Daily Drop (485): Dragos Ransomware Attempt Fail, Italy Exit BRI, China Ecuador Trade, New Zero-Click Vul, Rockwell Probe, CryptoJacking Botnet, South African Copper Gang
05-11-2023
Thursday, May 11, 2023 // (IG): BB // Cloak & Dagger // Coffee for Bob
Hackers attempt to extort Dragos and its executives in a suspected ransomware attempt
Analyst Comments: The attempted breach of Dragos, a leading industrial cybersecurity firm, highlights the ongoing threat to cybersecurity companies and their role in protecting critical infrastructure. Despite the hackers' unsuccessful attempts to launch ransomware or access sensitive systems, the incident underscores the importance of robust security controls and proactive measures in defending against cyberattacks. Dragos' transparent response to the incident sets a positive example for other organizations facing similar security concerns. The attackers' attempt to target executives and their families demonstrates the persistence and evolving tactics of cybercriminals.
FROM THE MEDIA: Dragos, a prominent industrial cybersecurity firm, disclosed an unsuccessful hacking attempt targeting the company's executives and their family members. The attack aimed to launch ransomware but was prevented by Dragos' layered security controls. Although the hackers gained access to a new sales employee's personal email address, no corporate systems or products were breached. The attackers pilfered general data from the employee's email account, including Microsoft SharePoint data, intelligence reports, and customer support systems. Dragos confirmed that the incident is contained but noted the regrettable loss of data that may be made public due to their decision not to pay the extortion demands. The hackers also attempted to infiltrate other parts of Dragos' infrastructure but were unsuccessful. Dragos responded to the incident with transparency, generating praise from experts for their handling of the situation.
READ THE STORY: Cyberscoop
China deepens ties in Latin America with Ecuador's free trade agreement
Analyst Comments: The signing of a free trade agreement between Ecuador and China signifies the deepening economic ties between the two countries and reinforces China's influence in Latin America. The deal is a setback for the US, which has sought to counter China's growing presence in the region. Ecuador's reliance on Chinese financing and its increasing exports to China demonstrate the importance of the Chinese market for the country's economic growth. The agreement could potentially provide Ecuador with new opportunities for diversification and expansion in agricultural and agro-industrial sectors. However, the deal's fate remains uncertain, given the potential impeachment of President Lasso and the need for legislative approval. Ecuador's pursuit of both a free trade agreement with China and the US reflects its strategy of balancing relationships with major powers to maximize economic benefits.
FROM THE MEDIA: Ecuador and China have signed a free trade agreement, strengthening their economic ties and frustrating US efforts to counter China's influence in the region. The deal is expected to boost Ecuador's non-oil exports by $3-4 billion over the next decade. China has become Ecuador's largest non-oil trade partner and a major source of financing, supporting infrastructure and energy projects in the country. The agreement provides preferential access to the Chinese market for 99% of Ecuador's exports, particularly agricultural and agro-industrial products. However, the deal may face resistance as it needs to be ratified by Ecuador's national assembly, and President Guillermo Lasso is facing possible impeachment. China's growing financial partnership with Ecuador has given Beijing increased political leverage, as it has provided significant loans and investments in recent years.
READ THE STORY: FT
Ukraine war drives rising concern about nation-state hackers, survey says
Analyst Comments: SolarWinds' cybersecurity survey highlights the increasing concerns among IT professionals regarding cyber threats from foreign governments. The shift from physical to digital battlegrounds has led to a rise in nation-state-sponsored cyberattacks, including espionage campaigns and ransomware attacks. SolarWinds' own experience with a high-profile hack has emphasized the need for enhanced security measures and cross-industry collaboration to address such threats. The survey underscores the importance of prioritizing cybersecurity, investing in robust defense mechanisms, and sharing best practices across the industry to mitigate risks associated with government-led cyberattacks.
FROM THE MEDIA: According to SolarWinds' annual cybersecurity survey, foreign governments are the top concern among federal, state, local, and education agency IT professionals. In 2023, 60% of respondents named "foreign governments" as one of the greatest threats, a significant increase from 41% in 2021. This surpasses concerns about "careless/untrained insiders" at 58%. The survey distinguishes between breaches caused by insider incompetence and those caused by malicious insiders actively seeking harm. Among federal respondents, 63% considered foreign governments a significant threat. The shift towards the digital battleground and the increase in nation-state-sponsored cyberattacks, including espionage campaigns, ransomware, and spyware, are driving this anxiety. SolarWinds itself experienced a high-profile hack in 2020, which exposed the risks posed by government-led attacks.
READ THE STORY: Breaking Defense
Rockwell Automation faces U.S. government probe over China ops
Analyst Comments: The investigation into Rockwell Automation's China-based facility highlights concerns over potential risks to U.S. infrastructure and government assets. The focus on employees with access to software code suggests scrutiny of insider threats and potential vulnerabilities. As critical infrastructure and sensitive government systems are at stake, such investigations are crucial to assess and mitigate potential cyber risks. The outcome of the investigation will determine whether further actions, such as enhanced security measures or potential restrictions, will be necessary.
FROM THE MEDIA: The U.S. government is reportedly investigating whether Rockwell Automation, a U.S. company, is potentially exposing critical infrastructure, military assets, and other government systems to cyber attacks through one of its facilities in Dalian, China. The investigation will focus on employees who may have access to software code that connects with computer systems at the Dalian facility. Rockwell Automation has stated that it has not been notified of any investigations regarding its China operations and that there have been no indications of breaches or intentional compromises of its products. The company sells factory automation and robotics control software, serving industries such as the aerospace, marine, and automotive sectors.
READ THE STORY: Reuters
Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
Analyst Comments: The disclosed vulnerability highlights the ongoing challenges in software security and the need for continuous monitoring and patching. The ability to bypass integrity protections and steal NTLM credentials without user interaction underscores the severity of the flaw. It is crucial for organizations and individuals to promptly apply the necessary security updates to mitigate the risk of exploitation.
FROM THE MEDIA: Researchers have disclosed a security flaw in the MSHTML platform of Windows that could be exploited to bypass integrity protections on targeted machines. Tracked as CVE-2023-29324, the vulnerability allows an unauthenticated attacker to coerce an Outlook client into connecting to an attacker-controlled server, resulting in the theft of NTLM credentials. The flaw is classified as a security feature bypass and affects all versions of Windows, except for Exchange servers with the March update. It is worth noting that CVE-2023-29324 is a bypass of a previous fix (CVE-2023-23397) that Microsoft shipped in March 2023 to address a critical privilege escalation flaw in Outlook. Microsoft has released patches for this vulnerability as part of its May 2023 Patch Tuesday updates and recommends installing the Internet Explorer cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine.
READ THE STORY: THN
Which Is Worse, Insider Trading or Espionage?
Analyst Comments: The investigation of the due diligence industry in China reflects the government's concerns about the potential misuse of information and involvement in espionage by foreign actors. While these consultancies aim to provide investors with valuable insights, the authorities suspect that they may be facilitating the acquisition of state secrets. The crackdown highlights the need for clarity and transparency in the industry, as well as the challenge of distinguishing between legitimate information gathering and intelligence collection. The lack of clear guidelines and regulations contributes to the uncertainty faced by asset managers and consultants operating in China.
FROM THE MEDIA: The Chinese government is investigating the due diligence industry, which serves asset managers, to determine if it has been exploited by foreign spies. State-owned media outlets have highlighted the investigation of Capvision Pro Corp., an expert-network consulting firm, accusing it of assisting foreign intelligence agencies in obtaining state secrets. The nature of these consultancies is to provide investors with an information edge, linking them with industry experts, including government officials and corporate executives, for a fee. Concerns in China go beyond insider trading, with a focus on potential complicity in espionage. The crackdown has put asset managers and their consultants in a challenging position, as the line between information gathering and intelligence collection becomes blurred.
READ THE STORY: Bloomberg
Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild
Analyst Comments: The emergence of the Greatness phishing-as-a-service tool underscores the accessibility and sophistication of cybercrime tools available to novice hackers. By providing pre-built and advanced phishing features, PaaS platforms like Greatness lower the entry barrier for cybercriminals, enabling them to launch successful phishing campaigns with minimal effort. The focus on targeting companies, particularly in sectors with valuable data and assets, indicates a motive for financial gain rather than espionage. The inclusion of MFA bypass and integration with Telegram bots demonstrates the evolving tactics used by cybercriminals to maximize their success rates.
FROM THE MEDIA: Researchers from Cisco's Talos threat intelligence team have identified a new phishing-as-a-service (PaaS) tool called "Greatness" that allows inexperienced hackers to incorporate advanced features into their cyberattacks. Greatness primarily targets companies, particularly in the manufacturing, healthcare, and technology sectors, by mimicking their Microsoft 365 login pages. The service offers its affiliates various tools, including attachment and link builders, convincing decoy and login pages, multi-factor authentication (MFA) bypass, IP filtering, and integration with Telegram bots for immediate notification of stolen session cookies. The majority of victims are located in the U.S., followed by the U.K., Australia, South Africa, and Canada.
READ THE STORY: The Record
U.S.-South Korea Cyber Cooperation Helps Contain China Regionally
Analyst Comments: The establishment of the Strategic Cybersecurity Cooperation Framework between the United States and South Korea marks a significant step in strengthening their cybersecurity collaboration and countering shared cyber threats. By focusing on addressing the cyber activities of North Korea and China, the partnership sends a clear message about the countries' resolve to protect their interests and enhance their cybersecurity postures. While progress has been made in countering North Korean cybercrime, effectively addressing the Chinese cyber threat may be more challenging due to economic ties and dependencies. However, the framework provides an opportunity for intelligence sharing and collaboration among countries targeted by Chinese cyber actors. The partnership aligns with US efforts to establish cyber alliances with regional allies and expand the Quad's cybersecurity cooperation. Successful implementation and proactive collaboration are essential for influencing China's cyber behavior and mitigating cyber activities by other adversarial states.
FROM THE MEDIA: The United States and South Korea have established a Strategic Cybersecurity Cooperation Framework aimed at enhancing their collaboration in countering cyber adversaries, particularly North Korea and China. The agreement emphasizes developing a culture of cybersecurity, strengthening defensive capabilities, and cooperating on capacity building and critical infrastructure protection. The framework also includes the initiation of a Next Generation Critical and Emerging Technologies Dialogue to expand areas of mutual interest in sectors such as semiconductors and digital and quantum technologies. The partnership is significant as it demonstrates a joint effort by two technologically advanced countries to bolster their cybersecurity postures and address shared threats. The collaboration aims to send a message to North Korea and China, highlighting the resolve to counter their cyber activities. While previous joint efforts against North Korean cybercrime have faced challenges, recent actions, such as US sanctions against individuals supporting North Korean cryptocurrency laundering, indicate progress.
READ THE STORY: OODA Loop
RapperBot Crew Drops DDoS/CryptoJacking Botnet Collab
Analyst Comments: The addition of cryptojacking capabilities to the RapperBot malware demonstrates the ongoing trend of cybercriminals diversifying their attack methods to maximize their financial gains. By combining DDoS attacks with cryptojacking, the threat actors can leverage compromised devices for both disruptive and profitable purposes. This highlights the importance of comprehensive cybersecurity measures that address multiple threat vectors, including securing IoT devices and implementing strong access controls. Organizations and individuals should follow best practices for password security and consider implementing additional authentication methods to protect against RapperBot and similar threats.
FROM THE MEDIA: The RapperBot malware, known for its distributed denial-of-service (DDoS) capabilities, has added a new feature to its arsenal: cryptojacking. The malware, which primarily targets Internet of Things (IoT) devices, has incorporated a customized variant of the XMRig Monero miner to mine cryptocurrency on infected Intel x64 machines. The combination of DDoS and cryptojacking capabilities allows the operators to extract maximum value from compromised machines. The integration of XMRig, a popular Monero miner, aligns with the malware's focus on consumer IoT devices, as Monero is designed to be mined profitably on consumer-grade hardware. The RapperBot malware has continually evolved, and prevention measures include good password hygiene and enabling public key authentication or setting strong passwords for IoT devices connected to the internet.
READ THE STORY: Dark Reading
Italy to hold talks with China about exiting Belt and Road Initiative
Analyst Comments: Italy's consideration of a potential exit from the Belt and Road Initiative highlights the country's desire to balance its international alliances and maintain strong ties with both the US and China. The decision to join the BRI in 2019 raised concerns among Italy's Western allies, and the current government, led by Prime Minister Giorgia Meloni, aims to navigate a diplomatic exit without causing major disruptions. The timeframe for making a decision adds to the pressure on Italy to resolve the issue promptly. The easing of US pressure indicates a certain level of understanding regarding Italy's stance on Ukraine. However, the economic implications of a withdrawal and potential cooling of bilateral relations pose challenges, particularly for Italian businesses that have been eyeing opportunities in the Chinese market. Balancing these factors will require delicate diplomacy and careful consideration of Italy's long-term strategic interests.
FROM THE MEDIA: Italy is considering holding talks with China to discuss the possibility of exiting Beijing's Belt and Road Initiative (BRI) infrastructure investment program. Italy's decision to join the BRI in 2019 drew criticism from the US and the EU. Prime Minister Giorgia Meloni has not yet made a final decision on terminating Italy's participation but is eager to find a way to extricate the country without damaging relations with China. Italy's agreement with the BRI automatically renews in March 2024 unless Rome formally notifies Beijing of its intent to withdraw three months in advance. The clock is ticking for Meloni to resolve this foreign policy challenge and minimize the diplomatic and economic fallout. While US pressure on Italy regarding the BRI has eased recently, concerns remain within Italy's business community about the potential cooling of bilateral relations and the impact on trade. China has expressed the belief that Italy should continue to tap into the potential of BRI cooperation.
READ THE STORY: FT
Life inside the South African gangs risking everything for copper
Analyst Comments: The criminal enterprise has flourished due to a combination of factors, such as rising copper prices, weak law enforcement, and the availability of vulnerable individuals willing to engage in theft for survival or to sustain drug habits. The consequences of copper theft range from power outages and disrupted transportation systems to financial losses for state-owned enterprises and reduced economic growth. The article underscores the need for comprehensive measures to address the problem, including tackling corruption, improving law enforcement, and implementing stricter regulations on the scrap metal trade. Efforts should also focus on addressing the root causes of copper theft, such as poverty and drug addiction, through social welfare programs and rehabilitation initiatives.
FROM THE MEDIA: Copper theft has become a lucrative criminal enterprise in South Africa, with gangs known as izinyoka (snakes) leading the illicit trade. The soaring prices of copper, which reached a 10-year high of $9,000 per tonne in 2021, have attracted international syndicates. The theft of copper infrastructure has caused severe disruptions, including power outages, canceled trains, and reduced hospital operations. The thefts have also impacted the mining industry, a vital sector in South Africa. The criminal syndicates exploit the abundance of valuable metals, lax law enforcement, and the availability of foot soldiers driven by poverty or drug addiction. Despite government efforts to curb the trade, including export restrictions and policing measures, top-level criminals continue to evade enforcement. The consequences of copper theft extend beyond the value of the stolen metal, leading to significant economic and social disruptions.
READ THE STORY: FT