Daily Drop (483): China Raids Capvision, Nakasone Cyber Strategy, SideWinder's Polymorphism, China Export Controls, Dallas Ransomware, SideCopy RAT, China Urges US
05-09-2023
Tuesday, May 09, 2023 // (IG): BB // Cloak & Dagger// Coffee for Bob
China Raids Offices of Business Consultancy Capvision
Analyst Comments: The crackdown on foreign businesses, driven by national security concerns, comes amid a larger effort by President Xi Jinping’s government to tighten control over entrepreneurs, root out official corruption, and reduce reliance on foreign technology and expertise. However, this move threatens to undercut China’s attempts to persuade foreign businesses to reinvest in China and help revive its economy. The motivations behind the raids on companies like Capvision are unclear, and some concerns have been raised about the broad definition of national security in China's counterespionage law, which may lead to arbitrary and overly broad interpretations.
FROM THE MEDIA: Chinese authorities have raided the offices of business consulting firm Capvision in Beijing, Shanghai, and other Chinese cities as part of a crackdown on foreign businesses that provide sensitive economic data. The crackdown is driven primarily by national security considerations as China tightens control over businesses. Capvision is accused of facilitating espionage and of operating outside legal limits, and investigations have been opened into the company and the personnel involved. Chinese authorities allege that domestic consulting companies have weak awareness of national security and seek to profit by stealing intelligence and information pertaining to China's military industry, economy, and finance. Capvision has not commented on the raids. Eric Zheng, President of the American Chamber of Commerce in Shanghai, has called for more transparency about law enforcement actions against companies such as Capvision that carry out due diligence.
READ THE STORY: NYTIMES // VOA
Nakasone on the military’s cyber strategy, surveillance powers, and ‘hunt forward’ missions
Analyst Comments: Gen. Paul Nakasone's comments offer a useful snapshot of U.S. government cybersecurity priorities. His remarks on the forthcoming DoD cyber strategy, with its emphasis on agility and partnerships, reflect a threat landscape that changes faster than strategy documents and the need for organizations to cooperate against common adversaries. His warning about Section 702 of the Foreign Intelligence Surveillance Act, which lapses at the end of 2023 unless Congress reauthorizes it, underscores how heavily U.S. intelligence collection relies on that authority. His comments on Cyber Command's continued support for Ukraine and its work to counter Russian digital operations likewise underscore the value of international cooperation in cybersecurity.
FROM THE MEDIA: U.S. Cyber Command Gen. Paul Nakasone recently spoke with reporters following his keynote address at Vanderbilt University's Summit on Modern Conflict and Emerging Threats. During the discussion, Nakasone touched on several cybersecurity topics, including the upcoming release of the Pentagon's latest cyber strategy, the potential expiration of Section 702 of the Foreign Intelligence Surveillance Act, Cyber Command's support for Ukraine's digital defenses, Russian hackers' possible use of generative artificial intelligence for influence operations, and NATO's response to digital attacks. Nakasone said the Pentagon's latest cyber strategy is not dramatically different from the 2018 version, but he anticipates a greater emphasis on agility and on fostering international partnerships, particularly with allies, to better counter adversaries. He also expressed concern over the potential expiration of Section 702, noting that the U.S. intelligence community would suffer without it.
READ THE STORY: The Record
Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique
Analyst Comments: BlackBerry's attribution to SideWinder is a reminder that long-running APT groups keep refining their delivery chains rather than their implants. Server-based polymorphism means the server hands each victim a uniquely built next-stage payload, so every download has a different file hash; hash blocklists and per-sample signatures will always lag behind it, and defenders should key on invariants instead, such as the decoded payload's behavior, the C2 infrastructure, and the delivery pattern. Ongoing India-Pakistan tension is the obvious driver for the targeting of Pakistani government organizations; the separate Turkish campaign suggests the group's collection interests extend beyond its immediate region.
FROM THE MEDIA: Canadian cybersecurity company BlackBerry has attributed to the SideWinder advanced persistent threat (APT) group a campaign, running since November 2022, that deployed a backdoor against Pakistani government organizations. According to the BlackBerry Research and Intelligence Team, the group used a server-based polymorphism technique to deliver the next-stage payload, so that each retrieval yields a differently built file. In a separate campaign discovered by BlackBerry in March 2023, the group targeted Turkey. SideWinder has been tracked since at least 2012 and is suspected to be an Indian state-sponsored actor. It has historically targeted entities across South, Southeast and East Asia, including in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.
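The following is an added illustration of what server-based polymorphism does to hash-based indicators; it is not SideWinder's code and does not reproduce the wrapper BlackBerry observed. The PV1 wrapper format, the XOR-plus-junk scheme, the seed parameter and the stand-in payload are all constructed for the example.

```python
"""Server-side polymorphism, illustrated: every download of the same second-stage
payload is wrapped differently, so the file hash changes on each request while
the decoded content (the thing worth detecting) does not.

Added example. Not SideWinder's code; wrapper format and payload are constructed."""
import hashlib
import random

# Constructed stand-in for a second-stage payload.
CORE_PAYLOAD = b"STAGE2: resolve C2, fetch tasking, execute"
MAGIC = b"PV1"  # hypothetical wrapper marker


def polymorphic_variant(core: bytes, seed: int) -> bytes:
    """Build one per-request variant: XOR the core with a fresh one-byte key and
    append a random-length junk tail. `seed` stands in for whatever per-request
    state the server uses; a real server would draw from a CSPRNG instead."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)                      # never 0, or the XOR is a no-op
    junk = bytes(rng.getrandbits(8) for _ in range(rng.randrange(16, 80)))
    body = bytes(b ^ key for b in core)
    return MAGIC + bytes([key]) + len(body).to_bytes(4, "big") + body + junk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def recover_core(variant: bytes) -> bytes:
    """Strip the wrapper and undo the XOR. The result is the invariant across
    all variants, which is what a detection should key on."""
    if not variant.startswith(MAGIC) or len(variant) < len(MAGIC) + 5:
        raise ValueError("not a PV1 wrapper")
    key = variant[3]
    n = int.from_bytes(variant[4:8], "big")
    body = variant[8:8 + n]
    if len(body) != n:
        raise ValueError("truncated body")
    return bytes(b ^ key for b in body)


def hash_ioc_matches(variant: bytes, blocklist: set) -> bool:
    """Classic hash-based IOC: only ever matches the exact sample it was cut from."""
    return sha256_hex(variant) in blocklist


def structural_ioc_matches(variant: bytes, known_core: bytes) -> bool:
    """Content-based check on the decoded payload; survives re-wrapping."""
    try:
        return recover_core(variant) == known_core
    except ValueError:
        return False


def demo() -> dict:
    """Two requests for the same payload: the hash IOC taken from the first
    misses the second, the structural check catches both."""
    first = polymorphic_variant(CORE_PAYLOAD, seed=1)
    second = polymorphic_variant(CORE_PAYLOAD, seed=2)
    blocklist = {sha256_hex(first)}
    return {
        "hashes_differ": sha256_hex(first) != sha256_hex(second),
        "hash_ioc_catches_second": hash_ioc_matches(second, blocklist),
        "structural_ioc_catches_second": structural_ioc_matches(second, CORE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two checks is the operational one: a hash harvested from one victim's download is useless against the next victim's download, whereas anything that survives the wrapper (the decoded stage, its behavior, the C2 it calls) keeps matching. Real-world wrappers are more elaborate than a one-byte XOR, but the asymmetry is the same.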
READ THE STORY: THN
Updated View On Semi-Cap Export Controls And China Revenues
Analyst Comments: This article offers a thorough examination of the current state of the semiconductor industry, with a focus on the effects of US-led containment policies and China's responses. It discusses the difficulties faced by companies involved in chipmaking and tool-making, as well as the actions taken by various governments to support their domestic industries. Additionally, the article provides predictions for future trends in the industry, such as the continued demand for foreign-made semi-manufacturing equipment in China and the emergence of competition from Chinese counterparts.
FROM THE MEDIA: US-led containment policies toward China's semiconductor industry face skepticism from the industry but enjoy strong political support. Chinese countermeasures are expected to be moderate, given China's continued reliance on foreign technology. Chinese tool-makers stand to benefit from supportive domestic policies, while foreign OEMs are still likely to grow in the mid-term even as China narrows the technology gap. The article also assesses the impact of export controls, and of possible Chinese countermeasures, on semi-cap revenues.
READ THE STORY: Seeking Alpha
Dallas courts, fire, and police networks are still crippled by a ransomware attack
Analyst Comments: The ransomware attack on the City of Dallas underscores the growing threat to public sector entities, where disruption reaches critical services, including emergency dispatch. Recovery is likely to cost the city millions of dollars in remediation and IT upgrades regardless of whether any ransom is paid. The incident also highlights the need for segmented networks, tested offline backups, manual fallback procedures for dispatch, and rehearsed incident response in government agencies.
FROM THE MEDIA: All municipal courts in Dallas will remain closed on Monday because of the ransomware attack announced last week. The Royal ransomware gang has claimed responsibility, and its ransom note was printed on city printers throughout the week. Although city officials said the recovery effort was slowly progressing, the fire and police departments reported serious operational problems as a result of the attack. According to the city, staff and vendors worked "throughout this weekend to ensure progress toward service restoration" and have prioritized restoring Computer Aided Dispatch, one of the systems that underpins the 911 and 311 services. Other city services such as water utilities and libraries remain operational, but all are experiencing problems with bill payment and other digital systems.
READ THE STORY: The Record
SideCopy Using Action RAT and AllaKore RAT to Infiltrate Indian Organizations
Analyst Comments: The continued activity of SideCopy, a suspected Pakistan-aligned threat actor, against Indian targets underscores the persistence of regional cyber espionage. Spear-phishing with decoys themed on the Indian government and defence forces, used to drop several malware families, shows a patient and well-resourced operator. That the campaign ran for months against Indian users before being publicly reported argues for Indian organizations to hunt for the published C2 indicators rather than wait for alerts. The outbound connections Team Cymru observed from one C2 address to an address geolocated in Pakistan are consistent with the suspected origin, but infrastructure geolocation alone is weak evidence of state sponsorship; it can reflect a VPN exit, a rented server or a deliberate false flag as easily as an operator's location.
FROM THE MEDIA: The suspected Pakistan-aligned cyber espionage group SideCopy has been observed using themes related to India's Defence Research and Development Organisation (DRDO) in a phishing campaign that delivers a payload capable of harvesting sensitive information. The group, suspected of links to the Pakistani government, has been active since at least 2019 and overlaps with another Pakistani crew, Transparent Tribe. Several cybersecurity firms have previously reported SideCopy's use of DRDO-themed decoys for malware distribution. The latest attack sequence documented by Fortinet led to the deployment of an unspecified remote access trojan capable of communicating with a remote server and launching additional payloads. Further analysis of the command-and-control infrastructure by Team Cymru identified outbound connections from one of the C2 server IP addresses to another address geolocated in Pakistan. As many as 18 distinct victims in India were detected connecting to C2 servers associated with Action RAT, and 236 unique victims, also in India, connecting to C2 servers associated with AllaKore RAT.
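The Team Cymru observation above is an infrastructure pivot: start from the C2 servers the victims talk to, then look at what those servers themselves connect out to. The following is an added example of that pivot over flow records; it is not Team Cymru's tooling or data. All addresses are RFC 5737 test ranges, the flow records, the family labels and the geolocation table are constructed, and the victim counts it produces bear no relation to the 18 and 236 reported.

```python
"""Pivot from victim->C2 flows to the C2 servers' own outbound connections.

Added example; constructed flows, constructed geolocation table, RFC 5737 addresses."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (start, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("2023-05-01T10:00:00Z", "192.0.2.10",  "203.0.113.5",    443,  1200),
    ("2023-05-01T10:00:05Z", "192.0.2.11",  "203.0.113.5",    443,   900),
    ("2023-05-01T10:01:00Z", "192.0.2.10",  "203.0.113.5",    443,   300),  # same victim again
    ("2023-05-01T10:02:00Z", "192.0.2.20",  "203.0.113.9",   8080,  4000),
    ("2023-05-01T10:03:00Z", "203.0.113.5", "198.51.100.77",   22, 65000),  # C2 -> upstream host
    ("2023-05-01T10:04:00Z", "203.0.113.5", "198.51.100.2",   443,   500),  # C2 -> unrelated host
    ("2023-05-01T10:05:00Z", "192.0.2.30",  "203.0.113.9",   8080,   100),
]

# C2 addresses already tied to a RAT family (constructed labels).
C2_FAMILY = {"203.0.113.5": "Action RAT", "203.0.113.9": "AllaKore RAT"}

# Constructed geolocation table: prefix -> ISO country code.
GEO = {
    "192.0.2.0/24": "IN",
    "203.0.113.0/24": "DE",
    "198.51.100.77/32": "PK",
    "198.51.100.2/32": "US",
}


def geolocate(ip: str) -> str:
    """Longest-prefix lookup in the constructed table; 'ZZ' when unknown."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "ZZ", -1
    for prefix, country in GEO.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = country, net.prefixlen
    return best


def unique_victims_per_family(flows, c2_family) -> dict:
    """Count distinct source addresses talking to each family's C2 servers."""
    victims = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if dst in c2_family:
            victims[c2_family[dst]].add(src)
    return {family: len(srcs) for family, srcs in victims.items()}


def c2_outbound(flows, c2_family) -> list:
    """Flows where a known C2 server is the *source*: the pivot to upstream hosts.
    Victims and other C2s are excluded as destinations so tasking replies and
    C2-to-C2 traffic are not mistaken for operator access. Heaviest session first."""
    victims = {src for _, src, dst, _, _ in flows if dst in c2_family}
    out = []
    for start, src, dst, port, nbytes in flows:
        if src in c2_family and dst not in victims and dst not in c2_family:
            out.append({"start": start, "c2": src, "family": c2_family[src],
                        "upstream": dst, "country": geolocate(dst),
                        "port": port, "bytes": nbytes})
    return sorted(out, key=lambda r: r["bytes"], reverse=True)


def upstream_in_country(flows, c2_family, country: str) -> list:
    """Narrow the pivot to upstream hosts geolocated in one country."""
    return [r for r in c2_outbound(flows, c2_family) if r["country"] == country]


if __name__ == "__main__":
    print(unique_victims_per_family(FLOWS, C2_FAMILY))
    for row in c2_outbound(FLOWS, C2_FAMILY):
        print(row)
```

The filter in c2_outbound is the part that matters: without excluding victims and sibling C2s, the pivot returns the C2's replies to its own implants and calls them "upstream". Even after filtering, a hit in a given country is a lead for further collection (hosting records, certificate reuse, timing), not an attribution on its own.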
READ THE STORY: THN
China Signals Spying Fears Amid Probe of Consulting Firms
Analyst Comments: The investigation into China's due-diligence industry is part of Beijing's broader effort to limit foreign influence and protect what it defines as national security. Due diligence is a routine part of business dealings, but consulting firms that gather information in sensitive sectors sit close to the line Beijing has now drawn, and the broad definition of national security in the counterespionage law leaves the line itself uncertain. The investigations have already disrupted international consulting firms' China operations and, together with the wider crackdown and tightened regulation, have left foreign investors questioning the viability of doing business in China. Authorities have emphasized that they will take whatever measures they consider necessary, so increased scrutiny of foreign businesses and consultancies should be expected.
FROM THE MEDIA: China has initiated a nationwide investigation into whether the due-diligence industry, which serves Western businesses in China, has been used for foreign espionage. The investigation was signaled through state-run media, including China Central Television, and other official news outlets, which have accused profit-oriented consulting firms of having weak awareness of China's national security concerns, and of frequently operating at the edge of legality to gather information in sensitive sectors of the military, defense industry, economy, and finance. Police have visited firms and in some cases, detained staff members. The investigation has affected the local operations of international consulting firms in China and is part of Beijing's efforts to limit foreign influence in China, including information gathering, by tightening government control over a wider swath of data and digital activities in the name of national security. The Wall Street Journal reported late last month that police questioned local employees of Capvision, a company in the sector that was founded in China and is jointly headquartered in Shanghai and New York, about the names of Chinese experts in its network.
READ THE STORY: WSJ
Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
Analyst Comments: Exploitation of CVE-2023-27350 by Iranian state-sponsored groups, arriving after the ransomware crews that picked it up first, shows the usual progression once a proof of concept is public: a vulnerability exploited by one class of actor is soon exploited by all of them, and the patch window is measured in days. Organizations running PaperCut MF or NG should confirm they are on the fixed releases (20.1.7, 21.2.11, 22.0.9 or later) and that the application server's web interface is not reachable from the internet. Microsoft's observation that Iranian actors pair intrusions with multi-pronged influence operations is also worth noting: a compromise by these groups may be intended for disclosure or disruption rather than quiet collection.
FROM THE MEDIA: Iranian nation-state groups Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) have been actively exploiting CVE-2023-27350, a critical vulnerability in PaperCut print management software, according to Microsoft's threat intelligence team. CVE-2023-27350 (CVSS 9.8) lets an unauthenticated attacker bypass authentication on the PaperCut application server and execute arbitrary code with SYSTEM privileges. The flaw was reported through Trend Micro's Zero Day Initiative and a patch was made available on March 8, 2023. Microsoft has observed both groups using the vulnerability for initial access. Mango Sandstorm is linked to Iran's Ministry of Intelligence and Security, while Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps.
READ THE STORY: THN
Key Insights from the Cyberattack on Viasat's Satellites by Russian Hackers
Analyst Comments: The summary gives a compact overview of the CYSAT takeaways: the vulnerability exploited by the attackers, the importance of post-incident communication, policymakers' acknowledgment of cybersecurity risk to commercial satellite systems, the need to segregate military and civilian infrastructure, and the urgency of building a sovereign European telecommunications satellite industry. The first point is the one defenders can act on now: the entry point was a VPN appliance on the ground network, not anything in orbit, and the same appliance patching and exposure hygiene that protects any enterprise applied here.
FROM THE MEDIA: The February 24, 2022 cyberattack on Viasat's KA-SAT satellite network, in which the AcidRain wiper disabled tens of thousands of modems in Ukraine and elsewhere in Europe, was attributed to Russia by nearly 20 countries, including the Five Eyes and a dozen EU member states. During the CYSAT event in Paris, cybersecurity experts discussed the incident and identified several takeaways. First, the attackers exploited a known vulnerability in a Fortinet virtual private network (VPN) appliance to reach the management segment of the KA-SAT ground network. Second, post-incident communication is critical to enable effective technical forensics and better incident response. Third, the Viasat attack led European policymakers to acknowledge the cybersecurity risks of commercial telecommunication satellite systems, particularly during armed conflict. Fourth, military and civilian infrastructure must be better segregated and the cybersecurity posture of the whole space industry improved. Finally, the EU should prioritize building a sovereign telecommunications satellite industry to avoid relying on commercial companies.
READ THE STORY: InfoSecMag
Europe and Japan let down the U.S. and opposed its offer to Russia
Analyst Comments: The article offers one account of why Japan and Europe rejected the US proposal. It should be read with the source in mind: Baijiahao is a Baidu-hosted content platform whose contributors may have their own interest in portraying a decline of American power, and the article offers no evidence for its claim that US allies have lost trust in Washington. The rejection may rest on other factors, including the impact on the allies' own economies and their relations with Russia.
FROM THE MEDIA: An article on the Chinese platform Baijiahao reports that a United States proposal for a complete ban on exports to Russia was rejected by Japan and Europe. A comprehensive ban would be a significant departure from previous targeted sanctions, extending to areas such as agriculture and healthcare. The US expected its allies to support the initiative, but both Japan and the EU declined to introduce the measure. According to insiders cited by the article, Tokyo and Brussels agreed that "a total ban on exports to Russia is impossible." The article argues that the shared refusal demonstrates the decline of American power and highlights a split within the G7.
READ THE STORY: Modern Diplomacy
As ransomware data remain ‘fuzzy,’ US cyber leaders see reasons for optimism
Analyst Comments: The article reports on a discussion between two of the most senior cybersecurity officials in the United States about the persistent ransomware threat. Despite government efforts, including legislation mandating incident reporting and the creation of a Joint Ransomware Task Force, attacks continue and may be rising. CISA director Jen Easterly notes that the number of incidents is hard to assess while mandatory reporting is not yet in force, but stresses the importance of raising awareness and of measures that reduce the prevalence and impact of ransomware. U.S. Cyber Command and NSA chief Gen. Paul Nakasone highlights collaboration between agencies and with international partners, but cautions that ransomware is unlikely to disappear soon. Until the reporting rule takes effect, counts drawn from leak sites and vendor telemetry will remain the best available, if biased, measure of the problem.
FROM THE MEDIA: At a recent cybersecurity conference, US Cyber Command and NSA chief Gen. Paul Nakasone and CISA director Jen Easterly described ransomware as a persistent threat but expressed optimism that existing and recently launched efforts would help counter it. Both acknowledged the near-daily reports of ransomware attacks; Nakasone argued that existing techniques can still be brought to bear against the groups behind them. Easterly said her agency remains on track to publish the final rule for the incident reporting regime in September 2025.
READ THE STORY: The Record
China clamps down on access to public data to counter US think tank intel
Analyst Comments: The Wall Street Journal's report highlights China's increased efforts to control access to its databases and tighten its grip on Western narratives concerning China. By doing so, Beijing is likely aiming to prevent the U.S. from acquiring sensitive information that could be used against China's national security interests. The move comes amid increasing tensions between the U.S. and China, with both countries competing for technological dominance and seeking to limit each other's access to valuable information.
FROM THE MEDIA: China is clamping down on foreign data procurement, partially motivated by U.S. think tank efforts to monitor hard-to-find information on Beijing and its "military-civil fusion" strategy, according to a report by the Wall Street Journal. China has recently taken steps to restrict overseas access to its databases and tighten its control over Western narratives related to China. The increased restrictions are apparently due to mounting concern among top Chinese officials over the intelligence that U.S. analysts have been able to gather by using publicly available information. China’s push toward a "military-civil fusion" has been of particular interest to U.S. think tanks.
READ THE STORY: Yahoo News
New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks
Analyst Comments: CACTUS is another reminder that unpatched vulnerabilities in popular VPN appliances remain the preferred initial access route for ransomware operators. The double-extortion model means data is stolen before it is encrypted, so restoring from backup does not end the incident. The toolset is conventional: Cobalt Strike and Chisel for command-and-control and tunneling, AnyDesk and similar RMM software for persistent hands-on access, PowerShell for discovery and encryption, and disabling or uninstalling security tools for evasion. Several steps leave detectable traces: new local accounts, scheduled task creation, a 7-Zip extraction followed immediately by deletion of the archive and execution of the extracted binary, and credential access against LSASS. Organizations should patch edge appliances promptly, enforce least privilege, alert on those staging behaviors, and keep offline backups.
FROM THE MEDIA: Cybersecurity researchers have discovered a new ransomware strain, CACTUS, that exploits known flaws in VPN devices to gain initial access to target networks. The ransomware, which has been used against large commercial entities, follows a double-extortion model and steals sensitive data before encryption, although no data leak site has been identified yet. The attackers create new user accounts and use custom scripts to deploy and detonate the encryptor through scheduled tasks. CACTUS also employs Cobalt Strike and the tunneling tool Chisel for command-and-control, remote monitoring and management (RMM) software such as AnyDesk, and PowerShell commands for network scanning and for encrypting machines. It disables and uninstalls security solutions and extracts credentials from web browsers and from the Local Security Authority Subsystem Service (LSASS) for privilege escalation, lateral movement, and data exfiltration. One distinctive feature is a batch script that extracts the ransomware binary with 7-Zip, deletes the .7z archive, and then executes the payload, leaving fewer artifacts on disk for detection.
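The staging steps described above (new accounts, scheduled tasks, and the extract-delete-execute sequence around the 7-Zip archive) are all visible in process-creation telemetry. The following is an added example of detection logic over such telemetry; it is not from the CACTUS report or any vendor's rule set. The key=value log format is a constructed, simplified rendering of Sysmon event 1 style data, the sample lines, hostnames and paths are constructed, and the 120-second correlation window (STAGE_WINDOW) is an assumption.

```python
"""Detect the CACTUS-style staging sequence: a new local account, a scheduled
task, and a 7-Zip extraction followed shortly by deletion of the .7z and
execution of a binary from the extraction directory.

Added example; constructed log format and sample events, not vendor rules."""
import ntpath
import re
from datetime import datetime, timedelta

# Constructed process-creation events. Host FS01 shows the staging pattern;
# WS07 is a benign extraction that must not fire.
SAMPLE_EVENTS = r'''
2023-05-05T02:10:00Z host=FS01 pid=500 ppid=400 image="C:\Windows\System32\net.exe" cmdline="net user svc_backup Passw0rd! /add"
2023-05-05T02:11:00Z host=FS01 pid=510 ppid=400 image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /tn Updater /tr C:\ProgramData\run.bat /sc once /st 02:15"
2023-05-05T02:15:01Z host=FS01 pid=600 ppid=590 image="C:\ProgramData\7z.exe" cmdline="7z.exe x C:\ProgramData\pkg.7z -oC:\ProgramData"
2023-05-05T02:15:03Z host=FS01 pid=601 ppid=590 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c del C:\ProgramData\pkg.7z"
2023-05-05T02:15:04Z host=FS01 pid=602 ppid=590 image="C:\ProgramData\loader.exe" cmdline="C:\ProgramData\loader.exe"
2023-05-05T02:20:00Z host=WS07 pid=700 ppid=690 image="C:\Tools\7z.exe" cmdline="7z.exe x C:\Users\bob\Downloads\report.7z -oC:\Users\bob\Downloads"
'''.strip().splitlines()

LINE_RE = re.compile(
    r'^(\S+) host=(\S+) pid=(\d+) ppid=(\d+) image="([^"]*)" cmdline="([^"]*)"$'
)
STAGE_WINDOW = timedelta(seconds=120)   # assumption: extract, delete, run within 2 minutes


def parse(lines) -> list:
    """Parse the constructed key=value lines into event dicts, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the constructed format
        ts, host, pid, ppid, image, cmdline = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "pid": int(pid), "ppid": int(ppid),
            "image": image, "image_name": ntpath.basename(image).lower(),
            "cmdline": cmdline,
        })
    return sorted(events, key=lambda e: e["ts"])


def rule_account_created(ev) -> bool:
    """net.exe/net1.exe `user <name> <pw> /add`: the new accounts the report describes."""
    cl = ev["cmdline"].lower()
    return ev["image_name"] in ("net.exe", "net1.exe") and " user " in cl and "/add" in cl


def rule_scheduled_task(ev) -> bool:
    """schtasks /create: the mechanism used to detonate the encryptor."""
    return ev["image_name"] == "schtasks.exe" and "/create" in ev["cmdline"].lower()


def _archive_and_outdir(cmdline):
    """From a 7z extract command, return (archive path, output dir), lower-cased."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[1].lower() not in ("x", "e"):
        return None, None
    archive = next((t for t in tokens if t.lower().endswith(".7z")), None)
    if archive is None:
        return None, None
    outdir = next((t[2:] for t in tokens if t.lower().startswith("-o")),
                  ntpath.dirname(archive))
    return archive.lower(), outdir.lower().rstrip("\\")


def rule_extract_delete_execute(ev, events) -> bool:
    """7z.exe extracts an archive, then within STAGE_WINDOW on the same host the
    archive is deleted and a binary runs from the extraction directory."""
    if ev["image_name"] != "7z.exe":
        return False
    archive, outdir = _archive_and_outdir(ev["cmdline"])
    if archive is None:
        return False
    later = [e for e in events
             if e["host"] == ev["host"] and ev["ts"] < e["ts"] <= ev["ts"] + STAGE_WINDOW]
    deleted = any(archive in e["cmdline"].lower()
                  and re.search(r"\b(del|erase|rm|remove-item)\b", e["cmdline"].lower())
                  for e in later)
    executed = any(ntpath.dirname(e["image"].lower()) == outdir and e["image_name"] != "7z.exe"
                   for e in later)
    return deleted and executed


def detect(lines) -> list:
    """Return (rule, host, timestamp) triples for every rule hit."""
    events = parse(lines)
    findings = []
    for ev in events:
        if rule_account_created(ev):
            findings.append(("account_created", ev["host"], ev["ts"].isoformat()))
        if rule_scheduled_task(ev):
            findings.append(("scheduled_task", ev["host"], ev["ts"].isoformat()))
        if rule_extract_delete_execute(ev, events):
            findings.append(("archive_extract_delete_execute", ev["host"], ev["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The account and scheduled-task rules are noisy on their own; the value is in the extract-delete-execute correlation, which a plain 7-Zip extraction (WS07 above) does not trigger. LSASS credential access and the removal of security tools need other telemetry (process-access events and service or uninstall events) and are deliberately not modeled here.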
READ THE STORY: THN
After High-Level Meeting, China Urges US to 'Correct' Itself
Analyst Comments: The meeting between the U.S. and China was one of the first high-level meetings in several months and was seen by some as a positive step, even though Chinese Foreign Minister Qin Gang criticized the U.S. for its ongoing efforts to suppress China. Despite Qin's comments, some saw the meeting as a potential thaw in relations between the two countries. The meeting comes ahead of new U.S. guidelines that will restrict the investments U.S. firms can make in China. The guidelines are part of a broader administration plan to insulate the U.S. from China without fully breaking ties, a process that White House national security adviser Jake Sullivan in a recent speech referred to as "de-risking" rather than the more commonly used term "decoupling."
FROM THE MEDIA: Chinese Foreign Minister Qin Gang met with U.S. Ambassador Nicholas Burns in Beijing and criticized the U.S. for its ongoing effort to "suppress" China, saying that improved communication will depend on the U.S. changing its policies. Qin said that U.S.-China relations have worsened since a meeting between President Joe Biden and Chinese leader Xi Jinping in November, adding that a series of erroneous words and deeds by the U.S. since then have undermined the hard-won positive momentum of Sino-U.S. relations. Burns was more reticent about the talks, but some viewed the meeting as a positive step. The Chinese Foreign Ministry readout of the meeting depicted Qin as sharply critical of the U.S., urging Washington to "correct its understanding of China" and to "return to rationality." Qin criticized U.S. policy toward Taiwan, the self-governing island that China claims as its own, saying that any future talks should be based on "mutual respect, reciprocity, and mutual benefit."
READ THE STORY: VOA
Items of interest
Iranian state-sponsored hackers exploiting printer vulnerability
Analyst Comments: The exploitation of this vulnerability by Iranian hacking groups is not surprising, given that they have previously targeted US critical infrastructure, as reported by Microsoft two weeks ago. The increased aggression of Iranian threat actors has also been tied to other moves by the Iranian regime, suggesting such groups are less constrained in their operations.
FROM THE MEDIA: Two Iranian hacking groups, known as Mint Sandstorm and Mango Sandstorm, are exploiting a vulnerability in PaperCut print management software, according to Microsoft. The company urged organizations to install patches for CVE-2023-27350 after several ransomware groups, including Clop and LockBit, were found exploiting the bug. The vulnerability allows unauthenticated remote code execution on the PaperCut server, which attackers have used to access victim systems and extract sensitive data. Microsoft said that once proof-of-concept (PoC) exploits were released publicly, the Iranian groups added the bug to their toolset. The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-27350 to its Known Exploited Vulnerabilities catalog, giving federal civilian agencies until May 12 to install the patch.
READ THE STORY: The Record
The Stuxnet Story: What REALLY Happened at Natanz (Video)
FROM THE MEDIA: The video recounts the history of Stuxnet, which it presents as the first cyber weapon built to physically damage a military target. It describes how Iran's difficulties in developing its nuclear program led to the installation of the Cascade Protection System at the Natanz fuel enrichment plant, and how that system exposed the plant to attack. Stuxnet infected Windows PCs and from there reached the Siemens programmable logic controllers (PLCs) that regulated the centrifuges, causing them to malfunction. The piece also covers the development of cyber warfare and argues that claims about a growing threat of cyberattacks are exaggerated.
Selling 0-Days to Governments and Offensive Security Companies (Video)
FROM THE MEDIA: The speaker discusses the process of selling zero-day vulnerabilities to governments and offensive security companies, drawing on experience as a vulnerability broker and as founder of a company that sells into these markets. The speaker explains the difficulty of finding high-end vulnerabilities, how the zero-day industry has changed over the past five years, becoming more open with more players involved, which products are in demand, and how supply and demand set vulnerability prices.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.