Daily Drop (520): CN Hackers Exploit VMware Zero-Day, CN's Extensive Presence in Cuba, Microsoft Alerts: RU APT, Hackers Deploy Malware via GitHub Profiles and Repos, DPRK Deceptive Naver Clone
06-15-23
Thursday, Jun 15, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems
Analyst Comments: UNC3886's exploitation of the VMware ESXi vulnerability poses a significant threat to organizations using these systems. By leveraging the zero-day flaw, the group can gain unauthorized access to Windows, Linux, and PhotonOS guest VMs without authentication. This allows them to execute privileged commands and transfer files, potentially leading to further compromise of the affected systems. The sophistication and capabilities of UNC3886 highlight the need for strong security measures and prompt patching. Organizations using VMware ESXi hosts, vCenter servers, and VMware Aria Operations for Networks should apply available security updates and patches to mitigate the risk posed by these vulnerabilities. Implementing multi-factor authentication, network segmentation, and continuous monitoring can enhance the overall security posture and detect any unauthorized activities.
FROM THE MEDIA: The Chinese state-sponsored group UNC3886 has been exploiting a zero-day vulnerability in VMware ESXi hosts to backdoor Windows and Linux systems. The vulnerability, CVE-2023-20867, allows the execution of privileged commands without authentication from a compromised ESXi host. UNC3886, described as a highly adept cyber espionage actor, targets defense, technology, and telecommunication organizations in the U.S., Japan, and the Asia-Pacific region. The group shows expertise in weaponizing flaws in firewall and virtualization software that lack EDR support. They have also been observed harvesting credentials from vCenter servers and using VMCI sockets for lateral movement and persistence.
READ THE STORY: THN // Bleeping Computer
China’s decades-long military presence in Cuba goes beyond espionage
Analyst Comments: While the historical context provided is accurate, it should be remembered that international relations are highly complex and continuously evolving. While China's aspirations and actions indicate a desire to expand its influence, it does not guarantee a new Cold War. The Biden administration's stated commitment to avoiding such a scenario is valid, as any form of confrontation, particularly with nuclear powers, carries significant risks. However, the ongoing developments do call for a balanced and strategic response from the U.S., acknowledging the potential threat posed by a closer Sino-Cuban relationship. This situation necessitates the U.S. to reassess its stance towards both countries and consider diplomatic, economic, and potentially, security measures to maintain its global influence and safeguard its national interests.
FROM THE MEDIA: The relationship between China and Cuba, particularly their shared hostility towards the U.S., is causing growing concern. China is striving to become the world's superpower, and Cuba has been assisting in that effort. Over the past 24 years, China has had a substantial military presence in Cuba, which includes espionage operations. When reports surfaced about China preparing to build a spy station in Cuba, the Biden administration initially denied them, but later had to acknowledge their validity due to evidence of existing Chinese spy bases. China's presence in Cuba isn't a recent development. Chinese personnel have been operating out of the Bejucal listening post since March 1999, a base reportedly capable of eavesdropping and cyber-warfare.
READ THE STORY: Washington Times
Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent
Analyst Comments: The emergence of Cadet Blizzard underscores the continuing evolution of cyber threats, especially state-sponsored actors associated with geopolitical conflicts. The relatively low operational security could be indicative of the group's willingness to act aggressively, despite the risk of detection. The group's active schedule and its focus on off-business hours highlight the importance of constant vigilance in cybersecurity. It's also noteworthy that Cadet Blizzard is targeting IT service providers, as successful attacks on these entities could have cascading effects on many other organizations. Microsoft's detailed threat reporting is essential in helping organizations understand these threats and take appropriate defensive measures.
FROM THE MEDIA: Microsoft has identified a new Russian cyber threat actor named Cadet Blizzard that's linked to the General Staff Main Intelligence Directorate (GRU). Tracked since early 2022, the group conducts disruptive and destructive cyber operations with a focus on information collection. Microsoft noted that Cadet Blizzard operates with lower operational security compared to other Russian groups such as Seashell Blizzard and Forest Blizzard. The group has predominantly targeted government agencies, law enforcement, NGOs, IT service providers, and emergency services across Ukraine, Europe, Central Asia, and occasionally Latin America. Microsoft also emphasized that Cadet Blizzard's activities pose an increasing risk to the broader European community as the conflict continues.
READ THE STORY: THN // OODALOOP
Hackers create fake GitHub profiles to deliver malware through repositories
Analyst Comments: The use of GitHub to host malware marks an ongoing trend where threat actors exploit popular and trusted platforms to carry out attacks, banking on the trust associated with these platforms to bypass users' suspicion. By mimicking actual security researchers and creating a faux cybersecurity company, the threat actors demonstrated a sophisticated approach to social engineering, highlighting the importance of vigilance and code vetting. The incident reinforces the need for improved security measures within these platforms and underscores the importance of enhanced scrutiny when downloading and using code from shared repositories, regardless of the apparent source.
FROM THE MEDIA: Cybersecurity company VulnCheck has revealed that hackers created fake profiles of security researchers on GitHub to promote code repositories with supposed exploits for popular products like Chrome, Exchange, and Discord, in an attempt to trick professionals into downloading malware. The threat actors, posing as members of a non-existent company called High Sierra Cyber Security, invested substantial efforts to make their repositories appear authentic. While it's unclear if the campaign was successful, the persistence of the hackers suggests they believed it could be effective. This incident underlines the importance of verifying code sources and running unknown exploits in isolated systems for analysis.
READ THE STORY: The Record
North Korea created very phishy evil twin of Naver, South Korea's top portal
Analyst Comments: The creation of a fake version of Naver demonstrates North Korea's continued efforts to engage in cyber attacks and steal personal information. By replicating a popular South Korean internet portal, the attackers aimed to deceive users and obtain their sensitive data. This incident highlights the importance of user awareness and caution when interacting with websites and providing personal information online. The sophistication of the imitation suggests that North Korean threat actors are continuously improving their tactics, making it increasingly challenging for users to differentiate between legitimate and fake websites. This emphasizes the need for robust cybersecurity measures, including regular security awareness training for users, strong authentication protocols, and reliable threat intelligence to identify and mitigate such phishing attempts.
FROM THE MEDIA: The National Intelligence Service (NIS) of South Korea has reported that North Korea created a fake version of Naver, South Korea's largest internet portal, in a large-scale phishing attempt. The fake portal, Naverportal.com, replicated the real-time news, advertisement banners, and detailed menus of the original website to trick users into providing their personal data. This imitation was more sophisticated than previous North Korean attempts, as it closely resembled the genuine site. The NIS has requested the Korea Internet & Security Agency to shut down the inaccessible phishing site.
READ THE STORY: The Register
New Golang-based Skuld Malware Stealing Discord and Browser Data from Windows PCs
Analyst Comments: The emergence of Skuld indicates a growing trend among threat actors to use the Go programming language for its simplicity, efficiency, and cross-platform compatibility. The compiled nature of Golang creates executables that are challenging to analyze and reverse engineer, making it harder for traditional anti-malware solutions to detect and mitigate threats. Therefore, organizations should remain vigilant and ensure they have up-to-date security measures in place to protect against such threats.
FROM THE MEDIA: A new Golang-based information stealer named Skuld has been found compromising Windows systems across Europe, Southeast Asia, and the US. Developed by an individual known as Deathined, the malware scans for sensitive data stored in applications like Discord and various web browsers. Skuld also gathers system metadata and extracts credentials and cookies stored in browsers. It has a particular focus on files in Windows user profile folders. According to Trellix, Skuld shares similarities with Creal Stealer, Luna Grabber, and BlackCap Grabber. The malware checks if it's running in a virtual environment and terminates any processes on its blocklist. Some Skuld samples also incorporate a clipper module that can swap wallet addresses to steal cryptocurrency assets.
READ THE STORY: THN
Microsoft identifies new hacking unit within Russian military intelligence
Analyst Comments: The emergence of Cadet Blizzard as a distinct group within the GRU highlights the evolving Russian cyber threat landscape. The group's focus on destructive cyber operations indicates a shift towards more overt and disruptive tactics compared to traditional espionage-focused cyber activities. Cadet Blizzard's targeting of Ukraine and NATO member states supporting Ukraine underscores its alignment with broader military objectives in the region. The use of a hacktivist front like Free Civilian demonstrates the group's intention to carry out information operations and publicly signal its actions to achieve its larger objectives. The involvement of a private sector enabler organization within Russia indicates potential support and resources beyond the immediate GRU framework.
FROM THE MEDIA: Microsoft researchers have identified a distinct group within the Russian Main Intelligence Directorate (GRU) called "Cadet Blizzard" responsible for cyberattacks, website defacements, destructive attacks, cyber espionage, and hack-and-leak operations. In a report, Microsoft concludes that Cadet Blizzard has been active since February 2023, targeting Ukraine and the NATO member states providing military assistance to Ukraine. The group's activities, which are considered distinct from other GRU-affiliated cyber operations like Sandworm, include attacks on government services, law enforcement, nonprofits/NGOs, and IT service providers. Cadet Blizzard's attacks are disruptive and intended to achieve destruction, disruption, and possibly intimidation, setting it apart from other espionage-focused Russian hacking groups. The group operates without bespoke malware or tooling and uses a hacktivist front called "Free Civilian" to publish and share stolen data.
READ THE STORY: Cyberscoop
Ongoing Russian cyberattacks targeting Ukraine
Analyst Comments: Cadet Blizzard's cyberattacks, attributed to the Russian GRU, demonstrate ongoing Russian aggression in cyberspace, particularly targeting Ukraine and NATO member states involved in supporting Ukraine. The group's use of stolen credentials and web shells, combined with "living off the land" techniques, highlights their efforts to remain covert and evade detection. This emphasizes the importance of robust security measures, including strong authentication, regular credential monitoring, and network segmentation, to mitigate the risk of initial compromise and lateral movement. While Cadet Blizzard's success rate has been relatively low, its activities cannot be taken lightly. Their ability to conduct influence operations, albeit with limited impact, poses a threat to information integrity and can be used for propaganda purposes. Organizations need to stay vigilant, monitor their digital presence, and implement proactive threat hunting to detect and respond to potential breaches and defacement attempts.
FROM THE MEDIA: Microsoft's threat intelligence teams have identified a cyberattack group called Cadet Blizzard, associated with the Russian GRU, responsible for targeting government agencies and IT service providers primarily in Ukraine since February 2023. Cadet Blizzard gains initial access using stolen credentials and deploys web shells to maintain persistence. The group employs "living off the land" techniques, utilizing legitimate commands to move laterally within networks, making detection more challenging. While their success rate has been lower compared to other GRU-affiliated actors, Cadet Blizzard has engaged in influence operations, defacing websites and using a Telegram channel for hack-and-leak operations. Microsoft has shared technical information to help the security community defend against their attacks.
READ THE STORY: Microsoft
Cyber Command reshuffles force expansion due to Navy readiness woes
Analyst Comments: This realignment shows the US military's dedication to enhancing the readiness and skill set of its cyber forces, highlighting a commitment to quality over quantity. It underscores the importance the military places on having highly skilled personnel to handle advanced digital warfare tasks. However, the short-term reduction in advanced digital work capacity might expose potential vulnerabilities. The overall strategy shift indicates that the US military acknowledges the escalating cybersecurity threat landscape, and is taking active measures to ensure it has the necessary resources to respond effectively. This adaptation is a positive step towards improving cyber defense capabilities, although it will be critical to closely monitor the progress and effectiveness of these training-focused teams.
FROM THE MEDIA: The U.S. military is changing the course of its expansion efforts for the Cyber Mission Force (CMF), the "action arm" of its cyber forces. Concerns over inadequate readiness in the Navy's digital personnel led to a shift in the multibillion-dollar plan to expand the CMF by 14 teams. Instead of adding new cyber warriors as initially planned, the four new Navy teams will now focus on training the service's existing cyber operators. The decision comes after the readiness of the Navy's existing 40 CMF teams was deemed inadequate. The adjustment in the short term will lead to fewer available members skilled in advanced digital work but is intended to create a better-trained digital warfare talent pipeline in the long run.
READ THE STORY: The Record
Amazon isn’t sold on AMD’s tiny Zen 4c cores in manycore Bergamo processors
Analyst Comments: The decision by AWS to avoid the 128-core Bergamo processors from AMD seems to be driven by a cost-benefit analysis. While higher core counts offer the potential for greater performance, they also require more expensive components and greater energy consumption. This decision underscores the importance of balancing performance and costs in the design of server infrastructure, particularly in the cloud space, where efficiency and cost-effectiveness are key to scalability and profitability.
FROM THE MEDIA: Amazon Web Services (AWS) has expressed doubts about the utility of AMD's new 128-core Bergamo Epyc processors. David Brown, VP of AWS Elastic Compute Cloud, noted that while higher core counts may increase the potential for running more virtual machines, the cost of the required server components rises significantly as well. Instead, AWS prefers to standardize CPUs across its servers, allowing for customization based on the task at hand. While AWS currently uses AMD's 96-core Epyc processors, it has yet to express interest in the newer, higher core-count Bergamo processors.
READ THE STORY: The Register
MOVEit customers on high alert as Clop’s deadline expires
Analyst Comments: The ongoing ransomware attacks on the MOVEit file transfer service underline the critical importance of timely patching and robust incident response planning. Clop's claim of having stolen data from hundreds of organizations, if true, could have significant repercussions for the victims in terms of both reputation and legal liabilities. Additionally, the fact that this group was able to exploit the vulnerabilities even before a patch was available highlights the need for continuous monitoring and robust cybersecurity controls, especially for organizations in high-risk sectors like finance and healthcare.
FROM THE MEDIA: Clop, a prominent ransomware group, has claimed responsibility for the recent exploitation of zero-day vulnerabilities in Progress Software's MOVEit file transfer service. The group alleges to have stolen data from hundreds of organizations, including British Airways and the BBC, and has set a deadline for victims to respond. Kroll, a risk analysis firm, has found that Clop may have been aware of one of these vulnerabilities as early as July 2021. Progress Software continues to urge its on-premises MOVEit customers to apply the available patches.
READ THE STORY: CyberSecurityDive
Attacker Infrastructure: How Hackers Build It and How to Use It Against Them
Analyst Comments: Given the evolving threat landscape, cybersecurity strategies have been transitioning from a purely defensive posture to a more proactive, threat-hunting model. HYAS' approach aligns with this shift, enabling organizations to detect and react to threats even before they become active attacks. Their comprehensive and unique data pool, along with their sophisticated correlation techniques, positions them as a promising player in the cybersecurity industry.
FROM THE MEDIA: HYAS, a cybersecurity solutions provider, focuses on proactive defense measures against cyber threats by emphasizing the understanding of adversary infrastructure. Recognizing that hackers often operate within a target network for extended periods before launching attacks, HYAS works to identify these threats before they become destructive. Leveraging a vast graph database of legally gathered, GDPR-compliant data, HYAS creates correlations and combinations to identify, correlate, and attribute adversary infrastructure. Their offerings include HYAS Insight, which allows researchers to understand everything about an attack, and HYAS Protect and Confront, which provide preventative measures for corporate and production environments, respectively.
READ THE STORY: Security Boulevard
Critical Vulnerability in WordPress Stripe Payment Plugin Exposes Customer Data
Analyst Comments: The vulnerability in the WooCommerce Stripe Payment Gateway plugin is a severe security risk due to the potential exposure of sensitive user data. This situation underscores the necessity for continuous vigilance and proactive updating and patching of software and plugins, especially those involved in handling payment and user information. It is recommended that all users of the affected plugin versions upgrade to the patched version 7.4.1 immediately.
FROM THE MEDIA: The WooCommerce Stripe Payment Gateway plugin, developed by WordPress and installed in nearly 900K locations worldwide, has been found vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. The plugin, used to retain customers on the WordPress site during payment, enables a threat actor to exploit the 'javascript_params' and 'payment_fields' functions to gain access to sensitive data such as personally identifiable information (PII), email addresses, and shipping addresses. The exposure of such data could potentially lead to further attacks, including scam emails attempting to seize accounts and credentials. The vulnerability affects WooCommerce Stripe Gateway Plugin versions up to 7.4.0. WooCommerce has released a patch (version 7.4.1) to address the vulnerability.
READ THE STORY: CyberSecurityNews
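The class of bug described above, an unauthenticated IDOR, comes down to an endpoint that resolves a client-supplied object id without first asking who is making the request and whether the object belongs to them. The following is an added illustration written for this digest; it is not code from the WooCommerce Stripe plugin or from the article, and the order store, request shape and both handlers are constructed for the example. It shows the vulnerable pattern next to a hardened version that requires a session and enforces ownership.

```javascript
// Added example (hypothetical order-lookup endpoint), not the plugin's own code.
// Demonstrates an unauthenticated IDOR and the authentication + ownership check
// that closes it. Runs under Node with no dependencies.

// Constructed sample data: two customers, one order each, holding the kind of
// PII (email, shipping address) an order-status endpoint might expose.
const ORDERS = new Map([
  [1001, { id: 1001, customerId: 7, email: 'alice@example.com', shipping: '1 Main St' }],
  [1002, { id: 1002, customerId: 9, email: 'bob@example.com', shipping: '2 High St' }],
]);

// Vulnerable: trusts the client-supplied order_id and never checks who is asking.
// Any anonymous caller can walk the id space and read every order's PII.
function orderLookupVulnerable(req) {
  const order = ORDERS.get(Number(req.query.order_id));
  if (!order) return { status: 404, body: null };
  return { status: 200, body: { email: order.email, shipping: order.shipping } };
}

// Hardened: (1) require an authenticated session, (2) validate the id,
// (3) enforce that the object belongs to the caller. A foreign order returns
// the same 404 as a missing one so the endpoint does not confirm which ids exist.
function orderLookupHardened(req) {
  if (!req.session || !Number.isInteger(req.session.userId)) {
    return { status: 401, body: null };
  }
  const id = Number(req.query.order_id);
  if (!Number.isInteger(id)) return { status: 400, body: null };
  const order = ORDERS.get(id);
  if (!order || order.customerId !== req.session.userId) {
    return { status: 404, body: null };
  }
  return { status: 200, body: { email: order.email, shipping: order.shipping } };
}

// Stand-alone demonstration: an anonymous request for someone else's order.
const anonymous = { query: { order_id: '1002' } };
console.log('vulnerable:', orderLookupVulnerable(anonymous)); // leaks bob's PII
console.log('hardened:  ', orderLookupHardened(anonymous));   // 401, nothing returned
```

The ownership comparison is the essential line; an authentication check alone would still let one logged-in customer read another's order, which is the classic authenticated IDOR.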
XSS Vulnerabilities Found in Microsoft Azure Cloud Services
Analyst Comments: While Microsoft has already patched these vulnerabilities, and no further action is needed from Azure users, the incident underscores the need for constant vigilance in the cybersecurity landscape. As cloud services like Azure continue to be ubiquitous in modern business infrastructure, these platforms will likely continue to be targeted by threat actors. Organizations should ensure they have robust security measures in place and are continually monitoring for signs of potential compromise. It's also worth noting that while exploitation in this case required user interaction with a compromised endpoint, the risk associated with XSS attacks should not be underestimated, as they can often lead to serious data breaches.
FROM THE MEDIA: Two vulnerabilities were identified in Microsoft Azure's services: Azure Bastion and Azure Container Registry. The vulnerabilities could enable cross-site scripting (XSS) attacks, leading to unauthorized access to the victim's session within the compromised Azure service iframe, according to Orca Security. XSS attacks involve injecting malicious scripts into legitimate websites which are unknowingly executed by users' browsers. This could potentially allow threat actors to gain unauthorized access, compromise network systems, or steal data. However, the vulnerabilities would require the victim to visit a compromised endpoint under the control of the attacker.
READ THE STORY: DARKReading
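The story above gives the textbook definition of XSS: attacker-controlled text lands in a legitimate page and the victim's browser executes it. The following is an added example written for this digest, not code from Orca Security, Microsoft or the article; the page template, the untrusted input and the helper functions are constructed. It shows the unsafe string-interpolation pattern beside the output-encoding mitigation, plus a small check that tells the two renderings apart so the difference is visible without a browser.

```javascript
// Added example (hypothetical profile-card template), not from the original article.
// Demonstrates how untrusted input concatenated into HTML becomes XSS, and the
// context-appropriate encoding that neutralises it. Runs under Node, no DOM needed.

// Constructed untrusted input: a display name a user might submit to the service.
const untrustedDisplayName = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: raw interpolation of untrusted data into markup.
function renderCardUnsafe(displayName) {
  return `<div class="card"><span class="name">${displayName}</span></div>`;
}

// Mitigation: encode for the HTML text/attribute context before insertion.
// The five characters below are the ones that can change HTML structure.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCardSafe(displayName) {
  return `<div class="card"><span class="name">${escapeHtml(displayName)}</span></div>`;
}

// Illustrative check only: does the rendered markup contain an element the
// template itself never emitted, or an inline event handler inside a tag?
// A real defence is encoding plus a Content-Security-Policy, not this regex.
function introducesNewMarkup(rendered) {
  const templateTags = new Set(['div', 'span']);
  for (const [tag] of rendered.matchAll(/<[^>]*>/g)) {
    const name = (tag.match(/^<\/?\s*([a-z][a-z0-9]*)/i) || [])[1];
    if (!name || !templateTags.has(name.toLowerCase())) return true;
    if (/\son[a-z]+\s*=/i.test(tag)) return true;
  }
  return false;
}

// Stand-alone demonstration.
console.log('unsafe :', renderCardUnsafe(untrustedDisplayName));
console.log('safe   :', renderCardSafe(untrustedDisplayName));
console.log('unsafe introduces markup?', introducesNewMarkup(renderCardUnsafe(untrustedDisplayName)));
console.log('safe introduces markup?  ', introducesNewMarkup(renderCardSafe(untrustedDisplayName)));
```

Note that the escaping shown is correct for HTML text and quoted attribute values; data placed into a URL, a JavaScript string or a CSS value needs the encoder for that context, which is why template engines that auto-escape per context are preferable to hand-rolled concatenation.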
North Korean Hackers Suspected In $100M Crypto Heist That Could Fund Nuclear Program
Analyst Comments: This incident underscores the escalating cybersecurity threats posed by state-sponsored groups like North Korea's Lazarus Group. The successful penetration of secure digital wallets and crypto exchanges indicates advanced cyber capabilities and an evolving threat landscape. The alleged use of these stolen funds for financing weapons programs adds another dimension of international security concern. It's clear that enhanced cybersecurity measures and international cooperation are needed to tackle such threats. Furthermore, crypto exchanges must enforce stringent security measures and constantly update their defense mechanisms to safeguard user assets against sophisticated attacks.
FROM THE MEDIA: North Korean hackers, specifically the notorious Lazarus Group, are suspected of orchestrating a cryptocurrency heist exceeding $100 million from the Estonia-based Atomic Wallet, impacting around 5,500 crypto wallets. Crypto analysis firm Elliptic has attributed the theft to Lazarus, which if correct, marks the group's first major publicly attributed crypto heist since a $100 million exploit of Horizon Bridge in June 2022. The Lazarus Group, which the U.S. Department of Justice identifies as a North Korean government-sponsored hacking team, has an estimated total of $2 billion in stolen crypto assets. There is concern that the stolen funds might be used to finance North Korea's nuclear and ballistic weapons programs. A report by the United Nations in February confirmed North Korea's record-breaking crypto theft activity in 2022, totaling around $630 million.
READ THE STORY: Daily Wire
FCC to establish privacy and data protection task force
Analyst Comments: The formation of the task force signifies a more concentrated effort by the FCC to address data privacy and security concerns. By updating rules that haven't been modified for over 15 years, the agency is acknowledging the changing digital landscape and the new threats that have emerged. This initiative is a crucial step towards increasing consumer protection in the digital age, particularly in tackling issues like SIM-swapping fraud and data breaches. However, the success of this task force will depend on the effectiveness of their proposed policies and their enforcement abilities.
FROM THE MEDIA: The Federal Communications Commission (FCC) is forming a privacy and data protection task force aimed at modernizing its policies and increasing enforcement of digital privacy violations. FCC Chairwoman Jessica Rosenworcel announced that the task force will gather technical and legal experts from across the agency to evolve policies and take enforcement action. Led by Loyaan Egal, the chief of the agency’s enforcement bureau, the task force will focus on modernizing FCC data breach rules, investigating and enforcing major data breaches, and developing rules to combat SIM-swapping fraud. The task force will also play a role in the FCC’s work under the Safe Connections Act, which supports domestic violence victims' access to communications.
READ THE STORY: The Record
Items of interest
How to Win the AI War
Analyst Comments: This write-up underscores the need for accurate comprehension of AI's abilities and the potential advantages it can offer to society. The author's plea for a national AI strategy is timely, given the escalating global competition in AI advancement, particularly with China's vigorous pursuits. Nevertheless, it's crucial to acknowledge that discussions surrounding AI regulation and ethical considerations are key for ensuring responsible and ethical AI utilization. Achieving a balance between innovation, regulation, and protecting individual rights and privacy is essential in the evolution and application of AI technologies.
FROM THE MEDIA: The current public discourse surrounding AI has been misleading and filled with misconceptions, according to an opinion piece. The author emphasizes the need for a genuine national AI strategy in the United States to restore American leadership, particularly in competition with China. The article challenges two misconceptions: the fear of AI replacing humanity and the belief that AI will lead to massive job loss. The author explains that AI, particularly machine learning, is primarily about pattern recognition and prediction models, rather than thinking or consciousness. The potential disruptions caused by AI should be seen as opportunities, and strict regulatory control could stifle innovation and grant excessive power to the government. The article emphasizes the importance of maintaining a broad base for AI innovation and speeding up advanced AI developments, rather than slowing down. It also highlights the need for confidence and a proactive approach to harnessing the power of AI for national interests.
READ THE STORY: TabletMag
Cybersecurity, Cyberwarfare, and AI (Video)
FROM THE MEDIA: Sean Plankey joins Dave Anderson in this session to chat live about his experience working in the White House for the US Government defining a cyber strategy that changed the way in which the US responds to cybercriminals. Today Sean is a leader at DataRobot, utilizing AI to fight cyber within Enterprise and Government accounts.
What's the Future of AI in Cybersecurity and Hacking (are we doomed)? (Video)
FROM THE MEDIA: The speakers emphasize the importance of embracing AI rather than fighting against it. They highlight the potential benefits of AI in enhancing cybersecurity capabilities, such as encrypting data and improving productivity. They acknowledge that AI is not perfect and may produce incorrect or nonsensical outputs in certain situations. The speakers also mention the use of AI in writing spear phishing emails and its potential to create tailored attacks. They discuss the limitations of AI in generating code, creating new malware, and providing accurate information.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.