
Stolen Card Validation Service Illuminated A New Corner of the Skimming Ecosystem

 

In recent threat-infrastructure studies, experts found that the digital credit card skimming ecosystem keeps evolving as researchers identify the new players, tooling, services, and economies that make it up. They also noticed that significant patterns emerge in the infrastructure these groups use and share.

Many domains used for digital skimming and other criminal activities have been hosted on Alibaba IP space in recent years. Because bulletproof hosting companies host a large percentage of skimming campaigns, the popularity of Alibaba IP space could be due to one of these bulletproof services abusing Alibaba hosting services. Some of these domains have also recently been seen abusing Google's user content hosting service.

While looking into the MobileInter skimmer's infrastructure, the analysts discovered that one of its skimmer domains was temporarily hosted on a Google IP address. This IP then hosted a domain offering card skimmers a service that let them validate stolen payment data for a fee. Using RiskIQ's Internet Intelligence Graph, the experts were able to discover multiple associated websites, services, and social media accounts connected to this validation service, known as bit2check. Some bit2check names have been spotted abusing Alibaba and Google hosting services in the same way as Magecart domains.

Following additional investigation, the analysts discovered that the person behind bit2check is a Kurdish actor who goes by the name Hama. There was no apparent relationship between this individual and the bulletproof hosting operation seen on Alibaba, though the connection could still lead to more information about who is providing these malicious hosting services.

The bit2check website advertises a bit2check Telegram group and promotes itself as the "greatest CVV/cc checker in town." Many Kurdish-language Telegram channels also link to the bit2check site and to others, including bin-checker[.]net, a free version of bit2check. These card-checking services promote each other through links on their websites and Telegram channels.

The domains and accounts linked to Hama are also associated with the activities of other players in the carding sector. Code produced by another actor known as namso can be seen on some of Hama's websites, and a directory called namso_files can be found in Hama's GitHub source.

RiskIQ has been investigating browser-based card skimming since it first reported on Magecart in 2016 and on the group's historic attack against British Airways in 2018.

Bit2check is another part of this vast ecosystem, catering to skimmers who want to validate their loot or buy more stolen information. According to RiskIQ, many of the operations in this ecosystem, both the skimmers and the services that cater to them, use the same strategies and infrastructure.

Chinese Military Unit Linked to Cyber Espionage Campaign Targeting India

 

Recorded Future, a US security firm, has revealed a cyber espionage campaign attributed to a suspected Chinese state-sponsored threat activity group named RedFoxtrot. Recorded Future's threat research arm, Insikt Group, discovered evidence dating back to 2014 that links RedFoxtrot to the Chinese military-intelligence apparatus, People's Liberation Army (PLA) Unit 69010.

Before restructuring in 2015, PLA’s cyber-attack unit 69010 was known as the Lanzhou Military Region’s Second Technical Reconnaissance Bureau, and now it has been incorporated into the Network Systems Department of the PLA’s Strategic Support Force (SSF). According to a report published by Recorded Future’s Insikt Group, cybersecurity experts have detected intrusions targeting aerospace, defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan.

“Notable RedFoxtrot victims over the past 6 months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region. Activity over this [past six-month] period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC),” analysts explained.

According to the research team, the RedFoxtrot group employs both bespoke and publicly available malware families in its attacks, including IceFog, ShadowPad, Royal Road, PCShare, and PlugX, as well as web server infrastructure to host and deliver payloads and to collect stolen information. Some of the group’s past campaigns have previously been documented by other security firms under different names, which has become a common sight in modern-day threat hunting.

“The recent activity of the People's Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government's security posture,” stated Christopher Ahlberg, CEO and Co-Founder of Recorded Future.

Recorded Future researchers were successful in making connections inside this nebula of Chinese state-sponsored hacking activity to RedFoxtrot (and subsequently to PLA Unit 69010) due to lax operational security (OpSec) measures of one of its members. 

“Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy located in Wuhan,” the researchers further stated.

The Polish Prime Minister asked the Sejm to hold a closed meeting on cyber attacks

The lower house of the bicameral parliament of Poland (the Sejm) will hold a closed session on Wednesday on hacking attacks against representatives of the country's authorities. This was announced on Tuesday at a briefing by the official representative of the government of the republic, Peter Muller.

"The Prime Minister [Mateusz Morawiecki] asked the Speaker of the Sejm, Elzbieta Witek, to organize a meeting of the chamber in closed mode, so that the government could inform about the cyber attacks that were aimed at Poland," he informed, stressing that during the meeting, the deputies will be acquainted with the classified data.

"Recently, we have been the target of an unprecedented cyber attack aimed at Poland, at Polish institutions, at individual email users," said Muller.

Witek has already confirmed that a closed meeting on the topic of cyber attacks will be held on Wednesday. "We will listen to the Prime Minister's explanations and information," she informed journalists.

On June 9, the head of the office of the head of the Polish government, responsible for the implementation of the National Vaccination Program, Michal Dvorczyk, said that he was attacked by hackers. E-mail and social media pages belonging to him and his wife were hacked. In a statement, the politician suggested that Russian-speaking hackers were involved in the attack, as the information was published in the Russian social network Telegram. The incident is being investigated by the Polish special services and the prosecutor's office.

On Tuesday, Radoslaw Vogel, deputy press secretary of Poland's ruling conservative Law and Justice party (PiS), said that "today someone made an attempt to get data from parliamentary emails." "Anyone can be under threat, there is a constant arms race in matters of online security," he wrote on Twitter.

In addition, on June 11, the UK accused Russia of aiding cyberattacks and called on the G7 to unanimously oppose such acts.

Growing Cyber-Underground Market for Initial-Access Brokers

 

Ransomware groups are increasingly purchasing access to corporate networks from "vendors" who have previously placed backdoors on targets. 

Email is a well-known entry point for fraudsters attempting to breach a corporate network. According to researchers, instead of doing the heavy lifting themselves, ransomware groups are teaming up with other criminal groups who have already opened the path for access using first-stage software.

As per the report released Wednesday by Proofpoint, researchers discovered a "lucrative criminal ecosystem" that works together to launch effective ransomware attacks, such as the ones that have lately made headlines (Colonial Pipeline) and caused substantial damage around the world. 

According to the analysis, recognized ransomware gangs such as Ryuk, Egregor, and REvil first link up with threat actors who specialize in initial infection utilizing various forms of malware, such as TrickBot, BazaLoader, and IcedID, before unleashing the ultimate ransomware payload on the network. 

“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network,” the report states.

Proofpoint has identified at least ten threat actors who use malicious email campaigns to spread first-stage loaders, which ransomware groups then use to deliver the final payload. Researchers found that the relationship between such threat actors and ransomware groups is not one-to-one, as multiple threat actors deliver the same ransomware payloads.

“Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021,” according to the report. 

Proofpoint has also seen ransomware spread via the SocGholish malware, which infects users with fake updates and website redirects, as well as the Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators employ to avoid detection, according to researchers. 

About Attackers and Malware of Choice: 

The study maps 10 threat actors that Proofpoint researchers have been watching as initial access enablers to their malware and techniques of choice for gaining network access, which they subsequently sell to various ransomware groups for more sinister objectives.

Researchers discovered that TA800, a prominent cybercrime actor that Proofpoint has been tracking since mid-2019, provides banking malware or malware loaders to the Ryuk ransomware gang, including TrickBot, BazaLoader, Buer Loader, and Ostap. 

Since mid-2020, Proofpoint has been tracking TA577, a cybercrime threat actor that "conducts broad targeting across numerous businesses and regions" to distribute payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike via emails with malicious Microsoft Office files. 

According to the research, the Sodinokibi or REvil ransomware organization is linked to TA577, which has had a 225 percent increase in activity in the last six months. 

Other tracked cybercrime groups include TA569, TA551, TA570, TA547, TA544, TA571, and TA575. The last of these is a Dridex affiliate that Proofpoint has tracked since late 2020; it distributes malware via malicious URLs, Office attachments, and password-protected files, with each campaign sending an average of 4,000 emails to hundreds of businesses.

Indian Hacker Discovers a New Instagram Bug

 

Instagram has addressed a flaw that allowed anyone to view content from private profiles without following them, including archived posts and stories.

Facebook recently rewarded Indian programmer and bug bounty hunter Mayur Fartade with Rs 22 lakh for identifying an Instagram bug that could let anybody view posts on a private Instagram account without following it. The issue, which Fartade has just described in a post, might have been a serious privacy violation leading to identity fraud and harassment. The flaw was reported to Instagram on April 15, 2021, and has now been patched.

According to Fartade, the flaw might have enabled hackers, or anyone intending to spy on a user, to target particular users' posts and gain access without having to follow their private account.

Fartade noted in his post that the elevated privileges an attacker could have gained would allow viewing elements like “private/archived posts, stories, reels (and) IGTV, details including like/comment/save count, display_url, image.uri, Facebook linked page (if any) and other particulars, without following the user and by using Media ID”.

The flaw could allow anyone to brute-force a "Media ID", the identifier of any post created on Instagram, and then use it to regenerate legitimate links to archived and private posts. For this purpose, attackers could use the Instagram GraphQL tool in the developer library, input a targeted post's brute-forced media ID, and execute the query to obtain information such as the post link and other related details.

This issue might have revealed numerous sensitive facts and surely breached privacy, as non-followers having access to content on a private account could result in many untoward occurrences including identity theft, challenges, or harassment. 

Facebook in its letter to Fartade thanked him for his report: “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future,” the company said. 


Suspects Linked to the Clop Ransomware Gang Detained in Ukraine

 

Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department. 

While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement. 

The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash. 

Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added. 

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. 

In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.

Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.

The white hat hacker has estimated the probability of a hacker attack on the websites of Internet giants

There is no need to worry about the security of Russian systems after a global failure of sites around the world, since the servers of all state institutions are located on the territory of Russia.

Information security expert Denis Batrankov explained that the problem of modern systems is that many companies do not have the opportunity to create their own office to host their servers there. As a result, they order servers from other hosting providers where they host their product. All responsibility in this case falls on the hosting provider, but the risk of failures increases significantly.

Vakulin illustrated his opinion with an example of Amazon Web Services hosting.

"Many sites are hosted by Amazon Web Services, including small and medium-sized businesses. Since there was a large-scale failure, all the sites that were hosted on this platform went down with it," the hacker said.

The expert believes that, despite the recent attacks on the American pipeline company Colonial Pipeline and the world's biggest meat supplier, JBS, Russia should not worry too much about industrial safety.

"As for government agencies, their servers are located in Russia. The data is stored in our country. From a security point of view, everything has been done to prevent third parties from accessing this data", the expert said.

The programmer also drew attention to the fact that the State Duma was going to oblige foreign IT companies with an audience of more than 500 thousand people a day to open branches in Russia.

"This law can still be finalized to the point that all data will be stored on Russian servers," Vakulin said.

In conclusion, the programmer shared his vision of the future in the IT field. He believes that neural networks will control the servers.

"I carefully monitor how our technologies and knowledge of artificial intelligence and neural networks are improving," Vakulin said. "Most likely, neural networks will simply monitor everything in the future: they will be engaged in tracking the site. In 20 years, programmers and cryptographers will simply observe the work of artificial intelligence, somehow refine it, and it will already do the work for them."

Earlier, Internet users reported a global failure in the work of the sites of a number of media outlets, companies and social networks around the world. Problems were observed, for example, at CNN, Twitter, Guardian, Amazon, Reddit, New York Times. The problems occurred due to a failure in the work of the American cloud service provider Fastly. Within an hour, the problems were fixed.

Inadvertently Exposed Secrets and Tokens are promptly Scanned by GitHub

 

GitHub recently extended its secret scanning to cover PyPI and RubyGems registry secrets committed to repositories. This protects the millions of Ruby and Python programmers who can unintentionally commit secrets and credentials to their GitHub repositories.

GitHub, Inc. is a software development and version control hosting service built on Git. It provides Git's distributed version control and source code management along with its own features. GitHub offers Advanced Security licenses that unlock additional security features; these features are also available for public repositories on GitHub.com.

It was recently reported by GitHub that repositories that expose PyPI and RubyGems secrets, such as passwords and API tokens are now routinely scanned. 

To take advantage of this functionality, developers must make sure that GitHub Advanced Security is activated for their repository, which is the default for public repositories.

"For public repositories on GitHub.com, these features are permanently on and can only be disabled if you change the visibility of the project so that the code is no longer public," states GitHub. 

Secrets or tokens are strings with which a client authenticates itself to a service, comparable to a username and password.

Third-party API applications often embed private secrets in their code to access API services. As such, one should be careful not to expose secrets, since a leak can lead to far broader attacks on the supply chain.

GitHub also scans, among other things, for mistakenly committed npm, NuGet, and Clojars secrets.

GitHub Advanced Security currently supports more than 70 distinct kinds of secrets.

The advisory further read, “For other repositories, once you have a license for your enterprise account, you can enable and disable these features at the organization or repository level. For more information, see "Managing security and analysis settings for your organization" and "Managing security and analysis settings for your repository." If you have an enterprise account, license use for the entire enterprise is shown on your enterprise license page. For more information, see "Viewing your GitHub Advanced Security usage”."

GitHub notifies the administrator when it spots a password, an API token, a private SSH key, or any other secret disclosed in a public repository. For the newly added PyPI and RubyGems secrets, the registry maintainers revoke the disclosed credential and email the developer explaining why.

"If we find one, we notify the registry, and they automatically revoke any compromised secrets and notify their owner," explains GitHub software engineer Annie Gesellchen in a blog post. The benefit of GitHub's RubyGems and PyPI cooperation is that it revokes disclosed secrets automatically in seconds instead of waiting for the developer to take manual action. 

Automated secret scanning takes developers a step further toward protecting their infrastructure from inadvertent leakage and improving security in the supply chain.
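As an added example (not GitHub's or the registries' own code), the detection half of the pipeline described above in a form a team could run as a pre-push hook: it scans only the lines a diff adds, matches assumed PyPI and RubyGems token shapes, and reports masked matches so the secret itself never lands in CI logs. The token formats, the sample diff, and all function names are assumptions, not something the post states.

```python
"""Minimal registry-secret scanner for a pre-push hook (added example).

Token shapes are ASSUMPTIONS: PyPI API tokens are taken to start with
"pypi-" and RubyGems API keys with "rubygems_". Adjust the patterns to the
formats your registries actually issue before relying on this.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Iterable

# Assumed token shapes. The minimum lengths keep a bare word such as the
# literal "pypi-" in a comment from being reported as a credential.
PATTERNS = {
    "pypi_api_token": re.compile(r"pypi-[A-Za-z0-9_-]{40,}"),
    "rubygems_api_key": re.compile(r"rubygems_[0-9a-f]{40,}"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    masked: str  # never echo the full secret into logs or CI output


def mask(secret: str) -> str:
    """Keep just enough of the token to recognise it in a report."""
    return secret[:12] + "..." + secret[-4:]


def scan_lines(lines: Iterable[tuple[int, str]]) -> list[Finding]:
    """Scan (line_no, text) pairs and return one masked Finding per match."""
    findings: list[Finding] = []
    for line_no, text in lines:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append(Finding(kind, line_no, mask(match.group(0))))
    return findings


def scan_text(text: str) -> list[Finding]:
    """Scan a whole file; line numbers refer to the file."""
    return scan_lines(enumerate(text.splitlines(), start=1))


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the lines a unified diff ADDS ('+' prefix, but not the
    '+++' file header); line numbers refer to the diff itself, which is
    what a hook prints for the developer to locate the offending hunk."""
    added = (
        (n, line[1:])
        for n, line in enumerate(diff.splitlines(), start=1)
        if line.startswith("+") and not line.startswith("+++")
    )
    return scan_lines(added)


def hook_exit_code(findings: list[Finding]) -> int:
    """Non-zero blocks the push; the caller decides whether to allow overrides."""
    return 1 if findings else 0


# CONSTRUCTED sample diff: the token values below are made up and have no
# relation to any real credential.
SAMPLE_DIFF = """\
diff --git a/.pypirc b/.pypirc
+++ b/.pypirc
+[pypi]
+username = __token__
+password = pypi-CONSTRUCTEDSAMPLETOKENvalue00000000000000000000000000000000
+gem_key = rubygems_012345678901234567890123456789abcdefabcdefabcdef
-old_line = nothing
+comment = the word pypi- alone is not a token
"""

if __name__ == "__main__":
    # Hook usage: `git diff --cached | python scanner.py`; falls back to the
    # constructed sample when stdin is a terminal.
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    found = scan_diff(diff)
    for f in found:
        print(f"{f.kind} at diff line {f.line_no}: {f.masked}")
    sys.exit(hook_exit_code(found))
```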

International Sting Operation Cracks Down Encryption Criminal Groups

An international sting operation targeting drug suppliers led to the arrest of a man; the Australian Federal Police blurred the suspect's face for privacy reasons. The criminals, dealing in drug smuggling and money laundering, texted each other confident that they would not get caught because of the special encrypted platform they were using for communication. There was only one issue for the group: all of these texts, millions of them, were being read by the FBI.

As a matter of fact, the FBI had sent these Anom devices to the black market. Operation Trojan Shield has these details and allegations revolving around it. It is an international operation led by the FBI which has resulted in more than 800 arrests. NPR says "the document includes transcripts of smugglers' conversations in which they name their prices and handling fees and describe their methods. Many of them also sent snapshots to each other, showing packages of cocaine and other drugs. They discussed strategies, from adding drugs to diplomatic pouches to filling pineapples and tuna cans with cocaine." 

Law enforcement agencies seized around 8 tonnes of cocaine, around 22 tonnes of cannabis, and several tonnes of other drugs. Besides this, authorities seized "55 luxury vehicles and over $48 million in various worldwide currencies and cryptocurrencies," says Interpol, a European law enforcement agency. As per the FBI, the agencies worked together to provide more than 12,000 devices to criminal organizations operating all over the world. Europol says it has been one of the largest and most sophisticated crackdowns on encrypted criminal communications to date. Using Anom, the FBI and Europol around 300 Transnational Criminal Organizations (TCOs).

These include Italian organized crime groups, outlaw motorcycle gangs, and other international narcotics sourcing, distribution, and transportation networks. "Law enforcement agencies were in a unique position to help the new Anom device find its market. In recent years, they've taken down three similar networks — Phantom Secure, EncroChat and, earlier this year, Sky Global — boosting criminals' demand for a new alternative," said NPR.

Hackers Target American Retail Businesses, FINRA Scolds Brokerage Firms

 

Besides the overwhelming cyberattacks facing American corporations, American retail investors are also struggling against a rise in hackers breaking into their accounts and investments. FINRA (the Financial Industry Regulatory Authority), the market's self-regulatory body, said in a recent notice that it has received several complaints about customer accounts being hacked. The incidents involved attackers using stolen customer information, such as login credentials, to break into customers' online brokerage accounts.

According to MarketWatch, "Ari Jacoby, chief executive and co-founder of cybersecurity firm Deduce, backed up this statement with data showing that account-takeover fraud increased by roughly 250% from 2019 to 2020. He told Security.org that account-takeover prevention is a $15 billion market that is ‘growing significantly year-over-year.’" FINRA identifies two factors that might be responsible for the surge in account takeover incidents.

The first is the increased use of online services and brokerage apps, which lets hackers break into user accounts using login IDs and passwords bought on the dark web. It is easy for hackers to find customers' login credentials because many users reuse the same password combinations across multiple accounts. The second aspect is the COVID-19 factor. "Customer account-takeovers have been a recurring issue, but reports to FINRA about such attacks have increased as more firms offer online accounts, and as more investors conduct transactions in these accounts. In part due to the proliferation of mobile devices and applications and the reduced accessibility of firm’s physical locations due to the COVID-19 pandemic," reports FINRA.

The Securities and Exchange Commission is also keeping an eye on this issue and is pressing brokerage firms for not keeping a check on suspicious activities. MarketWatch says, "But most individual investors don’t have to wait for the SEC or FINRA to come to their rescue, because this sort of criminal activity is largely enabled by a lack of vigilance on the part of victims, including requesting that their broker send them suspicious login alerts and using two-factor authentication, according to Jacoby."

Ransomware Hits News Stations in US, Affects Local Broadcast

 

Two local television news stations have been disrupted since Thursday, and experts say it is because of a ransomware attack on their parent company. The parent, Cox Media Group, which owns NBC affiliate WPXI in Pittsburgh and ABC affiliate WFTV in Orlando, Florida, told managers to shut down company phones and computers, leaving employees to communicate using only personal phones and text messages. Both stations still managed to run local broadcasts, but their operations are somewhat limited.

Cox has declined to release any statement about the attack, but experts believe ransomware was behind it, with hackers breaching the network and holding files hostage for ransom.

According to experts, when an IT incident spreads across multiple parts of an organization, it is most likely a ransomware attack: an unplanned, widespread IT outage of this kind points to a ransomware breach, or to malware used to plant ransomware. It is less likely that any other form of cyberattack would cause such a shutdown.

Meanwhile, in Orlando, the employees were asked to not go to the office on Thursday and Friday, however, they weren't told clearly what happened with the computer networks of the company. An employee in Pittsburgh said that the company on Thursday morning shut down its servers as a safety measure to avoid any security breach. 

As of now, staff have been kept off the computer networks, so there is not much they can do, and the situation at the stations has become somewhat tense. Ransomware actors have been attacking US organizations, schools, hospitals, and businesses for a long time.

But the issue became a major concern for the US federal government when a recent attack on one of the country's biggest companies, Colonial Pipeline, stopped fuel supply for 5 days in the US.

"Many of the most prolific ransomware gangs, including those responsible for the JBS and Colonial hacks, speak Russian and have at least some members based in Russia who appear to operate with impunity, leading President Joe Biden to say he's 'looking closely' at retaliating," reports NBC News.

Hacking Group DarkSide Attacks Colonial Pipeline With a Ransomware

Hacking group DarkSide, which was behind the recent ransomware attack on Colonial Pipeline, operates in a more ordinary way than people assume. It works like a franchise: independent hackers get to use DarkSide's ransomware software, along with the DarkSide name, with the aim of extorting money from victims, most of which are based in the US.

"Cybereason reports that DarkSide has a perverse desire to appear ethical, even posting its own code of conduct for its customers telling them who and what targets are acceptable to attack. Protected organizations not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Also apparently protected are entities based in former Soviet countries," says CNBC. Ransomware is a kind of harmful software that stops access to a computer when planted. In return for providing the access, hackers demand hefty ransom. 

Reports suggest that Colonial paid DarkSide a ransom of $5 million. The business model under which DarkSide operates allows a hacker to carry out an attack without much computer knowledge, unlike earlier scenarios where such knowledge was essential, because the hackers are provided ready-made ransomware software by DarkSide. The hacker only has to perform a small task and the software takes care of the rest. Experts say DarkSide appears to be a new hacking group, but they know enough about it to judge how dangerous it is. Experts describe DarkSide as running a 'ransomware as a service' business model.

In simple terms, DarkSide makes ransomware tools and puts them on the market, where cybercriminals buy them and use them in their attacks. You may say it is an evil replica of a Silicon Valley software startup. The FBI confirmed earlier this week that DarkSide was behind the Colonial Pipeline attack. CNBC says "DarkSide also maintains that it will donate a portion of its profits to charities, although some of the charities have turned down the contributions. Hackers continue to expand: Cybereason reports they recently released a new version of their malware: DarkSide 2.0."

The first users got SIM cards with Russian encryption

Voentelecom has started implementing SIM cards that are intended to create a "trusted environment" on smartphones. With the rollout of 5G, the transition to such SIM cards may become mandatory for everyone.

One of the project participants, IDX (a developer of identification services), said that Voentelecom is testing SIM cards equipped with Russian cryptography. So far, the experiment covers several hundred SIM cards and military networks.

It should be noted that Voentelecom is a strategic telecommunications company of Russia that fulfills the state defense order in the construction of military communications.

According to IDX CEO Svetlana Belova, Voentelecom is the first operator to start testing. It was the first to deploy a hardware security module (HSM) on its network, which makes it possible to implement domestic cryptography in the telecommunications equipment used by mobile operators. As a result, Voentelecom has brought its virtual mobile operator (MVNO) up to the required security class.

"For various Russian payment applications such as SberPay, TinkoffPay, etc., foreign mobile operating systems, both iOS and Android, are untrusted environments; neither the FSB nor the bank can take responsibility for operations in them. Using a trusted SIM card, on which payment data will be stored, allows us to solve this problem," said Svetlana Belova.

According to her, many users are dissatisfied with having to hand over their personal data in the public domain. A trusted SIM card makes it possible to give a business reliable information without disclosing that data. For example, when buying alcohol or cigarettes, SIM card users can confirm that they are over 18 years old without disclosing their date of birth.

According to the representative of Voentelecom, the main target segments of their virtual operator are b2b and b2g.

It is worth noting that SIM cards with Russian encryption will run on imported chips. The developer is already testing chips from Samsung, although the original plan was to use a domestic equivalent.

Work on the creation of trusted SIM cards began in 2013; its goal was to improve the security of domestic networks.

Poisoned Installers Found in SolarWinds Hackers Toolkit


The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current wave of attacks linked to the APT29/Nobelium threat actor includes a custom downloader that is part of a "poisoned update installer" for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne.

Juan Andrés Guerrero-Saade, SentinelOne's principal threat researcher, detailed the latest discovery in a blog post that builds on prior Microsoft and Volexity investigations. "At this time, the means of distribution [for the poisoned update installer] are unknown. It's possible that these update archives are being used as part of a regionally-specific supply chain attack," Guerrero-Saade stated.

According to Guerrero-Saade, the most recent iteration of malware related to Nobelium uses a convoluted multi-stage infection chain with five to six layers. This involves NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which relies on 'DLL stageless' downloaders.

The Cobalt Strike Beacon payload, according to Guerrero-Saade's analysis of the campaign, serves as an "early scout" that allows for the targeted dissemination of unique payloads directly into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.” 

Furthermore, he added, because the researchers lack visibility into its distribution channels, they stop short of calling it a supply chain attack. The poisoned installer might be supplied directly to victims who rely on this regional solution. Alternatively, the attackers may have found a way to disseminate their malicious 'update' by abusing an internal resource.

Background 

The Russia-linked threat group suspected of being behind the SolarWinds hack was seen initiating a new campaign. The attacks involved a genuine bulk mailing service and impersonation of a government entity, and they targeted the United States and other countries.

Microsoft tracks the threat actor as Nobelium, and incident response firm Volexity, which found some similarities to APT29, a prominent cyberespionage outfit previously linked to Russia, analyzed the recent assault.

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.

The Secretary of the Russian Security Council spoke about the new information security strategy

The Secretary of the Security Council also reported on the cyber security threats listed in the draft of the new National Security Strategy.

The national security strategy needs to be updated, as the nature of threats in this area has undergone serious changes in recent years, said Secretary of the Security Council of the Russian Federation Nikolai Patrushev.

"The desire of the United States and a number of Western countries to maintain their global hegemony provokes the growth of interstate contradictions, leads to a weakening of the system of ensuring international security," Patrushev stressed.

According to him, both political and economic pressure are used to suppress Russia, attempts are being made to destabilize the country from the outside, to radicalize the protest movement, and to weaken the morality of Russian society. He also noted that the West is conducting a targeted campaign to falsify history, deliberately cultivating Russophobia.

Mr. Patrushev stressed that the double standards of a number of states hinder multilateral cooperation in many areas. "Such counterproductive approaches are increasingly spreading to new threats related to the emergence of previously unknown infectious diseases, ensuring international information security, and solving environmental problems," he said.

Patrushev also spoke about the security threats in the cyber sphere, which are reflected in the draft of the new National Security Strategy of the Russian Federation. "First of all, this is the use of information and communication technologies to interfere in the internal affairs of Russia, a significant increase in the number of computer attacks on Russian information resources, the desire of multinational corporations to consolidate control over the information resources of the Internet, as well as the large-scale dissemination of false information and the growth of crime using digital technologies," he said.

As the Secretary of the Security Council noted, "the more active manifestation of these threats has made it necessary to form a new strategic national priority." It became information security. "The implementation [of this priority] should ensure the country's sovereignty in the information space," concluded Patrushev.

What is a Supply Chain Attack? Here's How It Is Making Your Software Vulnerable


Users routinely receive warnings from public and private organizations asking them to watch out for fraudulent links and sources, not to share their credentials with anybody, and to keep their sensitive data away from dark websites. However, the sophisticated hacking market raises a more unsettling question: what if the legitimate software and hardware that makes up your network has already been compromised at the source? That leads us to our main question: what is a supply chain attack?

A very common form of cyber-hacking is known as a "supply chain attack"; it is also called a value-chain or third-party attack. The umbrella term 'supply chain attack' covers cyber attacks that target software developers and suppliers so that the many clients and customers of their products and services can be compromised downstream.

By compromising a single developer or supplier, threat actors or spies can hijack its distribution systems and push whatever software they want to the victims.

By compromising a single link in the chain, the hackers gain a well-placed intrusion point and can create a springboard into the networks of the supplier's customers, through which thousands of people can be victimized.

Supply chain attacks have always been understood as daunting threats. The reason is that their consequences can be very severe: a single attack can leave an entire organization exposed and can break the trust between an organization and its customers.

"Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology," says Nick Weaver, a security researcher at UC Berkeley's International Computer Science Institute. "You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor." 

In December 2020, one of the worst supply chain attacks on record came to light, when it was discovered that Russian malicious actors, later identified as Russia's foreign intelligence service (SVR), had compromised the software firm SolarWinds and planted malicious code in its IT management tool Orion. Through it, the hackers attacked at least nine US federal agencies.

The 'SolarWinds' spy operation wasn't unique; there is a list of such events that have already hit the world's big companies, including a Chinese hacking group known as Barium carrying out at least six supply chain attacks over the past five years.

In 2017, the Russian threat actors 'Sandworm' hijacked the software updates of the Ukrainian accounting software MEDoc, which ultimately inflicted $10 billion in damage worldwide. This attack is the costliest cyberattack in history.

With the available statistics and data, we can conclude that supply chain attacks are a huge problem that's not going away anytime soon. 

US Soldiers Exposed Information About the Nuclear Weapons Stockpile


According to a new report, U.S. soldiers stationed at several bases in Europe accidentally revealed confidential data connected to America's nuclear weapons arsenal while using inadequately secured flashcard apps to memorize those secrets. 

The soldiers accidentally revealed "not just the bases" where the nukes were stored, but also "the exact shelters with 'hot' vaults that likely contain nuclear weapons," writes Foeke Postma, a researcher with the OSINT-focused investigative team Bellingcat, in what appears to be a mind-boggling mishandling of America's most sensitive national security information. The cards also exposed a slew of other information, including secret codes, passwords, and security layouts at various locations.

According to Postma's investigation, the troops utilized common study apps like Chegg, Cram, and Quizlet to save highly classified data on European nuclear bases, then forgot to change the applications' settings from public to private. 

Some of the same soldiers allegedly made their usernames public, which "included the full identities of the persons who established them," and used the same images they had on their LinkedIn pages, making them easier to track down.

Postma says he was able to find much of this information simply by Googling official terms and acronyms related to US nuclear weapons. When he did, he discovered a set of 70 public-facing flashcards titled "Study!" that disclosed details of the alleged nuclear inventory at Volkel Air Base in the Netherlands (a long-rumored location of a U.S. nuke stockpile). Postma further alleges that subsequent open-source searches uncovered further flashcard caches, which revealed "details about vaults at all the other facilities in Europe that supposedly host nuclear weapons."

"Some flashcards detailed the number of security cameras and their positions at various bases, information on sensors and radar systems, the unique identifiers of restricted area badges (RAB) for Incirlik, Volkel, and Aviano as well as secret duress words and the type of equipment carried by response forces protecting bases," Postma said. 

"The scale to which soldiers have uploaded and inadvertently shared security details represents a massive operational security failure," said Postma. "Due to the potential implications around public safety, Bellingcat contacted NATO, US European Command (EUCOM), the US Department of Defence (DoD), and the Dutch Ministry of Defence (MoD) four weeks in advance." The flashcards linked to these disclosures have since been taken down, according to Postma.

Apple’s Big Sur 11.4 Patches a Security Flaw that Could be Exploited to Take Screenshots


Big Sur 11.4 was released this week to fix a zero-day vulnerability that allowed an attacker to capture screenshots, record video, and access files on a target Mac without being noticed. The flaw lets an attacker bypass Apple's Transparency, Consent, and Control (TCC) framework, which manages app permissions.

According to Jamf's blog, the issue was identified when the XCSSET spyware "used this bypass especially for the purpose of taking screenshots of the user's desktop without requiring additional permissions." By effectively hijacking permissions already granted to other programmes, the malware was able to get around the TCC.

Researchers identified this activity while analyzing XCSSET "after detecting a considerable spike of identified variations observed in the wild". Beyond its entry in the CVE database, Apple has yet to offer specific details regarding the issue. "The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent, which is the default behaviour," researchers said.

Last August, Trend Micro researchers identified the XCSSET malware after they detected fraudsters injecting malware into Xcode developer projects, causing infections to spread. They recognized the malware as part of a package known as XCSSET, which can hijack the Safari web browser and inject JavaScript payloads that steal passwords, bank data, and personal information, as well as deploy ransomware and other dangerous functionality.

At the time, Trend Micro researchers discovered that XCSSET was exploiting two zero-day flaws: one in Data Vault, which allowed it to bypass macOS' System Integrity Protection (SIP) feature, and another in Safari for WebKit Development, which permitted universal cross-site scripting (UXSS). 

According to Jamf, a third zero-day issue can now be added to the list of flaws that XCSSET can attack. Jamf detailed how the malware exploits the issue to circumvent the TCC.

Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance


After issuing a cybersecurity advisory warning that APT hacker groups are deliberately targeting vulnerabilities in Fortinet FortiOS, the FBI has now warned that state-sponsored attackers compromised the web server of a US local government after hacking a Fortinet appliance.

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

After gaining access to the local government organization's server, the advanced persistent threat (APT) actors moved laterally around the network, creating new domain controller, server, and workstation user accounts that closely mimicked existing ones. On compromised systems, attackers linked to this ongoing APT activity created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

According to the FBI, this APT group will most likely use this access to collect and exfiltrate data from the victims' networks. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.
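The account-creation pattern in the flash alert is the kind of thing a defender can hunt for in Windows Security logs. The script below is an added example, not code from the FBI alert or from Fortinet: it parses constructed, simplified event 4720 (user account created) records and flags both the account names the alert lists and new accounts whose names are near-duplicates of existing legitimate ones; the log format, the homoglyph table and the similarity threshold are assumptions.

```python
"""Hunt for suspicious new accounts in (constructed) Windows event 4720 records."""
import re
from difflib import SequenceMatcher

# Account names reported in the FBI flash alert quoted on this page.
KNOWN_BAD_ACCOUNTS = {"WADGUtilityAccount", "elie"}

# Character swaps commonly used to build lookalike names (assumed list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})


def normalize(name: str) -> str:
    """Lower-case, drop separators and map homoglyphs so lookalikes collide."""
    return re.sub(r"[-_.\s]", "", name.lower()).translate(_HOMOGLYPHS)


def is_lookalike(new: str, existing: str) -> bool:
    """True when `new` is a near-copy of `existing` rather than the same account."""
    if new.lower() == existing.lower():
        return False
    a, b = normalize(new), normalize(existing)
    if a == b:
        return True
    # 0.9 is an assumed threshold; tune it against your own account naming scheme.
    return SequenceMatcher(None, a, b).ratio() >= 0.9


# Assumed simplified line format; adapt the pattern to your SIEM's export.
_EVENT_RE = re.compile(r"EventID=(?P<id>\d+)\s+Host=(?P<host>\S+)\s+NewAccount=(?P<acct>\S+)")


def parse_4720(lines):
    """Yield (host, account) for every event 4720 line; other event IDs are ignored."""
    for line in lines:
        m = _EVENT_RE.search(line)
        if m and m.group("id") == "4720":
            yield m.group("host"), m.group("acct")


def find_suspicious(lines, existing_accounts):
    """Return [(host, account, reason)] for new accounts worth triaging."""
    hits = []
    for host, acct in parse_4720(lines):
        if acct in KNOWN_BAD_ACCOUNTS:
            hits.append((host, acct, "name listed in FBI flash alert"))
            continue
        for legit in existing_accounts:
            if is_lookalike(acct, legit):
                hits.append((host, acct, f"lookalike of existing account {legit}"))
                break
    return hits


# Constructed sample log lines and account inventory (not real data).
SAMPLE_LOG = [
    "EventID=4720 Host=DC01 NewAccount=elie",
    "EventID=4720 Host=SRV02 NewAccount=svc_backup1",  # near-copy of svc_backup
    "EventID=4720 Host=WS17 NewAccount=jsm1th",        # homoglyph of jsmith
    "EventID=4720 Host=WS18 NewAccount=mchen",         # genuinely new account
    "EventID=4624 Host=DC01 NewAccount=ignored",       # a logon, not a creation
]
EXISTING_ACCOUNTS = ["svc_backup", "jsmith", "administrator"]

if __name__ == "__main__":
    for host, acct, why in find_suspicious(SAMPLE_LOG, EXISTING_ACCOUNTS):
        print(f"{host}: {acct} -> {why}")
```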

Last month, the FBI and CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting the FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors were also scanning for devices vulnerable to CVE-2018-13379 on ports 4443, 8443, and 10443, and enumerating servers that had not been patched against CVE-2020-12812 and CVE-2019-5591.

Once they have gained access to a vulnerable server, they use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques, such as spear-phishing, to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," the agencies added.

Social Media Giants Seek Further Extension of Deadline to Comply with Government Rules


Social media companies such as Facebook, Twitter, YouTube, Instagram, and WhatsApp stand to lose their status as 'intermediaries', which granted them legal protection for the user content posted on their platforms.

Until 26 May 2021, they enjoyed the legal immunity offered by Section 79 of the Information Technology Act, 2001. They were only obligated to take down illegal content that they noticed on their own, or that was flagged to them by the state, the courts, or a responsible or aggrieved party. Now they face civil and criminal liability for any illegal post, whether in words, a picture, or a video.

Nobody else in the information transmission business enjoys such immunity from legal claims of defamation and the like. For example, while newspapers and broadcasters have always operated under the threat of legal liability for defamation and other speech-related offences, intermediaries have escaped liability despite behaving as publishers, because of the immunity offered by Section 79.

As soon as these rules came into force on 26 May, the companies were unnerved and requested a further extension to implement the norms. Some of these platforms asked for up to six more months to furnish compliance, and some social media firms (those with a user base of 50 lakhs and above) stated that they would wait for further instructions from their company headquarters in the USA.

"They do business in India, earn good revenues, but grievance redressal will have to await instructions from the US. Some platforms, such as Twitter, keep their own fact-checkers whose names (are) neither made public nor is there any transparency as to how they are selected and what is their standing," a security analyst stated.

"Though they claim the protection of being an intermediary, they exercise their discretion to also modify and adjudicate upon the content through their own norms without any reference to the Indian Constitution and laws. One can appreciate fake posts or a post injuring the dignity of women or promoting terrorism etc., but to be judgmental on free expression of views by coloring them by a self-appointed norm is something that travels beyond the mandate of exemption, which they are doing," the security expert added.