Daily Drop (571): DPRK: NPM Packages, BRICS: Currency, China: Infrastructure, CODESYS Industrial Automation, JanelaRAT, China: Threatens to Expose US, Crypto-Apps, Fake Chrome Browser, Charming Kitten
08-15-23
Tuesday, Aug 15, 2023
North Korean Hackers Suspected in New Wave of Malicious npm Packages
Analyst Comments: The increasing number of attacks targeting package registries like npm underscores the vulnerabilities in the software supply chain. Developers and organizations must be vigilant about the packages they incorporate into their projects. The sophisticated nature of these attacks, combined with their potential links to nation-state actors, makes them particularly concerning. Organizations should prioritize securing their software supply chains, regularly auditing dependencies, and ensuring that they only use trusted sources.
FROM THE MEDIA: The npm package registry has been targeted in a sophisticated attack campaign designed to trick developers into downloading malicious modules. Software security firm Phylum identified this campaign as exhibiting behaviors similar to a previous attack linked to North Korean threat actors. Nine suspicious packages were uploaded to npm between August 9 and 12, 2023. The attack starts with a post-install hook in the package.json file that triggers an index.js file upon package installation. This file then uses the pm2 module to launch a daemon process executing another JavaScript file named app.js. This code establishes encrypted communication with a remote server, transmitting basic information about the compromised host and awaiting further instructions. This attack follows the discovery of a malicious Ethereum package on npm and a controversial change in the popular NuGet package, Moq.
READ THE STORY: THN
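The install-time chain described above (a `postinstall` hook in package.json that runs a local JavaScript file, which in turn pulls in pm2 to daemonise more code) is exactly the kind of thing a dependency audit can surface before it runs. The following Python script is an added example, not code from Phylum or from the article: it walks a node_modules tree, reports every package that declares a preinstall/install/postinstall script, and adds an indicator when the hook command or the local file it invokes references a process manager or shell-spawning primitive. The keyword list and the two sample packages are constructed for the example; a real audit would pair this with a pinned lockfile and `npm install --ignore-scripts`.

```python
"""Audit installed npm packages for install-time lifecycle scripts.

Added example (not from the Phylum report or the article). The token list
below is a constructed heuristic, not a published signature; the sample
packages built by build_sample_tree() are also constructed.
"""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_KEYS = ("preinstall", "install", "postinstall")

# Tokens that deserve a second look when they appear in an install hook or
# in the local file the hook executes (constructed for this example).
SUSPICIOUS = re.compile(
    r"\b(pm2|child_process|spawn|exec|daemon|curl|wget|powershell)\b", re.IGNORECASE
)

# Hook commands of the form "node something.js" name a local file we can inspect.
LOCAL_NODE_SCRIPT = re.compile(r"\bnode\s+(\S+\.js)\b")


def audit_package(pkg_dir):
    """Return a list of findings for one package directory ([] if it has no install hooks)."""
    pkg_dir = Path(pkg_dir)
    try:
        data = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return []  # unreadable manifest: nothing to assess here

    findings = []
    scripts = data.get("scripts") or {}
    for key in LIFECYCLE_KEYS:
        cmd = scripts.get(key)
        if not cmd:
            continue
        finding = {
            "package": data.get("name", pkg_dir.name),
            "hook": key,
            "command": cmd,
            "indicators": [],
        }
        if SUSPICIOUS.search(cmd):
            finding["indicators"].append("suspicious token in hook command")
        # Follow "node index.js"-style hooks into the file they run.
        match = LOCAL_NODE_SCRIPT.search(cmd)
        if match:
            target = pkg_dir / match.group(1)
            if target.is_file() and SUSPICIOUS.search(target.read_text(errors="replace")):
                finding["indicators"].append(f"suspicious token in {match.group(1)}")
        findings.append(finding)
    return findings


def audit_tree(node_modules):
    """Audit every package.json under a node_modules directory."""
    findings = []
    for manifest in sorted(Path(node_modules).rglob("package.json")):
        findings.extend(audit_package(manifest.parent))
    return findings


def build_sample_tree(root):
    """Constructed fixture: one package without hooks, one mirroring the reported chain."""
    benign = Path(root) / "node_modules" / "example-benign"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(
        json.dumps({"name": "example-benign", "version": "1.0.0", "main": "index.js"})
    )
    suspect = Path(root) / "node_modules" / "example-suspect"
    suspect.mkdir(parents=True)
    (suspect / "package.json").write_text(
        json.dumps({"name": "example-suspect", "version": "0.0.1",
                    "scripts": {"postinstall": "node index.js"}})
    )
    # Stand-in for the hooked file: only references pm2, does nothing itself.
    (suspect / "index.js").write_text('const pm2 = require("pm2"); // constructed stub\n')
    return Path(root) / "node_modules"


def run_demo():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['package']}: {f['hook']} -> {f['command']!r} {f['indicators']}")
```

Run it against a real checkout with `audit_tree("node_modules")`; every hit is worth a manual look, since legitimate native modules also use install hooks, but a hook that chains into a process manager from a package you did not expect to need one is the pattern the article describes.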
BRICS creator slams ‘ridiculous’ idea for a common currency
Analyst Comments: O'Neill's skepticism about the BRICS nations' ability to establish a common currency highlights the challenges of economic collaboration among countries with diverse economies and political systems. While the idea of reducing dependence on the US dollar is appealing to many emerging economies, the practical challenges of implementing a shared currency are significant. The BRICS nations will need to carefully consider the economic and political implications of such a move, especially given the mixed track record of other regional currency initiatives.
FROM THE MEDIA: Jim O'Neill, the former Goldman Sachs economist who coined the term "Brics" (referring to Brazil, Russia, India, China, and South Africa), has criticized the idea of these emerging nations developing a common currency. This comes as the BRICS nations prepare for their 15th summit, where they will discuss the potential expansion of the bloc. O'Neill expressed skepticism about the group's achievements since their initial meetings and questioned the feasibility of creating a common currency for such diverse economies. He also pointed out that the dominance of the US dollar in the global financial system is not ideal for emerging countries. The BRICS bloc, which represents over 3 billion people, has been exploring the use of local currencies for trade among member states. However, the idea of a common currency is not currently on the summit's agenda.
READ THE STORY: FT
China would consider attacks on US railroads, pipelines if it invades Taiwan, Easterly says
Analyst Comments: The increasing concerns about China's cyber capabilities, especially in the context of a potential conflict over Taiwan, underscore the evolving nature of geopolitical cyber threats. The shift from espionage-focused attacks to those that can cause disruption or destruction indicates a significant escalation in cyber warfare tactics. The U.S. needs to bolster its cybersecurity defenses, especially for critical infrastructure, and foster collaboration between the government, the private sector, and the hacker community. Given the interconnected nature of global infrastructure and the ripple effects of major cyberattacks, this is not just a concern for the U.S. but for its allies and global partners as well.
FROM THE MEDIA: CISA Director, Jen Easterly, has warned of the potential for the Chinese government to launch disruptive or destructive cyberattacks on U.S. critical infrastructure, such as pipelines and railroads, especially if the U.S. intervenes in a possible Chinese invasion of Taiwan. Speaking at the DEF CON security conference, Easterly and TSA administrator David Pekoske discussed the urgency to address cybersecurity vulnerabilities and sought the hacker community's assistance. Easterly confirmed concerns previously raised by White House officials about China's potential for destructive cyberattacks during a Taiwan invasion. In May, it was revealed that Chinese hackers had developed capabilities to disrupt U.S. critical infrastructure, especially on military bases in Guam. The U.S. has observed a shift in Chinese cyber activities from espionage and data theft to potential disruption and destruction. Easterly emphasized the need for the American public to prepare for possible disruptive cyberattacks, drawing lessons from Ukraine's experience with Russia.
READ THE STORY: The Record
Microsoft reveals severe vulnerabilities in CODESYS industrial automation software
Analyst Comments: The discovery of these vulnerabilities in widely used industrial software like CODESYS underscores the importance of cybersecurity in critical infrastructure. The potential impact of these vulnerabilities is vast, given the software's widespread use in various industries globally. Organizations must prioritize patching and updating their systems to mitigate the risks associated with these vulnerabilities.
FROM THE MEDIA: Microsoft researchers have discovered 16 vulnerabilities in CODESYS, a popular industrial automation software. These vulnerabilities were presented by Microsoft security researcher Vladimir Eliezer Tokarev at the Black Hat security conference. CODESYS is used in engineering programmable logic controllers (PLCs), which are integral to various systems ranging from traffic lights to critical infrastructure like water processing and energy production. The vulnerabilities have high CVSS severity scores, with many reaching 8.8 out of 10. Exploiting these vulnerabilities could allow hackers to escalate privileges, steal credentials, or cause physical disruptions. Given that CODESYS has sold over 8 million device licenses worldwide, a successful attack could result in significant damage.
READ THE STORY: The Record
New Financial Malware 'JanelaRAT' Targets Latin American Users
Analyst Comments: The emergence of JanelaRAT highlights the evolving threat landscape in the LATAM region, with cybercriminals deploying sophisticated techniques to target financial data. The use of legitimate sources for side-loading and the ability to remain undetected underscores the need for organizations to adopt advanced cybersecurity measures. The targeted nature of JanelaRAT indicates that threat actors are increasingly focusing on specific regions and industries, requiring tailored defense strategies.
FROM THE MEDIA: A financial malware named JanelaRAT is targeting users in Latin America (LATAM), aiming to capture sensitive financial and cryptocurrency data from the region's banks and financial institutions. Zscaler ThreatLabz researchers discovered the malware, which uses DLL side-loading techniques with legitimate executables from vendors like VMware and Microsoft to evade detection. The malware is delivered via a ZIP archive file containing a Visual Basic Script. JanelaRAT is a modified version of BX RAT, first identified in 2014, and has the capability to capture window titles, track mouse inputs, log keystrokes, take screenshots, and gather system metadata. The malware's focus on LATAM is evident from its Portuguese language strings and references to LATAM-based financial organizations.
READ THE STORY: THN
China to disclose secret US ‘global reconnaissance system,’ claims official
Analyst Comments: The escalating tensions between China and the U.S. in the cyber domain highlight the complexities of international relations in the digital age. China's decision to disclose a U.S. reconnaissance system is a strategic move to counter criticisms and allegations directed at its own cyber activities. This development underscores the importance of establishing clear norms and guidelines in cyberspace to prevent misunderstandings and potential conflicts.
FROM THE MEDIA: Chinese authorities have announced their intention to disclose a "highly secretive global reconnaissance system" operated by the U.S. government. This move comes as a response to allegations of hacking earthquake monitoring equipment in Wuhan. This is the latest in a series of attempts by China to spotlight U.S. intelligence-gathering activities, especially in light of criticisms directed at Beijing's actions, which the U.S. claims often violate international law by targeting commercial rather than national security information. The state-controlled English-language newspaper, the Global Times, reported that this disclosure is a result of an investigation into alleged espionage targeting seismic intensity data. Xiao Xinguang, a member of an advisory body to the Chinese Communist Party, stated that this seismological data has significant intelligence value for various purposes, including analyzing weapons system tests and nuclear tests.
READ THE STORY: The Record
Beware of cool-looking beta crypto-apps. They may be money-stealing fakes
Analyst Comments: This new scam tactic is particularly concerning due to its multifaceted approach, combining both technical deception and social engineering. By presenting the malware as beta apps, criminals exploit the curiosity and trust of potential victims. The use of romance scams or phishing emails to build trust further underscores the lengths these criminals will go to ensure the success of their deceit. Given the increasing popularity of cryptocurrency and the general allure of beta-testing new technologies, this scam has the potential to affect a broad range of individuals.
FROM THE MEDIA: The FBI has alerted the public about a scam where criminals deceive individuals into downloading what are presented as beta-grade phone apps, which are, in reality, laden with malware. These malicious apps can extract data, access and deplete online financial accounts or entirely commandeer the device. The scammers, using tactics like phishing emails or romance scams, build trust with victims, sometimes even forming fake relationships, to manipulate them into downloading these apps. Often, these fraudulent apps are disguised as cryptocurrency exchanges, promising substantial returns on investments.
READ THE STORY: The Register
Fake Chrome Browser Update Installs NetSupport Manager RAT
Analyst Comments: The use of a fake Chrome browser update as a lure is a concerning evolution in cybercriminal tactics. By exploiting the trust users have in regular software updates, attackers are finding an effective method to deploy malicious tools. The campaign's sophistication, combined with its use of compromised websites across various sectors, indicates a well-organized and potentially large-scale operation. The similarities with the SocGholish campaign, albeit with different tools, suggest that threat actors are learning from each other and adapting successful techniques.
FROM THE MEDIA: Cybersecurity firm Trellix has exposed a new cyber scam that tricks users into downloading a fake Chrome browser update, which in reality is a malicious remote administration tool (RAT) called NetSupport Manager. This RAT allows cybercriminals to access and control victims' computers. The campaign, which began in late June 2023, uses compromised websites to deliver the fake Chrome update. Once victims download the fake update, they unknowingly install the NetSupport Manager RAT, granting cybercriminals access to sensitive data and control over their devices.
READ THE STORY: HACKRead
Chinese media teases imminent exposé of seismic US spying scheme
Analyst Comments: The upcoming allegations from China's Global Times may further strain the already tense US-China relations, especially in the realm of cybersecurity. While the US has frequently accused China of cyber espionage and intellectual property theft, this move by China seems to be a counter-narrative, painting the US as the aggressor in the cyber domain. The veracity of the claims remains to be seen, but the geopolitical implications are evident. Both nations are engaged in a broader struggle for technological and geopolitical dominance, and cybersecurity has become a significant battleground. The forthcoming details on the alleged US cyber operations could provide insights into US cyber tradecraft or could be a strategic move by China to shift the narrative.
FROM THE MEDIA: China's state-controlled media outlet, the Global Times, has hinted at an upcoming revelation of alleged US cyberattacks on its earthquake monitoring systems. The Wuhan Municipal Emergency Management Bureau previously reported that some of its seismic equipment was targeted by a foreign entity, which the Global Times identified as the US. The recent analysis reportedly found sophisticated backdoor malware consistent with US intelligence agencies' characteristics, aiming to steal earthquake monitoring data for military reconnaissance. Xiao Xinguang, a member of the National Committee of the Chinese People's Political Consultative Conference (CPPCC) and the chief software architect of Antiy Labs, emphasized the intelligence value of the data, especially in detecting nuclear tests.
READ THE STORY: The Register
Most DDoS attacks tied to gaming, business disputes, FBI and prosecutors say
Analyst Comments: The revelation that most DDoS attacks are not geopolitically motivated but are instead the result of personal disputes or business competition underscores the diverse threat landscape of cyberattacks. The fact that many of these attacks are initiated by younger individuals during holiday breaks highlights the accessibility and affordability of DDoS-for-hire services. Law enforcement's proactive approach in targeting DDoS infrastructure and creating confusion within the DDoS community is a positive step towards mitigating this threat.
FROM THE MEDIA: Federal officials, during the Black Hat cybersecurity conference, revealed that the primary motivations behind most distributed denial-of-service (DDoS) attacks are business or gaming disputes. While the media often focuses on nation-state-backed DDoS attacks, especially those linked to Russia, the majority of these attacks stem from minor disagreements between children or businesses trying to divert customers. The officials highlighted the case of Matthew Gatrel, who was sentenced for running a service that facilitated over 200,000 DDoS attacks. The primary motivation for these attacks was to gain a competitive edge in gaming. Another significant finding was that most DDoS attacks occur during the holiday season when children are on break. Law enforcement agencies categorize DDoS-related services into three types: Booter/Stresser services, botnet-based services, and open proxy services.
READ THE STORY: The Record
Charming Kitten Targets Iranian Dissidents with Advanced Cyber Attacks
Analyst Comments: The persistent and evolving cyber threats from Iranian actors, particularly Charming Kitten, highlight the need for heightened cybersecurity awareness and measures, especially for those in the targeted professions. The group's focus on social engineering and impersonation underscores the importance of verifying the identities of new contacts and being cautious about unsolicited communications. The targeting of Iranian banks and their customers further indicates that cyber threats are not limited to political or dissident targets but can also have significant financial implications. Organizations and individuals, especially those with ties to the Middle East or involved in dissident activities, should be vigilant, regularly update their cybersecurity protocols, and educate their members about the latest threat tactics.
FROM THE MEDIA: Germany's Federal Office for the Protection of the Constitution (BfV) has issued a warning about cyber attacks targeting Iranian individuals and organizations in Germany since late 2022. These attacks primarily target dissidents, including lawyers, journalists, and human rights activists, both within and outside Iran. The cyber espionage group behind these attacks is identified as Charming Kitten, known by various other names such as APT35, Mint Sandstorm, TA453, and Yellow Garuda. Although Iranian cyber actors are considered less sophisticated than their Russian and Chinese peers, they have been evolving their tools and techniques. Charming Kitten is known for its elaborate social engineering tactics, impersonating real individuals to build trust with its targets. The group uses phishing techniques to steal credentials, often impersonating legitimate service providers like Google or Microsoft. Google's Threat Analysis Group had previously highlighted a malware, HYPERSCRAPE, used by this group to extract user data. These findings align with reports from Certfa Lab and Human Rights Watch, which had earlier exposed a phishing campaign targeting professionals in the Middle East.
READ THE STORY: THN
Items of interest
Over 120,000 Computers Compromised by Info Stealers Linked to Users of Cybercrime Forums
Analyst Comments: The findings highlight the irony that even cybercriminals are not immune to the very threats they propagate. The fact that hackers are getting infected by stealer malware underscores the pervasive nature of these threats and the need for robust cybersecurity measures across all user segments. The data also emphasizes the importance of strong password practices, even within the hacker community. Law enforcement agencies could potentially leverage such inadvertent infections for attribution and action against cybercriminals. The rise of MaaS and the value of stolen credentials in the underground market further emphasize the need for organizations and individuals to prioritize cybersecurity.
FROM THE MEDIA: Hudson Rock, a cybersecurity firm, has discovered that out of 14.5 million computers in their cybercrime database, 120,000 computers infected with stealer malware are linked to cybercrime forums. Many of these computers belong to hackers who inadvertently got infected. The data retrieved from these compromised machines can reveal the real-world identities of hackers based on various indicators. Information stealers have become a significant part of the malware-as-a-service (MaaS) ecosystem, making them a popular initial attack vector for threat actors. The cybercrime forum with the highest number of infected users is Nulled.to, followed by Cracked.io and Hackforums.net. Interestingly, passwords from cybercrime forums are generally stronger than those used for government websites. The majority of these infections are attributed to malware strains like RedLine, Raccoon, and AZORult.
READ THE STORY: THN
Credential Access: Info Stealers, Initial Access Brokers, and Ransomware Operators (Video)
FROM THE MEDIA: Radware Threat Researchers Shorts, Credential Access (December 2022), a fragment from the Radware Threat Researchers Live stream, Ep. 27.
Cyber-Intelligence Briefing - Stealers - The Most Active Malware and Why You Need to Know (Video)
FROM THE MEDIA: Stealer malware is a type of malicious software that sneaks into computers, both personal and corporate, and steals valuable information. It does this by secretly communicating with a control center operated by cybercriminals. Information stealers are specialized malware used to steal account passwords, cookies, credit card details, and crypto wallet data from infected systems, which are then collected into archives called 'logs' and uploaded back to the threat actors. CYFIRMA Cyber Researchers break down the details.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.