Daily Drop (508): US DEF CON: Moonlighter Satellite, Camaro Dragon Unleashes Backdoor, US-Taiwan Trade Deal, Russia - Aurora OS, US Treasury Sanctions Iranian Cloud Provider
06-03-23
Saturday, Jun 03, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
Uncle Sam wants DEF CON hackers to pwn this Moonlighter satellite into space
Analyst Comments: The Moonlighter satellite and the Hack-A-Sat 4 competition highlight the growing importance of cybersecurity in space systems. As the commercialization of the aerospace industry continues and space systems become more interconnected and mass-manufactured, the need for robust cybersecurity measures becomes increasingly critical. The project aims to proactively address cybersecurity risks in space and encourage the adoption of offensive security research in the industry. By testing real hardware and software in orbit, the project can provide valuable insights and help identify vulnerabilities that can be addressed to enhance the security of space systems.
FROM THE MEDIA: A satellite named Moonlighter, developed by The Aerospace Corporation in collaboration with the US Space Systems Command and the Air Force Research Laboratory, is set to launch into Earth's orbit on a SpaceX rocket. Moonlighter is designed to serve as a hacking sandbox in space, allowing five teams of DEF CON hackers to remotely infiltrate and hijack the satellite while it is in orbit. The goal is to test offensive and defensive techniques on actual in-orbit hardware and software, with the aim of improving space systems' cybersecurity. The satellite will be part of the Hack-A-Sat 4 competition, marking the first time hackers will have the opportunity to test their skills against a live satellite in space.
READ THE STORY: The Register
Who’s afraid of Vladimir Putin
Analyst Comments: The Biden administration's evolving approach to supporting Ukraine indicates a strategic reevaluation of the risk posed by Putin's potential reactions. While concerns about provocative actions by Russia persist, the administration prioritizes evaluating the effectiveness of aid in the ongoing conflict. This shift in focus suggests a nuanced understanding of the situation and a determination to provide Ukraine with the necessary tools for its defense. The pressure to send long-range Army Tactical Missile Systems underscores the growing recognition of Ukraine's need for increased military capabilities. As the U.S. and its allies consider Ukraine's potential NATO membership and the development of a clear pathway, the international community's commitment to Ukrainian security becomes more apparent.
FROM THE MEDIA: Recent actions by the Biden administration show a declining concern about crossing Russian President Vladimir Putin's red lines. The fear of escalation has been a significant factor in the U.S. decision-making process concerning military aid to Ukraine, but this concern appears to be dwindling. Recent moves, such as allowing Ukrainian pilots to train on American-made F-16 fighter jets, suggest a more assertive stance. This shift is driven by two primary factors: the constant worry about Putin's unpredictability and the ongoing assessment of what will aid Ukraine in its conflict. The U.S. prioritizes the current needs of Ukraine's forces and their ability to sustain the usage of given weapons over potential Russian reactions. This shift could impact the decision-making process regarding future aid, such as long-range Army Tactical Missile Systems.
READ THE STORY: Politico
Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering
Analyst Comments: The activities of Camaro Dragon (Mustang Panda) and other Chinese threat actors highlight the ongoing cyber threats originating from state-sponsored groups. These actors demonstrate sophisticated techniques, including the development of custom malware, exploitation of vulnerabilities, and the use of targeted phishing campaigns. Their ability to bypass antivirus solutions and employ evasion tactics underscores the need for strong cybersecurity measures. Organizations, especially those in the government and diplomatic sectors, should remain vigilant and implement comprehensive security strategies to detect and defend against these threats.
FROM THE MEDIA: Chinese state-sponsored threat group Camaro Dragon, also known as Mustang Panda, has been linked to a new backdoor malware called TinyNote. The Go-based malware serves as a first-stage payload and enables basic machine enumeration and command execution. It utilizes multiple persistence mechanisms and communication methods to maintain access to compromised hosts. Camaro Dragon has previously been associated with a custom firmware implant called Horse Shell, which targets TP-Link routers. The group's activities demonstrate their evolving evasion tactics, diverse toolsets, and deep knowledge of victims' environments. TinyNote is believed to target Southeast and East Asian embassies and is the first known Mustang Panda artifact written in Golang.
READ THE STORY: THN
New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal
Analyst Comments: The discovery of significant similarities between the BlackSuit and Royal ransomware strains underscores the evolving nature of the ransomware landscape. It suggests that threat actors are continuously modifying existing tools to launch new variants, or that affiliate groups are implementing modifications to established ransomware families. The use of similar intermittent encryption techniques and the shared reliance on OpenSSL's AES implementation highlight the common approaches used by ransomware strains. The emergence of BlackSuit, potentially related to the Royal gang, indicates the formation of splinter groups or the adaptation of existing tools by new threat actors.
FROM THE MEDIA: An analysis by Trend Micro has revealed significant similarities between the Linux variant of the BlackSuit ransomware and the Royal ransomware family. The examination found that the two ransomware strains were nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps. BlackSuit was first identified in May 2023 as a ransomware strain capable of targeting both Windows and Linux hosts. Both BlackSuit and Royal use OpenSSL's AES for encryption and employ similar intermittent encryption techniques. Trend Micro speculates that BlackSuit may be a new variant developed by the same authors, a copycat, or an affiliate of the Royal ransomware gang.
READ THE STORY: THN
US-Taiwan relations: New trade deal signed as China tensions rise
Analyst Comments: The signing of the trade deal between the US and Taiwan demonstrates a continued strengthening of economic relations between the two countries. It signifies US support for Taiwan's economic growth and serves as a symbolic gesture amid escalating tensions with China. Beijing's criticism reflects its sensitivity towards any perceived endorsement of Taiwanese independence, emphasizing its territorial claims over the island. The trade agreement underscores the US commitment to maintaining ties with Taiwan and contributes to Taiwan's international recognition. The upcoming defense summit provides a platform for high-level discussions on security and further underscores the complex dynamics in the region.
FROM THE MEDIA: The United States and Taiwan have signed a new trade deal under the US-Taiwan Initiative on 21st Century Trade framework, marking the first agreement since the framework's establishment last year. The deal aims to strengthen economic ties, streamline border procedures, and increase US exports to Taiwan. The signing comes amid escalating tensions between the US and China. Beijing, which considers Taiwan its own territory, has criticized the trade talks, urging the US not to send signals of support for Taiwanese independence. The agreement precedes the Shangri-La Dialogue defense summit, which US Defense Secretary Lloyd Austin and his Chinese counterpart are expected to attend.
READ THE STORY: BBC
FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring
Analyst Comments: The FTC's fines against Amazon highlight significant privacy breaches related to its Alexa assistant and Ring cameras, raising concerns about the protection of user data. The $25 million penalty for violating children's privacy laws underscores the need for companies to comply with regulations and prioritize privacy rights. The additional fine of $5.8 million reflects the severity of the security lapses surrounding Ring cameras, which exposed users to unauthorized access and harassment. These incidents highlight the importance of robust privacy controls, strong security measures, and employee accountability to prevent unauthorized access to sensitive user data. The court-ordered requirements to delete collected information, disclose data retention practices, and refrain from using the data for algorithm training demonstrate the need for transparency and user consent in data handling practices.
FROM THE MEDIA: The U.S. Federal Trade Commission (FTC) has fined Amazon a total of $30.8 million over privacy breaches related to its Alexa assistant and Ring security cameras. Amazon was fined $25 million for violating children's privacy laws by retaining their Alexa voice recordings indefinitely and preventing parents from deleting them. Additionally, Amazon will pay $5.8 million in consumer refunds for privacy violations related to Ring cameras, including allowing employees and contractors broad access to private videos and not implementing adequate security controls. As part of the court order, Amazon must delete the collected information, disclose data retention practices, and refrain from using such data for algorithm training.
READ THE STORY: THN
US Seeks New Tools to Compete With China in Latin America
Analyst Comments: The Biden administration recognizes the need to bolster the US presence in Latin America to counter China's growing influence in the region. By focusing on strengthening the DFC and exploring new tools, the administration aims to compete more effectively with China's infrastructure investments. The emphasis on promoting transparency and human rights aligns with the values the US seeks to project in the region. This approach may resonate with countries in Latin America that are cautious about the implications of Chinese investments. However, the US will need to back its rhetoric with tangible initiatives and increased investment to establish a competitive edge against China's expansive presence.
FROM THE MEDIA: The Biden administration aims to enhance the United States' position in Latin America and compete with China by introducing changes to the Development Finance Corporation (DFC), according to Juan Gonzalez, the US National Security Council senior director for the Western Hemisphere. Gonzalez highlighted China's rapid infrastructure development in the region and the need for the US to develop new tools to effectively compete. While China is a major trade partner in South America, the US remains the primary source of private-sector investment.
READ THE STORY: Bloomberg
Russia wants 2 million phones with home-grown Aurora OS for use by officials
Analyst Comments: Russia's efforts to promote the use of domestic technology, such as the Aurora operating system, reflect its desire to reduce dependence on Western software and mitigate the impact of sanctions. By providing government officials with mobile devices running on the Aurora OS, Russia aims to enhance data security and reduce potential vulnerabilities from foreign technology. This move is consistent with Russia's broader push for digital sovereignty and control over data processing. However, achieving widespread adoption of domestic technology in the face of established Western alternatives may pose challenges. It remains to be seen whether the Aurora operating system can gain significant traction beyond government and state-connected entities.
FROM THE MEDIA: Russia's state-owned telecom company, Rostelecom, plans to provide government officials with mobile phones running on the Aurora operating system, a domestic alternative to Western software. The Russian government is in discussions with Rostelecom to potentially acquire up to 2 million mobile devices with the Aurora OS over the next three years. This move comes as the Russian government accuses U.S. intelligence of hacking thousands of Apple phones to spy on Russian diplomats. The Russian government has been actively promoting the use of domestic technology and has recommended its employees switch from foreign services like Zoom and WhatsApp to Russian platforms.
READ THE STORY: The Record
US Treasury sanctions Iranian cloud provider ‘facilitating’ Tehran censorship
Analyst Comments: The U.S. sanctions against ArvanCloud and its affiliated entities reflect the concern over Iran's internet censorship and control of online information. By targeting a technology provider that aids in facilitating Iran's internet restrictions, the U.S. aims to disrupt the Iranian government's ability to suppress dissent and limit access to information. These sanctions align with broader efforts by the U.S. and the international community to address human rights violations and promote freedom of expression. However, it remains to be seen how effective these sanctions will be in curbing Iran's censorship practices, as the Iranian government may seek alternative means to maintain control over online information. The response from ArvanCloud, denying the allegations and criticizing the basis for the sanctions, suggests that the company will continue to operate and seek international growth.
FROM THE MEDIA: The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on Iranian cloud technology provider ArvanCloud, its co-founders, and an affiliated Dubai-based company. ArvanCloud is accused of playing a key role in facilitating Iran's internet censorship and aiding the establishment of the National Information Network, an intranet that allows the Iranian government to control access to online information. The OFAC alleges that ArvanCloud has close ties to Iran's intelligence services and has been involved in suppressing dissent, limiting freedom of expression, and impeding the dissemination of information on human rights violations. The European Union had previously imposed sanctions on ArvanCloud for its involvement in setting up a separate Iranian version of the internet.
READ THE STORY: The Record
Malaysia goes its own Huawei, won't ban Chinese vendor from 5G network
Analyst Comments: Malaysia's decision to potentially involve Chinese suppliers in its 5G network rollout could strain its relations with the EU and US. Concerns have been raised by these parties regarding the security risks associated with untrusted suppliers. The US has been campaigning against Huawei for several years, pressuring allies to follow suit in banning the company from their networks. While Malaysia emphasizes a free market approach and defers to telecom operators in selecting suppliers, it acknowledges the concerns of other countries. Malaysia's move may have economic implications, potentially affecting Ericsson and deterring future EU investors. Huawei, for its part, denies posing a security risk and highlights the importance of an objective discussion on cybersecurity.
FROM THE MEDIA: Malaysia is considering allowing Chinese suppliers, including Huawei, to participate in its planned 5G network rollout, potentially putting itself at odds with the EU and US. The Malaysian government stated that it would not interfere with the commercial decisions of telecom operators in selecting network kit suppliers. Malaysia aims to remain a free market and will take into account concerns raised by other countries. The move follows warnings from the EU and the US about the use of "untrusted suppliers." The US ambassador to Malaysia cautioned against national security risks, while the head of the EU delegation expressed concerns about the impact on Ericsson and potential repercussions for EU investors. Huawei has reportedly been lobbying for involvement in Malaysia's second 5G network.
READ THE STORY: The Register
The Brazil-based botnet targets Spanish speakers across the Americas, Cisco says
Analyst Comments: The discovery of the Horabot botnet highlights the ongoing threat of sophisticated cyberattacks targeting individuals and organizations. The botnet's ability to control victims' Outlook mailboxes and send phishing emails from legitimate servers demonstrates the hackers' advanced social engineering techniques. By using familiar email addresses and legitimate email servers, the attackers increase the likelihood of successful compromises and make it challenging to track and block their phishing infrastructure. The campaign's focus on Spanish-speaking individuals across various business sectors in the Americas indicates a broad and intentional targeting strategy. The use of banking trojans and spam tools underscores the hackers' goal of stealing sensitive information and leveraging compromised accounts for further attacks.
FROM THE MEDIA: Security researchers from Cisco's Talos team have discovered a previously unidentified botnet called "Horabot" being used by hackers, believed to be based in Brazil, to target Spanish-speaking individuals across the Americas. The botnet delivers a banking trojan and spam tool to victim machines, enabling the theft of credentials and financial data, as well as the sending of phishing emails to spread the infection. Notably, the botnet allows hackers to take control of a victim's Microsoft Outlook mailbox, exfiltrate email addresses, and send phishing emails from legitimate email servers to minimize detection. The campaign primarily targets individuals in Mexico but has also affected users in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama.
READ THE STORY: The Record
Elon Musk hit with insider trading claims over his Dogecoin crypto-hype
Analyst Comments: The expanded lawsuit against Elon Musk adds insider trading allegations to the previous accusations of market manipulation. The plaintiffs claim that Musk manipulated the Dogecoin market for personal gain and offloaded significant amounts of the cryptocurrency. The inclusion of allegations related to insider trading and the involvement of Tesla, Inc. may intensify the legal scrutiny facing Musk. However, it should be noted that the outcome of the lawsuit is uncertain, and Musk's legal team will likely continue to seek the dismissal of the case.
FROM THE MEDIA: A lawsuit filed against Elon Musk on behalf of individuals who lost money investing in Dogecoin has been expanded to include allegations of insider trading. The initial complaints accused Musk of manipulating the market for Dogecoin through public comments on Twitter and during an appearance on Saturday Night Live. The amended complaint now claims that Musk's actions violated the law, accusing him of carnival-barking market manipulation and insider trading. The lawsuit alleges that Musk traded Dogecoin profitably and offloaded more than $100 million in the cryptocurrency after manipulating the market. It also claims that Tesla, Inc. traded in Dogecoin and benefited from insider knowledge from Musk. The lawsuit further accuses Musk of benefiting from paid influencers who support him and his companies.
READ THE STORY: The Register
Has Amazon found the ultimate lock-in? Cheap cellphone service for Prime
Analyst Comments: Amazon's potential entry into the MVNO space aligns with its strategy of offering a wide range of services to enhance the value of its Prime membership. By offering low-cost cellphone service, Amazon could further deepen its relationship with customers and potentially drive loyalty. However, the success of the service would depend on the terms negotiated with carriers, the pricing structure, and the quality of service provided. The wireless market is highly competitive, and Amazon would need to differentiate itself from existing MVNOs to attract a significant customer base.
FROM THE MEDIA: Amazon is reportedly in talks with major US carriers, including Verizon, T-Mobile US, and Dish Network, to offer low-cost cellphone service to its Prime customers. The service could be offered for as little as $10 per month or potentially at no cost to Prime subscribers. By entering the mobile virtual network operator (MVNO) space, Amazon would pay to use larger carriers' networks and resell that access to customers at lower prices. While talks have been ongoing, there is no guarantee that Amazon will launch the service, and it remains unclear what specific features and limitations the service would have.
READ THE STORY: The Register
New Botnet Malware 'Horabot' Targets Spanish-Speaking Users in Latin America
Analyst Comments: The Horabot botnet poses a significant threat to Spanish-speaking users in Latin America, particularly in Mexico. The campaign's multi-stage attack chain, including phishing emails, payload delivery, and execution of malicious scripts, demonstrates a sophisticated approach by the threat actor. The use of PowerShell scripts and sideloading techniques highlights the need for robust security measures to detect and prevent such attacks. Organizations and individuals should be vigilant against phishing emails and ensure they have strong email security and anti-malware solutions in place.
FROM THE MEDIA: A new botnet malware called Horabot has been targeting Spanish-speaking users in Latin America since at least November 2020. Horabot enables threat actors to control victims' Outlook mailboxes, exfiltrate email addresses, and send phishing emails with malicious attachments to contacts. The botnet also delivers a Windows-based financial trojan and a spam tool, compromising online banking credentials and Gmail, Outlook, and Yahoo! webmail accounts to send spam emails. The majority of infections have been observed in Mexico, with limited cases reported in other Latin American countries. The threat actor behind the campaign is believed to be located in Brazil.
READ THE STORY: THN
Starlink bags US defense contract to keep war-torn Ukraine connected
Analyst Comments: The contract between Starlink and the DoD to provide satellite services to Ukraine highlights the growing importance of satellite communications in global security and defense strategies. Starlink's extensive satellite constellation and its ability to provide reliable and high-speed connectivity in remote and underserved areas make it an attractive option for governments and military organizations. The contract demonstrates the recognition of Starlink's capabilities and its potential to support critical communications needs.
FROM THE MEDIA: Starlink, the satellite operator owned by Elon Musk's SpaceX, has reportedly secured a contract with the US Department of Defense (DoD) to provide satellite services to Ukraine. The contract will fund the satellite communications services that Starlink has been providing to Ukraine at its own expense since February 2022. The DoD acknowledged the importance of satellite communications for Ukraine's overall network and confirmed its commitment to working with global partners to ensure resilient communication capabilities for Ukraine. The contract details, including its value and effective date, have not been disclosed.
READ THE STORY: The Register
Items of interest
The US-China Cold War Fallacy?
Analyst Comments: While there is undeniable tension and conflict between the US and China, the realities of economic interdependence and the potential consequences of total economic separation keep the bonds intact. Xi Jinping's commitment to economic growth and the fact that major democracies have not attempted to isolate China economically are crucial indicators of this trend. The globalized economy is undoubtedly undergoing significant shifts with the emergence of regional trade agreements and efforts to restructure supply chains. But these transformations reflect the evolution and potential fortification of globalization rather than its outright dissolution.
FROM THE MEDIA: Despite the increasingly contentious relationship between the United States and China, characterized by trade disputes, supply chain fragmentation, and geopolitical tensions, globalization as we know it is not coming to an end. While US-China relations have deteriorated and competition in the tech sector has intensified, trade volumes between the two countries reached a record high in 2022. Chinese President Xi Jinping recognizes the importance of economic growth for China's future and maintains a pragmatic approach to relations with the US and its allies. Other wealthy countries, including US-friendly democracies, also understand the necessity of strong economic ties with China.
READ THE STORY: GZERO
Hong Kong Crypto Regulations: New BULL Run Incoming (Video)
FROM THE MEDIA: Hong Kong is set to legalize retail crypto investing and trading, which could lead to a significant bull run in the crypto market. In the past, Hong Kong was a major crypto hub, attracting companies from mainland China.
Crypto & Money Laundering: What You Need to Know (Video)
FROM THE MEDIA: In this very special edition of the Future of Money, Henri Arslanian and former special agent for the IRS, Tigran Gambaryan, discuss the intersection of cryptocurrency and illicit activities. Drawing on his wealth of experience working on teams that investigated major scandals in the crypto ecosystem, from Mt. Gox’s bankruptcy to the darknet marketplace Silk Road, Tigran shares his thoughts on the recent arrests of a New York couple linked to the 2016 Bitfinex hack whilst offering a glimpse into how investigators operate in the cryptocurrency space, touching upon everything from the tools that law enforcement authorities typically deploy to the growing risks of money laundering in the DeFi and NFT sectors. This episode is ideal for anyone looking to understand what steps are being taken to counter illicit activity in the crypto ecosystem.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.