Daily Drop (541): China: Cyber Skilled, Zimbra warning, CISA Alert, Satellite Security, ViaSat issues, AVrecon spreads, Taiwan: Weather Sat, Solomon Islands: Cyber Policy, Inspur warnings
07-14-23
Friday, Jul 14, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Microsoft Email Hack Shows Greater Sophistication, Skill of China’s Cyberspies
Analyst Comments: The reported increase in the sophistication of Chinese state-backed hacking operations could pose significant threats to U.S. national security and corporate interests. This shift towards more targeted and stealthy attacks may make these operations harder to detect and defend against. The fact that senior U.S. officials' accounts have been compromised signifies the scale of the threat. If these allegations are accurate, they will likely exacerbate tensions between the U.S. and China, potentially straining diplomatic relations further and intensifying ongoing cybersecurity concerns.
FROM THE MEDIA: A network of Chinese state-backed hackers is alleged to have infiltrated the email accounts of senior U.S. officials, including Commerce Secretary Gina Raimondo. The attack demonstrated a significant increase in the group's sophistication, alarming U.S. cybersecurity officials. These hackers have transitioned from noisy, large-scale data heists to more stealthy, targeted attacks that can evade detection for extended periods. The latest hack focused on Microsoft email accounts, suggesting that the hackers have the capacity to infiltrate high-level computer networks. While the U.S. has not formally accused China of the attack, Microsoft has attributed it to a Chinese hacking group.
READ THE STORY: WSJ
Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation
Analyst Comments: The Zimbra and Cisco vulnerabilities underscore the ongoing risk and need for vigilance in software security. As these instances demonstrate, even well-established software can contain flaws that put user data and systems at risk. The proactive response from both Zimbra and Cisco in addressing these flaws and providing remediation measures is commendable, but organizations should ensure they promptly apply these patches and continue to monitor their systems for potential threats.
FROM THE MEDIA: Zimbra, the email software company, has issued a warning about a critical zero-day vulnerability in its Collaboration Suite Version 8.8.15 that is currently being exploited in the wild. This flaw could potentially compromise user data's confidentiality and integrity. The company has addressed this issue and anticipates its inclusion in the July patch release. In the meantime, Zimbra has recommended a manual fix for customers to mitigate the attack vector. The flaw, an instance of cross-site scripting (XSS), was discovered during a targeted attack and reported by Google Threat Analysis Group researcher Clément Lecigne. In other security news, Cisco has released patches to fix a critical vulnerability in its SD-WAN vManage software (CVE-2023-20214, CVSS score: 9.1) that could allow unauthorized, remote attackers to gain read or limited write permissions to the software's configuration. Cisco has addressed the flaw in multiple versions of the software and is not aware of any malicious exploitation.
READ THE STORY: THN
Satellites lack standard security mechanisms found in mobile phones and laptops
Analyst Comments: The findings indicate significant potential cybersecurity risks in satellite technology. The lack of modern security mechanisms and the heavy reliance on security through obscurity could make these critical infrastructures vulnerable to hacking attempts. This study emphasizes the need for a paradigm shift in satellite cybersecurity to incorporate robust security practices commonly used in modern technology. The researchers' initiative to bridge the gap between satellite developers and the security community is commendable, potentially leading to improved understanding and the application of more rigorous security standards in satellite technology.
FROM THE MEDIA: A team of researchers from Bochum and Saarbrücken, led by Johannes Willbold, Dr. Ali Abbasi, and Professor Thorsten Holz, conducted a comprehensive security analysis of three low-Earth orbit satellites. They found that many modern security concepts, standard in mobile phones and laptops, were not implemented in these satellites. The industry was found to rely mainly on security through obscurity, which relies on the absence of system documentation to deter potential attacks. The researchers pointed out that even with no documentation, vulnerabilities can be identified through reverse engineering.
READ THE STORY: HelpNetSecurity
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries
Analyst Comments: The discovery of AVrecon emphasizes the growing cyber threats targeting SOHO routers, often seen as easy targets due to their lack of robust security measures. This botnet's size and potential for various cybercrimes, including ad fraud and data exfiltration, pose significant risks. Therefore, individuals and organizations with SOHO routers must ensure they adopt strong security measures, including keeping their devices' firmware updated, changing default credentials, and using strong, unique passwords.
FROM THE MEDIA: Lumen Black Lotus Labs has discovered a new malware strain, named AVrecon, that has been secretly targeting small office/home office (SOHO) routers for over two years. This malware has infiltrated more than 70,000 devices and created a botnet with 40,000 nodes across 20 countries, making it one of the largest SOHO router-targeting botnets to date. Its purpose appears to be creating a covert network for a variety of criminal activities ranging from password spraying to digital advertising fraud. The majority of these infections are located in the U.K. and the U.S., followed by several other countries.
READ THE STORY: THN
Taiwan flags space ambition with domestically developed weather satellite
Analyst Comments: This development reflects Taiwan's resilience and determination to advance its technological capabilities amid ongoing geopolitical tensions. The successful creation of a domestically produced satellite leverages Taiwan's established strengths in semiconductor and precision manufacturing, positioning the nation favorably in the global space industry. The satellite's intended purpose of better predicting natural disasters could potentially save lives and resources, adding a humanitarian dimension to this technological achievement.
FROM THE MEDIA: Taiwan's President Tsai Ing-wen announced the development of the country's first domestically built weather satellite, Triton, emphasizing its significance in the growth of the nation's space industry. Over 80% of the Triton satellite's components were developed and produced in Taiwan, including a proprietary global navigation satellite system. The Triton satellite, to be launched in September from French Guiana, will operate in a low-Earth orbit of approximately 550-650 km, collecting sea surface wind data to enhance typhoon and heavy rain predictions. Taiwan's strategic plan includes using satellites for internet services in the event of communication disruption caused by potential Chinese aggression.
READ THE STORY: Reuters
Solomons says China will assist in cyber, community policing
Analyst Comments: The Solomon Islands' new policing deal with China is indicative of the ongoing geopolitical realignments in the Pacific region. The move seems to be part of a broader trend where Pacific Island nations are broadening their security partnerships amidst growing international tensions. However, the agreement has been met with skepticism and concern by traditional Western allies, underlining the strategic competition between China and the West in the region. The Solomon Islands' decision to engage with China could have implications for regional security dynamics, and it will be crucial to watch how these developments influence the balance of power in the Pacific region.
FROM THE MEDIA: The Solomon Islands has defended its policing agreement with China amidst criticism from Australia, the United States, New Zealand, and its own opposition party. The critics are calling on Prime Minister Manasseh Sogavare to release the details of the deal, expressing concerns over potential regional conflict. In response, Sogavare's office stated that the arrangement was intended to enhance the capability of its police force in areas like cybersecurity and community policing and was not a threat to regional peace. The statement also pointed out that Australia and New Zealand already provide policing support to the Solomon Islands. The country, which holds a strategic position in the Pacific, previously pledged support for China's Global Development Initiative and Global Security Initiative.
READ THE STORY: Nikkei Asia
Viasat reveals problems unfurling huge antenna on powerful new broadband satellite
Analyst Comments: This development is a setback for Viasat and may potentially impact its ambitious plans for global, space-based internet coverage. Viasat-3 Americas is the first of a planned trio of satellites aimed at covering most of the globe with high-speed internet access. Depending on the severity of the problem and the effectiveness of any potential remedial measures, this could delay or disrupt Viasat's plans. For now, the incident underscores the challenges of satellite deployment and the risks associated with space ventures. However, Viasat has indicated that current customers will not be affected and they might relocate a subsequent ViaSat-3 satellite to ensure the provision of additional bandwidth for the Americas.
FROM THE MEDIA: The ViaSat-3 Americas satellite, launched atop a SpaceX Falcon Heavy rocket on April 30, has encountered issues with the deployment of its large mesh antenna, a critical component for providing hemispheric access to high-speed internet. The satellite operator, Viasat, and its reflector provider are currently reviewing the deployment to determine the impact and possible remedial measures. The issue led to a sharp drop in Viasat's shares. The satellite, which can handle up to 1 terabyte of data per second, was expected to begin providing space-based internet access to the western hemisphere this summer.
READ THE STORY: CBSNEWS
Inspur warns of profit plunge as sanctions bite
Analyst Comments: The ongoing situation poses a significant challenge for Inspur, which has lost its competitive edge in markets outside China due to the US sanctions. The firm's struggles might open up opportunities for other server manufacturers like Dell, HPE, and Lenovo, who could gain a larger market share as a result. The sanctions effectively limit Inspur's ability to cater to the global demand for servers and tech components, which might result in a reshuffling of market dynamics.
FROM THE MEDIA: Chinese server manufacturer Inspur has issued a profit warning, anticipating a 60-70% drop in profit and a 30% decrease in revenue for H1 2023. The company has attributed these losses to a worldwide shortage of GPUs and special-purpose chips. However, the US sanctions implemented in March 2023 are also a likely significant contributor to the decline. Inspur was added to the US export ban list for allegedly sourcing US-origin items for China's military modernization efforts. Given that Inspur is a major supplier for global tech giants such as IBM and Cisco, the restrictions may force their clients to seek components like Xeons, Epycs, and Nvidia accelerators elsewhere.
READ THE STORY: The Register
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland
Analyst Comments: The increased cyber warfare against Ukraine and Poland underscores the escalating geopolitical tensions in the region and the evolving digital frontlines of these conflicts. The threats are becoming more sophisticated, leveraging multistage infection chains and blending legitimate and malicious elements to evade detection. The continued activity of nation-state affiliated threat actors like GhostWriter, APT28, and APT29, suggests that cyber espionage and sabotage will continue to be primary tactics in the ongoing conflicts.
FROM THE MEDIA: Ukraine and Poland's government entities, military organizations, and civilian users have been under cyberattack campaigns that aim to steal sensitive data and establish persistent remote access to compromised systems. The campaign, spanning from April 2022 to July 2023, uses phishing and decoy documents to deploy malware called PicassoLoader, which then enables the launch of Cobalt Strike Beacon and njRAT. These attacks are attributed to a threat actor called GhostWriter, which reportedly aligns with the Belarusian government's priorities. Furthermore, Russia-associated hacker groups, including APT28 and APT29, have also been seen targeting Ukraine with similar tactics.
READ THE STORY: THN
CISA gives US civilian agencies until August 1 to resolve four Microsoft vulnerabilities
Analyst Comments: The inclusion of these vulnerabilities in CISA's catalog indicates they are currently being exploited by cybercriminals. As these bugs pose a significant threat to federal agencies, they need to be promptly patched to prevent potential cyber-attacks. Given the severity of these vulnerabilities and the wide usage of Microsoft software, organizations of all sizes and across sectors should urgently prioritize updating their systems. The widespread concern underlines the importance of continuous vigilance and regular patching in today's cyber threat landscape.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set an August 1 deadline for U.S. federal civilian agencies to patch four severe zero-day vulnerabilities disclosed in Microsoft's monthly Patch Tuesday release. The four vulnerabilities are among over 130 announced by Microsoft. One of these vulnerabilities, CVE-2023-35311, which affects Microsoft Outlook, has raised significant concern among experts due to its potential to be leveraged in phishing campaigns leading to potential ransomware or fraud events. It affects all versions of Microsoft Outlook from 2013 onwards. Microsoft confirmed that it is being exploited, but did not provide further information on the groups utilizing the bug.
READ THE STORY: The Record
Items of interest
Another challenger to OpenAI? OK, we'll allow it
Analyst Comments: The creation of xAI by a prominent figure like Musk can have significant implications on the AI landscape. The company is likely to attract significant attention, resources, and talent. This move may also spark increased competition and innovation in the development of machine learning models and applications, given the caliber of the companies from which it is drawing its staff.
FROM THE MEDIA: Elon Musk, founder of SpaceX and co-founder of OpenAI, has launched a new machine-learning company called xAI. The goal of this venture is to "understand the true nature of the universe," and will be taking on machine learning experts from Tesla, DeepMind, Google, and Microsoft. xAI is positioned as a rival to OpenAI and its large language models. More details about the company are expected to be revealed on Friday.
READ THE STORY: The Register
Covert C2 Channels (Video)
FROM THE MEDIA: Kai Bernardini is a professional hacker/security researcher, a mathematician, and a lecturer in computer science at Boston University. He's also better than me at lead belay (no short-roping from Kai!). Today Kai joined us to discuss covert command and control (C2) channels. Sure, your communication might be indistinguishable from random noise. But is it indistinguishable from r/dankmemes? If not, prepare to get caught by the local sysadmin.
Building a C2 (Video)
FROM THE MEDIA: Building a Command and Control server, or C2, is a central task when establishing a botnet for ethical hacking or cybersecurity testing purposes. A C2 server can control infected systems (bots), send commands, and collect data.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.