Daily Drop (559): U.S. Infrastructure, Iranian Company Cloudzy, AMD: Will Still Sell to China, Industrial Control Systems Vulnerabilities Soar, Drone attacks: AI and Russian threats, BlueCharlie Alter
08-03-23
Thursday, Aug 03, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Cyber, nuclear strikes target U.S. infrastructure
Analyst Comments: The UK's shift towards a more transparent risk assessment reflects a commitment to better preparedness and public awareness. While the threats themselves are not novel, their public acknowledgment allows for more robust planning, public involvement, and international collaboration. The U.S. and UK's explicit warnings regarding escalating cyber threats signify the beginning of an era where cyber warfare becomes an integral part of national security strategy. This highlights the urgent need for nations to improve cyber defense mechanisms and foster international cooperation to mitigate these evolving threats. China's expansive investment in ports and hypersonic technology is a strong indicator of its long-term strategic planning for extending its influence globally. The growing presence of China in commercial ports, coupled with its military advancements, calls for vigilance and a reassessment of the military implications of China's economic pursuits.
FROM THE MEDIA: The UK's National Risk Register has identified 89 different threats, including novel concerns such as the misuse of AI, drone attacks, and potential disruption of energy supplies, particularly from Russia. The register now includes new risks like undersea cable vulnerability, categorizing artificial intelligence as a "chronic threat." In the U.S., Lt. Gen. Gregory M. Guillot, the nominated commander of the U.S. Northern Command, has issued a stern warning about cyber threats to critical American infrastructure. He has pointed to the capabilities of Russia and China to launch both cyberattacks and missile strikes against the U.S. Specific concerns include Russia's KH-101 cruise missile, the potential effects of high-altitude nuclear detonations (EMP), China's hypersonic missile tests, and malicious software potentially hidden in the U.S. power grids.
READ THE STORY: Washington Times
Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
Analyst Comments: The revelation of Cloudzy's involvement in the cybercrime ecosystem emphasizes the intricate nature of modern cyber threats. With ransomware-as-a-service (RaaS) models becoming increasingly sophisticated, the emergence of C2P providers like Cloudzy indicates a new layer of complexity. The situation highlights the challenges faced by authorities in cracking down on illegal activities facilitated by seemingly legitimate businesses. Cloudzy's case brings attention to the importance of continuous monitoring, international cooperation, and legal enforcement. It also sheds light on the ease with which malicious actors can exploit legal loopholes and anonymous payment systems to carry out their operations.
FROM THE MEDIA: The Texas-based cybersecurity firm Halcyon has identified an Iranian company called Cloudzy as a key command-and-control provider (C2P) serving various threat actors, including cybercrime groups and nation-state entities. Despite being incorporated in the U.S., Cloudzy likely operates from Tehran, possibly in violation of U.S. sanctions. By offering Remote Desktop Protocol (RDP) virtual private servers and anonymized services, Cloudzy enables ransomware affiliates to conduct cybercriminal activities. Actors leveraging Cloudzy's services include state-sponsored entities from several countries and notorious cybercrime entities.
READ THE STORY: THN
AMD says it'll jump through Uncle Sam's hoops to sell AI chips to China
Analyst Comments: AMD's decision to follow Nvidia and Intel in developing an export-compliant processor for China underlines the country's importance as a market for AI technology. While the move may align with current US export controls, it also reflects the complicated and dynamic nature of international trade regulations. The situation highlights the precarious balance that tech companies must maintain between compliance with national laws and a desire to access vital markets. The calls for even stricter regulations by some US officials also point to ongoing tension within the government and could signal future challenges for the industry.
FROM THE MEDIA: AMD is developing an export-compliant processor for sale in China, following similar moves by Nvidia and Intel. AMD's CEO Lisa Su announced plans to design a product for the Chinese AI solutions market, emphasizing the importance of compliance with US export controls. This comes after the US placed restrictions last year on the sale of AI accelerators in China, limiting the interconnect bandwidth to no more than 600GB/sec. Nvidia and Intel have already launched nerfed versions of their silicon for the Chinese market to comply with these regulations. Additionally, there are debates within the US government on whether to enact even stricter restrictions on AI accelerator sales.
READ THE STORY: The Register
Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023
Analyst Comments: The data showing a significant increase in unpatched security vulnerabilities in industrial control systems (ICSs) paints a concerning picture of the current state of cybersecurity in critical industries. The rise in unpatched flaws, including Critical severity vulnerabilities in products that have reached end-of-life, poses an immediate threat that requires a concerted effort by vendors, regulatory bodies, and end-users. Key vendors like Mitsubishi Electric, Siemens, and Rockwell Automation being most affected underscores the importance of vendor responsibility in maintaining and patching their products. The unique nature of each operational technology (OT) environment means that a tailored approach to security is necessary, rather than a one-size-fits-all solution.
FROM THE MEDIA: According to data compiled by SynSaber, approximately 34% of security vulnerabilities impacting industrial control systems (ICSs) reported in the first half of 2023 have no patch or remedy. This marks a significant rise from 13% in the previous year. A total of 670 ICS product flaws were reported through the U.S. Cybersecurity and Infrastructure Security Agency (CISA): 88 Critical, 349 High, 215 Medium, and 18 Low severity CVEs. Certain vendors like Mitsubishi Electric, Siemens, and Rockwell Automation were most impacted in specific sectors. The report also highlights the issue of "Forever-Day" vulnerabilities and emphasizes the importance of understanding vulnerabilities in the specific context of individual operational technology (OT) environments.
READ THE STORY: THN
Drone attacks, AI, and Russian threats to energy are among the main risks to the UK
Analyst Comments: The inclusion of AI and drone attacks in the UK's risk register indicates the growing awareness of emerging technological threats alongside traditional geopolitical concerns. The identification of AI as a chronic threat emphasizes the increasing recognition of its potential dual-use nature, where technological advancements can both drive economic growth and contribute to disinformation campaigns. This acknowledgment could prompt further regulatory scrutiny or initiatives to ensure responsible AI development. The broader openness in detailing these threats also aligns with the government's shifting stance towards transparency, aiming to improve national resilience.
FROM THE MEDIA: The UK government has identified artificial intelligence, drone attacks on critical infrastructure, and potential disruption to energy supplies by Russia as among the main threats to the country in its national risk register. The register, published by the Cabinet Office, includes 89 threats, several of which were publicly acknowledged for the first time. It listed AI as a distinct “chronic threat” for the first time, noting its potential to increase mis- and disinformation and reduce economic competitiveness if mishandled. The register also assessed risks from climate change, antimicrobial resistance, and organized crime, and grouped acute threats into nine themes, including terrorism, cyber, and state threats.
READ THE STORY: FT
Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures
Analyst Comments: The identification of BlueCharlie's revamped infrastructure emphasizes the group's agility and determination to evade detection and disruption. Their response to public exposure demonstrates a strategic and sophisticated approach, including the use of common attack techniques while also evolving their tactics. Despite employing relatively ordinary methods like phishing, the group's adaptability and alignment with specific services make them a significant threat.
FROM THE MEDIA: A cybersecurity firm, Recorded Future, has linked 94 new domains to a Russia-nexus adversary known as BlueCharlie, suggesting the group is actively modifying its infrastructure following public disclosures about its activities. BlueCharlie is believed to be affiliated with Russia's Federal Security Service (FSB) and has been involved in phishing campaigns aimed at credential theft. The group's targets include private companies, nuclear research labs, and NGOs involved in Ukraine's crisis relief. The new domains signify a shift in infrastructure and an increased level of sophistication, featuring names related to information technology and cryptocurrency.
READ THE STORY: THN
US House panel opens probe into suspected Chinese hacking of Commerce, State emails
Analyst Comments: The initiation of this investigation indicates a further escalation in the complex relationship between the U.S. and China. Cybersecurity remains a vital concern for both nations, and this incident underscores the increasing sophistication of cyber threats. The fact that the U.S. is proceeding with the investigation, despite China's warnings against speculations, demonstrates a strong stance on cybersecurity. The willingness of U.S. officials to continue diplomatic engagements with China, as seen in Raimondo's planned visit, hints at a nuanced approach that seeks to balance holding China accountable while maintaining channels of communication and collaboration.
FROM THE MEDIA: The U.S. House of Representatives Oversight Committee announced on Wednesday that it will initiate an investigation into China's suspected involvement in recent email breaches at the Commerce and State departments. Representative James Comer, the committee chair, along with the heads of two subcommittees, has requested briefings from Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken by August 9. The breaches affected senior U.S. officials, including Raimondo, with hackers displaying new levels of skill and sophistication. Microsoft has identified the group responsible as being based in China. Tensions between Beijing and Washington have been high, and the breach has added to the strain over issues including trade and Taiwan. The full extent of the breach remains unclear, but it is known to have affected at least two dozen other organizations and resulted in hundreds of thousands of stolen emails.
READ THE STORY: Reuters
"Mysterious Team Bangladesh" Targeting India with DDoS Attacks and Data Breaches
Analyst Comments: The rise of Mysterious Team Bangladesh highlights a resurgence in hacktivism globally, especially those driven by political and religious motives. This group's widespread attacks across different sectors and countries demonstrate a concerning level of coordination and skill. The group's brazen social media presence, with a declared intent, is an indication of their commitment to their cause, and their willingness to publicly attribute their activities. The ability to conduct large-scale DDoS attacks and defacements shows that the group is well-equipped and organized. Their apparent success in infiltrating systems indicates that many organizations may still have vulnerabilities that can be easily exploited, such as using outdated systems or poor password management. This calls for a greater emphasis on security hygiene, awareness, and proactive measures to protect against these types of politically motivated cyber attacks.
FROM THE MEDIA: Mysterious Team Bangladesh, a hacktivist group, has been connected to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022. The group primarily targets logistics, government, and financial sector organizations in India and Israel, motivated by religious and political concerns. They have also targeted other countries, including Australia, Senegal, the Netherlands, Sweden, and Ethiopia. They have accessed web servers and administrative panels, possibly by exploiting known vulnerabilities or poorly-secured passwords. The group has an active social media presence, expressing support for Palestine and attacking the Israeli government's actions.
READ THE STORY: THN
Cybersecurity Firm Uncovers New Mac Security Threat on Russian Dark Web
READ THE STORY: Cryptopolitan
Pro-Russian hackers claim attacks on Italian banks
Analyst Comments: The actions of NoName057(16) provide another example of how geopolitically-motivated cyberattacks are being leveraged to further political agendas, particularly in alignment with Russian interests. By targeting Italy and other nations vocal against Russia or in support of Ukraine, the group demonstrates a willingness to respond to political stances with cyber aggression. While the attacks have been described as causing "short-lived disruption with little to no wider consequence," they should not be underestimated. The ability to disrupt essential services, including banking and public transportation, has real-world implications, even if temporary. Such attacks can erode public trust and create a perception of vulnerability.
FROM THE MEDIA: The pro-Russian hacking group, NoName057(16), has claimed responsibility for a series of distributed denial-of-service (DDoS) attacks on Italian banks, businesses, and government agencies. The cyberattacks flooded websites with junk traffic, rendering them inoperable. Targets included Intesa Sanpaolo, Italy's largest bank, an Italian water supply company, a national business newspaper, and a public transport website. The group previously attacked Poland's tax service website and Czech presidential election candidates. It operates mainly through Telegram and uses a toolkit called DDoSia for its DDoS attacks.
READ THE STORY: The Record
Russian military hackers sent phishing lures masquerading as Microsoft Teams chats
Analyst Comments: The latest phishing campaign by Russian military hackers, Midnight Blizzard, targeting Microsoft Teams chats reveals an escalating sophistication in cyber espionage by state-backed actors. The highly targeted nature of this operation, focusing on specific sectors like government and NGOs, underscores both Russia's strategic intelligence goals and the ongoing challenges in securing complex digital environments against advanced adversaries. The ability to bypass multifactor authentication (MFA) through social engineering demonstrates a deep understanding of technology and human behavior. This incident also presents a reputational challenge for Microsoft, marking the second recent case of state-backed exploitation of their systems. Organizations must respond by embracing a multifaceted approach to cybersecurity that blends technological defenses with human-centric training, continuous threat monitoring, and a recognition of the continual cyber threat posed by state actors.
FROM THE MEDIA: Microsoft has revealed that Russian military hackers, known as Midnight Blizzard (also called NOBELIUM, Cozy Bear, or APT29), have utilized Microsoft Teams chats as phishing lures in targeted social engineering attacks. Since May, the hackers have been compromising Microsoft 365 accounts owned by small businesses to create domains that mimic technical support sites. Through these domains, the hackers send lures via Teams messages in attempts to steal credentials from targeted organizations by eliciting multifactor authentication (MFA) prompts. The campaign has affected fewer than 40 global organizations, primarily targeting government, NGOs, IT services, technology, discrete manufacturing, and media sectors. Microsoft has stopped the use of compromised domains but continues to investigate the incident.
READ THE STORY: The Record
Marine industry giant Brunswick Corporation lost $85 million in cyberattack, CEO confirms
Analyst Comments: The incident at Brunswick Corporation underscores the urgent need for strong cybersecurity measures within the manufacturing sector. With immediate financial losses, operational disruptions, and long-term effects on production schedules, the attack illustrates how vulnerable manufacturing companies can be to sophisticated cyber threats. The impact on different segments of the company, including newly acquired entities like Navico, shows the interconnected risks within large corporations.
FROM THE MEDIA: Brunswick Corporation, a billion-dollar boating manufacturing firm operating in 24 countries, faced a devastating cyberattack on June 13 that significantly affected its systems and facilities. While the specific nature of the attack was not confirmed, it caused the company to halt operations in some locations. The CEO, Dave Foulkes, informed investors and board members that the attack had a severe impact on the company's Q2 financial outlook, costing as much as $85 million. The attack particularly affected Navico, a marine electronics company acquired by Brunswick in 2021. This cyber incident aligns with a larger trend of ransomware attacks targeting manufacturing companies.
READ THE STORY: The Record
Bug in Minecraft mods allows hackers to exploit players' devices
Analyst Comments: The discovery of the BleedingPipe vulnerability is concerning, particularly considering Minecraft's vast player base and popularity. The exploit's ability to execute remote code on users' devices represents a significant threat to players' personal information and privacy. The incident highlights the inherent risks in using mods and underscores the need for players, developers, and modding platforms to take cybersecurity seriously. Ensuring that mods are downloaded from official channels and that security patches are applied promptly can help mitigate the risks. The swift response by the Minecraft security community in identifying and patching the vulnerability shows an encouraging commitment to player safety, but the ongoing threat calls for continuous vigilance and cooperation among developers, platforms, and players.
FROM THE MEDIA: A critical vulnerability known as BleedingPipe has been discovered in Minecraft mods, allowing hackers to run malicious commands on the game's servers and compromise clients' devices. The flaw affects popular mods running on the modding platform Forge and can lead to full remote code execution on gamers' devices. Minecraft, owned by Microsoft, is the best-selling video game in history. The flaw has already been exploited by hackers, affecting over three dozen Minecraft mods. The Minecraft security community (MMPA) has advised players to download the latest release of impacted mods from official channels to protect their devices.
READ THE STORY: The Record
Items of interest
'DarkBERT' GPT-Based Malware Trains Up on the Entire Dark Web
Analyst Comments: The rapid progression from WormGPT to FraudGPT, and now the development of DarkBART and DarkBERT, highlights a significant escalation in the potential influence of malicious AI in cybersecurity. The capability to leverage vast amounts of information from the Dark Web and integrate visual components like Google Lens adds a new layer of complexity to potential attacks. As these tools become more accessible and integrated, it will undoubtedly increase the sophistication of cyberattacks, necessitating a multi-pronged, proactive approach by organizations. Enterprises must update their cybersecurity strategies, provide specific training, and implement robust verification measures to defend against these emerging, AI-driven cyber threats.
FROM THE MEDIA: The developer known as "CanadianKingpin12" on hacker forums, responsible for the FraudGPT malicious chatbot, is developing more advanced AI-based adversarial tools, DarkBART and DarkBERT. These tools aim to arm cybercriminals with more potent capabilities that enable them to conduct sophisticated phishing campaigns, find and exploit vulnerabilities, and even integrate with Google Lens to send text and images. There is also an indication that these tools could soon offer API access, allowing more seamless integration into the cybercriminals' workflows and lowering barriers for newcomers to cybercrime.
READ THE STORY: DarkReading
The Voynich Manuscript (Video)
FROM THE MEDIA: In this video, we explore the unsolved enigma that is the Voynich Manuscript, and its often equally bizarre history.
The Voynich Manuscript Owners - Deep Dive (Video)
FROM THE MEDIA: In this inaugural episode, I ramble on about a few points left over from the Voynich manuscript video, then go into full deep dive mode on its strange cast of owners.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.