Daily Drop (526): China’s Grey-Zone: South-China Sea region, Zyxel: Urgent Updates, Dutch ports: RU, Wago & Schneider: New Flaws, Jordanian Cyber, Afghan Central Bank: CN
06-21-23
Wednesday, Jun 21, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
China’s Grey-Zone activities in the South-China Sea region, especially in Taiwan
Analyst Comments: China's use of grey-zone activities to pursue its geopolitical objectives is a complex issue requiring nuanced strategies. Potential countermeasures include strengthening Taiwan's defenses against disinformation and cyberattacks, diversifying Taiwan's economic relations to lessen dependence on China, and continuing to support Taiwan's security through defensive arms sales and joint military exercises. However, these actions risk exacerbating tensions with China. Therefore, it is critical to maintain diplomatic channels with Beijing to prevent escalation. Western countries can also assist Taiwan in raising its international profile, despite the One-China policy, and promote public diplomacy initiatives to counter China's isolation efforts.
FROM THE MEDIA: The People's Republic of China, in alignment with its policy of non-traditional warfare, has been leveraging a range of "grey-zone" activities, particularly against Taiwan. These tactics include military provocations, spreading disinformation, cyber-attacks, economic coercion, and interference in internal affairs. These efforts serve to assert China's territorial claims and pressure adversaries without resorting to direct military conflict. Taiwan, seen as a valuable asset due to its industrial development and key role in the semiconductor industry, has borne the brunt of these activities. China's strategies range from increased military presence and threats in the South China Sea to disinformation campaigns and economic pressure.
READ THE STORY: Modern Diplomacy
Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Analyst Comments: Given the high CVSS score, the vulnerability represents a substantial risk and could be exploited by malicious actors to gain unauthorized control of devices. With Zyxel devices increasingly becoming targets for cybercriminals, it's crucial that users apply the provided patches promptly to mitigate potential threats. The previous exploitations of vulnerabilities in Zyxel's firewalls also indicate that threat actors are aware of and actively targeting Zyxel's products.
FROM THE MEDIA: Network equipment manufacturer Zyxel has released security updates to rectify a severe flaw (CVE-2023-27992, CVSS score: 9.8) in its network-attached storage (NAS) devices. This pre-authentication command injection vulnerability could allow an unauthenticated attacker to remotely execute operating system (OS) commands by transmitting a malicious HTTP request. The vulnerability was detected and reported by Andrej Zaujec, NCSC-FI, and Maxim Suslov. Zyxel's NAS326, NAS540, and NAS542 models are impacted. The alert follows the recent addition of two vulnerabilities in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
READ THE STORY: THN
Dutch ports fall victim to Russia-friendly hackers again
Analyst Comments: The attack on the Dutch and Belgian ports, while not directly affecting their operations, signifies an escalation in the cyber tactics of state-affiliated groups. It demonstrates the potential vulnerabilities in critical infrastructure that can be exploited, necessitating better defensive strategies. The attackers’ self-identification and the stated reasons behind the attack represent an increasing boldness and politicization in cyber threats. The Dutch government's statement suggests a recognition of the evolving threat landscape and a commitment to leveraging the upcoming EU directives to bolster cyber defenses.
FROM THE MEDIA: On Tuesday, a Russian hacker group known as NoName057 claimed responsibility for a series of Distributed Denial of Service (DDoS) attacks that disrupted the websites of three Dutch and Belgian ports. The North Sea Port, which runs the impacted ports in Vlissingen, Terneuzen, and Gent, confirmed the cyber attack but did not disclose the perpetrators' identities. The hackers stated their actions were in response to the "Russophobic" nations participating in a fighter jet coalition for Ukraine. While the ports' daily operations were not affected, the attacks highlight a need for increased cybersecurity measures in the region. The Dutch Ministry of Infrastructure and Water Management emphasized the future role of the Network and Information Security Directive (NIS2) and the Critical Entities Resilience Directive (CER), two critical pieces of EU cybersecurity legislation.
READ THE STORY: Euractiv // Teiss
The Secondary Chip and Hardware Markets: The Strategic Importance of Legacy Chips
Analyst Comments: The CSIS report sheds light on the strategic significance of legacy chips and the challenges faced in their production and availability. The reliance of industries such as automotive on legacy chips highlights the need for adequate investment and capacity to meet growing demand. The report emphasizes the importance of considering the economic and strategic value of legacy chips beyond their categorization based on transistor size. Policymakers should prioritize public and private investments to address the chip shortage and ensure the resilience of the manufacturing sector.
FROM THE MEDIA: The Center for Strategic and International Studies (CSIS) released a report on the strategic importance of legacy chips, addressing the issues raised in the OODA Stratigame scenario planning exercise on global computer chip supply chain disruption. Legacy chips, defined as those produced with 28-nanometer technology or larger, play a crucial role in various industries, including automobiles, consumer electronics, and medical devices. The chip shortage experienced during the COVID-19 pandemic highlighted the significance of legacy chips and their impact on the U.S. manufacturing economy. However, investment in legacy chip production has lagged behind demand, leading to supply constraints and disruptions across industry verticals.
READ THE STORY: OODALOOP
Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products
Analyst Comments: It's concerning that major OT vendors such as Wago and Schneider Electric are found to have critical vulnerabilities in their products, indicating a need for better security practices within the industry. The severity of the Schneider Electric vulnerability, in particular, underlines the potential consequences of these issues, as control of power meters could have significant impacts. Moreover, the observation by Forescout regarding vendors' lack of understanding of secure-by-design practices is a crucial insight that needs to be addressed to improve the overall cybersecurity posture of the OT sector. The false sense of security generated by partial patches and incomplete security testing procedures can lead to complacency, exacerbating the potential risk.
FROM THE MEDIA: Three new security vulnerabilities have been identified in operational technology (OT) products from Wago and Schneider Electric. The cybersecurity company Forescout has disclosed these flaws as part of OT:ICEFALL, a collective name for 61 vulnerabilities across 13 vendors. The most severe of the new vulnerabilities (CVE-2022-46680, CVSS score: 8.8) pertains to plaintext transmission of credentials in the ION/TCP protocol utilized by Schneider Electric's power meters. This vulnerability could allow attackers to take control of susceptible devices. The other two vulnerabilities (CVE-2023-1619 and CVE-2023-1620, CVSS scores: 4.9) are denial-of-service bugs impacting WAGO 750 controllers. Forescout's research shows that vendors often lack an understanding of secure-by-design practices and fail to implement effective security testing procedures.
READ THE STORY: THN
Cisco launches new AI networking chips to compete with Broadcom, Marvell
Analyst Comments: Cisco's entry into the market for networking chips for AI supercomputers positions it as a competitor to Broadcom and Marvell Technology. The performance enhancements and connectivity capabilities of Cisco's new Ethernet switches cater to the increasing demand for speed and efficiency in AI and machine learning workloads. By targeting major cloud providers, Cisco aims to establish a strong presence in the cloud computing market. The competition in this space reflects the growing importance of specialized chips for AI applications and the race to provide the most powerful and efficient solutions.
FROM THE MEDIA: Cisco Systems has unveiled its networking chips for AI supercomputers, entering into competition with Broadcom and Marvell Technology. The chips, part of Cisco's SiliconOne series, are being tested by major cloud providers. Cisco's latest Ethernet switches, the G200 and G202, offer double the performance compared to the previous generation and can connect up to 32,000 GPUs. The chips aim to enhance the speed and efficiency of AI and machine learning tasks while reducing the number of switches required.
READ THE STORY: Reuters
Mending Economic Bridges: Afghan Central Bank Governor’s Meeting with the Chinese Ambassador
Analyst Comments: This meeting is a critical turning point that signifies the evolving geopolitical dynamics in the region. It underlines China's strategic interest in resource-rich Afghanistan, especially in the face of the country's isolated financial condition due to U.S.-led sanctions, liquidity problems, and international banking concerns. China's readiness to engage with the Taliban-led Afghanistan showcases its long-term economic vision and willingness to take calculated risks. The Chinese ambassador's meeting with Mullah Hidayatullah Badri, an individual with a significant economic background within the Taliban’s leadership, indicates that the Taliban is serious about addressing Afghanistan's economic struggles and is open to collaboration.
FROM THE MEDIA: In an important development indicating China's increasing economic interest in Afghanistan, a key meeting was held on June 16, 2023, between the acting governor of the Afghan central bank, Mullah Hidayatullah Badri, and China’s ambassador to Afghanistan, Wang Yu. The discussions revolved around banking relations, business, and other relevant topics, reflecting China's eagerness to tap into Afghanistan's economic potential despite its current troubled state.
READ THE STORY: Modern Diplomacy
Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations Networks
Analyst Comments: The active exploitation of this vulnerability underscores the importance of timely patching and software updates. Given the increasing pace at which threat actors exploit newly disclosed vulnerabilities, it is crucial that organizations prioritize patch management and security updates. VMware's software is widely used across many industries, making this vulnerability potentially high-impact. Considering the risk associated with this vulnerability, customers using affected versions of Aria Operations for Networks should install the necessary updates immediately to mitigate potential threats.
FROM THE MEDIA: VMware has reported active exploitation of a recently patched critical command injection vulnerability (CVE-2023-20887) in its Aria Operations for Networks. The flaw, which allows a malevolent actor with network access to perform a command injection attack leading to remote code execution, has been fixed in multiple versions of Aria Operations for Networks. The company confirmed that the vulnerability has been used in real-world attacks. Threat intelligence firm GreyNoise has identified active exploitation from two different IP addresses located in the Netherlands.
READ THE STORY: THN
Jordanian Cyber Leaders Kick Off Cybersecurity Framework Development
Analyst Comments: Jordan's efforts to establish a national cybersecurity framework are an important step in protecting the nation from cyber threats. As we've seen, cyber threats are not limited to any one region or type of institution; they can impact both private and public sectors and affect national security. The proactive approach Jordan is taking, including an open consultation period, reflects a desire to ensure a thorough and robust cybersecurity infrastructure. It's also noteworthy that the framework aims to keep pace with international practices, which suggests an understanding of the global nature of cyber threats and the need for international standards and cooperation.
FROM THE MEDIA: The National Cybersecurity Center of Jordan has announced a proposed draft for a national cybersecurity framework. The draft, open for consultation, includes a comprehensive set of procedures, controls, standards, and mechanisms that all public and private institutions must implement. The aim is to align with international practices in strengthening the national defense system against cyber threats. By focusing on enhancing technical, human, and administrative capabilities within organizations, the framework aims to effectively confront cyber threats and mitigate their impact. The primary goal is to boost the security of Jordan's cyber systems and improve the level of information protection.
READ THE STORY: DARKReading
Assessing Pakistan’s Cyber Security Landscape
Analyst Comments: Pakistan's cyber security policy development indicates its recognition of the crucial need for robust legislation and efficient policies in this domain. The passage of PECA provided a comprehensive legal framework for addressing cybercrime, despite certain limitations in terms of judicial orders for legal action. The recent launch of the National Cyber Security Policy indicates a serious commitment to tackling cybersecurity issues head-on. The introduction of the Personal Data Protection Bill in 2021 signifies a significant step towards enhancing digital privacy protection, which is particularly important in an era of expanding electronic transactions and cross-border data exchanges. However, it's crucial that all stakeholders understand their rights and obligations under the Bill for its effective implementation.
FROM THE MEDIA: Pakistan's cybersecurity policy development traces back to the early 2000s with the Electronic Transactions Ordinance (ETO), 2002, aimed at protecting the nation's e-commerce. The National Response Center for Cyber Crimes (NR3C) was established in 2007, followed by the National Action Plan (NAP) in 2014 to counter terrorism and extremism, including cyber threats. The Prevention of Electronic Crimes Act (PECA) passed in 2016 laid out provisions for cybercrime prosecution. Recently, the National Cyber Security Policy was launched in 2021, aimed at addressing weak enforcement, data protection issues, and collaboration for effective implementation.
READ THE STORY: Modern Diplomacy
Chinese spy facilities in Cuba are a ‘serious concern’, says Blinken
Analyst Comments: The US raising concerns about China's alleged electronic spying facilities in Cuba underscores the growing tensions between the two countries in the realm of intelligence and espionage. The report of a tentative deal for a new eavesdropping facility in Cuba adds to the existing concerns. The Biden administration's focus on disrupting China's activities reflects its determination to counter Chinese espionage and protect US national security interests. However, the response from Chinese officials regarding the concerns raised by Blinken is not disclosed, leaving the outcome of the discussions uncertain.
FROM THE MEDIA: During his visit to Beijing, US Secretary of State Antony Blinken raised concerns with Chinese officials about China's alleged electronic spying facilities in Cuba. The Wall Street Journal had reported that China and Cuba reached a tentative deal for a new eavesdropping facility in Cuba, which raised concerns for the US. Blinken stated that he discussed the issue with Chinese officials but did not disclose their response. The US has become increasingly concerned about Chinese espionage and intelligence-gathering activities overseas. The Biden administration remains focused on disrupting China's activities in Cuba and expressed confidence in meeting security commitments at home and in the region. Blinken's visit aimed to stabilize relations between the US and China, and progress was made towards that goal according to President Xi Jinping.
READ THE STORY: FT
Vyoma raises $9 million for debris-monitoring satellites
Analyst Comments: Vyoma's successful funding round and its development of space debris-monitoring satellites demonstrate the increasing importance and demand for space situational awareness (SSA) solutions. With the growing congestion of space and the potential risks posed by space debris, monitoring and tracking objects in orbit is crucial for the safety and sustainability of space activities. Vyoma's focus on using space-based cameras to track smaller objects and its collaboration with Safran for enhanced capabilities show a commitment to advancing SSA technologies. The investments made in Vyoma and other companies working in the space-based SSA sector highlight the industry's recognition of the need for effective solutions in this field.
FROM THE MEDIA: German startup Vyoma has raised €8.5 million ($9.3 million) in funding to develop space debris-monitoring satellites. The funding round included participation from Safran, a French aerospace giant, and three undisclosed investors. Vyoma plans to launch a constellation of 12 satellites starting next year, with the first two microsatellites focused on tracking and cataloging objects larger than 30 centimeters in low Earth orbit (LEO). The company aims to eventually track objects as small as one centimeter using space-based cameras. Safran's subsidiaries are exploring ways to enhance Vyoma's capabilities through the addition of sensors and optical instruments.
READ THE STORY: SpaceNews
Justice Department adds new cyber-threat-focused litigating section
Analyst Comments: The formation of NatSec Cyber represents a crucial step forward in the U.S. government's ongoing efforts to enhance the nation's cyber defenses. By dedicating a specific section within the DOJ to cybersecurity, it highlights the recognition of cyberspace as a new frontier for national security threats, further emphasizing the growing importance of cybersecurity in maintaining national security. This move also signifies a shift towards more proactive measures in combating cyber threats, with the division intending to disrupt cyber threats more quickly and on a larger scale. Furthermore, aligning the new section's structure with that of the FBI's cyber division indicates a desire for improved coordination and cooperation among various governmental entities in the face of increasingly sophisticated cyber threats.
FROM THE MEDIA: The Department of Justice (DOJ) is establishing a new section within its National Security Division, specifically dedicated to cybersecurity. Named NatSec Cyber, this division aims to boost the speed and scope of campaigns to counter cyber threats from nation-states and state-sponsored cybercriminals. The creation of this section is a response to a 2022 review that identified the need for personnel skilled in understanding the complexities of cyber breaches and attacks. This move places cyber-related activities on an equal footing with other sections within the National Security Division. Its structure, organized by geographical threat actors, aligns with the structure of the FBI's cyber division, facilitating integration. NatSec Cyber will also support U.S. attorney offices nationwide, serving as an incubator for cyber cases.
READ THE STORY: FEDSCOOP
Russia’s ‘Fancy Bear’ hackers targeted the Ukrainian gov’t, military organizations
Analyst Comments: APT28 has a notorious history, having been implicated in several high-profile cyber attacks, including those on the U.S. Democratic National Committee and the World Anti-Doping Agency. This new activity indicates that APT28 continues to operate with high sophistication and clear strategic objectives. The tactics deployed – spear-phishing and the exploitation of vulnerabilities in the Roundcube Webmail service – underline the relentless sophistication of such threat actors. The techniques used by the group are advanced and capable of bypassing even diligent security measures, which emphasizes the necessity for robust and continuously updated cybersecurity defenses.
FROM THE MEDIA: Ukrainian cybersecurity officials and researchers from Recorded Future's Insikt Group have identified an ongoing cyber espionage campaign orchestrated by the infamous APT28 group, also known as Fancy Bear or BlueDelta. This group is believed to be associated with the Russian military's Main Directorate (GRU). The targets include the Ukrainian government and a military aviation company. The campaign uses spear-phishing techniques, leveraging current news of Russia's invasion of Ukraine, to compromise email inboxes without any further action required by the victims. The activity appears intended to support Russia's military operations by gathering sensitive intelligence.
READ THE STORY: The Record
DOJ launches cyber unit with national security focus as China, Russia threats mount
Analyst Comments: This is a crucial step in the U.S.'s effort to counter cyber threats from nation-states and state-backed hackers. It not only reflects the growing significance of cybersecurity in national security but also underscores the aggressive stance of the DOJ against such threats. By focusing on the disruption of malicious activities and prosecuting the actors involved, the new unit will likely enhance the U.S.'s defense against cyber threats. The efficacy of these efforts will heavily depend on international cooperation, as most of these cyber threat actors operate from foreign jurisdictions. The mentions of China and North Korea, in particular, indicate where the U.S. perceives the most significant threats to emanate from. The challenge will be in navigating international relations while pursuing justice against state-backed cybercriminals.
FROM THE MEDIA: The U.S. Department of Justice (DOJ) has established a new unit in its National Security Division to address cyber threats originating from state-sponsored hackers. This step formalizes the emphasis on combating cyber threats in the department's hierarchy. The unit will focus on disrupting operations and prosecuting threat actors, especially from China and North Korea. The DOJ has a history of vigorously pursuing state-backed cyber actors. The new unit, termed "NatSec Cyber," will enable comprehensive and intensive investigations in the early stages of cases.
READ THE STORY: CNBC
Oreo cookie maker says crooks gobbled up staff info
Analyst Comments: This data breach incident highlights the risk that third-party vendors can pose to a company's data security. Even if a company has robust cybersecurity measures in place, it may be vulnerable through its connections to other businesses that have access to its sensitive information. It's important for organizations to assess the security protocols of their partners and ensure that they meet the required standards.
FROM THE MEDIA: Mondelez International, the company behind Oreo and Ritz crackers, has issued a warning to approximately 51,000 of its current and former employees regarding a data breach incident. However, the breach did not take place in Mondelez's own IT infrastructure, but rather in Bryan Cave Leighton Paisner LLP's network, a law firm providing legal services to Mondelez and holding sensitive personal information of the company's employees. The accessed data included social security numbers, names, addresses, dates of birth, marital status, gender, employee identification numbers, and retirement plan details. Financial information was not involved. Bryan Cave detected unauthorized access to its systems from February 23 to March 1, 2023, but only notified Mondelez on March 24. Mondelez has offered free credit monitoring services to the affected individuals for 24 months.
READ THE STORY: The Register
New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks
Analyst Comments: The emergence of Condi highlights the continued risk posed by botnets, particularly in the context of IoT devices like Wi-Fi routers. Condi's design, which allows it to terminate other botnets and survive system reboots, indicates a high level of sophistication. It is notable that the malware exploits a known security vulnerability (CVE-2023-1389) for propagation, emphasizing the importance of timely patching and software updates to mitigate such threats. The monetization strategy employed by the actor behind Condi, involving DDoS-as-a-service and selling the malware source code, indicates a broader trend toward the commercialization of cybercrime.
FROM THE MEDIA: A new malware named Condi is exploiting a security vulnerability in TP-Link Archer AX21 Wi-Fi routers to incorporate these devices into a distributed denial-of-service (DDoS) botnet. The campaign, which has escalated since the end of May 2023, is attributed to a threat actor known as zxcr9999 on Telegram. Condi is capable of terminating other competing botnets on the same host but lacks a persistence mechanism, meaning it cannot survive a system reboot. To compensate, the malware deletes multiple binaries used to shut down or reboot the system. Condi primarily exploits routers vulnerable to CVE-2023-1389, a command injection bug previously exploited by the Mirai botnet, to spread.
READ THE STORY: THN
Items of interest
DIY Picosatellites Hack Chat
Analyst Comments: Small and cost-effective satellite technology is a growing trend that allows startups to explore opportunities in space. The CubeSat format has become a critical enabler for private entities to venture into space at a lower cost. With companies like Quub, Inc., we see the rise of 'space startups,' which signals a significant shift in the industry, previously dominated by nations and large corporations. Quub's focus on real-time environmental monitoring of Earth could have wide-ranging applications from climate change tracking to disaster management, and their use of consumer-grade technology could potentially lower barriers to entry even further.
FROM THE MEDIA: Lancaster, Pennsylvania-based company, Quub, Inc., is aiming to develop and deploy a constellation of microsatellites for real-time environmental monitoring of Earth. The democratization of satellite construction, largely due to the CubeSat format and a higher rate of launches, both national and commercial, has drastically reduced the obstacles for private, low-budget launches. Quub's construction approach relies on consumer-grade technology and modularized construction. Nathaniel Evry, Quub's Chief Research Officer, is set to join a community event hosted by Hackaday.io, providing insights into the challenges and requirements of building hardware resilient to the rigors of space launch and operation.
READ THE STORY: Hackaday
Browser Exploitation Introduction (Video)
FROM THE MEDIA: This stream includes retired content from the SANS SEC760 "Exploit Dev" course. It will focus on Use After Free exploitation of an outdated Internet Explorer version. I'll follow it up with another stream on browser memory leaks.
Overview of SEC661: ARM Exploit Development and an Introduction to Router Emulation (Video)
FROM THE MEDIA: The webcast is about ARM exploit development and focuses on the Internet of Things (IoT) and router emulation. The speaker, John DeGroiter, has extensive experience in technology and helps others learn in the field. The course covers fundamental concepts such as the stack, passing arguments on the stack, local variables, prologue and epilogue of the stack, and stack overflows. It also explores firmware analysis for IoT devices, router emulation, and different exploits for ARM processors.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.