Daily Drop (533): Starlink: Taiwan, CN PCM's: They aren't Wagner, RU SATCOM: Wagner, MuddyWater Evolves, DPRK APT EarlyRat, SiegedSec, Muslim Brotherhood: China, WhatsApp Upgrades Proxy
07-01-23
Saturday, Jul 01, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
SpaceX Starlink might be a deterrence to conflict over Taiwan
Analyst Comments: Starlink's potential use in military communication and its ability to quickly restore connection to critical areas could play a significant role in future conflict scenarios. However, Musk's commercial interests in China may influence Starlink's utilization in such situations, as the company might want to avoid any political backlash that could potentially jeopardize its operations.
FROM THE MEDIA: SpaceX's Starlink satellite internet service may act as a deterrent in potential conflicts over Taiwan. Fumiko Sasaki, an international relations specialist at Columbia University, suggests that the Chinese People's Liberation Army (PLA) could potentially target underwater cables and satellites to disrupt communication between Taiwan and its allies, such as the US and Japan, in the event of a conflict. Starlink's service has previously proven effective in war scenarios, notably in Ukraine in 2022 when Russia launched over 100 missile strikes targeting the country's energy and communication infrastructure. Sasaki believes that the use of Starlink would force the PLA to reconsider its offensive strategy, giving Japan more time to strengthen its defenses. Japan's Self-Defense Forces (SDF) have been testing Starlink services across its land, sea, and air forces since March, and sources suggest that the SDF is considering adopting Starlink by next year.
READ THE STORY: TeslaRati
WhatsApp Upgrades Proxy Feature Against Internet Shutdowns
Analyst Comments: These upgrades to WhatsApp's proxy feature are crucial, especially in regions where internet censorship and shutdowns are frequent. By providing an intermediary gateway between WhatsApp and external servers, users can continue to communicate, even when direct access to the platform is restricted. However, it is important to remember that while proxy servers can bypass certain restrictions, they may not fully protect against sophisticated surveillance and censorship techniques.
FROM THE MEDIA: Meta's WhatsApp has updated its proxy feature, enhancing the range of content that can be shared in conversations. The updates include the ability to send and receive images, voice notes, files, stickers, and GIFs. The company also streamlined the setup process and introduced shareable links for easy and automatic installation of functioning/valid proxy addresses. These updates enhance the ability of users to bypass government-imposed censorship and internet shutdowns, and access WhatsApp indirectly.
READ THE STORY: THN
The failure of Muslim Brotherhood agenda inside China and Xinjiang
Analyst Comments: It's important to approach this passage with caution as it represents a specific viewpoint that may not necessarily reflect the objective reality or the official stance of all parties involved. While the Muslim Brotherhood has faced accusations of involvement in extremist activities, it is essential to critically evaluate any claims and consider multiple perspectives. The passage raises several allegations, such as the Muslim Brotherhood's collaboration with Britain in psychological and propaganda warfare, its supposed intention to transfer global hegemony from the United States to various countries, and its ultimate goal of spreading chaos and turmoil internationally. These claims should be subject to further scrutiny and corroborating evidence.
FROM THE MEDIA: The reporting presents a perspective on the Chinese government's view of the banned terrorist group, the Muslim Brotherhood. It suggests that China sees the Muslim Brotherhood as a threat due to its alleged links with international terrorism and its attempts to manipulate conflicts, particularly between China and other countries. The passage also highlights China's concerns about the Muslim Brotherhood's connections with the East Turkistan separatist movement in Xinjiang.
READ THE STORY: Modern Diplomacy
Several US states investigating ‘SiegedSec’ hacking campaign
Analyst Comments: The SiegedSec attacks highlight the vulnerability of local and state government infrastructure to politically motivated hacking groups. The range of the affected websites demonstrates that various government functions, from judiciary to human services, can be targets of such attacks, potentially disrupting government services and compromising sensitive information. The lack of information about the individuals behind SiegedSec points to a challenge in attributing and responding to such attacks. With the group’s leader citing ‘fun’ or ‘lulz’ as a primary motivator, it seems that traditional deterrence strategies may be less effective against groups like SiegedSec.
FROM THE MEDIA: Officials across several US states are investigating cyberattacks on state-run websites claimed by the politically-motivated hacking group SiegedSec. The targets included the Nebraska Supreme Court intranet, South Dakota Boards and Commissions, Texas State Behavioral Health Executive Council Personal Information, Pennsylvania Provider Self-Service, and South Carolina Criminal Justice Information Services. SiegedSec reportedly defaced the websites and shared images of stolen data on Telegram, without specifying their motive. The group had earlier claimed responsibility for cyberattacks on government bodies in Texas, Kentucky, and Arkansas, citing political grievances, such as state-level bans on abortion and gender affirming care.
READ THE STORY: The Record
How China’s Overseas Security Forces Differ From Wagner
Analyst Comments: China's use of private security companies in its global endeavors tends to be defensive in nature, focusing on protecting Chinese BRI projects. This write-up lays out some of the differences between Chinese security firms and Russia's Wagner Group, emphasizing China's centralization of power and the limits placed on private security firms' activities. It also discusses how China's Belt and Road Initiative (BRI) has created a demand for security forces to protect Chinese professionals abroad. The passage raises the possibility that China may expand the role of private security firms to further its influence. However, it is important to critically evaluate the claims and consider multiple perspectives on China's use of private security firms and its broader geopolitical strategies.
FROM THE MEDIA: Chinese contractors, similar to Russia's Wagner Group, operate in developing countries across Africa and Asia. However, there are differences between the two. China's centralization of power and tight gun laws limit private security firms from mounting military rebellions. Chinese security companies primarily handle non-lethal guard duties and often function as consultants for more dangerous tasks, hiring and managing local staff. While China's security concerns have led to the growth of commercial security firms, they remain primarily domestic. However, analysts suggest that China's broad definition of national security and its track record of covert use of commercial enterprises could lead to an expansion of private security firms' role.
READ THE STORY: WSJ
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
Analyst Comments: Andariel's use of the previously undocumented EarlyRat malware highlights the continual evolution and development of cyber threats from state-sponsored actors like North Korea. The use of such sophisticated tools and techniques, including the deployment of a wide variety of malware and the exploitation of the Log4j vulnerability, underline the high level of threat posed by this group. Organizations, particularly those in sectors that may be of strategic interest to North Korea, should remain vigilant and ensure that they have robust cybersecurity measures in place to detect and respond to such threats.
FROM THE MEDIA: Andariel, a threat actor linked to North Korea, has reportedly used a previously undocumented malware called EarlyRat in phishing attacks. The group is known for espionage attacks against foreign government and military entities and for conducting cybercrime for additional income. Andariel's arsenal includes a ransomware strain called Maui and numerous remote access trojans and backdoors like Dtrack, NukeSped, MagicRAT, and YamaBot. The group infects machines using a Log4j exploit, which downloads further malware from a command-and-control (C2) server. EarlyRat is spread via phishing emails containing decoy Microsoft Word documents; when macros are enabled, VBA code is executed that downloads the trojan. EarlyRat is a simple, limited backdoor designed to collect and exfiltrate system information to a remote server and execute arbitrary commands.
READ THE STORY: THN
Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools
Analyst Comments: The updated approach and tools used by APT35 indicate a growing sophistication in the group's activities, revealing their commitment to achieving their objectives. Their spear-phishing tactics demonstrate careful planning and attention to detail, aiming to build trust with their targets before deploying the malware. This enhancement of their methodology, paired with their selective use of malware, indicates a strategic approach aimed at evading detection and increasing the likelihood of successful infiltration. The deployment of the PowerStar malware, in particular, shows the group's ability to innovate and adapt, making it a substantial threat to consider.
The absence of Surovikin and the promotions of Putin loyalists suggest a major realignment within the Russian security apparatus. By elevating individuals who have publicly demonstrated their loyalty, Putin seems to be aiming to consolidate his control over the security services while attempting to minimize the influence of hardline elements within the military. The shifting dynamics within the security services could potentially impact Russia's military strategies and the conduct of its ongoing military operations. Furthermore, these changes could also serve to deter future coup attempts by signaling that any challenge to Putin's authority will be met with significant consequences.
FROM THE MEDIA: The Iran-based cyber threat group, APT35 (also known as Charming Kitten), has enhanced its hacking tools for better concealment and has started distributing a more advanced custom backdoor through a spear-phishing campaign. One notable target of this campaign was an Israeli journalist, who was subjected to an intricate spear-phishing method that involved a malicious "draft report". The report contained a password-protected RAR file, which when opened, executed a .LNK file that downloaded the PowerStar malware into the system. The PowerStar malware, an upgraded variant of a previously known backdoor, collects certain system information and sends it to a command-and-control (C2) server.
READ THE STORY: DARKReading
From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon
Analyst Comments: The emergence of the PhonyC2 framework indicates the persistent evolution of the MuddyWater group's tactics, techniques, and procedures (TTPs). Their continued development of custom C2 frameworks highlights their high level of sophistication and ability to adapt to evade detection. Israel and other neighboring states, particularly Iran's geopolitical rivals, remain the primary targets for Iranian APTs, reflecting the nation's strategic interests. The threats from groups such as MuddyWater underline the need for targeted entities to continually evolve their cyber defenses, including securing public-facing servers and educating staff about the risks of social engineering.
FROM THE MEDIA: The Iranian state-sponsored group known as MuddyWater, or Mango Sandstorm, has been linked to a newly observed command-and-control (C2) framework called PhonyC2. The group has used this tool since 2021, including in an attack on Technion, an Israeli research institute, in February 2023. MuddyWater is known to have operated on behalf of Iran's Ministry of Intelligence and Security (MOIS) since at least 2017. PhonyC2 is similar to a previous framework used by MuddyWater, MuddyC3; both are written in Python. The group continuously updates PhonyC2 to avoid detection. The framework is primarily used to generate payloads that connect back to the C2 and await instructions from the operator to carry out the final step of the intrusion kill chain. PhonyC2 can generate payloads, create different PowerShell command variants, enumerate connected machines, execute the same command across all connected hosts simultaneously, and generate PowerShell code that lets the operator gain persistence on an infected host.
READ THE STORY: THN
Russian satellite comms firm Dozor taken offline by Wagner-affiliated hacker group
Analyst Comments: The reported cyberattack on Dozor-Teleport highlights the vulnerability of critical infrastructure and the potential risks associated with state-affiliated hacker groups. It underscores the importance of robust cybersecurity measures for organizations handling sensitive information. While the attack is attributed to a group claiming affiliation with the Wagner Group, skepticism exists regarding the veracity of this claim.
FROM THE MEDIA: Russian satellite communications firm Dozor-Teleport experienced a cyberattack, reportedly carried out by a group affiliated with the Wagner Group. The company, utilized by Russia's Ministry of Defense, Gazprom, and other organizations, was temporarily taken offline. Internet monitoring firms confirmed the disruption, but Dozor-Teleport has since resumed operations. The hacker group claimed to have damaged satellite terminals and leaked confidential information. However, doubts have been raised about the group's actual connection to the Wagner Group.
READ THE STORY: DCD
Pro-Russian hackers upgrade DDoSia bot used to attack Ukraine, NATO countries
Analyst Comments: The upgrades and increasing use of the DDoSia bot highlight the continuous and evolving cyber threat from pro-Russian hacker groups, especially targeting countries that have been vocal in their opposition to Russia's actions in Ukraine. The use of DDoS attacks can cause significant disruption to online services, impacting both public institutions and private companies. The hackers' communication and organization via Telegram also illustrates the role that social media and online platforms can play in facilitating such activities. Paying participants in cryptocurrency is a tactic that can attract more participants to their cause and enable the group to avoid traditional financial systems.
FROM THE MEDIA: Pro-Russian hacker group NoName057(16) has been upgrading its distributed denial-of-service (DDoS) attack toolkit, known as DDoSia, which has been increasingly deployed against countries critical of Russia's actions in Ukraine. DDoSia has been used against government agencies, media, and private companies in Ukraine, Lithuania, Poland, Italy, and other European countries, impacting a total of 486 different websites. The group reportedly targets about 15 victims per day. The DDoSia project was launched in early 2022, and its Telegram channel has since garnered 10,000 followers. Participants in the DDoS attacks are remunerated in cryptocurrency, based on their contribution.
READ THE STORY: The Record
Chip Giant TSMC Blames $70M LockBit Breach on IT Hardware Supplier
Analyst Comments: This breach is another example of the security risks posed by third-party suppliers in the IT supply chain. It underscores the importance for organizations to ensure that their suppliers are adhering to rigorous cybersecurity standards. According to the company's statement, the breach does not appear to have reached TSMC's core operations or sensitive customer data, which is a somewhat positive outcome. However, the incident has potentially exposed TSMC to significant financial extortion and reputational damage. The situation shows the effectiveness of ransomware as a cybercrime strategy, as well as the need for companies to have robust, well-tested incident response plans in place. While Kinmax downplayed the incident, the information accessed might still give malicious actors valuable insight into the network configuration and potential vulnerabilities of its clients, reinforcing that even seemingly benign information can be exploited.
FROM THE MEDIA: Taiwan Semiconductor Manufacturing Company (TSMC), a major supplier of semiconductors to Apple, experienced a data breach that led to a $70 million ransom demand from the LockBit ransomware group. TSMC attributed the incident to a third-party IT hardware supplier, Kinmax Technology, a Taiwan-based systems integrator. The breach apparently didn't affect TSMC's business or customer information but involved information related to server initial setup and configuration. A subgroup within the LockBit operation, named the National Hazard Agency, threatened to leak TSMC's data and "points of entry" to its network, including login credentials, if the ransom wasn't paid by August 6. Kinmax acknowledged the intrusion but downplayed its significance. TSMC has halted its data exchange with Kinmax and is increasing security awareness among its suppliers.
READ THE STORY: DARKReading
Beware: New 'Rustbucket' Malware Variant Targeting macOS Users
Analyst Comments: The sophistication and persistence of this new variant of Rustbucket malware present serious threats to macOS users, particularly in the financial sector. The use of a backdoored PDF reader as an infection mechanism makes this malware particularly elusive, as its malicious activity only initiates upon the opening of a weaponized PDF file. This tactic underscores the increasing creativity and evolution in the methods used by cybercriminals.
FROM THE MEDIA: Researchers have discovered an updated variant of Rustbucket malware that is now targeting macOS users. This malware, attributed to the North Korean threat actor group BlueNoroff (a part of the Lazarus Group), is unique for its advanced capabilities in persisting on the infected system and evading detection by security software. Rustbucket infection begins with a macOS installer file that installs a backdoored PDF reader. The malware only activates when a weaponized PDF file is opened with the compromised reader. This highly targeted campaign primarily focuses on financial institutions in Asia, Europe, and the U.S.
READ THE STORY: THN
Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
Analyst Comments: This particular attack signifies an advancement in cybercriminal strategies, in which threat actors use ad platforms and cloned webpages of well-known applications to spread malware. It highlights the need for organizations to have advanced cybersecurity measures in place, including employee training, monitoring and logging of activity, a defined baseline of normal network traffic, improved incident response and communication, and engagement with cybersecurity professionals.
FROM THE MEDIA: In a joint investigation by Trend Micro and a targeted organization, malicious actors were found to be using malvertising to distribute malware through cloned webpages of legitimate software, in this case WinSCP, an open-source Windows application for file transfer. The malware led to a BlackCat (aka ALPHV) infection and employed SpyBoy Terminator, a tool that tampers with the protection provided by security agents. The cybercriminals stole top-level administrator privileges and used them to conduct unauthorized activity, establish persistence and backdoor access, and steal passwords. The malvertising infection chain involved the user searching for the application, clicking on a malicious ad, and then downloading an ISO file to their system.
READ THE STORY: TrendMicro
Russian election-meddling ‘troll factory’ reportedly shut down after Wagner revolt
Analyst Comments: The shutdown of the IRA and other media holdings of Prigozhin could temporarily disrupt Russian disinformation campaigns and online influence operations, particularly those targeting foreign nations. However, if ownership transfers to a figure like Yuri Kovalchuk, these activities may resume under a different banner. The disappearance of Ilya Gorbunov amid the negotiations over Prigozhin's assets also raises questions about the internal dynamics of these organizations. This event could be indicative of deeper instability or shifts within the landscape of Russia's information operations. Given Prigozhin's attempted coup and his subsequent flight to Belarus, this situation also reflects political tensions within Russia. The potential Kremlin supervision of these outlets, regardless of their new owner, underlines the central role of state influence in Russian media.
The report from FIS indicates that the geopolitical tensions resulting from the Russia-Ukraine conflict are driving shifts in intelligence gathering tactics, with a greater reliance on cyber espionage. As access to human intelligence assets shrinks, digital infiltration becomes a more feasible and attractive option for intelligence collection. Critical infrastructure, financial service providers, state administrations, and businesses dealing with large volumes of sensitive data need to ramp up their cybersecurity defenses in anticipation of these potential threats.
FROM THE MEDIA: The Internet Research Agency (IRA), known for its interference in the 2016 U.S. presidential election, is reportedly shut down after an attempted coup by its founder, Yevgeny Prigozhin. Prigozhin, also controlling several other media outlets, reportedly fled to Belarus, leading to the closure of his Saint Petersburg-based media holdings, including the IRA. His assets were seized, and all employees were let go without compensation. In the meantime, Ilya Gorbunov, who was managing Prigozhin's media empire, was in negotiations with potential buyers before his sudden disappearance. One likely candidate to take over Prigozhin's assets, including the IRA, is Yuri Kovalchuk, owner of Russia’s National Media Group (NMG).
READ THE STORY: The Record
Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign
Analyst Comments: The proxyjacking technique presents a stealthy and less resource-intensive alternative to traditional cryptojacking, reducing the chance of detection. The activity underscores the ongoing evolution of cyber threats and the creativity and adaptability of malicious actors. Cybersecurity strategies need to evolve accordingly, and organizations should adhere to best practices such as the use of strong passwords, regular patch management, and detailed logging.
FROM THE MEDIA: Cybersecurity researchers at Akamai have reported an active campaign targeting vulnerable SSH servers to covertly incorporate them into a proxy network, a technique known as proxyjacking. This tactic allows threat actors to monetize unused bandwidth on a victim's server, using it to clandestinely run different services as a peer-to-peer (P2P) node. The campaign was discovered on June 8, 2023, and the attackers breach SSH servers and deploy an obfuscated Bash script that fetches necessary dependencies from a compromised web server. The researchers also noted that the same server is being used to host a cryptocurrency miner, suggesting that the attackers are involved in both cryptojacking and proxyjacking attacks.
READ THE STORY: THN
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts
Analyst Comments: This is a high-risk issue as Ultimate Member is a popular plugin used by many WordPress websites for user-profile creation and community management. The security flaw provides hackers with an opportunity to gain complete control over the affected websites. Until a full patch is made available, users of Ultimate Member are advised to disable the plugin and perform audits of all administrator-level users to identify and remove any unauthorized accounts. Regular monitoring and swift action are crucial to mitigate the potential damage from this vulnerability.
FROM THE MEDIA: Around 200,000 WordPress websites are at risk due to an unpatched security vulnerability in the Ultimate Member plugin. The vulnerability, tracked as CVE-2023-3460 (CVSS score: 9.8), allows unauthenticated attackers to exploit this flaw and create new user accounts with administrative privileges, effectively granting them full control over the affected websites. Although partial fixes have been implemented in recent versions of the plugin, the patches are incomplete, and the vulnerability remains actively exploitable.
READ THE STORY: THN
CISA issues DDoS warning after attacks hit multiple US Orgs
Analyst Comments: The surge in DDoS attacks poses a significant threat to businesses and organizations, potentially causing service disruption, financial loss, and reputation damage. Entities must take proactive measures such as enrolling in dedicated DDoS protection services and deploying firewall rules to mitigate potential attacks. The pattern of attacks by Anonymous Sudan (Storm-1359) indicates that both governmental and private sectors need to be on high alert and prepared to respond to DDoS threats.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about ongoing distributed denial-of-service (DDoS) attacks on multiple organizations across various industry sectors in the United States. The agency has urged businesses to take proactive measures to counter these attacks and reduce their impact. Such steps include setting up firewall rules quickly and redirecting malicious traffic via DoS protection services to prevent attackers from disabling targeted online portals or services. The warning follows several DDoS attacks claimed by the Anonymous Sudan group, a threat actor Microsoft identifies as Storm-1359. The group has allegedly targeted both private and governmental organizations, taking their online portals offline. This group has reportedly attacked large organizations like Scandinavian Airlines (SAS), Tinder, and Lyft, as well as various hospitals across the United States.
READ THE STORY: Bleeping Computer
Items of interest
Moscow Warns of New Western Colonialism Threatening Africa (Poss. Propaganda)
Analyst Comments: Laughably, this report shares a possibly biased Russian perspective on the West's relationship with Africa, portraying it as neo-colonial and exploitative. Russia has been increasing its involvement in Africa, expanding economic and military cooperation with various African nations. This can be seen as part of Russia's broader strategy to regain global influence, skirt sanctions via the weapons trade with South Africa, and counter the dominance of Western powers. In addition, China's Belt and Road Initiative (BRI) plays a significant role in Africa. The BRI aims to enhance connectivity and economic cooperation between China and countries along its routes, including many African nations. China has made substantial investments in infrastructure projects in Africa, such as ports, railways, and highways. While the BRI holds the potential for economic benefits, concerns exist regarding environmental impacts, debt sustainability, and equitable distribution of benefits. It is crucial to note that both Russia's involvement and China's use of the BRI in Africa are driven by their respective geopolitical and economic interests.
FROM THE MEDIA: The news article from teleSUR reports that Gennady Gatilov, Russia's permanent representative to the United Nations in Geneva, has warned of new threats of Western colonialism towards Africa. Gatilov claims that the West is exploiting Africa through neo-colonialism for its own benefit, which poses a threat to the continent. He suggests that Western countries are imposing their own rules on other countries and exploiting African nations to make profits, dictating how Africans should build their future. Gatilov adds that Western countries seek to turn Africa into a 'resource colony' for easy access to cheap raw materials, in exchange for limited benefits from Western civilization. The article also mentions that a delegation of African leaders arrived in St Petersburg to discuss potential solutions to the situation in Ukraine. This delegation included leaders from Zambia, the African Union, the Comoros, Senegal, South Africa, Egypt, the Congo, and Uganda.
READ THE STORY: TeleSUR
Russia secretly in war in Africa (Video)
FROM THE MEDIA: Wagner is estimated to have around 5,000 troops across Africa. Its contractors control strategic sites and mineral deposits. But Wagner's CEO, Prigozhin, uses the PMC as a springboard to score points with Putin.
How Russia Profits From African Coups (Video)
FROM THE MEDIA: From Mali to Sudan, Burkina Faso to Chad, coups have been spreading across Africa. In the midst of the chaos, Russia has seen an opportunity. The Kremlin is using disinformation and mercenaries to fuel instability in the region. This allows Russia to spread its influence while gaining access to valuable natural resources. In this episode, we investigate how Russia profits from instability in Africa.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.