Daily Drop (481): Telcos need $3B to remove Chinese kit, AI’s ‘godfather’ Geoffrey Hinton quit Google, Iran’s Struggle for Stability, Dragon Breath APT Group Using Double-Clean-App
05-06-2023
Saturday, May 06, 2023 // (IG): BB // Cloak & Dagger // Coffee for Bob
Telcos need another $3B in Uncle Sam's cash to remove Chinese network kit, says FCC
Analyst Comments: The ongoing debate over Huawei and ZTE equipment is not going away anytime soon, with US intelligence officials continuing to express concern over China's tech presence in the country. FCC Chair Rosenworcel's letter highlights a pressing issue for the US government, as a large number of US states continue to buy prohibited Chinese technology despite the ban. Telco network providers are reluctant to take on the financial risk of replacing the Chinese tech infrastructure themselves, which is why they are pushing for federal reimbursement.
FROM THE MEDIA: FCC Chair Jessica Rosenworcel has cautioned US Congress that telco networks and service providers will not begin replacing Huawei and ZTE equipment unless they are guaranteed federal reimbursement. In a letter to Senate Commerce Committee Chair Maria Cantwell, Rosenworcel explained that the shortfall in funding required for this project is significant. She stated that the reimbursement program would need $4.98bn to fund all reasonable and supported cost estimates in the approved applications, reflecting a $3.08bn shortfall from the current appropriation of $1.9bn. The FCC has mostly been funding applicants with two million or fewer customers, as demand exceeds the amount allocated under the Secure and Trusted Communications Networks Act, putting it in danger of missing the looming deadline for telcos to apply for funding.
READ THE STORY: The Register
Why AI’s ‘godfather’ Geoffrey Hinton quit Google to speak out on risks
Analyst Comments: Hinton’s resignation from Google highlights the growing concern over the ethical implications of artificial intelligence. His departure from the tech giant is significant as he is considered a leading figure in the AI world and was responsible for many of Google’s AI advancements. Hinton's concerns about AI are not unfounded, as there are real risks associated with the technology, including job loss and the spread of misinformation. As AI continues to advance, it is essential that industry leaders and policymakers work together to develop appropriate guardrails and regulations to mitigate these risks.
FROM THE MEDIA: Geoffrey Hinton, a revered pioneer of deep learning, has resigned from Google after more than 10 years with the company. Hinton is considered one of the “godfathers” of artificial intelligence and is known for his work on neural networks. His resignation came as a result of growing fears he has regarding the risks of AI to humanity. Hinton is concerned that the development of AI technology without appropriate guardrails and regulations could cause misinformation to flood the public sphere and AI to usurp more human jobs than predicted, leading to increased societal violence. Hinton also raised alarm bells about the longer-term threats posed by AI systems to humans if the technology is given too much autonomy. Hinton’s decision to quit Google was spurred on by an academic colleague who convinced him to speak out about these issues.
READ THE STORY: FT
Iran’s Struggle for Stability & Rising Violence and Killings
Analyst Comments: The situation in Iran is complex and multifaceted, with political conflicts, economic hardships, and religious and ethnic divides contributing to the unrest and violence in the country. The involvement of foreign powers and their agendas in the region has exacerbated the conflict. Addressing economic disparities and providing opportunities for marginalized groups may help alleviate some of the grievances that lead to violence and unrest. Holding accountable those responsible for violence and human rights violations, including government officials, security personnel, and non-state actors, is also critical.
FROM THE MEDIA: Iran has been facing political upheaval, sectarian tensions, and violence for many years, with numerous organizations and factions vying for power and influence. The involvement of foreign powers and their agendas in the region has exacerbated the conflict. In recent days, there have been several high-profile cases of violence and targeted killings in Iran. Despite these challenges, the Iranian government seems committed to a more peaceful future for the country and has been making efforts to improve relations with neighboring nations and establish economic and diplomatic connections with Gulf Arab states.
READ THE STORY: Modern Diplomacy
Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised
Analyst Comments: The incident highlights the importance of strong security measures and password hygiene in preventing unauthorized access to sensitive data. It's also worth noting that the attack was carried out by a penetration tester who had no malicious intent, but it could have easily been an actual cybercriminal who had more nefarious goals. As such, it's essential to take security measures seriously and follow best practices such as using strong and unique passwords, enabling two-factor authentication, and regularly monitoring for suspicious activity.
FROM THE MEDIA: PHP software package repository Packagist has been targeted in an attack where an attacker gained access to four inactive accounts on the platform and hijacked over a dozen packages with over 500 million installs. The attacker forked each package and replaced the package description in composer.json with their own message, but no other malicious changes were made. The package URLs were then changed to point to the forked repositories. The attacker was revealed to be an anonymous penetration tester who wanted to land a job. Packagist restored the packages, and all four accounts were disabled. Users are advised to enable two-factor authentication and avoid reusing passwords.
READ THE STORY: THN
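The Packagist incident changed two things in each hijacked package's metadata: the repository URL was re-pointed to a fork, and the description in composer.json was replaced. A consumer can catch both by diffing a pinned, previously audited copy of that metadata against what the registry currently reports. The script below is an added example written for this digest (not Packagist's or any affected package's own code); the package names, repository URLs and registry records are constructed placeholders, and the "current" view is hand-built to contain one re-pointed package.

```python
"""
Detect Packagist-style package hijacks by diffing a trusted baseline of
package metadata against what the registry currently reports.

Added example, not Packagist's or any package's own code. All records below
are constructed; package and repository names are placeholders.
"""
from urllib.parse import urlparse

# Constructed baseline: metadata pinned when the dependencies were last audited.
BASELINE = {
    "example/http-client": {
        "repository": "https://github.com/example-org/http-client",
        "description": "Lightweight HTTP client",
    },
    "example/yaml": {
        "repository": "https://github.com/example-org/yaml",
        "description": "YAML parser",
    },
}

# Constructed "current" registry view: one package has been re-pointed to a
# fork under a different owner and had its description replaced, the same
# two changes observed in the incident above.
CURRENT = {
    "example/http-client": {
        "repository": "https://github.com/example-org/http-client",
        "description": "Lightweight HTTP client",
    },
    "example/yaml": {
        "repository": "https://github.com/unknown-fork/yaml",
        "description": "This package was changed. Contact me.",
    },
}


def repo_owner(url):
    """Return (host, owner) for a repository URL, lower-cased, so that
    https://GitHub.com/Example-Org/x and https://github.com/example-org/x
    compare equal while a fork under another owner does not."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    owner = parts[0].lower() if parts else ""
    return parsed.netloc.lower(), owner


def audit(baseline, current):
    """Return a list of (package, finding) tuples describing metadata drift.
    A change of repository host or owner is the strongest hijack signal;
    a changed description is reported as a weaker one."""
    findings = []
    for name, pinned in sorted(baseline.items()):
        now = current.get(name)
        if now is None:
            findings.append((name, "missing from registry"))
            continue
        if repo_owner(now["repository"]) != repo_owner(pinned["repository"]):
            findings.append((name, f"repository moved to {now['repository']}"))
        if now["description"] != pinned["description"]:
            findings.append((name, "description changed"))
    return findings


if __name__ == "__main__":
    for pkg, what in audit(BASELINE, CURRENT):
        print(f"{pkg}: {what}")
```

In practice the baseline would be generated from a known-good composer.lock plus the registry's package JSON at audit time, and the audit run before every dependency update; a repository move to a different owner should block the update until someone has confirmed the maintainer actually transferred the project.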
Organizations slow to patch GoAnywhere MFT vulnerability even after Clop ransomware attacks
Analyst Comments: The discovery highlights the need for organizations to take proactive measures in securing their systems and applications, including promptly applying patches and updates to fix known vulnerabilities. Failing to do so can put organizations at risk of a cyber attack and potentially result in significant financial and reputational damage. The fact that other ransomware groups have also been exploiting the vulnerability shows that attackers are actively looking for new attack vectors, making it all the more crucial for organizations to stay vigilant and take proactive measures to ensure their systems are secure.
FROM THE MEDIA: Cybersecurity researchers at Censys have discovered that nearly 30% of the 180 GoAnywhere MFT instances they detected are still vulnerable to a zero-day vulnerability that was first exploited by the Clop ransomware group in February 2023. The discovery is alarming security experts as other ransomware groups have also been exploiting the vulnerability in the web-based file transfer tool that is designed to handle secure transfers of sensitive data for organizations. A patch for the vulnerability was released in February, however, more than 130 organizations were reportedly compromised by the Clop ransomware group after the patch. Censys has urged organizations to apply the patch and avoid exposing administration panels to the internet.
READ THE STORY: The Record
Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry
Analyst Comments: The adoption of new techniques by APT groups like Dragon Breath shows the importance of vigilance on the part of users and IT security teams. The new double-clean-app technique employed by the group could make its attacks more difficult to detect and mitigate, potentially increasing the risks faced by victims. The group's targeting of online gambling and gaming industries highlights the fact that organizations outside the usual high-profile targets of APT groups are at risk. Sophisticated techniques, such as DLL side-loading, continue to be popular because they are difficult to detect and can be used in a range of attack scenarios.
FROM THE MEDIA: Dragon Breath, a China-based advanced persistent threat (APT) group, has been observed using a novel DLL side-loading technique in its attacks. Sophos researcher Gabor Szappanos explained that the latest campaign sees the group using a first-stage clean application to "side-load" a second clean application that automatically executes it. This second application then side-loads the malicious loader DLL, which in turn executes the final payload. Dragon Breath, which is also known as APT-Q-27 and Golden Eye, has been active since 2020, with initial attacks using fake websites hosting Trojanised Windows installers for Telegram. It is believed to be part of a larger group called Miuuti Group, which targets online gaming and gambling industries in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines. The DLL side-loading technique has been prevalent since 2010 and is still an effective way for threat actors to target victims.
READ THE STORY: THN
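Whatever the number of "clean" stages, each side-load in the chain described above leaves the same trace in image-load telemetry: a DLL carrying the name of a Windows system library is loaded from the directory of the executable that loaded it rather than from a system directory. The detection below is an added example written for this digest, not Sophos tooling and not code from the article; it generalizes beyond the Dragon Breath case to any application-directory side-load. The event records are constructed (fields modelled on Sysmon image-load events), and the set of system DLL names is an illustrative subset that a real deployment would build from a clean reference host.

```python
"""
Flag possible DLL side-loading from process image-load events.

Added example, not Sophos's code and not from the article. The events and the
DLL-name list below are constructed for illustration.

Heuristic: a DLL whose file name normally lives in a Windows system directory
is loaded from a non-system path, and that path is the directory of the
loading executable. That is the side-load pattern, and it fires at every
stage of a "double clean app" chain, since each clean application loads its
side-loaded DLL the same way.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Illustrative subset of DLL names that ship in System32 (constructed list;
# derive the real one from a clean reference host).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}

# Constructed image-load events. The first is a normal load; the next two come
# from an executable run out of a user-writable directory that loads a
# system-named DLL from its own folder.
EVENTS = [
    {"pid": 1200,
     "process": "C:\\Program Files\\Vendor\\app.exe",
     "image": "C:\\Windows\\System32\\version.dll"},
    {"pid": 4410,
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup\\clean1.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup\\version.dll"},
    {"pid": 4410,
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup\\clean1.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup\\app2.dll"},
]


def is_side_load(event):
    """True when a system-DLL name is loaded from the loader's own directory
    rather than from a Windows system directory."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    if name not in SYSTEM_DLL_NAMES:
        return False
    if image.startswith(SYSTEM_DIRS):
        return False
    return ntpath.dirname(image) == ntpath.dirname(event["process"].lower())


def find_side_loads(events):
    """Return (pid, process, image) for each event matching the heuristic,
    in input order, so a chain of side-loads shows up as consecutive hits."""
    return [(e["pid"], e["process"], e["image"]) for e in events if is_side_load(e)]


if __name__ == "__main__":
    for pid, proc, img in find_side_loads(EVENTS):
        print(f"pid {pid}: {proc} side-loaded {img}")
```

The same logic ports directly to a SIEM query over image-load events; the useful enrichment is the loading executable's signer, since the technique depends on that executable being a legitimately signed, trusted binary placed next to an attacker-controlled DLL.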
Russia tops national leagues in open-source downloads
Analyst Comments: The Scarf research showing that Russia tops the global table for downloads of open-source software over the last quarter is not entirely surprising. Sanctions may not be the only reason for Russia's accelerating interest in open-source software, and Scarf's data only indicates the number of downloads and does not reveal what software is being downloaded. Nonetheless, the data suggest that Russian organizations are exploring alternatives to proprietary software and considering open-source software as a viable option. Open-source software is a license rather than a product that can be sanctioned, which makes it a suitable option for countries facing trade sanctions. The Scarf data indicates that the number of enterprises downloading open-source software between Q4 2022 and Q1 2023 grew 18.5%, and the increasing trend is likely to continue as more organizations explore the potential of open-source software.
FROM THE MEDIA: According to research by open-source monitoring organization Scarf, Russia has topped the global table for downloads of open-source software over the last quarter. Scarf's research showed the biggest proliferation of downloads took place in Russia, where they grew 320%, followed by Ireland, the Netherlands, and Belgium with increases of 290%, 290%, and 240%, respectively. Scarf tracks around 2,000 FOSS projects and claims to act as a Google Analytics for open-source software. The organization employs a combination of download headers and metadata, along with analysis of documentation, READMEs, and other content. Overall, the number of enterprises downloading open-source software between Q4 2022 and Q1 2023 grew 18.5%, while the total number of downloads by enterprises decreased 26%, owing to the regular cadence of commercial open-source project releases.
READ THE STORY: The Register
European companies form space jam to secure comms sovereignty with satellites
Analyst Comments: The consortium's bid to respond to the EU's call for the IRIS² program may prove to be beneficial for consumers as well as businesses by ensuring they can receive connectivity in hard-to-reach areas. However, the involvement of major European space and telecoms companies may mean that the goal of 30% of the work being carried out by startups may be less likely to be achieved.
FROM THE MEDIA: A consortium of European space and telecom companies has partnered to respond to the European Commission's call for tender on the IRIS² (Infrastructure for Resilience, Interconnectivity and Security by Satellite) program. The group includes Airbus Defence and Space, Eutelsat, Hispasat, SES and Thales Alenia Space, and other technology companies including Deutsche Telekom, OHB, Orange, Hisdesat, Telespazio, and Thales. The aim of IRIS² is to create a space-based system for secure communication so that EU governments and agencies will not have to rely on infrastructure operated by third countries for these services. The project also has the goal of enabling the private sector to operate commercial telecoms services and provide high-speed broadband connectivity in areas that are not well served by terrestrial networks. The costs of delivering the project are estimated to be at least €6 billion ($6.6 billion), with the EU contributing the agreed €2.4 billion.
READ THE STORY: The Register
Chinese VCs Lived the Silicon Valley High Life. Now the Party’s Over
Analyst Comments: The article presents a detailed analysis of the shift in the relationship between Chinese investors and the American tech sector in the late 2010s. It highlights the boom period of Chinese investment in the US, with venture capitalists pouring billions of dollars into American startups and American companies touring Chinese provincial cities. However, the cordial relationship came to a sudden halt when the Trump administration imposed tariffs on Chinese imports and openly shared concerns about China's investments in advanced technologies. The article also highlights the impact of the pandemic on the roadshows and the subsequent decline in Chinese VC investment in US startups.
FROM THE MEDIA: Chinese venture capitalists invested billions of dollars in US startups in the early 21st century, and American companies went on tours of Chinese provincial cities. However, the environment soured quite suddenly late in 2018, with the US government becoming deeply suspicious of any technology linked to China, tightening its controls and threatening to ban companies from its market, making American companies nervous about taking Chinese investment. Chinese venture capitalists still want to put their money to work in America, but the good times are well and truly over. The article describes how many wealthy Chinese people are now looking less at the risks in the US and more at the risks at home.
READ THE STORY: Wired
China labels USA 'Empire of hacking' based on old Wikileaks dumps
Analyst Comments: The investigation by China's National Computer Virus Emergency Response Center and 360 Total Security appears to be propaganda-tinged and does not offer much new information beyond what was leaked in the 2017 WikiLeaks infodump. China's Communist Party has long warned against challenging the legitimacy of governments, and the investigation aims to criticize the US's support for anti-government activists. While the US and China signed a no-hack pact in 2015, both nations continue to use cyber tools to find cracks in the other's defenses.
FROM THE MEDIA: China's National Computer Virus Emergency Response Center and 360 Total Security have conducted an investigation called "The Matrix," which found that the US Central Intelligence Agency (CIA) conducts offensive cyber operations, labeling the US an "Empire of Hacking." The investigation, titled "Empire of Hacking: The US Central Intelligence Agency – Part I," leans heavily on the 2017 WikiLeaks infodump that detailed the "Vault7" trove of exploits the CIA uses to spy on computers, smart TVs, WhatsApp, and other devices. The document also provides a potted history of the CIA's efforts to undermine socialist regimes and the US's development of the TOR protocol. The publication of the investigation was noticed by China's state-controlled news agency Xinhua and the nation's foreign ministry, which demanded that the US stop using cyber weapons to carry out espionage and cyber-attacks globally.
READ THE STORY: The Register
Items of interest
Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN
Analyst Comments: The use of web injects and man-in-the-browser (MitB) attacks is a time-tested tactic that allows malware to inject custom scripts on the client side and intercept traffic to and from the server. The drIBAN attack demonstrates the increasing sophistication of banking trojans, which have now evolved into advanced persistent threats that can bypass anti-fraud systems put in place by banks. The attack highlights the need for banks to invest in anti-fraud measures and improve their cybersecurity posture to protect their corporate clients from financial fraud. It is also essential for users to be vigilant when opening emails, particularly from unknown senders, and to avoid downloading attachments or clicking on links from untrusted sources.
FROM THE MEDIA: Italian corporate banking clients have been targeted by a financial fraud campaign since 2019 that leverages a new web-inject toolkit called drIBAN. The campaign infects Windows workstations in corporate environments, altering legitimate banking transfers by changing the beneficiary and transferring money to an illegitimate bank account controlled by the threat actors. Fraudulent transactions are often realized using the Automated Transfer System (ATS) technique, which can bypass anti-fraud systems put in place by banks. The attack chain begins with a phishing email that comes bearing an executable file, acting as a downloader for the sLoad malware. sLoad is a reconnaissance tool that collects and exfiltrates information from the compromised host. If the target is deemed profitable, a more significant payload like Ramnit is dropped, enabling the hackers to infiltrate the bank’s system.
READ THE STORY: THN
Tracking a hacker who extorted millions through ransomware attacks (Video)
FROM THE MEDIA: We examine the case of a Canadian government worker who had a secret life as a hacker with NetWalker, a criminal ransomware gang. Sebastien Vachon-Desjardins amassed millions of dollars in bitcoin by threatening to expose the private digital information of victims if they didn’t pay up. We reveal how he did it, the digital trail of destruction and how he got caught.
CCP Propaganda: How does U.S. conduct on other countries (Video)
FROM THE MEDIA: China's National Computer Virus Emergency Response Center (CVERC) and 360 Total Security (360) have released a report called "Empire of Hacking: The U.S. Central Intelligence Agency", which details the CIA's cyber-attack weapons, espionage activities, and real cases of incidents occurring in China and other countries. According to the report, the CIA uses cyber attack weapons to steal information and manipulate events secretly for "the benefit" of the U.S., has been involved in attempts to overturn legitimate governments and create disturbances, and has been helped in this pursuit by American technology companies.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.