Russian Forces Routed Internet Traffic Through Russia After Blackout in Kherson
Russia-linked APT threat group steals corporate M&A emails, CIA urges Russians to share info via dark web, Health and prayer apps use bad privacy practices, Grindr user location data for sale, more
After Russian forces created a near-total internet blackout in Kherson and parts of Zaporizhzhia in Ukraine this past weekend, they reinstated service but routed it through Russia’s network instead of Ukrainian telecommunications infrastructure.
The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said the disconnection was “caused by line breakages at fiber-optic backbones and by a power outage with service operators’ equipment in these regions.” The goal of the rerouting was to make Russia’s “false propaganda an uncontested source of information,” according to the SSSCIP, which added that Russian forces also wanted to show some signs of success in the conflict by creating “people’s republics” in occupied territory. (Jonathan Greig / Cyberscoop)
Related: Reuters, The New Voice of Ukraine, CIP.gov.ua
Researchers at Mandiant say that a newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group tracked as UNC3524 is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions.
The researchers say the group has demonstrated its "advanced" capabilities as it maintained access to its victims' environments for more than 18 months (in some cases). The threat actor would target a subset of mailboxes in each victim environment, focusing on executive teams and employees working in corporate development, mergers, and acquisitions, or IT security staff. In some cases, the group employed the reGeorg web shell (a version linked by the NSA to the Russian-sponsored APT28/Fancy Bear group) on DMZ web servers to create a SOCKS tunnel as an alternate access point into its victims' networks. UNC3524 deployed a novel backdoor tracked by Mandiant as QUIETEXIT, which is based on the open-source Dropbear SSH client-server software. (Sergiu Gatlan / Bleeping Computer)
Related: Security Affairs, Bleeping Computer, Mandiant, IT Wire, The Hacker News
The CIA has taken to YouTube and various social media platforms to push Russians with information to reach out to the spy agency on the dark web.
The social media posts, written in Russian, provide instructions on how Russians could use secure virtual private networks, or VPNs, to download a secure browser to contact the agency via the dark web's anonymity. While Russia is blocking Western social media, YouTube remains accessible. The agency is also using other undisclosed means to push out its instructions. (Julian Barnes / New York Times)
Related: Raw Story
Researchers at Sentinel One say that a Chinese-aligned cyberespionage group called Moshen Dragon has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.
Moshe Dragon has tactical overlaps between the collective and another threat group called Nomad Panda (RedFoxtrot). Earlier this year, Secureworks attributed distinct ShadowPad activity clusters to Chinese nation-state groups that align with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA). (Ravie Lakshmanan / The Hacker News)
Related: Heimdal Security Blog, Security Affairs, Industrial Cyber, Bleeping Computer, Sentinel One
Researchers at Mozilla say that mental health and prayer apps have worse privacy protections for users than most other apps.
The team analyzed 32 mental health and prayer apps. Of those apps, 29 were given a “privacy not included” warning label, indicating that the team had concerns about how the app managed user data. The apps with the worst practices, according to Mozilla, are Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace. Mozilla reached out to these apps, but only three responded. (Nicole Wetsman / The Verge)
Related: ZDNet Security, Heimdal Security Blog, NDTV Gadgets360.com, YouGov, Mozilla Foundation, Gizmodo, PCMag.com, SlashGear » security
Clients of mobile-advertising company UM have been able to purchase the bulk phone movement data that included many gay-dating app Grindr users since at least 2017 and possibly earlier. UM was able to access Grindr data from the advertising network MoPub.
The data didn’t contain personal information such as names or phone numbers but, in some cases, were detailed enough to infer things like romantic encounters between specific users based on their device’s proximity to one another, as well as identify clues to people’s identities such as their workplaces and home addresses based on their patterns, habits, and routines. Being gay is illegal in some countries, even punishable by death, and still grounds for blackmail even in countries where homosexuality is not illegal. (Byron Tau and Georgia Wells / Wall Street Journal)
Related: Engadget, Gizmodo, Silicon Angle, New York Post
The U.S. Department of Justice (DoJ) has announced the conviction of California resident Sercan Oyuntur on multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S. Department of Defense (DoD).
Oyuntur managed to divert DoD funds destined for a jet fuel supplier to his bank account. Following a trial, he was found guilty of conspiracy to commit wire, mail, and bank fraud, unauthorized device access, aggravated identity theft, and making false statements to federal law enforcement officers. (Bill Toulas / Bleeping Computer)
Related: Justice Department, Decipher
A year-long Pentagon vulnerability disclosure pilot program found an array of software vulnerabilities in dozens of defense contractors as Russian and Chinese hackers continue to try to steal sensitive data from the US defense industrial base.
Forty-one companies participated in the VDP pilot program for defense contractors. Some defense contractors in the pilot program were unaware that certain IT systems were publicly accessible until researchers pointed them out. The Pentagon declined to identify the participating contractors or the exact software that was probed. (Sean Lyngaas / CNN)
A man living in Russia, Aleksandr Sikerin, also known as Lalartu or Sheriff, whom the U.S. government accused of being involved in multiple REvil ransomware attacks, may be involved in a phony emergency disclosure request (EDR) to Twitter used to threaten a ransomware researcher in recent weeks and force them offline.
Sikerin has in recent weeks threatened a blogger and their family and threatened a cybersecurity researcher with planting articles accusing the researcher of being a pedophile. A person claiming to be Sikerin said they’ve been threatening the researchers and the blogger because they make his work harder, and because they hate Americans. (AJ Vicens / Cyberscoop)
After a cyberattack targeted their vendor, European library lending app Onleihe announced problems lending several media formats offered on the platform, like audio, video, and e-book files.
The app said there was a system failure last week, deleting files that were encrypted with copy protection which will have to be re-encrypted and uploaded onto the library to be made available again. (Bill Toulas / Bleeping Computer)
Related: The Record, Onleihe
Israel's government ordered communications firms to step up their cyber security efforts under new mandatory and unified standards in the wake of a rise in attempted hacking attacks.
Under the new requirements, firms must formulate plans to protect communications networks using a combination of monitoring and control mechanisms to make it possible to establish an up-to-date picture of cyber protection while ensuring privacy. "We are trying to put the right standard on communications companies in order to protect Israel and create a kind of 'Iron Dome' from cyber security attacks. We are suffering from thousands of cyber attacks every year," Communications Minister Yoaz Hendel told a news conference. (Steven Scheer / Reuters)
Related: Times of Israel
After Motherboard published leaked documents that revealed Facebook’s systems are designed in such a way that the company can struggle to track users’ data within its own systems, several U.S. and European lawmakers called for stronger oversight of the tech giant to make sure it complies with existing regulations such as the EU’s GDPR and Calfornia’s Consumer Privacy Act.
Senator Ed Markey (D-MA), who is a member of the Subcommittee on Consumer Protection, Product Safety, and Data Security, said in a statement that “leaked document after leaked document show that Big Tech continues to play fast and loose with users’ personal information.” (Lorenzo Franceschi-Bicchierai / Motherboard)
Related: protocol
Dell Technologies is expanding its cybersecurity recovery options for companies across public clouds and their data centers with a trio of new offerings that will provide more control over how data is stored, controlled, and protected.
The new offerings include an expansion of Dell’s APEX infrastructure-as-a-service portfolio, which allows enterprises to rent technology hardware from Dell on demand, paying only for what they use. (Mike Wheatley / Silicon Angle)
Related: xda-developers, iTnews - Security, CRN, PR Newswire, CRN, Channel Futures, Dell
Google plans to begin testing fenced frames, a proposed web API to help its Privacy Sandbox ad technologies meet commitments to privacy.
Fenced frames are designed to take the place of inline frames, or iframes, for specific scenarios like delivering interest-based ads without betraying interest data to the web page in which they're embedded. Fenced frames share some conceptual similarities to Firefox's Total Cookie Protection, which creates separate spaces for cookies so they can't communicate. (Thomas Claburn / The Register)
Related: Security Week, Google Groups