Daily Drop (546): China: Data Traps, DPRK: Crypto, Russia: Telecom Surveillance, Estée Lauder, Ukraine dismantles bot farm, CISA and NSA Guidance: 5G Network, Cloudflare: DDoS
07-20-23
Thursday, Jul 20, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Head of MI6 warns that China is setting ‘data traps’ for partners
Analyst Comments: This statement by Richard Moore is a significant revelation about China's international agreements and their potential implications on global data security. By entering these agreements, nations risk losing sovereignty and becoming vulnerable to external influences. This is an issue of critical importance, given the rising global significance of China. The use of AI by MI6 underscores the increasing integration of AI in intelligence gathering and national security, highlighting the strategic importance of this technology in contemporary geopolitics. Moore's emphasis on human judgment being irreplaceable in intelligence work is a reminder that while AI can be a powerful tool, it does not obviate the need for human analysis and intervention.
FROM THE MEDIA: Richard Moore, head of Britain's foreign intelligence service MI6, has warned that China is leveraging international agreements to gather data on foreign citizens and national projects. Moore cautioned that by accepting these agreements, countries risk being trapped in a "data trap," losing sovereignty and becoming susceptible to influence. When China distributed COVID-19 vaccines globally, it often required recipient nations to share their vaccination data sets with Beijing, Moore said. He warned that this kind of condition should raise alarm bells. MI6 now devotes more resources to China than to any other country, reflecting China's growing global significance and the critical need to understand the intent and capabilities of the Chinese government. He also mentioned that MI6 is using AI to aid, but not replace, human judgment in situations like identifying and disrupting the flow of weapons to Russia for use against Ukraine.
READ THE STORY: The Record
DPRK hackers breached US IT company in bid to steal crypto - sources
Analyst Comments: North Korea's shift in strategy towards "supply chain attacks" reveals an enhancement in its cybercriminal capabilities and could imply that its operators are refining their methods for higher yields. The international community should take these growing threats seriously and implement stringent cybersecurity measures to counteract these increasingly sophisticated attacks. More cooperation between private sector entities, like JumpCloud and CrowdStrike, and national security agencies may be necessary to detect and prevent these incidents effectively. Given the enormous sums stolen in previous attacks, vigilance is crucial, as such attacks could significantly disrupt not only individual businesses but the broader cryptocurrency market and financial system.
FROM THE MEDIA: North Korean hackers, suspected to belong to the group "Labyrinth Chollima", have reportedly infiltrated US IT management company JumpCloud. They exploited this access to launch subsequent attacks on cryptocurrency companies, showing an evolution in tactics. Historically, these cybercriminals pursued individual crypto firms, but now they aim for entities that provide multiple avenues to cryptocurrencies. JumpCloud acknowledged the breach but refrained from identifying the specific assailants or the affected clients. The cybersecurity firm CrowdStrike confirmed that the North Korean hacker group "Labyrinth Chollima" was responsible, with the assumed intent of generating revenue for North Korea's regime. The prowess of North Korean hackers in executing "supply chain attacks" (compromising service providers to pilfer user data or money) has notably increased, according to cybersecurity researcher Tom Hegel from SentinelOne.
READ THE STORY: Reuters
Russia’s vast telecom surveillance system crippled by withdrawal of Western tech, report says
FROM THE MEDIA: The White House and the Federal Communications Commission (FCC) have announced the development of a new cybersecurity labeling program called the U.S. Cyber Trust Mark, set to launch by 2024. The program is designed to certify smart devices, including consumer-grade routers and smart home appliances, based on cybersecurity criteria developed by the National Institute of Standards and Technology (NIST). Amazon, Best Buy, Google, Logitech, and Samsung are among the major retailers supporting the initiative. Under this program, certified products will carry a shield logo, informing consumers that the product complies with the NIST standards. The initiative is intended to help improve the security of these devices and reduce the risk of botnet growth.
READ THE STORY: The Record
Russian Hackers Probe Ukrainian Defense Sector With Backdoor
Analyst Comments: This targeted attack by the Turla hacker group signifies the continued threat of state-backed cyber espionage operations, particularly those originating from Russia. The use of the new backdoor, DeliveryCheck, highlights an increasing sophistication in malware deployment. Furthermore, the targeting of popular apps like Signal Desktop and of Microsoft Exchange servers indicates a broader and more invasive approach to data exfiltration. Given the potential geopolitical implications of these attacks, it is crucial for targeted nations and international cybersecurity agencies to enhance their defenses and cooperation to counter these threats. Detection, mitigation, and public awareness campaigns about these threats can help protect sensitive information and critical infrastructure from such advanced persistent threats (APTs).
FROM THE MEDIA: The Russian hacker group Turla has launched targeted attacks against Ukraine's defense sector and other Eastern European entities using a new backdoor known as DeliveryCheck. This novel .NET-based malware, aimed primarily at espionage, was distributed via emails with documents containing malicious macros. Security researchers at Microsoft Threat Intelligence and the Computer Emergency Response Team of Ukraine (CERT-UA) have confirmed this. After the initial infection, the threat actor uses open-source tools like rclone to collect and exfiltrate files, or deploys a highly functional Secret Blizzard implant called Kazuar. The Kazuar backdoor can execute nearly 40 functions, including event logging, collecting forensic artifacts, and stealing authentication data. Turla is believed to be closely associated with Russia's foreign intelligence service, the FSB.
READ THE STORY: BankInfoSecurity
Estée Lauder beauty giant breached by two ransomware gangs
Analyst Comments: These concurrent ransomware attacks underscore the escalating threat that such cyberattacks pose to businesses across sectors, even those with substantial resources like Estée Lauder. The company's unwillingness to negotiate with the threat actors aligns with general cybersecurity best practices and law enforcement recommendations, which discourage paying ransoms as it incentivizes further attacks. It is critical for Estée Lauder and similar companies to implement robust cybersecurity measures, regular network audits, and employee awareness programs to minimize the risk of such attacks.
FROM THE MEDIA: Cosmetics company Estée Lauder has reportedly been hit by two separate ransomware attacks carried out by the ALPHV/BlackCat and Clop groups. The BlackCat gang claims to still be present on the network and criticizes Estée Lauder's security measures. In an SEC filing, Estée Lauder confirmed one of the attacks, revealing that the intruder accessed some of its systems and potentially stole data. It appears that the Clop ransomware gang exploited a vulnerability in the MOVEit Transfer platform to gain access to the company. Despite Estée Lauder employing cybersecurity experts and coordinating with law enforcement, BlackCat maintains that it still has access to the network. The company, however, has shown no intention of negotiating with the threat actor, focusing instead on remediation and restoration of impacted systems.
READ THE STORY: Bleeping Computer
Ukraine dismantles bot farm pushing Russian propaganda, 150,000 SIM cards seized
Analyst Comments: Ukraine's successful dismantling of the bot farm indicates an important victory in the cyberspace component of the ongoing conflict with Russia. These bot farms are part of a broader digital warfare strategy, spreading disinformation to manipulate public opinion, foster confusion, and demoralize the opposition. The fact that Ukraine is actively fighting this digital warfront is crucial in maintaining its informational integrity and safeguarding the security of its citizens. However, the persistence of such bot farms suggests that ongoing vigilance and international cooperation will be required to counter these cyber threats.
FROM THE MEDIA: The Cyber Police Department of the National Police of Ukraine has successfully dismantled a large bot farm reportedly linked to over 100 individuals, following raids at almost two dozen locations. It is alleged that these bots were utilized to propagate Moscow's propaganda justifying Russia's war in Ukraine, disseminate illicit content, and steal personal information. Computer equipment, mobile phones, over 250 GSM gateways, and approximately 150,000 SIM cards from various mobile carriers were seized in the joint operation by units of the Ukrainian National Police and the cyber police. Ukraine has been cracking down on several Russian bot farms since the beginning of the war, with these bot farms spreading disinformation and inciting panic among Ukrainians.
READ THE STORY: ET
CISA and NSA Issue New Guidance to Strengthen 5G Network Slicing Against Threats
Analyst Comments: The release of this advisory underlines the growing concern over the potential security threats presented by 5G network slicing. The fact that both the CISA and NSA are issuing joint recommendations indicates the significance of the issue. Network slicing is a crucial aspect of 5G technology, and its security vulnerabilities can have serious implications for data privacy and national security. The endorsement of a zero trust architecture and enhanced monitoring tools signifies a broader trend towards more proactive and robust cybersecurity measures. The security of 5G networks is likely to continue to be a focus of attention for cybersecurity agencies worldwide, as this technology becomes more widely adopted.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released recommendations to address security concerns associated with 5G standalone network slicing. The advisory builds upon previous guidance from December 2022 and notes that advanced monitoring, auditing, and analytical capabilities are required to meet network slicing service level requirements. It warns of a broad spectrum of potential threat vectors, including denial-of-service attacks, jamming, identity theft, and adversary-in-the-middle attacks, which could compromise the confidentiality, integrity, and availability of network services. A zero trust architecture (ZTA) is suggested to secure network deployments, emphasizing the need for authentication, authorization, and audit techniques.
READ THE STORY: THN
China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
Analyst Comments: The attribution of these sophisticated Android surveillance programs to APT41 underscores the breadth and depth of China's state-sponsored hacking activities. The diverse range of targets and the ongoing evolution of malware functionality demonstrate APT41's significant resources and adaptability. As these surveillance programs hide inside ordinary Android apps and exploit privileges to execute malicious operations, they highlight the potential security risks posed by even seemingly innocuous applications.
FROM THE MEDIA: China's state-sponsored hacking group APT41 (also known as Winnti, BARIUM, Double Dragon) has been linked to two Android surveillanceware programs, WyrmSpy and DragonEgg. This threat actor is notorious for espionage campaigns against government agencies and enterprises globally, with victims in countries as far apart as Australia, India, and the United States. The attribution to APT41 was made after WyrmSpy and DragonEgg were found to share overlapping Android code signing certificates. A command-and-control (C2) server address hardcoded in early WyrmSpy samples was previously linked to APT41 by the US Department of Justice. Both WyrmSpy and DragonEgg hide inside seemingly innocuous Android apps and request extensive permissions in order to exfiltrate user data.
READ THE STORY: DarkReading
Cloudflare reports surge in sophisticated DDoS attacks
Analyst Comments: The surge in DDoS attacks demonstrates the evolving threat landscape, with industries such as cryptocurrency becoming increasingly attractive targets due to their financial significance. The emergence of powerful virtual machine botnets represents a new level of sophistication in DDoS attacks, enabling large-scale operations with fewer resources. The exploitation of zero-day vulnerabilities in widely used systems like Mitel further amplifies the risk and impact of these attacks. Organizations across sectors need to prioritize robust cybersecurity measures, including DDoS mitigation strategies, to safeguard their networks. The geopolitical context, particularly the tension between Russia and Western countries, also plays a role in shaping the threat landscape, necessitating vigilant monitoring and threat intelligence.
FROM THE MEDIA: In the second quarter of 2023, companies experienced a significant increase in well-coordinated distributed denial-of-service (DDoS) attacks, predominantly from hacking groups based in Russia, as reported by Cloudflare. Between April and June, the total number of DDoS requests reached 5.4 trillion, a 15% increase from the first quarter. Cryptocurrency, gaming, and gambling industries were the hardest hit, with cryptocurrency companies witnessing a 600% surge in DDoS attacks. Cloudflare identified three main factors contributing to the rise in DDoS attacks: pro-Russia hacktivist activities, the emergence of potent virtual machine botnets, and the exploitation of a zero-day vulnerability in the Mitel business phone system.
READ THE STORY: The Record
New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems
Analyst Comments: The discovery of P2PInfect highlights the increasing sophistication of malware targeting cloud environments, especially those with misconfigurations or vulnerabilities. The worm's use of a P2P network for propagation signifies a unique approach within the cloud-targeting and cryptojacking threat landscapes. This further underscores the need for organizations to adopt robust cybersecurity measures, including securing their cloud environments, conducting regular audits for misconfigurations, and promptly patching known vulnerabilities.
FROM THE MEDIA: Researchers at Palo Alto Networks' Unit 42 have discovered a new peer-to-peer (P2P) worm named P2PInfect. This worm is unique in its ability to exploit Redis servers running on both Linux and Windows operating systems, making it highly scalable and potent. The worm, written in Rust, targets the Lua sandbox escape vulnerability (CVE-2022-0543) in Redis systems and has already compromised an estimated 934 unique systems since its first detection on July 11, 2023. Post-exploitation, P2PInfect delivers a dropper payload that establishes a P2P network for further malicious activity, including propagating malware to other exposed Redis and SSH hosts. The ultimate goal of the campaign remains unknown, and it has not yet been linked to any known threat groups.
READ THE STORY: THN
Items of interest
FCC Again Urged to Aid Satellite Precision Agriculture
Analyst Comments: The Precision Agriculture Satellite Connectivity Act signifies a recognition of the increasing importance of connectivity and precision farming in the agricultural sector. The bill, if passed, could potentially bridge the 'digital divide' and enable more farmers to leverage the benefits of modern technologies, thereby enhancing productivity and sustainability in agriculture. Implementing the changes required by the legislation will likely present substantial challenges. Navigating regulatory processes, revising current rules to favor emerging technologies, and ensuring adequate spectrum availability for non-geostationary satellite orbit (NGSO) services are complex tasks that demand significant resources, expertise, and time. It is also important to consider the international dynamics, as the growth of satellite communications and precision agriculture could have significant implications for global food security, and potentially raise concerns about space race and national security.
FROM THE MEDIA: The US House of Representatives recently passed bipartisan legislation, House Resolution 1339, the Precision Agriculture Satellite Connectivity Act, which is currently awaiting action by the Senate Committee on Commerce, Science, and Transportation. The legislation is designed to encourage the Federal Communications Commission (FCC) to improve the availability of satellite communication and Positioning, Navigation, and Timing (PNT) services for farmers, particularly those in rural areas. If enacted, the bill will require the FCC to review its rules on satellite communications services to determine whether changes can be made to promote precision agriculture, and then develop and submit related recommendations to Congress within 15 months.
READ THE STORY: InsideGNSS
Chinese hackers gain access to Biden’s commerce secretary’s emails (Video)
FROM THE MEDIA: Atlas Organization founder Jonathan D.T. Ward on impacts from Chinese hackers breaching the commerce secretary's email and the negatives of investing in China.
China accused of spying on critical US infrastructure (Video)
FROM THE MEDIA: China has been spying on critical US infrastructure.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.