founder and CEO, explains the role of cyberwarfare in the ongoing conflict between Russia and Ukraine as Ukraine’s “IT Army” targets Russian state propaganda and critical infrastructure to the Russian economy.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com