Friday, February 24, 2023 // (IG): BB // BSidesCharm // Coffee for Bob
Great Leap Nowhere: The Challenges of China’s Semiconductor Industry
Analyst Comments: The Chinese government has invested heavily in the semiconductor industry, but the country's efforts have been hindered by political and institutional factors, such as corruption, lack of oversight, and the absence of an effective innovation ecosystem. As a result, China has struggled to achieve significant breakthroughs in independent chip design and manufacturing.
FROM THE MEDIA: China's attempts to develop advanced semiconductor technology have faced challenges due to political and institutional factors within its innovation base. Despite massive government investment and high political priority, the semiconductor industry has not made significant breakthroughs due to issues such as corruption and misallocation. Additionally, the top-down approach to innovation in China has been found to impede originality and breakthroughs. As a result, the US and its allies can be cautiously optimistic about their long-term competitiveness in semiconductor technologies. However, China's relative success with creative adaptation means that it can still boost certain sectors of the chip industry by exploiting leaky export controls and engaging in cyber espionage. US policymakers should be aware of these challenges and work to make export controls against China as airtight as possible, as well as support the cybersecurity efforts of domestic semiconductor firms.
READ THE STORY: War on the Rocks
Russian national accused of developing, and selling malware appears in U.S. court
Analyst Comments: The United States Department of Justice (DOJ) can request the extradition of a foreign citizen from another country through formal diplomatic channels, typically by submitting an extradition request to the relevant foreign government. The U.S. government would have to provide evidence supporting the charges against the individual, and the foreign government would have to agree to the extradition, which can be subject to various legal and political considerations. Once the foreign government approves the extradition, the individual would be transported to the United States to face charges in a U.S. court.
FROM THE MEDIA: The extradition of a 28-year-old Russian malware developer, Dariy Pankov, to the United States highlights the growing problem of cybercrime and the illegal use of stolen login credentials. Pankov developed and sold a malicious password-cracking tool called NLBrute, which was marketed to cybercriminals for a small bitcoin fee. He is accused of obtaining login credentials for more than 35,000 computers globally, which he sold through a site on the dark web, netting nearly $360,000 in illicit proceeds between 2016 and 2019. Pankov's victims were located in several countries, including the United States, France, the UK, Italy, and Australia. He could face a maximum penalty of 47 years in federal prison if convicted on all counts, and the U.S. also plans to seize $350,000 from him, which was allegedly obtained from illegal activities. The case underscores the need for increased efforts to combat cybercrime and protect sensitive data.
READ THE STORY: Cyberscoop // The Hill // Yahoo News // The Record
UK military intelligence team wins Western Europe’s ‘largest cyber warfare exercise’ held in Estonia
Analyst Comments: The Defence Cyber Marvel 2 exercise, which the British military intelligence team won, is significant because it gives cyber defense experts from different countries an opportunity to test their skills and strategies in responding to simulated cyber threats, including ones modeled on the tactics Russia has used to disrupt Ukrainian cyberspace.
FROM THE MEDIA: A team from British military intelligence has won a cyber warfare exercise called “Defence Cyber Marvel 2” (DCM2), described as “Western Europe’s largest” by the UK Ministry of Defence. The exercise took place at the CR14 cyber range in Tallinn, Estonia, where 34 teams from 11 countries competed in responding to simulated cyber threats over seven days. The tasks the teams undertook were not disclosed, but the MoD said that the challenges simulated Russian cyber tactics used to disrupt Ukrainian cyberspace at the start of the Ukraine crisis a year ago. The British team was judged on the speed and effectiveness of its response, and how quickly it identified and adapted to new threats. The competition included teams from India, Italy, Ghana, Japan, the US, Ukraine, Kenya, and Oman. The British military has used the CR14 range for training exercises since it was established in 2019.
READ THE STORY: The Record
Ukraine invasion blew up Russian cybercrime alliances
Analyst Comments: The war has broken long-established taboos, such as the rule that Russian-language dark web forums wouldn't target organizations located in the former Soviet Union. Looking ahead, the report predicts that volatility and instability across the Russian-speaking dark-web economy will continue into 2023, and more hack-and-leak operations from the IT Army of Ukraine can be expected. The article suggests that Russia is likely to abandon all pretenses of cracking down on cyber criminals operating inside its borders, and may even grant legal immunity to hackers acting in the interest of Russia.
FROM THE MEDIA: The war in Ukraine has disrupted Russia and the former Soviet Union's criminal ecosystem, with far-reaching consequences affecting almost all aspects of cybercrime, according to new research by Recorded Future's Insikt Group. The research suggests that the war led to the dissolution of the "brotherhood" of Russian-speaking cybercriminals, and has created new threats and challenges for defenders. Before the war, all criminal elements were bound by a common purpose not to target entities located in the Commonwealth of Independent States. However, the invasion disrupted this understanding, leading to the breaking of a taboo and a new precedent of targeting Ukraine and other 'hostile nations' on Russian-language dark web forums. The research team also predicts more insider criminal gang leaks, unimpressive hacktivist attacks, and more database and credential leaks targeting .ru and .by domains in 2023. The team also expects Russia to abandon all pretenses of cracking down on cyber criminals operating within its borders and to absolve Russian criminals of any liability within the next few months.
READ THE STORY: The Register
Popular IBM file transfer tool vulnerable to cyberattacks, CISA says
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) has reported that the IBM Aspera Faspex file transfer tool has a bug that is being actively exploited by malicious hackers. The vulnerability has been assigned the identifier CVE-2022-47986 and was added to CISA's catalog of known exploited vulnerabilities this week. This vulnerability poses significant risks to the federal enterprise, says CISA, adding that the tool is so widely used that it won an Emmy in 2014 for enabling faster media production workflows. IBM issued a patch on January 18, and federal civilian agencies have until March 14 to patch the vulnerability. The vulnerability is easy to exploit and can allow a remote attacker to take actions on a system without having to get around network authentication processes, according to Bud Broomhead, CEO of cybersecurity company Viakoo. Aspera Faspex is widely used to transfer large datasets, such as genomics and biomedical research, media production, military signals intelligence, or financial services data.
READ THE STORY: The Record
Darktrace Newsroom monitors open-source intelligence sources
FROM THE MEDIA: Darktrace has launched Darktrace Newsroom, an AI-driven system that monitors open-source intelligence sources for new critical vulnerabilities, assesses each organization’s exposure, and provides mitigation advice specific to the organization to keep it protected. New critical vulnerabilities make news headlines regularly, and the average time to exploitation has shrunk to just fifteen days. Darktrace Newsroom uses AI to monitor threat feeds and OSINT sources for new critical vulnerabilities and publishes them on the Darktrace PREVENT dashboard. Newsroom shows a summary of the vulnerability and the affected software, and reveals how many assets within the organization have been found to run that software. The capability augments the human security team by determining whether an organization is affected by a new vulnerability, alleviating lengthy, labor-intensive manual processes.
READ THE STORY: Help Net Security
Ukraine says Russian hackers backdoored govt websites in 2021
FROM THE MEDIA: The Computer Emergency Response Team of Ukraine (CERT-UA) has reported that multiple government websites in Ukraine were breached this week by Russian state hackers using backdoors that were planted as far back as December 2021. CERT-UA discovered the attacks after detecting a web shell on one of the hacked websites that the threat actors used to install additional malware. The attackers, tracked as UAC-0056, Ember Bear, or Lorec53, used GOST (Go Simple Tunnel) and Ngrok tools to deploy the HoaxPen backdoor during the early stages of their attack. The group has been active since at least March 2021 and primarily targets Ukrainian entities with backdoors, information stealers, and fake ransomware delivered via phishing emails. The group's operators are also suspected of orchestrating attacks against North American and Western European organizations. CERT-UA is working with other cybersecurity organizations to isolate and investigate the cyber incident, which has not caused essential system failures or disruptions.
READ THE STORY: BleepingComputer
China’s calculation on supplying Russia with weapons
Analyst Comments: The events unfolding in Ukraine and their impact on global politics are of great significance. The possible escalation of the conflict due to China considering sending weapons to Russia is an alarming development that could further destabilize the region and could have serious implications for global security. Additionally, the increase in U.S. military support to Taiwan and the announcement of sweeping sanctions on Russia highlight the escalating tensions and shifting power dynamics in the region.
FROM THE MEDIA: U.S. officials say that they have intelligence suggesting that China is considering sending weapons to Russia, a move that could further escalate the ongoing conflict in Ukraine. This has led to the White House warning Beijing to back down, and there are reports that they may even go public with the information to build their case. Some experts believe that Beijing would have little to gain from such a move and that it could harm its relationship with Europe and the U.S. Further, it could lead to a significant deterioration in relations with the United States, which has called the shipment of weapons a "red line" in its own relationship with Beijing. However, other experts argue that China may decide to send weapons to Russia to prevent Moscow's forces from being successfully pushed back to pre-war borders by a U.S.-led coalition.
READ THE STORY: Politico
VMware warns admins of critical Carbon Black App Control flaw
FROM THE MEDIA: The incident of commercial radio stations in Russia being attacked by hackers, resulting in false broadcasts of an air raid and missile strike alert, is significant as it highlights the potential dangers of cyber attacks on critical infrastructure and public safety. The false information spread rapidly through social media, causing panic and confusion among the public. The incident raises questions about the motives and capabilities of the hackers responsible and emphasizes the need for improved cybersecurity measures to prevent such attacks in the future. It also serves as a reminder of the ongoing tensions between Russia and Ukraine, with the fake alerts coming just two days before the one-year anniversary of Russia's unprovoked attack on Ukraine.
READ THE STORY: BleepingComputer
Russia Hits Meta With Spam As Ukraine Conflict Takes On A Tech Dimension
FROM THE MEDIA: According to a report from Meta, Russia has turned to spammer techniques to promote propaganda for the Ukraine war after more sophisticated influence efforts on Facebook and Instagram were stopped. The tactics reportedly include establishing phony versions of reputable news outlet websites and using thousands of false accounts to disrupt online discussions on the war. The report notes that state media, such as TASS and Sputnik, have been substantially less active on Facebook and Instagram over the past year, and that there has been less engagement with their material. Notably, user engagement with false information published by the Russian state news agency decreased by more than 80%.
READ THE STORY: Republic World
The Security Perks and Perils of OpenAI on Microsoft Bing
FROM THE MEDIA: Microsoft's recent decision to integrate OpenAI into its Bing search engine has potential cybersecurity implications, according to industry experts. OpenAI integration could make it easier for cyber attackers to generate traffic to their malicious websites, evade search engine blocking, and propagate malvertising. However, OpenAI also gives cyber defenders an opportunity to perform better code analysis, making search engines a source of up-to-date information for threat intelligence analysts. Bing, using OpenAI technology, can offer tailored and timely results, while OpenAI's integration with Bing can simplify both searches and code analysis for cybersecurity professionals. Hackers can take advantage of OpenAI to circumvent search engine blocking and to direct users to malicious content. Despite this, experts believe that the benefits of OpenAI integration outweigh the risks, particularly as the integration matures and moderation improves.
READ THE STORY: BankInfoSec
Unanswered Questions Cloud the Recent Targeting of an Asian Research Org
FROM THE MEDIA: Symantec has uncovered a previously unknown threat actor it is calling "Clasiopa" that deploys a malware backdoor called "Atharvan" in attacks. The group has been using a range of stealth tactics to try to cover its tracks and make detection more difficult. However, its efforts haven't been perfect and have provided researchers with some leads that suggest the group may be based in India. The main motivation of Clasiopa's attack appears to be information theft or spying, and the group has been observed using brute-force attacks on public-facing servers to gain access. The attack highlights the importance of robust cybersecurity defenses for public-facing servers, particularly those storing sensitive information.
READ THE STORY: DARKReading
PureCrypter targets government entities through Discord
FROM THE MEDIA: The threat intelligence team at Menlo Labs has uncovered a previously unknown threat actor group that is distributing an evasive threat campaign via Discord. The campaign, which targets government entities, uses the PureCrypter downloader and a compromised non-profit organization's domain as a Command and Control (C2) server to deliver secondary malware payloads, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware. AgentTesla is an advanced backdoor that steals stored passwords from different browsers, logs clipboards, captures screenshots, and supports all versions of the Windows operating system. The group uses a process hollowing technique to inject AgentTesla's payload into a standard Windows process, cvtres.exe, and encrypts its config file using an XOR algorithm. The threat actor group uses FTP for data exfiltration and has used the same FTP server in campaigns that delivered malware via OneNote. Menlo Labs found that over half of the 106 samples they analyzed shared similar MITRE ATT&CK techniques, including defense evasion, process injection, virtualization/sandbox evasion, credential access, discovery, collection, command and control, and application layer protocol.
READ THE STORY: Security Boulevard
Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery
FROM THE MEDIA: Unknown threat actors have been using pirated versions of Apple's Final Cut Pro software to deliver the XMRig cryptocurrency mining tool onto victims' systems. Researchers from Jamf found that over 400 seeders have shared the weaponized software via torrents, potentially infecting hundreds of users. The malware author has been uploading pirated macOS software with the same crypto miner for over three years and has previously targeted pirated macOS versions of Logic Pro and Adobe Photoshop. The most recent malware is nearly invisible to malware scanners, uses the Invisible Internet Project (i2p) protocol for communication, and changes the process name to look identical to system processes, making detection difficult for users.
READ THE STORY: DARKReading
Wiper Malware Surges Ahead, Spiking 53% in 3 Months
FROM THE MEDIA: Fortinet has reported that the use of disk wipers in cyberattacks surged by 53% between Q3 and Q4 of 2022. Wiper activity had been almost non-existent until the last couple of years; since the Russia-Ukraine conflict began, financial cybercriminals, hacktivist groups, and others have joined Russia-based advanced persistent threat groups in using the malware. Fortinet identified 16 different families of wipers targeted at 25 countries in 2022 and has highlighted HermeticWiper, WhisperGate, NotPetya, DoubleZero, IsaacWiper, and Shamoon as some of the most widely used. A new breed of wipers is now being developed, including some which are open source and readily available to cybercriminals. Currently, the main motivation for wiper malware seems to be cyberwar and hacktivism, but cybercriminals could also use them to sabotage systems or to destroy evidence of a cybercrime.
READ THE STORY: DARKReading
TELUS investigating the leak of stolen source code, employee data
FROM THE MEDIA: TELUS, Canada's second-largest telecom, is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data, including private source code repositories and payroll records held by the company. The threat actor posted TELUS' employee list, comprising names and email addresses, for sale on a data breach forum. The same actor later offered to sell the company's private GitHub repositories, source code, and payroll records. TELUS has not yet confirmed whether an incident has occurred or ruled out a third-party vendor breach. The investigation continues, and the company has so far not found evidence of corporate or retail customer data being stolen.
READ THE STORY: BleepingComputer
New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency
FROM THE MEDIA: A malware campaign called S1deload Stealer is targeting Facebook and YouTube users with the aim of hijacking their accounts and using them to mine cryptocurrency. Cybersecurity firm Bitdefender has discovered that the malware uses DLL side-loading techniques to overcome security defenses and execute malicious components. It is spread through Facebook posts that offer adult-themed content in a ZIP archive; when the archive is extracted, its contents deploy the malware. S1deload Stealer can then capture saved credentials and cookies from web browsers, launch a headless Chrome browser to inflate YouTube video views, and steal cryptocurrency without the victim's knowledge. More than 600 unique users are thought to have been affected between July and December 2022.
READ THE STORY: THN
Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data
FROM THE MEDIA: ESET researchers have discovered a new backdoor named WinorDLL64 associated with Wslink, a malware downloader that was first observed in October 2021. The backdoor has been linked to the Lazarus Group due to code and behavior overlaps with previous Lazarus campaigns. WinorDLL64 is a fully-featured implant that is capable of exfiltrating, overwriting and deleting files, executing PowerShell commands, and obtaining comprehensive information about the underlying machine. Intrusions involving Wslink malware have been highly targeted, and only a few detections have been reported in Central Europe, North America, and the Middle East.
READ THE STORY: THN
New Hacking Cluster 'Clasiopa' Targeting Materials Research Organizations in Asia
FROM THE MEDIA: A new threat group called Clasiopa has been found targeting Asian materials research organizations, using a custom backdoor and modified version of the open-source Lilith remote access Trojan (RAT), among other tools, to exfiltrate sensitive information. It is not yet clear who is behind the group, with hints at Indian ties, including the use of "SAPTARISHI-ATHARVAN-101" in a custom backdoor and the password "iloveindea1998^_^" for a ZIP archive. However, researchers believe this could be a planted false flag. Symantec believes that the primary motivation of the group is to achieve persistent access to victim machines and information theft.
READ THE STORY: THN
Russian Troops Target Journalists, Media Infrastructure in Ukraine
FROM THE MEDIA: The war in Ukraine, now in its second year, has resulted in the deaths of over 8,000 Ukrainian civilians and 11 journalists, with 19 more journalists injured, according to the United Nations High Commissioner for Human Rights and a report by Reporters Without Borders (RSF). The RSF report details that journalists were targeted by gunfire and artillery fire with some executed in cold blood and at least 26 of the 50 journalists who came under fire were deliberately targeted. Russian forces have also targeted media infrastructure, including TV towers, and taken control of internet and mobile phone providers in the occupied territories, limiting residents’ access to news and information. The regime in Moscow has waged an information war, using cyber-attacks, social media threats, and attacks against media pages on social media. RSF has filed seven war crimes complaints with the International Criminal Court and the Ukrainian prosecutor-general.
READ THE STORY: OCCRP
Amazon gets the green light to launch the 3,000-satellite Kuiper constellation
FROM THE MEDIA: Amazon has been granted permission by the US Federal Communications Commission to construct a constellation of 3,236 satellites under its Project Kuiper plan, which aims to provide high-speed broadband connectivity worldwide. The satellites will have a seven-year operational lifetime and orbit at altitudes of about 365 miles, 380 miles, and 390 miles, and operate in Ka-band radio frequencies. The approval stipulates that half the satellites must be launched by July 2026 and the rest by mid-2029. Amazon has already booked up to 83 launches for the project and must provide semi-annual conjunction and space debris reports.
READ THE STORY: SPACE
The coming Chinese mega-constellation revolution
FROM THE MEDIA: China is planning to take on SpaceX's Starlink and OneWeb in the global satellite internet race with its Guowang constellation project, which was designated as a national "new infrastructure" project in 2020. The project supersedes China Aerospace Science and Industry Corp and China Aerospace Science and Technology Corp's smaller LEO communications constellations named Hongyan and Hongyun. According to reports, emerging Chinese commercial space companies will have a big role in the project, both in manufacturing satellites and launching them to orbit. Chinese private launch service providers have already noted the Guowang project as a potential source of revenue.
READ THE STORY: SN
Dutch Police arrest three ransomware actors extorting €2.5 million
FROM THE MEDIA: The Amsterdam cybercrime police team has arrested three men, aged between 18 and 21, for ransomware activity that allegedly generated €2.5 million from extorting small and large organizations in multiple countries. It is believed that the suspects attacked thousands of companies, including online shops, software firms, social media companies, and institutions connected to critical infrastructure and services, and demanded between €100,000 and €700,000 depending on the size of the hacked organization. The extortion involved threats of leaking the data or destroying the company's digital infrastructure. The Dutch police say that even when victims paid the ransom, the hackers still sold the stolen data online for extra profit. The hackers stole personal data belonging to tens of millions of individuals, including names, email addresses, telephone numbers, bank account numbers, credit card details, account passwords, license plates, and passport details, which can be used in phishing and social engineering attacks, and various fraudulent activities.
READ THE STORY: Bleeping Computer
LockBit gives up on Royal Mail ransom, leaks data and private chats
FROM THE MEDIA: LockBit, the ransomware group responsible for the breach of the UK's Royal Mail, has released the stolen data after the postal service refused to pay the $80 million ransom demand. The release of the files brings to a close weeks of negotiations between the two parties, leaving the postal service without a decryptor and LockBit without a payday. In addition to the files, the group has also released private chats between the two, showing a far steelier opposition to extortion than LockBit might have been expecting. The chat history also revealed that the postal service may have hired a professional negotiator to deal with the ransomware gang, indicating that organizations are upping their game to anticipate the growing threat from extortionists.
READ THE STORY: Cybernews
Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware
FROM THE MEDIA: Jamf Threat Labs has discovered that cybercriminals are using Trojanized versions of genuine apps, such as Final Cut Pro, to deploy evasive cryptocurrency mining malware on macOS systems. The malware uses the Invisible Internet Project (i2p) to download malicious components and send mined currency to the attacker's wallet. The source of the malware has been traced back to Pirate Bay, with the earliest uploads dating back to 2019. Apple has taken steps to combat such abuse by subjecting notarized apps to more stringent Gatekeeper checks in macOS Ventura, thereby preventing tampered apps from being launched, although the malware was still able to execute before the user received an error message.
READ THE STORY: THN
Items of interest
Hackers use ChatGPT phishing websites to infect users with malware
FROM THE MEDIA: As reported by threat intelligence firm Cyble, cybercriminals are setting up phishing websites that imitate the branding of a popular AI tool, ChatGPT, to spread malware and steal credit card information. The websites, promoted via an unofficial ChatGPT social media page, contained links to the fake websites of ChatGPT or its developer, OpenAI. When users clicked the “Download for Windows” or “Try ChatGPT” buttons, a malicious file with stealer malware was automatically downloaded to their devices, which could collect sensitive data without the victim’s knowledge. Researchers also found that the phishing sites distributed malware families such as Lumma Stealer, Aurora Stealer, and clipper malware designed to target cryptocurrency transactions.
READ THE STORY: The Record
Roadmap to ChatGPT and AI mastery (Video)
FROM THE MEDIA: Mike Pound continues the conversation about AI and machine learning, recognizing that while these technologies have a lot of potential, there are also challenges and concerns that need to be addressed. He emphasizes the importance of computer science education, which will be key in addressing some of these challenges and ensuring that AI is used in a responsible and ethical way.
Analysing Data with ChatGPT (Data Analysis and ML ) (Video)
FROM THE MEDIA: Jesse demonstrates how to use ChatGPT to perform some data analysis without the need to use pandas. Instead, ChatGPT generates the HTML behind the scenes to create a table with the desired results. Jesse emphasizes that ChatGPT is not simply selecting and presenting data, but actually performing the necessary steps to create the final output.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.