Daily Drop (605): Deadglyph, RU: Cyber Actors, Iran: OilRig, MQ-9, Countering Disinformation, Banking Trojan BBTok, RU: Bermuda Cyberattack, CHIPS Act, Orbital Debris, DPRK: Cyber Warfare, Apple 0day
09-23-23
Saturday, Sep 23, 2023
Deadglyph: Stealth Falcon's Advanced Backdoor with Unique Tactics
Analyst Comments: The discovery of Deadglyph adds another layer of complexity to the capabilities of Stealth Falcon, a group already notorious for its cyber espionage activities. The unique architecture of Deadglyph, which uses multiple programming languages, indicates a high level of sophistication and a likely attempt to evade detection and analysis. The backdoor's capabilities for executing various tasks make it a potent tool for information gathering and system manipulation. Given Stealth Falcon's history of targeting individuals and organizations critical of the Arab monarchy, the emergence of Deadglyph signifies an evolving and significant threat.
FROM THE MEDIA: Cybersecurity researchers have uncovered a new advanced backdoor named Deadglyph, deployed by the threat actor group known as Stealth Falcon. This backdoor is unique in its architecture, employing both a native x64 binary and a .NET assembly, a combination that is unusual in malware development. This tactic is suspected to be a deliberate move to hinder analysis. Deadglyph receives commands from a server controlled by the actor, allowing it to execute various tasks like creating new processes, reading files, and collecting system information. Stealth Falcon, also known as FruityArmor, has been previously linked to cyber espionage activities targeting journalists, activists, and dissidents in the Middle East.
READ THE STORY: THN
Russian Hackers Target Ukrainian Law Enforcement to Seek War Crimes Evidence
Analyst Comments: The multi-faceted nature of the conflict between Russia and Ukraine extends well beyond traditional battlefields into the realm of cyber warfare. Matveev's activities, along with the findings from the SSSCIP report, indicate that cyber warfare is an integral part of Russia's strategy against not just Ukraine but also other nations. The focus on gathering intelligence related to Russian nationals and war crimes suggests that Russia is increasingly concerned about international legal repercussions. The growing confidence among cybercriminals like Matveev, who are shielded by non-cooperative states, and the escalation in cyber activities against Ukraine, indicate that this is a war that will persist, irrespective of battlefield outcomes.
FROM THE MEDIA: Russian hackers are intensifying their efforts to target Ukrainian law enforcement agencies to gather evidence related to alleged Russian war crimes, according to Yurii Shchyhol, the head of Ukraine's cyber defense agency. The hackers are associated with Russia's foreign, domestic, and military intelligence agencies and have increased their digital intrusion campaigns against the Ukrainian Prosecutor General’s office and departments that document war crimes. Shchyhol noted a shift in focus from energy facilities to law enforcement institutions, indicating that the hackers are keen on following Ukraine's investigations into Russian war crimes.
READ THE STORY: Japan News
Iranian Nation-State Actor OilRig Targets Israeli Organizations: A Deep Dive into Cyber Espionage
Analyst Comments: The group's focus on Israeli organizations, particularly those in the defense, lodging, and healthcare sectors, underscores the geopolitical motivations behind these cyber-attacks. The use of spear-phishing emails and compromising legitimate websites for command-and-control purposes indicates a sophisticated level of planning and execution. OilRig's ability to adapt and innovate, as evidenced by the deployment of new and improved backdoors, suggests that the group is a significant and evolving threat. Organizations, especially those in targeted sectors, should remain vigilant and adopt robust cybersecurity measures to mitigate the risks posed by such advanced persistent threats.
FROM THE MEDIA: Israeli organizations have been targeted in two separate campaigns, named Outer Space and Juicy Mix, by the Iranian nation-state actor known as OilRig (also referred to as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten). These campaigns took place in 2021 and 2022 and involved the use of two first-stage backdoors called Solar and Mango. These backdoors were deployed to collect sensitive information from major browsers and the Windows Credential Manager. Spear-phishing emails were the likely method of spreading these backdoors. OilRig has been active since 2014 and is affiliated with Iran's Ministry of Intelligence and Security (MOIS). The group has shown flexibility in writing new malware based on the targeted environment and has also been observed targeting U.S. businesses.
READ THE STORY: THN
MQ-9 Reaper Drones: A New Lease of Life Against China and Russia
Analyst Comments: The USAF's decision to halt the purchase of MQ-9s was initially seen as a limitation of the drone's capabilities in 'non-permissive' airspaces, especially against advanced air defenses from countries like China and Russia. However, the new approach by AFSOC to use MQ-9s as 'motherships' for smaller drones could revitalize the platform's utility. This adaptive strategy aligns with the evolving nature of modern warfare, where networked ISR technologies and multi-domain operations are becoming increasingly important. The MQ-9's potential new role as a mobile command and control center for a network of smaller drones could make it a valuable asset in highly contested environments. This shift in strategy could also alleviate concerns about the USAF compromising its ISR capabilities and offer General Atomics a new avenue for the drone's application.
FROM THE MEDIA: The U.S. Air Force (USAF) had previously indicated that it would place its last order for MQ-9 Reaper drones, with deliveries expected in 2023 and 2024. This decision raised concerns about the USAF's Intelligence, Surveillance, and Reconnaissance (ISR) capabilities and the future of the drone's manufacturer, General Atomics. However, the Air Force Special Operations Command (AFSOC) is exploring new roles for the MQ-9 Reaper drones. They are considering using these drones as 'capital ships' that deploy smaller Unmanned Aerial Systems (UAS) to establish sensor grids or communication pathways. The adapted MQ-9s would act as "motherships," commanding and controlling additional small UAS platforms equipped with the latest kinetic and non-kinetic capabilities and sensors.
READ THE STORY: EurAsian
ESA Takes on the Responsibility of Building Europe's Secure Satellite Communication Network
Analyst Comments: The ESA's commitment to building the IRIS2 constellation marks a significant step in Europe's efforts to become self-reliant in secure space-based communications. However, the project faces challenges, including the lack of a working heavy launch vehicle after the Ariane 5 completed its last mission in July 2023. The successor, Ariane 6, is still under testing and recently encountered an anomaly. If Ariane 6 is not ready on time, alternative options like Arianespace's Vega launchers may be considered. Despite these challenges, the project holds promise in enhancing Europe's secure communication capabilities, especially in the face of increasing cyber and hybrid threats.
FROM THE MEDIA: The European Space Agency (ESA) has signed an agreement to build and launch the European Union's Infrastructure for Resilience, Interconnectivity and Security by Satellite (IRIS2) constellation. The project aims to provide EU member states with secure space-based communication capabilities, reducing their reliance on other nations' infrastructure. Initially announced in 2022 with a budget of €2.4 billion, the project aims to offer secure and high-speed communication for both civilian and defense use, incorporating advanced technologies like quantum encryption and 5G. The European Commission had initially planned for the services to be operational by 2024, with full capacity by 2027, but these deadlines now appear unlikely.
READ THE STORY: The Register
Biden's Campaign Strategy to Combat Misinformation: A New Approach in the Digital Age
Analyst Comments: The formation of a dedicated working group to combat misinformation signifies the Biden campaign's acknowledgment of the evolving challenges posed by the digital landscape. The strategy reflects an understanding that social media platforms alone can't be relied upon to police content, especially with the rise of new platforms like Truth Social. By taking a proactive approach, the campaign aims to fill the gaps left by social media companies and directly engage with the public to counter false narratives. However, this strategy also raises questions about the fine line between combating misinformation and infringing on free speech, especially in light of recent court rulings against the administration's communications with social media companies.
FROM THE MEDIA: President Biden's reelection campaign is launching a working group focused on combating misinformation on social media platforms. Led by Rob Flaherty, the deputy campaign manager, along with Michael Tyler, the communications director, and Maury Riggan, the general counsel, the group aims to publicly counter disinformation. The strategy involves mobilizing "an army of folks," including campaign officials, allies, and influencers, to disseminate accurate information. This marks a shift from previous strategies where campaigns relied on social media companies to remove misleading content. The campaign may also consider legal actions against deepfake technology and copyright violations. The initiative is particularly focused on issues like the president's record, the COVID-19 vaccine, and allegations of voter suppression.
READ THE STORY: The Hill
New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks
Analyst Comments: The emergence of the new BBTok variant highlights the evolving threat landscape in the banking sector, particularly in Latin America. The malware's sophisticated techniques for evading detection and its focus on specific geographies make it a significant threat. Organizations and individuals in the targeted regions should be vigilant and take necessary precautions to protect against this type of banking trojan.
FROM THE MEDIA: A new variant of the banking trojan BBTok is actively targeting users in Latin America, particularly in Brazil and Mexico. The malware replicates the interfaces of over 40 Mexican and Brazilian banks to trick victims into entering their 2FA codes or payment card numbers. The payloads are unique for each victim and are delivered via phishing emails. BBTok, a Windows-based banking malware, first appeared in 2020 and has evolved since then. It has the capability to kill processes, issue remote commands, manipulate keyboards, and serve fake login pages. The malware is delivered through phishing emails containing bogus links or ZIP file attachments. It employs techniques to evade detection mechanisms like Antimalware Scan Interface (AMSI) and uses living-off-the-land binaries (LOLBins) and geofencing checks to ensure targets are only from Brazil or Mexico.
READ THE STORY: THN
Government of Bermuda Cyberattack: Russian Threat Actors Suspected
Analyst Comments: The cyberattack on the Government of Bermuda is significant, affecting not just local but also regional governments. The suspicion that Russian threat actors are behind the attack adds an international dimension to the incident. The government is currently in the process of identifying the affected systems to restore services. While no data breach has been confirmed, the disruption to government services and potential delays in payments highlight the severity of the attack.
FROM THE MEDIA: The Government of Bermuda has been hit by a cyberattack that disrupted its internet, email, and phone services across all government departments. The Premier of Bermuda, Edward David Burt, stated in a press conference that the attack also had an impact on regional governments. Initial findings from the ongoing investigation point to the likelihood that the attack originated from Russia. While it appears that no data has been stolen, the systems are affected, and the government is working to identify which systems are compromised. The attack has led to service disruptions, including the postponement of the House of Assembly sitting and delays in payroll and vendor payments.
READ THE STORY: SecurityAffairs
U.S. Tightens CHIPS Act Regulations to Safeguard Semiconductor Industry
Analyst Comments: The U.S. government's move to tighten regulations around the CHIPS Act showcases its commitment to national security and the strategic importance of the semiconductor industry. By setting clear guidelines, the administration is ensuring that funds are used effectively to boost domestic production while preventing potential misuse that could benefit rival nations. The contract with GlobalFoundries further solidifies the government's strategy to collaborate with domestic industry leaders to achieve its objectives. This approach not only safeguards the U.S. semiconductor supply chain but also sends a clear message about the country's stance on protecting its technological and national security interests.
FROM THE MEDIA: The Biden Administration has finalized guidelines to ensure that the $50 billion allocated under the CHIPS Act does not end up benefiting countries or companies that are a concern to the U.S., particularly China and Russia. The funds are intended to boost domestic semiconductor production and reduce the U.S.'s dependence on other countries for essential components. U.S. Commerce Secretary Gina Raimondo emphasized that the CHIPS Act is fundamentally a national security initiative, and the new guardrails are designed to protect U.S. interests. The conditions for receiving CHIPS subsidies have not changed significantly but have been clarified. The funds must be invested in the U.S., and recipients are prohibited from investing in semiconductor manufacturing in countries of concern for a period of 10 years. Violation of these rules will trigger a claw-back provision. The updated guidelines also specify that the funds should lead to physical expansion of semiconductor manufacturing capacity, thereby ensuring that the money is not diverted to unrelated projects.
READ THE STORY: The Register
National security ‘guardrails’ issued for US semiconductor funding
Analyst Comments: The new regulations signify a strategic move by the U.S. government to protect its technological advancements and national security interests. By setting these "guardrails," the U.S. aims to ensure that its investments in semiconductor technology do not inadvertently benefit foreign adversaries. This is particularly relevant given the global competition in the semiconductor industry and the critical role these components play in various sectors. Businesses seeking federal funding for semiconductor projects will now have to navigate these regulations carefully to ensure compliance.
FROM THE MEDIA: The U.S. Commerce Department has released national security "guardrails" for businesses seeking federal funding under the CHIPS and Science Act, aimed at boosting domestic semiconductor manufacturing. These regulations are designed to counter China's interest in advanced computing technologies and to prevent misuse of technology by foreign adversaries. One of the key regulations prohibits companies that receive funding from expanding semiconductor manufacturing capacity in "foreign countries of concern," such as China and Russia, for a period of 10 years. Another regulation restricts these companies from engaging in joint research or technology licensing efforts with foreign entities that raise national security concerns.
READ THE STORY: The Record
FAA Proposes Rules to Address Growing Orbital Debris
FROM THE MEDIA: The U.S. Federal Aviation Administration (FAA) has proposed new rules aimed at managing the increasing problem of orbital debris. The FAA has outlined five options for commercial space operators to dispose of the upper stages of their launch vehicles. These options include controlled re-entry, uncontrolled atmospheric disposal, moving to a storage orbit, retrieval within five years, or pushing into an Earth-escape orbit. The FAA also requires operators to submit an Orbital Debris Assessment Plan (ODAP) prior to each operation. The proposal allows up to 25 years for the upper stage to be removed from orbit using uncontrolled or natural decay methods. The FAA notes that the number of orbital objects larger than 10cm is over 23,000, and the primary contributor to this debris is collisions between large objects like upper stages.
READ THE STORY: The Register
North Korea's Advanced Cyber Warfare Capabilities and Counter-Intelligence Programs
Analyst Comments: North Korea's cyber warfare capabilities are evolving rapidly, and the country is investing heavily in training and development. The focus is not just on hacking for financial gains but also on counter-intelligence and tracking high-value defectors. This multi-faceted approach to information warfare makes North Korea a significant cyber threat on the global stage. The country's programs aim to ensure loyalty and effectiveness in its cyber operations, but the increasing number of defectors indicates growing discontent among the elite, posing a potential risk to the regime's stability.
FROM THE MEDIA: North Korea has been increasingly investing in cyber warfare capabilities, targeting not just financial systems but also key individuals in the field of internet security. Google's Threat Analysis Group (TAG) recently disrupted a North Korean effort that used social engineering to infect PCs of internet security specialists. North Korea is considered an Advanced Persistent Threat (APT) and is estimated to bring in nearly a billion dollars a year through its hacking efforts. North Korea has been expanding its hacking capabilities for years and has been part of the worldwide expansion of professional hacking groups. The country has also established specialized educational programs like the Mangyongdae Revolutionary Academy, which offers a three-year course for international Information Warfare (IW) specialists. The academy is part of a trend where North Korea has been training agents from elite families for foreign operations, especially against South Korea. These agents are trained in the latest hacking techniques and are tasked with tracking down high-level defectors.
READ THE STORY: SP
Apple Zero-Day Vulnerabilities Exploited to Target Egyptian Political Figure
Analyst Comments: The incident serves as a stark reminder of the escalating sophistication in cyber-attacks and the utilization of zero-day vulnerabilities to target individuals for political or other high-stakes reasons. It underscores the critical importance for users to keep their software updated as a fundamental line of defense against such advanced threats. Moreover, the case raises ethical and regulatory questions about the commercial spyware industry, emphasizing the need for stricter oversight to prevent human rights abuses and political repression.
FROM THE MEDIA: Multiple zero-day vulnerabilities in Apple's software were exploited to target Ahmed Eltantawy, a former Egyptian MP with presidential aspirations. Conducted by the Citizen Lab and Google's Threat Analysis Group, the investigation attributes the cyber-attack to the Egyptian government and identifies the spyware used as Predator, developed by Cytrox. This spyware is akin to the infamous Pegasus by NSO Group and was delivered through SMS and WhatsApp. Apple has since released security patches for the exploited vulnerabilities, identified as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993.
READ THE STORY: THN
Items of interest
Israel Unveils AI-Assisted Next-Gen 'Merkava' Tank: The 'Barak'
Analyst Comments: The introduction of the 'Barak' tank represents a significant milestone in Israel's military capabilities, signaling a shift towards the integration of cutting-edge technology into its defense systems. The AI capabilities, in particular, set the 'Barak' apart as a formidable asset in modern warfare, enabling quicker and more accurate targeting of enemy forces. This technological leap could potentially give Israel a significant edge in both defensive and offensive operations. The focus on technological advancements over structural changes indicates Israel's strategic emphasis on agility, intelligence, and rapid response, which are crucial in contemporary conflict scenarios.
FROM THE MEDIA: Israel has unveiled its next-generation 'Merkava' main battle tank, named the 'Barak,' which incorporates advanced artificial intelligence (AI) capabilities. Developed collaboratively by the Israel Ministry of Defense and the Israel Defense Forces (IDF) over the past five years, the 'Barak' is designed to quickly identify and engage enemy targets. The tank features state-of-the-art technologies, including advanced sensors, AI, networking, and active protection systems. It is expected to replace all existing 'Merkava 4' tanks in the 401st Brigade by the end of 2025. The 'Barak' also comes equipped with the 'IronVision' helmet, providing the commander with peripheral vision similar to that of a fighter pilot. The tank is now ready for deployment after undergoing technological trials in 2020 and 2021.
READ THE STORY: IE
War, AI and the New Global Arms Race (Video)
FROM THE MEDIA: Lethal drones with facial recognition, armed robots, autonomous fighter jets: we're at the dawn of a new age of AI-powered warfare, says technologist Alexandr Wang. He explores why data will be the secret weapon in this uncharted landscape and emphasizes the need to consider national security when developing new tech, or potentially face all-out AI warfare.
Autonomous Weapons (Video)
FROM THE MEDIA: AI and autonomous weaponry may be the biggest leap in military technology since the advent of nuclear weapons. Should they be banned? The debate is heating up.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.