Daily Drop (579): RU: Laundering & Sanction, Space Junk, LinkedIn: Chinese Spies, Spacecolon, Submarine Cables, Credential Harvesting, Exactly & Harbor Protocol, fine-tune OpenAI's GPT-3.5, Mil Sat
08-23-23
Wednesday, Aug 23, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Ukrainian hackers expose money laundering and sanction evasion by senior Russian politician
Analyst Comments: The increasing frequency and severity of cyberattacks, as indicated by the news stories, underscore the escalating cyber threats globally. The alleged hacking of a prominent Russian politician's email by Ukrainian hackers, if verified, could have significant geopolitical implications, especially given the tense relations between the two countries. Meta's privacy issues in Norway suggest that even tech giants are under scrutiny for their data practices. The disruption of Ecuador's National Election emphasizes the vulnerability of critical infrastructures and democratic processes to cyber threats.
FROM THE MEDIA: The news snippet from "teiss" highlights a series of cyber-related incidents and concerns. The most prominent story revolves around Ukrainian hackers, known as "Cyber Resistance", who claim to have infiltrated the email account of Alexander Babakov, a significant Russian politician linked to the Kremlin. They claim to have uncovered evidence of money laundering and sanction evasion. Other notable incidents include Meta (formerly Facebook) being accused of privacy violations in Norway, cyber disruptions in Ecuador's National Election, and Siemens Healthineers investigating a hacking claim. The "Most Viewed" section lists several high-profile cyber incidents, including attacks on Pornhub, Capita IT Systems, and a major data breach at Morris Hospital.
READ THE STORY: TEISS
Exposed: The Chinese spy using LinkedIn to hunt UK secrets
Analyst Comments: The utilization of social media platforms, especially professional networking sites like LinkedIn, by foreign spies underscores the evolving nature of espionage in the digital age. The blending of traditional human intelligence gathering with cyber tactics presents a multifaceted challenge for national security agencies. The fact that spies can operate remotely, using digital platforms to target a wide range of individuals, from government officials to researchers, highlights the need for heightened cyber awareness and digital literacy. The proactive measures taken by platforms like LinkedIn, as indicated by their statement, are crucial. However, individuals and organizations must also be vigilant and discerning when engaging with unknown profiles or receiving unsolicited offers. The "Think Before You Link" campaign by MI5 is a step in the right direction, emphasizing the importance of digital caution.
FROM THE MEDIA: A report from "The Times of London" reveals that a Chinese spy has been using LinkedIn to solicit UK officials for state secrets. Over a span of five years, this spy, believed to be operating from the Chinese Ministry of State Security's headquarters in Beijing, created multiple fake LinkedIn profiles. These profiles often used stock images and listed fictitious companies as employers. The spy then reached out to security officials, civil servants, and scientists with access to sensitive data. This individual is considered by Western security services to be one of the most active spies working against British interests in recent times. The spy used various aliases, with "Robin Zhang" being the primary one. The modus operandi involved establishing relationships and then offering large sums of money for classified information. One recruitment consultant was even offered $10,000 for details of an intelligence service candidate. The UK's security minister, Tom Tugendhat, confirmed the Home Office's awareness of such activities and emphasized the need for caution among government employees, businesses, researchers, and academics. This isn't the first instance of Chinese spies leveraging LinkedIn; a similar case was reported in 2020.
READ THE STORY: Insider
Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks
Analyst Comments: The rise of sophisticated toolsets like Spacecolon emphasizes the evolving nature of cyber threats. The global reach of the Scarab ransomware attacks, targeting a diverse range of institutions, underscores the indiscriminate nature of such threats. The fact that the threat actor, CosmicBeetle, targets servers with missing critical security updates highlights the importance of regular system updates and patches. The use of social engineering, combined with advanced malware strains, presents a multifaceted challenge for cybersecurity professionals.
FROM THE MEDIA: A malicious toolset named Spacecolon is being used in a campaign to distribute variants of the Scarab ransomware to victim organizations worldwide. ESET security researcher Jakub Souček suggests that the toolset likely infiltrates victim organizations by compromising vulnerable web servers or by brute-forcing RDP credentials. The Slovak cybersecurity firm ESET has named the threat actor behind this CosmicBeetle and traced the origins of Spacecolon back to May 2020. The majority of victims are located in countries like France, Mexico, Poland, Slovakia, Spain, and Turkey. Although the exact origin of the adversary is uncertain, some Spacecolon variants contain Turkish strings, hinting at a Turkish-speaking developer's involvement. Targets of these attacks include a diverse range of institutions, from a hospital in Thailand to a school in Mexico. The primary component of Spacecolon is ScHackTool, which deploys an installer to set up ScService, a backdoor that can execute commands, download and execute payloads, and gather system information.
READ THE STORY: THN
Submarine cables: the US-China cold war threatening the global internet
Analyst Comments: The submarine cable cold war between the US and China underscores the strategic importance of digital infrastructure in today's geopolitics. The intertwining of economic, political, and technological interests between these two superpowers could significantly impact global internet connectivity and stability. The potential fragmentation of the internet into separate ecosystems could have far-reaching consequences, not just for the two nations but for the global community.
FROM THE MEDIA: The ongoing cold war between the US and China is now threatening the global internet infrastructure, specifically submarine cables. While Beijing initially made progress in establishing its submarine internet infrastructures, Washington's countermeasures have effectively halted China's cable deployment. The US has been proactive in curbing China's ambitions regarding submarine internet cables, especially around Taiwan, a major hub in the Pacific region. China's "Digital Silk Road" initiative, launched in 2015, aims to support physical trade routes with digital highways, thereby strengthening its economic and political influence. Huawei Marine Networks, a subsidiary of Huawei, was a significant player in this initiative until US sanctions forced a transfer of its cables division to Hengtong Optic-Electric Co Ltd, which was then renamed HMN. The US's concerns revolve around the potential for Beijing to use this infrastructure for espionage. As a result, Washington has blocked several projects involving Chinese participation, even if they had no direct link to the US. Despite these setbacks, Beijing remains resilient, continuing its efforts to establish its dominance in the submarine cable sector.
READ THE STORY: InCyber
Hackers exposed 2.6 million Duolingo users, more available for scraping
Analyst Comments: The incident underscores the pressing need for robust cybersecurity measures, especially for platforms with vast user bases like Duolingo. Users should remain vigilant about the personal information they share online and be wary of potential phishing schemes.
FROM THE MEDIA: Duolingo, the renowned language learning app, has faced a significant data exposure issue with the details of 2.6 million users now accessible on the cybercrime marketplace, BreachForums. Initially put up for sale in January on a hacker's forum, the data encompasses email addresses, usernames, phone numbers, social network details, and other user-specific information like language studies and achievements. While Duolingo acknowledges the scraping of public profile data, they deny any formal data breach. The vulnerability reportedly lies in Duolingo's exposed API, which allows hackers to retrieve public profile details by simply submitting a username or email. Founded in 2011 by Luis von Ahn and Severin Hacker, Duolingo boasts over 500 million registered users.
READ THE STORY: CyberNews
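The Duolingo story above describes scraping through a public profile-lookup API keyed by username or email. As an added defender-side example (not Duolingo's code), the script below runs a sliding-window enumeration detector over constructed access-log lines; the `/api/profile` path, the log format and the sample clients are all assumptions.

```python
"""Flag clients that look up many distinct identifiers against a public
profile endpoint in a short window (bulk scraping), while ignoring a
client that repeatedly fetches one profile. Added example; the endpoint
path, log format and sample addresses are constructed, not Duolingo's."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log: "<timestamp> <client ip> <method> <path?query>".
SAMPLE_LOG = """\
2023-08-21T10:00:01Z 203.0.113.5 GET /api/profile?username=alice
2023-08-21T10:00:02Z 203.0.113.5 GET /api/profile?username=bob
2023-08-21T10:00:02Z 203.0.113.5 GET /api/profile?email=carol%40example.com
2023-08-21T10:00:03Z 203.0.113.5 GET /api/profile?username=dave
2023-08-21T10:00:03Z 203.0.113.5 GET /api/profile?username=erin
2023-08-21T10:00:04Z 203.0.113.5 GET /api/profile?username=frank
2023-08-21T10:00:10Z 198.51.100.7 GET /api/profile?username=alice
2023-08-21T10:00:11Z 198.51.100.7 GET /api/profile?username=alice
2023-08-21T10:05:00Z 198.51.100.9 GET /api/profile?email=gina%40example.com
2023-08-21T10:05:01Z 198.51.100.9 GET /static/logo.png
"""

PROFILE_PATH = "/api/profile"          # hypothetical lookup endpoint
LOOKUP_PARAMS = ("username", "email")  # identifiers the endpoint accepts


def parse_line(line):
    """Return (timestamp, ip, (param, value)) for a profile lookup, else None."""
    ts, ip, _method, target = line.split()
    url = urlparse(target)
    if url.path != PROFILE_PATH:
        return None
    qs = parse_qs(url.query)
    for key in LOOKUP_PARAMS:
        if key in qs:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            return when, ip, (key, qs[key][0].lower())
    return None


def find_enumerators(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {ip: max distinct identifiers seen in any `window`} for clients
    that reached `threshold` distinct usernames/emails within that window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            when, ip, ident = rec
            events[ip].append((when, ident))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until every event fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {ident for _, ident in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct profile lookups within one minute")
```

In production the same signal would feed a rate limit keyed on distinct identifiers per client, and an email address should never be accepted as a lookup key for public data because a hit confirms that the address belongs to an account.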
Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead
Analyst Comments: The attacker's agile methodology in malware development signifies a new era where cyber adversaries can quickly adapt and refine their tools based on feedback and changing environments. Their shift to multi-cloud targeting underscores the increasing importance of robust security measures across all cloud platforms. The German elements within the attacker's operations might provide a potential lead for attribution, but it also serves as a reminder that cyber threats can emerge from any corner of the globe. The use of masquerading domains, especially those mimicking legitimate AWS domains, is a clever tactic to evade detection and signifies the sophistication of the attacker.
FROM THE MEDIA: The report from Permiso p0 Labs and SentinelLabs highlights an attacker's agile development approach in creating and refining their credential harvesting malware. Over a month, the attacker deployed eight distinct iterations of their malware, with a primary focus on cloud services. Their strategy has expanded from AWS-centric attacks to now encompass multi-cloud environments, including GCP and Azure. Interestingly, several elements within the attacker's code and infrastructure hint at a German origin, such as specific error messages and the use of the German word "Datei." The detailed changelog provided in the report offers a deep dive into the attacker's development process, revealing their evolving priorities and tactics. The attacker's infrastructure primarily relies on the hosting service Nice VPS, and they've employed multiple domains, some of which masquerade as legitimate AWS domains, to further their campaign.
READ THE STORY: THN
Millions stolen from crypto platforms Exactly Protocol and Harbor Protocol
Analyst Comments: The increasing frequency and magnitude of cyberattacks on cryptocurrency platforms underscore the vulnerabilities inherent in the rapidly evolving DeFi sector. Exactly Protocol's significant loss, despite its recent success in attracting deposits, highlights the attractiveness of such platforms to cybercriminals. Harbor Protocol's repeated security incidents raise concerns about the robustness of the security measures in place. The lack of clarity and communication from the platforms post-incident can further erode trust among users, as evidenced by the frustrations voiced on Harbor's Telegram channel. The exploitation of Vyper, a widely used programming language, suggests that attackers are not just targeting platforms but also the underlying infrastructure of the crypto ecosystem. With Lazarus and other groups actively targeting these platforms, it is imperative for companies in the DeFi space to bolster their security measures, regularly audit their systems, and maintain transparent communication with their user base.
FROM THE MEDIA: Two cryptocurrency platforms, Exactly Protocol and Harbor Protocol, recently suffered significant losses due to cyberattacks. Exactly Protocol, a decentralized finance platform, confirmed a security issue and temporarily paused its operations, allowing only withdrawals. The platform, which facilitates lending and borrowing of crypto assets, announced earlier in the month that it had amassed deposits worth over $100 million. While initial reports suggested a loss of over $12 million, the company later confirmed that $7.3 million worth of ETH was stolen. Harbor Protocol, a DeFi tool by ComDex, also reported a cyberattack but did not specify the amount stolen. Harbor had previously faced a security incident earlier in the year. These attacks follow a significant breach three weeks prior, where the popular Web3 programming language, Vyper, was exploited, resulting in the theft of at least $61 million in cryptocurrency. North Korea's Lazarus hacking group is a known perpetrator of such attacks on cryptocurrency platforms.
READ THE STORY: The Record
You can now fine-tune OpenAI's GPT-3.5 for specific tasks – it may even beat GPT-4
Analyst Comments: The move to allow fine-tuning of GPT-3.5 Turbo highlights the flexibility and potential cost savings that can be achieved by optimizing existing models rather than always moving to newer, more expensive ones. For developers and businesses, this offers an opportunity to get more tailored performance from a model without necessarily incurring higher operational costs. The emphasis on fine-tuning also underscores the importance of customization in AI, where generic models might not always be the best fit for specific applications.
FROM THE MEDIA: OpenAI has introduced the capability for developers to fine-tune its GPT-3.5 Turbo model, potentially making it more efficient and cost-effective than the newer GPT-4 model for specific tasks. Fine-tuning allows the enhancement of an already-trained large language model's performance by training it further on custom data. This can make a model more specialized, such as a health chatbot giving more accurate medical advice. OpenAI suggests that a fine-tuned GPT-3.5 Turbo can match or even surpass the base GPT-4's capabilities on certain tasks. Without fine-tuning, developers rely on better input prompts to guide the model's behavior. OpenAI charges users based on the number of tokens processed in input and output. Fine-tuning can reduce costs by enabling shorter input prompts. A customized GPT-3.5 Turbo might be more economical in the long run compared to GPT-4, especially since GPT-4 is pricier than GPT-3.5 Turbo. OpenAI plans to offer fine-tuning for GPT-4 later in the year.
READ THE STORY: The Register
Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware
Analyst Comments: The unmasking of EVLF and their malware products highlights the ongoing challenges in the cybersecurity landscape. The fact that such sophisticated tools can be sold as a service to other cybercriminals underscores the organized and commercial nature of modern cybercrime. The ability of these RATs to access a wide range of information on a victim's device is concerning, especially given the increasing reliance on mobile devices for both personal and professional activities.
FROM THE MEDIA: A Syrian threat actor named EVLF has been identified as the creator of the Android malware families CypherRAT and CraxsRAT. These Remote Access Trojans (RATs) allow attackers to remotely control a victim's device, including accessing the camera, location, and microphone. Cybersecurity firm Cyfirma revealed that these RATs are being sold to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. Over the past three years, approximately 100 unique threat actors have purchased these tools on a lifetime license. EVLF has been operating a web shop to market their products since September 2022. CraxsRAT is particularly dangerous, with features like bypassing Google Play Protect, live screen view, and a shell for command execution. The malware also seeks permissions to access a variety of information from the victim's device. EVLF has a Telegram channel named "EvLF Devz" with over 10,000 subscribers. Following the public disclosure of their activities, EVLF announced on August 23, 2023, that they would be discontinuing the project.
READ THE STORY: THN
Pentagon dumps $1.5B more into military sat network that's already slipping behind
Analyst Comments: The PWSA project is ambitious and holds significant strategic importance for the US military's future operations. The "proliferated" design approach is innovative and could serve as a deterrent against potential threats in the space domain. However, the challenges faced so far, especially the concerns raised by the FAA, highlight the complexities of deploying such a vast network in space. It's crucial for the SDA and associated agencies to address these challenges promptly to ensure the project's success and maintain the intended timeline.
FROM THE MEDIA: The US Department of Defense has invested an additional $1.5 billion into the Pentagon's Proliferated Warfighter Space Architecture (PWSA) satellite constellation. Managed by the Space Development Agency (SDA) of the Space Force, this project aims to launch a network of small satellites to provide essential services to the US military, including low-latency tactical data links and improved missile tracking. The design strategy is to have a large number of satellites in orbit, making it difficult for potential adversaries, like Russia and China, to disable the network by destroying a few satellites. However, the project has faced setbacks, including supply chain delays and concerns from the Federal Aviation Administration (FAA) over potential electromagnetic interference.
READ THE STORY: The Register
Cyberattack on Belgian social service centers forces them to close
Analyst Comments: The cyberattack on CPAS underscores the vulnerability of public service institutions to cyber threats. The decision to take all systems offline highlights the severity of the threat and the institution's commitment to safeguarding its data and services. Ransomware attacks, in particular, have become increasingly common, targeting both public and private entities. The potential shift to manual processes indicates the challenges institutions face in maintaining services during such incidents. Belgium's previous experiences with cyberattacks and its proactive approach in developing a cybersecurity strategy suggest that the country recognizes the importance of bolstering its digital defenses.
FROM THE MEDIA: The Public Center for Social Action (CPAS) in Charleroi, Belgium, has temporarily closed its social branches due to a cyberattack. These institutions, which are present in all 581 municipalities in Belgium, offer a range of social services, including financial assistance, housing, and medical and legal advice. The cyberattack was detected on a Monday morning, prompting the IT team to take all systems offline as a precautionary measure. Although CPAS did not specify the nature of the attack, local newspaper Sudinfo reported it as a ransomware incident with the attackers demanding a ransom. Despite the cyberattack, nursing homes, citizen spaces, and home care centers remain operational. The spokesperson for the institution indicated that they might resort to manual processes, using pen and paper, to continue their services.
READ THE STORY: The Record
Space junk targeted for cleanup mission was hit by different space junk, making more space junk
Analyst Comments: The collision of VESPA with another piece of space debris underscores the growing problem of space junk and the potential risks it poses to active satellites and space missions. The incident serves as a reminder of the urgent need to address space debris and highlights the importance of missions like ClearSpace-1. As space activities increase, with more satellites being launched, especially with projects like SpaceX's Starlink, the need for effective space debris management becomes even more critical. Efforts to mandate space operators to clean up their debris within a shorter timeframe are a step in the right direction, but more comprehensive solutions and international cooperation are required to tackle this issue effectively.
FROM THE MEDIA: The European Space Agency (ESA) revealed that a piece of space debris, which was targeted for removal in a future cleanup mission, has been hit by another piece of space junk, thereby increasing the amount of space debris in Earth's orbit. The debris in question, the Vega Secondary Payload Adapter (VESPA), weighing 112 kg, was left in space following the 2013 launch of an Arianespace Vega rocket. The ESA's ClearSpace-1 mission was scheduled to remove VESPA in 2026, aiming to be the first mission to remove an existing object from orbit. The ESA had signed a $126 million contract with Swiss startup ClearSpace SA for this mission. Despite the recent collision, the ESA stated that the ClearSpace-1 mission would continue as planned, but the impact of the event is being evaluated.
READ THE STORY: The Register
Items of interest
Space is the next cybersecurity frontier
Analyst Comments: The increasing privatization of the space industry and its growing significance to various sectors underscores the need for robust cybersecurity measures. As space becomes the next frontier for cyber threats, both the government and private entities must collaborate to ensure the security of space systems. The recent warnings and cyber exercises indicate a growing awareness of the potential threats, but proactive measures, international cooperation, and industry-wide standards might be necessary to adequately address the challenges.
FROM THE MEDIA: The U.S. is growing increasingly concerned about the security of its space systems, especially as private industry plays a larger role in their development. The National Counterintelligence and Security Center, the FBI, and the Air Force recently issued an advisory warning that foreign spies could be targeting commercial space firms. The advisory suggests that adversaries might aim to steal intellectual property, gather sensitive satellite payload data, or exploit supply chain vulnerabilities. However, the advisory does not specify the countries likely behind these potential attacks or the events that prompted the warning. As the space industry is projected to become a $1 trillion industry by 2030, its security is paramount. Many sectors, including agriculture, health care, transportation, and energy, depend on satellites for essential services. The challenge lies in securing these companies and their infrastructure from cyber threats, both in orbit and on the ground. As the space industry becomes more privatized, government visibility into these networks diminishes, giving private executives significant roles in national security. There have been recent cyber exercises focused on the space industry, including a "capture the flag"-style hacking competition involving an orbiting satellite.
READ THE STORY: Axios
Protecting Space capabilities and Cybersecurity framework (Video)
FROM THE MEDIA: Threats to space assets and their supporting infrastructure pose increasing risks to the economic promise of emerging markets in space. Space systems face a unique mix of challenges that makes their cybersecurity, from threat vectors to risk mitigation, considerably more complex. There are lessons from IT frameworks, however, that can help handle this better. Chair: Dr. Gulshan Rai, Chief Information Security Officer at the Prime Minister’s Office, Government of India
Cybersecurity on the Final Frontier: Protecting Our Critical Space Assets from Cyber Threats (Video)
FROM THE MEDIA: Our overwhelming reliance on space technology puts us in a precarious position. Like any other increasingly digitized critical infrastructure, satellites and other space-based assets are vulnerable to cyberattacks. These concerns are no longer merely hypothetical and, if not mitigated, could interfere with the space-enabled technology we take for granted in our day-to-day lives as well as national security and global economic development broadly.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.