Daily Drop (630): Google Ads: Malvertising, ICC: Sept. Cyber Attack, DarkGate, Finnish Psychotherapy Breach, CVE-2023-20273, Disinformation: Israel-Hamas, Ragnar Locker: Key Arrests, China: AI Warfare
10-22-23
Sunday, Oct 22, 2023 // (IG): BB // 勿撳
Malvertising Campaign Targets Popular Software Through Google Ads
Bottom Line Up Front (BLUF): Cybercriminals are buying Google Ads that target users searching for popular software such as Notepad++ and PDF converters. Clicking an ad sends the user to an attacker-controlled landing page that fingerprints the visitor's system and serves malware only to visitors it judges to be genuine targets; Google's ad verification checks and other automated visitors are not shown the payload, which is how the campaign evades them.
Analyst Comments: What sets this campaign apart is that it fingerprints each visitor and serves time-sensitive payloads, so a sample captured later may no longer behave as it did for the victim. According to Malwarebytes, if the visitor is considered a viable target, their system is assigned a unique ID for tracking. A related campaign abuses Punycode-encoded lookalike domains to target KeePass users. Malwarebytes researcher Jérôme Segura notes that these evasion techniques let the criminals be more selective about whom they infect, and Proofpoint's Dusty Miller points to the continued abuse of fake browser updates as evidence of a constantly evolving threat landscape.
FROM THE MEDIA: The campaign illustrates the growing sophistication of attacks delivered through search engines. Combining Google Ads with victim fingerprinting lets the attackers target users selectively while passing ad verification checks. Users should be wary of sponsored search results that promote popular software, since an ad can be the front end of a highly targeted attack, and defenders should treat this as a vector that warrants ongoing monitoring and updated controls.
READ THE STORY: THN
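The Punycode lookalike trick mentioned above is easy to check for at the proxy or in DNS logs. The following is an added example, not code from the article or from Malwarebytes: it decodes a hostname from its `xn--` form, builds a crude confusable "skeleton" by stripping diacritics, and compares that against a hypothetical brand watchlist. The sample hostnames and the watchlist are constructed here; "xn--eepass-vbb" is simply the Punycode encoding of "keepass" with the first letter replaced by k-with-cedilla (U+0137).

```python
import unicodedata

# Constructed watchlist of registrable labels for brands the article says were
# impersonated (KeePass, Notepad++); hypothetical, not from the original page.
WATCHED_BRANDS = {"keepass", "notepad-plus-plus", "google"}


def normalize_host(host: str) -> tuple[str, str]:
    """Return (ascii_form, unicode_form) for a hostname given in either form.

    Python's "idna" codec passes pure-ASCII labels through unchanged and
    Punycode-encodes non-ASCII ones, so encoding first and then decoding
    yields both spellings regardless of which one the caller supplied.
    """
    ascii_form = host.strip().rstrip(".").encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    return ascii_form, unicode_form


def skeleton(label: str) -> str:
    """Crude confusable skeleton: decompose, drop combining marks, casefold.

    This catches diacritic tricks (k-with-cedilla -> k). It does not catch
    cross-script homoglyphs such as Cyrillic 'а' for Latin 'a'; a production
    check should use the UTS #39 confusables table for those.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def scripts_in(label: str) -> set[str]:
    """Approximate the scripts used by a label from the first word of each
    letter's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in label if c.isalpha()}


def inspect_hostname(host: str) -> dict:
    """Flag hostnames that use Punycode, mix scripts, or skeleton-match a watched brand."""
    ascii_form, unicode_form = normalize_host(host)
    labels = unicode_form.split(".")
    # Naive choice of the registrable label: the second-level domain. Real code
    # should consult the Public Suffix List (co.uk and friends).
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    sk = skeleton(registrable)
    confusable = sk if sk in WATCHED_BRANDS and registrable.casefold() != sk else None
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "uses_punycode": any(lbl.startswith("xn--") for lbl in ascii_form.split(".")),
        "mixed_script": len(scripts_in(registrable)) > 1,
        "confusable_with": confusable,
    }


if __name__ == "__main__":
    # Constructed samples: one lookalike built from "ķ" (U+0137) and two
    # legitimate hostnames for comparison.
    for sample in ("xn--eepass-vbb.info", "keepass.info", "notepad-plus-plus.org"):
        r = inspect_hostname(sample)
        verdict = "SUSPICIOUS" if (r["confusable_with"] or r["mixed_script"]) else "ok"
        print(f"{sample:28} -> {r['unicode']:16} {verdict} {r['confusable_with'] or ''}")
```

Run it against the registrable domain of every sponsored-result click or DNS query; the `uses_punycode` flag alone is a cheap first filter, since legitimate software vendors almost never serve downloads from `xn--` domains.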
ICC Identifies September Cyberattack as Espionage Effort
Bottom Line Up Front (BLUF): The International Criminal Court (ICC) recently identified a significant cybersecurity breach as an act of espionage aimed at undermining its mandate. Though no perpetrator has been explicitly named, the attack is currently under investigation by Dutch authorities. The incident exposes the vulnerabilities of international institutions and the intersection of cybersecurity with global geopolitics.
Analyst Comments: The attack on the ICC represents a multifaceted problem touching on national security, geopolitics, and the current state of cybersecurity norms. The ICC’s role in international justice places it at the crossroads of various national security concerns, as it holds sensitive data related to ongoing investigations and witnesses who could be at risk if exposed. Geopolitically, the incident raises questions about attempts to undermine international institutions that hold individuals accountable for war crimes and crimes against humanity. This attack could inflame global diplomatic relations and potentially escalate existing tensions. Finally, the breach exposes vulnerabilities in cybersecurity protocols for international organizations, calling into question the adequacy of existing legal frameworks and norms in the cyber realm. As such, a comprehensive approach is needed that includes strengthening the ICC’s cybersecurity framework, international collaboration to identify the perpetrators, and a reevaluation of existing cybersecurity norms to better protect against such complex threats.
FROM THE MEDIA: The ICC has publicly announced that it fell victim to a severe cyber-espionage operation, putting its highly sensitive data at risk. Although the Court did not indicate who might be behind the attack, Dutch law enforcement agencies have initiated a criminal investigation. The timing of the incident is especially noteworthy as it aligns with the Court’s issuance of arrest warrants against Russian officials, as well as Russia's subsequent retaliatory actions. This attack brings to the forefront questions about the vulnerability of international institutions, and it could serve as a dangerous precedent if not properly addressed.
READ THE STORY: The Record
Vietnamese Actors Unleash Multi-Faceted Cyber Attacks Using DarkGate Malware
Bottom Line Up Front (BLUF): Vietnamese threat actors have been observed deploying DarkGate malware in targeted attacks against entities in the U.K., the U.S., and India. Used alongside other tools such as Ducktail, LOBSHOT, and RedLine Stealer, these campaigns reflect a marked rise in malware activity, made easier by DarkGate's availability on a malware-as-a-service (MaaS) basis. Tracking this trend matters for defenders because the initial infection vectors keep evolving and diversifying, including delivery through LinkedIn and Google Drive.
Analyst Comments: The emergence of multi-tool cyber-attacks orchestrated by Vietnamese actors presents a complex and escalating cybersecurity threat. This evolution showcases the adaptability of these threat actors and the ease with which they can shift strategies and tools through a cybercrime marketplace. The MaaS model for DarkGate indicates a lower barrier to entry for advanced cyber capabilities, making the malware more accessible to various threat actors. Such a trend complicates defense mechanisms because threat identification based solely on malware types may no longer suffice. Also, the expansion to multiple social engineering platforms like LinkedIn adds another layer of complexity. The overall situation calls for robust, dynamic, and layered cyber defense strategies that can adapt to this evolving threat landscape.
FROM THE MEDIA: DarkGate malware, previously used privately since 2018, has been rented out on a MaaS basis, allowing threat actors to deploy it in coordinated attacks against multiple countries. While Ducktail operates as a data stealer, DarkGate functions as a remote access trojan (RAT) providing backdoor access to compromised systems. The infection techniques involve spear-phishing via platforms like LinkedIn and distributing malicious files through Google Drive. A security report by WithSecure underlines the overlapping use of tools and strategies, thereby highlighting the role of a "cybercrime marketplace" in these attacks.
READ THE STORY: THN
Hacker accused of breaching Finnish psychotherapy center facing 30,000 counts
Bottom Line Up Front (BLUF): Finnish prosecutors have charged Kivimäki, the hacker accused of breaching the Vastaamo psychotherapy chain, with roughly 30,000 offences stemming from the theft of more than 33,000 patients' treatment records and attempts to extort both the company and individual patients. The case shows how a single breach of sensitive health data can translate into tens of thousands of individual victims and criminal counts.
Analyst Comments: This case is one of the most extensive criminal cases in Finnish history, according to chief prosecutor Pasi Vainio. Kivimäki allegedly stole the treatment records of over 33,000 patients, more than 21,000 of whom have filed criminal reports. The breach is a stark reminder of the vulnerabilities in healthcare data systems, especially those dealing with sensitive personal information. It underlines the need for healthcare institutions to bolster their cybersecurity measures significantly.
FROM THE MEDIA: Kivimäki, previously a member of the hacking group Lizard Squad, was arrested in France in February. The Finnish firm Vastaamo, victim to the cyberattack, managed multiple psychotherapy centers across Finland. After breaching the center's database, Kivimäki attempted to extort over $380,000 in Bitcoin. He also demanded payments from patients in exchange for not releasing their therapy records, which were later found posted on the dark web when the company refused to pay. Up to 500 victims connected to the psychotherapy center hack have expressed a desire to participate in the upcoming court hearings, which Finnish media describe as “exceptionally large.”
READ THE STORY: The Record
Cisco Zero-Day Vulnerabilities Actively Exploited
Bottom Line Up Front (BLUF): Cisco has warned of two actively exploited zero-day vulnerabilities in the web UI of its IOS XE software: CVE-2023-20198 (rated critical, CVSS 10.0) and CVE-2023-20273 (CVSS 7.2). Attackers are chaining them to create privileged accounts and implant a Lua-based backdoor on vulnerable devices. Cisco said fixes would begin shipping on October 22, 2023; until then it recommends disabling the HTTP server feature on internet-facing devices. Scans suggest more than 41,000 devices have already been compromised, most of them belonging to smaller organizations and individuals.
Analyst Comments: These vulnerabilities pose a severe risk because they give an unauthenticated attacker privilege escalation and, ultimately, full control of an affected device. Companies, and especially the smaller entities that make up most of the victims, should act immediately. Disabling the HTTP server feature, or at least restricting it to trusted management hosts, is essential until the patch is applied, and devices that were exposed should be checked for the implant and for unexpected privileged accounts rather than assumed clean. Longer term, management interfaces should never be reachable from the internet, and businesses should consider zero-trust architecture and layered protection to limit the blast radius of the next edge-device zero-day.
FROM THE MEDIA: According to cybersecurity news outlets, the zero-day flaws have led to a considerable number of compromised devices. A report from Censys and LeakIX estimates that more than 41,000 Cisco devices running the vulnerable IOS XE software have been exploited. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory, stating that an unauthenticated remote actor could exploit these vulnerabilities to take complete control over an affected device. The vulnerabilities are particularly dangerous as they allow the attacker to create a privileged account, granting them full control over the device.
READ THE STORY: THN
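Cisco's interim mitigation is a configuration change, and the simplest way to find devices that still need it is to audit saved `show running-config` output. The block below is an added example, not Cisco's code or anything from the article: it parses the `ip http server` / `ip http secure-server` lines and any `ip http access-class` ACL, and reports whether the web UI is exposed. The three configuration snippets (hostname, ACL name and addresses) are constructed for the example; the commands themselves are standard IOS XE syntax.

```python
import re

# Constructed sample of `show running-config` output for a device with the
# web UI exposed (hypothetical hostname; not from the original page).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# The same device after applying the interim mitigation Cisco recommended.
MITIGATED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# A middle ground: web UI kept on but reachable only from a management ACL.
RESTRICTED_CONFIG = """\
hostname edge-rtr-01
!
ip access-list standard MGMT-ONLY
 permit 10.0.100.0 0.0.0.255
!
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
no ip http server
"""

_HTTP_RE = re.compile(r"^(?P<neg>no\s+)?ip http (?P<feature>server|secure-server)\s*$")
_ACL_RE = re.compile(r"^ip http access-class(?:\s+ipv4)?\s+(?P<acl>\S+)")


def audit_web_ui(config: str) -> dict:
    """Parse IOS/IOS XE running-config text and report web UI exposure.

    Both `ip http server` and `ip http secure-server` turn on the same web UI
    subsystem, so either one being enabled counts as exposure unless an
    `ip http access-class` ACL limits who can reach it.
    """
    http = https = False
    acl = None
    for raw in config.splitlines():
        line = raw.strip()
        m = _HTTP_RE.match(line)
        if m:
            enabled = m.group("neg") is None
            if m.group("feature") == "server":
                http = enabled
            else:
                https = enabled
            continue
        m = _ACL_RE.match(line)
        if m:
            acl = m.group("acl")
    exposed = (http or https) and acl is None
    if not (http or https):
        advice = "web UI disabled; nothing to do"
    elif exposed:
        advice = ("disable with `no ip http server` / `no ip http secure-server`, "
                  "or restrict with `ip http access-class`")
    else:
        advice = f"web UI reachable only via ACL {acl}; keep until patched"
    return {"http": http, "https": https, "access_class": acl, "exposed": exposed, "advice": advice}


if __name__ == "__main__":
    samples = (("exposed", EXPOSED_CONFIG), ("mitigated", MITIGATED_CONFIG), ("restricted", RESTRICTED_CONFIG))
    for name, cfg in samples:
        r = audit_web_ui(cfg)
        print(f"{name:10} exposed={r['exposed']!s:5} http={r['http']} "
              f"https={r['https']} acl={r['access_class']} -> {r['advice']}")
```

Feed it the config backups your management platform already collects; a device that comes back `exposed=True` is one to fix first, and any device that was exposed before the mitigation should also be checked for the implant and for privileged accounts nobody created on purpose.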
EU Presses Meta and TikTok on Disinformation Measures Amid Israel-Hamas Conflict
Bottom Line Up Front (BLUF): The European Commission has asked Meta and TikTok for information on their actions to curb disinformation related to the Israel-Hamas conflict. The requests are made under the Digital Services Act (DSA), which entered into force in November 2022. Companies that fail to comply with the DSA can be fined up to 6% of their global annual revenue and, in extreme cases, barred from operating within the European Union.
Analyst Comments: This is a significant move by the European Union to hold major tech companies accountable for the spread of disinformation and illegal content. As "very large online platforms," both Meta and TikTok are obligated to comply with all provisions of the DSA, including those related to illegal content, disinformation, and "any negative effects on the exercise of fundamental rights."
FROM THE MEDIA: According to the European Commission, Meta and TikTok must provide details of their risk assessments and propose "mitigation measures" against the spread of misinformation, as the DSA requires. From Meta the Commission has also requested information on how it plans to safeguard election integrity. Both companies must respond by October 25 on the Israel-Hamas conflict; Meta has until November 8 for its election work. Research analyst Joseph Bodnar of the Alliance for Securing Democracy said the move shows that the world no longer has to take the platforms' word for what they are doing, a significant step towards accountability.
READ THE STORY: The Record
Key Arrest in Ragnar Locker Ransomware Case Marks Significant Achievement for Global Law Enforcement
Bottom Line Up Front (BLUF): Europol announced a significant operation against the Ragnar Locker ransomware group, which has targeted multiple organizations globally since its emergence in 2019. The operation led to the arrest of a key developer in France and the confiscation of servers in multiple countries. This multi-agency effort involved law enforcement from 11 countries and represents a major step in combating ransomware crimes.
Analyst Comments: The takedown is notable for its international scope and coordinated action, involving authorities from countries such as Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Previously arrested members hail from Ukraine and Canada, indicating a geographically dispersed group. The group was known for using double extortion tactics—demanding payments for both decryption tools and to prevent the release of stolen sensitive data. The arrest of a key developer and other operational disruptions suggest a significant blow to Ragnar Locker's capabilities. Alongside this, other law enforcement actions against different cybercrime groups show a rising tide in international cooperation against cybercrime. For example, Ukraine's Cyber Police shut down the Trigona ransomware group's leak site, and India's Central Bureau of Investigation raided multiple locations tied to various cyber-enabled financial crimes.
FROM THE MEDIA: The arrest in Paris and the accompanying actions against the Ragnar Locker ransomware group show a maturing and increasingly effective international response to ransomware. With agencies from 11 countries participating, the coordinated effort produced multiple raids, interviews, and seizures of the ransomware's infrastructure in the Netherlands, Germany, and Sweden. The operation demonstrates the growing capacity of global law enforcement to take on high-level cybercriminal activity and sends ransomware operators a clear message about the risks of their trade.
READ THE STORY: The Record // THN
Pentagon Sounds Alarm on China's AI Ambitions in Warfare
Bottom Line Up Front (BLUF): The Pentagon warns that China is aggressively pursuing advancements in Artificial Intelligence (AI) to dominate in what it calls "intelligentized warfare." With a clear roadmap to become the world leader in AI by 2030, China is already implementing AI in various military applications. This signifies a critical national security concern that the U.S. and its allies need to address immediately.
Analyst Comments: China's strategic focus on AI encompasses various applications, including facial recognition, natural language processing, and more advanced military capabilities like "Multi-Domain Precision Warfare." The latter aims to exploit vulnerabilities in the U.S. operational system for precision strikes. This push for AI dominance is backed by national-level funding and collaboration between academia, industry, and the military. The country has already made significant advancements in AI hardware, although it still relies on foreign capabilities for some components. These activities underscore China's commitment to integrating AI into its military capabilities and indicate that the nation poses a growing threat in the sphere of intelligentized warfare.
FROM THE MEDIA: The Pentagon's recent report indicates that China aims to overtake the West in AI research and development by 2025 and lead globally by 2030. China has established research centers and is marketing domestically-designed AI chips. The U.S. has responded by tightening chip export regulations, but more comprehensive action is required. The developments also raise ethical and global security concerns. Given that AI has dual-use applications in both civilian and military contexts, the international community must find a way to address the potential risks involved with AI proliferation in warfare.
READ THE STORY: Fox Business
Items of interest
Coordinated Crackdown on Tech Support and Crypto Scams in India
Bottom Line Up Front (BLUF): Tech giants Microsoft and Amazon collaborated with India's Central Bureau of Investigation (CBI) and international agencies to conduct raids on alleged fake tech support and cryptocurrency scams in India. This marks a significant step in combating cybercrime and underlines the need for continued vigilance and international cooperation.
Analyst Comments: The operation highlights the evolving nature of cybercrime, encompassing both traditional tech support scams and more modern challenges like cryptocurrency fraud. It represents a significant move in the fight against such fraudulent activities, especially considering the collaboration between private tech giants and international law enforcement agencies. This joint effort could serve as a model for future operations aimed at disrupting cybercrime networks.
FROM THE MEDIA: The CBI conducted 76 searches across India, targeting call centers that have allegedly been operating tech support scams for at least five years. The raids also uncovered a cryptocurrency scam that had defrauded investors of over $20 million via a complex network of shell companies. Assisted by agencies like the FBI, Interpol, and others, the operation shows a united front against increasingly sophisticated cybercrime tactics. Microsoft and Amazon's participation indicates an industry willingness to actively combat these issues.
READ THE STORY: The Register
Beating Scammers at Their Own Game (Video)
FROM THE MEDIA: It's hacker versus scammer. Scam baiter @JimBrowning beats call center scammers at their own game. He’s able to hack their computer systems and watch their every move as they try to trick people out of their life savings.
Telling a Scam Call Center their Real Names (Video)
FROM THE MEDIA: Scammers are ruthless criminals who have no problem stealing every last dime from their victims' bank accounts. Please protect yourself, as well as family members who might not be familiar with these types of scams.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.