Daily Drop (608): US: Critical Infrastructure, CN: South Korea, RU: War Crimes Data, NOOR-3, ShadowSyndicate, KNP Logistics, Philippines' UHS, CVE-2023-5129, ZenRAT, Sony Hacked: Ransomed.vc RU linked
Wednesday, Sep 27, 2023
Iran Launches Imaging Satellite Amid Tensions with the West
Bottom Line Up Front (BLUF): Iran announced the successful launch of its Noor-3 imaging satellite, a move that has heightened tensions with Western nations. While Iran asserts the launch serves purely civilian purposes, the West fears the technology could be repurposed for nuclear weapon development.
Analyst Comments: Iran's satellite launch, amidst ongoing tensions with the West, underscores the complexities of the geopolitical landscape in the Middle East. The move can be seen as Iran's assertion of its technological prowess and a step towards space dominance. However, given the historical context and the strained relations between Iran and Western nations, particularly the U.S., the launch raises concerns about potential military applications. The situation necessitates vigilant monitoring and diplomatic engagement to ensure regional stability and prevent potential escalation.
FROM THE MEDIA: On Wednesday, Iran's Communication Minister, Isa Zarepour, confirmed the Noor-3 satellite's placement in an orbit 450 kilometers above Earth. The aerospace arm of Iran's paramilitary Revolutionary Guard executed the launch. Footage suggests the launch took place near Shahroud. The U.S. has expressed concerns about Iran's satellite launches violating a U.N. Security Council resolution, urging Iran to refrain from activities related to ballistic missiles capable of delivering nuclear weapons. The U.S. intelligence community's 2022 threat assessment indicated that such satellite launch vehicle development could expedite Iran's development of an intercontinental ballistic missile.
READ THE STORY: ABC News // DW // KFGO
ShadowSyndicate Emerges: A Multi-Ransomware Threat Actor
Bottom Line Up Front (BLUF): Cybersecurity experts have identified a new cybercrime group, ShadowSyndicate (previously known as Infra Storm), which is believed to have utilized up to seven different ransomware families in the past year. This group's activities raise concerns about the evolving threat landscape and the increasing sophistication of cybercriminal operations.
Analyst Comments: The rise of ShadowSyndicate underscores the dynamic nature of the cyber threat landscape. The group's association with multiple ransomware families and other malware operations indicates a potential collaborative environment among cybercriminals, leading to more sophisticated and coordinated attacks. The continuous evolution of such groups, combined with their ability to adapt and leverage various tools, presents a significant challenge for cybersecurity defenses. Organizations must remain vigilant, continuously update their threat intelligence, and employ proactive defense mechanisms to counter such evolving threats.
FROM THE MEDIA: ShadowSyndicate, active since July 16, 2022, is associated with ransomware activities related to Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. They have also employed post-exploitation tools like Cobalt Strike and Sliver, as well as loaders such as IcedID and Matanbuchus. The group's operations have been traced back to a distinct SSH fingerprint found on 85 servers, with a majority located in Panama. Notably, there are connections between ShadowSyndicate and other malware operations, including TrickBot, Ryuk/Conti, FIN7, and TrueBot. The group's emergence comes amid other significant cybercrime activities, such as German law enforcement's actions against the DoppelPaymer ransomware group and advisories from the FBI and CISA about the Snatch ransomware group.
READ THE STORY: THN
Analyzing the Implications of Designating Space as the 17th U.S. Critical Infrastructure
Bottom Line Up Front (BLUF): The recent bipartisan proposal to designate space as the 17th U.S. critical infrastructure sector, as outlined in the Space Infrastructure Act, is flawed. While the intent is to bolster space security, the move could inadvertently harm the burgeoning space industry and dilute essential government resources.
Analyst Comments: The push to designate space as its own critical infrastructure sector stems from a genuine concern about the increasing threats in the space domain. However, the proposed approach might not be the most effective or efficient. The U.S. government should consider alternative strategies that focus on bolstering the performance and delivery of essential services provided by critical infrastructure. By leveraging existing policies and focusing on a holistic approach that integrates space systems into current sectors, the U.S. can ensure a more secure and resilient space domain without adding bureaucratic layers or diluting resources.
FROM THE MEDIA: A bipartisan group of lawmakers introduced the Space Infrastructure Act, following a recommendation by the Cyberspace Solarium Commission 2.0, aiming to make space the 17th U.S. critical infrastructure sector. Brian Cavanaugh, Senior Vice President at American Global Strategies, argues that such a designation, while well-intentioned, might not effectively address the risks posed by adversaries or natural phenomena. Instead, it could potentially harm the rapidly growing space industry and spread thin the limited government resources dedicated to ensuring the nation's critical infrastructure security. Existing policies and frameworks, such as PPD-21, SPD-5, and the National Space Policy, already address the risks to space systems. The government has also initiated a space-focused Information Sharing and Analysis Center (ISAC) and a critical infrastructure cross-sector working group for space systems.
READ THE STORY: SN
Ransomware Attack Paralyzes Philippines' Universal Healthcare System
Bottom Line Up Front (BLUF): The Philippine Health Insurance Corporation (PhilHealth), responsible for the universal healthcare of the Philippines' 114 million citizens, has been hit by a ransomware attack. The Medusa ransomware gang has claimed responsibility, forcing the organization to temporarily shut down several of its online systems.
Analyst Comments: The attack on PhilHealth underscores the increasing threat posed by ransomware to critical infrastructure and essential services worldwide. The involvement of the Medusa ransomware gang, known for targeting government-level organizations, highlights the strategic nature of such attacks. Organizations, especially those managing sensitive data and essential services, must prioritize cybersecurity measures, conduct regular backups, and ensure rapid incident response capabilities. Collaboration between national and international agencies will be crucial in addressing the evolving ransomware threat landscape.
FROM THE MEDIA: On a recent Friday morning, officials from PhilHealth discovered an information security incident and promptly initiated an investigation with the assistance of multiple government agencies. As a result of the attack, access to Health Care Institution (HCI) member portals and e-claims was disabled. The organization assures the public that the situation is under control and that no personal or medical information has been compromised. While the affected systems are offline, members and dependents are required to provide physical copies of their PhilHealth Identification Card (PIC) or Member Data Record (MDR). Payments for services are currently being made over the counter, with online transactions halted. The Medusa ransomware gang has demanded multiple ransoms, including $100,000 to extend the ransomware's deadline and $300,000 for data deletion or download. The gang did not specify the nature or volume of the data they exfiltrated.
READ THE STORY: The Record
Chinese State-Sponsored Cyber Espionage Targets South Korean Entities
Bottom Line Up Front (BLUF): Chinese hackers, identified as TAG-74 and linked to Chinese military intelligence, have been conducting a multi-year cyber espionage campaign against South Korean academic, political, and government organizations. The campaign aligns with China's broader objectives of intellectual property theft and expanding its influence in the region.
Analyst Comments: The persistent and targeted nature of TAG-74's cyber espionage activities highlights the strategic importance of South Korea and its neighboring countries to China's intelligence objectives. The use of sophisticated tools and techniques, coupled with the group's links to Chinese military intelligence, underscores the advanced capabilities of state-sponsored threat actors. Organizations in the targeted regions should be vigilant and adopt robust cybersecurity measures to defend against such sophisticated threats. The shared tools among Chinese threat groups also suggest a coordinated effort, emphasizing the need for international cooperation in cybersecurity.
FROM THE MEDIA: Recorded Future's Insikt Group has been tracking the cyber espionage activities of TAG-74, a group linked to Chinese military intelligence. This group poses a significant threat to various sectors in South Korea, Japan, and Russia, including academic, aerospace and defense, government, military, and political entities. The focus on South Korean academic institutions aligns with China's efforts to steal intellectual property and is also influenced by South Korea's strategic relations with the U.S. The hackers employ social engineering attacks using Microsoft Compiled HTML Help (CHM) file lures to deploy a custom variant of an open-source Visual Basic Script backdoor named ReVBShell. This backdoor is then used to introduce the Bisonal remote access trojan. Both ReVBShell and Bisonal have been previously associated with other China-nexus clusters, such as Tick and Tonto Team. TAG-74's activities underscore its long-term intelligence collection objectives against South Korean targets, and given its focus, it is expected to remain highly active in its intelligence-gathering efforts in South Korea, Japan, and Russia.
READ THE STORY: THN
KNP Logistics Declares Insolvency, Citing June Ransomware Attack as Culprit
Bottom Line Up Front (BLUF): KNP Logistics, a major UK logistics group, has declared insolvency, attributing its financial downfall to a ransomware attack that occurred in June. This incident has resulted in the redundancy of approximately 730 employees, emphasizing the severe business implications of ransomware attacks.
Analyst Comments: The insolvency of KNP Logistics underscores the devastating impact ransomware can have on businesses, even leading to their complete shutdown. While ransomware attacks are often viewed in terms of data loss or financial demands, the broader implications on business operations, employee livelihoods, and supply chains can be profound. Organizations must prioritize cybersecurity, maintain updated backups, and establish robust incident response plans to mitigate the risks associated with ransomware. Collaboration with cybersecurity experts and law enforcement can further enhance an organization's resilience against such threats.
FROM THE MEDIA: KNP Logistics, one of the UK's largest privately owned logistics groups, announced its insolvency, pointing to a ransomware attack in June as the primary cause. As a consequence, around 730 employees will lose their jobs, although the sale of one of the group's primary entities will save roughly 170 positions. Raj Mittal from FRP Advisory, overseeing the insolvency process, mentioned that KNP Logistics was already facing challenges before the ransomware incident. The attack's aftermath saw key systems, processes, and financial information severely impacted, hindering the group's ability to secure additional funding and investment. The Akira ransomware gang claimed responsibility for the attack on KNP Logistics in June. While a decryptor for the Akira ransomware was made available by cybersecurity firm Avast in July, it remains unclear whether KNP Logistics could have utilized it. The National Cyber Security Centre and the Information Commissioner's Office have expressed concerns about ransomware victims not reporting incidents to law enforcement or regulators. Data from the ICO highlighted a surge in ransomware attacks on UK organizations last year, affecting over 700 organizations and potentially compromising the data of more than 5.3 million individuals.
READ THE STORY: The Record
Hong Kong's Crackdown on Crypto: New Measures Post JPEX Incident
Bottom Line Up Front (BLUF): In the aftermath of the JPEX crypto platform incident, Hong Kong's Securities and Futures Commission (SFC) has announced its intention to publish lists of virtual asset trading platforms applying for licenses, those already licensed, those having licenses revoked, and those deemed suspicious. This move is part of Hong Kong's effort to establish itself as a global crypto hub while ensuring regulatory compliance.
Analyst Comments: Hong Kong's proactive approach to regulating the crypto industry, especially in light of the JPEX incident, underscores the territory's commitment to ensuring a safe and regulated environment for crypto investors and traders. By introducing transparency measures and enhancing licensing requirements, Hong Kong is positioning itself as a trustworthy and reliable global crypto hub. The actions taken by the SFC also serve as a warning to other crypto platforms about the importance of regulatory compliance.
FROM THE MEDIA: Hong Kong's SFC, in response to the attack on the crypto platform JPEX, has decided to increase transparency by publishing a list of virtual asset trading platforms that are in the process of obtaining an operating license. The SFC will also list licensed platforms, those whose licenses are being revoked, and platforms they find suspicious. Additionally, the SFC is considering the creation of a dedicated channel for the public to report any breaches or questionable behavior by crypto entities. The JPEX incident has underscored the risks associated with unregulated virtual asset trading platforms (VATPs) and highlighted the importance of proper regulation to maintain market confidence. The SFC emphasized the need for better information dissemination to the investing public to help them understand potential risks associated with suspicious websites or VATPs. The SFC has also expressed its commitment to work with the police to investigate the JPEX incident and ensure that those responsible are brought to justice. Despite the licensing requirements introduced in June 2023, JPEX continued to promote its products and services in Hong Kong without applying for a license.
READ THE STORY: The Register
ZenRAT Malware Masquerades as Bitwarden Password Manager
Bottom Line Up Front (BLUF): A new malware strain, ZenRAT, is actively targeting Windows users by disguising itself as the Bitwarden password manager. Distributed via fake Bitwarden installation packages, the malware is a modular remote access trojan (RAT) with the capability to steal information.
Analyst Comments: The emergence of ZenRAT underscores the importance of downloading software only from verified sources. The malware's ability to disguise itself as a popular password manager like Bitwarden increases its potential to compromise a significant number of unsuspecting users. Immediate awareness and preventive measures are crucial to mitigate the risks associated with this new threat.
FROM THE MEDIA: ZenRAT is being hosted on counterfeit websites that appear to be affiliated with Bitwarden. The malware specifically targets Windows users; visitors arriving from non-Windows systems are instead redirected to a harmless cloned article about Bitwarden. The malicious payload, named Bitwarden-Installer-version-2023-7-1.exe, is served from a dubious domain and is a trojanized version of the standard Bitwarden installation package containing a malicious .NET executable. Once activated, ZenRAT collects various details about the host system and communicates with a command-and-control (C2) server operated by the threat actors.
READ THE STORY: THN
Kremlin's Efforts Aim to Uncover Evidence of Russian Soldiers' Misdeeds
Bottom Line Up Front (BLUF): Russian hackers are intensifying cyberattacks on Ukrainian law enforcement agencies to discover information about war crimes committed by Russian soldiers during the ongoing conflict.
Analyst Comments: The intensified cyber espionage activities by Russia underscore the Kremlin's concerns about the potential repercussions of the evidence being collected by Ukrainian entities. The shift in their cyberattack strategy and targets indicates a broader approach to gathering intelligence and possibly disrupting Ukraine's efforts in various sectors. The link between cyber espionage and on-ground war crimes investigations emphasizes the evolving nature of modern warfare, where digital and physical realms are intertwined. Ukrainian entities, especially those involved in sensitive investigations, should bolster their cybersecurity defenses and be prepared for persistent and evolving cyber threats from state-sponsored actors like Russia.
FROM THE MEDIA: Russian cyber espionage campaigns, as reported by Ukrainian cybersecurity officials, have been targeting Ukraine's prosecutor general's office, courts, and other entities involved in the investigation of war crimes. Victor Zhora, the deputy chairman of Ukraine's cybersecurity service (SSSCIP), revealed these findings during a recent press conference. The primary objective of these cyberattacks seems to be to uncover evidence of war crimes committed by Russian soldiers since the war's onset in February 2022. These crimes include civilian killings, rape, hostage-taking, torture, and bombings of civilian infrastructure. The SSSCIP report suggests that Russian hackers are attempting to obtain lists of war crime suspects to help them evade prosecution and possibly repatriate them to Russia. The International Criminal Court (ICC) has also been a target, with the recent opening of its field office in Kyiv to investigate Russian war crimes. The ICC's top prosecutor, Karim Khan, has indicated that cyber incidents could be treated as potential war crimes, with Russia's cyberattacks on Ukraine's civilian infrastructure being potential cases.
READ THE STORY: The Record
CIA Develops AI Chatbot to Counter China's Technical Efforts
Bottom Line Up Front (BLUF): The U.S. Central Intelligence Agency (CIA) is reportedly developing an AI chatbot similar to ChatGPT to enhance its intelligence capabilities and counter China's growing AI expertise.
Analyst Comments: The development of an AI chatbot by the CIA underscores the escalating technological race between the U.S. and China in the realm of artificial intelligence. While the U.S. aims to leverage AI for intelligence gathering and espionage, there are inherent risks and ethical considerations, especially concerning data privacy and surveillance. The balance between national security and individual privacy will continue to be a contentious issue as AI technologies become more integrated into intelligence and surveillance operations.
FROM THE MEDIA: The CIA's Open-Source Enterprise division is in the process of creating a large language model (LLM) to provide U.S. intelligence agencies, including the CIA, FBI, National Security Agency, and military analysts, with improved access to intelligence. This move comes as a response to China's ambition to lead the global AI sector by 2023. The LLM will enable users to trace the original source of the information presented and will feature a chat functionality. Randy Nixon, the director of the CIA's Open-Source Enterprise division, emphasized the chatbot's ability to continuously grow its collection without limitations, except for cost constraints. However, this AI tool will not be available to policymakers or the general public. The FBI, NSA, and CISA have previously warned about China's use of AI for threat detection, vulnerability hunting, disinformation campaigns, and cyberattack development. FBI Director Christopher Wray highlighted China's extensive data theft activities, which provide them with vast amounts of data ideal for training machine learning models.
READ THE STORY: The Register
libwebp Image Library Under Active Exploitation (CVE-2023-5129)
Bottom Line Up Front (BLUF): Google has identified and assigned a new CVE identifier for a critical security flaw in the libwebp image library, which is used for rendering images in the WebP format. This vulnerability is currently being actively exploited.
Analyst Comments: The active exploitation of this vulnerability poses a significant threat to organizations and individuals relying on applications that use the libwebp library. Given its widespread use and the severity of the flaw, there's an urgent need for immediate patching and updates. Users should be cautious and ensure they are using the latest versions of their applications, especially those processing WebP images.
FROM THE MEDIA: The vulnerability, identified as CVE-2023-5129, is rooted in the Huffman coding algorithm. When exploited using a specially crafted WebP lossless file, libwebp may write data out of bounds, leading to potential security breaches. Previous vulnerabilities in the same library were addressed by tech giants like Apple, Google, and Mozilla. However, the recent flaw's impact is broader, with many applications, code libraries, and operating systems found vulnerable.
READ THE STORY: THN
Securing Cyberspace: Navigating the Next Generation of Threats
Bottom Line Up Front (BLUF): The digital realm is facing an unprecedented surge in cyber threats, with recent advancements in AI potentially providing more avenues for hackers. As technology rapidly evolves, there's a growing concern about unforeseen cyberattacks. Key figures in the cybersecurity domain, including Chris Painter and Chris Krebs, emphasize the importance of understanding the evolving threat landscape, the role of ransomware, and the potential risks to election security.
Analyst Comments: The cybersecurity landscape is in a state of flux, with nation-states, criminals, and other actors continuously adapting their tactics. The increasing integration of AI and other technologies presents both opportunities and vulnerabilities. It's crucial for nations, especially the U.S., to invest in strengthening their cyber defenses, understanding the evolving threats, and fostering international cooperation to ensure a secure digital future. The Ukraine war serves as a stark reminder of how cyber warfare is becoming an integral part of modern conflicts, necessitating a proactive and well-informed approach to cybersecurity.
FROM THE MEDIA: The discussion, hosted by The Washington Post, highlighted the increasing importance of cybersecurity over the past decade. Chris Painter, the State Department's first coordinator for cyber issues, discussed the evolution of the cyber threat landscape in comparison to U.S. defense capabilities. He emphasized the shift in public perception of cyber threats, from viewing hackers as "Robin Hoods" to recognizing the serious national security implications of cyberattacks. Painter also touched upon the significance of the Ukraine war in understanding cyber warfare's role in modern conflicts. Chris Krebs, the former director of CISA, delved into the world of ransomware, emphasizing its growing threat and the challenges it poses to various sectors, including election security.
READ THE STORY: The Washington Post
Russian Cybercrime Group Ransomed.vc Alleges Compromise of Sony's Systems
Bottom Line Up Front (BLUF): Sony is currently investigating claims made by the Russian cybercrime group, Ransomed.vc, alleging that they have successfully hacked into all of Sony's systems and have possession of around 6,000 compromised files.
Analyst Comments: The allegations against Sony by Ransomed.vc, if true, could have significant implications for the tech company, especially given its past history with cyber breaches. The fact that the group claims to have files but is opting to sell rather than ransom them indicates a potentially different motive or strategy compared to other cybercriminal groups. Sony's prompt investigation into the matter is crucial, not only for its reputation but also for the security and trust of its vast user base. The international tech community will be closely watching the developments surrounding this situation.
FROM THE MEDIA: Sony, the Japanese tech giant, is under scrutiny after the cybercrime group Ransomed.vc claimed to have hacked into the entirety of Sony's systems. The group asserts that they have around 6,000 compromised files, all of which are reportedly in Japanese. In a statement, the group mentioned, "We have successfully compromised [sic] all of Sony systems. We won’t ransom them! We will sell the data. Due to Sony not wanting to pay. DATA IS FOR SALE." Cyber Security Connect experts have weighed in on the situation, stating that while the group seems to have shown some proof of their claims, the evidence provided is not particularly compelling. The proof includes items like an internal login page and an internal PowerPoint presentation. The criminals have not specified a ransom amount but have provided Sony with contact details and mentioned a "post date" of September 28, presumably indicating a deadline set by Ransomed.vc.
READ THE STORY: The Sun
Items of interest
Russian Cyber Operations Intensify Against Ukrainian Law Enforcement
Bottom Line Up Front (BLUF): Russian military cyber operations in the first half of 2023 have primarily targeted Ukrainian law enforcement agencies. The objective is to gather information on Ukrainian investigations into war crimes and counter-intelligence efforts against Russian spies. This shift from disruptive cyber operations to data collection and intelligence indicates a strategic change in Russian cyber warfare tactics.
Analyst Comments: The strategic shift in Russian cyber operations from disruption to intelligence gathering indicates a more calculated approach to cyber warfare. The focus on Ukrainian law enforcement agencies suggests that Russia is keen on understanding and potentially undermining Ukraine's internal security mechanisms. The rise in cyber incidents, despite improved Ukrainian defenses, underscores the persistent threat posed by Russian state-sponsored hackers. The involvement of high-profile hacking groups like Sandworm and Gamaredon further emphasizes the seriousness of the threat. The international community, especially organizations like the International Criminal Court, should be on high alert given the evolving nature of Russian cyber operations.
FROM THE MEDIA: Russian cyber operations have been focusing on gathering intelligence from Ukrainian law enforcement agencies. The primary aim is to collect data on Ukrainian investigations into war crimes and counter-intelligence activities against Russian spies and collaborators. This information was disclosed by Ukraine's top cyber defense organization in a recent report. The backdrop of this report is a noticeable shift in Russian hacking activities, moving from disruptive cyber operations to data collection, cyber intelligence, and influence operations. Victor Zhora, a leading Ukrainian cyber defense official, confirmed this trend. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP), responsible for investigating cyberattacks and defending critical infrastructure, stated that Russian military commanders are directing cyber units to gather evidence and intelligence. This information could potentially be used for criminal proceedings against spies, individuals, institutions, or organizations in Russia, leading to sanctions or other actions. The cyber operations also aim to assist Russians arrested in Ukraine in evading prosecution and facilitating their return to Russia.
READ THE STORY: CyberScoop
Russian hackers seek war crimes evidence, Ukraine cyber chief says (Video)
FROM THE MEDIA: Russian spies are using hackers to target computer systems at law enforcement agencies in Ukraine in a bid to identify and obtain evidence related to alleged Russian war crimes, Ukraine's cyber defence chief said.
How investigators are tracking Russian war crimes in Ukraine (Video)
FROM THE MEDIA: In Borodianka, a Ukrainian town in the Bucha district, northwest of Kyiv, 81-year-old Taisia Herasymenko says her son was shot dead by Russian soldiers. She is seeking justice and hopes a trial will come soon. The case is one of many that Ukrainian and international officials are investigating in the Bucha area where mass graves were discovered. Reuters follows investigators as they try to put the pieces together and look for any evidence of executions and torture.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.