Friday, May 13, 2022 // (IG): BB // Weekly Sponsor: Unsafe Waters
Global Semiconductor Supplier Signs Million-Dollar-Deal with Darktrace
FROM THE MEDIA: Darktrace, a global leader in cyber security AI, today announced that a leading global technology company has selected Darktrace's Self-Learning AI to protect both its IT and OT environments in a million-dollar deal, adding to Darktrace's roster of customers in the semiconductor sector.
The technology company, which has over 1,000 employees globally, develops semiconductor solutions for use across industries including transportation, healthcare, manufacturing and construction. It has selected Darktrace's Industrial Immune System to secure its intellectual property and sensitive telemetry data exchanged in its industrial control systems (ICS) environments.
READ THE STORY: PR Newswire
Italy stops wide-ranging Russian attack on websites of parliament, military, health agency
FROM THE MEDIA: The websites of Italy’s parliament, military and National Health Institute were disrupted on Thursday by a pro-Russian hacking group previously implicated in a similar cyberattack on the Romanian government.
The attack also affected the Automobile Club d’Italia and several other Italian institutions. On Telegram, the Killnet hacking group took credit for the incidents. Several of the sites are back up and running after being down for several hours.
Italy’s National Cybersecurity Agency did not respond to requests for comment, but the president of Italy’s Senate, Maria Elisabetta Alberti Casellati, said there was no lasting harm to the parliament’s websites.
READ THE STORY: The Record
Emotet reemerges as top malware in circulation
FROM THE MEDIA: The relatively quick recovery of Emotet, following an international crackdown, emphasizes the threat actor’s ability to change tactics and targets as common vendors attempt to outmaneuver its previously preferred point of attack, Microsoft Office.
“These rapid shifts indicate that attackers have a large arsenal of tactics and techniques they can draw upon to attack companies,” Patrick Schläpfer, malware analyst at HP, wrote in an email. “Generally, these are foreseeable reactions by threat actors to increasingly well-protected companies.”
READ THE STORY: Cyber Security Dive
Researchers find 134 flaws in the way Word and PDFs handle scripts
FROM THE MEDIA: Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it's proven so effective they've found 134 bugs – 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000.
The tool is named "Cooper" – a reference to the "Cooperative mutation" technique employed by the tool.
Speaking at the Black Hat Asia conference in Singapore, PhD student Xu Peng of the Chinese Academy of Sciences – one of the tool's co-authors – explained that the likes of Word and Acrobat accept input from scripting languages. Acrobat, for example, allows JavaScript to manipulate PDF files.
READ THE STORY: The Register
Anonymous Challenges Russia's Supposed Cyber Prowess With Repeat Rosatom Breach, Leaks Data on Clients And Contracts
FROM THE MEDIA: Apart from vodka, Matryoshka dolls and Vladimir Putin, Russia is also famous — even feared — for its army of hackers. But since the Kremlin's invasion of Ukraine in February, Russian government agencies, financial institutions, oil and gas companies and even closed-circuit cameras across the country have come under relentless cyber attacks from Anonymous, the international decentralized hacking collective and movement.
Anonymous' campaign has been highly effective: it hacked and defaced Russian websites and pried out sensitive information and data from Russia's business and government entities. The collective has promised it will not stop its crusade until the Kremlin ends its war against Ukraine and its latest exploit has been to hack none other than Russia's state-run nuclear energy behemoth Rosatom. Interestingly, it is the second time in less than three months Anonymous has breached Rosatom. The latest attack is bigger than the first one carried out in March, and despite the Kremlin's supposed prowess in the cyber realm, it has not been able to prevent this repeat intrusion into one of its most valued companies.
READ THE STORY: International Business Times
How VPNs are steering information in Russia-Ukraine War
FROM THE MEDIA: As the Russia-Ukraine War enters its third month, like any modern-era conflict, information warfare has become a critical facet of the aggression that has appalled the world. Wars are no longer fought just on the battlefield. Wars are no longer merely about sophisticated artillery and weapons. Increasingly, they are as much about controlling the narrative and delivering your version of events to the world in the most emphatic way. Ever since the war broke out, the Russian government has blocked thousands of websites including Twitter, Facebook, Instagram, and a host of Western media outlets in the country, restricting its citizens' access to that content. Consequently, more and more Russians are turning to Virtual Private Networks (VPNs) in a bid to circumvent this censorship and avoid surveillance. British PM Boris Johnson has called upon Russians to use a VPN connection to access alternative, independent news sources and see the alleged war crimes being committed by Russian President Putin.
Surfshark, one of the leading VPN companies, reported that its average weekly sales in Russia increased by 3500% in the week following Russia’s decision to ban various media platforms, including Facebook, Twitter, and Instagram, in the wake of Russia’s February 24 invasion of Ukraine.
READ THE STORY: New SD
Elon Musk says Russia is ramping up cyberattacks on SpaceX's Starlink systems in Ukraine
FROM THE MEDIA: SpaceX's Starlink internet communications systems in Ukraine are experiencing increasing cyberattacks from Russia, the company's founder Elon Musk said this week.
SpaceX, with the help of the United States Agency for International Development (USAID), has sent at least 5,000 Starlink terminals to the country, whose cities have been besieged by Russian forces since February.
But Musk says it's been a difficult environment. "Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but they're ramping up their efforts," he wrote on Twitter Tuesday (May 10).
READ THE STORY: Space // Hindustan Times
India’s critical need for cyber doctrine
FROM THE MEDIA: Cyber power projection will deter the adversary from initiating attacks on India in the first place
The news of attempts by Chinese hackers in December 2021 and January 2022 to attack State Load Dispatch Centers (SLDCs) near the LAC was considered routine by many. Of course, the military establishment would have taken serious note. However, the people of India should understand the more significant consequences of a cyber-attack, which are not restricted to disruption of internet connectivity or financial transactions.
From a security point of view, such cyber-attacks aim to collect information to prepare for any future activity by the People’s Liberation Army. China’s ‘Science of Military Strategy’, published by the PLA’s Academy of Military Sciences, speaks of “winning local wars under the conditions of informationization” (2013).
READ THE STORY: The Northlines
Nokia opens 5G security testing lab dedicated to cyber security
FROM THE MEDIA: The lab will go beyond looking at individual network elements and focus on the larger context of network use and abuse scenarios, Nokia says.
Nokia provides context: with 5G, the nature and scale of information networks continue to evolve, and so does the scale of security threats.
However, this scale has introduced vulnerabilities, with Nokia warning that there are now more avenues of attack open to hackers, state actors, and corporate espionage because of interworking endpoints, extensive use of open-source software and large-scale deployment of 5G.
READ THE STORY: iTwire
Anatomy of a campaign to inject JavaScript into compromised WordPress sites
FROM THE MEDIA: A years-long campaign by miscreants to insert malicious JavaScript into vulnerable WordPress sites, so that visitors are redirected to scam websites, has been documented by reverse-engineers.
An investigation by analysts at Sucuri into malware found on WordPress installations revealed a much larger and ongoing campaign that last month, we're told, hijacked more than 6,600 websites. The team has seen a spike in complaints this month related to the intrusions, according to analyst Krasimir Konov.
READ THE STORY: The Register
Red Hat Strengthens Security From Supply Chain to Edge
FROM THE MEDIA: Red Hat introduced a series of new security capabilities this week during its annual summit to advance security across open hybrid cloud environments.
The vendor announced a software supply chain security pattern, delivered via its OpenShift platform to simplify the security feature implementation in the build, deploy, and run process.
The pattern uses a Kubernetes-native pipeline through OpenShift Pipelines and GitOps for version control and integrates with open source project Sigstore through Tekton Chains to make the cryptographic signing of code more accessible.
READ THE STORY: SDX Central
Google Search Ads Seem to Promote Stalkerware Even Though They Were Banned
FROM THE MEDIA: According to a report by MIT Technology Review, stalkerware companies can easily get past Google's ad restrictions on spyware: a simple search for apps that can spy on a partner's or other people's text messages surfaces them.
Google already updated its advertising policies for stalking apps in August 2022. It has explicitly stated that spyware and other surveillance apps are banned from being promoted in search ads. But apps that help parents track their children or employers track their workers' devices are exempted from the restrictions.
However, the tech giant seems to have failed in implementing its policy since search ads are still promoting these hacking apps.
READ THE STORY: Tech Times
Ransomware gangs adopt new techniques to avoid detection
FROM THE MEDIA: Despite REvil and some of the other most notorious ransomware gangs being shut down this year, the cybercriminals behind them have continued to develop and succeed with new cross-platform capabilities, updated business processes and more.
Over the past few years, ransomware operations have grown from their clandestine and amateur beginnings to become fully-fledged businesses with distinctive brands and styles that rival each other on the dark web. To raise awareness in advance of Anti-Ransomware Day, the cybersecurity firm Kaspersky has released a new report highlighting some of the new ransomware trends spotted so far this year.
READ THE STORY: Tech Radar
DEA Investigating Breach of Law Enforcement Data Portal
FROM THE MEDIA: The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.
On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.
KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response.
READ THE STORY: KrebsOnSecurity
BPFdoor: Stealthy Linux malware bypasses firewalls for remote access
FROM THE MEDIA: A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.
BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.
The malware does not need to open ports, cannot be stopped by firewalls, and can respond to commands from any IP address on the web, making it an ideal tool for corporate espionage and persistent attacks.
READ THE STORY: BleepingComputer
Zyxel silently patches command injection vulnerability with 9.8 severity rating
FROM THE MEDIA: Hardware manufacturer Zyxel quietly released an update fixing a critical vulnerability that gives hackers the ability to control tens of thousands of firewall devices remotely.
The vulnerability, which allows remote command injection with no authentication required, carries a severity rating of 9.8 out of a possible 10. It’s easy to exploit by sending simple HTTP or HTTPS requests to affected devices. The requests allow hackers to send commands or open a web shell interface that enables hackers to maintain privileged access over time.
READ THE STORY: Ars Technica
Nozomi Networks Discovers Vulnerability in Siemens Building Automation Software
FROM THE MEDIA: During the development lifecycle of a new product, it is tempting to quickly fulfill security requirements by blindly applying protection primitives on top of already existing components. However, implementing security measures without a proper understanding of the underlying context and the effective threat model may actually result in a decrease of the overall security posture of the product.
Recently, we had the opportunity to do a security analysis of the Siemens PXC4.E16, a building automation system (BAS) of the Desigo/APOGEE family for HVAC and building service plants. In this blog, we are publishing the details of a vulnerability (tracked under Siemens SSA-626968 and CVE-2022-24040) that was caused by an improper implementation of the password-based key derivation mechanism for user accounts. It also could have been abused to perform a Denial-of-Service (DoS) attack against the controller.
READ THE STORY: Security Boulevard
Items of interest
To predict the targets of Chinese malware, look at the target of Chinese laws
FROM THE MEDIA: Keep an eye on new Chinese government policies if you want to anticipate malware attacks, a threat intelligence analyst suggested at the Black Hat Asia conference on Thursday.
In a presentation about an emerging China-nexus modular trojan named "Pangolin8RAT", Taiwan-based cybersecurity firm TeamT5's Silvia Yeh noted that attacks on online gambling operators occurred around the same time that China announced action against such outfits.
While Yeh said the timing could be coincidental – attacks on gambling and online gaming companies are not exactly new – Pangolin8RAT appears to be a weapon of choice for Chinese state-sponsored cyber operations.
Yeh later told The Register the attacks against foreign gambling firms might also be attempts to collect data for the crackdown campaigns.
"In our opinion, we surmise that the COVID-19 pandemic and China's crackdown on casinos (ie, crackdown against casinos in Macau) have made the online gambling industry become prosperous. So, these online gambling firms which possess an abundant amount of money and data have become top targets of threat actors," said Yeh.
"Our opinion is that the Chinese policies will affect the cyber threat landscape in the region as we observed some crackdown campaigns were followed by cyber operations," added the threat intelligence analyst in an email.
READ THE STORY: The Register
Cyber Is a Tool in Russia’s War Playbook: Inglis (Video)
FROM THE MEDIA: U.S. National Cyber Director Chris Inglis discusses Russia’s cybersecurity efforts since the start of the war in Ukraine, how the U.S. is combatting the threat and his outlook on ransomware attacks. He speaks on “Bloomberg Markets: Asia.”
The Good Days Are Gone: Important Cyber Insurance Changes You MUST Plan For (Video)
FROM THE MEDIA: The Good Days Are Gone: Important Cyber Insurance Changes You MUST Plan For.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com