Daily Drop (640): DPRK: Shells for SAT, AI: Global Regs., Telegram: Israel-Hamas, Scarred Manticore, KANDYKORN, Space-Based Solar Farms, Kazuar Backdoor, JFK Taxi System, NSO: US Lobbyists, Arid Viper
11-01-23
Wednesday, Nov 01, 2023 // (IG): BB // The Leek Sino-Satire // Coffee for Bob
Pyongyang aids Moscow's Ukraine war; receives satellite tech in return.
Bottom Line Up Front (BLUF): North Korea has supplied Russia with over one million artillery rounds for use in the Russia-Ukraine war. In exchange, Russia seems to have provided North Korea with technical advice on satellite technology.
Analyst Comments: Historic allies North Korea and Russia have further strengthened their ties amidst global sanctions. Following a summit between their leaders, Kim Jong Un and Vladimir Putin, in September, the U.S. claimed that North Korea began providing weapons to Russia. The South Korean National Intelligence Service (NIS) confirmed multiple arms transfers from North Korea to Russia since August. In return for the artillery, Pyongyang appears to have gained technical know-how from Moscow for its military reconnaissance satellite launch. Even though North Korea postponed its satellite launch initially set for October, it is making final preparations, indicating a potentially higher success rate due to Russian expertise. The U.S., along with Seoul and Tokyo, has condemned North Korea's arms support to Russia. Furthermore, Pyongyang's stance on Russia's invasion of Ukraine has been supportive, with Kim prioritizing bilateral ties with Moscow.
FROM THE MEDIA: Amidst global tensions and sanctions, North Korea and Russia have deepened their alliance. North Korea has been supplying artillery rounds to Russia, aiding its war efforts in Ukraine. In return, Russia has shared technical advice with North Korea on satellite technology, which might result in a more successful satellite launch by Pyongyang in the near future. This collaboration has been met with condemnation from several global powers, including the U.S., Seoul, and Tokyo.
READ THE STORY: BARRONS
Chinese AI Experts Urge for Stricter Global Regulations
Bottom Line Up Front (BLUF): Chinese artificial intelligence experts, along with some Western academics, are urging stronger AI regulations than those proposed by the UK, US, and EU, warning that advanced AI could pose significant existential threats in the upcoming decades.
Analyst Comments: Ahead of a major global AI safety summit set to take place at Bletchley Park, England, numerous Chinese scholars attending the summit have expressed concerns about the potential dangers of advanced AI. This group, including renowned computer scientist Andrew Yao, advocates for the establishment of an international AI regulatory body, mandatory registration and auditing of AI systems, and the implementation of instant "shutdown" mechanisms. These suggestions aim to address more profound existential threats than the recent AI-related policies from the US and EU. The UK's draft for the summit, however, does not explicitly call for these specific regulations. The stance of these Chinese experts seems to indicate China's potential approach to global AI regulations amid ongoing technological tensions between China and the US.
FROM THE MEDIA: As nations prepare for the upcoming global AI safety summit, there's a growing call for tighter AI regulations, especially from Chinese AI experts who have joined forces with some Western scholars. Their primary concern revolves around the existential risks that unchecked advanced AI could present in the future. They propose the creation of an international AI governing body, compulsory registration and monitoring of AI systems, and the inclusion of instant shutdown procedures to mitigate these risks. These recommendations starkly contrast with the more moderate AI policies recently proposed by the UK, US, and EU.
READ THE STORY: FT
Telegram's Role in the Israel-Hamas Conflict: A Digital Onslaught
Bottom Line Up Front (BLUF): Telegram, a popular messaging app, became a primary platform for the dissemination of videos and information during the recent Israel-Hamas conflict. Due to its lax content moderation, Hamas was able to broadcast real-time attacks, playing a significant role in psychological warfare.
Analyst Comments: Telegram's capability to rapidly share unfiltered content made it an effective tool during the conflict. The platform's lack of robust content moderation allowed for content to quickly reach millions of individuals. While major tech companies requested Telegram to ban Hamas' channels due to the extreme content, the company largely refrained, citing the complexities of policing speech during a conflict. The weaponization of the platform has been evident, with Hamas accounts, banned from most other social media platforms, flourishing on Telegram. Their channels witnessed exponential growth, showcasing the power of the app to spread content faster than traditional media.
FROM THE MEDIA: During the recent conflict between Israel and Hamas, Telegram emerged as a central platform for sharing videos and information. With the absence of rigorous content moderation, Hamas leveraged the platform to share real-time broadcasts of their attacks, leading to a digital onslaught that paralleled their physical offensives. The rapid spread of such content created a significant impact, fostering an environment of panic and uncertainty. Despite calls for stricter moderation and channel bans, Telegram's leadership remains hesitant, highlighting the challenges of content regulation during geopolitical crises.
READ THE STORY: Wired
U.S. Government Files Suit Against SolarWinds Over Cyber Espionage
Bottom Line Up Front (BLUF): The U.S. has filed a lawsuit against Texas-based software company SolarWinds, stemming from a significant Russian cyber espionage campaign.
Analyst Comments: The Securities and Exchange Commission (SEC) is seeking civil penalties from SolarWinds, reimbursement of “ill-gotten gains”, and the removal of the company’s top security executive, Tim Brown. This action follows allegations that SolarWinds and Brown repeatedly overlooked significant cyber risks. The 2020 SolarWinds cyberattack resulted in major breaches, affecting government agencies such as the Justice Department and the Department of Homeland Security, as well as numerous private firms and think tanks. SolarWinds and Brown's legal representatives have expressed disappointment and disagreement with the SEC's claims.
FROM THE MEDIA: In late 2020, SolarWinds faced a substantial cyberattack that compromised several government agencies and over 100 private entities. The SEC alleges that the company and its top security executive, Tim Brown, had been consistently ignoring cyber risks, which has led to this lawsuit. While the SEC seeks penalties and the removal of Brown, both SolarWinds and Brown's representatives have defended their actions and commitment to cybersecurity. The lawsuit underscores the mounting tensions and challenges related to cybersecurity in the U.S.
READ THE STORY: The Hill
Iranian Group Scarred Manticore Spies on Middle East Entities
Bottom Line Up Front (BLUF): A recently released report uncovers that an Iranian nation-state threat actor, known as Scarred Manticore, is actively conducting espionage activities against prominent organizations in the Middle East. Targeting primarily government, military, and telecom sectors across multiple countries, their activities have been linked to the interests of Iran's Ministry of Intelligence and Security (MOIS). Their use of advanced malware, Liontail, has raised concerns about the evolving cyber capabilities of Iranian-affiliated groups.
Analyst Comments: Scarred Manticore has been targeting government, military, and telecom sectors in several Middle Eastern countries including Saudi Arabia, UAE, Jordan, Kuwait, Oman, Iraq, and Israel. Researchers from Check Point, who investigated this campaign, believe that this group is affiliated with Iran's Ministry of Intelligence and Security (MOIS). The victim profile and interests align with the MOIS's known targets. Active since 2019, Scarred Manticore's tools have evolved, with their latest attacks using advanced malware named Liontail. This malware allows remote command execution via HTTP requests and is designed to evade detection. While Liontail is unique, some tools overlap with the Iranian hacker group OilRig or its affiliates. Scarred Manticore is also potentially linked to attacks on Albanian government infrastructure.
FROM THE MEDIA: Iranian hackers, under the banner of Scarred Manticore, are implicated in a cyber espionage campaign against key Middle Eastern entities. The campaign's primary victims are government, military, and telecom sectors across several countries. Check Point's research suggests that the group's activities align with Iranian interests. Their advanced malware, Liontail, indicates the significant progress of Iranian cyber capabilities. Some tools used have similarities with those of the Iranian hacker group OilRig. Future operations by Scarred Manticore are anticipated to align with Iran's long-term objectives.
READ THE STORY: The Record
KANDYKORN macOS Malware: North Korean Cyber Espionage Targets Blockchain Engineers
Bottom Line Up Front (BLUF): North Korean state-sponsored threat actors are deploying a novel macOS malware, KANDYKORN, targeting blockchain engineers of an unnamed crypto exchange platform. The attackers impersonate blockchain engineers on public Discord servers and employ social engineering tactics to deceive victims.
Analyst Comments: The Lazarus Group, a notorious North Korean hacker collective, is believed to be behind this latest attack, exhibiting patterns consistent with their past activities. Victims are lured on Discord through a Python application, which initiates a complex multi-stage intrusion that uses advanced defense evasion techniques. The ultimate goal is to deliver the KANDYKORN malware. KANDYKORN is described as a sophisticated implant with capabilities for monitoring, interaction, and evasion. Initial access is achieved by tricking victims into downloading a ZIP archive with malicious content. The North Korean objective appears to be the theft of cryptocurrency, possibly as a strategy to sidestep international economic sanctions.
FROM THE MEDIA: KANDYKORN is the latest in a series of malware campaigns by the Lazarus Group, with previous instances involving macOS malware like RustBucket. A distinguishing factor in this campaign is the impersonation of blockchain engineers on public Discord servers. By masquerading as legitimate software, the threat actors trick victims into downloading malicious software that eventually installs KANDYKORN. Concurrently, another North Korean threat group, Kimsuky, has been identified as deploying an updated version of an Android spyware named FastViewer.
READ THE STORY: THN
Space-Based Solar Farms: A Feasible Solution for Earth's Energy Demands
Bottom Line Up Front (BLUF): Researchers from the University of Surrey and the University of Swansea have determined that space-based solar farms are commercially viable after a six-year research project.
Analyst Comments: The study, the first of its kind, observed a satellite's solar panels over 30,000 Earth orbits, analyzing their power generation and resilience to solar radiation. The University of Swansea's Centre for Solar Energy Research produced new solar cells from cadmium telluride, resulting in lightweight panels covering a larger area and generating more power than current technology. These panels are also cost-effective to manufacture. The University of Surrey contributed by designing instruments to measure the panels' performance in space. The satellite used for this study was built at the Surrey Space Centre in collaboration with the Algerian Space Agency. While the efficiency of these cells decreased over time, the researchers are confident that space-based solar power stations are feasible and commercially viable.
FROM THE MEDIA: Solar farms in space could be the future of clean energy, as evidenced by a collaborative research project between the University of Surrey and the University of Swansea. These space-based solar panels, made from cadmium telluride, are efficient, cost-effective, and resilient in space conditions. As the panels have successfully weathered space conditions and continue to generate power, they are seen as a promising solution to Earth's growing energy needs.
READ THE STORY: New Civil Engineer
Turla's Evolving Threat: The Enhanced Kazuar Backdoor
Bottom Line Up Front (BLUF): The Russia-linked hacking group Turla has updated its known second-stage backdoor, Kazuar, enhancing its anti-detection capabilities.
Analyst Comments: The upgraded version of Kazuar emphasizes stealth operation, evasion from detection, and resistance to analysis efforts. These enhancements are evident through the employment of advanced anti-analysis techniques and robust encryption and obfuscation practices. Furthermore, the backdoor has expanded its features, jumping from 26 commands in 2017 to 45 in the latest variant. These updates indicate the persistent evolution and sophistication of the threat actor, underscoring the continuous threat they pose to cybersecurity.
FROM THE MEDIA: Palo Alto Networks Unit 42 identified the updates in Kazuar, noting the malware's improved ability to operate secretly, avoid detection, and thwart analysis. Active since 2004, the Turla group is linked to the Russian Federal Security Service (FSB). The malware, Kazuar, is known for its stealthy interactions with compromised hosts, exfiltrating data without detection. Recent improvements suggest that Turla continues to refine its attack methods, with advanced obfuscation and encryption techniques to remain undetected. The malware's multithreading model and expanded command set further highlight its growing capabilities.
READ THE STORY: THN
Hacking the Queue: The JFK Airport Taxi Dispatch Scandal
Bottom Line Up Front (BLUF): Two Americans and two Russians are alleged to have hacked the JFK airport taxi dispatch system for two years, selling prime spots in the dispatch line to taxi drivers.
Analyst Comments: Between September 2019 and September 2021, the JFK airport taxi dispatch system was reportedly compromised by four individuals – two Americans (Daniel Abayev and Peter Leyman) and two Russians (Aleksandr Derebenetc and Kirill Shipulin). Their alleged motive was to monetize the high demand for airport fares by offering taxi drivers a chance to skip the long wait in the dispatch line for a fee. By manipulating the system, they could position a taxi at the front of the queue, providing a significant advantage given the unpaid waiting time taxi drivers usually face. The Americans have pleaded guilty and await sentencing, while the Russians, having received more than $100,000 for their role, remain at large.
FROM THE MEDIA: The JFK airport taxi dispatch system was reportedly hacked by a group of four, aiming to capitalize on the financial incentive taxi drivers have to avoid long wait times. The hacking scheme was diverse, including attempts to bribe insiders, unauthorized Wi-Fi access, and stealing connected tablets. Once they gained access, taxi drivers were offered a chance to move to the front of the queue for a $10 fee. The scheme proved popular, with as many as 1,000 trips per day skipping the regular queue. The U.S. Justice Department claims the group recorded 2,463 queue cuts in a single week in December 2019. The indicted Americans have admitted their guilt, while the Russians, who have been charged, are yet to be apprehended.
READ THE STORY: The Register
NSO Group Recruits Top-tier Lobbyists Amid Regulatory Challenges
Bottom Line Up Front (BLUF): NSO Group, the company behind the controversial Pegasus spyware, has hired lobbyists with deep-rooted experience in the National Security Agency and Commerce Department to represent their interests in Washington.
Analyst Comments: The NSO Group's decision to bring in high-profile lobbyists, particularly Stewart Baker and Jeff Weiss, underscores their strategic move to address national security and export control challenges in the U.S. The past blacklisting of the NSO Group by the Commerce Department, which prohibited the company from acquiring materials from U.S. vendors, coupled with the global scrutiny over the misuse of their Pegasus software, has put them under significant pressure. With the hiring of these lobbyists, the NSO Group is making a clear attempt to navigate the complex regulatory landscape of the U.S. and potentially rehabilitate its image.
FROM THE MEDIA: The NSO Group, known for its Pegasus spyware linked to various human rights abuses, has retained two influential lobbyists, Stewart Baker and Jeff Weiss, both with significant experience in the U.S. National Security and Commerce sectors. This move comes after the company faced backlash and was placed on the Commerce Department's Entity List in 2021, effectively barring it from sourcing materials from U.S. suppliers. The Pegasus software has been implicated in multiple scandals, including being used against journalists, politicians, and activists globally. The hiring of these lobbyists is a clear indication of NSO's strategy to address its challenges in the U.S. market.
READ THE STORY: The Record
Malicious Campaign Targets Google's Dynamic Search Ads to Distribute Malware
Bottom Line Up Front (BLUF): A malvertising campaign has been discovered that exploits Google's Dynamic Search Ads to promote malicious versions of the popular Python developer program, PyCharm, through compromised websites.
Analyst Comments: The campaign operates by leveraging a compromised wedding planning portal to display fraudulent versions of PyCharm in Google search results. Jérôme Segura, the director of threat intelligence at Malwarebytes, highlights that victims who clicked on these ads were directed to a hacked webpage. Instead of getting the legitimate software, users ended up downloading multiple malware payloads. The core of this campaign's success lies in Google's Dynamic Search Ads, a feature that auto-generates ads from the content of the advertiser's website. Threat actors who can modify the website's content can misuse this feature, leading to Google Search users being served potentially harmful ads. Akamai has also highlighted a sophisticated phishing campaign targeting hospitality sites, which has been active since June 2023.
FROM THE MEDIA: Cybersecurity experts have identified a malvertising campaign that targets Google's Dynamic Search Ads to distribute malware-ridden versions of the PyCharm software. Victims who search for PyCharm and click on these ads are directed to a compromised wedding planning website, which serves malicious software downloads instead of the genuine program. The tactic exploits Google's ad algorithm, which generates ads based on website content, making it a lucrative tool for cybercriminals. Additionally, a separate phishing campaign targeting the hospitality sector has been uncovered, signaling an increase in cyber threats.
READ THE STORY: THN
Ovzon Granted Extension for Satellite Deployment Amidst Delay
Bottom Line Up Front (BLUF): Ovzon, a Swedish satellite company, has received a six-month extension from international regulators for the deployment of its debut satellite, Ovzon 3, after facing a series of manufacturing and launch delays.
Analyst Comments: The delay primarily stemmed from a change in launch providers and subsequent manufacturing issues at Maxar Technologies. Despite these challenges, the satellite is on track for shipment to SpaceX’s launch site in Florida by late November. This delay has financial implications for Ovzon, as they have had to revise their 2023 revenue projections downward due to the inability to finalize new orders on time.
FROM THE MEDIA: Ovzon 3, built by Maxar and weighing 1,500 kilograms, is a relatively small satellite compared to traditional geostationary communication satellites. The company was at risk of losing its priority spectrum rights for Ovzon 3 due to the aforementioned changes in launch providers from Arianespace to SpaceX. Although the satellite's launch via SpaceX's Falcon 9 is scheduled for December, it will take several months to reach its intended geostationary orbital slot. Ovzon's financial outlook has been impacted, with projected 2023 revenues reduced from an expected 357 million Swedish krona ($32 million) to 250 million Swedish krona, primarily because of these delays.
READ THE STORY: SN
NuGet Repository Targeted: Malicious Packages Distributing SeroXen RAT Detected
Bottom Line Up Front (BLUF): Cybersecurity researchers have detected a series of malicious packages on the NuGet package manager that have been distributing the SeroXen RAT malware. These packages were found to abuse NuGet's MSBuild integration feature to plant malicious code.
Analyst Comments: ReversingLabs, a software supply chain security firm, described the malware distribution campaign as coordinated and active since August 1, 2023. The threat actors behind these malicious packages have been persistent in their attempts to introduce malware into the NuGet repository. The packages, which are designed to mimic popular packages, exploit an MSBuild feature called inline tasks to execute malicious code. This strategy is the first of its kind seen in the NuGet repository. The packages also employed tactics like using spaces and tabs to hide the malicious code and artificially inflated download counts to appear legitimate. A secondary .NET payload is fetched from a temporary GitHub repository once the decoy packages are executed.
FROM THE MEDIA: A range of rogue NuGet packages have been discovered delivering the SeroXen RAT malware. These packages imitate legitimate ones and exploit NuGet's inline tasks feature to execute their malicious code. The packages, including names like "Pathoschild.Stardew.Mod.Build.Config" and "KucoinExchange.Net", have been removed. The threat actors have been meticulous in their approach, as evident from their strategies of hiding the malicious code and inflating download counts. The goal of these decoy packages is to serve as a medium for fetching a secondary .NET payload from a temporary GitHub repository.
READ THE STORY: THN
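How a defender might screen the MSBuild .targets/.props files shipped inside a NuGet package for the two tells described above: a task definition that compiles inline code, and content pushed out of view behind long runs of spaces or tabs. This is an added example, not code from ReversingLabs or the NuGet project; the sample project file is constructed, and the task name BuildHelper and the 40-character padding threshold are assumptions.

```python
"""Screen MSBuild .targets/.props files bundled in a NuGet package for inline tasks.
Added example (not ReversingLabs or NuGet code); the sample project file is constructed.
"""
import re
import xml.etree.ElementTree as ET

# MSBuild task factories that compile and run source embedded in the project file itself.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Constructed sample: one inline C# task plus one whitespace-padded line (the {PAD} marker).
SAMPLE_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="BuildHelper" TaskFactory="RoslynCodeTaskFactory"
             AssemblyFile="$(MSBuildBinPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[ System.Console.WriteLine("constructed inline task"); ]]>
      </Code>
    </Task>
  </UsingTask>
  <Target Name="AfterRestore" AfterTargets="Restore">
    <BuildHelper />
  </Target>
  <Target Name="Tidy">
    <Message Text="ok" />{PAD}<Exec Command="echo constructed-stage2" />
  </Target>
</Project>
""".replace("{PAD}", " " * 60)

def _local(tag):
    """Strip the namespace prefix ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(xml_text):
    """List every <UsingTask> that relies on an inline task factory."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        if factory.lower() in INLINE_FACTORIES:
            findings.append({
                "task": elem.get("TaskName", "<unnamed>"),
                "factory": factory,
                # A <Code> child means source gets compiled and run at build/restore time.
                "has_code": any(_local(c.tag) == "Code" for c in elem.iter()),
            })
    return findings

def find_padded_lines(xml_text, min_pad=40):
    """Return (line_no, hidden_text) for lines that park content behind long whitespace."""
    # Normal indentation sits at line start; a run of min_pad+ blanks *between*
    # two pieces of content is the padding trick, so require a non-blank before it.
    pattern = re.compile(r"\S[ \t]{%d,}(\S.*)$" % min_pad)
    hits = []
    for line_no, line in enumerate(xml_text.splitlines(), 1):
        match = pattern.search(line)
        if match:
            hits.append((line_no, match.group(1).strip()))
    return hits

def scan_nuget_build_file(xml_text):
    """Combine both checks into one verdict for a single .targets/.props file."""
    inline_tasks = find_inline_tasks(xml_text)
    padded_lines = find_padded_lines(xml_text)
    return {"inline_tasks": inline_tasks, "padded_lines": padded_lines,
            "suspicious": bool(inline_tasks or padded_lines)}

if __name__ == "__main__":
    report = scan_nuget_build_file(SAMPLE_TARGETS)
    for task in report["inline_tasks"]:
        print(f"inline task {task['task']} via {task['factory']} (code body: {task['has_code']})")
    for line_no, hidden in report["padded_lines"]:
        print(f"line {line_no}: content hidden behind whitespace -> {hidden}")
    print("verdict:", "SUSPICIOUS" if report["suspicious"] else "clean")
```

Run it against every .targets and .props file extracted from a .nupkg; a legitimate package rarely needs an inline task, so any hit deserves a manual read of the <Code> body.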
Items of interest
Arid Viper's Deceptive Spyware Campaign: Dating Apps as a Facade
Bottom Line Up Front (BLUF): The cyber espionage group "Arid Viper" (also known as APT-C-23, Desert Falcon, or TAG-63) is behind a deceptive Android spyware campaign that targets Arabic-speaking users. The campaign uses a counterfeit dating app, passed off as an authentic dating service, to harvest data from infected devices.
Analyst Comments: Arid Viper has been active since at least 2017 and is associated with Hamas, the Islamist militant group governing the Gaza Strip. However, there's no evidence linking the cyber campaign to the ongoing Israel-Hamas conflict. Interestingly, the malicious mobile software shares source code similarities with a legitimate online dating app named "Skipped." This suggests that the Arid Viper operators might have ties to the app's developers or replicated its features for deceptive purposes. The approach aligns with the group's previous tactics, where they've used seemingly benign chat applications laden with malware. Notably, the group uses a method where targets are sent a link to a tutorial video for the purported dating application. A URL in the video description leads the user to an attacker-controlled domain that deploys the malware APK.
FROM THE MEDIA: The Arid Viper group's strategy highlights a growing trend in cyber espionage: using legitimate-looking applications to disguise malicious intent. Their target demographic, Arabic-speaking users, is lured through a counterfeit dating app, revealing a sophisticated method of data harvesting. Furthermore, the connection between the spyware's source code and the "Skipped" app raises concerns about potential overlaps between legitimate app developers and cyber espionage entities. The cybersecurity community must remain vigilant against such tactics, as they blur the lines between genuine applications and malicious software.
READ THE STORY: THN
Invisible surveillance: How spyware is secretly hacking smartphones (Video)
FROM THE MEDIA: An investigation by a consortium of media organizations has found that military-grade spyware licensed by an Israeli firm has been used to hack smartphones belonging to journalists and others.
Watering-Hole Attacks Exploit MacOS Spyware Named DazzleSpy (Video)
FROM THE MEDIA: A new generation of cyber-espionage spyware designed to target macOS and delivered through a Safari backdoor has been used against pro-democracy, politically active inhabitants of Hong Kong. Google TAG first discovered these watering-hole attacks in August; the investigation uncovered a potent macOS backdoor termed DazzleSpy.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.