News Items

Iowa's largest school district canceled classes for Tuesday after determining there was a cyberattack on its technology network. Des Moines Public Schools announced Monday that classes would be canceled for its 33,000 students after being "alerted to a cybersecurity incident on its technology network." The district said in a news release that it took its internet and network services offline while it assessed the situation. The school district didn't describe the nature of the attack or say whether sensitive information might have been stolen. The district will decide Tuesday afternoon whether to hold classes Wednesday. Sports and other activities were canceled at Des Moines schools Tuesday, but teams will be allowed to compete at schools outside the district.

SecurityWeek reports: "Iowa's Largest City Cancels Classes Due to Cyberattack"

Two of the leading security agencies in the US are building a Machine Learning (ML)-based analytics environment to combat fast-evolving threats and create more robust infrastructures for both the public and private sectors. The Science and Technology Directorate research arm of the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) envision a multi-cloud collaborative sandbox that will serve as a training ground for government researchers to test Artificial Intelligence (AI)- and ML-based analytic methods and technologies. It will also incorporate a "loop" of automated ML through which workloads will flow. According to the agencies, the CISA Advanced Analytics Platform for Machine Learning (CAP-M) will facilitate cybersecurity problem-solving for both on-premises and cloud environments. CAP-M will have a multi-cloud environment and multiple data structures, a logical data warehouse to simplify access to all CISA data sets, and a production-like environment to promote realistic testing of vendor solutions. This platform will initially serve cyber missions, but will be adaptable and expandable to accommodate data sets, tools, and collaboration for other infrastructure security missions. The facility will be used for ongoing experimentation in various areas, including data analysis and correlation, to help organizations in adapting to the threat landscape. The data collected from the experiments would be shared with government, academic, and private organizations. The plan involves the protection of privacy and the security of the platform itself. This article continues to discuss plans surrounding the AI-based cybersecurity analytics sandbox.

The Register reports "Homeland Security, CISA Builds AI-Based Cybersecurity Analytics Sandbox"

New Jersey and Ohio on Monday announced that they were joining other states in banning use of the popular video app TikTok on government-owned and managed devices. New Jersey Governor Phil Murphy stated that in addition to banning the short-video app owned by Chinese technology conglomerate ByteDance from state devices, he also was banning software vendors, products, and services from more than a dozen vendors, including Huawei, Hikvision, Tencent Holdings, ZTE Corporation, and Kaspersky Lab. Wisconsin Governor Tony Evers announced last Friday that he is also planning to join other states in banning use of the popular video app that has more than 100 million U.S. users. Calls to ban TikTok from government devices gained steam after U.S. FBI Director Christopher Wray said in November that it poses national security risks. Wray flagged the threat that the Chinese government could harness the app to influence users or control their devices.

Reuters reports: "New Jersey, Ohio Join Other States in Banning TikTok From State Devices"

Researchers at Microsoft Defender for Cloud saw threat actors behind the Kinsing cryptojacking operation exploiting poorly configured PostgreSQL containers and using insecure images to gain initial access in Kubernetes environments. Aqua Security discovered the cryptocurrency miner Kinsing for the first time in April 2020, when threat actors were found scouring the Internet for Docker systems running Application Programming Interface (API) ports without a password. The Kinsing malware exploits Docker installations' resources in order to mine cryptocurrency. Recent observations by Microsoft researchers revealed a significant number of clusters running a PostgreSQL container infected with the Kinsing malware. According to researchers, the threat actors can leverage multiple misconfigurations to get access to an unprotected PostgreSQL server. This article continues to discuss Kinsing cryptojacking operators exploiting misconfigured and exposed PostgreSQL servers to access Kubernetes environments.

Security Affairs reports "Kinsing Malware Targets Kubernetes Environments via Misconfigured PostgreSQL"

A high-severity vulnerability, tracked as CVE-2022-23529, has been discovered in the popular JsonWebToken (JWT) open-source encryption project. An attacker could use this flaw for Remote Code Execution (RCE) on a target encryption server. The JWT open standard specifies a technique for securely transmitting information using encoded and signed JSON data. Unit 42 of Palo Alto Networks discovered that an exploit for the vulnerability causes the server to verify a maliciously crafted JSON web token request. This vulnerability affects all JWT versions prior to and including v8.5.1. According to a January 9 statement from Unit 42, v9.0.0 is the patched version of the package. Unit 42 security researcher Artur Oleyarsh notes that vulnerabilities associated with JSON Web tokens are typically related to token forging techniques that allow an adversary to circumvent authentication and authorization procedures. This article continues to discuss findings regarding the JWT security vulnerability that leaves servers open to RCE.

Dark Reading reports "JsonWebToken Security Bug Opens Servers to RCE"

A team of researchers from the University of Sheffield has demonstrated methods that exploit Text-to-SQL models to generate malicious code, which could enable adversaries to extract sensitive data and launch Denial-of-Service (DoS) attacks. Xutan Peng, a researcher at the University of Sheffield, stated that various database applications use Artificial Intelligence (AI) algorithms that could transform human questions into SQL queries (Text-to-SQL) to improve user interaction. However, the researchers found that crackers can trick Text-to-SQL models into producing malicious code by posing specially crafted questions. Because such code is automatically run on the database, the effects can be significant. The findings, which were confirmed against two commercial products BAIDU-UNIT and AI2sql, represent the first empirical instance of Natural Language Processing (NLP) models being used in the wild as an attack vector. This article continues to discuss findings from the study on Text-to-SQL model vulnerabilities.

THN reports "New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks"

In collaboration with Deakin University, the Tide Foundation has verified a new security paradigm. Tide unravels the question of "who's guarding the guardian?" and undermines the current security idea that implies safeguarding something requires heavily fortifying it, locking all entrances, and employing a guard to admit only approved individuals. The innovative Self-Sovereign-Authority technology developed by Tide enables the organization's Information Technology (IT) systems to lock highly sensitive digital assets, such as Personally Identifiable Information (PII), health data, Intellectual Property (IP), and financial information, with keys so secure that no one can access them. Not even Tide, the creator of the technology, has access. Each user's key is produced in a decentralized network using a zero-knowledge process. Through the decentralized network, users log in to the organization using a password or multi-factor authentication (MFA). A user who wants to access a critical resource logs in through Tide's decentralized network in order to change their identity into a digital authority for that specific asset. This feature is enabled by Tide's innovation in decentralized threshold multiparty cryptography. This article continues to discuss Tide's new approach to digital identity that allows users to authorize a system instead of the system authorizing the users.

ACCESSWIRE reports "Ground-breaking Tech Finally Turns Cybersecurity's Weakest Link to Its Greatest Strength, Says Deakin University"

Researchers from Division Seven, SafeGuard's threat intelligence division, have detailed how a threat actor targeted clients of a cryptocurrency company they partner with using a social engineering approach with a twist. The hackers pretended to be a well-known employee. Following Microsoft Security's December report on targeted attacks on the cryptocurrency industry, the investigation was initiated. Microsoft researchers reported that a threat actor, tracked as DEV-0139, was joining Telegram groups that targeted cryptocurrency investment firms. It was discovered that DEV-0139 was exploiting Telegram channels used to promote interactions between VIP clients and cryptocurrency exchange platforms to identify possible targets. According to Microsoft's assessment, the threat actor posed as a representative of another cryptocurrency investment firm and invited targets to a different chat group while pretending to request comments on the free structure used by cryptocurrency trading platforms. This information was then used to distribute a malicious Excel file, including tables detailing the fee structures of cryptocurrency exchange companies. This article continues to discuss the malicious operation in which hackers impersonated a well-known employee to target cryptocurrency customers.

SiliconANGLE reports "Hackers Target Cryptocurrency Customers by Impersonating Well-Known Employee"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published advisories to inform organizations using Hitachi Energy products about several recently addressed critical and high-severity vulnerabilities. CISA published three advisories describing security flaws in three products made by energy solutions provider Hitachi Energy. The vendor published its own advisories for the vulnerabilities in December. One CISA advisory describes five high-severity vulnerabilities in UNEM, a component of Hitachi Energy's network management system (NMS). The issues are related to encryption and user credentials, and they can be exploited to obtain sensitive information and make malicious modifications to the system. CISA noted that network access to the targeted system is required for exploitation. A different advisory was published for the impact of the same five vulnerabilities on Foxman-UN, a different product in the NMS suite. The third advisory describes three flaws affecting OpenSSL and Zlib, which are used by Hitachi Energy's Lumada Asset Performance Management (APM) product. CISA noted that the OpenSSL issues have been classified as "high severity" and they can be exploited to cause a denial-of-service (DoS) condition, while the Zlib vulnerability is "critical" and it could allow, in addition to DoS attacks, arbitrary code execution. Hitachi has released updates that should address most of the vulnerabilities, and the ones not addressed will be fixed soon. When its advisories were published, Hitachi Energy was unaware of any of the vulnerabilities being publicly disclosed or exploited for malicious purposes.

SecurityWeek reports: "CISA Notifies Hitachi Energy Customers of High-Severity Vulnerabilities"

The Play ransomware group breached the Rackspace Hosted Exchange email system using the MS Exchange exploit chain recently disclosed by Crowdstrike researchers. The attack combines CVE-2022-41082, a Remote Code Execution (RCE) flaw, and CVE-2022-41080, a privilege escalation vulnerability, to get gain remote access to vulnerable MS Exchange installations. Rackspace has not disclosed whether it has paid the ransom to get the encrypted data decrypted, nor has it disclosed the sum demanded. Recent attacks by the Play ransomware group have also affected the Belgian city of Antwerp and the German hotel chain H-Hotels. In September 2022, Trend Micro researchers published the attack playbook for Play ransomware. However, it is evident that the ransomware group's initial access capabilities have been enhanced with the introduction of this new Exchange exploit chain. Rackspace highlights that Microsoft announced CVE-2022-41080 as a privilege escalation issue without noting that it was vulnerable as part of an RCE chain. When it comes to remediating vulnerabilities, a large number of enterprises lag significantly behind. This article continues to discuss the Rackspace ransomware attack, what is next for customers, and the Play ransomware gang's growing arsenal.

Help Net Security reports "Rackspace Ransomware Attack Was Executed by Using Previously Unknown Security Exploit"

Cybersecurity researchers at the AhnLab Security Emergency Response Center (ASEC) in South Korea have found a phishing campaign that aims to spread malware using a fake Pokemon NFT game. ASEC discovered at least two phishing pages masquerading as a Pokemon game that distribute the NetSupport Remote Access Tool (RAT) to seize control of victims' devices. Although NetSupport RAT is a legitimate program, in the wrong hands, it can be exploited for malicious purposes, including the installation of additional malware and information extortion. ASEC noted that the threat actors could be using apps other than Pokemon to distribute malware, as was recently the case with a phishing website masquerading as an update page for SocGholish software. This article continues to discuss threat actors exploiting the popularity of the Pokemon franchise and the NFT card trading market to spread malware.

Cybernews reports "Gotta Catch' Em All: Cybercriminals Target Victims With Fake Pokemon Game"

A new attack vector aimed at the Visual Studio (VS) Code extensions marketplace could be used to upload malicious extensions masquerading as their official equivalents in order to launch supply chain attacks. Ilay Goldman, a security researcher at Aqua, stated that the technique might serve as an entrance point for an attack on numerous companies. Microsoft's marketplace for VS Code extensions enables developers to add programming languages, debuggers, and tools to the VS Code source-code editor to modify their workflows. Without a sandbox, all extensions operate with the privileges of the person who opened VS Code, which means they can install any program on a user's computer, including ransomware, wipers, and more. Aqua discovered that not only is it easy for a threat actor to impersonate a popular extension by modifying the URL, but the marketplace also permits the adversary to use the same name and extension publisher details, including the project repository information. Although the method prohibits replicating the number of installs and the number of stars, it can be used to trick developers because there are no constraints on the other identifying qualities. This article continues to discuss the abuse of the VS Code extensions marketplace to target developers with rogue extensions.

THN reports "Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions"

The popular Artificial Intelligence (AI) chatbot ChatGPT could be exploited by threat actors to hack into target networks with relative ease. The Cybernews research team uncovered that the AI-based chatbot ChatGPT, a recently launched platform that attracted the online community's attention, might supply hackers with step-by-step instructions on how to breach websites. Researchers at Cybernews warn that the AI chatbot, while entertaining to experiment with, may also be harmful because it can provide thorough instructions on how to exploit vulnerabilities. The team attempted to identify a website's vulnerabilities using ChatGPT. The researchers asked questions and followed the chatbot's instructions to determine if it could provide a step-by-step tutorial for exploiting the vulnerabilities. For their experiment, the researchers used the "Hack the Box" cybersecurity training platform, which provides a virtual training environment and is employed by cybersecurity professionals, schools, and organizations to develop hacking skills. The team approached ChatGPT under the notion that they were conducting a penetration testing challenge in which a hack is duplicated using various tools and techniques. The chatbot answered with five basic starting points for what to look for on the website in the exploitation of vulnerabilities. By describing what they observe in the source code, researchers were able to determine which parts of the code to prioritize. They also received samples of proposed code improvements. After about 45 minutes of interacting with the chatbot, researchers were able to hack the offered website. This article continues to discuss the demonstrated use of ChatGPT as a potential assistant in hacking operations.

Security Affairs reports "How Hackers Might Be Exploiting ChatGPT"

During an international experiment on AI's ability to secure and defend systems, power grids, and other critical assets by cyber experts at the North Atlantic Treaty Organization's (NATO) Cyber Coalition 2022 event late last year, researchers found that autonomous intelligence, artificial intelligence (AI) that can act without human intervention, can help identify critical infrastructure cyberattack patterns and network activity, and detect malware to enable enhanced decision-making about defensive responses. The researchers stated that the simulated experiment saw six teams of cyber defenders from NATO allies tasked with setting up computer-based systems and power grids at an imaginary military base and keeping them running during a cyberattack. The researchers noted that if hackers interfered with system operations or the power went down for more than 10 minutes, critical systems could go offline. The differentiator was that three of the teams had access to a novel Autonomous Intelligence Cyberdefense Agent (AICA) prototype developed by the US Department of Energy's (DOE) Argonne National Laboratory, while the other three teams did not. The aim of the experiment was to test and measure AI's efficiency in collecting data and assisting teams in responding to cyberattacks against critical systems and services, along with highlighting the need for tools that improve collaboration between humans and machines to reduce cyber risk. The teams that used Argonne's AICA prototype made key observations surrounding network activity, logged events, and intrusion detection alerts, or they detected malware that enabled enhanced operator queries and automated decision-making about defensive responses. The researchers noted that all the teams were able to keep their grids online, but that wasn't the only valuable outcome. The researchers stated that they were able to see the network as AICA sees it, including relationships between attack patterns, network traffic, and target systems. Agents use this information to build a knowledge graph of the network, and that helps them better protect it. Bob Kolasky, Exiger SVP of critical infrastructure and former assistant director at the Cybersecurity and Infrastructure Security Agency (CISA), stated that the exercise shows the potential for emerging technology to be a game changer in managing risk to complex, interdependent systems. Kolasky said that National Laboratories, such as Argonne, are bringing exquisite modeling, synthetic data, and high computing power to support critical infrastructure. This will enable enhanced AI, and it will be important to test how AI is applied through operational concepts. Kolasky noted that it is exciting to see NATO testing how to apply AI for critical infrastructure protection.

CSO reports: "NATO Tests AI's Ability to Protect Critical Infrastructure Against Cyberattacks"

Hackers are compromising systems by abusing the Windows Problem Reporting tool. Using a Dynamic Link Library (DLL) sideloading method, the attackers exploit WerFault.exe to load malware into the Random Access Memory (RAM) of a compromised system. The Windows executable enables the hackers to operate without raising suspicion. K7 Security Labs, an Indian Information Technology (IT) security firm specializing in antivirus and threat management solutions, discovered the malicious campaign. While the researchers were unable to identify the hackers, it is suspected that they are Chinese. Last summer, QBot malware distributors were observed using a similar attack chain, leveraging the Windows Calculator to avoid detection by security tools. This article continues to discuss the abuse of the Windows Problem Reporting tool by hackers.

Techzine reports "Hackers Use Windows Error Reporting Tool to Attack Devices"

According to Internet records reviewed by Reuters and five cybersecurity experts, a Russian hacking group known as Cold River targeted three nuclear research laboratories in the US this past summer. Cold River targeted the Brookhaven National Laboratory (BNL), Argonne National Laboratory (ANL), and Lawrence Livermore National Laboratory (LLNL) between August and September in 2022, when President Vladimir Putin indicated Russia would be willing to use nuclear weapons to defend its territory. These findings were made based on Internet records showing hackers creating fake login pages for each institution and emailing nuclear scientists in an attempt to steal their passwords. Since the invasion of Ukraine, Cold River has intensified its hacking campaign against Kyiv's allies, according to cybersecurity researchers and western government officials. This article continues to discuss Russian hackers targeting US nuclear scientists.

Reuters reports "Russian Hackers Targeted U.S. Nuclear Scientists"

According to Mac security expert Patrick Wardle, more than a dozen new Mac malware families were discovered in 2022, including information stealers, cryptocurrency miners, loaders, and backdoors, many of which have been linked to China. Patrick Wardle compiled a list of the macOS malware that came to light over the course of last year. The number of new malware appears to be increasing, as only eight new families were spotted in 2021. The first malware to emerge in 2022 was SysJoker, a cross-platform backdoor used by an APT actor in targeted attacks. SysJoker, which was observed targeting an educational institution, can download and execute other malicious components. The second macOS malware, DazzleSpy, was used as part of a state-sponsored cyberespionage campaign aimed at pro-democracy activists in Hong Kong. The malware has been described as a backdoor and information stealer, and the main suspect behind these attacks is China. Another new piece of malware, which may be linked to DazzleSpy, has been named VPN Trojan (Covid), and it has been described as a persistent backdoor that can download and execute second stage payloads directly from memory. The article continues to discuss the other macOS malware that was discovered in 2022.

SecurityWeek reports: "Many of 13 New Mac Malware Families Discovered in 2022 Linked to China"

Skybox Security's technical director, Ed Mosquera, urges local government agencies to develop a proactive and risk-based approach to cybersecurity rather than relying solely on the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, because simply being NIST compliant is not enough to keep data and networks secure. Government agencies invest much in technology to protect their systems in accordance with the NIST framework. As a result, agencies that have completed the checklist may believe they are safe, but this type of thinking leads to unnoticed vulnerabilities that can be exploited by malicious actors. The NIST compliance framework was created to help companies better understand and manage network and data risks. There are still gaps when complying with such frameworks, so they should only be one component of a security strategy. A piecemeal approach to cybersecurity based on reactive cybersecurity frameworks is now ineffective. Due to the pandemic, security teams have had to face quickly changing regulatory requirements as well as an increasingly aggressive threat landscape. A proactive, risk-based approach to cybersecurity builds a secure network architecture on top of compliance frameworks. This article continues to discuss the importance of going beyond the NIST framework and the components for successfully implementing a proactive risk-based cybersecurity strategy.

GCN reports "Real Vulnerability Management Goes Beyond NIST's Cybersecurity Framework"

A new Industrial Cyber Magazine survey report, sponsored by Salvador Technologies, explores some specific challenges faced in planning for Operational Technology (OT) recovery and business continuity. Because of the significant contrasts between OT and Information Technology (IT) environments in the OT/ICS recovery process, 90 percent of survey respondents agreed that the OT recovery process should be owned by OT professionals rather than IT. However, 40 percent of respondents stated that IT teams manage the recovery process at their organization. According to the report, this dissonance may put OT systems at risk of costly downtime following a cyberattack. While today's IT and cloud-based solutions can restore/recover, they cannot do it fast or without human intervention. Alex Yevtushenko, CEO of Salvador Technologies, says this causes major bottlenecks and can lead to hidden costs, delays, and threats. OT/ICS cybersecurity experts are encouraged to prioritize establishing a recovery solution that is both OT-centric and can ensure operational continuity. This article continues to discuss key findings from the new Industrial Cyber Magazine survey report.

Continuity Central reports "Survey Report Looks at How Prepared Industrial Enterprises Are for Operations Recovery Following Cyber Attacks"

According to a recent analysis conducted by Imperva, which examined the top 100 breaches from July 2021 to July 2022, hackers targeted Personally Identifiable Information (PII) 42.7 percent of the time. The Imperva study stated that of all the types of data available for cybercriminals to steal, such as credit card information, passwords, and source code, PII is the most valuable because criminals can compile more PII from the dark web to then engage in more complex fraud schemes that are harder to prevent fraud or full-on identity theft. Imperva conducted the research using publicly available web sources, breach news, hacker forums, studies of stolen database dumps, and data from its own honeypots. This article continues to discuss key findings from Imperva's analysis of 100 data breaches.

SC Magazine reports "Hackers Went After Personally Identifiable Information the Most, Study Says"

Security Researchers at Trend Micro have found that the cybercriminals behind the Dridex banking trojan have adopted a new tactic in recent attacks targeting macOS devices, overwriting the victim's document files to deliver their malicious code. Dridex has been active since at least 2012 and is considered one of the most prevalent financial threats. Dridex survived a takedown attempt in 2015 and remained operational after receiving various updates. In 2019, the Department of Homeland Security (DHS) warned of continuous Dridex attacks targeting financial institutions. According to the researchers, a recently observed Dridex attack targeting macOS stood out because of a novel tactic employed to disguise the malicious Microsoft Word document used for malware delivery. The researchers noted that the attackers distribute a Mach-o executable file that is designed to search for .doc files in the current user directory and write malicious macro code to all of them in plain hexadecimal dump, not in content. The researchers stated that while the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files. This makes it more difficult for the user to determine whether the file is malicious since it doesn't come from an external source. The researchers explained that the malicious embedded document was not new, first observed in the wild in 2015. The analyzed Mach-o file sample was first submitted to VirusTotal in 2019. The researchers stated that analysis of the overwritten documents revealed the inclusion of an AutoOpen macro meant to call several functions with normal-looking names but which were meant to perform nefarious actions. The payload delivered by the macro was an .exe file meant to fetch the Dridex loader. While the .exe file would not run on macOS, the analyzed variant might be in testing stages and could later be converted to fully work on macOS. The researchers concluded that currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with macOS environments). However, it still overwrites document files which are now the carriers of Dridex's malicious macros. Furthermore, it's possible that the threat actors behind this variant will implement further modifications that will make it compatible with macOS.

SecurityWeek reports: "User Documents Overwritten With Malicious Code in Recent Dridex Attacks on macOS"

Confidential data from 14 UK schools have recently been leaked online by hackers following attacks that took place in 2022. The leaked documents include children's SEN information, pupil passport scans, staff pay scales, and contract details. The information was leaked after the impacted schools refused to pay the attacker's ransom demands. According to authorities, the attacks and leaks are believed to be perpetrated by the threat actor Vice Society, which has conducted numerous ransomware and extortion campaigns targeting education institutions in the UK and the US. In October 2022, the Los Angeles Unified School District (LAUSD) warned that Vice Society had begun posting data it stole from the institution. "The schools impacted by the new leak are: Carmel College, St Helens; Durham Johnston Comprehensive School; Frances King School of English, London/Dublin; Gateway College, Hamilton, Leicester; Holy Family RC + CE College, Heywood; Lampton School, Hounslow, London; Mossbourne Federation, London; Pilton Community College, Barnstaple; Samuel Ryder Academy, St Albans; School of Oriental and African Studies, London; St Paul's Catholic College, Sunbury-on-Thames; Test Valley School, Stockbridge; The De Montford School, Evesham." The education sector has been heavily targeted by ransomware in the past few years. Security researchers at Sophos discovered that in July 2022, 56% of lower education institutions had been hit by ransomware in the previous year, along with 64% of higher education bodies.

Infosecurity reports: "UK Schools Hit by Mass Leak of Confidential Data"

The US National Institute of Standards and Technology (NIST) and the MITRE Corporation have both released frameworks to help companies and government organizations develop defenses against attacks aimed at satellites and spacecraft. The FBI and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) warned early in 2022 that attacks against satellite ground-based and space-based infrastructure might become a reality, and they did so shortly thereafter. In 2022, there were nation-state operations aimed at Viasat and SpaceX's Starlink satellites, prompting governments and aerospace firms to develop defenses. In the early days of Russia's invasion of Ukraine, Russia-aligned hackers targeted the ground-based component of Viasat's satellite communications network, knocking Internet modems across Europe offline. According to government authorities and SpaceX CEO Elon Musk, Russia soon after also targeted the distributed satellite Internet provider Starlink, which has been essential for supporting Ukraine with Internet connectivity. Advanced Persistent Threats (APTs) sponsored by nation-states are more likely to be the cyberattackers in this domain. However, a significant portion of today's ground-based satellite infrastructure uses common computer and communications technology. The similarities make it easier for attackers to exploit the systems underlying satellite systems, while the complex supply chain makes the infrastructure more vulnerable to attack. This article continues to discuss cyberattacks on the space sector's infrastructure and efforts to bolster the security of this infrastructure.

Dark Reading reports "Space Race: Defenses Emerge as Satellite-Focused Cyberattacks Ramp Up"

Blind Eagle, a financially driven threat actor, has reemerged with a sophisticated toolkit and a complex infection chain as part of its attacks against Colombian and Ecuadoran organizations. Check Point's latest research provides new insights into the tactics, techniques, and procedures (TTPs) of the Spanish-speaking gang, such as the employment of sophisticated tools and government-themed tricks to activate the kill chain. Blind Eagle, also known as APT-C-36, is noted for its limited geographic focus and indiscriminate attacks targeting South American countries since at least 2018. Trend Micro documented Blind Eagle's activity in September 2021, uncovering a spear-phishing campaign that spread BitRAT, a commodity malware, mostly to Colombian businesses, with a minor focus on Ecuador, Spain, and Panama. This article continues to discuss new findings surrounding the Blind Eagle's tools and infection chain.

THN reports "Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain"