Daily Drop (619): Rocket Alert App, Beijing's New Action Plan, Gaza-Based Threat Actor, Alibaba's Espionage Claims, Unpatched NetScaler, Whats App: Exploitation of Israeli, Israel-Hamas Conflict
10-09-23
Monday, Oct 09, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
Hacktivist Breach: Israel's Rocket Alert App Compromised
Bottom Line Up Front (BLUF): The RedAlert app, a real-time rocket alert system used widely in Israel, was reportedly compromised by the pro-Palestinian hacktivist group AnonGhost. The group exploited a vulnerability to send a fake nuclear attack threat to users, though the app's creators deny any malfunction.
Analyst Comments: The cyberattacks on Israel, particularly the breach of the RedAlert app, highlight the evolving nature of modern warfare, where physical and digital battlespaces are intertwined. As geopolitical tensions escalate, cyber warfare becomes an increasingly significant tool for state and non-state actors alike. The exploitation of widely-used apps like RedAlert underscores the importance of robust cybersecurity measures, especially in conflict zones where misinformation can have dire consequences. Hacktivist groups like AnonGhost typically engage in small-scale distributed denial-of-service (DDoS) attacks or website defacement. However, they occasionally execute more intricate attacks. Researchers have noted that these groups often exploit web and mobile APIs, which are perceived as softer targets compared to primary product APIs. AnonGhost, in particular, has been previously linked to the Islamic State (ISIS).
FROM THE MEDIA: Researchers from the cybersecurity firm Group-IB have claimed that AnonGhost exploited an application programming interface (API) vulnerability in the RedAlert app, which boasts over a million downloads on the Google Play store. The hacktivists allegedlGaza-Based Threat Actory intercepted requests, exposed vulnerable servers and APIs, and utilized Python scripts to spam some app users with the message, "a nuclear bomb is coming." This supposed attack was shared on AnonGhost's official Telegram channel. However, Elad Nava, the director of Pushy, the company responsible for the RedAlert app, refuted these claims, stating that the app continues to function normally.
READ THE STORY: CyberNews
Beijing's New Action Plan Targets Advanced Storage, Low-Latency Networks, and Digitization of Industry
Bottom Line Up Front (BLUF): China's Ministry of Industry and Information Technology has released an updated "Action Plan for the High-Quality Development of Computing Infrastructure" that prioritizes edge computing, advanced storage technologies, and sustainable digital infrastructure development.
Analyst Comments: China's updated action plan underscores its commitment to becoming a global leader in digital infrastructure and technology. The emphasis on edge computing and advanced storage technologies indicates Beijing's intent to stay at the forefront of technological advancements. The focus on sustainability and collaboration between the government, private sector, and industry groups suggests a holistic approach to achieving these goals. If successful, China's digital infrastructure could set new global standards and further position Chinese businesses as dominant players on the world stage.
FROM THE MEDIA: China's newly revised action plan, unveiled on Monday, outlines the nation's digital infrastructure goals for 2025. The targets include achieving a collective computing power of 300 exaflops and a national storage capacity of 1,800 exabytes. Notably, 30% of this storage is expected to be "advanced", with an emphasis on innovative storage technologies like all-flash memory and Blu-ray storage. The plan also highlights the importance of edge computing, aiming for industry applications to be available wherever necessary. Beijing has set latency benchmarks of five milliseconds between major computing infrastructure and network hubs, and even more ambitious sub-millisecond latency goals within major urban areas. The plan also emphasizes the use of IPv6 and SRv6 on 40% of networks and optic fiber as the primary layer on 80% of crucial sites. Sustainability is a recurring theme, with the plan advocating for more efficient use of electricity and prioritizing low-carbon inputs.
READ THE STORY: The Register
Gaza-Based Threat Actor Targets Key Israeli Sectors
Bottom Line Up Front (BLUF): A Gaza-based cyber threat actor, identified as Storm-1133, has been implicated in a series of cyber attacks targeting Israeli private-sector organizations in the energy, defense, and telecommunications sectors. Microsoft's Digital Defense Report highlights this group's alignment with Hamas's interests.
Analyst Comments: The activities of Storm-1133 underscore the evolving landscape of cyber threats, where nation-state actors and aligned groups employ sophisticated techniques to further political and strategic interests. The blending of social engineering with advanced cyber tactics highlights the need for organizations to remain vigilant and adopt comprehensive cybersecurity measures. The geopolitical implications of such cyber activities, especially in regions with ongoing conflicts, emphasize the intertwined nature of cyber warfare with traditional warfare.
FROM THE MEDIA: Microsoft's recent Digital Defense Report has shed light on the cyber activities of Storm-1133, a threat actor based in Gaza. The group's cyber attacks have primarily targeted Israeli organizations in the energy, defense, and telecommunications sectors. Microsoft assesses that the group's activities align with the interests of Hamas, the governing authority in the Gaza Strip. The attacks have predominantly affected organizations perceived as hostile to Hamas, including those loyal to Fatah, a Palestinian nationalist party based in the West Bank. The attack strategies employed by Storm-1133 involve a combination of social engineering and the creation of fake LinkedIn profiles. These profiles, posing as Israeli HR managers and software developers, are used to send phishing messages, conduct reconnaissance, and deliver malware to employees of targeted Israeli organizations. Microsoft has also observed attempts by Storm-1133 to infiltrate third-party organizations publicly associated with their primary Israeli targets.
READ THE STORY: THN
Alibaba's Alleged Espionage Activities in Europe Highlight Growing Concerns Over Chinese E-Commerce Giants
Bottom Line Up Front (BLUF): Chinese e-commerce giants, particularly Alibaba, are under scrutiny for potential espionage activities in Europe. The rapid expansion of these companies, combined with Chinese regulations that mandate data sharing with the government, raises significant national security concerns.
Analyst Comments: The alleged espionage activities of Alibaba in Europe highlight the broader challenges posed by the global expansion of Chinese e-commerce companies. These companies' operations, supported by Chinese regulations, can potentially be weaponized for intelligence-gathering, posing significant national security risks. As Chinese e-commerce entities continue to grow and expand their global footprint, it's crucial for countries to assess the potential risks and implement measures to safeguard their national interests. Consumers, too, need to be more aware of the potential risks associated with using these platforms.
FROM THE MEDIA: Belgium is currently investigating alleged espionage activities linked to Alibaba's logistics arm, Cainiao, at the Liège airport, one of Europe's major cargo hubs. The primary concern stems from a Chinese regulation that requires companies to share data with Chinese authorities, potentially turning these e-commerce operations into intelligence-gathering entities. Experts suggest that companies like Alibaba could exploit their presence in key logistical hubs to gather proprietary data on transactions, companies, and individuals. This data could be used for various purposes, including economic espionage, which involves the targeting or acquisition of secret trade, technology, or financial information. The rapid expansion of Chinese e-commerce companies, such as Shein and TikTok, in global markets, particularly the U.S., further exacerbates these concerns. The technology and infrastructure supporting these operations could potentially be embedded with malware, serving as a trojan horse for spying activities.
READ THE STORY: QZ
Cyber Vulnerabilities Exposed: Unpatched NetScalerInstances Targeted
Bottom Line Up Front (BLUF): Unpatched Citrix NetScaler instances are being exploited by threat actors to harvest user credentials, leveraging a vulnerability known as CVE-2023-3519. Organizations are urged to patch and change their certificates and passwords to mitigate the risk.
Analyst Comments: The exploitation of unpatched vulnerabilities, especially in widely-used systems like Citrix NetScaler, underscores the importance of timely patching and proactive cybersecurity measures. Organizations that delay or neglect patching expose themselves to significant risks, especially when vulnerabilities have a high severity score. The integration of cyberattacks into automated campaigns further emphasizes the need for organizations to remain vigilant and prioritize security updates. As cyber threats continue to evolve, a proactive and timely response to known vulnerabilities is crucial to safeguarding digital assets and user data.
FROM THE MEDIA: IBM has reported a credential harvesting campaign specifically targeting Citrix NetScaler gateways that remain unpatched against the CVE-2023-3519 vulnerability. This vulnerability, which has a high CVSS score of 9.8, was disclosed in July, but exploitation began as early as June 2023, with some attacks focusing on critical infrastructure entities. By mid-August, an automated campaign had backdoored approximately 2,000 NetScaler instances. In September, a new malicious campaign was observed, where attackers targeted unpatched NetScaler devices to inject scripts on authentication pages to steal user credentials. The attackers exploit the vulnerability to inject a PHP web shell, which then allows them to modify the legitimate 'index.html' file. This modification loads a JavaScript file from the attacker's infrastructure on the VPN authentication page, which subsequently captures and sends user credentials to a remote server. IBM has identified at least 600 unique victim IP addresses with modified NetScaler Gateway login pages, primarily in the US and Europe.
READ THE STORY: SecurityWeek
Cybercriminals Exploit Israeli Crisis via WhatsApp
Bottom Line Up Front (BLUF): The U.S. should consider leveraging Russia's historical desire for strategic autonomy to gain an advantage over China. By restoring diplomatic ties and offering incentives, the U.S. can potentially weaken the China-Russia alliance, benefiting its broader geopolitical strategy.
Analyst Comments: Graham's perspective offers a fresh lens to view the U.S.-Russia-China triangle, emphasizing strategic pragmatism over entrenched hostilities. While the approach might face opposition, especially from countries directly affected by Russia's actions, it underscores the importance of broader geopolitical considerations. The U.S., as a dominant power, has the opportunity to think creatively and harness Russia's ambitions to further its own interests, especially in counterbalancing China's growing influence.
FROM THE MEDIA: Thomas Graham's article delves into the complex relationship dynamics between Russia, the West, and China, especially against the backdrop of the war in Ukraine. Despite Russia's current anti-Western stance, its historical desire for strategic autonomy offers the U.S. a potential leverage point. The article traces Russia's post-Soviet trajectory, highlighting its initial dependence on the West, its resurgence under Putin, and its growing alignment with China. However, Russia's desire to avoid becoming a junior partner to China means it seeks a counterweight, which could be the West. The author suggests that the U.S. should consider restoring diplomatic relations and offer incentives to ensure Russia's strategic autonomy, thereby potentially weakening the China-Russia alliance.
READ THE STORY: CyberNews
The Digital Frontline: Hacktivist Involvement in the Israel-Hamas Conflict
Bottom Line Up Front (BLUF): The ongoing Israel-Hamas conflict has extended into the digital realm, with multiple hacker groups launching cyberattacks in support of both sides. These digital skirmishes underscore the increasing integration of cyber warfare tactics in geopolitical conflicts.
Analyst Comments: The intertwining of cyber warfare with real-world conflicts is a growing trend, highlighting the strategic importance of digital assets and infrastructure in modern geopolitical struggles. The involvement of hacktivist groups in the Israel-Hamas conflict serves as a testament to the evolving nature of warfare, where digital strikes can complement or even precede physical confrontations. As cyber capabilities become more accessible, it's imperative for nations and organizations to bolster their cyber defenses and be prepared for digital skirmishes that can have tangible real-world consequences. The blending of cyber and physical battlefronts necessitates a holistic approach to security, encompassing both digital and physical domains.
FROM THE MEDIA: The Israel-Hamas conflict, which saw a significant escalation following a major attack by the Palestinian militant group, has been mirrored in the cyber world. Several hacker groups, ranging from Anonymous Sudan to pro-Russian group Killnet, have initiated cyberattacks targeting various entities associated with both Israel and Hamas. Initial attacks were launched against Israel's emergency warning systems, with claims of taking down alerting applications. Prominent Israeli entities, such as the Jerusalem Post and the Israel Electric Corporation, have also been targeted. On the other side, pro-Israel groups like ThreatSec have claimed to compromise infrastructure associated with Hamas. The methods employed by these hacktivists predominantly include distributed denial-of-service (DDoS) attacks, with some groups known to exaggerate their claims of disruption. However, certain groups, especially those with ties to nation-states, have historically launched highly disruptive attacks on major global entities.
READ THE STORY: SecurityWeek
Critical Vulnerabilities Found in ConnectedIO's 3G/4G Routers
Bottom Line Up Front (BLUF): ConnectedIO's ER2000 edge routers and their cloud-based management platform have been identified with multiple high-severity security vulnerabilities. If exploited, these vulnerabilities could allow attackers to execute malicious code, access sensitive data, and pose significant risks to thousands of global companies.
Analyst Comments: The vulnerabilities in ConnectedIO's routers and cloud platform amplify the threats to Extended Internet of Things (XIoT) devices. Given the potential for attackers to take control, intercept traffic, and infiltrate XIoT devices, organizations using these routers should be on high alert. The vulnerabilities underscore the importance of robust security measures, regular patching, and continuous monitoring, especially for devices connected to the internet. Immediate action is recommended to mitigate potential risks and ensure the security of internal networks.
FROM THE MEDIA: Researchers have discovered a series of vulnerabilities in ConnectedIO platform versions v2.1.0 and prior, specifically targeting the 4G ER2000 edge router and cloud services. These vulnerabilities can be chained, enabling attackers to execute arbitrary code on cloud-based devices without needing direct access. Additionally, flaws in the communication protocol (MQTT) used between the devices and the cloud have been identified. This includes the use of hard-coded authentication credentials, potentially allowing attackers to register rogue devices and access sensitive MQTT messages.
READ THE STORY: THN
Chinese Smart TV Boxes: The PEACHPIT Ad Fraud Campaign
Bottom Line Up Front (BLUF): The U.S. should consider leveraging Russia's historical desire for strategic autonomy to gain an advantage over China. By restoring diplomatic ties and offering incentives, the U.S. can potentially weaken the China-Russia alliance, benefiting its broader geopolitical strategy.
Analyst Comments: The discovery of the BADBOX and PEACHPIT campaigns underscores the evolving threats in the cybersecurity landscape. The fact that devices can be preloaded with malware before reaching consumers highlights the need for rigorous security checks throughout the supply chain. Consumers must be cautious when purchasing off-brand devices from online retailers and resale sites. Manufacturers and e-commerce platforms should also enhance their security protocols to detect and prevent the distribution of compromised devices.
FROM THE MEDIA: Last week, Human Security, a bot defense software vendor, detailed an attack that involved selling off-brand mobile and Connected TV (CTV) devices on popular online retailers and resale sites. These devices came preloaded with the Triada malware. The campaign, named BADBOX, affected devices sold for under $50. Human's research identified over 200 models with this pre-installed malware. When the company shopped for seven specific devices, they found that 80% of the units were infected with BADBOX. Further analysis revealed an ad fraud module named PEACHPIT. At its height, PEACHPIT operated on a botnet that spanned 121,000 Android devices daily. The attackers also developed malicious iOS apps, which affected 159,000 Apple devices daily during the campaign's peak. These infected devices delivered over four billion ads daily, all of which were invisible to users.
READ THE STORY: The Register
Senior Executives Targeted: The Rise of the EvilProxy Phishing Kit
Bottom Line Up Front (BLUF): A new phishing campaign is targeting senior executives in U.S.-based organizations, leveraging a popular adversary-in-the-middle (AiTM) phishing toolkit called EvilProxy. This toolkit is being used for credential harvesting and account takeover attacks, with sectors such as banking, financial services, insurance, property management, real estate, and manufacturing being the primary targets.
Analyst Comments: The discovery of the EvilProxy phishing campaign underscores the evolving and sophisticated nature of cyber threats. The exploitation of legitimate platforms like 'indeed.com' and Dropbox highlights the need for continuous vigilance and updated security measures. Organizations must prioritize cybersecurity training for their employees, especially senior executives, to recognize and avoid such phishing attempts. Additionally, platforms and websites must regularly audit and patch vulnerabilities to prevent exploitation by malicious actors.
FROM THE MEDIA: Menlo Security has identified a phishing campaign that began in July 2023, targeting senior executives in U.S. organizations. The campaign utilizes the EvilProxy phishing toolkit to conduct its attacks. This toolkit acts as a reverse proxy set up between the target and a legitimate login page, allowing attackers to intercept credentials, two-factor authentication (2FA) codes, and session cookies, facilitating the hijacking of accounts of interest. The threat actors behind this campaign have exploited an open redirection vulnerability on the job search platform 'indeed.com.' This vulnerability redirects victims to malicious phishing pages that impersonate Microsoft, thereby harvesting the credentials entered by the unsuspecting user. EvilProxy was first documented by Resecurity in September 2022.
READ THE STORY: THN
"Curl" Open-Source Tool Faces Security Threats
Bottom Line Up Front (BLUF): The open-source tool "curl," foundational in supporting various network protocols, is under the spotlight with two vulnerabilities set to be publicly announced soon. Given curl's extensive use in the tech ecosystem, these vulnerabilities could have far-reaching effects.
Analyst Comments: The vulnerabilities in curl underscore the intricate challenges the open-source community grapples with, especially when the tool in question is as ubiquitous as curl. Organizations should be on high alert, monitoring updates from the curl maintainers, and be primed to deploy the fixes as they roll out on October 11. The recurrence of vulnerabilities in open-source tools amplifies the call for a more standardized approach to software documentation, emphasizing the importance of transparency through Software Bills of Materials (SBOMs).
FROM THE MEDIA: Curl, an open-source command-line tool, is a staple for developers and system administrators, facilitating interactions with APIs, file downloads, and the automation of numerous internet tasks. The vulnerabilities in question include a high-severity issue (CVE-2023-38545) affecting both curl and its underlying library, libcurl, and a low-severity issue (CVE-2023-38546) targeting only libcurl. A maintainer's comment on GitHub has described the high-severity vulnerability as one of the most severe security flaws curl has seen in recent times. Fixes for these vulnerabilities are slated for release on October 11. This alert comes on the heels of a series of open-source security concerns. Other tools, like libwebp and libvpx, have recently been exploited, with entities like Google pointing to exploitation by commercial spyware vendors. Additionally, Amazon Web Services has flagged a vulnerability in TorchServe, a tool integral to building AI models.
READ THE STORY: The Record // THN
Generative AI's Vulnerability: The Rising Threat of Prompt Injections
Bottom Line Up Front (BLUF): Generative AI models, notably ChatGPT, are increasingly vulnerable to manipulations through "jailbreaks" and "prompt injections," leading to potential malicious outputs. As these AI models become more integrated into various platforms, the cybersecurity implications of such vulnerabilities become more pronounced.
Analyst Comments: The vulnerabilities within generative AI models present a growing cybersecurity challenge. As these models become more prevalent in applications, the potential for misuse escalates. The inherent nature of generative AI, which is to generate content based on prompts, makes it intrinsically challenging to safeguard against all potential misuse. Organizations leveraging these models must be proactive, continuously monitoring AI outputs, and implementing robust security measures. The AI development community must also prioritize transparency and engage in open discussions about these vulnerabilities to collectively address and mitigate risks.
FROM THE MEDIA: Generative AI, designed to produce vast content based on user prompts, has been manipulated in various ways, from generating malicious code to bypassing content filters. A recent demonstration by Moonlock Lab showcased ChatGPT's ability to produce keylogger malware code when fed specific keywords. This incident underscores the ease with which these models can be "hacked" using carefully crafted prompts. The emerging threat of "prompt injections" is particularly alarming. In this method, users subtly guide the AI to behave unexpectedly, sometimes embedding these prompts on websites, making them invisible to users but readable by chatbots. Such tactics can lead to unintended actions, including potential data exfiltration.
READ THE STORY: THN
Items of interest
Navigating the U.S.-Russia-China Triangle
Bottom Line Up Front (BLUF): The Israel-Hamas conflict has reached a critical juncture with Hamas taking Israeli hostages for a potential exchange, while the Israeli Navy intensifies its counter-terrorism operations.
Analyst Comments: The current dynamics between Israel and Hamas are highly combustible. The audacious move by Hamas to take hostages indicates a shift in their strategy, possibly aiming to leverage international pressure on Israel. Israel's decisive naval and aerial responses signal their commitment to neutralizing immediate threats. The situation demands urgent international diplomatic intervention to de-escalate tensions and avert a full-blown conflict.
FROM THE MEDIA: Hamas leader Saleh al-Arouri announced the capture of a significant number of Israeli hostages, aiming to exchange them for Palestinians detained in Israeli prisons on terrorism charges. This alarming development was substantiated by online footage showcasing Palestinians abducting Israeli residents and relocating them to the Gaza Strip. In a swift response to the escalating threats, the Israeli Navy launched a series of attacks. They targeted terrorists on Zikim Beach and struck Islamic Jihad ships anchored in the Gaza Strip. The navy also thwarted an attempt by five Hamas ships trying to breach Israeli waters. Amidst these developments, Israel's leadership has declared a state of emergency, with Prime Minister Netanyahu proclaiming the nation to be in a state of war. The Israeli Air Force, in retaliation to Hamas's provocations, has initiated strikes on 21 Hamas strongholds in the Gaza Strip.
READ THE STORY: Foreign Affairs
Iran or Russia: Who's Backing Hamas And Will An All-Out Israel-Palestine War (Video)
FROM THE MEDIA: amas spokesman Ghazi Hamad told the BBC that Iran had backed the Palestinian terror group in launching its attack on Israel on October 7. The claim comes after Dennis Ross of the Washington-based Institute for Near East Policy blamed Iran for the attack. Meanwhile, Estonian Reform Party leader Marko Mihkelson said the ongoing conflict in the Middle East may have involvement of Russia and Iran.
Putin Renews Support For 'Independent Palestine'; Russia For Ceasefire Amid Israel-Hamas War (Video)
FROM THE MEDIA: As the tensions between Israel and Palestine continue to escalate, Russia has called for Israeli and Palestinian forces to stop armed hostilities after attacks launched by Palestinian militant group Hamas on Israel. Russian foreign ministry spokeswoman Maria Zakharova called both the parties to set up "a negotiation process aimed at establishing a comprehensive, lasting and long-awaited peace" with the help of the international community. Watch this to know more.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.