Daily Drop (497): US ISR Spot China's WZ-8 Drone, Canada, US Explore Latin America and Africa, Russia's Cyber Gulag, Russian Wagner Group, China APT, China-US Tensions: Fishing Fleet, AT&T Warning
05-23-2023
Tuesday, May 23, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
German arms company Rheinmetall confirms Black Basta ransomware group behind the cyberattack
Analyst Comments: The cyberattack on Rheinmetall by the Black Basta ransomware group highlights the growing threat of ransomware attacks targeting critical industries and infrastructure. The incident's coincidence with reports of Rheinmetall's involvement in constructing a tank factory in Ukraine raises concerns about the potential motives behind the attack. Rheinmetall's military contracts and its supply of ammunition and equipment to Ukraine make it an attractive target for cybercriminals seeking to disrupt military operations or gain leverage in geopolitical conflicts. The incident underscores the importance of robust cybersecurity measures for companies operating in sensitive sectors and the need for increased vigilance to defend against evolving cyber threats.
FROM THE MEDIA: German automotive and arms manufacturer Rheinmetall has confirmed that it was targeted in a cyberattack by the Black Basta ransomware group. The attack, detected on April 14, affected Rheinmetall's civilian business operations, which are conducted on separate IT infrastructure from its military business. Rheinmetall's military business has played a significant role in supporting the Ukrainian armed forces with ammunition and reconnaissance systems in the ongoing conflict in Ukraine. The company has reported the incident to the relevant authorities and filed a criminal complaint.
READ THE STORY: The Record
"Redefining Dependencies: Canada, US, and the China Challenge - Exploring Exploitation of Latin America and Africa"
Analyst Comments: Canada's emphasis on critical minerals reflects the growing importance of these resources for the transition to a green and digital economy. The strategy aligns with global trends and the increasing demand for batteries and other clean energy technologies. However, the pursuit of critical minerals should be accompanied by robust environmental and social safeguards, respect for indigenous rights, and responsible mining practices. The expansion of mining operations, particularly in the Global South, can lead to conflicts over land, resources, and human rights. It is essential for Canada and other countries to ensure that their mineral extraction activities are sustainable, respectful of local communities, and contribute to the long-term well-being of the regions involved.
FROM THE MEDIA: Canada is prioritizing the exploration and extraction of critical minerals, including cobalt, gallium, lithium, nickel, rare earth elements, and zinc, as part of its first-ever Critical Minerals Strategy. The strategy aims to secure and expand access to these minerals, which are crucial for the green and digital economy. The global demand for batteries, in particular, is expected to increase significantly, driving the need for critical minerals. Canada attracts a significant amount of mineral exploration investment and has a high number of active lithium projects. The country's focus on critical minerals is also influenced by geopolitical factors, including reducing dependency on China and deepening collaboration with the US.
READ THE STORY: Canadian Dimension
Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
Analyst Comments: The activities of the Bad Magic hacker group demonstrate the persistent and evolving nature of cyber threats in the context of the Russo-Ukrainian conflict. The group's use of sophisticated techniques and its ability to adapt its toolset indicate a high level of expertise and resources. Organizations in the conflict area and those with interests related to the region should be vigilant and take appropriate measures to enhance their cybersecurity defenses.
FROM THE MEDIA: A hacker group known as Bad Magic or Red Stinger has been linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area. The group has been active since at least 2016 and has recently expanded its targets to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine. Bad Magic uses a modular framework called CloudWizard, which allows it to conduct various malicious activities such as taking screenshots, recording microphones, logging keystrokes, and harvesting Gmail inboxes. The group's activities are primarily focused on cyber espionage, and it has continuously evolved its toolset over the years. The ongoing Russo-Ukrainian conflict is expected to fuel the group's operations in the future.
READ THE STORY: THN
The cyber gulag: How Russia tracks, censors, and controls its citizens
Analyst Comments: The Russian government's increasing use of digital technology for surveillance and control represents a significant threat to privacy and freedom of expression. The implementation of AI systems and facial recognition cameras, coupled with online censorship and prosecutions, creates a climate of fear and self-censorship among citizens. The government's plans to expand digital surveillance and its use of online platforms for military summonses further exacerbate concerns about privacy and government control.
FROM THE MEDIA: Russia under President Vladimir Putin has increasingly harnessed digital technology for surveillance and control, leading to concerns about a "cyber gulag" where citizens are monitored and censored. The government has implemented measures to tighten internet controls, including blocking websites, storing call records and messages, and pressuring companies to store user data on Russian servers. Online censorship and prosecutions have spiked, with hundreds of thousands of web pages blocked and individuals facing criminal charges over social media posts and comments. The government has also introduced artificial intelligence systems to monitor online content and plans to use online platforms for military summonses. Surveillance cameras with facial recognition technology have been used to track and detain activists, and the government aims to expand their use nationwide. Experts warn that Russia is building a system of total digital surveillance, coercion, and punishment, resembling a "cyber gulag."
READ THE STORY: ABC NEWS
AT&T warns T-Mobile US, Starlink may disrupt terrestrial cellphones
Analyst Comments: AT&T's petition to block T-Mobile's satellite service appears to be driven by concerns about potential interference with its own network services. The company emphasizes the importance of protecting terrestrial networks, highlighting the essential role of wireless connectivity for various services. AT&T's proposal for a waiver-based approach could reflect its desire for consistent regulatory requirements and oversight. While the motivations behind the petition may include competitive considerations, the concerns raised by AT&T regarding interference and network protection are legitimate. The FCC will need to carefully evaluate the potential impact on existing services and ensure fair and consistent regulations for satellite-based mobile phone services.
FROM THE MEDIA: AT&T has submitted a petition to the US FCC to block T-Mobile US from launching its planned satellite-based mobile phone service in partnership with SpaceX's Starlink. AT&T argues that the service could disrupt existing terrestrial wireless services and calls for the protection of these networks. The company suggests a waiver-based approach that grants the FCC's Wireless Telecommunications Bureau sole authority to authorize satellite-based services.
READ THE STORY: The Register
Russian Wagner Group Sets Sights on Mali as Potential Route for War Supplies, Claims US
Analyst Comments: The allegations that Wagner is attempting to obtain military equipment and transit it through Mali highlight the mercenary force's ongoing involvement in conflicts and its reliance on international networks to support its operations. The US and other Western countries have been increasingly targeting Wagner with sanctions for its role in conflicts and human rights abuses. The accusation of using false paperwork to ship military supplies adds to concerns about Wagner's illicit activities and raises questions about the effectiveness of international controls on arms transfers. The involvement of Wagner in Mali and the allegations of war crimes and crimes against humanity underscore the need for accountability and justice for the victims. The actions of Wagner and its attempts to evade scrutiny demonstrate the challenges of addressing the activities of private military and security companies in conflicts around the world.
FROM THE MEDIA: The private mercenary force Wagner, which is fighting alongside Russian troops in Ukraine, is attempting to hide its efforts to obtain military equipment internationally for use in the conflict, according to the US State Department. Wagner is allegedly seeking to transit military supplies through Mali, using false paperwork for the transactions. The US has imposed sanctions on individuals and entities supporting Wagner's military operations and is monitoring the situation closely. The French parliament recently adopted a resolution calling on the EU to declare Wagner a "terror group," and the UN has accused Wagner and Malian troops of committing war crimes and crimes against humanity in Mali.
READ THE STORY: Aljazeera // Reuters
Chinese state-sponsored attack uses custom router implant to target European governments
Analyst Comments: The activities of Camaro Dragon highlight the ongoing threat posed by state-sponsored APT groups and their ability to compromise routers for malicious purposes. Organizations should prioritize the security of their network infrastructure, including routers, by implementing strong access controls, regularly updating firmware, and monitoring for anomalous activity. The overlap between Camaro Dragon and Mustang Panda suggests a complex threat landscape with multiple threat actors sharing tools and infrastructure. This underscores the need for robust cybersecurity measures and intelligence sharing to effectively defend against these sophisticated adversaries.
FROM THE MEDIA: Check Point Research has released a report detailing the activities of a Chinese state-sponsored APT threat actor called Camaro Dragon. The group uses a custom implant to compromise TP-Link routers, allowing it to steal information and gain backdoor access. The researchers discovered modified firmware images for TP-Link WR940 routers that contained the malicious implant. The implant, named Horse Shell, runs in the background as a daemon and provides functionalities such as remote shell, file transfer, and tunneling. The malware communicates with its command-and-control server using the HTTP protocol on port 80, encrypting the content with a custom encryption scheme. Camaro Dragon shows significant overlaps with another Chinese state-sponsored APT group called Mustang Panda.
READ THE STORY: TechRepublic
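The analyst comment above recommends monitoring routers for anomalous activity. One concrete, defender-side way to do that for the traffic shape described (a daemon on the router talking to its C2 over plain HTTP on port 80) is to take flow records from the edge and look for router-originated, regularly spaced HTTP connections to hosts that are not on a vendor allowlist. The following is an added example written for this note, not code from the Check Point report or from TP-Link: the flow lines, router address, allowlisted vendor host, internal ranges and jitter threshold are all constructed assumptions.

```python
"""Constructed NetFlow-style records scanned for router-originated, periodic
plain-HTTP traffic to hosts outside a vendor allowlist. Added example for this
note; not code from the Check Point report or from the router vendor."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample. Router 192.168.1.1 beacons to 198.51.100.7 every 60 s,
# makes a few irregular requests to 198.51.100.99, fetches from the
# (constructed) vendor host 192.0.2.50, and a LAN client browses normally.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,proto,bytes
2023-05-22T10:00:00Z,192.168.1.1,198.51.100.7,80,tcp,412
2023-05-22T10:00:05Z,192.168.1.20,93.184.216.34,443,tcp,18234
2023-05-22T10:00:10Z,192.168.1.1,198.51.100.99,80,tcp,300
2023-05-22T10:00:12Z,192.168.1.1,198.51.100.99,80,tcp,310
2023-05-22T10:01:00Z,192.168.1.1,198.51.100.7,80,tcp,418
2023-05-22T10:01:30Z,192.168.1.1,192.0.2.50,80,tcp,9021
2023-05-22T10:02:00Z,192.168.1.1,198.51.100.7,80,tcp,410
2023-05-22T10:02:10Z,192.168.1.20,198.51.100.7,80,tcp,300
2023-05-22T10:02:50Z,192.168.1.1,198.51.100.99,80,tcp,305
2023-05-22T10:03:00Z,192.168.1.1,198.51.100.7,80,tcp,415
2023-05-22T10:03:20Z,192.168.1.1,192.168.1.20,80,tcp,500
"""

ROUTER_IPS = {"192.168.1.1"}      # management addresses of the edge devices being watched (assumed)
ALLOWED_HOSTS = {"192.0.2.50"}    # constructed vendor firmware/NTP/update endpoints
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {80}              # plain HTTP, the channel the implant is reported to use


def parse_flows(text):
    """Turn the CSV export into dicts with parsed timestamps and integer fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": row["src_ip"], "dst": row["dst_ip"],
            "dport": int(row["dst_port"]), "bytes": int(row["bytes"]),
        })
    return rows


def find_router_beacons(text, router_ips=ROUTER_IPS, allowed=ALLOWED_HOSTS,
                        min_flows=3, max_jitter_ratio=0.2):
    """Group router->external HTTP flows per destination and score their regularity.

    A pair is reported once it has min_flows flows; it is marked periodic when the
    standard deviation of the inter-flow gaps is small relative to the mean gap
    (the 0.2 ratio is an assumed threshold, tune it to your own baseline).
    """
    by_pair = defaultdict(list)
    for f in parse_flows(text):
        if f["src"] not in router_ips or f["dport"] not in WATCHED_PORTS:
            continue
        dst = ip_address(f["dst"])
        if f["dst"] in allowed or any(dst in net for net in INTERNAL_NETS):
            continue
        by_pair[(f["src"], f["dst"])].append(f)

    findings = []
    for (src, dst), flows in sorted(by_pair.items()):
        if len(flows) < min_flows:
            continue
        flows.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(flows, flows[1:])]
        avg_gap, jitter = mean(gaps), pstdev(gaps)
        findings.append({
            "src": src, "dst": dst, "count": len(flows),
            "mean_interval_s": avg_gap, "jitter_s": jitter,
            "avg_bytes": sum(f["bytes"] for f in flows) / len(flows),
            "periodic": jitter <= max_jitter_ratio * avg_gap,
        })
    return findings


if __name__ == "__main__":
    for hit in find_router_beacons(SAMPLE_FLOWS):
        flag = "PERIODIC" if hit["periodic"] else "irregular"
        print(f"{hit['src']} -> {hit['dst']}:80  {hit['count']} flows, "
              f"every {hit['mean_interval_s']:.0f}s (+/-{hit['jitter_s']:.0f}s)  [{flag}]")
```

On the constructed sample the router's 60-second cadence to 198.51.100.7 is reported as periodic, the irregular requests to 198.51.100.99 are reported but not flagged as periodic, the vendor host is skipped by the allowlist, and router-to-LAN traffic is skipped as internal. Because the implant encrypts its payload with a custom scheme, content inspection is unlikely to help; timing and destination are the signals a network defender still controls.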
Escalating Tensions Between China and US Linked to Involvement of Chinese Fishing Fleet
Analyst Comments: China's fishing fleet has become a contentious issue in US-China relations, with the US viewing it as a threat to national security and global fisheries. The allegations of illegal fishing, labor abuses, and the fleet's dual-use nature as a maritime militia raise concerns about its impact on marine ecosystems, coastal communities, and regional stability. The US and its allies are taking measures to counter China's fishing activities, but it remains to be seen whether these actions will effectively address the problem. As the world's worst offender for illegal fishing, China's practices have significant implications for transnational crime and the sustainability of global fish stocks.
FROM THE MEDIA: China's vast fishing fleet, the largest in the world, is becoming a major point of tension between the US and China. The US considers illegal, unreported, and unregulated (IUU) fishing by Chinese vessels a national security concern. The Chinese fleet has been accused of depleting fish stocks globally, engaging in environmental and labor abuses, and operating as a maritime militia that supports China's navy and coastguard. China denies these allegations and claims to be a responsible player in distant-water fisheries. The US, along with Japan, Australia, and India, has taken steps to combat China's illegal fishing activities, including imposing financial sanctions on Chinese fishing companies. The presence of China's maritime militia and its territorial disputes in the South China Sea raises the risk of clashes with other nations' navies and coastguards. NGOs have also raised concerns about labor and environmental abuses by the Chinese fleet, particularly in the Pacific Ocean, West Africa, and the Antarctic region.
READ THE STORY: FT
Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations
Analyst Comments: The emergence of GUI-vil highlights the evolving nature of crypto-mining threats and the exploitation of cloud services for illicit activities. The group's use of GUI tools and its focus on AWS EC2 instances demonstrate the adaptability and agility of threat actors in leveraging legitimate cloud services for malicious purposes. Organizations hosting cloud environments should prioritize implementing strong access controls, regularly monitoring and auditing cloud resources, and employing security measures to detect and prevent unauthorized activities.
FROM THE MEDIA: A financially motivated threat actor known as GUI-vil, of Indonesian origin, has been identified using Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for illicit cryptocurrency mining operations. GUI-vil demonstrates a preference for GUI tools, particularly S3 Browser, to gain initial access and conduct operations through the AWS web console. The group leverages publicly exposed source code repositories on GitHub and vulnerable GitLab instances to obtain AWS keys for ingress, followed by privilege escalation and reconnaissance to identify accessible S3 buckets and services. GUI-vil employs tactics such as creating new user identities and access keys or adding login profiles to existing users to blend in and persist within victim environments. The threat actor's primary objective is financially driven, aiming to create EC2 instances for cryptocurrency mining, resulting in expenses for victim organizations hosting the instances.
READ THE STORY: THN
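The chain described above (a leaked long-term key driven from a GUI client, reconnaissance, new users, keys and login profiles for persistence, then EC2 launches) leaves a recognisable trail in CloudTrail, and the analyst comment's advice to audit cloud resources is most useful when it is turned into a concrete check. The following is an added example written for this note, not an AWS-provided detection and not derived from any real GUI-vil artifact. It assumes trimmed CloudTrail records with placeholder identifiers; the "S3 Browser/..." user-agent string is an assumption (the report names the tool, not its user agent), and the instance-size thresholds are chosen for the sample. The AKIA/ASIA key prefixes are AWS's documented convention for long-term and temporary keys.

```python
"""Constructed CloudTrail-style records scanned for: a long-term access key
used from a hand-driven client, reconnaissance, identity/credential creation
for persistence, and a large EC2 launch. Added example for this note; not an
AWS-provided detection and not tied to any real GUI-vil artifact."""
import json

# Actions that create a new way into the account.
PERSISTENCE_EVENTS = {
    "CreateUser": "new IAM user created",
    "CreateAccessKey": "new long-term access key issued",
    "CreateLoginProfile": "console password added to an existing user",
}
# Early-stage calls that are only interesting when made with an interactive long-term key.
RECON_EVENTS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "DescribeInstances"}
COMPUTE_EVENTS = {"RunInstances"}
LONG_TERM_KEY_PREFIX = "AKIA"      # AWS long-term keys; temporary session keys start with ASIA
# Agents of AWS's own tooling; any other agent paired with a long-term key is treated as hand-driven.
SDK_AGENTS = ("aws-cli/", "aws-sdk-", "Boto3/")
# Sizing hints for a mining-style launch; both thresholds are assumptions for the sample.
LARGE_INSTANCE_HINT, MANY_INSTANCES = "xlarge", 4


def _ev(time, name, source, user, key, agent, ip, params=None):
    """Build a trimmed CloudTrail record containing only the fields the scan reads."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "sourceIPAddress": ip, "userAgent": agent, "requestParameters": params or {}}


# Constructed sample with placeholder identifiers. GUI is an assumed user-agent string.
GUI = "S3 Browser/11.1 (assumed user-agent)"
SAMPLE_LOG = json.dumps({"Records": [
    _ev("2023-05-20T02:10:01Z", "GetCallerIdentity", "sts.amazonaws.com", "ci-deploy", "AKIAEXAMPLE00000001", GUI, "203.0.113.10"),
    _ev("2023-05-20T02:10:07Z", "ListBuckets", "s3.amazonaws.com", "ci-deploy", "AKIAEXAMPLE00000001", GUI, "203.0.113.10"),
    _ev("2023-05-20T02:14:30Z", "CreateUser", "iam.amazonaws.com", "ci-deploy", "AKIAEXAMPLE00000001", GUI, "203.0.113.10", {"userName": "backup-svc"}),
    _ev("2023-05-20T02:14:55Z", "CreateAccessKey", "iam.amazonaws.com", "ci-deploy", "AKIAEXAMPLE00000001", GUI, "203.0.113.10", {"userName": "backup-svc"}),
    _ev("2023-05-20T02:15:40Z", "CreateLoginProfile", "iam.amazonaws.com", "ci-deploy", "AKIAEXAMPLE00000001", GUI, "203.0.113.10", {"userName": "ci-deploy"}),
    _ev("2023-05-20T02:31:12Z", "RunInstances", "ec2.amazonaws.com", "backup-svc", "ASIAEXAMPLE00000002", "console.ec2.amazonaws.com", "203.0.113.10",
        {"instanceType": "c5.24xlarge", "instancesSet": {"items": [{"minCount": 10, "maxCount": 10}]}}),
    _ev("2023-05-20T09:00:00Z", "PutObject", "s3.amazonaws.com", "ci-deploy", "AKIAEXAMPLE00000001", "aws-cli/2.11.0", "10.0.5.4"),
]})


def scan(cloudtrail_json):
    """Return one finding per suspicious record, with a severity and the reason it fired."""
    findings = []
    for r in json.loads(cloudtrail_json)["Records"]:
        key, agent, name = r["userIdentity"].get("accessKeyId", ""), r.get("userAgent", ""), r["eventName"]
        actor = r["userIdentity"].get("userName", "?")
        interactive_key = key.startswith(LONG_TERM_KEY_PREFIX) and not agent.startswith(SDK_AGENTS)
        if name in PERSISTENCE_EVENTS:
            findings.append({"time": r["eventTime"], "event": name, "actor": actor,
                             "target": r["requestParameters"].get("userName", actor),
                             "severity": "high" if interactive_key else "medium",
                             "reason": PERSISTENCE_EVENTS[name] + (" via hand-driven client" if interactive_key else "")})
        elif name in COMPUTE_EVENTS:
            p = r["requestParameters"]
            itype = p.get("instanceType", "?")
            count = max((i.get("maxCount", 1) for i in p.get("instancesSet", {}).get("items", [])), default=1)
            big = LARGE_INSTANCE_HINT in itype or count >= MANY_INSTANCES
            findings.append({"time": r["eventTime"], "event": name, "actor": actor, "target": itype,
                             "severity": "high" if big else "low",
                             "reason": f"{count} x {itype} launched from {agent}"})
        elif name in RECON_EVENTS and interactive_key:
            findings.append({"time": r["eventTime"], "event": name, "actor": actor, "target": "-",
                             "severity": "low",
                             "reason": f"long-term key used from {agent} at {r['sourceIPAddress']}"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['time']} {f['event']:<18} by {f['actor']:<10} -> {f['target']}: {f['reason']}")
```

On the sample, the two reconnaissance calls from the GUI client fire as low-severity context, the three identity changes fire as high because they were made with a long-term key from a non-SDK client, and the ten-instance `c5.24xlarge` launch fires as high on size; the routine `PutObject` from the CLI is ignored. Run against a real trail, the same `scan` function works on the `Records` array of any CloudTrail log file, and the low-severity recon hits are what let an analyst tie a later `RunInstances` back to the key that was originally leaked.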