Daily Drop (581): Space Force: RSD, Flax Typhoon: Taiwan, Arm's Vulnerability to China, China: Internet, Whiffy Recon Malware, SEC's Scrutiny on SolarWinds, China's Strategic Moves, Telekopye
08-25-23
Friday, Aug 25, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Space Force Launches Initiative for Rapid Satellite Deployment
Analyst Comments: The "Tactically Responsive Space Challenge" underscores the U.S. Space Force's commitment to ensuring rapid response capabilities in space, especially during emergencies. By inviting industry participation, the Space Force aims to tap into innovative solutions that can be swiftly implemented. This initiative not only highlights the growing importance of space in defense and security strategies but also emphasizes the need for agility and speed in satellite deployment.
FROM THE MEDIA: The U.S. Space Force has initiated a program named "Tactically Responsive Space Challenge" aimed at rapidly deploying satellites during emergencies or conflicts. The challenge, which will run from August 30 to September 28, invites companies to submit their proposals via the DoD Small Business Innovation Research portal. Winning proposals can secure "direct to Phase 2" Small Business Technology Transfer (STTR) contracts, with awards reaching up to $1.7 million. The Space Force seeks solutions that can address on-orbit needs within a 24-hour timeframe. The challenge encompasses six areas, including logistics, payload sensors, spacecraft buses, launch vehicles, and ground systems. The initiative is managed by SpaceWERX and the Space Systems Command, with the goal of prototyping selected technologies within 15 months and deploying them in two years.
READ THE STORY: SN
Chinese Nation-State Group 'Flax Typhoon' Targets Taiwanese Organizations in Stealthy Espionage Campaign
Analyst Comments: The activities of Flax Typhoon underscore the evolving nature of cyber threats emanating from nation-state actors. The group's emphasis on using built-in tools and benign software to maintain stealth and persistence in target networks is indicative of a broader trend among advanced threat actors to "live off the land" and minimize their digital footprint. The geopolitical context, especially the ongoing tensions between China and Taiwan, adds another layer of complexity to the situation. Microsoft's decision to publicize this information underscores the gravity of the threat and the potential downstream impact on global organizations.
FROM THE MEDIA: A Chinese nation-state hacking group, tracked by Microsoft's Threat Intelligence team as "Flax Typhoon" and also known as "Ethereal Panda," has been implicated in cyber espionage activities against numerous Taiwanese organizations. The group's primary objective is to gain and maintain prolonged access to these networks, using minimal malware and relying more on tools inherent in the operating system and other benign software. While the main targets are Taiwanese entities, including government agencies, educational institutions, and IT organizations, some victims have also been identified in Southeast Asia, North America, and Africa. The group has been active since mid-2021. Their tactics involve exploiting known vulnerabilities in public-facing servers, using web shells, and establishing persistent access through methods like Remote Desktop Protocol (RDP). A distinctive aspect of their tradecraft is modifying the Sticky Keys accessibility feature so that it launches the Task Manager. Microsoft's revelation comes amid heightened tensions between China and Taiwan, with Beijing intensifying its rhetoric around "reunifying" Taiwan with mainland China.
READ THE STORY: CyberScoop // THN // The Record
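The Sticky Keys modification described above is a well-documented Windows persistence pattern: an attacker registers a "Debugger" value for an accessibility helper (sethc.exe for Sticky Keys, utilman.exe, osk.exe, and similar) under the Image File Execution Options (IFEO) registry key, so that pressing the accessibility hotkey launches the registered program instead. The check below is an added defender-side example, not code from the digest or from Microsoft's report; it parses a Windows registry export (.reg text) and reports any accessibility binary that has a Debugger value set. The registry path and binary names are real Windows locations; the sample export is constructed for the example.

```python
"""Detect Debugger hijacks of Windows accessibility binaries in a .reg export.

Added example (not from the original digest). Run it against a real export with
`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`
and pass the file contents to parse_reg_export(); the embedded sample is constructed.
"""
import re
import sys

# Real registry location where IFEO Debugger values live.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Accessibility helpers reachable from the logon screen; none of them should
# legitimately have a Debugger value on a production host.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Constructed sample export: one benign IFEO entry, one Sticky Keys hijack that
# launches Task Manager (the behaviour the digest describes), and one accessibility
# binary with a non-Debugger value that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\taskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"GlobalFlag"=dword:00000200
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg formatted text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, value = match.groups()
            keys[current][name] = value
    return keys


def _unquote(value):
    """Turn a .reg string literal ("C:\\\\x") into its plain form (C:\\x)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\")
    return value


def find_ifeo_debuggers(reg_keys):
    """Return [(image_name, debugger_command)] for hijacked accessibility binaries."""
    findings = []
    prefix = IFEO_PREFIX.lower()
    for key, values in reg_keys.items():
        if not key.lower().startswith(prefix):
            continue
        # First path segment after the IFEO prefix is the image name.
        rest = key[len(IFEO_PREFIX):].lstrip("\\")
        image = rest.split("\\")[0].lower()
        if image in ACCESSIBILITY_BINARIES and "Debugger" in values:
            findings.append((image, _unquote(values["Debugger"])))
    return findings


def report(text):
    """Human-readable lines for each finding; empty list means nothing suspicious."""
    return [f"IFEO Debugger set for {image}: {cmd}"
            for image, cmd in find_ifeo_debuggers(parse_reg_export(text))]


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for line in report(source) or ["no accessibility-binary Debugger values found"]:
        print(line)
```

A finding here is a strong signal but not proof by itself; pair it with a hash check of the accessibility binaries in System32 (replacing the file is the other common variant of the same technique) and with RDP logon events, since this persistence is only useful to someone who can reach the logon screen.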
Arm's Vulnerability to China Trade War Exposed in SEC Filing
Analyst Comments: The revelations in Arm's SEC filing are significant, shedding light on the intricate dynamics of global trade and the potential repercussions of geopolitical tensions on tech industries. The fact that Arm has dedicated a substantial portion of its filing to discuss the potential risks in China underscores the importance of the Chinese market to its operations. The ongoing trade war between the U.S. and China is not just a political or economic issue; it has tangible implications for businesses operating in both countries. Arm's concerns about its Neoverse cores highlight the complexities of global supply chains and the challenges businesses face in navigating regulatory landscapes. The situation with Arm China further complicates the scenario, emphasizing the need for multinational corporations to maintain a delicate balance in their overseas operations.
FROM THE MEDIA: Arm, the British chip designer, in its recent SEC filing, highlighted its concerns about the potential of being excluded from the Chinese market. The filing, which was primarily about its upcoming IPO, revealed that China accounts for approximately a quarter of Arm's revenues. The document detailed the risks and uncertainties Arm faces in doing business in China, especially amidst the ongoing trade war. The U.S. has been imposing stricter trade restrictions on the sale of sensitive semiconductor technologies to curb China's domestic foundry industry. In response, China has restricted the sale of certain raw materials used in semiconductor production. Arm's Neoverse cores, which compete with Intel and AMD's processors, are particularly at risk due to their high performance, which falls under U.S. and U.K. export control regimes. The filing also touched upon the challenges posed by Arm's relationship with Arm China, which operates semi-independently and had previously faced management issues. Arm anticipates a decline in royalty and licensing revenues from China due to these challenges.
READ THE STORY: The Register
China Wants to Run Your Internet
Analyst Comments: The piece provides a comprehensive overview of the geopolitical implications of internet governance, highlighting the stark contrast between the original vision of the internet and China's proposed New IP. The potential for the New IP to be used as a tool for state surveillance and control is alarming, especially given the global nature of the internet. The emphasis on collaborative efforts in internet governance and the risks associated with a fragmented internet is clear. The historical context of technical standards setting offers a deeper understanding of the current challenges, serving as a call to action for Western powers to find a middle ground with China and ensure the internet remains a global, open platform.
FROM THE MEDIA: "China Wants to Run Your Internet" by Edoardo Campanella and John Haigh delves into the historical context of nations setting technical standards for dominant technologies. The internet, initially designed to be decentralized, is now at the center of a battle for governance. China has proposed the "New IP," a redesign of the internet that, while officially aimed at building "intrinsic security," could serve as a massive surveillance and information control system. China's strategy is to shift the development of internet standards from a collaborative, multistakeholder system to a nation-state driven forum. The New IP centralizes control of data transfer, potentially allowing for state surveillance, censorship, and propaganda.
READ THE STORY: FP
Whiffy Recon Malware: Tracking Infected Devices via Wi-Fi
Analyst Comments: The indictment of Tornado Cash's founders underscores the increasing scrutiny and regulatory challenges faced by cryptocurrency platforms, especially those that potentially enable money laundering and other illicit activities. The involvement of such platforms in large-scale financial crimes can have significant implications for the broader cryptocurrency industry, potentially leading to stricter regulations and oversight. The case also highlights the global nature of cryptocurrency operations, and the challenges authorities face in tracking and apprehending individuals involved in cross-border cybercrimes. The actions taken by the DoJ and OFAC emphasize the U.S. government's commitment to combating cyber-related financial crimes and ensuring the integrity of the financial system.
FROM THE MEDIA: The introduction of Whiffy Recon showcases the evolving tactics of cyber adversaries. Its ability to frequently track the location of an infected device is both novel and concerning. The continuous 60-second interval of location tracking suggests that the threat actors have a keen interest in real-time movement or the specific geolocation of the compromised device. While the malware's primary function seems to be location tracking, its potential integration with other malicious tools or its use in more extensive campaigns cannot be ruled out. The fact that such a capability is rarely used by criminal actors indicates that its deployment might be for more specialized or targeted operations.
READ THE STORY: THN
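The one concrete behaviour the item above attributes to Whiffy Recon is a fixed 60-second reporting interval, and that regularity is itself something a defender can look for. The script below is an added example, not from the digest or from the original research, and it makes no claim about the malware's real destinations or protocol: it groups outbound web-proxy events by source host and destination, measures the gaps between consecutive events, and flags pairs whose gaps are tightly clustered around one period. The log lines and hostnames are constructed.

```python
"""Flag fixed-interval ("beaconing") outbound connections in proxy log lines.

Added example, not from the original digest. Log format assumed here is
"<ISO8601 timestamp> <source ip> <destination host> <status>"; adapt parse_log()
for your proxy's format. All sample data is constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one host reporting every ~60 s, one host browsing irregularly."""
    base = datetime(2023, 8, 25, 10, 0, 0)
    lines = []
    # Ten check-ins at 60 s with a second or two of jitter, like a timer-driven reporter.
    for i, jitter in enumerate([0, 1, -1, 2, 0, 1, -2, 0, 1, 0]):
        t = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 geo-api.example.invalid 200")
    # Ordinary user browsing to one site: bursts and long pauses, no stable period.
    for offset in [5, 9, 40, 41, 130, 300, 310, 480, 485, 600]:
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.7 www.example.invalid 200")
    return sorted(lines)


def parse_log(lines):
    """Group event timestamps by (source ip, destination host)."""
    events = defaultdict(list)
    for line in lines:
        ts, src, host, _status = line.split()
        events[(src, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(events, min_events=8, max_jitter_ratio=0.1):
    """Return pairs whose inter-event gaps are regular enough to look timer-driven.

    Regularity is measured as population stdev of the gaps divided by their median,
    so a 60 s beacon with a few seconds of jitter scores well under 0.1 while human
    browsing (gaps of seconds to minutes) scores far above it.
    """
    hits = []
    for (src, host), times in events.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter_ratio = statistics.pstdev(gaps) / period
        if jitter_ratio <= max_jitter_ratio:
            hits.append({"src": src, "host": host, "count": len(times),
                         "period_s": period, "jitter": round(jitter_ratio, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(build_sample_log())):
        print(f"{hit['src']} -> {hit['host']}: {hit['count']} events, "
              f"period {hit['period_s']:.0f}s, jitter {hit['jitter']}")
```

Legitimate software (update checkers, monitoring agents, chat clients) also beacons on fixed timers, so the output is a triage list, not a verdict: the useful next step is to baseline which (host, destination) pairs beacon normally and alert only on new ones, or on ones whose destination is a geolocation or Wi-Fi lookup service the host has no business reason to use.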
SEC's Scrutiny on SolarWinds: Implications for CISOs and Cybersecurity Reporting
Analyst Comments: The SEC's decision to issue a Wells Notice to SolarWinds's CISO is a significant development, signaling a shift in the regulatory landscape. This move underscores the increasing importance of cybersecurity disclosures and the potential legal implications for not only companies but also individual executives. The SEC's actions emphasize the need for companies to have robust cybersecurity measures, transparent reporting mechanisms, and clear lines of responsibility. CISOs, in particular, should be aware of the regulatory focus on their roles and ensure that they have the necessary processes in place to detect, evaluate, and report cyber incidents promptly.
FROM THE MEDIA: On June 23, 2023, SolarWinds, an information security software company, announced that the U.S. Securities and Exchange Commission (SEC) issued Wells Notices to some of its executives, including CFO J. Barton Kalsu and CISO Tim Brown, regarding potential securities violations linked to a 2020 data breach. This breach, disclosed in December 2020, was orchestrated by the Russian Foreign Intelligence Service (FIS) which injected malicious code into SolarWinds's "Orion" software. This allowed FIS to exploit SolarWinds's software updates to access data from entities using the Orion software. The SEC's Wells Notice signifies its intention to recommend charges and provides the recipients an opportunity to argue against such charges. This is the first instance of a CISO receiving a Wells Notice, highlighting the SEC's intensified focus on timely and significant cybersecurity-related disclosures and holding individuals accountable for company violations.
READ THE STORY: CPO MAG
China's Strategic Moves to Bypass US Semiconductor Restrictions
Analyst Comments: China's strategic moves underscore the nation's determination to become self-reliant in the semiconductor industry, especially in the face of mounting US restrictions. By recruiting foreign-trained experts and covertly expanding its semiconductor infrastructure, China is signaling its intent to remain a major player in the global tech industry. Huawei's alleged covert operations indicate the lengths to which companies will go to ensure their survival and growth in a geopolitically charged environment. The decision by the US to extend exemptions for South Korean and Taiwanese semiconductor companies suggests a recognition of the interconnectedness of the global semiconductor supply chain and the potential repercussions of overly restrictive policies.
FROM THE MEDIA: In response to the stringent US sanctions that have hampered its semiconductor industry, China is reportedly recruiting engineers from other countries to enhance its local chip production capabilities. Huawei, a leading Chinese tech company, is said to be establishing a clandestine network of semiconductor plants throughout China. This move is seen as a strategy to counteract the US's efforts to limit China's access to advanced technology. The new initiative, named Qiming, is being managed by the Ministry of Industry and Information Technology. This initiative is designed to run alongside other recruitment drives by local and provincial authorities. Furthermore, Huawei is believed to be expanding its covert semiconductor infrastructure in China to address the challenges posed by US sanctions. The Semiconductor Industry Association (SIA) has reported that Huawei has acquired at least two existing factories and is constructing at least three more, all under different company names to hide its involvement.
READ THE STORY: The Register
Telekopye: The New Telegram Bot Powering Phishing Scams from Russia
Analyst Comments: The emergence of Telekopye highlights the evolving sophistication of cybercriminal operations. The use of a popular platform like Telegram to automate phishing scams showcases the adaptability and innovation of threat actors. The centralized nature of the operation, combined with a clear hierarchical structure, indicates a high level of organization and coordination. This suggests that cybercriminal enterprises are becoming more professionalized, posing a greater threat to potential victims. The long-standing activity of Telekopye since 2015 also underscores the importance of continuous vigilance and the need for individuals and organizations to stay updated on the latest cyber threats.
FROM THE MEDIA: A new cyber threat named Telekopye, a combination of Telegram and the Russian word for "spear," has emerged. This malicious Telegram bot is being used by threat actors, referred to as Neanderthals, to automate phishing scams. The toolkit allows for the creation of phishing web pages from pre-existing templates and sends the URL to potential victims, termed Mammoths by the criminals. The bot provides easy-to-use menus, making it accessible for multiple scammers simultaneously. The origins of these threat actors are believed to be Russia, as evidenced by the use of Russian SMS templates and the targeting of Russian online marketplaces. Telekopye has been active since 2015, indicating its consistent use and maintenance. The scam involves Neanderthals building trust with their Mammoths, sending them a fake link generated by the Telekopye phishing kit, and then extracting funds once the victim provides payment details. The stolen funds are then converted into cryptocurrency. The phishing domains are designed to appear legitimate, making them hard to identify. The operation is centralized, with stolen funds directed to a shared account overseen by the Telekopye administrator. The criminal enterprise is highly organized, with a clear hierarchy of roles. To avoid falling victim, individuals are advised to be cautious of the language used in messages and to insist on in-person exchanges when dealing with online marketplaces.
READ THE STORY: THN
Privacy Regulators Warn Social Media Companies of Data Scrapers
Analyst Comments: The joint statement by international privacy regulators underscores the increasing global concern about the protection of user data, even when it's publicly available. The emphasis on the potential misuse of scraped data for malicious activities like cyberattacks, identity fraud, and even espionage by foreign governments highlights the gravity of the issue. The fact that even AI companies, which often rely on vast amounts of data for training, are not explicitly mentioned but are implicitly included in the warning indicates a broadening scope of scrutiny. The provided suggestions for companies to protect against data scraping are practical and emphasize both technical and user-awareness approaches.
FROM THE MEDIA: An international consortium of privacy regulators has issued a warning to social media companies and other businesses about the risks of data scrapers. In a joint statement by 12 agencies, they emphasized that even publicly accessible personal information is still protected under data protection and privacy laws in most jurisdictions. The primary concern is that data scrapers might collect user data for malicious purposes, such as cyberattacks or identity fraud. The statement, which includes signatories from countries like the U.K., Australia, Canada, and New Zealand, does not specifically target artificial intelligence companies but does highlight the potential legal challenges for companies that do not adequately protect user data.
READ THE STORY: The Record
Lazarus Group Targets Zoho ManageEngine Flaw to Deploy QuiteRAT Malware
Analyst Comments: The Lazarus Group's ability to swiftly exploit vulnerabilities, especially just days after proof-of-concepts emerge, underscores their agility and the potential risks they pose to global cybersecurity. Their shift towards using open-source tools during the initial stages of their attacks suggests a strategic evolution, possibly to evade detection or to leverage the benefits of such tools. The exploitation of a critical flaw in a widely-used platform like Zoho ManageEngine ServiceDesk Plus indicates that organizations must prioritize patching and updating their systems promptly. The Lazarus Group's continuous adaptation and expansion of their malicious toolkit emphasize the need for constant vigilance and proactive defense strategies in the cybersecurity domain.
FROM THE MEDIA: The Lazarus Group, a threat actor linked to North Korea, has been exploiting a critical security flaw in Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan named QuiteRAT. This malware targets crucial internet infrastructure and healthcare entities in Europe and the U.S., as reported by cybersecurity firm Cisco Talos. The group's consistent use of known tradecraft indicates their confidence in their operations. QuiteRAT is believed to be an evolution of the previously known MagicRAT malware, with a significantly smaller file size. The Lazarus Group's recent activities show a shift towards using open-source tools during the initial access phase of their attacks.
READ THE STORY: THN
FBI Warns of Ineffective Patches for Critical Barracuda ESG Flaw CVE-2023-2868
Analyst Comments: The continued exploitation of the Barracuda ESG flaw, even after patches were released, underscores the severity and persistence of the threat. The fact that the patches were ineffective raises concerns about the robustness of the response to such critical vulnerabilities. Organizations using Barracuda ESG appliances should heed the FBI's advice and take immediate action to replace compromised appliances and conduct thorough network scans. The linkage of the attacks to a group believed to be connected to China further emphasizes the geopolitical implications of such cyber threats.
FROM THE MEDIA: The FBI has issued a warning regarding the ineffectiveness of patches for the critical Barracuda Email Security Gateway (ESG) flaw, CVE-2023-2868. Despite the patches, threat actors continue to exploit the vulnerability in ongoing hacking campaigns. Barracuda had previously alerted its customers about breaches in some of its ESG appliances due to this zero-day vulnerability. The flaw, discovered in May, was exploited to deploy malware, allowing persistent backdoor access. The malware families used in these attacks include SALTWATER, SEASPY, and SEASIDE. Barracuda had recommended that all affected ESG appliances be replaced, regardless of their patch version. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog and shared details about the malware used in the attacks. Mandiant researchers have linked the attacks to the UNC4841 threat actor group, believed to be connected to China.
READ THE STORY: Security Affairs
Lazarus Group Targets ManageEngine ServiceDesk Vulnerability in Recent Attacks
Analyst Comments: The Lazarus Group's persistent and evolving cyberattacks underscore their adaptability and the potential threats they pose to global entities. Their shift towards using open-source tools early in their attack campaigns indicates a strategic move to evade early detection and complicates attribution efforts for security analysts. Organizations need to be vigilant, ensuring that their systems are regularly updated and patched, especially when vulnerabilities become publicly known. The reuse of the same infrastructure by Lazarus suggests that tracking their digital footprint might offer opportunities for early detection and defense against their campaigns.
FROM THE MEDIA: The North Korean state-sponsored Lazarus Group has been actively exploiting a vulnerability in ManageEngine ServiceDesk, targeting a UK internet backbone provider and multiple healthcare entities across Europe and the US. This marks their third campaign within a year, consistently reusing the same infrastructure. In this recent attack, they exploited the ManageEngine ServiceDesk flaw, CVE-2022-47966, to deploy a new remote access trojan (RAT) named QuiteRAT. Additionally, another malware strain, CollectionRAT, was discovered during the investigation.
READ THE STORY: SCMAG
UN's Cybercrime Treaty: A Potential Global Surveillance Tool
Analyst Comments: The ongoing negotiations on the UN cybercrime treaty highlight the complex interplay between cybersecurity, international cooperation, and human rights. While the intent to combat cybercrime is commendable, the potential for misuse, especially by authoritarian regimes, is alarming. The treaty's broad and ambiguous definitions could provide a veneer of international legitimacy to state-sponsored surveillance and censorship. It underscores the importance of ensuring that international agreements, especially in the digital realm, are crafted with clear safeguards to protect individual rights and freedoms.
FROM THE MEDIA: The United Nations is currently in the process of negotiating an international treaty on countering cybercrime. While the treaty's objective is to define online crime and enhance international cooperation against it, there are rising concerns about its potential misuse. Originally proposed by Russia and backed by nations like China, North Korea, and Iran, critics argue that the treaty might be used by authoritarian regimes to legitimize cross-border surveillance and criminalize online speech. During the treaty's sixth negotiating session in New York, human rights and digital privacy advocates expressed fears that the treaty, in its current form, could enable governments to target activists, journalists, and marginalized communities. The Electronic Frontier Foundation (EFF) and other organizations have called for clearer wording in the treaty to ensure judicial oversight on surveillance and to establish minimum data protection standards.
READ THE STORY: The Register
Viasat Faces Another Satellite Malfunction Shortly After Recent Incident
Analyst Comments: Viasat's recent challenges with satellite malfunctions, especially following its acquisition of Inmarsat, could raise concerns about the company's satellite reliability and quality assurance processes. While the immediate financial implications seem contained, repeated incidents might affect customer trust and the company's reputation in the long run. It's crucial for Viasat to address these issues promptly and ensure robust quality checks to prevent future malfunctions.
FROM THE MEDIA: Viasat, a global communications company, has reported a malfunction in its second communications satellite within a short span. The affected satellite, I6 F2, is part of the fleet from the recently acquired U.K.-based Inmarsat. Launched in February, the I6 F2 satellite experienced a power system failure while ascending to its operational orbit, where it was intended to serve as a backup. Although Airbus, the satellite's manufacturer, and Viasat are evaluating the possibility of the satellite's recovery, sources suggest the chances are slim. Despite this setback, Viasat has clarified that the malfunction will neither impact current customer services nor significantly alter the financial forecast provided in August. This incident follows closely on the heels of a malfunction in Viasat's $750 million ViaSat-3 Americas satellite.
READ THE STORY: CNBC
Items of interest
The US-China Chip War: Reshaping Global Power Dynamics and Opportunities for India
Analyst Comments: The escalating chip war between the US and China underscores the strategic importance of the semiconductor industry in global geopolitics. The US's efforts to bolster its domestic semiconductor industry and reduce tech leaks to China highlight the sector's significance in national security and economic growth. China's countermeasures, like the MIC 2025 initiative and restrictions on certain exports, indicate its intent to become self-reliant and reduce dependencies on the West. As the two superpowers recalibrate their tech strategies, other nations, like India, have an opportunity to position themselves advantageously in the global semiconductor supply chain.
FROM THE MEDIA: The ongoing technological rivalry between the US and China, particularly in the semiconductor sector, is reshaping global power dynamics. Semiconductors, or chips, are crucial to various sectors, including manufacturing, trade, and communication. The competition between the world's two largest economies in this domain is bound to have worldwide implications due to the technological and commercial interdependencies. President Biden's recent executive order aims to prevent technology leaks to China, reflecting concerns over China's aggressive tech strategies and unfair practices. While the US has made domestic strides in semiconductor production and job creation, the global implications of this tech war are intricate, with both nations taking measures to reduce dependencies on each other. Amidst this rivalry, India could potentially benefit if it positions itself strategically in the semiconductor supply chain.
READ THE STORY: ORF
Inside the US-China battle for silicon chip supremacy (Video)
FROM THE MEDIA: From computers to toasters, smartphones to refrigerators, semiconductors are essential in our daily lives.
China bans export of chip-making metals amid tech-war with US (Video)
FROM THE MEDIA: China is restricting the export of two materials vital to the semiconductor industry from Tuesday. Germanium and gallium are needed to make chips used in everything from solar panels to warships. The export controls are in response to a range of restrictions imposed by the US.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.