Saturday, December 31, 2022 // (IG): BB // THM:Windows RE // Coffee for Bob
Why the US must view cyberspace as one battlespace
FROM THE MEDIA: The United States is at an inflection point when it comes to the future of our nation’s cybersecurity. To harden our defenses, top U.S. cyber officials are providing fresh vision and new national-level strategies: This fall saw the unveiling of the Cybersecurity and Infrastructure Security Agency (CISA)’s first comprehensive strategic plan, followed by the release of the new U.S. National Security Strategy, which emphasizes the need to secure cyberspace. As we look to the new year, the Office of the National Cyber Director will soon release a National Cybersecurity Strategy, laying the foundation for how our nation responds to cyberattacks.
READ THE STORY: The Hill
Europe’s pipelines and cables under threat as Putin’s Russia accused of launching deep-sea sabotage campaign
FROM THE MEDIA: Situated off Norway’s forbidding north-eastern coast, the Lofoten-Vesteralen Ocean Observatory uses a matrix of underwater sensors to monitor the sensitive ecological balance in the surrounding frigid seas. But alongside its work recording passing shoals of fish and other marine life, the observatory has another delicate role – forming part of the front line of NATO’s defences by listening out for submarines from Russia’s Northern Fleet, entering or exiting the Arctic en route to executing the Kremlin’s orders in spheres from the Atlantic to the Mediterranean.
READ THE STORY: iNews
Hacked Russian files reveal propaganda agreement with China
FROM THE MEDIA: Soon after Russia invaded Ukraine, a Russian defense ministry spokesperson resuscitated debunked claims about a U.S.-funded bioweapons program in the region, accusing Ukrainian labs of experimenting with bat coronaviruses in an attempt to spark “the covert spread of deadliest pathogens.” Disinformation is an old Russian government tactic. But this time Russia had help. Within days, Chinese officials and media outlets had picked up the lies and were amplifying and expanding on the biolabs yarn. The Chinese Communist Party tabloid Global Times created two splashy spreads, one sourced in part to Sputnik News, the other featuring a quote from Russian President Vladimir Putin. “What is the U.S. hiding in the biolabs discovered in Ukraine?” it screamed.
READ THE STORY: The Intercept
War and Geopolitical Conflict: The New Battleground for DDoS Attacks
FROM THE MEDIA: As Russian ground troops prepared to enter Ukraine in February 2021, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were slammed with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time. Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.
READ THE STORY: DARKReading
Cyber highlights in the $1.7 trillion government spending bill
FROM THE MEDIA: President Joe Biden on Thursday signed a $1.7 trillion federal spending bill that includes a significant funding increase for the Cybersecurity and Infrastructure Security Agency (CISA). The bipartisan legislation boosts the agency’s budget by roughly $313 million, for a total of $2.9 billion. That is a 12% increase over fiscal year 2022 and 15% more than the White House sought for the Homeland Security Department’s cyber wing. The bill allocates more than $1.7 billion for cybersecurity efforts, including the “protection of civilian federal networks that also benefit” state, local, tribal and territorial government networks. It also grants CISA $46 million for “threat hunting and response capabilities” across those systems.
READ THE STORY: The Record
Google will pay $9.5 million to settle Washington DC AG’s location-tracking lawsuit
FROM THE MEDIA: Google has agreed to pay $9.5 million to settle a lawsuit brought by Washington DC Attorney General Karl Racine, who accused the company earlier this year of "deceiving users and invading their privacy." Google has also agreed to change some of its practices, primarily concerning how it informs users about collecting, storing and using their location data. “Google leads consumers to believe that consumers are in control of whether Google collects and retains information about their location and how that information is used,” the complaint, which Racine filed in January, read. “In reality, consumers who use Google products cannot prevent Google from collecting, storing and profiting from their location.”
READ THE STORY: Engadget
China looks to build space partnerships with Gulf nations
FROM THE MEDIA: China is aiming to grow cooperation with emerging space nations including Saudi Arabia and the United Arab Emirates. Space was named as one of a number of priority areas for the next three to five years during the first China-Gulf Cooperation Council (GCC) Summit held in Riyadh earlier this month. “China stands ready to work with GCC countries on remote sensing and communications satellite, space utilization, aerospace infrastructure, and the selection and training of astronauts,” according to the text of the keynote speech made by Chinese President Xi Jinping at the summit, Dec. 9. The GCC intergovernmental group comprises Saudi Arabia, the United Arab Emirates, Bahrain, Kuwait, Oman and Qatar.
READ THE STORY: SpaceNews
The Password Isn’t Dead Yet. You Need a Hardware Key
FROM THE MEDIA: The internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn't burrow deeper into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers.
READ THE STORY: Wired
3Commas API key leak will ‘not be easy to resolve’
FROM THE MEDIA: An anonymous Twitter user published a set of 10,000 API keys allegedly obtained from the 3Commas cryptocurrency trading platform. 3Commas bots use these API keys to generate profit for the customers by interacting with cryptocurrency trading exchanges without requiring account credentials. An application programming interface (API) key is a code used to identify and authenticate an application or user. According to Yahoo! news, 3Commas CEO Yuriy Sorokin confirmed the authenticity of the leak in a tweet on Wednesday, adding that “as an immediate action, we have asked that Binance, KuCoin, and other supported exchanges revoke all the [API] keys that were connected to 3Commas.”
READ THE STORY: Digital Journal
North Korean hackers targeting Japanese financial firms with new malware
FROM THE MEDIA: A new report from cybersecurity firm Kaspersky has uncovered a new hacking spree linked to notorious North Korean hackers using malware. The report identified BlueNoroff, an arm of the state-sponsored Lazarus Group, as the principal suspect behind the recent attacks. BlueNoroff’s main targets appear to be digital asset startups, commercial banks, and venture capitalist (VC) firms in Europe and the Far East. Kaspersky’s researchers note that BlueNoroff has been under the radar for most of the year, but in the last quarter, the group showed signs of activity. BlueNoroff created nearly 80 fake websites, mimicking popular VC firms and financial institutions, with the majority of sites focused on Japanese companies.
READ THE STORY: CoinGeek
New Linux malware uses 30 plugin exploits to backdoor WordPress sites
FROM THE MEDIA: A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities. The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works. If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website.
READ THE STORY: BleepingComputer
Ukraine: Russian Hackers' Focus is Civilian Infrastructure
FROM THE MEDIA: State-backed Russian hacking groups are continuing to focus less on Ukrainian military targets and much more on civilian infrastructure, Ukrainian cybersecurity officials report. Ukraine's lead cybersecurity defense agency, the State Service of Special Communication and Information Protection, or SSSCIP, reports that the intensity of cyberattacks aimed at Ukrainian critical infrastructure has more or less remained constant since Russia launched its full-blown invasion on Feb. 24. Cyber incidents and cyberattacks counted so far this year by the Ukrainian Computer Emergency Response Team - CERT-UA - totaled more than 2,100, it reports.
READ THE STORY: BankInfoSecurity
Why Attackers Bank on Lateral Movement and How to Stop Them
FROM THE MEDIA: Cyber-attacks are becoming increasingly complex, and once an attacker successfully compromises an endpoint, they love to move laterally through connected networks and devices, often undetected. And now, with our expanded supply chain via the cloud and SaaS, a breach in one level of your supply chain can have devastating impacts on your operations, regardless of how mature you think your cyber controls may be. In fact, according to VMware’s “2022 Global Incident Response Threat Report”, a quarter of all attacks used lateral movement. Additionally, one out of every 10 respondents said lateral movement was part of at least half of their engagements, and an earlier VMware report discovered that almost half of all intrusions included lateral movement.
READ THE STORY: Security Boulevard
Watchdog in Ireland investigates Twitter over alleged data leaks
FROM THE MEDIA: Regulators in Ireland are digging into Twitter’s potential data leaks that hackers claim exposed millions of people’s personal information online. Ireland’s Data Protection Commission began an investigation this month in response to news reports that datasets of Twitter users’ information had become available on the internet. “These datasets were reported to contain personal data relating to approximately 5.4 million Twitter users worldwide,” the commission said in a statement. “The datasets were reported to map Twitter IDs to email addresses and/or telephone numbers of the associated data subjects.”
READ THE STORY: Washington Times
SentinelOne observes abuse of legitimately signed Microsoft drivers
FROM THE MEDIA: US-Israeli cybersecurity company SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses. Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes. The company first reported its discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number. In multiple recent investigations, SentinelOne’s Vigilance DFIR team observed a threat actor utilizing a Microsoft-signed malicious driver to attempt evasion of multiple security products.
READ THE STORY: Israel Defense
Russia attacks Ukraine with ‘kamikaze’ drones after barrage of missiles
FROM THE MEDIA: Russia attacked Ukraine with 16 Iranian-made “kamikaze” drones overnight, hours after unleashing dozens of missiles in one of its largest barrages aimed at annihilating the war-torn country’s critical infrastructure in the dead of winter. Air attack sirens blared in the capital, Kyiv, around 2 a.m. local time, and several explosions and the sound of anti-aircraft fire south of the city were heard. By dawn, the attack appeared to be over and residents ventured outside after a relentless day and night of bombardment. The Ukrainian military said all 16 Shahed drones had been shot down by air defenses. Seven had targeted Kyiv, where an administrative building was damaged, Mayor Vitali Klitschko said.
READ THE STORY: NYPOST
Attacks on power substations are growing: Why is the electric grid so hard to protect
FROM THE MEDIA: Even before Christmas Day attacks on power substations in five states in the Pacific Northwest and Southeast, similar incidents of attacks, vandalism and suspicious activity were on the rise. Federal energy reports through August—the most recent available—show an increase in physical attacks at electrical facilities across the nation this year, continuing a trend seen since 2017. At least 108 human-related events were reported during the first eight months of 2022, compared with 99 in all of 2021 and 97 in 2020. More than a dozen cases of vandalism have been reported since September.
READ THE STORY: TechExplore
The Recovery Of Crypto Requires More Aggressive Solutions To Fraud
FROM THE MEDIA: It would not be an exaggeration to say that our industry is facing tough times. We’ve been in the midst of a “crypto winter” for a while now, with mains including bitcoin (BTC) and ether (ETH) falling in price. Similarly, monthly non-fungible token (NFT) trading volumes have fallen by more than 90% since their multi-billion dollar peak in January this year. Of course, these declines have only been accelerated by the many Black Swan events that have shaken the crypto world, such as the FTX and Three Arrows Capital meltdowns. Overall, it should come as no surprise that crypto is facing a trust deficit. While the destructive actions of reckless CEOs must be addressed and the individuals responsible for these incidents held accountable, our industry cannot stop there if we are to rebound. To address the trust deficit facing crypto, better security for the end user against the threat of scams and hacks should be a priority.
READ THE STORY: Cryptosaurus
The Twitter Files Raised A Lot Of Questions About Twitter And The FBI. The Bureau Hasn’t Answered Any Of Them
FROM THE MEDIA: The FBI has left important questions unanswered after documents from the “Twitter Files” revealed that the bureau influenced Twitter’s content moderation. The FBI had a major influence on Twitter’s decision to censor the New York Post’s reporting on Hunter Biden’s laptop and made numerous censorship requests to Twitter in the lead-up to the 2020 election, as documented in the “Twitter Files” reporting by independent journalists Michael Shellenberger and Matt Taibbi. Former Twitter Head of Trust and Safety Yoel Roth had weekly meetings with the FBI in the months before the 2020 election, he said in a Dec. 2020 sworn deposition.
READ THE STORY: Daily Caller
Ukraine Receives Another Batch Of Starlinks To Be Forwarded To 'Invincibility Points'
FROM THE MEDIA: Ukraine has received from Poland another batch of Starlink satellite communication terminals, which will be sent to Invincibility Points set up across the country to provide emergency power and heating to people in areas affected by long blackouts in the winter period. That's according to Prime Minister Denys Shmyhal, who reported the news on Telegram, Ukrinform saw. 'Ukraine received another batch of Starlinks. And already today they will go to the Invincibility Points, as well as to support the health care and energy spheres,' Shmyhal wrote.
READ THE STORY: MENAFN
Hacker Selling Gemini’s User Data On DarkWeb
FROM THE MEDIA: Reportedly, the data of the Gemini Crypto exchange was hacked by hackers and is now being sold on the DarkWeb. Gemini is an averagely popular Crypto exchange, which ranks at 6th position in the Crypto space in terms of 24-hour global Crypto trade volume on its platform. The services of this exchange are available in multiple countries, including 49 US States. On 30 Dec, a Twitter user reported that the user database of the Gemini Crypto exchange was stolen by a hacker and that the data is now being sold on the Dark Web. According to reports, the stolen database contains details of more than 5.7 million Gemini users. Earlier this month, Gemini admitted that the platform faced some security issues but failed to disclose the actual problem that the platform faced.
READ THE STORY: Bitcoinik
Russia intensifying cyberattacks on Poland
FROM THE MEDIA: More and more Russian cyberattacks against government bodies, aimed to destabilize the country, are recorded in Poland’s cyberspace. Stanisław Żaryn, the representative of the Polish government for the protection of the information space, noted that this is Russia's response to the country’s consistent aid to Ukraine, Ukrinform reports with reference to Poland’s government website. Since the Russian invasion of Ukraine, Poland has been a constant target of the Kremlin's hybrid efforts, including cyberattacks. Hostile activity in cyberspace against Poland has intensified recently. This is a consequence of our active participation in helping Ukraine, which is fighting (against the aggressor - ed.), as well as our determination to strengthen support for Kyiv in the international arena.
READ THE STORY: UKRINFORM
Accenture ransomware attack: LockBit gang leaks
FROM THE MEDIA: According to the ransomware group, LockBit, the customers of the consulting giant have been targeted using credentials obtained during the Accenture breach. According to the ransomware-as-a-service (RaaS) provider, they claimed to have infiltrated and encrypted the computers of an airport that used Accenture software on Wednesday. According to BleepingComputer, LockBit refuses to name particular businesses that were compromised by Accenture. “We have finished a comprehensive forensic analysis of the documents on the compromised Accenture computers.
READ THE STORY: Technology Malt
China cracks advanced microchip technology in blow to Western sanctions
FROM THE MEDIA: China has cracked a microchip design method previously only mastered by the West, in a challenge that could undermine sanctions. Patent filings reveal that Huawei has made advances in a crucial method of chip manufacture, raising the prospect that the company could eventually start making some of the smallest and most powerful microchips by itself. Such a development would allow Beijing to skirt Western sanctions. Washington, Brussels and London are currently all blocking access to advanced Western-made computer chips in China over fears the Communist nation could develop new military capabilities beyond the power of Western armies to resist.
READ THE STORY: Telegraph
Breaking Defense’s 10 most read stories from 2022
FROM THE MEDIA: This year was a busy one in the world of defense, from the geopolitical earthquake that was the Russian invasion of Ukraine, to unveilings of and contract awards on some of the most high-profile US military programs. As I noted last year, Breaking Defense is proud to count among its readers policymakers, industry leaders and defense practitioners, and it’s mostly for them that we break stories or dive headlong into the details of complex, sometimes inscrutable defense news. But every now and then a story hits a broader audience, and we’re happy to watch its wider appeal. The list below is a reflection of the latter, the most popular stories on the site for 2022.
READ THE STORY: Breaking Defense
Wabtec Corporation - Notice of Data Security Incident
FROM THE MEDIA: On June 26, 2022, Wabtec became aware of unusual activity on its network and promptly began an internal investigation. It was subsequently determined that malware was introduced into certain systems as early as March 15, 2022. Wabtec, with the assistance of leading cybersecurity firms, assessed the scope of the incident to, among other things, determine if personal data may have been affected. Additionally, shortly after discovery of the event, Wabtec notified the Federal Bureau of Investigation.
READ THE STORY: Yahoo Entertainment
Items of interest
CMMC operations now halted
FROM THE MEDIA: The CMMC is owned by Mitsubishi Materials Corporation. It generates an average of 100 million pounds of copper per year and has an anticipated mineral reserve capacity for another 32 years. The Canadian Copper Mountain Mining Corporation (CMMC), which is located in British Columbia, recently made an announcement stating that it was the subject of a ransomware attack, which caused disruptions to its operations. Late in the day on December 27, 2022, a malicious cyberattack was launched against the corporation. In a prompt manner, the company’s information technology staff reacted by putting in place the planned risk management systems and processes. CMMC took measures to control the situation by isolating the affected systems and shutting down other components so that they could be properly examined and the effect of the ransomware attack determined.
READ THE STORY: Security Newspaper
Assembly Calling Conventions For Reverse Engineers (Video)
FROM THE MEDIA: A practical look at x86 calling conventions from a reverse engineering perspective. We take a look at __cdecl, __stdcall, __fastcall and __thiscall.
Process Memory Basics for Reverse Engineers - Tracking Memory With A Debugger (Video)
FROM THE MEDIA: Process Memory Basics for Reverse Engineers - Tracking Memory With A Debugger.
These open source products are reviewed from analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com