Daily Drop (620): DPRK: Counter US, NASA: Falcon Heavy, CN: "Stayin Alive", South Korea: Chips, GNOME: RCE, CN: US Utilities, Vietnam: Predator Spyware, CVE-2023-3519, Taiwan: Peace w/ CN, Hacktivist
10-10-23
Tuesday, Oct 10, 2023 // (IG): BB // Financial Enabler PODCAST // Coffee for Bob
North Korea's Satellite Program: A Countermeasure to U.S. Space Militarization
Bottom Line Up Front (BLUF): North Korea has emphasized its spy satellite program as a crucial step to counteract the U.S.'s increasing militarization of space, which Pyongyang perceives as an enhancement of the U.S.'s preemptive nuclear strike capabilities and a bid for global dominance.
Analyst Comments: The recent statements from North Korea underscore the nation's growing concerns about the U.S.'s strategic intentions in space, especially in the context of the broader geopolitical tensions in the Asia-Pacific region. North Korea's emphasis on its satellite program as a countermeasure suggests that space will be a significant arena for strategic competition in the coming years. The international community should closely monitor these developments, as they have the potential to escalate existing tensions and introduce new complexities to regional security dynamics.
FROM THE MEDIA: State media KCNA reported that North Korea views its spy satellite program as an "indispensable" measure against the U.S.'s efforts to militarize space, which it believes is aimed at bolstering the U.S.'s preemptive nuclear strike capability and achieving "world supremacy." Ri Song Jin, a researcher from the National Aerospace Technology Administration, highlighted the U.S. Space Force's recent activities in Asia, including a visit by its commander to Tokyo and the deployment of a Space Force component in South Korea. Ri asserted that these moves are veiled attempts to prepare for preemptive strikes against nations opposing the U.S., specifically naming North Korea, China, and Russia. In light of the U.S.'s aggressive space militarization in and around the Korean peninsula, Ri emphasized that space development, including military reconnaissance satellites, is vital for safeguarding North Korea's security interests and its right to exist.
READ THE STORY: Reuters
NASA's New Era: Embracing SpaceX's Falcon Heavy
Bottom Line Up Front (BLUF): NASA is ushering in the Falcon Heavy era, with SpaceX's heavy-lift rocket set to play a pivotal role in the agency's upcoming space missions. With five reserved launches in the next few years, the Falcon Heavy will support a diverse range of missions, from asteroid exploration to establishing a mini-space station around the Moon.
Analyst Comments: The strategic partnership between NASA and SpaceX, particularly with the Falcon Heavy, signifies a transformative phase in space exploration. The Falcon Heavy's unmatched capabilities, combined with SpaceX's proven track record, position it as an invaluable asset for NASA's future missions. This collaboration not only underscores the growing trust between governmental space agencies and private space companies but also sets the stage for groundbreaking discoveries and advancements in space technology.
FROM THE MEDIA: The launch of the Psyche asteroid mission marks the beginning of NASA's intensive collaboration with SpaceX's Falcon Heavy. Over the subsequent years, the space agency has planned five launches on this heavy-lift rocket, encompassing a broad spectrum of robotic space missions. These include deep space probes, astronomical observatories, weather satellites, and foundational elements for NASA's Gateway mini-space station orbiting the Moon. Currently, up to 10 Falcon Heavy missions are contracted with SpaceX, with NASA being directly or indirectly involved in nine of them. The Falcon Heavy, despite facing competition from newer rockets, remains the world's most powerful operational commercial rocket.
READ THE STORY: arsTECHNICA
Stayin Alive Campaign Focuses on Telecommunications and Government Bodies in Asia
Bottom Line Up Front (BLUF): The Stayin Alive cyber campaign, believed to be linked to China, has been persistently targeting telecommunications sectors and government bodies in Asian countries, including Vietnam, Pakistan, Uzbekistan, and Kazakhstan, since 2021.
Analyst Comments: The increasing cyber activities linked to China underscore the nation's aggressive cyber stance, especially in the Asian region. The targeting of telecommunications infrastructure indicates a strategic move to gain control over communication channels and access valuable personal data. Countries in the region, especially those with significant telecom infrastructure, should bolster their cybersecurity measures in anticipation of potential threats. The international community should also be vigilant and collaborate to counter such persistent cyber threats.
FROM THE MEDIA: Check Point researchers have detailed the Stayin Alive campaign, which relies on simple loaders and downloaders as its initial foothold against prominent entities in the targeted countries. The tools are rudimentary and disposable and bear little resemblance to known malware families, yet they have been linked to ToddyCat, a Chinese-affiliated hacker group. Initial access comes through spear-phishing emails whose attachments deliver the payloads via DLL side-loading; one chain abuses a DLL side-loading vulnerability in Audinate's Dante Discovery software. The focus on telecommunications is attributed to the sector's control over communication channels and its large stores of personal data, which are valuable for espionage or for resale on the dark web. Other government entities, especially in Kazakhstan, have also been targeted.
READ THE STORY: Candid Tech
Diplomatic Tensions Eased as South Korean Tech Giants Secure Exemption from Sanctions
Bottom Line Up Front (BLUF): The US has permitted Samsung and SK hynix, two of South Korea's leading tech companies, to continue their semiconductor manufacturing operations in China indefinitely. This decision not only has implications for the global semiconductor supply chain but also carries significant diplomatic weight in the context of US-China and US-South Korea relations.
Analyst Comments: The US's decision to allow Samsung and SK hynix to continue their operations in China is multifaceted. On one hand, it addresses immediate concerns related to the semiconductor supply chain, ensuring that there's no disruption in the production of chips, which are critical for a multitude of industries. On the other hand, it serves as a diplomatic gesture, strengthening ties between the US and South Korea while sending a nuanced message to China. The announcement's timing, coinciding with the visit of US senators to China and rumors of a potential meeting between the US and Chinese presidents, suggests a possible thaw in the frosty US-China relations.
FROM THE MEDIA: The office of South Korea's president announced that the US has granted Samsung and SK hynix permission to persist with their chipmaking activities in China. These South Korean tech giants operate semiconductor factories in China and, as a result, need to export chipmaking equipment into the country. However, the US mandates licensing for such exports, especially if they enable the production of specific chips, due to concerns over China gaining access to advanced semiconductor manufacturing technology. Given South Korea's status as one of the US's 18 Major Non-NATO Allies, sanctions that could potentially harm two of its major businesses were diplomatically sensitive. South Korea had been lobbying for an exemption to these sanctions, fearing that any disruptions to their chipmaking assets in China could negatively impact their flagship companies and the broader economy. This lobbying has proven successful, with both Samsung and SK hynix receiving ongoing exemptions for their operations in China.
READ THE STORY: The Register
Critical Flaw in libcue Library Enables Remote Code Execution on GNOME Linux Systems
Bottom Line Up Front (BLUF): A newly identified security flaw in the libcue library, which impacts GNOME Linux systems, can be exploited to achieve remote code execution (RCE) on affected systems. The vulnerability, tracked as CVE-2023-43641, affects versions 2.2.1 and earlier of the libcue library.
Analyst Comments: The discovery of this vulnerability underscores the importance of maintaining up-to-date systems and libraries. Given the potential for remote code execution, organizations and individuals using GNOME Linux systems should ensure they have applied the necessary patches or updates to mitigate the risk associated with this flaw. The ease of exploitation, especially through a simple user action like downloading a file, makes it imperative to address this vulnerability promptly.
FROM THE MEDIA: The flaw resides in libcue, a library for parsing cue sheet files. libcue is used by Tracker Miners, the file-indexing service that ships by default with GNOME and indexes files on the system so they can be searched. The vulnerability is a memory corruption issue in libcue: an out-of-bounds array access in the track_set_index function, where an index number taken from the cue sheet is used as an array position without being checked. Exploitation requires only that a victim click a malicious link that downloads a .cue file; the victim never has to open it. Once the file lands in the '~/Downloads' directory, tracker-miners automatically indexes it and hands it to libcue for parsing, which triggers the bug and leads to code execution. GitHub security researcher Kevin Backhouse, who discovered the flaw, stressed that because of this integration with tracker-miners the libcue bug amounts to a one-click RCE.
READ THE STORY: THN
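The bug class described above is an unchecked, file-controlled array index. The following is an added illustrative example, not libcue's code: it parses the INDEX lines of a cue sheet the way a simple parser would, and contrasts a setter that uses the INDEX number as-is with one that bounds-checks it first. Python cannot reproduce the C memory corruption itself (a negative index lands on a slot at the other end of the list instead of before the array, and a large one raises IndexError instead of writing past it), so the point shown is where the missing check belongs. The slot count MAXINDEX, the function names and the sample cue sheets are assumptions constructed for this example.

```python
import re

MAXINDEX = 100  # assumption: fixed number of INDEX slots per track, as in a C struct array

# INDEX <number> <mm:ss:ff>; the number is attacker-controlled when the file is untrusted
INDEX_LINE = re.compile(r"^\s*INDEX\s+(-?\d+)\s+(\d+):(\d{2}):(\d{2})\s*$")


def msf_to_frames(minutes, seconds, frames):
    """Convert a cue-sheet mm:ss:ff time to a frame count (75 frames per second)."""
    return (minutes * 60 + seconds) * 75 + frames


class Track:
    """One track with a fixed-size table of index positions, mirroring a C array."""

    def __init__(self):
        self.index = [None] * MAXINDEX


def set_index_unchecked(track, i, frames):
    """Pre-fix pattern: the INDEX number from the file is used as the array position.

    In C this is an out-of-bounds write for i < 0 or i >= MAXINDEX. In Python a
    negative i silently overwrites a slot at the other end of the list, which is the
    closest analogue: data lands somewhere the format never meant it to go.
    """
    track.index[i] = frames


def set_index_checked(track, i, frames):
    """Hardened form: reject any INDEX number outside the slot range before using it."""
    if not 0 <= i < MAXINDEX:
        raise ValueError(f"INDEX number {i} outside 0..{MAXINDEX - 1}")
    track.index[i] = frames


def parse_track_indexes(cue_text, setter):
    """Parse the INDEX lines of a single track, applying `setter` to each one."""
    track = Track()
    for line in cue_text.splitlines():
        m = INDEX_LINE.match(line)
        if not m:
            continue  # FILE, TRACK, TITLE and so on are not relevant to this bug
        i = int(m.group(1))
        frames = msf_to_frames(int(m.group(2)), int(m.group(3)), int(m.group(4)))
        setter(track, i, frames)
    return track


def cue_accepted(cue_text, setter):
    """True if every INDEX line was accepted by `setter`, False if one was rejected."""
    try:
        parse_track_indexes(cue_text, setter)
    except ValueError:
        return False
    return True


# Constructed sample cue sheets (not taken from any real exploit file).
BENIGN_CUE = """FILE "song.wav" WAVE
  TRACK 01 AUDIO
    INDEX 00 00:00:00
    INDEX 01 00:02:00
"""

MALICIOUS_CUE = """FILE "song.wav" WAVE
  TRACK 01 AUDIO
    INDEX -7 12:34:56
"""

if __name__ == "__main__":
    t = parse_track_indexes(MALICIOUS_CUE, set_index_unchecked)
    print("unchecked: slot", MAXINDEX - 7, "was overwritten with", t.index[MAXINDEX - 7])
    print("checked: accepted =", cue_accepted(MALICIOUS_CUE, set_index_checked))
```

The check is cheap and belongs at the point where the parsed integer first becomes an array position; validating the file format elsewhere does not help, because a syntactically valid cue sheet can still carry an out-of-range INDEX number.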
China's Rising Cyber Threat to U.S. Utilities
Bottom Line Up Front (BLUF): The Cybersecurity and Infrastructure Security Agency (CISA) has pinpointed China as the leading nation-state cyber adversary to the U.S., with a particular focus on its aggressive targeting of American critical infrastructure.
Analyst Comments: CISA's proactive stance in safeguarding critical infrastructure is evident in its swift collaboration with the cybersecurity community, fostering enhanced intelligence sharing and sector-specific guidance. The agency's transition from emphasizing threats linked to the Russia-Ukraine conflict to those associated with China signifies the dynamic nature of cyber threats. The impending regulation under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which obliges critical infrastructure entities to report major cyber incidents to CISA within a 72-hour window, underscores the agency's dedication to prompt threat identification and mitigation. This regulation is not intended to penalize, but rather to support victims of cyberattacks and offer preemptive alerts to potential future targets. The increasing regulatory focus on cybersecurity, as evidenced by initiatives from bodies like the Securities and Exchange Commission, coupled with the call for corporate leadership to prioritize cybersecurity risks, accentuates the pressing nature of the current cyber threat environment.
FROM THE MEDIA: CISA has recently intensified its scrutiny of cyber threat activity associated with the People's Republic of China. Speaking at the Secureworks Threat Intelligence Summit, CISA Director Jen Easterly described China's growing cyber offensives against U.S. critical infrastructure. Chinese operators have been implicated in major campaigns, notably Volt Typhoon, and have refined living-off-the-land techniques that let them blend quietly into existing infrastructure and pre-position for later attacks. Sectors such as rail transportation, energy, and oil and gas pipelines are at heightened risk, particularly in the event of a military confrontation. While acknowledging awareness of the threat, Easterly underscored the inherent difficulty of detecting these operators inside U.S. systems and emphasized the need to build resilience across systems, businesses, and networks.
READ THE STORY: UtilityDive
Vietnam's Alleged Spyware Scandal: Targeting Global Politicians
Bottom Line Up Front (BLUF): Amnesty International has implicated the Vietnamese government in the acquisition and deployment of the controversial Predator spyware, allegedly targeting US and European politicians. This revelation comes amidst recent efforts by the US and Vietnam to strengthen bilateral ties.
Analyst Comments: The allegations against Vietnam, if substantiated, could strain its recently refreshed relationship with the US. The use of spyware, especially against foreign politicians, is a contentious issue that could have diplomatic repercussions. The international community, particularly nations with strong ties to Vietnam, will likely monitor the situation closely and assess their cybersecurity measures. The report also underscores the broader concerns about the unchecked proliferation and misuse of spyware on a global scale, emphasizing the need for stricter regulations and oversight.
FROM THE MEDIA: Amnesty International's report, "The Predator Files: Caught in the Net," highlights the potential misuse of the Predator spyware, a product of Intellexa, which is blacklisted by the US. The spyware, known for its invasive capabilities, can record audio, extract messaging app data, and is installed without the user's knowledge. The report points to a now-defunct X/Twitter account, @JOSEPH_GORDON16, which shared links leading to Intellexa servers, potentially installing the spyware upon being clicked. These links targeted various high-profile individuals and entities, including members of the European Parliament, the European Commission, UN officials, the Taiwanese president, US senators, and other diplomatic figures. The evidence suggests that Vietnamese authorities or their representatives might be behind this spyware campaign. This revelation is particularly significant given the recent announcement by US President Joe Biden of a "historic new phase of bilateral cooperation and friendship" with Vietnam.
READ THE STORY: The Register
Critical Vulnerability in Citrix NetScaler ADC and Gateway Devices Exploited for User Data
Bottom Line Up Front (BLUF): A critical flaw in Citrix NetScaler ADC and Gateway devices, identified as CVE-2023-3519, is being actively exploited by cyber adversaries to harvest user credentials. The exploitation has been ongoing for nearly two months, targeting primarily the U.S. and Europe.
Analyst Comments: The exploitation of the Citrix NetScaler flaw underscores the importance of timely patching and the risk carried by unpatched internet-facing appliances. Patching alone is not enough here: an appliance compromised before the July fix keeps its web shell and its modified login page after the update. Organizations running NetScaler ADC or Gateway should therefore confirm the patch is applied, compare the Gateway login page and its supporting files against a known-good copy, look for script references that point at hosts outside the organization, and review the appliance for unexpected PHP files and other signs of unauthorized access. Given the critical nature of the vulnerability and its potential for remote code execution, businesses should treat any modified login page as a credential compromise and reset the affected users' passwords.
FROM THE MEDIA: IBM X-Force discovered that threat actors are exploiting the critical code injection vulnerability in Citrix NetScaler devices to insert a malicious script into the authentication web page, capturing user credentials. This vulnerability, which was addressed by Citrix in July 2023, can lead to unauthenticated remote code execution. The attackers, in the recent attack chain, send a specially crafted web request to exploit the vulnerability and deploy a PHP-based web shell. This access is then used to append custom code to the NetScaler Gateway login page, which references a remote JavaScript file on attacker-controlled infrastructure. This JavaScript code captures the username and password information provided by users and sends it to a remote server. IBM X-Force identified at least 600 unique victim IP addresses with modified NetScaler Gateway login pages. The campaign's start date is unclear, but the earliest modification was on August 11, 2023. The campaign has not been linked to any known threat group.
READ THE STORY: THN
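The modification described above leaves a visible trace: a script tag in the login page that loads JavaScript from a host the gateway does not own. The following is an added example, not code from IBM X-Force, Citrix or THN: it parses a login page's HTML, collects every script source, and flags those that load from a host other than the gateway's own, which is exactly the pattern of an appended credential-harvesting reference. The sample pages, the paths and field names in them, the hostname gateway.example.com, the attacker host under .invalid, and the function names are all constructed assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def script_host(src):
    """Host a script src loads from, or None for relative paths such as /vpn/js/x.js.

    Protocol-relative references (//host/x.js) still resolve to a host, so they are
    caught as well; urlsplit lowercases the hostname for us.
    """
    return urlsplit(src).hostname


def foreign_script_sources(page_html, own_hosts):
    """Return every <script src> that loads from a host other than the gateway's own.

    Relative paths are treated as the appliance's own resources. Anything that names
    a host not in own_hosts is what this campaign leaves behind: a script reference to
    attacker-controlled infrastructure appended to the login page.
    """
    collector = ScriptSrcCollector()
    collector.feed(page_html)
    own = {h.lower() for h in own_hosts}
    flagged = []
    for src in collector.srcs:
        host = script_host(src)
        if host is not None and host not in own:
            flagged.append(src)
    return flagged


def check_gateway(url, timeout=10):
    """Fetch a live login page and report foreign script sources (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return foreign_script_sources(html, [urlsplit(url).hostname])


# Constructed sample pages (not real NetScaler content): the appliance's own scripts
# are loaded by relative path; the tampered copy has one appended external reference.
CLEAN_LOGIN_PAGE = """<!DOCTYPE html><html><head><title>Gateway</title>
<script src="/vpn/js/login.js"></script>
<script src="/logon/themes/Default/theme.js"></script>
</head><body><form method="post" action="/cgi/login">
<input name="login"><input name="passwd" type="password"></form></body></html>"""

TAMPERED_LOGIN_PAGE = CLEAN_LOGIN_PAGE + """
<script src="https://cdn.example-attacker.invalid/jquery-min.js"></script>
"""

if __name__ == "__main__":
    print("clean:   ", foreign_script_sources(CLEAN_LOGIN_PAGE, ["gateway.example.com"]))
    print("tampered:", foreign_script_sources(TAMPERED_LOGIN_PAGE, ["gateway.example.com"]))
```

Run this against the HTML retrieved from each gateway (check_gateway does that for one URL) rather than against files copied off the appliance, so that what users actually receive is what gets inspected. A hit is evidence of tampering, not of a benign third-party include, because an unmodified Gateway login page serves its scripts from the appliance itself; an empty result, however, only rules out this one modification, so the web shell check and the password resets still apply.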
Taiwan's Stance on Peace with China: A National Day Address
Bottom Line Up Front (BLUF): Taiwanese President Tsai Ing-wen, in her National Day address, emphasized that peace between Taiwan and China is the sole viable option. Despite Beijing's increasing threats and military posturing, Tsai asserted Taiwan's commitment to maintaining the status quo and highlighted the global significance of stability in the Taiwan Strait.
Analyst Comments: Tsai's speech comes at a time of heightened tensions between Taiwan and China. Her emphasis on peace and maintaining the status quo reflects Taiwan's commitment to stability in the region. The mention of Taiwan's defense advancements indicates a proactive approach to safeguarding its sovereignty. The international community will likely monitor the situation closely, given the strategic importance of the Taiwan Strait and the potential implications of any conflict on global security.
FROM THE MEDIA: On Taiwan's National Day, President Tsai Ing-wen delivered a speech underscoring the importance of peace between Taiwan and China. She firmly stated that peace is the "only option" and highlighted the international community's view of stability in the Taiwan Strait as crucial for global security and prosperity. China, which claims Taiwan as its territory, has ramped up its military presence in the Taiwan Strait, aiming to intimidate Taiwan's population. Despite these pressures, the majority of Taiwan's citizens favor their current de-facto independence. Tsai's Democratic Progressive Party, which will contest in the upcoming elections, opposes the Nationalists' official stance supporting unification with China. Tsai, who will conclude her tenure after two terms, reiterated the importance of maintaining the status quo for peace and emphasized that neither side should unilaterally alter this balance.
READ THE STORY: The Hill
Hacktivist Onslaught in the Middle East Post Hamas-Israel Conflict
Bottom Line Up Front (BLUF): Following Hamas's surprise incursion from Gaza and Israel's counterattacks, at least 15 known cybercriminal, ransomware, and hacktivist groups, among them Anonymous Sudan and Killnet, have declared disruptive cyberattacks against Israeli and Palestinian institutions and their supporters, with Israel the primary declared target.
Analyst Comments: The surge in hacktivist activities post the Hamas-Israel conflict underscores the evolving nature of warfare, where physical conflicts are now accompanied by cyber warfare. The involvement of groups suspected to be state-sponsored or aligned indicates the potential for larger geopolitical implications. Monitoring these cyber activities will be crucial for understanding the broader dynamics of the conflict and its potential global ramifications.
FROM THE MEDIA: The conflict between Palestine and Israel escalated dramatically after a surprise incursion from the Gaza border by Hamas, resulting in a deadly attack on a music festival and subsequent abductions and killings across various Israeli towns. This event led to the death of about 700 Israelis and the hostage-taking of over 150 individuals. In retaliation, Israel's counterattacks have reportedly killed at least 511 individuals in the Gaza Strip. In the cyber realm, at least 15 known cybercriminal, ransomware, and hacktivist groups have declared their involvement in disruptive cyberattacks targeting both Israeli and Palestinian institutions and their supporters. Prominent among these groups are Anonymous Sudan and Killnet. Anonymous Sudan, suspected to be a front for Russian state-sponsored cyberattacks, has been linked to major cyberattacks on entities like Microsoft and the German foreign intelligence service. Killnet, believed to be Russia-aligned, is renowned for its high-profile DDoS attacks. Both groups have declared their intent to disrupt targets primarily in Israel.
READ THE STORY: The Register
Satellite Imagery Reveals Unprecedented Railcar Traffic Across North Korea-Russia Border
Bottom Line Up Front (BLUF): Recent satellite imagery indicates a significant increase in railcar traffic from North Korea to Russia, fueling speculations that North Korea is supplying weapons to Russia. This comes in the wake of a meeting between North Korean leader Kim Jong Un and Russian President Vladimir Putin.
Analyst Comments: The increased railcar traffic, especially in the context of recent diplomatic interactions between North Korea and Russia, is a concerning development. If the speculations of weapon supplies are accurate, it could indicate a strengthening alliance between the two nations, potentially altering the geopolitical balance in the region. The situation warrants close monitoring by international stakeholders to understand the implications and potential ramifications of this newfound cooperation.
FROM THE MEDIA: Knewz.com reported the detection of 73 freight railcars crossing from North Korea into Russia, as revealed by Beyond Parallel, a website managed by the Center for Strategic and International Studies think tank. The railcars, observed on October 5, passed through the Tumangang Rail Facility, a central hub in North Korea-Russia relations. The volume of traffic noted is considerably higher than what has been observed in the past five years, even during peak COVID-19 times. This surge in movement aligns with concerns from Western countries following the recent meeting between Kim Jong Un and Vladimir Putin. Since Russia's invasion of Ukraine, it has seemingly fostered stronger ties with U.S. adversaries, including North Korea and China. The railcars, covered with tarps, are believed to be transporting weapons and munitions from North Korea to Russia.
READ THE STORY: MSN
Retaliation for Australian Support to Ukraine with Anti-Drone Technology
Bottom Line Up Front (BLUF): Pro-Russian hacking group, NoName057(16), launched DDoS attacks on Australian government websites, including the Department of Home Affairs and the Administrative Appeals Tribunal, in retaliation for Australia's decision to provide Ukraine with the Slinger "drone killer system". The attack, while disruptive, did not compromise sensitive data.
Analyst Comments: The cyberattack underscores the increasing geopolitical tensions in the digital realm. While the immediate impact of the attack was limited to website disruptions, the incident serves as a stark reminder of the vulnerabilities that even government entities face in the current cyber landscape. The ease with which the attack was executed raises concerns about the preparedness and resilience of critical infrastructure against politically motivated cyber threats. The incident is likely to prompt a review of cybersecurity measures and protocols within Australian government entities.
FROM THE MEDIA: Australia's decision to support Ukraine with the Slinger "drone killer system", a counter-drone technology manufactured by Melbourne-based Electro Optic Systems (EOS), prompted a swift cyber retaliation. The pro-Russian hacking group, NoName057(16), targeted Australian government websites with DDoS attacks. The Department of Home Affairs confirmed the cyber assault, emphasizing that no departmental holdings, including personal or sensitive information, were accessed. The attack was primarily aimed at generating publicity for the hackers, as per the department's early intelligence assessment.
READ THE STORY: AU CyberSecurity
Items of interest
Chinese APT Attacks and Threat Intelligence: A Comprehensive Survey
Bottom Line Up Front (BLUF): This survey delves into the intricacies of Chinese Advanced Persistent Threat (APT) groups and their real-world attack scenarios. It emphasizes the importance of Threat Intelligence (TI) in detecting and preventing these sophisticated cyber-attacks, highlighting the need for a multi-layered defense strategy.
Analyst Comments: The survey suggests that while many organizations are aware of the APT threat, they often deploy standalone security solutions, leading to inherent gaps in their defense mechanisms. A holistic, multi-layered approach is recommended, integrating various security products for a comprehensive defense strategy. The paper also introduces the MITRE ATT&CK model, a knowledge base that aids in understanding adversary tactics and techniques. This model serves as a foundation for developing specific threat models and methodologies in both government and private sectors. The paper advocates for a focus on the ATT&CK model and TI to devise effective countermeasures against APT attacks. The overarching message is clear: in the face of evolving cyber threats, organizations must adopt a proactive and integrated approach to cybersecurity.
FROM THE MEDIA: The paper provides an in-depth analysis of Chinese APT groups, which are state-sponsored entities that target specific sectors globally, ranging from military and intelligence departments to commercial, agricultural, and technological sectors. These APT groups employ advanced techniques, allowing them to infiltrate and remain undetected within target networks for extended periods. One of the highlighted techniques is the "living-off-the-land" approach, where attackers use existing digital infrastructure to camouflage their activities, preparing for future attacks. The paper underscores the challenges in detecting these actors, emphasizing the need for resilience across systems, networks, and businesses.
READ THE STORY: Journal PPW
Omri Misgav - Running Rootkits Like A Nation-State Hacker (Video)
FROM THE MEDIA: Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel drivers must be digitally signed, and the signature is checked each time a driver is loaded into memory. This is also referred to as Driver Signature Enforcement (DSE). The past year showed high-profile APT groups continuing to use the well-known tampering technique to disable DSE at runtime. Meanwhile, Microsoft rolled out new mitigations: driver blocklists and Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks.
Super Spyware Lurked In a Telecom for Years (Video)
FROM THE MEDIA: One of the most advanced malware toolkits ever devised was found "listening" on Belgacom's network. How did it get there? And if a nation-state was responsible, what were they looking for?
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.