Daily Drop (586): AI chip exports to Middle East, Qakbot Dismantled, UK AI Vulnerability, Charles de Gaulle Airport, GRU: Sandworm, Barracuda Bypassed, FreeWorld Ransomware, Meta: Political Ads
09-02-23
Saturday, Sep 02, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
US AI Chip Export Controversy
Analyst Comments: The US government's decision to implement licensing requirements, rather than an outright ban, indicates a cautious approach to technology exports, especially those with potential dual-use in military applications. The move reflects the delicate balance nations must strike between promoting technological advancements and safeguarding national security interests. The ambiguity surrounding the specifics of the licensing requirements and the countries they pertain to in the Middle East suggests a complex geopolitical landscape. This development not only impacts tech giants like Nvidia and AMD but also underscores the intricate interplay of technology, commerce, and international relations in today's globalized world.
FROM THE MEDIA: The US government recently clarified its position on the export of artificial intelligence (AI) chips, specifically the A100 and H100 products from Nvidia and AMD, to the Middle East. Contrary to prior reports suggesting a ban, the US Department of Commerce stated that while there are new licensing requirements for selling these chips in certain Middle Eastern countries, there isn't an outright sales blockade. These chips, integral for image and speech recognition, can also be employed for large-scale military hacking operations and cyber espionage. Historically, the US has used export licensing to restrict market access, as seen with AI chip exports to China, which were limited in the name of national security.
READ THE STORY: DarkReading // Cryptopolitan
Russian-Origin Malware Targets Cryptocurrency
Analyst Comments: The emergence of the Infamous Chisel malware underscores the evolving landscape of cyber threats, especially in the cryptocurrency sector. The association of this malware with a state-sponsored hacking unit amplifies concerns about the intersection of cybercrime and geopolitics. While the malware components exhibit a relatively low to medium level of sophistication, lacking advanced obfuscation or stealth techniques, the potential risks remain significant. The actor behind this malware might have deemed such concealment unnecessary, possibly due to the absence of detection systems on many Android devices. This situation emphasizes the importance of robust cybersecurity measures, especially for devices and platforms handling sensitive financial data.
FROM THE MEDIA: A new strain of malware, named "Infamous Chisel," believed to have Russian origins, has been identified as a significant threat to cryptocurrency wallet and exchange applications. This revelation comes from a collaborative advisory report involving major cybersecurity and law enforcement agencies, including the FBI, NSA, CISA, and the UK's NCSC. The malware is linked to the Sandworm hacking unit of Russia’s GRU military intelligence agency, previously known for its cyber operations against the Ukrainian military. Infamous Chisel is designed to gain persistent access to compromised Android devices via the Tor network, collecting and transmitting data periodically. The malware specifically targets directories associated with applications like the Web3 browser Brave, Binance, Coinbase, Trust crypto wallet, Telegram, Discord, and the Android Keystore system. The intent is to compromise and retrieve a vast array of sensitive information, including cryptocurrency-related data and private keys.
READ THE STORY: The Coin Republic
UK Cyber Agency Highlights AI Vulnerabilities
Analyst Comments: The emergence of prompt injection attacks underscores the evolving challenges in the realm of AI and cybersecurity. The fact that hackers can poison the data accessed by chatbots to generate malicious outputs is concerning, especially given the widespread use of chatbots in various sectors, including finance and customer service. One notable example highlighted the vulnerability of MathGPT, an LLM based on OpenAI's GPT-3 model. A researcher was able to trick the chatbot into executing malicious prompts, gaining access to the system hosting the chatbot. The NCSC's warning emphasizes the need for robust cybersecurity measures and system designs that consider potential vulnerabilities in machine learning components. The comparison of these attacks to SQL injection, but with no clear solution, further underscores the severity and complexity of the challenge.
FROM THE MEDIA: The UK's cybersecurity agency has issued a warning about the vulnerabilities associated with large language model chatbots, highlighting the potential for "prompt injection attacks." These attacks can manipulate the technology behind chatbots to access confidential data, generate offensive content, or cause other unintended consequences. In a typical interaction with an artificial intelligence chatbot, a user provides a prompt or instruction, which the chatbot then processes by scanning vast amounts of text data. Threat actors are now manipulating this data to create malicious prompts, causing chatbots like ChatGPT, Google Bard, and Meta's LLaMA to produce harmful outputs. The National Cyber Security Centre (NCSC) has identified these prompt injection attacks as a significant weakness in the current generation of large language models (LLMs). As LLMs increasingly interface with third-party applications and services, the risk of malicious prompt injection attacks grows, potentially leading to cyberattacks, scams, and data theft.
READ THE STORY: BankInfoSec
Major Malware Botnet Qakbot Dismantled
Analyst Comments: The takedown of Qakbot is a testament to the effectiveness of international collaboration in combating cyber threats. The operation's success underscores the importance of a unified approach in addressing global cyber challenges. However, the fact that the operators behind Qakbot remain unidentified and at large suggests that the battle against cyber threats is ongoing. The adaptability and evolution of Qakbot over the years highlight the need for continuous vigilance and innovation in cybersecurity measures.
FROM THE MEDIA: In a significant victory against cyber threats, an FBI-led international effort has successfully dismantled the infrastructure of Qakbot, a malware botnet that has been operational since 2007. Originally introduced as a banking trojan, Qakbot evolved into a versatile and customizable system, becoming a tool of choice for ransomware operators. At its peak, the malware botnet infected over 700,000 computers, causing damages amounting to hundreds of millions of dollars globally. Qakbot, also known as QBot or Pinkslipbot, primarily spread through malicious email links or attachments. A significant number of the infected computers, approximately 200,000, were located in the US. These compromised systems often operated for extended periods without the owners' knowledge. By 2022, Qakbot had adapted its methods, compromising Windows systems by attaching malicious Office macros to emails. Although Microsoft's decision to block certain macros by default in Office temporarily hindered Qakbot's activities, the malware soon adopted an "HTML smuggling" technique, among other exploit methods.
READ THE STORY: CPO
Charles de Gaulle Airport Cyberattack: Unmasking the True Perpetrators
Analyst Comments: While the #OpFrance campaign is portrayed as a hacktivist response to France's historical actions, the potential involvement of Russian state actors adds a layer of complexity. The connections between groups like Anonymous Sudan and Russian entities like Killnet indicate that what appears to be grassroots hacktivism might be a well-coordinated state-backed cyber operation. This blurring of lines between hacktivism and state-sponsored cyberattacks underscores the evolving nature of cyber threats and the importance of discerning the true motives behind such campaigns.
FROM THE MEDIA: The Charles de Gaulle airport website in Paris recently suffered an outage, believed to be the handiwork of the hacktivist group Dark Storm. This incident is part of the broader #OpFrance campaign, which has been targeting French online infrastructure. Initially, the campaign's motives were linked to France's colonial past in West Africa. However, deeper analysis and patterns suggest that the true orchestrators might be state-backed cybercriminals from Russia, aiming to sow discord and destabilize French society.
READ THE STORY: TECHMONITOR AI
Barracuda's Security Patch Bypassed
Analyst Comments: The sophisticated nature of the attacks, especially the ability to bypass security patches, underscores the advanced capabilities of state-backed cybercriminal groups. The campaign's focus on high-value targets, such as government offices in the U.S. and other countries, highlights the strategic nature of these cyberattacks. The association of the threat group with the Chinese government, as indicated by Mandiant, suggests a broader geopolitical agenda. The use of malware specifically designed for certain devices, like Barracuda's, indicates a well-planned and targeted approach.
FROM THE MEDIA: Barracuda's email security gateway devices were recently targeted by a cyber espionage campaign orchestrated by a China-affiliated threat group, UNC4841. This campaign managed to bypass Barracuda's remediation efforts, continuing its attacks on high-profile targets. Mandiant's research reveals that despite Barracuda releasing a security patch on May 20, the threat group deployed advanced malware to ensure their presence remained within certain high-priority organizations. The malware was specifically designed to persist even after the security updates were applied. Barracuda's CISO, Riaz Lakhani, emphasized that the patch addressed the vulnerability and advised the replacement of any compromised appliance. The FBI has also issued alerts regarding the ongoing exploitation of Barracuda devices by hackers associated with the People’s Republic of China.
READ THE STORY: CyberSecurityDive
Microsoft SQL Servers Under Siege: The Rise of FreeWorld Ransomware
Analyst Comments: The DB#JAMMER campaign demonstrates the evolving sophistication of cyber threats, with attackers leveraging a multi-stage approach to compromise systems and deploy ransomware. The use of a combination of tools, from enumeration software to ransomware payloads, indicates a well-coordinated and targeted attack strategy. The focus on Microsoft SQL servers, a widely used database management system, underscores the potential scale and impact of the campaign. Organizations need to prioritize securing their database servers, regularly update and patch software, and enforce strong password policies to defend against such threats. The rise of the FreeWorld ransomware variant also suggests that threat actors are continuously developing new tools and techniques, emphasizing the need for ongoing vigilance and adaptive cybersecurity strategies.
FROM THE MEDIA: Cybersecurity firm Securonix has identified a campaign, named DB#JAMMER, in which threat actors exploit inadequately secured Microsoft SQL (MS SQL) servers to deploy Cobalt Strike and a new ransomware variant called FreeWorld. The attackers gain initial access by brute-forcing the MS SQL server, then use it to run shell commands, conduct reconnaissance, and impair the system firewall. Subsequently, they establish persistence, transfer malicious tools, and deploy the FreeWorld ransomware. The campaign is notable for its comprehensive use of tools, including enumeration software, RAT payloads, and ransomware payloads. Securonix emphasizes the importance of strong passwords, especially for services exposed to the public, to prevent such brute force attacks.
READ THE STORY: THN
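The DB#JAMMER chain starts with a password-guessing burst against the MS SQL listener, and the first login success after that burst is the moment the intrusion becomes interactive. The script below is an added example written for this digest, not code from Securonix or from the campaign write-up: it parses logon failures (SQL Server error 18456) and successes from ERRORLOG-style lines, flags any client address that exceeds a failure threshold inside a sliding window, and raises a higher-severity alert when a success from that same client follows the burst. The log lines, timestamps, user names and client addresses are constructed for the example; the threshold and window values are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG logon messages.
# Every timestamp, user name and client address here is invented for the example.
SAMPLE_ERRORLOG = """\
2023-09-01 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:05:30.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
FAILED_RE = re.compile(
    _TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]$"
)
SUCCESS_RE = re.compile(
    _TS + r" Logon\s+Login succeeded for user '(?P<user>[^']*)'\..*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def _parse_ts(text):
    # ERRORLOG prints hundredths of a second; %f accepts 1-6 fractional digits.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def parse_logon_events(log_text):
    """Return (timestamp, kind, client, user) tuples sorted by time.

    Lines that are neither a failed nor a successful logon (for example the
    'Error: 18456' severity line that precedes each failure) are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"]), "failed", m["client"], m["user"]))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"]), "success", m["client"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag clients whose logon failures in a sliding window reach `threshold`.

    Produces a 'bruteforce' alert once per client when the burst is first seen,
    and a 'success_after_failures' alert for every successful logon from a
    client that still has `threshold` or more failures inside the window,
    which is the signal that the guessing worked.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # client -> timestamps of failures in window
    users_tried = defaultdict(set)   # client -> every user name it has failed on
    already_alerted = set()
    alerts = []
    for ts, kind, client, user in parse_logon_events(log_text):
        q = recent[client]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if kind == "failed":
            q.append(ts)
            users_tried[client].add(user)
            if len(q) >= threshold and client not in already_alerted:
                already_alerted.add(client)
                alerts.append({"type": "bruteforce", "client": client,
                               "failures": len(q), "at": ts,
                               "users": sorted(users_tried[client])})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "client": client,
                           "user": user, "failures": len(q), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
```

Running the block on the constructed sample yields two alerts for 203.0.113.5 (a burst of five failures across the `sa` and `admin` logins, then a successful `sa` logon while the burst is still inside the window) and nothing for the single failure from 10.0.0.12. The second alert type is the one to page on, because it means the attacker now has a working login and the next steps in the chain (shell commands, firewall changes, tool transfer) can follow; the brute-force alert on its own is mainly a prompt to check whether the server is reachable from where it should not be and whether the targeted accounts have the strong passwords Securonix recommends.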
Meta's Oversight on Political Ads: A Cause for Concern
Analyst Comments: Meta's inconsistent enforcement of its own advertising transparency rules is concerning, especially with the 2024 US elections on the horizon. The fact that PragerU, a clearly political entity, can so easily navigate around these rules underscores potential vulnerabilities in Meta's ad review system. MMFA's findings, coupled with Meta's recent staffing decisions related to misinformation countermeasures, suggest a possible relaxation in policy enforcement. This could pave the way for more organizations to exploit these loopholes, leading to a surge in undisclosed political advertising.
FROM THE MEDIA: Media Matters for America (MMFA) recently highlighted that PragerU Kids, affiliated with the right-wing nonprofit PragerU, has been actively pushing over 100 political ads on Facebook and Instagram in just two months. These ads appear to sidestep Meta's advertising transparency rules, established in 2018, which demand clear labeling and funding information for ads concerning "social issues, elections, or politics." One ad, which reached an audience of over 20,000, featured Jill Simonian asserting a shift in American schools from knowledge-based education to activism. PragerU's content is distinctly political, with videos touching on various controversial topics. Despite Meta's rules, PragerU emerged as the 12th highest political ad spender on the platform from May 2018 to August 2023, even outspending numerous political campaigns.
READ THE STORY: Wired
Department of Defense's IT Woes
Analyst Comments: The findings from the GSA survey are concerning, especially given the critical role the DoD plays in national security. The fact that senior-level employees seem more satisfied than the rank and file suggests a potential disconnect between leadership and ground-level workers. The highlighted issues, such as long login times and outdated equipment, can hinder productivity and operational efficiency. Michael Kanaan's comments underscore a deeper problem within the DoD: the need to prioritize fundamental IT infrastructure over other expenditures. Addressing these IT challenges should be a top priority for the DoD to ensure smooth operations and maintain its reputation as a leading federal agency.
FROM THE MEDIA: The Department of Defense (DoD) has been identified as the least satisfactory US government agency in terms of IT services, according to the General Services Administration's (GSA) Mission-Support Customer Satisfaction Survey. The survey, which included 24 US federal government agencies, found the DoD at the bottom in areas such as IT support, equipment, function, and communication/collaboration. While the DoD did slightly better in areas like strategic IT partnerships, modernization, and enhancement, it still ranked a lowly twentieth. Interestingly, despite these rankings, 65% of the DoD's users expressed satisfaction with their IT support, and 64.5% were satisfied with their IT equipment. The majority of these respondents were from the higher pay grades and had been with the DoD for eight or more years. However, the rank and file have expressed significant frustrations, with issues ranging from long login times to outdated equipment. Michael Kanaan, a former US Air Force official and current DoD Chief Digital and Artificial Intelligence Office deputy, emphasized that the IT challenges aren't due to a lack of funds but rather a misalignment of priorities.
READ THE STORY: The Register
Apple's CSAM Tool Controversy
Analyst Comments: The debate between Apple and child safety advocates underscores the delicate balance tech companies must strike between ensuring user privacy and addressing pressing societal issues like child exploitation. Apple's decision to pivot to on-device tools suggests a preference for localized solutions that minimize data exposure. However, as child safety remains a paramount concern, it's evident that tech giants will continue facing pressure to develop innovative solutions that address both privacy and safety. The broader implications of this debate also touch on the global discourse around encryption and the rights of tech companies to protect user data against potential government surveillance.
FROM THE MEDIA: Apple's decision to discontinue its iCloud photo-scanning tool for detecting child sexual abuse material (CSAM) has reignited debates on user privacy and child safety. Initially announced in August 2021, the tool faced backlash from digital rights groups and researchers, leading Apple to pause its development due to concerns about potential misuse and threats to iCloud users' privacy. Recently, the child safety group Heat Initiative has urged Apple to reinstate the tool and provide more mechanisms for users to report CSAM. In response, Apple detailed its shift towards on-device tools, termed Communication Safety features, emphasizing their commitment to user privacy and the challenges of implementing a CSAM-scanning mechanism without compromising it. Erik Neuenschwander, Apple's director of user privacy and child safety, highlighted the risks of scanning all iCloud data, noting the potential for misuse and broader surveillance concerns. Sarah Gardner, leading the Heat Initiative and former VP of external affairs for Thorn, expressed disappointment in Apple's decision, emphasizing the company's responsibility to detect and prevent the spread of CSAM.
READ THE STORY: Wired
Items of interest
Okta's Super Administrator Privilege Under Threat
Analyst Comments: The recent social engineering attacks targeting Okta's Super Administrator privileges are a testament to the evolving sophistication of cyber threats. These attacks, which focus on IT service desk personnel, indicate a deep understanding of organizational vulnerabilities, showcasing the adaptability and strategic planning of the attackers. The deployment of the 0ktapus phishing kit in these attacks is particularly alarming. This kit, with its ability to craft realistic fake authentication portals and its integration of a command-and-control channel via Telegram, can deceive even the most vigilant users, making it a potent tool in the hands of cybercriminals.
FROM THE MEDIA: Identity services provider, Okta, has recently alerted the public about a series of social engineering attacks aimed at obtaining elevated administrator permissions. Over the past few weeks, several US-based Okta customers have reported a consistent pattern of these attacks, particularly targeting IT service desk personnel. The attackers' primary strategy is to persuade the service desk staff to reset multi-factor authentication (MFA) factors for highly privileged users. Once achieved, the adversaries exploit the Okta Super Administrator accounts to impersonate users within the compromised organization. This campaign was active between July 29 and August 19, 2023. The tactics used in these attacks are reminiscent of an activity cluster known as Muddled Libra, which has some similarities with Scattered Spider and Scatter Swine. Central to these attacks is the 0ktapus phishing kit, which provides templates for creating fake authentication portals to harvest credentials and MFA codes. This kit also features a built-in command-and-control (C2) channel via Telegram.
READ THE STORY: THN
OpenSSH 2.3 to 7.7 - Username Enumeration | CVE-2018-15473 Exploitation (Video)
FROM THE MEDIA: A user enumeration flaw was found in OpenSSH through version 7.7. The vulnerability exists because the server does not delay bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, so the timing of the response reveals whether the user name is valid. The highest threat from this vulnerability is to data confidentiality.
A Powerful Pivoting Technique That the OSCP Doesn't Teach You (Video)
FROM THE MEDIA: Pivoting is a technique used by penetration testers and cyber attackers to move deeper into a network after gaining initial access. It allows the attacker to use the compromised system as a launching point to access other systems and networks that might not be directly accessible from the attacker's original point of entry.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.