Daily Drop (578): China: NWO, US CHIPS, Ukrainian: Russian Parliament, China’s Engagement, Ivanti, Seiko data breach, SoftBank’s Arm, DJI
Tuesday, Aug 22, 2023
China’s blueprint for an alternative world order
Analyst Comments: China's strategy is multifaceted. By aligning with the developing world, China is associating with the most populous and fastest-growing segment of the global population. This alignment is evident in China's recent trade patterns, where its exports to the developing world surpassed those to the US, EU, and Japan combined. China's focus on the UN is strategic, aiming to repurpose the organization's authority to serve its interests. The nation's efforts to increase its influence within the UN, especially through Xi's initiatives, are evident. For instance, the "Group of Friends of the Global Development Initiative," founded by China in 2020, has about 70 member countries and has already held its inaugural ministerial meeting.
FROM THE MEDIA: China is actively working towards establishing an alternative world order, leveraging its economic strength to rally developing nations and diminish the West's dominance, especially over the United Nations (UN). This strategy was unveiled when Xi Jinping, China's leader, introduced the Global Development Initiative (GDI) during his speech at the UN in September 2021. The GDI, along with the Global Security Initiative and the Global Civilisation Initiative, aims to promote development, alleviate poverty, and enhance health in the developing world. These initiatives are seen as China's most assertive steps to rally the "global south" and bolster its influence in the UN. China's primary objective is to institutionalize its leadership over the developing world, ensuring open avenues for Chinese trade and investment and leveraging the voting power of these nations to project its values and power.
READ THE STORY: FT
Hey Joe, are those US CHIPS funds still coming? We kinda need them, says Micron
Analyst Comments: The semiconductor industry is of strategic importance, given its role in various sectors, from consumer electronics to defense. The U.S. government's CHIPS Act aims to revitalize domestic chip manufacturing, reducing dependency on foreign suppliers. Micron's application for funds underlines the significance of such incentives in ensuring the viability and competitiveness of U.S.-based chip manufacturing.
FROM THE MEDIA: Micron, an American chip manufacturer, has informed investors that federal grants and tax incentives are essential for the development of its announced chip fabrication plants (fabs) in Idaho and New York. The company has applied for funds under the CHIPS and Science Act, a $52.7 billion initiative by President Joe Biden to bolster the semiconductor industry. This act includes $39 billion for manufacturing incentives for companies that establish chip factories in the U.S. Micron had previously announced its plans to build a $15 billion memory fab in Boise, Idaho, and a DRAM fab in Clay, New York, with a budget of $100 billion. The New York facility is expected to span over 20 years, with the first phase having a $20 billion budget. The state of New York has provided $5.5 billion in incentives for this project.
READ THE STORY: The Register
Ukrainian hackers claim to leak emails of Russian Parliament deputy chief
Analyst Comments: The hacking activities and subsequent leaks by Ukrainian groups like "Cyber Resistance" indicate an escalating cyber conflict between Ukraine and Russia. The targeting of high-profile individuals like Babakov, who has significant ties to the Kremlin, suggests that these hacker groups are aiming to expose alleged corrupt practices and undermine the credibility of Russian officials. The involvement of InformNapalm, an international community, highlights the global interest and collaborative efforts in analyzing such leaks. While the authenticity of the leaked documents is yet to be verified, if proven true, it could have diplomatic and political repercussions.
FROM THE MEDIA: A Ukrainian hacker group named "Cyber Resistance" claims to have accessed the email account of Alexander Babakov, a deputy chairman of Russia’s parliament. The leaked 11 GB data allegedly contains Babakov’s personal and financial documents. While the authenticity of the documents remains unverified by Recorded Future News, the international volunteer community, InformNapalm, has analyzed the data. Their findings suggest Babakov's involvement in money laundering activities and efforts to bypass Western sanctions. Babakov, known for his close ties to the Kremlin, has been expanding cooperation with African and Asian countries to counteract Western sanctions. Ukrainian cybersecurity officials believe that such cyber intelligence is crucial in understanding and thwarting Russia's plans.
READ THE STORY: The Record
How China’s Engagement with the Global South Challenges US Dominance
Analyst Comments: The West's diminishing influence in the Global South is a result of both its own missteps and China's strategic outreach. The US, in particular, has failed to foster genuine, mutual relationships with many countries in the Global South, often viewing them through a narrow lens of self-interest. This has created a vacuum that China is keen to fill. China's strategy, which emphasizes economic collaboration without political strings attached, resonates with many countries that have felt sidelined or patronized by the West. The Ukraine conflict, rather than being a standalone event, is a manifestation of these deeper shifts in global power dynamics.
FROM THE MEDIA: The conflict in Ukraine has illuminated the shifting dynamics of global politics, emphasizing the West's misjudgment of the Global South's stance on the Russian invasion. While the Global South envisions a multipolar world and prioritizes economic collaboration, the West has been losing its grip due to perceived patronizing attitudes and policies. Concurrently, China, under Xi Jinping's leadership, is emerging as a formidable global leader, actively courting the Global South with economic incentives and alternative multilateral institutions. This approach contrasts with the West's often conditional aid. Data reveals the waning economic power of traditional Western alliances, like the G7, in comparison to emerging economies, particularly the BRICS nations.
READ THE STORY: ModernDiplomacy
Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software
Analyst Comments: The disclosure of this zero-day flaw in Ivanti's software underscores the importance of continuous monitoring and patching in the cybersecurity landscape. While Ivanti has been proactive in warning its users, the active exploitation of the flaw is concerning. Organizations using Ivanti's software should take immediate measures to mitigate the risk, especially if they have exposed port 8443 to the internet. The fact that this flaw can be weaponized in conjunction with other vulnerabilities highlights the layered threats that organizations face.
FROM THE MEDIA: Ivanti, a software services provider, has issued a warning about a critical zero-day flaw in its Sentry software that is currently being exploited. The flaw, tracked as CVE-2023-38035 with a CVSS score of 9.8, is an authentication bypass affecting versions 9.18 and earlier. It stems from an insufficiently restrictive Apache HTTPD configuration and, if exploited, allows an unauthenticated actor to access sensitive APIs used by the Ivanti Sentry administrator portal. Although the flaw carries a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. Successful exploitation could let attackers change configurations, run system commands, or write files onto the system. The company says it is aware of only a limited number of affected customers. Norwegian cybersecurity firm mnemonic discovered and reported the flaw.
READ THE STORY: THN
Prolific ransomware gang takes credit for Seiko data breach
Analyst Comments: The cyberattack on Seiko underscores the escalating threat of ransomware attacks on global corporations. The AlphV/Black Cat ransomware gang's ability to target high-profile companies indicates their sophistication and the potential risks they pose to other major entities. The connection between this group and the Darkside ransomware group, if accurate, suggests a pattern of targeting critical infrastructure and high-revenue companies. The cascading effects of such attacks, as noted by Matsubara, emphasize the broader implications for multiple sectors, not just the targeted organization.
FROM THE MEDIA: Japanese watchmaker Seiko has confirmed a data breach after the AlphV/Black Cat ransomware gang claimed responsibility for a cyberattack on the company. Seiko, which reported revenues exceeding $1.7 billion this fiscal year, discovered the potential breach on July 28 and engaged cybersecurity experts on August 2. The investigation revealed unauthorized access to at least one server. Screenshots of stolen data, including spreadsheets and presentations, were shared by the ransomware gang. AlphV/Black Cat has been linked to several high-profile attacks in 2023, targeting companies like Estée Lauder, Reddit, Casepoint, and NCR. There's speculation that the same hackers were behind the Darkside ransomware group, known for the Colonial Pipeline attack. Seiko is currently determining the extent of the compromised information and has advised its customers and partners to be vigilant.
READ THE STORY: The Record
SoftBank’s Arm unveils plans for biggest US IPO in nearly two years
Analyst Comments: The upcoming IPO of Arm is significant not just for SoftBank but also for the broader tech and IPO markets. Arm's dominant position in the smartphone chip market makes it a key player in the tech industry. However, its reliance on the Chinese market, coupled with the unique challenges presented by its operational structure in China, introduces a level of uncertainty. The fact that Arm is seeking to diversify into other areas, such as automotive and cloud computing, indicates that the company is looking for growth opportunities outside of its traditional stronghold. For SoftBank, a successful IPO could bolster its reputation as a leading tech investor, especially after some recent challenges.
FROM THE MEDIA: Arm, a chip designer owned by SoftBank, is set to have the largest US initial public offering (IPO) since November 2021, with plans to list on Nasdaq next month. SoftBank acquired Arm in 2016 for $32bn, and a recent internal transaction valued the company at $64bn. Arm's designs dominate the smartphone chip market, holding a share of over 99%. The company revealed that nearly a quarter of its revenues come from China, where its operations are managed by a local company outside of SoftBank's control. Despite its dominance in the smartphone chip market, Arm is facing challenges due to the market's biggest slump in a decade. The company reported a 1% decline in revenue, amounting to $2.7bn, for the year ending March 31. The IPO will involve SoftBank reducing its stake, and Arm will not receive any proceeds from it. SoftBank has engaged in discussions with potential investors, including Amazon, Intel, and Nvidia. The IPO is seen as a test for the US IPO market after a period of inactivity.
READ THE STORY: FT
Controversial Chinese drone maker DJI debuts a cargo carrier
Analyst Comments: DJI's introduction of the FlyCart 30 marks a significant advancement in the consumer drone market, especially in the cargo-carrying segment. The drone's capabilities, such as its dual battery system, cargo modes, and advanced navigation features, make it a versatile tool for various applications. However, the potential military applications of such drones, especially given DJI's past associations with conflict zones, raise concerns about their use in warfare or surveillance. The company's assertion that it doesn't market its products for military use will be under scrutiny, especially given the geopolitical tensions and the increasing use of drones in modern warfare.
FROM THE MEDIA: Chinese drone manufacturer DJI, which has faced US sanctions, has launched its first consumer cargo drone named FlyCart 30. Priced at $17,000, the all-weather drone can carry up to 30kg over 16km and can fly as far as 28km without cargo. By removing one of its two batteries, it can carry 40kg and reach speeds of 20 meters per second. The drone can operate in two cargo modes: using a container or a cable. The container can hold up to 70 liters, while the cable mode allows the drone to drop a package from the end of a 20-meter line. If the cargo touches the ground, the cable automatically releases it. The drone's controller assists pilots in selecting routes based on various factors, and the drone is equipped with a radar and vision system for obstacle avoidance. The drone can also use 4G for communication in case of signal issues. DJI has previously stated it doesn't sell its products for military use, but its drones have been seen in conflict zones.
READ THE STORY: The Register
Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack
Analyst Comments: The recent hacking campaign targeting Hong Kong organizations underscores the increasing threat of supply chain attacks in the cybersecurity landscape. The attackers' ability to compromise legitimate software updates and use signed malware highlights their sophistication and the challenges organizations face in detecting and mitigating such threats. The potential link to Chinese hacking efforts, based on the malware used and previous similar attacks, raises concerns about state-sponsored cyber activities and their implications for geopolitical relations. The focus on Hong Kong entities, given the region's political dynamics with mainland China, further emphasizes the potential for cyberattacks to be used as tools in larger geopolitical strategies.
FROM THE MEDIA: An unidentified hacking group has launched a supply chain attack through file protection, encryption, and decryption software, focusing on entities in Hong Kong and other parts of Asia. The Symantec Threat Hunter Team, a division of Broadcom, has named the group "Carderbee." The attackers compromised a Cobra DocGuard software update file in order to deploy the Korplug backdoor (also known as PlugX), a widely used piece of malware. The malware was signed with a legitimate Microsoft certificate, making it harder for security software to flag. The campaign began in April 2023 and was found on approximately 100 computers across several organizations. Given that Cobra DocGuard is installed on only about 2,000 computers, the attackers appear to be selectively targeting specific victims. The campaign is another instance of a successful supply chain attack. While Korplug/PlugX was initially linked to China-related hacking campaigns, its widespread use now makes conclusive attribution difficult.
READ THE STORY: Cyberscoop
Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer
Analyst Comments: The revelation of the identity behind the CypherRAT and CraxsRAT RATs highlights the importance of cybersecurity research in tracking and neutralizing cyber threats. The ability of the CraxsRAT to bypass initial detections and gradually request permissions showcases the evolving sophistication of malware and the challenges in combating them. The fact that the developer operated out of Syria and managed to sell over 100 licenses of a potent Android RAT underscores the global nature of the cyber threat landscape. The discovery of his identity through his participation in a crypto forum also emphasizes the role of operational security failures in exposing cybercriminals.
FROM THE MEDIA: Cyfirma researchers have identified the developer behind the CypherRAT and CraxsRAT remote access trojans (RATs). The individual, using the alias 'EVLF DEV', has been selling these RATs from Syria for the past eight years. CraxsRAT, in particular, is a potent Android RAT that has seen over 100 licenses sold. This RAT allows cybercriminals to craft highly customizable malicious packages that can initially bypass detection and request limited installation permissions. Once a victim installs the package, the attacker can progressively ask for more permissions. The RAT can also disrupt pages on infected devices, preventing victims from uninstalling the malicious application. While active, the RAT can monitor keystrokes, read messages, access contacts, call logs, device storage, and location. Cyfirma managed to freeze EVLF's cryptocurrency wallet and found his personal details after he participated in a cryptocurrency discussion forum.
READ THE STORY: OODALOOP
North Korean Attackers Penetrated Russian Rocket Designer’s Systems
Analyst Comments: The breach of a Russian missile maker by North Korean hackers underscores the complex and often unpredictable nature of international cyber espionage. While countries may have diplomatic or trade relations, their cyber activities can operate on a different plane, driven by strategic interests, intelligence gathering, and technological advancement. The fact that the breach remained undetected for months highlights the sophistication of state-sponsored cyber actors and the challenges organizations face in detecting and mitigating such threats. The accidental leak of internal communications serves as a reminder of the importance of operational security and the potential risks associated with sharing information, even within trusted communities.
FROM THE MEDIA: North Korean cyber attackers successfully breached the systems of a Russian missile maker, NPO Mashinostroyeniya, and maintained their presence for almost half a year. Two North Korean hacking groups, Lazarus and ScarCruft, were responsible for the intrusion, as reported by Reuters. The breach came to light after an IT staff member at NPO Mash accidentally leaked the company's internal communications while investigating the North Korean cyberattack: the staff member uploaded evidence to a private portal used globally by cybersecurity researchers. SentinelOne's security analysts discovered the breach after coming across the leaked email collection. The emails contained an implant related to previous campaigns by North Korean threat actors, and a deeper investigation revealed a more extensive intrusion. SentinelOne's Tom Hegel stated that the leaked data consisted of a significant volume of emails unrelated to their research, suggesting that the leak was accidental or the result of some other unrelated activity. The timeline of the intrusion's discovery aligns with significant events, such as Russia's veto of the UN's efforts to impose new sanctions over North Korea's ICBM launches.
READ THE STORY: Security Boulevard
Energy One reports cyber-attack on its corporate systems in Australia and the UK
Analyst Comments: The cyber-attack on Energy One underscores the increasing vulnerability of energy and utility companies to cyber threats. Given the critical nature of energy infrastructure and the potential cascading effects of a successful breach, such attacks can have significant implications not only for the targeted company but also for the broader energy grid and its consumers. The swift response by Energy One, including its engagement with cybersecurity specialists and notification of authorities, is commendable.
FROM THE MEDIA: Energy One, a wholesale energy software provider, reported a cyber-attack on its corporate systems in both Australia and the UK on 18 August. The company, which has been in operation for 15 years, offers software and services to businesses ranging from startups to multinational corporations, including energy retailers and generators in Australasia and Europe. Upon detecting the attack, Energy One took immediate measures to mitigate its effects, engaged cybersecurity specialists from CyberCX, and informed the Australian Cyber Security Centre and relevant UK authorities. The company is currently analyzing its systems to determine the extent of the breach and has temporarily disabled some links between its corporate and customer-facing systems. Energy One is also investigating the initial point of entry for the cyber-attack and whether any personal information or customer systems have been compromised.
READ THE STORY: CSO
Items of interest
'Cuba' Ransomware Group Uses Every Trick in the Book
Analyst Comments: Despite the Cuban references in their operations, evidence, including translation errors and malware behaviors, strongly indicates Cuba's Russian origin. Their modus operandi, characterized by the use of both custom and off-the-shelf tools and a deliberate operational pace, makes them a significant threat. Organizations are urged to prioritize detection technologies, timely software patching, and advanced threat intelligence as primary defense mechanisms against such adversaries. In the event of a breach, the importance of swift action cannot be overstated, as delays can result in substantial losses. Given Cuba's history and demonstrated capabilities, they remain a formidable threat, especially to organizations based in the US.
FROM THE MEDIA: The ransomware group known as Cuba, which has its roots in Russia, executed an attack in June targeting an American critical infrastructure provider and a systems integrator in Latin America. The attack began with an administrator-level login via the Remote Desktop Protocol (RDP), with no preceding signs of brute-forcing or vulnerability exploitation. In their multifaceted approach, Cuba exploited two specific vulnerabilities, CVE-2020-1472 "Zerologon" and CVE-2023-27532, deployed two of their custom malware families, BUGHATCH and BURNTCIGAR, and used well-known tools such as Metasploit and Cobalt Strike. Their operational strategy was marked by stealth: they moved methodically within the compromised network, spacing out their malicious activities over two months to remain undetected.
READ THE STORY: DARKReading
Ransomware Is An Epidemic And It's Getting Worse (Video)
FROM THE MEDIA: All over the world, criminals are locking up important computer systems and demanding crypto as a ransom. So-called ransomware is officially an epidemic, and cryptocurrencies sit at the nexus of the crisis.
How Hackers Write Malware & Evade Antivirus (Nim) (Video)
FROM THE MEDIA: The video begins with an analogy of the "hello world" program, which is typically the first code a programmer writes when learning a new language. The presenter aims to demonstrate a "hello world" equivalent for writing malware.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.