Daily Drop (643): EncroChat, Post-Quantum Crypto, Starlink, CanesSpy, Zero-Day Exploits, SBF FTX, CyberHUB: NSO, StripedFly, Crypto Washing, CVE-2023-4911, GRU Burned, DOE & Argonne Labs, Huawei
Saturday, Nov 04, 2023
A Tangled Web of Betrayal: EncroChat Breach Exposes Police Misconduct
Bottom Line Up Front (BLUF): Natalie Mottram, a former intelligence analyst for Cheshire Police, has been sentenced to three years and nine months for leaking sensitive information about the EncroChat cybercrime investigation to a criminal acquaintance.
Analyst Comments: Mottram's actions represent a severe breach of trust within UK law enforcement, undermining the significant progress made in Operation Venetic. This case illustrates the critical vulnerabilities that can arise from internal corruption, particularly in operations targeting widespread criminal networks. The legal repercussions reflect the gravity of such misconduct, which has broader implications for the integrity of law enforcement agencies.
FROM THE MEDIA: In a striking revelation of corruption, 25-year-old Natalie Mottram, previously employed by Cheshire Police, has been convicted for her role in warning a friend about the EncroChat encrypted messaging app compromise. This breach comes as part of the larger Operation Venetic, a landmark investigation that has seen over 3,000 arrests and 1,240 convictions based on intelligence from EncroChat. Mottram's disclosure to her friend, who was involved in criminal activities, has raised questions about internal security measures within the police forces. The severity of her offense is mirrored in her sentencing, reflecting the justice system's stance on corruption and betrayal by public officers.
READ THE STORY: The Register // The Record
UK NCSC Cautions on Complexities of Post-Quantum Cryptography Transition
Bottom Line Up Front (BLUF): The UK's National Cyber Security Centre (NCSC) has released new guidance underscoring the intricate challenges associated with transitioning to post-quantum cryptography (PQC). The NCSC warns that while current quantum computers are not yet a significant threat to public-key cryptography, the potential future development of such technology necessitates a shift to PQC, a process that will be highly complex and resource-intensive.
Analyst Comments: The NCSC's evaluation indicates that moving to PQC will involve more than just the adoption of new mathematical algorithms. It will require extensive re-engineering of existing protocols and services, particularly those that underpin critical national infrastructure (CNI). The organization points out that many CNI systems operate on legacy technology with limited resources, which complicates the transition. However, they also note that for most organizations and individuals, the change should occur seamlessly behind the scenes, thanks to the proactive efforts of cybersecurity professionals across various sectors.
FROM THE MEDIA: The guidance from the NCSC comes as quantum computing advances steadily, with the understanding that quantum computers will eventually be capable of breaking traditional cryptographic systems. Highlighting the work of American mathematician Peter Shor, the NCSC points to a future where public-key cryptography could be rendered obsolete by quantum algorithms. In anticipation, researchers and organizations are developing PQC standards, including efforts by Google and the U.S. National Institute of Standards and Technology (NIST). Despite the anticipated difficulties, the UK agency is optimistic that the transition can be managed effectively, especially if planning is incorporated into technology refresh cycles. The push for PQC is framed as a necessary evolution in the ongoing battle to maintain data security against future threats.
READ THE STORY: The Record
SpaceX's Satellite Broadband Service Shows Promising Growth as Rival Boeing Steps Back
Bottom Line Up Front (BLUF): Elon Musk claims SpaceX's Starlink satellite broadband service has reached a cash flow breakeven point, indicating potential financial sustainability and sparking discussions about a possible public offering. Boeing, meanwhile, has retreated from the satellite broadband market after relinquishing its FCC license for a non-geostationary satellite orbit constellation.
Analyst Comments: Starlink's reported revenue of $1.4 billion in 2022 marks a significant increase from the previous year, although it fell short of initial high projections. With over 5,000 satellites in low Earth orbit and plans to launch more, Starlink dominates the active satellite count and is expanding its global service coverage. The breakeven milestone is critical for SpaceX as it aligns with Musk's criteria for considering an IPO for Starlink. Conversely, Boeing's withdrawal from the satellite broadband scene, along with its forfeiture fee payment to the FCC, suggests a strategic pivot or admission of challenges in competing with SpaceX.
FROM THE MEDIA: SpaceX's Starlink has achieved a pivotal financial milestone, reaching breakeven cash flow, which improves its prospects for an IPO. The service's success is highlighted by its expanding infrastructure and growing revenue, despite not meeting initial lofty profit predictions. Starlink's growth contrasts with Boeing's decision to exit the satellite broadband competition, reflecting the high barriers to entry and SpaceX's formidable market presence. The developments suggest a reshaping of the satellite broadband landscape, with Starlink leading the charge and potentially opening up new investment opportunities through a public offering.
READ THE STORY: The Register
CanesSpy: The Hidden Threat in Modded WhatsApp Versions
Bottom Line Up Front (BLUF): Unofficial modified versions of WhatsApp have been discovered to contain a spyware module known as CanesSpy, capable of compromising user privacy and security. The malicious software is being spread through dubious websites and Telegram channels, targeting users primarily in the Middle East and North Africa.
Analyst Comments: Cybersecurity experts have identified that these trojanized versions of WhatsApp possess additional components not present in the original app, which are designed to activate upon the phone's startup or while charging. Once active, CanesSpy connects to a command-and-control server and transmits sensitive data including the device's IMEI, phone number, and contact details. The spyware can update its command-and-control settings remotely, and the Arabic used in its server communications suggests that the developers are Arabic-speaking; the campaign has been actively targeting specific regions since mid-August 2023.
FROM THE MEDIA: The infiltration of CanesSpy through altered WhatsApp versions underscores a growing trend of utilizing popular messaging services as conduits for distributing malware. WhatsApp, owned by Meta, officially regards these third-party apps as counterfeit and cautions against their use due to the inherent security risks. The incident echoes the broader challenge facing users in discerning safe software and the responsibilities of digital platforms in curbing the spread of malicious applications. With the lawsuit against developers in China and Taiwan for distributing similar unofficial apps, WhatsApp reiterates the dangers of non-validated third-party app stores and channels which often bypass security checks, potentially leading to widespread user account compromises.
READ THE STORY: THN
Rising Tide of Zero-Day Exploits: Federal Networks Under Siege
Bottom Line Up Front (BLUF): CISA has observed a significant rise in zero-day exploits globally, posing an immediate and concerning threat to federal government networks, as reported by Michael Duffy at a recent cybersecurity panel.
Analyst Comments: According to Duffy, the associate director for capacity building within CISA’s cybersecurity division, there has been a notable increase in zero-day exploits after a period of decline. This uptick in sophisticated cyber threats, including ransomware and DDoS attacks, has had a direct impact on federal operations. The NSA echoes this concern, emphasizing the need for unified defense strategies across government and industry sectors. Recent attacks demonstrate the adversaries' capacity to exploit vulnerabilities in critical networks, prompting a strategic response from federal agencies.
FROM THE MEDIA: In the last six months, cybersecurity officials have faced a challenging environment marked by a surge in zero-day vulnerabilities and sophisticated state-backed hacking campaigns. Despite a previous year's decrease in detected zero-day exploits, the current trend indicates a resurgence, with far-reaching implications for national security. Federal agencies experienced one of the first ransomware attacks this fiscal year, highlighting the evolving threat landscape. Nonetheless, there is a growing sense of alignment within the government on cybersecurity strategies, suggesting a robust and thoughtful approach to combat these sophisticated cyber threats.
READ THE STORY: CyberScoop
Crypto King's Fall: Sam Bankman-Fried Found Guilty of Historic Financial Fraud
Bottom Line Up Front (BLUF): Sam Bankman-Fried, the erstwhile crypto wunderkind and founder of the now-defunct FTX exchange, was found guilty of all charges in a landmark financial fraud case, potentially facing a maximum sentence of 110 years. Sentencing is scheduled for March 2024.
Analyst Comments: The trial's swift conclusion after just four hours of jury deliberation underscores the potency of the prosecution's evidence against Bankman-Fried. His fall from grace was catalyzed by the testimonies of his inner circle, who turned against him to reveal the intricate web of deceit at the heart of FTX. With the verdict, Bankman-Fried's narrative as the golden boy of cryptocurrency has been irrevocably tarnished. His defense, maintaining his innocence, foreshadows an appeal, while additional charges loom on the horizon, pending prosecutorial discretion by February.
FROM THE MEDIA: In an unprecedented turn of events, Sam Bankman-Fried's trial saw his former allies – including FTX co-founders and his ex-girlfriend – plead guilty to related charges, cooperating with authorities and effectively sealing his fate. The trial stripped away the veneer of legitimacy that Bankman-Fried had cultivated, revealing a classic tale of corruption. Despite his legal team's efforts to humanize him through challenges faced during incarceration, the jury's decisive verdict speaks to the weight of his alleged crimes. As Bankman-Fried braces for his sentencing, the crypto community grapples with the ramifications of one of the most significant financial frauds in American history.
READ THE STORY: Fredericksburg // WSJ
State-Sponsored Cyber Threats Escalate in Armenia
Bottom Line Up Front (BLUF): Apple has begun issuing warnings to Armenian users about potential state-sponsored hacking attempts, suspected to be linked to Pegasus spyware. CyberHUB, an Armenian digital rights organization, corroborates this with findings of increasing spyware infections over the past two years, often related to escalations in Armenian-Azerbaijani tensions.
Analyst Comments: The recurrent notifications from Apple, while not explicitly naming the spyware, align with the pattern of Pegasus use, a tool developed by the Israeli firm NSO Group and known for being employed by governments for surveillance. CyberHUB's investigation suggests a steady rise in these incidents, especially during periods of heightened conflict with Azerbaijan. The use of Pegasus was notably documented during the 2020 war, targeting Armenian officials and civilians. The recent military actions in Nagorno-Karabakh by Azerbaijan have potentially triggered another wave of cyber espionage, raising concerns over digital rights and national security.
FROM THE MEDIA: The alerts from Apple, combined with CyberHUB's ongoing investigation, point towards a worrying trend of escalating cyber espionage in Armenia. The suspected use of Pegasus spyware by Azerbaijani operators raises alarm bells, given the spyware's capabilities for deep surveillance. While the full extent of the cyberattacks is difficult to gauge, the targeting pattern is clear, with high-profile individuals and those involved in the Nagorno-Karabakh conflict being at risk. The broader implications of such state-sponsored cyber activities underscore a pressing need for international dialogue on cyber norms and the protection of digital rights in conflict zones.
READ THE STORY: The Record
StripedFly Malware Campaign Uncovered: A Stealthy Cyber Threat
Bottom Line Up Front (BLUF): The StripedFly malware, an advanced and stealthy threat, has infected over a million devices in five years, evading detection by masquerading as a cryptocurrency miner.
Analyst Comments: Kaspersky's latest findings reveal that StripedFly, a sophisticated malware strain, has been operating under the radar since 2017, affecting a staggering number of devices globally. The malware is characterized by its modular framework, supporting both Linux and Windows systems, and its use of a custom EternalBlue SMBv1 exploit to infiltrate systems. With capabilities for data harvesting, self-uninstallation, and covert operations via TOR tunnels, StripedFly represents a significant cybersecurity threat.
FROM THE MEDIA: StripedFly utilizes a variety of methods to maintain persistence and avoid detection, including modifying the Windows Registry and creating scheduled tasks. It employs a Monero miner as a decoy to mask its extensive functionalities, which include gathering credentials, capturing screenshots, and recording audio without users' knowledge. The malware spreads to other machines using a worming module and communicates with its command-and-control server via a custom TOR client. Kaspersky's analysis also links StripedFly to the Equation Group's exploits, highlighting the possibility of involvement by an advanced persistent threat (APT) actor. Despite suggestions of commercial motives, the true purpose of StripedFly remains elusive, underscoring the complex and clandestine nature of this cyber threat.
READ THE STORY: THN
Analyzing the Treasury's Crackdown on Virtual Currency Laundering
Bottom Line Up Front (BLUF): The U.S. Treasury Department has imposed sanctions on a Russian woman for laundering virtual currency, linking her to the Ryuk ransomware and other illicit activities, signaling a robust U.S. stance on cybercrime and sanctions evasion.
Analyst Comments: This action by the Treasury is indicative of the U.S. government's increasing resolve to combat cybercrime, specifically targeting individuals aiding in the evasion of sanctions through virtual currency transactions. The sanctions reflect a broader strategy to disrupt financial networks that support ransomware operations and international cybercrime. Despite the symbolic nature of such sanctions, they serve as a clear warning to individuals and entities engaged in or supporting cybercriminal activities, reinforcing the message that the U.S. will use its financial clout to challenge cyber threats and the undermining of its sanctions regime.
FROM THE MEDIA: Ekaterina Zhdanova has been sanctioned by the Treasury Department for her role in laundering money for Ryuk ransomware affiliates and facilitating the evasion of sanctions for Russian elites. Her activities included the movement of substantial funds through the Garantex cryptocurrency exchange, already designated by OFAC in 2022. This move by the Treasury underlines the U.S. government's commitment to using its financial system to fight cybercrime and sanction evasion. It also highlights the ongoing challenges of cyber threats, as exemplified by Ryuk ransomware's significant impact on the healthcare sector during the COVID-19 lockdowns. While sanctions may not directly impede the operations of those outside the U.S. financial system, they contribute to an environment of increased risk for international cybercriminals and those who support them.
READ THE STORY: The Record
An Emerging Threat in the Cloud: Kinsing Actors Target Looney Tunables Vulnerability
Bottom Line Up Front (BLUF): Kinsing threat actors are exploiting the new Linux flaw, Looney Tunables (CVE-2023-4911), marking the first reported incident of its active exploitation aimed at compromising cloud environments.
Analyst Comments: The Kinsing group, known for rapidly adapting to exploit fresh security vulnerabilities, has now weaponized the recent Linux flaw to escalate privileges and potentially hijack cloud services. This pattern of behavior aligns with their historical modus operandi, including the use of a high-severity bug in Openfire (CVE-2023-32315) for remote code execution. The group’s latest strategy involves leveraging the PHPUnit vulnerability (CVE-2017-9841) to gain initial access and then executing a Python-based exploit for Looney Tunables. Notably, this activity signifies a strategic pivot, as the group now focuses on harvesting credentials from Cloud Service Providers (CSPs), broadening their operational scope and signaling a potential intensification of their attacks.
FROM THE MEDIA: Aqua Security's report to The Hacker News underscores a critical shift in the Kinsing actors’ tactics. After initial access via PHPUnit, the attackers use a Python exploit for the Looney Tunables flaw, followed by a PHP exploit that ultimately drops a JavaScript web shell for backdoor access and data extraction. This progression from deploying Kinsing malware for cryptojacking to actively seeking CSP credentials indicates an enhanced threat to cloud-native environments. The security community is urged to follow this development closely, as it may herald a new wave of sophisticated cloud-targeted attacks.
READ THE STORY: THN
Personal Data of Millions, Including GRU Agents, Leaked Amidst Russia-Ukraine Cyber Warfare
Bottom Line Up Front (BLUF): Rosgosstrakh, Russia's second-largest insurance firm, has suffered a significant cybersecurity breach. An anonymous hacker, known as "Apathy," is selling over 400GB of stolen sensitive data, including the personal information of Russian military intelligence agents.
Analyst Comments: The compromised data contains extensive personal and financial details dating back to 2010, impacting millions of individuals. Sensitive information about 730,000 individuals, including Russian Social Security Numbers and bank routing information, is at risk. The sale of this data, especially that pertaining to GRU agents, underscores the multifaceted risks of cyber warfare where financial gain intersects with geopolitical tensions.
FROM THE MEDIA: In the shadow of the Russia-Ukraine conflict, the cyberattack on Rosgosstrakh exposes vulnerabilities in even the most established organizations. The breach's scope and the inclusion of data on GRU agents amplify the incident's seriousness, potentially affecting national security and international relations. The incident serves as a stark reminder of the pervasive threat of cyberattacks and the importance of robust cybersecurity measures.
READ THE STORY: HackRead
DOE and Argonne Laboratory Spearhead Cybersecurity Exercise for Students Amidst Increasing Threats
Bottom Line Up Front (BLUF): The Department of Energy (DOE), in conjunction with the Argonne National Laboratory, is conducting the ninth CyberForce Competition—a cybersecurity simulation where student teams defend a distributed energy resources (DER) management company against cyberattacks. This initiative aligns with the Biden administration's commitment to a secure transition to clean energy and aims to bridge the workforce gap in the cyber defense sector.
Analyst Comments: With over 100 student teams participating, the CyberForce Competition emphasizes practical skills in cybersecurity for the energy sector, specifically targeting the resilience of DERs such as solar panels and electric vehicle chargers. The event underscores the urgency to develop a skilled workforce capable of safeguarding critical energy infrastructure. Given the significant projected growth of DERs and their integration into the national grid, ensuring that new market entrants can protect against cyber threats is paramount. The Biden administration's recent investment and the DOE's report on DER vulnerabilities highlight the strategic importance of developing secure-by-design technologies and fostering a capable cyber workforce.
FROM THE MEDIA: The CyberForce Competition provides a platform for students to experience real-world cyber defense scenarios, focusing on the emerging market of DERs—a critical component of the nation's clean energy strategy. The competition's unique approach, which balances technical prowess with system usability during cyberattacks, aims to prepare the next generation of cybersecurity professionals for the challenges ahead. As threats to critical infrastructure persist, exercises like CyberForce are crucial in advancing the national dialogue on cybersecurity and workforce development, ensuring that the energy sector remains resilient against the evolving landscape of cyber threats.
READ THE STORY: CyberScoop
Huawei's Pivotal Role in Boosting Nigeria's ICT Sector
Bottom Line Up Front (BLUF): Huawei Technologies Company Nigeria Limited has become a cornerstone in Nigeria's quest to cultivate a robust Information and Communication Technology (ICT) workforce, critical for the country's digital transformation.
Analyst Comments: Despite Nigeria's impressive $75.6 billion investment in telecommunications and a 15% contribution to GDP from this sector, the nation faces a talent drain, with over 2,000 ICT professionals emigrating in 2022 alone. To counter this trend, Huawei has launched various initiatives, training over 50,000 Nigerians in ICT. These initiatives range from E-Government training for civil servants to annual technology and cultural exchanges for students in China. Additionally, Huawei's ICT Competition has become a global platform for Nigerian students to showcase their technological prowess, contributing to the nation's reputation as a hub of ICT talent.
FROM THE MEDIA: Huawei's commitment extends to a "Three-Year Plan, Thirty Thousand People" project, aiming to mitigate the local ICT skills shortage and strengthen the talent pool. Their efforts are in tandem with national aspirations to enhance the digital economy and leverage technology for sustainable growth. Recent memorandums of understanding with educational institutions further solidify Huawei's dedication to Nigeria's digital future, demonstrating their long-term investment in the nation's human capital.
READ THE STORY: The Guardian
Ace Hardware Grapples with Major Cyberattack Impacting Over a Thousand Devices
Bottom Line Up Front (BLUF): Ace Hardware has confirmed a significant cyberattack affecting 1,202 devices and 196 servers, disrupting key IT systems and halting order placements. As the company strives to restore operations, it warns of phishing attempts exploiting the breach.
Analyst Comments: The cyberattack on Ace Hardware has resulted in a substantial operational disruption, as crucial systems for managing warehouses, orders, and customer rewards are currently suspended. Ace Hardware, a cooperative with over 5,700 shops globally, is experiencing halted deliveries and order processing, urging retailers to avoid placing new orders. Despite efforts to restore systems, with 51% of servers back online, the situation remains dynamic, with ongoing challenges in accurately conveying updates. Cybercriminals are taking advantage of the situation, targeting retailers with phishing scams, further complicating recovery efforts.
FROM THE MEDIA: Ace Hardware's recent cyberattack has led to widespread IT system interruptions, impacting store operations across their vast network. The cooperative is actively working with IT experts to bring systems back online and has made progress in server restoration. However, the company faces a complex recovery process, underscored by additional threats from opportunistic cybercriminals. Ace Hardware emphasizes the malicious nature of the attack and reassures its commitment to overcoming these adversities, framing the situation as a battle between good and evil.
READ THE STORY: BleepingComputer
Items of interest
Major Data Breach Strikes The Hilb Group: Tens of Thousands Affected
Bottom Line Up Front (BLUF): The Hilb Group has issued a warning to over 81,000 individuals regarding a significant data breach, where unauthorized access to employee email accounts led to the possible theft of sensitive personal information.
Analyst Comments: Upon discovering unauthorized access in January, The Hilb Group confirmed that the breach occurred between December 2022 and January 2023. The exposed information potentially includes names, Social Security numbers, and extensive financial data, revealing a critical vulnerability in the company’s data security measures. The delay in both the detection and subsequent notification to the affected individuals raises concerns about the company’s incident response efficiency and transparency.
FROM THE MEDIA: After detecting suspicious activity in their systems, The Hilb Group's investigation, aided by a third-party firm, determined the timeframe of the breach and the nature of the data compromised. Completing their review by late July, the firm took months to notify the individuals at risk, only beginning to issue notices in October. In response to the breach, The Hilb Group has implemented additional security measures and offered credit monitoring services to those impacted. The company's management of the breach will likely remain under close examination as they work to rebuild trust and secure their systems.
READ THE STORY: The Register
Teenage Credit Card Scammers Stealing From the Rich (Video)
FROM THE MEDIA: We chat to a young credit card scammer who has been "deetsing" – buying account details online to purchase whatever he wants without the account holder's knowledge or consent.
Miami’s Darklord of Credit Card Scams (Video)
FROM THE MEDIA: At 26 years old, John Boseak was one of the most prolific manufacturers of counterfeit credit cards in the international cybercrime industry. He went from a homeless kid on the streets of Miami at 14 years old to one of the most cunning scammers, counterfeiters, identity thieves, and escape artists ever. He was even selling credit cards to the Russian mob at one point.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.