Saturday, April 2, 2022 // (IG): BB //Weekly Sponsor: Cloakedentryco
China 'launched huge cyber-attack' on Ukraine's military and nuclear infrastructure days before Russia invaded, Kyiv intelligence claims
FROM THE MEDIA: China has been accused of launching a flurry of cyber attacks on Ukraine's military and nuclear infrastructure in the days before Russia's invasion, indicating initial support for Putin's war. Intelligence memos from the SBU, Ukraine's security service, claim that more than 600 websites belonging to Ukraine's ministry of defense were attacked by the Chinese government, according to The Times. Despite the Chinese government's lukewarm public reaction to the invasion of Ukraine, the move indicates prior knowledge of the invasion plans on the part of Xi Jinping's government before troops entered on February 24. The SBU said it had identified the source of the attack because the tools and methods used were consistent with the common tactics of the cyber warfare wing of the Chinese armed forces. Speaking to The Times, the SBU said that border defense, banking and railway infrastructure was targeted with computer network exploitation (CNE) intended to gather information about Ukrainian weaknesses. The SBU said there was an 'increase in activity against our country's networks in mid-February' from both Russian and Chinese hackers, which peaked on February 23. The agency added: 'Intrusions that are of particular concern include the CNE campaigns directed at the State Nuclear Regulatory Inspectorate, and the Ukrainian Investigation Website focused on Hazardous Waste.'
READ THE STORY: Daily Mail
Let’s Put Cyber Back in Cybersecurity
FROM THE MEDIA: “You run the, um, net-trace command?” he finally responded after a long pause. He had checked the network cable, refreshed the browser, and rebooted the router twice! How could the user still have no Internet? At this point, we both knew that the interview was over. Granted, this one was a rather unusual case — a Computer Science graduate fresh out of college looking for an internship position — but you would be surprised to hear how many “experienced” cybersecurity analyst and engineering candidates have gotten off to a good start on my interviews, only to crash and burn when it gets to answering some of the most basic IT questions: Which layer of the OSI model does HTTP operate on? How do you kill a process on Linux? What is the Hosts file for? Let’s face it, Cybersecurity — not to be confused with the broader field of Information Security — is about technology. To quote from CISA, “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” In other words, to be successful in Cybersecurity, one must understand and truly appreciate technology! Think about it. If a SOC analyst is not familiar with the default file structure of a Windows or Linux machine, how can you expect her to identify an LFI attack when she sees one?
READ THE STORY: Medium
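The article's point about knowing the default file layout of a Linux or Windows host is what makes an LFI probe recognisable in a web log. As an added example (not code from the Medium article or its author), the Python below normalises the request URL from constructed Apache-style access-log lines, including double URL encoding and backslash variants, and flags the traversal sequences, sensitive file targets and PHP stream wrappers that an LFI attempt reaches for. The log lines, addresses and target list are constructed for illustration.

```python
"""Flag likely local-file-inclusion (LFI) / path-traversal attempts in web
access logs.  Added example; the sample log lines are constructed."""
import re
from urllib.parse import unquote

# Files an LFI payload typically reaches for on a default Linux or Windows
# install.  Knowing where these live is what lets an analyst spot the attempt.
SENSITIVE_TARGETS = (
    "/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/",
    "/windows/win.ini", "/windows/system32/", "boot.ini",
)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
WRAPPER = re.compile(r"(php|file|data|expect)://")
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(url: str) -> str:
    """Decode repeatedly (catches double encoding such as %252e%252e%252f),
    drop NUL bytes used to truncate appended suffixes, unify slashes, lowercase."""
    prev, cur = None, url
    for _ in range(3):          # bounded so a hostile input cannot loop forever
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\x00", "").replace("\\", "/").lower()

def classify(url: str):
    """Return the list of reasons a request looks like LFI; empty if clean."""
    norm = normalize(url)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append("traversal")
    for target in SENSITIVE_TARGETS:
        if target in norm:
            reasons.append(f"target:{target}")
    if WRAPPER.search(norm):
        reasons.append("wrapper")
    return reasons

def scan(lines):
    """Yield (ip, url, reasons) for each suspicious access-log line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = classify(m.group("url"))
        if reasons:
            yield m.group("ip"), m.group("url"), reasons

# Constructed sample: one benign request, three probes, one static asset.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2022:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.5 - - [02/Apr/2022:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1842
198.51.100.7 - - [02/Apr/2022:10:00:03 +0000] "GET /index.php?page=..%252f..%252f..%252fwindows%252fwin.ini HTTP/1.1" 200 320
198.51.100.7 - - [02/Apr/2022:10:00:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096
192.0.2.9 - - [02/Apr/2022:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 304 0
"""

if __name__ == "__main__":
    for ip, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(ip, url, reasons)
```

The decode loop is bounded on purpose: an attacker controls how many encoding layers are present, and an unbounded "decode until stable" loop is itself a denial-of-service vector. A 200 status on the `/etc/passwd` line is the detail worth escalating; the same URL with a 404 is a failed probe.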
Russia’s slow cyberwar in Ukraine begins to escalate
FROM THE MEDIA: The war in Ukraine has come with an ever-present threat of cyber catastrophe, as experts and US military officials remain on high alert for potential hacks. And while the big one has yet to come, the battle online continues to escalate. UK intelligence officers warned on Thursday that Russia is increasingly seeking out cyber targets as its ground military campaign in Ukraine stalls. Additional reports on Wednesday revealed Russian hackers recently attempted to penetrate the networks of NATO and the militaries of some eastern European countries. These developments showed that “things are heating up” on the cyber front, said Theresa Payton, cybersecurity expert and former White House chief information officer. “We should prepare for the worst and operate at our best,” she said. Still, Payton noted, Russia had been very slow to deploy cyber tactics in the war to date. There could be a number of reasons for this, she said: Putin might not feel the need to use cyber-attacks in his strategy at this juncture in the war, or he might want to avoid additional retaliation promised by the US in the case of a cyberwar. Putin might also be “playing a long game” and having his cyber operatives infiltrate various adversaries and gain footholds, then wait until he decides to launch a cyber-attack.
READ THE STORY: The Guardian
Ukrainians harvesting soldiers' organs? Canada's digital spy agency warns of new Russian disinformation
FROM THE MEDIA: Ukrainians harvesting fallen soldiers’ organs and Russian anti-war protesters supporting “neo-Nazis and genocide” are just some of the disinformation campaigns Russia has conducted online since it launched its invasion of Ukraine, according to Canada’s cyber security agency. In posts on Twitter Friday morning, the Communications Security Establishment (CSE) said it was sharing information from its classified reporting on Russia’s latest disinformation campaigns to help protect Canadians who may fall prey to the country’s propaganda. “Since Russia’s brazen and unjustifiable invasion of Ukraine, we have observed numerous Russia-backed disinformation campaigns online designed to support their actions” namely by creating and spreading false information about both Ukrainians or anti-war protesters in Russia, CSE wrote on Twitter. CSE said it had found evidence that Russia was promoting horrible and fake stories saying Ukraine was “harvesting organs of fallen soldiers, women and children” and then hiding the evidence through mobile cremating devices.
READ THE STORY: National Post
Lazarus Using Trojanized DeFi App to Deliver Malware
FROM THE MEDIA: North Korean advanced persistent threat group Lazarus has emerged with a fresh spear-phishing campaign that uses a Trojanized DeFi application. The application contains a legitimate program called DeFi Wallet, which saves and manages a cryptocurrency wallet, but also implants a malicious file when executed. In a report, researchers at cybersecurity firm Kaspersky say that Lazarus - an entity sanctioned by the U.S. and the United Nations and tied to North Korea's primary intelligence agency, the Reconnaissance General Bureau - exclusively used compromised web servers located in South Korea for this attack. In 2016, the group launched an attack on Bangladesh Bank that resulted in the theft of $81 million. The attackers planted malware on Bangladesh Bank's systems, using it to hide fraudulent money-moving messages they sent from the bank to the Federal Reserve Bank of New York via the SWIFT interbank messaging system (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist). "For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group's targeting of the financial industry keeps evolving," the Kaspersky report says.
READ THE STORY: Gov Info Security
Patch, remediation advice emerges for Spring4Shell vulnerability
FROM THE MEDIA: The Spring4Shell vulnerability, now tracked as CVE-2022-22965, set off any number of alarmist cries that it was more serious than the Log4Shell vulnerability discovered late last year. When details were first made available on Wednesday, prior to a formal CVE being assigned and yesterday's patch by Spring, there was confusion between CVE-2022-22963 and CVE-2022-22947, which affect Spring Cloud, and Spring4Shell, which hits the core Spring Framework. Spring Cloud is a set of libraries for building microservices and larger distributed systems on top of Spring, for applications deployed across shared and remote environments accessed from multiple locations: the cloud. The Spring Framework is the core underlying technology for Spring applications within the Java programming language and Java runtime environments, the "internal plumbing."
READ THE STORY: SCMAGAZINE
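As an added triage aid (not code from the SC Magazine story or from the Spring project), the Python below reads a constructed Maven pom.xml, resolves the `${...}` property the Spring version is usually declared through, and reports whether the declared Spring Framework version predates the fixed releases for CVE-2022-22965 (5.3.18 and 5.2.20) and whether the preconditions Spring's advisory lists for the public exploit (JDK 9 or later, WAR packaging on Tomcat, a spring-webmvc or spring-webflux dependency) are present. The fixed versions and preconditions come from Spring's advisory rather than from the article; the sample pom.xml, the property names consulted for the Java level (maven.compiler.release, maven.compiler.source, java.version) and the verdict strings are this example's own.

```python
"""Triage a Maven project for CVE-2022-22965 (Spring4Shell).
Added example; fixed versions and exploit preconditions are taken from
Spring's advisory for the CVE, the pom.xml below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First fixed release per maintained line (Spring advisory).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

def parse_version(text):
    """'5.3.17' -> (5, 3, 17); None if fewer than three numeric parts."""
    nums = re.findall(r"\d+", text or "")
    return tuple(int(n) for n in nums[:3]) if len(nums) >= 3 else None

def resolve(value, props):
    """Expand ${prop} references using the <properties> section."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def java_level(props):
    """Java major version from the usual compiler properties ('1.8' -> 8, '11' -> 11)."""
    for key in ("maven.compiler.release", "maven.compiler.source", "java.version"):
        raw = props.get(key)
        if raw:
            parts = raw.split(".")
            return int(parts[1]) if parts[0] == "1" and len(parts) > 1 else int(parts[0])
    return None

def is_vulnerable_version(ver):
    """Below the fixed release of its line; lines older than 5.2 received no fix."""
    fixed = FIXED.get(ver[:2], FIXED[(5, 2)])
    return ver < fixed

def triage(pom_xml):
    """Return version, packaging, Java level, web dependency flag and a verdict."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    packaging = (root.findtext("m:packaging", default="jar", namespaces=NS) or "jar").strip()
    spring_version, web_dep = None, False
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", namespaces=NS) != "org.springframework":
            continue
        ver = parse_version(resolve(dep.findtext("m:version", namespaces=NS), props))
        if ver:
            spring_version = ver
        if dep.findtext("m:artifactId", namespaces=NS) in WEB_ARTIFACTS:
            web_dep = True
    java = java_level(props)
    result = {"spring_version": spring_version, "packaging": packaging,
              "java": java, "web_dependency": web_dep}
    if spring_version is None:
        result["verdict"] = "unknown: no org.springframework version declared"
    elif not is_vulnerable_version(spring_version):
        result["verdict"] = "not affected"
    elif packaging == "war" and java is not None and java >= 9 and web_dep:
        # The servlet container (Tomcat) cannot be read from the pom; WAR
        # packaging stands in for it here, so confirm the container separately.
        result["verdict"] = "vulnerable: public exploit preconditions met"
    else:
        result["verdict"] = "vulnerable: upgrade regardless of exploit preconditions"
    return result

# Constructed pom.xml: Spring 5.3.17 web app packaged as a WAR on Java 11.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <packaging>war</packaging>
  <properties>
    <maven.compiler.source>11</maven.compiler.source>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_POM))
```

A project that inherits its Spring version from a parent POM or a BOM will show up as "unknown" here; for those, run the check against the resolved dependency tree (for example the output of `mvn dependency:tree`) rather than the raw pom.xml.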
CrowdStrike finds 'logging inaccuracies' in Microsoft 365
FROM THE MEDIA: The Microsoft 365 platform is not properly maintaining its user sign-in logs and is producing false-positive records of successful logins. In a blog post published Thursday, security vendor CrowdStrike said it has conducted "multiple investigations" of the way Microsoft 365 Azure Active Directory (Azure AD) logs user sign-in attempts. Specifically, the team found that under certain configurations a successful sign-in is recorded when the attempt was in fact blocked. "In recent investigations, CrowdStrike has found a pattern of inaccurate logging in the Azure AD sign-in logs that seems to falsely indicate a mailbox sync via legacy authentication protocols (IMAP or POP)," CrowdStrike researchers Christopher Romano and Vaishnav Murthy wrote in the blog post. "This pattern appears to manifest in M365 tenants that: do not have legacy authentication configured to be blocked via a conditional access policy (CAP); have POP and IMAP blocked at an individual mailbox level; and have the SMTP authentication protocol allowed at the mailbox level." An inaccurate set of logs always poses a risk to network security, since it gives administrators a distorted view of how well their protections are performing, and in some instances it can be devastating. The CrowdStrike researchers explained that the mishandling of legacy-protocol logins is particularly bad for data breach investigators. "These protocols result in downloading a mailbox's contents locally to the client from where the authentication request was initiated," Romano and Murthy explained. "Hence, whenever these protocols are seen to be used in an investigation involving email compromise, an assumption is made that the entirety of the mailbox contents, which often include sensitive information, has been exfiltrated by the threat actor."
READ THE STORY: TechTarget
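The practical consequence for an investigator is that a legacy-auth "success" record has to be read together with the mailbox's own protocol settings rather than on its own. As an added example (not CrowdStrike's or Microsoft's code), the Python below applies the pattern the researchers describe to a handful of constructed sign-in records and mailbox settings: a success logged for IMAP or POP on a mailbox where that protocol is disabled but SMTP AUTH is still allowed, in a tenant with no conditional access policy blocking legacy auth, is marked inconclusive instead of being treated as a full mailbox download. Field names follow the Azure AD sign-in log (clientAppUsed, status.errorCode) and Exchange Online's Get-CASMailbox output (PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled); the users, addresses and records are constructed.

```python
"""Cross-check Azure AD legacy-authentication 'success' sign-ins against the
target mailbox's protocol settings.  Added example; records are constructed."""

# Azure AD clientAppUsed value -> the Get-CASMailbox property that enables it
LEGACY_MAIL = {"IMAP4": "ImapEnabled", "POP3": "PopEnabled"}

def assess(signin, mailbox, legacy_blocked_by_cap=False):
    """Return (severity, note) for one sign-in record, or None if not relevant."""
    app = signin.get("clientAppUsed")
    if app not in LEGACY_MAIL:
        return None
    if signin.get("status", {}).get("errorCode", 0) != 0:
        return None  # failed attempt, not a success record
    if legacy_blocked_by_cap:
        return ("investigate",
                f"{app} success logged although a conditional access policy blocks "
                "legacy auth; confirm the policy actually applied to this user")
    protocol_enabled = mailbox.get(LEGACY_MAIL[app], True)
    smtp_auth_allowed = not mailbox.get("SmtpClientAuthenticationDisabled", False)
    if not protocol_enabled and smtp_auth_allowed:
        # The configuration CrowdStrike describes: the success record may be wrong.
        return ("inconclusive",
                f"{app} disabled on mailbox, SMTP AUTH allowed: matches the inaccurate-"
                "logging pattern; corroborate before assuming mailbox exfiltration")
    if not protocol_enabled:
        return ("investigate", f"{app} disabled on mailbox yet success logged")
    return ("critical",
            f"{app} enabled on mailbox and success logged: treat the full mailbox "
            "contents as exfiltrated")

def review(signins, mailboxes, legacy_blocked_by_cap=False):
    """Return findings as (user, ip, severity, note) tuples in log order."""
    findings = []
    for s in signins:
        mbx = mailboxes.get(s["userPrincipalName"], {})
        verdict = assess(s, mbx, legacy_blocked_by_cap)
        if verdict:
            findings.append((s["userPrincipalName"], s["ipAddress"]) + verdict)
    return findings

# Constructed data: two mailboxes, five sign-in records.
SAMPLE_MAILBOXES = {
    "alice@example.com": {"PopEnabled": False, "ImapEnabled": False,
                          "SmtpClientAuthenticationDisabled": False},
    "bob@example.com": {"PopEnabled": False, "ImapEnabled": True,
                        "SmtpClientAuthenticationDisabled": True},
}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.4",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.4",
     "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.7",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.4",
     "clientAppUsed": "POP3", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_SIGNINS, SAMPLE_MAILBOXES):
        print(*finding)
```

"Inconclusive" is not "benign": the credentials were still accepted by Azure AD, so the account is compromised either way. What changes is the scoping of the breach, which should then rest on evidence from the Exchange side (mailbox audit records, message trace) rather than on the sign-in log alone.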
Mysterious malware linked to Russian hackers tracks you, records audio, can utterly invade your life
FROM THE MEDIA: Russian hackers have been linked to several high-profile cyberattacks, including interfering in the 2016 US presidential campaign. The Kremlin's motives in carrying out these attacks aren't always clear, but generally they are intended to sow chaos, create distrust, and coincidentally line the hackers' or their sponsors' pockets as well. Russian state-supported hackers aren't just interested in going after targets in the US or Ukraine, either. The Turla group, a long-established Russian state-sponsored actor, has been using some particularly sneaky Android malware buried inside a seemingly innocent app. By way of Bleeping Computer, we learn that cybersecurity researchers with Lab52 have uncovered a piece of spyware masquerading as a helpful Android tool called "Process Manager." The malware is designed to look like a harmless APK, but once installed, it begins collecting sensitive information and sending it back to the attackers. Once you install it, the app asks for 18 permissions, including access to messaging, location, and audio recording functions. Researchers are unsure how the malware is granting itself permissions, but malicious code often does this by abusing the Android Accessibility service.
READ THE STORY: Android Police
Anonymous Claims It Hacked Russian Orthodox Church, Leaked 15 GB Data And 57,500 Emails
FROM THE MEDIA: Hacker collective Anonymous has launched another attack on Russia. The Russian Orthodox Church and the Russian Lipetsk Mechanical Plant, which manufactures components for anti-aircraft missile launchers and other military equipment, were hacked on Friday. The group posted on Twitter that it had obtained and published about 15 GB of data from the Russian Orthodox Church's charity wing, and that it had released roughly 57,500 emails via Distributed Denial of Secrets (DDoSecrets), a non-profit whistleblower site launched in 2018. In its tweet, Anonymous said that due to the nature of the leaked data, DDoSecrets has been offering it to journalists and researchers. Hacker group Network Battalion 65, or 'NB65', claimed last Sunday that it had hacked the All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio, as the Russia-Ukraine war continues. The group, which is linked to Anonymous, said it had retrieved over 870 gigabytes of information from the company and that the data would be released soon, according to Anonymous TV. NB65's claim came just days after Anonymous said it had hacked the Central Bank of Russia on Thursday.
READ THE STORY: Republic World
Online misinformation: A menace to be fought
FROM THE MEDIA: The world is smaller than ever before. It only takes seconds to transfer data from one corner of the world to another. Though Bangladesh ranks 137th among 139 countries in internet speed, its netizens are reluctant to lag when it comes to their social media presence. The rising number of social media users has largely contributed to the increased use of the internet. Uploading content to the web is no longer an abstruse matter; anyone can post and share a piece of text, image, video, or audio. Content from unfiltered or unverified sources, which we call UGC (user-generated content), has made the process of journalism easier. But it has its loopholes as well. Some people are taking advantage of these loopholes and are exploiting the cyber world. The dark side of this phenomenon manifested in its worst form during the Covid-19 pandemic. Since the beginning of the pandemic, misinformation regarding the origin of the virus, the use of masks and eventually the efficacy of vaccines has been circulated online, particularly on social media. Misinformation takes its toll on human society, whether on national security or social harmony. Last October, I received a phone call to verify the claimed incident of a Hindu girl raped in Hajiganj, Chandpur. Social media, mainly Facebook, was being flooded with posts that a Hindu girl had been 'raped' by Muslim men.
READ THE STORY: TBS News
Why the Russia-Ukraine war threatens to splinter the internet
FROM THE MEDIA: Splintering is the idea of splitting the internet into disparate realms controlled by different dispensations or powers. In 2001, when the internet was staring at a slew of regulations from across the globe, Clyde Wayne Crews, a researcher at the libertarian think-tank Cato Institute, proposed the idea of a ‘splinternet’. The fundamental proposal was to have more internets instead of more regulations. Over the past two decades, a splintering of the internet has occurred in some limited ways. China’s ‘Great Firewall’ keeps American tech giants out while pushing online services developed indigenously. Russia, in 2019, passed the sovereign internet law, or the online Iron Curtain, which enables the country to disconnect its internet from the rest of the world. Crews may have been ahead of his time in propounding a splinternet, but the events of the past four weeks pose the first serious challenge to the way the internet has evolved into a global system of interconnected computer networks that use the Internet Protocol suite (TCP/IP) to communicate between networks and devices. However dystopian the idea may have seemed over the years, Russia’s invasion of Ukraine does seem a potential trigger for a splintered internet. France’s digital affairs envoy Henri Verdier, in an interview with Bloomberg News, recently stated that Moscow’s increasing online censorship attempts, combined with Ukraine’s repeated calls for Russia to be taken offline, could offer the trigger for the eventual “fragmentation of the internet.”
READ THE STORY: Indian Express
Items of interest
Defense industry cashes in as Western weapons stop Russia in its tracks
FROM THE MEDIA: International missile and body armor makers are gearing up for a long war in Ukraine as the UK and its allies promise more weapons to the country. Since the start of Putin’s aggression more than a month ago, investors have piled into global defense firms as foreign countries aid Ukraine with weapons, while governments commit to greater defense budgets amid a return to conventional warfare. Share prices in France’s Thales have risen by 35pc since the invasion, and in Sweden’s Saab by 62pc. In the US, Lockheed Martin is up 14pc and Raytheon has gained 8pc. With peace talks between Russia and Ukraine yet to reach an agreement, manufacturers look set for further gains while the Ukrainian army continues to depend on weapons made overseas and supplied by foreign governments. The UK has agreed to send 6,000 more missiles to Ukraine after committing more than 4,200 of the popular Next Generation Light Anti Tank missiles (NLAW), finished in Belfast by Thales UK and based on a design by Sweden’s Saab. It has also sent supplies including body armor, boots and helmets. The US has committed $1bn of military aid to Ukraine including 2,000 Javelin anti-tank weapons made by Raytheon and Lockheed Martin in the US, as well as 1,000 light anti-armor weapons, and 6,000 Saab-made AT-4 anti-tank systems. That comes on top of 800 Raytheon-made Stinger anti-aircraft systems, plus hundreds of rifles, pistols, machine guns and shotguns - and thousands of sets of body armor. In total, more than 17,000 anti-tank weapons and more than 2,000 anti-aircraft weapons have been sent to the country by Nato members. In reality, the number is likely to be far higher as the last update of US donations was just two weeks ago, and France has not revealed its exact aid.
READ THE STORY: Telegraph UK
Jim Lawler on the Art of Espionage and the Perfect Intelligence Operation (Video)
FROM THE MEDIA: In this OODAcast, we talk with Jim Lawler, a Senior Partner at MDO Group, which provides HUMINT training to the Intelligence Community and the commercial sector focused on WMD, CI, technical and cyber issues. Mr. Lawler is a noted speaker on the insider threat in government and industry. Prior to this, Mr. Lawler served for 25 years as a CIA operations officer in various international posts and as Chief of the Counterproliferation Division's Special Activities Unit. We talk with Jim about his career in intelligence and national security, his views on current threats, including some of the fictionalized accounts in his novels, and his most notable intelligence operation: the A.Q. Khan nuclear takedown. Mr. Lawler was a member of CIA's Senior Intelligence Service (SIS-3) from 1998 until his retirement in 2005. He was a specialist in the recruitment of foreign spies, and he spent well over half of his CIA career battling the proliferation of weapons of mass destruction. As Chief of the A.Q. Khan Nuclear Takedown Team, whose work resulted in the disruption of the most dangerous nuclear weapons network in history, Mr. Lawler was the recipient of one of the CIA's Trailblazer Awards in 2007, marking the 60th anniversary of the CIA. In 2004, former DCI George Tenet sent Mr. Lawler a note which stated: “Jim, what you and your team have achieved will rank up there as one of the most spectacular intelligence accomplishments in the history of the CIA. It occurred because of your exemplary leadership. Not only are we in the process of taking down a network, we are also in the process of disarming a country as a result of your fine work. With respect, George J. Tenet.” Former DDCI John McLaughlin noted that the effort was “the closest thing I’ve ever seen to a perfect intelligence operation.”
Robert W. Gehl and Sean T. Lawson: Propaganda, Deception, and the Manipulation of Information (Video)
FROM THE MEDIA: The United States is awash in manipulated information about everything from election results to the effectiveness of medical treatments. Corporate social media is a particularly effective channel for manipulative communication — Facebook being a particularly willing vehicle for it, as evidenced by the increased use of warning labels on false or misleading posts. Not to mention the inconsistent, confusing, and controversy-stirring ways that comments and posts are moderated in social media spaces. While the methods of distributing misinformation have shifted with technological advancement, the principles of manipulative communication are nothing new. In Social Engineering, authors Robert Gehl and Sean Lawson explore how online misinformation is rooted in earlier techniques: mass social engineering of the early twentieth century and interpersonal hacker social engineering of the 1970s. The two methods converge today into what they call “masspersonal social engineering.” Through a mix of information gathering, deception, and truth-indifferent statements, the practice has one goal: to get people to take the actions desired by the social engineer.
About this Product
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com