Daily Drop (568): Road Map To Sino-US Cyber Cooperation, MoustachedBouncer, DoE: Cybersecurity Approach, Cozy Bear, US: Microsoft Hack, Boston Subway Cards, Python URL Parsing Flaw, Lolek Hosting
08-12-23
Saturday, Aug 12, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
The Road Map To Sino-US Cyber Cooperation Requires Both Nations To Look In The Mirror
Analyst Comments: Earl Carr delivers an in-depth insight into the cyber relationship between the U.S. and China, underscoring the ironies and challenges in their interactions. While offering numerous instances of both nations' cyber activities, Carr accentuates the superpowers' shared responsibility, especially the U.S.'s, in bolstering cybersecurity in third-world nations. His emphasis on the global nature of cybersecurity and the need for a cooperative approach is both timely and vital.
FROM THE MEDIA: The Road Map To Sino-US Cyber Cooperation Requires Both Nations To Look In The Mirror dives deep into the cyber complexities between the U.S. and China. The U.S., despite its self-portrayal as a cybersecurity champion, has been involved in significant cyber-attacks, while China has been notably aggressive, as seen in the Microsoft hacking incident. The strength of U.S. soft power, evident in international media, contrasts the lingering uncertainty around China's access to TikTok user data. The U.S. occasionally restricts access to Chinese scholars, leading to strained academic relationships. Both nations have wielded cyber capabilities for political ends, like the U.S.'s Stuxnet worm against Iran and China's association with APT41. They have sometimes disregarded international laws, continuing cyber espionage activities despite agreements. The U.S.'s dominant role in drafting international cyber frameworks contrasts with its inadequate assistance to third-world countries.
READ THE STORY: Forbes
‘MoustachedBouncer’ espionage hackers targeting embassies in Belarus
Analyst Comments: Jonathan Greig's article offers a detailed and concerning look into the intricacies of cyber-espionage activities in Belarus. The revelation that a hacker group, with potential ties to the Belarus government, is actively targeting foreign embassies highlights the increasing challenges faced by diplomatic entities in today's digital age. The methods used by MoustachedBouncer, particularly the AitM technique, demonstrate a sophisticated approach to cyber-espionage, emphasizing the need for enhanced security measures by potential targets. The links between MoustachedBouncer and other hacking entities with Russian ties suggest deeper geopolitical undercurrents, which further complicate the cyberspace domain.
FROM THE MEDIA: Jonathan Greig reports on the activities of a hacking group, named "MoustachedBouncer", targeting foreign embassies in Belarus. These hackers are engaged in espionage activities, aiming to steal documents, record audio, and monitor victims' keystrokes. Researchers from the cybersecurity firm ESET identified the group and linked it to the Belarus government, specifically alluding to the nation's leader, Alexander Lukashenko, who is known for his mustache. Since 2014, MoustachedBouncer has been operational, but they altered their tactics in 2020 to employ "adversary-in-the-middle" (AitM) attacks, which intercept user-service authentication. According to ESET researcher Matthieu Faou, the hackers appear to exploit local ISPs, with at least four embassies being impacted so far. The group manipulates victims' internet access at the ISP level, tricking Windows into perceiving a fake Windows Update page. Tools called “NightClub” and “Disco” were used by the hackers, with the former exploiting free email services, while the latter is used during AitM attacks.
READ THE STORY: The Record // THN
The Department Of Energy's Evolving Cybersecurity Approach
Analyst Comments: The DOE's intensified focus on cybersecurity signifies the gravity and complexity of modern cyber threats. The move towards a zero-trust approach is both a necessity and an evolution of traditional cyber defense tactics. It acknowledges the changing nature of threats and the requirement for continuous validation and verification processes. While the shift towards newer protocols and strategies is commendable, it's evident from Liberto's insights that transitioning entirely may be both time-consuming and expensive. This points to a larger challenge many organizations face: balancing between existing legacy systems and the need for cutting-edge cybersecurity measures. The emphasis on training underscores that while technology is crucial, human awareness remains a critical line of defense.
FROM THE MEDIA: The U.S. Department of Energy (DOE) is evolving its cybersecurity approach in response to increasing cyber threats. Given the heightened risk to critical infrastructure and data, the DOE has combined government compliance, regulations, laws, and executive orders to meet these challenges. A critical aspect of this is the adoption of the 'zero trust' cybersecurity approach. This concept challenges traditional assumptions of trust within a network, treating every user, device, and application as potentially untrusted. Ignatius "Buck" Liberto, Director, Cybersecurity Risk Management & Compliance at the U.S. DOE, emphasizes the challenges in fully implementing zero trust due to legacy architectures and protocols. However, he also states that there is a shift from the old 'allow all, deny by exception' mindset to the new 'deny all, allow by exception' strategy, forming part of the zero trust framework.
READ THE STORY: Forbes
'Cozy Bear' Russian hackers target Irish Embassy in Kyiv
Analyst Comments: The attempted cyberattack on the Irish Embassy showcases the escalating nature of cyber threats on a global scale, especially those that are potentially state-sponsored. The agility of the Irish cybersecurity response team in detecting and mitigating the threat underscores the critical need for robust cybersecurity infrastructure, especially for institutions holding sensitive information. The wide range of countries whose embassies were targeted indicates a large-scale coordinated effort by the hackers, emphasizing the importance of international cooperation in countering such threats. The suspected association of Cozy Bear with the Russian government, if confirmed, could have diplomatic implications, stressing the necessity for nations to take a clear stance on cyber espionage.
FROM THE MEDIA: The Irish Embassy in Ukraine, situated in Kyiv, faced a cyberattack orchestrated by the notorious Russian hacker group, Cozy Bear. The initial breach attempted to exploit an ad for a used car from a Polish Embassy staffer. This ad was accessed by several foreign embassies, leading Cozy Bear to initiate a phishing scam. However, Irish cyber-detectives, located both in Dublin and Kyiv, detected the threat and neutralized it without any harm. The matter has been handed over to the National Cyber Security Centre for further investigation. It's known that other embassies, including those from countries like Canada, the US, and Greece, among others, were targeted. Junior Minister Ossian Smyth communicated that such cyberattacks on the Department of Foreign Affairs are frequent due to the sensitive nature of their work. Cozy Bear, believed to be affiliated with Russian intelligence services, is suspected to be acting under orders from Russian President Vladimir Putin.
READ THE STORY: Irish Mirror
US cyber board to investigate Microsoft hack of government emails
Analyst Comments: The cyber breach highlights the vulnerabilities and challenges of modern-day cloud-based systems, even when trusted with sensitive governmental data. The delayed detection underscores the significance of robust monitoring tools and the need for companies to provide such tools as a standard feature rather than an upscale option. Microsoft's response, though corrective in nature, came after significant damage. The event also illustrates the importance of government and private sectors working hand in hand to ensure national cyber resilience. The CSRB's proactive stance in investigating major cyber events serves as a positive step towards addressing and preventing such future occurrences.
FROM THE MEDIA: On August 11, 2023, TechCrunch reported that the U.S. Cyber Security Review Board (CSRB) is set to investigate a recent intrusion into U.S. government email systems supplied by Microsoft. This decision comes after the revelation that Chinese state-backed hackers accessed government email accounts, including that of the U.S. Commerce Secretary and several officials at the U.S. State Department. Microsoft disclosed that the hackers stole a sensitive signing key which, combined with an existing flaw, granted them unauthorized access. Though the breach started in mid-May, it was not detected until a month later when the State Department identified it. Criticism from various sectors led Microsoft to provide log access for all customers from September. Senator Ron Wyden criticized Microsoft and called for an investigation into "lax cybersecurity practices."
READ THE STORY: TC
Teens Hacked Boston Subway Cards to Get Infinite Free Rides—and This Time, Nobody Got Sued
Analyst Comments: The revelation that teenagers could not only replicate but also advance on a hack previously tackled by MIT students speaks volumes about the escalating technical aptitude of newer generations, emphasizing the impending challenge that institutions, both business and governmental, might face. The Massachusetts Bay Transit Authority's (MBTA) evolved approach from the 2008 incident, where they chose to sue, to now inviting the teenagers to present their findings, is indicative of an evolving and more collaborative attitude towards ethical hacking. Such synergies are essential in addressing vulnerabilities effectively. However, the MBTA's decision to defer a robust solution to their vulnerabilities until 2025 might be risky. This delay potentially opens the door for misuse, prompting other opportunistic hackers to capitalize on these vulnerabilities, leading to financial setbacks. Public disclosures of this nature underscore the need for entities like MBTA to consistently engage with the cybersecurity community, possibly by organizing regular ethical hacking tests, to preemptively detect and rectify vulnerabilities.
FROM THE MEDIA: In 2008, MIT students were stopped from presenting a method to hack Boston’s subway system for free rides due to a lawsuit by the Massachusetts Bay Transit Authority (MBTA). Inspired by this event, four teenagers, Matty Harris, Zachary Bertocchi, Noah Gibson, and Scott Campbell, have successfully hacked Boston’s current subway system, using the RFID-based CharlieCards, in 2023. After two years of research, they reverse-engineered the system to not only add any amount of money to the cards but also to designate cards as discounted student, senior, or even MBTA employee cards for unlimited free rides. The team even built a "vending machine" and an Android app to demonstrate the hacks. Unlike in 2008, the MBTA did not sue the teens but invited them to present their findings. Though the vulnerabilities are yet to be fixed, MBTA plans to roll out a new subway card system in 2025 which, it claims, won’t have the current vulnerabilities. The MBTA's stance is that while they recognize the vulnerabilities, they do not see them as posing imminent risks related to safety, system disruption, or a data breach.
READ THE STORY: Wired
New Python URL Parsing Flaw Enables Command Injection Attacks
Analyst Comments: This discovery is particularly concerning given the widespread use of Python in many applications and systems. Although blocklisting methods, which this flaw exploits, are not always the primary choice for security, their use in specific scenarios makes systems vulnerable. The high CVSS score indicates the potentially severe impact of this flaw, underlining the need for immediate patches. Organizations and developers using affected Python versions should prioritize updating to the patched versions.
FROM THE MEDIA: The Hacker News recently highlighted a high-severity security flaw in Python's URL parsing function, urlparse. This vulnerability, identified as CVE-2023-24329 with a CVSS score of 7.5, can be triggered by supplying a URL that begins with blank characters. Such input could bypass domain or protocol filtering mechanisms that rely on a blocklist, leading to potential arbitrary file reads and command execution. Yebo Cao, the security researcher who reported the flaw in August 2022, pointed out its presence in specific Python versions. Fortunately, patches have been rolled out in subsequent versions to mitigate the issue. Cao emphasized the vulnerability's potential to bypass protections and the consequent risks of Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) in various situations.
READ THE STORY: THN
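The blocklist pattern the article describes, next to a fail-closed alternative, as an added example (not code from the article or from CPython). The blocked scheme and host values are constructed samples, and `urlparse_strips_leading_blanks()` is an assumed probe that reports whether the running interpreter already carries the fix.

```python
"""Blocklist vs. fail-closed URL filtering around urllib.parse.urlparse.

Constructed example: a blocklist filter of the kind CVE-2023-24329 bypasses,
a hardened filter that validates its input first, and a probe for the
behaviour of the interpreter this runs on.
"""
from urllib.parse import urlparse

# Constructed sample values a naive filter tries to keep out.
BLOCKED_SCHEMES = {"file", "gopher", "ftp"}
BLOCKED_HOSTS = {"169.254.169.254", "localhost", "127.0.0.1"}

# WHATWG "C0 control or space": U+0000..U+0020. The upstream fix strips these
# from the front of the URL before parsing; the hardened filter below instead
# refuses input that contains them at either end (assumption: that policy).
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def urlparse_strips_leading_blanks() -> bool:
    """Probe: True on interpreters that already carry the CVE-2023-24329 fix."""
    return urlparse(" https://example.com/").scheme == "https"


def blocklist_filter(url: str) -> bool:
    """Vulnerable pattern: parse, then deny only if scheme/host is blocklisted.

    On unpatched interpreters a leading blank makes urlparse return an empty
    scheme and no hostname, so neither check fires and the URL is allowed.
    A downstream client that trims the blank then opens file:///... as-is.
    The same code also allows a bare "example.com", because an empty scheme
    is never on the blocklist: the check fails open.
    """
    parts = urlparse(url)
    if parts.scheme in BLOCKED_SCHEMES:
        return False
    if parts.hostname in BLOCKED_HOSTS:
        return False
    return True


def hardened_filter(url: str) -> bool:
    """Fail-closed pattern: validate the raw input, then require known-good parts."""
    # 1. Do not let the parser see leading/trailing control or space characters;
    #    their presence is a validation failure, not something to silently fix.
    if url != url.strip(_C0_OR_SPACE):
        return False
    parts = urlparse(url)
    # 2. Allowlist the scheme: an empty or unexpected scheme is rejected.
    if parts.scheme not in {"http", "https"}:
        return False
    # 3. Require a hostname so a parse that yields None cannot slip past the
    #    host check, then apply the host denylist on a value known to exist.
    if not parts.hostname or parts.hostname in BLOCKED_HOSTS:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://example.com/", "file:///etc/passwd",
                      " file:///etc/passwd", "example.com", "http://localhost/"):
        print(repr(candidate), "blocklist:", blocklist_filter(candidate),
              "hardened:", hardened_filter(candidate))
```

On an unpatched interpreter the padded file URL passes `blocklist_filter` and is rejected by `hardened_filter`; on a patched one both reject it, which is why the hardened check is the one to rely on.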
Takedown of Lolek bulletproof hosting service includes arrests, NetWalker indictment
Analyst Comments: The dismantling of LolekHosted.net is a significant blow to cybercriminal operations worldwide, given its pivotal role in facilitating cybercrimes, notably through the notorious NetWalker ransomware. Bulletproof hosting services, like LolekHosted, are paramount for cybercriminals as they provide an umbrella of protection and anonymity. The collaboration between European and U.S. agencies, spanning from Europol to the FBI, underscores the gravity of the threat posed by such services. The indictment and the accompanying hefty prison sentence sought for Grabowski serve as a stark reminder of the legal repercussions of facilitating cybercrime.
FROM THE MEDIA: European law enforcement, in collaboration with U.S. agencies, executed a significant takedown operation against a cybercriminal infrastructure, leading to several arrests. On August 11th, 2023, The Record reported that five individuals were arrested in Poland for their involvement with a web hosting service, LolekHosted.net, known for supporting cybercrime activities. The servers of this service were seized on August 8th. U.S. prosecutors in Florida indicted a Polish national, Artur Karol Grabowski, 36, for allegedly operating Lolek. The hosting service had facilitated attacks by the NetWalker ransomware that affected numerous global targets, with at least 50 incidents directly linked to Lolek. Grabowski remains at large. LolekHosted.net was a "bulletproof" hosting service, often patronized by cybercriminal organizations due to the protection and anonymity it offered its clients.
READ THE STORY: The Record
Inside Russia's attempts to hack Ukrainian military operations
Analyst Comments: The continuous attempts by Russian hackers to infiltrate the Ukrainian military's operational systems underscore the high stakes of cyber warfare in modern geopolitical conflicts. By targeting communication devices, Russia aims to compromise Ukraine's operational efficacy. The focus on Starlink devices shows the crucial role modern technology plays in contemporary warfare, where maintaining communication channels can be as important as physical weaponry. Ukraine's decision to publicize these attempts is both a strategic move and a call for international awareness.
FROM THE MEDIA: Georgia Public Broadcasting reveals details provided by Ukrainian intelligence to NPR about Russian hackers' attempts to breach Ukrainian military planning operations. Specifically, these hackers, attributed to Russia's military intelligence organization GRU's SandWorm group, targeted Android tablets used by Ukrainian officers. Their primary objective was to extract intelligence and subsequently design malware to exploit the broader Ukrainian military operations network. Previous attempts by Russia to compromise the Ukrainian military's Delta system were also highlighted. Malware samples from the most recent operation indicated a focus on gathering data about Starlink satellite internet devices developed by SpaceX. These devices are instrumental in Ukraine, especially when other communication channels are compromised.
READ THE STORY: GFB
Largest switching and terminal railroad in US investigating ransomware data theft
Analyst Comments: This incident underscores the ever-growing cyber threat faced by critical infrastructure in the U.S. and globally. The fact that the Belt Railway Company, a key transportation hub, has become a target suggests that ransomware gangs are shifting focus to entities that play pivotal roles in countries' economic and logistical operations. While the company has responded promptly by involving cybersecurity experts and law enforcement, its proactive measures (as outlined in its recent blog post) failed to prevent this breach. This raises questions about the efficacy of current cybersecurity protocols and standards, even when entities are compliant with regulatory requirements. Given the significance of railroads in logistics and the broader economy, such breaches can have cascading effects. It's crucial for such vital infrastructure entities to continually adapt and upgrade their security measures, anticipating evolving cyber threats.
FROM THE MEDIA: The Belt Railway Company of Chicago, the largest switching and terminal railroad in the U.S., is currently investigating a data theft by the Akira ransomware gang. Based in Bedford Park, Illinois, the company is co-owned by six railroad firms from the U.S. and Canada. It operates approximately 28 miles of railroads and offers services to over 100 local manufacturing businesses. The Akira gang recently claimed responsibility for stealing 85 GB of the company's data. Although the incident has not affected the company's operations, they have engaged a prominent cybersecurity firm for investigation and are coordinating with federal law enforcement. This cyber-attack occurs in the backdrop of the Transportation Security Administration (TSA) implementing stricter cybersecurity regulations for crucial rail infrastructure. Interestingly, the company had shared its efforts to comply with these rules in a blog post just a month ago, stating it had cleared a TSA audit and implemented recommended changes.
READ THE STORY: The Record
Southern African power generator targeted with DroxiDat malware
Analyst Comments: This incident underscores the complexity and adaptability of cyber threats targeting vital infrastructures, even in regions less commonly in the limelight for such attacks, like southern Africa. The deployment of a new SystemBC variant, DroxiDat, reveals that malicious actors are persistently evolving their methods to enhance efficacy and simultaneously target multiple entities. The use of built-in Windows tools is particularly concerning, as it shows a more sophisticated approach to bypass potential security barriers. The fact that no ransomware was delivered is intriguing and raises questions about the attackers' endgame. Was this a test run, an espionage operation, or simply a display of capability? The speculated involvement of Russian-speaking hackers adds another layer of complexity, suggesting the potential for state-sponsored or state-tolerated cyber operations.
FROM THE MEDIA: A power generator in southern Africa has reportedly fallen victim to a cyberattack involving a new variant of the SystemBC malware, named DroxiDat. The cybersecurity firm Securelist disclosed this after discovering the incident, which transpired in March. The unidentified perpetrators utilized a Cobalt Strike tool along with DroxiDat to profile and establish remote connections to the electric utility, although no ransomware was delivered. SystemBC, a versatile malicious backdoor, has been available on darknet forums since at least 2018 under the model of "malware as a service." This DroxiDat variant is particularly notable for its ability to concurrently handle multiple targets using automated tasks. If the attackers gain the appropriate credentials, they can launch ransomware using inherent Windows tools, removing the necessity for manual intervention.
READ THE STORY: The Record
Russia Says It Destroys 20 Ukrainian Drones over Crimea
Analyst Comments: The escalation of drone-based engagements suggests a shift in tactics and a reliance on more covert and less manpower-intensive forms of warfare. The successful defense against these drones by Russian forces indicates their preparedness and advanced defense mechanisms. Ukraine's reluctance to publicly acknowledge these attacks signifies a potential strategy of plausible deniability, possibly aiming to disrupt without escalating the conflict overtly. The suspension of activities on the Crimean Bridge underscores the strategic importance of infrastructure in this conflict. Given the intricate mix of information and potential propaganda from both sides, independent verification becomes paramount for an objective understanding of events.
FROM THE MEDIA: Russian defense forces reportedly destroyed 20 Ukrainian drones launched at the Crimean Peninsula, with 14 taken down by air defense systems and six by electronic warfare. No casualties or damage were reported. The target of these drones remains unclear. However, traffic on the strategically significant Crimean Bridge was briefly halted. This drone attack is part of a larger trend, as drone engagements over Russian-controlled territories have surged, especially since a drone incident over the Kremlin in May. While Ukraine often refrains from claiming responsibility, it emphasizes the importance of targeting Russian military infrastructure. This conflict is set against the backdrop of Russia's annexation of Crimea in 2014 and its subsequent invasion of Ukraine.
READ THE STORY: AAWSAT
Microsoft to freeze license extensions for Russian companies
Analyst Comments: This development reveals the profound ramifications of geopolitical tensions on the technological and corporate landscape. As tech giants like Microsoft and Google restrict their services in Russia, it underscores the intertwined nature of geopolitics and technology in today's globalized world. The potential cyber vulnerabilities that arise from outdated software could pose significant challenges for Russian companies. Furthermore, while Russia's push for home-grown technology solutions is ambitious, the immediate lack of mature alternatives may compel businesses to resort to potentially unsafe practices, thus raising cyber risks.
FROM THE MEDIA: Microsoft has announced that it will cease renewing licenses for its products to Russian companies starting in October. This move comes as a direct response to the sanctions imposed against Russia due to the ongoing conflict in Ukraine. As stated in a letter dispatched to Russian businesses, Microsoft will discontinue processing payments via wire transfer to any local bank account for its services within Russia. Businesses are advised to secure their data before their existing subscriptions lapse. Microsoft had previously halted the sale of its products and services in Russia in March of the prior year, and it has announced intentions to incrementally curtail its operations in the country. A significant portion, approximately 90%, of corporate clients in Russia utilize Microsoft products, according to Forbes Russia. The suspension of Microsoft software updates raises concerns about increased vulnerability to cyberattacks for Russian services. Additionally, the dearth of alternative solutions might spur companies to resort to unauthorized software tools.
READ THE STORY: The Record
Items of interest
Embassy of China in Canada Issues a Statement on U.S Cyber Espionage Campaigns Against Japan
Analyst Comments: This development underscores the intricate web of cyber espionage and countermeasures existing between global superpowers. The statement by the Chinese Embassy not only acknowledges the U.S.'s cyber espionage activities but also sheds light on the strategic importance of HFOs. These operations could enhance the U.S.'s cyber situational awareness, allowing it to anticipate and counter potential cyber threats more effectively. Conversely, China views the possibility of the U.S. employing HFOs in countries neighboring China as a significant concern, as it might expose China's cyber capabilities and those of its allies.
FROM THE MEDIA: The Embassy of China in Canada has released a statement regarding U.S. cyber espionage activities targeting Japan. The statement draws attention to a methodology known as "hunt-forward" missions. These operations, referred to as Hunt Forward Operations (HFOs), function as an early warning system for cyber situational awareness. By engaging in HFOs, the U.S. gains insights into the cyber tactics and techniques of adversaries. Despite the benefits that the U.S. could reap from sharing its cyber-attack expertise with hunt-forward mission host countries, there's also potential to gather intelligence about cyber-attacks originating from these host nations.
READ THE STORY: Security Boulevard
The Evolving Threat from China (Video)
FROM THE MEDIA: Over the last year, CTU researchers have directly observed multiple incidents attributed to Chinese threat groups including BRONZE UNION, BRONZE SPIRAL, BRONZE ATLAS, BRONZE UNIVERSITY, BRONZE MOHAWK, and BRONZE EDGEWOOD. This session will explore some of these incidents and examine how observed TTPs likely reflect a changing threat landscape of China-based threat groups.
The New Chinese Malware Scandal: Unveiling A Cyber Catastrophe & the Dark History of Malware (Video)
FROM THE MEDIA: Chinese state-sponsored hackers breached internet service providers and network service providers.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.