Thursday, March 16, 2023 // (IG): BB // Cyber-Roundup// Coffee for Bob
This Is the New Leader of Russia’s Infamous Sandworm Hacking Unit
Analyst Comments: The identification of Evgenii Serebriakov as the commander of Sandworm is significant in the military intelligence community, as it highlights the continued threat of cyberattacks from Russia's GRU military intelligence agency. His role in leading Sandworm, one of the world's most prolific cyberwar groups, indicates that he is a valuable asset to the GRU. His rise to leadership, despite being previously identified and indicted, highlights the GRU's disregard for the rule of law and international norms in cyberspace. The fact that relatively few people serve as key players in high-profile state-sponsored hacking operations indicates the need for greater vigilance and international cooperation in countering the cyber threats posed by state actors.
FROM THE MEDIA: The commander of Sandworm, a notorious division of Russia's GRU military intelligence agency responsible for many of the most aggressive campaigns of cyberwar and sabotage, has been identified by Western intelligence sources. The commander is an official named Evgenii Serebriakov, who was indicted in 2018 along with six other GRU agents after being caught in a close-range cyber espionage operation in the Netherlands targeting the Organization for the Prohibition of Chemical Weapons in The Hague. Despite being caught, he was placed in charge of Sandworm in the spring of 2022 after serving as the deputy commander of APT28, also known as Fancy Bear. Sandworm is responsible for many of the world's worst cyberattacks, including NotPetya, self-replicating code that spread to networks worldwide and inflicted $10 billion in damage. Sandworm has focused its efforts on Ukraine since Russia's invasion a year ago. Serebriakov's rise to leadership suggests he is regarded as having good connections to the security research community and strong technical skills, despite being caught in the 2018 Netherlands operation.
READ THE STORY: Wired
‘Prolific’ crypto money laundering platform ChipMixer shuttered by Germany, US
Analyst Comments: This platform allegedly processed more than $700 million in stolen funds, including some from heists against cryptocurrency platforms allegedly perpetrated by North Korea’s Lazarus Group. The mixer also attracted more than $200 million linked to purchases on darknet marketplaces and more than $35 million in bitcoin associated either directly or through intermediaries with fraud shops. The operation involved agencies in Germany, Poland, Belgium, Sweden, and the U.S., indicating a coordinated effort to tackle global financial crime.
FROM THE MEDIA: European and U.S. authorities have jointly taken down a cryptocurrency mixing platform named ChipMixer and arrested Minh Quốc Nguyễn, a Vietnamese man who allegedly operated the service. The authorities seized four servers and around $46.5 million worth of Bitcoin. The DOJ accused ChipMixer of being involved in money laundering worth more than $3 billion since 2017, which facilitated ransomware attacks, state-sponsored crypto-heists, and darknet purchases across the globe. Cryptocurrency mixers are used to mix funds into a common pool, making their origins difficult to follow, and nearly a quarter of the $7.8 billion that went through a mixer in 2022 was for illicit purposes, according to blockchain data firm Chainalysis. ChipMixer allegedly received bitcoin from the Russian Main Intelligence Directorate (GRU) and other Kremlin hacking groups to purchase malware tools related to the Drovorub malware, a Linux malware toolset publicly disclosed by the U.S. government in 2020.
READ THE STORY: The Record
What's Wrong with Manufacturing?
Analyst Comments: The sector's weakness can be seen in its low cybersecurity ranking, which places it fifth or sixth among the weakest industries. Although attackers may not be intentionally targeting manufacturing businesses, the sector's vulnerabilities make it a prime target for cyber extortion. For instance, attackers may use ransomware to encrypt a manufacturer's sensitive data and demand a ransom in exchange for the decryption key. Other cyber threats in the manufacturing industry include supply chain attacks, industrial espionage, and intellectual property theft. Therefore, manufacturing businesses should prioritize cybersecurity measures to protect themselves from cyber extortion and other cyber threats.
FROM THE MEDIA: The manufacturing industry is the most impacted industry in the Cyber Extortion dataset, representing over 20% of all victims since monitoring double-extortion leak sites began in early 2020. However, the explanation for this phenomenon is not clear, as manufacturing does not appear to have more confirmed security vulnerabilities per IT asset than other industries. Additionally, while a tempting assumption is that manufacturing is compromised more often via insecure Operational Technology (OT) or Internet of Things (IoT) systems, the data does not support this theory. Rather, it appears that attackers are opportunistic, compromising vulnerable businesses regardless of industry. While the manufacturing industry does appear to have a high number of victims, this may reflect the sector's overall vulnerability rather than any deliberate targeting by attackers.
READ THE STORY: THN
Cybercriminals register new domains to prey on SVB, Credit Suisse victims
Analyst Comments: Financially motivated threat actors are taking advantage of the news of SVB's collapse to execute phishing scams and malware lures. The use of newly registered domains that can be used in phishing attacks raises concerns about the security of financial accounts and the potential loss of sensitive information. The fact that cybercriminals are also creating domains for competing banks indicates a trend that could be replicated in future attacks. The fallout from Signature Bank's failure and issues surrounding Credit Suisse are likely to lead to similar cyber threats, highlighting the need for extra due diligence with any requests to update bank account information.
FROM THE MEDIA: Risk intelligence company Flashpoint has identified around 20 malicious domains that cybercriminals have registered to look like legitimate pages affiliated with Silicon Valley Bank (SVB), following the bank's collapse. Threat actors have also created domains for competing banks, such as Revolut. The new domains may be used in phishing attacks to collect sensitive information or coerce victims into sharing information or sending funds to actor-controlled accounts. Flashpoint recommends extra due diligence with any requests to update bank account information. The fallout from Signature Bank's failure and issues surrounding Credit Suisse are likely to lead to similar cyber threats.
READ THE STORY: ITWire
Russian Hackers Step Up Cyber Espionage Against Ukraine and Allies, Microsoft Says
Analyst Comments: Russia is using cyber espionage to extend its reach beyond Ukraine and target countries allied with Ukraine. The fact that NATO member countries were also targeted raises concerns about the potential for this cyber warfare to escalate into a larger conflict. The successful hacking rate of about 29% and the potential theft of sensitive data highlight the need for increased cybersecurity measures to protect critical infrastructure providers and government agencies. The indication that cyberattacks laid the groundwork for military missions in Ukraine raises concerns that this combined kinetic and cyber warfare strategy could become a model for future conflicts.
FROM THE MEDIA: According to a report by Microsoft, Russian government hackers have conducted multiple cyber spy operations on countries allied with Ukraine since Moscow's February invasion of Ukraine. The report found that 128 organizations in 42 countries outside Ukraine were targeted by the same groups in stealthy, espionage-focused hacks, including member countries of the military alliance NATO. The report indicated that the target appeared to be mostly governments, think tanks, humanitarian groups, and critical infrastructure providers, with a successful hacking rate of about 29%. Microsoft's earlier report indicated that cyberattacks laid the groundwork for military missions in Ukraine.
READ THE STORY: WSJ
‘Multiple Threat Actors’ Used Old Exploit to Access Federal Agency Servers
Analyst Comments: At least one federal agency was vulnerable to hacking groups exploiting old vulnerabilities in software development and design products. The fact that at least two hacking groups were able to gain access to the agency's servers highlights the need for increased cybersecurity measures to prevent future breaches. The use of old vulnerabilities to exploit agencies underscores the importance of keeping software up to date and patching known vulnerabilities to prevent exploitation. The fact that hackers were able to upload malware to the affected agency's servers highlights the need for improved intrusion detection and response capabilities to detect and neutralize malicious activity.
FROM THE MEDIA: According to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), at least two hacking groups were able to gain access to at least one federal agency's servers between November 2022 and early January through an old vulnerability in a software development and design product. The hackers used a vulnerability in old versions of Telerik UI, a software development kit for designing apps, which, when exploited, allows attackers to execute code. Although the hackers were not able to gain privileged access or move deeper into the network, they were able to upload malware to the affected agency's servers. The alert mentions two threat actors, including an APT actor. The alert urged users to patch the software and limit unnecessary permissions associated with the service.
READ THE STORY: NEXTGOV
Chinese Silkloader cyber attack tool falls into Russian hands
Analyst Comments: The sharing of Silkloader among cybercriminals in the Eurasian region is a significant development. It reveals how tools are acquired or shared between groups, firming up links between them, and demonstrates the challenges of countering financially motivated cybercrime. The tool's adoption by Russian-speaking ransomware operators suggests that it could become a staple in the cybercriminal arsenal, enabling them to evade detection mechanisms and launch attacks successfully. The potential for Silkloader to be distributed widely as an off-the-shelf loader through a packer-as-a-service program to ransomware groups or via groups offering Cobalt Strike/infrastructure as a service to trusted affiliates means it poses a significant threat to organizations globally.
FROM THE MEDIA: Threat researchers at WithSecure have reported on the sharing of cyber tools by criminal gangs across the historic Silk Roads of Eurasia. They discovered a Chinese-developed tool, Silkloader, being adopted by Russian-speaking ransomware operators. Silkloader is a beacon loader that abuses VLC Media Player to load and launch the Cobalt Strike command-and-control framework, enabling attackers to evade defense mechanisms. After being exclusively deployed by financially motivated Chinese actors against targets in East Asia, Silkloader has been distributed within the Russian cybercrime ecosystem, most likely through a packer-as-a-service program or via groups offering Cobalt Strike/infrastructure as a service to trusted affiliates. The report highlights the challenges of countering financially motivated cybercrime, as attackers are using the industry to acquire new capabilities and technologies, enabling them to adapt quickly to their targets' defenses.
READ THE STORY: ComputerWeekly
How Africans Are Using Bitcoin Without Internet Access
Analyst Comments: Machankura presents a significant opportunity for bitcoin peer-to-peer transactions for Africans without reliable internet access, with approximately 2,900 African users in over seven countries already using it. The low internet penetration in Africa presents opportunities for technologists to build tools for rural and developing areas. However, there are significant obstacles: USSD does not use encrypted messages, Machankura is currently custodial, and USSD requests are forwarded to Machankura's servers by a third party. The Machankura team is actively working to overcome these challenges, making Machankura a potentially significant innovation for bitcoin peer-to-peer transactions for Africans without reliable internet access.
FROM THE MEDIA: South African software developer Kgothatso Ngako created a tool called Machankura in 2022, which allows bitcoin peer-to-peer transactions for Africans without reliable internet access. The solution uses the Unstructured Supplementary Service Data (USSD) protocol to access the Lightning Network over the mobile telecommunication network, using the phone's Subscriber Identity Module (SIM). Machankura is being used by approximately 2,900 African users in over seven countries. Despite the growing tech industry in Africa, internet penetration remains low, presenting opportunities for technologists to build tools for rural and developing areas. The USSD protocol forwards requests to online applications, which bitcoin users can reach by dialing a code. Machankura offers a Lightning-friendly bitcoin wallet and the ability to "barter BTC." However, USSD does not use encrypted messages, Machankura is currently custodial, and USSD requests are forwarded to Machankura's servers by a third party; these are centralized platforms that could potentially be forced by the government to take down the service.
READ THE STORY: Forbes
Hacker selling data allegedly stolen in US Marshals Service hack
Analyst Comments: The sale of allegedly stolen USMS data on a hacking forum is a significant threat to national security. The data potentially includes sensitive information about convicts, gang leaders, and cartels, as well as details about witnesses in the witness protection program. The sale of this information on the dark web increases the risk of targeted attacks against USMS employees and assets. The breach underscores the importance of cybersecurity measures to protect sensitive government data from cyber criminals.
FROM THE MEDIA: A threat actor is selling hundreds of gigabytes of data allegedly stolen from U.S. Marshals Service (USMS) servers on a Russian-speaking hacking forum. The database, sold for $150,000, allegedly contains "documents from file servers and work computers from 2021 to February 2023" and includes aerial footage and photos of military bases and high-security areas, copies of passports and identification documents, and details on wiretapping and surveillance of citizens. The files also contain information on convicts, gang leaders, and cartels, as well as details about witnesses in the witness protection program. USMS confirmed last month that it's investigating a "data exfiltration event" after a February 17 ransomware attack that impacted "a stand-alone USMS system" and included USMS employees' personally identifiable information.
READ THE STORY: BleepingComputer
Russia’s harmful influence in Africa
Analyst Comments: Russia's aggression against Ukraine has exposed Africa to supply chain destabilization, financial instability, and heightened food insecurity, thereby gravely hurting millions of Africans and inflicting an increased potential for instability on some African states. Russia's strategic presence in Africa has expanded: it has established ties in the energy sector and mining concessions, and has become the biggest arms exporter to the continent. Moscow's disinformation campaigns seek to discredit democracy, foster the perception that it offers no advantages over authoritarianism, and undermine legitimate governments. The presence of the Wagner Group in several African countries has led to torture, rape, summary executions, and massacres. Wagner's presence has accompanied the Russophile transformation that has taken over several African countries, tearing at the thin social fabric of many African societies. Wagner has also aggravated the jihadi threat in Mali and is working with rebels in Chad to destabilize the government.
FROM THE MEDIA: Russia’s aggression towards Ukraine has resulted in Africa facing destabilization of supply chains, financial instability, and food insecurity, which has had a grave impact on millions of Africans, leading to increased potential for instability in some African states. Russia’s strategic presence in Africa has expanded, and it has established ties in the energy sector and mining concessions while becoming the biggest arms exporter to the continent. Moscow’s strategy in Africa includes disinformation campaigns, interfering in elections, inflaming social tensions, and supporting autocrats while bashing the West for alleged neo-imperialism. Russia has deployed the Wagner Group, a paramilitary entity, in several African countries, which has allegedly been involved in torture, rape, summary executions, and massacres.
READ THE STORY: ModernDiplomacy
Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
Analyst Comments: The exploitation of a critical vulnerability in Microsoft Outlook by a Russian-based threat actor highlights the threat posed by advanced persistent threats targeting government, transportation, energy, and military sectors. The exploit's sophistication underscores the importance of prioritizing the deployment of patches and keeping security measures updated. The bypassing of Microsoft's SmartScreen security feature also emphasizes the importance of developing multi-layered security measures to prevent social engineering and phishing attacks. The attack demonstrates the need for organizations to have robust cybersecurity measures in place to defend against advanced persistent threats.
FROM THE MEDIA: Microsoft has identified a Russian-based threat actor targeting a critical vulnerability in its flagship Microsoft Outlook software. The company has traced the exploit to a limited number of organizations in Europe in the government, transportation, energy, and military sectors. Microsoft has offered mitigation guidance and a CVE-2023-23397 script to help with the audit and cleanup. The vulnerability is a critical privilege escalation issue that does not require user interaction. Microsoft also flagged a second vulnerability - CVE-2023-24880 - for urgent attention, with attackers actively bypassing its SmartScreen security feature.
READ THE STORY: SecurityWeek
New threat actor wages espionage campaigns across Central Asia and Eastern Europe
Analyst Comments: The identification of YoroTrooper highlights the continued threat posed by cyber espionage groups targeting government and energy organizations. The use of phishing emails, typo-squatting, and Python-based information stealers emphasizes the importance of developing multi-layered cybersecurity measures to detect and prevent such attacks. The successful campaigns of YoroTrooper demonstrate the need for organizations to keep their security measures updated and remain vigilant against phishing attacks. The group's targeting of critical EU health care and UN agencies underscores the need for such organizations to have robust cybersecurity measures in place to defend against cyber espionage groups.
FROM THE MEDIA: Cisco Talos has identified a cyber espionage group named YoroTrooper, which has been active since at least June 2022. The group targets government and energy organizations in Azerbaijan, Belarus, Tajikistan, and other Commonwealth of Independent States (CIS) members. YoroTrooper relies on phishing emails, often using typo-squatting, as the initial attack vector, and uses a toolset that includes Python-based information stealers and remote access malware. Victims include at least two accounts from a critical EU health care agency and the UN agency the World Intellectual Property Organization (WIPO).
READ THE STORY: Cybernews
Why we should care about Credit Suisse’s problems
Analyst Comments: A potential failure of Credit Suisse could have significant consequences on the global financial system due to its designation as a globally important financial institution. If the bank fails, it could trigger a domino effect on other financial institutions and cause a financial crisis. As such, the situation is of strategic significance, and swift action may be required to avert a financial meltdown.
FROM THE MEDIA: Credit Suisse, one of the 30 globally important financial institutions, is facing a dire situation with total assets of $574 billion at the end of 2022, down 37% from $912 billion at the end of 2020. Its asset-management arm supervises another $1.7 trillion in assets. Credit Suisse has been involved in scandals for decades, including bribery, money laundering, tax evasion, corporate espionage, subprime shenanigans, and poor risk management. The bank's delayed annual report not only showed a loss of $8 billion, equal to its entire market capitalization, but also revealed "material weaknesses" in its accounting for 2021 and 2022. The largest shareholder, Saudi National Bank, has said it can't provide any more capital because of regulations that say it can't own more than 10% of the bank. Credit Suisse has asked the Swiss central bank and the Swiss banking regulator to step in with a public show of support, but so far they have not responded. The market is pricing in a situation where Credit Suisse is close to failing.
READ THE STORY: AXIOS
US ex-intelligence officer: Russia now spying ‘on an industrial scale’
Analyst Comments: The intensified Russian espionage activity is of significant tactical and strategic importance to the US. Russia's espionage activity can harm US national security and economic interests, and the US needs to respond to this increased activity. Additionally, the use of operatives under non-official cover (NOC) highlights the risks of infiltration, and the US needs to improve its strategies to counter this new trend in Russian espionage.
FROM THE MEDIA: Russian espionage activity has intensified in recent years, according to Chris Costa, the executive director of the International Spy Museum in Washington, DC. Russia's spying apparatus has been in place since the Cold War era, but Costa believes that the country is more aggressive now than it has ever been. He stated that Russia is doing espionage on an industrial scale, both through computer hacking and human intelligence agents. Russia is also developing individuals who can be motivated to support the country. Classic espionage methodologies are being executed, in particular in Europe, where hundreds of suspected Russian spies working out of Russian embassies have been identified. Due to this setback, Russia will need to rely on operatives under non-official cover (NOC). Rebekah Koffler, the author of "Putin's Playbook: Russia's Secret Plan to Defeat America," stated that the US's intelligence resources in recent years have been devoted to the war against terrorism, while Russia and China have focused their intelligence efforts on the US.
READ THE STORY: La Prensa Latina
Chinese rocket that sent spy satellites into space falls on Texas
Analyst Comments: An uncontrolled reentry of the rocket segment over Texas is concerning, particularly given the potential risks to people and property in heavily-populated areas. The event underscores the need for better international norms and cooperation in managing space activities, including the safe disposal of space debris. The lack of acknowledgment from Chinese officials regarding the event raises questions about the responsibility of countries and companies involved in space activities to ensure transparency and accountability for potential hazards. The event's low impact on populated areas may indicate a relatively low level of risk, but it highlights the need for continued efforts to improve safety practices in space activities.
FROM THE MEDIA: A part of a Chinese rocket responsible for carrying three military surveillance satellites into orbit fell back to Earth and disintegrated over Texas in early March. The rocket's four-ton second stage plunged through the sky at a speed of 17,000 miles per hour over west Texas in an uncontrolled reentry, meaning it was not steered; rather, its orbit decayed and lowered naturally. There were concerns about the debris posing a threat to people and property in heavily populated areas, but military officials estimate that any debris that did fall landed in the least populated counties in the state. A second Chinese rocket segment also fell back to Earth over Nepal three days later.
READ THE STORY: My Plain View
Russia keen to finance Bangabandhu Satellite-2
Analyst Comments: Potential financing of the Bangabandhu Satellite-2 project by Russia could have significant implications for Bangladesh's efforts to enhance its communication and information infrastructure, as well as for the country's broader development goals. The meeting also highlights the potential for diverse areas of cooperation between Russia and Bangladesh, including LNG exports, energy infrastructure, and banking transactions. However, the cautious stance taken by Bangladesh officials underscores the need to carefully consider the potential risks and benefits of such cooperation, particularly amid international sanctions imposed on Russia. The meeting also underscores the importance of international cooperation and consultation in addressing shared challenges and opportunities in trade, economic, scientific, and technical areas.
FROM THE MEDIA: Russia is actively considering financing the Bangabandhu Satellite-2 project in Bangladesh and has assured the country of completing the loan sanction process quickly, according to Shahjahan Mahmood, chairman and CEO of the Bangladesh Satellite Company Limited. Bangladesh has requested a loan of $345 million for the project, and Russian representatives pledged to attach importance to lending during the recent Russia-Bangladesh Intergovernmental Commission meeting. The meeting also discussed areas of cooperation, including LNG exports, gas pipelines and other equipment exports, modernizing Ghorashal Unit-1 and Unit-2, and ways to smooth banking transactions. No final decisions were made at the meeting, and Bangladesh has taken a cautious stance amid international sanctions imposed on Russia.
READ THE STORY: TBS NEWS
Project Blackjack: DARPA’s test of satellite laser links delayed
Analyst Comments: The delay of the cross-satellite laser links demonstration under the Blackjack program is a setback for the program's goals of testing advanced space technologies and supporting the development of the Transport Layer network. The delay highlights the need for careful planning and coordination in launching and integrating complex space systems, particularly given the dependence on rideshare opportunities and integration facilities. The program's focus on OISLs and the Transport Layer network also underscores the growing importance of satellite connectivity and data transmission in supporting military and defense operations, as well as the potential for commercial applications in telecommunications and other industries.
FROM THE MEDIA: The Pentagon's plan to demonstrate cross-satellite laser links under its Blackjack program has been delayed due to a lack of available launch window, according to industry and government officials. Telesat Government Solutions, the US subsidiary of telecoms firm Telesat, is providing a pair of satellites for the test, but DARPA has pushed the launch date to January 2024 due to the need for rideshare on a SpaceX Falcon 9 and the availability of an integration facility. The Blackjack program aims to test optical inter-satellite links (OISLs) between satellites in low Earth orbit, which are critical to the Space Development Agency's Transport Layer network of data relay satellites.
READ THE STORY: Breaking Defense
Lost in Translation: What happens when academic exchanges between the world’s biggest superpowers collapse
Analyst Comments: The reduction in academic collaborations between the United States and China has far-reaching implications, particularly in the realm of Chinese-language studies. This could lead to severe limitations for American policymakers in the coming years. Additionally, these exchanges are essential for promoting mutual understanding and fostering a positive relationship between the two countries. However, the current trend of fractured academic partnerships has significant costs, not only for students caught in the middle but also for the already fragile state of bilateral relations. The recent shift in the United States' academic focus from China to Taiwan suggests that the situation is unlikely to improve in the near future. Moreover, the threat posed by Confucius Institutes, which have been accused of espionage and intellectual property theft, further complicates the issue.
FROM THE MEDIA: The U.S.-China academic bridge, which began in the 19th century, has all but atrophied over the past decade due to the pandemic, worsening ties, travel restrictions, and Beijing's growing repression, leaving an ever-shrinking space for academic engagement. Under the Obama administration, academic connections were seen as a key opportunity to forge new ties, and the number of Americans studying in China increased by 25% while their Chinese counterparts' numbers surged by 20% in 2007. Since then, however, American interest in studying abroad in China has plummeted, while declining enrollment in once-popular college Mandarin courses and a more suspicious, even hostile, academic environment have impacted the Chinese students who come to the United States.
READ THE STORY: FP
A new era of relations with China requires a new diplomatic playbook
Analyst Comments: The article cites China's authoritarian government and cyber espionage activities and acknowledges the failure of the U.S. policy of enabling China's "peaceful rise." The author argues that diplomacy and clear communication are essential for navigating the complex relationship with China, but warns against grandstanding for political gain, which can worsen relations. Overall, the article provides a useful analysis of the U.S.-China relationship and the challenges and opportunities it presents for U.S. national security.
FROM THE MEDIA: The author argues that the U.S. needs to take a tougher stance on China, citing the country's authoritarian government and cyber espionage activities as reasons. He praises the Trump administration's pivot on China policy, which he says the Biden administration has sharpened. He argues that clear communication and deft diplomacy are essential for navigating the complex relationship with China, including finding areas where cooperation is possible, such as climate change and the global economy, while also responding directly to issues like Chinese hacking and intellectual property theft. The author stresses the importance of avoiding grandstanding about threats to score political points, which can spiral relations downward, and instead speaking directly to leaders in China to ensure competition doesn't turn into a conflagration.
READ THE STORY: The Hill
Facebook’s behavioral ads lacked legal basis, Dutch court rules
Analyst Comments: The ruling against Facebook Ireland's consentless behavioral ad-targeting business is significant as it confirms the violation of EU data protection rules and constitutes an unfair commercial practice. The decision could set a precedent for further privacy litigation against Facebook's tracking activities in the region. The court ruling is a blow to Meta's business model and could affect around 10 million Dutch Facebook users seeking compensation for privacy violations. The court's decision is a strategic setback for Meta, and the company's appeal may have limited success. The ruling highlights the importance of obtaining valid legal bases for processing personal data for ad targeting and adequately informing users of data-sharing practices.
FROM THE MEDIA: A Dutch court has ruled that Facebook Ireland violated EU data protection rules by processing the personal data of Dutch Facebook users for advertising purposes without a legally valid basis, and that it also failed to inform users that their personal data was being shared with third parties. Additionally, the court found that Facebook's actions constituted an unfair commercial practice. The lawsuit, brought by the Dutch privacy advocacy group Data Privacy Foundation and a local consumer protection not-for-profit, could affect around 10 million Dutch Facebook users who can seek compensation for privacy violations. The court ruling could encourage more regional privacy litigation against Facebook's consentless tracking. Facebook Ireland has confirmed that it will appeal the decision.
READ THE STORY: TC
YoroTrooper Stealing Credentials and Information from Government and Energy Organizations
Analyst Comments: The group's use of spear-phishing, malicious shortcuts, and decoy documents highlights the need for increased awareness and training of personnel to recognize and avoid such tactics. The group's use of open-source and commodity malware, combined with custom malware, shows the sophistication of the campaign and the increasing technical abilities of cyber espionage groups. The group's use of Telegram as an exfiltration channel shows that threat actors are finding new ways to exfiltrate sensitive data. The tactical overlaps with the PoetRAT team suggest the possibility of state-sponsored cyber espionage activities. The emergence of YoroTrooper underlines the importance of threat intelligence and proactive threat hunting to identify and mitigate such attacks.
FROM THE MEDIA: A previously undocumented threat actor known as YoroTrooper has been identified as carrying out a cyber espionage campaign since June 2022. YoroTrooper targets government, energy, and international organizations in Commonwealth of Independent States (CIS) nations, including Azerbaijan, Tajikistan, Kyrgyzstan, and Turkmenistan. The group uses spear-phishing tactics to distribute malicious shortcut files (LNKs) and decoy documents wrapped in ZIP or RAR archives to infect systems with commodity and open-source stealer malware such as Ave Maria, LodaRAT, Meterpreter, and Stink. The group also deploys Python-based malware, reverse shells, and a custom keylogger to exfiltrate sensitive data via Telegram. The group has been observed exhibiting tactical overlaps with the PoetRAT team, and researchers believe that YoroTrooper is Russian-speaking. The threat actor's data-gathering goals include stealing credentials, browser histories and cookies, system information, and screenshots.
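The lure pattern described above (a Windows shortcut shipped next to a decoy document inside an archive) is something a mail gateway or sandbox can flag before a user ever double-clicks it. The following is an added defensive example written for this roundup, not code from the cited report or from any vendor: it inspects ZIP archives and reports shortcut entries by content as well as by name, so a shortcut renamed to `.txt` or hidden behind a double extension such as `.pdf.lnk` is still caught. The sample archive and file names are constructed for the demonstration; RAR handling is out of scope because the standard library has no RAR reader.

```python
"""Constructed example: flag Windows shortcut (LNK) lures inside ZIP archives.

Assumptions (not from the source article): the scanner runs on mail gateway or
sandbox input, and any archive carrying a Shell Link file is treated as
suspicious, whatever extension the entry uses.
"""
import io
import zipfile

# Fixed 20-byte prefix of every Shell Link (.LNK) file (MS-SHLLINK):
# HeaderSize 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Document types commonly used as the harmless-looking half of the lure.
DECOY_EXTENSIONS = (".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with the Shell Link header, regardless of file name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_archive(archive_bytes: bytes) -> dict:
    """Return shortcut entries, decoy documents and a verdict for one ZIP archive."""
    findings = {"shortcuts": [], "decoys": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Read only the header: a content check defeats renamed shortcuts.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if lower.endswith(".lnk") or is_shell_link(head):
                findings["shortcuts"].append(name)
            elif lower.endswith(DECOY_EXTENSIONS):
                findings["decoys"].append(name)
    # Any shortcut delivered inside an archive is the lure pattern; the decoy
    # list is kept so an analyst can see what the shortcut was dressed up as.
    findings["suspicious"] = bool(findings["shortcuts"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: a double-extension shortcut, a shortcut renamed
    to .txt, and a decoy document with the same base name as the shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 60)  # shortcut hiding behind .txt
        zf.writestr("Invoice_2023.docx", b"PK\x03\x04 constructed decoy bytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```

The verdict is deliberately coarse: legitimate business archives very rarely contain `.lnk` files, so quarantining on any shortcut hit and letting an analyst review the `decoys` list is a low-noise rule for a gateway.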
READ THE STORY: THN
Cyber theft hits China’s money spinner courier industry
Analyst Comments: The cyber theft in China's express delivery sector highlights the significant threat posed by cybercrime across the world, particularly in sectors with high volumes of personal data. The leakage of 4.5 billion pieces of personal information raises concerns about the effectiveness of data protection measures in China. The express delivery sector is an important part of the Chinese economy, contributing to efficiency, productivity, and rural income growth. The loss of customer trust due to the data breach could have cascading effects on the employment rates in China, particularly for unskilled and semi-skilled workers. The incident underlines the importance of strong cyber security measures and effective data protection policies to prevent similar incidents in the future.
FROM THE MEDIA: A cyber theft in China's express delivery sector led to the leakage of private data of 4.5 billion customers during February 12-15. An automated query robot, ChatGPT, leaked the personal information of customers, including name, mobile phone number, and detailed delivery address, leading to concerns about the effectiveness of data protection measures in China. The courier industry is an important part of the Chinese economy, with rapid growth over the past five years driven by strong economic performance and expanding e-commerce. The industry is instrumental in rural income growth and is one of the largest employers in China, particularly for unskilled and semi-skilled workers. The loss of customer trust due to the data breach could have cascading effects on employment rates.
READ THE STORY: ET
Russian hacktivist group targets India’s health ministry
Analyst Comments: The attack on HMIS is significant as it could expose the personal health information of millions of Indian citizens, potentially leading to identity theft, financial fraud, or other criminal activities. The attack may also damage India's relations with Russia, and could lead to further attacks by hacktivist groups. The sale of exfiltrated information on cybercrime forums could lead to financial gain for cybercriminals, while document fraud using stolen personally identifiable information could harm individuals and businesses. The attack highlights the need for government agencies to monitor for anomalies in user accounts, use a load balancer and DDoS protection services, and block unnecessary IP addresses and geolocations.
FROM THE MEDIA: On March 15, 2023, cybersecurity firm CloudSek reported that a Russian hacktivist group called Phoenix had claimed responsibility for a cyberattack on the Health Management Information System (HMIS) belonging to the Indian Ministry of Health. The attack may have exposed the personal health information of millions of Indian citizens. The Phoenix group posted several samples from the HMIS website on its Telegram channel. The cyberattack is likely in response to India's support for Western sanctions against Russia, including a price cap on Russian oil. The attack could lead to further attacks by similar hacktivist groups, the sale of exfiltrated information on cybercrime forums, or document fraud using stolen personally identifiable information. The hacktivist group has targeted hospitals in Japan and the UK before, as well as a US-based healthcare organization serving the US military, the Ministry of Health, the Federal Public Procurement Regulatory Authority, the Ministry of Food Control, the Supreme Court, the Ministry of Home Affairs, and several other departments of Pakistan.
READ THE STORY: CSO
Items of interest
India-US chip partnership could boost the global chip supply chain
Analyst Comments: The semiconductor industry relies on a complex global supply chain, which has been disrupted due to the pandemic and geopolitical tensions, leading to a semiconductor shortage that has impacted products ranging from servers and PCs to automobile manufacturing. India's $10 billion incentive plan for semiconductor manufacturing and display production shows the country's commitment to becoming a key player in the global semiconductor supply chain, particularly in manufacturing. The collaboration between India and the US is expected to fuel enterprise investment in the semiconductor sector and lead to greater cooperation in tech development. The establishment of a resilient supply chain will help India respond better to logistics or geopolitical crises in the future. The announcement of India's first semiconductor fabrication facility is a crucial step towards achieving the country's goal of becoming a manufacturing nation in three to four years.
FROM THE MEDIA: India has signed a memorandum of understanding with the US to establish a semiconductor supply chain, which experts see as an opportunity for both nations to reduce global dependency on China in the semiconductor sector. The Indian government is aiming to attract global chip makers to set up facilities in the country and has approved a $10 billion incentive plan for semiconductor manufacturing and display production. India currently does not have native semiconductor manufacturing firms but is working to create a resilient supply chain along with other countries, and has collaborated with the US, Japan, and Australia to secure supply chains in semiconductors and 5G telecom technologies. While India currently has a decent presence in chip design, it aims to become a key player in the global semiconductor supply chain, particularly in manufacturing. India is set to announce its first semiconductor fabrication facility, which could make the country a manufacturing nation in three to four years. The MoU with the US is expected to fuel enterprise investment in the semiconductor sector and lead to greater cooperation in tech development.
READ THE STORY: Computerworld
FBI and CISA on Latest Russian Cyber Threats (Video)
FROM THE MEDIA: In a recent briefing by the US Chamber of Commerce, representatives from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) discussed the persistent and evolving cyber threats emanating from Russia. The unprovoked invasion of Ukraine in February 2022 served as a catalyst for the US to reevaluate its cyber security infrastructure and defense systems.
Defending Critical Infrastructure from Cyber/Physical Attacks (Video)
FROM THE MEDIA: The transcript is from a webinar about defending critical infrastructure from cyber/physical attacks. The speaker provides administrative updates, encourages audience interaction, and introduces the guest speaker, Matthew Cardigan, who discusses vulnerabilities in industrial control systems and how to defend against them. He explains the concept of full-impact adversarial simulation and emphasizes the importance of pre-testing networks and having a well-developed cyber incident response plan. The speaker also advises regular security audits and review of patching procedures to limit exposure of system information. There are examples of easily accessible devices that can intercept signals and exfiltrate data, and the potential risk to small manufacturers is discussed.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.