Daily Drop (555): China: American Companies, STARK#MULE, AI chatbots rebel, HP: Thailand and Mexico, Japan: Military Buildup, Phone Surveillance ‘Loophole’, Hackers Deploy "SUBMARINE" Backdoor
07-29-23
Saturday, Jul 29, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
South Korean Startup to revolutionize satellite orbit prediction
Analyst Comments: The work done by Spacemap addresses a crucial issue of space safety as the number of objects in orbit, including satellites and space debris, continues to rise. With commercial space travel and satellite deployments on the rise, there's an increasing need for accurate prediction and tracking of orbits to prevent potential collisions and to ensure the sustainability of space missions. Spacemap's technology offers a promising solution with its ability to predict satellite orbits and monitor space debris movements, thereby optimizing mission safety and efficiency. The company's unique use of Voronoi diagrams to calculate distances between orbiting objects offers an innovative approach to addressing this issue. As the space industry continues to grow, the demand for such safety measures will likely increase.
FROM THE MEDIA: Spacemap, a South Korean startup, is leveraging its advanced platform technology to enhance safety in space missions. The company's software predicts satellite orbits and space debris movements, aiding in preventing potential collisions. The platform also optimizes fuel usage during missions, aiming to cut costs and boost efficiency. The need for such technology is growing as the number of satellites and space debris objects increases, making space congestion a significant concern.
READ THE STORY: Geospatial World
Chinese strategy towards American companies in China
Analyst Comments: American companies in China present a complex interplay of economic benefits, political risks, and influence dissemination. While these businesses certainly contribute to the Chinese economy and may face restrictions, they also play a pivotal role in promoting American values, accessing competitive markets, and enhancing global competitiveness. The 'Door knock strategy' proposed by the China-U.S. Chamber of Commerce, which involves engaging moderate lawmakers and officials to establish a more responsive interaction with China, could be a promising approach.
FROM THE MEDIA: The presence of American companies in China has been a topic of debate among U.S. officials. Critics argue that American businesses operating in China indirectly support the Chinese Communist Party by paying taxes, hiring local employees, and potentially transferring technology, thus bolstering the Chinese economy. However, supporters assert that the benefits of American companies operating in China far outweigh the risks. They argue that these companies not only gain access to one of the world's most competitive markets, but also serve as agents for spreading American values, such as democratic governance, workers' rights, environmental protection, rule of law, and anti-corruption measures.
READ THE STORY: ModernDiplomacy
STARK#MULE Targets Koreans with U.S. Military-themed Document Lures
Analyst Comments: The activities of this campaign signify an ongoing cyber threat originating from North Korea, targeting South Korean and Korean-speaking individuals. The use of U.S. military-themed document lures showcases a novel social engineering tactic to trick victims into deploying malware on their systems. APT37's expansion of its offensive arsenal and the shift towards leveraging compromised websites for hosting payloads and C2 highlight the evolving sophistication and persistence of these threat actors. This situation underscores the need for strong cybersecurity practices, particularly in the form of user education regarding the dangers of opening suspicious emails and their attachments, even if they appear to come from credible sources.
FROM THE MEDIA: An ongoing cyber attack campaign, referred to as STARK#MULE, has been targeting Korean-speaking individuals by using U.S. Military-themed document lures to deploy malware on compromised systems. Cybersecurity firm Securonix is currently tracking the campaign, which they believe mirrors past attacks from North Korean groups such as APT37, who historically target South Korea, especially government officials. The campaign uses compromised Korean e-commerce websites for staging payloads and command-and-control (C2), and employs phishing emails with U.S. Army recruitment themes to encourage victims to open a ZIP archive file that contains a malware-embedded shortcut file. APT37, also known as Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, has expanded its offensive arsenal with various malware families in recent months, including a Go-based backdoor called AblyGo.
READ THE STORY: THN
How to make today's top-end AI chatbots rebel against their creators and plot our doom
Analyst Comments: The ability to bypass safety mechanisms in LLMs using adversarial phrases poses a significant security risk, especially as these models become more integrated into public-facing applications and services. This loophole might result in the dissemination of harmful, illegal, or inappropriate content, compromising user safety and violating regulatory requirements. The research underscores the necessity for robust adversarial testing prior to deploying such models in the real world. This revelation also emphasizes the need for continued vigilance in AI safety research, to ensure that the increasing sophistication of AI does not outpace the development of necessary safety mechanisms.
FROM THE MEDIA: A team of researchers from Carnegie Mellon University, the Center for AI Safety, and the Bosch Center for AI have discovered a method to bypass the safeguards of large language models (LLMs) such as ChatGPT, Bard, and Claude. Their study, "Universal and Transferable Adversarial Attacks on Aligned Language Models," explains how LLMs can be manipulated into producing inappropriate or harmful content using specific adversarial phrases appended to text prompts. Initial development of attack phrases was done using the Vicuna-7B and LLaMA-2-7B-Chat models, with successful transfers seen on other models such as GPT-3.5, GPT-4, Pythia, Falcon, and Guanaco.
READ THE STORY: The Register
HP to move production of millions of computers to Thailand and Mexico
Analyst Comments: The move by HP follows a trend among US tech companies looking to diversify their supply chains and reduce dependence on China amid increasing geopolitical tensions and rising manufacturing costs in the country. This diversification effort helps mitigate potential risks and takes advantage of emerging production hubs in Southeast Asia. However, it doesn't imply a complete move away from China, as HP has stated its commitment to operations in Chongqing. It may also affect the US tech companies' opportunities in certain sectors like government or public education in China due to local sourcing and manufacturing policies.
FROM THE MEDIA: HP, the top US computer maker, is planning to diversify its personal computer supply chain beyond China by shifting production of millions of consumer and commercial laptops to Thailand and Mexico this year. This is the company's first substantial move to distribute its supply chain. Furthermore, some laptop production will be shifted to Vietnam starting next year. The move comes after competitors Dell and Apple have already made similar shifts away from China.
READ THE STORY: FT
Threat from China prompts major military buildup by Japan, including long-range strike weapons
Analyst Comments: The dramatic shift in Japan's defense strategy underscores the growing tensions in the Asia-Pacific region, primarily due to China's increased military activity. The decision to increase defense spending and acquire advanced weaponry is a significant deviation from Japan's post-World War II pacifist constitution. This development could potentially escalate geopolitical tensions and trigger an arms race in the region. The acquisition of long-range offensive weaponry, traditionally seen as offensive, may increase regional apprehension and could elicit countermeasures from neighboring countries, especially China and North Korea. It is crucial for diplomatic efforts to accompany this defense buildup to prevent further escalation and promote stability in the region.
FROM THE MEDIA: Japan is facing what it considers a security "crisis" primarily from China, causing it to implement its largest military build-up since World War II, according to a defense strategy report. This move includes the acquisition of new strike weapons and asymmetric warfare arms. Japan plans to increase defense spending from $12 billion over the past five years to $31 billion in the next five years, a significant departure from its historic pacifist stance. The new strategy involves Japan taking "primary responsibility" for countering invasions rather than relying heavily on U.S. forces. The Japan Self-Defense Forces will be equipped with long-range Tomahawk cruise missiles, new long-range anti-ship missiles, and advanced missile defenses.
READ THE STORY: Washington Times
US Spies Are Lobbying Congress to Save a Phone Surveillance ‘Loophole’
Analyst Comments: The proposal's introduction highlights the increasing concern about privacy rights in the age of digital data collection. If passed, it could significantly change how intelligence agencies gather information. However, the opposition from the NSA signals potential hurdles in the legislation's path. The report revealing the extensive purchasing of sensitive data further emphasizes the need for regulation in this area. While the response from the director of national intelligence suggests a willingness to make changes, the specifics are yet to be clarified.
FROM THE MEDIA: U.S. lawmakers are trying to prevent government agencies from tracking citizens without a search warrant. The proposed amendment faces opposition from the National Security Agency (NSA), which is lobbying against the amendment that would prohibit U.S. military agencies from paying for location data instead of obtaining a warrant. The House of Representatives has already approved the amendment, which is currently being reviewed in the Senate. A government report has exposed that U.S. intelligence agencies have been buying large amounts of sensitive data on Americans, avoiding the need for a judicial review. The report warns of the potential misuse of this data and the threat it poses to constitutional rights.
READ THE STORY: Wired
Bombs, car chases, and ‘free money’: Dutch gangs blow up German cash machines
Analyst Comments: The situation in Germany underscores the complexity of combating organized crime, especially in a federated system where policing and banking are decentralized. The increase in ATM bombings indicates that current security measures are insufficient to deter criminals. While arrests have been made, the problem persists, suggesting that the criminal networks involved are resilient and adaptable. The strong preference for cash in Germany, compared to other European countries, creates a unique set of challenges that authorities need to address. Improved collaboration between law enforcement agencies and the banking industry seems to be a potential solution, but the complexity of the federal structure in Germany might make this challenging. Furthermore, the social aspects of the problem, such as the involvement of specific communities, will require careful consideration to avoid stigmatizing entire groups.
FROM THE MEDIA: Germany is experiencing an ongoing crime wave involving the bombing of ATMs. These attacks, carried out by organized groups, typically Dutchmen of Moroccan descent, have seen a 27% increase from 2021 to 2022, with 496 cases reported in the latter year. The average amount seized in these attacks is around €100,000, causing a total loss of €30 million in 2022. The criminals exploit the fragmented banking system, decentralized police force, and Germany's preference for cash over digital payments. In response to this rise in criminal activity, policing efforts have increased, and banks are being encouraged to upgrade their security measures.
READ THE STORY: FT
Hackers Deploy "SUBMARINE" Backdoor in Barracuda Email Security Gateway Attacks
Analyst Comments: This disclosure is a serious concern for cybersecurity, as the exploitation of a critical flaw in ESG devices indicates that even highly secure platforms are vulnerable to sophisticated attacks. This persistent backdoor attack highlights the advanced tactics used by threat actors, demonstrating their ability to quickly alter their malware and employ additional persistence mechanisms in response to remediation efforts. The operation, likely originating from China, underscores the escalating global cybersecurity threat.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed the details of a new persistent backdoor, known as SUBMARINE, that has been deployed by threat actors during the hack on Barracuda Email Security Gateway (ESG) appliances. SUBMARINE comprises multiple artifacts, such as a SQL trigger, shell scripts, and a loaded library for a Linux daemon, that collectively enable root privilege execution, command control, persistence, and cleanup. These discoveries were made while analyzing malware samples obtained from an unnamed compromised organization, which had been attacked by threat actors exploiting a critical flaw in ESG devices. The flaw, CVE-2023-2868, permits remote command injection. The group behind the attack, UNC4841, is suspected to have Chinese ties and used this flaw as a zero-day exploit in October 2022 to gain initial access to victim environments. The group then implanted backdoors for maintaining persistence.
READ THE STORY: THN
Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required
Analyst Comments: The discovery of this critical vulnerability in Metabase highlights the ongoing challenge of maintaining software security, especially for widely-used open-source packages. As a tool utilized for business intelligence and data visualization, successful exploitation of the vulnerability in Metabase could have significant impacts, including the potential loss of sensitive information or disruption of key services. It also underlines the importance of keeping such software up to date and regularly monitoring for security patches. While there's currently no evidence of the vulnerability being exploited in the wild, the high number of vulnerable instances suggests that many users have not yet applied the necessary updates.
FROM THE MEDIA: Users of the business intelligence and data visualization software, Metabase, are being urged to update to the latest version due to the discovery of a severe security flaw that could allow for pre-authenticated remote code execution. The flaw, tracked as CVE-2023-38646, affects open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. If exploited, the flaw allows an unauthenticated attacker to run arbitrary commands with the same privileges as the Metabase server. Data from the Shadowserver Foundation reveals that 5,488 out of the 6,936 Metabase instances are vulnerable as of July 26, 2023. Users unable to apply patches immediately are advised to block requests to the /api/setup endpoint and isolate the Metabase instance from their production network.
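The advisory summarized above gives two concrete facts a defender can act on: the fixed versions (0.46.6.1 for open-source, 1.46.6.1 for Enterprise) and the interim mitigation of blocking the /api/setup endpoint. The following Python is an added example, not code from the article, Metabase or Shadowserver; it compares version strings against the stated cutoffs and triages a constructed inventory of hosts. It assumes Metabase open-source versions begin with 0. and Enterprise versions with 1. (which matches the two fixed versions the article names), that the version tag can be read from the version.tag field of the /api/session/properties response (an assumption about that endpoint's shape), and it conservatively flags anything older than the stated fix version, without modelling backported point releases on older branches.

```python
"""Triage Metabase instances against the CVE-2023-38646 fixed versions.

Added example. Fixed versions taken from the advisory text: open-source
0.46.6.1, Enterprise 1.46.6.1. Hostnames and versions below are constructed.
"""
import re

# Fixed versions per the advisory; keyed by edition.
FIXED = {
    "oss": (0, 46, 6, 1),         # open-source: fixed in 0.46.6.1
    "enterprise": (1, 46, 6, 1),  # Enterprise: fixed in 1.46.6.1
}

# Constructed sample inventory (not real hosts): host -> reported version tag.
SAMPLE_INVENTORY = {
    "bi-prod.internal": "v0.46.6",
    "bi-staging.internal": "v0.46.6.1",
    "bi-finance.internal": "v1.46.2",
    "bi-legacy.internal": "1.46.6.1",
}


def parse_version(ver):
    """Turn 'v0.46.6' or '1.46.6.1' into a 4-tuple of ints (missing parts are 0)."""
    ver = ver.strip().lstrip("v")
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised Metabase version: {ver!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def edition(parsed):
    """Assumption: a leading 1 marks Enterprise, a leading 0 marks open-source."""
    return "enterprise" if parsed[0] == 1 else "oss"


def is_vulnerable(ver):
    """True when the version is older than the fixed version for its edition."""
    parsed = parse_version(ver)
    return parsed < FIXED[edition(parsed)]


def extract_version(session_properties):
    """Pull the version tag out of a /api/session/properties JSON document.

    Assumption: the document carries {"version": {"tag": "v0.46.6"}}.
    """
    return session_properties.get("version", {}).get("tag")


def triage(inventory):
    """Return the sorted list of hosts still running a vulnerable version."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable, patch or block /api/setup and isolate")
```

Hosts the triage reports are the ones for which the article's interim advice applies: block requests to /api/setup at the reverse proxy and keep the instance off the production network until it is updated.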
READ THE STORY: THN
US Senator demands feds investigate Microsoft over China email and SolarWinds hack
Analyst Comments: Senator Wyden's call for holding Microsoft accountable highlights growing concern about the cybersecurity practices of large tech companies. The senator emphasizes the importance of software developers being accountable for their products' vulnerabilities, especially when they can lead to breaches of national security. If successful, this action could set a precedent for how software vendors are held accountable for security incidents in the future. The SolarWinds and Storm-0558 hacks exploited Microsoft's vulnerabilities, demonstrating the potential impact of software security lapses. These attacks resulted in significant breaches, including the compromise of US government officials' email accounts. Thus, Wyden's call for accountability is an important step toward strengthening cybersecurity measures and practices.
FROM THE MEDIA: Oregon Senator Ron Wyden is urging the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), and the Justice Department (DoJ) to take action against Microsoft due to security failures that led to two major hacking campaigns: a recent Chinese-led cyberespionage effort and the 2020 SolarWinds hack. In a letter, Wyden said Microsoft should be held responsible for its "negligence." He referenced an incident where a China-based threat actor, named Storm-0558, gained access to hundreds of thousands of government emails from top US officials and nearly two dozen other organizations, blaming a validation error in Microsoft's code.
READ THE STORY: Cybernews
China’s Wuhan Earthquake Center Suffers Cyber-Attack
Analyst Comments: The attack on the Wuhan Earthquake Monitoring Center contributes to the escalating cyber tensions between the US and China. The alleged state-sponsored nature of the attack reflects an escalating trend in cyber warfare, where state-affiliated or state-backed groups carry out cyber attacks against foreign infrastructure and organizations. While the Chinese report suggests the US is behind the attack, concrete evidence has yet to be presented. The use of proxies and VPNs in such attacks often makes attribution challenging. As mentioned by cybersecurity expert Ian Thornton-Trump, it is unlikely that a US-affiliated group would use an IP address directly traceable back to the US. Furthermore, the choice of target, a public safety service, could raise questions about the motivations and implications of such an attack.
FROM THE MEDIA: The Wuhan Earthquake Monitoring Center in China has been the victim of a cyber-attack allegedly carried out by a hacker group with an "overseas government background." The attack, revealed by the Wuhan Municipal Emergency Management Bureau, was reported by Global Times newspaper, which is owned by the Chinese Communist Party. The report suggests the attack originated from the US, citing a foreign Trojan horse program discovered at the center. The incident comes amid escalating cyber tensions between the US and China, with recent attacks compromising organizations including the US government.
READ THE STORY: InfoSecMag
School for semiconductors? Arm tries to address chip talent shortages
Analyst Comments: This initiative by Arm and its partners is a timely response to the urgent need for specialized skills in the semiconductor industry, which is essential for technological innovation and growth. The potential impact of the SEA is significant, given the scale of the talent shortage worldwide. However, success will rely heavily on the extent of collaboration and resource-sharing between industry stakeholders, academia, and educational institutions. It will also be important to create attractive career pathways in the sector to retain talent. The initiative also underscores the importance of public policy in supporting industries critical to national security and economic competitiveness.
FROM THE MEDIA: Arm, the chip designer, has initiated the Semiconductor Education Alliance (SEA) to address the global shortage of crucial skills in the semiconductor industry. This alliance brings together multiple industry stakeholders with the objective of sharing resources and expertise to support growth. A few projects are already underway, including creating educational resources for chip design and a system-on-chip (SoC) design platform for academia. This initiative is a response to the increasing global drive to strengthen domestic semiconductor industries, reduce reliance on Asian chips, and ensure supply resilience against global disruptions like the Covid-19 pandemic.
READ THE STORY: The Register
FBI warns of adversaries using AI in influence campaigns, cyberattacks
Analyst Comments: These revelations underline the increasingly complex and evolving landscape of cybersecurity risks posed by the misuse of AI. As AI continues to become more integral to various sectors, its misuse in the hands of adversaries could significantly escalate threats. While AI can drive innovation and efficiency, its potential misuse poses new challenges in terms of regulation, ethics, and security. The FBI's statements serve as a call to action for businesses, governments, and institutions to prioritize robust cybersecurity practices and AI ethics.
FROM THE MEDIA: The FBI is growing more concerned about foreign adversaries exploiting artificial intelligence (AI) in malicious activities, such as influence campaigns. Two primary risks have been identified: "model misalignment," which refers to skewing AI software towards harmful results, and the direct "misuse of AI" in various operations. The FBI official noted that foreign actors are increasingly targeting US entities, including companies, universities, and research facilities, for AI advancements like algorithms, data expertise, and computing infrastructure. There is a particular interest in the talent pool in the AI sector.
READ THE STORY: The Record
Hackers Abusing Windows Search Feature to Install Remote Access Trojans
Analyst Comments: This new attack technique showcases the creativity and persistence of threat actors in exploiting even legitimate system features to launch their attacks. As these malicious campaigns become more sophisticated, it is increasingly important for businesses and individuals to maintain robust cybersecurity practices. These should include ongoing education about the latest threats, careful scrutiny of unsolicited emails and unexpected attachments, and keeping system software up-to-date. Security teams should take note of these new attack vectors and update their defense mechanisms accordingly.
FROM THE MEDIA: Security firm Trellix has reported that a legitimate Windows search feature is being exploited by unknown actors to download harmful payloads from remote servers and infect targeted systems with remote access trojans (RATs) such as AsyncRAT and Remcos RAT. The attack takes advantage of the "search-ms:" URI protocol handler, allowing applications and HTML links to initiate local searches on a device, and the "search:" application protocol, a mechanism for initiating the desktop search application on Windows. The attackers trick users into visiting websites that exploit the 'search-ms' functionality using JavaScript hosted on the page. Victims clicking on a decoy PDF, prompted by a deceptive email, may trigger the execution of a malicious dynamic-link library (DLL) using the regsvr32.exe utility. In a different variant, the files trigger PowerShell scripts to download additional harmful payloads, while displaying a decoy PDF to deceive victims.
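The campaign above leaves two observable signals: web content that invokes the "search-ms:" or "search:" protocol handlers, and regsvr32.exe being used to load a DLL from somewhere a legitimately registered DLL would not live. The Python below is an added detection example, not Trellix's code or any published rule; it runs both checks over a handful of constructed proxy and process-creation lines. The parameter names in the sample URI (query=, displayname=) follow the documented search-ms query syntax, the log-line formats are invented for the example, and the "trusted" directory list is an assumption a team would tune to its own environment.

```python
"""Detect search-ms:/search: lure URIs and regsvr32 loading from untrusted paths.

Added example. Sample events below are constructed, not real telemetry.
"""
import re
from urllib.parse import unquote

# Matches a search-ms: or search: URI up to whitespace, quotes or angle brackets.
SEARCH_URI = re.compile(r"\b(search-ms|search):([^\s\"'<>]*)", re.IGNORECASE)
# Captures the arguments handed to regsvr32 wherever it appears in a command line.
REGSVR32 = re.compile(r"regsvr32(?:\.exe)?\s+(.+)", re.IGNORECASE)
# Assumption: DLLs registered from these trees are expected; anything else is not.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample events: two proxy lines, two process-creation lines.
SAMPLE_EVENTS = [
    "proxy GET https://example.invalid/view.html body=\"window.location.href='search-ms:query=report&displayname=Downloads'\"",
    "proxy GET https://example.invalid/style.css",
    "ProcessCreate: C:\\Windows\\System32\\regsvr32.exe /s C:\\Users\\user\\AppData\\Local\\Temp\\report.dll",
    "ProcessCreate: C:\\Windows\\System32\\regsvr32.exe /s C:\\Windows\\System32\\oleaut32.dll",
]


def find_search_uris(text):
    """Return each search-ms:/search: URI found in text with its decoded parameters,
    so an analyst can see what the page asked Windows Search to do."""
    findings = []
    for m in SEARCH_URI.finditer(text):
        scheme, query = m.group(1).lower(), unquote(m.group(2))
        params = {}
        for part in query.split("&"):
            if not part:
                continue
            key, _, value = part.partition("=")
            params[key.lower()] = value
        findings.append({"scheme": scheme, "params": params})
    return findings


def suspicious_regsvr32(cmdline):
    """True when regsvr32 is given a UNC path, a URL, or a file outside TRUSTED_DIRS.

    Limitation: paths containing spaces are split on whitespace and will be
    examined token by token.
    """
    m = REGSVR32.search(cmdline)
    if not m:
        return False
    args = m.group(1).strip()
    # Drop switches such as /s, /i, /n and inspect the remaining path tokens.
    paths = [a for a in re.split(r"\s+", args) if not a.startswith("/")]
    for p in paths:
        low = p.strip('"').lower()
        if low.startswith("\\\\") or low.startswith(("http://", "https://")):
            return True
        if not low.startswith(TRUSTED_DIRS):
            return True
    return False


def scan(events):
    """Run both detectors over a list of event lines; return (index, rule, detail)."""
    alerts = []
    for i, line in enumerate(events):
        for f in find_search_uris(line):
            alerts.append((i, "search-uri", f["scheme"]))
        if suspicious_regsvr32(line):
            alerts.append((i, "regsvr32-untrusted-path", line.split()[-1]))
    return alerts


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({detail})")
```

The regsvr32 check intentionally alerts on any DLL outside the Windows and Program Files trees rather than only on network paths, since the article describes the DLL being fetched from a remote server before execution; a team that registers DLLs from other locations would add those to TRUSTED_DIRS.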
READ THE STORY: THN
CherryBlos Malware Uses OCR to Pluck Android Users' Cryptocurrency
Analyst Comments: The discovery of the CherryBlos and FakeTrade campaigns highlights the growing trend of cybercriminals targeting mobile users, especially in the context of the burgeoning popularity of cryptocurrencies. The advanced techniques used by these campaigns, such as software packing, obfuscation, and abusing Android's Accessibility Service, show a high level of sophistication. This increases the potential for successful attacks and also makes detection and mitigation more challenging. It is crucial for Android users to be vigilant about the apps they download and to be wary of too-good-to-be-true offers.
FROM THE MEDIA: Security researchers from Trend Micro have warned of two related malware campaigns, known as CherryBlos and FakeTrade, that are targeting Android users worldwide for cryptocurrency theft and other financial scams. The operators of these campaigns distribute the malware via fake Android apps on Google Play, social media platforms, and phishing sites. A unique feature of CherryBlos is its ability to use optical character recognition (OCR) to read any mnemonic phrases present in pictures on a compromised device and to transmit that data to its command-and-control server (C2). These mnemonic phrases are typically used to recover or restore a crypto wallet. CherryBlos malware is designed to steal cryptocurrency wallet-related credentials and to replace a victim's wallet address when they make withdrawals. The FakeTrade campaign uses similar tactics, with at least 31 fake Android apps used to distribute the malware.
READ THE STORY: DARKReading
Wagner Group Operations In Belarus: 'Welcome to Hell'
Analyst Comments: The redeployment of the Wagner Group to Belarus can potentially destabilize the region and exacerbate existing tensions. The group is infamous for its alleged involvement in various conflicts, often acting on behalf of Russian interests. Its training of the Belarusian army and internal security forces could enhance Belarus' military capabilities, which may be a cause for concern for neighboring countries, particularly those in the EU and NATO, such as Poland. Furthermore, the presence of the Wagner Group near the Polish border may also contribute to escalating tensions between Belarus and Poland, as well as the EU and NATO more broadly.
FROM THE MEDIA: The Wagner Group, a Russian private military company (PMC), has redeployed to Belarus and is currently training troops near the Polish border. This follows a mutiny within the company which led to it moving out of Russia. The group is also reportedly training Belarusian internal security forces. The Belarusian government seems to view the presence of the Wagner Group as a potential asset for state defense. The move to Belarus was orchestrated by Wagner Group head Yevgeny Prigozhin, who had a phone conversation with Belarusian President Alexander Lukashenko.
READ THE STORY: MEMRI
Apple Sets New Rules for Developers to Prevent Fingerprinting and Data Misuse
Analyst Comments: This move from Apple is consistent with the company's longstanding emphasis on user privacy. By asking developers to justify their use of certain APIs, Apple is tightening its privacy protocols and reducing opportunities for potential abuse of user data. This can be seen as a significant step in improving the trust between users and app developers, reinforcing Apple's image as a pro-privacy tech company.
FROM THE MEDIA: Apple has declared that developers will need to submit reasons for using certain APIs in their apps, starting with the release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10 later this year. The move is aimed at preventing the abuse of these APIs for data collection. Apple's focus is on APIs related to file timestamps, system boot time, disk space, active keyboard, and user defaults. The policy enforcement, which commences in Fall 2023, will require developers to state the reasons for using these "required reason APIs" in their app's privacy manifest when submitting new apps or updates. Any apps that do not comply by Spring 2024 will be rejected. Apple underlined that fingerprinting, the practice of collecting device signals to uniquely identify users for purposes like targeted advertising, is not allowed.
READ THE STORY: THN
Items of interest
China’s New Strategy In Cuba
Analyst Comments: The increasing use of Cuba by China as a base for intelligence-gathering activities represents a significant shift in the global balance of power, raising concerns about the potential threats to US national security. These developments underscore the necessity for a robust response from the international community to counter the growing Chinese influence in the region. Additionally, Spacemap's technology offers a promising solution for mitigating the risks associated with the rise in space debris and congestion due to the increasing number of satellites in orbit.
FROM THE MEDIA: Since 2019, China has been operating military and intelligence facilities in Cuba to enhance its intelligence-gathering capabilities worldwide, according to US intelligence officials. The European Space Agency has reported a steady increase in the number of satellites in space and the resulting space debris, which poses a growing threat to safe space travel. A South Korean startup called Spacemap is developing a software platform that can predict satellite orbits and space debris movements to prevent potential collisions and improve mission safety and efficiency. The software utilizes Voronoi diagrams, a tessellation pattern that subdivides a plane based on several points scattered across it, to determine the number of points surrounding a specific location and calculate the distances between them.
READ THE STORY: EurasiaReview
China’s Spy Base in Cuba (Video)
FROM THE MEDIA: The implications of China's spy station less than 100 miles off the coast of the US, which may be expanded into a military training facility, and the broader issue of China's growing economic influence in Cuba and Latin America.
China’s global ambitions: Can the West keep up? (Video)
FROM THE MEDIA: China has been attempting to win friends while maintaining its stance on these matters. There have been visits between China and various Western countries, including the US, Germany, and India, which indicate attempts at diplomacy and managing relations amid strategic disputes. The West is trying to address the rise of China and its increasing influence on the global stage. Germany, in particular, has a complex relationship with China due to its economic reliance on the Chinese market.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.