Daily Drop (499): China's 'Volt Typhoon' Hacks US & Guam Infrastructure, Space Force's Space Hacking, AI Prevents Slavery in Automaker Supply Chains, Team America: AI Police, EU: Gas Demand Drop
05-25-2023
Thursday, May 25, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
Chinese State Hacker Group 'Volt Typhoon' Conducts Stealthy Infiltration of U.S. and Guam Critical Infrastructure
Analyst Comments: The activities of Volt Typhoon pose a significant cybersecurity risk to critical infrastructure in Guam and the United States. The group's ability to remain undetected for an extended period indicates advanced capabilities and a focus on long-term access and espionage. By leveraging existing tools and infrastructure, Volt Typhoon can evade traditional detection methods, making it more challenging to identify and mitigate their activities. The targeted sectors, including communications and government agencies, suggest a strategic interest in gathering sensitive information. The joint advisory underscores the need for enhanced cybersecurity measures and threat intelligence sharing among government and private sector entities to counter the ongoing cyber threats posed by state-sponsored actors like Volt Typhoon.
FROM THE MEDIA: China's state-sponsored hacker group, "Volt Typhoon," has been conducting stealthy cyber espionage operations targeting critical infrastructure in Guam and the United States since mid-2021. The group has primarily focused on sectors such as communications, information technology, and government agencies. Volt Typhoon gains initial access through internet-facing Fortinet FortiGuard devices and then extracts credentials to infiltrate other devices on the network. The group employs "living off the land" techniques, using legitimate Windows utilities to evade detection. Microsoft and the Five Eyes intelligence-sharing alliance have issued a joint advisory to raise awareness about the threat.
READ THE STORY: THN // The Record // The New York Times // GovInfoSec
China’s Game in the Arctic: A Tale of Deception
Analyst Comments: China's Arctic ambitions are a part of its broader strategic goals, evidenced by its military-civilian mixing strategy and the PLA's involvement in its Arctic programs. The geopolitical landscape, with the conflict in Ukraine and the potential alignment between Beijing and Moscow, is influencing China's presence in the Arctic, with China seeing Russia as a gateway to the region. Chinese investments in key Russian ports indicate its growing influence in the region, despite past conflicts between the two countries. However, China's expansion in the Arctic is raising concerns among other nations about its intentions and potential implications for global security. Its activities in the Arctic are indicative of its larger ambitions and its blending of civilian and military efforts, which is part of its military-civil fusion strategy.
FROM THE MEDIA: China has been increasing its presence and activities in the Arctic, with its eyes set on becoming a "polar great power" by 2030. It has established two permanent research stations in the Svalbard archipelago of Norway and Iceland and is developing a third in northern Sweden. These facilities are conducting diverse research activities that also align with China's broader strategic and military interests. The changing Arctic environment could open new shipping routes, reducing transit times for seaborne trade and offering easier access to natural resources, which is advantageous for China's ambitions. Furthermore, China's Arctic research, while primarily focused on scientific knowledge, serves Beijing's strategic objectives and is seen as a way for China to assert its "right to speak" on Arctic affairs. There are concerns about the potential military implications of China's activities in the Arctic.
READ THE STORY: Modern Diplomacy
Space Force Will Look At How to Hack Targets From Space
Analyst Comments: The integration of Space Force troops with the Air Force's 16th Air Force demonstrates a multi-domain approach to U.S. national security, reflecting the evolving complexities of warfare, which is extending into the space and cyber domains. As space becomes increasingly militarized, cyber operations are expected to play a pivotal role in safeguarding space-based assets, which are becoming frequent targets of adversaries. Given the ubiquity, cost-effectiveness, and difficulty of attributing cyberattacks, the U.S. needs to invest significantly in both offensive and defensive cyber capabilities. This collaboration points to a future where space and cyber operations are not merely interconnected but an integrated part of a broader security strategy. The evolution of warfare into these domains necessitates changes in military strategy, training, and resource allocation.
FROM THE MEDIA: Two Space Force troops are working alongside the Air Force's 16th Air Force, which supplies cyber specialists to U.S. Cyber Command, to explore the future of offensive space operations. Lt. Gen. Stephen Whiting, the leader of Space Operations Command, highlighted the importance of leveraging offensive cyber capabilities for space purposes. The Space Force plans to establish a component of U.S. Cyber Command in the coming years. While discussions often focus on the vulnerability of U.S. satellites to hacking, Whiting emphasized the need to defend the cyber terrain as it is the "soft underbelly" of the Space Force and the space enterprise. Cyberattacks are viewed as a cost-effective and harder-to-attribute means of targeting compared to direct attacks in space.
READ THE STORY: Defense One
Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
Analyst Comments: Agrius's shift to a new ransomware written in C++ underscores its expanding capabilities and continuous development of new tools. This highlights an escalating threat landscape, with Iran-backed cyber groups persistently launching cyberattacks against Israel and other regions. While Agrius's tactics remain consistent, the new ransomware shows its efforts to improve capabilities and complicate attribution and detection. This latest development is another reminder of the importance of robust cybersecurity defenses and threat intelligence. The threat posed by state-sponsored actors necessitates heightened vigilance and constant updating of security protocols to protect sensitive infrastructure and data. Furthermore, the fact that the group is targeting vulnerabilities in web servers suggests that organizations must prioritize patching and updating their systems to mitigate the risk of these attacks.
FROM THE MEDIA: The Iranian threat group Agrius, also known as Pink Sandstorm, is deploying a new ransomware strain called Moneybird to target Israeli organizations. Known for its destructive data-wiping attacks disguised as ransomware infections, Agrius has been active since at least December 2020 and is linked to Iran's Ministry of Intelligence and Security (MOIS). The group recently attempted disruptive intrusions against diamond industries in South Africa, Israel, and Hong Kong, using a .NET-based wiper-turned-ransomware called Apostle and its successor, Fantasy. Unlike these, Moneybird is programmed in C++. The infection process starts with the exploitation of vulnerabilities in internet-exposed web servers, leading to the deployment of a web shell named ASPXSpy. This web shell then delivers publicly known tools to perform reconnaissance, move laterally, harvest credentials, and exfiltrate data.
READ THE STORY: THN // The Record
AI can help automakers keep slavery out of their supply chains
Analyst Comments: The automotive industry's growing supply chain issues are clearly a complex and multifaceted problem. Increased scrutiny from lawmakers is likely to continue, particularly as the issue of forced labor in Xinjiang remains a hot topic. Automakers will need to find more efficient ways to ensure supply chain transparency to meet these challenges, and AI may provide a potential solution. However, given the varying levels of transparency in different countries, it may still prove difficult for automakers to provide the level of visibility that lawmakers are asking for. If successful, AI could play a key role in transforming how industries manage and audit their supply chains, not only ensuring compliance but also potentially reducing costs and improving resilience.
FROM THE MEDIA: In response to increased scrutiny of the automotive industry's supply chains following reports of forced labor in China’s Xinjiang province, automakers are under pressure to ensure transparency and compliance with federal trade laws. As supply chains have become more complex due to geopolitical tensions, the COVID-19 pandemic, and the demand for scarce raw materials, automakers are now expected to have visibility into every stage of their supply chain, from raw materials to finished products. Some automakers have begun using AI to manage these complexities, reducing costs, increasing resilience, and ensuring compliance. Despite this, the industry faces challenges due to the varying transparency requirements among countries, with some like China obfuscating the origin of goods to circumvent foreign sanctions. This has led to a push for "friendshoring," bringing manufacturing to more transparent regions, although this process is slow.
READ THE STORY: The Hill
EU says the drop in gas demand will exceed bloc’s Russian imports
Analyst Comments: The EU's anticipated decrease in gas demand reflects its continued efforts to reduce reliance on Russian imports amid ongoing geopolitical tensions. This shift is not only significant for the EU's energy security but also supports its broader environmental objectives under the European Green Deal, which aims to make the bloc carbon-neutral by 2050. However, the transition poses challenges as energy systems need to adjust, and alternatives like renewable sources must be adequately scaled up. The note about potential risks indicates that the EU is wary of potential disruptions or price volatility in the energy market.
FROM THE MEDIA: Brussels anticipates that EU gas demand will decrease by more than the total amount of its imports from Russia in 2023, according to a document presented to the European Commission by energy commissioner Kadri Simson. The EU is expected to reduce its gas consumption by an additional 60 billion cubic meters in 2023, which is more than the volume of gas it plans to import from Russia in the same year, both through pipelines and liquefied natural gas (LNG). This comes in light of a series of emergency laws introduced last year to reduce energy use and lessen the bloc's dependence on Russian imports. Although gas prices have recently dropped to closer historical ranges, the document acknowledges that some risks still need to be carefully monitored.
READ THE STORY: FT
Get ready for Team America: AI Police
Analyst Comments: The OSTP's update to the National AI R&D Strategic Plan represents a continuation of efforts from the previous administration, emphasizing the importance of long-term, responsible investment in AI research. The addition of international collaboration as a strategy highlights the global nature of AI developments and the necessity of a coordinated approach. The focus on understanding the theoretical capabilities and limitations of AI models, particularly in relation to sectors like climate change, agriculture, energy, and healthcare, signifies an awareness of the wide-ranging impact of AI and the importance of managing its risks. The OSTP's request for public comment on AI's potential impacts on national security, democracy, and job loss shows a commitment to engaging with a wide array of perspectives to build a comprehensive and effective national AI strategy.
FROM THE MEDIA: The US Office of Science and Technology Policy (OSTP) has updated its National AI R&D Strategic Plan for the first time since 2019, with most strategies staying the same as those recommended under the previous administration. A new ninth strategy has been added focusing on exploring and fostering international cooperation to develop AI technologies affecting global issues such as the environment and manufacturing. Another change includes updating the strategy "Make long-term investments in AI research" to "Make long-term investments in fundamental and responsible AI research." The updated plan emphasizes responsible AI innovation, data privacy, AI safety, addressing biases in AI, and understanding the theoretical capabilities and limitations of AI models.
READ THE STORY: The Register
GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains
Analyst Comments: Google's GUAC tool could offer significant benefits for software supply chain security. It consolidates information from multiple sources to provide a comprehensive view of software dependencies and vulnerabilities, which could enable organizations to better understand and manage their security risks. Additionally, by being open-source and offering an API for developers, it allows for widespread integration and customization, enhancing its potential utility. While it is still in the beta version, with further development and refinement, GUAC could become an important tool in mitigating software supply chain attacks.
FROM THE MEDIA: Google has announced the 0.1 Beta version of Graph for Understanding Artifact Composition (GUAC) to help organizations secure their software supply chains. GUAC is an open-source framework that functions as an API, enabling developers to integrate their tools and policy engines into it. GUAC aggregates software security metadata from various sources into a graph database to map the relationships between software, providing organizations with a better understanding of their software security position. It gathers data from Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, deps.dev insights, and a company's internal private metadata, aiding in creating a comprehensive risk profile and visualizing the connections between artifacts, packages, and repositories. With this, Google aims to combat high-profile supply chain attacks, create a patch plan, and allow for a quick response to security breaches.
READ THE STORY: THN
Hackers target 1.5M WordPress sites with cookie consent plugin exploit
Analyst Comments: The sheer scale of these attacks highlights the persistent threat posed by unpatched plugins to the security of WordPress websites. While the current wave of attacks appears not to inject malicious payloads due to a misconfigured exploit, the threat actor could potentially fix this issue, escalating the danger for unpatched websites. Therefore, it is crucial for site administrators to ensure the Beautiful Cookie Consent Banner plugin and all others are updated to their latest versions. The incident underscores the ongoing importance of regular patching and updating practices, particularly for websites using open-source platforms like WordPress.
FROM THE MEDIA: There are ongoing attacks targeting an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin known as Beautiful Cookie Consent Banner, which has more than 40,000 active installs. This type of attack could result in unauthorized access to sensitive information, session hijacking, malware infections, or a full compromise of the victim's system. The vulnerability also enables attackers to create rogue admin accounts on WordPress websites with unpatched plugin versions. This security flaw was patched in January with version 2.10.2. However, nearly 3 million attacks have been blocked against more than 1.5 million sites from around 14,000 IP addresses since May 23, 2023, according to Defiant, a WordPress security company. The current threat actor appears to be using a misconfigured exploit, but website admins are advised to update the plugin to the latest version to prevent potential damage.
READ THE STORY: Bleeping Computer
No, Russia Is Not Massively Skirting Sanctions
Analyst Comments: Sanctions evasion, while a reality, is not as widespread or effective as some media narratives suggest. The effectiveness of sanctions should not be measured solely by the extent of evasion but also by their overall impact on the targeted country's economy and policy. The fact that complex evasion schemes are in place indicates that sanctions are having an effect. It's essential to continually refine and adapt sanctions to increase effectiveness, respond to evasion tactics, and minimize unintended impacts on non-targeted sectors and innocent civilians. This requires ongoing monitoring, analysis, and international cooperation. Russia's size and economic heft make large-scale evasion challenging, and third-party countries like China appear cautious about significantly aiding such evasion. While some increases in certain high-tech imports to Russia suggest evasion attempts, these are from a low base, indicating that the overall scale remains limited.
FROM THE MEDIA: While reports suggest that Moscow easily evades sanctions through various means, the article highlights several key takeaways that present a more complex picture. Firstly, not all countries participate in sanctions, allowing non-Western firms to conduct business with Russia freely. Additionally, Western sanctions do not cover all sectors, such as food and medical supplies, leading to increased exports of these goods to Russia. The article also emphasizes that sanctions evasion is not unique to Russia and has historical precedents. However, for a large country like Russia, evading comprehensive sanctions is challenging due to the scale of its economy. The article further dispels the notion that China significantly enables sanctions evasion and notes that Russia's surge in high-tech imports from non-sanctioning economies comes from a low starting point.
READ THE STORY: FP
WeChat makes facial recognition payment systems talk to the hand
Analyst Comments: The introduction of palm recognition-based payments by WeChat reflects the continuous innovation and adoption of biometric technologies in the Chinese market. This feature offers convenience and a contactless payment experience, aligning with the preference for touchless transactions amid the COVID-19 pandemic. The use of palm prints for identification may offer advantages over facial recognition, as palm prints are less likely to be exposed on social media or undergo modifications that could affect recognition accuracy. However, security concerns remain, as capturing hand gestures on video could potentially compromise user privacy.
FROM THE MEDIA: Chinese microblogging site WeChat has introduced a new payment feature that allows users to make payments by swiping their palm over facial recognition devices. After registering their palm print and binding it to their WeChat account, users can complete purchases by waving their hand in front of a camera-embedded scanning surface. The system recognizes unique palm characteristics and can be used in various lighting conditions. Apart from payments, the technology can also be applied to other use cases such as boarding transport, attendance tracking, and membership verification. While WeChat is not the first to explore palm recognition for payments, the implementation of this feature could intensify competition in the Chinese payment service market.
READ THE STORY: The Register
How Hackers Launched an Attack on European Spacecraft
Analyst Comments: The ESA's cybersecurity challenge demonstrates the growing concerns over cyber threats to space systems and the need to develop robust defenses and resilience. As the number of satellites in orbit increases, including those providing commercial services, the risk of cyberattacks becomes more significant. The exercise conducted by Thales highlights the importance of proactively identifying vulnerabilities and enhancing cybersecurity measures to protect critical space assets. The development of cybersecurity capabilities and space cyber defense units, such as China's cyber defense system and the US Space Force's Space Delta 6, indicates a growing recognition of the threat and the efforts being made to address it.
FROM THE MEDIA: The European Space Agency (ESA) conducted a cybersecurity challenge to test the resilience of its OPS-SAT nanosatellite against potential cyberattacks. Thales' offensive cybersecurity team partnered with ESA to carry out the exercise, where they gained access to the satellite's onboard system and injected malicious malware to compromise its operations. The goal was to assess the impacts and consequences of a real cyberattack on space systems. Cybersecurity challenges in the space industry include ensuring mission continuity, resilience against vulnerabilities, threat recognition and response, and compliance with space security certifications. The increasing likelihood of satellite cyberattacks highlights the need for robust defense measures and regulatory frameworks in space.
READ THE STORY: ITSECNEWS
Threat actors leverage kernel drivers in new attacks
Analyst Comments: The use of malicious kernel-level drivers in targeted attacks underscores the importance of robust endpoint security and defense mechanisms. Kernel-level threats provide threat actors with significant control and evasion capabilities, making them a serious concern for organizations. The attribution process for the WinTapix.sys driver is still ongoing, but the targeting of Middle Eastern countries suggests the involvement of an Iranian threat actor. The BlackCat ransomware attack highlights the exploitation of kernel drivers signed through legitimate Microsoft accounts, emphasizing the need for enhanced security measures and scrutiny of digital signatures. The reports highlight the evolving tactics of threat actors and their ongoing efforts to circumvent detection by leveraging kernel-level access.
FROM THE MEDIA: Two separate cybersecurity research reports from Fortinet and Trend Micro highlight the use of malicious kernel-level drivers by threat actors in targeted attacks. Fortinet's research focuses on WinTapix.sys, a driver used in attacks against organizations in the Middle East, potentially attributed to an Iranian threat actor. Trend Micro's report discusses a ransomware attack by BlackCat ransomware that deployed malicious kernel drivers signed through Microsoft hardware developer accounts. Both reports emphasize the significance of kernel-level threats due to the complete access they provide to threat actors and their ability to evade endpoint protection platforms. The use of kernel drivers in attacks is expected to continue as they offer an effective means of bypassing security measures.
READ THE STORY: TechTarget
New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East
Analyst Comments: The utilization of malicious kernel drivers highlights the evolving tactics of threat actors to evade detection and gain control over targeted systems. The attribution of the WINTAPIX driver to an Iranian threat actor is based on limited confidence, but the targeting of Middle Eastern countries aligns with past activities of Iranian threat actors. The incidents emphasize the importance of robust security measures, including driver signature enforcement and protection against known vulnerable drivers. The use of kernel drivers allows threat actors to operate at the highest privilege level and subvert security mechanisms, making it challenging to detect and mitigate their activities.
FROM THE MEDIA: An unidentified threat actor has been observed utilizing a malicious Windows kernel driver named WINTAPIX (WinTapix.sys) in targeted attacks, possibly targeting the Middle East region. Security researchers suspect the involvement of an Iranian threat actor based on telemetry data. The driver acts as a loader, allowing the attacker to execute the next stage of the attack by injecting an embedded shellcode into a user-mode process. The malware establishes persistence, targets Microsoft Internet Information Services (IIS) servers, and includes backdoor and proxy features. In a separate incident, the BlackCat (or ALPHV) ransomware group was found using a signed driver named ktgn.sys to evade security defenses. The driver is an updated version of POORTRY and is signed using a stolen or leaked cross-signing certificate. Both incidents demonstrate the increasing use of malicious kernel drivers to bypass security measures and gain privileged access to targeted systems.
READ THE STORY: THN
Items of interest
Chinese Labs Are Selling Fentanyl Ingredients for Millions in Crypto
Analyst Comments: These findings highlight the critical role that cryptocurrencies play in the global narcotics trade, particularly in the context of the deadly opioid fentanyl. The use of cryptocurrencies for these transactions is likely due to their resistance to seizure or blocking, despite the potential for tracing by Western companies and law enforcement agencies. This report underscores the potential to use blockchain data as an "early warning system" for forecasting drug inflows into cities, which could help prevent overdoses. However, the challenge lies in applying sufficient pressure on cryptocurrency exchanges to cut off accounts linked to fentanyl precursor sellers, given the decentralized and global nature of these platforms.
FROM THE MEDIA: Chinese chemical manufacturers are accepting cryptocurrencies such as Bitcoin and Tether as payment for fentanyl precursors sold to global drug operations, according to research from cryptocurrency-tracing firms Elliptic and Chainalysis. The researchers found over 90 Chinese chemical firms advertising fentanyl precursor chemicals on the open web, 90% of which accepted payment in cryptocurrencies. Blockchain analysis estimates that these firms received around $27 million in transactions over the past five years, with a 450% increase in the past year. This figure may only represent a fraction of the cryptocurrency-fueled fentanyl supply chain. While dark-web markets have started to ban fentanyl due to its danger, the wholesale supply of fentanyl ingredients to drug producers worldwide continues unabated, with a potentially devastating impact on public health.
READ THE STORY: Wired
How China Is Fuelling America's Drug Epidemic (Video)
FROM THE MEDIA: Ben Westhoff, a renowned investigative journalist, has been delving into the origins and production process of fentanyl, a synthetic opioid that has been linked to a surge in overdose deaths in the US. Fentanyl is more than 50 times stronger than heroin and has been identified as the central substance contributing to the North American opioid crisis. The drug's production process has often been shrouded in misinformation, leading to myths and politicized narratives. Westhoff sought to cut through these misconceptions by traveling to China to inspect the labs and factories where fentanyl and its precursor chemicals are made.
'China Is Using Fentanyl To Commit Diplomatic Blackmail': GOP Lawmaker Lays Into Beijing Strategy (Video)
FROM THE MEDIA: A GOP lawmaker discusses China's use of fentanyl as a tool for diplomatic blackmail. The lawmaker highlights fentanyl as the leading cause of death among working-age Americans and accuses China of intentionally allowing its shipment to the United States. They suggest that China's cooperation on counter-narcotics ceased after Speaker Pelosi's visit to Taiwan, and China's Embassy claimed that U.S. actions on the Uighur genocide affected their examination of fentanyl substances. The lawmaker asks about diplomatic measures the Biden administration can take to restrict the flow of Chinese fentanyl precursors.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories are selected to cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.