31 July 2021

ADVANCED PERSISTENT THREATS Time After Time, Always Disclosed Late Months After-The-Fact

Let's compare two different stories - 1 from Axios and 1 from their source.
They are quite different.
1 from Axios 

DOJ: Russians hacked federal prosecutors

The Russian hackers behind the massive SolarWinds cyber-espionage campaign broke into the email accounts of some of the most prominent federal prosecutors' offices around the country last year, the Justice Department announced.

State of play: DOJ said 80% of Microsoft email accounts used by employees in the four U.S. attorney offices in New York were breached.

  • 27 U.S. attorney offices had at least one employee's email account compromised during the hacking campaign, from May to Dec. 2020.

Context: The SolarWinds campaign infiltrated dozens of private-sector companies and think tanks, as well as at least nine U.S. government agencies. The hack was discovered and publicized in mid-December.

=========================================================================
1 from their source > It says nothing about Russia
Updated July 30, 2021
 
UPDATE: DEPARTMENT OF JUSTICE STATEMENT ON SOLAR WINDS
The United States Department of Justice

"In a statement issued January 6, 2021, the Department of Justice acknowledged that the global SolarWinds incident involved intrusion into the Department’s Microsoft O365 email environment and that this activity constituted a major incident under the Federal Information Security Modernization Act (FISMA).  After learning of the malicious activity, the Office of the Chief Information Officer eliminated the identified method by which the actor was accessing the O365 email environment and in accordance with FISMA, the department took steps to notify the appropriate federal agencies, Congress, and the public as warranted.

The Department of Justice understands that when victims make information public about the nature and scope of computer intrusions they suffered, others can use that information to prepare themselves for the next threat. To encourage transparency and strengthen homeland resilience, today we are providing additional details about the SolarWinds intrusion in December 2020.  The following United States Attorneys’ offices had one or more employees’ Microsoft O365 email accounts compromised in connection with the SolarWinds incident affecting the U.S. government and the private sector:

  • Central District of California;
  • Northern District of California;
  • District of Columbia;
  • Northern District of Florida;
  • Middle District of Florida;
  • Southern District of Florida;
  • Northern District of Georgia;
  • District of Kansas;
  • District of Maryland;
  • District of Montana;
  • District of Nevada;
  • District of New Jersey;
  • Eastern District of New York;
  • Northern District of New York;
  • Southern District of New York;
  • Western District of New York;
  • Eastern District of North Carolina;
  • Eastern District of Pennsylvania;
  • Middle District of Pennsylvania;
  • Western District of Pennsylvania;
  • Northern District of Texas;
  • Southern District of Texas;
  • Western District of Texas;
  • District of Vermont;
  • Eastern District of Virginia;
  • Western District of Virginia; and
  • Western District of Washington.

The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts. The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020.  The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time.

While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York.  The Executive Office for U.S. Attorneys has notified all impacted account holders and the Department has provided guidance to identify particular threats.  

The Department’s objective continues to be mitigating the operational, security, and privacy risks caused by the incident.

==========================================================================

RELATED CONTENT

DOJ: SolarWinds hackers breached emails from 27 US Attorneys’ offices

The US Department of Justice says that the Microsoft Office 365 email accounts of employees at 27 US Attorneys' offices were breached by the Russian Foreign Intelligence Service (SVR) during the SolarWinds global hacking spree.

"The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020," the DOJ said in a statement issued earlier today.

"The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time."

"While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York." [emphasis ours] . . .

___________________________________________________________________________________

INSERT for emphasis: ". . .In April, the United States government formally accused the Russian government of orchestrating the SolarWinds attack. The White House named the SVR's hacking division (aka APT29, The Dukes, or Cozy Bear) as the group behind the cyber espionage activity exploiting the SolarWinds Orion platform, which allowed them to access the networks of multiple US federal agencies and private tech sector firms.

The SolarWinds Orion supply-chain attack

The attackers breached SolarWinds' internal systems and trojanized the Orion Software Platform source code and builds released between March 2020 and June 2020.

These malicious builds were later used to deploy a backdoor tracked as Sunburst to "fewer than 18,000" victims, but, luckily, the Russian hackers only picked a substantially lower number of targets for second-stage exploitation.

Before the attack was disclosed, SolarWinds displayed a list of 300,000 customers worldwide [12] on its website: over 425 US Fortune 500 companies, all top ten US telecom companies, as well as a long list of govt agencies (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States).

Multiple US govt agencies later confirmed that they were breached, including:

SolarWinds reported expenses of $3.5 million from last year's supply-chain attack in March, including costs related to remediation and incident investigation.

__________________________________________________________________________________

 

RUSSIA IS BUILDING MORE ICEBREAKERS TO PREPARE FOR ARCTIC WAR || 2021

MILES DAVIS - Time After Time

TELL ME WHY: Could The Stock Market Switch To 4-Days A Week?

Nouriel Roubini Says a Stagflationary Debt Crisis Is on the Way

Europe To The Middle East Seen From The ISS: Earth From Space At Night

Afghanistan staring at the abyss...The End of War

MAZEL TOV : You Go Guys! Ben & Jerry Guys of Principle

Opinion

Guest Essay

We’re Ben and Jerry. Men of Ice Cream, Men of Principle.

Bennett Cohen and Jerry Greenfield

Mr. Cohen and Mr. Greenfield founded Ben & Jerry’s Homemade Holdings in 1978.

We are the founders of Ben & Jerry’s. We are also proud Jews. It’s part of who we are and how we’ve identified ourselves for our whole lives. As our company began to expand internationally, Israel was one of our first overseas markets. We were then, and remain today, supporters of the State of Israel.

But it’s possible to support Israel and oppose some of its policies, just as we’ve opposed policies of the U.S. government. As such, we unequivocally support the decision of the company to end business in the occupied territories, which a majority of the international community, including the United Nations, has deemed an illegal occupation.

While we no longer have any operational control of the company we founded in 1978, we’re proud of its action and believe it is on the right side of history. In our view, ending the sales of ice cream in the occupied territories is one of the most important decisions the company has made in its 43-year history. It was especially brave of the company. Even though it undoubtedly knew that the response would be swift and powerful, Ben & Jerry’s took the step to align its business and operations with its progressive values.

That we support the company’s decision is not a contradiction nor is it anti-Semitic. In fact, we believe this act can and should be seen as advancing the concepts of justice and human rights, core tenets of Judaism.

Ben & Jerry’s is a company that advocates peace. It has long called on Congress to reduce the U.S. military budget. Ben & Jerry’s opposed the Persian Gulf war of 1991. But it wasn’t just talk. One of our very first social-mission initiatives, in 1988, was to introduce the Peace Pop. It was part of an effort to promote the idea of redirecting 1 percent of national defense budgets around the world to fund peace-promoting activities. We see the company’s recent action as part of a similar trajectory — not as anti-Israel, but as part of a long history of being pro-peace.

In its statement, the company drew a contrast between the democratic territory of Israel and the territories Israel occupies. The decision to halt sales outside Israel’s democratic borders is not a boycott of Israel. The Ben & Jerry’s statement did not endorse the Boycott, Divestment and Sanctions movement.

The company’s stated decision to more fully align its operations with its values is not a rejection of Israel. It is a rejection of Israeli policy, which perpetuates an illegal occupation that is a barrier to peace and violates the basic human rights of the Palestinian people who live under the occupation. As Jewish supporters of the State of Israel, we fundamentally reject the notion that it is anti-Semitic to question the policies of the State of Israel.

When we left the helm of the company, we signed a unique governance structure in the acquisition agreement with Unilever back in 2000. That structure is the magic behind both Ben & Jerry’s continued independence and its success. As part of the agreement, the company retained an independent board of directors with a responsibility to protect the company’s essential brand integrity and to pursue its social mission.

We believe business is among the most powerful entities in society. We believe that companies have a responsibility to use their power and influence to advance the wider common good. Over the years, we’ve also come to believe that there is a spiritual aspect to business, just as there is to the lives of individuals. As you give, you receive. We hope that for Ben & Jerry’s, that is at the heart of the business. To us, that’s what this decision represents, and that is why we are proud that 43 years after starting an ice cream shop in a dilapidated gas station in Burlington, Vt., our names are still on the package.

Bennett Cohen and Jerry Greenfield founded Ben & Jerry’s Homemade Holdings in 1978.


Yes You Can Help Determine The Shape and Boundaries for Re-Districting The Mesa City Council

It's that time again, ten years after the 2010 Census. In that time the tools for mapping have become much more technologically advanced, and they are available now to inform the decisions to be made about the city of Mesa's current six districts: equalizing the populations in each district as much as possible after all the uneven growth since the prior three council districts increased to six. Now it is necessary to make some 'adjustments' required by the data taken from the 2020 Census.
That data won't be officially released until August 16, 2021, in a form that will take city officials until September to figure out.
Reference: https://districtr.org/

"In the U.S., there’s a big redistricting cycle every 10 years after new Census data is released. In most states, elected representatives in the state legislature are responsible for drawing the lines—including the districts for their own re-election. This time around, many states will have redistricting commissions for the first time, putting a bit more distance between the legislature and the process. And many states will be experimenting with collecting more and richer public input than ever before.

Try your hand at redistricting! Make plans of your own and share them widely—in some cases, you can submit them as public input in your state.

You draw the lines.

Districtr is a free, public web tool for districting and community identification, brought to you by the MGGG Redistricting Lab.


Origin Story

The goal of Districtr is to put the tools of redistricting in the hands of the public, with an emphasis on meeting the needs of civil rights organizations, community groups, and redistricting commissions.

Districtr came about from a conversation with Lawyers for Civil Rights (LCR), the Boston arm of the national Lawyers’ Committee for Civil Rights Under Law. LCR was describing their work with community members in Lowell, MA, who were frustrated about not having a voice in the city council. In those conversations, a few places kept coming up...

> Like Clemente Park, a much-loved meeting point for the city’s Asian and Latinx populations, which felt unsafe at night because the city had not provided lighting...

> And Lowell High School, the city’s only public high school, which serves over 3000 students. The city announced plans to move it from its traditional downtown location, but without sufficient outreach to communities around the city about possible new sites.

Our idea was to create a mapping tool whose fundamental principle is to ask the community what matters. With maps that build COIs around relevant zones and landmarks, paired with community narratives, we can start to see local interests come to life.

Help shape our democracy!


Redistricting is dividing up a jurisdiction (like a state, county, or city) into pieces that elect representatives. Where and how the lines are drawn influences everything from who has a shot at getting elected to how resources get allocated. Since the founding of the U.S. as a representative democracy, we’ve had the ideal that districts should be a way to communicate very local interests to our wider governing bodies.

This only works if districts are built around communities of shared interest.

Insert copy: Our Values

Accessibility. Participating in the redistricting process should be approachable for everyone. Districtr is engineered for maximum accessibility. It’s entirely in-browser with no login and no downloads, it works on tablets as well as computers, and we assign each plan its own web address for easy sharing.

Openness and transparency. The entire project is open source, with permissive licenses. We don’t collect any information about users. All of the underlying shapefile data is freely available, with the fullest documentation we can provide. We tell you where we get our data, how we’ve processed it, and why it’s the best available.

Maps not metrics. We don’t think that good maps can be measured in one-size-fits-all metrics, so we’ve built a more lightweight mapping experience that doesn’t put scores front and center. You can export maps from Districtr in forms that can be read in the other major redistricting software.

All politics is local. We’ve got 720,000-person congressional districts and 13,000-person city council districts, and every scale in between: county commissions, school zones, sanitation districts—you name it, we map it.

Responsiveness to the community. We aim to highlight specific local rules, principles, and priorities whenever possible. You can request a custom module for your locality. We also build event pages for organizers so they can see an overview of maps from the group at a glance.

=======================================================================

Still have questions?

If you’d like a custom module for your locality, fill out our request form. If you are interested in partnering with us or sponsoring a voting rights project, reach out to us at Districtr@mggg.org.

YOU CAN DRAW YOUR COMMUNITY
Communities of Interest (known as “COIs”) are groups or neighborhoods with significant shared interests that deserve consideration by representatives. Many states have rules that indicate that COIs should be kept whole by districting plans whenever possible.
But this has been one of the hardest to handle of all the priorities in the redistricting world—if you show up at a meeting to say your community matters, how does that information make its way to the line-drawers? Districtr lets you put your community on the map (literally!) by marking places that matter to make your shared interests visible. This year, more states than ever will be collecting community input in the redistricting process.
If you’re interested in getting involved, our team is hosting training sessions twice a week to share our best tips for collecting community maps with Districtr.
Register here to attend or check out our training materials.

For a detailed walkthrough of Districtr, visit our Guide page.


The Epic of Gilgamesh - one of the world’s oldest works of literature from The Middle East before The Christian Era

Don't know about any of you, dear readers, but 'once-upon-a-time' not so long ago but way before the current controversies in public education over teaching Critical Race Theory, studying The Epic of Gilgamesh was required reading in an advanced-placement high school class on World History.
No one objected or complained . . .

Ancient Gilgamesh tablet seized from Hobby Lobby by US authorities

The craft store had acquired the 3,600-year-old artefact for its Bible museum, but court says it had been smuggled and should be returned to Iraq

The Gilgamesh Dream Tablet seized by US authorities. Photograph: US Immigration and Customs Enforcement

Hobby Lobby Forfeits Rare Gilgamesh Tablet Smuggled From Iraq

The arts and crafts chain is once again under scrutiny for its collecting practices

In 2014, the craft retailer Hobby Lobby purchased a rare cuneiform tablet inscribed with a portion of the Epic of Gilgamesh, one of the oldest known works of literature. The artifact was acquired for display at the Museum of the Bible, a Washington, D.C. institution funded by the family of Hobby Lobby founder David Green. But this week, reports Jordan Freiman for CBS News, the Department of Justice (DOJ) ordered the tablet’s forfeiture on the grounds that it was illegally imported into the United States and sold to Hobby Lobby under false pretenses.

Known as the “Gilgamesh Dream Tablet,” the artifact is inscribed in the Akkadian language and details a dream sequence from the ancient epic, according to Agence France-Presse (AFP). It is around 3,500 years old and originated in modern-day Iraq.

 

Hobby Lobby's Illegal Antiquities Shed Light On A Lost, Looted Ancient City In Iraq

Ancient artifacts seized from Hobby Lobby are shown at a May 2 event returning the artifacts to Iraq in Washington, D.C. The seized artifacts include cuneiform tablets from the little-known ancient city of Irisagrig. Win McNamee/Getty Images

Archaeologist Eckart Frahm didn't have much time to determine where the 4,000-year-old clay tablets had come from. Homeland Security officials had given him just 2 1/2 days in a dimly lit New York warehouse to pore over the cuneiform inscriptions etched into the fragile, ancient pieces and report back.

"They were not in great shape. They had infestations of salt in them, so it's not that I could say I had been able to read everything," says the Yale University professor. "My main goal was to provide a general assessment from when and where did these tablets actually originate."

Frahm determined the tablets at the center of a federal case against the Oklahoma-based Hobby Lobby arts and crafts chain were from a place few had ever heard of — an ancient Sumerian city called Irisagrig.

"You could argue that this is a lost city because this place has never been properly excavated and you don't even know exactly where it is," Frahm tells NPR.

But looters know. The roughly 250 tablets Frahm examined in 2016 were among 5,500 objects, including ancient cylinder seals and clay seal impressions known as bullae, smuggled into the U.S. starting in 2010. Shipped from the United Arab Emirates and Israel without declaring their true Iraqi origin, some of them were marked "ceramic tiles" or "clay tiles (sample)."

They'd been purchased by Hobby Lobby for $1.6 million.

In a settlement last year with the Justice Department, Hobby Lobby agreed to forfeit the objects and paid a $3 million fine. In May, about 3,800 objects were handed back to the Iraqi government at a ceremony at its Washington, D.C., embassy, and will be returned to Iraq later this year.

Last November, Hobby Lobby president Steve Green, the son of the craft store chain's founder David Green, opened a Museum of the Bible in Washington, D.C., which contains another $201 million worth of ancient artifacts tied to Hobby Lobby. . .

Those tablets marked the first time archaeologists were known to have seen the name Irisagrig. According to one of the cuneiform tablets, it took four days to tow boats upstream from Umma, a better-known ancient Sumerian city, giving Molina a rough probable location of the lost city in the south of the country.

Umma itself is one of the most heavily looted of all known ancient sites in Iraq. Thieves dug hundreds of holes into the tells — the mounds under which the ancient city is buried — after security collapsed following the 2003 U.S. invasion.

Archaeologist Lamia al-Gailani at the Iraq Museum in Baghdad. The museum was looted in 2003 after the U.S. invasion of Iraq. Some of its antiquities were recovered but looting has continued in the south of Iraq, where thousands of ancient sites yet to be excavated by archaeologists are unprotected. Jane Arraf/NPR

The remains of thousands of other ancient towns and cities likely exist under other mounds, archaeologists believe.

"Don't forget, even if we take only ancient Iraq, it's 3,000 years — so they didn't live in just one or two cities," says Lamia al-Gailani, a British-Iraqi archaeologist with the Iraq Museum in Baghdad and the University of London's School of Oriental and African Studies. . .

> Frahm says apart from the Irisagrig archive, the Hobby Lobby artifacts that are being returned to Iraq also include tablets dating from about 2500 BCE (an alternative to "B.C." commonly used by scholars to denote "before the common era") with incantations to the gods, Babylonian letters from between 1900 and 1700 BCE and hymns from several hundred years BCE.

Frahm describes the incantations as some of the most important pieces in the collection. The tablets, about 300 years older than the Irisagrig tablets, invoke three Mesopotamian gods. He says another text from the first millennium BCE is written in both Babylonian and Emesal, a dialect of Sumerian he says was originally a language used only by women.

 

WHOA! Just a "Computer Glitch" Was It (or so they say) > Watch Russia's Nauka module perform retrograde maneuver to correct a tilt on International Space Station

FAST-FORWARD > We're Running Out of Time...The Urgency of Now For Climate Emergency Action

WORDS > Nothing is more dangerous than the mirage of action shrouding the truth of inaction, because it breeds either false confidence that we will be OK or cynicism and despair about meaningless political promises.

Our biggest enemy is no longer climate denial but climate delay

OPENING: "Future generations will look back on the climate events of 2021 and say:
“That was the year they ran out of excuses.”
Heatwaves and flooding here in the UK, temperatures topping 50C in Pakistan, hundreds killed by a heatwave in British Columbia, deadly floods in Germany and China. All within a single month. Add to that the recent dire warning from the Met Office that the age of extreme weather has just begun.
The wake-up call that this offers is not just the obvious one: that climate breakdown is already here. It also illustrates that we, in this generation, are in a unique position in the history of this crisis. Climate breakdown can no longer be plausibly denied as a threat etched only in the future. And all too soon, avoiding it may be a luxury lost to the past. The window to avoid catastrophe is closing with every passing day. We’re in the decisive decade in this fight, and we must treat the climate crisis as an issue that stands alone in the combination of its urgency and the shadow it casts over future generations. . .The actions we take defy the normal rhythm of political cycles.
. . .The accompanying truth is that our biggest enemy is no longer climate denial but climate delay. The most dangerous opponents of change are no longer the shrinking minority who deny the need for action, but the supposed supporters of change who refuse to act at the pace the science demands.
As Bill McKibben, environmentalist and climate scholar, says on climate:
“Winning slowly is the same as losing.”
Nothing is more dangerous than the mirage of action shrouding the truth of inaction, because it breeds either false confidence that we will be OK or cynicism and despair about meaningless political promises.
The case for investing now is not just clear as a question of intergenerational equity, it’s also the only conclusion to draw from a hard-headed fiscal analysis of the costs and benefits.
We should act now not just because we must avoid future generations living in a disaster movie but because rewriting the script can produce a better world. Rapid decarbonisation is the imperative, but we can do so in a way that fixes the inequalities that exist in our current economic system. This is the promise of the Green New Deal – that this transformative programme of investment can also generate good jobs, help existing industries transition and create new ones, ensure warmer homes, cleaner air, and a lasting shift in wealth and power across our country. This is the vision we must fight for. . .

Just over 50 years ago, Martin Luther King said of the fight for racial and economic justice: “We are now faced with the fact that tomorrow is today. We are confronted with the fierce urgency of now. In the unfolding conundrum of life and history, there is such a thing as being too late.” As the generation that stands astride the causes and consequences of this climate emergency, we must take heed of those words.

  • Ed Miliband is the Labour MP for Doncaster North and shadow business, energy and industry secretary

 

30 July 2021

ESPORTS GAMBLING BETTING ARRIVING IN ARIZONA > Esports Entertainment Group (NASDAQ: GMBL) Projecting $100 Million in Revenue

EVERYTHING BLEEPING COMPUTER

  
About BleepingComputer.com
https://www.bleepingcomputer.com
Bleeping Computer® is an information security and technology news publication created in 2004 by Lawrence Abrams. Millions of visitors come to BleepingComputer.com every month to learn about the latest security threats, technology news, ways to stay protected online, and how to use their computers more efficiently.

For our work in analyzing ransomware, issuing news alerts about the latest security threats, and offering free ransomware decryptors, BleepingComputer is the first news and support site to be added as a partner of the No More Ransom Project. This project was started in 2016 as an alliance between Europol's European Cybercrime Centre, the National High Tech Crime Unit of the Netherlands police, and McAfee to battle ransomware.

In addition to news, we provide a wide array of free technical support services, downloads, and self-education tools that allow users to resolve issues on their computer. Whether you are a novice user here to learn basic concepts about computers or an advanced user infected with ransomware, BleepingComputer can offer solutions to your problem for free.

Ultimately, our goal is to turn your #$@!* computer that never does what you want into one that you praise as a well-tamed tool.

Mission Statement

Our mission: To provide accurate and relevant information about the latest cybersecurity threats and technology advances so you can protect and take control of your network, devices, and data.

Ways to contribute

As part of our mission to help you take control of your data and devices, we always welcome news tips and research that you think our readers would find interesting.

To share a news tip with BleepingComputer, you can use our News Tip form to share the information confidentially.

Editorial Team

Lawrence Abrams
Lawrence Abrams, Owner, Editor-in-Chief
Lawrence Abrams is the Editor-in-Chief and owner of BleepingComputer.com. Lawrence’s area of expertise includes security, malware research, ransomware, and computer forensics. Lawrence Abrams is also a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and technical editor for Rootkits for Dummies.
Ionut Ilascu
Ionut Ilascu, Cybersecurity Editor
Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.
Sergiu Gatlan
Sergiu Gatlan, Cybersecurity Editor
Sergiu Gatlan is a reporter who covered cybersecurity, technology, Apple, Google, and a few other topics at Softpedia for more than a decade. Email or Twitter DMs for tips.
Mayank Parmar
Mayank Parmar, Staff Writer, Computing
Mayank Parmar is a journalist covering technology news, but with a strong focus on Microsoft and Windows related stories. He is always poking under the hood of Windows looking for the latest secrets to reveal.
Ax Sharma
Ax Sharma, Staff Writer
Ax Sharma is a Security Researcher, Engineer, and Tech Columnist. His works and expert analyses have frequently been featured by leading media outlets like Fortune, The Register, TechRepublic, CIO, etc. Ax's expertise lies in vulnerability research, reverse engineering, software development, and web app security. He's an active member of the OWASP Foundation and the British Association of Journalists (BAJ).

New destructive Meteor wiper malware used in Iranian railway attack

A new file wiping malware called Meteor was discovered used in the recent attacks against Iran's railway system.

Earlier this month, Iran's transport ministry and national train system suffered a cyberattack, causing the agency's websites to shut down and disrupting train service. The threat actors also displayed messages on the railway's message boards stating that trains were delayed or canceled due to a cyberattack.

Some of these messages told passengers to call a phone number for more information, which is for the office of Supreme Leader Ali Khamenei.

Hackers posting messages to the railway's message boards
Source: Twitter

In addition to trolling the railway, the threat actors locked Windows devices on the network with a lock screen that prevented access to the device.

New Meteor wiper used in Iran attacks

In a new report by SentinelOne, security researcher Juan Andres Guerrero-Saade revealed that the cyberattack on Iran utilized a previously unseen file wiper called Meteor.

A wiper is malware that intentionally deletes files on a computer and causes it to become unbootable.

Unlike ransomware attacks, destructive wiper attacks are not used to generate revenue for the attackers. Instead, their goal is to cause chaos for an organization or to distract admins while another attack is taking place.

While Iranian cybersecurity firm Aman Pardaz had previously analyzed the wiper, SentinelOne was able to recover additional components that the earlier analysis had missed, giving a clearer picture of the attack.

"Despite a lack of specific indicators of compromise, we were able to recover most of the attack components described in the post along with additional components they had missed," explains Guerrero-Saade in SentinelOne's research.

"Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker."

The attack itself is dubbed 'MeteorExpress,' and utilizes a toolkit of batch files and executables to wipe a system, lock the device's Master Boot Record (MBR), and install a screen locker.

MeteorExpress attack chain
Source: SentinelOne

To start the attack, threat actors extracted a RAR archive protected with the 'hackemall' password. The attackers then added these files to a network share accessible to the rest of the computers on the Iranian railway's network.

The threat actor then configured Windows group policies to launch a setup.bat batch file that would then copy various executables and batch files to the local device and execute them.

Setup.bat batch file
Source: SentinelOne

As part of this process, the batch files would go through the following steps:

  • Check if Kaspersky antivirus was installed and terminate the attack if found.
  • Disconnect the device from the network.
  • Add Windows Defender exclusions to prevent the malware from being detected.
  • Extract various malware executables and batch files to the system.
  • Clear Windows event logs.
  • Delete a scheduled task called ‘AnalyzeAll’ under the Windows Power Efficiency Diagnostics directory.
  • Use Sysinternals 'Sync' tool to flush the filesystem cache to the disk.
  • Launch the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe) on the computer.

When completed, the device will be unbootable, its files deleted, and a screen locker installed that displays the following wallpaper background before the computer is rebooted for the first time.
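As an added example (not code from the article or from SentinelOne's report), here is a small Python detection sketch that scores a host by how many of the steps above show up in its process-creation command lines; the sample telemetry and host names are constructed, and the exact command forms (Add-MpPreference for the Defender exclusion, wevtutil cl for log clearing, schtasks /Delete for the AnalyzeAll task) are assumed rather than taken from the report.

```python
import re

# Constructed sample of process-creation telemetry as (host, command line) pairs.
# These are NOT indicators from the incident; they are shaped like the steps the
# article lists (Defender exclusion, event-log clearing, AnalyzeAll task deletion,
# Sysinternals Sync, then the wiper/locker binaries) so the rules have something to hit.
SAMPLE_EVENTS = [
    ("host-a", "cmd.exe /c setup.bat"),
    ("host-a", 'powershell.exe Add-MpPreference -ExclusionPath "C:\\temp"'),
    ("host-a", "wevtutil.exe cl System"),
    ("host-a", 'schtasks.exe /Delete /TN "\\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll" /F'),
    ("host-a", "sync.exe -r"),
    ("host-a", "env.exe"),
    ("host-b", "schtasks.exe /Query"),            # benign: should not be flagged
    ("host-b", "wevtutil.exe qe Security /c:5"),  # benign: a query, not a clear
]

# Each rule names one behaviour from the MeteorExpress chain. Individually these are
# noisy (admins clear logs and add exclusions too); the signal is several on one host.
RULES = [
    ("defender_exclusion",  re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)),
    ("eventlog_cleared",    re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("analyzeall_task_del", re.compile(r"\bschtasks(\.exe)?\b.*/delete\b.*AnalyzeAll", re.I)),
    ("sysinternals_sync",   re.compile(r"(^|[\\\s])sync\.exe\b", re.I)),
    ("meteor_binary_names", re.compile(r"(^|[\\\s])(env|msapp|nti|mssetup)\.exe\b", re.I)),
]


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def score_hosts(events, threshold=3):
    """Group hits per host; return hosts showing at least `threshold` distinct behaviours."""
    per_host = {}
    for host, cmd in events:
        per_host.setdefault(host, set()).update(match_rules(cmd))
    return {h: sorted(hits) for h, hits in per_host.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(hits)} MeteorExpress-like behaviours: {', '.join(hits)}")
```

The threshold is what keeps the single noisy rules from paging anyone; tune it to the environment and treat a hit as a prompt to pull the host's full timeline, not as a verdict.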

MeteorExpress screen locker
Source: SentinelOne

While SentinelOne was unable to recover the 'nti.exe' MBR locker, the researchers from Aman Pardaz claim that it overlaps with the notorious NotPetya wiper.

"One interesting claim in the Padvish blog is that the manner in which nti.exe corrupts the MBR is by overwriting the same sectors as the infamous NotPetya," explained Guerrero-Saade.

"While one’s first instinct might be to assume that the NotPetya operators were involved or that this is an attempt at a false flag operation, it’s important to remember that NotPetya’s MBR corrupting scheme was mostly cribbed from the original Petya used for criminal operations."

Initially thought to be a ransomware attack, NotPetya was a wiper that wreaked havoc across the globe in 2017 by spreading to exposed networks via NSA's ETERNALBLUE exploit and encrypting devices.

In 2020, the US indicted six Russian GRU intelligence operatives believed to be part of the elite Russian hacking group known as "Sandworm" for the NotPetya attack.

At this time, the motive for the Meteor wiper attacks on Iran's railway is not clear, and the attacks have not been attributed to any particular group or country.

"We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators," concludes SentinelOne's report.

"At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive."

========================================================================

STONE COLD ALEC AGENDA: AZ Governor Doug Ducey Sent This ...

Newsweek Opinion: Arizona Tax Reform Is a National Model

Tim Phillips & Grover Norquist
Newsweek
July 30, 2021

"As America recovers from shutdowns imposed in response to COVID-19, many states are experiencing surges in tax revenues unthinkable a year ago. Even so, the federal government has provided trillions in unnecessary spending and "stimulus" funds—even with a number of states experiencing surpluses before they received any federal dollars.

While some legislators see these windfalls as an opportunity to waste money on unnecessary programs, Arizona lawmakers have wisely chosen to reduce the state tax burden.

The coronavirus pandemic and the lockdowns that accompanied it were traumatic and costly for the American people. Millions continue to struggle to make up for lost income, rebuild their small businesses or make sure their kids are prepared to succeed in school again. At a minimum, they ought to be able to keep as much of their hard-earned money as possible. That's the best way to help them accomplish all these goals, and to build the American dream.

Fortunately, the state of Arizona agrees.

The budget recently signed by Governor Doug Ducey includes meaningful, comprehensive tax reforms that address many of the shortcomings in the state's current tax code. Instead of the five different brackets in the existing system, all Arizona workers will soon pay a personal income tax rate of 2.5 percent, except for the highest earners, who will pay 4.5 percent.

This reform was made possible in part by the fact that Arizona was projected to build up a budget surplus of nearly $4 billion over the next three years.

By lowering the income tax rate and making the tax code flatter, the tax burden on all Arizonans is reduced, and families will see real, long-term relief that's desperately needed.

This tax reduction will also boost Arizona's competitiveness, making the state more desirable for both individuals and pass-through businesses, as a majority of small businesses pay taxes under the individual tax code. This will help grow the economy and create jobs going forward—a positive contrast with the past year, which saw so many lost jobs and reduced hours. This reform package sets up the state to recover stronger than ever.

Americans rely on elected officials to recognize and address genuine public priorities, and to do so responsibly and in a way that's consistent with the Constitution. That means keeping taxes as low as possible, so workers can benefit from their labor and don't wind up surrendering their hard-earned money only for it to be wasted.

When tax revenues unexpectedly surge beyond what's needed to respond to real priorities, those funds should be returned to the workers who earned them. Lawmakers can't respond to surpluses by acting like they won the lottery, spending wildly on boondoggles and pet projects. Instead, they should act as careful stewards of tax dollars, ensuring that families pay no more in taxes than is necessary.

This is not the course being taken in Washington D.C., where the White House is forcing through another massive spending bill, this one ostensibly intended to build infrastructure. Washington D.C. sets a bad example.

Arizona, on the other hand, provides a good example: lower the tax rates to let people keep more of what they earn and invest in what they care about most. Limit government spending to grow no faster than the incomes of the citizens who pay the taxes. Create a magnet for job-creating investment and hardworking Americans who simply wish to be left alone to work hard, take care of their families and support their communities.

The Arizona reform is a positive model and one that should be followed by other states and the federal government."

Tim Phillips is president of Americans for Prosperity. Grover Norquist is president of Americans for Tax Reform.

Beyond the Bell 07/30/2021

From The Office of Arizona Governor Doug Ducey: Heading into August...

WHAT A WEEK it was all over the world, but let's take a quick look at the newsletter below to check whether he forgot to mention or include anything important to most people.

The last week of July was a busy one for Governor Ducey. The highpoint may have been when the Governor joined KORE Power to announce it selected Arizona for its lithium-ion battery manufacturing facility, which will generate about 13,000 jobs. 

What's more, Arizona's new tax plan is garnering praise at the national level, the hospitality industry is bouncing back, and education leaders are coming together to protect students and school choice. Read about all this and more below.
Governor Ducey Issues Statement On New CDC Guidance
"Public health officials in Arizona and across the country have made it clear that the best protection against COVID-19 is the vaccine. Today’s announcement by the CDC will unfortunately only diminish confidence in the vaccine and create more challenges for public health officials – people who have worked tirelessly to increase vaccination rates."
 
Kore Power Selects Arizona Site One Million Square Foot "Koreplex" Lithium-ion Battery Manufacturing Facility
KORE Power plans to employ more than 3,000 full-time personnel at the facility, which will generate upwards of an estimated 10,000 direct and indirect jobs. The construction of KOREPlex will employ an estimated 3,400 workers during peak construction.
Governor Ducey Urges Delegation To Protect Charter School Students 
Governor Ducey this week urged Arizona’s Congressional Delegation to oppose federal legislation that will jeopardize critical funding the state’s public charter schools receive and put thousands of students at risk. 
Governor Ducey Thanks ADHS Director Dr. Christ For Longtime, Dedicated Service To Arizona
Governor Ducey this week announced Arizona Department of Health Services Director Dr. Cara Christ, who has been instrumental in the state’s COVID-19 response, will leave her position on August 27 for another leadership role as chief medical officer for Blue Cross Blue Shield of Arizona.
Newsweek Opinion: Arizona Tax Reform Is A National Model
"By lowering the income tax rate and making the tax code flatter, the tax burden on all Arizonans is reduced, and families will see real, long-term relief that's desperately needed. This tax reduction will also boost Arizona's competitiveness, making the state more desirable for both individuals and pass-through businesses, as a majority of small businesses pay taxes under the individual tax code."
Governor Ducey Statement On The Dobbs V. Jackson Women's Health Organization Amicus Brief
“The Constitution preserves the rights of the states by specifically enumerating the authority granted to the federal government. Unfortunately, almost 50 years ago, the U.S. Supreme Court decided to ignore the Constitution and created policy which has led to the over-politicization of this issue for decades."
Governor Ducey, Hospitality Leaders Discuss Continued Economic Growth
Governor Ducey this week met with leaders of the hospitality industry at the Sanctuary Camelback Mountain Resort to discuss Arizona’s job recovery, growing economy and tourism opportunities.