Daily Drop (572): RU: PDF Targeting, US Army: EW, China: E-mail Hack, Ukraine War: Tech Opportunity, Zoom: Customer Data, Viasat: RU, Citrix, NRO, Cloudflare R2, SATs and Climate, Monti Returns
08-16-23
Wednesday, Aug 16, 2023
PDF lures aimed at NATO countries contain a Russian clue
Analyst Comments: The tradecraft matters more than the headline here. The lure borrowed the identity of a German embassy, the address it carried sat on a legitimate government domain (bahamas.gov.bs), and command and control rode on Zulip, a legitimate open-source chat service. Each choice targets reputation-based defenses: the domain passes sender checks, and the C2 traffic looks like ordinary SaaS chat. The targeting fits APT29's long-running interest in NATO foreign ministries, and Russian espionage against Europe has increased in tempo since the invasion of Ukraine. Defenders should treat unsolicited PDF invitations as untrusted attachments, inspect them for active content before they reach a desktop, and baseline which SaaS chat domains their networks legitimately talk to so an unexpected Zulip instance stands out.
FROM THE MEDIA: Dutch cybersecurity firm EclecticIQ discovered that hackers attempted to infiltrate government agencies in NATO countries using a variant of the Duke malware, which has ties to Russia. The hackers targeted the foreign ministries of NATO-aligned governments with two malicious PDF files. One of these files contained the Duke malware, associated with the Russian state-sponsored cyber-espionage group APT29. The malicious PDFs were disguised as diplomatic invitations from a German embassy, suggesting a broader campaign against diplomatic entities. The email address in the malicious PDF was linked to a genuine domain, bahamas.gov.bs, which had previously been used in similar attacks. Moscow's cyber espionage activities in Europe have surged since the onset of the war in Ukraine, with countries neighboring Ukraine facing the brunt. APT29, believed to be directed by Russia's Foreign Intelligence Service (SVR), primarily targets governments, political entities, and critical industries in the U.S. and Europe. In the recent campaign, the group used Zulip, an open-source chat application, for its command and control communications.
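The story turns on a PDF that carries active content. As an added example, not code from EclecticIQ, The Record, or the campaign itself, the script below is a first-pass static triage of a PDF: it undoes the #xx name-object escapes lure builders use to dodge keyword greps, counts the dictionary keys that wire code or external actions to the document (/OpenAction, /JavaScript, /Launch, /EmbeddedFile and so on), and notes when compressed object streams would hide those keys from a raw scan. The two sample documents are constructed here to exercise the scanner; they are not the real lures.

```python
import re
from pathlib import Path

# PDF name objects that warrant a closer look. Presence is a lead, not proof of malice:
# plenty of legitimate forms carry /AA and /JavaScript.
SUSPICIOUS_KEYS = {
    "/OpenAction":   "action runs automatically when the document is opened",
    "/AA":           "additional-actions dictionary (page, field and mouse event triggers)",
    "/JavaScript":   "embedded JavaScript action",
    "/JS":           "JavaScript code object",
    "/Launch":       "launch action (execute an external program or file)",
    "/EmbeddedFile": "file attachment (droppers stash payloads here)",
    "/URI":          "external link (lure pages, stagers)",
    "/SubmitForm":   "form submission to a remote URL",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in name objects: /J#61vaScript -> /JavaScript.
    Lure builders use this to dodge naive keyword greps."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf_bytes(data: bytes) -> dict:
    """Count suspicious keys in a PDF's raw bytes (uncompressed objects only)."""
    norm = normalize_names(data)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # Require a delimiter after the name so /JS does not also count /JSX-style names.
        rx = re.escape(key.encode()) + rb"(?=[\s/\[<(>]|$)"
        n = len(re.findall(rx, norm))
        if n:
            hits[key] = n
    return {
        "is_pdf": norm.lstrip().startswith(b"%PDF-"),
        "hits": hits,
        # Object streams and FlateDecode streams hide dictionaries from a raw scan;
        # a clean result with many of these is inconclusive until streams are inflated.
        "objstm": norm.count(b"/ObjStm"),
        "flate": norm.count(b"/FlateDecode"),
    }


def verdict(result: dict) -> str:
    """Collapse the key counts into a triage bucket."""
    if not result["is_pdf"]:
        return "not-a-pdf"
    hits = set(result["hits"])
    if "/OpenAction" in hits and hits & {"/JavaScript", "/JS", "/Launch"}:
        return "high"          # code or program launch wired to document open
    if hits & {"/Launch", "/EmbeddedFile", "/JavaScript", "/JS"}:
        return "review"
    if hits or result["objstm"] or result["flate"]:
        return "inconclusive"  # links only, or content hidden in compressed streams
    return "low"


def triage_pdf(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    return triage_pdf_bytes(Path(path).read_bytes())


# Constructed sample: a minimal "invitation" PDF whose open action runs obfuscated JavaScript.
# Built here only to exercise the scanner; it is not the lure from the EclecticIQ report.
SAMPLE_LURE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.launchURL\\('https://invite.example/rsvp'\\)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: the same skeleton with no actions at all.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        r = triage_pdf_bytes(blob)
        print(name, verdict(r), r["hits"])
```

A raw byte scan like this is a gate, not a verdict: real lures usually sit inside FlateDecode streams, so a "low" result on a file with many streams means nothing until the streams are inflated (pdf-parser or peepdf do that), and a "high" result on a document that arrived unsolicited from a diplomatic sender is reason to detonate it in a sandbox rather than open it.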
READ THE STORY: The Record
The US Army is rushing to rearm its electronic warriors after watching Russia and Ukraine jam each other's drones
Analyst Comments: The Ukraine conflict serves as a real-world example of the evolving nature of modern warfare, where electronic and cyber capabilities can be as decisive as traditional firepower. The US Army's push to revamp its electronic warfare tools is a necessary response to the changing battlefield dynamics. The heavy reliance of the US military on electronic communications makes it especially vulnerable to EW attacks, emphasizing the need for robust countermeasures. The Army's initiatives, such as the Terrestrial Layer System – Brigade Combat Team program, are steps in the right direction. However, continuous adaptation and learning from global conflict zones will be crucial to ensure that the US remains ahead in the electronic warfare domain.
FROM THE MEDIA: The US Army is hastening its efforts to enhance its electronic warfare (EW) capabilities, driven by the war in Ukraine, where drones play a pivotal role and jamming has emerged as a key counter-drone weapon: drones are being disrupted more effectively through electronic means than with traditional anti-aircraft weapons. The Army's EW capabilities have been somewhat neglected in recent years, and Ukraine has highlighted what that neglect costs. The Army is now investing in several programs to rebuild them, including the Terrestrial Layer System – Brigade Combat Team, recognizing the advances made by adversaries like Russia and China in this domain.
READ THE STORY: Insider
China email hacks included accounts of House member
Analyst Comments: The breach of a U.S. congressman's emails by suspected Chinese hackers underscores the escalating cyber threats posed by nation-state actors. The focus on high-profile targets, such as members of Congress and senior U.S. officials, indicates a strategic intent to gather intelligence or potentially exert influence. The vulnerability in Microsoft software, a widely used platform within the U.S. government, raises questions about the security of ubiquitous tech products and the potential risks of over-reliance on a single tech provider. Given the geopolitical tensions between the U.S. and China, such cyber incidents can further strain relations and necessitate stronger cybersecurity measures and international cooperation to address these threats.
FROM THE MEDIA: Rep. Don Bacon (R-NE), a member of the House Armed Services Committee, has publicly disclosed that his personal and campaign emails were hacked by suspected Chinese hackers. These hackers are believed to be the same group that previously breached the inboxes of the U.S. State and Commerce departments. Rep. Bacon said the breach occurred between May 15 and June 16, 2023, exploiting a vulnerability in Microsoft software. He emphasized that this breach was not due to user error and that there were other victims of this cyber operation. The congressman also expressed his concerns about the Chinese government's cyber espionage activities and affirmed his commitment to supporting Taiwan. The Homeland Security Department has announced that its Cyber Safety Review Board will investigate the breach, potentially drawing more attention to Microsoft's role.
READ THE STORY: The Record
Businesses scent a tech opportunity in Ukraine war
Analyst Comments: The Ukraine conflict underscores the increasing role of technology in modern warfare. The involvement of major tech companies and the integration of their products into military strategies highlight the blurring lines between civilian and military tech applications. While the immediate focus is on defense and warfare, the long-term vision of transforming Ukraine into a tech hub is ambitious and speaks to the country's resilience and forward-thinking approach. However, the reliance on commercial tech giants also poses risks, especially when geopolitical interests and corporate agendas might not always align. The situation in Ukraine serves as a testament to the evolving nature of warfare in the digital age and the strategic importance of technological advancements in determining the outcomes of conflicts.
FROM THE MEDIA: In the ongoing conflict between Ukraine and Russia, technologies have taken center stage, with both military and civilian tech being employed in innovative ways. Drones, for instance, are being used extensively for reconnaissance and delivering explosives, with Ukraine reportedly losing around 10,000 drones monthly. The war has also attracted the attention of tech companies, with some viewing it as an opportunity to test and showcase their products. Palantir's Alex Karp, for example, has expressed that his company's AI is making a significant difference in Ukraine's favor. Former Google chief, Eric Schmidt, visited Ukraine to explore future investment opportunities and is now supporting a local start-up incubator for military technologies. However, there are concerns about the growing dependence on commercial tech firms. For instance, Elon Musk's dominance in satellite internet constellations and his decisions regarding Starlink have raised eyebrows. Despite the challenges, Ukrainian officials are optimistic that the presence of Western tech companies will have long-term benefits for the country, potentially transforming it into a hub for innovative technologies.
READ THE STORY: FT
Zoom revises terms again to say it doesn’t use customer data to train AI models
Analyst Comments: Zoom's rapid TOS revisions highlight the challenges tech companies face in balancing innovation with privacy concerns. As AI becomes increasingly integrated into products and services, companies must be transparent and cautious about how they use customer data, especially in a global market with varying privacy regulations. The backlash Zoom faced serves as a reminder of the importance of clear communication and the potential consequences of perceived overreach in data usage.
FROM THE MEDIA: Zoom, the popular communication app, has once again revised its terms of service (TOS) in response to significant criticism from users and privacy advocates. The company removed language that suggested it might use content from its platform to train artificial intelligence (AI) models. This decision came after Zoom initially clarified that it would seek customers' consent before using their data for AI training. Earlier in March, Zoom's TOS had been modified, granting the company a broad license to use customer data, including for AI training purposes. This change drew significant backlash, especially with concerns that it might violate the EU's General Data Protection Regulation (GDPR). Despite Zoom's recent introduction of AI features, the company now asserts that it does not use any communication data to train its AI or third-party models.
READ THE STORY: The Record
Incident response lessons learned from the Russian attack on Viasat
Analyst Comments: The Viasat incident underscores the evolving and complex nature of cyber threats in the modern era. It emphasizes the critical need for organizations to be prepared for potential cyberattacks, highlighting the value of prior engagement with cybersecurity experts and the importance of understanding regular operational patterns. The incident also brings to the forefront the significance of public-private collaboration in cybersecurity, as seen in the partnership between Viasat and the NSA. The unresolved question regarding the source of the valid credentials serves as a reminder of the sophisticated tactics employed by cyber adversaries and the continuous challenges faced in cybersecurity investigations.
FROM THE MEDIA: On February 24, 2022, Viasat, a Ka-band satellite provider, was targeted in a cyberattack linked to the Russia-Ukraine conflict, resulting in the shutdown of tens of thousands of its broadband modems. The incident was dissected at the Black Hat and DEF CON conferences, where Viasat and the National Security Agency (NSA) shared their experiences. The attack began with unauthorized access attempts using valid credentials and culminated in the deployment of a wiper binary (the malware later named AcidRain by SentinelOne) that rendered the modems inoperable. While the NSA had been monitoring potential cyber threats, this attack was unexpected. By May 10, 2022, the attack was publicly attributed to Russia. Viasat emphasized the importance of incident response preparedness, information sharing, and understanding "normal" operations in order to respond effectively to such threats.
READ THE STORY: CSO
Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability
Analyst Comments: The lesson of this story is that patching is not remediation. CVE-2023-3519 gives an unauthenticated attacker code execution on an internet-facing appliance, and many of these NetScalers were backdoored before the July patch was applied; the update closes the door but leaves the web shell in place. Every NetScaler that was exposed before patching should be treated as potentially compromised until proven otherwise: inspect the web roots for files that do not belong, check for new or modified PHP files dated after the exploitation window, review access logs for unexpected POST requests to those files, and rotate any credentials and session keys that lived on the appliance. The uneven distribution of shells relative to vulnerable hosts is also a reminder that exposure counts and compromise counts are different numbers.
FROM THE MEDIA: In a recent cybersecurity incident, nearly 2,000 Citrix NetScaler instances were compromised through a critical security vulnerability, CVE-2023-3519. The flaw, which affects NetScaler ADC and Gateway servers, allows unauthenticated remote code execution. Although Citrix patched it in July, adversaries had already placed web shells on vulnerable NetScalers, granting them persistent access. A follow-up analysis by NCC Group's Fox-IT revealed that while many administrators had patched their NetScalers, they had not checked for signs of successful exploitation. As a result, 1,828 NetScaler servers remain backdoored. Most of the compromised servers are located in European countries, including Germany, France, and Switzerland. Interestingly, while Canada, Russia, and the U.S. had many vulnerable servers, almost none of them were found to have web shells.
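The gap Fox-IT found is between "patched" and "checked". As an added example, not Citrix's guidance, Fox-IT's tooling, or any published indicator list, the sweep below shows the shape of that check: walk the directories an appliance serves PHP from, flag files modified after a cutoff date, and grade any file whose content wires request input into eval, exec or decode routines, which is what a one-liner web shell looks like. The web-root paths in DEFAULT_ROOTS are placeholders I am assuming; point the sweep at the directories your own appliance serves from. The demo tree is constructed inside the script so it runs anywhere.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed placeholders, not Citrix's published paths: adjust to the directories
# your NetScaler actually serves PHP from before running on an appliance.
DEFAULT_ROOTS = ["/var/netscaler/logon", "/netscaler/ns_gui"]
WEB_EXTENSIONS = {".php", ".phtml", ".php5"}

# Constructs typical of minimal PHP web shells. A match is a lead for a human, not a conviction.
SHELL_PATTERNS = {
    "eval":         re.compile(rb"\beval\s*\(", re.I),
    "decode":       re.compile(rb"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "exec":         re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "request":      re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[", re.I),
    "dynamic_call": re.compile(rb"\$\w+\s*\(\s*\$"),  # $f($x) style indirection
}


def classify_bytes(data: bytes) -> list:
    """Return the shell-pattern names that fire on a file's content."""
    hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(data)]
    # Request input feeding eval/exec/decoded code is the classic one-liner shell.
    if "request" in hits and ({"eval", "exec", "decode", "dynamic_call"} & set(hits)):
        hits.append("request-driven-execution")
    return hits


def scan_file(path: Path, since_epoch: float):
    """Flag a web file that is newer than the cutoff or contains shell-like code."""
    try:
        st = path.stat()
        data = path.read_bytes()
    except OSError:
        return None
    hits = classify_bytes(data)
    recent = st.st_mtime >= since_epoch
    if not hits and not recent:
        return None
    if "request-driven-execution" in hits:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "low"   # new file with no shell-like code: expected after a patch, still worth a glance
    return {"path": str(path), "mtime": st.st_mtime, "recent": recent,
            "hits": hits, "severity": severity}


def sweep(roots, since_epoch: float) -> list:
    """Walk the web roots and return findings, highest severity and newest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.suffix.lower() in WEB_EXTENSIONS:
                    f = scan_file(p, since_epoch)
                    if f:
                        findings.append(f)
    return sorted(findings, key=lambda f: (order[f["severity"]], -f["mtime"]))


def demo() -> list:
    """Run the sweep over a constructed tree: one legitimate page, one dropped shell."""
    root = Path(tempfile.mkdtemp())
    cutoff = time.time() - 3600
    page = root / "index.php"
    page.write_bytes(b"<?php include 'header.php'; echo 'Sign in'; ?>")
    os.utime(page, (cutoff - 86400, cutoff - 86400))      # untouched since before the cutoff
    shell = root / "vpn" / "m.php"
    shell.parent.mkdir()
    shell.write_bytes(b"<?php @eval(base64_decode($_POST['c'])); ?>")  # constructed one-liner shell
    return sweep([root], cutoff)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["path"], ",".join(f["hits"]), "recent" if f["recent"] else "")
```

Run it with a cutoff set to the start of the exploitation window rather than the patch date, because the shells went in before the patch. Expect a crop of "low" findings after any update (the patch itself rewrites files); the "high" entries, and any file in a directory that should hold no PHP at all, are the ones to pull for analysis together with the access logs that show who posted to them.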
READ THE STORY: THN
NRO to select providers of new forms of optical satellite imagery
Analyst Comments: The NRO's move to solicit proposals for advanced optical imaging technologies underscores the agency's commitment to staying abreast of the latest advancements in the satellite imaging sector. By reaching out to commercial entities, the NRO is not only fostering innovation but also ensuring that it has access to the most cutting-edge imaging capabilities. This approach is likely to bolster the NRO's surveillance and reconnaissance capabilities, especially in an era where rapid technological advancements are the norm.
FROM THE MEDIA: The National Reconnaissance Office (NRO) is actively seeking proposals from commercial entities that operate optical imaging satellites. This initiative, named "Commercial Electro-Optical Capabilities," aims to explore new and emerging imaging types that were not part of the Electro-Optical Commercial Layer contracts awarded to Maxar Technologies, BlackSky, and Planet Labs last year. The NRO is particularly interested in technologies such as nighttime imaging, non-Earth imaging, multispectral imaging, video, and infrared imaging. The deadline for proposal submissions is August 28. NRO Director Chris Scolese said that while the NRO already has access to a vast array of commercial imagery sources, the agency is keen to tap the latest capabilities that have surfaced in the industry recently. The broad agency announcement (BAA) indicates that the government is looking for imagery products across the electro-optical spectrum. Notably, the commercial non-Earth imagery sector, which involves imaging objects in space, is an emerging field where companies like Maxar are aiming to establish a foothold.
READ THE STORY: SpaceNews
Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn
Analyst Comments: By hosting pages on reputable cloud services such as Cloudflare R2 and AWS Amplify, attackers inherit the hosting domain's reputation, so URL filters and users' own instincts are less likely to flag the link. Gating the page behind Cloudflare Turnstile and loading the phishing content only under specific conditions defeats automated crawlers and sandboxes, which see a challenge page or a blank page instead of the credential form. Detection therefore has to lean on the other end of the transaction: where the submitted credentials are posted, and which identities then authenticate from unfamiliar locations, rather than where the page happens to live.
FROM THE MEDIA: Cybersecurity experts have raised alarms over the increasing misuse of Cloudflare R2, a cloud data storage service, by cybercriminals to host phishing pages. Over the past six months, there has been a 61-fold surge in such activities. Netskope security researcher, Jan Michael, highlighted that most of these phishing campaigns are aimed at acquiring Microsoft login credentials, though some target other cloud apps like Adobe and Dropbox. These phishing campaigns not only use Cloudflare R2 for distributing static phishing pages but also employ Cloudflare's Turnstile, a CAPTCHA alternative, to hide these pages behind anti-bot barriers, making detection harder. The content of these malicious sites is designed to load only under specific conditions, adding another layer of detection evasion.
READ THE STORY: THN
Europe space chief warns over political wavering on climate
Analyst Comments: The concerns raised by Aschbacher underscore the urgency of the climate crisis and the need for cohesive and decisive action from global leaders. The recent extreme weather events serve as a stark reminder of the tangible impacts of climate change. The potential funding challenges faced by the ESA's Copernicus program could hinder Europe's ability to monitor and respond to environmental changes effectively. This situation emphasizes the interconnectedness of political decisions, such as Brexit, with global challenges like climate change. The call for immediate action and the potential consequences of inaction should serve as a wake-up call for leaders worldwide.
FROM THE MEDIA: Josef Aschbacher, the director general of the European Space Agency (ESA), has expressed concerns over the apparent hesitancy of politicians regarding European leadership in the fight against climate change. He emphasized the urgency of the situation, pointing to the recent record heatwaves and vegetation fires as alarming evidence of global warming's acceleration. Countries like Greece, Italy, Spain, and Portugal have experienced unprecedented temperatures and wildfires this summer. The World Meteorological Organization has also noted that July had the highest global average temperature for any month on record. Aschbacher stressed the importance of immediate action, stating that the costs of inaction in the long term would be significantly higher. He also highlighted the role of satellite measurements in providing clear evidence of the recent heat emergency in southern Europe. The ESA's Copernicus program, which monitors the planet's "vital signs," faces potential funding challenges due to a gap of 721 million euros, primarily resulting from the UK's exit from the European Union.
READ THE STORY: Reuters
Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics
Analyst Comments: The evolution of the Monti ransomware underscores the adaptability and resilience of cybercriminal groups. By constantly updating and refining their tools and tactics, these groups pose an ever-changing threat to organizations.
FROM THE MEDIA: The Monti ransomware group has made a comeback after a two-month hiatus, introducing a new Linux variant of their ransomware. This new version targets the government and legal sectors. Monti initially appeared in June 2022, shortly after the Conti ransomware group ceased its operations. The Monti group initially mimicked Conti's tactics and tools, even using its leaked source code. However, the latest version of the ransomware has diverged significantly from its predecessors. According to Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio, while previous versions had a 99% similarity rate with Conti, the new variant only has a 29% similarity rate, indicating a major overhaul. Some of the changes include the addition of a '--whitelist' parameter, changes in encryption methods, and alterations in file encryption based on file size.
READ THE STORY: THN
Major LinkedIn Account Takeover Campaign Underway
Analyst Comments: The pattern Cyberint describes looks like a credential-driven takeover at scale rather than a platform breach: accounts are being hit with login attempts, and the fact that MFA-protected accounts are among the targets points to leaked or brute-forced passwords rather than a flaw in LinkedIn itself. Once in, the attacker changes the recovery email and the password, so the legitimate owner cannot use the normal reset flow, and the surge in searches for LinkedIn support shows how many people discover this only after the lockout. The practical advice is unglamorous: a unique password, MFA enabled, a recovery email the attacker cannot also reach, and a check of the account's active sessions and contact details now rather than after the fact.
FROM THE MEDIA: A major global account takeover campaign targeting LinkedIn users has been observed over recent weeks. Cyberint, a threat intelligence vendor, reported that many LinkedIn users have been locked out of their accounts, leading to a surge in searches for LinkedIn support and advice on account compromise. Google Trends data indicates a significant increase in searches related to the hacked-account campaign over the past 90 days. The attackers are attempting to breach accounts, even those protected by multi-factor authentication (MFA). If successful, they change the password and email address associated with the LinkedIn account, effectively locking out the legitimate owner. Some victims have received ransom messages asking for small amounts to regain access, while others have had their accounts deleted. There is speculation about how the attackers obtained access, with theories pointing to credentials from a previous LinkedIn breach or the use of brute-force tools. Hijacked accounts could be used for blackmail, social engineering, and data collection.
READ THE STORY: InfoSecMag
US urges Iran to stop selling drones to Russia
Analyst Comments: The situation highlights the complexities of international relations and the ripple effects of arms sales in global conflicts. The U.S. approach to Iran underscores its strategic interest in curbing Russia's military advantage in the ongoing Ukraine conflict. The indirect talks between the U.S. and Iran, while focused on the drone issue, could potentially open doors for broader diplomatic engagement, especially concerning the nuclear crisis. However, the intricacies of international arms sales and the vested interests of the nations involved make it a challenging issue to navigate.
FROM THE MEDIA: The U.S. has approached Iran with concerns about its drone sales to Russia, as reported by the Financial Times on August 16, 2023. These discussions, held in Qatar and Oman, are part of broader talks aimed at reducing tensions and addressing the nuclear crisis between the two nations. The U.S. believes that Russia is using these drones in the conflict in Ukraine. While Iran officially denies its drones are being used in Ukraine, the U.S. is pressing for more concrete action. In a reciprocal arrangement, Russia is reportedly aiding Iran with cyber weapons and assistance in its missile program.
READ THE STORY: The Bharate Express
Items of interest
Abnormal Security’s CEO explains how ‘defensive A.I.’ will someday defeat cyber attacks
Analyst Comments: While innovations like ChatGPT offer a plethora of advantages, they simultaneously introduce new challenges in cybersecurity. Evan Reiser's insights emphasize the ongoing tug-of-war between cyber attackers and those defending against them, with AI being a pivotal tool for both parties. The launch of tools such as CheckGPT showcases the proactive steps companies are taking to combat the potential risks of AI-generated content. As the landscape of AI continues to shift and grow, it's evident that businesses and cybersecurity entities must remain both alert and adaptable to safeguard their digital resources.
FROM THE MEDIA: Evan Reiser, CEO of Abnormal Security, has expressed concerns about the potential misuse of advanced AI tools like ChatGPT by cyber attackers. Abnormal Security, founded in 2018 by Reiser and Sanjay Jeyakumar, specializes in detecting and preventing email cyber attacks using AI and machine learning. The company's technology profiles behavior by analyzing data from platforms such as Slack to identify socially-engineered email scams. Reiser believes that the rise of sophisticated chatbots like ChatGPT has amplified the complexity of email-based attacks. He acknowledges that defenders are currently at a disadvantage, predicting that AI-driven cyber attacks might set back cybersecurity advancements for a year or two. However, he remains optimistic about the future, asserting that "defensive AI" will eventually prevail due to its data advantage. Abnormal Security has introduced CheckGPT, a tool that helps companies identify if an email was crafted using generative AI tools. The startup, last valued at $4 billion in early 2022, has recently announced an annual recurring revenue of $100 million.
READ THE STORY: Fortune
The A.I. Dilemma (Video)
FROM THE MEDIA: Tristan Harris and Aza Raskin discuss how existing A.I. capabilities already pose catastrophic risks to a functional society, how A.I. companies are caught in a race to deploy as quickly as possible without adequate safety measures, and what it would mean to upgrade our institutions to a post-A.I. world.
AI Checklist for Cyber Defense (Video)
FROM THE MEDIA: In this episode, we ask ChatGPT how best to secure a company from cyber attacks. Then our security experts judge its responses.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.