Daily Drop (501): Nvidia Powers AI Boom, China's Gas Consumption Decline, Ghana's Collateralized Loans Default, Predator Spyware's Data Theft, Iran-Linked APT
05-27-2023
Saturday, May 27, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
Defaulting on Collateralized Chinese Loans, Ghana Will Lose its State Properties
Analyst Comments: The collateralization of loans and the potential risk of losing national assets to China raise concerns about Ghana's debt sustainability and economic sovereignty. The IMF bailout provides some immediate relief, but it remains crucial for Ghana to address its underlying economic issues and implement reforms to ensure long-term stability. The government's commitment to structural reforms and private sector-led growth is a step in the right direction, but it will require effective implementation and monitoring to achieve desired results. The comprehensive strategy being prepared by the Bank of Ghana to revive the financial sector is a positive development, as it aims to restore market confidence and promote lending to the private sector. Ghana's natural resource wealth, particularly in gold and cocoa, presents opportunities for economic growth, but proper management and diversification of the economy are essential to reduce dependency and mitigate risks.
FROM THE MEDIA: The Republic of Ghana has received approval for a $3 billion Special Drawing Rights from the International Monetary Fund (IMF) to address its economic crisis caused by mismanagement and budgetary issues. However, it has been revealed that Ghana has collateralized loans from China, allowing China to potentially seize Ghana's mineral revenue and electricity sales if the loans are not repaid. China owns about two-thirds of Ghana's external loans, making it a significant player in the country's debt situation. The IMF report highlights the risk of losing revenue from Ghana's mineral resources and electricity sales if loan obligations to China are not met. Ghana has borrowed close to $5 billion from China, and $619 million of the $1.9 billion owed to China is collateralized. There are concerns that critical national assets such as the Tema Harbour, Ghana Broadcasting Corporation (GBC), Kotoka International Airport (KIA), and the Electricity Company of Ghana (ECG) could be at risk of being seized by China. President Nana Akufo-Addo has defended the IMF bailout and stated that he will fulfill his promises to Ghanaians and improve the economy before the end of his tenure.
READ THE STORY: Modern Diplomacy
EIA Reports First Decline in China's Annual Natural Gas Consumption in Over Three Decades
Analyst Comments: The drop in natural gas consumption and LNG imports indicates a shift in China's energy consumption patterns, mainly driven by external factors such as COVID-19 and economic conditions, as well as internal policy decisions prioritizing supply security over emission targets. The decline could have significant implications for global natural gas markets and LNG exporters, given China's status as the world's largest LNG importer. China's dependency on imports to meet its energy requirements suggests that its demand might rebound once the economic conditions improve and COVID-19-related restrictions ease. The country's commitment to reducing its carbon footprint could also continue to drive long-term demand for cleaner energy sources like natural gas, although its consumption patterns might vary depending on the balance it strikes between environmental policies and supply security.
FROM THE MEDIA: China's natural gas consumption and LNG (Liquefied Natural Gas) imports decreased in 2022 due to slower economic growth, increased gas prices, and strict COVID-19 regulations. This is the first annual decline in consumption since 1990, according to the U.S. Energy Information Administration (EIA). Despite becoming the world's top LNG importer in 2021, China's imports decreased by 20% in 2022 due to lower demand and higher prices. Even with a significant increase in domestic natural gas production, China remains reliant on imports to meet its growing gas needs.
READ THE STORY: Reuters
Trade Chiefs of US and China Seek Diplomacy Amid Escalating Chip Wars
Analyst Comments: The actions taken by China and the potential retaliation by the US could potentially escalate into a full-blown trade conflict, harming not only the economies of both countries but also the global semiconductor supply chain. The shift in strategies by the US and Japan to strengthen their collaboration on chip technology highlights the growing recognition of technology independence in geopolitical calculations. Such alliances could potentially reshape the global semiconductor landscape and supply chains. The negotiations by TSMC and Intel with the German government underscore the increasing involvement of states in supporting the high cost of semiconductor manufacturing. This trend could result in a more regionally distributed global semiconductor industry, as countries strive for technological independence and supply chain security.
FROM THE MEDIA: The tensions between the US and China over semiconductors are escalating after China banned purchases of products containing technology from US chipmaker Micron, citing national security concerns. This ban has led to Chinese vendors reportedly dropping orders for Micron components. In response, US Secretary of Commerce Gina Raimondo met with Chinese counterpart Wang Wentao, expressing concerns about the restrictions on American companies in China. There are calls in the US for retaliation, such as adding China's Changxin Memory Technologies to the restrictive entity list. The ban has already impacted Micron's business, with significant Chinese customers like Inspur and Lenovo canceling orders. Amidst this, the US and Japan are seeking closer collaboration on chip technology to reduce reliance on Chinese supply chains. In related developments, Taiwan's TSMC is negotiating with the German government to subsidize half the cost of a new chip factory in Germany, similar to Intel's plans for a plant in the country.
READ THE STORY: The Register
The Security Hole at the Heart of ChatGPT and Bing
Analyst Comments: This incident underscores the potential vulnerabilities associated with the use of AI and machine learning, especially large language models. While Giardina's intentions are to raise awareness about these security threats, there's a real concern that such techniques could be exploited maliciously, leading to data theft, scams, or the manipulation of AI systems to act in undesirable ways. Given the growing integration of AI in various applications and services, it's crucial for companies to take these potential threats seriously and invest in measures to mitigate them.
FROM THE MEDIA: An entrepreneur named Cristiano Giardina has resurrected a version of Microsoft's chatbot, Sydney, which was previously shut down due to its chaotic behavior. He accomplished this through an indirect prompt-injection attack, which involves feeding the AI system data from an outside source to make it behave in ways its creators didn’t intend. Indirect prompt-injection attacks have been demonstrated on other large language models (LLMs) such as OpenAI's ChatGPT and Microsoft’s Bing chat system. While most of these demonstrations have been from security researchers, experts warn that not enough attention is being given to this potential threat. Giardina's aim is to raise awareness about these types of attacks. There are currently no definitive solutions to this issue, but researchers are exploring various methods, including using AI to detect such attacks.
READ THE STORY: Wired
How Nvidia created the chip powering the generative AI boom
Analyst Comments: Nvidia's success with the H100 chip demonstrates the rising importance of specialized hardware in the burgeoning field of generative AI. As applications like ChatGPT gain traction, demand for high-performance hardware will likely continue to rise, potentially leading to supply constraints and further competition among tech giants. Nvidia's massive growth also illustrates how technology advancements and market timing can intersect for extraordinary success. The company’s development of the H100 coincided perfectly with the rise in demand for generative AI, leading to soaring sales and valuation. While Nvidia currently has a strong position in the AI chip market, competitors like Google, Intel, and others are also developing next-generation chips.
FROM THE MEDIA: Nvidia's H100 chip, released in 2022, is becoming a crucial component for generative artificial intelligence (AI) systems, driven largely by the rise in popularity of AI applications like OpenAI's ChatGPT. The H100, priced at around $40,000 each, is described as "the world’s first computer [chip] designed for generative AI." Nvidia's recent sales forecast surpassed Wall Street estimates, adding $184bn to its market capitalization in a single day, bringing the company close to a $1tn valuation. The demand for the H100 chip is intense, causing long wait times for delivery, and is particularly high among Big Tech companies and AI start-ups. Despite Nvidia's current dominance, competition from companies like Google and Intel is emerging.
READ THE STORY: FT
Predator Android Spyware: Researchers Uncover New Data Theft Capabilities
Analyst Comments: The detailed analysis of the Predator spyware demonstrates the increasing sophistication of cyber threats, with the use of commercial spyware and "zero-click" attacks becoming more prevalent. This also highlights the ever-evolving nature of cyber threats and the need for persistent vigilance and proactive cybersecurity measures by all types of organizations, including governmental entities. While such tools are claimed to be intended for legitimate governmental use, their misuse for surveillance of journalists, activists, and other members of civil society raises serious ethical and legal questions. The revelation that the Mexican government may be using such tools to spy on itself further illustrates the potential for misuse of such tools.
FROM THE MEDIA: Security researchers have given an in-depth analysis of the workings of an Android spyware called Predator, marketed by the Israeli company Intellexa. The spyware was initially documented by Google's Threat Analysis Group in May 2022, as part of a series of attacks that exploited five zero-day vulnerabilities in the Chrome browser and Android. The spyware, which uses a loader component named Alien, has the capacity to record audio from calls and VoIP apps, extract contacts and messages, hide applications, and prevent apps from executing after a phone restart. The spyware is delivered as part of highly-targeted attacks, using zero-click exploit chains which require no interaction from victims. It is designed to bypass Android security features and can accomplish a range of tasks such as information theft, surveillance, remote access, and arbitrary code execution.
READ THE STORY: THN
How foreign businesses can avoid China’s espionage trap
Analyst Comments: This aggressive investigative approach by the Chinese authorities, marked by a lack of clarity and predictability, could potentially discourage foreign investment. The foreign business community, while trying to comply with unclear and broadly worded regulations, may face significant operational challenges and uncertainties. To maintain their foothold in China, foreign companies might have to rethink their strategies, including their data collection, market research, and due diligence practices. China's vast market potential might still allure many foreign companies, despite the increasing regulatory complexities and the risks involved. The foreign business community's reaction to these developments will likely be shaped by a careful evaluation of the trade-offs between the market potential and regulatory risks.
FROM THE MEDIA: China's authorities are reportedly aggressively investigating consulting firms such as Bain, Capvision Partners, and Mintz Group, which facilitate foreign investment in the country. The investigations, led by career intelligence officers, are characterized by detaining employees and closing local offices based on vague accusations of espionage and national security threats. China's refusal to clearly define offenses or specify alleged wrongful acts is leading to regulatory uncertainty, intimidating the foreign business community, and creating self-regulatory efforts to avoid conflict with authorities. The recent expansion of the Chinese espionage law further complicates matters, covering almost any conceivable business activity as potentially punishable.
READ THE STORY: The Hill
US charges two in Beijing-directed targeting of Falun Gong
Analyst Comments: These charges represent an escalation in the tension between the US and China, underscoring the lengths to which Beijing is alleged to go to suppress its critics, even beyond its borders. The charges also reveal the complex strategies utilized to subvert entities opposed to the Chinese government. This incident may further strain US-China relations, particularly if similar operations are uncovered. It also underlines the challenges faced by the Falun Gong group, which has been under continuous scrutiny and persecution in China since 1999. For US law enforcement, detecting and addressing such schemes forms a crucial part of ensuring the security and integrity of the country's institutions and organizations.
FROM THE MEDIA: Two Los Angeles residents, John Chen and Lin Feng, have been charged over their alleged involvement in a Beijing-directed scheme against US-based practitioners of the Falun Gong group, which is banned in China. The US Justice Department accused the duo of supporting Chinese efforts to strip a Falun Gong-run U.S. entity of its tax-exempt status. Chen and Lin were said to have attempted to bribe an undercover federal agent posing as a US tax official in 2023 to advance this complaint. The charges come in the wake of the arrest of two New York residents last month suspected of operating a Chinese "secret police station" in Manhattan's Chinatown district.
READ THE STORY: Reuters
Researchers find new ICS malware toolkit designed to cause electric power outages
Analyst Comments: This development could heighten concerns about the vulnerability of critical infrastructure and the increasing sophistication of state-sponsored cyberattacks. As it has ties to red-team exercises and has been linked to a Russian cybersecurity company with connections to the Russian government, this tool could potentially be repurposed for real-world attacks by nation-state actors. It showcases the evolving and increasingly complex strategies adopted by malicious actors to compromise critical infrastructure, necessitating ongoing advancements in cybersecurity defense measures and strategies.
FROM THE MEDIA: Researchers from Mandiant have identified a new malware toolkit, COSMICENERGY, believed to have been developed for red-teaming exercises by a Russian cybersecurity company, Rostelecom-Solar. COSMICENERGY can interact with operational technology (OT) devices and remote terminal units (RTUs) in power grids, communicating over the IEC 60870-5-104 protocol. This malware is seen as a specialized OT malware capable of causing cyber-physical impacts, with capabilities comparable to INDUSTROYER, a malware program used in 2016 against the Ukrainian power grid. COSMICENERGY is composed of two components: one written in Python (PIEHOP) and one in C++ (LIGHTWORK). PIEHOP is designed to connect to MS-SQL servers and upload files or issue commands. LIGHTWORK is designed to issue ON and OFF commands to connected RTUs via IEC-104 over TCP. The attackers, however, would need pre-existing reconnaissance information about the deployment they're targeting.
READ THE STORY: CSO
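The LIGHTWORK component described above issues ON/OFF commands to RTUs over IEC 60870-5-104, so a defender watching the TCP/2404 traffic wants to see exactly those ASDUs and who sent them. The following is an added example, not Mandiant's analysis code or anything from the toolkit: it parses constructed IEC-104 I-frames, extracts single/double commands with cause-of-transmission "activation", and flags any that do not originate from an assumed allowlist of authorized master station IPs.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple, List

# IEC 60870-5-104 type identifiers for the control ASDUs described above.
C_SC_NA_1 = 45       # single command: SCO bit 0 = state (1 = ON, 0 = OFF)
C_DC_NA_1 = 46       # double command: DCO bits 0-1 = state (1 = OFF, 2 = ON)
COT_ACTIVATION = 6   # cause of transmission "activation" (a real control request)


@dataclass
class ControlCommand:
    type_id: int
    common_addr: int     # common address of ASDU (station address)
    ioa: int             # information object address (the point being switched)
    state: str           # "ON", "OFF" or "INDETERMINATE"
    select: bool         # True = select (arm), False = execute
    cot: int


def parse_apdu(frame: bytes) -> Optional[ControlCommand]:
    """Parse one IEC-104 APDU; return a ControlCommand if it carries a
    single/double command with cause 'activation', else None."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (bad start byte or too short)")
    if len(frame) != frame[1] + 2:
        raise ValueError("APDU length field does not match frame size")
    # Bit 0 of the first control octet is 0 for I-format (carries an ASDU);
    # S-format and U-format frames set it to 1 and carry no ASDU.
    if frame[2] & 0x01:
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sq, num_objects = vsq >> 7, vsq & 0x7F
    cot = asdu[2] & 0x3F            # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or cot != COT_ACTIVATION:
        return None
    if sq != 0 or num_objects != 1:
        raise ValueError("control ASDU must carry exactly one information object")
    body = asdu[6:]
    if len(body) < 4:
        raise ValueError("information object truncated")
    ioa = body[0] | (body[1] << 8) | (body[2] << 16)   # 3-byte little-endian IOA
    qualifier = body[3]
    select = bool(qualifier & 0x80)                     # S/E bit: 1 = select
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INDETERMINATE")
    return ControlCommand(type_id, common_addr, ioa, state, select, cot)


def build_command_apdu(type_id: int, common_addr: int, ioa: int, qualifier: int,
                       send_seq: int = 0, recv_seq: int = 0,
                       cot: int = COT_ACTIVATION) -> bytes:
    """Construct an I-format APDU carrying one control information object
    (used here only to fabricate sample traffic for the detector)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", common_addr)
            + bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, qualifier]))
    control = struct.pack("<HH", send_seq << 1, recv_seq << 1)   # I-format seq fields
    body = control + asdu
    return bytes([0x68, len(body)]) + body


def audit_stream(frames: Iterable[Tuple[str, bytes]],
                 authorized_masters: Set[str]) -> List[str]:
    """Return one alert per control command sent by a source IP that is not an
    authorized master. Sources and the allowlist are assumptions for the demo."""
    alerts = []
    for src, frame in frames:
        cmd = parse_apdu(frame)
        if cmd is None or src in authorized_masters:
            continue
        phase = "select" if cmd.select else "execute"
        alerts.append(f"{src}: unauthorized {cmd.state} {phase} "
                      f"to CA={cmd.common_addr} IOA={cmd.ioa} (type {cmd.type_id})")
    return alerts


if __name__ == "__main__":
    # Constructed sample: a legitimate master and an unexpected host both issue commands.
    legit = build_command_apdu(C_SC_NA_1, 1, 1001, 0x01)          # single command ON, execute
    rogue = build_command_apdu(C_DC_NA_1, 7, 0x020304, 0x81)      # double command OFF, select
    for line in audit_stream([("10.0.0.5", legit), ("10.0.0.9", rogue)], {"10.0.0.5"}):
        print(line)
```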
An alleged Iran-linked APT group targeted an organization linked to the United Arab Emirates (U.A.E.) with the new PowerExchange backdoor
Analyst Comments: This attack demonstrates the ongoing risk posed by APT groups, especially against high-value targets such as government entities. The use of the victim's own Exchange server for C2 communications highlights a sophisticated attempt to blend in with legitimate traffic and avoid detection. As threat actors continue to evolve their techniques and develop new malware variants, it is crucial for organizations to maintain robust cybersecurity defenses and continuously monitor their networks for unusual activity.
FROM THE MEDIA: Researchers from Fortinet FortiGuard Labs have discovered an attack targeting a government entity in the United Arab Emirates with a new PowerShell-based backdoor named PowerExchange. It is speculated that the backdoor is likely linked to an Iran-associated Advanced Persistent Threat (APT) group. The backdoor uses emails for Command and Control (C2) communications, where the victim's Microsoft Exchange server is the C2. The investigation revealed other implants on various servers, including a new web shell, ExchangeLeech, on Microsoft Exchange servers. The infection process begins with spear-phishing emails containing a zip file attachment. The file contains a malicious .NET executable that, when executed, displays an error message while downloading and executing the final payload. The PowerExchange malware uses the Exchange Web Services (EWS) API to connect to the victim’s Exchange server and uses a mailbox on the server to send and receive encoded commands. The backdoor also acts as a proxy for the attacker to hide their identity.
READ THE STORY: Security Affairs
BianLian Ransomware Gang Shifts to Purely Data Extortion Attacks, Warns Joint Advisory
Analyst Comments: The shift in tactics by the BianLian ransomware gang is significant and could influence the methods used by other cybercriminal groups. The move away from encryption attacks to data exfiltration attacks signifies an adaptation to changing defenses, specifically the development and distribution of ransomware decryption tools. The new modus operandi is potentially more damaging and disruptive to targeted organizations, as it not only involves the potential release of sensitive data but also creates a persistent threat even after the initial breach is detected and remediated. It also illustrates a growing trend among cybercriminals to exploit human weaknesses as well as system vulnerabilities.
FROM THE MEDIA: The FBI, CISA, and the Australian Cyber Security Centre (ACSC) have jointly warned about the shifting tactics of the BianLian ransomware gang. Instead of using traditional ransomware encryption, the gang is now focusing on data exfiltration-based extortion. This tactic involves stealing sensitive data from victims and then threatening to publish it unless a ransom is paid. The group gains access to victims' networks through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting to discover and harvest credentials. BianLian has also been known to disable antivirus software and modify the Windows registry to defeat endpoint protection solutions.
READ THE STORY: CPO
Gaming Firms and Community Members Hit by Dark Frost Botnet
Analyst Comments: The discovery of Dark Frost represents a significant development in cyber threats targeting the gaming industry. The botnet's creation using source code from previous malware strains highlights a growing trend among cybercriminals to repurpose and adapt existing malware for new attacks. It also demonstrates the continued prevalence and effectiveness of DDoS attacks, particularly against the gaming industry, which is often targeted due to its high user base and the significant impact that service disruptions can have. The attacker's use of social media to advertise their attacks and services represents a brazen approach that not only increases their visibility but could also attract more clients for their illegal services. The exploitation of a longstanding misconfiguration in Hadoop YARN servers also stresses the importance of regular system checks and updates to prevent such vulnerabilities from being exploited. Organizations should consider investing in advanced threat detection and response capabilities to mitigate the impact of such threats.
FROM THE MEDIA: Akamai's Security Intelligence Response Team has discovered a new botnet, Dark Frost, targeting the gaming industry with Distributed Denial of Service (DDoS) attacks. Researchers believe Dark Frost was created using stolen or leaked source code from Qbot, Gafgyt, and Mirai malware. The botnet was flagged in February 2023, but researchers believe the attacker has been active since May 2022. Dark Frost targets misconfigurations in Hadoop YARN servers for remote code execution, and its most prominent targets include gaming companies, online streaming services, game server hosting providers, and gaming community members. The attacker has used social media and a Discord channel to boast about attacks and offer DDoS services for money.
READ THE STORY: HackRead
Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
Analyst Comments: The vulnerability in Expo's OAuth implementation is highly critical, given the high CVSS score and the potential for account takeover and data theft. The flaw exposes applications developed using the Expo.io framework to significant risk, especially those using third-party single sign-on providers like Google and Facebook. Successful exploitation could have severe consequences, potentially resulting in the exposure of sensitive user data or unauthorized actions on the victim's behalf. It is crucial for developers and organizations using the Expo.io framework to apply the provided hotfix promptly and consider Expo's recommendation for SSO configuration to mitigate this vulnerability.
FROM THE MEDIA: A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of Expo.io, a popular application development framework. Assigned the identifier CVE-2023-28131 and given a severity rating of 9.6 on the CVSS scoring system, this flaw could lead to credential leakage and enable account hijacking and data exfiltration. If exploited, attackers could potentially perform actions on behalf of a compromised user on platforms like Facebook, Google, and Twitter. The vulnerability could be exploited through a specially crafted link sent via social engineering techniques like email or SMS. Expo has released a hotfix and recommends users move from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers for single sign-on features.
READ THE STORY: THN
Russia successfully launched its first radar satellite into space
Analyst Comments: The successful launch of the Condor-FKA satellite demonstrates Russia's ongoing commitment to advancing its space exploration and satellite technology capabilities. The satellite's ability to capture images of the Earth's surface in adverse weather conditions, including heavy clouds, is a significant achievement. It will provide valuable data for various applications, including weather monitoring, environmental assessment, and national security purposes. The launch also highlights Russia's continued investment in its space industry and its desire to maintain a strong presence in the global space exploration arena.
FROM THE MEDIA: Russia has successfully launched its Condor-FKA satellite, which is capable of taking continuous pictures of the Earth's surface in any weather conditions, including heavy clouds. The satellite was launched from the Vostochny Cosmodrome using the Soyuz 2.1a rocket. Developed by the military-industrial corporation Scientific and Production Association of Mechanical Engineering, the satellite has a mass of 1,050 kg. It is designed to provide radar imaging capabilities for various applications. The launch marks another milestone in Russia's space exploration efforts and further enhances its capabilities in satellite technology.
READ THE STORY: Turkiye
SpaceX rocket sends Arabsat communications satellite into orbit
READ THE STORY: SpaceFlight Now
Promoting Economic Security: Enhancing Stability and Well-being
Analyst Comments: The article emphasizes the significance of economic security in today's world and highlights key strategies to promote it. It recognizes the role of economic stability in various aspects of life, such as social cohesion and sustainable development. The suggested strategies provide a comprehensive approach, addressing economic diversification, education, social welfare, entrepreneurship, and international collaboration. By incorporating these strategies into policymaking and collective efforts, societies can enhance economic security and work towards a more equitable and prosperous future.
FROM THE MEDIA: Economic security is of utmost importance for individuals, communities, and countries, providing stability, social cohesion, and long-term sustainable development. It allows people to meet their basic needs, recover from shocks, and actively participate in society. To enhance economic security, diversifying economies, investing in education, establishing social safety nets, promoting entrepreneurship and innovation, and fostering international cooperation are key strategies. Implementing these tactics can lead to a more resilient and prosperous future, ensuring stability and well-being in an uncertain and rapidly changing world.
READ THE STORY: Modern Diplomacy
The Physics of ‘Sniping’ for Gold
Analyst Comments: The explanation of how gold's high density allows it to sink while other debris is carried away provides insight into the prospecting process. The model created to simulate the motion of gold and rock particles adds a scientific perspective. The discussion on the physics of scale, using examples from various phenomena, enriches the article and demonstrates the broader applicability of this concept.
FROM THE MEDIA: The author shares their fascination with YouTube videos about gold prospecting and describes the "sniping" method used by prospectors to find tiny flecks of gold in rivers. They explain how gold, due to its high density, sinks while other debris gets swept away by the river current. The author builds a model to simulate the motion of gold and rock particles in moving water, showing that gold sinks faster and travels less distance downstream compared to rocks. They also discuss the physics of scale, highlighting how the behavior of objects can vary based on their size. Examples include the cooling of celestial bodies, the flight mechanics of birds, and the impact of hail size on damage potential.
READ THE STORY: Wired
Items of interest
Russia’s Role in preventing world hunger
Analyst Comments: The extension of grain exports by Russia and Ukraine is a positive development in addressing global food insecurity. The reliance on these countries for food supplies, particularly through the State Grain Operator, demonstrates their importance in the international food market. However, the impact of sanctions and the ongoing conflict in certain regions highlight the challenges and vulnerabilities in maintaining stable food supply chains. Efforts to support local farmers and ensure the functioning of the agro-industry, as seen in the Zaporozhye region, are crucial for food security. Continued international cooperation and support are necessary to mitigate the effects of conflicts and sanctions on food availability.
FROM THE MEDIA: Russia and Ukraine have extended grain exports across the Black Sea, which is crucial for addressing global food insecurity. Both countries are major suppliers of essential food commodities, with Ukraine providing wheat for the World Food Programme's humanitarian response. However, sanctions and the ongoing conflict pose challenges to the export of grain from certain regions. Despite these obstacles, Ukraine's Zaporozhye region continues to cooperate with various countries, supported by the State Grain Operator, which handles the reception, storage, and sale of crops. The Berdyansk bakery, a branch of the State Grain Operator, produces a significant quantity of bakery products daily.
READ THE STORY: Modern Diplomacy
Where to start with exploit development (Video)
FROM THE MEDIA: The video discusses the topic of exploit development and provides guidance on where to start. The speaker emphasizes the importance of starting with the basics and gradually progressing to more advanced techniques. They recommend learning programming languages like Python, C, and assembly. The speaker suggests studying the concepts of buffer overflow and exploit mitigation techniques, such as randomization and data execution prevention. They compare the learning process to playing a video game, where each level represents turning on a new mitigation. The transcript also mentions the benefits of co-authoring a book and participating in capture-the-flag competitions. The speaker encourages aspiring exploit developers to associate with knowledgeable individuals, join security groups, and attend conferences.
Working as an Exploit Developer at NSO Group (Video)
FROM THE MEDIA: The speaker describes the unique atmosphere and attention given to researchers at NSO Group, highlighting the collaborative nature of the work compared to their previous experiences. The company provides various amenities and support, such as personal assistants, a well-equipped kitchen, regular fun activities, and annual company retreats. The speaker emphasizes the importance of teamwork and motivation derived from seeing the team succeed. They mention the challenging nature of working on iOS exploits, given the maturity of smartphone security and strong mitigations in place.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.