Daily Drop (538): Fake Windows Update, HK's Crypto Grey Zones, Starlink: Dodging Space Junk, Rebuilding Ukraine, China AI Rules, TOITOIN, US Space Command: Russia-Ukraine
07-11-23
Tuesday, Jul 11, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Beware of Big Head Ransomware: Spreading Through Fake Windows Updates
Analyst Comments: The discovery of the Big Head ransomware highlights the creative and deceptive techniques that cybercriminals employ to trick users into falling for their schemes, such as imitating Windows updates or Word installers. This serves as a reminder for individuals and organizations to be vigilant about the authenticity of updates and software they download. Regularly updating legitimate software, employing robust cybersecurity solutions, and training users to spot potentially malicious behavior can help protect against such threats.
FROM THE MEDIA: A newly discovered ransomware named Big Head is being distributed as part of a malvertising campaign, imitating Windows updates and Word installers. The ransomware is designed to encrypt files on victims' machines, demanding a cryptocurrency payment in return. Big Head was first documented by Fortinet FortiGuard Labs, which noticed that the ransomware showed a fake Windows Update or Microsoft Word icon, indicating the ransomware was likely distributed as counterfeit software. The .NET-based ransomware, according to Trend Micro's analysis, deploys three encrypted binaries that propagate the malware, enable Telegram communications, and encrypt files while showing a fake Windows update. This ransomware is distinctive in its ability to delete backups, terminate processes, perform checks for virtualized environments, disable the Task Manager, and abort itself if the machine's language matches certain languages. The identity of the threat actor behind Big Head is currently unknown, but indications point towards an adversary likely of Indonesian origin.
READ THE STORY: THN
Mainland Chinese take advantage of Hong Kong’s crypto grey zones
Analyst Comments: This trend underscores the increasing global demand for cryptocurrencies and highlights the stark contrast in regulatory approaches between different jurisdictions. The fact that Chinese citizens are willing to travel internationally to purchase cryptocurrencies despite the mainland ban indicates a robust interest in the asset class, as well as potential regulatory arbitrage. The situation raises significant regulatory and law enforcement challenges. If this trend continues or grows, it may prompt both Hong Kong and mainland China to reconsider their regulatory frameworks to address the risks associated with the opaque nature of these transactions, such as money laundering and other illicit activities.
FROM THE MEDIA: Chinese citizens are making regular trips to Hong Kong to buy cryptocurrency because of its legal status in the semi-autonomous region, despite it being banned on the mainland. The lax regulations in Hong Kong, particularly for Over-The-Counter (OTC) crypto shops, make it easy for buyers to purchase cryptocurrencies, often without disclosing their identities or the origin of their funds. This influx of mainland Chinese customers to these shops has significantly increased their trading volumes. While online crypto exchanges in Hong Kong are required to obtain a license under a new regulatory framework, most OTC shops remain outside the jurisdiction of the Hong Kong Securities and Futures Commission.
READ THE STORY: FT
Starlink satellites are dodging objects in orbit thousands of times every month
Analyst Comments: The surge in avoidance maneuvers by Starlink satellites underscores the growing issue of space congestion, raising concerns about potential catastrophic collisions. This challenge is likely to intensify with more planned mega-constellations. The unintended electromagnetic radiation from these satellites is another concern, highlighting the need for robust regulations to safeguard radio astronomy bands. The situation calls for an international effort to manage space traffic and regulate satellite emissions effectively to balance technological advancement and space sustainability.
FROM THE MEDIA: SpaceX's Starlink satellites made over 25,000 avoidance maneuvers from December 1, 2022, to May 21, 2023, due to the increasing congestion in low Earth orbit. The company's collision avoidance threshold is stricter than the industry standard, initiating moves when the collision probability surpasses 1 in 100,000, compared to NASA and others' threshold of 1 in 10,000. Notably, this figure is double the avoidance maneuvers made in the previous reporting period, reflecting the growth of the Starlink constellation, which added 457 satellites during this period. Over 1,300 of these maneuvers were to avoid debris from Russia's November 2021 anti-satellite weapon test. Furthermore, a study found that Starlink satellites emit "unintended electromagnetic radiation" that could disrupt astronomical research, a concern that intensifies with larger constellations.
READ THE STORY: TC
Rebuilding Ukraine Is an Act of Resistance
Analyst Comments: The reconstruction of Ukraine in the aftermath of the Russian invasion is a daunting and costly task. However, the resilience and determination of the people, as well as the potential of sectors like technology, could play a significant role in the country's recovery. The vision for a freer, cleaner, and stronger Ukraine, while ambitious, demonstrates the country's commitment to not just rebuilding, but improving upon what was lost.
FROM THE MEDIA: The city of Irpin, northeast of Kyiv, Ukraine, has suffered extensive damage due to Russia's invasion, with homes, infrastructure, and businesses destroyed. Borys Yefimenko, who owned 10 cafés in the city, fled during the invasion and returned after Irpin was liberated to find significant devastation. He managed to salvage two of his cafés and has been slowly rebuilding his business. The UN estimates that at least 7,000 civilians have been killed, tens of thousands of Ukrainian soldiers have died, and around 14 million people have been displaced. Additionally, 150,000 homes have been destroyed or damaged, and a significant portion of the country's farmland has been rendered unusable. The economy contracted by 30% in 2022. Despite the devastation, there is a movement in Ukrainian society to build back better, with an emphasis on creating a freer, cleaner country with a stronger national identity. This ambitious recovery plan will involve stimulating new industries, leveraging technology, and restoring cultural institutions.
READ THE STORY: Wired
China to Lay Down AI Rules with Emphasis on Content Control
Analyst Comments: The new regulations, while aimed at preventing potential misuse of AI technology, may hamper innovation in China's tech industry due to the stringent control over the content created by AI. The requirement for companies to gain a license before releasing AI systems may also cause delays in the deployment of these technologies. It's important to note that while the rules mirror efforts worldwide to regulate AI, the high content control standards set by Beijing could prove more restrictive compared to regulations in the EU or US. Moreover, the potential for tech companies to be held almost fully responsible for AI-generated content could discourage the sharing and proliferation of AI models, stifling the broader development of this technology in China.
FROM THE MEDIA: China is set to introduce stringent licensing rules for generative artificial intelligence (AI), under new regulations from the Cyberspace Administration of China (CAC). The rules, which are tighter than draft regulations issued earlier, aim to balance Beijing's ambitions to lead in AI technology with its strict information control regime. The regulation requires AI content to embody "core socialist values" and forbids anything subversive to the state. The upcoming legislation has potentially significant implications for Chinese tech giants like Baidu and Alibaba, who recently rolled out generative AI applications.
READ THE STORY: FT
New TOITOIN Banking Trojan Targeting Latin American Businesses
Analyst Comments: The TOITOIN banking trojan represents a serious cybersecurity threat for businesses in the LATAM region, given its sophistication and targeted nature. Its multi-stage infection chain and the use of custom-developed modules indicate a high degree of technical proficiency by the threat actors, enhancing its ability to bypass conventional security measures. The trojan's ability to manipulate system files and execute commands with elevated privileges could result in significant data breaches and financial losses.
FROM THE MEDIA: Since May 2023, businesses operating in the Latin American (LATAM) region have been targeted by a new Windows-based banking trojan named TOITOIN. Zscaler researchers describe the trojan as having a multi-stage infection chain that uses specially crafted modules to carry out malicious activities, including injecting harmful code into remote processes, circumventing User Account Control, and evading sandbox detection. The infection begins with a phishing email that uses an invoice-themed lure and contains a link to a ZIP archive hosted on an Amazon EC2 instance. The trojan can gather system information and harvest data from installed web browsers. It also checks for the presence of Topaz Online Fraud Detection, a module integrated into LATAM banking platforms.
READ THE STORY: THN
Russia-Ukraine war holds key lessons for US Space Command
Analyst Comments: The lessons from the Russia-Ukraine war underscore the significance of space and cyberspace in modern warfare. As cyberattacks and NAVWAR tactics increase, it becomes essential for nations, particularly those with significant space infrastructure like the U.S., to enhance their defensive and potentially offensive capabilities. The role of China in space operations, along with Russia, represents an additional challenge for U.S. space operations. The key takeaway is the need for robust, multifaceted strategies to protect space and cyber assets and to understand and counteract enemy tactics in these domains.
FROM THE MEDIA: U.S. Space Command's deputy commander, Lt. Gen. John Shaw, has shared key insights from the Russia-Ukraine war that the U.S. military is considering for space defense strategies. First, the war highlighted the vulnerability of satellite communication (satcom) networks to cyberattacks, which caused significant outages in Europe and emphasized the intertwined nature of the cyber and commercial space domains. Second, satcom jamming, a technique used by both Russian and Ukrainian forces to interfere with satellite communications, has influenced the tactical maneuvering of satellites. Lastly, the conflict has exhibited the largest scale of Navigation Warfare (NAVWAR) - the intentional disruption of positioning, navigation, and timing capabilities - ever seen, prompting nations to reevaluate their GPS systems and the U.S. to prepare for offensive NAVWAR engagements. The U.S. Joint Navigation Warfare Center, established in 2004, has been tasked with ensuring positioning, navigation, and timing superiority for the Department of Defense.
READ THE STORY: The Hill
Intel patches buggy Sapphire Rapids Xeons, resumes shipments
Analyst Comments: The temporary halt in shipments of Intel's Sapphire Rapids processors due to a bug underscores the complexity and challenges associated with chip design and manufacturing. It also highlights the necessity of rapid and efficient response mechanisms to address such problems. Given that the bug did not seem to appear when the processors were running commercially available software, it is reassuring that the issue seems not to have had a broad impact on the end users. The prompt resolution of this issue should contribute to maintaining customer confidence in Intel's product line.
FROM THE MEDIA: Intel has resumed shipments of its 4th-Gen Xeon Scalable processors, known as Sapphire Rapids, after halting them due to a bug that could interrupt system operation on processors with between eight and 32 cores under certain conditions. Intel has now addressed the issue with a firmware update. However, the company did not provide details about the cause of the problem or the conditions under which it occurred. Notably, Intel's high-core-count and high-bandwidth memory (HBM) equipped Xeons are unaffected by this bug. Users with medium-core-count Sapphire Rapids Xeons are encouraged to apply the patch.
READ THE STORY: The Register
Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari
Analyst Comments: The discovery of this zero-day vulnerability highlights the constant security threats that tech companies, like Apple, face, and the ongoing need for timely and effective responses. The fact that the flaw has been actively exploited makes it particularly severe, emphasizing the importance of patching vulnerabilities as quickly as possible.
FROM THE MEDIA: Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and the Safari web browser to fix a zero-day flaw (CVE-2023-37450), which has been actively exploited. The flaw in WebKit could allow threat actors to execute arbitrary code when processing specially crafted web content. The person who discovered and reported the flaw wished to remain anonymous. The updates are for devices running iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1, macOS Big Sur, and macOS Monterey. This year, Apple has already dealt with ten zero-day vulnerabilities. The updates were released after Apple patched three zero-days connected to an espionage campaign known as Operation Triangulation.
READ THE STORY: THN
Genesis Market gang tries to sell platform after FBI disruption
Analyst Comments: The attempted sale of Genesis Market indicates a potential shift in cybercriminal activity. While the platform's operations have been significantly impacted by law enforcement operations, it remains to be seen whether its unique IMPaaS model will be replicated or further developed by other cyber criminals.
FROM THE MEDIA: The cybercriminals behind Genesis Market, a cyber fraud platform, are trying to sell their operation after it was targeted by an FBI-led operation three months ago, resulting in the seizure of their clear web domains and their inclusion on the U.S. Treasury's sanctions list. Genesis Market, unlike its competitors, didn't just sell stolen data and credentials but also allowed criminals to use a custom browser extension to impersonate victims, in what has been described as an impersonation-as-a-service (IMPaaS) model. Despite law enforcement's actions, the platform's dark web mirror remained active, although its activities saw a significant decrease. Genesis Market's operators are now advertising the platform for sale, including its developments, source codes, scripts, and server infrastructure, on darknet hacking forums.
READ THE STORY: The Record
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign
Analyst Comments: The continual evolution of SCARLETEEL's methods demonstrates the adaptability and persistence of threat actors, who regularly update their techniques to overcome new security measures. Their focus on cloud environments like AWS, a popular choice for many businesses, underscores the importance of maintaining up-to-date security practices. The use of cryptocurrency miners for revenue generation also highlights the need for vigilance and robust defenses against such threats.
FROM THE MEDIA: Advanced threat campaign SCARLETEEL, previously known for its attacks on cloud environments, is now targeting Amazon Web Services (AWS) Fargate. Cybersecurity firm Sysdig reports that the attackers are adapting their tools and techniques to bypass new security measures, making their command and control architecture more resilient and stealthy. The attack chain usually culminates in the theft of proprietary data and the deployment of cryptocurrency miners on compromised systems. The SCARLETEEL campaign was initially exposed in February 2023. In the latest activities, attackers exploit vulnerable public-facing web applications to gain control over AWS accounts, aiming for persistence, intellectual property theft, and potential revenue generation via crypto miners.
READ THE STORY: THN
Russia’s Nuclear Diplomacy Falls Behind Expectations in Africa
Analyst Comments: Russia's nuclear power initiatives in Africa have the potential to significantly alter the continent's energy landscape and drive economic development. However, the realization of these ambitions is met with numerous challenges. While some African nations have welcomed Russia's nuclear investments, others have been skeptical due to concerns over cost, safety, and transparency. The falling cost of renewable energy technologies like wind and solar poses a competitive challenge to the economic viability of nuclear power projects. Russia's push for nuclear energy also raises geopolitical questions about its intentions in Africa, particularly in the context of its competition with other global powers like China and the US.
FROM THE MEDIA: Russia, primarily through its state-owned nuclear company Rosatom, is pursuing a strategy of building nuclear power plants across Africa. This move aims to address the chronic energy shortages in many African nations, provide Rosatom with a vast new market, and expand Russia's global geopolitical influence. Countries such as Egypt and South Africa have seen significant negotiations and investments from Russia for nuclear power development. However, the approach has encountered hurdles, including concerns about high costs, safety risks, and potential corruption.
READ THE STORY: Modern Diplomacy
Items of interest
Apple users urged to install zero-day patch amid fresh spyware fears
Analyst Comments: The fact that Apple has issued an emergency patch suggests the presence of a serious security threat. It's crucial for users to update their software immediately to prevent potential cyber-attacks. The situation also highlights the ongoing challenges technology companies face in protecting their systems against constantly evolving cyber threats. Additionally, this event emphasizes the need for consumers to stay vigilant and regularly update their devices to safeguard against potential vulnerabilities.
FROM THE MEDIA: Apple has released an emergency patch to address zero-day exploits affecting its products, including iPads, iPhones, and Macs. Cybersecurity firm Sophos has strongly advised users to install the patch immediately due to the critical nature of the threat. These zero-day exploits are system vulnerabilities that cybercriminals have discovered and exploited before cybersecurity professionals have had an opportunity to address them. While patches for macOS Ventura 13.4.1, iOS 16.5.1, and iPadOS 16.5.1 have been released, Sophos states that updates for other platforms may still be forthcoming.
READ THE STORY: Cybernews
Zero Days (Video)
FROM THE MEDIA: From Academy Award-winning filmmaker Alex Gibney (Going Clear: Scientology and the Prison of Belief), #ZeroDays tells the story of Stuxnet, a self-replicating computer malware known as a "worm" for its ability to burrow from computer to computer on its own. The U.S.A. and Israel unleashed the virus to destroy a key part of an Iranian nuclear facility, and it ultimately spread beyond its intended target. It's the most comprehensive accounting to date of how a clandestine mission hatched by two allies with clashing agendas opened forever the Pandora's Box of cyber-warfare.
From Zero to Zero Day (Video)
FROM THE MEDIA: “In this talk, I will share my story of how in a little over a year, a high school student with almost zero knowledge in security research found his first RCE in Edge.”
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.