Daily Drop (646): Baidu: Huawei Chips, CN: TJS-10, CN: CNO, ICE Security Exposed, CN: Online Anonymity, DBS: Citibank Attack, Jupyter: Malware, Baltic Pipeline Sabotage, Digital Frontline: Israel-Hamas
11-07-23
Tuesday, Nov 07, 2023 // (IG): BB // The Leek Sino-Satire // Coffee for Bob
Baidu's Strategic Turn: Choosing Huawei Over Nvidia for AI Chip Supply
Bottom Line Up Front (BLUF): Chinese tech giant Baidu has placed an order for Huawei's AI chips, signifying a strategic pivot toward domestic suppliers in the wake of tightened US export controls.
Analyst Comments: This development is a clear response to the US government's restrictions on exports to China, particularly concerning advanced chip technology from companies like Nvidia. The order, consisting of 1,600 Huawei Ascend 910B AI chips, highlights a significant shift in the sourcing strategy of Baidu, which is preparing for a future where access to Nvidia's chips may be restricted. With this move, Baidu is not only securing its supply chain but also supporting the growth of China's burgeoning semiconductor industry.
FROM THE MEDIA: Baidu's recent AI chip order from Huawei, estimated at around 450 million yuan ($61.83 million), represents a strategic move to reduce reliance on Nvidia amid escalating US-China tech tensions. While Huawei's Ascend chips are considered less advanced than Nvidia's, they are currently the most sophisticated option within China. This shift could herald a broader trend among Chinese technology firms towards domestic chipmakers and away from American suppliers. The order also underscores Huawei's ongoing efforts to penetrate the AI chip market, leveraging national industry support and overcoming challenges posed by US sanctions.
READ THE STORY: Reuters
China's TJS-10 Mission: Expanding Horizons in Geostationary Orbit
Bottom Line Up Front (BLUF): China has successfully launched the TJS-10 satellite, intended for communication technology experimentation in geostationary orbit, marking another stride in the nation's space endeavors and raising questions about the satellite's undisclosed capabilities.
Analyst Comments: The TJS-10 launch via a Long March 7A rocket signifies China's continuous push into space technology, with the satellite positioned to transition into a geostationary belt above Earth. Despite official reports stating the satellite's purpose for high-speed communication experiments, the lack of detailed public information fosters speculation about potential multifaceted functionalities, including signals intelligence and missile early warning systems. This launch aligns with China's ambitious space mission agenda, planning to deploy over 200 spacecraft in the upcoming year.
FROM THE MEDIA: China's TJS-10 satellite, part of a series with somewhat opaque missions and capabilities, has successfully launched, set to join the geostationary orbit—a key vantage point for Earth observation and communication. This step reflects China's sustained commitment to establishing a more prominent presence in space, with the TJS series possibly playing a multifunctional role in the nation's space strategy. The continued development and deployment of these satellites underscore China's objectives to enhance its communication technology and secure a foothold in the strategic domain of space.
READ THE STORY: BP
The Evolution of Chinese Cyber Capabilities
Bottom Line Up Front (BLUF): Chinese state-sponsored cyber operations have undergone a significant transformation, marked by sophisticated exploitation of zero-day and known vulnerabilities, strategic targeting, and advanced operational security measures. This evolution positions China as a formidable global cyber power, with implications for international security and cyber defense strategies.
Analyst Comments: Over the last five years, China's cyber-espionage efforts have become more discreet and focused, shifting from widespread IP theft to targeting specific strategic, economic, and geopolitical interests. This shift has been influenced by internal military restructuring, regulatory changes, and external scrutiny from Western governments and security entities. The adoption of novel vulnerabilities, especially in public-facing devices, necessitates a defense strategy beyond vulnerability management to include the detection of lateral movement and persistent threats. China's emphasis on operational security, use of anonymization networks, and exploitation of public-facing appliances underscores the sophistication of its cyber operations.
FROM THE MEDIA: China's cyber operations have evolved into a stealthier and more targeted threat, focusing on strategic economic and geopolitical goals rather than indiscriminate IP theft. This change reflects both a response to external pressures and internal policy shifts, resulting in more sophisticated, harder-to-detect cyber threats. With a significant investment in offensive cyber operations, China's capabilities in espionage and information warfare are reaching new heights, necessitating a reassessment of cyber defense strategies worldwide. The use of shared capabilities across various groups indicates a coordinated effort to maximize the impact of these operations. The global community must adapt to this heightened threat by enhancing defensive measures, especially for critical infrastructure and sensitive sectors.
READ THE STORY: Recorded Future
ICE Device Security Failings: A Call for Stringent Measures
Bottom Line Up Front (BLUF): The U.S. Department of Homeland Security's Inspector General has identified severe security lapses in the mobile device management of ICE, exposing sensitive government data to the risk of espionage and cyber attacks by foreign entities.
Analyst Comments: The audit conducted between April and August revealed that ICE agents installed thousands of unauthorized personal applications and VPNs on their official devices, many of which could be susceptible to exploitation by foreign adversaries, including those linked to China and Russia. Despite ICE's quick action to address identified vulnerabilities, the presence of such applications points to a need for more robust and regularly updated security policies.
FROM THE MEDIA: The findings by the DHS Office of the Inspector General paint a worrying picture of ICE's device security practices, raising alarms about the potential for sensitive data to fall into the hands of foreign spies. The report underscores an urgent need for comprehensive policy overhaul and enforcement, as well as continuous monitoring and management of mobile devices within federal agencies. ICE's commitment to improving its digital security posture is a positive step, but ongoing vigilance and action are essential to protect against the ever-evolving cyber threats.
READ THE STORY: The Register
China's Crackdown on Online Anonymity
Bottom Line Up Front (BLUF): China's recent mandate for prominent social media influencers to disclose their real names marks a significant policy shift, aiming to curtail anonymous influence and tighten state control over public discourse.
Analyst Comments: The directive issued on November 1 by major Chinese platforms like Weibo, WeChat, Douyin, and Bilibili targets "Big V" accounts, which have been influential in shaping public opinion. This move aligns with Beijing's broader strategy of surveillance and control, reflecting a growing unease with the platform these influencers command. The policy potentially exposes users to doxxing, raising privacy and safety concerns. While the regulation currently affects users with over half a million followers, there is apprehension that it might extend to those with smaller followings.
FROM THE MEDIA: As China reinforces its regulations on online anonymity, the digital space for personal expression narrows, particularly for social media users with substantial followings. The simultaneous announcement by key social media platforms suggests a coordinated effort to align with the Chinese government's vision of a more regulated and transparent internet. This crackdown could significantly impact online discourse, stifle dissent, and increase self-censorship among users, fundamentally altering the landscape of China's social media engagement.
READ THE STORY: Newsweek
Sabotage in the Baltic Sea: A Multimillion-Dollar Enigma
Bottom Line Up Front (BLUF): The Balticconnector pipeline sabotage, alongside similar incidents affecting undersea cables, has sparked a high-stakes investigation with significant financial and geopolitical implications, particularly for insurers grappling with the classification of these events as potential acts of war.
Analyst Comments: The recent sabotage of critical infrastructure in the Baltic Sea has prompted a complex international investigation to uncover the responsible parties. The involvement of the vessel NewNew Polar Bear, with its connections to Russian and Chinese state enterprises, is under scrutiny. Insurers are closely monitoring the situation due to the potential reclassification of insurance claims, contingent on whether these acts are attributed to state actors, which could render standard insurance policies void under "act of war" exclusions. This predicament is exacerbated by the evolving nature of warfare, where non-military acts of aggression challenge traditional understandings and legal definitions of war.
FROM THE MEDIA: The sabotage of the Balticconnector pipeline, valued at €187 million and insured for €50 million, raises the stakes for insurers and insured entities, setting a precedent for future incidents involving non-military tactics. The outcome of this investigation will have far-reaching consequences, affecting the interpretation of insurance contracts and the broader international legal framework governing acts of aggression. As the lines between state and non-state actions blur, the need for clarity in distinguishing acts of war from other forms of sabotage becomes increasingly critical.
READ THE STORY: FP
Analysis of Digital Warfare in the Israel-Hamas Conflict
Bottom Line Up Front (BLUF): The Israel-Hamas conflict has underscored the seamless integration of cyber warfare into traditional combat, challenging the distinction between physical and digital battlegrounds. The situation necessitates a reevaluation of international cyber warfare guidelines.
Analyst Comments: As Israel and Hamas navigate a terrain of both physical barriers and cyber defenses, the conflict reveals the depth of cyber combat's integration into modern warfare. With Israel’s advanced cyber capabilities and Hamas’s alleged use of low-tech and sophisticated digital tools, both sides demonstrate the strategic importance of cyber operations. The engagement of multiple hacktivist groups further complicates the scene, making attribution difficult and revealing the shortcomings of current frameworks in governing cyber conflict.
FROM THE MEDIA: The current conflict between Israel and Hamas extends beyond the physical realm into the complexities of cyber warfare, where both state and non-state actors engage in espionage, disinformation, and digital attacks on infrastructure. With advanced surveillance and cyber defense mechanisms at play, and the involvement of external hacktivist groups, this digital frontline showcases the challenges of attributing cyberattacks and the urgent need for internationally recognized rules of cyber engagement. As the conflict persists, it becomes clear that the repercussions of cyber warfare will likely outlast any ceasefire, with the potential to affect regional security long-term. The blurred lines between physical and cyber attacks necessitate a revision of international laws to address the novel challenges posed by digital warfare.
READ THE STORY: Inkstickmedia
Jupyter Infostealer Evolves with Stealthier Techniques
Bottom Line Up Front (BLUF): An enhanced version of Jupyter Infostealer has been identified, exhibiting advanced methods to maintain a low profile on infected systems and posing increased challenges to cybersecurity defenses.
Analyst Comments: VMware Carbon Black researchers have uncovered a new iteration of the Jupyter Infostealer malware, now employing improved stealth tactics. The malware uses PowerShell command modifications and digitally signed certificates to masquerade as legitimate software. These updates highlight a trend in stealer malware evolution, where features like loaders and randomized builds become common, potentially leading to more serious second-stage attacks such as ransomware. This evolution emphasizes the continuous arms race in cybersecurity, with attackers consistently refining their tools to evade detection.
FROM THE MEDIA: The cybersecurity landscape is witnessing the rapid evolution of Jupyter Infostealer, a malware known for its credential harvesting and data exfiltration capabilities. Its latest version showcases sophisticated measures to establish persistence on victim machines by leveraging PowerShell and digital certificates to appear genuine. This advancement is indicative of a broader trend where stealer malware is becoming increasingly accessible and adaptable, allowing even less technically skilled actors to launch potent cyberattacks. With the emergence of new threats like the Socks5Systemz botnet and the continuous improvements in existing malware like Lumma Stealer and Mystic Stealer, the need for robust cybersecurity measures and awareness has never been more critical.
READ THE STORY: THN
Operational Disruption at DBS and Citibank: A Case of Overheating Data Centers
Bottom Line Up Front (BLUF): The Monetary Authority of Singapore (MAS) has reported that technical issues with the data center cooling systems used by DBS and Citibank were the primary cause of extensive outages that disrupted 2.5 million transactions.
Analyst Comments: The outages, which occurred on October 14, 2023, were triggered by overheating in the Equinix data center due to a cooling system malfunction. The subsequent rise in temperatures led to both banks' systems going offline, resulting in a two-day halt of online banking services. This failure directly affected 810,000 attempts to access banking platforms and stopped 2.5 million payment and ATM transactions, highlighting the fragility of highly digital financial systems in the face of infrastructural failures.
FROM THE MEDIA: The recent outages at DBS and Citibank, caused by cooling system failures at an Equinix data center, have exposed significant weaknesses in the banks' IT disaster recovery and business continuity plans. With both banks experiencing additional technical setbacks that impeded system recovery at backup data centers, the MAS concluded that their IT system resiliency fell short of regulatory standards. Consequently, MAS has imposed stringent penalties on DBS, including a temporary ban on business expansion and increased risk-weighted assets for operational risk. This incident serves as a stark reminder of the importance of robust and redundant systems, especially as extreme weather events become more common worldwide. It also underscores the critical need for diversified payment options to maintain economic stability during digital service interruptions.
READ THE STORY: The Register
ByteDance's VR Arm Pico to Undergo Major Restructuring Amid Sluggish Market
Bottom Line Up Front (BLUF): ByteDance is set to significantly restructure its VR subsidiary Pico due to a slowdown in the virtual reality market. This move marks the largest organizational change for Pico since ByteDance's acquisition in 2021, with a focus on realigning the division's strategy amid optimistic market growth estimates that have not materialized as expected.
Analyst Comments: The decision follows an optimistic overestimation of market growth, leading to a recalibration of Pico’s focus from software to hardware and core technology development. This shift indicates a reevaluation of Pico's role in ByteDance’s broader strategy, potentially moving away from direct competition with Meta's Quest VR line.
FROM THE MEDIA: In response to declining VR headset sales, ByteDance is downsizing its VR arm, Pico, impacting 'hundreds' of jobs as it merges much of the software team back into its own product development division. Despite the reorganization, ByteDance affirms a long-term commitment to VR, suggesting a continued but recalibrated investment in the technology. This move comes as a strategic pivot amidst a challenging period for the VR industry, which has seen a 44.6% decrease in headset shipments year-on-year.
READ THE STORY: Reuters
Escalating Cyber Warfare: Iran-linked Hackers Target Israeli Entities
Bottom Line Up Front (BLUF): Iranian state-backed hackers, known as Agonizing Serpens, have intensified cyberattacks against Israeli education and technology sectors by deploying new destructive malware aimed at data destruction and sowing discord.
Analyst Comments: Amid the ongoing conflict with Hamas, Israeli organizations face cyber threats from Iranian hackers employing sophisticated malware. These attacks, primarily targeting educational and technological institutions, signify an aggressive campaign to compromise sensitive information and disrupt normal operations. The deployment of new wipers, like MultiLayer Wiper and BFG Agonizer Wiper, alongside the Sqlextractor tool, indicates a focused intent to obliterate data and undermine Israel's cyber resilience. This tactic aligns with the broader pattern of state-sponsored cyber activities seeking strategic advantages or geopolitical influence.
FROM THE MEDIA: The emergence of destructive cyber campaigns by Agonizing Serpens against Israeli targets during heightened geopolitical tensions showcases the evolving nature of cyber warfare. With the group's origins tracing back to 2020 and its history of wiper and fake ransomware attacks, the current wave of aggression seeks to cause irreversible data loss and operational disruption rather than financial gain. This strategy reflects a shift in cyber warfare tactics, where the infliction of fear and reputational harm through the dissemination of stolen data becomes a weapon in itself. Given the strategic deployment of these attacks amidst the Israeli-Palestinian conflict, the cyber realm is increasingly recognized as a critical battleground in modern warfare, necessitating vigilant and robust defensive measures.
READ THE STORY: The Record
Automation, Affiliates, and Telegram Bots Fuel Cybercrime Surge
Bottom Line Up Front (BLUF): Classiscam, a Russia-based scam-as-a-service operation, has significantly expanded its reach globally, leveraging Telegram bots and a refined affiliate system to automate scams and facilitate the spread of fake classified ads, impacting numerous brands and banking institutions across 79 countries.
Analyst Comments: Group-IB's cybersecurity research reveals Classiscam's growing complexity and sophistication, as well as its sustained growth trajectory during the COVID-19 pandemic. This scam operation has advanced its organizational hierarchy, specialized roles, and technical capabilities, enabling a seamless execution of phishing schemes that mimic legitimate brands and banking websites. Classiscam's modus operandi hinges on the automated creation of phishing sites, exploitation of victims through social engineering, and a system that allows for profit sharing among affiliates and developers, demonstrating a low entry barrier but high efficiency and impact.
FROM THE MEDIA: The Classiscam operation has emerged as a dominant force in the cybercrime landscape, characterized by its innovative use of Telegram bots to automate scams and recruit affiliates worldwide. The scam employs a range of deceptive tactics, from fake ads to sophisticated phishing websites, ensnaring victims by offering too-good-to-be-true deals and then harvesting personal and financial data. To combat such threats, consumers must exercise caution by maintaining transactions within official platforms, verifying seller credibility, and adopting secure online practices. The scheme's expansion and technical advancement serve as a stark reminder of the evolving nature of cyber threats and the need for continuous vigilance in digital spaces.
READ THE STORY: Gear Rice
South Korea Set to Launch First Indigenous Military Satellite Amid Rising Tensions
Bottom Line Up Front (BLUF): South Korea is poised to launch its first domestically built spy satellite by the end of November to enhance its independent surveillance capabilities over North Korea, which is concurrently attempting to expand its nuclear arsenal and develop its own reconnaissance satellites with alleged Russian assistance.
Analyst Comments: This strategic move by South Korea is a significant step toward self-reliance in military surveillance and a response to the growing security challenges posed by North Korea's weapons programs. By leveraging SpaceX's Falcon 9 rocket for the launch, South Korea aims to deploy a total of five military reconnaissance satellites by 2025, moving away from dependence on U.S. satellite intelligence. The initiative underscores an evolving defense posture that integrates space-based assets into South Korea's 'three-axis' defense system, potentially transforming the regional security dynamics.
FROM THE MEDIA: The announcement of South Korea's first military spy satellite launch comes at a time of heightened military activity on the Korean Peninsula. While South Korea's 2022 satellite launch demonstrated its space capabilities, the upcoming deployment from Vandenberg Air Force Base represents a strategic shift to an indigenous and real-time surveillance system. Meanwhile, North Korea's repeated failures to launch its own satellite and its alleged pursuit of Russian support highlight the ongoing arms race in the region. Both Koreas' advancements in satellite technology and reconnaissance capabilities signify a new frontier in their longstanding rivalry, with significant implications for regional stability and international security.
READ THE STORY: C4ISR
SpaceX’s Starlink Secures Mexico Rural Internet Contract
Bottom Line Up Front (BLUF): Starlink, SpaceX’s satellite internet division, has successfully obtained a significant contract from Mexico’s Comisión Federal de Electricidad (CFE) to provide rural internet services through December 2026, showcasing competitive pricing and strategic market positioning.
Analyst Comments: Starlink’s win, valued at between 887.5 million and 1.8 billion Mexican pesos, is a testament to the competitive edge the service offers in terms of pricing and infrastructure capabilities. The contract aligns with Mexico’s initiative to enhance internet access in rural regions, while for SpaceX it represents a consolidation of its global satellite internet footprint. Moreover, this development indicates a growing recognition of satellite internet as a viable solution for connectivity challenges in remote areas, which could set a precedent for future contracts in other regions.
FROM THE MEDIA: The recent contract acquisition by Starlink marks a pivotal moment for SpaceX as it continues to expand its satellite internet services internationally. The deal, which is poised to last until the end of 2026, not only underscores Starlink’s competitive pricing model but also its potential to significantly impact rural internet access. This strategic win for SpaceX comes amidst a broader landscape where tech giants and startups alike are vying for dominance in the evolving space of artificial intelligence and advanced communication technologies. As SpaceX anticipates increased revenues and sets ambitious targets for the coming years, its foray into the global market with projects like Starlink could herald a new era of connectivity and technological integration.
READ THE STORY: Yahoo Finance
Atlassian and Apache Vulnerabilities Under Active Exploit by Ransomware Groups
Bottom Line Up Front (BLUF): Cybersecurity experts have raised the alarm regarding ransomware groups that have started to exploit recent vulnerabilities in Atlassian Confluence and Apache ActiveMQ. These exploits are facilitating unauthorized activities, including data loss and the deployment of Cerber ransomware.
Analyst Comments: Rapid7's observation of active exploitation of critical flaws (CVE-2023-22518 and CVE-2023-22515) in customer environments is a concerning development, leading Atlassian to update its advisory to the maximum severity score of 10.0. The exploitation attempts seem to be orchestrated from various global locations, signaling a coordinated effort by multiple threat actors to leverage these vulnerabilities. This situation underscores the imperative need for organizations to expedite the patching process and secure their systems against these high-risk exploits.
FROM THE MEDIA: The cybersecurity landscape is witnessing a surge in ransomware attacks, with adversaries now actively exploiting known vulnerabilities in widely used software like Atlassian Confluence and Apache ActiveMQ. The exploitation of these vulnerabilities can result in the creation of unauthorized administrator accounts and subsequent ransomware deployment, posing significant risks to data integrity and system security. Organizations must remain vigilant, update their systems promptly, and enforce robust cybersecurity measures to mitigate the risk of such attacks. The cybersecurity community continues to monitor and respond to these threats as they evolve.
READ THE STORY: THN
Unregulated Data Broker Market Threatens Military Personnel Privacy and Safety
Bottom Line Up Front (BLUF): The sale of highly sensitive personal information on American military service members by data brokers poses a significant threat to individual privacy and national security. Researchers at Duke University have highlighted the ease with which this data can be acquired, emphasizing the urgent need for legislative action to regulate the industry.
Analyst Comments: The current state of the data broker industry presents a clear and present danger to the security of U.S. service members. The research conducted by Duke University's Sanford School of Public Policy reveals that for a minor cost, detailed personal data of military personnel can be obtained with minimal verification of the buyer's identity. This data includes health, financial, and personal information that could potentially be used by hostile entities to compromise or blackmail service members.
FROM THE MEDIA: The study by Duke University underscores the perils of an unregulated data broker market, where sensitive information pertaining to U.S. military personnel is readily available for purchase. The implications of this practice extend beyond privacy violations, potentially endangering the lives and operational security of service members and their families. The findings call for immediate action from Congress to curtail the unchecked sale of such data and protect the national security interests of the United States.
READ THE STORY: The Record
Items of interest
WinRAR Vulnerability Exploited by Pakistani-Linked Cyber Threat Actor
Bottom Line Up Front (BLUF): SideCopy, a cyber threat actor with ties to Pakistan, has been exploiting a security flaw in WinRAR to conduct targeted attacks on Indian government entities. These sophisticated campaigns aim to deploy various remote access trojans, signaling an alarming escalation in cyber espionage activities.
Analyst Comments: The recent discovery of SideCopy's operations by SEQRITE highlights the group's continued focus on Indian and Afghan targets, with possible connections to the Transparent Tribe (APT36). By leveraging a WinRAR vulnerability (CVE-2023-38831), the threat actor has not only compromised Windows systems but has also targeted Linux systems, which are increasingly used in the Indian government and defense sectors. This strategic targeting, along with the deployment of multiple trojans capable of stealing sensitive information and gaining remote access, poses a severe threat to the security of critical government infrastructure.
FROM THE MEDIA: The ongoing cyber espionage campaigns by SideCopy represent a complex threat landscape for Indian government organizations. With the exploitation of a critical WinRAR vulnerability and the use of sophisticated trojans like AllaKore RAT, Ares RAT, and DRat, the attackers have demonstrated a high level of adaptability and malicious intent. The ability to target both Windows and Linux systems shows a calculated response to shifts in technology deployment by government entities. The need for robust cybersecurity measures and the rapid patching of known vulnerabilities is more critical than ever to thwart such targeted cyber threats.
READ THE STORY: THN
SideCopy malware campaigns (Video)
FROM THE MEDIA: Guest Asheer Malhotra, Threat Researcher of Cisco Talos Intelligence Group, joins Dave to discuss his team's research "InSideCopy: How this APT continues to evolve its arsenal." Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT.
Operation Clairvoyance: How APT Groups Spy on the Media Industry (Video)
FROM THE MEDIA: Cyber espionage actors have demonstrated great interest in the media industry. These actors seem to like to see Taiwan's daily activities through the "eyes" of these media companies and journalists. During Taiwan's intense 2022, we saw more and more Advanced Persistent Threat (APT) groups infiltrate Taiwan's media industry. In our observation, the media has become the first non-government target of those APT groups.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.