Daily Drop (582): China: ASML Stock Pile, UK: AI Chip Investment, TOR: Fighting DDoS, CISA's Vul. Disclosure Platform, Lazarus Group, Kroll: SIM Swapped, Azure: URL, Meta's Code Llama, DoJ: SpaceX
08-26-23
Saturday, Aug 26, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
China's Semiconductor Ambitions: A Race Against Restrictions
Analyst Comments: China's aggressive procurement of ASML lithography machines underscores its strategic endeavors to fortify its semiconductor industry, especially in the face of global technological tensions. The nation's proactive measures, such as recruiting chip talent from top-tier US universities and Huawei's recent licensing agreement with Ericsson, further highlight its commitment to achieving technological self-reliance. However, challenges loom on the horizon. The US's stringent stance on venture capital funding to Chinese tech sectors and potential chip restrictions could pose significant hurdles. As China accelerates its efforts in the semiconductor domain, the evolving international tech landscape will play a pivotal role in determining the trajectory of its ambitions.
FROM THE MEDIA: Chinese imports of ASML lithography chip-making machines have notably surpassed the Dutch company's projections for 2023. By the end of July, the imports of this pivotal semiconductor equipment reached a value of US$2.58 billion, overtaking ASML's forecast of US$2.36 billion. This surge in imports can be attributed to the forthcoming restrictions by the Netherlands on access to deep ultraviolet lithography systems, set to be implemented from September. This impending policy change has catalyzed a flurry of orders from Chinese semiconductor enterprises.
READ THE STORY: SCMP *State Sponsored Media*
UK Government Invests £100m in AI Hardware Development
Analyst Comments: The UK's significant investment in AI hardware development underscores the country's commitment to positioning itself as a leader in the AI sector. With the global semiconductor market being highly competitive, such strategic investments are crucial for nations to ensure they have the necessary infrastructure to support AI advancements. The UK's focus on generative AI models and its collaboration with major companies like NVIDIA indicates a forward-looking approach. The upcoming AI Safety Summit will further emphasize the country's dedication to establishing robust standards for AI use.
FROM THE MEDIA: The UK government has committed £100 million (equivalent to $126 million USD) to advance AI hardware development and address potential computer chip shortages. This initiative is led by public sector entities, UK Research and Innovation and the Department for Science, Innovation and Technology. The global demand for semiconductor chips has surged, with supply being constrained due to factors such as the COVID-19 pandemic and stockpiling. In this context, nations are vying to establish themselves as reliable bases for chip manufacturers, ensuring a steady supply for a future that is expected to be heavily influenced by AI. The UK's investment is specifically targeted at chips that can power generative AI models. The government has requested 5,000 GPUs from NVIDIA with the aim of establishing a national AI resource akin to the US's National Artificial Intelligence Research Resource Task Force. Additionally, the UK has plans to invest £900 million in developing compute capacity, which includes an exascale supercomputer. Earlier in March, the UK government had pledged £3.5 billion to technology and innovation, with £1 billion earmarked for super-computing and AI.
READ THE STORY: Tech Republic
Tor's Defense Against DDoS: The Proof-of-Work Approach
Analyst Comments: Tor's move to integrate a proof-of-work mechanism is a strategic response to the persistent threat of DDoS attacks. By imposing computational challenges, Tor aims to filter out malicious traffic, ensuring that genuine users can access the services without significant hindrance. However, there are potential downsides. The increased computational demands might disproportionately affect mobile users due to battery drainage concerns. As the digital landscape evolves, it will be crucial to monitor how these changes impact user experience and the overall efficacy of the Tor network in maintaining its commitment to privacy and security.
FROM THE MEDIA: Tor, an acronym for The Onion Router, has been a beacon for privacy enthusiasts for over two decades. It offers a unique onion routing technology that ensures user anonymity by relaying internet traffic through a complex network of nodes. However, from June of the previous year to May, Tor faced a massive distributed denial-of-service (DDoS) attack. While the intensity of this attack has decreased, Denial-of-Service (DoS) threats persist, affecting the performance and raising concerns about the security of the anti-censorship service. To counteract these DDoS threats, Tor developers have introduced a defense mechanism, initially proposed in April 2020, which has been incorporated into Tor version 0.4.8.4. This defense is based on the proof-of-work concept, a mechanism developed in 1992 by Moni Naor and Cynthia Dwork. The idea is simple: clients attempting to access .onion services might be required to complete minor proof-of-work tests. Legitimate users won't notice any difference, but those trying to flood the network with multiple connections will find these challenges a significant hindrance.
READ THE STORY: THN
CISA's Vulnerability Disclosure Platform: A Year in Review
Analyst Comments: CISA's VDP Platform has shown significant progress in its first 18 months, emphasizing the federal government's proactive approach to cybersecurity. The platform's success in addressing a majority of the reported vulnerabilities underscores its effectiveness. However, as cyber threats continue to evolve, it will be crucial for CISA and associated agencies to stay ahead of the curve, ensuring that the platform remains adaptive and responsive to emerging challenges.
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) has released its first annual report on the Vulnerability Disclosure Policy (VDP) Platform, highlighting its achievements and impact since its inception in July 2021. Over the course of 18 months, the platform received more than 1,300 valid cybersecurity vulnerability reports. Prompt action was taken on a majority of these reports, leading to an estimated savings of $4.35 million in response and recovery efforts. The VDP Platform, which has onboarded 40 agency programs, serves as a centralized system for agencies to receive vulnerability discoveries from cybersecurity researchers and other sources. These discoveries also include vulnerabilities identified during bug bounty contests. While direct submissions typically don't receive rewards, cash prizes are awarded through bug bounty competitions. Once agencies receive these reports, they are submitted to CISA for a consolidated approach to address and adjudicate significant vulnerabilities.
READ THE STORY: The Register
North Korea's Lazarus Group Targets Healthcare with New Malware
Analyst Comments: The Lazarus Group's continuous evolution and adaptation of new tactics underscore the persistent threat posed by state-sponsored hacking groups. Their focus on the healthcare sector, especially during a global pandemic, is particularly concerning due to the critical nature of healthcare services and data. The group's use of open-source tools is a strategic move, making attribution more challenging and speeding up the exploitation process.
FROM THE MEDIA: The Lazarus hacking group, believed to be operating on behalf of the North Korean government, has unleashed a new malware strain targeting the healthcare sector and internet infrastructure in Europe and the U.S. This revelation comes from two reports by Cisco Talos, which also highlighted Lazarus's alleged involvement in stealing $1.7 billion in cryptocurrency in 2022. The new malware campaign exploits a vulnerability in ManageEngine ServiceDesk, a suite used by numerous organizations, including 90% of Fortune 100 companies, for managing IT infrastructure, networks, servers, and more. The vulnerability, identified as CVE-2022-47966, was announced in January, with warnings about its exploitation by hackers. The attackers began exploiting this vulnerability in February to deploy a new and more intricate malware variant named QuiteRAT. This malware shares many features with other Lazarus malware strains but is harder for defenders to detect and analyze. The malware can gather data about the infected device and has a "sleep" feature, allowing it to remain dormant on a compromised network.
READ THE STORY: SCMAG
Kroll Employee Targeted in Sophisticated SIM Swapping Attack
Analyst Comments: SIM swapping, also known as SIM splitting or simjacking, is a technique where attackers fraudulently activate a SIM card under their control using a victim's phone number. This allows them to intercept SMS messages and voice calls, potentially gaining access to multi-factor authentication (MFA) messages that control access to online accounts. Attackers often gather personal information about their targets through phishing or social media to convince cellular carriers to port the victims' phone numbers to their SIM cards. Kroll took immediate measures to secure the three affected accounts and has informed the impacted individuals via email. An ongoing investigation has so far found no evidence that other systems or accounts were compromised. This incident comes shortly after Bart Stephens, co-founder of Blockchain Capital, filed a lawsuit against an anonymous hacker who allegedly stole $6.3 million in cryptocurrency through a SIM swap attack. The U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) recently advised telecommunications providers to implement stronger security measures to prevent SIM swapping. This includes offering customers the option to lock their accounts and enforcing rigorous identity verification checks.
FROM THE MEDIA: Kroll, a risk and financial advisory solutions provider, has reported that one of its employees was the victim of a "highly sophisticated" SIM swapping attack on August 19, 2023. The attack was directed at the employee's T-Mobile account. Without any authorization from Kroll or its employee, T-Mobile transferred the employee's phone number to the attacker's phone upon their request. This unauthorized transfer allowed the attacker to access specific files containing personal information of bankruptcy claimants related to BlockFi, FTX, and Genesis.
READ THE STORY: THN
Potential Security Risks with Azure AD's Abandoned Reply URL
Analyst Comments: This discovery underscores the importance of diligent oversight in application security, especially with widely-used platforms like Azure AD. The exploit, as described by Zane Bond from Keeper Security, can be seen as a more covert Man-in-the-Middle (MITM) attack, which doesn't hinge on typical user errors. Instead, it capitalizes on genuine webpages, in this instance, the abandoned reply URLs, to surreptitiously redirect authorization codes. Nick Rago from Salt Security further highlighted the evolving nature of API attack campaigns, many of which now commence with social engineering tactics. The key takeaway is the need for organizations to maintain vigilance, not only in direct security measures but also in user education and awareness, especially concerning potential phishing or spear-phishing attempts.
FROM THE MEDIA: The Secureworks Counter Threat Unit (CTU) identified a potential security risk associated with an Azure Active Directory (AD) app that had an abandoned reply URL. This oversight could enable attackers to redirect authorization codes to their devices, subsequently exchanging these codes for access tokens. By exploiting this, attackers could potentially access Microsoft’s Power Platform API, achieving elevated privileges that might be used for malicious purposes. Although CTU brought this to Microsoft's attention in early April, and Microsoft acted promptly to address the issue, the potential for misuse remains a concern. Microsoft's swift action involved removing the abandoned reply URL from the Azure AD app within 24 hours of notification. Notably, the CTU has not found evidence of any malicious use of the abandoned reply URLs as of their Aug. 24 blog post. However, since the application in question is vendor-managed, organizations have limited direct mitigation options. The primary recommendation is continuous monitoring for abandoned reply URLs.
READ THE STORY: SCMAG
Ohio Historical Society Faces Ransomware Attack, Thousands of SSNs Exposed
Analyst Comments: The ransomware attack on the Ohio History Connection underscores the increasing threat that such cyberattacks pose to organizations, regardless of their nature or size. The decision of the organization to negotiate with the attackers, albeit unsuccessfully, highlights the dire circumstances and the potential severity of data exposure. The transition to cloud-based services in response to the attack suggests a move towards more secure and resilient data storage solutions.
FROM THE MEDIA: The Ohio History Connection, one of the state's oldest historical societies, recently fell victim to a ransomware attack, compromising the sensitive data of thousands. Established in 1885, this nonprofit organization oversees over 50 sites and museums throughout Ohio and is responsible for the State Historic Preservation Office and the official state archives. The breach, which took place last month, was publicly acknowledged by the organization in a notice, revealing that cybercriminals had encrypted their data, demanding a multi-million dollar ransom to prevent its release. Although the Ohio History Connection attempted to negotiate with the attackers, their offer was declined on August 7, leading to the exposure of personal data. The breach specifically affected the names, addresses, and Social Security numbers of individuals employed by the organization from 2009 to 2023. This exposure was due to unauthorized access to W-9 reports and other records. Additionally, documents related to OHC vendors and checks from donors since 2020 were also accessed. The incident impacted approximately 7,600 individuals.
READ THE STORY: The Record
Meta's Code Llama - A New Machine Learning Model for Code Generation
Analyst Comments: Meta's introduction of Code Llama into the machine learning landscape signifies the tech giant's continued push into the realm of AI-driven code generation. While the model's capabilities, especially its ability to generate and explain code in multiple languages, are commendable, the inherent risks and occasional inaccuracies highlight the challenges of relying solely on AI for code generation. The community license, while promoting an "open approach," still has limitations that might deter some developers or organizations from fully embracing the tool.
FROM THE MEDIA: Meta has unveiled a semi-open machine learning model, Code Llama, designed specifically for generating software source code. Code Llama is a part of the large language models (LLaMA) family, an evolution of the Llama 2 model launched in July. Unlike its predecessor, which was more prose-oriented, Code Llama is fine-tuned to produce and discuss source code based on text prompts. Meta envisions Code Llama as a tool to assist programmers in creating more robust and well-documented software. When prompted, the model can generate code in various languages, including Python, C++, Java, and PHP, and also provide a natural language explanation of the generated source. However, users are advised to interact with Code Llama in English, as it hasn't undergone safety testing in other languages. Meta acknowledges the inherent risks with cutting-edge technology like Code Llama. During red team testing, Code Llama demonstrated safer responses compared to ChatGPT (GPT3.5 Turbo) when prompted to create malicious code. Performance-wise, Code Llama surpasses open-source, code-specific LLMs and its parent Llama 2 in benchmarks and matches OpenAI's ChatGPT. The model is available in three sizes (7B, 13B, and 34B parameters) and has been trained with 500B tokens of code and code-related data.
READ THE STORY: The Register
US Department of Justice Sues SpaceX Over Alleged Discrimination Against Asylees and Refugees
Analyst Comments: The lawsuit against SpaceX highlights the importance of ensuring that companies adhere to federal laws and regulations, especially concerning hiring practices. Discrimination based on citizenship status can have significant implications for both companies and potential employees. The case underscores the need for businesses to be well-informed about legal requirements and to ensure that their public statements and internal policies align with these mandates. If the allegations are proven true, it could have reputational and financial consequences for SpaceX.
FROM THE MEDIA: SpaceX, the aerospace manufacturer and space transportation company, is facing a lawsuit from the US Department of Justice (DoJ) for allegedly discriminating against asylees and refugees in its hiring practices. The complaint, filed by the Office of the Chief Administrative Hearing Officer, asserts that SpaceX discouraged individuals with asylee or refugee citizenship status from applying for positions within the company. The DoJ claims that SpaceX and its CEO, Elon Musk, made incorrect statements that violated the Immigration and Nationality Act (INA). The INA mandates that asylees and refugees cannot be discriminated against based on their citizenship status during job application processes. However, SpaceX is alleged to have consistently and erroneously stated that it could only employ US citizens and lawful permanent residents. This stance, the DoJ argues, deterred asylees and refugees from applying. From September 2018 to May 2022, SpaceX is accused of categorizing asylees and refugees as ineligible for employment under the International Traffic in Arms Regulations (ITAR).
READ THE STORY: The Register
U.S. Government Advisory Board Addresses Rising Teen Participation in Cybercrime
Analyst Comments: The rise in teenage involvement in cybercrime is a pressing issue that requires immediate attention. The ease with which young individuals can engage in these activities, combined with a lack of awareness about online legal boundaries, makes them particularly vulnerable. The recommendations by the Cyber Safety Review Board highlight the need for comprehensive prevention programs that not only educate but also rehabilitate young cybercriminals. Drawing inspiration from European models could be a step in the right direction for the U.S. However, a coordinated effort from various federal agencies will be crucial to effectively address this challenge.
FROM THE MEDIA: The Department of Homeland Security's Cyber Safety Review Board has recommended that Congress consider funding juvenile cybercrime prevention programs. This recommendation comes in the wake of an investigation into Lapsus$, a teenage hacking group known for its cyberattacks on major companies such as Microsoft, Nvidia, and Rockstar Games. The increasing ease with which teenagers can participate in cybercrime without raising suspicions is a growing concern. The use of computers or smartphones, which is common among teenagers, doesn't typically raise eyebrows, making it easier for them to engage in illegal online activities. Additionally, a lack of education about online legal boundaries makes young individuals more susceptible to the allure of cybercrime. A recent survey funded by the European Union revealed that approximately 48% of European youths aged 16 to 19 admitted to engaging in criminal online behavior between the summers of 2020 and 2021. This survey, which involved 8,000 participants from nine European countries, found that 10% of teenagers had participated in criminal hacking, 20% had used illegal virtual marketplaces, and 12.5% had engaged in some form of money laundering.
READ THE STORY: AXIOS
Items of interest
DirtyCred: Escalating Privilege in Linux Kernel
Analyst Comments: DirtyCred represents a significant advancement in the realm of Linux kernel exploitation techniques. Its ability to generalize across heap-based vulnerabilities and bypass numerous existing kernel protections underscores its potency. The acknowledgment and reward from a recognized entity like Google further validate its effectiveness. However, the introduction of such a technique also highlights the vulnerabilities inherent in the Linux kernel and underscores the need for immediate and robust defense mechanisms. The proposed defense by the authors, which focuses on memory segregation, seems promising, but its real-world applicability and effectiveness against evolving threats remain to be seen. The Linux community and stakeholders must prioritize addressing this to ensure system integrity and user security.
FROM THE MEDIA: At the CCS ’22 event in Los Angeles, authors Zhenpeng Lin, Yuhang Wu, and Xinyu Xing introduced "DirtyCred," a novel exploitation technique targeting Linux kernel vulnerabilities. This method allows an unprivileged user to actively allocate privileged credentials, addressing the challenge of making the credential object swap effective. By leveraging various kernel features and mechanisms, DirtyCred can convert any heap-based vulnerability into an ability to free credential objects in an invalid manner. The technique was tested on 24 real-world kernel vulnerabilities, demonstrating privilege escalation in 16 of them. The authors received a $20,000 bounty reward from Google Vulnerability Rewards Program for their findings. To counteract the potential threats posed by DirtyCred, the authors proposed a defense mechanism that segregates high and low privileged objects in non-overlapping memory regions.
READ THE STORY: ZPLIN
How Does Malware Know It's Being Monitored? (Video)
FROM THE MEDIA: John Hammond discusses how malware can determine if it's being monitored or analyzed. He introduces viewers to various anti-debugging techniques that malware uses to detect if it's under scrutiny. If malware detects that it's being analyzed, it can choose not to execute its payload, thereby evading detection. In the video, John demonstrates coding in C and C++ to create a malware sample and shows how it can be used to detect if it's being debugged or analyzed.
Unraveling Cybersecurity: Insights from Experts and Emerging Threats (Video)
FROM THE MEDIA: The transcript begins with mentions of the "sock analyst appreciation day awards program" and the importance of recognizing sock analysts. It then transitions into a segment about Teleport, an open-source solution that provides identity-based certificates to replace passwords and keys. The hosts then welcome back viewers and promote various Security Weekly content, including their podcast feeds, mailing list, Discord server, and on-demand webcasts.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.