Daily Drop (477): China’s scrutiny of foreign sleuths, FBI Disrupts Virtual Currency Exchanges, DPRK RokRAT Malware, US Marshals TOG hacked, LOBSHOT: A Stealthy, Financial Trojan
05-02-2023
Tuesday, May 02, 2023 // (IG): BB // Financial Enabler // Coffee for Bob
China’s ‘men in black’ step up scrutiny of foreign corporate sleuths
Analyst Comments: The current situation in China highlights the increasing importance of due diligence work while also underscoring the risks involved. It is understandable that foreign companies are becoming hesitant to invest in China, given the heightened surveillance and regulation of the due diligence industry. This could lead to a chilling effect on foreign investment, making it more difficult for companies to receive vital reports from global due diligence firms. However, the raids also underscore the importance of the due diligence industry in China, as their research into non-public information is crucial for foreign investors.
FROM THE MEDIA: International consultancies operating in China, including Bain, Mintz, Capvision, Control Risks, Kroll, FTI, and Blackpeak, have experienced a growing number of police raids. The due diligence industry in China involves researching non-public information on companies and key managers, making it inherently risky, particularly during the current climate of heightened tension between China and the US. The raids threaten the ability of foreign companies to conduct due diligence through consultants or their own staff, hampering their ability to invest just as Beijing is trying to encourage investment to revive the economy following COVID-19 controls.
READ THE STORY: FT
FBI Disrupts Virtual Currency Exchanges Used to Facilitate Criminal Activity
Analyst Comments: The seizure of these virtual currency exchange services is a significant step in combating the use of cryptocurrency in criminal activities. Noncompliant virtual currency exchanges have become an important hub in the cybercrime ecosystem, and their lax anti-money laundering programs make them co-conspirators in criminal schemes. The FBI's collaboration with international law enforcement agencies is a positive sign of a coordinated effort to combat cybercrime.
FROM THE MEDIA: The FBI, with the assistance of the Virtual Currency Response Team, the Cyber Police Department and Main Investigation Departments of the National Police of Ukraine, and the Prosecutor General’s Office of Ukraine, conducted a coordinated operation that led to the seizure of nine virtual currency exchange services that were being used to facilitate criminal activity. The seized domains, which included 24xbtc.com, pridechange.com, and bitcoin24.exchange, provided anonymous cryptocurrency exchange services to website visitors, many of whom were involved in criminal activities such as ransomware attacks. The investigation is ongoing.
READ THE STORY: DoJ
Jack Dorsey’s Bluesky emerges as latest challenger to Elon Musk’s Twitter
Analyst Comments: Bluesky is a decentralized social media model backed by Twitter's co-founder Jack Dorsey and other board members. It aims to build an interoperable system where no central authority is in control, and users can curate their experiences based on a menu of custom algorithms made by third parties. Bluesky has an ambitious plan to introduce "composable moderation" where users can build their algorithms based on a particular topic or filter out offensive speech. However, it is unclear how this will work in practice, and whether Bluesky will successfully scale up to compete with Twitter and other social media giants. There are also questions regarding the platform's financing and business model, as the company has not yet disclosed how it plans to monetize its services.
FROM THE MEDIA: Bluesky, an independent project initially funded by Twitter, is being touted as a fresh alternative to Twitter and has gained traction among journalists and high-profile individuals in the past month. The platform has about 50,000 users, still far less than social media giants like Twitter and Meta. However, visits to both the desktop and mobile app rose to nearly 1.5mn globally in April, up from less than 300,000 in March and about 15,000 in February, according to digital intelligence group Similarweb. Bluesky looks much like Twitter, and users can post short messages and images, and build up followings. Although it is still invite-only and in beta mode, it is now in the top 10 social networking apps in the Apple app store.
READ THE STORY: FT
North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
Analyst Comments: The use of LNK files as decoys to activate the infection sequences signals ScarCruft's efforts to keep up with the shifting threat landscape. ScarCruft continues to pose a significant threat and has been launching multiple campaigns across platforms, significantly improving its malware delivery methods. The group's targeting of individuals related to North Korea, including novelists, academic students, and business people who appear to send funds back to North Korea, is noteworthy. It is also notable that the group is overseen by North Korea's Ministry of State Security, indicating that its activities are state-sponsored.
FROM THE MEDIA: North Korean cyber espionage group ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, has been experimenting with oversized LNK files to deliver RokRAT malware as early as July 2022. ScarCruft is a threat group that targets South Korean individuals and entities in spear-phishing attacks. The group's primary malware of choice is RokRAT, which is being actively developed and maintained and has been adapted to other platforms such as macOS and Android. RokRAT is capable of carrying out a wide range of activities like credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management. ScarCruft has continued to use macro-based malicious Word documents to drop malware and also uses cloud services like Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud to disguise the command-and-control (C2) communications as legitimate.
READ THE STORY: THN
The computer system used to hunt fugitives is still down 10 weeks after the hack
Analyst Comments: The TOG’s computer system being down for 10 weeks is a significant incident that has affected the Marshals’ ability to track down fugitives. It shows that high-level federal law enforcement agencies are not immune to ransomware attacks. The incident has raised concerns about how to secure critical crime-fighting operations. The Marshals’ refusal to pay any ransom is commendable, but shutting down the entire system has had significant consequences, including wiping the cellphones of those who worked in the hacked system, and clearing out their contacts and emails. The TOG’s pen register/trap and trace technology is critical for tracking down suspects, but the shutdown of the system has affected its ability to conduct real-time data searches.
FROM THE MEDIA: The Technical Operations Group (TOG) of the US Marshals, a unit that tracks criminal suspects through their cellphones, emails, and web usage, has been down for 10 weeks due to a ransomware attack. TOG’s computer system was breached in early February, and the Marshals refused to pay any ransom and decided to shut down the entire system. As a result, one of the Marshals’ best tools for finding fugitives has been incapacitated. The Technical Operations Group has helped the Marshals hunt down high-value suspects in the United States and in other countries. TOG uses what is called pen register/trap and trace to conduct cellphone surveillance, which can also be applied to email accounts and can pull data on the location of a phone or electronic device.
READ THE STORY: The Washington Post
US Treasury and Monetary Authority of Singapore Conduct Joint Exercise to Strengthen Cross-Border Cyber Incident Coordination and Crisis Management
Analyst Comments: The cross-border cybersecurity exercise between the United States Department of the Treasury and the Monetary Authority of Singapore (MAS) is a significant step towards strengthening the cybersecurity partnership between the two countries. It is an essential effort to bolster cybersecurity cooperation and their ability to communicate in response to a significant cross-border incident, ensuring a swift response and effective recovery of affected operations. Given the rising cyber threats targeting financial services and the interconnectedness of the United States and Singapore’s financial ecosystems, such cooperation is essential.
FROM THE MEDIA: The United States Department of the Treasury and the Monetary Authority of Singapore (MAS) recently conducted a cross-border cybersecurity exercise from April 25-27, 2023. The exercise aimed to test and enhance existing protocols for information exchange and incident response coordination for cyber incidents that impact banks operating in both countries. The collaboration is part of the expanded partnership on cybersecurity and operational resilience issues since the formal Memorandum of Understanding (MoU) on Cybersecurity Cooperation between the Treasury and MAS was finalized in August 2021.
READ THE STORY: Treasury
LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads
Analyst Comments: The discovery of the LOBSHOT malware strain, which leverages Google ads to distribute malware, is a significant development that highlights the persistent threat that TA505 and other financially motivated e-crime syndicates pose to organizations. The use of dynamic import resolution, anti-emulation checks, and string obfuscation by LOBSHOT to evade detection by security software makes it a potent threat. Additionally, LOBSHOT’s ability to remotely access the compromised host via an hVNC module and stealthily perform actions on it without attracting the victim's attention is a significant concern.
FROM THE MEDIA: A new Windows-based financial trojan and information stealer called LOBSHOT has been discovered by Elastic Security Labs researchers. LOBSHOT has been distributed via rogue Google ads for legitimate tools like AnyDesk hosted on a network of lookalike landing pages maintained by the operators. The malware is attributed to a threat actor known as TA505, which is associated with the Dridex banking trojan, and is a financially motivated e-crime syndicate that overlaps with activity clusters tracked under the names Evil Corp, FIN11, and Indrik Spider. The malware incorporates dynamic import resolution, anti-emulation checks, and string obfuscation to evade detection by security software. Once installed, it makes Windows Registry changes to set up persistence and siphons data from over 50 cryptocurrency wallet extensions present in web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox. LOBSHOT’s core capability is around its hVNC component that allows for direct and unobserved access to the machine.
READ THE STORY: THN
Orbiting satellites hacked in real-time to test cyber resiliency
Analyst Comments: The demonstration highlights the need for the space industry to prioritize cybersecurity at every stage of the satellite's life cycle, from initial design to maintenance. The potential for adversarial nation-states to hack into aging satellites and disrupt critical services on Earth is a growing concern, as evidenced by the Russian-led invasion of Ukraine, where the Kremlin disrupted the KA-SAT network, causing outages to thousands of Ukrainians extending throughout parts of Europe. China has also declared war on Elon Musk’s Starlink program and is developing its own fleet of satellites equipped with new AI weapons to compete with it.
FROM THE MEDIA: The European Space Agency (ESA) hired ethical hackers to compromise a demonstration satellite during the CYSAT cybersecurity and space industry event held in Paris. Thales, a Paris-based digital technology firm, provided a four-person research team that took full control of the demonstration satellite, including its onboard camera, the global positioning system, and the attitude control system. They were also able to compromise data being sent back to Earth and conceal their activities to avoid detection by the ESA. The team used standard access rights to gain control of the satellite's application environment and exploited several vulnerabilities to introduce malicious code into the nanosatellite's systems. The demonstration was intended to raise awareness of potential flaws and vulnerabilities in the space industry, with the ultimate goal of improving the cyber resilience of satellites and space programs.
READ THE STORY: Cybernews
FBI adapting to 'growing' threat from Chinese cyber activity, senior official says
Analyst Comments: The threat of cyberattacks from China has been a growing concern for several years, and the FBI’s recent warnings demonstrate that the problem is only increasing. Beijing has repeatedly been accused of supporting state-sponsored hacking, with authorities in Taiwan reporting as many as 40 million attempted cyberattacks every month from Beijing. Kaiser’s remarks and Wray’s testimony are likely to prompt calls for greater investment in the US’s cybersecurity capabilities to counter the Chinese threat. With the 2024 presidential election looming, the risk of cyberattacks that could undermine confidence in the electoral process is a significant concern.
FROM THE MEDIA: The US is facing an escalating threat posed by malicious cyber activities by China, according to Cynthia Kaiser, Deputy Assistant Director of the FBI’s Cyber Division. Kaiser said that the Chinese state was using cyber operations at the same time as intelligence operations, blending their efforts to achieve their goals. FBI Director Christopher Wray has testified that the agency’s cyber personnel devoted to the China threat are outnumbered “50 to 1” by Chinese hackers. The overall number of agency investigations into threats from Beijing has grown by 1,300% over the last decade.
READ THE STORY: The Record
New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks
Analyst Comments: The discovery of the new malware toolkit targeting enterprise networks highlights the importance of continuous monitoring and detection of anomalous activity to identify and mitigate potential cyber threats. The attackers' use of sophisticated tactics such as DNS query dribbling and DNS tunneling underscores the need for cybersecurity professionals to remain vigilant and stay up-to-date with the latest attack techniques.
FROM THE MEDIA: Infoblox, a cybersecurity firm, has identified a new malware toolkit called Decoy Dog that targets enterprise networks. The toolkit is highly sophisticated and utilizes techniques such as strategic domain aging and DNS query dribbling to avoid detection. One of its main components is Pupy RAT, an open-source trojan that uses DNS tunneling to drop payloads stealthily. While Pupy RAT has been previously linked to nation-state actors from China, there is no evidence to suggest the involvement of any actor in this campaign. Infoblox has found that the Decoy Dog operation had been set up at least a year before its discovery, with three distinct infrastructure configurations identified so far. Although its usage in the wild is "very rare," the toolkit's unique characteristics make it easily identifiable.
READ THE STORY: THN
The Untold Story of the Boldest Supply-Chain Hack Ever
Analyst Comments: In 2020, it was discovered that a group of hackers had carried out one of the most sophisticated cyberespionage campaigns in history. The perpetrators hacked a company called SolarWinds and gained access to thousands of its customers, including eight federal agencies such as the US Department of Defense and the Treasury Department, as well as top tech and security firms like Intel and Cisco. The hack remained undiscovered for six months until investigators finally cracked it. The investigation revealed the perpetrators used a technique called a Golden SAML attack, which is a sophisticated method for hijacking a company's employee authentication system. The hackers were able to seize control of workers' accounts, grant those accounts more privileges, and even create new accounts with unlimited access.
FROM THE MEDIA: The article details the story of the SolarWinds hack, one of the most significant cyber espionage campaigns of the decade that came to light in December 2020. The article reveals how the hackers managed to breach SolarWinds' software and gain access to thousands of the company's customers, including several federal agencies, top tech and security firms, and consulting companies such as Mandiant. The article also outlines how investigators from Mandiant, Microsoft, and other organizations discovered the extent of the breach and the techniques used by the hackers.
READ THE STORY: Wired
UK pension funds warned to check on clients’ data after Capita breach
Analyst Comments: This article highlights the potential data breach at Capita, the UK's largest outsourcing company, which has contracts to administer payment systems for over four million individuals. The article notes that while Capita initially stated there was no evidence of data compromise, it later admitted that some data exfiltration had occurred. The Pensions Regulator has warned pension fund trustees to check if their customers' data was affected, which highlights the severity of this incident. The potential consequences of this data breach are serious, given the sensitive nature of pension fund data. Capita's numerous contracts in the public sector, including with the Ministry of Defence, also raise concerns about potential compromises of sensitive information relating to these contracts.
FROM THE MEDIA: Hundreds of UK pension funds have been warned to check if their customers’ data was compromised in a hack at Capita, the country’s largest outsourcing company, which administers payment systems for more than four million pensioners in the UK. Capita recently confirmed it was investigating the apparent theft of data by a ransomware group known as Black Basta. The Pensions Regulator has written to the trustees of hundreds of pensions urging them to find out whether their data has been affected. Capita originally said it had “no evidence” of data being compromised, but subsequently said that “limited data exfiltration” had been found from some affected servers.
READ THE STORY: The Record
Russia is preparing a pilot introduction of the digital ruble
Analyst Comments: The Russian Central Bank's announcement that the digital ruble will be offered to everyone after testing it among a narrow circle of real customers is a significant development in the country's financial sector. The decision is in line with the global trend of developing CBDCs and promoting financial inclusion. However, the concerns raised by Michael Greenwald about the use of digital currencies to operate outside the dollar are valid and need to be considered by policymakers.
FROM THE MEDIA: Russia's Central Bank Governor, Elvira Nabiullina, has announced that the digital ruble will be offered to everyone after being tested among a narrow circle of real customers. She explained that the digital ruble is a third form of money that will circulate in parallel with cash and non-cash funds, and each user will decide which form to use. The concept of the digital ruble was introduced by the Russian Central Bank in October 2020, and it will take the form of a unique digital code kept in a special digital wallet. Central Bank Digital Currencies (CBDCs) are being developed by many central banks worldwide, with their advocates saying they can promote financial inclusion and facilitate cross-border transactions. However, former US Treasury official Michael Greenwald believes that it could be a problem for the US if Russia, China, and Iran use their digital currencies to operate outside the dollar.
READ THE STORY: The European Times
Critical infrastructure: Keeping up with cybersecurity risks
Analyst Comments: The increasing frequency and sophistication of cyberattacks on critical infrastructure in the MENA region underscore the importance of investing in cybersecurity measures. The projected growth in cybersecurity spending in the region and the integration of AI technology into cybersecurity systems are positive developments that can enhance the detection and prevention of cyber threats. However, the region's public sector remains the biggest spender on cybersecurity, indicating that the private sector may need to step up its efforts to protect itself against cyber threats. Additionally, the rising cyberattacks against oil and gas installations and utilities highlight the need for continued government investments to enhance responsiveness and security.
FROM THE MEDIA: Jyoti Lalchandani, Group Vice President and Regional Managing Director for the META region at IDC, stated that with the increasing frequency and complexity of cyber-attacks on IT and OT systems, it is now more critical than ever to remain vigilant and take proactive measures to safeguard critical infrastructure, such as oil and gas installations or utilities. Lalchandani expects cybersecurity spending in the region to reach $5 billion in 2023, with a compound annual growth rate of 7-8%. He also highlighted that AI technology will be integrated into more cybersecurity systems to enable predictive analytics to anticipate and prevent future attacks.
READ THE STORY: ZAWYA
Germany Justifies Expulsion of Russian Diplomats Over Espionage Threats
Analyst Comments: The explanation by Germany sheds light on the reason for the diplomatic spat with Russia, and highlights the growing concern of Russian espionage in Germany. The move by Germany to expel Russian diplomats to reduce the presence of intelligence services reflects the broader concern of European nations over the activity of Russian intelligence services in their respective countries. The incident also underlines the ongoing geopolitical tensions between Russia and Germany, which have intensified in the wake of Russia’s military aggression in Ukraine.
FROM THE MEDIA: Germany has explained the reason for its expulsion of Russian diplomats last month, stating that the action was taken to reduce the presence of intelligence services in the country. The Foreign Ministry justified the decision by stating that the activity of the expelled diplomats was not in line with their diplomatic status. This comes after Germany expelled some 40 Russian diplomats in the spring of 2022, and a German reserve officer received a suspended prison sentence of a year and nine months for spying for Russia.
READ THE STORY: VOA
Items of interest
Feds rethink warrantless search stats and – oh look, a huge drop in numbers
Analyst Comments: While the decline in the number of warrantless searches is encouraging, privacy advocates maintain that Section 702 needs a major overhaul to prevent further unconstitutional surveillance. They argue that even 119,383 searches represent hundreds of thousands of searches for Americans' private wireless data. The fact that this was being framed as a major decline highlights the need for reform of the Section 702 provision of the Foreign Intelligence Surveillance Act (FISA). The power is set to expire at the end of the year unless Congress renews it.
FROM THE MEDIA: The annual report by the Office of the Director of National Intelligence revealed a sharp drop in the number of warrantless searches of US residents' communications by the FBI last year, from about 3.4 million in 2021 to 119,383 in 2022. However, privacy advocates have argued that the number of people still caught up in the FBI's domestic surveillance efforts is likely tens of thousands more than it should be. The report attributes the decline to changes in the methodology used to calculate the number of Section 702 searches, as well as new processes implemented by the FBI around Section 702 searches, including mandatory query training and "enhanced approval requirements for certain 'sensitive' queries."
READ THE STORY: The Register
Deep Dive OSINT (Hacking, Shodan, and more!) (Video)
FROM THE MEDIA: People really do share too much information on social media (even on ships!). That makes it too easy to find them and know what technology they are using - don't overshare and don't use default passwords. Don't connect insecure systems to the Internet as tools such as Shodan make it easy to find them. This does affect ICS systems and other systems that control a ship.
Hacking IoT devices with Python (Video)
FROM THE MEDIA: Internet of Things (IoT) devices often have very poor security. It's important to be aware of their vulnerabilities - make sure you put those devices on a separate VLAN. Don't trust that your IoT devices have the necessary security to be trusted on networks that carry confidential or important data.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.