Daily Drop (567): Statc Stealer Malware, Intel chip: Leaking Data, Satellite hack on eve of Ukraine war, Co-founder of Yandex, Ukraine: closer than Five Eyes, APT31: Backdoor, SIM swapping: Crack down
Friday, Aug 11, 2023
Say hello to Downfall, another data-leaking security hole in several years of Intel chips
Analyst Comments: The discovery of these vulnerabilities underscores the ongoing challenges in ensuring hardware security, especially in the realm of speculative execution. The potential exploitation of these vulnerabilities, especially in shared cloud environments, is concerning. Intel's solution for Downfall may result in significant performance reductions, which could be detrimental for certain applications and workloads. Meanwhile, AMD's patch for Zenbleed appears to have a lesser impact on performance. Given the history of speculative execution attacks and the vast number of chips potentially affected, it's crucial for users and organizations to promptly apply patches and stay informed about mitigation strategies.
FROM THE MEDIA: Google researchers have identified two new security vulnerabilities in Intel and AMD processors, named "Downfall" and "Zenbleed" respectively. These vulnerabilities can potentially be exploited to extract sensitive data from a computer's memory. Downfall, found in Intel components, was addressed almost a year after its private disclosure. On the other hand, Zenbleed, discovered in AMD components, received a partial patch in July, a couple of months after its private reporting. Both vulnerabilities are reminiscent of the Spectre and Meltdown attacks from 2018, which leveraged speculative execution in CPUs to access restricted data.
READ THE STORY: The Register
Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault
Analyst Comments: The sophistication and timing of the Viasat attack underscore the evolving nature of cyber warfare and its integration into broader military strategies. The fact that the attackers had a deep understanding of Viasat's systems suggests a high level of preparation and possibly inside knowledge. The ongoing nature of the attacks indicates a persistent threat, not just a one-off event. The U.S. and its allies need to be vigilant and proactive in safeguarding critical infrastructure, especially as cyber operations become more integrated into geopolitical conflicts. The unexpected nature of the attack on a satellite internet provider also highlights the need for broadening threat assessment horizons.
FROM THE MEDIA: At the Black Hat cybersecurity conference, Viasat's executive disclosed that the cyberattack on satellite communications preceding the Ukraine war was more intricate than initially reported. The attackers, believed to be Russian, demonstrated deep system knowledge. Initially, it was known that malware wiped thousands of modems. However, a second, previously undisclosed component involved the attackers using a "highly technical knowledge" of Viasat's network to target specific terminals, preventing them from reconnecting. The U.S. and Ukrainian officials have attributed this to Russia. The attack disrupted Kyiv's military communications and European internet access. The U.S. responded with alerts and recommendations, emphasizing the need for enhanced space system cybersecurity.
READ THE STORY: Cyberscoop
Co-founder of Yandex – Russia's Google clone – denounces war on Ukraine
Analyst Comments: Arkady Volozh's denouncement of the invasion is significant given his prominent position as the co-founder of one of Russia's largest tech companies. His statement reflects the broader sentiment and concerns of many in the tech industry regarding the ongoing conflict and its implications. The potential for Moscow to access Yandex's data raises further concerns about user privacy and the influence of the Russian government on domestic tech companies. The situation underscores the challenges tech companies face in navigating political landscapes and maintaining user trust amidst geopolitical tensions.
FROM THE MEDIA: Arkady Volozh, the co-founder of Yandex, often referred to as Russia's version of Google, has publicly condemned Russia's invasion of Ukraine. In a statement, Volozh expressed his strong opposition to the "barbaric invasion" and voiced his horror at the ongoing bombings. While he acknowledged that there were reasons for his previous silence on the matter, he emphasized his anti-war stance. Volozh, who has not resided in Russia since 2014, stepped down from his CEO position at Yandex in June 2022, shortly after being added to a European Union (EU) entity list for allegedly supporting the Russian government. Since his departure from Yandex, Volozh has been assisting Russian engineer refugees in starting anew. There are concerns that Moscow might demand access to Yandex's data, especially as the Federal Security Service (FSB) is due to gain the power to access taxi data in September.
READ THE STORY: The Register
Biden fuels tech trade war with China, banning AI, chip, and quantum system investments
Analyst Comments: The escalating tech trade war between the US and China has significant implications for the global tech industry. By restricting investments in key sectors, the US is signaling its concerns over China's growing technological prowess and the potential national security threats it poses. The move is likely to strain US-China relations further and could lead to retaliatory measures from China. Additionally, the global tech supply chain, already under pressure from various factors, may face further disruptions. The cautious response from trade groups indicates the industry's concerns about the potential fallout from these restrictions.
FROM THE MEDIA: US President Joe Biden has intensified the technology trade war with China by issuing an executive order that restricts investments in several sectors, notably semiconductors and AI. This move follows previous restrictions on US chip-related exports to China and could further disrupt the global tech supply chain. The executive order, released on Wednesday, empowers the US Treasury to draft specific regulations after a 45-day consultation period. These regulations will affect semiconductors and microelectronics, quantum information technologies, and certain AI systems. Biden's intention is to prevent "foreign countries of concern" from leveraging US investments in these technologies for military and intelligence purposes that could jeopardize US national security. While the executive order does not explicitly name any country in its main text, China, including Hong Kong and Macau, is listed as a country of concern in an annex.
READ THE STORY: ComputerWorld
CISA boss says US alliance with Ukraine over past year is closer than Five Eyes
Analyst Comments: The strengthening of the cybersecurity relationship between the US and Ukraine is significant, especially given the ongoing geopolitical tensions and cyber threats that Ukraine faces from Russia. The collaboration serves as a testament to the importance of international cooperation in the realm of cybersecurity. The emphasis on election security also underscores the global concern about potential cyber threats to democratic processes.
FROM THE MEDIA: At the Black Hat conference, Jen Easterly, the head of the US government's Cybersecurity and Infrastructure Security Agency (CISA), highlighted the strong relationship between the US and Ukraine, especially in the realm of cybersecurity. This relationship has been fostered over the past year through a security information sharing agreement. Easterly emphasized that the collaboration between the two nations in the past year is probably the closest the US has worked with any foreign partner on an operational level.
The US and Ukraine signed a memorandum of understanding a year ago to share threat intelligence information to help counter online attacks against Ukraine. As a result, a significant amount of threat data and training, dating back to 2014, has been declassified and shared with Ukraine to help it combat IT intrusions and disruptions. Easterly mentioned that the US has learned as much from Ukraine about handling an active cyberwar as Ukraine has from the US.
READ THE STORY: The Register
US should crack down on SIM swapping following Lapsus$ attacks: DHS review
Analyst Comments: The Lapsus$ attacks underscore the pressing need for a comprehensive re-evaluation of current security practices, especially in the telecommunications sector. The fact that a group of teenagers could exploit systemic weaknesses to such a degree is alarming. SMS-based multifactor authentication, while convenient, has shown its vulnerabilities, and the recommendation to transition to passwordless solutions seems timely. The involvement of regulatory bodies like the FCC and FTC is crucial in ensuring that telecommunications providers are held accountable and that such vulnerabilities are addressed promptly.
FROM THE MEDIA: A recent review by the Department of Homeland Security (DHS) has highlighted the vulnerabilities in the telecommunications industry and in the security practices of various businesses, following a series of cyberattacks by teenage hackers in 2021 and 2022. The DHS's Cyber Safety Review Board, in a 59-page report, has urged the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to enhance their oversight of SIM swapping. The board also suggests that organizations should transition from SMS- and voice-based multifactor authentication to more secure passwordless solutions. The focus of the report was on the hacker group Lapsus$, which targeted major tech companies like Uber, Okta, and Samsung. The group, primarily composed of teenagers, exploited SMS-based multifactor authentication by performing fraudulent SIM swaps.
READ THE STORY: The Record
New Statc Stealer Malware Emerges: Your Sensitive Data at Risk
Analyst Comments: The emergence of the Statc Stealer malware underscores the evolving nature of cyber threats. Its broad range of stealing capabilities, combined with sophisticated anti-analysis features, makes it a significant threat to users. The fact that it targets multiple browsers and other applications like Telegram indicates a comprehensive approach to data theft. The deceptive infection mechanism, where it disguises itself as an MP4 file, highlights the importance of user awareness and caution when interacting with online content. The mention of Raccoon Stealer's resurgence is a reminder that even when cyber threats are seemingly neutralized, they can return in more advanced forms. Both individuals and organizations should remain vigilant, keep their software updated, and invest in robust cybersecurity measures.
FROM THE MEDIA: "The Hacker News" reported on a new malware strain named "Statc Stealer" that targets Microsoft Windows devices. This malware is designed to steal sensitive personal and payment data. It can extract information from various web browsers, cryptocurrency wallets, and messaging apps. The malware is written in C++ and often masquerades as an MP4 video file on browsers like Google Chrome. The infection process involves victims clicking on deceptive ads. Once inside the system, the malware deploys a downloader binary via a PowerShell script. It has advanced anti-analysis features, including checks to prevent sandbox detection and reverse engineering. The malware communicates with a command-and-control (C&C) server using HTTPS to send stolen data. The article also mentions an updated version of another malware, "Raccoon Stealer," which was halted after the arrest of its main developer but has now resurfaced with new features.
READ THE STORY: THN
Ukrainian official touts country’s wartime cyber intelligence efforts
Analyst Comments: The ongoing conflict between Ukraine and Russia has evolved into a sophisticated cyber warfare landscape. Ukraine's proactive approach in leveraging cyber intelligence showcases the modern battlefield's shift from traditional warfare to digital espionage and counterintelligence. The use of open-source intelligence and chatbots underscores the innovative methods countries are employing to gather real-time intelligence. The success of these methods, as highlighted by Vitiuk, indicates the potential of cyber intelligence in modern warfare. However, with Russia also employing cyber espionage tactics against Ukraine, it's evident that the digital battlefield is as contested as the physical one.
FROM THE MEDIA: In a recent conference in Kyiv, Illia Vitiuk, the head of cybersecurity at the Security Service of Ukraine (SBU), emphasized the pivotal role of cyber intelligence in understanding and countering Russian military strategies. Vitiuk highlighted that hackers have been infiltrating Russian systems to gain insights into the Kremlin's objectives, troop movements, and methods to circumvent Western sanctions. One notable achievement was the prevention of Russia's attempt to acquire microchips for Iranian drones through third countries. The intelligence gathering process often starts with open-source intelligence, where Ukrainian specialists identify the infrastructure and vulnerabilities of their targets. Vitiuk also mentioned the role of leaked Russian documents and chatbots on Telegram in gathering intelligence. These chatbots were developed by the Ukrainian government to collect information about Russian military activities and have proven instrumental in countering Russian advances.
READ THE STORY: The Record
Google AI red team lead says this is how criminals will likely use ML for evil
Analyst Comments: The increasing integration of AI into various systems underscores the need for proactive security measures. As AI systems become more prevalent, their vulnerabilities become attractive targets for malicious actors. The tactics highlighted by Fabian, such as prompt injection and data poisoning, demonstrate the sophisticated nature of potential AI-based attacks. However, the proactive approach of AI red teams, like Google's, is a positive step towards understanding and mitigating these threats. While AI can indeed streamline the identification of security vulnerabilities, it's crucial for organizations to remain vigilant and continuously update their security protocols. The dynamic nature of AI means that the cybersecurity landscape will continue to evolve, and staying ahead of potential threats will be paramount.
FROM THE MEDIA: At the DEF CON conference, Daniel Fabian, the head of Google Red Teams, discussed the potential threats and challenges posed by artificial intelligence (AI) in the realm of cybersecurity. Fabian emphasized that while AI is a relatively new technology, both security defenders and attackers are exploring its potential uses. Google's AI red team focuses on simulating potential AI-based threats to anticipate future adversarial strategies. Fabian highlighted specific AI-based threats, such as prompt injection attacks and data poisoning, which can manipulate AI outputs or introduce malicious code into machine learning models. Despite the potential risks, Fabian remains optimistic about the future of AI in cybersecurity, believing that in the long run, AI will benefit defenders more than attackers.
READ THE STORY: The Register
Google loses bid to throw out ‘Incognito’ lawsuit, placing private browsing under scrutiny
Analyst Comments: The lawsuit against Google's Incognito mode is significant as it challenges the tech giant's portrayal of private browsing and its actual privacy implications. If the lawsuit succeeds, it could set a precedent for other tech companies and how they market their privacy features. The case underscores the importance of clear communication and transparency in tech products, especially when it comes to user privacy. The outcome of this lawsuit could potentially lead to more stringent regulations or guidelines on how tech companies can market their privacy features. It also highlights the broader issue of data privacy and the value of consumer data in the digital age.
FROM THE MEDIA: Google is set to face a $5 billion consumer privacy lawsuit after a California judge denied the company's request to dismiss the case. The lawsuit challenges the privacy assurances of Google's Chrome Incognito browsing product. The plaintiffs argue that Google's privacy policies are misleading and that the company can still track users even when they use the Incognito mode for browsing. Serge Egelman, from the International Computer Science Institute, stated that many users misunderstand the security of private browsing, thinking it offers more protection than it actually does. The lawsuit suggests that while Incognito mode may reset tracking cookies, other data like IP addresses can still be used to create a unique identifier to track users. The judge's decision means that the lawsuit will either head to trial or be settled. The case also brings to light the value of consumer data, with the judge referencing a Google pilot program that paid users to track them, suggesting there is a market for such data.
READ THE STORY: The Record
Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics
Analyst Comments: APT31's advanced tactics underscore the evolving sophistication of state-sponsored threat actors. Their ability to target air-gapped systems, which are typically isolated from unsecured networks, highlights a high level of technical capability and determination. The use of popular cloud-based storage like Dropbox and Yandex Disk for data exfiltration is a strategic move, as it can potentially bypass certain security measures. However, this method also poses a risk for the threat actors, as the stolen data could be accessed by a third party if they gain access to the storage used by APT31. Organizations need to be vigilant and adopt advanced security measures, especially those in sectors or regions that are frequent targets of state-sponsored cyber espionage campaigns.
FROM THE MEDIA: "The Hacker News" discusses the advanced backdoors and data exfiltration tactics of the Chinese threat actor known as APT31 (also referred to as Bronze Vinewood, Judgement Panda, or Violet Typhoon). This group has been linked to a set of sophisticated backdoors capable of sending harvested sensitive data to Dropbox. The malware is part of a collection of over 15 implants used by APT31 in attacks against industrial organizations in Eastern Europe in 2022. The malware operates in three stages: setting up persistence, collecting sensitive data, and transmitting the data to a remote server. A unique feature of APT31's approach is the use of a command-and-control (C2) server inside the corporate perimeter, targeting air-gapped systems. Kaspersky also identified additional tools used by APT31 to manually upload data to various file-sharing services and the Yandex email service.
READ THE STORY: THN
US Cyber Command boss says China's spooky cyber skills still behind
Analyst Comments: The remarks by General Nakasone underscore the evolving nature of cyber threats and the importance of national cybersecurity. The emphasis on China as a "pacing challenge" indicates a recognition of the long-term strategic competition in the cyber domain. The collaboration with the private sector and the lessons learned from significant cyber incidents in 2021 demonstrate the US's adaptability and resilience in the face of evolving threats. The focus on China's potential positioning within critical infrastructure is a clear indication of the strategic importance of cybersecurity in safeguarding national interests.
FROM THE MEDIA: General Paul Nakasone, the commander of US Cyber Command, stated that China's cyber and surveillance capabilities are not superior or even on par with those of the United States. Speaking at an event at the Center for Strategic and International Studies in Washington, Nakasone referred to China as a "pacing challenge" and emphasized the long-term nature of the competition between the two nations. While acknowledging China's growing cyber capabilities, Nakasone expressed confidence in the security of classified networks against potential Chinese infiltration. He also voiced concerns about China's intentions in gaining positions within the critical infrastructure of the US and its allies. Nakasone highlighted the importance of the private sector in bolstering US cybersecurity, pointing to the collaboration during Russia's invasion of Ukraine. He also reflected on the significant cybersecurity challenges faced by the US in 2021, including the SolarWinds breach and ransomware attacks, marking a shift in the perception of cybersecurity as a national security issue.
READ THE STORY: The Register
New SystemBC Malware Variant Targets Southern African Power Company
Analyst Comments: The deployment of the DroxiDat variant of SystemBC in critical infrastructure attacks highlights the increasing sophistication and adaptability of cyber threats. The malware's capability to potentially pave the way for ransomware attacks is particularly alarming, given the surge in such attacks targeting industrial sectors. The suspected involvement of Russian ransomware groups adds a layer of geopolitical complexity to these cyber threats. It's imperative for organizations, especially those in vital sectors, to bolster their cybersecurity defenses and remain vigilant against evolving threat vectors.
FROM THE MEDIA: An unidentified threat actor targeted a power generation company in southern Africa using a new variant of the SystemBC malware named DroxiDat, potentially as a precursor to a ransomware attack. The malware was deployed alongside Cobalt Strike Beacons. SystemBC, a C/C++-based commodity malware first identified in 2019, sets up SOCKS5 proxies on victim computers for malicious traffic tunneling. The DroxiDat variant was specifically used to profile systems and proxy network traffic to a command-and-control (C2) infrastructure. While SystemBC has historical ties to ransomware attacks, the DroxiDat variant has been linked to the Nokoyawa ransomware in a separate healthcare incident. Evidence suggests that Russian ransomware groups, specifically FIN12, might be behind these attacks. The number of ransomware attacks on industrial organizations has doubled since Q2 2022.
READ THE STORY: THN
Magento shopping cart attack targets critical vulnerability revealed in early 2022
Analyst Comments: The exploitation of this older vulnerability in Magento 2 highlights the importance of timely patching and the challenges businesses face in keeping up with security updates. The attackers' sophisticated methods, such as pulling the web shell from GitHub and disguising it as a legitimate Magento component, demonstrate the evolving tactics and techniques used by cybercriminals. E-commerce platforms, especially widely-used ones like Magento, remain attractive targets due to the valuable financial data they handle.
FROM THE MEDIA: Adobe's open-source Magento 2 software, used by e-commerce stores, is currently under attack due to a critical vulnerability that was patched in February 2022. Security researchers from Akamai have identified a server-side template injection campaign targeting Magento 2 stores that have not patched the CVE-2022-24086 vulnerability, which has a CVSS score of 9.8. The ongoing campaign, which began in January 2023, aims to extract payment statistics from orders placed in the victim's Magento store over the past ten days. The attackers are exploiting this vulnerability to pull a web shell from GitHub and execute it on the victim's server. The attackers have also taken measures to hide their malicious activities, such as registering the web shell as a new Magento component named "GoogleShoppingAds."
READ THE STORY: The Register
16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks
Analyst Comments: The discovery of these vulnerabilities in the widely-used CODESYS V3 SDK is alarming, especially given the potential impact on OT environments. The ability to execute remote code or launch denial-of-service attacks on critical infrastructure systems can have severe consequences, from data theft to operational disruptions. The fact that these vulnerabilities can be exploited to tamper with PLCs further amplifies the risk, as PLCs are integral to many industrial processes. Organizations using CODESYS V3 should prioritize updating to the patched version to mitigate the risk. Given the potential severity and the broad application of the affected SDK, OT environments need to be vigilant and proactive in their cybersecurity measures.
FROM THE MEDIA: A series of 16 high-severity vulnerabilities, collectively referred to as CoDe16, have been identified in the CODESYS V3 software development kit (SDK). These vulnerabilities, which range from CVE-2022-47378 to CVE-2022-47393, could lead to remote code execution and denial-of-service attacks, particularly threatening operational technology (OT) environments. The flaws were discovered in all versions of CODESYS V3 prior to version 3.5.19.0. While exploitation requires user authentication and knowledge of the proprietary protocol of CODESYS V3, successful attacks could disrupt and tamper with critical automation processes. The vulnerabilities are primarily buffer overflow issues, and their exploitation could allow attackers to backdoor OT devices and compromise the functioning of programmable logic controllers (PLCs). Patches for these vulnerabilities were released in April 2023.
READ THE STORY: THN
New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks
Analyst Comments: The weaponization of a legitimate tool like Freeze[.]rs underscores the adaptability and resourcefulness of cyber adversaries. The multi-stage attack chain, which involves phishing, multiple malware deployments, and the use of a legitimate tool for malicious purposes, demonstrates the sophistication of modern cyber threats. Organizations need to be vigilant against such multi-faceted threats, ensuring that their security solutions can detect and mitigate such complex attack chains. The rapid adoption of newly released tools by cyber adversaries further emphasizes the need for continuous monitoring and updating of cybersecurity strategies and defenses.
FROM THE MEDIA: Cyber adversaries are leveraging a legitimate Rust-based injector named Freeze[.]rs to deploy a malware known as XWorm. The attack chain, discovered by Fortinet FortiGuard Labs on July 13, 2023, begins with a phishing email containing a malicious PDF file. This attack also deploys the Remcos RAT using a crypter named SYK Crypter, which was identified by Morphisec in May 2022. Freeze[.]rs, an open-source red teaming tool from Optiv, is designed to execute shellcode discreetly, bypassing security solutions. The SYK Crypter is used to distribute various malware families and is fetched from the Discord content delivery network via a .NET loader disguised as legitimate purchase orders. The attack chain culminates in the deployment of the XWorm remote access trojan, which can gather sensitive data and control the compromised device. The primary targets of this malicious campaign are Europe and North America.
READ THE STORY: THN
Items of interest
Ukraine, Cyberattacks, and the Lessons for International Law
Analyst Comments: The article provides a comprehensive overview of the cyber landscape in the context of the Russia-Ukraine conflict. It highlights the evolving nature of cyber warfare and its integration into broader military strategies. The emphasis on the need for international legal frameworks to address both high-end and lower-level cyber operations is particularly relevant, given the increasing reliance on digital infrastructure globally. The article underscores the importance of proactive measures, collaboration, and clarity in international rules to ensure cybersecurity and manage potential escalations in future conflicts.
FROM THE MEDIA: In an article published in the AJIL Unbound journal, Kristen E. Eichensehr discusses the role of cyberattacks in the context of Russia's invasion of Ukraine. Contrary to expectations, cyber operations seemed to have played a limited role in the early stages of the invasion. This has led to speculation about the reasons behind this limited cyber activity. The article explores two primary explanations: either Russia's cyberattacks were effectively countered, or Russia chose not to deploy them extensively. The article emphasizes the need for international lawyers to focus on clarifying and enforcing international rules for both high-end and lower-level cyber operations. The goal is to manage escalation risks in current and future conflicts, even if such rules might not directly restrain behavior.
READ THE STORY: Cambridge Core
The Satellite Hack Everyone Is Finally Talking About (Video)
FROM THE MEDIA: When Viasat's network was hacked at the start of Putin's invasion of Ukraine, the Ukrainian government scrambled to connect troops, and the satellite internet industry got a wake-up call. Bloomberg's Katrina Manson tells us more.
How China Hacked ISP (Video)
FROM THE MEDIA: Chinese state sponsored hackers breached internet service providers and network service providers. We give a technical analysis of how they exploited vulnerabilities, exfiltrated data, and changed internet routing.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.