Daily Drop (518): Ukraine info sharing: a Model for Countering China, Cyber Shockwaves: Russia-Ukraine Conflict, Drug Cartels Threaten Security, Ukraine Raids Pro-Russia Bots, US Pushes China Offline
06-13-23
Tuesday, Jun 13, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
Ukraine information sharing a Model for Countering China, top cyber official says
Analyst Comments: Easterly's push for improved intelligence sharing and the rapid declassification of sensitive information underscore the importance of clear, timely communication in managing cyber threats. This approach could potentially accelerate the response time and resilience of critical infrastructure owners and operators. Her reference to the “Ukraine tensions plan” demonstrates an attempt to be proactive and prepared for potential cyber threats. This strategy could be a valuable model for dealing with similar threats in the future. Furthermore, the suggestion to use federal "purchasing power" to drive the development of secure code signifies an innovative approach to influencing cybersecurity practices. However, translating this into action may require addressing potential challenges, such as balancing the speed of software development with the need for secure code, as well as managing the possible economic impacts on companies.
FROM THE MEDIA: Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), advocates for enhanced intelligence sharing with U.S. critical infrastructure operators to combat Chinese cyber threats. Reflecting on the rapid declassification of sensitive data about Russian cyber activities in Ukraine and potential threats to U.S. targets, she proposed it as a model approach for protecting sources and methods and ensuring necessary information dissemination. Easterly shared these thoughts at an Aspen Institute event, where she also noted the creation of a “Ukraine tensions plan” at the beginning of the invasion. This plan was a joint exercise with critical infrastructure owners and operators that explored response strategies and communication with the private sector in case of a significant attack on U.S. soil. Easterly also suggested leveraging federal "purchasing power" to promote secure-by-design coding in critical infrastructures.
READ THE STORY: Cyberscoop
Russia-Ukraine war sending shockwaves into cyber-ecosystem
Analyst Comments: The cyber warfare aspect of the Russo-Ukrainian conflict highlights the evolving nature of modern warfare. The involvement of private individuals and organizations in cyber operations underscores the decentralization of cyber warfare and the potential for non-state actors to significantly impact conflicts. The difficulty in attributing cyber attacks complicates not only international relations but also practical matters such as cyber risk insurance. This highlights the need for improved mechanisms for attributing cyber attacks and managing the associated risks. The situation also underscores the importance of resilience and preparedness in the face of cyber threats. Organizations must focus on understanding their unique risk profiles and ensuring operational stability and resilience, rather than solely focusing on blocking specific threats.
FROM THE MEDIA: The Russian invasion of Ukraine has been extensively documented across digital media, but another less visible front of the conflict is cyber warfare. Despite the difficulty in verifying information about digital skirmishes, their effects are becoming increasingly apparent in global digital ecosystems. The war is characterized by significant cyber operations from both sides, with neither establishing clear dominance. At the onset of hostilities, Russia launched a massive cyber attack on Ukrainian networks. However, Ukraine has a resilient digital ecosystem and has received substantial cyber support from tech vendors and states. Cyber warfare is increasingly being conducted outside of centralized military or government efforts, with thousands of private individuals and organizations in Ukraine participating in the cyber fightback against Russia. The blurred lines between official nation-state attacks, hacktivists, and vigilantes raise complex issues. The difficulty of attributing cyber attacks complicates cyber risk insurance, where payouts often depend on identifying the source of the attack.
READ THE STORY: The Register
Drug Cartels Terrorist Organizations Threaten U.S. Security
Analyst Comments: The situation is complex and multifaceted. The cartels' influence extends beyond drug trafficking, encompassing human trafficking and contributing to escalating violence and corruption. Their transnational nature and connections to other criminal organizations worldwide exacerbate the problem. The U.S. government's attempts to work with the Mexican government have been hindered by corruption, and the cartels' influence over politicians and law enforcement officials in Mexico threatens the rule of law. This situation also encourages illegal immigration into the U.S., as people flee cartel violence.
FROM THE MEDIA: The 2022 International Narcotics Control Strategy Report by the State Department identifies Mexico as the main source of illegal drugs in the U.S., including heroin, marijuana, methamphetamine, and synthetic opioids. Nearly all heroin seized in the U.S. originates in Mexico, which is also the primary source of fentanyl and its derivatives, leading to over 90,000 American deaths annually. Mexican cartels have diversified into human trafficking, earning billions annually, and contributing to escalating violence in Mexico and the U.S. The U.S. DEA and the State Department have identified drug trafficking by Mexican cartels as a national security threat due to its links to corruption, violence, terrorism, and transnational organized crime. The cartels' transnational nature is alarming, with connections to Colombian drug cartels, Chinese chemical suppliers, U.S. street gangs, Russian criminal organizations, and the Venezuelan government. This has led some U.S. lawmakers to propose designating the cartels as terrorist organizations.
READ THE STORY: Modern Diplomacy
Americans 'Need to Be Prepared' for Chinese Cyberattacks
Analyst Comments: The threat of cyberattacks on critical infrastructure highlights the importance of strong cybersecurity measures in the U.S., especially as geopolitical tensions continue to rise. While the U.S. has made strides to bolster its cyber defense, as Easterly's comments suggest, further precautions may be necessary given the magnitude of potential threats. The mentioned "Shields Up" campaign could be a positive step in increasing awareness and preparedness among private companies that control much of the country's critical infrastructure. However, addressing such sophisticated threats will likely require a multifaceted approach that includes technological solutions, regulatory measures, international cooperation, and human factors such as training and awareness. The denial from China indicates the complex diplomatic dimensions of cybersecurity, requiring not only technical solutions but also intricate political negotiations and trust-building measures.
FROM THE MEDIA: Jen Easterly, the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), warned of potential Chinese cyberattacks on U.S. critical infrastructure in the event of an escalating conflict. Citing concerns over the resilience of U.S. infrastructure such as the electric grid and water systems, she emphasized the need for greater societal and operational resilience. U.S. officials have frequently raised warnings of cyber threats from China, especially in a scenario where China attempts to take control of Taiwan. To counter such threats, CISA may launch a "Shields Up" campaign urging private companies to enhance security precautions. China has refuted these allegations, asserting that it is law-abiding in cyberspace.
READ THE STORY: VOA // Reuters
How the US is pushing China out of the internet’s plumbing
Analyst Comments: The situation raises both strategic and technical issues for global internet infrastructure. From a strategic standpoint, the US's efforts to block Chinese involvement reflect a broader geopolitical tension and growing concern over cybersecurity and potential espionage. This approach could potentially lead to a bifurcation of the internet, with Chinese and US cables operating largely independently of each other, which could have implications for global internet connectivity and resilience. From a technical perspective, the potential insertion of data extraction devices during cable maintenance could present serious cybersecurity risks, given the extensive amount of data that these cables carry.
FROM THE MEDIA: The international landscape of subsea internet cables, critical to global web infrastructure, is increasingly divided between China and the US. Fueled by espionage fears and potential conflict scenarios, US administrations have largely excluded Chinese participation in subsea cable projects, leading Chinese companies to build networks for China and its allies instead. This shift has raised concerns about a dangerous bifurcation of the global internet. In 2018, China Mobile withdrew from a cable consortium with Amazon and Meta following Washington's efforts to block Chinese involvement. This followed a trend over the last five years, where the US has sought to disentangle its internet infrastructure from that of China. As a result, Chinese supplier HMN Tech, which took over from Huawei Marine, now only supplies equipment for 10% of global cables, while French company ASN and US company SubCom have supplied 41% and 21% respectively. Chinese companies are finding their footing in regions where they still have influence, leading major cable projects in Asian, African, and Latin American countries. This development has exacerbated worries over potential internet fragmentation, fears of data extraction devices being inserted during cable maintenance, and concerns about the creation of more centrally controlled internet infrastructures in countries like China and Russia.
READ THE STORY: FT
Supply Chain Attack Defense Demands Mature Threat Hunting
Analyst Comments: The increasing frequency of software supply chain attacks emphasizes the need for organizations to adopt proactive defense strategies, rather than relying solely on reactive measures. With threat actors continuously evolving their techniques and exploiting new vulnerabilities, enterprises must actively monitor their networks, engage in regular threat hunting, and maintain robust cybersecurity practices to identify and mitigate potential threats. The evolving landscape of cyber threats—with the advent of AI as a new potential tool for malicious actors—adds another layer of complexity to cybersecurity. This necessitates continued investment in cutting-edge security technology and research to stay ahead of these developments.
FROM THE MEDIA: In recent years, there have been several cyberattacks against software supply chains. Experts recommend active monitoring and threat hunting as the best defense against such attacks. These attacks often provide threat actors with a large surface to target, including automatic software updates, cloud systems, software-as-a-service tools, and more. To address this, businesses should focus on monitoring potential threats and hunting for any signs of intrusion. Advanced persistent threat groups, which often have significant resources at their disposal, have had particular success with supply chain attacks. The rise of artificial intelligence also adds a new layer of complexity to supply chain security. Monitoring the security of third parties in the software supply chain is essential to protect against attacks. Proactively monitoring supply chain risks with cyber threat intelligence teams can provide additional protection.
READ THE STORY: DARKReading
Ukraine police raid social media bot farm accused of pro-Russia propaganda
Analyst Comments: The closure of this bot farm showcases the significant role of cyber operations in modern conflicts, particularly in the information warfare domain. As seen here, automated accounts are being used to disseminate propaganda and instigate panic, illustrating the capability of such tools to shape public opinion and influence political climates. This operation is a victory for Ukraine's cybersecurity efforts, but it also underscores the challenge of controlling digital disinformation, which can originate from any location and be coordinated across national borders.
FROM THE MEDIA: Ukraine's Cyber Police have disrupted a bot farm reportedly spreading disinformation on social media to influence public perception about the ongoing conflict with Russia. The operators managed over 4,000 fraudulent accounts designed to mimic Ukrainian citizens, used to criticize Ukraine's military forces, legitimize Russia's invasion, and stir political unrest in Ukraine. The administrators received payments in Russian rubles, which is a prohibited currency in Ukraine, earning around $13,500 monthly. They converted the rubles into cryptocurrencies using sanctioned payment systems and transferred them onto bank cards. Three suspects from the Vinnytsia region have been arrested, and if convicted, could face up to 15 years in prison.
READ THE STORY: The Record
China's cyber now aimed at infrastructure warns CISA boss
Analyst Comments: The evolving focus of China's cyber activities underscores the country's growing sophistication and strategic shift in its cyber operations. The emphasis on disruptive rather than espionage activities potentially signifies a new era of cyber warfare, where the objective is not just to steal information, but to cause significant societal disruption. This raises the stakes for cybersecurity and emphasizes the need for resilience in the face of potential attacks.
FROM THE MEDIA: According to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), China's cyber operations against the US have shifted focus from espionage to disruptive attacks on infrastructure and society. Speaking at an Aspen Institute event, Easterly revealed this change in tactics, explaining that activities have moved beyond intellectual property theft to actions aiming at societal panic and disruption. The Intelligence Community's threat assessment confirms that, in a major conflict, Beijing would likely employ aggressive cyber operations against critical American infrastructure, including pipelines and rail lines, to delay military deployment and create societal panic. Despite the threat, Easterly also advocated for collaboration with China on regulating artificial intelligence (AI) to prevent a potential "AI apocalypse".
READ THE STORY: The Register
Gozi malware hacker sentenced to three years in US prison
Analyst Comments: The sentencing of Mihai Ionut Paunescu marks a significant development in the global fight against cybercrime. By providing a platform for cybercriminals to conduct their operations, Paunescu played a critical role in the proliferation of some of the most notorious malware strains. His sentencing sends a strong message about the consequences of enabling cybercrime, but the case also highlights the challenges faced by law enforcement in bringing such individuals to justice due to jurisdictional and extradition issues.
FROM THE MEDIA: Mihai Ionut Paunescu, a Romanian hacker who provided the infrastructure for several types of malware, has been sentenced to three years in US federal prison. Paunescu ran a "bulletproof hosting" service named PowerHost[.]ro, which cybercriminals used to distribute malware such as the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy malware. These were used to steal financial data and carry out various cybercrimes. The service helped hackers remain anonymous and launch attacks by renting servers and IP addresses from legitimate internet providers. Paunescu, also known as "Virus," was arrested in Bogotá, Colombia, in June 2021. He has been credited with time already served in Romanian and Colombian custody and must forfeit $3.51 million and pay restitution of $18,945.
READ THE STORY: The Record
Password Reset Hack Exposed in Honda's E-Commerce Platform, Dealers Data at Risk
Analyst Comments: This discovery highlights the potential dangers that security vulnerabilities in e-commerce platforms can pose. Gaining access to sensitive dealer information and customer orders could have severe consequences, such as data breaches and financial losses. Threat actors could also leverage these vulnerabilities to plant malicious code on dealer websites, leading to further exploitation. The incident underscores the need for rigorous security measures and regular audits to ensure the security of e-commerce platforms, especially those dealing with sensitive data.
FROM THE MEDIA: Security vulnerabilities found in Honda's e-commerce platform could have been leveraged to gain unrestricted access to sensitive dealer data. The platform serves Honda's power equipment, marine, and lawn and garden dealers; Honda's automobile division is not affected. The flaw lay in a password reset mechanism on the Power Equipment Tech Express site that allowed full admin-level access. The same design flaw could also have been used to access a dealer's customers, edit their website and products, and elevate privileges to administrator of the entire platform. The weaknesses potentially exposed 21,393 customer orders, 1,570 dealer websites, 3,588 dealer accounts, 1,090 dealer emails, and 11,034 customer emails from August 2016 to March 2023. The vulnerabilities have been fixed following responsible disclosure on March 16, 2023.
READ THE STORY: THN
Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
Analyst Comments: This discovery reveals a significant security vulnerability within a widely used development tool, emphasizing the importance of continuous software updates and security monitoring. Malicious actors could exploit this flaw to distribute harmful extensions, potentially compromising systems and networks, and stealing sensitive information. It's vital for developers and companies using Microsoft Visual Studio to install the latest patches promptly to mitigate potential risks. The rapid response from Microsoft in fixing the flaw underlines their commitment to maintaining the security of their software products.
FROM THE MEDIA: Security researchers have discovered a flaw in the Microsoft Visual Studio installer that could be exploited by malicious actors to impersonate legitimate publishers and distribute harmful extensions. The flaw, designated CVE-2023-28299 with a CVSS score of 5.5, allows for the spoofing of publisher digital signatures. The installer's warning could be bypassed by altering the "DisplayName" tag in the "extension.vsixmanifest" file of a Visual Studio Extension (VSIX) package. By adding enough newline characters and fake "Digital Signature" text, the warning that the extension is not digitally signed could be pushed out of view, tricking developers into installing it. Microsoft addressed this issue as part of its Patch Tuesday updates for April 2023.
READ THE STORY: THN
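As an added, defender-side example (not code from the page, from Microsoft, or from the researchers who reported the flaw), the check below parses an extension.vsixmanifest and flags a DisplayName that carries line breaks or signature-related wording, which is the padding trick the item above describes. The two sample manifests are constructed for this illustration, and the line-break and length thresholds are assumptions; a review pipeline could run check_vsix over extension packages before they are offered to developers.

```python
import re
import zipfile
from xml.etree import ElementTree as ET

# Heuristics derived from the page's description of CVE-2023-28299: a
# DisplayName padded with newlines and carrying fake "Digital Signature"
# text so the installer's "not digitally signed" warning scrolls out of view.
_SIGNATURE_WORDS = re.compile(r"digital(?:ly)?\s+sign", re.IGNORECASE)
_LINE_BREAK = re.compile(r"\r\n|\r|\n")
_MAX_LENGTH = 120  # assumption: a genuine display name is far shorter than this


def _local(tag):
    """Strip an XML namespace prefix: '{uri}DisplayName' -> 'DisplayName'."""
    return tag.rsplit("}", 1)[-1]


def find_display_name(manifest_xml):
    """Return the text of the first DisplayName element, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        if _local(elem.tag) == "DisplayName":
            return elem.text or ""
    return None


def check_display_name(name):
    """Return a list of human-readable findings for one DisplayName value."""
    if name is None:
        return ["no DisplayName element found"]
    findings = []
    breaks = len(_LINE_BREAK.findall(name))
    if breaks:  # a display name is a single line; any break is suspicious
        findings.append(f"DisplayName contains {breaks} line break(s)")
    if len(name) > _MAX_LENGTH:
        findings.append(f"DisplayName is {len(name)} characters long")
    if _SIGNATURE_WORDS.search(name):
        findings.append("DisplayName contains signature-related wording")
    return findings


def check_manifest(manifest_xml):
    """Check a manifest given as an XML string; empty list means nothing flagged."""
    return check_display_name(find_display_name(manifest_xml))


def check_vsix(path):
    """A .vsix is a zip archive; read its manifest and check it (hypothetical helper)."""
    with zipfile.ZipFile(path) as archive:
        manifest = archive.read("extension.vsixmanifest").decode("utf-8")
    return check_manifest(manifest)


# Constructed sample manifests (not taken from the page or any real extension).
BENIGN = """<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="example.tools" Version="1.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Example Tools</DisplayName>
    <Description>Constructed sample for illustration.</Description>
  </Metadata>
</PackageManifest>"""

# Same manifest with the display name padded by 30 line breaks and followed by
# fake signature text, mimicking the pattern the article describes.
SPOOFED = BENIGN.replace(
    "<DisplayName>Example Tools</DisplayName>",
    "<DisplayName>Example Tools" + "\n" * 30
    + "Digital Signature: verified publisher</DisplayName>",
)

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN), ("spoofed", SPOOFED)):
        findings = check_manifest(manifest) or ["nothing flagged"]
        print(f"{label}:")
        for finding in findings:
            print(f"  - {finding}")
```

The check deliberately keys on structure (line breaks, length) rather than on a fixed list of publisher names, so a variant that swaps the fake wording still trips the line-break rule; the signature-wording rule is a second, independent signal.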
Fortinet squashes hijack-my-VPN bug in FortiOS gear
Analyst Comments: The discovery of this vulnerability underscores the importance of regular patching and updates in maintaining cybersecurity. Given that the bug has reportedly been exploited in the wild, it is crucial for organizations using affected Fortinet products to apply the patches as soon as possible to mitigate the risk of attack. The fact that the vulnerability is located within the SSL-VPN, a commonly used feature, further highlights the potential scale of the threat.
FROM THE MEDIA: Fortinet has patched a critical vulnerability in its FortiOS and FortiProxy SSL-VPN that could be exploited to take control of the equipment. The remote code execution vulnerability, known as CVE-2023-27997, was discovered by security analysts from Lexfo and has reportedly been exploited in the wild. The bug is located within the SSL-VPN, making any system with this feature enabled potentially vulnerable. Fortinet has released multiple updates to address the issue and is urging administrators to apply the patches immediately. The vulnerability, a heap buffer overflow, is rated 9.2 out of 10 in terms of severity.
READ THE STORY: The Register
The US Is Openly Stockpiling Dirt on All Its Citizens
Analyst Comments: The report underscores the urgent need for comprehensive privacy reform in the United States, particularly in the era of digital data and internet-driven economies. The present laws and interpretations appear to create loopholes that enable invasive surveillance, bypassing traditional checks and balances in place for government surveillance. This potential erosion of privacy rights for Americans is alarming, as it could set a precedent for less scrupulous governments to justify their surveillance overreach. It's troubling that the US government is seen to be operating on the principle that any data it can purchase is considered "publicly available" and therefore free from normal privacy restrictions. This commercialization of personal data underscores the need for improved regulation of data brokers and the ways in which they operate.
FROM THE MEDIA: A newly declassified report reveals that the US government has been quietly amassing a significant amount of sensitive information about its own citizens. This data accumulation, conducted through secret business arrangements between commercial data brokers and US intelligence community members, has been described by experts as a potential nightmare for privacy defenders. The report details how intelligence agencies have bought information about Americans that legal guidelines suggest the government should not have access to. In the absence of comprehensive privacy reform from the US Congress, a surveillance state has been growing, taking advantage of legal loopholes and interpretations to bypass traditional restrictions on domestic surveillance activities. This has led to concerns that the rights and privacy of US citizens, especially in the digital realm, are being eroded.
READ THE STORY: Wired
Calls to ground Border Force’s DJI drone fleet
Analyst Comments: The concerns about DJI drones highlight the broader issues of data security and potential foreign interference in sensitive operations. The fact that other agencies, including the Australian Defence Force and the US Department of Defense, have suspended the use of DJI products lends weight to these concerns. The situation underscores the importance of rigorous cybersecurity measures and the need for ongoing vigilance in the face of potential threats.
FROM THE MEDIA: The Australian Border Force (ABF) is facing pressure to ground its fleet of DJI drones following similar actions by the Australian Defence Force and the US Department of Defense. The concerns stem from potential links between DJI, a Chinese company, and the Chinese military, as well as the legal obligations of Chinese companies to assist the Chinese Communist Party. The ABF has purchased 41 DJI drones since 2017 and is currently trialing them to enhance operational capability. Opposition home affairs spokesman James Paterson has called for the government to investigate lower-risk alternatives to DJI for all Commonwealth departments and agencies. The ABF has not yet committed to banning DJI drones, stating that it adheres to strict cybersecurity measures with DJI technology.
READ THE STORY: Inside Imaging
Items of interest
Russian propaganda on social media during the 2022 invasion of Ukraine
Analyst Comments: The insights from this study underscore the influential role of social media in contemporary warfare and propaganda. It brings to light how state actors can manipulate these platforms to disseminate propaganda and sway public opinion on a global scale. The prominent role of bots in spreading pro-Russian messages emphasizes the urgent need for more effective mechanisms to identify and control bot activity on social media. This research could prove pivotal in formulating policies and strategies to combat misinformation and propaganda campaigns in the future. It's crucial to remember that these findings are specific to the context of Ukraine's invasion in 2022, and the dynamics may differ in other geopolitical situations.
FROM THE MEDIA: The study provides valuable insights into the role of social media in modern warfare and propaganda. It highlights the potential for state actors to use social media platforms as a tool for spreading propaganda and influencing public opinion, both domestically and internationally. The finding that bots played a significant role in the spread of pro-Russian messages underscores the need for more robust mechanisms to detect and curb bot activity on social media platforms. This research could be instrumental in shaping policies and strategies to counter misinformation and propaganda campaigns in the future.
READ THE STORY: Arxiv
I, BOT: Inside a Ukrainian Troll Factory (Video)
FROM THE MEDIA: We are presenting an investigation on how the trolls, i.e. fake accounts, were used during the last parliamentary election campaign in Ukraine. Vasyl Bidun, a journalist for Hromadske’s partner Slidstvo.Info, went to work at a troll factory. The film "I, Bot" is a rare example of undercover reporting in today's investigative journalism in Ukraine.
Inside Wagner, Russia’s Secret War Company (Video)
FROM THE MEDIA: The Wall Street Journal’s latest documentary “Shadow Men: Inside Russia’s Secret War Company” goes deep inside the lethal global expansion of the Russian private military company Wagner — tracing the group's evolution from a small, guns-for-hire operation into a sprawling network of businesses that have been active on four continents.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.