Australian Senate recommends banning WeChat
The Australian Senate’s Select Committee on Foreign Interference recommended banning all Chinese social media apps in the country, including the popular WeChat service. The committee’s report found that these apps are “increasingly being weaponized to spread disinformation to deliberately mislead or obscure the truth for malicious or deceptive purposes.” It also recommended all social networks, not just Chinese ones, be bound by transparency standards set by legislators, which would include setting up local offices in the country. These recommendations won’t directly lead to any policy implications, but it’s worth noting given Australia’s history of online legislation.
US company accused of aiding APT
A new report from Halcyon details how advanced threat actors leveraged services from the US-incorporated company Cloudzy as a command-and-control provider in attacks. The researchers found that the company very likely operates out of Tehran, Iran. Command-and-control providers are not obligated to ensure their infrastructure isn't being used illegally, which provides legal cover. Advanced persistent threat groups based out of China, India, North Korea, Pakistan, Russia and Vietnam, as well as several cybercrime organizations and ransomware affiliates, used Cloudzy services. Cloudzy makes working with these organizations easy, requiring only an email address and cryptocurrency payments to use its services.
Hacking group to detail P2P protocol at DEF CON
The Cult of the Dead Cow plans to detail its Veilid (vay-lid) protocol at the conference. This will allow developers to use it for end-to-end encrypted messaging in apps without the need to tie an account to a phone number. Built on a decentralized peer-to-peer model, the protocol will gain in performance with more users. Cult of the Dead Cow worked on the protocol for the last three years. The group plans to show a demo app and technical documentation at the show.
(WaPo)
Data brokers offer competitor information on Amazon
CNBC’s Annie Palmer profiled the market for illicit data brokers claiming to offer access to information on Amazon third-party sellers. These brokers operate groups on Telegram, WeChat, WhatsApp, and Facebook, some with tens of thousands of members. These services also claim to help remove negative reviews and perform other actions that would otherwise risk an account suspension on the platform. Sources say these brokers reach out to Amazon employees on LinkedIn to obtain access. Amazon says it actively monitors for insider threats trying to improperly access information.
(CNBC)
Thanks to our sponsor, Opal

APT attacked Norway for weeks using zero-day
In a joint advisory, the US Cybersecurity and Infrastructure Security Agency and the Norwegian National Cyber Security Center said Norwegian authorities discovered attacks against government systems using Ivanti EPMM zero-days on July 24th. These exploits allowed for bypassing ACLs and authentication, as well as changing data on impacted systems. We reported on this attack when it was initially discovered. The advisory clarified that the APT behind the attack used the zero-day from at least April, accessing several organizations and a Norwegian government agency's network. The advisory shared indicators of compromise for similar attacks.
The challenges with cyber insurance underwriting
We recently covered a study showing that organizations with cyber insurance do not carry an increased risk of ransomware attacks. Good news, but it doesn't change the fact that getting a cyber insurance policy remains challenging. Dark Reading's Robert Ackerman detailed the difficulty in underwriting these policies, which often rely on simplistic self-assessment questionnaires. Verification of the submitted information generally only happens when a claim is made. Even if verified, the information submitted becomes outdated almost immediately. Ackerman suggests insurers take an example from third-party risk management platforms and look toward continuous controls monitoring, either directly or through managed service providers.
SpecterOps rewrites BloodHound
SpecterOps first released BloodHound at DEF CON in 2016, an open source tool to map attack paths in Active Directory and related Azure services. It recently released a complete rewrite of its free Community Edition tool, offering a simplified installation and claiming it takes install time down from several hours to 1 minute using a simple Docker Compose command. This new version now uses the same codebase as its commercial enterprise edition. Essentially, this open sources the commercial product, differentiating it with service and support offerings.
New malware finds its way into air-gapped systems
Researchers at Kaspersky documented new malware attributed to the China-linked Zirconium threat group, targeting air-gapped systems at industrial sites across Eastern Europe. The first attacks appeared in April 2022, with continued development since then. The attack arrives via removable drives, first gaining persistence. The attackers used a legitimate McAfee executable to load a malicious DLL payload, which then runs on the air-gapped system once the drive is attached. Files are eventually exfiltrated from another connected machine using Dropbox.
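The pattern described above, a trusted signed vendor executable launched from removable media that loads a DLL sitting beside it, is something a defender can write a simple detection rule for. The following is an added illustration, not code from Kaspersky's report or from the malware; the event fields (`drive_type`, `signer`) and the sample records are constructed assumptions about what an endpoint collector might provide, and "McAfee, Inc." is used only as a stand-in publisher name.

```python
# Added example: toy detection for "signed host binary side-loads a DLL from
# removable media". Event schema and sample records are constructed, not real
# telemetry; field names are assumptions about a hypothetical collector.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ImageLoadEvent:
    process_path: str   # full path of the executable that loaded the DLL
    dll_path: str       # full path of the DLL that was loaded
    drive_type: str     # "fixed" or "removable" (assumed collector field)
    signer: str         # publisher on the executable's signature, "" if unsigned


# Hypothetical allow-list of publishers whose signed binaries are known to be
# abused as side-loading hosts; a real deployment would maintain its own list.
WATCHED_PUBLISHERS = {"mcafee, inc."}


def is_sideload_from_removable(ev: ImageLoadEvent) -> bool:
    """True when a signed binary from a watched publisher, running from
    removable media, loads a DLL located in its own directory."""
    if ev.drive_type != "removable":
        return False
    if ev.signer.lower() not in WATCHED_PUBLISHERS:
        return False
    exe_dir = PureWindowsPath(ev.process_path).parent
    dll_dir = PureWindowsPath(ev.dll_path).parent
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    return exe_dir == dll_dir


def flag_events(events):
    """Return only the events that match the side-loading rule."""
    return [ev for ev in events if is_sideload_from_removable(ev)]


# Constructed sample records: one benign fixed-disk load, one system DLL load
# from a removable drive, and one that matches the side-loading pattern.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\Vendor\agent.exe",
                   r"C:\Program Files\Vendor\helper.dll", "fixed", "McAfee, Inc."),
    ImageLoadEvent(r"E:\tools\agent.exe",
                   r"C:\Windows\System32\kernel32.dll", "removable", "McAfee, Inc."),
    ImageLoadEvent(r"E:\tools\agent.exe",
                   r"e:\tools\helper.dll", "removable", "McAfee, Inc."),
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print("suspicious side-load:", ev.process_path, "->", ev.dll_path)
```

The rule deliberately ignores DLLs resolved from system directories, so ordinary loads of `kernel32.dll` and friends from a removable-media binary do not fire; the signal is the combination of removable media, a trusted signer and a DLL co-located with the host executable.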