Daily Drop (554): China: Gallium and Germanium, Children’s Digital Privacy Bills, Africa: Russian Instructors, DPRK: Russian Defense Minister, Ubuntu Linux Cloud, TSA: Pipelines, Apache Tomcat Servers
Friday, Jul 28, 2023
Russian Defense Minister in North Korea
Analyst Comments: Shoigu's visit signifies the continued diplomatic and military ties between Russia and the DPRK. The acknowledgment of the DPRK's victory in the Korean War and the emphasis on bilateral ties and cooperation between the two nations' defense departments suggest an intention on Russia's part to further strengthen these ties. The visit and the ensuing talks can be seen as part of Russia's broader foreign policy approach to maintain strategic partnerships and balance in East Asia.
FROM THE MEDIA: The Russian Minister of Defense, General of the Army Sergei Shoigu, has led a military delegation to the Democratic People's Republic of Korea (DPRK), according to an announcement by the Russian Ministry of Defence. A welcoming ceremony for the delegation took place at Pyongyang Sunan International Airport, with the DPRK's Minister of Defense, General of the Army Kang Sun-nam, personally greeting Shoigu. The Russian delegation is set to partake in events marking the 70th anniversary of the Day of Victory in the Great Fatherland Liberation War of 1950-1953. Shoigu also held talks with Kang Sun-nam in Pyongyang, emphasizing the importance of cooperation between Russia and the DPRK in ensuring peace and stability on the Korean Peninsula.
READ THE STORY: ModernDiplomacy
Prices of gallium and germanium rise as China's export controls loom
Analyst Comments: The immediate impact of these export controls could be damaging to the global semiconductor industry, potentially leading to higher manufacturing costs and delays in the production of advanced chips. The U.S. and other countries heavily dependent on Chinese supplies will feel the brunt of this change, at least in the short term. These measures could also encourage other countries to reduce their reliance on China for these critical materials and diversify their supply chains, similar to the situation with rare earth elements in 2010. It might stimulate increased production elsewhere, although such changes would take time to implement effectively. While this may create short-term disruptions and economic losses, it could also potentially foster long-term resilience in the global tech supply chain. The challenge here is the timing and ability of these countries to adjust their supply chains and potentially increase their production capacities.
FROM THE MEDIA: China is implementing export controls on gallium and germanium, two key materials in chipmaking, causing prices to rise significantly. The restrictions, seen as a response to technology export blocks by the US and other countries, are due to take effect on August 1. The measures could potentially increase the costs of manufacturing electronic products and hinder the development of advanced chips. China is the largest global supplier of both gallium and germanium, contributing 80-98% and approximately 60% of the world supply respectively. This has prompted some companies to start stockpiling the materials or goods reliant on them. US Commerce Secretary Gina Raimondo admits that American companies' revenues could be impacted by the restrictions but believes the measures are necessary for national security.
READ THE STORY: The Register
Russian Military Instructors Fighting Terrorism and Ensuring Security Across Africa
Analyst Comments: Russia's increased engagement in Africa underscores its strategic interests in the continent, particularly in terms of accessing resources and expanding its influence. The military cooperation and arms contracts reflect Moscow's soft power strategy, which involves providing support to African nations in return for economic and geopolitical benefits. However, allegations of human rights abuses tied to Russian private military companies could tarnish Russia's image in the region and internationally. The scale of the alleged abuses, particularly in Mali, may create tension between Russia and other international stakeholders, such as the UN, the African Union, ECOWAS, and France. Russia's blocking of an independent investigation into the alleged massacre in Mali might further strain these relationships.
FROM THE MEDIA: Ahead of the second Russia-Africa summit in St. Petersburg, Russian President Vladimir Putin has reiterated Moscow's commitment to supporting peace and political stability in Africa. The theme of the summit is "For Peace, Security and Development". Russia's Deputy Foreign Minister, Mikhail Bogdanov, affirmed Russia's readiness to enhance defense cooperation with African nations. Additionally, CEO of Russian arms export agency Rosoboronexport, Alexander Mikheev, stated the agency has signed over 150 military contracts with African countries since 2019, valued at over $10 billion. Concerns have been raised over Russia's methods of support, including alleged ties with the private military company, Wagner Group, which is accused of human rights abuses in Mali and the Central African Republic (CAR). The African Union and ECOWAS have been urged to invoke the African Convention for the Elimination of Mercenaries to prohibit Wagner from operating in Africa. Russia has blocked a request from France at the UN Security Council for an investigation into the alleged massacre of several hundred civilians in Mali.
READ THE STORY: ModernDiplomacy
Japan is ‘gravely concerned’ by China and Russia’s military co-operation
Analyst Comments: The increasing military collaboration between Russia and China, two of the most powerful nations globally, poses a significant strategic concern for Japan. Joint military exercises in disputed waters exacerbate these concerns, especially given Japan's territorial disputes with both countries. Furthermore, the rapidly tilting military balance between China and Taiwan in favor of Beijing complicates the situation, considering Japan's commitment to Taiwan's defense. In response, Japan's upgraded security strategy, which deviates significantly from its post-war pacifist stance, indicates a shift in the country's defense policy. The planned increase in defense spending signals Japan's readiness to enhance its military capabilities in response to perceived threats.
FROM THE MEDIA: Japan's recent defense white paper expressed "grave concern" over the escalating military cooperation between China and Russia, which is perceived as a significant security threat. This concern follows the largest joint naval and air exercise between China and Russia in the Sea of Japan. The white paper also noted the rapid shift in the military balance between China and Taiwan in Beijing's favor and reiterated that China's growing military aggression poses an "unprecedented and the greatest strategic challenge." Tokyo has responded to these threats by strengthening the Japan Coast Guard's cooperation with the Self-Defence Forces (SDF), loosening restrictions on SDF weapon use, and planning to boost defense spending to approximately 2% of its current GDP.
READ THE STORY: FT
Sweeping and controversial children’s digital privacy bills head to full Senate
Analyst Comments: The advancement of the bills is significant in the ongoing efforts to regulate the technology industry, particularly social media platforms, and their interaction with children. The legislation attempts to balance the need for protecting children online while avoiding censorship or infringement of rights. However, opposition from civil rights groups indicates that achieving this balance is challenging. In terms of practical implementation, these bills might require tech companies to make significant adjustments in their content filtering and data collection policies. Age verification could potentially lead to further privacy issues as it may necessitate asking for identification, thus collecting more personal data.
FROM THE MEDIA: The U.S. Senate Commerce, Science, and Transportation Committee has advanced two bills designed to enhance children's online privacy and safety: the Kids Online Safety Act (KOSA) and the Children and Teens Online Privacy Protection Act (COPPA 2.0). KOSA would require platforms to filter content directed towards users under 17, with an aim to prevent exposure to harmful topics like suicide and anorexia. COPPA 2.0 seeks to prevent online services from collecting data from individuals under 17, extending the previous age limit of 13. Despite support from various children's privacy groups and mental health organizations, there is opposition from freedom of expression and data privacy groups like the Electronic Frontier Foundation, the Center for Democracy and Technology, and the ACLU, who argue that the bills will limit access to important information and violate privacy rights.
READ THE STORY: The Record
Ubuntu Linux Cloud Workloads Face Rampant Root Takeovers
Analyst Comments: These vulnerabilities pose a significant risk, given the prevalent use of Ubuntu in cloud environments. The open-source nature of Linux and the freedom it gives distributions to modify the OS to suit their deployment needs may also contribute to such issues, demonstrating the complex relationship between the Linux kernel and the various distros that carry their own patches. To mitigate these vulnerabilities, immediate patching of affected workloads is critical. Restricting OverlayFS use to root users offers a simpler interim mitigation.
FROM THE MEDIA: Security researchers at Wiz have identified two serious vulnerabilities, dubbed "GameOverlay," in the OverlayFS module of Ubuntu Linux, specifically affecting the versions used in cloud environments. These vulnerabilities, tagged as CVE-2023-2640 and CVE-2023-32629, could allow an attacker to execute code with root privileges on nearly 40% of Ubuntu Linux cloud workloads. The flaws result from changes Ubuntu made to the OverlayFS module in 2018, which became problematic when combined with changes made to the Linux kernel project in 2019 and 2022. The exploitation of these vulnerabilities could permit the creation of specialized executables that escalate privileges to "root" on affected machines.
READ THE STORY: DARKReading
TSA renews cybersecurity guidelines for pipelines
Analyst Comments: The renewal of these regulations indicates the ongoing concern about the security of critical infrastructure and the rising threat of cyber attacks. These new rules illustrate the U.S. government's efforts to mitigate the risks associated with these attacks by requiring critical infrastructure operators to maintain robust cybersecurity measures and practices. The changes are also reflective of the dynamic nature of cybersecurity, requiring rules to be adapted and updated periodically to keep pace with evolving threat landscapes. The modifications to the original regulations also seem to show that the TSA is considering feedback from operators and experts, which is a positive step towards practical, effective security measures.
FROM THE MEDIA: The U.S. Transportation Security Administration (TSA) has renewed its cybersecurity regulations for operators of pipelines that transport hazardous liquids, natural gas, and facilities for liquefied natural gas. This follows the original introduction of these regulations in 2021 after the ransomware attack on Colonial Pipeline. The new rules, which became effective last Thursday, closely mirror the previously issued ones with a few changes to provide operators more flexibility and close loopholes. Operators are required to implement multiple cybersecurity measures such as incident response plans, cybersecurity coordinator roles, vulnerability scans, and network segmentation, among others. TSA officials now also have the right to inspect, maintain, and test security facilities, equipment, and systems.
READ THE STORY: The Record
Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining
Analyst Comments: This campaign reveals an increased interest from cybercriminals in exploiting poorly secured or misconfigured servers for deploying malware and carrying out cyberattacks, particularly DDoS attacks. The use of the Mirai botnet and the employment of cryptocurrency miners underlines the continuous evolution of the threat landscape, as attackers leverage different strategies and tools to maximize their gains. In light of these findings, organizations should prioritize securing their environments and implementing robust credential hygiene to prevent such brute-force attacks.
FROM THE MEDIA: Security company Aqua has detected a new campaign that is targeting Apache Tomcat servers to deliver the Mirai botnet malware and cryptocurrency miners. Over a two-year period, Aqua discovered over 800 attacks on its Tomcat server honeypots, with 96% of these attacks linked to the Mirai botnet. A significant proportion of these attacks used a web shell script called "neww," which launches a brute force attack to gain access to the Tomcat web application manager. Once successful, the attackers deploy a malicious web shell class that listens to remote requests and executes arbitrary commands on the Tomcat server. The ultimate malware deployed is a variant of the Mirai botnet, which uses infected hosts to carry out distributed denial-of-service (DDoS) attacks.
READ THE STORY: THN
NATO probes hacktivist crew's boasts of stolen portal data
Analyst Comments: If the claims of the breach are confirmed, it would underscore the vulnerability of even high-profile international organizations to cyberattacks. Even though the information is unclassified, the leaked data could potentially be exploited for social engineering, phishing, or other targeted attacks. Such leaks can harm the reputation of the affected organization and erode trust among its partners. The possible use of stolen credentials to breach the portal indicates a recurring challenge for organizations in maintaining credential hygiene and managing access controls. Regularly updating and enforcing strong password policies, along with implementing multi-factor authentication, are essential for mitigating such risks. SiegedSec's politically motivated attacks demonstrate the need for organizations, especially those associated with governments and high-profile international entities, to remain vigilant against such threat actors.
FROM THE MEDIA: A hacking group named SiegedSec, known for its politically motivated cyberattacks, claims to have breached NATO's unclassified information-sharing and collaboration IT environment, stealing information from 31 nations. The stolen data, amounting to 845 MB, was supposedly leaked via the hackers' Telegram channel. The group claims that the attack is retaliation against NATO countries for their perceived attacks on human rights. The breached portal, the Communities of Interest (COI) Cooperation Portal, doesn't contain classified information, yet the leaked data allegedly includes 8,000 personnel records and various unclassified documents. NATO's cybersecurity team is currently investigating these claims.
READ THE STORY: The Register
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities
Analyst Comments: The use of legitimate internet services for C2 obfuscation presents a significant challenge for cybersecurity defenses. This method can evade traditional detection mechanisms, as the traffic to these services can often blend with normal network activity. BlueBravo's continual evolution and diversification of its tools indicate a high degree of sophistication, necessitating proactive and advanced defensive measures. The targeting of diplomatic entities further underscores the strategic objectives of these cyberattacks, often aimed at espionage. Organizations, particularly those in sensitive sectors, need to remain vigilant and implement robust cybersecurity measures, such as employee awareness training, phishing defenses, regular software updates, and continuous network monitoring.
FROM THE MEDIA: Russian state-sponsored actor BlueBravo, also known as APT29, has been found targeting diplomatic entities in Eastern Europe to deliver a new backdoor malware named GraphicalProton. This group is notable for using legitimate internet services for command-and-control (C2) obfuscation. In the recent attack, it employed Microsoft's OneDrive and Dropbox for communication. The malware is usually delivered via phishing emails containing an ISO or ZIP file. Upon clicking a .LNK file disguised as a .PNG image in these files, GraphicalProton is deployed, leading to further exploitation.
READ THE STORY: THN
New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
Analyst Comments: The Nitrogen campaign indicates an evolving threat landscape, with threat actors increasingly leveraging online advertising platforms for their operations. This campaign's methodology, which combines advanced techniques like uncommon export forwarding and DLL preloading with pay-per-click advertisements, shows the increasing sophistication of cybercriminal operations. Enterprises should bolster their cybersecurity defenses and continuously update their threat intelligence to counter such evolving threats.
FROM THE MEDIA: A malvertising campaign dubbed Nitrogen is using ads on Google Search and Bing to target users who are searching for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP. Cybersecurity firm Sophos reported that attackers trick users into downloading trojanized installers, aiming to breach enterprise networks and possibly execute future ransomware attacks. The campaign was first documented by eSentire in June 2023, and its operation involves redirecting users to compromised WordPress sites hosting malicious ISO image files that lead to the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system.
READ THE STORY: THN
Democracy in danger: AI, supercomputers, and the loss of human agency
Analyst Comments: Pantaleoni's insights reflect the increasing concern regarding the role of tech companies and AI in our societies. His argument that the primary danger lies in the attention economy, the concentration of power, and growing social disparities—not AI itself—is worth considering, especially given his significant experience in the tech industry. The concerns about fake news and misinformation, fueled by AI algorithms, are increasingly relevant in our digitally connected world. This underscores the importance of regulatory oversight for tech companies, a step that Pantaleoni supports.
FROM THE MEDIA: Jacopo Pantaleoni, a former Principal Engineer and Research Scientist at NVIDIA, warns of the dangers associated with technological advancements, specifically the role of AI in society. He emphasizes that the real danger is not AI, but the combination of automated extraction of human attention, increasing power concentration in a few tech companies, and widening social disparities. Pantaleoni also brings attention to the erosion of democracy and the rise of fake news caused by machine learning algorithms. His upcoming book, "The Quickest Revolution: An Insider's Guide to Sweeping Technological Change And Its Largest Threats," explores the subject in depth, focusing on the rapid increase in computational capabilities. He highlights that our fastest processors can execute over 100 trillion operations per second and that we're developing supercomputers faster than an Exaflop, performing billions of billions of operations per second. Despite these advancements, Pantaleoni questions whether humans truly comprehend the speed and capabilities of these machines.
READ THE STORY: Cybernews
Forged Azure Access Tokens Exploited by Storm-0558: A Cloud Vulnerability Transparency Gap
Analyst Comments: The Storm-0558 attack revealed significant issues in cloud security, particularly the lack of transparency around cloud vulnerabilities, under-communication, and under-documentation of these issues, and the absence of assigned CVE IDs. Microsoft's initial underestimation of the attack's extent and the ambiguous official documentation exemplify the communication and documentation deficiencies that can exacerbate cybersecurity risks. Additionally, the absence of CVE IDs for cloud vulnerabilities hinders the tracking and management of these threats, making it difficult for organizations to prioritize their remediation efforts.
FROM THE MEDIA: In May 2023, Storm-0558, a threat actor group from China, breached around 25 organizations, including government agencies, by using forged Azure Access tokens to gain unauthorized access to user emails hosted on the public cloud. This security breach was first noticed by a Federal Civilian Executive Branch (FCEB) agency in June 2023, which detected unusual MailItemsAccessed events in the M365 Audit Logs and reported it to Microsoft and CISA. An investigation revealed that the threat actor used an inactive Microsoft Account (MSA) consumer signing key to forge authentication tokens for both Azure AD enterprise and MSA consumer accounts. The attacker also used the GetAccessTokenForResource API to obtain new access tokens by presenting previously issued tokens. This allowed them to extract email-related data, such as emails, attachments, conversations, and email folder information. However, according to Microsoft, Azure AD keys used for enterprise accounts were not compromised.
READ THE STORY: SecurityBoulevard
Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches
Analyst Comments: This advisory reflects the continued importance of robust authentication and authorization processes and the role of secure development practices in protecting sensitive data. The prominence of IDOR and the misuse of valid accounts in successful cyberattacks underline the need for robust access control measures, including stringent password policies and multifactor authentication, as well as diligent monitoring of access logs and network communication logs for abnormal activities. It also highlights the need for organizations to periodically audit their active accounts and promptly deactivate accounts that are no longer in use. As technology continues to evolve, so too will the methods employed by malicious actors. Therefore, it's crucial that businesses and organizations continue to prioritize cybersecurity and stay informed about the latest threats and best practices for mitigating them.
FROM THE MEDIA: The Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) have released a joint advisory warning about security flaws in web applications, particularly focusing on Insecure Direct Object Reference (IDOR) bugs. IDOR is an access control vulnerability that allows malicious actors to access or alter sensitive data by manipulating user identifiers. This type of vulnerability could potentially compromise the personal, financial, and health data of millions of users. To counter such threats, the advisory recommends that developers and vendors adopt secure-by-design and -default principles, and enforce rigorous authentication and authorization checks for every request that accesses, modifies, or deletes sensitive data.
READ THE STORY: THN
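As an added illustration that is not from the advisory or the article: a record lookup that trusts the client-supplied id (the IDOR pattern the advisory describes) beside a hardened version that runs the same authorization check on every read, update and delete, as the advisory recommends. The users, ids and records are constructed sample data.

```python
"""IDOR: a lookup keyed only by the request's id, beside one that checks
the caller's authorization on every operation (constructed sample data)."""
from dataclasses import dataclass


@dataclass
class Record:
    owner: str
    body: str


# Constructed sample data: sequential ids make neighbouring records trivial
# to guess, which is exactly why the authorization check must not be skipped.
RECORDS = {
    101: Record(owner="alice", body="alice's medical history"),
    102: Record(owner="bob", body="bob's bank statement"),
}


class Forbidden(Exception):
    """Raised when the authenticated caller may not touch the record."""


def get_record_insecure(caller: str, record_id: int) -> str:
    """Vulnerable: authenticates the caller but never checks ownership,
    so any logged-in user can read any record by changing the id."""
    return RECORDS[record_id].body


def _authorize(caller: str, record_id: int) -> Record:
    """Authorization check shared by every data-touching operation."""
    rec = RECORDS.get(record_id)
    # Same error for 'missing' and 'not yours', so probing ids does not
    # reveal which ones exist.
    if rec is None or rec.owner != caller:
        raise Forbidden(f"{caller} may not access record {record_id}")
    return rec


def get_record(caller: str, record_id: int) -> str:
    """Hardened read: ownership is verified before any data is returned."""
    return _authorize(caller, record_id).body


def update_record(caller: str, record_id: int, body: str) -> None:
    """Hardened modify: the same check guards writes, not just reads."""
    _authorize(caller, record_id).body = body


def delete_record(caller: str, record_id: int) -> None:
    """Hardened delete: the same check guards destructive operations."""
    _authorize(caller, record_id)
    del RECORDS[record_id]


def list_records(caller: str) -> list:
    """Scope enumeration to the caller instead of exposing every id."""
    return sorted(i for i, r in RECORDS.items() if r.owner == caller)


def denied(fn, *args) -> bool:
    """True if the operation was refused; used to demonstrate the checks."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Each of `get_record`, `update_record` and `delete_record` goes through `_authorize`, so adding a new endpoint without the check is a code-review finding rather than a silent regression.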
Items of interest
Bitcoin could be in danger as quantum computing advances
Analyst Comments: Bitcoin, along with other cryptocurrencies, may face significant challenges as quantum computing technology progresses. However, this threat should be taken into context. Quantum computing is a cutting-edge field and the creation of quantum computers capable of disrupting Bitcoin's security is likely still years, if not decades, away. Furthermore, it is probable that as quantum technology advances, so too will the cryptographic techniques used to secure Bitcoin and other digital assets.
FROM THE MEDIA: Quantum computing advancements, particularly by IBM and Google, are causing concern for the future of Bitcoin due to potential vulnerabilities in its cryptographic protocols. Quantum computers could theoretically undermine Bitcoin's blockchain security and integrity by producing new blocks at unprecedented rates, leading to significant increases in Bitcoin mining difficulty. The quantum algorithms relevant to these attacks are Grover's algorithm, which poses a risk to cryptographic hashing, and Shor's algorithm, which can break the encryption protecting individual wallets. The exact number of qubits needed to crack Bitcoin is still debated, with estimates ranging from a few hundred to billions. Despite the threats, it's believed that practical quantum attacks on Bitcoin are still decades away.
READ THE STORY: Cybernews
Extracting Wi-Fi Password from Netgear N300 Router over UART (Video)
FROM THE MEDIA: In this video, we get a UART shell on a Netgear N300 Wi-Fi router and extract the SSID and password.
Chip-Off Firmware Extraction on a Linux Embedded Device (Video)
FROM THE MEDIA: In this video, we demonstrate a chip-off firmware extraction on a Linux embedded device, using the proper amount of flux. We use the XGecu T56 universal programmer to read the firmware off the TSOP48 M29W640GT flash chip made by ST. After reading the firmware, we show how to reattach the flash chip so the device works again.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.