InfoSec News 20220314
Top News
-
Ubisoft Resets Employee Passwords Following Cyberattack
"Ubisoft says it has initiated a company-wide password reset operation after learning that it fell victim to a cyberattack.
In a short cyber incident notification, the French video game company said that the attack – which took place during the week of March 1 – caused some disruptions, but provided no specific details on that."
TLP1 : Green
-
Critical Infrastructure Threat as Ransomware Groups Target 'Enemies of Russia'
"The cybercrime underground has fractured into pro-Ukraine and pro-Russia camps, with the latter increasingly focused on critical national infrastructure (CNI) targets in the West, according to a new report from Accenture.
The consulting giant’s Accenture Cyber Threat Intelligence (ACTI) arm warned that the ideological schism could spell mounting risk for Western organizations as pro-Kremlin criminal groups adopt quasi-hacktivist tactics to choose their next victims."
TLP1 : Green
-
French Bank Denies Access to Russian Workforce
"French bank BNP Paribas has reportedly blocked its Russian-based employees from accessing its internal computer systems.
According to a Reuters source, the bank rescinded the access privileges of its Russian workforce over fears that connections to the local network could leave BNP Paribas vulnerable to cyber-attacks by Russian threat actors.
The restriction is reportedly part of the French lender's strategy to improve its cybersecurity in response to the increase in geopolitical tensions between NATO member countries and Russia, triggered by Russia's invasion of Ukraine. "
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Fake Ukraine Charity Scams Taking Their Toll
"The more emotional the crisis, the more scammers will use it to generate money for themselves."
TLP1 : Green
-
Russia-Ukraine cyber conflict puts critical infrastructure at risk
"While the Russia-Ukraine cyber conflict goes on, nation-state actors, crooks, and hacktivists continue to put critical infrastructure at risk. Critical infrastructure is a privileged target for almost any kind of threat actor, and the ongoing Russia-Ukraine cyber conflict is putting it at risk.
Ongoing attacks could cause severe damage to multiple sectors, including transportation, communication, financial services, government facilities, nuclear reactors, and critical manufacturing."
TLP1 : Green
-
Hackers Target German Branch of Russian Oil Giant Rosneft
"The German subsidiary of Russian energy giant Rosneft has been hit by a cyberattack, the Federal Office for Information Security (BSI) said on Monday, with hacker group Anonymous claiming responsibility.
Rosneft Deutschland reported the incident in the early hours of Saturday morning, the BSI said. Anonymous had published a statement on Friday claiming responsibility for the attack and saying it had captured 20 terabytes of data.
Prosecutors in Berlin have opened an investigation, according to a report in Der Spiegel magazine."
TLP1 : Green
-
Anonymous sent a message to Russians: “remove Putin”
"The hacker collective Anonymous has published a new message for Russians inviting them to wake up and remove Putin, who is responsible for war crimes against Ukrainians.
Putin is killing a defenseless population; he is exterminating entire families in full delirium.
“You are trapped behind an iron curtain of propaganda, with your government trying to keep you in the dark about the international deal, out of fear of what you might find out. Vladimir Putin’s regime is committing war crimes with its recent invasion of Ukraine, which has caused a huge refugee crisis and countless deaths. It is a terrible situation you have been placed in, but your only chance to prevent impending economic collapse and a potential world war is to act to resist the war and Putin’s regime.” states the message. “Putin has exposed the population to a sacrifice. At this point, the most peaceful way in which this conflict can end is for the people of Russia to rise up against Putin and remove him from power”."
TLP1 : Green
-
Filter Blocked 70,000 Emails to Indiana Lawmakers on Bill
"A spam filter blocked as many as 70,000 emails sent to Indiana legislators about a contentious bill that aimed to place restrictions on teaching about racism and political topics.
The Indiana State Teachers Association said it found out less than a week before the legislative session ended early Wednesday about emails sent through a form on its website not reaching the accounts of lawmakers, The Indianapolis Star reported."
TLP1 : Green
-
FCA: Crypto ATMs Are Illegal in the UK
"The UK’s financial regulator has warned consumers not to use cryptocurrency ATMs operating in the country, as they are doing so illegally.
The Financial Conduct Authority (FCA) said any machines offering crypto-asset exchange services in the UK must be registered and comply with UK Money Laundering Regulations (MLRs).
“None of the crypto-asset firms registered with us have been approved to offer crypto ATM services, meaning that any of them operating in the UK are doing so illegally and consumers should not be using them,” it said."
TLP1 : Green
-
VPN provider bans BitTorrent after getting sued by film studios
""No logs" VPN provider TorGuard has reached a legal settlement this month with over two dozen movie studios that sued the company for encouraging piracy and copyright infringement.
In the settlement, TorGuard has agreed to block BitTorrent traffic for its users."
TLP1 : Green
-
Avast Suspends Operations in Russia and Belarus
"Czech-based multinational cybersecurity software company Avast has suspended the sale and marketing of its products in Russia and Belarus.
In a statement shared Thursday, Avast said it was ceasing business in Russia and offering its premium products free of charge to the people of Ukraine.
"With immediate effect, we have withdrawn the availability of all of our products from Russia and Belarus and suspended all marketing and sales operations in these countries," said Avast.
"We do not take this decision lightly; we’ve offered our products in Russia for nearly 20 years and users in this country are an important part of our global community.""
TLP1 : Green
-
Mar 06- Mar 12 Ukraine – Russia the silent cyber conflict
"This post provides a timeline of the events related to the Russia invasion of Ukraine from the cyber security perspective."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Ransomware Gang Threatens to Leak Files Stolen From Tire Giant Bridgestone
"A well-known ransomware group is threatening to leak files stolen from tire and rubber giant Bridgestone Americas.
The cyberattack came to light in late February. Bridgestone at the time decided to disconnect many of its manufacturing and retreading facilities in the Americas from its network, which led to some plant operations getting shut down and employees being sent home. The company has 50 production facilities and 55,000 employees."
TLP1 : Green
-
Over 500,000 Patients Hit by Data Breaches at Healthcare Firms in Alabama, Colorado
"The information of more than half a million individuals was likely compromised after three healthcare services providers in Alabama and Colorado suffered cybersecurity breaches.
The most recent cyberattack – and most impactful – targeted South Denver Cardiology Associates and resulted in the data of more than 287,000 patients being exfiltrated.
The Colorado firm identified the attack on January 4 and later discovered that an unknown party had access to certain systems in its network between January 2 and January 5, 2022."
TLP1 : Green
-
Data breach at US heart disease treatment center impacts 287,000 individuals
"A data breach at US health clinic South Denver Cardiology Associates (SDCA) has exposed the medical information of more than 287,000 people.
In a data breach notice (PDF), SDCA admitted that an unnamed attacker broke into its systems and had access to confidential databases for three days between January 2, 2022, and January 5, 2022, before the breach was detected and thwarted.
SDCA notified law enforcement and called in the help of an external computer forensics firm to determine the scope of the compromise."
TLP1 : Green
-
Leak of Russian Censorship Data
"The transparency organization Distributed Denial of Secrets has released 800GB of data from Roskomnadzor, the Russian government censorship organization."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Critical Vulnerabilities Patched in Veeam Data Backup Solution
"Veeam over the weekend announced patches for two critical vulnerabilities impacting Backup & Replication, a backup solution for virtual environments.
The application provides data backup and restore capabilities for virtual machines running on Hyper-V, vSphere, and Nutanix AHV, as well as for servers and workstations, and for cloud-based workloads.
Tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS score of 9.8), the two security holes could be exploited to execute code remotely, without authentication."
TLP1 : Green
-
Microsoft removes Windows 11 update block for VirtualBox users
"Microsoft has removed the last Windows 11 safeguard hold after Oracle addressed a known VirtualBox issue causing errors and virtual machine start failures when Hyper-V or the Windows Hypervisor were installed.
Safeguard holds prevent users from upgrading to Windows 11 to protect their systems against potential upgrade issues, in this case, software instability caused by compatibility issues between Windows and VirtualBox."
TLP1 : Green
-
AMD Updates Spectre Mitigations Following Intel Research
"AMD last week informed customers that it has updated mitigations for a variant of the Spectre side-channel attack. The update comes in response to research conducted by Intel.
The Meltdown and Spectre attack methods, which can be exploited to obtain potentially sensitive bits of information from a device’s memory by abusing CPUs, were disclosed in January 2018. The most dangerous of the Spectre attacks was dubbed Spectre v2 and Spectre BTI (Branch Target Injection), and it’s tracked as CVE-2017-5715."
TLP1 : Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Human Factors: Why Technology Alone Will Never Equal Cyber Secure
"Cybersecurity is a vast professional field. There is so much technology that can protect all the systems that we use on a daily basis. All of these systems can help us to remain secure, yet, no matter how many systems are in place, we have to remember the human element as well."
TLP1 : Green
-
The VC View: Incident Response and SOC Evolution
"The evolution of cybersecurity incident response and the modern SOC continues to be one of the biggest post-pandemic security trends."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Brazilian trojan impacting Portuguese users and using the same capabilities seen in other Latin American threats
"A new variant of a Brazilian trojan has impacted Internet end users in Portugal since last month (February 2022). Although it shows no significant differences in sophistication compared to other well-known trojans such as Maxtrilha, URSA, and Javali, an analysis of the artifacts and IOCs obtained from this campaign is presented below."
TLP1 : Green
-
Stay Alert to Facebook Credential Stealer Applications Stealing Users' Credentials
"Social media credentials are always a lucrative thing for threat actors. They use various techniques to get them. Some use overlays with fake user interfaces, some use key-logging, and some use simple social engineering to trap users. Another technique threat actors have used in the recent past is JavaScript code injection in WebView to steal Facebook credentials. The script directly captures the entered Facebook login credentials."
TLP1 : Green
-
Russian Ransomware Gang Retools Custom Hacking Tools of Other APT Groups
"A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found.
The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week."
TLP1 : Green
-
Hackers Using Cheat Lures to Distribute Powerful Information Stealer Malware
"A malware distribution campaign has been detected recently by researchers at the Korean cybersecurity firm ASEC. In this malicious campaign, to trick Valorant players on YouTube, the hackers are using Valorant cheat lures."
TLP1 : Green
-
Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers
"New findings released last week showcase the overlapping source code and techniques between the operators of Shamoon and Kwampirs, indicating that they "are the same group or really close collaborators."
TLP1 : Green
-
Automotive giant DENSO hit by new Pandora ransomware gang
"Automotive parts manufacturer DENSO has confirmed that it suffered a cyberattack on March 10th after a new Pandora ransomware operation began leaking data allegedly stolen during the attack.
DENSO is one of the world's largest automotive components manufacturers, supplying brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat, and General Motors with a wide range of electrical, electronic, powertrain control, and various other specialized parts.
The company operates out of Japan but has over 200 subsidiaries and 168,391 employees worldwide and reports $44.6 billion in revenue for 2021."
TLP1 : Green
-
Android malware Escobar steals your Google Authenticator MFA codes
"The Aberebot Android banking trojan has returned under the name 'Escobar' with new features, including stealing Google Authenticator multi-factor authentication codes.
The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.
The main goal of the trojan is to steal enough information to allow the threat actors to take over victims' bank accounts, siphon available balances, and perform unauthorized transactions."
TLP1 : Green
-
Does the Free World Need a Global Cyber Alliance?
"The increasing incidence of aggressive cyber activity from Russia, China, Iran and North Korea, together with heightened concerns over the war in Ukraine, raises an important question: should the free world unite with a global cyber alliance in response?
At Cybertech Tel Aviv 2022 (March 1-3, 2022), founder of VC firm JVP, Erel Margalit, called for a global cyber alliance in response to the Russian invasion of Ukraine. “Leadership is required to establish a democratic cyber alliance, including NATO and other free countries, in order to lead values-based cyber that will support democracies and people, and will say ‘enough!’ to dictators and to those who support them,” he said."
TLP1 : Green
-
Raccoon Stealer Crawls Into Telegram
"The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware.
A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). A range of cybercriminals continue to widen its attack surface through creative distribution means like this, researchers have reported."
TLP1 : Green
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.