Friday, April 14, 2023 // (IG): BB // Financial Enabler // Coffee for Bob
Russian threat actors are actively targeting diplomats in NATO and EU countries
Analyst Comments: The ongoing phishing campaign targeting diplomatic staff in NATO and EU countries is a significant concern, particularly given Nobelium's history of targeting high-profile organizations. The use of sophisticated malware and techniques, such as scanning infected systems, highlights the group's capability to conduct cyber espionage and cause significant harm. The warning issued by the Polish Military Counterintelligence Service and CERT Polska highlights the importance of vigilance and implementing configuration changes to disrupt the delivery mechanism used by the group. It also underscores the need for organizations to strengthen their cybersecurity defenses to detect and prevent such attacks.
FROM THE MEDIA: The Polish Military Counterintelligence Service and CERT Polska have issued a warning that the Russian-backed group Nobelium is targeting diplomatic staff in NATO and EU countries via phishing emails. The emails appear to be from the Polish embassy, with recipients directed to download information about diplomatic events. Clicking on the link takes the victim to a fake embassy website hosting the EnvyScout malware dropper and other files. The dropper then installs further downloader tools like SnowyAmber and QuarterRig, which can access Nobelium's command-and-control (CnC) nodes to download either the Cobalt Strike or Brute Ratel malware. Both SnowyAmber and QuarterRig scan the infected system to see if it is of interest and whether it is running in a test environment for malware analysis.
READ THE STORY: CyberSecurity Connect // The Record
China plans to ban exports of rare earth magnet tech
Analyst Comments: The Japanese government is concerned about a potential disruption in the supply of magnets due to Beijing's revisions of its Catalogue of Technologies Prohibited and Restricted from Export. The catalog now includes manufacturing technologies for high-performance magnets using rare earth elements, which are essential components in various industrial items. China holds the largest percentage of the global market share in neodymium and samarium cobalt magnets, estimated at 84% and over 90%, respectively, with Australia being a distant second. If China bans the export of such technologies, the US and Europe, which do not traditionally manufacture rare earth magnets, would have difficulty entering the market and be entirely reliant on China. Beijing's ban is seen as an effort to keep core environment-related technologies within China while using them as a bargaining chip in its dealings with the US and Europe.
FROM THE MEDIA: There are concerns that Japan could face significant disruption in public and economic activities due to a potential disruption in the supply of magnets. Beijing is currently in the process of revising its Catalogue of Technologies Prohibited and Restricted from Export, which includes manufacturing technologies for high-performance magnets using rare earth elements such as neodymium and samarium cobalt. Rare earth magnets are essential components in motors that generate rotation using electricity and magnetic force and are used in aircraft, EVs, robots, mobile phones, air conditioners, and other industrial items. China has an estimated 84% share of the global market in neodymium magnets and over 90% in samarium cobalt magnets. If China bans the export of such technologies, the US and Europe, which do not traditionally manufacture rare earth magnets, would have difficulty entering the market and be totally dependent on China. The ban is seen as part of Beijing's efforts to keep core environment-related technologies within China while using them as a bargaining chip in its dealings with the US and Europe.
READ THE STORY: ModernDiplomacy
The Hacking of ChatGPT Is Just Getting Started
Analyst Comments: Security researchers and computer scientists are discovering jailbreaks and prompt injection attacks against generative AI systems like ChatGPT, which try to bypass safety measures to generate malicious or harmful content. The attacks are a form of hacking, using carefully crafted sentences to exploit weaknesses in the systems. These attacks pose a security risk, as they could allow cybercriminals to steal data or cause havoc on the web. Some of the latest jailbreaks involve multiple characters, complex backstories, and translating text from one language to another. Companies are trying to address these issues through red-teaming and vulnerability research grants, but more automated solutions may be needed to prevent jailbreaks and prompt injection attacks.
FROM THE MEDIA: Researchers, computer scientists, and security experts are developing jailbreaks and prompt injection attacks against chatbots such as OpenAI’s GPT-4, in order to bypass content filters and rules against producing illegal or harmful content. Alex Polyakov, the CEO of security firm Adversa AI, has created a “universal” jailbreak, which works against multiple large language models, and which can trick the systems into generating detailed instructions on creating meth and how to hotwire a car. The attacks are considered a security risk, particularly as these systems become more powerful and are given access to more data.
READ THE STORY: Wired
America’s Space Systems Should Be Officially Prioritized As ‘Critical’ U.S. Infrastructure
Analyst Comments: The McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University published a 38-page report proposing that America's space systems be designated as critical infrastructure and be protected as such. Rare earth magnets are essential components in space systems that generate rotation using electricity and magnetic force, and China dominates the global market in such magnets. The authors of the report argue that designating space systems as critical infrastructure would signal to allies and adversaries that space systems are a priority and will be treated accordingly.
FROM THE MEDIA: A report by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security suggests that America's space systems, including sensors, signals, data transmission, and supply chains, should be officially recognized and protected as critical infrastructure. This move would signal to both allies and adversaries that space systems are a priority and will be treated accordingly, the report says. With China and Russia as potential threats, the protection parameters should be adjusted to encompass the further growth of space systems beyond geosynchronous orbit, even to the lunar surface. The authors propose that Congress fund NASA $15 million per year to oversee the protection of the US space infrastructure. NASA would need to both develop and scale up its capacity to protect national security, civil, and commercial space systems. Specific threats to the US space infrastructure include command intrusion and denial of service. Adversaries can use these methods to disrupt the US economy and spy on military operations.
READ THE STORY: Forbes
RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware
Analyst Comments: RTM Locker goes further than most ransomware groups to avoid drawing attention, making it harder for researchers to infiltrate the gang. This highlights how cybercrime groups continue to adopt new tactics and methods to avoid detection and fly under the radar of researchers and law enforcement alike. The group's tactics and capabilities also underscore the need for organizations to stay vigilant and implement robust security measures to protect against ransomware attacks.
FROM THE MEDIA: The "Read The Manual" Locker (RTM) is a cybercriminal gang operating as a private ransomware-as-a-service (RaaS) provider. RTM's tactics include deploying a ransomware payload on compromised hosts and avoiding high-profile targets to remain under the radar of researchers and law enforcement. The group uses affiliates who are required to remain active or notify the gang of their leave, indicating the organizational maturity of the group. RTM has strict mandates that forbid affiliates from leaking samples and locks out affiliates who remain inactive for 10 days without prior notification. The payload is capable of elevating privileges, terminating antivirus and backup services, and deleting shadow copies before commencing its encryption procedure.
READ THE STORY: THN
Russia jams US GPS-guided weapons given to Ukraine, leaked info shows
Analyst Comments: The leaked report suggests that Russia has the capability to jam GPS-guided weapons provided by the US to Ukraine. This highlights a potential security threat to Ukraine and the vulnerability of US-provided weapons in foreign conflicts. The US military's search for a long-term solution to geolocate targets through quantum computing reflects its recognition of the threat that jamming poses to GPS-guided weapons. It also indicates the potential for significant advancements in military technology in the near future.
FROM THE MEDIA: According to leaked documents, Russia is capable of jamming GPS-guided weapons, including Joint Direct Attack Munitions (JDAMs), provided by the US to Ukraine. The report revealed that four out of nine extended-range JDAMs used by Ukrainian forces had missed their targets, possibly due to jamming. As a result, the report recommends that the Russian jammers be taken out. The US military has countermeasures against attempts to jam GPS-guided weapons, but each type of JDAM has a different set of vulnerabilities. It is unknown how many JDAMs the Ukrainians have. The US military is looking into using quantum computing as a long-term solution to geolocate targets because it is not vulnerable to jamming.
READ THE STORY: T&P
The Abortion Pill Legal Standoff Endangers Access to All Drugs
Analyst Comments: The article provides a detailed overview of the recent ruling regarding the abortion pill mifepristone and its potential implications for the pharmaceutical industry and patient safety. It includes insights from legal scholars, healthcare providers, and executives from biotech and pharmaceutical companies. The article is well-researched and presents a balanced view of the issue, discussing both the potential benefits and drawbacks of the court's decision. Overall, the article is informative and well-written, providing readers with a comprehensive understanding of the complex legal battle surrounding the availability of the abortion pill in the US.
FROM THE MEDIA: The US Fifth Circuit Court of Appeals ruled in favor of keeping the abortion pill mifepristone on the market but with certain restrictions, including requiring the drug to be dispensed in person and limiting the timeframe in which it can be taken to the first seven weeks of pregnancy. The court overruled Judge Matthew Kacsmaryk's decision invalidating the FDA's approval of the pill in 2000, but upheld Kacsmaryk's decision to undo FDA decisions in recent years that made mifepristone easier to prescribe and obtain. Experts are concerned that the ruling could set a dangerous precedent that could lead to judges invalidating FDA approvals for other drugs that may be politically controversial. The outcome could have significant implications for pharmaceutical innovation and patient access to all kinds of drugs.
READ THE STORY: Wired
Severe Android and Novi Survey Vulnerabilities Under Active Exploitation
Analyst Comments: This is a significant development in the ongoing battle between tech companies and the NSO Group, which has been accused of enabling human rights abuses through its spyware. The discovery of a zero-day vulnerability in macOS is a reminder of the constant threat posed by advanced persistent threats and nation-state actors.
FROM THE MEDIA: Apple has released a security update that fixes a zero-day vulnerability in its macOS operating system used by Pegasus spyware to infect and monitor victims’ devices. The security flaw, which affects all versions of macOS from Big Sur to Monterey, was discovered by a group of researchers from the University of Toronto and Citizen Lab. Pegasus spyware, developed by Israeli firm NSO Group, has been linked to human rights abuses and has been used to target activists, journalists and politicians around the world. The zero-day exploit allowed hackers to bypass macOS’ built-in security features to install Pegasus spyware without the user’s knowledge. Apple said it had found “evidence of exploitation in the wild” and urged all users to update their systems immediately.
READ THE STORY: THN
Taiwanese Air Force pilot’s ‘Winnie the Pooh Patch’ causes international controversy
Analyst Comments: The Winnie the Pooh-inspired patch worn by a Taiwanese Air Force pilot has sparked controversy, as it depicts a Formosan black bear punching a golden bear that resembles Chinese President Xi Jinping. The patch is a creative way for Taiwanese pilots to boost morale, resist Chinese pressure, and highlight Taiwan's unique identity and culture. However, it is also likely to provoke a negative response from China and could escalate tensions in the region. The Chinese government has banned any depiction of Winnie the Pooh due to comparisons made between him and Xi Jinping. The use of creative symbolism in military patches as a form of messaging and identity-building is an interesting phenomenon to observe.
FROM THE MEDIA: A patch depicting a Formosan black bear punching a golden Winnie the Pooh lookalike on the shoulder of a Taiwanese Air Force pilot has caused international controversy. The patch is likely a reference to the popular comparison of Chinese President Xi Jinping to Winnie the Pooh and the increasing frequency with which Taiwan's air force pilots respond to Chinese incursions. While the patch was made by a private company, Taiwan's Taipei Economic and Cultural Representative Office promoted it. This is not the first time militaries have targeted the People's Republic of China through heraldry.
READ THE STORY: T&P
Pro-Russian group takes responsibility for cyberattack on Hydro-Québec
Analyst Comments: The recent DDoS attack on Hydro-Québec's website, claimed by a pro-Russia group, underscores the potential risks faced by Canadian companies and infrastructure assets due to Canada's support of Ukraine. The attack was likely a response to the Prime Minister's announcement of new measures for Ukraine, and it highlights the escalating threats posed by state-sponsored cyber programs. Companies and infrastructure operators should take measures to improve their cybersecurity defenses, including automating network monitoring with AI technology.
FROM THE MEDIA: Canada's Hydro-Québec website was recently hit with a distributed denial-of-service (DDoS) attack, following similar attacks on the websites of the ports of Montreal and Quebec City, and other companies. A pro-Russia group, NoName057(16), claimed responsibility for the attack, which occurred after Prime Minister Justin Trudeau announced new measures for Ukraine, including a donation of ammunition and machine guns. Experts say the attack highlights the escalating threats faced by Canadian companies and key infrastructure assets due to Canada's support of Ukraine. Companies, especially infrastructure companies, are encouraged to improve their defenses against cyber threats, including automating network monitoring with AI technology.
READ THE STORY: Montreal Gazette // GN
Canadian Ports and Energy Websites Hit by Pro-Russian Cyberattack
Analyst Comments: The article highlights the increasing vulnerability of critical infrastructure, including ports and energy systems, to cyberattacks, particularly those that are state-sponsored. The ongoing attacks on Canadian infrastructure demonstrate the need for improved cybersecurity measures and ongoing vigilance to protect against potential cyber threats. The use of AI and other automated tools to monitor network activity may offer a solution to identify and respond to cyber threats more quickly and effectively.
FROM THE MEDIA: Canadian seaports Halifax, Montreal, and Quebec have been targeted in a cyberattack apparently staged by a pro-Russian group called NoName057(16), which has also been targeting the country's energy infrastructure. The attack, which began early on April 12, involved a denial-of-service attack aimed at the ports' websites, with no reports of internal systems being affected. Quebec's state-owned electricity provider Hydro-Quebec also experienced a similar cyber assault on April 14. Although the attack caused the ports' external sites to go offline, operations at the ports themselves were unaffected. The attack is the latest in a series of similar incidents that have targeted ports and maritime infrastructure worldwide.
READ THE STORY: Maritime-Executive
Twitter Partners With eToro To Offer Stock, Crypto Trading
Analyst Comments: The partnership between Twitter and eToro has the potential to disrupt the traditional brokerage industry and pose a long-term threat to other app-based brokerage services such as Robinhood. The move also supports the increasing mainstream adoption of cryptocurrencies, but it also raises concerns about the risk of uninformed investing decisions based on social media. It remains to be seen if Twitter/X can become a world-beater in the realm of financial services, but it is a step in the right direction toward realizing Musk's vision of creating an "everything app."
FROM THE MEDIA: Twitter has partnered with eToro to offer users the ability to trade stocks, cryptocurrencies, and other assets directly on the social media platform. This move is part of Twitter CEO Elon Musk's vision of transforming Twitter into an "everything app" similar to Tencent's WeChat. However, some financial advisors have raised concerns about the potential lack of financial education materials on the platform and the risk of uninformed investing decisions based on social media. Nonetheless, this partnership is further evidence of the increasing mainstream adoption of cryptocurrencies.
READ THE STORY: Forbes
Amazon Is Joining the Generative AI Race
Analyst Comments: Amazon's entry into the generative AI market will also address data security concerns among companies, particularly those working with sensitive client information, as Bedrock ensures that the information they feed into their models is not leaked back into the wider pool of data used to train those models. Additionally, Amazon is offering new AWS instances optimized for running language models and other generative AI using custom silicon and making its AI tool for coding, CodeWhisperer, free for individual users through AWS.
FROM THE MEDIA: Amazon has announced two new AI language models, Titan Text and Text Embeddings, which will be available through its cloud platform, Amazon Web Services (AWS). The models are aimed at allowing customers to build their own chatbots, and to compete with Microsoft and Google, which have both launched their own generative AI models. Amazon is also offering access to Stable Diffusion, an AI model for generating imagery, from Stability AI. Additionally, Amazon has launched a platform called Bedrock, which will provide access to cutting-edge language models from two startups, Anthropic and AI21. Bedrock will also address customers' concerns over data leakage by allowing them to use Amazon's models without their information being leaked back into the wider pool of data used to train those models. However, it remains to be seen how Amazon's models compare to those of OpenAI and Google, and how much traction the machine learning tools offered through AWS will gain with developers.
READ THE STORY: Wired
Energy transition between ASEAN Power Grid and Trans-ASEAN Gas Pipeline under Indonesian Chairmanship 2023
Analyst Comments: The article provides valuable insights into ASEAN's energy transition efforts and the importance of energy policies in achieving this transition. The focus on natural gas as a sound energy source is a relevant consideration, and the TAGP project is seen as a potential infrastructure to support the region's natural gas market.
FROM THE MEDIA: The article discusses ASEAN's efforts to achieve an energy transition towards low-carbon energy in response to climate-related risks and global warming. Two energy-based policies, natural gas and power grids, are being considered for this transition. Indonesia's leadership of ASEAN in 2023 is seen as crucial momentum to carry out the energy transition to reach net-zero emissions in 2060. ASEAN has an agreement on the ASEAN Power Grid (APG) and the Trans-ASEAN Gas Pipeline (TAGP) to achieve domestic policy accountability and integrate the electrification equity program in ASEAN. The article highlights the importance of affordability and ease of access to energy, and natural gas is seen as a sound energy source to secure energy and manage the energy transition. The TAGP project is seen as an energy infrastructure to support the new potential of the natural gas market in Southeast Asia.
READ THE STORY: Modern Diplomacy
Intelligence agency says cyber threat actor 'had the potential to damage critical infrastructure'
Analyst Comments: The article highlights the growing concern about cyber threats to critical infrastructure in Canada, particularly in light of recent reports of Russian-backed hackers gaining access to Canada's natural gas distribution network. The warning from the Communications Security Establishment underscores the potential for cyberattacks to cause physical damage to essential services and systems relied upon by Canadians. The article emphasizes the need for preparedness and vigilance among those responsible for operating critical systems and urges them to monitor their networks and apply mitigations.
FROM THE MEDIA: Canada's Communications Security Establishment (CSE) has warned that a cyber threat actor had the potential to cause physical damage to a piece of critical infrastructure recently. Although there was no physical damage to any Canadian energy infrastructure, this warning comes in the wake of leaked U.S. intelligence documents that suggested Russian-backed hackers successfully gained access to Canada's natural gas distribution network. The CSE has defined critical infrastructure as networks and systems that Canadians rely on for essential services such as energy, water, and utility systems, transportation systems, food supply chains, and financial networks. Defence Minister Anita Anand noted that Canada has seen a notable rise in cyber threat activity by Russian-aligned actors, and urged anyone working in a critical sector to be prepared.
READ THE STORY: CBC
Hackers claim responsibility for Western Digital data breach, My Cloud is back online after outage
Analyst Comments: The Western Digital cyberattack is yet another example of the growing threat of ransomware attacks and highlights the importance of strong cybersecurity measures and incident response plans. The hackers' access to the company's code-signing certificate and executive contact information raises concerns about potential impersonation attacks or future targeted attacks against Western Digital. It remains to be seen how the company will respond to the ransom demands and whether any customer data has been compromised. The incident highlights the need for companies to have robust data protection policies and communication plans in place to address potential data breaches and cyberattacks.
FROM THE MEDIA: Hackers claiming to have stolen customer data from Western Digital following a cyberattack last month are threatening to publish the information unless they receive a large ransom payment. The hackers claim to have over 10 terabytes of proprietary data, including customer information, and have access to the company's internal files, code-signing certificate, Azure services, e-commerce data, and executive phone numbers and email addresses. While Western Digital temporarily disabled numerous servers to safeguard its business operations, the group claims to still be inside the company's network with the ability to extract more information.
READ THE STORY: TechSpot
Cyber Assistance Fund Proposed by Cyber Ambassador Nate Fick as Part of Three-part Plan
Analyst Comments: The need for greater international cooperation in tackling cyber threats has become increasingly clear in recent years, as major attacks have impacted countries and industries worldwide. The State Department's efforts to create a formal program for cyber aid to friendly countries, as proposed by Nathaniel Fick, are therefore welcome. Such programs could help build stronger relationships with foreign partners, whilst also helping to bolster international cybersecurity capabilities. However, it remains to be seen how much funding will be available for such efforts, and how effective they will be in countering increasingly sophisticated attacks.
FROM THE MEDIA: The State Department is reportedly working on a formal program for US cyber aid to foreign countries hit by cyberattacks, with Congress said to be supportive of such efforts. State Department roving ambassador for cybersecurity, Nathaniel Fick, is advocating for a three-part plan which includes "a push for a dedicated cyber assistance fund," greater use of online tools, and greater private-sector involvement. The goal is to create greater speed in responding to such attacks, and assistance for foreign partners to avoid having to wait for American experts to fly out. The third part of the plan aims to involve greater private sector support, with the US government playing a brokering and introduction role. The bureau also aims to have a cyber officer in every US embassy around the world by the end of 2024.
READ THE STORY: OODALOOP
Pakistan-linked hackers target India’s education sector with Crimson malware
Analyst Comments: The targeting of educational institutions in India by Transparent Tribe is concerning, particularly as these institutions may hold sensitive information related to the military and government personnel they educate. The use of phishing emails containing education-themed attachments is a clever tactic that could be effective in tricking victims into opening the attachments. The use of OLE to embed the malware within the document is also a concerning development that makes detection and prevention more difficult. The fact that Transparent Tribe is constantly modifying its malware suggests that it is a persistent threat, and the group's previous targeting of government organizations in multiple countries is cause for concern. Organizations in India should be vigilant and take appropriate measures to protect their networks and systems from this threat.
FROM THE MEDIA: A Pakistan-based hacking group known as Transparent Tribe has been targeting Indian educational institutions with Crimson malware, as part of a larger campaign targeting military, government, and education sectors. The hackers use phishing emails containing education-themed malicious attachments, which install the Crimson malware onto the victim's computer through Microsoft Office macros or Object Linking and Embedding (OLE). Crimson is a remote access trojan that can exfiltrate system information and provide attackers with remote access to the victim's computer. Transparent Tribe has been active since 2013 and has targeted government organizations in around 30 countries.
READ THE STORY: The Record
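The Crimson lures above arrive as Office documents carrying either VBA macros or an embedded OLE object. The following is an added triage example, not code from the original story or from any vendor report it cites: it opens an OOXML (.docx) file as the ZIP container it is, looks for the macro store (`word/vbaProject.bin`), embedded objects under `word/embeddings/`, `oleObject` relationship entries in the part relationships, and any member whose bytes begin with the OLE compound-file magic. The sample documents are constructed inline; the function and variable names are this example's own.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type OOXML uses to point a document part at an embedded OLE object.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# OLE compound file (CFB) signature: vbaProject.bin and oleObject*.bin both use this container.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def triage_office_file(data: bytes) -> dict:
    """Report macro and OLE indicators found inside an OOXML package (docx/xlsx/pptx)."""
    report: dict = {"macros": [], "embedded_objects": [], "ole_relationships": [], "cfb_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                report["macros"].append(name)
            if "/embeddings/" in lower:
                report["embedded_objects"].append(name)
            # Sniff the content regardless of the member name.
            with zf.open(info) as fh:
                if fh.read(len(CFB_MAGIC)) == CFB_MAGIC:
                    report["cfb_members"].append(name)
            if lower.endswith(".rels"):
                root = ET.fromstring(zf.read(info))
                for rel in root.iter(PKG_NS + "Relationship"):
                    if rel.get("Type") == OLE_REL:
                        report["ole_relationships"].append((name, rel.get("Target")))
    report["risky"] = bool(
        report["macros"] or report["embedded_objects"] or report["ole_relationships"] or report["cfb_members"]
    )
    return report


def build_sample_docx(with_macro: bool, with_ole: bool) -> bytes:
    """Constructed minimal .docx package; the binary parts are placeholder CFB headers, not real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        zf.writestr(
            "word/document.xml",
            "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>",
        )
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 24)
            rels.append(f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>')
        if with_macro:
            zf.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 24)
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False, False)), ("lure", build_sample_docx(True, True))):
        print(label, triage_office_file(doc))
```

Name-based checks alone miss renamed parts, which is why the CFB signature sniff runs on every member; a hit on a part that is neither `vbaProject.bin` nor under `embeddings/` is worth a closer look rather than an automatic verdict.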
Why China Should Worry About Asia’s Reaction to AUKUS
Analyst Comments: The article provides an analysis of the regional responses to the Australia-United Kingdom-United States (AUKUS) security pact, which aims to counter China's military buildup and growing power in the Indo-Pacific region. While China has criticized the pact, many countries in the region have either supported or avoided publicly opposing it. Japan supports AUKUS, given its strained relationship with China and Beijing's military activities in the region. South Korea has not officially weighed in on AUKUS but is increasingly uncomfortable with Chinese assertiveness and is seeking to increase engagement with the Quad and participate in the U.S.-led Chips 4 alliance. Taiwan has embraced AUKUS, hoping to maximize deterrence against China. In Southeast Asia, the Philippines is the only strong AUKUS supporter, while other ASEAN states have given cautious support to the pact.
FROM THE MEDIA: The article discusses the Australia-United Kingdom-United States (AUKUS) security pact and how Indo-Pacific nations are reacting to it. The pact, which aims to counter China, includes the purchase of nuclear-powered submarines by Australia from the US, and the development of a new class of submarines jointly by the three nations. While China has criticized the pact, most Indo-Pacific nations either support it or avoid publicly opposing it. Japan supports AUKUS and may find other parts of the agenda more appealing than nuclear technology. South Korea, which focuses on North Korea, has not officially weighed in on AUKUS but may benefit from similar arrangements in the future. Taiwan has embraced AUKUS, while Southeast Asian nations are generally cautious in their support. The Philippines is a strong supporter of AUKUS, while other Association of Southeast Asian Nations (ASEAN) states offer cautious support.
READ THE STORY: FP
Can Intel become the chip champion the US needs?
Analyst Comments: The article highlights the consequences of this decision for Intel and the US, which are now scrambling to catch up in the race for advanced chip manufacturing. The author notes that Intel is now at another crucial juncture, as it plans to produce chips made with extreme ultraviolet (EUV) lithography in large volume later this year, and the progress will be watched anxiously in Washington as the Biden administration decides how much financial backing to throw behind the company.
FROM THE MEDIA: Intel's decision to stick with older semiconductor manufacturing techniques rather than adopt extreme ultraviolet (EUV) lithography nearly a decade ago has had significant consequences, leaving the company and the US scrambling to catch up with rivals like Taiwan Semiconductor Manufacturing Company and Samsung, which adopted EUV in 2019. Now, Intel is at another crucial juncture and plans to produce chips made with EUV in large volume later this year, a step that will be watched closely in Washington as the Biden administration considers how much financial backing to provide.
READ THE STORY: FT
Crafty PDF link is part of another tax-season malware campaign
Analyst Comments: The malware campaign's use of a manipulated file shortcut shows attackers continue to innovate in their methods of delivering malware. Accounting firms are attractive targets due to the large amounts of sensitive information they hold, particularly during tax season. Companies need to remain vigilant and educate employees on spotting suspicious emails and files. The fact that the GuLoader malware can deliver more malware to infected computers means the potential impact of an attack could be significant. Sophos' report highlights the importance of continuous monitoring of systems and software for anomalies and threats.
FROM THE MEDIA: Accounting firms have been targeted in a malware campaign, with cybercriminals exploiting a manipulated Windows file shortcut to deliver malware called GuLoader. The process involves sending an email to a firm that looks legitimate and solicits business. The email contains a zip file that includes dummy files and a shortcut to what appears to be a PDF, but which actually contains the malware. The recipient is tricked into clicking the shortcut because it looks like it will open the PDF. The malware is delivered via a Visual Basic script that serves as the first stage for the GuLoader infection. Sophos, which investigated the campaign, found 29 varieties of the script and 90 other encrypted and unencrypted payloads hosted on related servers.
READ THE STORY: The Record
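The lure described above (a zip attachment holding dummy files plus a Windows shortcut disguised as a PDF) is easy to screen for at a mail gateway or in a triage script. The following is an added example for this digest, not code from Sophos or the report; it builds a constructed sample archive in memory, then inspects each entry for the shell-link (.lnk) magic header, a double extension that masquerades as a document, and script-type entries of the kind used as first-stage loaders. The file names inside the sample are invented for illustration.

```python
import io
import zipfile

# A Windows shell link (.lnk) starts with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Document-like extensions: a shortcut whose name ends in one of these before
# ".lnk" is trying to pass itself off as a document.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# Script extensions commonly used as a first-stage loader (VBScript, JScript, etc.).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")


def inspect_archive(data: bytes) -> list[dict]:
    """Return a finding per suspicious entry in a zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Only the first 20 bytes are needed to recognise a shell link.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            has_lnk_magic = head.startswith(LNK_MAGIC)
            if has_lnk_magic:
                reasons.append("lnk_magic")
            if lower.endswith(".lnk"):
                reasons.append("lnk_extension")
                if lower[:-4].endswith(DOCUMENT_EXTS):
                    reasons.append("document_masquerade")
            elif has_lnk_magic:
                # Shell link content under a non-.lnk name: extension spoofing.
                reasons.append("extension_mismatch")
            if lower.endswith(SCRIPT_EXTS):
                reasons.append("script_payload")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive(include_shortcut: bool = True) -> bytes:
    """Constructed sample: dummy files plus (optionally) a disguised shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tax_Documents/README.txt", "Please review the attached return.\n")
        zf.writestr("Tax_Documents/notes.docx", "dummy content")
        if include_shortcut:
            # Shell-link header followed by padding; no real target is embedded.
            zf.writestr("Tax_Documents/2022_Return.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Matching on the header bytes rather than the file name alone matters because Windows Explorer hides the `.lnk` suffix by default, so the name a user sees is not a reliable signal; the header check also catches a shortcut saved under a non-`.lnk` name.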
FBI arrests 21-year-old Air Guardsman over document leaks
Analyst Comments: The arrest of Teixeira is a significant development in the investigation into the leak of highly classified US intelligence documents, and highlights the potential risks of insider threats to government secrets. While the leak may not have contained battle plans for Kyiv's counteroffensive against Russia, it still contained sensitive information that could harm bilateral ties with allies. The incident underscores the need for better security measures to prevent such leaks from happening again. The Pentagon's review of who has access to sensitive information and how it is distributed is a step in the right direction, but it may require additional measures to prevent future insider threats.
FROM THE MEDIA: The FBI has arrested a 21-year-old Air Guardsman, Jack Teixeira, as part of its investigation into the recent leak of highly classified US intelligence documents. The leak of over 100 documents began on social media, mostly on messaging platform Discord, and later on Telegram and Twitter, and focused on the war in Ukraine, as well as information intercepted by the US from allies such as South Korea and Israel. The leaks contained relatively current material, with files from February and early March, relating to Ukraine's counteroffensive to try to take back territory from Russia. The arrest has raised questions about how a low-level military employee could gain access to some of the US's most sensitive secrets. US officials are assessing the fallout from the leak and trying to understand its full extent.
READ THE STORY: FT
Cyber company Darktrace gets caught up in LockBit gang's apparent blunder
Analyst Comments: The incident involving Darktrace and LockBit highlights the potential for misunderstandings and confusion in the world of ransomware attacks and leaks. The fact that LockBit added Darktrace to its leak site based on mistaken identity underscores the importance of accurate information and intelligence gathering in the fight against cybercrime. Additionally, the incident demonstrates the need for organizations to remain vigilant and prepared in the face of potential cyber threats, and to conduct thorough investigations to confirm or rule out compromises.
FROM THE MEDIA: Darktrace has denied that it was hit by ransomware after being added to the leak site operated by the LockBit gang, who had confused it with the cybersecurity Twitter account Darktracer. LockBit has been criticized for posting test data as it tries to improve its leak site. Darktrace, however, said it was aware it was added to the site, and confirmed that it had no evidence of compromise after reviewing its internal systems. Last year, LockBit added cybersecurity firm Mandiant to its leak site after the company tied the gang to Evil Corp, despite not actually having breached any Mandiant systems.
READ THE STORY: The Record
Items of interest
Chinese Cranes to be Ruled Out
Analyst Comments: The decision by South Korean port authorities to stop using foreign cranes due to security concerns over potential military espionage is a significant development. It highlights the growing awareness of the risks associated with foreign-made technology in sensitive areas such as ports and may prompt other countries to take similar steps to enhance their own security measures. The ongoing investigations by South Korea's National Intelligence Service and the U.S. government into the use of Chinese cranes will likely be closely watched by the global community, and their findings could have far-reaching implications for the industry.
FROM THE MEDIA: The Incheon Port Authority and Busan Port Authority in South Korea have announced that they will prefer domestic cranes in their operator selection processes and exclude foreign cranes from their docks, respectively. This policy change is due to security concerns related to Chinese cranes, as the US government is currently working on countermeasures for these cranes at US ports, claiming that the cutting-edge sensors have been used for military espionage. Shanghai Zhenhua Heavy Industries (ZPMC) is a state-run company that accounts for 80% of port cranes in the US and 48.7% in South Korea. The National Intelligence Service in South Korea is currently investigating this matter, and the results of the investigation will be announced in the first half of this year.
READ THE STORY: Business Korea
Unmasking the Iranian APT COBALT MIRAGE (Video)
FROM THE MEDIA: From operational security failures to a Department of Justice (DOJ) indictment, COBALT MIRAGE likes to blur the lines between espionage and revenue generation. This talk uncovers the tactics, techniques, and procedures deployed by COBALT MIRAGE from incidents worked at Secureworks. It's not often white hats see operational security failures unmask the identity of the adversary and even rarer to see it reflected in a DOJ sentencing. Attendees will learn about the critical role of contractor organizations in Iranian APT groups, crossovers in tooling between APT groups, techniques leveraged by COBALT MIRAGE to compromise organizations, inconsistencies in techniques, and the use of post-exploitation ransomware to generate company-specific revenue.
Brighten Up the Ideal Sky: An Inside View of Charming Kitten’s Operations and Support to the IRGC (Video)
FROM THE MEDIA: The author uses Proofpoint telemetry, reporting, and sensitive collection from adversary infrastructure to examine the various phishing techniques, targeting, and attribution used by the group. The article provides insights into how TA453 deviates from typical tactics to increase its chances of success when targeting high-value individuals. The author combines Proofpoint telemetry with data from TA453's collection to categorize and analyze the group's targeting, which allows for the identification of TA453's priorities and strengthens attribution to the IRGC Intelligence Organization.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.