Daily Drop (590): Digital Economy Framework, DPRK: Andariel, Tu-95: Rubber Tire Camo, Shaping Cyber Space, Ukraine Thwarts Fancy Bear, Illia Vitiuk, LastPass Hacks, BLISTER Malware, SMART ePANTS
09-06-23
Wednesday, Sep 06, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
The Digital Economy Framework Agreement: Aiming for Seamless Trade and Data Flows
Analyst Comments: ASEAN's move to establish the DEFA underscores the bloc's commitment to harnessing the potential of the digital economy. With member countries like Indonesia, Singapore, the Philippines, and Vietnam, ASEAN collectively stands as the world's fifth-largest economy, boasting some of the most promising growth prospects. The DEFA aims to capitalize on this potential by ensuring seamless trade and data flows across the region. However, challenges lie ahead. The Economic Research Institute for ASEAN and East Asia (ERIA) has expressed concerns about potential overlaps with existing ASEAN initiatives that share similar objectives with the DEFA. Additionally, there are apprehensions about certain member nations lacking the requisite legal frameworks to effectively implement DEFA.
FROM THE MEDIA: The Association of South East Asian Nations (ASEAN), a ten-country trade bloc representing over 600 million people and accounting for approximately 6.5% of global economic activity, has embarked on the development of a Digital Economy Framework Agreement (DEFA). This initiative aims to foster an open, secure, interoperable, competitive, and inclusive regional digital economy. The envisioned digital ecosystem will promote the seamless and secure flow of goods, services, and data, backed by supportive rules, regulations, infrastructure, and talent. The decision to formulate the DEFA was made during a recent ASEAN leaders' summit, with a target completion date set for 2025.
READ THE STORY: The Register
DPRK Threat Actor Andariel's Evolving Cyber Arsenal
Analyst Comments: Andariel's continuous evolution and adaptability underscore the persistent threat posed by state-sponsored cyber actors. Their shift from national security-related attacks to financial gains indicates a broader strategy, possibly driven by economic pressures faced by North Korea. The group's ability to exploit a diverse range of vulnerabilities, combined with their expanding malware toolkit, suggests a high level of sophistication and resources. Organizations, especially those in the targeted sectors, should remain vigilant, prioritize cybersecurity measures, and stay updated on the latest threat intelligence to counter such advanced persistent threats.
FROM THE MEDIA: The North Korean threat actor Andariel, a sub-cluster of the notorious Lazarus Group, has been active since 2008 and is recognized by various aliases including Nickel Hyatt and Silent Chollima. Recent observations by the AhnLab Security Emergency Response Center (ASEC) in 2023 have highlighted the group's increasing reliance on malware strains developed in the Go language. Targeting a diverse range of entities from financial institutions to energy companies, Andariel's primary objectives encompass espionage and illicit revenue generation for North Korea. Their modus operandi involves a mix of spear-phishing, watering holes, and supply chain attacks. Notably, their malware arsenal has expanded to include tools like Gh0st RAT, DTrack, YamaBot, and a Golang-based reverse shell named 1th Troy, among others. Specific attacks in 2023 exploited vulnerabilities in enterprise solutions like the Innorix Agent, emphasizing the group's adaptability and persistence.
READ THE STORY: THN
Russia's Unconventional Defense: Aircraft Shielded with Rubber Tires
Analyst Comments: This unconventional defense tactic was first highlighted by The War Zone in August 2023. Some theories propose that the tires could serve as rudimentary armor protection or even offer limited camouflage against drones, especially at night. The primary idea might be to confuse drone targeting systems, thereby protecting the aircraft from missile strikes. However, Francisco Serra-Martins of drone manufacturer One Way Aerospace, whose drones have been used by Ukrainian forces, suggests that while this method might reduce the thermal signature of the aircraft, the aircraft would still be detectable under infrared cameras. The War Zone further elaborates that the tires could potentially disrupt the infrared signature of the aircraft, confusing cruise missiles that employ image matching for targeting. This technique, known as DSMAC (Digital Scene Matching Area Correlator) or ATR (Automated Target Recognition), would provide an edge to Ukraine's newly adapted "Neptune" missiles in land attacks, as they would be less vulnerable to electronic warfare jamming.
FROM THE MEDIA: Satellite surveillance images have revealed that Russian ground forces are covering their aircraft with rubber tires at their airbases. While the exact motive behind this unusual strategy remains unclear, military experts, as reported by CNN, speculate that it might be an attempt to safeguard the aircraft from potential drone attacks. One particularly clear image from Maxar Technologies showcases two Tu-95 strategic bombers at Engels Airbase, located deep within Russia, enveloped with tires over their primary body and wings.
READ THE STORY: Interesting Engineering
The Strategic Competition to Shape Cyberspace
Analyst Comments: Kopach's essay offers a comprehensive overview of the ongoing power dynamics in cyberspace, highlighting the stark differences in the visions of democratic and authoritarian nations. The emphasis on China and Russia's strategic moves underscores the significant threat they pose to a free and open internet. The essay effectively argues for the U.S. to take a proactive stance, not just in defense but in setting the global narrative. However, while the solutions proposed are robust, implementing them requires intricate diplomacy, vast resources, and international collaboration. The essay serves as a crucial call to action, emphasizing that the battle for cyberspace is not just about technology but also about upholding democratic values in the face of rising authoritarianism.
FROM THE MEDIA: Stephen Kopach's essay, "The Strategic Competition to Shape Cyberspace," dated September 06, 2023, delves into the intense rivalry between the United States and its primary adversaries, China and Russia, over the future direction of cyberspace. The U.S. champions an open, free, and secure internet that upholds human rights, contrasting sharply with the closed, controlled internet model promoted by China and Russia. These authoritarian regimes are strategically challenging the current internet governance system by influencing international forums, steering internet governance organizations, and establishing global ICT footholds. China, for instance, is pushing countries to adopt its digital infrastructure, aiming for broader economic and political influence. In response, the U.S. is urged to promote its vision of the internet, emphasizing freedom, security, and human rights. This involves shaping cyber rules, setting technical standards, and striving for global ICT dominance.
READ THE STORY: Real Clear Defense
Ukraine Thwarts Fancy Bear's Cyberattack on Energy Facility
Analyst Comments: Ukraine's ability to detect and respond to the cyberattack showcases the nation's heightened state of cybersecurity alertness, especially given the persistent threats from groups like APT28. The deviation in Fancy Bear's attack method, from using fake government documents to a more personal approach, indicates a potential shift in tactics, suggesting they are experimenting with new strategies to breach systems. The use of Tor by the attackers underscores the increasing sophistication and determination to remain undetected. Given the historical context and the continuous cyber threats from Russian-affiliated groups, it's evident that Ukraine's critical infrastructure remains a prime target. The nation's proactive defense measures, as demonstrated in this incident, will be crucial in safeguarding its digital landscape against future attacks.
FROM THE MEDIA: The notorious Russian cyberespionage group, Fancy Bear (or APT28), recently attempted a cyberattack on a critical energy facility in Ukraine. Using a phishing email as their entry point, they deviated from their usual tactics of mimicking government documents, instead sending an email with images and a deceptive message. This email also contained a BAT file designed to run a malicious script on the recipient's device. Once executed, the attackers installed the Tor software on the victim's computer, facilitating anonymous internet browsing and making it challenging to trace the data's origin. However, an employee at the targeted energy facility identified and countered the threat, restricting access to certain web resources and blocking the use of Windows Script Host.
READ THE STORY: The 420 (India) // The Record
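The mitigation credited to the facility employee above, blocking Windows Script Host, can be audited and applied centrally. The following is an added example written for this digest, not code from any of the cited reports; it uses the documented WSH "Enabled" registry value and assumes an elevated session for the machine-wide (HKLM) change.

```powershell
# Added example: audit and optionally disable Windows Script Host (WSH).
# WSH honours a DWORD value "Enabled" under the Settings key; 0 disables it,
# a missing or nonzero value leaves it on. Assumes an elevated session for HKLM.
$WshPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'    # current user
)

function Get-WshState {
    # Returns one object per hive stating whether WSH is currently enabled there.
    foreach ($path in $WshPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Path    = $path
            Enabled = if ($null -eq $value) { $true } else { [bool]$value }   # absent value means WSH is on
        }
    }
}

function Disable-Wsh {
    # Sets Enabled=0 in both hives; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $WshPaths) {
        if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0')) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-WshState | Format-Table -AutoSize
# Disable-Wsh -WhatIf    # preview the change; drop -WhatIf to apply it
```

Disabling WSH breaks any legitimate .vbs or .js logon scripts, so check Get-WshState output and scheduled tasks before rolling the change out fleet-wide.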
Illia Vitiuk's Leadership in Ukraine's Digital Battlefront and the Evolution of Cyber
Analyst Comments: The digital war between Ukraine and Russia offers a glimpse into the evolving nature of modern warfare. While Russia employed a combination of cyberattacks, missiles, and drone strikes to weaken Ukraine's infrastructure, the resilience of Ukraine's defenders, led by Vitiuk, showcased the nation's robust cybersecurity measures. These measures were honed through years of experience, starting with basic DDoS attacks in 2014 and escalating to more sophisticated attacks targeting the power grid and other critical systems. Vitiuk's leadership, combined with the support of international allies and the dedication of local cyber volunteers, has been instrumental in safeguarding Ukraine's digital landscape.
FROM THE MEDIA: In the wake of Russia's full-scale invasion into Ukraine, Illia Vitiuk, the head of the cyber department at Ukraine's top counterintelligence agency, the Security Service of Ukraine (SBU), emerged as a pivotal figure in the nation's cyber defense. With a history of battling Russian hackers and spies, Vitiuk and his team faced unprecedented challenges, from physically relocating critical servers away from Kyiv to counteracting a barrage of nearly 3,000 cyberattacks in a year. Despite Russia's relentless efforts, Ukraine's digital infrastructure remained largely intact, thanks to the vigilance of Vitiuk's team and their collaborations with allies.
READ THE STORY: NPR
The Aftermath of the 2022 LastPass Hacks: Rising Concerns Over Compromised Data and Cryptocurrency Losses
Analyst Comments: The allegations against LastPass highlight the increasing concerns surrounding digital security, especially in the realm of cryptocurrency. The potential link between the LastPass breaches and the reported crypto thefts underscores the vulnerabilities users face, even when using trusted password managers. While LastPass has taken steps to address security concerns, the recurring allegations emphasize the need for continuous vigilance and proactive measures in the digital security landscape.
FROM THE MEDIA: LastPass, a popular password manager, is once again under scrutiny following allegations related to compromised data from its 2022 hacks. Users, particularly on the platform X (formerly Twitter), have reported unexplained depletions of their cryptocurrency wallets, linking these losses to the breaches of LastPass in 2022. One user, Tay, alleges that attackers have stolen at least $32 million using compromised keys from LastPass. Despite these claims, the legitimacy of the accusations remains unverified. Earlier this year, LastPass faced a lawsuit over an alleged theft of over $50,000 due to its breaches. While the company refrained from commenting on the specific allegations, Karim Toubba, CEO of LastPass, emphasized their ongoing collaboration with law enforcement and other partners to identify the culprits. The company has also introduced measures to enhance user security, including the Security Dashboard, which provides proactive credential monitoring.
READ THE STORY: CyberNews
BLISTER Malware Update: Enhanced Stealth and Network Infiltration Capabilities
Analyst Comments: The continuous evolution and active maintenance of malware like BLISTER emphasize the persistent threats in the cybersecurity landscape. The ability of malware to embed within legitimate software libraries and bypass security measures is a significant concern. Organizations and individuals must remain vigilant, continuously update their security protocols, and stay informed about the latest threats to ensure their digital assets and networks remain protected.
FROM THE MEDIA: An updated version of a malware loader named BLISTER is now being utilized in SocGholish infection chains to distribute an open-source command-and-control (C2) framework known as Mythic. This new BLISTER update includes a keying feature that allows for more precise targeting of victim networks and reduces exposure within VM/sandbox environments. BLISTER was initially discovered by Elastic Security Labs in December 2021, where it was used to distribute Cobalt Strike and BitRAT payloads on compromised systems. The malware's association with SocGholish, a JavaScript-based downloader malware, to deliver Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023. In these attacks, BLISTER is embedded within a legitimate VLC Media Player library to bypass security software and infiltrate victim environments. Both SocGholish and BLISTER have been used in multiple campaigns, with BLISTER acting as a second-stage loader to distribute Cobalt Strike and LockBit ransomware. The malware is being actively maintained, with its authors integrating various techniques to remain undetected and hinder analysis.
READ THE STORY: THN
SMART ePANTS: The Future of Surveillance Wearables
Analyst Comments: The introduction of SMART ePANTS represents a significant leap in wearable technology. While the primary intent is to aid intelligence and security agencies, the broader implications of such technology cannot be ignored. The ability to record audio, video, and track geolocation discreetly raises concerns about privacy and the potential for misuse. The US government's past actions, especially post-9/11, have shown tendencies towards mass surveillance, which makes the introduction of such technology even more contentious. Dr. Dawson Cagle, overseeing the SMART ePANTS program, envisions a future where the research's outcomes have broader applications beyond intelligence. The goal is to integrate various components like computers, sensors, batteries, and wires into a single wearable device. While the technology's potential is vast, from medical applications to consumer wearables, the ethical implications and potential for misuse need to be addressed. The program has been allocated a 42-month timeline for results, and its progress will undoubtedly be watched closely by both proponents and critics.
FROM THE MEDIA: The US government has initiated the SMART ePANTS program, aiming to develop active smart textiles (AST) that can be woven directly into everyday clothing. These textiles, embedded with sensors, cameras, and wires, allow wearers to record audio and video, and their location can be tracked via geolocation sensors. The garments, which can range from shirts to underwear, are designed to be stretchable, bendable, washable, and comfortable. Developed under the Intelligence Advanced Research Projects Activity (IARPA), the primary application of these textiles will be for intelligence, counterterrorism, and national security agencies. However, concerns arise regarding the potential misuse of this technology for mass surveillance, given the US government's history of warrantless surveillance.
READ THE STORY: Interesting Engineering
Maria Ressa's Warning on the Future of Democracy and the Role of AI
Analyst Comments: Maria Ressa's speech serves as a stark reminder of the challenges facing modern democracies in the age of advanced technology and AI. Her insights into the attention economy and the manipulative power of AI underscore the pressing need for stringent regulations and ethical considerations in tech development and deployment. Furthermore, her personal experiences with the Philippine government provide a real-world example of the threats journalists face when challenging authority, emphasizing the importance of press freedom in preserving democracy. The mention of Rappler's use of ChatGPT showcases that while AI has potential benefits, it's the unchecked and unethical use that poses the most significant threat. Ressa's call to action is clear: the battle for facts is paramount, not just for the sake of truth but for the very survival of democracy and the ability to address other global challenges.
FROM THE MEDIA: Nobel Peace Prize laureate Maria Ressa, during her speech at the National Press Club in Washington, expressed grave concerns about the future of democracy, predicting its fate will be sealed by 2024. She emphasized the indispensable role of truth and journalism in this battle, highlighting the dangers of a world without factual integrity, especially in the context of elections. Ressa attributed the current global predicament to a "tech-enabled Armageddon," with generative artificial intelligence playing a significant role in manipulating human behavior. She described a new paradigm, the attention economy, where human focus is the ultimate prize, leading to real-time experimentation on individuals with potentially catastrophic outcomes. Ressa also pointed out the alarming speed at which false information spreads online compared to the truth, laying the blame squarely on tech platforms.
READ THE STORY: VOA
Galactic Energy's Innovative Sea Launch Technology Boosts China's Space Ambitions
Analyst Comments: Galactic Energy's achievement underscores China's determination to be at the forefront of space exploration and satellite deployment. The innovative approach of using a mobile sea platform not only offers logistical advantages but also presents a more economical alternative to traditional land-based launches. The success of this launch could pave the way for more frequent and flexible satellite deployments, giving China a competitive edge in the global space race. The mention of the Internet of Things constellation indicates China's vision for a connected future, where satellites play a crucial role in data communication and connectivity.
FROM THE MEDIA: Beijing-based space company, Galactic Energy, has achieved a significant milestone by becoming the first commercial space entity in China to launch a satellite from the sea. This innovative launch utilized unique technologies that could potentially enhance China's space launch capabilities. The Ceres-1 solid-fuel rocket was launched from a mobile platform off the coast of Shandong province, successfully sending four satellites into an orbit approximately 800km above Earth. These satellites will be part of an Internet of Things constellation. Unlike traditional sea launches that use a launch tube or rack, the Ceres-1 was launched from a transport erector launcher, a method touted as the world's first hot launch on a land transport vehicle at sea. This approach offers a simpler, more efficient, and cost-effective alternative to traditional methods. The successful launch signifies China's growing prowess in space technology and its ability to adapt and innovate in the rapidly evolving space industry.
READ THE STORY: SCMP (STATE SPONSORED)
Group-IB Exposes a Covert Phishing Ecosystem Targeting Microsoft 365 Users
Analyst Comments: W3LL's operations signify a sophisticated and organized approach to cybercrime, emphasizing the evolving nature of threats in the digital age. Their ability to remain concealed while operating a vast phishing empire showcases the challenges faced by cybersecurity experts in tracking and mitigating such threats. The W3LL Store's comprehensive suite of tools, ranging from custom phishing kits to mailing lists and compromised server access, indicates a one-stop-shop for cybercriminals, making BEC attacks more accessible and efficient. The fact that W3LL specifically targeted Microsoft 365 accounts underscores the platform's popularity and the potential value of the data within these accounts.
FROM THE MEDIA: Singapore-based global cybersecurity leader, Group-IB, has unveiled a comprehensive threat report titled “W3LL DONE: HIDDEN PHISHING ECOSYSTEM DRIVING BEC ATTACKS”. This report sheds light on the clandestine operations of W3LL, a threat actor responsible for a vast phishing empire that has been largely under the radar. Over the past six years, W3LL has been instrumental in compromising Microsoft 365 business email accounts. They established a concealed underground market, the W3LL Store, catering to a select community of around 500 threat actors. This store offers a custom phishing kit, the W3LL Panel, adept at bypassing Multi-Factor Authentication (MFA), along with 16 other tailor-made tools for executing business email compromise (BEC) attacks. Group-IB's investigations revealed that between October 2022 and July 2023, W3LL's phishing tools targeted over 56,000 corporate Microsoft 365 accounts across the USA, Australia, and Europe. The estimated turnover for W3LL's Store in the last 10 months is around $500,000. All findings related to W3LL have been communicated to the appropriate law enforcement agencies.
READ THE STORY: Group IB
Schweitzer Engineering Laboratories' Products Found to Have Nine Critical Flaws
Analyst Comments: The vulnerabilities in SEL's products, particularly in SEL-5030 acSELeratorQuickSet and SEL-5037 GridConfigurator, are of grave concern given their critical role in commissioning, configuring, and monitoring devices in power management systems. The ability for a threat actor to exploit these vulnerabilities, especially through tactics like phishing, not only jeopardizes the immediate security of the systems but also poses broader risks to the electric infrastructure. The combination of vulnerabilities, such as CVE-2023-31171 and CVE-2023-31175, which can grant administrative rights, further amplifies the potential damage. Given the essential nature of power management in modern infrastructure, addressing these vulnerabilities should be of paramount importance to ensure the safety, reliability, and resilience of power systems.
FROM THE MEDIA: Schweitzer Engineering Laboratories (SEL) has been identified to have nine significant security vulnerabilities in its power management products. This alarming discovery was highlighted in a report by Nozomi Networks, which detailed the potential risks associated with these flaws. The most severe among these vulnerabilities could enable threat actors to remotely execute code on an engineering workstation, posing a significant threat to the integrity and security of power management systems.
READ THE STORY: THN
Poland's Defense Evolution: Introducing the HAASTA UAV
Analyst Comments: The introduction of the HAASTA drone comes at a time when the global drone landscape is witnessing rapid innovations. The drone's inception is particularly crucial in the backdrop of Russia's use of Shahed-type drones in the Ukraine conflict and similar technological advancements by countries like China and Iran. Shahed-type drones, often referred to as 'kamikaze drones', are designed to hover and then crash into designated targets, providing a cost-effective solution for hitting fixed objectives. HAASTA's primary mission is to neutralize such threats, and it comes equipped with a 5.45mm underbelly-mounted machine gun specifically designed to counter Shahed-type drones. Furthermore, the drone's capabilities extend beyond military applications. It can be used for Intelligence, Surveillance, and Reconnaissance (ISR) missions, operate deep within enemy territories, and even has potential civilian applications such as monitoring long-distance infrastructure and cargo transport.
FROM THE MEDIA: In a significant stride in defense technology, Poland has unveiled the HAASTA unmanned aerial vehicle (UAV) at the International Defence Industry Exhibition (MSPO). This drone is designed to counter smaller airborne threats, marking a pivotal move for Poland amidst the rapid advancements in drone capabilities by nations like Russia and China. The HAASTA UAV is in line with the new STANAG 4703 standard, specifically tailored for fixed-wing light unmanned aircraft.
READ THE STORY: Interesting Engineering
Items of interest
Unmasking North Korea's Cyber Operative: The Trail to Park Jin Hyok
Analyst Comments: Park was identified as an active member of the Lazarus Group, a government-sponsored hacking team. He was also linked to Chosun Expo Joint Venture (Chosun Expo), a company initially founded as a joint venture between South and North Korea for e-commerce and lottery services. While South Korea withdrew from the venture, North Korea continued its operations, diversifying into online gaming and gambling. Park was stationed in the company's Chinese office in Dalian, where he held roles like "developer" and "online game developer." The DOJ believes Chosun Expo was a front for Lab 110, a component of North Korea's military intelligence apparatus.
FROM THE MEDIA: On September 6, the US Department of Justice (DOJ) charged North Korean programmer, Park Jin Hyok, for his alleged involvement in a series of significant cyber-attacks over recent years. The 179-page indictment accuses Park, a 34-year-old North Korean, of being part of numerous cyber intrusions, including the WannaCry ransomware attack in 2017, attempts to hack US defense contractor Lockheed Martin in 2016, the Bangladesh Central Bank cyber-heist in 2016, and the breach at Sony Pictures Entertainment in 2014, among others.
READ THE STORY: ZDNET
LAZARUS: The Rise of North Korean CyberCriminals (Video)
FROM THE MEDIA: Since 2009, a group known today as the "Lazarus Group" has been rebranding throughout the years and, with the backing of North Korea's government, has evolved from performing nationwide DDoS attacks to eventually siphoning over a billion dollars of currency from all over the world. How did this group grow to become this notorious?
The $1,000,000,000 North Korean Bank Heist (Video)
FROM THE MEDIA: Bangladesh, February 7th, 2016. The director of the Bangladesh Central Bank got off the elevator on the ninth floor, and headed to the back office of the Accounts and Budgeting Department. This was the most restricted part of the building. He was there to deal with a problem, one that had been plaguing the office the last few days…
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.