Daily Drop (632): Long March-2D, Hamas Videos, China: Canada, Alfa-Bank, Operation Triangulation, Google: IP Protection, Huawei: ASML IP, DoNot Team, FTC: Social Media, Terran Orbital SATs
10-24-23
Tuesday, Oct 24, 2023 // (IG): BB // The Leek Sino-Satire // Coffee for Bob
Hamas Hostage Execution Videos Threaten Social Media Platforms
Bottom Line Up Front (BLUF): Hamas has publicly declared its intention to broadcast videos of hostage executions on social media, causing tech companies to ramp up their monitoring efforts. Despite the deployment of various "operations centers" by companies like Meta and TikTok, the industry's lack of transparent countermeasures raises concerns.
Analyst Comments: After Hamas attacked Israel on October 7, the group announced plans to execute an Israeli hostage for every Israeli attack on Gaza, with the executions to be livestreamed on social media. Currently, Hamas is holding 220 hostages, as reported by the Israel Defense Forces. Tech companies have activated special operation centers to track content on various platforms but have been vague on specific countermeasures. Experts criticize the tech industry's lack of transparency and question the efficacy of existing content moderation systems. Imran Ahmed, CEO of the Center for Countering Digital Hate, argues that social media platforms should be as effective in detecting extremist content as they are in detecting copyrighted material.
FROM THE MEDIA: Hamas threatens to bring a new form of psychological warfare into the Israel-Gaza conflict by live streaming hostage executions. Social media companies have activated monitoring systems but have not disclosed specific plans to counter this threat. Expert opinion suggests the tech industry's response has been inadequate and lacks transparency, calling into question the effectiveness of the platforms in stopping the spread of such disturbing content.
READ THE STORY: Wired
China Linked to Cyber Attacks on Canadian MPs: What You Need to Know
Bottom Line Up Front (BLUF): Canadian MPs have been targeted in a series of "spamouflage" cyber attacks that originated from China, according to an announcement from Global Affairs Canada (GAC). The online campaign has been leaving thousands of comments on social media accounts of politicians, including Prime Minister Justin Trudeau, and has escalated in scale since its onset in early August.
Analyst Comments: The series of cyber attacks on Canadian MPs involved spamming their social media accounts with comments in both English and French. These comments accused the politicians of various criminal and ethical violations and also suggested the possible use of AI-generated videos in the campaign. The attacks were not confined to a particular political party and were widespread across the country. Global Affairs Canada utilized the "Rapid Response Mechanism" (RRM) to trace these cyber activities back to China. According to the RRM, the campaign started in early August and continued to escalate through September. The attacks, however, were concluded to not pose a direct safety threat to the politicians targeted.
FROM THE MEDIA: Canadian politicians, irrespective of their party affiliations, have been targeted in a "spamouflage" cyber attack campaign linked to China. These attacks involved spamming social media accounts with derogatory and accusatory comments, aiming to discredit and denigrate the MPs. The situation is under ongoing investigation, and MPs targeted have been briefed on protective measures. With a public inquiry into Chinese election interference already underway, the attacks highlight the increasing concern of foreign interference in Canadian politics.
READ THE STORY: TNC
Collaboration Between Ukrainian Hacktivists and SBU Exposed in Alfa-Bank Hack
Bottom Line Up Front (BLUF): Ukraine's security services (SBU) collaborated with Ukrainian hacker groups KibOrg and NLB to breach Russia's largest private bank, Alfa-Bank, as confirmed by a source within the SBU.
Analyst Comments: Two pro-Ukrainian hacker groups, KibOrg and NLB, infiltrated Alfa-Bank last week and claimed to have obtained personal and financial data of more than 30 million customers. The bank is owned by Russian-Israeli billionaire Mikhail Fridman and was sanctioned by the United States and Europe following Russia’s invasion of Ukraine. Some of the leaked data was released online, featuring information about Fridman and other prominent individuals. Alfa-Bank has denied the reports of the data leak, while a source within the SBU confirmed the agency’s involvement without providing additional details.
FROM THE MEDIA: In a collaborative effort with Ukraine's security services, the SBU, hacker groups KibOrg and NLB successfully breached Alfa-Bank, Russia’s largest private bank, gaining access to data of over 30 million customers. The hack appears to be part of Ukraine's broader cyber intelligence strategy and aims to advance multiple operational goals, such as identifying enemy targets and movements. Despite the breach, Alfa-Bank has denied any data leaks, while the hackers plan to share the obtained information with investigative journalists.
READ THE STORY: The Record
Deep Dive into Operation Triangulation: iOS Zero-Day Attack Unearthed
Bottom Line Up Front (BLUF): Operation Triangulation is a complex cyber-attack that targets iOS devices using a zero-click exploit delivered via iMessage. The attack employs multiple modules for various malicious activities such as recording the microphone, extracting iCloud Keychain data, and tracking the victim's location. Russian cybersecurity firm Kaspersky has released a detailed report outlining these findings.
Analyst Comments: The attack chain starts with an invisible iMessage attachment that triggers a zero-click exploit. It weaponizes zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) to deliver a malicious payload gaining full control over the iOS device. The operation uses a backdoor named TriangleDB, which is implanted into the victim’s device after exploiting a kernel vulnerability. Two validator stages, JavaScript Validator and Binary Validator, are executed to ensure the targeted device is not associated with a research environment before deploying the implant. The attack is sophisticated, with multiple stages designed to avoid detection. It also collects sensitive information from the compromised device to assess its suitability for further exploitation. The threat actor employs techniques like canvas fingerprinting to fingerprint the device, and the information is sent to a remote Command and Control (C2) server.
FROM THE MEDIA: Operation Triangulation is a multi-faceted cyber-attack campaign targeting iOS devices. It uses a zero-click exploit and multiple validator stages to implant a backdoor named TriangleDB. The attack framework consists of several modules that perform malicious activities like stealing sensitive data, recording audio, and even tracking the victim's location. The cyber-attack is sophisticated and designed to evade detection, and its origin remains unidentified. Kaspersky’s report highlights the complexity and the advanced nature of this threat, which is still under investigation.
READ THE STORY: THN
Google's IP Protection in Chrome Aims to Rival Apple's Private Relay
Bottom Line Up Front (BLUF): Google is prototyping a new feature called IP Protection for its Chrome browser to mask user IP addresses using network proxies. This move, similar to Apple's iCloud Private Relay service for Safari, aims to enhance user privacy by limiting cross-site tracking.
Analyst Comments: The IP Protection initiative initially focuses on both desktop and Android versions of Chrome. This feature will serve as a privacy measure, making it difficult to use IP addresses for user fingerprinting or CNAME tracking. Initially, Google will test this feature on domains it controls using a single Google-owned proxy. A more advanced phase involves a two-hop proxy system comprising both a Google-owned and a third-party proxy server. Although some concerns have been raised about Google's approach, the feature resembles the IETF's Masque proposal. No timeline has been established for full-scale testing, and there is no confirmation if Google will seek a design review from the W3C's Technical Architecture Group (TAG).
FROM THE MEDIA: Google is stepping up its efforts in user privacy by planning a proxy-based IP Protection feature for Chrome. While still in the prototype phase, the feature aims to make cross-site tracking and user profiling more challenging. The company will carry out initial tests using a single Google-owned proxy, followed by a more elaborate two-hop proxy system. However, key details and timelines are yet to be finalized. Google also plans to drop support for the Theora video codec in upcoming versions of Chrome.
READ THE STORY: The Register
Czech Government Websites: Pro-Russia Group Implicated
Bottom Line Up Front (BLUF): A Russia-based hacking group called NoName057 has been identified as the perpetrator of today's cyberattacks on multiple Czech government websites, including the Interior Ministry, police force, Prague Airport, and the chambers of parliament. No data was stolen, but the attacks caused service disruptions.
Analyst Comments: This incident is just the latest in a series of cyberattacks targeting Czech institutions, and the scale of today's operation suggests a growing sophistication in the capabilities of the hackers involved. Given that NoName057 has previously targeted Ukraine, the motivation seems to be politically driven, likely linked to Czechia’s stance on the Ukraine conflict. The hacking group employed Distributed Denial of Service (DDoS) attacks, which overwhelm servers with traffic, rendering them temporarily inoperable. Coupled with a near 100% year-over-year increase in cybercrimes reported in Czechia for 2022, today’s attacks underline the urgent need for bolstered cybersecurity measures.
FROM THE MEDIA: The Russia-based hacking group NoName057 executed a coordinated cyberattack against multiple Czech government websites today, causing temporary service disruptions but not resulting in any data theft. The motive is suspected to be related to Czechia's support for Ukraine. These attacks add to a growing list of cybercrimes in Czechia, with a significant uptick reported last year. The situation is a cause for concern and underscores the need for robust cybersecurity measures.
READ THE STORY: Expats
Long March-2D Rocket Completes 492nd Mission, Enhances China's Space Capabilities
Bottom Line Up Front (BLUF): China successfully launched its new Yaogan-39 remote sensing satellite from the Xichang Satellite Launch Center in Sichuan Province on October 24, 2023. The satellite was carried into space by a Long March-2D carrier rocket.
Analyst Comments: The successful launch of the Yaogan-39 remote sensing satellite demonstrates China’s growing capabilities in both rocket and satellite technology. Given that this is the 492nd mission of the Long March rocket series, China has amassed significant experience and reliability in space launches. Remote sensing satellites like Yaogan-39 have various applications, ranging from environmental monitoring to defense. The successful launch not only reinforces China's presence in space but also potentially broadens its capabilities in gathering intelligence and conducting surveillance.
FROM THE MEDIA: The Long March-2D carrier rocket lifted off at 4:03 a.m. Beijing Time, marking the 492nd mission for the Long March rocket series. The launch took place at the Xichang Satellite Launch Center in southwest China’s Sichuan Province. The successful mission confirms China's advancements in space technology, particularly in the field of remote sensing.
READ THE STORY: Xinhua
Former ASML Employee Accused of Intellectual Property Theft Allegedly Joins Huawei
Bottom Line Up Front (BLUF): A former ASML employee, accused of stealing trade secrets related to advanced chipmaking equipment, is reportedly now working for Huawei, according to Dutch newspaper NRC. ASML, a critical player in the semiconductor industry, had earlier mentioned the theft in its 2022 annual report but downplayed its impact on business.
Analyst Comments: The allegation of intellectual property theft and the individual's subsequent employment with Huawei raises several questions about the security and integrity of proprietary technologies within the semiconductor industry. The issue is accentuated by the fact that Huawei has been cut off from foreign chipmaking capabilities since landing on the U.S. Entities list in 2019. Meanwhile, ASML's role as the only supplier of crucial EUV equipment and recent restrictions on its sale to China make intellectual property even more valuable. This incident could further strain relations between China and countries wary of technology transfer and may potentially impact future trade negotiations and policies.
FROM THE MEDIA: Unnamed sources cited by the NRC suggest that the accused individual has moved on to Huawei after leaving ASML. While the specifics of the stolen data were not disclosed, ASML assured investors that the theft did not pose a material threat to its business. In a broader context, this incident comes as the Dutch company faces increasing scrutiny due to geopolitical tensions. It is the sole supplier of extreme ultraviolet (EUV) lithography equipment essential for producing advanced sub-7nm chips. Owing to U.S. sanctions, the export of such equipment to China has been restricted. Given these trade limitations, intellectual property theft has become a major concern for ASML and similar companies.
READ THE STORY: The Register
Rising Cyber Threats from DoNot Team and Mysterious Elephant
Bottom Line Up Front (BLUF): DoNot Team has deployed a novel .NET-based backdoor named Firebird, targeting victims in Pakistan and Afghanistan. This development accompanies other malicious activities, including those by Mysterious Elephant, affecting the Asia-Pacific region.
Analyst Comments: Cybersecurity firm Kaspersky has released its APT trends report for Q3 2023, revealing that DoNot Team has been using a new .NET-based backdoor called Firebird to target a select group of victims in Pakistan and Afghanistan. The backdoor is part of an attack chain that also delivers a downloader named CSVtyrei. DoNot Team is suspected to be of Indian origin and has been active in cyber espionage through spear-phishing and rogue Android apps. The article also references other threat actors, including Transparent Tribe and Mysterious Elephant, who have been active in the region. Transparent Tribe has been targeting the Indian government, while Mysterious Elephant has focused on Pakistan.
FROM THE MEDIA: The emergence of DoNot Team's Firebird backdoor poses a new threat to Pakistan and Afghanistan. The attack landscape in the Asia-Pacific region is increasingly complex, with multiple actors such as Transparent Tribe and Mysterious Elephant employing a variety of techniques to compromise security. The growing focus on Linux-based systems also signifies a shift in the types of operating systems targeted. Effective cybersecurity measures are critical to countering these evolving threats.
READ THE STORY: THN
Leaders of 'Five Eyes' Countries Unite to Call Out China's Espionage Activities
Bottom Line Up Front (BLUF): The intelligence leaders of the 'Five Eyes' alliance have expressed serious concerns about China's ongoing global espionage efforts. The warning was given during their first-ever joint public appearance on CBS News' '60 Minutes.'
Analyst Comments: Leaders of the 'Five Eyes' intelligence alliance—comprising the United States, the United Kingdom, Canada, Australia, and New Zealand—publicly flagged China as a major threat in the arena of global espionage. This was revealed in a recent episode of CBS News' '60 Minutes,' where FBI Director Christopher Wray characterized China as "the defining threat of this generation." The intelligence leaders also noted that China's espionage activities extend beyond national security concerns and involve theft of intellectual property from companies.
FROM THE MEDIA: The 'Five Eyes' alliance's joint public appearance underscores the heightened concern over China's extensive espionage activities, which are not limited to national security but also involve intellectual property theft. Alongside China, the leaders are also wary of Russia's ongoing intelligence activities. The unity among these intelligence agencies highlights the collaborative efforts in countering these threats at a global scale.
READ THE STORY: Devdiscourse
Massive Crackdown in Spain: 34 Arrested in Cyber Fraud Operation Seizing €3 Million in Assets
Bottom Line Up Front (BLUF): Spanish authorities have arrested 34 individuals involved in multi-million-dollar online scams, seizing assets worth €3 million. These arrests come amid rising concerns over cybercrime in the country.
Analyst Comments: Spanish law enforcement carried out an operation targeting a criminal network responsible for various online scams. The group had illegally profited around €3 million ($3.2 million). Searches were conducted across 16 locations in different cities, including Madrid, Malaga, Huelva, Alicante, and Murcia. The seized items included simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end vehicles, and computer and electronic material worth thousands of euros. The group had amassed a database containing information on four million people, gathered from financial and credit institutions.
FROM THE MEDIA: A significant operation by Spanish law enforcement has led to the arrest of 34 individuals involved in various online scams, culminating in the seizure of assets amounting to €3 million. The criminal network employed a range of tactics including phishing, fraudulent representation, and unauthorized access to databases. The arrests highlight the growing concern and actions being taken to combat cybercrime in Spain.
READ THE STORY: THN
FTC Plans to Hire Child Psychologists to Scrutinize Social Media Impact on Youth
Bottom Line Up Front (BLUF): The Federal Trade Commission (FTC) is planning to hire child psychologists to better understand and regulate the impact of social media on children. This move is backed by the strong support of Chair Lina Khan and FTC Commissioner Alvaro Bedoya, and comes amid increasing concerns over the mental health implications of social media use among young people.
Analyst Comments: The FTC, traditionally known for its focus on law enforcement, consumer protection, and antitrust matters, has gradually incorporated other experts, such as economists and technologists, to better navigate the complexities of the sectors it regulates. This new initiative to hire child psychologists aims to further specialize the agency's expertise, especially concerning the growing issue of social media's impact on children's mental health. Alvaro Bedoya, a key figure in digital privacy, revealed the plans in a recent interview. He emphasized that the initiative is not merely a reaction but a considered approach to address the intricate relationship between technology and youth mental well-being.
FROM THE MEDIA: The FTC is proactively seeking to broaden its capabilities by hiring child psychologists, a move designed to offer more specialized insights into the effects of social media on children. This strategic decision is part of the FTC's broader mission to adapt and expand its expertise in line with emerging societal challenges. The agency aims to have these new experts integrated into their operations by next fall. With rising public and legislative attention on the psychological impact of social media use among young people, this initiative marks a significant step in evolving government oversight in the digital age.
READ THE STORY: The Record
Lockheed Martin’s $816M Contract Boosts Terran Orbital's Satellite Production
Bottom Line Up Front (BLUF): Terran Orbital announced that they have been contracted to build 36 satellite buses for Lockheed Martin, a key investor and customer. Lockheed Martin's $816 million contract is part of the Space Development Agency’s Transport Layer Tranche 2 Beta program, which aims to build a mesh network of military satellites in low Earth orbit.
Analyst Comments: Terran Orbital, a Florida-based company that also operates in California, specializes in manufacturing satellite buses. This deal reinforces Lockheed Martin's ongoing project to produce military satellites for the Space Development Agency (SDA), an entity under the U.S. Space Force. The 36 satellite buses will be part of the Transport Layer Tranche 2 Beta portion of the SDA's constellation. Lockheed Martin has previously secured orders for 88 satellites from the SDA, including portions from Tranche 0 and Tranche 1 of the Transport Layer. The launch for Tranche 2 is slated for 2026.
FROM THE MEDIA: Terran Orbital will build 36 satellite buses for Lockheed Martin as part of the latter's $816 million contract with the Space Development Agency. This deal is a significant step in the SDA’s Transport Layer Tranche 2 Beta program, which is aimed at establishing a secure high-bandwidth data transport network in low Earth orbit. Terran Orbital is also planning to expand its production capacity, aligning with Lockheed Martin's ambitious plans for the satellite constellation. The launch of Tranche 2 is expected in 2026.
READ THE STORY: SN
Threat Actors Modify Cisco
Bottom Line Up Front (BLUF): The threat actor responsible for implanting backdoors in Cisco devices has altered the exploit to evade previous fingerprinting methods. The modifications now require a specific HTTP Authorization header for the implant to respond, effectively bypassing detection efforts. Cisco has started rolling out security updates, but the identity of the threat actor remains unknown.
Analyst Comments: Security teams discovered that the backdoor implant in Cisco devices has been modified to avoid detection by previous methods. The alteration was pointed out by NCC Group's Fox-IT team, who noted that the implant now checks for an extra header. This means that many devices believed to be safe may still be compromised. The exploits involve chaining two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, which enable the threat actor to gain unauthorized access to the devices. The number of affected devices is estimated to be in the thousands, although this figure has declined sharply recently, presumably due to the newly implemented evasion methods. Cisco has confirmed these behavioral changes and shared a curl command to check for the implant's presence. The company is also in the process of rolling out security patches, the schedule for which has not yet been disclosed.
FROM THE MEDIA: The backdoor implant affecting Cisco devices has been modified by the threat actor to evade detection methods that were effective until recently. The change involves the implant responding only if a specific HTTP Authorization header is set. The identity of the threat actor is still unknown, and Cisco has begun deploying security updates to address the vulnerabilities. With thousands of devices potentially still compromised, there is an urgent need for updated security measures.
READ THE STORY: THN
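The point of the modified implant is that a probe without the expected Authorization header no longer produces a telltale response, so a check that only sends the old plain request can return a false "clean". The following is an added example (not part of the article and not Cisco's published curl command) of a defender-side check for a device you administer: it sends the same request twice, once without and once with the header, and flags any header-dependent difference for investigation. The header value, URL path and HTTP method are placeholders or assumptions; take the real values from Cisco's advisory. The classification logic is separated from the network call so it can be exercised offline on constructed responses.

```python
"""Header-dependent response check for a managed Cisco IOS XE web UI.

Added example, not Cisco's own check. IMPLANT_PATH, IMPLANT_AUTH_VALUE and
the POST method are placeholders/assumptions to be replaced with the values
Cisco published.
"""
import http.client
import ssl
from dataclasses import dataclass

# Placeholders (assumptions): substitute the values from Cisco's advisory.
IMPLANT_PATH = "/PLACEHOLDER-IMPLANT-PATH"
IMPLANT_AUTH_VALUE = "PLACEHOLDER-AUTH-VALUE"
HTTP_METHOD = "POST"  # assumption; use the method from the published check

HEADER_DEPENDENT = "HEADER_DEPENDENT"  # responses differ: investigate device
NO_DIFFERENCE = "NO_DIFFERENCE"        # no header-dependent behaviour seen


@dataclass(frozen=True)
class ProbeResult:
    """Status code and body of one HTTP exchange with the device."""
    status: int
    body: str


def classify(without_header: ProbeResult, with_header: ProbeResult) -> str:
    """Compare the two probes.

    The reported change is that the implant answers only when the expected
    Authorization header is present. Any difference between the plain and
    the header-bearing response is therefore worth a closer look. Identical
    responses do not prove the device is clean; they only show this check
    observed nothing, so the result is NO_DIFFERENCE rather than "clean".
    """
    if (without_header.status, without_header.body.strip()) != (
        with_header.status, with_header.body.strip()
    ):
        return HEADER_DEPENDENT
    return NO_DIFFERENCE


def probe(host: str, send_header: bool, timeout: float = 5.0) -> ProbeResult:
    """Send one request to the device's HTTPS web UI.

    Device certificates are commonly self-signed, so verification is disabled
    for this check only (assumption about the target environment).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    headers = {"Authorization": IMPLANT_AUTH_VALUE} if send_header else {}
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request(HTTP_METHOD, IMPLANT_PATH, body=b"", headers=headers)
        resp = conn.getresponse()
        return ProbeResult(resp.status, resp.read().decode("utf-8", "replace"))
    finally:
        conn.close()


def check_device(host: str) -> str:
    """Run both probes against one device and classify the pair."""
    return classify(probe(host, send_header=False), probe(host, send_header=True))


if __name__ == "__main__":
    import sys
    for device in sys.argv[1:]:
        print(device, check_device(device))
```

Run it against an inventory of your own devices; a HEADER_DEPENDENT result is a trigger for forensic review (configuration diff, recently created accounts, patch status), not a verdict on its own, and a NO_DIFFERENCE result should be treated as inconclusive for exactly the reason the story describes.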
Items of interest
Norway Warns of Business Impact from Cisco Zero-Days
Bottom Line Up Front (BLUF): The head of Norway’s National Security Authority (NSM), Sofie Nystrøm, has issued a warning about the exploitation of two Cisco zero-day vulnerabilities affecting important businesses in Norway, calling the situation "very serious."
Analyst Comments: Sofie Nystrøm, chief of NSM, revealed that these vulnerabilities in Cisco IOS XE have been actively exploited, compromising critical businesses in Norway. The exact number of affected organizations and their identities have not been disclosed, but they are described as "important" and some provide community services. Cisco had disclosed these vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in security advisories published as early as October 16, noting that one of them received the highest possible score of 10/10 under the Common Vulnerability Scoring System.
FROM THE MEDIA: The exploitation of two Cisco zero-day vulnerabilities is severely impacting important businesses in Norway, including those involved in community services. The vulnerabilities have been rated as high-risk, and although Cisco has released an initial patch, compromised systems have been observed with newly created administrative accounts. The situation is described by NSM as "very serious," and remedial measures are actively being coordinated at a national level.
READ THE STORY: The Record
Why are Hackers Using More Zero Day Vulnerabilities (Video)
FROM THE MEDIA: More zero-days are being found than ever before thanks to bug bounties and other similar programs. However, hackers are also finding more zero-days than ever, and in recent years seem to be more willing to burn them shortly after discovery, with Chinese hackers in particular using 8 zero-days in 2021 alone. Today we take a look at this phenomenon and discuss why it's happening and what it means for the future of cyber security.
Zero Click Exploits Explained: Technical (Video)
FROM THE MEDIA: Zero-click attacks are typically highly targeted and use sophisticated tactics. They can have devastating consequences without the victim even knowing that something is wrong in the background. The terms ‘zero-click attacks’ and ‘zero-click exploits’ are often used interchangeably. They are sometimes also called interaction-less or fully remote attacks.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.