Daily Drop (584): China: Barracuda, Chinese Disinformation, Affiliate Model Boosts Activity, Russia vs. China: Digital Influence, China's Data Landscape, Threats in the Digital Realm, RU: Canada
08-30-23
Wednesday, Aug 30, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Russian Intelligence Aids Cybercriminals, Warns Canadian Cyber Center
Analyst Comments: The revelations in the report are alarming, indicating a potential state-backed support system for cybercriminals. The collaboration between nation-states and cybercriminals elevates the threat level, making it not just a matter of individual or corporate security but a national security concern. The emphasis on ransomware, combined with the mention of its disruptive effects on hospitals, underscores the tangible, real-world consequences of these digital threats. The international nature of these cyber threats, especially with the involvement of major players like Russia and Iran, suggests that a coordinated, international response may be necessary to counteract these challenges effectively.
FROM THE MEDIA: The Canadian Centre for Cyber Security recently released a federal report warning of the potential collaboration between Russian intelligence services and cybercriminals. This alliance is expected to allow these criminals to operate against targets, including Canadians, with significant impunity in the coming months. While Russia is the primary concern, Iran also emerges as a potential collaborator, albeit to a lesser extent. The report forecasts a surge in online crime in Canada over the next two years, with ransomware identified as the most disruptive form. High-value organizations, especially those in critical infrastructure sectors, are particularly at risk. The report also underscores the physical and financial ramifications of these cyberattacks, citing disruptions in patient care at hospitals as a notable example.
Navigating China's Data Landscape
Analyst Comments: The increasing complexity of China's data laws signifies the country's intent to tighten its grip on data security and privacy, reflecting global trends. The extraterritorial nature of some of these laws underscores China's ambition to set standards beyond its borders. For businesses, both domestic and foreign, this evolving landscape demands proactive measures to understand and comply with these regulations. The potential penalties for non-compliance, including substantial fines and business operation restrictions, further emphasize the criticality of adherence. As China continues to roll out additional regulations, like those concerning facial recognition, businesses must remain vigilant and agile in their compliance strategies.
FROM THE MEDIA: China's evolving stance on data privacy and cybersecurity, as discussed in the podcast "Unpacking the China Data Laws" by Gabriela Kennedy and Julian M. Dibbell, has brought forth intricate laws like the 2017 Cybersecurity Law, the 2021 Data Security Law, and the Personal Information Protection Law. These laws present overlapping provisions, vague definitions, and a myriad of assessments, certifications, and approvals that businesses must navigate. Notably, the Data Security Law and the Personal Information Protection Law possess extraterritorial effects, implying that even companies without a direct presence in China but interacting with Chinese data subjects could fall under their purview.
READ THE STORY: MONDAQ
Chinese Espionage Targets Barracuda Vulnerability
Analyst Comments: The rapid and intensified response of the hacker’s post-disclosure indicates a high level of sophistication and preparedness. The deliberate targeting of high-priority entities underscores the strategic nature of the campaign, likely driven by espionage motives. The involvement of state-backed actors, as suggested by Mandiant's attribution to Beijing, raises significant concerns about the increasing capabilities and ambitions of nation-state cyber operations. The incident underscores the need for organizations to not only address known vulnerabilities promptly but also to anticipate potential post-remediation tactics employed by attackers.
FROM THE MEDIA: Chinese hackers have exploited a zero-day flaw in Barracuda's email security appliances, intensifying their focus on high-priority targets. This surge in activity coincided with Barracuda's efforts to address the vulnerability. Within a week of Barracuda's disclosure in late May, the hackers, identified as UNC4841 by Mandiant researchers, deployed an additional backdoor. This targeted mainly U.S. and foreign government agencies and high-tech companies. Mandiant has linked this hacking campaign to Beijing with a high degree of certainty. After Barracuda's remediation attempts, the hackers introduced a novel backdoor named DepthCharge, suggesting they had anticipated the company's mitigation efforts. This indicates a well-funded, deliberate campaign. Barracuda later acknowledged that its patch might not completely eliminate the sophisticated backdoor and recommended users to replace their compromised equipment, a sentiment echoed by the FBI.
READ THE STORY: GovInfoSec // The Record
Two suspects arrested following Poland railway hack
Analyst Comments: The cyberattack on Poland's railway system underscores the increasing vulnerability of critical infrastructure to cyber threats. The fact that the attackers used the railway's own radio system, which lacks encryption or authentication, to disrupt operations highlights the need for robust cybersecurity measures in such essential services. The political undertones of the attack, with the playing of the Russian national anthem, suggest that this was not just a random act of sabotage but possibly a coordinated effort with geopolitical motivations. Given the ongoing tensions between Russia and Ukraine and Poland's role in supporting Ukraine, such cyber incidents can be expected to increase in frequency and sophistication.
FROM THE MEDIA: Polish authorities have arrested two individuals suspected of hacking the national railway's communication network, causing a halt to 20 trains and disrupting traffic for several hours. The suspects, both Polish citizens aged 24 and 29, were apprehended in Bialystok, near the Belarus border. Interestingly, one of the suspects is believed to be a police officer in Bialystok. The attackers reportedly used the railway's radio system to send "stop" commands to targeted trains and broadcast the Russian national anthem and snippets of a speech by Russian President Vladimir Putin. The attack is believed to be in support of Russia, as stated by Stanisław Zaryn, the deputy coordinator of Poland's special services. The country's railway system plays a crucial role in transporting weapons to Ukraine from European allies and also serves as a transit point for Ukrainian citizens and refugees heading to Europe.
READ THE STORY: The Record
Ransomware Group Exploits GDPR to Pressure Victims
Analyst Comments: Ransomed's innovative use of GDPR as an extortion tool underscores the evolving nature of cyber threats. By leveraging protective regulations against victims, Ransomed is challenging traditional cybersecurity and legal frameworks. Organizations must remain vigilant, ensuring they not only comply with data protection regulations but also maintain robust cybersecurity measures to counter such threats. The emergence of such tactics also calls for a reevaluation of current laws and their potential unintended consequences in the realm of cybersecurity.
FROM THE MEDIA: A new ransomware group, aptly named "Ransomed," is exploiting the EU's General Data Protection Regulation (GDPR) to pressure its victims into paying ransoms. The group's strategy is based on the premise that the fines associated with GDPR data breaches would be more costly for the victim than the ransom amount demanded. First identified by cybersecurity analyst Flashpoint on August 15th, Ransomed has established a dedicated Telegram channel and a domain for its operations. The group's unique approach involves leveraging GDPR to threaten victims with potential fines if they don't pay the ransom. Flashpoint suggests that Ransomed likely sets its ransom demands lower than potential GDPR fines to increase the likelihood of payment. This tactic turns protective laws against victims, marking a significant shift from traditional extortion methods.
READ THE STORY: The Record // CyberNews
Operation Duck Hunt: QakBot Malware Neutralized
Analyst Comments: The successful takedown of QakBot is a testament to the effectiveness of international collaboration against cyber threats. QakBot's evolution from a banking trojan in 2007 to a multi-faceted malware distributing various malicious codes, including ransomware, highlights the adaptability and resilience of cyber threats. The malware's ability to shift tactics in response to security measures, such as weaponizing different file formats and exploiting gaps in network defenses, underscores the sophistication of modern cybercriminal operations. While the neutralization of QakBot is a significant achievement, the continuous evolution of such threats necessitates ongoing vigilance and collaboration among nations and cybersecurity experts.
FROM THE MEDIA: The U.S. Justice Department (DoJ) has announced a significant victory against cybercrime with the dismantling of QakBot, a notorious Windows malware. This malware, which has compromised over 700,000 computers worldwide, has been linked to financial fraud and ransomware distribution. The operation, aptly named "Operation Duck Hunt," resulted in the malware being deleted from affected computers and the seizure of over $8.6 million in cryptocurrency profits. This international effort involved collaboration from several countries, including France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., with technical support from cybersecurity firm Zscaler. Although this operation is considered the largest U.S.-led disruption of a botnet infrastructure, no arrests have been made.
READ THE STORY: THN
Meta's Stand Against "Spamouflage
Analyst Comments: The takedown of Spamouflage by Meta underscores the escalating challenges posed by state-backed disinformation campaigns in the digital age. The vast reach and cross-platform nature of this campaign highlight the sophistication and resources behind such operations. Given the current geopolitical tensions between the U.S. and China, coupled with debates surrounding the origins of the pandemic and Taiwan's strategic importance, it's evident that digital platforms will continue to be battlegrounds for influence and information warfare. For corporate security teams, understanding the nuances of these campaigns is crucial. Not only can they directly impact business operations, but they can also shape public perception and discourse.
FROM THE MEDIA: Meta has successfully neutralized a significant Chinese disinformation campaign termed "Spamouflage." This campaign, which Meta describes as the most extensive cross-platform covert influence operation it has ever tracked, primarily disseminated content that painted China in a positive light while criticizing the U.S., Western foreign policies, and detractors of the Chinese government. This includes journalists and Chinese medical researchers who have been vocal about COVID-19. Meta's Q2 Adversarial Threat Report reveals that the company removed 7,704 Facebook accounts, 954 pages, 15 groups, and 15 Instagram accounts linked to this campaign. Active since 2019, Spamouflage has targeted various regions, including Taiwan, the U.S., Australia, the U.K., Japan, and global Chinese-speaking audiences. The campaign's influence spanned over 50 platforms, including major social media sites like X (formerly Twitter), YouTube, TikTok, Reddit, and more.
READ THE STORY: DarkReading // SCMAG
DarkGate Malware's Rising Threat
Analyst Comments: The evolution and commercialization of malware like DarkGate underscore the increasing sophistication and adaptability of cyber threats. By adopting an affiliate model, the malware's reach and impact are amplified, posing a more significant threat to potential targets. The multi-layered attack process, combined with its ability to adapt and evade detection, makes DarkGate a formidable malware variant. Organizations must remain vigilant, continuously updating their cybersecurity measures and educating employees about the risks of phishing and the importance of email security.
FROM THE MEDIA: A surge in DarkGate malware activity has been identified, attributed to the malware's developer renting out the software to a select group of affiliates, as reported by Telekom Security. This recent uptick follows findings from security researcher Igal Lytzki, who highlighted a campaign that utilized hijacked email threads to deceive recipients into downloading the malware. The attack process begins with a phishing URL. Upon clicking, victims are directed to an MSI payload, contingent on specific conditions. Opening this MSI file initiates a multi-layered process involving an AutoIt script, which then executes shellcode to decrypt and activate DarkGate via a crypter. There are also alternate attack variations that employ a Visual Basic Script instead of an MSI file.
READ THE STORY: THN
ChatGPT's Digital Footprint: A New Cyber Challenge
Analyst Comments: The rise of ChatGPT underscores the pressing need for businesses to re-evaluate their digital defense mechanisms. With the ability to republish content, divert web traffic, and unintentionally spread sensitive data, ChatGPT poses a multifaceted challenge. While current countermeasures might involve blocking data collection attempts, the future might see LLM developers leveraging data from major search engines or bypassing restrictions altogether.
FROM THE MEDIA: In the evolving landscape of online threats, ChatGPT and other large language models (LLMs) have carved a niche, presenting fresh challenges for digital businesses. Trained on vast datasets scraped from the internet, these models have the potential to diminish web traffic, replicate content, and inadvertently lead to data breaches. Industries that emphasize data privacy, unique content, and ad revenue, such as e-commerce, media, and classified ads, find themselves on the frontline of this digital battle. While ChatGPT's training predominantly relies on sources like Common Crawl and Wikipedia, its plugins, designed to access real-time data, further amplify the threat by potentially bypassing the need to visit original websites.
READ THE STORY: THN
Meta's Analysis on Global Trolling Campaigns
Analyst Comments: The report underscores the evolving nature of digital influence campaigns and the challenges platforms like Meta face in identifying and countering them. While Russia's operations, particularly Secondary Infektion, are noted for their meticulous operational security, China's Spamouflage is prolific but less discreet. The fact that these campaigns have managed to operate undetected for significant durations highlights the need for continuous advancements in cybersecurity measures. The report also suggests that these covert influence networks might be learning from each other, adapting tactics based on public reporting by the tech industry and security researchers.
FROM THE MEDIA: Meta's recent Adversarial Threat Report highlights the contrasting online trolling strategies employed by Russia and China to further their political narratives. The report claims that Meta has successfully thwarted two major political influence operations on its platforms, one linked to China and the other likely steered by Russia. Both campaigns utilized spam links and fake news to undermine Western governments and diminish support for Ukraine. The China-based campaign, associated with a group called Spamouflage or Dragonbridge, targeted countries like Taiwan, the US, Australia, the UK, and Japan. This group's primary focus was on pro-China commentary and criticism of Western foreign policies. Meanwhile, the Russian campaign, known as Secondary Infektion, is infamous for spreading misinformation about Ukrainian president Volodymyr Zelenskyy. Another Russian operation, Doppelganger, mimicked real news organizations, even producing a counterfeit Washington Post article. Despite their extensive efforts, both campaigns had limited engagement on Meta's platforms.
READ THE STORY: The Register
Kremlin-Backed Hackers Target Polish Websites Ahead of Elections
Analyst Comments: Russia's alleged involvement in these cyberattacks, as outlined by Żaryn, highlights the lengths to which nations might go to influence the internal affairs of other countries, especially during sensitive times like elections. The narrative suggests that cyberattacks are not just about causing digital disruption but can also be strategically employed to shape public opinion and political outcomes.
FROM THE MEDIA: Hackers from the group Noname057, believed to be operating under the Kremlin's directives, have launched cyberattacks on Polish websites, as revealed by Stanisław Żaryn, the Government Plenipotentiary for the Security of the Information Space. Żaryn, in his statement on InfoAlert, emphasized that these cyberattacks are Russia's strategy to sway pre-election sentiments in Poland. The hackers have purportedly framed these attacks as retaliation against the Polish government's policies and alleged "Russophobia." They argue that the Polish populace does not support such views. Żaryn interprets these actions as not just digital interference but also as meddling in Poland's public discourse. He suggests that the Russian services are using these cyberattacks to convey a message to the Polish people: replacing the current "Russophobic" government could halt the attacks and stabilize Poland.
READ THE STORY: The First News
Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits
Analyst Comments: The rapid exploitation of these vulnerabilities underscores the urgency for organizations to prioritize patching and cybersecurity hygiene. The wide exposure of devices, especially in prominent regions like the U.S., South Korea, and Hong Kong, indicates a significant risk. The active exploitation by known malware botnets, such as Kinsing and DreamBus, further elevates the threat level. Organizations must be proactive in monitoring their systems, applying patches, and ensuring robust cybersecurity measures to mitigate the risk of these vulnerabilities.
FROM THE MEDIA: Recent security vulnerabilities in Juniper firewalls, Openfire, and Apache RocketMQ servers have been actively exploited, as reported by multiple sources. The Shadowserver Foundation highlighted exploitation attempts targeting Juniper J-Web's specific endpoint, coinciding with the availability of a proof-of-concept (PoC). These vulnerabilities, identified as CVE-2023-36844 to CVE-2023-36847, are located in Junos OS's J-Web component on Juniper SRX and EX Series. They allow unauthenticated attackers to execute arbitrary code on vulnerable installations. Patches were released on August 17, 2023, and a PoC was subsequently published by watchTowr Labs.
READ THE STORY: THN
UK Warns of AI Security Flaw
Analyst Comments: The NCSC's warning underscores the double-edged nature of AI advancements. While LLMs offer revolutionary capabilities, they also introduce new vulnerabilities. The "prompt injection" attack, in particular, could have severe financial implications if not addressed. The fact that companies have already observed such attacks indicates that this is not a hypothetical threat but a real and present danger. As AI becomes more integrated into various sectors, especially sensitive ones like finance, there's an urgent need for robust security measures.
FROM THE MEDIA: The UK's National Cyber Security Centre (NCSC) has raised alarms over a fundamental security flaw in large language models (LLMs) like ChatGPT. While the initial concerns about ChatGPT revolved around its human-like speech generation capabilities, the current focus is on its potential vulnerabilities when integrated with other systems. A significant threat is the "prompt injection" attack. This type of attack could be exploited in commercial applications, especially in sectors like banking. For instance, a bank's LLM assistant could be manipulated into transferring money to an attacker's account. Software debugging company Honeycomb has already observed such attack attempts on its system. Another concern is data poisoning, where the data these models train on is corrupted. The NCSC emphasizes the importance of designing systems connected to machine learning components with security as a priority.
READ THE STORY: The Record
Items of interest
Harnessing AI for Penetration Testing
Analyst Comments: By successfully employing LLMs in both strategic planning and hands-on vulnerability exploitation, the research underscores the transformative role AI can play in addressing the chronic shortage of skilled cybersecurity professionals. However, while the results are promising, the ethical implications of deploying AI in such sensitive domains warrant careful consideration.
FROM THE MEDIA: Andreas Happe and Jürgen Cito from TU Wien, Austria, in their paper "Getting pwn’d by AI: Penetration Testing with Large Language Models," explore the capabilities of large language models (LLMs) like GPT-3.5 in the realm of penetration testing. The research delves into two primary use cases: high-level task planning and low-level vulnerability exploitation. For high-level tasks, the LLMs were tasked with devising attack methodologies, yielding realistic and feasible attack vectors. On the low-level front, a Python script was developed to allow GPT-3.5 to suggest and execute Linux shell commands on a vulnerable virtual machine, successfully achieving root privileges through various methods.
READ THE STORY: ARXIV
GPT to perform 10x for my specific use case (Video)
FROM THE MEDIA: Finetune Falcon 7b/40b instruct with your own data - The step-by-step guide about how to train falcon model for generating high quality midjourney prompt, from prep training dataset to comparing final results.
BEST Open Source LLM to build a GPT WebApp (Video)
FROM THE MEDIA: Nicholas highlights that Falcon-40B is the top open-source model, leading the hugging face LLM leaderboard. It surpasses other models like llama, stable LM, and MPT. A significant advantage of Falcon-40B is its licensing under Apache 2.0, making it free for commercial use. He anticipates a surge of new AI projects in Y Combinator due to this.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.