Daily Drop (521): Cadet Blizzard: GRU B-Team, Micron: China, LockBit: RU arrested, Chinese Firm’s Encryption Chips, Huawei Bid, Clop deploys extortion tactics, PK Oil: RMB, Chinese UNC4841, Diicot
06-16-23
Friday, Jun 16, 2023
Our Way is Open: Pakistan’s Trade of Crude Oil in Chinese Currency
Analyst Comments: Pakistan's decision to trade crude oil in Chinese currency underscores the increasing economic influence of China in the region and its broader strategy of expanding the use of the RMB. While the move offers short-term economic relief for Pakistan, it also raises concerns about overreliance on a single nation and potential vulnerabilities in national security and diplomatic support. The shift highlights the evolving geopolitical landscape and realignment of alliances, with Pakistan positioning itself as a key player in the East.
FROM THE MEDIA: Pakistan's decision to trade crude oil in Chinese currency (RMB) represents a significant shift in its economic and geopolitical alliances. As Pakistan leans on Chinese loans and investment to address economic challenges, the move aligns with China's long-term strategy of internationalizing the RMB and establishing it as a global reserve currency. By reducing its dependency on US dollars and accessing discounted Russian crude oil, Pakistan aims to diversify its foreign exchange reserves and alleviate its economic crisis. Yet, the reliance on China brings risks, including vulnerability to China's economic performance and policy decisions, potential disruption of oil supply, and strained relations with Western allies. The shift also indicates a realignment of alliances, with Pakistan gravitating towards Russia and China and potentially alienating the West. The move may have broader implications, encouraging other nations to seek alternatives to the US dollar in international trade and potentially reshaping global trade patterns.
READ THE STORY: Modern Diplomacy
New Diicot Threat Group Targets SSH Servers with Brute-Force Malware
Analyst Comments: Diicot is an emerging threat group that demonstrates technical proficiency and a diverse range of objectives. Their adoption of the Cayosin botnet and use of off-the-shelf tools indicate their ability to adapt their attack methods based on target analysis. The group's TTPs, such as the use of custom loaders, UPX modification, and Discord for C2, show their efforts to evade detection and enhance operational security. Diicot's doxxing activities and the discovery of a dispute with rival hacking groups suggest they are involved in additional nefarious activities beyond their core cyber operations.
FROM THE MEDIA: A new Romanian threat actor known as Diicot is employing unique tactics, techniques, and procedures (TTPs) to target victims. Previously operating under the name Mexals, Diicot shares its name and imagery with the Romanian anti-terrorism policing unit. The group primarily conducts cryptojacking campaigns and offers malware-as-a-service (MaaS). In its latest campaign, Diicot is using the Cayosin botnet to target internet-exposed SSH servers with weak credentials. The group employs various techniques to evade analysis, including the use of the Shell Script Compiler and a modified version of the UPX packer. Diicot also utilizes Discord for command and control (C2) and includes Snowflake timestamps in links for data exfiltration and campaign tracking.
READ THE STORY: HackRead
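A defender-side check for the SSH brute-force behaviour described above, added here as an example and not taken from the article or from any Diicot tooling. It counts "Failed password" events per source address in a sliding window over OpenSSH syslog lines and reports whether an "Accepted" login from the same address followed a burst, which is the signature of a weak credential being guessed. The log lines are constructed; the year (2023) is assumed because syslog timestamps omit it.

```python
"""Flag SSH sources that brute-force a host and then log in successfully."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth line as written to syslog (hostname and PID vary, so they are not captured).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one burst that ends in a success, one benign typo,
# and one slow trickle that never fills the window.
SAMPLE_LOG = """\
Jun 16 03:12:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jun 16 03:12:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Jun 16 03:12:04 host1 sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 51016 ssh2
Jun 16 03:12:06 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51018 ssh2
Jun 16 03:12:08 host1 sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51020 ssh2
Jun 16 03:12:09 host1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Jun 16 03:15:40 host1 sshd[2300]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Jun 16 03:15:55 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
Jun 16 03:20:00 host1 sshd[2400]: Failed password for root from 192.0.2.50 port 33001 ssh2
Jun 16 03:20:01 host1 sshd[2401]: Failed password for root from 192.0.2.50 port 33002 ssh2
Jun 16 03:20:02 host1 sshd[2402]: Failed password for root from 192.0.2.50 port 33003 ssh2
Jun 16 03:20:03 host1 sshd[2403]: Failed password for root from 192.0.2.50 port 33004 ssh2
Jun 16 03:22:30 host1 sshd[2404]: Failed password for root from 192.0.2.50 port 33005 ssh2
"""


def parse_line(line, year=2023):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; the caller supplies it (assumed 2023 here).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "accepted_as"}} for sources that hit the threshold.

    failures:    highest number of failures seen inside one window for that IP
    users:       every account name the IP tried (includes 'invalid user' guesses)
    accepted_as: account names the IP later logged in as, after being flagged
    """
    recent = defaultdict(deque)       # ip -> timestamps of failures inside the window
    tried_users = defaultdict(set)    # ip -> all usernames attempted
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            tried_users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "users": tried_users[ip], "accepted_as": []}
                )
                entry["failures"] = max(entry["failures"], len(q))
        elif result == "Accepted" and ip in flagged:
            # A success right after a burst is the case worth paging on.
            flagged[ip]["accepted_as"].append(user)
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        status = "SUCCEEDED as " + ", ".join(info["accepted_as"]) if info["accepted_as"] else "no success seen"
        print(f"{ip}: {info['failures']} failures, tried {sorted(info['users'])}, {status}")
```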
Oil and gas giant Shell confirms it was impacted by Clop ransomware attacks
Analyst Comments: The breach of the MOVEit file transfer tool by the Clop ransomware gang has had significant repercussions for multiple organizations in the UK, including Shell. While Shell claims that its core IT systems were not impacted, the breach raises concerns about the security of third-party tools and the potential for data exposure. The attack highlights the persistent threat posed by ransomware groups and the need for organizations to maintain robust cybersecurity measures. The incident also underscores the importance of vigilance and prompt response in addressing vulnerabilities in software products.
FROM THE MEDIA: Shell, the British oil and gas multinational, has confirmed that it has been impacted by the Clop ransomware gang's breach of the MOVEit file transfer tool. This is the second time that Shell has been targeted by the Clop gang through a file transfer service. While Shell stated that there is no evidence of impact on its core IT systems, a small number of employees and customers who used the MOVEit Transfer tool were affected. Other UK organizations, including the BBC, British Airways, Aer Lingus, Boots, Ofcom, and Transport for London, have also been impacted by the Clop attack on MOVEit. The breach potentially exposed confidential information, personal data, and payroll-related data of these organizations and their employees.
READ THE STORY: The Record // FT
US Senators to launch bill to Seize and Transfer Russian Assets to Ukraine
Analyst Comments: The proposed legislation reflects growing pressure in Congress to find alternative funding sources for Ukraine's reconstruction, particularly by utilizing Russian assets seized by Western countries. By directing Russian money toward Ukraine, the burden on Western allies to provide extensive economic aid to the country could be reduced. However, there are concerns over the practicality of transferring frozen Russian assets to Ukraine, including potential market destabilization and the risk of retaliation from Russia.
FROM THE MEDIA: Republican Senator Jim Risch plans to introduce legislation authorizing President Joe Biden to seize and transfer Russian sovereign assets to Ukraine for its long-term reconstruction. The bipartisan bill aims to shift the financial burden from Western taxpayers to Russian assets and gives the US president the ability to confiscate frozen Russian assets in the US, including those held by the central bank. It also calls for the establishment of a common international compensation mechanism. The bill has gained support from both Republicans and Democrats in Congress.
READ THE STORY: FT
Good News! China and the US Are Talking About AI Dangers
Analyst Comments: Sam Altman's advocacy for China's involvement in shaping AI regulations reflects the growing recognition that AI development and regulation require international cooperation. By acknowledging China's talent pool and encouraging contributions from Chinese AI researchers, Altman emphasizes the importance of a diverse and collaborative approach to address the risks and challenges associated with advanced AI systems. This perspective aligns with the need for cross-border dialogue and cooperation in ensuring the responsible development and deployment of AI technology. By fostering collaboration between the United States, China, and other global powers, it becomes more feasible to establish effective regulations and safeguards that can mitigate potential risks and maximize the benefits of AI technology.
FROM THE MEDIA: OpenAI CEO, Sam Altman, has stated that China should play a significant role in shaping regulations and safeguards surrounding artificial intelligence (AI) technology. Altman highlighted China's strong AI talent and emphasized the need for global collaboration to address the challenges posed by advanced AI systems. His comments were made during a talk at the Beijing Academy of Artificial Intelligence (BAAI). Altman's viewpoint is influenced by OpenAI's involvement in developing advanced AI systems and his recognition of potential risks associated with AI.
READ THE STORY: Wired
Attacks on Barracuda Networks linked to China-backed hacking group
Analyst Comments: The exploitation of the Barracuda ESG vulnerability by suspected Chinese state-backed hackers underscores the persistent threat posed by advanced persistent threat (APT) groups with nation-state affiliations. The targeting of government entities and the use of sophisticated malware tools suggest an espionage campaign with strategic objectives. This incident highlights the importance of promptly patching vulnerabilities and adopting robust security measures to protect critical infrastructure and sensitive data. Organizations should remain vigilant against APT activity and implement comprehensive cybersecurity strategies, including network segmentation, employee training, and threat intelligence sharing. The collaboration between Mandiant, government agencies, and intelligence partners demonstrates the significance of public-private cooperation in combating advanced cyber threats.
FROM THE MEDIA: Suspected Chinese state-backed hackers have been exploiting a vulnerability in Barracuda Networks' Email Security Gateway (ESG) to target government entities and the private sector, according to Google subsidiary Mandiant. The vulnerability, tracked as CVE-2023-2868, has been used since October 2022 to send phishing emails with malicious attachments and gain unauthorized access through vulnerable Barracuda ESG appliances. The attacks have been linked to UNC4841, an espionage group operating in support of the People's Republic of China. While Barracuda released a patch for the vulnerability in May, the company has urged customers to replace the affected hardware. The attackers used three strains of malware (Saltwater, SeaSpy, and Seaside) to establish backdoors and exfiltrate targeted data. The victims included government agencies, foreign trade offices, academic research organizations, and individuals with political or strategic importance to China.
READ THE STORY: The Record // CyberSecurityDive // THN
Microsoft: Russia sent its B team to wipe Ukrainian hard drives
Analyst Comments: Cadet Blizzard represents a notable addition to the Russian cyber threat landscape, as it is a novel GRU-affiliated actor engaged in destructive cyber operations that likely support broader military objectives in Ukraine. The group operates with less sophistication and lower operational security than other well-established Russian cyber-espionage groups. Despite their relative lack of success and haphazard approach, Cadet Blizzard's activities remain a concern due to their disruptive nature and potential for causing significant damage. Organizations, especially those supporting Ukraine or engaged in critical sectors, should remain vigilant and take necessary precautions to defend against Cadet Blizzard's attacks, which involve targeting vulnerabilities in web services and employing living-off-the-land techniques to move laterally within networks.
FROM THE MEDIA: Microsoft's Threat Intelligence unit has released a report detailing the activities of a Russian-backed cyber-espionage group known as Cadet Blizzard. The group, linked to Russia's GRU military intelligence unit, was responsible for a data-wiping campaign against Ukrainian government agencies in early 2022. Cadet Blizzard operates with less operational security and is less successful than other well-known Russian state-sponsored groups, such as Forest Blizzard and Seashell Blizzard. The group aims to disrupt, destroy, and collect information using various attack methods but often acts in a disorderly fashion. While Cadet Blizzard's success rate is relatively low compared to other GRU-affiliated actors, their operations can still be destructive and disruptive.
READ THE STORY: The Register
New Report Reveals Shuckworm's Long-Running Intrusions on Ukrainian Organizations
Analyst Comments: The continued cyber espionage activities of the Shuckworm threat actor against Ukrainian targets demonstrate the ongoing threat posed by Russian nation-state-backed groups. The long-running intrusions and the specific focus on stealing sensitive military and government information highlight the adversary's objectives to support Russian military operations. Shuckworm's utilization of spear-phishing campaigns and the deployment of information stealers indicate their sophistication in launching targeted attacks. The group's adaptation of new techniques, such as using USB drives and leveraging blogging platforms for C2, showcases their evolving tactics to evade detection and maintain persistence.
FROM THE MEDIA: The Russian threat actor known as Shuckworm has been conducting cyber espionage campaigns targeting Ukrainian entities since February/March 2023, according to a report by Symantec. The group, attributed to Russia's Federal Security Service (FSB), has targeted security services, military, and government organizations. Shuckworm's intrusions have lasted for months, during which they attempted to steal sensitive information related to Ukrainian service members, enemy engagements, arsenal inventories, and more. The threat actor employs spear-phishing campaigns and deploys information stealers such as Giddome, Pterodo, GammaLoad, and GammaSteel on infected hosts. They have also been observed using new techniques, including propagating the Pterodo backdoor via USB drives and utilizing Telegram channels and the blogging platform Telegraph for command-and-control (C2) purposes. Shuckworm's activities highlight their persistent focus on Ukraine and their evolving tactics and tools to evade detection.
READ THE STORY: THN
Micron says it is committed to China, invests $602 million in plant
Analyst Comments: Micron's decision to invest substantially in its China business despite recent regulatory hurdles signifies the company's long-term commitment to the Chinese market. As China is a significant consumer of semiconductor products, Micron likely sees the potential for high returns on its investment. However, the decision also carries risks due to the recent regulatory scrutiny by the Chinese government. It will be crucial for Micron to ensure compliance with China's network security standards and manage geopolitical tensions effectively.
FROM THE MEDIA: U.S. memory chipmaker Micron (MU.O) announced its plans to invest 4.3 billion yuan ($603 million) over the next few years in its chip packaging facility in the Chinese city of Xian. This announcement comes despite Micron being targeted by China's cyberspace regulator last month, which claimed the company had failed a network security review and said it would henceforth block key infrastructure operators from purchasing from the company. Micron did not mention the review decision in its recent statement. The investment plan will include buying packaging equipment from a Xian-based subsidiary of Taiwan's Powertech Technology Inc (6239.TW) and opening a new production line for manufacturing mobile DRAM, NAND, and SSD products. Micron also plans to offer contracts to 1,200 employees of Powertech's Xian subsidiary and create an additional 500 jobs, raising its China workforce to over 4,500 people.
READ THE STORY: Reuters
New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries
Analyst Comments: This new form of supply chain attack highlights the need for vigilance in securing and monitoring software dependencies. Expired S3 buckets can become potential vulnerabilities if not properly decommissioned or reassigned. Developers and organizations should be aware that abandoned hosting buckets or obsolete subdomains can be exploited by threat actors to carry out data theft and intrusion. The incident underscores the importance of robust security practices throughout the software development lifecycle, including the regular review and removal of unused or expired resources. Organizations should also consider implementing security controls to detect and prevent the hijacking of abandoned buckets or subdomains.
FROM THE MEDIA: A new kind of software supply chain attack has emerged, wherein threat actors take control of expired Amazon S3 buckets to serve malicious binaries without altering the modules themselves. The attack was first observed in the case of an npm package called bignum, which used an Amazon S3 bucket to download pre-built binary versions of an addon named node-pre-gyp during installation. The bucket associated with the package had expired, but an unknown threat actor seized the opportunity to deliver malware by rerouting the package's pointer to a hijacked bucket. The malware steals user credentials and environment details, and transmits the stolen information to the hijacked bucket. Checkmarx found numerous packages using abandoned S3 buckets, highlighting the constant search by threat actors for new ways to compromise the software supply chain.
READ THE STORY: THN
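A defender-side inventory for the mechanism described above, added here as an example and not taken from the article or from Checkmarx. It walks a node_modules tree, reads each package.json, and lists every package whose native addon is fetched at install time from a node-pre-gyp "binary.host" that points at an Amazon S3 bucket, extracting the bucket name so that ownership of each bucket can be confirmed before the next install. The "binary", "host" and "remote_path" keys are real node-pre-gyp configuration fields; the sample package tree is constructed.

```python
"""List npm packages whose prebuilt binaries come from S3, and name the buckets."""
import json
import os
import re
import tempfile
from urllib.parse import urlparse

# Virtual-hosted style: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
_VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_from_host(host_url):
    """Return the S3 bucket name a host URL refers to, or None if it is not S3-hosted."""
    parsed = urlparse(host_url if "://" in host_url else "https://" + host_url)
    hostname = (parsed.hostname or "").lower()
    m = _VHOST.match(hostname)
    if m:
        return m.group("bucket")
    if _PATH.match(hostname):
        first = parsed.path.strip("/").split("/", 1)[0]
        return first or None
    return None


def scan_node_modules(root):
    """Return one record per package that declares a node-pre-gyp binary host."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; nothing to inventory
        binary = meta.get("binary")
        if not isinstance(binary, dict) or "host" not in binary:
            continue
        host = str(binary["host"])
        findings.append({
            "package": meta.get("name", os.path.basename(dirpath)),
            "version": meta.get("version", "?"),
            "host": host,
            "remote_path": binary.get("remote_path", ""),
            "bucket": s3_bucket_from_host(host),   # None means not S3-hosted
        })
    return findings


def build_sample_tree():
    """Write a constructed node_modules tree: two S3-hosted addons, one GitHub-hosted, one plain."""
    root = tempfile.mkdtemp(prefix="nm-")
    samples = {
        "addon-a": {"binary": {"host": "https://addon-a-prebuilt.s3.amazonaws.com",
                               "remote_path": "./{name}/v{version}"}},
        "addon-b": {"binary": {"host": "https://s3.eu-west-1.amazonaws.com/addon-b-releases/",
                               "remote_path": "binaries"}},
        "addon-c": {"binary": {"host": "https://github.com/example/addon-c/releases/download/"}},
        "plainlib": {},
    }
    for name, extra in samples.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "1.0.0", **extra}, fh)
    return root


if __name__ == "__main__":
    for rec in scan_node_modules(build_sample_tree()):
        tag = f"S3 bucket '{rec['bucket']}' -> verify ownership" if rec["bucket"] else "not S3"
        print(f"{rec['package']}@{rec['version']}: {rec['host']} ({tag})")
```

Any bucket this reports that no longer belongs to the package maintainer is exactly the pointer the article describes being hijacked, so the list is the set of names to check against the maintainer's current release location.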
Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks
Analyst Comments: The arrest of Ruslan Magomedovich Astamirov is a significant development in the fight against ransomware attacks. LockBit has been a highly active and damaging ransomware variant, causing substantial financial losses and disruption to numerous organizations. Astamirov's alleged involvement in executing LockBit attacks and his control over critical infrastructure used in the attacks highlight the complex and sophisticated nature of ransomware operations. This arrest demonstrates the ongoing efforts of law enforcement agencies to identify and prosecute individuals involved in ransomware activities.
FROM THE MEDIA: Ruslan Magomedovich Astamirov, a Russian national, has been arrested in Arizona on charges related to his involvement in multiple LockBit ransomware attacks. LockBit is a prominent ransomware variant that has been responsible for a significant number of attacks worldwide. Astamirov's arrest follows a joint advisory from cybersecurity officials highlighting the threat posed by LockBit, which was identified as the most deployed ransomware variant in 2022. According to the complaint, Astamirov controlled email addresses, an IP address, and a cloud services account associated with the deployment of LockBit attacks. He is accused of executing attacks on victims in different countries and receiving a substantial portion of ransom payments in Bitcoin.
READ THE STORY: Cyberscoop
How a Shady Chinese Firm’s Encryption Chips Got Inside the US Navy, NATO, and NASA
Analyst Comments: The issue highlighted in this article demonstrates the intricacy of global supply chains and the difficulties in maintaining security integrity, especially considering geopolitical tensions. This could potentially expose Western governments and agencies to significant security risks, particularly if the encryption chips have intentionally hidden vulnerabilities. There appears to be a gap between policy and practice in managing the supply chain risks, and it's concerning that components from a company specifically flagged for security reasons still find their way into sensitive information networks. While companies and organizations affirm their rigorous security measures, these processes seem to fall short in detecting sophisticated, intentionally planted security threats. Therefore, a more thorough vetting process and stricter adherence to warnings about companies on the Entity List could be necessary to mitigate these risks.
FROM THE MEDIA: There are concerns regarding Western governments' use of technology that incorporates encryption chips from a Chinese company, Hualan Microelectronics, and its subsidiary, Initio. Despite Hualan being added to the US Department of Commerce's "Entity List" in 2021 for supporting China's military development, Initio continues to supply encryption microcontroller chips to Western manufacturers. These manufacturers include suppliers to Western governments, military, and intelligence agencies. There are fears of potential hidden backdoors in these chips that could allow China’s government to decrypt Western agencies’ secrets. Even though no such backdoor has been found, it could be almost impossible to detect if one existed.
READ THE STORY: Wired
Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files
Analyst Comments: The discovery of an updated version of the GravityRAT trojan highlights the evolving capabilities and tactics of threat actors in targeting Android devices. By posing as legitimate messaging apps, the trojan aims to deceive users and gain intrusive permissions to harvest sensitive information. The ability to steal WhatsApp backups and execute specific commands sets it apart from typical Android malware. The targeted nature of the campaign, focusing on military personnel, suggests an interest in gathering intelligence or compromising operational security. The HelloTeacher banking and stealer malware demonstrate the use of legitimate messaging apps as a cover for carrying out unauthorized transactions, emphasizing the need for users to exercise caution and be vigilant when downloading apps. The Roamer cloud mining scam further highlights the risks associated with phishing websites and malicious channels on platforms like Telegram, underscoring the importance of user awareness and caution in navigating the cryptocurrency landscape.
FROM THE MEDIA: An updated version of the GravityRAT Android remote access trojan has been discovered in a narrowly targeted campaign, masquerading as messaging apps BingeChat and Chatico. The trojan, suspected to be operated by a threat actor based in Pakistan, has been used to target military personnel in India and the Pakistan Air Force. The malicious apps are distributed through rogue websites that promote free messaging services. The updated version of GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files, making it unique compared to other Android malware. In another development, Android users in Vietnam have been targeted by the HelloTeacher banking and stealer malware, which uses legitimate messaging apps as a cover to steal sensitive data and conduct unauthorized fund transfers.
READ THE STORY: THN
China encourages private firms to participate in key supply chain projects
Analyst Comments: The Chinese government's move appears to be aimed at fostering private sector growth and involvement in state-led projects, possibly in an effort to invigorate the country's economic development and diversify sources of innovation. The contrast between private and state investment growth indicates a potential lack of confidence in the private sector, which may stem from regulatory uncertainties or other barriers to growth. By providing access to state infrastructure and encouraging involvement in major projects, the government could be trying to stimulate private sector confidence and investment.
FROM THE MEDIA: The Chinese government announced plans to accelerate the process of granting private firms access to the infrastructure of major national scientific research projects. This initiative also encourages private businesses to participate in key supply chain projects. This comes at a time when private fixed-asset investment experienced a decline of 0.1% in the first five months of the year. This is a stark contrast to the 8.4% growth in investment witnessed by state entities, suggesting weak confidence among private businesses.
READ THE STORY: Reuters // 6do
Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities
Analyst Comments: The changes made to the Vidar malware's backend infrastructure demonstrate the threat actors' agility and their determination to evade detection and maintain their illicit operations. By rotating their IP infrastructure, using VPN servers, and leveraging TOR relays, the operators are attempting to anonymize their activities and blend in with legitimate internet traffic. These tactics make it more difficult for security researchers and law enforcement agencies to track and disrupt their operations.
READ THE STORY: THN
When a Huawei Bid Turned Into a Hunt for a Corporate Mole
Analyst Comments: The fact that Huawei was able to secure a major contract with TDC despite the geopolitical climate and potential security concerns speaks to the company's competitiveness and strategic approach. The story also reveals the potential pitfalls and risks associated with such high-stakes contracts, particularly in a context where technology, security, and geopolitics are closely intertwined. The incident illustrates the complex dynamics of the US-China tech rivalry and its impact on businesses and governments around the world. It also underscores the importance of trust and transparency in business transactions, especially in industries with significant security implications. Finally, it highlights the potential implications of corporate espionage and the measures companies may need to take to protect their proprietary information and maintain their competitive edge.
FROM THE MEDIA: In 2019, Denmark's dominant telecommunications company, TDC Holding A/S, was in the process of upgrading its cellular network to 5G. Amid escalating tensions between the US and China, the decision was fraught with geopolitical implications, with the US National Security Agency warning European companies against working with firms tied to Beijing. TDC's decision would be not only financially significant, with the contract worth around $200 million, but also symbolically important, reflecting on the efficacy of the Trump administration's diplomacy and its efforts to curb China's global influence. In this high-stakes environment, a meeting was held on March 5, 2019, between a senior executive of TDC, Jens Aalose, and Yang Lan, a representative from Huawei Technologies Co., the world's largest network equipment maker. Huawei had been managing TDC's existing network under a contract set to expire. The meeting was called after Huawei unexpectedly submitted an emergency revision to its proposal for the 5G contract, offering a lower bid than its previous one, which had been higher than that of Ericsson AB, the only other competitor for the contract. Suspecting that Huawei had learned the details of Ericsson's bid, Aalose cut the meeting short.
READ THE STORY: Bloomberg
Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency
Analyst Comments: The use of cloud mining services to launder cryptocurrency by ransomware actors, nation-state hackers, and scammers highlights the evolving tactics employed by malicious actors to hide the origin of illicit funds. By leveraging mining pools, these actors can obscure the source of the funds and create the appearance of legitimate mining activities. This trend underscores the need for enhanced monitoring and regulation of cryptocurrency exchanges, as well as increased efforts by law enforcement and cybersecurity firms to track and disrupt these money laundering operations.
FROM THE MEDIA: Ransomware actors, nation-state hackers, and cryptocurrency scammers are increasingly exploiting cloud mining services to launder digital assets, according to a report by blockchain analytics firm Chainalysis. Cloud mining services allow users to rent computer systems and use computing power to mine cryptocurrencies. Ransomware wallets and mining pools associated with ransomware actors have been found to send funds to a highly active deposit address at a mainstream crypto exchange. By using mining pools, the origin of the funds can be obfuscated, creating the illusion that the funds are proceeds from mining rather than ransomware. The cumulative value of assets sent from ransomware wallets to exchanges through mining pools has risen to nearly $50 million in Q1 2023.
READ THE STORY: THN
Items of interest
Hackers infect Russian-speaking gamers with fake WannaCry ransomware
Analyst Comments: The phishing campaign targeting Enlisted players demonstrates how threat actors leverage popular games to distribute malware and carry out ransomware attacks. By impersonating official game websites, cybercriminals can trick players into downloading malicious software onto their systems. This highlights the importance of user education and awareness to recognize and avoid phishing attempts. Gamers should be cautious when downloading games or game-related content from unofficial sources, and they should ensure they have robust cybersecurity measures in place to protect their systems.
FROM THE MEDIA: A phishing campaign targeting Russian-speaking players of the multiplayer first-person shooter game Enlisted has been discovered by cybersecurity firm Cyble. The campaign uses a fake website resembling the official Enlisted page to distribute ransomware. While the specific group behind the attack has not been identified, researchers believe it is connected to the ongoing conflict between Russia and Ukraine. The fake website hosts a legitimate game installer and ransomware that mimics the WannaCry cryptoworm, named WannaCry 3.0. The ransomware encrypts files and displays a ransom note with instructions to contact the hackers through Telegram for negotiation. Targeting popular games is a common tactic for threat actors to reach a larger pool of potential victims.
READ THE STORY: The Record
Who Stole the NSA's Top Secret Hacking Tools? (Video)
FROM THE MEDIA: The significance of the leaks becomes apparent when the exploit known as EternalBlue is mentioned. This exploit allows remote access to Windows computers and was later used in large-scale cyberattacks such as the WannaCry ransomware attack. The timing of the leaks coincides with Russian hacking incidents and diverts attention away from them.
Living in the Shadow of the Shadow Brokers (Video)
FROM THE MEDIA: Most people know the Shadow Brokers leaked (supposedly) stolen NSA cyber tools, which led to some of the most significant cyber security incidents of 2017. But in addition to targeting NSA, the Shadow Brokers have also targeted a few individuals in our community. Hear about the history of the Shadow Brokers and the implications of their actions for infosec and DFIR from one of the group's targets.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.