Top five Cyber Threat Intel stories of the week: 11/28 to 12/02/2022

James Beal
Published in Hunter Strategy
Dec 2, 2022

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!

General Worldwide activity:

1st: Hackers are spreading malware via trending TikTok challenge

Overview: Hackers are using a popular TikTok challenge to get people to download information-stealing malware, according to a new report from cybersecurity firm Checkmarx. The campaign takes advantage of a TikTok trend called the “Invisible Challenge” in which people use a special video effect called “invisible body” to pose naked. The effect produces a blurred, contoured image of a person. The hackers posted their own TikTok videos with links to fake software called “unfilter” that claims to be able to remove the TikTok filters and expose people’s naked bodies. “What alarms us the most is his use of legitimate services — Tiktok, Discord and GitHub. The attacker used an open-source malicious code (W4SP-stealer) hosted on GitHub, uploaded his project to GitHub, and used a TikTok trend to trick people into using his malicious project. Further, he built a community around his project.”

Breakdown: Hopefully no one is using a company-owned device in this scenario to post videos of themselves in this state, but there is still a whole group of people who do not see the separation of work and personal devices as all that necessary, so I am sure someone is going to do this and cause an issue. This is a perfect example for current security awareness discussions with all employees, and it also serves as a very obvious reason why this exact type of behavior is so dangerous.

2nd: Killnet Gloats About DDoS Attacks Downing Starlink, White House

Overview: Killnet and its band of hacker collaborators are claiming they were able to pull off a trio of symbolic distributed denial-of-service (DDoS) attacks aimed at punishing some of the most critical supporters of Ukraine against the Russian invasion — Elon Musk’s Starlink satellite broadband service and the websites of the White House in the US and the Prince of Wales in the UK. Researchers at Trustwave were able to find evidence corroborating the Russian-backed threat group’s claims. Killnet claimed it took down Starlink service on Nov. 18, which has been critical for providing the Ukraine war effort with Internet connectivity. Indeed, Trustwave found Starlink customers on Reddit on the same day complaining they couldn’t log in to their accounts for several hours.

Breakdown: Killnet’s pro-Russian stance and its attacks on organizations it feels are against the country keep it in the news cycle at least every couple of weeks since the Russia/Ukraine war started last spring. While this was another DDoS event that was more symbolic than damaging, like the last “attack” against several airlines, it does show a follow-through on Russia’s claim that it could add commercial satellite companies to the list of available combatants. Luckily, again this time we are talking about a DDoS of Starlink and not actual kinetic action, as was threatened, and hopefully more defense and commercial satellite providers are not impacted.

3rd: How Google and Mandiant are forging synergies in cyber security

Overview: Just over a month after Google completed its purchase of Mandiant, the cloud provider has demonstrated its synergies with its latest acquisition, baking threat intelligence capabilities into its Chronicle security operations platform. Called Mandiant Breach Analytics for Chronicle, the offering combines Mandiant’s threat intelligence with Chronicle’s threat detection capabilities.

Breakdown: While not a specific threat intelligence event or update, many people are interested in the final outcome for Mandiant after the recent Google purchase. Now we are finally seeing some details of the plans for the joint venture between both companies.

4th: Sec firm MDSec slams Proofpoint for post on pen-testing framework

Overview: European security firm MDSec has taken exception to the release of a blog post by another security outfit, Proofpoint, about its penetration testing framework Nighthawk, accusing the latter of making “unsubstantiated and speculative projections” about the framework. Nighthawk is an advanced C2 framework similar to Cobalt Strike and Brute Ratel; it can be used by both black hats and red teams and is commercially licensed.

Breakdown: Proofpoint’s post was picked up by major news sources earlier this week and started a discussion about what looked to be a new attack tool in the works, alongside Cobalt Strike, which has been abused for years, and the recent leak of source code for the Brute Ratel framework. MDSec, the creator of Nighthawk, has responded angrily to the negative stance, as there is currently no evidence that the code has been leaked or that any threat actor groups are using the tool to attack anyone. This is partly a discussion around responsible disclosure, this time with a well-known research and threat-sharing infosec company putting a negative light on commercial software, which will also affect MDSec’s core business model if customers do not feel the product is secure.

5th: Should Ukraine rein in its patriotic hackers?

Overview: When Russia invaded Ukraine in February, a 23-year-old from Kyiv who goes by Vlad decided to fight back. But instead of a rifle, he picked up the weapon he knows how to use best — his computer. Vlad, who works as an information security specialist, and his friends started to hack Russian websites and leak sensitive data. They also took control of Russian surveillance cameras to monitor the movement of enemy troops. Vlad declined to go into detail about his activities and asked The Record not to use his last name due to safety concerns — he does not serve in the military and may be criminally liable for his cyberattacks, as well as targeted by Russia.

Breakdown: After Australia’s recent comments on hack-back activity and Meta’s banning of an InfoOp campaign attributed to the U.S. military from Facebook and Instagram, we also have the moral and ethical issue of Ukraine’s IT Army, which has continued almost this entire year, to ponder as well. Here is a discussion from one of the actual members of the group, speaking with some level of anonymity, around details of the things that have occurred. It is fascinating to get an inside look at this activity, but you still need to consider that it is also a potential legal grey area at the same time, since someone living in the United States would be committing a federal crime if they participated. This also brings up the issue of attribution that always accompanies any attack activity, as the people in charge of picking targets need to be one hundred percent certain they are targeting the right systems. Being certain in targeting, even with an abundance of evidence, is a very hard thing to do.
