Daily Drop (639): CN: EV Batteries, Vietnam: Chips, CN: Micius SAT, EleKtra-Leak, Kopeechka, RU: SAT Prod., CLoP: MOVEit, RU: VirusTotal, Starlink: AU Leaks, Canada: WeChat, KillNet, BiBi-Linux Wiper
10-31-23
Tuesday, Oct 31, 2023 // (IG): BB // The Leek Sino-Satire // Coffee for Bob
China's Battery Surge: The Next Huawei
Bottom Line Up Front (BLUF): Chinese battery companies, with close ties to the Chinese Communist Party (CCP), are becoming dominant in the global electric vehicle (EV) battery market. Their growing influence could expose the United States and European nations to cybersecurity threats similar to those posed by Chinese tech giant Huawei in the telecommunications sector.
Analyst Comments: China's aggressive expansion into the electric vehicle (EV) and battery markets has seen companies like CATL and BYD emerge as global leaders. These companies have significant ties to the CCP, both in terms of political affiliations and corporate governance. For instance, CATL's founder, Zeng Yuqun, has served as a delegate to the Chinese People’s Political Consultative Conference, which oversees the CCP's United Front, an entity known for its influence over Chinese industry and civil society. Both CATL and BYD have extended their reach into battery-adjacent industries, including EV charging networks and battery energy storage systems (BESS) for utilities. However, these ventures come with significant risks. Research indicates that control systems for BESS are riddled with cybersecurity deficiencies, which could enable malicious actors to instigate wide-scale electrical grid blackouts. Moreover, CATL batteries have been installed in strategic locations, such as the U.S. Marine Corps base at Camp Lejeune, without stringent oversight.
FROM THE MEDIA: China's rise in the EV and battery markets is being led by companies deeply connected to the CCP. The rapid expansion and lack of oversight in the West mean that Chinese companies are gaining a stronghold in key industries, posing significant cybersecurity threats. As these companies branch into new sectors, especially battery-related utilities, the potential risks to Western infrastructure are becoming alarmingly evident. The situation mirrors the unchecked expansion of Huawei in the telecom sector, which previously raised security concerns among Western nations.
READ THE STORY: FP
Vietnam's Semiconductor Surge: A New Global Chip Hub in the Making
Bottom Line Up Front (BLUF): Vietnam is making significant strides to establish itself as a central hub in the semiconductor industry. With plans to train 50,000 engineers by 2030, the nation is laying down the infrastructure and policies to entice major investments. Already, global tech giants like Google, Samsung, SpaceX, and Intel have shown interest, and collaborations are underway. This aggressive push not only positions Vietnam as a major player in the industry but also provides an alternative to the current China-centric supply chain in the tech world.
Analyst Comments: Vietnam's ambitious plans to become a significant hub in the semiconductor industry are evident through multiple strategic moves. The country's Minister of Planning and Investment, Nguyen Chi Dung, announced at the Vietnam Semiconductor Summit that there would be investment incentives for companies in the sector. Although these incentives were not detailed, the infrastructure to support them is already present. This includes the National Innovation Center (NIC) and three high-tech parks in major cities. The recent inauguration of the US$41.7 million NIC location at Hòa Lạc Hi-Tech Park in Ha Noi further solidifies their intent. Collaborations and agreements have been signed with major companies, suggesting strong international interest. Despite this growth, Vietnam still heavily relies on overseas supplies for its chips, indicating a gap that they are keen to address. The nation's drive to attract foreign investment aligns with manufacturers' desires to diversify supply chains that are currently heavily dependent on China.
FROM THE MEDIA: Vietnam's vision for its semiconductor sector is grand, with plans to train tens of thousands of engineers and attract major global players through investment incentives. The nation is rapidly building the necessary infrastructure and forming partnerships to establish itself as a significant hub in the global chip supply chain. Their motivations are twofold: to reduce dependence on overseas chip supplies and to offer manufacturers an alternative to the China-centric supply chain.
READ THE STORY: The Register
China's Quantum Leap: Elevating Satellite Communication to New Heights
Bottom Line Up Front (BLUF): China is advancing its quantum satellite technology, aiming to build upon its groundbreaking 2016 Micius satellite mission with enhanced quantum communications capabilities in higher Earth orbits.
Analyst Comments: Since the launch of the Micius quantum communications satellite in 2016, China has been diligently progressing in its quantum technology endeavors. The country's next step involves the deployment of quantum satellites in higher orbits similar to GPS satellites. This would allow for a more extensive view of Earth and longer visibility to ground stations. The quantum keys, which are crucial for encrypted communication, will need to be transmitted over much greater distances. Wang Jianyu of the Chinese Academy of Sciences indicated the significance of micro-vibration suppression technology for precise optical or laser signal transmission from these altitudes.
FROM THE MEDIA: China, having launched the pioneering Micius satellite in 2016, is planning to take its quantum satellite technology to new heights. The focus will be on low-Earth orbit quantum key satellite networking and medium- and high-orbit quantum science experimental platforms. These satellites work on the principle of Quantum Key Distribution (QKD), using polarized photons to represent quantum information, allowing secure data communication over vast distances. The next generation of these satellites will be placed in higher orbits, requiring the transmission of quantum keys over greater distances and presenting new technological challenges.
READ THE STORY: SPACE
EleKtra-Leak: The New Cryptojacking Menace Targeting AWS Credentials
Bottom Line Up Front (BLUF): A cyber-attack campaign named EleKtra-Leak is exploiting exposed Amazon Web Service (AWS) identity and access management (IAM) credentials on public GitHub repositories. The attackers are using these credentials to facilitate cryptojacking operations, specifically mining Monero cryptocurrency. The operation has been active since at least December 2020.
Analyst Comments: The EleKtra-Leak operation has been targeting AWS IAM credentials exposed on GitHub; within minutes of exposure, the repositories are programmatically cloned and scanned for credentials. The attacker has managed to create multiple AWS Elastic Compute Cloud (EC2) instances for their cryptojacking operations. Between August 30 and October 6, 2023, the operation mined Monero from as many as 474 unique Amazon EC2 instances. Another concerning detail is the attacker's rapid response to exposed AWS IAM credentials, with automated targeting within four minutes of initial exposure. This suggests a sophisticated level of automation and surveillance. There's also evidence linking the attacker to another cryptojacking campaign from January 2021, targeting Docker services. The attacker's methods bypass GitHub's secret scanning feature and AWS's AWSCompromisedKeyQuarantine policy.
FROM THE MEDIA: The EleKtra-Leak campaign is a sophisticated operation targeting AWS IAM credentials exposed on GitHub for cryptojacking purposes. Despite AWS's efforts to quarantine compromised keys, the attacker manages to bypass these measures, indicating an advanced understanding of the system's vulnerabilities. The rapid response to exposed credentials and the link to a previous campaign suggests that the threat actor is experienced and persistent. Organizations are advised to be vigilant, revoke compromised API connections, and monitor their GitHub repositories for any unauthorized activities.
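Since the campaign harvests keys within minutes of a push, the practical place to catch them is before a commit leaves the workstation. The pre-commit style scanner below is an added example, not code from the article or from AWS or GitHub; it flags AWS access key IDs (the AKIA/ASIA prefixes are AWS's documented key-ID format) and labelled 40-character secret keys in the added lines of a git diff. The sample diff, the AKIAZZZZ... key and the secret are constructed for the demo; AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation and is used only to show the allow-list.

```python
"""Scan the added lines of a git diff for AWS IAM credentials (added example, not vendor code)."""
import re
import sys
from typing import List, NamedTuple

# Long-term AWS access key IDs begin with "AKIA", temporary (STS) ones with "ASIA";
# both are 20 upper-case alphanumeric characters in total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret access key is 40 base64-alphabet characters. On its own that pattern is
# far too generic, so it is only reported when an aws_secret_access_key-style label
# precedes it (up to five punctuation/space characters apart, e.g. ' = "').
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)
# AWS documentation placeholders end in EXAMPLE; skipping them keeps the output quiet.
ALLOWLIST_SUFFIX = "EXAMPLE"


class Finding(NamedTuple):
    path: str     # file the added line belongs to ("?" if no +++ header was seen)
    line: int     # line number in the new version of the file
    kind: str     # "access_key_id" or "secret_access_key"
    masked: str   # first 4 and last 4 characters kept, the rest replaced by "*"


def mask(value: str) -> str:
    """Never echo the full credential into a log or terminal."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_line(path: str, lineno: int, text: str) -> List[Finding]:
    """Return every credential-looking token on one line that is not an allow-listed placeholder."""
    out: List[Finding] = []
    for m in ACCESS_KEY_RE.finditer(text):
        if not m.group(1).endswith(ALLOWLIST_SUFFIX):
            out.append(Finding(path, lineno, "access_key_id", mask(m.group(1))))
    for m in SECRET_KEY_RE.finditer(text):
        if not m.group(1).endswith(ALLOWLIST_SUFFIX):
            out.append(Finding(path, lineno, "secret_access_key", mask(m.group(1))))
    return out


def scan_diff(diff: str) -> List[Finding]:
    """Walk a unified diff and scan only the lines that are being added."""
    findings: List[Finding] = []
    path, lineno = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                      # new-file header, e.g. "+++ b/config.py"
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):                      # hunk header carries the new-file start line
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):                       # added line: this is what would be pushed
            lineno += 1
            findings.extend(scan_line(path, lineno, raw[1:]))
        elif raw.startswith("-") and not raw.startswith("---"):
            pass                                        # removed lines do not exist in the new file
        else:
            lineno += 1                                 # context line (or a header we do not need)
    return findings


# Constructed sample diff: a developer hard-codes credentials instead of reading them from the environment.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAZZZZTESTTESTTEST"
+AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
+DOCS_EXAMPLE = "AKIAIOSFODNN7EXAMPLE"
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python scan_diff.py  (non-zero exit blocks the commit)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for f in hits:
        print(f"{f.path}:{f.line}: possible AWS {f.kind}: {f.masked}")
    sys.exit(1 if hits else 0)
```

Wiring it into a pre-commit hook is a local control only; keys that do reach a public repository should still be treated as compromised and rotated, whatever the scanner reported.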
READ THE STORY: THN
Putin Pushes for Radical Shifts in Satellite Manufacturing by 2024
Bottom Line Up Front (BLUF): Russia can only manufacture about 40 satellites a year, which is significantly less than its global competitors. This limitation has been a concern for Russian President Vladimir Putin, who has urged the Russian space agency, Roscosmos, to implement radical changes in satellite production methods by 2024.
Analyst Comments: The satellite industry has seen rapid growth in recent years, with the U.S. and China leading in satellite production and launches. While SpaceX's Starlink constellation dominates with 75% of this year's launched satellites, China and other countries are also significantly contributing. Russia, once a space superpower, is lagging behind with its plans for a 264-satellite constellation called "Sphere." Yuri Borisov, the chief of Russian space operations, revealed that Russia can only produce about 40 satellites annually. This production rate is dwarfed by the U.S.'s capacity to build about 3,000 satellites and China's 1,200 to 1,500 satellites per year. The primary reason for Russia's lag is its manual, time-consuming satellite construction process. Putin has expressed the urgent need for Russia to transition from serial to parallel satellite manufacturing to remain competitive.
FROM THE MEDIA: Satellite production and launches have exponentially increased globally, with the U.S. and China leading the race. Russia, despite its historical prominence in space endeavors, can only produce a fraction of satellites compared to its competitors. The country's manual satellite construction methods are a significant bottleneck, and President Putin has emphasized the need for a strategic shift in production techniques to match global standards.
READ THE STORY: arsTechnica
Russian Tool "Kopeechka" Amplifies Fake Account Creation
Bottom Line Up Front (BLUF): A Russian hacking tool named "Kopeechka" enables low-skill cybercriminals to rapidly create hundreds of fake social media accounts, bypassing traditional security measures like email and phone verification.
Analyst Comments: Kopeechka, translating to "penny" in Russian, has been active since 2019 and is designed to sidestep two primary account creation challenges: email and phone verification. It has been utilized for large-scale spam campaigns on platforms like Mastodon and has capabilities for mass registrations on major social media sites including Facebook and X (formerly Twitter). The tool's efficiency in bypassing anti-bot measures, such as CAPTCHAs and IP checks, highlights a significant cybersecurity concern. While not necessarily illegal, Kopeechka facilitates cybercrime activities, especially among less-experienced criminals.
FROM THE MEDIA: Researchers from cybersecurity firm Trend Micro have discovered Kopeechka, a service that aids in the rapid creation of fake social media accounts. The tool bypasses conventional security measures, including email and phone verification. Kopeechka provides users with access to emails received from social media platforms and has a stockpile of various email accounts. It also offers connectivity to 16 online SMS services for phone number verification, mostly from Russia. The automated nature of the tool means cybercriminals can create potentially hundreds of accounts in seconds. Its longstanding reputation has made it popular among cybercriminals, emphasizing the need for stronger cybersecurity measures by social media giants.
READ THE STORY: The Record
MOVEit software vulnerabilities lead to breach of 632,000 email addresses; Russian-speaking group CLoP believed to be behind the series of attacks.
Bottom Line Up Front (BLUF): Russian hackers have breached 632,000 email addresses from the U.S. Justice and Defense departments in a major cyberattack, primarily attributed to the Russian-speaking criminal group CLoP, which is believed to be responsible for multiple data breaches.
Analyst Comments: The massive cyberattack, as reported by Bloomberg, took place earlier this year, targeting the email addresses of numerous employees across the Justice and Defense departments. The breach was facilitated through vulnerabilities in the MOVEit file transfer program utilized by data firm Westat. This firm is employed by the Office of Personnel Management (OPM) for administering employee surveys. While the attack was categorized as a "major incident," the compromised data is perceived to be of "low sensitivity." Moreover, several other organizations and agencies have also been victims of related breaches, implicating the file transfer software MOVEit. The Russian-speaking ransomware group CLoP has been identified as a key player in these attacks.
FROM THE MEDIA: In a substantial cyberattack, about 632,000 email addresses from the U.S. Justice and Defense departments were accessed. The breach was executed via the MOVEit file transfer program and has been primarily attributed to the Russian-speaking ransomware group, CLoP. While the data breach is significant, the compromised data is believed to be of relatively low sensitivity. This incident is part of a series of breaches that have affected various U.S. agencies and other global organizations, spotlighting vulnerabilities in the MOVEit software.
READ THE STORY: FORBES
Russia to Introduce 'Multiscanner': A Domestic Alternative to VirusTotal
Bottom Line Up Front (BLUF): The Russian government intends to launch its own malware scanning platform, analogous to Google's VirusTotal, within the next two years due to concerns over potential U.S. government access to data on the current service.
Analyst Comments: Russia's move towards creating its own version of VirusTotal, to be named "Multiscanner," is driven by its commitment to digital sovereignty and concerns over data privacy and security. The service will offer functionality similar to VirusTotal, allowing organizations to upload suspicious files for malware checks and share results with the cybersecurity community. The introduction of this platform aligns with Russia's broader strategy of reducing reliance on U.S.-based technologies, especially in the wake of sanctions and geopolitical tensions. There is an underlying sentiment in Russia that using services like VirusTotal could be seen as unlawful due to potential U.S. government access, further exacerbated by past incidents of data exposures.
FROM THE MEDIA: VirusTotal, a popular online service owned by Google, allows organizations to scan suspected malware using various antivirus tools. The results are then shared with the cybersecurity community. In response to potential U.S. snooping, Russia plans to introduce its own version, "Multiscanner," by 2025. Alexander Shoitov, Russia's deputy minister of digital development and communications, announced the development of the platform, highlighting its collaborative creation with the National Technology Center for Digital Cryptography and other private sector entities. While the website for this platform is already live, it is currently under reconstruction. The Russian government's shift towards domestic technology solutions follows a series of sanctions and emphasizes its intent to exercise greater control over its digital landscape for national security purposes.
READ THE STORY: The Record
Starlink Satellites: A Threat to Radio Astronomy
Bottom Line Up Front (BLUF): Starlink satellites, part of Elon Musk's mega-constellation, are "leaking" radio signals that interfere with radio astronomy. Even in designated "radio quiet zones," the signals from these satellites are stronger than natural sources. This interference poses challenges for astronomers and our broader understanding of the universe.
Analyst Comments: Over the past decade, the number of satellites orbiting Earth has surged, with plans for many more in the future. These satellites, especially those in mega-constellations like Starlink, are becoming a cause for concern. They not only threaten our natural connection to the cosmos but also impede astronomical research. The latest findings reveal that Starlink satellites emit unintended radio signals, which are much brighter than any natural source in the sky, even in areas meant to be devoid of such interference. The sensitivity of radio telescopes means that these signals from satellites, even if weak, appear as bright as the most potent cosmic radio sources. This poses a serious problem, especially for major projects like the Square Kilometre Array (SKA), a multi-billion dollar, multi-country radio observatory. While satellite operators like Starlink aren't necessarily breaking any regulations, the rapid advancement of satellite technologies means that existing regulations may not offer adequate protection for astronomical pursuits.
FROM THE MEDIA: The increasing number of satellites, particularly from mega-constellations like Starlink, poses a growing challenge for astronomers. The recent discovery of Starlink satellites "leaking" radio signals that interfere with radio astronomy is concerning. These signals, even if weak, can significantly impact the readings from sensitive radio telescopes. While current regulations may not offer immediate solutions, engagements with satellite operators, such as SpaceX, offer hope for future mitigations.
READ THE STORY: FreeThink
Canada Tightens Cybersecurity: Bans WeChat and Kaspersky on Official Devices
Bottom Line Up Front (BLUF): The Canadian government has prohibited the use of Tencent's WeChat and Kaspersky's suite of applications on its official mobile devices due to pressing security and privacy concerns.
Analyst Comments: The Canadian administration's decision underscores the country's heightened focus on cybersecurity and the protection of its digital assets. By banning these applications, especially WeChat, which boasts over a billion monthly users, the government is sending a clear message about its stance on potential cyber vulnerabilities. Additionally, this move might set a precedent for other nations to evaluate the risks associated with foreign-made apps, particularly when political tensions and data privacy issues are at play.
FROM THE MEDIA: On October 30, 2023, Canada announced a significant security measure by banning the use of WeChat, developed by Tencent, and Kaspersky's applications on government mobile devices. The decision was driven by the "unacceptable level of risk to privacy and security" that these apps reportedly pose. The government's step is not isolated, as earlier in February 2023, Canada had also barred TikTok from its government devices. Kaspersky, on the other hand, believes the ban is politically motivated rather than based on a genuine security assessment.
READ THE STORY: THN
KillNet Unleashes New DDoS-for-Hire Tool Amid Rising Cyber Threats
Bottom Line Up Front (BLUF): KillNet, a threat group, has introduced a new distributed denial of service (DDoS) tool available for rent. This release is alarming, especially as HTTP DDoS attacks have surged by 65% in recent months. The tool is marketed as a "DDoS-for-hire" service, potentially aimed at regions chosen on geopolitical grounds, and is designed for ease of use, allowing even those without technical expertise to launch attacks.
Analyst Comments: The KillNet group's new DDoS tool can be rented on a flexible pricing model, allowing users to access it for a day, a week, or a month. SOCRadar analysts observed the group advertising this service on Telegram, in collaboration with another Russophone threat actor, CombatOsint. The tool's design emphasizes precision targeting, suggesting that it could be used with geopolitical intentions. The ease of use indicates a broader target audience, potentially leading to an increase in DDoS attacks, especially against the mentioned 'unfriendly countries.' While the introduction of such a tool is concerning, it's not unprecedented. The digital underworld has seen similar services, and DDoS tools have become more accessible and affordable. Cloudflare's recent report shows a 65% increase in HTTP DDoS attacks, with hyper-volumetric attacks exploiting the HTTP/2 Rapid Reset vulnerability.
FROM THE MEDIA: The launch of KillNet's DDoS-for-hire service is part of a concerning trend of increasing accessibility to cyberattack tools. With the rise in HTTP DDoS attacks and the availability of powerful tools, businesses, especially those in targeted regions, may face a surge in potential cyber threats. It's imperative for organizations to adopt comprehensive monitoring and control measures and to collaborate with ISPs to fortify their defenses against such attacks. The current cyber landscape underscores the critical need for preparation and strong defensive protocols.
READ THE STORY: SCMEDIA
HashiCorp's Licensing Shift: A Reflection of a Broader Trend in the Open Source Ecosystem
Bottom Line Up Front (BLUF): The open source community is grappling with the ongoing trend of companies moving away from true open source licenses, primarily driven by financial motives. The recent switch by HashiCorp in changing Terraform's license and the subsequent fallout is a symptom of a larger trend seen with other companies like Apple, MongoDB, and Elastic.
Analyst Comments: Historically, companies have both benefited from and contributed to the open-source ecosystem. However, as the commercial implications of open source became clearer, many started to drift away from the core principles. Companies have adopted various strategies, like open-core or source-available models, to strike a balance between maintaining an open-source image and monetizing their offerings. The move by HashiCorp to dump Terraform's Mozilla Public License for the Business Source License, resulting in the OpenTofu fork, and the subsequent backlash, is reminiscent of past events in which companies like Elastic and MongoDB changed their licensing models in response to cloud giants profiting from their open-source software.
FROM THE MEDIA: Open source principles and profitability often seem at odds, with many companies adjusting their stances on open source for financial gains. While some like Apple have subtly incorporated open-source components into proprietary systems, others like HashiCorp face public scrutiny for more overt shifts. The broader trend indicates a challenging future for the coexistence of pure open-source principles and business monetization strategies.
READ THE STORY: The Register
BiBi-Linux Wiper: The New Malware Targeting Israeli Entities
Bottom Line Up Front (BLUF): A pro-Hamas hacktivist group is actively targeting Israeli entities using a newly identified Linux-based malware called BiBi-Linux Wiper.
Analyst Comments: The BiBi-Linux Wiper malware, an x64 ELF executable, has been designed to target and potentially destroy entire operating systems if executed with root permissions. This malware allows attackers to specify target folders, uses multithreading for enhanced speed, and can rename files with a specific "BiBi" extension. Notably, the string "bibi" has political significance in the Middle East, as it's a nickname for the Israeli Prime Minister, Benjamin Netanyahu. The malware is coded in C/C++ and has a file size of 1.2 MB. It operates using the nohup command, allowing it to run in the background without interruptions. A suspected Hamas-affiliated threat actor, known by multiple names including Arid Viper and Desert Falcon, is believed to be behind this.
FROM THE MEDIA: Amidst the ongoing Israeli-Hamas war, a new malware dubbed BiBi-Linux Wiper has emerged, being used by a pro-Hamas hacktivist group to target Israeli entities. The malware's capabilities, combined with its politically charged naming convention, underscore the increasing intersection of geopolitics and cybersecurity. The discovery also shines a spotlight on the suspected Hamas-affiliated threat actor, Arid Viper, which has a history of cyber espionage activities against both Israel and Palestine.
READ THE STORY: THN
Items of interest
Emerging Targets Include Israel-supporting Nations; An Echo of Post-Ukraine Invasion Cyber Tactics
Bottom Line Up Front (BLUF): Pro-Palestinian cyber threat groups, initially focused on Israel, are expanding their targets to nations supporting Israel, such as India and Kenya. This mirrors the pattern observed after Russia's invasion of Ukraine in 2022.
Analyst Comments: The cyber conflict that began quickly after the October 7 surprise raids by Hamas terrorists in Israel is evolving. Lower-level hacktivists are increasingly active in the Israel-Hamas conflict, while the involvement of more prominent cyber actors seems to have decelerated. However, countries like India and Kenya, which have shown support for Israel, are becoming new targets. This is reminiscent of the cyber response after Russia's 2022 invasion of Ukraine, when pro-Russian groups targeted nations allied with Ukraine. Notably, while non-Israeli targets are not new in this conflict, the persistence of certain groups is significant, especially given the decline in cyberattacks on Israeli entities.
FROM THE MEDIA: As Israel intensifies its military response in Gaza, the concurrent cyber war is undergoing changes, with its reach extending beyond Israel's borders. A recent report by SecurityScorecard highlighted the shifting dynamics, with lesser-skilled hacktivists becoming more active, while larger threat actors appear to slow down. However, the cyber war's geographical reach is expanding, targeting nations supportive of Israel. This change in tactics is not only concerning for the immediate targets but indicates a broader cyber geopolitical strategy.
READ THE STORY: Security Boulevard
Welcome to the Panopticon: Israel’s Systematic Surveillance of Palestinians & its Implications (Video)
FROM THE MEDIA: Three major stories broke over the past week about Israel’s cyber-surveillance of Palestinians, from hacking the phones of human rights defenders and officials to increased monitoring of Jerusalemites to the mass deployment of facial recognition software against Palestinians in the West Bank. To discuss these issues and their broader implications, FMEP is proud to host a conversation with four experts - Andrew Anderson (Front Line Defenders), Marwa Fatafta (Access Now), Avner Gvaryahu (Breaking the Silence), and Sophia Goodfriend (7amleh), in conversation with FMEP President Lara Friedman.
More Hackers Join Israel-Hamas War (Video)
FROM THE MEDIA: In recent times, as the conflict on the ground intensified, so did the cyber warfare. The involvement of hacktivist groups, individuals motivated by political or social agendas rather than financial gain, has become increasingly prevalent. These individuals or groups often act independently of any official organization, utilizing tactics like Distributed Denial of Service (DDoS) attacks, phishing campaigns, and spreading disinformation.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.