Daily Drop (545): Hybrid Warfare: Russia, China: The Great Firewall, RedCurl, BreachForums, JumpCloud: APT, AWS Cloud, SNOWYDRIVE Malware, Ukrainian Scareware
07-18-23
Tuesday, Jul 18, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
How Russia’s Hybrid Warfare is Changing
Analyst Comments: This article argues that Russia's approach to hybrid warfare has shifted away from a primary reliance on non-conventional measures and tactics towards a greater emphasis on conventional methods. The argument is built on an analysis of Russia's experience of hybrid warfare across several conflicts: the Afghan War, Chechnya, Georgia, Syria, and Ukraine. Methodologically, the analysis rests on the non-linear concept of hybrid warfare commonly referred to as the "Gerasimov doctrine," which acknowledges the use of both conventional and non-conventional military tactics while treating the non-conventional measures as primary.
FROM THE MEDIA: The study, grounded in the Gerasimov doctrine, shows a shift from relying on non-conventional tactics to a growing emphasis on conventional methods in Russia's hybrid warfare strategy. Using examples of various conflicts like the Afghan War, Chechnya, Georgia, Syria, and Ukraine, the article offers a detailed look into the evolution of Russia's military tactics and strategy. Key points of discussion include Russia's approach to hybrid warfare, the changing nature of this approach, and factors influencing the measures employed. The article suggests that Russia's involvement in wars prior to 2014 served as a testing ground for non-conventional measures, whereas the war in Ukraine highlighted a heavier reliance on conventional tactics. It also outlines the implications of the dissolution of the Soviet Union on Russia's military strategy, with the subsequent turn towards asymmetric warfare strategies and renewed focus on diplomacy and international cooperation.
READ THE STORY: Small War Journal
Beijing wants to make the Great Firewall of China even greater
Analyst Comments: These directives signal an intensification of the Chinese government's attempts to control and regulate its domestic internet, in line with its historical approach to information control and censorship. This could further isolate the Chinese internet from the rest of the world, potentially stifling innovation and limiting citizens' access to global information. The instructions also underscore the CCP's intent to control the narrative and ideology propagated online, pointing towards a more rigid control over digital spaces. The use of police departments in enforcing these directives highlights the seriousness with which the Chinese government is approaching these measures.
FROM THE MEDIA: Chinese President Xi Jinping recently instructed officials to construct a "security barrier" around China's internet, a move that could potentially isolate China's internet even more. The directive was given after a cybersecurity meeting held in Beijing, where Xi emphasized the need for the Chinese Communist Party's (CCP) control over the internet sector. In this regard, the term "security barrier" is reminiscent of the Great Firewall, which is a set of legislative actions and technologies that regulate internet use within China, including censorship and limited access to foreign media services. Cai Qi, a member of the CCP Central Committee, echoed these sentiments, advocating for strengthened online governance and control over online ideology. Notably, the directives were strong but lacked specificity. Xi also emphasized that internet and information technology departments at all levels must maintain their loyalty to the Party and be diligent in combating cyber terrorism and other illegal acts.
READ THE STORY: The Register
RedCurl hackers return to spy on 'major Russian bank,' Australian company
Analyst Comments: The hacking activities of RedCurl present a significant threat to commercial organizations worldwide, given its focus on stealing corporate secrets and personal employee data. The fact that the group targets a wide range of industries, from finance to retail, and maintains operations over long periods undetected shows a high level of sophistication. The evolution of RedCurl's hacking tools, demonstrated by the development of RedCurl.SimpleDownloader, indicates a robust and adaptive threat. The new protective features incorporated in recent versions suggest the group is actively working to evade detection and analysis, raising serious security concerns for targeted organizations.
FROM THE MEDIA: RedCurl, a Russian-speaking hacking group, attacked a significant Russian bank and an undisclosed Australian company earlier this year, seeking to steal corporate secrets, as reported by Russia-based F.A.C.C.T., a spin-off from cybersecurity firm Group-IB. RedCurl, active since 2018, targets various organizations, including banks, insurance companies, consulting firms, and retailers, engaging in commercial espionage rather than encrypting data for ransom. The group made two attempts to hack the undisclosed Russian bank, succeeding on the second attempt by targeting one of the bank's contractors. It used the same methods to attack the Australian company. RedCurl creates its own tools or alters existing malware and stays undetected for long periods before stealing corporate data.
READ THE STORY: The Record
Owner of BreachForums Pleads Guilty to Cybercrime and Child Pornography Charges
Analyst Comments: The case against Fitzpatrick represents a notable success in law enforcement's ongoing battle against cybercrime. BreachForums served as a significant hub for illegal activity, with a vast number of stolen data records and a large member base, indicating that its closure could potentially disrupt numerous cybercriminal operations. Fitzpatrick's case also underscores the international nature of cybercrime and the necessity for cross-border collaboration in combating these threats. Law enforcement agencies should continue their focus on dismantling such platforms and holding their operators accountable.
FROM THE MEDIA: Conor Brian Fitzpatrick, owner of the now-defunct cybercrime forum BreachForums, has pleaded guilty to charges stemming from his operation of the forum and to possession of child pornography. BreachForums, established in March 2022 and taken down in March 2023, was an illegal marketplace that facilitated the trading of stolen or hacked databases. It is estimated that up to 14 billion individual records across 888 databases were discovered on the forum, which had over 333,000 members at the time of its takedown. Fitzpatrick, also known by his alias pompompurin, could face a maximum jail sentence of 40 years and fines of up to $750,000. His sentencing is scheduled for November 17, 2023.
READ THE STORY: THN
JumpCloud breached by nation-state threat actor
Analyst Comments: The breach on JumpCloud underlines the increasing sophistication of cyberattacks, especially those sponsored by nation-state actors. While the company's rapid response and disclosure are commendable, the situation raises questions about the initial lack of specificity in JumpCloud's July 5 advisory. The incident serves as a reminder for organizations to continuously monitor and assess their cybersecurity posture, as spear phishing remains a common and effective method for initial compromise. Companies should conduct regular training sessions to improve employee awareness of such techniques. It is critical that all entities utilizing JumpCloud services closely monitor their environments for any anomalies and follow the necessary steps outlined by JumpCloud, such as the mandatory API key rotation, to ensure the security of their systems.
FROM THE MEDIA: Cloud provider JumpCloud announced a network breach by a nation-state threat actor, a week after issuing a mandatory API key rotation due to an undisclosed incident. The company initially discovered anomalous activity on an internal orchestration system on June 27, traced back to a sophisticated spear phishing campaign that began on June 22. The threat actor gained access to a specific area of JumpCloud's infrastructure, although there was no evidence of customer impact at the time. On July 5, unusual activity in the commands framework for a small set of customers was detected, leading to the invalidation of all API keys for customer administrators. JumpCloud has not attributed the attack to a specific country and declined to comment further on the incident.
READ THE STORY: TechTarget
AWS Cloud Credential Stealing Campaign Spreads to Azure, Google Cloud
Analyst Comments: TeamTNT has a history of targeting exposed cloud services and exploiting cloud misconfigurations and vulnerabilities. Initially focused on cryptomining, the group has expanded its activities to include data theft and backdoor deployment. This campaign's broadening to include Azure and GCP highlights the group's continuing evolution and its ability to adapt attack tools and strategies to a wider range of platforms. The findings further underline the importance of securing cloud services and implementing robust security configurations to prevent exploitation. Organizations using cloud services should perform regular audits to identify and fix potential misconfigurations.
FROM THE MEDIA: Researchers from SentinelOne and Permiso have reported that a cloud-credential stealing and cryptomining campaign which had been targeting Amazon Web Services (AWS) environments for several months has expanded its targets to include Azure and Google Cloud Platform (GCP). The campaign, believed to be the work of the notorious threat actor TeamTNT, has displayed a series of incremental refinements since its inception in December. While the current Azure and GCP capabilities are less developed than the AWS tooling, the researchers anticipate further bespoke automation for these environments if the attackers deem them valuable.
READ THE STORY: DarkReading
Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware
Analyst Comments: USB-based attacks can be particularly dangerous because they can easily bypass network security measures and infect systems directly. Such attacks have been known to infiltrate even air-gapped systems, which are typically considered highly secure due to their isolation from the internet. The findings by Mandiant highlight the importance of physical security measures in addition to network and cybersecurity protections. It is essential to implement strict policies regarding the use of USB and other removable drives, as well as to regularly scan these devices for potential threats.
FROM THE MEDIA: According to Mandiant, the first half of 2023 saw a three-fold increase in cyber attacks using infected USB drives as an initial access vector. The firm detailed two campaigns, named SOGU and SNOWYDRIVE, which targeted both public and private sector entities worldwide. The SOGU campaign, attributed to the China-based cluster TEMP.Hex (also known as Camaro Dragon, Earth Preta, and Mustang Panda), is described as the most prevalent USB-based cyber espionage attack and targets multiple industry verticals globally. The infection chain starts with a malicious USB drive being inserted into a computer, which then launches a C-based backdoor called SOGU that exfiltrates files of interest, keystrokes, and screenshots. The SNOWYDRIVE campaign, attributed to a cluster Mandiant tracks as UNC4698, primarily targets oil and gas organizations in Asia. Its backdoor lets operators issue system commands remotely and spreads to other USB drives. Mandiant researchers Rommel Joven and Ng Choon Kiat recommend restricting access to external devices such as USB drives, or scanning these devices for malicious files or code before connecting them to internal networks.
READ THE STORY: THN
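The recommendation above (restrict removable drives, and know what is being plugged in) is easier to act on if endpoint kernel logs are correlated into per-device records. As an added example, not from Mandiant's report or this digest, the Python below parses constructed Linux kernel USB enumeration messages (assumed to follow the standard usb/usb-storage dmesg format), builds one record per port, and flags mass-storage devices whose serial is not on a hypothetical allowlist of corporate-issued drives. The log lines, the allowlist and the serial values are all made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample kernel log lines (assumption: standard Linux usb / usb-storage
# dmesg wording). Not taken from Mandiant's report or from any real host.
SAMPLE_LOG = """\
Jul 18 10:02:11 ws01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jul 18 10:02:11 ws01 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jul 18 10:02:11 ws01 kernel: usb 1-1: Product: DataTraveler 3.0
Jul 18 10:02:11 ws01 kernel: usb 1-1: SerialNumber: 1C6F654E1B2C3D4E
Jul 18 10:02:12 ws01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jul 18 10:05:40 ws01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jul 18 10:05:40 ws01 kernel: usb 1-2: Product: USB Receiver
Jul 18 10:09:03 ws01 kernel: usb 2-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
Jul 18 10:09:03 ws01 kernel: usb 2-3: Product: Flash Disk
Jul 18 10:09:03 ws01 kernel: usb 2-3: SerialNumber: AA04012700013494
Jul 18 10:09:04 ws01 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: serials of drives the organisation issued itself.
ALLOWED_SERIALS: Set[str] = {"1C6F654E1B2C3D4E"}

# Each enumeration step is a separate kernel line keyed by the bus port (e.g. "1-1");
# the usb-storage line carries the interface suffix (":1.0") that we strip off.
NEW_DEV = re.compile(r"kernel: usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"kernel: usb (\S+): Product: (.+?)\s*$")
SERIAL = re.compile(r"kernel: usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"kernel: usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> List[UsbDevice]:
    """Correlate the multi-line USB enumeration messages into one record per port."""
    devices: Dict[str, UsbDevice] = {}
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = UsbDevice(port=port, vid=vid, pid=pid)  # a re-plug replaces the old record
            continue
        m = PRODUCT.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].product = m.group(2)
            continue
        m = SERIAL.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].serial = m.group(2)
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].mass_storage = True
    return list(devices.values())


def flag_unapproved_storage(devices: List[UsbDevice], allowed_serials: Set[str]) -> List[UsbDevice]:
    """Mass-storage devices not on the allowlist; a device reporting no serial is also flagged."""
    return [d for d in devices if d.mass_storage and d.serial not in allowed_serials]


if __name__ == "__main__":
    for d in flag_unapproved_storage(parse_usb_events(SAMPLE_LOG), ALLOWED_SERIALS):
        print(f"ALERT unapproved mass storage on port {d.port}: "
              f"{d.vid}:{d.pid} {d.product!r} serial={d.serial or '<none>'}")
```

Two caveats a practitioner should keep in mind: a USB serial number is whatever the device firmware reports, so a purpose-built malicious drive can clone an allowlisted serial, which makes this an auditing and alerting control rather than a preventive one; and the Logitech-style receiver in the sample shows why the check keys on the usb-storage interface rather than on any device insertion, since keyboards and mice would otherwise flood the alert queue. Blocking should be done at the endpoint (for example a udev rule or a modprobe denylist for usb-storage on Linux, or removable-storage policy on Windows), with this kind of log correlation feeding the SOC.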
Alleged Ukrainian scareware developer arrested after a decade on the run
Analyst Comments: The successful arrest of the Ukrainian hacker signifies a major achievement in international cybersecurity efforts and highlights the importance of global collaboration in combating cybercrime. However, the duration of the hacker's evasion (over a decade) underscores the difficulties in tracing and apprehending cybercriminals who operate across borders. It also serves as a reminder of the persistent threat posed by various forms of malware, including scareware, and emphasizes the necessity for both individuals and organizations to maintain robust cybersecurity measures. This includes being aware of potential threats, keeping systems updated, and exercising caution when encountering suspicious software or requests.
FROM THE MEDIA: Spanish police, in collaboration with the FBI and Interpol, have arrested a Ukrainian hacker who had been evading international authorities for over a decade. The hacker, who has not been identified, was involved in a global scareware operation running from 2006 to 2011, causing more than $70 million in economic damage. The suspect was apprehended at Barcelona-El Prat airport. Scareware is a type of malicious software or tactic that uses false security threats to scare people into purchasing counterfeit security software or revealing sensitive information. The hacker's operation reportedly impacted hundreds of thousands of victims around the world. The arrest appears to be linked to the Trident Tribunal operation, a 2011 law enforcement action involving the FBI and 11 other countries that disrupted two international cybercrime operations selling fake antivirus software.
READ THE STORY: The Record
Cybersecurity labeling program for internet-connected devices to be launched next year, White House says
FROM THE MEDIA: The White House and the Federal Communications Commission (FCC) have announced the development of a new cybersecurity labeling program called the U.S. Cyber Trust Mark, set to launch by 2024. The program is designed to certify smart devices, including consumer-grade routers and smart home appliances, based on cybersecurity criteria developed by the National Institute of Standards and Technology (NIST). Amazon, Best Buy, Google, Logitech, and Samsung are among the major retailers supporting the initiative. Under this program, certified products will carry a shield logo, informing consumers that the product complies with the NIST standards. The initiative is intended to help improve the security of these devices and reduce the risk of botnet growth.
READ THE STORY: The Record
Western Focus Sharpens on China Over Black Sea Grain Deal
Analyst Comments: Russia's decision to halt the Black Sea Grain Initiative is a strategic maneuver intended to increase its influence and soft power globally by filling the void left by Ukraine in the agricultural export market. While markets have adjusted to the change due to its gradual nature, the decision nonetheless exerts upward pressure on global food prices and exacerbates food insecurity. The move may strain Russia's relationship with China, despite their otherwise close partnership, due to China's heavy reliance on Ukrainian grain imports. It could also lead to diplomatic pressure from other beneficiaries of the initiative, including Turkey and several African nations. For Ukraine, the decision emphasizes the need to diversify its export channels beyond the Black Sea. Given the infrastructural limitations, this will be a significant challenge and could further impact Ukraine's economy and its role in global food production and distribution.
FROM THE MEDIA: Russia has chosen to halt a U.N.-brokered agreement, known as the Black Sea Grain Initiative, that allowed Ukraine to export large amounts of grains and oilseeds. This decision affects global food security and has significant implications for China, which relied on the initiative for nearly a quarter of its grain imports. The decision has resulted in a shift in global food prices, causing concerns about food insecurity, although the impact is somewhat mitigated by the gradual nature of export decrease, allowing markets to adjust. Ukraine's ability to reroute its exports is hampered by the orientation of its agricultural infrastructure towards the Black Sea. In response to Russia's decision, pressure from Turkey and other beneficiaries, like China and African countries, could play a crucial role.
READ THE STORY: The Cipher Brief
Items of interest
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps
FROM THE MEDIA: Threat actors are exploiting Android's WebAPK technology to install malicious web apps designed to steal personal information on users' phones. The attack begins with victims receiving SMS messages prompting them to update a mobile banking application. Upon clicking the provided link, a site uses WebAPK to install a malicious application on the victim's device. The targeted application impersonates PKO Bank Polski, a well-known banking and financial services company in Warsaw. WebAPK enables users to install progressive web apps (PWAs) to their Android devices' home screen bypassing the Google Play Store. Once installed, the fake banking app prompts users to input their credentials and two-factor authentication (2FA) tokens, leading to data theft. CSIRT KNF researchers noted that countering such attacks is challenging due to the dynamic nature of WebAPK applications.
READ THE STORY: THN
Large-scale Security Analysis of IoT Firmware (Video)
FROM THE MEDIA: Today, the number of IoT devices in both the private and corporate sectors is steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis.
Exploring a New Class of Kernel Exploit Primitive (Video)
FROM THE MEDIA: Microsoft Security Response Center receives and examines many interesting bug classes. Often, the exploitability of those bugs is apparent, but this is not always the case. One interesting outlier is an arbitrary kernel pointer read primitive where the attacker cannot retrieve the content of the memory read. Traditionally, these would have an impact of Denial of Service (DoS) or in some cases a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible) but could such a limited primitive actually be exploited for code execution / privilege escalation?
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.