Daily Drop (602): Middle East Telecom: Malware, BeiDou Satellite System, Beijing: Shipping Intelligence, VenomRat: Hidden in PoC, ICC: Network Targeted, XWorm, ChatGPT: Software Eng.
Wednesday, Sep 20, 2023
Middle East Telecom Companies Targeted by New Malware: HTTPSnoop
Analyst Comments: The introduction of HTTPSnoop into the cyber threat landscape accentuates the evolving nature of cyber threats and the escalating sophistication of malicious actors. The malware's capability to impersonate legitimate security software components is alarming and underscores the pressing need for organizations to integrate advanced threat detection and response mechanisms. Telecommunication providers, given their pivotal role in national and global internet traffic, must prioritize cybersecurity. Their strategic importance makes them lucrative targets, especially for state-sponsored groups. The potential state-backed nature of this threat further underlines the geopolitical ramifications and amplifies the urgency for international collaboration in countering such cyber challenges.
FROM THE MEDIA: Telecommunication service providers in the Middle East are under threat from a new malware family named "HTTPSnoop." This revelation comes from cybersecurity experts at Cisco Talos, who recently published their findings on this malware and another called "PipeSnoop." Both disguise themselves as components of legitimate security software, such as Palo Alto Networks' Cortex XDR application, and of Microsoft's Exchange Web Services (EWS) platform, which makes them difficult for defenders to detect. The researchers have not been able to link this activity to any known group's tactics, techniques, and procedures (TTPs), which suggests that either a new actor is behind it or an existing group has adopted new TTPs. The operation is suspected to be state-sponsored, but its origin remains speculative. HTTPSnoop stands out for its sophistication and stealth. It acts as a backdoor, listening for incoming requests to specific URLs and executing the content delivered to the compromised machine. The malware appears to be designed for internet-facing servers. One of its novel techniques is making its traffic appear to belong to legitimate applications, such as Microsoft EWS.
READ THE STORY: THN // The Record
Debunking the Myth: Why ChatGPT and Other AIs Won't Replace Software Engineers
Analyst Comments: In light of this history, claims that tools like ChatGPT will replace software engineers seem exaggerated. While large language models (LLMs) like ChatGPT can automate some mundane tasks, they cannot understand the intricate requirements of a software project or the interdependencies within a codebase. They might assist in speeding up certain processes, but they won't replace the need for human judgment and expertise. If anything, tools like ChatGPT might eliminate repetitive tasks, allowing developers to focus on more complex and creative aspects of software design. Edsger Dijkstra's observation highlights this sentiment: as computers have grown more powerful, the challenges of programming have only increased. Efforts to simplify programming have often added more complexity. Thus, while LLMs might bring about changes in the tech landscape, they are unlikely to make human coders redundant. Instead, they might enhance their roles, allowing them to focus on the more intricate and innovative facets of software development.
FROM THE MEDIA: The rise of generative AI has led to concerns among software engineers about the potential for their roles to become obsolete. However, history shows that while new technologies have often promised to replace or minimize the role of coders, they have only made them more indispensable over time. In the early days of computing, software was often seen as a secondary concern to hardware and systems architecture. Early programmers, many of whom were women, were sometimes viewed as performing menial tasks. Yet, they were crucial in handling the intricate details of programming, debugging, and testing. Over time, various innovations aimed to reduce the need for human coders. Languages like FORTRAN and COBOL were designed to be user-friendly, allowing non-programmers to write software. Other methodologies, like Waterfall-based development and object-oriented programming, sought to simplify the software development process.
READ THE STORY: Wired
Dark Web Marketplace Shutdown: Finland and Europol Target PIILOPUOTI
Analyst Comments: The investigation involved multiple international entities, including German and Lithuanian authorities, Europol, the European Union Agency for Criminal Justice Cooperation (Eurojust), and various police units in Finland. Cybersecurity firm Bitdefender played a role in the takedown by offering technical guidance to the law enforcement agencies involved in the investigation. Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender, highlighted the importance of public-private collaboration in disrupting illegal online activities. He emphasized that criminals should not be complacent about their anonymity on the dark web, as international efforts can bring them to justice.
FROM THE MEDIA: Finnish law enforcement, in collaboration with Europol and a cybersecurity firm, successfully shut down a dark web marketplace named PIILOPUOTI. The platform, which had been operational on the Tor Network since May 2022, was primarily used for smuggling and selling drugs and related paraphernalia into Finland. This information was confirmed through a statement released by Finnish Customs. While the criminal investigation is still ongoing, Finnish Customs, along with their international partners, have refrained from providing further details on the matter. The platform's screenshot was shared, but Finnish authorities did not comment on any arrests or other illicit activities associated with PIILOPUOTI.
READ THE STORY: The Record
BeiDou Satellite System Expands Reach with New Installations on Disputed Territories (State-Sponsored Media)
Analyst Comments: The decision to set up these ground stations in the disputed waters of the South China Sea is a clear manifestation of China's strategic ambitions in the region. By leveraging the capabilities of the BeiDou satellite system, China is not only enhancing its maritime surveillance capabilities but also sending a strong message about its intent to solidify its jurisdiction over these contested waters. The positioning of these ground stations is particularly noteworthy. Located between North Reef, at the northernmost tip of the Paracels, and Bombay Reef in the southeast, they are strategically placed near several of China's sensitive installations. This includes the Sansha headquarters and a series of islands that house naval and air bases. These waters have been a hotspot for confrontations, especially between the People’s Liberation Army warships and the US Navy, which frequently conducts "freedom of navigation operations" in the vicinity. While systems like GPS can function without ground stations, having a ground station nearby can significantly enhance the accuracy of the satellite system. This is especially crucial for military operations, where precision is paramount.
FROM THE MEDIA: China has taken a significant step in asserting its dominance in the South China Sea by establishing two ground stations for its BeiDou satellite system on disputed reefs, a move reported by state television. These newly erected stations, which are intricately connected to China's land-based ship automatic identification system (AIS), find their homes on lighthouses located on North Reef and Bombay Reef in the Paracel Islands. These islands are a point of contention, with both Vietnam and Taipei laying claim to them. The BeiDou satellite network, China's answer to the US GPS, is at the heart of these stations, enabling them to accurately locate vessels and subsequently transmit signals.
READ THE STORY: SCMP (CCP SPONSORED)
Beijing's Strategic Use of Shipping for Intelligence Gathering and Geopolitical Leverage
Analyst Comments: The implications of China's maritime strategy are twofold. In peacetime, control over trade information and port infrastructure offers China substantial commercial advantages. However, in a potential wartime scenario, this control could be catastrophic for global trade. China's ability to disrupt the international economy goes beyond physically seizing ports; it can exert influence by controlling infrastructure and information. For the U.S. and its allies, understanding and mitigating the risks associated with China's maritime dominance is crucial. Collaborative efforts, deeper private sector partnerships, and measures to counter Chinese technological influence in ports are essential steps to ensure maritime security and protect global trade interests.
FROM THE MEDIA: China has significantly expanded its influence in global maritime trade over the past three decades. Today, 90% of the world's trade is transported by sea, and China owns or operates around 96 foreign ports, including recent expansions in Hamburg, Germany, and the Solomon Islands. While foreign ownership of ports is not inherently risky, China's operations are unique due to their extensive information-gathering infrastructure and the legal mandate for all Chinese overseas companies to report intelligence to the Chinese government. This dominance in maritime operations and infrastructure, combined with China's vast commercial fleets and software systems like LOGINK, allows Beijing to gather data and intelligence and to conduct surveillance on a massive scale.
READ THE STORY: FP
Earth Lusca's SprySOCKS: A Stealthy Linux Backdoor Emerges
Analyst Comments: The infection process employed by Earth Lusca capitalizes on known vulnerabilities in widely used platforms like Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra. Once inside the system, the group aims to exfiltrate sensitive documents and email credentials and to deploy further advanced backdoors such as ShadowPad and the Linux version of Winnti. A notable discovery is the introduction of SprySOCKS, a backdoor that traces its lineage to the open-source Windows backdoor Trochilus. This new malware variant is adept at gathering system information, initiating an interactive shell, and managing a SOCKS proxy, among other operations. The backdoor's communication mechanism mirrors that of the RedLeaves trojan, suggesting a shared ancestry.
FROM THE MEDIA: Earth Lusca, a China-linked threat actor, has unveiled a new weapon in its arsenal: a previously undetected Linux backdoor named SprySOCKS. This group, which has been active since 2021, initially gained attention for its cyber espionage campaigns against entities spanning Asia, Australia, Europe, and North America. Their modus operandi often involves spear-phishing and watering hole attacks. Recent findings indicate that Earth Lusca has expanded its target list in 2023, focusing on government departments across Southeast Asia, Central Asia, and the Balkans, especially those involved in foreign affairs, technology, and telecommunications.
READ THE STORY: THN
Researchers Warn of a New Malware Campaign Targeting WinRAR's CVE-2023-40477 Vulnerability
Analyst Comments: The malware campaign's sophistication is evident in its use of a fake PoC script, which is designed to exploit the eagerness of researchers to study new vulnerabilities. By leveraging a known vulnerability in WinRAR, the threat actors behind this campaign can potentially compromise a significant number of systems, given WinRAR's widespread use. The campaign's focus on researchers suggests a strategic intent to access high-value targets, possibly to gather intelligence or further propagate the malware. The discovery of this campaign underscores the importance of continuous vigilance and the need for users and organizations to keep their software updated. It also highlights the evolving tactics of threat actors, who are now using deception to exploit the very community that seeks to counter them.
FROM THE MEDIA: A new malware campaign has been identified by security researchers at Palo Alto Networks, which targets the CVE-2023-40477 vulnerability in WinRAR. The campaign cleverly employs a fake proof-of-concept (PoC) script to deceive researchers into downloading and executing a VenomRAT payload. This malicious script is based on a publicly available PoC code for a vulnerability in GeoServer, which has been altered to initiate the VenomRAT infection chain. The malware campaign's objective seems to be to compromise researchers' systems to access and steal their data. To counter this threat, Palo Alto Networks advises users to update their WinRAR software, exercise caution when clicking on links, and avoid downloading files from untrusted sources.
READ THE STORY: HackRead
ANY.RUN Analysts Expose XWorm's Advanced Evasion Techniques and Configurations
Analyst Comments: The XWorm remote access trojan, first identified in 2022, has rapidly evolved into a significant global cybersecurity threat. Its continuous updates have fortified its capabilities, making it a concern for cybersecurity professionals. Recently, the analyst team at ANY.RUN undertook a comprehensive analysis of the latest XWorm variant, revealing its sophisticated mechanics and configurations. The malware was found to be distributed via MediaFire, a popular file-hosting service, and was protected within a RAR archive.
FROM THE MEDIA: The discovery of XWorm's new variant in the ANY.RUN malware database underscores the importance of continuous monitoring and analysis in the cybersecurity realm. The malware's advanced evasion techniques, such as querying its environment to detect virtual sandboxes and shutting down upon detection, highlight its sophistication. Furthermore, its ability to use Residential Proxy to deceive the malware into believing it's operating on a genuine user's machine is a testament to its advanced capabilities. The static analysis also revealed the malware's heavy obfuscation, making it challenging for analysts to decipher its true intent. The extraction of XWorm's complete configuration, including its host details and Telegram token, provides invaluable insights for cybersecurity professionals.
READ THE STORY: THN
The ICC's Computer System Compromised; Dutch Government Assists in Investigation
Analyst Comments: The cyber breach at the ICC underscores the increasing cyber threats faced by global institutions, especially those handling sensitive information. Given the ICC's role in investigating and prosecuting war crimes, the hack could have severe implications, potentially compromising ongoing investigations and putting protected witnesses at risk. The involvement of the Dutch government and the National Cyber Security Centre indicates the seriousness of the breach. The previous warnings by the Dutch intelligence agency and the ICC's Prosecutor highlight the need for institutions to proactively address cybersecurity vulnerabilities. The incident serves as a reminder of the evolving nature of cyber threats and the importance of robust cybersecurity measures for international organizations.
FROM THE MEDIA: The International Criminal Court (ICC) in The Hague announced that its computer system was hacked, raising concerns due to the highly sensitive nature of the information the institution handles, including war crimes data. The breach was detected following unusual activity on the ICC's computer network. The extent of the hack, its resolution, and the potential perpetrators remain undisclosed. The ICC, established in 2002, is responsible for trying war crimes and crimes against humanity and is currently investigating several situations worldwide, including in Ukraine, Uganda, Venezuela, Afghanistan, and the Philippines. The court has recently been in the spotlight for issuing an arrest warrant for Russian President Vladimir Putin. The compromised data could range from criminal evidence to the identities of protected witnesses. The Dutch government is assisting the ICC in analyzing and mitigating the incident's impact, with the National Cyber Security Centre supporting the investigation.
READ THE STORY: Reuters
US Commerce Secretary Expresses Doubts Over Huawei's 7nm Homegrown Processor
Analyst Comments: Huawei's Mate 60 Pro smartphone is equipped with a domestically developed Kirin 9000S chip produced by China's Semiconductor Manufacturing International Corp (SMIC). This 7nm process chip suggests that China is advancing its domestic chip production capabilities. Previously, SMIC was recognized for producing 14nm parts. The US Commerce Department's Bureau of Industry and Security has initiated an investigation into the 7nm chip to determine if it was produced using American technology. Both Huawei and SMIC are under US export controls, theoretically making it challenging for them to acquire technology and business from American suppliers. However, there are indications that these controls might not be as stringent as assumed.
FROM THE MEDIA: The US-China technological rivalry has intensified as US Commerce Secretary Gina Raimondo expressed concerns over Huawei's recent release of a smartphone powered by a 7nm homegrown processor during her visit to China. Raimondo emphasized the US's efforts to hinder China's technological progress, such as restricting access to the latest American chip-making technology. This could have potential repercussions for US businesses. During a congressional hearing, Raimondo questioned China's ability to produce the advanced smartphone processor "at scale." This skepticism might be an attempt to save face, considering the US's extensive efforts to prevent China from manufacturing these components.
READ THE STORY: The Register
Operation Rusty Flag: Azerbaijan Faces Rust-Based Malware Threat
Analyst Comments: The emergence of the Rust-based malware campaign targeting Azerbaijan underscores the evolving nature of cyber threats. The use of Rust, a modern programming language, in malware development indicates a shift in tactics by threat actors to leverage newer technologies that might evade traditional security solutions. The potential "false flag" operation, using a document previously associated with another group, highlights the complexities in attributing cyberattacks to specific actors. Organizations need to remain vigilant and continuously update their cybersecurity measures to counter such evolving threats.
FROM THE MEDIA: A new cybersecurity campaign has been identified, targeting systems in Azerbaijan with malware developed using the Rust programming language. The operation, dubbed "Operation Rusty Flag" by cybersecurity firm Deep Instinct, has not been linked to any known threat actor or group. The campaign employs at least two different initial access vectors. One of the lures used in the operation is a modified document previously associated with the Storm-0978 group, suggesting a potential "false flag" operation. The attack chain uses an LNK file named 1.KARABAKH.jpg.lnk to fetch a second-stage payload, an MSI installer from Dropbox. This installer subsequently drops a Rust-written implant, an XML file for a scheduled task to run the implant, and a decoy image with watermarks of the Azerbaijan Ministry of Defense symbol. Another infection vector uses a Microsoft Office document that exploits a known vulnerability (CVE-2017-11882) to fetch a different MSI file from Dropbox, which serves a variant of the Rust backdoor. This document was previously used by Storm-0978 in cyberattacks against Ukraine.
READ THE STORY: THN
Cybersecurity Tensions Rise as China Claims US Led Thousands of Attacks Against Its Targets
Analyst Comments: This recent accusation comes amidst the ongoing technological rivalry between the two nations. Huawei, a leading telecom company, has been a significant concern for Washington, especially after the company introduced a smartphone powered by an advanced chip it designed. This chip was produced by Semiconductor Manufacturing International Corp, despite the US's efforts to restrict Huawei's access to American technology essential for designing advanced chips and phones. China's Foreign Ministry spokeswoman, Mao Ning, criticized the US for its excessive use of the national security concept to suppress Chinese enterprises. She emphasized that such actions would not hinder China's progress but would only strengthen its resolve. Meanwhile, US Commerce Secretary Gina Raimondo expressed her displeasure when Huawei launched the Mate 60 Pro during her visit to China. However, she mentioned that the US has no evidence to suggest that China can produce the advanced semiconductors powering the device on a large scale.
FROM THE MEDIA: China has accused the US of hacking into the servers of Huawei Technologies Co. starting in 2009. This alleged infiltration is said to be a part of a larger effort by the US, resulting in tens of thousands of cyber-attacks against Chinese entities in the past year. According to a post on the official WeChat account of China’s Ministry of State Security, the Tailored Access Operations unit of the US National Security Agency was responsible for the 2009 attacks and had been continuously monitoring the servers since then. However, the post did not provide further details about the subsequent attacks post-2009. The issue of cyberattacks has been a longstanding point of contention between the US and China. Beijing has consistently accused Washington of orchestrating cyberattacks against Chinese targets, especially after Edward Snowden's revelations about US espionage activities. Conversely, the US and various cybersecurity researchers have pointed fingers at China for sponsoring cyberattacks against Western targets.
READ THE STORY: Bloomberg
A Look into the Growth of 200mm-Wafer Semiconductor Fabs and the Future of Tech Supply Chains
Analyst Comments: These 200mm fabs are crucial for producing a wide range of integrated circuits and semiconductor devices. They cater to the manufacturing of products where the cost of advanced equipment cannot be justified. This includes microcontrollers, memory chips, analog chips, ASICs, and more. Notably, such silicon plays a pivotal role in the automotive sector, supporting various vehicle functions. A report by SEMI indicates that semiconductor manufacturers globally are set to increase 200mm-wafer fab capacity by 14% between 2023 and 2026. This growth includes the establishment of 12 high-volume 200mm wafer fabs, aiming to achieve over 7.7 million wafers per month. The primary sectors driving this growth include consumer, automotive, and industrial sectors, with a notable emphasis on the rise in electric vehicle (EV) adoption.
FROM THE MEDIA: The semiconductor industry is witnessing a resurgence in the development and construction of 200mm-wafer fabs, which offer insights into the future of tech supply chains and potential technological trends. While the current standard wafer diameter is 300mm, with 450mm on the horizon, 200mm wafers were popular during the 1990s. The advantage of increasing wafer size is the ability to fit more or larger chip dies on a single wafer. However, upgrading factories to accommodate larger diameters is both costly and time-consuming. Hence, there remains a demand for fabs that can handle smaller wafers, striking a balance between advanced capabilities and cost-effectiveness.
READ THE STORY: The Register
Items of interest
The Rise of Cyber Mercenaries: Challenges and Responses in the Quad
Analyst Comments: Cyberattacks are increasingly intertwined with geopolitical conflicts. The risk is not just about having secure systems but ensuring that every point in the software service supply chain is secure. The rise of Cybercrime-as-a-Service (CaaS) and "hack-for-hire" firms has further complicated the landscape. These firms, operating globally, target a range of sectors, from financial services to healthcare. The increasing number of cyber mercenaries, private groups that may or may not be linked to specific states, poses a significant threat. A 2021 UN report highlighted the strategic importance of cyberspace for both state and non-state actors, emphasizing the use of proxies that often violate human rights. The Quad countries - India, Japan, Australia, and the US - have been frequent targets of cyberattacks. Recognizing the importance of cybersecurity, the Quad has emphasized the need to address the growing market of cyber mercenaries.
FROM THE MEDIA: The modern world, characterized by intricate interconnections, has witnessed its fragility through events such as the Russia-Ukraine war, the COVID-19 pandemic, and the US-China trade war. These events have underscored the vulnerabilities inherent in our global systems. The Asia-Pacific region, in particular, has seen a surge in cyberattacks, with a 168% increase in 2021 and a further 22% rise in 2022. Major nations like Australia, India, and Japan have been primary targets. The increasing cyber threats can be attributed to two main trends: the expanding online presence of individuals and entities, and the rise of state-sponsored malicious actors. This paper aims to shed light on the evolving cyber threat landscape, focusing on the role of cyber mercenaries and the collective response of the Quad countries.
READ THE STORY: ORF
3G Network Shutdown (Video)
FROM THE MEDIA: In the progressive rollout of 5G, all Australian mobile carriers have now announced that they will commence the restriction or shutdown of their 3G networks and related services by mid-2024. Part of this decision is to move towards better utilizing these low-band frequencies, to support more LTE and 5G services, which can support wider applications and provide more network efficiency.
China is waiting for a 'weak' US to launch war, military expert warns (Video)
FROM THE MEDIA: Ret. Lt. Col. James Carafano argues China is developing the capabilities to have an 'offensive' war with the U.S. on 'The Evening Edit.'
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.