Security daily (06-05-2020)

039| Deconstructing the Dukes: A Researcher's Retrospective of APT29

APT29, aka Cozy Bear or the Dukes, is a cyber espionage group whose misdeeds include famously hacking into the DNC servers in the run-up to the 2016 US election. Now, as the subject of MITRE's latest ATT&CK Evaluation, the group is in focus again. The Dukes are familiar to F-Secure's Artturi Lehtio, who extensively researched them in 2015. But hindsight is 20/20, and Artturi joins the show to discuss how his views on the group have changed since his research. Also in this episode: How APT groups behave after being burned and why the Dukes are different; why calling them a single organization is too strong; and why published APT research has generally dwindled in recent years. Links: Episode 39 transcript; The Dukes: 7 Years of Russian Cyberespionage (F-Secure whitepaper); MITRE ATT&CK Evaluation: APT29; Operation Ghost (ESET); No Easy Breach by Matthew Dunwoody & Nick Carr (DerbyCon 2016); Dukes activity after their "return" in 2016 (Volexity). (Cyber Security Sauna)

Facebook removed Russian propaganda network only after accounts got sloppy

Two networks of inauthentic Facebook accounts and pages removed last month had spent years leveraging the social media company’s reach to amplify thinly-veiled Russian propaganda criticizing the U.S. and antagonists of the Kremlin. Facebook announced Tuesday it removed 91 accounts, 46 pages, two groups and one Instagram page connected to Crimea-based media agencies, News Front and South Front, which researchers now say have connections to Russian intelligence services. Both outlets have existed for years, though Facebook removed them last month after detecting that they used fake accounts to post content and generate engagement. It’s a dichotomy that exemplifies Facebook’s approach to information operations: The company historically has been reluctant to remove political misinformation or conspiracy theories, but acts against account operators caught misrepresenting their identity. “The disclosure of this network is not necessarily new, but its amplification through the use of coordinated and inauthentic behavior is,” the Atlantic Council’s Digital […] (CyberScoop)

A Department of Defense bulletin on a 'leaking' sinkhole has baffled cybersecurity experts

In mid-April, an obscure agency housed under the Department of Defense issued a bulletin that a little-known, Chinese-linked hacking group is likely responsible for some suspicious activity aimed at defense contractors in the U.S. But how the Defense Counterintelligence and Security Agency (DCSA) came to that conclusion is complicated. The alert, sent to 38 contractors, says DCSA detected the group was making “inbound and outbound connections” with contractors’ facilities as of Feb. 1. The targeting, which appeared to have stopped by March 25, was directed at several critical infrastructure sectors, including aerospace, health care and maritime, according to a copy of the bulletin obtained by CyberScoop. A DCSA official tells CyberScoop the document was meant to raise awareness among the contractors, but numerous sources tell CyberScoop that it is more confusing than clarifying. The bulletin, which was first reported by Politico, has raised questions about the attributed hacking group and if the actions described […] (CyberScoop)

European health care giant Fresenius Group grappling with computer virus

Fresenius Group, a big European health care conglomerate, said Wednesday that a computer virus had infected at least one of its businesses’ IT systems. It’s another sign that malicious hackers see medical organizations as fair game despite a global health crisis. The Germany-based corporation said the security incident had hampered some production in its pharmaceutical business, Fresenius Kabi, which makes everything from nutritional products and infusion therapies to pain relievers that are in high demand during the coronavirus pandemic. Fresenius Group spokesperson Steffen Rinas declined to specify which production units were affected by the malware. He did say that Fresenius’s hospitals — said to be the largest private network in Europe — were not affected by the incident. The company did not specify the nature of the virus. “As a precautionary measure in accordance with the security protocol drawn up for such cases, steps have been taken to prevent further spread,” Rinas said in an email. “Nevertheless, our production […] (CyberScoop)

How hackers are updating the EVILNUM malware to target the global financial sector

Hackers behind a series of targeted financial attacks have been updating their malware to better evade detection over the last year, according to new Prevailion research slated to be published Wednesday. Since at least February 2019, the hackers, who have begun impersonating CEOs and banks in their lure documents, have introduced at least seven updates to the malicious software known as EVILNUM, which enables attackers to upload and download files, harvest tracking cookies, and run arbitrary commands. While internet scammers frequently masquerade as corporate executives to tempt victims into clicking on malware, attackers behind EVILNUM are rapidly working to make their tools more obscure. The unknown attackers began rolling out the newest version of the EVILNUM malware three days ago. By press time, the hacking tool was detected by only eight of the 59 vendors on VirusTotal, a malware-sharing repository, indicating many common software security vendors are not capable of […] (CyberScoop)

Firefox 76.0 released with critical security patches – update now

Firefox's latest version is out, with new password management features and a raft of security fixes. (Naked Security)

Air gap security beaten by turning PC capacitors into speakers

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices. (Naked Security)

Adult live-streaming site CAM4 leaks millions of emails, private chats

The leak exposed millions of records with full names, emails, user conversations, payment logs, and IP addresses dating back to March. (Naked Security)

Become an In-Demand Data Scientist with 140+ Hours of Training

The overarching and expanding field of data science and analysis has become virtually inseparable from areas such as programming and development.

As the driving force behind web development and marketing, engineering, white-hat hacking, and even finance, large-scale data analytics can be found at the heart of today's most exciting and important tech industries and platforms.

So if you want to become a truly successful programmer, developer, or cybersecurity specialist, you'll need to have a detailed understanding of how to use the world's most popular data science languages and platforms... (Null Byte « WonderHowTo)

Expand Your Analytical & Payload-Building Skill Set with This In-Depth Excel Training

It's nearly impossible not to be at least somewhat familiar with Microsoft Excel. While it's needed for many office jobs and data analysis fields, hackers could also benefit from improving their spreadsheet skills. Many white hats already know some of the essential Excel hacks, such as cracking password-protected spreadsheets, but there's so much more to know from an attack standpoint.

For instance, you could exploit Dynamic Data Exchange (DDE) vulnerabilities to make malicious code run when an XLS, XLSX, XLSM, XML, or different file type is opened in Microsoft Excel, as well as launch remote... (Null Byte « WonderHowTo)

Hacker Finds Old Tesla Parts On eBay Full Of User Data

(News ≈ Packet Storm)

GoDaddy Hack Breaches Hosting Account Credentials

(News ≈ Packet Storm)

Search Provider Algolia Discloses Security Incident

(News ≈ Packet Storm)

Apple's Corellium Lawsuit Causes Chilling Effect With Security Researchers

(News ≈ Packet Storm)

Zoom Tackles Hackers With New Security Measures

(News ≈ Packet Storm)

Facebook Launches 'Discover,' A Secure Proxy to Browse the Internet for Free

More than six years after Facebook launched its ambitious Free Basics program to bring the Internet to the masses, the social network is back at it again with a new zero-rating initiative called Discover.

The service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps.

Facebook Discover is currently being tested in Peru in partnership (The Hacker News)

Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert.

Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data (The Hacker News)

Lazarus Group Hides macOS Spyware in 2FA Application

The Dacls RAT has been ported from an existing Linux version. (Threatpost)

InfinityBlack Dismantled After Selling Millions of Credentials

In the Europol-led takedown, police shut down databases with more than 170 million entries. (Threatpost)

Microsoft Shells Out $100K for IoT Security

A three-month Azure Sphere bug-bounty challenge will offer top rewards for compromising Pluton or Secure World within Microsoft's IoT security suite. (Threatpost)

Ransomware Attack Takes Down Toll Group Systems, Again

Australian transportation company Toll Group has been hit by the Nefilim ransomware, causing customers to experience delays. (Threatpost)

Attackers Claim Identity of Financial NGO to Steal Sharepoint, Office Credentials

Investment brokers are the target of a new wave of socially engineered phishing attacks, warns FINRA. (Threatpost)


/security-daily/ 07-05-2020 23:44:21