Daily Drop (564): DPRK: RU Missile Firm, US MIL: China Malware, New Malware Campaign, Vietnamese hacker targets Chinese, Bulgarian organizations, Big Mac Attack, China: Japanese Mil
08-08-23
Tuesday, Aug 08, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
North Korean Hackers Target Russian Missile Engineering Firm, Ransomware: Zero-Days, MerlinAgent
Analyst Comments: The simultaneous targeting by both ScarCruft and the Lazarus Group is unusual and indicates the high value of the information held by NPO Mashinostroyeniya. The OpenCarrot implant's extensive capabilities suggest a desire for deep access to the target's systems. While the exact intrusion methods remain unclear, ScarCruft's known tactics and similarities to the JumpCloud hack provide potential clues. The incident highlights North Korea's proactive measures to covertly advance its missile development objectives, even targeting entities in countries with which it has diplomatic relations.
FROM THE MEDIA: NPO Mashinostroyeniya, a prominent Russian missile engineering company, experienced a cyber intrusion attributed to two North Korean nation-state actors: ScarCruft (aka APT37) and the Lazarus Group. Cybersecurity firm SentinelOne identified the breaches, which included an email server compromise and the deployment of a Windows backdoor named OpenCarrot. Both threat groups are affiliated with North Korea but operate under different intelligence bureaus. The intrusion suggests a significant strategic espionage mission aimed at benefiting North Korea's missile program.
READ THE STORY: THN
U.S. Military Systems Infected by Chinese Malware: How Deep Does It Run
Analyst Comments: The discovery of this malware in critical military infrastructure is alarming and underscores the evolving nature of cyber threats. The potential for such malware to disrupt military operations during a crisis adds a new dimension to cyber warfare. While cyber espionage is not new, the planting of "kill switches" that can cripple systems is a significant escalation. The U.S. will need to bolster its cybersecurity defenses, not just to detect and remove such threats but to prevent future intrusions. Collaboration with private tech companies, like Microsoft, will be crucial in these efforts. Pre-positioning malware in this way is also known as prepping the battlefield.
FROM THE MEDIA: Chinese malware has been discovered in the networks controlling the critical infrastructure of U.S. military bases, posing a potential "ticking time bomb" that could cripple military systems in the event of a conflict between the U.S. and China. This revelation was reported by The New York Times, citing anonymous officials from the Biden administration. The malware is believed to be primarily aimed at overseas military bases, especially those that would be crucial in a conflict over Taiwan. However, the threat extends beyond military bases, as the malware could disrupt utilities in civilian areas of the U.S. mainland. The malware campaign has been active since at least mid-2021, with traces found both overseas and stateside.
READ THE STORY: CPO MAG
Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits
Analyst Comments: The evolving tactics of ransomware groups present a growing threat to organizations worldwide. The shift from phishing to exploiting vulnerabilities, especially zero-day vulnerabilities, indicates a more sophisticated approach by attackers. The pivot from encryption to data exfiltration and extortion underscores the importance of robust cybersecurity measures beyond just data backup. The fact that most victims are small to midsize businesses suggests that these entities may lack the resources or awareness to defend against such threats effectively. The high likelihood of a second attack after an initial breach indicates that ransomware groups are capitalizing on known vulnerabilities within organizations.
FROM THE MEDIA: Ransomware attacks on organizations increased by 143% between Q1 2022 and Q1 of the following year. Attackers have shifted their focus from encrypting data to stealing sensitive data and extorting victims with threats of selling or leaking the data, a change in tactics that has rendered robust backup and restoration processes less effective. Akamai's research indicates a shift in initial access vectors from phishing to vulnerability exploitation, with ransomware groups increasingly leveraging zero-day vulnerabilities. Cl0P, a ransomware group, notably exploited zero-day vulnerabilities to infiltrate high-profile companies. Other groups, like LockBit and ALPHV, exploited newly disclosed vulnerabilities before patches were applied. Most victims were small to midsize businesses, and manufacturing companies were the most targeted.
READ THE STORY: DARKReading
Ukrainian state agencies targeted with open-source malware MerlinAgent
Analyst Comments: The use of open-source tools like MerlinAgent in cyberattacks underscores the dual-use nature of many cybersecurity tools. While they can be beneficial for research and ethical hacking, they can also be weaponized for malicious purposes. The phishing campaign's success highlights the importance of continuous cybersecurity training and awareness, especially for government agencies and other high-profile targets. Given the tense geopolitical situation between Ukraine and Russia, it's likely that cyberattacks will persist, with both nations using a mix of sophisticated and basic techniques.
FROM THE MEDIA: Ukrainian government agencies were targeted by hackers in a phishing campaign that utilized an open-source program named MerlinAgent. The threat actor, identified as UAC-0154, sent deceptive emails in early August, masquerading as security advice from Ukraine's computer emergency response team (CERT-UA). These emails carried malicious attachments that, once opened, infected the recipient's computer with the MerlinAgent tool. This tool granted the attackers remote access capabilities, allowing them to execute commands and manage files on the victim's system. CERT-UA had previously identified the use of MerlinAgent in attacks against Ukrainian government agencies in July. The tool, developed by Russel Van Tuyl as a learning project in the Golang programming language, is available on GitHub and was intended solely for research and authorized testing.
READ THE STORY: The Record
New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs
Analyst Comments: The campaign's strategy of targeting budding cybercriminals is indicative of the evolving threat landscape, where even malicious actors are not safe from their peers. The use of OpenBullet configurations as an infection vector is innovative and highlights the risks associated with the trading and use of such tools in criminal communities. The focus on cryptocurrency theft and the use of Telegram as a C2 mechanism align with current cybercrime trends. Organizations and individuals should be wary of downloading configurations or tools from unverified sources, even within trusted networks.
FROM THE MEDIA: A new malware campaign has been detected that uses malicious OpenBullet configuration files to target novice cybercriminals with the aim of deploying a remote access trojan (RAT) for data theft. OpenBullet, an open-source pen testing tool, is typically used for automating credential stuffing attacks. Kasada, a bot mitigation company, identified this campaign as a tactic by advanced threat actors to exploit less experienced hackers. The malicious configurations are shared via a Telegram channel, which then directs users to a GitHub repository to download a Rust-based dropper named Ocean. This dropper subsequently fetches a Python-based malware called Patent, which acts as a RAT. This RAT uses Telegram for command-and-control, can capture screenshots, list directories, terminate tasks, and steal sensitive data, including crypto wallet information. The malware also alters clipboard contents to redirect cryptocurrency transfers to the attacker's wallet. Over the past two months, the attackers have laundered approximately $1,703.15 using an anonymous crypto exchange named Fixed Float.
READ THE STORY: THN
Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware
Analyst Comments: The resurgence of the Yashma ransomware, with its new tactics, highlights the evolving nature of cyber threats. The use of a GitHub repository to fetch the ransom note showcases the adaptability of threat actors in bypassing security measures. The overlap with Vietnam's time zone and the attacker's potential Vietnamese origin suggest a regional focus, but the inclusion of an English ransom note indicates broader ambitions. The mimicry of WannaCry's ransom note might be an attempt to instill greater fear in victims, given WannaCry's notorious reputation. The rise in ransomware variants, as noted by FortiGuard Labs and Recorded Future, underscores the need for organizations to maintain up-to-date security measures and stay informed about the latest threat intelligence.
FROM THE MEDIA: A new variant of the Yashma ransomware is targeting organizations in China, Vietnam, Bulgaria, and several English-speaking countries. Cisco Talos researchers identified a previously unknown threat actor, believed to be from Vietnam, responsible for these attacks that began around June 4. The Yashma ransomware, which had become largely inactive after a decryptor was released, appears to have been revived. The attacker's ransom note resembles that of the infamous WannaCry ransomware from 2017, and it is available in multiple languages: English, Bulgarian, Vietnamese, and Chinese. The ransom doubles if not paid within three days, and the attackers provide a Gmail address for communication. Interestingly, no specific ransom amount is mentioned, and the Bitcoin account in the note has no funds, suggesting the operation might still be in its early stages. This new Yashma variant retains most of its original features but now fetches the ransom note from a GitHub repository controlled by the threat actor, a tactic that helps evade detection.
READ THE STORY: The Record
Apple Users See Big Mac Attack, Says Accenture
Analyst Comments: The rising interest in targeting Macs underscores the need for organizations to reevaluate their security postures for all devices, not just those running Windows. The misconception that Macs are inherently more secure can lead to complacency, making them attractive targets for cybercriminals. As Macs continue to gain traction in the enterprise, it's crucial for organizations to apply the same rigorous security measures to them as they do to other devices. This includes regular patching, security awareness training, and the deployment of advanced threat detection tools.
FROM THE MEDIA: Apple Mac computers are witnessing a surge in targeting by Dark Web threat actors. Accenture's threat intelligence unit reported a tenfold increase in such actors focusing on Macs since 2019, with a significant rise in the past 18 months. Historically, threat actors have primarily targeted Windows and Linux devices, but a growing Dark Web community of skilled attackers is now focusing on Macs. The shift is attributed to the continuous innovation of threat actors, the economic incentive of targeting Macs, and the perception that Macs in enterprises are more vulnerable due to less stringent security policies compared to Windows devices. Notably, Macs are becoming more prevalent in the enterprise, with their market share growing to 8.6% in Q2 2023, up from 6.8% the previous year. This growth has led to an increase in macOS-specific malware, including info stealers, remote access Trojans, loaders, and zero-days. The misconception that Macs are immune to viruses may be contributing to their increased targeting.
READ THE STORY: DARKReading
A 2020 hack of the Japanese military was tied to cyberspies from China's People's Liberation Army
Analyst Comments: The reported cyberattacks signify a strategic shift in China's cyber operations, moving from mere espionage to potential disruption. The targeting of Japan, a key US ally in East Asia, underscores China's broader geopolitical objectives and its willingness to exploit cyber vulnerabilities to achieve them. The sustained and deep access to Japanese military networks is particularly concerning, given the strategic importance of Japan in the East Asian security landscape. The revelations emphasize the need for nations to prioritize cybersecurity, not only for their defense sectors but across all critical infrastructure.
FROM THE MEDIA: China's cyber-espionage activities have expanded beyond the previously known malware attacks on US military systems. The Washington Post revealed a significant hack in 2020 by China's People's Liberation Army (PLA) into Japanese military networks. This breach provided Chinese cyber spies with insights into Japanese military strategies, capabilities, and vulnerabilities. The incident is described as one of the most detrimental in Japan's recent history, with Chinese intelligence having extensive access to Japanese systems until early 2021. This revelation, combined with earlier reports of China embedding malware in US military systems, indicates an intensified approach by the PLA in targeting international adversaries. Unlike previous cyberattacks that were primarily surveillance-oriented, recent attacks seem designed to disrupt US military and civilian operations.
READ THE STORY: Insider
Items of interest
China-Linked Cyber Siege Won’t Halt Rare Earths Plan
Analyst Comments: The ongoing social media campaign against Lynas highlights the strategic importance of rare earths and the geopolitical tensions surrounding their production and processing. China's dominance in this sector has long been a concern for many countries, given the critical role these minerals play in modern technology and defense. The U.S. investment in Lynas is a clear move to diversify its supply chain and reduce dependency on China. While the online campaigns aim to hinder Lynas's efforts, the company's confidence suggests that such tactics may have limited real-world impact. However, the campaign underscores the broader cyber and information warfare landscape, in which state-linked entities may employ a range of tactics to advance national interests.
FROM THE MEDIA: Lynas Rare Earths Ltd. has reported that a social media campaign, believed to be linked to pro-China groups, is targeting its efforts to establish a processing facility in Texas. These online attacks, which began last year, come from accounts purporting to be local activists concerned about the environmental consequences of the plant. However, cybersecurity firm Mandiant has identified these accounts as having a "pro-China agenda." The U.S. government has funded Lynas with $258 million to create a rare earths processing plant in Texas, aiming to reduce China's dominance in the production of essential minerals used in battery metals and semiconductors. Despite the online campaigns, Lynas CEO Amanda Lacaze believes they haven't swayed public opinion in Texas and remains confident in the U.S.'s ability to bring critical manufacturing industries back to its shores.
READ THE STORY: BNN
How China's Firewall Started (Video)
FROM THE MEDIA: It may seem obvious why the Chinese Communist Party would want a great firewall: the level of control it gives over the population is astronomical. But there was a particular group that it wanted to silence that created the incentive. In this just us episode of China Unscripted, we discuss Hong Kong's rule of law, China's disastrous one-child policy, and the culture of corruption that Jiang Zemin fostered.
Protests break through the Great Firewall of China (Video)
FROM THE MEDIA: Protesters in China are blaming zero-COVID policies for the deaths of 10 people in an apartment building in the city of Urumqi. Demonstrations erupted in dozens of cities around the country, including in Shanghai and the capital Beijing.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.