Wednesday, March 22, 2023 // (IG): BB // Cyber-Roundup// Coffee for Bob
Xi, and Putin, declare intent to rule the world of AI, infosec
Analyst Comments: The joint statement between Russia and China indicates a desire to dominate the world of information technology and cyber security through collaboration in various technology and industry fields. However, their repressive philosophies and attempts to change the rules that govern the internet and acceptable online behavior are likely to be met with resistance from other countries. Additionally, their insistence on equal consideration of their political ideologies may further contribute to tensions with other nations.
FROM THE MEDIA: Russian President Vladimir Putin and Chinese President Xi Jinping have issued a joint statement titled "Joint Statement between the People's Republic of China and the Russian Federation on Deepening the Comprehensive Strategic Partnership of Coordination in the New Era". The statement includes a proposal to combine the research capacity and industrial capabilities of Russia and China to become world leaders in information technology, cyber security, and artificial intelligence, with technological sovereignty being the key to sustainability. The two nations aim to explore new cooperation models in technology and industry fields such as AI, IoT, 5G, digital economy, and low-carbon economy. They also express their belief in the formulation of new and responsible national codes of conduct in information cyberspace and suggest supporting the establishment of a multilateral, fair, and transparent global internet governance system. The two nations aim to create a "multipolar" order and reject the notion that "democracy" is a superior governance model.
READ THE STORY: The Register
China’s insidious, longstanding effort to meddle in Canadian affairs: Christian Leuprecht in the National Post
Analyst Comments: CCP's activities in Canada have been ongoing for several years and have become increasingly hostile, with the state capture of Canadian elites and institutions. The CCP has been systematically eroding resistance to its government from within Canada by blurring the lines between Beijing state organs, Asian organized crime groups, select members of Canada's mainland Chinese immigrant community, and business interests. The CCP maintains the second-largest diplomatic service in Canada for good reason, co-opting staff of targeted politicians, facilitating the clandestine transfer of funds, recruiting potential targets, suppressing protests, and supporting ethnic Chinese under its influence in their election bids. The CCP's hostile hybrid-warfare efforts against Canada pose a significant national security problem to the United States, as the U.S. shares intelligence with Canada.
FROM THE MEDIA: Beijing's interference and espionage activities have become the most significant threat to Canada's democratic way of life. The Chinese Communist Party (CCP) is actively running influence campaigns over resource development and is intent on gaining control of Canadian critical minerals. The CCP's corruption of Canadian politics and business poses a national security problem not only to Canada but also to its most important strategic ally, the United States. Recent unclassified versions of the Canadian Security Intelligence Service's (CSIS) annual report repeatedly warned about the state capture of Canadian elites and institutions. The CCP invests heavily in making influential opinion leaders beholden to it and paying off politicians, which poses a significant threat to Canadian democracy.
READ THE STORY: MLI
Partisan suspects turn on the cyber-magic in Ukraine
Analyst Comments: The use of previously unseen malware like CommonMagic and PowerMagic in an active campaign targeting government, agriculture, and transportation organizations in Russian-controlled areas of Ukraine is significant at both tactical and strategic levels. At a tactical level, the use of spear phishing or similar methods and the delivery of malware through booby-trapped URLs make it difficult for organizations to defend against these attacks. At a strategic level, the use of new malware programs and the absence of any known threat actor or group underscore the need for continued vigilance and investment in cybersecurity, as well as the importance of international cooperation in addressing cyber threats. Additionally, the ongoing war between Russia and Ukraine adds another layer of complexity and urgency to the situation, highlighting the need for diplomacy and conflict resolution.
FROM THE MEDIA: Kaspersky, a Russian cybersecurity company, has detected an active campaign in which previously unseen malware called CommonMagic and PowerMagic is being used to attack government, agriculture, and transportation organizations in Russian-controlled areas of Ukraine. The attack vector is unknown, but spear phishing or similar methods are suspected. The attacks involve booby-trapped URLs that lead to a ZIP archive containing a decoy document and a malicious LNK file that deploys the PowerMagic backdoor. PowerMagic establishes contact with a remote server and executes arbitrary commands, while also delivering the CommonMagic framework, which contains executable modules designed to carry out specific tasks such as interacting with the command-and-control server, encrypting and decrypting C2 traffic, and executing plugins. The plugins can capture screenshots every three seconds and gather files of interest from connected USB devices. The campaign has been active since at least September 2021, and no known threat actor or group has been linked to the operation.
READ THE STORY: Cybernews // THN // DUO
Crypto ATM manufacturer General Bytes hacked, at least $1.5 million stolen
Analyst Comments: The recent security breach, resulting in the theft of a significant amount of cryptocurrency and the shutdown of most General Bytes' US-based crypto ATMs, is a tactically significant event that may create unease among potential mainstream adopters. This incident underscores the ongoing risk of cyber attacks in the cryptocurrency sector and highlights the need for strong security measures to protect personal information and digital assets. The breach could have wider implications for the use and adoption of cryptocurrencies, particularly if customers lose confidence in the security of crypto ATMs and related services.
FROM THE MEDIA: Crypto ATM manufacturer General Bytes has experienced a major security breach resulting in the theft of at least $1.5 million worth of bitcoin, prompting the company to shut down the majority of its US-based automated teller machines. Hackers were able to exploit a vulnerability in the master service interface used to upload videos, which allowed them to remotely upload their own Java application onto the company's server. The breach enabled the attackers to read and decrypt API keys, access funds on exchanges and "hot" cryptocurrency wallets, steal usernames and passwords and turn off two-factor authentication. This is the second security incident involving General Bytes' machines. The company is urging customers to take immediate action to protect their personal information.
READ THE STORY: The Record
HyperBro RAT
Analyst Comments: The HyperBro RAT is a well-established and actively utilized malware variant by APT27, a threat group believed to be sponsored by the Chinese government. APT27's expansion of its capabilities to include financially motivated cybercrime is of particular concern, as it indicates the group is adapting its tactics to maximize its impact. The RAT's use of DLL side-loading to achieve backdoor access and enable malicious activity highlights the importance of securing legitimate executables and preventing unauthorized access to systems. The potential consequences of HyperBro's presence on devices, including data loss, privacy issues, financial losses, and identity theft, underscore the need for organizations to remain vigilant and take appropriate measures to protect their systems and data.
FROM THE MEDIA: HyperBro is a remote access trojan (RAT) that has been utilized by the APT27 threat group since 2017. APT27 is believed to be sponsored by the Chinese government and has executed multiple targeted attacks against organizations in various industries. The threat group has expanded its capabilities to include financially motivated cybercrime. The group uses proprietary malware, malware shared among Chinese cybercrime groups, and publicly available open-source software to conduct its tradecraft, allowing it to adapt its tactics as needed. The RAT abuses DLL side-loading to compromise the targeted system, achieve backdoor access, and enable the execution of malicious commands, keystroke logging, and user activity monitoring. HyperBro's presence on devices can lead to multiple system infections, data loss, privacy issues, financial losses, and identity theft.
READ THE STORY: Security Boulevard
Watch out: tax crooks are phishing for your W-2 form
Analyst Comments: The theft of W-2 forms through spear-phishing campaigns during tax season is a significant threat to businesses and employees, as it can result in significant financial losses for individuals and organizations. The fact that the number of reports on suspicious activity concerning tax refunds grew fourfold to eight million in 2021 indicates that this threat is becoming more prevalent. Successful attacks can result in millions of stolen dollars for cybercriminals, making this a profitable business.
FROM THE MEDIA: Tax season in the United States, which runs from January to April, is a prime time for cybercriminals to launch spear-phishing attacks aimed at stealing W-2 forms. These forms contain valuable information that can be used to file fraudulent tax returns. Kevin Kirkwood, a cybersecurity expert and deputy CISO at LogRhythm, warns that cybercriminals use spear-phishing campaigns to target businesses and employees during tax season and that successful attacks can lead to significant financial gains. Kirkwood notes that attackers conduct a process of base-level discovery to identify targets, gather intelligence, and craft spear-phishing emails that convincingly impersonate company executives or other trusted personnel. He advises businesses and employees to be on the lookout for red flags such as emails that demand immediate action, bypass security controls, or request W-2 files. Kirkwood recommends that companies take steps to improve security awareness and training, conduct phishing tests, and re-educate employees who click on phishing links.
READ THE STORY: Cybernews
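The red flags Kirkwood lists (demands for immediate action, requests for W-2 files, attempts to bypass controls, impersonation of executives) map directly onto mail-gateway triage rules. The script below is an added example written for this roundup, not code from the article or from LogRhythm; the corporate domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Flag the W-2 phishing red flags described above in one inbound message.

Added example for this roundup item; not code from the article or from
LogRhythm. CORP_DOMAIN, EXECUTIVES and the two sample messages are constructed.
"""
import email
from email.utils import parseaddr
from typing import Dict, List

CORP_DOMAIN = "example-corp.com"                                          # constructed
EXECUTIVES: Dict[str, str] = {"jane doe": "jane.doe@example-corp.com"}   # constructed directory

URGENCY_TERMS = ("immediately", "urgent", "asap", "right away", "today")
W2_TERMS = ("w-2", "w2", "wage and tax statement")
BYPASS_TERMS = ("do not forward", "don't forward", "keep this between us",
                "don't call", "reply only")


def red_flags(raw_message: str) -> List[str]:
    """Return the list of red flags present in an RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    display, addr, reply_to = display.lower(), addr.lower(), reply_to.lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags: List[str] = []
    # A known executive's display name paired with an address that is not theirs.
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        flags.append("executive-impersonation")
    if not addr.endswith("@" + CORP_DOMAIN):
        flags.append("external-sender")
    # Replies silently routed to a different mailbox than the visible sender.
    if reply_to and reply_to != addr:
        flags.append("reply-to-mismatch")
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgency")
    if any(t in text for t in W2_TERMS):
        flags.append("requests-w2")
    if any(t in text for t in BYPASS_TERMS):
        flags.append("bypass-controls")
    return flags


def triage(raw_message: str) -> str:
    """Hold for review on impersonation or on two or more other flags."""
    flags = red_flags(raw_message)
    return "hold" if "executive-impersonation" in flags or len(flags) >= 2 else "deliver"


# Constructed sample messages (not real mail).
PHISH = "\n".join([
    "From: Jane Doe <jane.doe@example-corp-payroll.com>",
    "Reply-To: jd.ceo@mail-example.net",
    "Subject: Need all W-2s today",
    "",
    "Hi, I need the W-2 forms for every employee sent to me immediately as PDF.",
    "Please don't forward this to anyone; I'm in a meeting.",
])

BENIGN = "\n".join([
    "From: Jane Doe <jane.doe@example-corp.com>",
    "Subject: Q2 planning deck",
    "",
    "Attached is the planning deck. Comments welcome by Friday.",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw), red_flags(raw))
```

The display-name check is the one that matters most for this campaign: the other signals are noisy on their own, but an executive's name on an external address is rarely legitimate and is cheap to verify against a directory.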
Bitcoin’s Bounce Risks Setting a Crypto Algorithmic Trap
Analyst Comments: The renewed interest in algorithmic stablecoins is a concerning development in the crypto space, as these tokens have a history of failure and remain vulnerable to collapse. The failure of several banks and the resulting Bitcoin rally should not be seen as a reason to overlook the risks associated with algorithmic stablecoins. Regulators have been clear that stablecoins based on algorithms cannot be trusted, and the mechanics of these tokens are still vulnerable to death spirals.
FROM THE MEDIA: Bitcoin's recent rally has renewed interest in algorithmic stablecoins, despite their previous failure. The collapse of TerraUSD and Luna, algorithmic stablecoins that were trading in the tens of billions of dollars in market value, demonstrated the potential dangers of relying on unstable algorithms. Despite regulatory warnings, some major influencers in the crypto space are promoting the use of algorithmic stablecoins as a way to avoid collateralized stablecoins backed by reserves, which have lost value due to US regulators shutting down Paxos's BUSD stablecoin and Circle's USD Coin losing its dollar value. However, the risks associated with algorithmic stablecoins remain high, as they can still experience a death spiral as TerraUSD did. The fact that Bitcoin is thriving during a time of economic turmoil does not necessarily make algorithmic stablecoins any less perilous.
READ THE STORY: Bloomberg
Hacker vs Hacker: North Koreans Attempt to Phish Euler Exploiter of $200M in Crypto
Analyst Comments: The North Korean hackers' attempt to defraud Euler Finance's exploiter amid efforts to recover nearly $200 million in stolen cryptocurrency emphasizes the persistent risk of hacking and phishing attacks in the crypto sphere. This incident also highlights the importance of implementing enhanced security measures and exercising caution during crypto transactions. The possible involvement of Lazarus, a group reportedly connected to North Korea's weapons program, introduces a geopolitical dimension to the event, further underlining its significance.
FROM THE MEDIA: Euler Finance, a DeFi protocol, has faced another obstacle in its attempts to recover almost $200m in stolen cryptocurrency after a hacker, linked to North Korea, attempted to phish Euler's exploiter's wallet. The on-chain message was a scam that would have attempted to steal credentials from Euler's exploiter's wallet. The exchange between two hackers led to alarm bells ringing at Euler Finance, which was already trying to recover the funds. The Ronin bridge exploiter stole $625m from Axie Infinity last March. Experts have accused the Lazarus Group, a North Korean hacker group, of being behind multibillion-dollar attacks against the cryptocurrency world.
READ THE STORY: Coindesk
West African bad actor impersonates financial advisors to steal millions
Analyst Comments: The ongoing scheme of the West African threat actor is significant at both tactical and strategic levels. At a tactical level, the group's use of new tactics and the speed with which it creates new impersonation websites make it difficult for banks and their technology vendors to block incoming network traffic, putting their clients' funds and personal information at risk. At a strategic level, the group's ability to successfully execute such schemes for relatively small amounts of money and its organization across different technologies highlight the need for greater international cooperation in cybersecurity and increased attention to the West African nexus of cybercrime and scams.
FROM THE MEDIA: A West African threat actor is running an ongoing scheme by impersonating financial advisors, brokers, and influencers on social media to attract wealthy clients. The group creates lookalike websites and fake customer onboarding processes to scam victims. DomainTools, a cybersecurity company, reported that the group has started impersonating the Financial Industry Regulatory Authority (FINRA) and using the domain finraglobal[.]org, email address admin@finraglobal[.]org, and IP address 82.180.172[.]248 to steal money and identifying information from victims. The group also directs victims to identity verification forms, claiming that FINRA is the KYC and AML services provider, although FINRA does not provide such services. The group uses pig butchering tactics to fatten up a fake investment account before closing it without notice, stealing funds from the victim.
READ THE STORY: American Banker
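The domain, email address and IP address quoted above are published defanged; to be useful they have to be refanged and matched against DNS, proxy, mail and firewall telemetry without also matching the legitimate finra.org. The script below is an added example written for this roundup, not code from the article or from DomainTools; the indicators are the ones quoted in the text and the log lines are constructed for illustration.

```python
"""Match the indicators quoted above against sample telemetry.

Added example for this roundup item; not code from the article or from
DomainTools. Indicators are as printed in the text; SAMPLE_LOGS is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Indicators as printed in the article, still defanged.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "domain": ["finraglobal[.]org"],
    "email": ["admin@finraglobal[.]org"],
    "ip": ["82.180.172[.]248"],
}


def refang(value: str) -> str:
    """Undo publication defanging so the value matches what telemetry records."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}

# Constructed sample telemetry, one event per line: "<timestamp> <sensor> <kind> <value>".
SAMPLE_LOGS = [
    "2023-03-21T09:14:02Z wks-17 dns www.finraglobal.org",
    "2023-03-21T09:14:03Z wks-17 proxy https://www.finraglobal.org/verify/kyc",
    "2023-03-21T09:20:11Z mailgw smtp admin@finraglobal.org",
    "2023-03-21T10:02:45Z wks-03 proxy https://www.finra.org/",
    "2023-03-21T10:05:00Z fw-1 ip 82.180.172.248",
    "2023-03-21T10:06:30Z wks-09 dns cdn.example.net",
]


@dataclass
class Hit:
    timestamp: str
    sensor: str
    kind: str
    observed: str
    indicator: str


def host_matches(observed: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; the real finra.org never matches."""
    return observed == domain or observed.endswith("." + domain)


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose value matches a known indicator."""
    hits: List[Hit] = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the scan
        ts, sensor, kind, value = parts
        value = value.lower()
        if kind in ("dns", "proxy"):
            host = urlparse(value).hostname if kind == "proxy" else value
            for d in IOCS["domain"]:
                if host and host_matches(host, d):
                    hits.append(Hit(ts, sensor, kind, value, d))
        elif kind == "smtp":
            for e in IOCS["email"]:
                if value == e:
                    hits.append(Hit(ts, sensor, kind, value, e))
        elif kind == "ip":
            for ip in IOCS["ip"]:
                if value == ip:
                    hits.append(Hit(ts, sensor, kind, value, ip))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h.timestamp} {h.sensor}: {h.kind} {h.observed} matched {h.indicator}")
```

Suffix matching on "." plus the indicator is deliberate: a bare `endswith("finraglobal.org")` would also fire on an unrelated registration such as notfinraglobal.org, while an exact match would miss the www host that victims actually visit.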
Largest telecom in Guam starts restoring services after a cyberattack
Analyst Comments: The cyberattack on Docomo Pacific is significant at a local level, as it disrupted services to Guam and the Northern Mariana Islands, affecting over 220,000 people. The attack also highlights the vulnerability of remote islands and territories to cyber threats, which can have serious implications for critical infrastructure and essential services. The attack on Docomo Pacific follows similar incidents in Tonga, Guadeloupe, and Vanuatu, underscoring the need for improved cybersecurity measures and resilience in Pacific island nations. At a broader level, the attack is a reminder of the growing threat posed by cybercrime and the need for increased international cooperation to address the issue.
FROM THE MEDIA: Docomo Pacific, the largest provider of mobile, television, internet, and telephone services in Guam and the Northern Mariana Islands, has been hit by a cyberattack that caused outages in many of its services. The attack occurred on Thursday evening, and Docomo Pacific CEO Roderick Boss confirmed on Friday that the company's servers were attacked during the incident. While customer data, mobile network services, and fiber services remain unaffected and secure, several customers reported outages in phone service and the internet. Docomo Pacific has published an incomplete update on Twitter saying some services are back online but did not specify which services or areas. The company has not disclosed when service will be fully restored and has not confirmed whether it was a ransomware attack.
READ THE STORY: The Record
In U.S., Cyberdisruption is the Most Critical Threat
Analyst Comments: The survey results indicate that Americans consider cyberterrorism, the development of nuclear weapons by Iran and North Korea, and China's military and economic power as critical threats to U.S. vital interests. The perception of Russia's military power as a threat has declined, while concerns about climate change and the conflict between China and Taiwan have increased. The results highlight the importance of addressing cyberterrorism and nuclear proliferation concerns, as well as the need for continued vigilance in countering China's military and economic ambitions. The findings also suggest that partisan differences in threat perception can complicate efforts to develop a unified national security strategy.
FROM THE MEDIA: According to the recent Gallup World Affairs survey conducted between Feb. 1-23, Americans consider cyberterrorism as the most critical threat to US vital interests, followed by the development of nuclear weapons by Iran and North Korea, international terrorism, and China's military and economic power. The survey also revealed a notable shift in the perception of the threat level of Russia's military power, which has declined since last year. Republicans and Democrats share similar views on cyberterrorism and nuclear weapons by Iran and North Korea, while they differ significantly on the perceived threat level of China's military and economic power and immigration. The findings of this survey suggest that cyberterrorism remains a primary concern for US national security.
READ THE STORY: Gallup
China’s Strategic Support Force Brings Hybrid Warfare to Space, Cyber, and Politics
Analyst Comments: The significance of the event is tactical and strategic. The SSF's capabilities and operational tactics pose a threat to US and allied organizational structures and operating systems. The SSF's training in systemic attacks and the use of gray zone warfare suggests that China's military is committed to information warfare, and other nations should take note and act accordingly. The ad promoting 5,000 "civil" positions to be filled within the SSF was designed to attract civilian technical talent to work with the PLA, demonstrating a commitment to expanding the SSF's capabilities. China's newly appointed defense minister, Li Shangfu, served as the deputy commander of the SSF when it was first launched, indicating that China is committed to its continued growth and development.
FROM THE MEDIA: Analysis of the Chinese spy balloon that crossed the United States earlier this year suggests the operation was carried out by China's Strategic Support Force (SSF). The SSF is a hybrid branch of the People's Liberation Army (PLA) that combines cyber, electronic, space, and psychological warfare. The SSF was established in 2015 as part of a PLA restructuring aimed at shifting from land-based territorial defense to extended power projection beyond China's borders. The SSF has no equivalent in any other country, and it incorporates China's electronic war forces, network war forces, and elements of its space forces, including Base 311, responsible for political warfare.
READ THE STORY: VOA
Addressing the ‘right to mine’ crypto
Analyst Comments: The increasing attention and potential regulation of the cryptocurrency mining industry is significant in both a tactical and strategic sense. Tactically, Right to Mine bills threaten to infringe upon a community’s right to govern and protect themselves against for-profit interests while shielding miners from fair electricity rates and leaving communities with the negative impacts of mining without the promised economic development and new jobs.
FROM THE MEDIA: The cryptocurrency mining industry is facing increased scrutiny and potential regulation due to its massive energy consumption and negative impacts on local communities. Some groups are pushing “Right to Mine” bills in states across the US, which would give big businesses the “right” to mine crypto, even over a community’s right to clean water and air, a quiet home, and a livable climate. These bills would squash or severely limit a community’s ability to govern and protect itself against for-profit interests. Right to Mine bills also seek to shield miners from fair electricity rates, despite cryptocurrency mining operations often costing others who share its energy utility. The cryptocurrency mining industry seeks out the cheapest energy it can find, regardless of how dirty it is, and often leaves local communities with unpaid utility bills and failed promises of economic development and new jobs. Policymakers can be pro-crypto and pro-business without being anti-community and anti-local governance by applying clean energy standards to cryptocurrency miners.
READ THE STORY: The Hill
BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum
Analyst Comments: The closure of BreachForums could significantly impact the cybercriminal landscape as it was a lucrative destination for purchasing and selling stolen databases from various companies and organizations. The development may prompt cybercriminals to migrate to underground forums to peddle their illegal wares. The shutdown also comes at a time when Telegram remains a hub for cybercrime activities, facilitating the sale of malware, personal and corporate data dumps, and other illicit goods such as counterfeits and drugs. It remains to be seen if this development will require a new forum entirely or if an alternative venue will emerge to meet the demand for breached databases.
FROM THE MEDIA: On March 21, 2023, Baphomet, the current administrator of BreachForums, announced that the hacking forum has been officially taken down, describing the decision as a necessary change. The shutdown is believed to be due to suspicions that law enforcement had obtained access to the site's configurations, source code, and information about the forum's users. The development follows the arrest of its previous administrator, Conor Brian Fitzpatrick, who was charged with a single count of conspiracy to commit access device fraud.
READ THE STORY: THN
How AI Could Revolutionize Diplomacy
Analyst Comments: The adoption and adaptation of new technologies in peacemaking efforts can impact every step of the process, from negotiations to monitoring and enforcing agreements. AI and other emerging technologies could speed up negotiations, better inform diplomats, provide real-time counsel, and assist in monitoring activities after an agreement. This can significantly improve the efficiency and effectiveness of peacemaking efforts. The significance of this development is strategic, as it has the potential to change the way countries conduct diplomatic negotiations and may ultimately help resolve conflicts.
FROM THE MEDIA: The article discusses how emerging technologies such as artificial intelligence (AI), quantum computing, the internet of things (IoT), and distributed ledger technology can impact peacemaking efforts, from the earliest days of negotiations to monitoring and enforcing agreements. The use of automated language processing, AI-powered ChatGPT, and AI-powered cognitive trade advisor can speed negotiations, better inform diplomats ahead of talks, and provide real-time, data-informed counsel throughout discussions. AI-powered "hagglebots" could take on a key role in negotiations. New technologies also allow countries to solicit citizen input more easily in real-time. Computer vision can help identify micro-expressions and other emotions by analyzing videos of negotiations, making diplomacy rely more on hard science. After parties announce a deal, distributed ledger technology could be used to openly transfer funds while keeping in place sanctions for other purposes. The internet of things could make monitoring more effective by creating many new data points. The promise of new technologies is vast.
READ THE STORY: FP
NAPLISTENER: New Malware in REF2924 Group's Arsenal for Bypassing Detection
Analyst Comments: Moscow seeks to topple more French dominoes in central and western Africa, and the US is responding by adopting more forward-leaning measures. The assassination plot in Chad represents “a new chapter” in efforts by Wagner, a Kremlin-backed private military force, to advance Russian interests in Africa, and the US is taking a more forceful approach to stymie Russian gains on the continent. The US is also using new tactics, such as sharing sensitive intelligence with African leaders, as it moves more assertively in Africa. As African countries are presented as valued partners, not pawns in a global rivalry, the comparison with the Cold War that many see is one that the Biden administration wants to avoid.
FROM THE MEDIA: As the rivalry between Russia and the West intensifies in Africa, fueled by weapons, resources, and social media, Chad has emerged as the latest focal point. The US has warned Chad's president about Russian mercenaries planning to assassinate him and other high-ranking officials, while Moscow supports Chadian rebels in the Central African Republic. Moscow is also attempting to gain influence within Chad's ruling elite. To counter Russia's advances in Africa, the US has become more assertive, sharing sensitive intelligence with African leaders and employing new tactics to disrupt Russian gains. This approach is aimed at shoring up France's diminishing position in Africa, as Russia seeks to topple more French-supported governments in Central and West Africa. Despite concerns of a new Cold War in Africa, the US has presented its strategy as one of partnership, not rivalry. However, African leaders have expressed their desire to avoid being forced to choose sides, emphasizing that they've suffered enough from historic burdens. As Russia continues to expand its influence in Africa, Western powers are grappling with how to respond effectively.
READ THE STORY: THN
Associate of ‘Cryptoqueen’ fraudster arrested and brought to US
Analyst Comments: The extradition of Dilkinska represents progress in the investigation of the OneCoin cryptocurrency scam, and her trial will provide further insight into the extent of the fraud and money laundering that occurred. The fact that Dilkinska, as the former head of legal and compliance, is facing charges indicates that those in positions of power and responsibility will be held accountable for their actions. The maximum sentence of 20 years for each charge highlights the seriousness of the crimes committed and sends a message to other individuals involved in cryptocurrency scams that they will face severe consequences.
FROM THE MEDIA: Irina Dilkinska, former head of legal and compliance for OneCoin, has been extradited from Bulgaria to the US to face charges of fraud and money laundering in a New York federal court. Dilkinska allegedly enabled OneCoin to launder millions of dollars of illegal proceeds through shell companies, which is the opposite of her job title. OneCoin, which prosecutors characterized as a pyramid scheme that took in $4 billion from victims, was co-founded by Ruja Ignatova, who remains at large after being charged with fraud and money laundering in 2017. Dilkinska's job at OneCoin was to assist in the creation and management of shell companies, including using a shell company called B&N Consult EEOD to launder OneCoin proceeds. The wire fraud and money laundering charges each carry a maximum sentence of 20 years.
READ THE STORY: The Record
Mexico wants seized Vulcan terminal used as cruise ship dock, quarry turned to a theme park
Analyst Comments: The seizure of Vulcan's cargo terminal by Mexican police could negatively affect U.S.-Mexico economic relations and future investments in Mexico, impacting the ability to achieve their shared vision for improving livelihoods in one of Mexico's most economically disadvantaged regions. From a tactical standpoint, the seizure threatens to delay the completion of the Train Maya project, which could have political implications for the president of Mexico. Additionally, the lack of local supplies of crushed stone could delay the stabilization of the train's tracks, further delaying the completion of the project. From a strategic standpoint, this event could be a warning for foreign companies operating in Mexico that the rule of law may not be assured, potentially deterring future investments in the country.
FROM THE MEDIA: Vulcan Materials has accused Mexican authorities of violating its commercial and property rights, stating that no legal paperwork has been presented to justify the seizure. The president of Mexico, Andrés Manuel López Obrador, has been publicly sparring with Vulcan for over a year, as he needs the dock to finish his pet project, a tourist train known as the Train Maya. The lack of local supplies of crushed stone needed to stabilize the Maya Train's tracks has forced López Obrador to import the stone from Cuba, and the only private freight dock on the Caribbean side that could handle the Cuban shipments and other shipments of cement and steel is the one owned by Vulcan.
READ THE STORY: AL
Can Russia Get Used to Being China’s Little Brother
Analyst Comments: The meeting between the leaders of China and Russia indicates that the two countries are strengthening their strategic partnership amid increasing tension with the West. China is now the dominant partner in the relationship, and Russia is increasingly dependent on China for economic, technological, and diplomatic support. However, Russia remains globally significant, particularly as a nuclear power and exporter of energy, resources, and food. The peaceful border between the two countries provides a breathing space for both countries to face their adversaries. The meeting highlights the importance of Russia to China's quest to become a global rule-setter and dominant power in Asia, while Putin seeks China's support for his war. The outcome of the visit will reveal if China is serious about resolving the Ukraine conflict and whether the two countries will deepen their defense cooperation.
FROM THE MEDIA: China's President Xi Jinping and Russia's President Vladimir Putin met in Moscow to discuss their strategic partnership. China is now considered the dominant partner in the relationship, while Russia is increasingly dependent on China for economic, technological, and diplomatic support. However, Russia remains a globally significant exporter of energy, resources, and food and is a major nuclear power. Both countries share a peaceful border that gives them breathing space to face their respective adversaries. Russia remains important to China's quest to become a global rule-setter and dominant power in Asia. Putin hopes to ensure that China continues to provide a lifeline for Russia during its isolation, and he seeks political-diplomatic and technical-military support for his war. Xi's top priority is to resolve the Ukraine conflict and show the world that China can resolve global conflicts. The outcome of his Moscow visit will reveal if China is serious about peace.
READ THE STORY: FP
Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware
Analyst Comments: The attack on the NuGet repository and the subsequent discovery of malicious code in packages is significant from a tactical and strategic perspective. The attack was sophisticated and highly malicious, and the packages were downloaded over 160,000 times in just one month. The use of cryptocurrency stealer malware in the attack is particularly concerning, as it can result in financial losses for victims. The attack also highlights the continued use of typosquatting techniques and the vulnerability of the software supply chain. The fact that the connection to the command-and-control (C2) server occurs over plain HTTP, making it vulnerable to an adversary-in-the-middle attack, further underscores the need for improved security measures to protect against such attacks.
FROM THE MEDIA: The NuGet repository has been targeted by a "sophisticated and highly-malicious attack" designed to infect .NET developer systems with cryptocurrency-stealing malware. The attack featured 13 rogue packages that were downloaded more than 160,000 times in the past month. The packages were taken down when the attack was discovered. They contained a PowerShell script that triggered the download of a "second stage" payload, which could then be remotely executed. The packages' use of Coinbase- and Discord-themed names underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate ones, to trick developers into downloading them.
READ THE STORY: THN
Barr Responds to Mexico on Drug Cartels
Analyst Comments: President López Obrador's lack of interest in seriously confronting the cartels, coupled with his policy of allowing them to traffic drugs freely to the U.S., has hindered progress. The Mexican government's inaction has allowed the cartels to flourish, leading to increased violence and instability. Cooperation between the U.S. and Mexico is crucial to effectively combating the cartels and reducing the slaughter caused by their activities. Efforts to reduce the demand for drugs are important, but they must be coupled with decisive steps to dismantle the cartels and end their reign of terror.
FROM THE MEDIA: In a response to Mexican Foreign Secretary Marcelo Ebrard Casaubon's letter, an op-ed writer argues that the U.S. and Mexico must cooperate in an all-out campaign to dismantle the cartels. However, obstacles to real progress include the cartels' strong grip on Mexico and their success in corrupting the Mexican government at all levels. President Andrés Manuel López Obrador has no interest in seriously confronting the cartels and won't allow the U.S. to do it. AMLO's policy of allowing the cartels to traffic drugs freely to the U.S. has failed. Efforts to reduce demand for drugs might help over the long term, but aren't a substitute for decisive steps now to reduce the slaughter today.
READ THE STORY: WSJ
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers
Analyst Comments: The campaign targeting poorly managed Linux SSH servers using ShellBot is significant from a tactical and strategic perspective. The malware targets servers with weak credentials and can carry out DDoS attacks and exfiltrate harvested information. The use of known SSH credentials for a dictionary attack highlights the need for strong credentials and proper access management. The backdoor-like capabilities of PowerBots to grant reverse shell access and upload arbitrary files further underscores the seriousness of the threat. The campaign also comes at a time when DDoS attacks targeting healthcare organizations hosted in Azure have been gradually increasing, posing a significant threat to the healthcare industry.
FROM THE MEDIA: A new campaign has been launched that targets poorly managed Linux SSH servers, deploying different variants of a malware called ShellBot. ShellBot is a DDoS bot malware developed in Perl that uses the IRC protocol to communicate with its command and control (C&C) server. The malware is installed on servers that have weak credentials after threat actors use scanner malware to identify systems that have SSH port 22 open. A dictionary attack is then initiated using a list of known SSH credentials to breach the server and deploy the payload. ShellBot can carry out DDoS attacks and exfiltrate harvested information. Three different ShellBot versions have been identified (LiGhT's Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK), all of which offer various DDoS attack commands using the HTTP, TCP, and UDP protocols. PowerBots comes with backdoor-like capabilities to grant reverse shell access and upload arbitrary files from the compromised host.
READ THE STORY: THN
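As an added defender-side illustration (not code from the article or from the researchers it cites), the following Python picks an SSH dictionary attack like the one described out of auth.log lines: a burst of failed logins from one source, the usernames it tried, and whether a successful login followed. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not from the article). The burst
# from 203.0.113.5 mimics a dictionary attack that ends in a successful login.
SAMPLE_LOG = """\
Mar 22 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Mar 22 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 41024 ssh2
Mar 22 10:00:03 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 41026 ssh2
Mar 22 10:00:04 host sshd[1207]: Failed password for root from 203.0.113.5 port 41028 ssh2
Mar 22 10:00:05 host sshd[1209]: Failed password for root from 203.0.113.5 port 41030 ssh2
Mar 22 10:00:06 host sshd[1211]: Accepted password for root from 203.0.113.5 port 41032 ssh2
Mar 22 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Mar 22 10:30:00 host sshd[1400]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Return {ip: {"failures", "users", "success_after"}} for every source that
    produced at least `threshold` failed logins within `window_s` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; year 1900 is fine for time deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["result"], m["user"]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, r, u in evs if r == "Failed"]
        # slide a window of `threshold` consecutive failures over the timeline
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i][0], fails[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_s:
                alerts[ip] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    # a success after the burst is the "breached, payload likely deployed" case
                    "success_after": any(r == "Accepted" and t > last for t, r, _ in evs),
                }
                break
    return alerts

if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, info)
```

A `success_after` of True is the case to triage first: the server was reachable with a guessed password, which is exactly the precondition for the payload deployment described above.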
From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022
Analyst Comments: The focus on vulnerabilities in edge network devices for obtaining initial access is concerning, as these devices play a critical role in network security. The exploitation of zero-day vulnerabilities by cyber espionage groups and financially motivated threat actors underscores the potential for significant financial and intellectual property losses. The emergence of China-nexus clusters as the most prolific state-sponsored group highlights the need for increased vigilance and improved defense strategies against state-sponsored cyber threats.
FROM THE MEDIA: In 2022, 55 zero-day vulnerabilities were exploited in the wild, with most discovered in software from Microsoft, Google, and Apple, according to a report by threat intelligence firm Mandiant. Desktop operating systems, web browsers, IT and network management products, and mobile operating systems were the most exploited product types. Of the 55 zero-day bugs, 13 were exploited by cyber espionage groups, and four were exploited by financially motivated threat actors for ransomware-related operations. China-nexus clusters emerged as the most prolific state-sponsored group, exploiting seven zero-days. North Korean and Russian threat actors were linked to the exploitation of two zero-days each. The disclosure comes as threat actors are getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.
READ THE STORY: THN
Items of interest
A New York Court Is About to Rule on the Future of Crypto
Analyst Comments: The outcome of the Ripple-SEC case is significant, as it may set a precedent for future cases and establish the SEC as crypto's main regulator. If the SEC wins, it may lead to increased regulatory scrutiny and requirements for the crypto industry, potentially resulting in compliance challenges for crypto firms. Moreover, it may impact the position of US-based exchanges and their ability to operate, leading to potential market shifts.
FROM THE MEDIA: On December 22, 2020, the US Securities and Exchange Commission (SEC) charged Ripple, a San Francisco-based company that provides infrastructure for cross-border payments, and two of its executives for conducting a $1.3 billion unregistered securities offering by selling a cryptocurrency, XRP. Ripple has been challenging the SEC's claims, stating that XRP does not meet the criteria of the Howey test and that no contracts were signed when the transactions took place. If the court rules in favor of the SEC and declares XRP a security, it may have legal consequences for entities that have issued tokens or helped people to trade them without SEC approval, and most other crypto tokens may also be classified as securities, making them subject to the SEC's supervision. The outcome of the case may have significant consequences for the crypto sector and may impact crypto firms, particularly US-based exchanges.
READ THE STORY: Wired
The Cyber War between China and the US | China Spy Documentary (Video)
FROM THE MEDIA: The video covers the ongoing cyber war between China and the United States, with the US accusing China of stealing industrial secrets through cyber espionage. The US has indicted and identified Chinese hackers responsible for these attacks, but enforcing legal action has proven difficult as those responsible remain in China. Despite an agreement in 2015 between the US and China to stop such cyber-enabled theft, attacks have continued. The video also touches on the controversy surrounding the US government's own surveillance practices, as revealed by Edward Snowden.
The Secret World of Oil Espionage (Video)
FROM THE MEDIA: Oil companies and governments use corporate espionage to protect their interests, including spying on competitors and stealing trade secrets. The rise of digital technology has made oil espionage more sophisticated, and it can threaten global energy security by disrupting supply and compromising safety. The video calls for a more proactive approach to protect sensitive information, including investing in cybersecurity measures and being more transparent about energy policies. Developing countries are often at a disadvantage in negotiations, and the video suggests addressing power imbalances and investing in renewable energy to reduce dependence on fossil fuels.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.