Wednesday, March 08, 2023 // (IG): BB // Cyber-Roundup// Coffee for Bob
ASML chief warns of IP theft risks amid chip sanctions
Analyst Comments: Due to US sanctions, China is being compelled to develop its own semiconductor industry. This has prompted the country to invest heavily in domestic chipmaking capabilities, potentially allowing a lower cost of entry into the semiconductor market. However, intellectual property (IP) theft poses a risk to the industry. Companies must intensify their efforts to protect their IP, as theft decreases research and development time and cost, allowing for easier entry into the market. ASML, the only manufacturer capable of producing highly advanced EUV machines, finds itself embroiled in the trade war between the US and China, potentially limiting its ability to sell equipment to China.
FROM THE MEDIA: ASML's CEO, Peter Wennink, stated that he is currently taking extra precautions to guard against intellectual property theft more than ever before. He pointed to increasing restrictions being placed on China's ability to acquire cutting-edge chips and semiconductor equipment by the United States, Europe, and Japan, citing a geopolitical tussle that has forced China to strengthen its homegrown semiconductor industry. Wennink stated that this situation is reminiscent of the oil crisis of 1973, as chips have become a strategic commodity like oil. ASML, Europe's largest tech company, is a key supplier to the world's biggest semiconductor manufacturers, and Wennink said that it must increase its spending on cybersecurity and intellectual property protection every year. ASML recently revealed that an employee in China had stolen information about its technology, raising concerns in Washington that China may use nefarious methods to bypass western sanctions and establish its own chip sector. ASML has been entangled in the trade war between the US and China since 2019, and the latest round of trilateral controls is expected to further limit ASML's ability to sell its equipment to China.
READ THE STORY: FT
Forget the regulatory red herring: Here’s what the National Cybersecurity Strategy is really telling us
Analyst Comments: The National Cybersecurity Strategy released by the ONCD highlights the need for a paradigm shift in the regulatory landscape and emphasizes greater public-private sector collaboration to tackle cyber risks. It identifies the need for better liability and responsibility allocation and advocates for long-term investments in cybersecurity. The strategy calls for greater coordination between industry, academia, nonprofits, and government agencies to build the cyber workforce of the future.
FROM THE MEDIA: The strategy establishes a new approach to accountability, calling for a continuum of responsibility and liability to pressure owners and operators of systems to defend cyberspace and make long-term investments. The document identifies the need to consider cross-border requirements to prevent them from "impeding digital trade flows" and commits to tackling the complicated issue of regulatory harmonization. It also emphasizes the need for building the cyber workforce of the future and the importance of partnerships with foreign nations to address ransomware challenges. The strategy makes it clear that China is the "broadest, most active, and most persistent threat" to both government and private sector networks, and emphasizes the importance of disrupting adversary networks to balance the burden of cyber defense and accountability. The strategy is a thesis statement for the coming years and requires unified, coordinated, whole-of-community action to be implemented effectively.
READ THE STORY: The Hill
Russian group targets Kremlin critics with doctored YouTube videos
Analyst Comments: This approach is similar to the active measures employed by the Soviet Union during the Cold War to influence public opinion and discredit their opponents. The use of edited recordings to make the targets appear foolish or not credible is a deliberate attempt to undermine their message and harm their reputation. These threat groups are clearly targeting individuals who have been vocal in their opposition to Russia's invasion of Ukraine, and by doing so, they are attempting to manipulate public opinion in favor of the Kremlin.
FROM THE MEDIA: Proofpoint, a cyber watchdog, has warned that two threat groups, known as Vovan and Lexus, are targeting high-profile Westerners who speak out against the Kremlin, tricking them into recorded conversations. These are edited to make the subject appear foolish or not credible and posted on YouTube and other platforms, in apparent reprisal for opposing the Kremlin’s war. Vovan and Lexus apparently use social engineering to go after targets, impersonating senior Ukrainian politicians to lure victims into a false sense of security. Proofpoint has tracked these two groups, which together form the composite entity codenamed TA499, as a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021.
READ THE STORY: Cybernews
Internal documents show Mexican army used spyware against civilians, set up secret military intelligence unit
Analyst Comments: The report underscores the risks of government surveillance abuse and its potential impact on freedom of speech and expression. It highlights the need for strong regulations and protection of digital rights to prevent such abuses and protect individuals from potential harm. Given Mexico's ongoing struggle with cartels and organized crime, the threat of government surveillance abuse is particularly concerning and raises important questions about the balance between security and privacy.
FROM THE MEDIA: Digital rights groups R3D and Citizen Lab have updated their report on Mexican government surveillance. They found evidence linking the Mexican army to the purchase and deployment of Pegasus spyware against journalists and a human rights advocate. Internal classified documents released as part of last year's Guacamaya hack-and-leak operation confirm the connection between the military and the spyware. The documents also reveal the existence of a previously unknown military intelligence agency called CMI, which spied on the human rights advocate investigating a suspected extrajudicial killing by the army in 2020. The revelations demonstrate the government's illegal surveillance of civilians and highlight the importance of investigating and pushing back against surveillance in Mexico.
READ THE STORY: The Record
Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments
Analyst Comments: The fact that the Chinese threat actor Sharp Panda is using a new version of the Soul modular framework shows that they are willing to change their techniques, as it is different from their attack chains in 2021. The use of a geofenced command-and-control server that only responds to requests originating from IP addresses corresponding to the targeted countries demonstrates the group's focused approach. This highlights the need for stronger international cybersecurity collaboration to effectively defend against such attacks, as tool-sharing is prevalent among Chinese advanced persistent threat (APT) groups.
FROM THE MEDIA: Chinese threat actor Sharp Panda has been conducting a long-running cyber espionage campaign against high-profile government entities in Southeast Asia since late last year. The campaign is characterized by the use of a new version of the Soul modular framework and targets countries such as Vietnam, Thailand, and Indonesia. The attack begins with a spear-phishing email containing a lure document that drops a downloader and exploits vulnerabilities in the Microsoft Equation Editor. The downloader retrieves a loader known as SoulSearcher from a geofenced command-and-control server and downloads, decrypts, and executes the Soul backdoor and its other components to harvest a wide range of information. The use of the Soul backdoor has been previously documented by Broadcom's Symantec in October 2021 in connection to an unattributed espionage operation targeting defense, healthcare, and ICT sectors in Southeast Asia. The findings highlight the prevalence of tool sharing among Chinese APT groups and the threat of cyber espionage to government entities in the region.
READ THE STORY: THN
SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms
Analyst Comments: SYS01stealer is specifically targeting critical government infrastructure employees, manufacturing companies, and other sectors. The attackers are using sophisticated tactics, such as fake Facebook profiles and advertisements, to lure victims into downloading a malicious file that is disguised as cracked software or adult-themed content. I’m not sure who is looking at “adult-themed” content in the office but apparently several.
FROM THE MEDIA: The attackers are targeting Facebook business accounts using Google ads and fake profiles to lure victims into downloading a malicious file that steals sensitive information, including login data, cookies, and Facebook ad and business account information. The attackers use a fake Facebook profile or advertisement to lure a victim into clicking a URL to download a ZIP archive that contains a loader vulnerable to DLL side-loading, making it possible to load a malicious dynamic link library (DLL) file alongside the app. All roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware. The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers, exfiltrate the victim's Facebook information to a remote server, and download and run arbitrary files. The development comes as Bitdefender revealed a similar stealer campaign known as S1deload that hijacks users' Facebook and YouTube accounts and leverages the compromised systems to mine cryptocurrency.
READ THE STORY: THN
Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps
Analyst Comments: Transparent Tribe is a suspected advanced persistent threat (APT) group that has been linked to cyber espionage campaigns targeting government organizations and individuals in India and Pakistan. The group is also known as APT36, Operation C-Major, and Mythic Leopard.
FROM THE MEDIA: A suspected Pakistani advanced persistent threat (APT) group known as Transparent Tribe has been conducting a cyber espionage campaign that targets Indian and Pakistani Android users with a backdoor called CapraRAT. The group reportedly distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp. The malware was available to download from fake websites that masqueraded as the official distribution centers of these apps. Slovak cybersecurity firm ESET states that as many as 150 victims, likely with military or political leanings, are estimated to have been targeted. The targets are believed to be lured through a honeytrap romance scam wherein the threat actor approaches the victims via another platform and persuades them to install the malware-laced apps under the pretext of "secure" messaging and calling. The CapraRAT backdoor has an extensive set of features that allows it to take screenshots and photos, record phone calls and surrounding audio, and exfiltrate other sensitive information.
READ THE STORY: THN
BlackMamba: Using AI to Generate Polymorphic Malware
Analyst Comments: Polymorphic malware is malware that can change its code to evade detection by antivirus and other security software, and the use of AI can make it even more difficult to detect and defend against. The ability of this type of malware to modify its code at runtime and eliminate the need for a command-and-control infrastructure makes it even more dangerous.
FROM THE MEDIA: The introduction of ChatGPT has made neural network code synthesis freely available, which can be used to develop new software programs, including malware. Polymorphic malware is emerging as a new breed of cyber threat, which can combine highly detectable behaviors in an unusual way to evade detection by traditional security solutions. AI-generated malware poses an even greater threat, as the methods it chooses may be highly atypical compared to those used by human threat actors. Researchers have built a proof-of-concept malware called BlackMamba that utilizes intelligent automation to synthesize new malware variants and eliminate the need for a command-and-control channel, making it virtually undetectable by predictive security solutions. The malware can be distributed via links in emails, social engineering schemes, and other typical methods. Organizations must remain vigilant and adapt to new threats by operationalizing cutting-edge research being conducted in this space.
READ THE STORY: Security Boulevard
RT On Facebook: How Sanctions Are Circumvented
Analyst Comments: Digital sanctions can be effective in limiting the spread of disinformation and propaganda by nation-state trolls, but they may not completely stop them. Sanctions like blocking websites or social media accounts can make it more difficult for nation-state trolls to spread their messages, but they can still find ways to get around the sanctions, such as using tools like VPNs. Additionally, troll factories and fake accounts can make it more difficult to control the spread of disinformation and propaganda. However, digital sanctions can still be an important tool in combating the influence of nation-state trolls and limiting their impact.
FROM THE MEDIA: The German-language offshoot of Russia Today (RT), known as "RT DE," has continued to spread on Facebook and other platforms despite being sanctioned by the European Union (EU) a year ago. RT DE's content has been shared on Facebook or Instagram over 14,000 times since the beginning of March 2022 and generated around 250,000 interactions within a year, according to a new data analysis by WDR, NDR, "Süddeutsche Zeitung," and "Debunk.Org." Facebook only "geo-blocked" the RT DE account, making it inaccessible to German users, but did not delete it. However, users can easily circumvent the block by using a virtual private network (VPN) that pretends to be a user from another country. Björnstjern Baade, a private lecturer at Freie Universität Berlin, sees the sanctions as a clear obligation to completely block and delete RT content, which is prohibited from being distributed by all operators under EU regulation. The distribution of RT content by politicians, including a dozen groups and individuals linked to the far-right Alternative for Germany (AfD), is considered part of Russia's strategy and dangerous. Investigative journalist Ksenia Klotschkowa has given an insight into how troll factories work in Russia, where troll farms and fake accounts spread disinformation and propaganda.
READ THE STORY: Globe echo
What we learned at Optus from being hacked
FROM THE MEDIA: The attack was pre-meditated and undertaken by a motivated, skilled cyber criminal who crafted the attack just for Optus. The author notes that cybercrime is a growing threat, costing the world more than $2 trillion this year, and is often state-sanctioned or state-ignored. The article suggests three things we can all do to make a difference together, including cultivating great tech talent, better understanding how the way we use data ascribes value to it, and working together to keep ahead of the criminals. The author also emphasizes the importance of responding quickly and with the goal to protect customers from harm, as Optus did when it realized it was under attack. Despite the scale of data believed to be accessed, Optus was able to protect customers from financial loss or falling victim to a crime through misuse of their data.
READ THE STORY: AFR
Studying Ukraine war, China's military minds fret over US missiles, Starlink
FROM THE MEDIA: Chinese military researchers are studying Russia's struggles in Ukraine to plan for possible conflict with U.S.-led forces in Asia. They have been reviewing almost 100 articles in more than 20 defense journals to scrutinize the impact of U.S. weapons and technology that could be deployed against Chinese forces in a war over Taiwan. China needs the capability to shoot down low-earth-orbit Starlink satellites and defend tanks and helicopters against shoulder-fired Javelin missiles, according to these researchers. The publicly available journal articles are more candid in their assessments of Russian shortcomings. They reflect the work of hundreds of researchers across a network of People's Liberation Army (PLA)-linked universities, state-owned weapons manufacturers, and military intelligence think tanks.
READ THE STORY: Reuters
What does Xi Jinping’s tighter regulatory grip on China mean for business
FROM THE MEDIA: China is making sweeping changes to financial and tech regulation in an effort to shore up financial stability at home and compete in an intense rivalry with the US over technology. These changes include the replacement of China’s banking watchdog with a new agency to oversee the financial sector, which will take over some of the supervisory functions of the People’s Bank of China. The securities market will be handled as before, but everything else will fall under the remit of a new national financial regulatory administration. The government will also create a national data administration to utilize the country’s vast troves of information and lead the digitalization of the economy and state. The restructuring aims to centralize party control over the country’s tech development efforts and create a new type of whole-country system for achieving breakthroughs.
READ THE STORY: FT
NSA chief warns of TikTok’s broad influence
FROM THE MEDIA: NSA Director General Paul Nakasone expressed concern about the influence that Chinese-owned video app TikTok has on its users, during a hearing at the Senate Armed Services Committee. Nakasone highlighted concerns about the data that TikTok holds, the algorithm and who controls it, and the platform’s influence operations. He also mentioned that such a large population of listeners could turn off the message. The comments came on the same day that Democratic senators unveiled legislation giving the federal government more power to regulate or ban technology tied to foreign adversaries. The RESTRICT Act is sponsored by Sens. Mark Warner (D-Va.) and John Thune (R-S.D.).
READ THE STORY: The Hill
TSA issues emergency cybersecurity mandates for the aviation sector
FROM THE MEDIA: The Transportation Security Administration (TSA) has amended security directives for airport and aircraft operators to address persistent cybersecurity threats against US infrastructure, including the aviation sector. Regulated entities in the aviation sector must now develop plans to strengthen the resilience of their digital networks and infrastructure in the face of ongoing cyberattacks. The requirements include segmenting network activity, implementing access controls, monitoring for cybersecurity threats, timely patching of vulnerable systems, and testing the effectiveness of protections. The move represents the latest effort by federal agencies under the Biden administration to establish baseline cybersecurity rules for critical infrastructure sectors that underpin essential services to Americans.
READ THE STORY: SCMAG
Belgian Greens want Wagner Group added to EU terrorist list
FROM THE MEDIA: Belgium's Green parties Ecolo and Groen have called for the inclusion of the Russian paramilitary group Wagner Group on the European list of terrorist organizations, with a motion tabled in the Belgian Chamber of Representatives. The group, accused of war crimes, operates particularly in Syria and Mali, as well as in Ukraine, where around 50,000 Wagner mercenaries are active. The group was recently labeled an international criminal organization by the US and subject to European Union individual sanctions. The Belgian resolution would make supporting the group a crime and must be initiated by a member state.
READ THE STORY: Euractiv
Emotet malware attacks return after a three-month break
FROM THE MEDIA: The Emotet malware operation has resumed its spamming of malicious emails after a three-month break, infecting devices worldwide. Emotet is distributed through emails containing malicious Microsoft Word and Excel document attachments, which download and load the Emotet DLL into memory once macros are enabled. The malware then waits for instructions from a remote command and control server and steals victims' emails and contacts or downloads additional payloads. Emotet's spamming began at 7:00 AM ET with volumes remaining low, using emails that pretend to be invoices and ZIP archives containing inflated Word documents that are over 500MB in size. The malware has been padded to hinder antivirus software from detecting it as malicious, and when running, the malware will await commands that will likely install further payloads on the device. However, Microsoft's recent change, which disabled macros by default in Microsoft Office documents downloaded from the Internet, is expected to hinder the malware's success in its current method.
READ THE STORY: Bleeping Computer
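Added example (not from the original reporting or from any vendor's tooling): a mail-gateway style triage check for the padded-document pattern described above, reading only the ZIP's declared sizes so nothing is extracted. The 500MB limit comes from the story; the extension list, the ratio threshold, and the zero-byte padding in the constructed sample are assumptions for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Office document extensions to inspect (assumed list, adjust to local policy).
DOC_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")
SIZE_LIMIT = 500 * 1024 * 1024   # "over 500MB" per the story
RATIO_LIMIT = 100                # assumed threshold: real documents rarely compress 100:1


@dataclass
class Finding:
    name: str
    declared_size: int
    compressed_size: int
    ratio: float
    reasons: list = field(default_factory=list)


def triage_zip(data: bytes, size_limit: int = SIZE_LIMIT,
               ratio_limit: float = RATIO_LIMIT) -> list:
    """Flag Office documents inside a ZIP whose declared size or compression
    ratio suggests padding. Only archive metadata is read; no entry is
    decompressed, so a huge member cannot exhaust memory or disk here.
    Raises zipfile.BadZipFile if the attachment is not a valid ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(DOC_EXTENSIONS):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size > size_limit:
                reasons.append("declared size exceeds limit")
            if ratio > ratio_limit:
                reasons.append("compression ratio exceeds limit")
            if reasons:
                findings.append(Finding(info.filename, info.file_size,
                                        info.compress_size, ratio, reasons))
    return findings


def build_sample(pad_bytes: int) -> bytes:
    """Constructed sample: a ZIP holding a fake 'invoice.doc' (OLE magic bytes,
    a short body, then pad_bytes of zeros) and an unrelated text file."""
    body = b"\xd0\xcf\x11\xe0" + bytes(range(256)) + b"\x00" * pad_bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", body)
        zf.writestr("readme.txt", "constructed sample, not real malware")
    return buf.getvalue()


if __name__ == "__main__":
    # Scaled-down demonstration: 2 MiB of padding against a 1 MiB limit.
    sample = build_sample(2 * 1024 * 1024)
    print("attachment size on the wire:", len(sample), "bytes")
    for f in triage_zip(sample, size_limit=1024 * 1024):
        print(f.name, f.declared_size, f"{f.ratio:.0f}:1", f.reasons)
```

Declared sizes are written by whoever built the archive, so treat this as a cheap pre-filter ahead of sandboxing, not as a verdict.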
Remcos RAT Spyware Scurries Into Machines via Cloud Servers
FROM THE MEDIA: A new phishing campaign targeting organizations in Eastern Europe has been discovered, using an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), allowing the attackers to perform cyber-espionage across the region. The campaign uses emails that appear to come from legitimate institutions in the targeted country to lure victims, relying on the reputations of the organizations to trick users. The emails contain attachments that typically masquerade as financial documents, such as invoices or tender documentation, and when a user decompresses the attachment and runs the executable within, the DBatLoader malware loader downloads and executes an obfuscated second-stage payload from a public cloud location to bypass Windows UAC and drop the RAT. Researchers have recommended vigilance against malicious network requests to public cloud instances, monitoring for suspicious file creation activities, and configuring Windows UAC to "always notify" to avoid compromise.
READ THE STORY: DARKReading
Darktrace’s plan to protect critical infrastructure: think like an attacker
FROM THE MEDIA: Cyberattacks on critical infrastructure have become a growing concern since the annexation of Crimea in 2014, leading to a sustained barrage of attacks by Russian-linked groups on infrastructure in Ukraine. The country suffered the first confirmed hack to take down a power grid the following year, and attacks have continued since Russia’s full-scale invasion began in February 2022. Cybersecurity firms are experimenting with various defensive methods to mitigate the threats, with Darktrace applying AI to think like an attacker in its new product Prevent/OT, which identifies routes adversaries take to target critical infrastructure. The software visualizes potential pathways to assets, enabling defenders to harden their environments and prevent attacks before they happen.
READ THE STORY: TNW
Space Force eyes True Anomaly’s satellite ‘pursuit’ capability for ops, training
FROM THE MEDIA: True Anomaly, a Colorado-based start-up, has received funding from the US Space Force for its software, which uses artificial intelligence to track and image adversary spacecraft. The software can be used as a training environment and for wargaming, according to CEO Even Rogers. The company is also developing a new kind of satellite, called Jackal, which can track other spacecraft and pursue them if they try to escape. Rogers said the company's focus is to keep space safe by monitoring the locations of moving craft, such as those already demonstrated by China and Russia, and that the company is using its own funding to develop the Jackal spacecraft.
READ THE STORY: BreakingDefense
Cyberattacks Are Just One Part of Hybrid Warfare
FROM THE MEDIA: Hybrid warfare is the mixing of conventional and unconventional tactics, such as cyberattacks, disinformation, propaganda, and the use of irregular forces, which blur the lines between war and peace and attempt to sow doubt in the minds of target populations. In the Russia-Ukraine war, hybrid warfare has been used in the form of an automated wave of internet traffic that knocked Ukrainian banks and government agencies offline, as well as disinformation campaigns and sabotage of pipelines. The hallmarks of cyberwarfare include attacks on data centers, bank records, and essential services like telecommunications and electricity. The Council on Foreign Relations has identified China, Russia, Iran, and North Korea as behind more than three-quarters of cyberattacks. While the Tallinn Manual attempts to apply rules of war to cyber warfare, there are no official regulations in place. To counter hybrid threats, the European Center of Excellence for Countering Hybrid Threats conducts simulations and exercises to make member states less vulnerable and more resilient to attacks, and the US has passed a law to expedite and centralize reporting of cyberattacks that target critical infrastructure.
READ THE STORY: The Washington Post
Items of interest
Dismantling the Ransomware Business Model
FROM THE MEDIA: U.S. Congressman Josh Gottheimer, joined by New Jersey's cybersecurity agency, has raised concerns about the threats that TikTok and the Chinese Communist Party pose to the safety of American citizens, data, and national security. The Congressman argued that TikTok, with over 100 million monthly active users, collects far-reaching and sophisticated data from its users, including usernames, passwords, personally identifiable information, pictures, and videos of millions of Americans, which could be leveraged by the Chinese government to breach U.S. institutions, steal intellectual property, collect data, and access the systems that control critical infrastructure. The Congressman also highlighted the addictive qualities of TikTok, which could have a negative impact on children's mental health. In addition, Chinese law obligates TikTok's parent company to "support, assist, and cooperate with state intelligence work." Gottheimer is pushing for legislation that would grant the President the power to ban TikTok in the United States or force the sale of its U.S. operations to an American company if the President believes there is continued data collection and a clear threat to national security.
READ THE STORY: Security Boulevard
OT and ICS cyber security (Video)
FROM THE MEDIA: The proprietary interface and difficulty in obtaining security patches make these systems more vulnerable to cyber-attacks. The video highlights major cyber attacks against these systems and offers mitigation strategies such as using firewalls, encryption algorithms, and network monitoring systems. The video also discusses common OT/ICS cyber attacks, such as insider attacks, ransomware attacks, and cell phone Wi-Fi attacks. The importance of segmentation strategy and strong identity access management solutions is emphasized to protect the critical infrastructure.
What Every Pen Tester Needs to Know About ICS (Video)
FROM THE MEDIA: There are misconceptions about ICS, such as that it is totally arcane and requires specialized training. The speaker debunks these misconceptions and urges the audience to take the time to learn more about ICS. The speaker also discusses the potential consequences of a cyberattack on ICS and the importance of securing these systems. Finally, the speaker encourages the audience to learn about ICS by doing their own analysis and investigation.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.