USTRANSCOM Cybersecurity Newsletter 22-20

Aug 10, 2022 | Your Source

Overview
First, the US House of Representatives has passed a bill designed to increase visibility of foreign ransomware attackers.  Second, the Cybersecurity and Infrastructure Security Agency (CISA) and the Ukrainian State Service of Special Communications and Information Protection of Ukraine (SSSCIP) sign a Memorandum of Cooperation (MOC) to strengthen collaboration on shared cybersecurity priorities. Third, an article on a critical security vulnerability in an Android System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. Fourth, a blog post from SentinelOne on threat actors abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads. Fifth, a warning from Atlassian that a remote, unauthenticated attacker with knowledge of a hardcoded password could exploit Confluence Server or Data Center to log into Confluence.  Sixth, an article on findings of a dark web investigation into ransomware spread via malicious macros in Microsoft’s Office applications. Seventh, an article on CYBERCOM looking to industry to help do for cyber tools what the Air Force’s Kessel Run has done for software development.  Eight, an article on ducktail malware targeting Facebook business and advertising accounts. Ninth, an article analyzing the trends and metrics associated with an increase in cyber-attacks year-over-year. Finally, an article on phishing attacks leveraging the Microsoft and Facebook brands.

 

EO/Legislative/National Publication updates

Ransomware Bill Passes House; infosecurity-magazine, Bradbury, July 2022
The Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act (also known as the RANSOMWARE Act) will make it easier for the US to respond to ransomware attacks from foreign adversaries according to its author, Republican Florida Representative Gus Bilirakis.

Link to Article: https://www.infosecurity-magazine.com/news/ransomware-bill-passes-house/

Link to H.R. 4551: https://www.congress.gov/bill/117th-congress/house-bill/4551/all-info

United States and Ukraine Expand Cooperation on Cybersecurity; CISA 27 July 2022
CISA and the Ukrainian SSSCIP signed a MOC this week to strengthen collaboration on shared cybersecurity priorities. The MOC expands upon CISA’s existing relationship with the Government of Ukraine in the areas of:  Information exchanges and sharing of best practices on cyber incidents; Critical infrastructure security technical exchanges; and Cybersecurity training and joint exercises.

Link to Article: https://www.cisa.gov/news/2022/07/27/united-states-and-ukraine-expand-cooperation-cybersecurity 

Vulnerabilities

Google Patches Critical Android Bluetooth Flaw in August Security Bulletin; infosecurity, Mascellino, 2 Aug 2022
Google published its monthly security bulletin for August on Monday, detailing the latest available patches for Android.  A total of 37 vulnerabilities have been patched, including a critical security flaw in the System component that could lead to remote code execution via Bluetooth with no additional execution privileges needed.

Link to Article: https://www.infosecurity-magazine.com/news/google-patches-critical-android/

Link Android Security Bulletin: https://source.android.com/security/bulletin/2022-08-01

Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool; Sentinelone, Dantas, Haughom, Reisdorffer, 28 July 2022
LockBit has been receiving a fair share of attention recently. Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings. Meanwhile, back in April, SentinelLabs reported on how a LockBit affiliate was leveraging the legitimate VMware command line utility, VMwareXferlogs.exe, in a live engagement to side load Cobalt Strike

Link to Article: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak; securityweek, Arghire, 25 July 2022
A knowledge sharing application, Questions for Confluence helps Confluence users quickly access information or share it with others, as well as to connect with experts when needed. The application is a paid, optional add-on and is not installed by default on Confluence.  Last week, Atlassian announced patches for a critical vulnerability in the application that impacts the Confluence Server and Data Center products.

Link to Article: https://www.securityweek.com/atlassian-expects-confluence-app-exploitation-after-hardcoded-password-leak

Confluence Security Advisory: https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html

 

Intelligence Reporting (unclassed or open source)

87% of the ransomware found on the dark web has been delivered via malicious macros; helpnetsecurity, 3 Aug 2022
Venafi announced the findings of a dark web investigation into ransomware spread via malicious macros. Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analyzed 35 million dark web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine.

Link to article: https://www.helpnetsecurity.com/2022/08/03/ransomware-malicious-macros/

Link to blog: https://www.venafi.com/blog/babuk-source-code-darkside-custom-listings-exposing-thriving-ransomware-marketplace-dark-web

Faster attacks have Cyber Command looking to add all-too-scarce experts; FCW, Williams, 29 July 2022
U.S. Cyber Command is looking to expand its acquisition shop and buy the tools it needs to keep pace with digital warfare. But it’ll have to contend with a tight labor market where technical talent is in high demand.  “Recently as two or three years ago,” said Michael Clark, the command’s director of cyber acquisition and technology, “when a new vulnerability was identified in a in a piece of software, or even a piece of hardware, it was probably six months to a year before we would see adversaries throwing [it] at us, as an exploit to try to break into our networks or achieve an outcome against us.”

Link to article: https://fcw.com/security/2022/07/faster-attacks-have-cyber-command-looking-add-all-too-scarce-experts/375121/

New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts; thehackernews, Lakshmanan, 27 July 2022
Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation. “The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report.

Link to Article: https://thehackernews.com/2022/07/new-ducktail-infostealer-malware.html

Link to Report: https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf

 

Information sharing resources

Weekly Cyber Attacks increased by 32% Year-Over-Year; 1 out of 40 organizations impacted by Ransomware; checkpoint, 26 July 2022
Check Point Research (CPR) reports that the second quarter of 2022 saw an all-time peak, where global cyber-attacks increased by 32%, compared to Q2 2021. The average weekly attacks per organization worldwide reached a peak of 1.2K attacks.  The most attacked industry in Q2 2022 was the Education/Research sector, while Africa saw the highest volume of attacks peaking at 1.7K attacks on average per organization, and unprecedently, 1 out of 40 organizations worldwide was impacted by Ransomware, representing a 59% increase compared to numbers in the previous year.

Link to Blog: https://blog.checkpoint.com/2022/07/26/check-point-research-weekly-cyber-attacks-increased-by-32-year-over-year-1-out-of-40-organizations-impacted-by-ransomware-2/

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands; threatpost, Nelson, 26 July 2022
The bloom is back on phishing attacks with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands in attacks, according to study on phishing released Tuesday.  According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022, compared to the year prior. Fake Facebook messages are up 177 percent in the second quarter of 2022 within the same timeframe.

Link to Article: https://threatpost.com/popular-bait-in-phishing-attacks/180281/

Share This