Daily Drop (591): Trickbot: Clamp Down, iOS: Zero-days, AI-Driven Misinformation, TV based Botnet, Vladislav Klyushin, Huawei: Tech Cold War, Outlook: Storm-0558, East Asia's Cyber Threats
09-08-23
Friday, Sep 08, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
U.S. and U.K. Clamp Down on Trickbot Cybercrime Syndicate
Analyst Comments: The continued actions against the Trickbot syndicate and its associates highlight the growing urgency and collaborative efforts of the U.S. and U.K. governments in combating cyber threats, especially those with potential state actor ties. The Trickbot group, which has been operational since 2016, has evolved into a comprehensive malware suite, causing significant disruptions, including attacks on medical facilities during the COVID-19 pandemic. The group's resilience, demonstrated by its survival of a takedown attempt in 2020 and its subsequent shutdown in 2022, underscores the challenges faced by global law enforcement in combating such threats. The sanctions, combined with the unsealing of indictments, send a clear message to cybercriminals about the consequences of targeting critical infrastructure in the U.S. and U.K. The focus on Trickbot, Conti, and other associated entities indicates a strategic approach to dismantling networks that pose significant threats to national security and critical infrastructure.
FROM THE MEDIA: The U.S. and U.K. governments have intensified their crackdown on cybercrime by naming and sanctioning 11 Russians believed to be associated with the infamous Trickbot cybercrime group. This group, which has alleged ties to Russian intelligence, has been a significant concern for both nations. The U.S. Treasury Department has emphasized that all 11 sanctioned individuals play pivotal roles in the management and procurement for Trickbot. These sanctions are not the first of their kind; a similar joint action was taken in February against individuals linked to Trickbot, Conti, and Ryuk cybercrime activities. The implications of being on this sanctions list are severe: it imposes travel bans, freezes assets, and prohibits business interactions with those listed, affecting both American and British individuals and organizations. The U.S. Treasury has also warned foreign financial institutions of potential sanctions if they knowingly facilitate significant transactions with any of the sanctioned Russians.
READ THE STORY: CyberScoop // The Record // The Register
Apple's Urgent Response: Patching Zero-Day Vulnerabilities Tied to Pegasus Spyware
Analyst Comments: The rapid response from Apple in addressing these vulnerabilities underscores the severity and potential risks associated with zero-day exploits, especially when linked to powerful spyware like Pegasus. The continuous discovery of such vulnerabilities in widely-used devices emphasizes the evolving challenges in cybersecurity. The association of these vulnerabilities with the NSO Group's Pegasus spyware, which has a history of being used for surveillance purposes, further accentuates the ethical and security concerns surrounding commercial spyware. As cyber threats continue to evolve, it's crucial for tech giants like Apple to remain vigilant and proactive in safeguarding user data and privacy.
FROM THE MEDIA: Apple has swiftly released software updates to address two zero-day vulnerabilities that were reportedly exploited to deliver the NSO Group's Pegasus spyware. These vulnerabilities were discovered in Apple's iOS, iPadOS, macOS, and watchOS. Cybersecurity researchers from the Citizen Lab at The University of Toronto have emphasized the importance of Apple device users updating their operating systems immediately to rectify these vulnerabilities. The first vulnerability, identified as CVE-2023-41064, affects devices such as iPhones, iPads, Macs, and Apple Watches. This vulnerability can be exploited when these devices process a "maliciously crafted image," specifically within the Image I/O framework. The second vulnerability, CVE-2023-41061, arises in Apple's Wallet function and can create security issues when a device receives a "maliciously crafted attachment." Citizen Lab's investigation revealed that these vulnerabilities were being actively exploited, particularly in a zero-click iMessage exploit chain named BLASTPASS, to deploy the Pegasus spyware on iPhones running the latest iOS version (16.6) without any interaction from the victim.
READ THE STORY: THN // The Record
China's AI-Driven Misinformation Campaign Targets U.S. Voters
Analyst Comments: The revelation of China's AI-driven misinformation campaigns underscores the evolving nature of cyber threats and the increasing sophistication of influence operations. The use of AI to generate images that resonate with social media users, even if they are of low quality, highlights the potential power and reach of such campaigns. As geopolitical tensions continue to rise, it's crucial for nations and tech giants to remain vigilant and proactive in identifying and countering such threats. The blending of technology, politics, and misinformation presents a complex challenge that requires a multifaceted response.
FROM THE MEDIA: China is reportedly employing AI-generated images to influence U.S. voters, according to a new report by Microsoft. The report titled "Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness" highlights that Chinese state-affiliated hacking groups are utilizing AI to automatically generate images for influence operations. The primary objective is to emulate voters from various political backgrounds and ignite controversies based on racial, economic, and ideological differences through diffusion-powered image generators. Clint Watts, the general manager of Microsoft's Threat Analysis Center, mentioned in a blog post that these AI-driven campaigns focus on divisive topics like gun violence and aim to denigrate U.S. political figures and symbols. Despite some images being of subpar quality, they still manage to captivate social media users, leading to frequent reposts. Outside of the U.S., China's primary focus lies on nations surrounding the South China Sea. The principal group behind these operations, Raspberry Typhoon, targets government sectors, military entities, and crucial infrastructure companies, especially in the telecom domain. China is also leveraging the trend of social media influencers through "multilingual internet celebrity studios".
READ THE STORY: Forbes
Pandora's Box: The New Botnet Threat Targeting Android TVs
Analyst Comments: This new menace has set its sights on inexpensive Android-based TV sets and boxes, turning them into unwilling participants in distributed denial-of-service (DDoS) attacks. Doctor Web, a Russian cybersecurity firm, has highlighted the potential infiltration methods: malicious firmware updates or deceptive applications that promise pirated video content. Several apps, notably Latino VOD, Tele Latino, UniTV, and YouCine TV, have been identified as culprits. Once installed, they discreetly launch a service that paves the way for Pandora's installation. The botnet then communicates with a remote server, altering the system's host files and preparing the device for DDoS attacks.
FROM THE MEDIA: The cybersecurity landscape has witnessed the emergence of a new threat: a variant of the notorious Mirai botnet named "Pandora." This malicious software specifically targets inexpensive Android-based TV sets and TV boxes, turning them into unwilling participants in distributed denial-of-service (DDoS) attacks. Russian cybersecurity firm Doctor Web has highlighted the potential infiltration methods: malicious firmware updates or deceptive applications designed for viewing pirated video content. Interestingly, these malicious updates seem to be widely available across various websites, bearing signatures from the publicly accessible Android Open Source Project test keys. Once a device is compromised, the malware ensures its persistence, even through system restarts, by embedding itself in the boot.img. Further complicating matters, certain apps, seemingly designed for streaming pirated content, have been flagged as potential carriers of this botnet. These apps, primarily targeting Spanish-speaking users, silently initiate a background service upon installation, setting the stage for Pandora's deployment.
READ THE STORY: THN
Vladislav Klyushin's Cyber-Crime Operation Exploits Confidential Corporate Data for Massive Gains
Analyst Comments: The modus operandi of Klyushin's group was to infiltrate computer networks, pilfering financial filings of companies before their public release. This stolen data was then used to trade stocks illicitly. Two other Russians, Mikhail Vladimirovich Irzak and Igor Sergeevich Sladkov, were also charged in relation to this insider-trading scheme but remain fugitives. The trio, Klyushin, Ermakov, and Rumiantcev, were employees at the Moscow-based M-13 firm, which boasted several Russian government ministries as its clients. Their cyber-crime spree spanned from January 2018 to September 2020, during which they hacked into Donnelley Financial Solutions (DFIN) and Toppan Merrill, companies responsible for managing public companies' SEC financial filings. Using malware, they captured employee credentials, granting them access to yet-to-be-released corporate financial reports. This inside information was then used to trade stocks of companies like Tesla, Snap, Roku, Avnet, and Capstead Mortgage, leading to their ill-gotten gains of approximately $93 million.
FROM THE MEDIA: Vladislav Klyushin, the Russian proprietor of M-13, a security penetration testing company, has been sentenced to nine years in a U.S. prison. His crime? Orchestrating a cyber-crime operation that illicitly acquired confidential financial data from top-tier corporations, subsequently leveraging this inside information to amass a staggering $93 million through insider trading. Klyushin, a 42-year-old Moscow resident, was apprehended in Sion, Switzerland, in March 2021. His charges encompassed securities fraud, wire fraud, unauthorized computer access, and conspiracy. He was found guilty in February. Two of his alleged accomplices, Ivan Ermakov and Nikolai Rumiantcev, are still evading capture. Intriguingly, Ermakov, previously associated with the Russian Main Intelligence Directorate (GRU), had been indicted in 2018 for his alleged involvement in the 2016 U.S. election interference and other cyber-crimes.
READ THE STORY: The Register
The Mate 60 Pro's Debut and its Implications in the US-China Tech Cold War
Analyst Comments: While the Chinese state media has celebrated the phone as a victory against US restrictions, both Huawei and the Beijing government have been notably silent about the device's technical specifics. Some articles discussing the phone's internals have even been removed from Chinese social media platforms. Experts have voiced concerns about the chip's capabilities. The Kirin 9000s uses SMIC’s new 7nm technology, while the industry is transitioning to 3nm chips by next year. Current top-tier chips in the Android and iOS ecosystems are based on the 4nm process. Huawei, therefore, has some catching up to do.
FROM THE MEDIA: The recent launch of Huawei Technologies' Mate 60 Pro smartphone has stirred discussions across various sectors, from politics to technology. This device, a testament to China's escalating capabilities in semiconductor technology, has industry experts contemplating its role in the ongoing US-China tech rivalry. Huawei's journey has been shrouded in mystery since its 2020 US blacklist, which cut off its access to cutting-edge American chip technologies. The Mate 60 Pro's release has intensified this intrigue, mainly due to its Kirin 9000s chip. This chip, manufactured by China's premier foundry, Semiconductor Manufacturing International Corp (SMIC), represents a significant leap for Chinese foundries. TechInsights, a Canadian semiconductor research firm, has labeled it a "made-in-China design and manufacturing milestone." However, both Huawei and SMIC have remained tight-lipped about this advancement.
READ THE STORY: Interesting Engineering
Outlook Hack: Storm-0558 Exploits Microsoft's Crash Dump, Exposing Vulnerabilities in Key Management
Analyst Comments: The breach's origin was traced back to a software crash in April 2021, which produced a 'crash dump'. This dump, meant to redact sensitive data, inadvertently contained the signing key due to a race condition. This oversight was compounded when the crash dump was transferred from a secure environment to an internet-connected debugging space. During this transition, Storm-0558 compromised a Microsoft engineer's account, extracting the digital key. The breach facilitated unauthorized access to Outlook Web Access (OWA) and Outlook.com for nearly 25 organizations.
FROM THE MEDIA: Microsoft has disclosed how a China-based threat actor, dubbed Storm-0558, managed to acquire a dormant consumer signing key, which was then used to access Outlook. The breach was traced back to a software crash in April 2021. A snapshot of the crashed process, known as a 'crash dump', was created. This dump, which should have redacted sensitive information, mistakenly included the signing key due to a race condition. Microsoft's systems failed to detect the key's presence in the crash dump. The crash dump was subsequently moved from a secure production environment to a debugging environment connected to the internet. During this time, Storm-0558 compromised a Microsoft engineer's corporate account and extracted the digital key from the snapshot. Microsoft's report suggests that the key might have been in the possession of the threat actor for over two years before its discovery in June 2023. This breach enabled unauthorized access to Outlook Web Access (OWA) and Outlook.com for approximately 25 organizations. The issue arose from a validation error that mistakenly trusted the key for signing Azure AD tokens. Microsoft has since rectified the problem and has expanded access to security logging for its users.
READ THE STORY: The Register // THN
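The Storm-0558 story turns on a key-scoping failure: a consumer signing key was accepted by validation logic that should only have trusted enterprise keys. The following is an added example, not Microsoft's code or the page's own; it uses HMAC-signed compact tokens instead of the RSA-signed tokens a real identity service issues, and the key ids, secrets and issuer URLs are constructed for illustration. It contrasts a verifier that trusts any key in a merged keyring with one that binds each key to the issuer it is allowed to sign for.

```python
import base64
import hashlib
import hmac
import json

# Constructed keyring for this example (key ids and secrets are made up).
# Each signing key is bound to the identity system it serves; the consumer
# key must never validate an enterprise (Azure AD-style) token.
KEYRING = {
    "consumer-key-2016": {"secret": b"consumer-demo-secret", "scope": "consumer"},
    "enterprise-key-2023": {"secret": b"enterprise-demo-secret", "scope": "enterprise"},
}

# Issuer strings are illustrative, not Microsoft's real endpoints.
SCOPE_FOR_ISSUER = {
    "https://login.example.com/consumers": "consumer",
    "https://login.example.com/contoso-tenant": "enterprise",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Sign a compact JWS-style token (HS256) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYRING[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    return header, claims, (h + "." + p).encode(), _b64url_decode(s)


def _signature_ok(kid: str, signing_input: bytes, sig: bytes) -> bool:
    key = KEYRING.get(kid)
    if key is None:
        return False
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_unscoped(token: str) -> bool:
    """Flawed verifier: any key in the merged keyring is trusted for any token.
    A valid signature from the consumer key is enough to pass an enterprise token."""
    header, _claims, signing_input, sig = _split(token)
    return _signature_ok(header.get("kid"), signing_input, sig)


def verify_scoped(token: str) -> bool:
    """Hardened verifier: the signature must check out AND the key's scope
    must match the scope implied by the token's issuer claim."""
    header, claims, signing_input, sig = _split(token)
    kid = header.get("kid")
    if not _signature_ok(kid, signing_input, sig):
        return False
    required = SCOPE_FOR_ISSUER.get(claims.get("iss"))
    return required is not None and KEYRING[kid]["scope"] == required


def demo() -> dict:
    """Mint a legitimate enterprise token and one signed with the consumer key
    (modelling a stolen consumer key), then run both verifiers over each."""
    enterprise_claims = {"iss": "https://login.example.com/contoso-tenant", "sub": "alice", "aud": "outlook"}
    legit = mint_token("enterprise-key-2023", enterprise_claims)
    wrong_key = mint_token("consumer-key-2016", enterprise_claims)
    return {
        "legit_unscoped": verify_unscoped(legit),
        "legit_scoped": verify_scoped(legit),
        "wrong_key_unscoped": verify_unscoped(wrong_key),
        "wrong_key_scoped": verify_scoped(wrong_key),
    }


if __name__ == "__main__":
    print(demo())
```

The unscoped verifier reports the consumer-signed enterprise token as valid, which is the class of mistake the article describes; the scoped verifier rejects it because the key's scope and the issuer's required scope disagree. In a production service the same binding would be expressed by keeping separate JWKS endpoints per issuer and never merging them into one lookup table.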
Unraveling China and North Korea's Digital Aggressions and Their Implications
Analyst Comments: Microsoft's insights underscore the evolving and multifaceted nature of East Asian cyber threats. The blend of traditional espionage tactics with modern, AI-driven influence operations signifies a new era in information warfare. The evident alignment of North Korea's cyber espionage with its defense objectives is particularly concerning, hinting at a strategic synchronization. This report serves as a clarion call for nations and corporations, emphasizing the need for vigilance and adaptability in the face of these ever-evolving digital threats.
FROM THE MEDIA: Microsoft's recent report, "Digital threats from East Asia increase in breadth and effectiveness," delves into the escalating cyber threats from China and North Korea. The study pinpoints four pivotal trends: China's amplified espionage targeting nations around the South China Sea; Beijing's refined use of social media for influence, even extending to US elections; the multilingual expansion of these operations; and North Korea's burgeoning interest in maritime technology. The report also sheds light on specific groups like "Raspberry Typhoon" and "Flax Typhoon," which target various sectors and regions, and highlights China's innovative use of AI for content creation in influence operations. Interestingly, despite evident AI glitches, such content has found traction on social media platforms. Additionally, North Korea's cyber focus on the maritime sector seems to align with its recent maritime technological advancements.
READ THE STORY: The Register
Items of interest
Texas Cryptomining Firm Earns More from Power Credits than Bitcoin Mining
Analyst Comments: Riot Platforms' strategy of capitalizing on power credits amidst fluctuating Bitcoin prices showcases a unique approach to maintaining profitability in the volatile cryptocurrency market. The company's ability to earn more from energy credits than from actual Bitcoin mining underscores the challenges and uncertainties inherent in the crypto sector. With energy prices on the rise and Bitcoin's value not showing the same vigor as in 2021, Riot's pivot to leverage ERCOT's demand response program might serve as a blueprint for other mining companies facing similar challenges. However, the sustainability of this model in the long term remains to be seen, especially if energy credits become less lucrative or if Bitcoin's value sees a resurgence.
FROM THE MEDIA: Riot Platforms, a Bitcoin mining company, recently disclosed that it earned a staggering $31.7 million from Texas power authorities in August for curtailing its operations. This amount significantly overshadows the value of the Bitcoin they mined during the same period, which was worth just under $9 million. The Electric Reliability Council of Texas (ERCOT) has a demand response program that rewards major energy consumers like Riot with power credits for reducing their energy consumption and selling power back to the grid. Riot's CEO, Jason Les, highlighted that these credits substantially reduce the company's Bitcoin mining costs, positioning Riot as one of the industry's lowest-cost Bitcoin producers. This strategy has proven especially beneficial given the decline in Bitcoin's value, which has been hovering in the mid-$20k range, a stark contrast to its near $70k peak in late 2021.
READ THE STORY: The Register
Apple Won't Be Using RISC-V For The Foreseeable Future - Signs Long Term Deal with Arm (Video)
FROM THE MEDIA: Apple has signed a new long-term deal with Arm which guarantees Apple's access to the Arm architecture to 2040 and beyond. We can therefore assume that Apple hasn't been sucked into the hype around RISC-V. Apple will also be an initial investor during the Arm IPO later this year.
Are Flow Batteries About to Take Over? A Lab Tour of RedFlow's Zinc Bromine Battery (Video)
FROM THE MEDIA: Energy storage is a huge topic these days, as electricity grids draw larger and larger proportions of their supply from variable renewable sources like wind and solar, and storage is used to fill the gaps between variable supply and demand. Traditionally, nearly all storage in the electricity grid came through hydroelectric dams, but in recent years the new storage capacity that’s been added has been overwhelmingly lithium-ion batteries. This has occurred in tandem with EVs and their lithium-ion batteries also experiencing exponential growth.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.