Daily Drop (598): Iran: Peach Sandstorm, CVE-2023-29491, BlackCat/Alphv, UK Ransomware Attacks, DPRK: Laundering, Raytheon: Saudi's Scopa Defense, BurntCigar Malware, South China, CCP: Your Data
09-15-23
Friday, Sep 15, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
North Korean Hackers Leveraging Russian Exchanges for Money Laundering
Analyst Comments: The collaboration between North Korean and Russian cybercriminal entities poses significant challenges for global authorities. Russia's well-known reluctance to cooperate with international law enforcement efforts makes the recovery of stolen funds from Russian exchanges particularly challenging. While mainstream centralized exchanges typically cooperate with authorities, Russian exchanges and Russian law enforcement have a history of non-cooperation, drastically reducing the likelihood of asset recovery. Chainalysis data for 2023 reveals that while the value of cryptocurrency stolen by DPRK-linked groups has decreased compared to 2022, the threat remains significant. DPRK-linked groups are responsible for 29.7% of cryptocurrency thefts via hacks this year.
FROM THE MEDIA: Recent on-chain data has unveiled alarming connections between North Korean and Russian cyberattack infrastructures. Following a significant arms meeting between North Korean leader Kim Jong-un and Russian President Vladimir Putin, there is evidence suggesting that hacking groups linked to the Democratic People's Republic of Korea (DPRK) are increasingly utilizing Russia-based exchanges notorious for laundering illicit cryptocurrency assets. This revelation is particularly concerning as independent sanctions monitors have highlighted North Korea's evolving cyber warfare strategies. An upcoming United Nations report indicates that North Korea is resorting to advanced cyberattacks to finance its nuclear missile programs. These "state-sponsored" hacking groups are primarily targeting cryptocurrency and financial exchanges globally.
READ THE STORY: Sepoy
The South China Sea’s Resource Wars: Beyond Fossil Fuels
Analyst Comments: While fossil fuels have been a traditional point of contention, the emerging race for "green" metals and minerals, essential for renewable energy technologies, adds another layer of complexity to the geopolitical dynamics. The environmental concerns associated with deep-sea mining, combined with the lack of regulatory oversight, present a significant challenge. The article underscores the need for a balanced approach that prioritizes both environmental preservation and sustainable resource extraction. The geopolitical maneuvers by major powers, driven by economic and strategic interests, could have long-term implications for the region's ecological health and global stability.
FROM THE MEDIA: The South China Sea, spanning 1.3 million square miles, has become a focal point for geopolitical tensions between the East and West, particularly between China and the United States. While the potential for military conflict remains, the region has already suffered significant environmental degradation. Over-harvesting has led to a sharp decline in fish populations, with tuna, mackerel, and shark numbers dropping to half of what they were in the 1960s. Coral reef atolls, vital for marine biodiversity, are under threat from rising ocean temperatures and construction activities, especially by the Chinese military on the disputed Spratly Islands. The presence of vast oil and gas reserves in the South China Sea has undoubtedly intensified territorial disputes. The U.S. government estimates that the region holds 11 billion barrels of oil and 190 trillion cubic feet of natural gas. The Asia Maritime Transparency Initiative has reported that multiple countries are initiating new oil and gas projects in these contested waters, leading to fears of escalating confrontations.
READ THE STORY: CounterPunch
Iranian State Hackers Target Global Satellite, Defense, and Pharmaceutical Industries
Analyst Comments: Peach Sandstorm's campaign, which spanned from February to July, utilized a mix of publicly accessible and custom tools to breach its targets and gather intelligence to further Iranian state interests. One of the techniques employed by the hackers was "password spraying." This method involves trying a single password, or a short list of frequently used passwords, against a large number of accounts to unlawfully access the target's devices. Despite its simplicity, this technique has proven effective, increasing the hackers' success rate while minimizing the risk of automatic account lockouts, since each individual account sees only a few failed attempts. The group's modus operandi becomes more intricate once they successfully infiltrate a target. Microsoft observed the hackers leveraging tools like AzureHound and ROADtools to extract information from a victim's system, access data in a target's cloud environment, and transfer specific data to a centralized database. The hackers also exploited known vulnerabilities in tools like Zoho ManageEngine and the team collaboration tool Confluence.
FROM THE MEDIA: Hackers with ties to the Iranian government have launched a series of cyberattacks targeting thousands of organizations worldwide, primarily in the satellite, defense, and pharmaceutical sectors. This revelation comes from recent research conducted by Microsoft. The hacking group, known as Peach Sandstorm and previously identified as Holmium, successfully infiltrated some of these organizations, stealing their data. Microsoft's report, released on Thursday, did not specify the countries under attack. However, recent cyber activities linked to Iran have predominantly targeted Israel, the U.S., Brazil, and the United Arab Emirates.
READ THE STORY: THN // The Record
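Password spraying, as described in the Peach Sandstorm item above, is detectable precisely because of the shape that keeps it under lockout thresholds: one source, many accounts, one or two failures each. The following is an added example (not from the page or from Microsoft's report) that classifies sources in a constructed authentication log as spray versus brute force; the log format, the 30-minute window and the thresholds are assumptions to adapt to your own telemetry.

```python
"""Flag password spraying in authentication logs.

Spraying inverts brute force: a handful of passwords is tried against many
accounts, so no single account accumulates enough failures to trip lockout.
Detection therefore pivots on the source, not the account.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not a vendor schema):
#   <ISO-8601 UTC timestamp> <OK|FAIL> user=<name> src=<ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str

@dataclass
class Finding:
    src: str
    kind: str            # "password_spray" or "brute_force"
    distinct_users: int
    failures: int
    max_per_user: int    # highest failure count against any one account

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # tolerate unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["result"] == "OK", m["user"], m["src"]))
    return events

def detect(events, window=timedelta(minutes=30), min_users=8, lockout=5):
    """Classify each source by its busiest `window` of failed logins."""
    # `lockout` is the tenant's failed-attempt threshold: a sprayer stays
    # below it per account, a brute-forcer blows through it on one account.
    by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e.ts)
        best, j = None, 0
        for i in range(len(fails)):          # two-pointer sliding window
            while j < len(fails) and fails[j].ts - fails[i].ts <= window:
                j += 1
            per_user = Counter(e.user for e in fails[i:j])
            stats = (len(per_user), sum(per_user.values()), max(per_user.values()))
            best = stats if best is None or stats > best else best
        users, total, top = best
        if top >= lockout:
            findings.append(Finding(src, "brute_force", users, total, top))
        elif users >= min_users:
            findings.append(Finding(src, "password_spray", users, total, top))
    return findings

# Constructed sample: one spray (8 accounts, at most 2 tries each), one
# classic brute force (5 tries on a service account), one user who mistyped twice.
SAMPLE_LOG = """\
2023-09-14T02:00:01Z FAIL user=alice src=203.0.113.10
2023-09-14T02:00:02Z FAIL user=bob src=203.0.113.10
2023-09-14T02:00:03Z FAIL user=carol src=203.0.113.10
2023-09-14T02:00:04Z FAIL user=dave src=203.0.113.10
2023-09-14T02:00:05Z FAIL user=erin src=203.0.113.10
2023-09-14T02:00:06Z FAIL user=frank src=203.0.113.10
2023-09-14T02:00:07Z FAIL user=grace src=203.0.113.10
2023-09-14T02:00:08Z FAIL user=heidi src=203.0.113.10
2023-09-14T02:12:00Z FAIL user=alice src=203.0.113.10
2023-09-14T02:13:00Z FAIL user=bob src=203.0.113.10
2023-09-14T03:00:00Z FAIL user=svc_backup src=198.51.100.7
2023-09-14T03:01:00Z FAIL user=svc_backup src=198.51.100.7
2023-09-14T03:02:00Z FAIL user=svc_backup src=198.51.100.7
2023-09-14T03:03:00Z FAIL user=svc_backup src=198.51.100.7
2023-09-14T03:04:00Z FAIL user=svc_backup src=198.51.100.7
2023-09-14T08:00:00Z FAIL user=bob src=192.0.2.5
2023-09-14T08:00:30Z FAIL user=bob src=192.0.2.5
2023-09-14T08:01:00Z OK user=bob src=192.0.2.5
"""

if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

Real-world tuning: sprayers often rotate source addresses, so the same grouping is worth repeating on ASN or user-agent rather than a single IP.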
UK Ransomware Attacks: Who's Behind the Surge
Analyst Comments: The escalating frequency of ransomware attacks in the UK underscores the pressing need for enhanced cybersecurity measures across all sectors. The involvement of third-party suppliers in these breaches emphasizes the importance of rigorous vetting processes, especially when they handle sensitive data. The international roots of these cybercriminal groups present a complex challenge in both addressing and preventing such attacks. A collaborative approach, involving organizations, cybersecurity experts, and governments, will be pivotal in curbing this rising menace. The legal position on ransom payments, while it discourages them, may need to be made clearer to deter organizations from paying.
FROM THE MEDIA: The Greater Manchester police force has recently fallen victim to a ransomware attack, marking yet another entity in the UK to suffer from this increasingly common cyber threat. This breach, facilitated through a third-party supplier, exposed sensitive data, including details on officers' name badges such as ranks, photos, and serial numbers. This incident is reminiscent of a similar breach that affected the Metropolitan police in August. The UK has witnessed a series of ransomware attacks this year, targeting diverse entities ranging from the Royal Mail and Capita to Barts Health NHS trust and The Guardian newspaper. Ransomware is malicious software that infiltrates computer networks, often through deceptive "phishing attacks." Once inside, it encrypts the system's content, making it inaccessible. The attackers then demand a ransom, typically in cryptocurrency, to restore access. A more sinister variant, known as "double extortion," sees the attackers extracting data and using it as a bargaining chip, threatening its public release or sale.
READ THE STORY: The Guardian
US-Canada Water: NoEscape Ransomware Gang Claims Theft of 80GB from the International Joint Commission
Analyst Comments: The attack on the IJC underscores the increasing audacity and capability of ransomware groups targeting critical infrastructure and organizations. The NoEscape gang's modus operandi of double extortion—stealing data before encrypting it—adds another layer of pressure on the victimized entities. Their threat to release sensitive data publicly can have far-reaching implications, especially for an organization like the IJC, which handles sensitive cross-border water rights. NoEscape's alleged ties to the former Soviet Union and its strategy of avoiding targets within this region align with the tactics of other ransomware groups. Their emergence, following the shutdown of other groups like Avaddon, suggests a continuous evolution and adaptation of cybercriminal networks.
FROM THE MEDIA: The International Joint Commission (IJC), responsible for managing water rights along the US-Canada border, has confirmed a cybersecurity breach. This acknowledgment comes in the wake of claims by the NoEscape ransomware group that they stole 80GB of data from the commission. The IJC's spokesperson refrained from providing specific details about the incident or verifying the data theft claims made by the cybercriminals. The IJC plays a crucial role in approving projects that influence water levels in the numerous lakes and rivers shared by the US and Canada. It also mediates disputes related to these shared waters. On September 7, NoEscape listed the IJC as a victim on its dark website. The gang alleges that they infiltrated the commission's network, stealing and encrypting a vast amount of confidential data. The stolen data purportedly includes contracts, legal documents, personal details of employees and members, financial records, insurance details, geological files, and other sensitive information. The ransomware group has given the IJC a ten-day window to meet its ransom demands, threatening to release the stolen data publicly if their demands are not met.
READ THE STORY: The Register
The Chinese Cybersecurity Conundrum: No Data is Safe
Analyst Comments: The narrative around apps like WeChat being tantamount to malware is a revelation, underscoring the depth and breadth of China's surveillance reach. The stark choices presented to foreign companies underscore the gravity of the situation. The article serves as a clarion call for businesses to either reconcile with the realities of China's surveillance state or reconsider their operational strategies within the country. The authors' credentials further lend weight to the arguments, making it an essential read for entities navigating the Chinese digital landscape.
FROM THE MEDIA: In a recent post on the China Law Blog, authors Dan Harris and Jonathan Bench delve into the intricate web of China's data security landscape. They highlight the challenges foreign companies face when trying to protect their critical data in China. Contrary to the popular belief that a technical solution exists to safeguard private technical data, the authors argue that the problem is more profound and systemic. The Chinese Communist Party (CCP) and its agents have access to virtually any data transmitted across the Chinese border.
READ THE STORY: HB
MGM Resorts Faces Major Cyberattack: The Scattered Spider Web
Analyst Comments: The recent cyberattacks on MGM Resorts and potentially Caesars Entertainment underscore the escalating threat that ransomware poses to large corporations, especially those in the lucrative casino industry. The attackers' shift from a unique plan targeting slot machines to a more traditional ransomware approach highlights their adaptability and determination. The involvement of Scattered Spider, known for their advanced social engineering skills, is particularly concerning. Their ability to impersonate IT help desks and exploit vulnerabilities in systems, such as MGM's reportedly outdated Microsoft Exchange Servers, indicates a high level of sophistication. Companies, irrespective of their industry, must prioritize cybersecurity, regularly update their systems, and train employees to recognize and report potential threats.
FROM THE MEDIA: MGM Resorts, a prominent hospitality giant with multiple properties across the U.S., including Las Vegas, recently fell victim to a significant cyberattack. The culprits, linked to the BlackCat/Alphv ransomware gang, initially aimed to manipulate MGM's slot machines. However, after failing in this endeavor, they resorted to encrypting the company's data and demanding cryptocurrency as ransom. The hackers, known as "Scattered Spider" or "0ktapus," have been involved in several high-profile cyberattacks in the past. Their modus operandi often involves sophisticated social engineering techniques, such as impersonating IT help desks. In addition to MGM, another casino giant, Caesars Entertainment, was reportedly attacked by the same group, although the hackers denied their involvement.
READ THE STORY: FT // The Record
Microsoft Uncovers Memory Corruption Flaws Impacting Linux and macOS Systems
Analyst Comments: The discovery of these vulnerabilities in the widely-used ncurses library underscores the importance of continuous security assessments, especially for foundational programming libraries. Given the potential for these vulnerabilities to be exploited for privilege escalation and code execution, organizations using Linux and macOS systems should prioritize patching and updating their systems to mitigate the risks. The collaboration between Microsoft and Apple in addressing these issues also highlights the importance of cross-industry cooperation in cybersecurity.
FROM THE MEDIA: Microsoft's Threat Intelligence researchers have identified a series of memory corruption vulnerabilities in the ncurses programming library, which is commonly used in Linux and macOS systems. The library, whose name is short for "new curses," is now under scrutiny for flaws that could potentially allow malicious actors to execute unauthorized code on affected systems. The vulnerabilities, which have been collectively designated as CVE-2023-29491 with a CVSS score of 7.8, were rectified as of April 2023. Microsoft collaborated with Apple to address issues specific to macOS arising from these vulnerabilities. The flaws were discovered when Microsoft's code auditing and fuzzing processes revealed that the ncurses library searches for several environment variables, including TERMINFO. Malicious actors could exploit these vulnerabilities by manipulating these environment variables, leading to unauthorized operations.
READ THE STORY: THN
Raytheon Cancels Multi-billion-dollar Agreement with Saudi's Scopa Defense Amid Alleged Links to Russia and China
Analyst Comments: The deal, which encompassed radars and various air defense systems, was projected to be a $25bn investment in Saudi Arabia, potentially generating $17bn in sales. Company records indicated that two firms linked to Scopa Defense, Tal Military Industries and Sepha Military Industries, had business ties with entities from China, Russia, and Belarus that are under sanctions. Furthermore, Scopa was allegedly trying to access sensitive data from RTX. Mohamed Alajlan, the owner of Scopa, denied allegations of engaging with internationally sanctioned companies and emphasized that any transactions with Chinese firms were solely for procuring raw materials for ammunition and armored vehicle production. The backdrop to this development is the ongoing geopolitical tension, with Western countries imposing sanctions on Russia since the onset of the Ukraine conflict and the US sanctioning China over various issues, including alleged cyberattacks and espionage activities.
FROM THE MEDIA: Raytheon Technologies Corporation (RTX), a major US weapons manufacturer, has reportedly terminated a significant deal with Saudi Arabian firm, Scopa Defense, due to concerns over the latter's alleged financial engagements with sanctioned entities from Russia, China, and Belarus. This decision comes in the wake of claims that Scopa Defense was in dealings with these entities, which are under US sanctions. The Wall Street Journal, citing anonymous sources, reported that the apprehensions stemmed from fears that weapon systems from the US could be compromised if the technologies integrated into Scopa Defense's weaponry were acquired by Chinese or Russian entities and subsequently reverse-engineered. This led to the resignation of Scopa Defense's advisory board, which consisted of retired US military officers. Scopa Defense, established in 2021, is part of Saudi Arabia's initiative to transition from arms importation to the development of its domestic military sector. In the previous year, RTX and Scopa Defense had signed a memorandum of understanding aimed at setting up an air defense systems factory in Saudi Arabia.
READ THE STORY: PRESSTV
Cuba Ransomware Group's New Stealth Tactics: A Deep Dive into BurntCigar Malware
Analyst Comments: The Cuba ransomware group's ability to continuously evolve its tactics underscores the dynamic nature of cyber threats. Their capability to manipulate timestamps, thereby deceiving investigators, is a testament to their sophistication. The group's wide reach, targeting diverse industries across multiple continents, coupled with its ability to extract sensitive information, makes it a formidable threat. The advice of Kaspersky's Gleb Ivanov, emphasizing regular system updates, closing vulnerabilities, and staying abreast of cybersecurity trends, is a crucial takeaway for organizations. In the face of such advanced threats, it is imperative for organizations to have a robust defense mechanism and a team that can swiftly detect and neutralize these threats. The evolution of the Cuba ransomware group serves as a stark reminder of the ever-changing landscape of cyber threats and the importance of continuous vigilance.
FROM THE MEDIA: Researchers from Kaspersky have unveiled new malware samples linked to the Cuba ransomware group, showcasing evolved versions of the BurntCigar malware. This discovery was made during an ongoing investigation that began after an incident was detected on a client's system in December. The attack chain led to the deployment of a library named "komar65" or BugHatch. This sophisticated backdoor operates in process memory, connecting to a command-and-control (C2) server, and can receive commands to download software tools like Cobalt Strike Beacon and Metasploit. The involvement of Veeamp in the attack is a clear indicator of Cuba's participation. The group has a history of targeting various industries across continents, including North America, Europe, Oceania, and Asia. A unique characteristic of the Cuba gang's modus operandi is its ability to alter compilation timestamps, misleading investigators.
READ THE STORY: Darkreading
Ukraine's Strategic Move in the Black Sea: Retaking Oil Rigs Near Crimea
Analyst Comments: The retaking of the oil rig by Ukrainian forces signifies a strategic move, especially given the region's geopolitical importance. The video evidence, which showcases Ukrainian soldiers onboard a motorboat passing by Zmiinyi Island and later boarding the Tavrida oil drilling rig, was corroborated by the DFRLab using geolocation techniques. The Tavrida rig is part of the Boyko Towers, named after Yuriy Boyko, a former Ukrainian energy minister. The footage also highlighted the strategic importance of electronic devices on the rig, potentially used for maritime radar operations. Russia's reaction to these developments has been swift and assertive. Moscow has expressed its displeasure over a series of actions by Armenia, which it perceives as "unfriendly." These actions include Armenia's planned military drills with the U.S., the Armenian first lady's humanitarian visit to Ukraine, and Armenia's intent to join the Rome Statute of the International Criminal Court, which has issued an arrest warrant for Russian President Vladimir Putin.
FROM THE MEDIA: The Atlantic Council's Digital Forensic Research Lab (DFRLab) has been closely monitoring Russia's multifaceted operations in the military, cyber, and information domains, especially in the context of its ongoing conflict with Ukraine. The latest installment of the Russian War Report reveals that Ukrainian armed forces have successfully retaken an oil and gas drilling rig in the Black Sea, close to Crimea. This move was authenticated by the DFRLab through geolocation techniques, comparing footage from the Ukrainian Ministry of Defense with other available data sources.
READ THE STORY: AC
The Role of High-Capacity Networks in Modern Warfare and the Challenges Ahead
Analyst Comments: The Army's envisioned network is not merely a tool; it's a pivotal enabler. It's the linchpin that ensures the effective deployment and use of weapons and other strategic assets. This network is designed to offer situational awareness, a unified operational view, timely target data, and diverse communication avenues across the entire force, even amidst the chaos of intense combat. Without this network, individual units might grapple with challenges like identifying enemy and friendly forces, selecting the right weapons for specific threats, or even basic communication during an assault.
FROM THE MEDIA: The U.S. Army is currently navigating a monumental technological transformation, transitioning its operations from the industrial age paradigms to the digital era's demands. This evolution is anchored in the understanding that the outcomes of future conflicts will largely depend on who can control and leverage information most effectively. Central to this transformation is the development and deployment of a high-speed, high-capacity network. This network is envisioned to seamlessly connect every segment of the Army, from the infantry, aviation, artillery, and armor to the logistical and intelligence units that underpin tactical operations.
READ THE STORY: Forbes
DHS Highlights the Growing Concern of AI-Driven Cyber Threats and Influence Campaigns
Analyst Comments: The DHS's report underscores the evolving nature of cyber threats, with AI playing a pivotal role in the arsenal of state-backed hackers. The emphasis on China's involvement, especially in the context of critical infrastructure, is a clear indication of the shifting dynamics in cyber warfare. The use of AI not only enhances the capabilities of malware but also makes influence campaigns more effective and harder to detect. The mention of the "pipedream" malware is a testament to the increasing sophistication of cyber-attacks targeting specific industrial systems. The U.S.'s move towards "smart city technologies" is a double-edged sword. While it promises efficiency and modernization, it also introduces potential vulnerabilities. The challenge lies in ensuring that these technologies are developed with a security-first approach.
FROM THE MEDIA: The Department of Homeland Security (DHS) has released its Homeland Threat Assessment, which highlights the potential use of artificial intelligence (AI) by malicious actors to target critical infrastructure. This includes potential interference in elections and attacks on industrial systems. The report emphasizes that adversaries are increasingly focusing on critical sectors such as energy, transportation, pipelines, and the upcoming 2024 election, leveraging emerging technologies like AI. State-backed hackers, particularly from China, are adapting AI for influence campaigns and the development of sophisticated malware for large-scale attacks. The report also mentions the malware "pipedream," specifically designed to target industrial devices. Beijing's interest lies in using AI to craft malware that is more efficient, faster, and evasive, with the transportation sector being a prime target.
READ THE STORY: CyberScoop
Beijing's Selective Crackdown on Transnational Crime
Analyst Comments: China's recent actions in Southeast Asia indicate a more proactive approach to tackling transnational crime, especially in areas where its nationals are victims. However, the selective nature of these crackdowns suggests a balancing act. Beijing is trying to address international criticism and protect its citizens while preserving its strategic interests in the region. The longevity and comprehensiveness of this crackdown remain uncertain, especially given the strategic importance of some SEZs and criminal enterprises. The situation underscores the complexity of China's relationships in Southeast Asia, where geopolitical strategy, economic interests, and public image are intricately intertwined.
FROM THE MEDIA: Chinese criminal organizations have been proliferating across Southeast Asia, especially within Special Economic Zones (SEZs) such as Boten in Laos, Shwe Kokko in Myanmar, and the casinos in Cambodia’s Sihanoukville. Historically, Beijing viewed these networks, often run by Chinese fugitives, as tools for promoting its interests, with local governments frequently complicit. However, recent years have seen a shift. China has ramped up its law enforcement cooperation with Southeast Asian nations, targeting issues like transnational crime, money laundering, and human trafficking. This change in stance is driven by increasing international scrutiny over rights abuses in Chinese-controlled zones and the rising number of Chinese victims in scams and trafficking rings.
READ THE STORY: RFA
Detecting AI-Generated Text: GPTZero and Its Limits
Analyst Comments: While tools like GPTZero represent a proactive approach to addressing the proliferation of AI-generated content, their limitations highlight the complexities of the issue. The narrative also serves as a reminder that as technology evolves, so too will the methods to detect and counteract its potential misuse. The mention of other media types, like images and videos, suggests that the broader challenge of AI-generated content is multifaceted and will require diverse solutions.
FROM THE MEDIA: The article is an introduction to the world of AI-generated content, spotlighting Edward Tian, a Princeton student who developed GPTZero, a tool designed to detect AI-generated text. Tian's tool evaluates text based on "perplexity" and "burstiness" to differentiate between human and AI writing. However, GPTZero faced challenges, including misclassifications and bypass techniques. Another notable figure, Joseph Semrai, created WorkNinja, a tool that produces AI-written essays and then rephrases them to evade detection. Soheil Feizi, a professor, expressed skepticism about the future reliability of AI detectors, emphasizing the potential harm of false positives in academic contexts.
READ THE STORY: Wired
Items of interest
Supply Chain Attack on Linux Users via Trusted Download Manager Site
Analyst Comments: This supply chain attack on freedownloadmanager.org underscores the persistent threats faced by Linux users and the importance of ensuring the security of their systems. It also serves as a reminder that even trusted download sources can be compromised, necessitating caution when downloading software. The attackers' focus on stealing sensitive data, including passwords and cloud service credentials, highlights the potential value of such information to cybercriminals. Therefore, users are advised to adopt strong, unique passwords and consider implementing multi-factor authentication for enhanced security.
FROM THE MEDIA: A supply chain attack was discovered on the website "freedownloadmanager.org," which targeted Linux users for over three years, from 2020 to 2022. The attack involved redirecting users attempting to download legitimate Linux software to a malicious domain, "deb.fdmpkg.org," which distributed a compromised Debian package. This package contained a post-install script that dropped two ELF files, leading to the establishment of a reverse shell connecting to a command-and-control (C2) server. The malware, referred to as "crond," collected sensitive data from infected systems, including system information, browsing history, passwords, and credentials for cloud services like AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure. The stolen data was uploaded to the attacker's server using an uploader binary from the C2 server.
READ THE STORY: THN
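The freedownloadmanager.org package did its damage in a post-install script, which dpkg runs as root, so maintainer scripts deserve review before installation just like any other privileged code. As an added example (not from the page or the referenced research), the following parses a .deb's ar container in pure Python, pulls the maintainer scripts out of control.tar and flags the dropper shape the article describes (decode an embedded blob, make it executable, run it); the two sample packages are constructed in memory and the heuristics are assumptions, not signatures for the real malware.

```python
"""Review a .deb's maintainer scripts before dpkg runs them as root.

A .deb is an `ar` archive holding debian-binary, control.tar.* (the control
file plus preinst/postinst/prerm/postrm) and data.tar.* (the payload). Only
the maintainer scripts are inspected here.
"""
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# chmod that grants execute; captures the path being made executable
CHMOD_RE = re.compile(r"\bchmod\s+(?:\S*\+x|[0-7]{3,4})\s+(\S+)")

def ar_members(blob):
    """Parse an ar archive into {member_name: bytes} (60-byte headers, even padding)."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                   # members are 2-byte aligned
    return members

def script_findings(text):
    """Heuristics for one maintainer script; each hit names the behaviour seen."""
    hits = []
    if re.search(r"\b(curl|wget)\s", text):
        hits.append("downloads_from_network")
    if re.search(r"\bbase64\s+(-d|--decode)\b", text):
        hits.append("decodes_embedded_payload")
    dropped = CHMOD_RE.findall(text)
    if dropped:
        hits.append("marks_file_executable")
    # A file the script made executable and then invokes as a command: the dropper shape
    if any(re.search(r"(^|[;&|]\s*)" + re.escape(p) + r"\b", text, re.M) for p in dropped):
        hits.append("executes_dropped_file")
    return hits

def inspect_deb(blob):
    """Return {script_name: [finding, ...]} for every maintainer script in the .deb."""
    members = ar_members(blob)
    control = next((d for n, d in members.items() if n.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member; not a valid .deb")
    report = {}
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name.lstrip("./")
            if m.isfile() and name in MAINTAINER_SCRIPTS:
                text = tf.extractfile(m).read().decode("utf-8", "replace")
                report[name] = script_findings(text)
    return report

# --- constructed sample packages (built in memory; not the real trojanised .deb) ---
def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar(members):
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

def constructed_deb(postinst):
    control = b"Package: sample\nVersion: 1.0\nArchitecture: all\nDescription: constructed\n"
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz({"./control": control, "./postinst": postinst})),
                ("data.tar.gz", _tar_gz({"./usr/share/doc/sample/README": b"placeholder\n"}))])

BENIGN_POSTINST = b"#!/bin/sh\nset -e\nupdate-desktop-database -q || true\nexit 0\n"
# Dropper skeleton only: decodes a placeholder string, makes it executable, runs it.
DROPPER_POSTINST = (b"#!/bin/sh\nset -e\n"
                    b'echo "PAYLOAD_PLACEHOLDER" | base64 -d > /usr/local/bin/crond\n'
                    b"chmod +x /usr/local/bin/crond\n/usr/local/bin/crond &\nexit 0\n")
```

To run it on a downloaded package, pass `open("pkg.deb", "rb").read()` to `inspect_deb`; a non-empty finding list is a reason to read the script by hand, not proof of compromise.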
A Common Bypass Pattern To Exploit Modern Web Apps (Video)
FROM THE MEDIA: Simon emphasizes that the security landscape for web applications is evolving, with more emphasis on secure-by-default frameworks and mitigations. He mentions the importance of examining how user input is processed, normalized, and transformed within web applications and how different components interpret and handle data, which can lead to security vulnerabilities.
How File Upload Vulnerabilities Work (Video)
FROM THE MEDIA: They start by demonstrating how to exploit such a vulnerability by uploading a malicious PHP file instead of a legitimate image file. The process involves manipulating the file name and content type fields to bypass any server-side checks. Once the PHP file is uploaded, they show how it can be executed on the server, leading to the disclosure of sensitive files, in this case the /etc/passwd file. Finally, they successfully solve a lab challenge by extracting a secret string from a user's file.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.