Daily Drop (552): China: Cyber Fairness, SiegedSec, Malware Network: APT Link, ZTE: India, Beyond ChatGPT, Lazarus: Microsoft IIS servers, FraudGPT, Rust-based Realst Infostealer
07-26-23
Wednesday, Jul 26, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
China’s Top Diplomat Calls for Global Cyberspace Fairness, Urges Resistance to Technological Dominance
Analyst Comments: Wang Yi's statements echo China's longstanding position of promoting national sovereignty and non-interference in domestic affairs. His call for a more equitable global cyberspace appears to be an attempt to shift the narrative away from accusations of cyber espionage and towards issues of fairness and inclusivity. His bilateral meetings with Russian and Iranian security officials indicate an effort to foster strategic partnerships that can counterbalance U.S. influence.
FROM THE MEDIA: China's top diplomat, Wang Yi, has called for emerging economies to resist attempts at dominance in science, technology, and the internet, emphasizing the importance of fairness, justice, and inclusivity in cyberspace. Speaking at a cybersecurity meeting in Johannesburg, attended by delegates from countries including Brazil, Russia, India, China, and South Africa, he advocated for cyberspace to become a platform for various thoughts rather than a digital battleground. Wang's comments come amid increased scrutiny from the U.S. and its allies of China's growing digital industry and ongoing accusations of technology theft and cyberattacks.
READ THE STORY: CircleID
Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets
Analyst Comments: The rise of macOS-targeting malware like Realst underscores that cyber threats are increasingly platform-agnostic. Threat actors are porting their tooling (here, a Rust codebase built for both Windows and macOS) to reach a wider range of devices and systems. Businesses and individuals must remain vigilant: keep software and operating systems updated, back up important data regularly, and stay informed about the latest threats. They should also treat unsolicited social media messages with caution, especially those that involve downloading software or joining unverified activities such as "testing" a game.
FROM THE MEDIA: A new malware family called Realst is targeting Apple macOS systems, with roughly a third of the samples already able to run on macOS 14 Sonoma, the upcoming major release of the operating system. Realst, written in Rust, is distributed as bogus blockchain games and can empty crypto wallets and steal stored passwords and browser data from both Windows and macOS machines. The malware is believed to be linked to another information-stealing campaign called Pureland. Threat actors approach potential victims via social media direct messages, luring them into testing a game for a paid collaboration. Once the game is executed, the attackers steal sensitive information and drain cryptocurrency wallets. The discovery of Realst follows that of SophosEncrypt, a RAT with file encryption capabilities.
READ THE STORY: THN
Lazarus targets Microsoft IIS servers to spread malware
Analyst Comments: This report confirms the Lazarus group's persistent threat and its adaptability in the face of countermeasures. The group's use of exposed Microsoft IIS servers, both as initial access points and as hosting for its payloads, underscores the importance of regularly patching and updating internet-facing software to minimize exploitable vulnerabilities. Because a compromised IIS server acts through its worker process, w3wp.exe spawning command interpreters or dropping executables is a high-signal indicator worth alerting on. The discovery also suggests the Lazarus group's specific interest in South Korean entities, which should prompt those organizations to strengthen their security measures further.
FROM THE MEDIA: The Lazarus threat group, believed to be state-sponsored by North Korea, has intensified its attacks on vulnerable Microsoft Internet Information Services (IIS) instances, using them not only as entry points into target organizations but also as vehicles for malware distribution. According to AhnLab Security Emergency Response Center (ASEC), Lazarus recently compromised South Korean websites whose IIS servers were then used to host malware delivered through exploitation of INITECH's INISAFE CrossWeb EX V3 system management solution. The ASEC researchers highlighted that the latest attacks used the IIS worker process, w3wp.exe, to deliver Lazarus' malware strain, which is primarily a downloader that fetches additional malware types or backdoors.
READ THE STORY: SCMAG
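The indicator in the story above, an IIS worker process launching things it never needs to, is easy to turn into detection logic. The block below is an added example written for this digest, not code from ASEC or from the article: it triages Sysmon-style process-creation records (the field names ParentImage, Image, CommandLine and User are assumed from Sysmon Event ID 1), and the events in SAMPLE_EVENTS are constructed for illustration. It also treats the C# compiler as an expected child, since ASP.NET dynamic compilation legitimately spawns it.

```python
"""Triage process-creation events whose parent is the IIS worker process.

Added example, not from the ASEC report or the story above. Field names
follow Sysmon Event ID 1; SAMPLE_EVENTS is constructed, not real telemetry.
"""
import re

# Children IIS itself never needs; any of these under w3wp.exe is a classic
# web shell / post-exploitation signature.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
    "curl.exe", "whoami.exe", "net.exe", "net1.exe", "schtasks.exe",
}
# ASP.NET dynamic compilation legitimately spawns the C#/VB compilers.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
# Encoded PowerShell: -enc / -e / -EncodedCommand followed by base64.
ENCODED_PS = re.compile(r"(?i)\s-(?:enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{8,}")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @C:\\inetpub\\temp\\app.cmdline",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_child(event):
    """Return (severity, reason) for one process-creation event, or None
    when the parent is not w3wp.exe."""
    if _basename(event["ParentImage"]) != "w3wp.exe":
        return None
    child = _basename(event["Image"])
    if child in EXPECTED_CHILDREN:
        return "low", f"{child} is normal ASP.NET dynamic compilation"
    if child in SUSPICIOUS_CHILDREN:
        if child in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(event["CommandLine"]):
            return "critical", f"w3wp.exe spawned {child} with an encoded command"
        return "high", f"w3wp.exe spawned {child}"
    # Anything else under the worker process is unusual and deserves a look.
    return "medium", f"w3wp.exe spawned unexpected child {child}"


def triage(events):
    """Return [(severity, child, reason, command_line)] for every w3wp.exe
    child in the event stream, most severe first."""
    findings = []
    for ev in events:
        verdict = classify_child(ev)
        if verdict is not None:
            findings.append((verdict[0], _basename(ev["Image"]), verdict[1], ev["CommandLine"]))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for sev, child, reason, cmd in triage(SAMPLE_EVENTS):
        print(f"[{sev.upper():8}] {reason}: {cmd}")
```

Run against real telemetry, the allow-list in EXPECTED_CHILDREN is the part to tune: a worker process that legitimately shells out (some custom handlers do) should be added there rather than silenced globally, so that cmd.exe and encoded PowerShell under w3wp.exe keep their high severity.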
SiegedSec Hacktivist Claims to Strike NATO and Leak Sensitive Docs
Analyst Comments: The claimed attack by SiegedSec is a significant concern because of the sensitivity of the breached data, which could affect NATO's security operations. The group's increasing proficiency and aggression are a matter of global security concern. Its claims of distancing itself from the Russia-Ukraine conflict may be an attempt to avoid being labeled as politically motivated, yet its choice of NATO as a target suggests some geopolitical motivation. The adoption of high-profile targets and high-impact tactics mirrors a growing trend among cyber threat groups, highlighting the need for continued vigilance and robust cybersecurity measures among organizations and institutions.
FROM THE MEDIA: The hacktivist group "SiegedSec" has claimed responsibility for a cyber attack on NATO's COI portal, resulting in the leak of hundreds of sensitive documents and personal details of at least 70 NATO officials. The group, known for its mix of hacktivism and personal gain motives, alleges that the attack was in response to human rights abuses by NATO, rather than any connection to the Russia-Ukraine conflict. Cybersecurity research firm Cyberint reports that SiegedSec often aligns itself with the Anonymous movement and uses high-profile data breaches for publicity.
READ THE STORY: HackRead
New AI Tool 'FraudGPT' Emerges, Tailored for Sophisticated Attacks
Analyst Comments: The evolution and increasing sophistication of cybercriminal AI tools such as FraudGPT underscores the potential threats of adversarial AI. These tools can enable even less-skilled actors to conduct wide-scale, convincing phishing and other cyber-attacks, thus elevating the overall cyber threat landscape. Businesses and individuals need to stay vigilant and ensure they have strong defenses in place, such as multi-factor authentication, employee education programs, and advanced threat detection systems.
FROM THE MEDIA: Cybercriminals are now advertising a new generative AI tool, named FraudGPT, across various dark web marketplaces and Telegram channels. Designed for offensive purposes, the tool can be used to craft spear-phishing emails, create cracking tools, and perform carding operations, according to Netenrich security researcher Rakesh Krishnan. Sold for a subscription cost of $200 a month, FraudGPT could allow novice actors to scale their phishing and business email compromise attacks, leading to unauthorized wire payments and theft of sensitive data. The tool's capabilities underline the importance of a defense-in-depth strategy and prompt analysis of security telemetry to mitigate such fast-moving threats.
READ THE STORY: THN
Chinese telco ZTE is on the hunt for new routes into India
Analyst Comments: The potential partnership between ZTE and Indian companies signifies the telecom provider's effort to assuage the Indian government's security concerns. Amid escalating border tensions and international scrutiny over alleged cyber threats, Chinese telecom providers have been under immense pressure. This move could be seen as an attempt by ZTE to adapt to the evolving telecom landscape and sustain its business in a significant market like India. As the Indian government continues to advocate for gear only from 'trusted' locations, and domestic companies have begun to rely more on equipment from non-Chinese providers like Ericsson, Nokia, Samsung, TCS, and Tejas, the future of Chinese telecom providers in India remains uncertain. It is also worth noting that these discussions are at a preliminary stage and may not lead to a joint venture.
FROM THE MEDIA: ZTE, a Chinese government-owned telecom network provider, is reportedly in talks with Indian companies about transferring technology and designs and establishing a joint venture. This development follows the Indian government's growing security concerns about ZTE's and Huawei's operations, which have seen the two telecom providers relegated to the fringes of India's telecom network and equipment industry. ZTE hopes that partnering with an Indian company will inject a "critical trust factor" into its operations, enabling it to service existing telecom and network companies while also securing new business.
READ THE STORY: ET
Researchers uncover a malware network possibly linked to nation-state cyberattacks
Analyst Comments: The emergence of the Decoy Dog malware campaign demonstrates the continually evolving nature of cyber threats. Given the scale and characteristics of the campaign, it appears to be a preparatory phase for a significant, potential nation-state cyber espionage operation. The reliance on Pupy, an open-source cross-platform RAT designed to run largely in memory and leave little footprint for antivirus products to catch, indicates advanced threat actors with the resources and knowledge to employ sophisticated evasion tactics. The link to Russian IP addresses, while not definitive, may be indicative of Russia's well-documented history of state-sponsored cyber activities.
FROM THE MEDIA: Security researchers at Infoblox have discovered details about a malware campaign they're naming 'Decoy Dog,' which appears to be the foundation of a potential espionage campaign. While many suspicious domains tied to the campaign link to Russian IP addresses, researchers have yet to confirm Russia as the instigator. Over 100 devices are estimated to be infected with the Decoy Dog malware, potentially deployed by as many as four groups, which may not be linked to the same nation-state. The malware appears to use elements of the open-source remote access tool, Pupy, to disguise its activities, and it's unclear who is behind the campaign and how they're gaining access to devices.
READ THE STORY: AXIOS
Beyond ChatGPT: Organizations Must Protect Themselves Against the Power of AI
Analyst Comments: The use of AI in cyberattacks is a growing concern. The ability of AI to automate, accelerate, and refine threat tactics, as well as impersonate human behavior convincingly, amplifies the potential harm and disruption from cyberattacks. As AI becomes more accessible, the number of cyber threat actors could also increase, further escalating the risk. Therefore, organizations need to prioritize the development and implementation of AI-powered defenses to counter these emerging threats. Regular evaluation and testing of breach response plans can also aid organizations in ensuring their readiness and resilience against potential AI-driven cyber threats.
FROM THE MEDIA: With the evolution of artificial intelligence (AI), a new frontier of opportunities and challenges is emerging in cybersecurity. The Thales "2023 Data Threat Report" reveals that over half of enterprises have no formal plan to handle ransomware attacks, which implies a widespread vulnerability to threats, including AI-driven ones. Experts predict that AI-powered ransomware will accelerate the speed of data exploitation, with the capability to automate breaches. Such threats are expected to be relentless and more advanced than human-controlled cyberattacks, able to exploit vulnerabilities and continually modify their attack vectors. AI can also enhance the realism of phishing attempts, and its accessibility may increase the number of threat actors. In response, AI-powered defenses are necessary, and organizations need to update their detection capabilities accordingly. Continuous evaluation and testing of breach response plans are also advised to prepare for future threats.
READ THE STORY: DARKReading
China allegedly turns to transnational criminals to spread disinformation in Australia
Analyst Comments: This report highlights the sophistication of state-sponsored disinformation campaigns, especially those led by China, and raises concerns about the intersection of criminal networks and state operations. The alleged use of fake accounts linked to criminal organizations represents an evolution in tactics and could complicate efforts to detect and counter such activities. Moreover, the use of AI-generated profile images underlines the advancement of technologies used in these operations, which could pose a significant challenge to traditional methods of detection and attribution. This also reinforces the need for social media platforms, cybersecurity experts, and governments to collaborate on finding more effective ways to tackle these challenges.
FROM THE MEDIA: The Australian Strategic Policy Institute (ASPI) has published a report suggesting that China is utilizing fake social media accounts associated with transnational criminal groups, such as Warner International Casino, to disseminate online propaganda and misinformation. The findings suggest that China is possibly buying these inauthentic accounts to bolster its covert online influence operations. The research also revealed a recent Chinese influence campaign against Australia that used fake accounts featuring similar AI-generated profile images and behavioral patterns to those promoting Warner International. Despite minimal engagement on most accounts, some real Australians are inadvertently promoting them through social media interactions.
READ THE STORY: The Record
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique
Analyst Comments: The adoption of new tactics by the Casbaneiro operators demonstrates their continuous evolution to avoid detection and increase the effectiveness of their attacks. The use of a UAC bypass to gain administrative privileges on a machine further amplifies the potential damage this malware can cause. The fodhelper.exe technique works only because that binary auto-elevates without a prompt: raising UAC to "Always notify" removes the auto-elevation, and a write to HKCU\Software\Classes\ms-settings\shell\open\command, the key the technique hijacks, is a reliable detection hook. The shift from ZIP to RAR files and the use of spear-phishing emails with embedded HTML file links signify a change in infection methods. These evolving tactics underline the necessity for organizations, especially financial institutions, to stay updated on the latest threat intelligence and adapt their defenses accordingly.
FROM THE MEDIA: The threat actors behind the Casbaneiro banking malware, also known as Metamorfo and Ponteiro, are reportedly using a User Account Control (UAC) bypass to gain full administrative privileges on infected machines, according to cybersecurity company Sygnia. Casbaneiro, which first emerged in 2018 targeting Latin American financial institutions, has traditionally begun its infection chain with a phishing email carrying a malicious attachment. Recently the attackers changed their modus operandi: attacks now start with a spear-phishing email containing an HTML file link that redirects the target to download a RAR file, rather than the previous malicious PDF attachments with ZIP file download links. The other significant change is the use of fodhelper.exe, an auto-elevating Windows binary, to bypass UAC and attain high-integrity execution.
READ THE STORY: THN
Sneaky Python package security fixes help no one – except miscreants
Analyst Comments: A public catalog of security commits such as PySecDB could greatly improve the visibility of Python security patches, helping developers keep their applications and dependencies current with fixes that never received a CVE. The overall security of Python-based software could improve as a result, and the window for exploitation could shrink. The same visibility cuts both ways, however: cataloguing silent fixes also points attackers at vulnerabilities that were never formally disclosed and that many downstream users have not yet patched.
FROM THE MEDIA: Many Python security updates are implemented through "silent" code commits that do not have associated Common Vulnerabilities and Exposures (CVE) identifiers, making it harder for developers to recognize and rectify security flaws in their code. In response to this issue, a group of researchers from George Mason University and Dougherty Valley High School in the United States have proposed the creation of a database of security commits, known as PySecDB, to make Python code repairs more visible to the community. PySecDB includes security commits associated with CVE identifiers, commits identified through keyword searches, and commits detected using a graph neural network model called SCOPY. The researchers hope that this resource will help developers identify and address security vulnerabilities more effectively.
READ THE STORY: The Register
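One of the three sources PySecDB draws on is keyword search over commit messages, and its limits are exactly the "silent fix" problem the story describes. The block below is an added example written for this digest, not the PySecDB dataset or the SCOPY model: it applies a CVE-reference check and a security-vocabulary match to a handful of constructed commit messages (the ids are synthetic) and reports how many it can label at all. The silent fix and the false positive in the sample are there on purpose.

```python
"""Message-only triage of commits for likely security fixes.

Added example, not PySecDB or SCOPY. SAMPLE_COMMITS is constructed;
the ids are synthetic placeholders.
"""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
SECURITY_TERMS = [
    "overflow", "overrun", "out-of-bounds", "use-after-free", "traversal",
    "injection", "xss", "csrf", "ssrf", "rce", "dos", "denial of service",
    "sanitize", "sanitise", "escape", "unsafe", "untrusted", "spoof",
    "vuln", "vulnerability", "exploit", "security", "advisory",
    "authorization", "authentication", "privilege", "bypass",
    "timing attack", "leak", "disclosure",
]
TERM_RE = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in SECURITY_TERMS) + r")\b",
                     re.IGNORECASE)

SAMPLE_COMMITS = [
    {"id": "c1", "message": "Fix stack buffer overflow in tokenizer on inputs over 64 KiB"},
    {"id": "c2", "message": "Reject path traversal in archive extraction (security)"},
    {"id": "c3", "message": "Handle an edge case in URL parsing"},          # silent fix
    {"id": "c4", "message": "Bump version to 2.4.1 and refresh changelog"},  # not security
    {"id": "c5", "message": "Refactor query builder; escape quotes consistently"},  # keyword hit, maybe benign
]


def classify(message):
    """Return (label, matched): 'cve' when a CVE id is cited, 'keyword' when
    security vocabulary appears, otherwise 'unclassified'."""
    cve = CVE_RE.search(message)
    if cve:
        return "cve", [cve.group(0)]
    hits = sorted({m.lower() for m in TERM_RE.findall(message)})
    return ("keyword", hits) if hits else ("unclassified", [])


def triage(commits):
    """Map commit id -> (label, matched terms)."""
    return {c["id"]: classify(c["message"]) for c in commits}


def coverage(commits):
    """Fraction of commits the message-only heuristics could label at all;
    the remainder is what code-level analysis (a SCOPY-style model) must find."""
    labels = [label for label, _ in triage(commits).values()]
    return sum(label != "unclassified" for label in labels) / len(labels)


if __name__ == "__main__":
    for cid, (label, hits) in triage(SAMPLE_COMMITS).items():
        print(f"{cid}: {label:12} {hits}")
    print(f"message-level coverage: {coverage(SAMPLE_COMMITS):.0%}")
```

On the sample, c3 is the silent fix: nothing in its message distinguishes it from routine maintenance, so only a diff-level signal can surface it, while c5 shows that vocabulary matching also pulls in ordinary refactors. Both are why a curated database has to combine the message heuristics with code analysis and human review rather than rely on either alone.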
macOS RedLine Stealer malware found on fake blockchain games
Analyst Comments: The delivery of RedLine Stealer to macOS users demonstrates that no operating system is immune to cyber threats. The use of blockchain-based games to distribute malware is also a growing concern, given the popularity of such games. Cybercriminals are becoming more innovative, exploiting popular trends to trap unsuspecting victims. Organizations and individuals should remain vigilant when interacting with unverified online gaming platforms. Security training and awareness campaigns can be effective tools in helping users recognize and avoid such threats.
FROM THE MEDIA: Counterfeit games are being used to deliver malware to macOS systems, as revealed by a malware researcher known as iamdeadlyz. The malware, spread through a fictitious online gaming project called "PureLand", is a new version of the previously discovered "Pearl Land Metaverse". What makes PureLand distinctive is that it runs on macOS, which had not been seen in this campaign before. The fake games serve as bait and carry a data-stealing tool known as "RedLine Stealer", which extracts login credentials from various sources and collects other sensitive data. Fake gaming platforms used by PureLand include Destruction, Evolion, Olymp of Reptiles, and Brawl Earth.
READ THE STORY: CyberNews
Items of interest
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder
Analyst Comments: The recent attack highlights North Korea's ongoing efforts to leverage cyber-espionage and financially motivated hacking operations to support the nation's strategic goals. As these actors continue to hone their capabilities and increase their sophistication, organizations should reinforce their security posture by implementing multi-layered defense strategies, robust cybersecurity awareness training, and regular vulnerability assessments. The targeting of macOS systems also reinforces the need for users of all operating systems to maintain vigilance and apply necessary security updates to protect against malware threats.
FROM THE MEDIA: North Korean nation-state actors have been linked to a recent hack of the JumpCloud platform, which was discovered after an operational security (OPSEC) blunder exposed their actual IP address. The threat group, known as UNC4899, is affiliated with the Reconnaissance General Bureau (RGB) and overlaps with other hacking groups such as Jade Sleet, TraderTraitor, and APT43. The attack started with a spear-phishing campaign that compromised JumpCloud, leading to breaches at several customer sites. The hackers targeted four Apple systems running macOS Ventura versions 13.3 or 13.4.1, showing North Korean actors' continued interest in developing malware tailored for the macOS platform.
READ THE STORY: THN
North Korea and the triads: gangsters, ghost ships, and spies (Video)
FROM THE MEDIA: A convicted gambling tycoon, a Hong Kong gold trader, and a racing car driver from Macau: the FT and think-tank Rusi reveal some of the individuals behind a network connecting Chinese criminal groups to North Korean oil procurement and intelligence operations which help to sustain the country's military and nuclear weapons program.
Kim's Cash Flow: The Brutal Money System of North Korea (Video)
FROM THE MEDIA: How is it possible that North Korea, one of the poorest countries on earth, finances a nuclear weapons program large enough to challenge the USA? The answer: Bureau 39, a legendary organization nestled deep inside the government apparatus. Its aim is to procure foreign exchange by any means possible to provide Kim Jong-un's regime with money.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.