Saturday, February 18, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Multiple Chinese APTs are attacking European targets, EU cyber agency warns
Analyst Comments: The warning from the EU Agency for Cybersecurity and CERT-EU about Chinese military hacking groups targeting European businesses and organizations highlights the ongoing threat of APT groups and their deliberate strategy to gather sensitive information. The attribution of these attacks to China's military hacking groups raises concerns about state-sponsored cyber espionage and the importance of robust cybersecurity measures and international cooperation.
FROM THE MEDIA: Chinese military hacking groups have been targeting businesses and organizations in Europe, according to a warning from the European Union Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team of the European Union (CERT-EU). The government hacking groups, known as advanced persistent threats (APT), include APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda, all of which have been linked to China's People's Liberation Army or government. The groups have been conducting "malicious cyber activities against business and governments in the Union," with recent operations focused on information theft through establishing persistent footholds within the network infrastructure of organizations of strategic relevance. Phishing, reconnaissance, and targeted spearphishing activity were also attributed to the groups. ENISA noted that APT27 had also been observed engaging in ransomware-based cybercriminal activities. Mustang Panda has become one of the most notorious hacking groups operating out of China, with widespread attacks on government bodies, nonprofits, religious entities, and other non-governmental organizations in the EU, US, Germany, Mongolia, Myanmar, Pakistan, and Vietnam.
READ THE STORY: The Record
Civilian hackers could become military targets, Red Cross warns
Analyst Comments: Mauro Vignati expressed concerns about the potential undermining of humanitarian laws protecting civilians during wartime due to the civilianization of military cyber activities. Vignati said that digital volunteers have complicated the legal calculus for distinguishing between who is a civilian and who is an active participant in war. The rise in cyber volunteerism is especially noticeable during the ongoing conflict between Russia and Ukraine.
FROM THE MEDIA: The International Committee of the Red Cross (ICRC) has warned that civilians participating in hostilities between Russia and Ukraine in cyberspace could lawfully be exposed to military actions in response. The organization is concerned that the "civilianization of military cyber and other digital activities" could undermine humanitarian laws protecting civilians during wartime. Digital volunteers are complicating the legal calculus, making it challenging to distinguish between civilians and active participants in the conflict. The ICRC strongly recommends that states reverse the trend of civilianization of the digital battlefield in order to protect civilians from the effects of armed conflict.
READ THE STORY: The Record
The World’s Most Vulnerable Supply Chain Impacts All Supply Chains
Analyst Comments: Semiconductors are critical components used in a variety of products, but they are vulnerable due to a complex and concentrated supply chain that relies heavily on Taiwan. The recent shortage of semiconductors has led to production cuts and delays in the tech industry. The US is investing in domestic research and manufacturing to build redundancy, while China has the world's largest reserves of rare earth elements, which are critical materials used in semiconductor production. However, the US is also working to develop alternative sources of rare earth materials.
FROM THE MEDIA: The book "Chip War: The Fight for the World’s Most Critical Technology" by economic historian Chris Miller has won the Financial Times' business book of the year award. It explains the ongoing battle for semiconductor supremacy, which is critical not just to computers and smartphones but also to all manner of products, including cars, planes, home goods, toys, and military devices. Taiwan Semiconductor Manufacturing Company (TSMC) is the world's largest contract chip manufacturer, producing the world's most sophisticated chips, and its location in Taiwan is the center of risk for the semiconductor supply chain. Disrupting TSMC's production would have devastating consequences, and the company is also vulnerable to natural disasters such as typhoons and earthquakes. The semiconductor industry is a global supply chain, and its dependence on a few firms creates choke points. The US is committed to building redundancy, but it will take several tense years before critical new fabs come online.
READ THE STORY: Forbes
‘A Wolf in Sheep’s Clothing’: Cybersecurity Expert Raises the Alarm About China’s Cyber Actors
Analyst Comments: Chinese intelligence officers use various methods to target individuals with access to innovation, trade secrets, and intellectual property. One common approach is to co-opt staff from Chinese universities or national businesses to develop what appears to be a "collaborative" relationship.
FROM THE MEDIA: FBI Director Christopher Wray has warned American companies operating in China of the threat of Chinese government hacking. He cited concerns over “non-Chinese companies operating in China” who are at risk of having malware delivered into their networks through tax software that the Chinese government requires them to use. Wray also noted that the Chinese Communist Party’s hacking program is bigger than that of every other major nation combined, and that its cyber efforts are working hand-in-hand with its intelligence gathering efforts. According to the director, “the overall result of PRC efforts is deep, job-destroying damage across a wide range of industries” and the FBI is running over 2,000 PRC-related counterintelligence investigations across its 56 field offices.
READ THE STORY: The Daily Signal
TA444 Is a New Crypto Hacking Group in North Korea
FROM THE MEDIA: A new hacking group called TA444 is reportedly stealing cryptocurrencies for the North Korean government. The group has been operating for at least six years and has recently started focusing on crypto assets. Unlike Lazarus, North Korea's main state-funded hacking organization, TA444 uses a variety of lures to extract payments, including fake job advertisements and salary adjustments purporting to come from big-name companies, as well as blockchain-related themes. The group has also worked with other crypto hacking groups to funnel the stolen digital funds to those in power in North Korea. It is estimated that North Korea has made off with billions in digital assets, which it has used to fund its ongoing nuclear program.
READ THE STORY: Live Bitcoin News
Renewed Iran-China Ties
Analyst Comments: China's investment in Iran's energy sector and the purchase of Iranian oil can help Iran to bypass Western sanctions, which can undermine Western efforts to isolate Iran and limit its influence in the region. China's growing economic and political influence in the Middle East can challenge Western dominance in the region and undermine their traditional alliances with countries in the region. The cooperation between Iran and China in areas such as cybersecurity, research and development in defense production, and transportation can have potential implications for Western security and intelligence interests.
FROM THE MEDIA: The recent visit of the Iranian President to China has resulted in a significant strategic agreement between the two countries. China has agreed to import Iranian oil, defying American sanctions, while Iran will provide market access to China for its products. The partnership also includes investment in railways, energy, sports, transportation, cyber security, and research and development in defense production, which is expected to help Iran relieve the economic burdens causing socio-economic stress at home and abroad. The partnership has also created ripples on the geopolitical chessboard in the Middle East, as China seeks to engage both Iran and Saudi Arabia. The increasing cooperation between Iran and China has the potential to make the region more connected and inclusive for growth, and to open new doors of opportunity for enhancing cooperation between the two countries.
READ THE STORY: Daily Times (PK)
Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only
FROM THE MEDIA: Twitter is limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers only, citing the method's abuse by bad actors. Users who have not subscribed to Blue and have already enrolled in SMS-based 2FA have until March 20, 2023, to switch to an alternative method such as an authenticator app or a hardware security key. After this cutoff date, non-Blue subscribers will have SMS-based 2FA disabled on their accounts. Twitter's own data shows that only 2.6% of active accounts have enabled at least one form of 2FA, with SMS accounting for 74.4%, authenticator apps for 28.9%, and security keys for 0.5%.
READ THE STORY: THN
GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft
FROM THE MEDIA: GoDaddy, a web hosting services provider, has disclosed a multi-year security breach where a sophisticated and organized group targeting hosting services installed malware to siphon source code related to some of its services. The company attributed the incident to an unauthorized third party gaining access to servers hosted in its cPanel environment, which resulted in sporadic redirection of customer websites to malicious sites. The ultimate objective of the intrusions was to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities. The incident is connected to two other security events in March 2020 and November 2021, according to a related 10-K filing with the US Securities and Exchange Commission.
READ THE STORY: THN
Experts Warn of RambleOn Android Malware Targeting South Korean Journalists
FROM THE MEDIA: A journalist in South Korea was targeted by North Korean nation-state actors using a malware-laced Android app in a social engineering campaign. The non-profit Interlab identified the malware, which it named RambleOn, and said it has the ability to collect information from the target's SMS messages, voice call content, location, and contact list. The spyware masquerades as a secure chat app called Fizzle and was sent as an Android Package file over WeChat to the journalist under the pretext of discussing a sensitive topic. Interlab said it identified overlaps in functionality between RambleOn and FastFire, a piece of Android spyware attributed to Kimsuky by South Korean cybersecurity company S2W last year.
READ THE STORY: THN
Armenian Entities Hit by New Version of OxtaRAT Spying Tool
FROM THE MEDIA: In a cyber attack on entities in Armenia, a new version of the backdoor OxtaRAT has been used to enable remote access and desktop surveillance. The backdoor permits the threat actor to search for and exfiltrate files, remotely control the compromised machine, perform port scanning, install a web shell, and record video from the web camera and desktop. The campaign, known as Operation Silent Watch, targeted human rights organizations, dissidents, and independent media in Azerbaijan for several years. The November 2022 attacks marked the first time that the threat actors have expanded their focus beyond Azerbaijan. The .SCR files that activate the kill chain already contain the OxtaRAT implant, which saves actors from needing to make additional requests for binaries to the command-and-control (C2) server, hides the main malware from being easily discovered on the infected machine, and bypasses type-specific protections. This new version of OxtaRAT has been updated to become a Swiss Army knife malware.
READ THE STORY: THN
FBI tackles 'isolated' IT security breach
FROM THE MEDIA: The FBI has reported an isolated IT security breach in its New York field office that allegedly involved computer systems used to investigate child sexual exploitation. CNN first reported the intrusion, and the FBI confirmed that it is working to gain more information but declined to answer specific questions on the incident. Former FBI agent Austin Berglas, however, suggested that the breach may have involved an infected device collected during an investigation that evaded malware scans and infected the forensic computer used to extract information from it. Berglas claimed that such devices would never be processed on classified networks, and added that breaches of this kind are part and parcel of the nature of the work. The incident, therefore, was not likely to have led to any classified information being accessed.
READ THE STORY: The Register
Russia Asked German Spy For Ukraine War Intel: Report
FROM THE MEDIA: A German intelligence officer who is suspected of passing state secrets to Russia was asked to gather information about Ukraine's artillery and air defense positions, including the exact positioning of US-supplied Himars precision rocket launchers and Iris-T air defense systems supplied by Germany, according to reports by German media. The suspect, identified as Carsten L., was arrested in December 2021 on suspicion of treason. A second suspect, identified as Arthur E., was arrested in January and accused of complicity in the treason. Investigations reportedly found at least 100,000 euros in cash in a safe-deposit box belonging to Carsten L., which is thought to have been handed over to him by Arthur E. The case has heightened concerns in Germany about Russian espionage plots, attempted sabotage of critical infrastructure, and cyber attacks.
READ THE STORY: Barrons
Items of interest
In Munich, everyone’s talking weapons
FROM THE MEDIA: China has a bigger hacking program than any other country in the world, and a bigger AI program than any other nation, warned FBI Director Christopher Wray. China has used its AI capabilities and espionage tactics to hack rival nations' computer systems to obtain trade secrets and sensitive information. Similarly, Russian cyberattacks against the U.S. have increased since the Russia-Ukraine war began. Cyberattacks have been employed to infiltrate the U.S. government and private sectors, and Chinese state-linked firms may facilitate intelligence sharing with the Chinese government. China has also launched espionage efforts against U.S. politicians. Beijing has set up police stations around the world to target Communist Party critics, according to Spain-based NGO Safeguard Defenders.
READ THE STORY: Politico
Life Inside North Korea’s Hacker Army (Video)
FROM THE MEDIA: This video explores the role of North Korea's state-sponsored hacking operations and the impact they have on the individuals who carry out these cyber attacks. The video suggests that North Korea has a dedicated "hacker army" responsible for infiltrating foreign computer systems to gather sensitive information, and that those who carry out these attacks are subject to strict loyalty requirements and propaganda sessions to maintain their allegiance to the regime. The video also suggests that those who do not meet their hacking quotas may face pressure to return home. It is worth noting that North Korea has denied engaging in hacking, although accusations of state-sponsored hacking are common.
What North Korea Doesn’t Want You To See (Video)
FROM THE MEDIA: This video provides an overview of recent events in North Korea, including the arrest of top officials and the demolition of construction projects. It also discusses the stratification of the North Korean population and the attempted infiltration of the author's computer systems by North Korean state-sponsored agents.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.