Daily Drop (512): APT Turla: Origin Story, "The Snake" Malware Hunt, Enhance Critical Infrastructure, Nordic Media vs. Russian Threats, AI Nudes: Social Media Sextortion, Q&A: Former Wagner Member
06-07-23
Wednesday, Jun 07, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
The Origin Story of the APT Turla, the Hunt for “The Snake” Malware, and Current Steps for Prevention
Analyst Comments: The disruption of the Snake malware network and Turla's operations is a notable achievement in the fight against state-sponsored cyber espionage. Turla has been a persistent and sophisticated threat, with a long history of targeting government systems and critical infrastructure. The collaborative efforts of intelligence and cybersecurity agencies demonstrate the importance of international cooperation in countering such threats. However, it is crucial to recognize that Turla is a resilient adversary that has evolved and adapted its tactics over the years. It is likely that the group will continue its activities, potentially using new tools and techniques. Organizations should remain vigilant, update their security measures, and follow the mitigation recommendations provided in the advisory to protect against Turla's operations and similar advanced persistent threats.
FROM THE MEDIA: The United States, in collaboration with intelligence and cybersecurity agencies from other Five Eyes member nations, conducted a joint operation code-named MEDUSA to disrupt the Snake malware network, which is attributed to a unit within Russia's Federal Security Service (FSB) known as Turla. Turla has been using versions of the Snake malware for nearly 20 years to steal sensitive documents from government systems in multiple countries, including NATO member governments and journalists. Operation MEDUSA disabled the Snake malware on compromised computers using an FBI-created tool named PERSEUS. While the disruption is significant, experts believe that Turla is a resilient and sophisticated hacking group that is likely to continue its activities. Network defenders are advised to review the cybersecurity advisory for detection and mitigation guidance.
READ THE STORY: OODALOOP
North Korean hacking group Kimsuky targeting regional experts, news outlets
Analyst Comments: Kimsuky's targeted intelligence-gathering campaign highlights the persistent cyber threat posed by state-sponsored hacking groups. Their focus on experts in North Korean affairs and media demonstrates a strategic interest in understanding external perceptions of North Korea and potentially influencing decision-making processes. The use of social engineering, spoofed URLs, and malware-laden documents showcases the group's evolving tactics and sophistication. The collaboration between SentinelOne and NK News is an example of the importance of partnerships between cybersecurity researchers and media organizations in uncovering and analyzing such campaigns. The attribution of Kimsuky to the Reconnaissance General Bureau reinforces the involvement of the North Korean government in state-sponsored cyber activities.
FROM THE MEDIA: The North Korean government-backed hacking group, Kimsuky, has been conducting a targeted intelligence-gathering campaign, focusing on experts in North Korean affairs and media. The group utilizes social engineering techniques and malware distribution to steal email credentials and gather information. They have also targeted news outlets reporting on North Korea to steal subscription credentials. The campaign, discovered by cybersecurity firm SentinelOne in collaboration with NK News, involves extensive email correspondence, spoofed URLs, and weaponized Microsoft Office documents. Kimsuky aims to establish trust with its targets before initiating malicious activities. By targeting high-profile experts and news outlets, Kimsuky seeks to understand how the international community perceives North Korean developments and military activities, contributing to North Korea's decision-making processes.
READ THE STORY: The Record // DUO
Group Urges White House to Address Urgent Need for Enhanced Critical Infrastructure Protection
Analyst Comments: The report from the CSC 2.0 highlights significant shortcomings in US government policies and agencies responsible for protecting critical infrastructure. It underscores the urgent need for an updated policy directive that aligns with the evolving threat landscape and technological advancements. The recommendations put forth in the report, such as enhancing resilience, clarifying roles, and allocating appropriate resources, are crucial for strengthening the cybersecurity posture of critical infrastructure sectors. Improved coordination, collaboration, and leadership across federal agencies are vital to address systemic and cross-sector threats effectively.
FROM THE MEDIA: CSC 2.0, a congressionally mandated group of experts, has released a report stating that US government policies and agencies tasked with protecting critical infrastructure against cyber threats are outdated and inadequate. The report highlights the shortcomings of current policies in light of recent cyberattacks on critical infrastructure, such as the Colonial Pipeline ransomware attack. It criticizes the public-private partnership model and points out the limitations of the Cybersecurity and Infrastructure Security Agency (CISA) in facilitating rapid response to cyberattacks. The report emphasizes the need for an updated policy directive and a systemic and holistic approach to address evolving cybersecurity risks and technologies. It also highlights the inconsistencies and gaps within federal agencies and calls for improved leadership, resources, and coordination among sector-specific agencies.
READ THE STORY: Cyberscoop
The Future Of Cyber Espionage, The Uncomfortable Truth In The Near And Distant Future
Analyst Comments: The podcast provides valuable insights into the changing landscape of cyber espionage and the future challenges it presents. The increasing accessibility of zero-day exploits and the lack of preparedness in boardrooms underscore the urgent need for organizations to prioritize cybersecurity. The shift towards targeted and public activities in cyber threats raises concerns about the potential for significant damage. The discussion on the stealthy nature of cyber intelligence threats and the fragmentation of the internet highlights the complexities of combating cyber espionage. The role of AI and its impact on cyber espionage is an important consideration, as advancements in AI can be leveraged by both attackers and defenders.
FROM THE MEDIA: The podcast highlights the evolution of cyber threats over the past decade and predicts future trends in cyber espionage. Zero-day exploits, once rare and expensive, have become more accessible to a larger group of individuals, organizations, and countries. The podcast emphasizes that the boardrooms of corporations are not adequately addressing the cybersecurity risks posed by cyber espionage. The threat landscape is expanding, with asymmetrical threats trickling down to dedicated individuals, making cyber vigilantism more common. The focus of cyber threats is shifting from mass damage to highly targeted and public activities, causing toxic damage. The podcast also discusses the stealthy nature of cyber intelligence threats, their amplification with the proliferation of devices, and the inevitable separation and fragmentation of the internet.
READ THE STORY: Forbes
From Bullets to Development: Rethinking Military Expenditure in Favour of Official Development Assistance
Analyst Comments: The reduction in life-saving aid budgets and the rise in military expenditures reflect a misalignment of priorities among wealthy nations. While global crises persist, the most vulnerable individuals bear the consequences of these decisions. The decline in aid to least-developed countries and the insufficient progress in meeting aid targets indicate a lack of commitment to supporting the development and welfare of low- and middle-income nations. The disparity between the ability of wealthy nations to borrow at low interest rates for pandemic recovery and the debt burden on the poorest countries further highlights the inequities in resource allocation. The need for increased investment in essential public services, climate finance, and grants-based assistance is urgent.
FROM THE MEDIA: The reduction in life-saving aid budgets by some wealthy nations, coupled with record levels of military expenditures, raises concerns about the allocation of resources and the impact on vulnerable populations. Official Development Assistance (ODA) plays a crucial role in supporting development and welfare efforts in low- and middle-income countries, but recent trends show a decline in aid to least-developed countries and countries in sub-Saharan Africa. The lack of progress in meeting the commitment to increase ODA to 0.7% of GDP burdens these countries and forces them to seek alternative development strategies. While military spending continues to rise, critical needs like healthcare and education are deprioritized. The reduction in aid budgets and climate finance exacerbates poverty, inequalities, and climate impacts in the global South.
READ THE STORY: Modern Diplomacy
Nordic media take aim at Russian threats
Analyst Comments: The documentaries aired in the Nordic countries have shed light on covert Russian intelligence operations, emphasizing their defensive nature post-Ukraine and their focus on critical infrastructure in the Arctic and North Sea. These operations utilize civilian shipping and undercover intelligence officers, sparking serious concern among Nordic governments, who have responded by expelling Russian diplomats. However, the documentaries raise questions about the potential fallout from these public disclosures and suggest a balancing act between expulsions and the need for information to counter Russia. They also touch on the possible influence of a Russian "fifth column" in Western democracies, implying that Western governments may opt for restraint to maintain secrecy.
FROM THE MEDIA: A series of three jointly-produced documentary programs aired by public television broadcasters in the Nordic countries have shed light on covert Russian intelligence operations and their potential threat to Europe's critical infrastructure. The investigations exposed Russian trawlers monitoring NATO drills, Russian underwater research vessels near wind farms, and Russian intelligence officers working under diplomatic cover in Nordic embassies. The programs highlighted the vulnerability of Europe to Russian attacks and emphasized the defensive nature of Russian operations following setbacks in Ukraine. The increasing importance of Russia's nuclear arsenal and the need to protect energy and communications infrastructure in the Arctic and North Sea were also discussed. The media revelations prompted expulsions of Russian diplomats by Nordic governments, but concerns remain about the impact of public disclosures on Russian influence operations and potential unknown dangers.
READ THE STORY: GIS
New Malware Campaign Leveraging Satacom Downloader to Steal Cryptocurrency
Analyst Comments: The discovery of this malware campaign highlights the ongoing threat to cryptocurrency users and the sophistication of cybercriminals in targeting valuable digital assets. By leveraging the Satacom downloader and rogue browser extensions, attackers are able to bypass security measures and perform web injections to manipulate cryptocurrency transactions. The geographical targeting of specific regions indicates a strategic approach to maximize potential profits. The use of obfuscation techniques, such as null bytes and dynamic C2 server retrieval, demonstrates the perpetrators' efforts to evade detection and maintain control over the malware. The discovery of booby-trapped extensions on the Chrome Web Store further underscores the need for increased vigilance and scrutiny when installing browser add-ons.
FROM THE MEDIA: A recent malware campaign has been discovered that utilizes the Satacom downloader to deploy stealthy malware aimed at stealing cryptocurrency. The malware, distributed through bogus websites and ZIP archive files, targets users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico who use cryptocurrency platforms such as Coinbase, Bybit, KuCoin, Huobi, and Binance. The Satacom downloader fetches the actual malware through DNS requests, and a PowerShell script downloads a rogue browser add-on from a remote server. The add-on disguises itself as a Google Drive extension and uses web injections to manipulate content on targeted cryptocurrency websites and steal cryptocurrency. The malware also conceals its activity by modifying email confirmations and extracting system metadata, cookies, and browser history. The C2 server can be updated through Bitcoin transactions, allowing threat actors to change domains if blocked or banned.
READ THE STORY: THN
Singapore to double its submarine cable landing sites by 2033
Analyst Comments: Singapore's plans to expand its submarine cable infrastructure demonstrate its commitment to maintaining its position as a key connectivity hub in the region. By doubling the number of cable landing facilities, Singapore aims to attract more international connectivity and strengthen its role in facilitating global digital communication. The investment in green data centers aligns with the growing emphasis on sustainability and energy efficiency in the data industry. Upgrading domestic infrastructure for higher speeds and smoother handovers reflects Singapore's ambition to be at the forefront of technological advancements and support emerging technologies like AI and data-intensive applications.
FROM THE MEDIA: Singapore plans to double the number of submarine cable landing facilities over the next ten years, aiming to enhance its status as a connectivity hub. Currently hosting 26 subsea cables and three landing sites, Singapore's expansion of cable infrastructure will support its role as a neutral player and a global connectivity link. The move comes as China also invests $500 million to expand its own undersea cable infrastructure. Singapore's cable expansion requires $7.4 billion in investments from the private sector. The country's digital blueprint also emphasizes the development of green data centers and the upgrading of domestic hard infrastructure to support 10-gigabit speeds, with a focus on accommodating new applications and data-intensive operations.
READ THE STORY: The Register
New ‘PowerDrop’ malware targeting US aerospace industry
Analyst Comments: PowerDrop is a newly discovered PowerShell script malware targeting the U.S. aerospace industry. Its remote access trojan capabilities and evasion tactics indicate the involvement of more advanced threat actors, potentially nation-state adversaries. The lack of clear attribution hinders precise identification, but suspicions point to China given their historical exploitation of PowerShell for lateral movement and their use of machine learning to counter incident response. The ongoing tensions with China and the recent revelation of Chinese hackers accessing critical infrastructure in Guam further support this suspicion.
FROM THE MEDIA: Researchers have discovered a new PowerShell script malware called PowerDrop, which is specifically targeting the United States aerospace industry. The malware was found on the network of an unnamed defense contractor in May. PowerDrop operates as a remote access trojan, providing threat actors with the ability to run commands on victim networks after gaining access to servers. The malware exhibits unique evasion techniques that enable it to remain undetected and maintain long-term access to compromised servers. While the core functionality of the malware is not highly sophisticated, its ability to obfuscate suspicious activity indicates the involvement of more advanced threat actors. Although the specific nation-state actors behind PowerDrop have not been identified, the ongoing conflict in Ukraine and the intensified focus on aerospace and missile programs suggest their possible involvement.
READ THE STORY: The Record
Starlink's rocket speeds hit a 50-megabit wall for large downloads
Analyst Comments: The complaints from Starlink users in the UK raise concerns about the service's adherence to advertised speeds and its transparency regarding traffic management policies. If the allegations are true, Starlink may be perceived as discriminating against large downloads and not being clear about its traffic management practices. The UK telecoms regulator Ofcom has highlighted that broadband providers must explain key information about speed and traffic management in their contracts, and they must follow net neutrality rules. Customers who are dissatisfied with their broadband speed can make a formal complaint to the provider and escalate it to an alternative dispute resolution scheme if necessary.
FROM THE MEDIA: Starlink users in the UK are claiming that their download speeds are being capped at around 50Mbit/sec when retrieving large files, leading some to accuse the satellite broadband service of mis-selling. Users have reported that their connection speed is limited whenever they attempt to download large files, regardless of network conditions. Starlink's advertised speeds range from 25-100Mbit/sec for its Standard service and 40-220Mbit/sec for the Priority version. While Starlink has a Fair Use policy that allows for network management and speed reduction during times of high usage, customers argue that the speed caps are occurring at all times of the day and night.
READ THE STORY: The Register
This new satellite enters orbit with one mission: To get abused by hackers
Analyst Comments: The Moonlighter satellite hacking challenge at the DEF CON conference highlights the growing concern surrounding cybersecurity in the space industry. As more satellites and space systems are deployed, the risk of cyberattacks targeting critical infrastructure in space becomes more significant. The ability to compromise satellite systems can have severe consequences, both in terms of financial impact and national security. The development of resilient architectures and effective security measures for space missions is crucial to mitigate these risks. By providing a platform for cyber experiments, Moonlighter aims to contribute to the advancement of space-based cybersecurity and the development of more secure satellite systems. The exercise also underscores the importance of recognizing space as a critical infrastructure sector and implementing protective measures against cyber threats.
FROM THE MEDIA: Hackers will have the opportunity to test their skills in space by remotely hacking the Moonlighter satellite during the DEF CON security conference in Las Vegas. The 5-kilogram mini-satellite, positioned in low-Earth orbit, offers a grand prize of $50,000 for the team that successfully hijacks it. The mission aims to aid researchers in safeguarding satellite systems from cyber threats, a growing concern in the space industry. Satellite security has become increasingly important, particularly during times of conflict, as demonstrated by Russian hackers targeting American satellite company Viasat during the war in Ukraine. The Moonlighter satellite was specifically developed to serve as a testing ground for cybersecurity professionals, providing a platform for cyber experiments and the development of more resilient space architectures. The satellite's unique feature is its use of an alternate communication method, reducing reliance on traditional ground-based stations and enhancing autonomy and resilience.
READ THE STORY: The Record
Agreements With Allies to Counter Disinformation
Analyst Comments: The memorandum of understanding with North Macedonia serves as an example of the U.S. strategy to address information manipulation. The lack of current AI implementation by the Global Engagement Center suggests that the focus is on other methods and tools for countering disinformation. The assessment raises concerns about the risks associated with AI-driven rapid translation, enabling adversaries to spread disinformation more effectively. It also highlights the internal criticisms within Russia, indicating potential challenges to the government's objectives.
FROM THE MEDIA: The United States is actively working with its allies to combat the violation of "information space integrity" caused by disinformation campaigns, particularly from Russia and China. Through collaborations such as the Memorandum of Understanding with North Macedonia, the U.S. aims to address the manipulation of information by providing evidence and support to affected countries. Similar partnerships are being pursued with countries like Bulgaria and Slovakia. While the use of artificial intelligence (AI) in countering disinformation is acknowledged as both an opportunity and a concern, the U.S. State Department's Global Engagement Center (GEC) does not currently utilize AI tools for this purpose. The assessment also highlights the risks associated with AI-enabled rapid translation, which can be exploited by adversaries for spreading disinformation in multiple languages.
READ THE STORY: VOA
Google snubbed JPEG XL so of course Apple now supports it in Safari
Analyst Comments: Apple's support for JPEG XL in Safari is a positive development for the adoption of the image codec, as Safari has a significant user base. The decision has reignited discussions and calls for Google to reconsider its removal of JPEG XL support. The claims of a lack of ecosystem interest in JPEG XL have been challenged by industry proponents who argue that there is substantial support from companies like Facebook, Adobe, and Intel. The inclusion of JPEG XL in Safari could potentially encourage other browsers to consider adding support for the codec. However, challenges remain, such as concerns over patents and the competitive landscape with formats like AVIF.
FROM THE MEDIA: Apple has announced support for the JPEG XL image codec in its Safari browser, renewing calls for Google to reconsider its decision to remove JPEG XL support from the open-source Chromium project. The addition of JPEG XL support in Safari has sparked demands for Google to reverse its decision and reinstate support for the codec. Google previously cited a lack of interest from the ecosystem as a reason for removing JPEG XL support. However, proponents of JPEG XL have argued that there is significant interest in the codec from companies like Facebook, Adobe, Intel, and others. JPEG XL offers better image quality and loading behavior compared to JPEG and is not encumbered by patents or proprietary software. The inclusion of JPEG XL in Safari may have implications for the adoption of the codec in other browsers.
READ THE STORY: The Register
Sextortionists are making AI nudes from your social media images
Analyst Comments: By scraping publicly available images and leveraging AI-generated content, threat actors can create convincing explicit material to extort victims. The FBI's warning underscores the need for individuals to be cautious about sharing personal media online, especially sensitive content involving minors. The recommended actions, such as monitoring online activity, restricting access to personal content, and reporting deep fake material, provide practical steps to protect against sextortion and mitigate its impact. The mention of the UK's amendment to the Online Safety Bill to criminalize the non-consensual sharing of deep fakes reflects ongoing efforts to address this issue through legislative measures.
FROM THE MEDIA: The FBI has issued a warning about the increasing use of deep fake technology in sextortion attacks. Sextortion involves blackmailing victims with threats of publicly releasing explicit images or videos obtained through hacking or coercion. Malicious actors are now scraping publicly available images from social media platforms and using deep fake tools to generate AI-generated sexually explicit content that appears authentic. The FBI has observed a rise in victims reporting the use of fake images or videos created from their social media content. Threat actors typically demand payment or the submission of real sexually-themed content. In some cases, the created videos are posted directly to pornographic websites, exposing victims without their knowledge or consent. Minors have also been impacted by these malicious activities.
READ THE STORY: Bleeping Computer
Q&A with a former member of Wagner Group: ‘They were like little kings or czars’
Analyst Comments: The Wagner Group's activities and its relationship with the Russian army in Ukraine reflect the complex dynamics of Russian military operations and the involvement of private military companies. The group's recruitment tactics, including targeting individuals with criminal backgrounds, raise concerns about the potential risks associated with employing mercenaries. The use of propaganda and multimedia campaigns to attract recruits aligns with tactics observed in other extremist groups, although Wagner lacks a distinct ideological basis. The deteriorating military discipline and the consolidation of power around Yevgeny Prigozhin within the group indicate a potentially troubling internal structure. The Wagner Group's presence, despite its lack of formal recognition in Russia, perpetuates a sense of impunity and power for those close to the Kremlin. The disinformation and propaganda campaigns associated with Wagner serve as a tool to manipulate public perception, particularly in Ukraine.
FROM THE MEDIA: The Wagner Group, a Russian private military company, is reportedly engaged in escalating tensions with the Russian army as it operates in Ukraine. There have been reports of friendly fire incidents and allegations that Wagner detained a commander from the Russian Army's 72nd brigade. The group has been involved in various activities around the world, including protecting government officials in Mali and mining blood diamonds in the Central African Republic. Wagner's recruitment efforts have recently focused on replenishing its ranks, as it is believed to have suffered significant casualties in the war in Ukraine. The group has launched a multimedia campaign, including movies and catchy songs, to attract young men.
READ THE STORY: The Record
The challenges Intel faces to compete with TSMC, Samsung
Analyst Comments: Intel's foray into contract manufacturing with IFS presents both opportunities and challenges. While the company has made strides in securing funding and expanding its fab capacity, it faces an uphill battle in catching up with industry leaders like TSMC and Samsung in terms of process technology. The success of IFS will hinge on Intel's ability to deliver competitive products and attract customers in a highly competitive market. The partnerships and relationships Intel has with the US government may offer some early opportunities, but cost competitiveness will be a crucial factor. The outcome of Intel's efforts to build advanced process nodes and its partnership with IBM will also play a significant role in determining its position in the contract manufacturing landscape.
FROM THE MEDIA: Intel's decision to enter the contract manufacturing business through Intel Foundry Services (IFS) has raised questions about its ability to compete with established leaders like TSMC and Samsung. While IFS has secured some customers, including MediaTek, the company still faces challenges in terms of process technology and execution. Nvidia CEO Jensen Huang recently expressed openness to using Intel's assembly lines, but it is unclear if Intel's existing technology will meet Nvidia's requirements. Intel is investing in building new fabs and has made progress in securing funding for its projects. It has also announced plans for advanced process nodes, such as 20A, which it aims to launch alongside the new fabs.
READ THE STORY: The Register
Items of interest
Russia’s cyber gangs are attacking the soft underbelly of the UK economy
Analyst Comments: The article highlights the escalating threat of cyberattacks faced by the UK and emphasizes the growing sophistication of hackers, particularly Russian cybercrime groups like Clop. The impact of these attacks is significant, with the personal details of employees and customers being compromised. The blurring lines between criminal enterprises and state-sponsored activities raise concerns about the involvement of nation-states in cyber operations. The article rightly emphasizes the need for companies to prioritize cybersecurity and invest in robust defense measures. It also raises valid concerns about outsourcing technology and the challenges companies face in ensuring the security of their systems and data.
FROM THE MEDIA: The UK faces a growing threat from cyberattacks targeting major companies and institutions. Russian cybercrime group Clop has conducted large-scale hacks, exposing the personal details of employees at organizations such as the BBC, British Airways, and Boots. These attacks are increasing in frequency, sophistication, and damage as cybercriminals continuously refine their techniques. No organization is immune, and sensitive information, including bank account details and addresses, is at risk. The lines between criminal and state-sponsored activities are blurring, with Clop being part of a network of Russian hacker groups linked to the Kremlin. This convergence of cyberattacks, economic warfare, and disinformation campaigns creates a dangerous environment.
READ THE STORY: Telegraph
The Cyber Vory: The Evolution of the Russian Organized Crime Threat Actors (Video)
FROM THE MEDIA: The Vory, aka Russian Organized Crime (ROC), has a long and sordid history. Over the last century, this subculture has developed into a sophisticated family of threat actors, responsible for a significant number of serious breaches and ransomware attacks. What separates Russian Organized Crime groups from other groups is the unique relationship they have had with the various Russian and Soviet governments in the last century. The history of ROC has a direct impact on how these threat actors operate.
The Transformation of Cybercrime: From Disruption to Organized Warfare (Video)
FROM THE MEDIA: This video describes the rise of organized cybercrime and its impact on Australia. It highlights the scale and frequency of cyberattacks, the financial losses incurred by businesses, and the increasing sophistication of cybercriminal operations. The interview features insights from cybersecurity experts, law enforcement officials, and hackers themselves.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.