Facebook says it disrupted Iranian Tortoiseshell hacking campaign

Facebook says its cyber espionage investigations team has disrupted a campaign it attributes to the Iranian Tortoiseshell group, which attempted to distribute malware via malicious links sent from fake personas. The social network responded by disabling the accounts and notifying roughly 200 users, primarily US aerospace and defense industry personnel. In many cases, attackers spent months on social engineering efforts with the goal of directing victims to attacker-controlled domains where their devices could be infected with malware. Facebook said the campaign used distinct malware, at least part of which was developed by an IT company in Tehran called MRA, which has ties to the Islamic Revolutionary Guard Corps. Facebook said the highly focused campaign marked a departure from Tortoiseshell’s usual attack pattern, which targets the IT sector rather than aerospace and defense.


US offers $10 million reward for info on state-sponsored cyberattacks on critical infrastructure

On Thursday, the US State Department announced its plan to offer rewards of up to $10 million for information that helps US authorities locate criminals acting at the direction of foreign governments to carry out cyberattacks against US critical infrastructure. The announcement comes on the heels of a spike in major cyberattacks on US infrastructure, headlined by those on JBS Foods and Colonial Pipeline, that impacted US food and fuel supply for days. Many cyber security companies and experts have accused Russia of allowing cybercriminals to operate within its borders while other gangs have been seen operating from China, Iran, and North Korea. The reward is offered through the State Department’s Rewards for Justice (RFJ) program, the same system previously used to offer rewards for info on state-sponsored North Korean hackers as well as hackers meddling in US elections.

(The Record)

Report identifies top threats to Tokyo Olympic Games

On Thursday, Recorded Future’s Insikt Group released a report analyzing the threat landscape ahead of the upcoming Olympic Games in Tokyo. The report concludes that state-sponsored threat actors pose the most significant threat to the games and that Russian APT groups are likely the most motivated to cause disruption, due to Russia’s ongoing dispute with the International Olympic Committee (IOC). The report also states that ransomware likely poses the greatest threat to Olympic organizations, citing a ransomware attack on the Japanese Olympic Committee (JOC) back in April 2020. While the report also notes that state-sponsored propaganda and disinformation outlets are already beginning to undermine the event as unpopular, unsafe, or unfair, Recorded Future has not observed any direct physical threats aimed toward the Tokyo Olympics or the athletes themselves.

(Recorded Future)

Cybercriminals behind banking trojans arrested in Spain

On Wednesday, Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with operating the Mekotio and Grandoreiro banking trojans as part of a social engineering campaign targeting European and Latin American financial institutions. The malware, which was delivered through phishing emails, infected at least 68 email accounts to intercept bank transactions and siphon the funds. Computer equipment, mobile phones, and documents were confiscated, and more than 1,800 spam emails were analyzed, enabling law enforcement to successfully block transfer attempts totaling €3.5 million and recover another €87,000.

(The Hacker News)

Thanks to our episode sponsor,

We all know devastating ransomware goes beyond the endpoint. Big game ransomware defense for your cloud and on-prem data is on everyone’s mind. Varonis can help ease your worries with a free ransomware preparedness assessment. Visit varonis.com/risk for more information.

Chinese cyberspies target Southeast Asian governments

According to researchers at Kaspersky, a highly active spear-phishing campaign first observed in October 2020 attacking roughly 100 targets in Myanmar has broadened its focus to nearly 1,400 Philippine targets, including government entities. The campaign consists of an email containing a Dropbox download link that directs victims to a RAR archive disguised as a Word document that actually contains malicious DLL libraries and executables. Kaspersky has dubbed the threat actor “LuminousMoth,” which it believes is connected to a Chinese state-sponsored hacking group known as HoneyMyte or Mustang Panda. Variants of the attack have leveraged signed-but-rogue Zoom video conferencing software as well as a cookie stealer designed for the Google Chrome browser.

(The Hacker News)


Singapore to launch $50 million AI cybersecurity research program

Earlier this week, Singapore’s Deputy Prime Minister, Heng Swee Keat, announced plans to invest $50 million in an AI and cybersecurity research program which would invest in new 5G and beyond-5G communications testbeds, support technology development, and build up a local talent pool. Many new technologies, such as self-driving cars, are underpinned by rapid developments and global deployment of 5G networks. Singapore plans to have full island-wide standalone 5G coverage by 2025. Heng said at the Asia Tech x Singapore conference that the program will “support AI and cybersecurity research for next-generation communications infrastructures.”


BazarBackdoor sneaks in using multi-compressed archives

Security researchers at Cofense detected a new phishing campaign attempting to deliver Trickbot’s BazarBackdoor malware by using multi-compressed ZIP and RAR archives containing a highly obfuscated JavaScript file. Multi-compression is not a new technique, but it has recently gained popularity because it can trick email security gateways into mislabeling malicious attachments as clean. The latest BazarBackdoor campaign, detected earlier this month, lured recipients with an “Environmental Day” theme.

(Bleeping Computer)
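Both the LuminousMoth story (an archive disguised as a Word document carrying DLLs and executables) and the BazarBackdoor story (a script buried inside nested archives) come down to the same gateway blind spot: a scanner that only looks at the outer attachment never sees the payload. The following is an added example, not code from Cofense, Kaspersky, or any product: a small Python scanner that recursively unpacks zip containers, flags nesting, flags active content by extension, and flags an Office-named attachment whose bytes are not an Office document. It assumes zip-only containers (RAR would need a third-party library) and uses constructed, harmless sample archives built inline.

```python
import io
import zipfile

# Extensions that normally have no business arriving as an email attachment.
ACTIVE_CONTENT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".dll", ".scr"}
# Office Open XML documents are zip files too; genuine ones always carry this entry.
OOXML_MARKER = "[Content_Types].xml"
OFFICE_EXTS = {".docx", ".xlsx", ".pptx"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 4  # stop unpacking before a decompression bomb can exhaust resources


def _ext(name):
    """Lower-cased final extension of a path-like name, or '' if none."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def scan_attachment(name, data, depth=0):
    """Recursively unpack zip containers; return a list of (path, reason) findings."""
    findings = []
    if depth > MAX_DEPTH:
        return [(name, f"nesting deeper than {MAX_DEPTH}")]
    if not data.startswith(ZIP_MAGIC):
        # Leaf file: judge it by extension only (a real gateway would also sniff bytes).
        if _ext(name) in ACTIVE_CONTENT_EXTS:
            findings.append((name, f"active content {_ext(name)}"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "zip signature but unreadable archive")]
    with zf:
        names = zf.namelist()
        # An Office extension on a zip that lacks the OOXML marker is a disguised container.
        if _ext(name) in OFFICE_EXTS and OOXML_MARKER not in names:
            findings.append((name, "Office extension but not an Office document"))
        if depth > 0:
            findings.append((name, f"nested archive at depth {depth}"))
        for member in names:
            if member.endswith("/"):  # directory entry
                continue
            findings.extend(scan_attachment(f"{name}/{member}", zf.read(member), depth + 1))
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed samples mirroring the structures in the stories; contents are inert placeholders.
MULTI_COMPRESSED = _zip_bytes(
    {"Environmental_Day.zip": _zip_bytes({"Environmental_Day.js": b"var placeholder = 1;"})}
)
DISGUISED_DOC = _zip_bytes({"report.dll": b"placeholder", "report.exe": b"placeholder"})


def demo():
    """Scan both constructed samples and return their findings keyed by scenario."""
    return {
        "multi": scan_attachment("Environmental_Day.zip", MULTI_COMPRESSED),
        "disguised": scan_attachment("report.docx", DISGUISED_DOC),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario)
        for path, reason in findings:
            print(f"  {path}: {reason}")
```

The depth limit matters as much as the recursion itself: unpacking every layer is exactly what an attacker can exploit with a decompression bomb, so a gateway should cap depth and total expanded size and treat hitting the cap as a finding, not as "clean".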

PS4 cryptomining farm busted in Ukraine

As part of a Ukrainian sting operation, authorities seized 3,800 Sony PlayStation 4 gaming consoles which were strung together, forming one of the largest underground cryptomining operations ever found. While cryptomining itself isn’t illegal, stealing the vast amounts of electricity needed to power their computer farms is. According to the Security Service of Ukraine, the cryptomining ring was stealing roughly $186,000 to $259,000 worth of electricity each month, and the agency alleges the electricity consumption likely led to power surges and outages in the area. According to the SSU, the cryptominers will be charged with theft of utilities through unauthorized use.