Daily Drop (535): NXP Semiconductors, US Tech War, Federal judge: Disinformation, Chinese OS: OpenKylin, TA453, OPERA1ER
07-07-23
Friday, Jul 07, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
After TSMC, NXP Semiconductors says no material impact from Chinese export curbs
Analyst Comments: This reaction from NXP and TSMC suggests that at least for the short term, some global chipmakers do not foresee significant disruption from China's export curbs. However, given the critical role of gallium and germanium in the semiconductor and electric vehicle industries, the situation will likely remain fluid, necessitating continuous monitoring and adjustment by these firms. The restrictions further highlight the increasing geopolitical tensions in the technology sector and the need for companies to diversify their supply chains to mitigate risk.
FROM THE MEDIA: NXP Semiconductors, the Netherlands-based chipmaker, does not anticipate any substantial impact on its business operations following China's decision to impose export restrictions on certain gallium and germanium products. The company, which manufactures some chips for the auto and communication sectors using these elements, reassured stakeholders after conducting an initial review of the Chinese government's policy. Taiwan's TSMC, the world's largest contract chipmaker, similarly stated it does not expect the restrictions to directly impact its production.
READ THE STORY: ET
US tech war on Beijing heats up, Yellen fears impact on global economy
Analyst Comments: The trip is an attempt to manage growing tensions between the US and China, especially in technology and trade. While the US has been restricting access to key technologies, China has been working to become more self-sufficient, a move that could harm American companies in the long run. The visit by Yellen may help reduce tensions, although major breakthroughs are not expected. The meeting is crucial for the global economy, as any escalation in tensions could have far-reaching consequences. The emphasis is likely to be on finding common ground and establishing ongoing communication channels, with the understanding that not all issues will be resolved in one trip.
FROM THE MEDIA: US Treasury Secretary Janet Yellen will visit China for three days to discuss a wide range of economic issues, including trade restrictions and bilateral ties, which deteriorated earlier this year. The trip follows a visit by US Secretary of State Antony Blinken and recent controversial comments by President Biden referring to Xi as a "dictator". A key issue for China is the US restrictions on semiconductors and related technology, with reports that further restrictions could be announced soon. In response, China has curbed the export of certain materials used in the chip industry and threatened retaliation. The US does not anticipate major breakthroughs from this trip, but hopes to establish long-term communication channels.
READ THE STORY: Almayadeen
Federal judge issues injunction limiting officials’ ability to control disinformation
Analyst Comments: The decision highlights the complexity of balancing free speech rights with the need to control misinformation, particularly in the context of elections. While the injunction seeks to preserve constitutional free speech rights, it also raises questions about how best to maintain the integrity of the information environment without infringing on those rights. The ruling suggests that more transparent communication about the government's anti-disinformation efforts might be a suitable strategy. The decision underscores the contentious nature of these issues and signals further debate over the role of government and the private sector in managing information dissemination, how harmful misinformation and disinformation are defined, and where the balance between free speech and public safety should lie.
FROM THE MEDIA: A federal court decision ruled that the Biden administration must limit its contact with social media platforms in trying to control what the court deemed as protected speech. This decision is in response to a lawsuit filed by two Republican state attorneys general. The attorneys general argue that the administration's efforts to control misinformation and disinformation infringe upon Americans' First Amendment rights. This ruling has significant implications for the upcoming 2024 election cycle, where disinformation is seen as a major threat. Multiple agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), Justice Department, Centers for Disease Control, and Department of Homeland Security, are impacted by this injunction.
READ THE STORY: The Record
China releases its first open-source computer operating system
Analyst Comments: This release underscores China's intensified efforts to enhance its technological self-reliance amid ongoing tensions with the U.S. The development of OpenKylin could have significant implications for the global tech companies that currently dominate the Chinese market, particularly Microsoft and Apple. However, it will be crucial to monitor user adoption rates and whether OpenKylin can offer a viable and competitive alternative to established operating systems.
FROM THE MEDIA: China has launched its first domestic open-source desktop operating system, called OpenKylin, in an attempt to reduce its dependency on U.S. technology. The operating system, based on Linux, was developed by a community of roughly 4,000 developers and is already being used in various sectors, including finance, energy, and China's space program. The move is part of China's broader goal of creating an operating system independent of U.S. technology, with over a dozen Chinese companies seeking to develop alternatives to Microsoft's Windows and Apple's macOS.
READ THE STORY: Yahoo
Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
Analyst Comments: This incident highlights TA453's growing capability for multi-platform attacks, signaling a broader potential threat landscape. The use of a new backdoor, GorjolEcho, and the macOS-specific chain, NokNok, demonstrates the group's ongoing development and adaptation of its malware tools. The group's persistence and the sophistication of its campaigns underscore the serious nature of the threat it poses. Defenders should take note of these developments and ensure they have robust protections in place against such multi-platform, evolving threats.
FROM THE MEDIA: Iranian nation-state actor TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, has been associated with a new series of spear-phishing attacks infecting both Windows and macOS systems with malware. The threat group, linked to Iran's Islamic Revolutionary Guard Corps (IRGC), deployed a novel infection chain through various cloud hosting providers, using a new PowerShell backdoor named GorjolEcho. Upon detecting that a target was using an Apple computer, TA453 altered its approach, deploying a macOS-specific infection chain called NokNok. This incident demonstrates TA453's continued evolution of its malware arsenal and the difficulty of detecting such sophisticated, multi-platform attacks.
READ THE STORY: THN
Charming Kitten targets nuclear security experts in “unending espionage quest”
Analyst Comments: The activities of Charming Kitten underscore the persistent and evolving nature of cyber threats posed by nation-state actors. By impersonating reputable experts and leveraging benign initial communication, the threat actor demonstrates the sophisticated methods employed in modern cyberespionage. This report underscores the need for individuals and organizations to maintain vigilance and strong cybersecurity measures. It also underlines the importance of cybersecurity research in uncovering, understanding, and mitigating such threats.
FROM THE MEDIA: Charming Kitten, an Iran-linked threat actor also known as TA453, APT42, Mint Sandstorm, and Yellow Garuda, has been targeting nuclear and Middle East experts in an ongoing cyberespionage campaign. Cybersecurity company Proofpoint reports that the group impersonates well-known professionals in an attempt to compromise high-value accounts across government, academia, NGOs, national security, and journalism. The group reportedly sends seemingly harmless emails to their targets before using multi-persona impersonation to establish rapport and spread malware. Proofpoint suggests that Charming Kitten is acting in support of the Islamic Revolutionary Guard Corps' Intelligence Organization. The threat actor is known for adapting its infection chain to evade detection and continues its espionage efforts uninterrupted.
READ THE STORY: Cyber News
Researchers Uncover New Linux Kernel 'StackRot' Privilege Escalation Vulnerability
Analyst Comments: The discovery of StackRot underscores the necessity of regular security checks and updates in system infrastructures. While there is no evidence of the flaw being exploited in the wild, the potential for privilege escalation poses a significant risk. System administrators using affected Linux versions are encouraged to update their systems promptly to the patched versions to mitigate the potential threat.
FROM THE MEDIA: A newly discovered security vulnerability in the Linux kernel, termed StackRot (CVE-2023-3269), could allow users to gain elevated privileges on a target host. The flaw, which has a CVSS score of 7.8, affects Linux versions 6.1 to 6.4. StackRot is found in the memory management subsystem of the Linux kernel and can be triggered with minimal capabilities. Exploiting the vulnerability, however, is considered challenging due to the delay in actual memory de-allocation. A patch for this flaw was released on July 1, 2023, and a proof-of-concept exploit, along with additional technical specifics, is expected to be public by the end of the month.
READ THE STORY: THN
INTERPOL Nabs Hacking Crew OPERA1ER's Leader Behind $11 Million Cybercrime
Analyst Comments: The arrest of a key OPERA1ER member highlights the increasing effectiveness of international cooperation in cybercrime investigations. This development is a significant win for law enforcement and underlines the importance of public-private partnerships in combating cybercrime. The modus operandi of the group, including spear-phishing attacks, the use of remote access trojans, and the long-term persistence in compromised networks, underscores the need for organizations to maintain robust, multi-layered cybersecurity defenses. The fact that the group carried out its operations in multiple languages also emphasizes the global nature of cyber threats and the necessity for organizations to factor in such complexities in their security strategies.
FROM THE MEDIA: A senior member of OPERA1ER, a French-speaking hacking group, has been arrested in an international law enforcement operation named Nervone, according to an announcement by Interpol. The group, also known as Common Raven, DESKTOP-GROUP, and NX$M$, is suspected of stealing between $11 million and $30 million through more than 30 attacks in 15 countries across Africa, Asia, and Latin America. The arrest was carried out by authorities in Côte d'Ivoire, with support from the U.S. Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs. OPERA1ER is known for targeting banks, financial services, and telecom companies, and uses spear-phishing tactics and off-the-shelf remote access trojans for post-exploitation activities.
READ THE STORY: THN
Nickelodeon says some of allegedly stolen data ‘appears to be decades old’
Analyst Comments: This alleged data breach emphasizes the persistent vulnerability of media and entertainment companies to cyberattacks. The incident brings to light not only the potential economic impact but also the potential disruption to creative endeavors and upcoming productions. The data breach could reveal trade secrets, disrupt production schedules, and affect future releases, with substantial reputational damage. It is crucial for organizations to implement robust cybersecurity measures to safeguard their intellectual property and proprietary data, especially in industries like media and entertainment, where creative content has high intrinsic value.
FROM THE MEDIA: Nickelodeon, a leading children's television network, is currently investigating a suspected data breach following claims by hackers that they have stolen approximately 500 GB of data. The leaked data reportedly includes decades-old information from the Nickelodeon animation department, with folders on popular shows like Rugrats, Avatar: The Last Airbender, SpongeBob SquarePants, and more. Cybersecurity experts from vx-underground stated the leaks contain details on unreleased television shows and scripts, among other things. Nickelodeon's spokesperson confirmed they were aware of the unauthorized release of production-related files and have launched an investigation. The company, however, did not clarify whether the data leak was the result of a cyberattack or hack.
READ THE STORY: TheRecord
Silentbob Campaign: Cloud-Native Environments Under Attack
Analyst Comments: This discovery highlights the critical need for robust security measures within cloud environments, especially given the complex nature of this attack infrastructure and its use of a cloud worm. Cybersecurity teams should closely monitor their cloud-native environments, keep software up-to-date, and ensure proper configuration of APIs to prevent similar intrusions.
FROM THE MEDIA: A potentially extensive campaign against cloud-native environments has been detected by cybersecurity researchers. The attack infrastructure, codenamed Silentbob, is in the early stages of deployment and is primarily comprised of a cloud worm designed to exploit exposed JupyterLab and Docker APIs. The worm's purpose is to deploy Tsunami malware, hijack cloud credentials, commandeer resources, and propagate further worm infestations. Cybersecurity firm Aqua believes the campaign may be connected to the notorious cryptojacking group TeamTNT, though it might also be the work of an advanced copycat. The campaign was uncovered after a series of attacks on Aqua's honeypot, leading to the discovery of four malicious container images. These images, since taken down by Docker, were designed to seek out exposed Docker and JupyterLab instances and then install a cryptocurrency miner and the Tsunami backdoor.
READ THE STORY: THN
Cyber agencies warn of new TrueBot malware variants targeting US and Canadian firms
Analyst Comments: This advisory highlights an evolving threat landscape where cybercriminals continuously adapt their tactics and tools to exploit new vulnerabilities and enhance the effectiveness of their attacks. This development is concerning given the potential high impact of such attacks, which could lead to significant data loss and financial damage.
FROM THE MEDIA: U.S. and Canadian cybersecurity agencies have issued a joint advisory warning about an increase in financially motivated TrueBot malware activity. The TrueBot botnet has been utilized by threat groups, such as the Clop ransomware gang, to exfiltrate data from compromised devices. The malware, developed by a Russian-speaking hacking group known as Silence, traditionally spread through phishing emails. However, the threat actors have now shifted their tactics, using new variants that exploit a remote code execution (RCE) vulnerability in the Netwrix Auditor application. Cybersecurity researchers began to notice a surge in TrueBot activity following the disclosure of the Netwrix Auditor vulnerability in mid-2022. The advisory does not specify the victims or the number of organizations targeted but offers details on detecting the malware and mitigating its effects.
READ THE STORY: The Record
Russian railway site allegedly taken down by Ukrainian hackers
Analyst Comments: This incident underscores the vulnerability of critical infrastructure to cyberattacks and the potential for such incidents to cause significant disruption. The attack on RZD aligns with the escalating cyber warfare dynamics observed in the ongoing conflict between Russia and Ukraine. Disrupting a state-run railway system not only affects civilian logistics but can also potentially disrupt military movements. Because such attacks can cause significant economic and operational impacts, the incident emphasizes the need for robust cybersecurity measures and resilience strategies in critical sectors. It also highlights the role hacktivist groups can play in the broader conflict, conducting operations independently of state actors.
FROM THE MEDIA: Russian state-owned railway company, RZD, reported that its website and mobile app were incapacitated for several hours due to a "massive" cyberattack, making ticket purchases possible only at railway stations. The attack, claimed by the Ukrainian hacktivist group IT Army, left RZD's system down for at least six hours. Although RZD later announced it had resumed operations, some online services remain inaccessible due to increased load. This attack marks the second such cyberattack on RZD since the beginning of the war in Ukraine, with the first incident in February involving a distributed denial-of-service (DDoS) attack.
READ THE STORY: The Record
New law could allow GCHQ to monitor UK internet logs in real-time to tackle fraud
Analyst Comments: The proposed law represents a significant expansion of state surveillance powers in the UK, with potential implications for privacy and civil liberties. While the intention of tackling fraud and other serious crimes is commendable, the broad application of this proposed measure may face opposition on civil liberties grounds. Furthermore, the technical feasibility of implementing real-time monitoring remains uncertain, given the complexity and resources required to implement and effectively use ICRs. This proposal will likely fuel ongoing debates about the balance between security and privacy in the digital age, and the role of state agencies in monitoring online activities.
FROM THE MEDIA: The UK government is considering a new law that would enable the country's cyber and signals intelligence agency, GCHQ, to monitor logs of domestic internet traffic in real time to identify online fraud and intervene while crimes are in progress. The proposal follows calls for an overhaul of the government's approach to fraud, which costs an estimated £4.7 billion ($5.3 billion) annually. Less than 8% of reported fraud crimes are investigated. The plan raises questions about the technical feasibility of real-time monitoring and potential civil liberties implications. The government's use of internet connection records (ICRs), a type of data that telecoms operators in the UK are required to retain for up to a year, would be a central element of the proposal. Currently, ICRs can only be used to identify individuals suspected of a crime, not to develop new suspects.
READ THE STORY: The Record
JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident
Analyst Comments: JumpCloud's swift response to the security incident demonstrates the company's commitment to protecting its clients' data. However, the incident could result in temporary disruptions for affected customers. The situation highlights the importance of robust API security measures to prevent potential breaches. The lack of details regarding the incident's specifics or scale could lead to some criticism for JumpCloud, with customers likely seeking more transparency about the issue. Affected clients should follow JumpCloud's advice to promptly reset their API keys and stay updated on further developments or announcements related to the incident.
FROM THE MEDIA: JumpCloud, a cloud-based identity and access management solutions provider, has experienced a cybersecurity incident affecting some of its clients. In response, the company has reset the application programming interface (API) keys for all impacted customers to protect their data. This reset will disrupt several functionalities, such as Active Directory imports, HRIS integrations, JumpCloud PowerShell modules, and others. JumpCloud is providing support to clients needing assistance with resetting or re-establishing their API keys and is encouraging all affected clients to reset their keys promptly. While specifics of the incident are not currently available, the company is actively addressing the situation. The incident underscores the importance of API security.
READ THE STORY: THN
Items of interest
Iran's Charming Kitten Group Evolves Its Tools and Tactics
Analyst Comments: TA453's evolution of its infection chains demonstrates its adaptability and commitment to pursuing targets of interest. The use of a multi-cloud approach featuring Google Scripts, Dropbox, and CleverApps is likely aimed at minimizing disruption from threat hunters. TA453's adoption of Mach-O compatible malware signals its intent to extend its reach to macOS users. Continued vigilance and strengthening of cyber defenses are necessary to counter this group's evolving tactics. It is also crucial to educate potential targets about such threat actors' tactics so they can identify and report suspicious activity.
FROM THE MEDIA: The Charming Kitten group, also known as TA453 or APT42, is a state-sponsored Iranian cyber threat group known for its focus on diplomats, foreign policy experts, and government officials. In a recent operation identified by Proofpoint, the group deployed a new infection chain and lure targeting a nuclear security expert at a U.S. think tank. The attackers began with a benign email and followed up with a second one containing a malicious macro that pointed to a Dropbox URL hosting a .rar file. This file contained an LNK file which, when executed, deployed a PowerShell backdoor known as GorjolEcho. When they realized the backdoor was ineffective because the target used a macOS machine, they redesigned their infection chain and introduced a new backdoor named NokNok, hidden in a ZIP archive disguised as a VPN client.
READ THE STORY: DUO
Brighten Up the Ideal Sky: An Inside View of Charming Kitten’s Operations and Support to the IRGC (Video)
FROM THE MEDIA: In a webinar, Joshua Miller, a Senior Threat Researcher at Proofpoint, will provide a comprehensive inside view of the operations of TA453, also known as Charming Kitten, an Iranian nation-state actor linked to Iran's Islamic Revolutionary Guard Corps (IRGC). Miller will explore the various spear-phishing techniques TA453 employs to engage its targets and identify deviations from its usual tactics when dealing with particularly high-value targets. The analysis will provide insight into how TA453 adapts its strategies to maximize its chances of success.
The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker (Video)
FROM THE MEDIA: “When our intel team talks about human error, we usually focus on the victim of a security incident. But in the investigation we ran in the past year, we flipped the script to highlight how the continued operational security errors of a prolific, state-sponsored threat group reveal intimate details of their entire operation. Through very simple but persistent mistakes made by the adversary, likely based in Iran, we continued to learn the innermost details of the operations of a group we track as ITG18, better known as "Charming Kitten". This group targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development, recording the victims' most private chats, emails, and even photos.”
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.