Daily Drop (649): ICBC: LockBit, IMPERIAL KITTEN: IRGC, US & CN: AI, Ransomed.vc, Intel: AVX Chip, Nvidia: CHIPS GPU, RedLine Stealer: Malvert, Milomir Desnica, Kamran Spyware, MOIS & IRGC: Israel
11-10-23
Friday, Nov 10, 2023 // (IG): BB // The Leek Sino-Satire // Coffee for Bob
Cyber Siege on ICBC: Disruption in the U.S. Treasury Market
Bottom Line Up Front (BLUF): A ransomware attack targeting ICBC Financial Services, the U.S. subsidiary of China's largest bank, disrupted transactions in the U.S. Treasury market. This incident underscores the vulnerability of major financial institutions to cyber threats and raises questions about the resilience of critical financial infrastructure.
Analyst Comments: The attack, attributed to the LockBit ransomware group, significantly impacted the settlement of Treasury trades and other financial transactions. It reveals a concerning trend of rising cyber attacks on key financial services. The incident not only disrupted ICBC Financial Services' operations but also had a ripple effect across the market, affecting liquidity and trade rerouting. The situation was further complicated by reports of other major entities, such as law firm Allen & Overy, also falling victim to ransomware attacks. This series of events illustrates a growing sophistication in cybercriminal tactics and a pressing need for enhanced cybersecurity measures in the financial sector.
FROM THE MEDIA: The ransomware attack began on a Wednesday, paralyzing ICBC FS's systems and preventing the settlement of Treasury trades and some equity transactions. This led market participants, including hedge funds and asset managers, to reroute their trades. Despite the disruptions, ICBC FS managed to clear U.S. Treasury and repo financing trades executed on subsequent days. The incident, which was reportedly executed using LockBit 3.0 software, was significant enough to draw attention from the U.S. Treasury Department and raised concerns about the potential impact on the liquidity of U.S. Treasuries. This attack is part of a broader trend of increasing cyber threats, especially in the financial sector, which has traditionally invested heavily in cybersecurity. The response from ICBC and the broader financial community highlights ongoing challenges in defending against and responding to sophisticated cyber attacks.
READ THE STORY: FT // Reuters // The Record
Cyber Espionage Escalates: Iranian Group Targets Middle East Tech
Bottom Line Up Front (BLUF): An Iranian-linked cyber group, Imperial Kitten, is escalating cyber-attacks targeting the transportation, logistics, and technology sectors in the Middle East, including Israel, signaling a marked increase in Iranian cyber activities amid regional tensions.
Analyst Comments: CrowdStrike attributes the recent surge in cyber attacks to Imperial Kitten, an Iranian group known for its strategic intelligence operations linked to the IRGC. This group, active since 2017, is notorious for its use of social engineering tactics, particularly job recruitment-themed content, to deliver custom .NET-based implants. The attacks leverage compromised websites, primarily Israeli, to profile visitors using bespoke JavaScript and exfiltrate information to attacker-controlled domains. Additionally, tactics such as phishing, exploitation of one-day vulnerabilities, and targeting IT service providers for initial access have been noted. Post-exploitation activities involve lateral movement and delivery of malware strains such as IMAPLoader and StandardKeyboard, along with a RAT that uses Discord for command and control.
FROM THE MEDIA: Imperial Kitten's October 2023 attacks marked a significant spike in Iranian cyber activities, especially after the onset of the Israel-Hamas war. The group employed strategic web compromises and phishing campaigns involving macro-laced Microsoft Excel documents. These activities led to the deployment of a Python-based reverse shell and other malware tools aimed at intelligence gathering. Microsoft's observations suggest that Iranian cyber activities at the war's onset have been more reactive and opportunistic, focusing on exaggerating the success of their network attacks and amplifying these claims through online propaganda. The situation is further compounded by the involvement of other Iran-linked groups, such as Arid Viper, targeting Arabic speakers with Android spyware, indicating a broader regional cyber threat landscape.
READ THE STORY: THN // The Record
The U.S.-China AI Arms Race: Navigating a New Era of Technological Rivalry
Bottom Line Up Front (BLUF): The Asia Society Policy Institute’s webinar series, “U.S.-China Generative AI Competition,” delves into the intensifying rivalry between the United States and China in the field of artificial intelligence (AI). This competition, extending beyond technological dominance to geopolitical and military implications, is dissected by experts from academia, industry, and policy.
Analyst Comments: The webinar aims to explore various facets of the U.S.-China AI competition, particularly in military AI advancements. Insights from leading experts like Paul Scharre of CNAS and Paul Triolo of Albright Stonebridge Group offer perspectives on China's progress in AI, the challenges and opportunities of AI adoption, and its global implications. The series will cover financial investments in AI, the impact of U.S. sanctions on Chinese AI firms, and evolving U.S. policies. The webinar will also address concerns over China's use of AI in surveillance and military contexts.
FROM THE MEDIA: Scheduled for November 29, the webinar is the third in a series focusing on the escalating AI rivalry between the U.S. and China. The series features discussions with top experts, including Paul Scharre, known for his work on autonomous weapons and AI in warfare, and Paul Triolo, an expert in Chinese technology policy. The session will examine the advancements in generative AI by significant players like OpenAI, Google, Baidu, Tencent, and Alibaba, and discuss the broader implications of this rivalry, especially its impact on global security. Lizzi C. Lee, an Affiliated Researcher at the Asia Society Policy Institute, will moderate the event, bringing her expertise as an economist and journalist. The webinar series is part of the Asia Society Policy Institute’s efforts to provide in-depth analysis and understanding of critical policy issues in Asia and the bilateral relationships with the United States.
READ THE STORY: Asia Society
Ransomed.vc Ransomware Gang Announces Shutdown Amidst Alleged Affiliate Arrests
Bottom Line Up Front (BLUF): Ransomed.vc, a ransomware gang known for its attacks on high-profile targets, has announced its shutdown following the arrest of six of its affiliates. The group, active since August, has been involved in various cybercriminal activities, including threatening victims with European data breach fines.
Analyst Comments: The sudden decision by Ransomed.vc to cease operations and dismiss its affiliates is a notable development in the cybersecurity landscape. The group's claim of shutting down due to affiliate arrests suggests increasing pressure and success from law enforcement agencies in combating cybercrime. However, the authenticity of these claims and the true reason behind the shutdown remain to be fully verified. The group's previous activities, including its recent interest in selling the entire operation, highlight the fluid nature of cybercriminal enterprises and the challenges in tracking and attributing ransomware attacks.
FROM THE MEDIA: Ransomed.vc's shutdown marks a significant moment in the ongoing battle against ransomware groups. The group's history of targeting major corporations and its recent attempts to sell its operation indicate a sophisticated level of organization within the cybercriminal community. The potential arrest of its affiliates and the group's subsequent disbandment could signify a turning point in international efforts to deter cybercrime. However, the possibility of rebranding or resurfacing under a different guise remains a concern. This development underscores the importance of continued vigilance and international cooperation in tackling the evolving threat of ransomware.
READ THE STORY: The Record
Lawsuit Claims Intel Ignored Known AVX Chip Vulnerability, Resulting in Billions of Insecure Processors
Bottom Line Up Front (BLUF): Intel faces a lawsuit from PC buyers over its alleged failure to address a known vulnerability in its AVX instruction set. This flaw, part of the broader Downfall vulnerability, reportedly left billions of chips insecure and was only patched years later with a fix that significantly reduced performance.
Analyst Comments: The lawsuit alleges that Intel was aware as early as 2018 of the vulnerabilities in its Advanced Vector Extensions (AVX) instruction set, which could be exploited through side-channel attacks similar to the notorious Spectre and Meltdown flaws. Despite this knowledge, Intel is accused of continuing to sell billions of insecure chips without addressing the defect. The issue came to a head with the public disclosure of the Downfall vulnerability in 2023, affecting Intel Core processors from the 6th to the 11th generation. The lawsuit contends that Intel's eventual patch, while mitigating the vulnerability, also leads to a performance reduction of up to 50%, impacting a wide range of applications from gaming to professional software.
FROM THE MEDIA: The Downfall vulnerability exposes a significant flaw in speculative execution—a technique used by CPUs to enhance performance—allowing potential attackers to access sensitive data. This vulnerability is part of a series of side-channel vulnerabilities that have plagued Intel since the 2018 Spectre and Meltdown disclosures. The lawsuit, filed in San Jose, California, references third-party vulnerability reports and a social media post by hardware enthusiast Alexander Yee as evidence that Intel was aware of the flaw. The plaintiffs argue that Intel should have secured its AVX instructions in 2018, but failed to do so, leading to the discovery of the Downfall vulnerability five years later. The case raises serious concerns about Intel's handling of security vulnerabilities and the implications for consumers and businesses relying on their technology.
READ THE STORY: The Register
Nvidia Navigates New US-China Trade Waters with Sanction-Compliant GPUs
Bottom Line Up Front (BLUF): Nvidia, in a quick response to the Biden administration's stringent export controls on AI accelerators to China, is set to release new GPUs designed to comply with these restrictions. These GPUs, potentially outperforming current models in specific tasks, highlight the rapid adaptation of tech companies to evolving geopolitical landscapes.
Analyst Comments: Nvidia's upcoming GPUs, including the H20, L20, and L2, are reportedly designed to perform within the boundaries set by the new US export rules to China. These rules, focusing on limiting the performance density and interconnect bandwidth of AI accelerators, aim to restrict the use of advanced American-designed AI technologies in China. Nvidia's move indicates a strategic pivot to maintain its market presence in China while adhering to US regulations. This development underscores the ongoing tech rivalry between the US and China and the challenges faced by global tech companies in navigating these geopolitical tensions.
FROM THE MEDIA: The Biden administration's recent export controls on AI accelerators significantly impacted Nvidia, prompting the company to adapt its product line to meet these new constraints. The upcoming GPUs, set to be announced after the full enforcement of the export restrictions, demonstrate Nvidia's agility in adjusting to regulatory changes. These GPUs, although offering lower FLOPS compared to their high-end counterparts, are engineered to provide enhanced performance in specific AI tasks like inferencing on large language models. This approach of developing sanction-compliant chips reflects a broader trend among US tech companies, including Intel and AMD, as they seek to balance compliance with market demands in a complex international trade environment.
READ THE STORY: The Register
Malvertising Menace: Fake Windows News Portals Spreading Malware
Bottom Line Up Front (BLUF): A sophisticated malvertising campaign has been discovered, utilizing fake Windows news portals to distribute malware-laden installers. This campaign targets popular utilities like CPU-Z, Notepad++, Citrix, and VNC Viewer, employing cloaking techniques to evade detection and trick unsuspecting users.
Analyst Comments: The campaign cleverly masquerades as a legitimate Windows news portal, duping users searching for legitimate software on search engines. The malicious ads redirect to a fake site, which serves a signed MSI installer that contains a PowerShell script and the FakeBat loader and ultimately deploys the RedLine Stealer malware. The use of cloaking ensures that unintended targets see an innocuous blog instead of the malicious content. This approach indicates a high level of sophistication and planning, suggesting the involvement of an organized cybercrime group.
FROM THE MEDIA: This malvertising campaign represents an evolving threat landscape where threat actors use increasingly deceptive methods to distribute malware. By mimicking a trusted Windows news portal and employing cloaking techniques, the attackers increase their chances of successfully tricking users into downloading malicious software. The campaign not only highlights the need for heightened awareness among internet users but also underscores the importance of robust cybersecurity measures. The involvement of malware like RedLine Stealer, known for stealing sensitive information, adds to the severity of this threat. This incident serves as a reminder of the persistent and evolving nature of cyber threats in the digital age.
READ THE STORY: THN
Milomir Desnica Admits to Running Major Narcotics Platform, Faces Life Imprisonment
Bottom Line Up Front (BLUF): Milomir Desnica, a 33-year-old Serbian national, has pleaded guilty to operating 'Monopoly Market,' a significant darknet platform for drug trafficking. The guilty plea comes as a major development in the ongoing global effort to combat illicit activities on darknet marketplaces.
Analyst Comments: Desnica's operation of Monopoly Market since late 2019 involved facilitating the sale of various drugs, including opioids and stimulants, with an estimated $18 million in narcotics sales worldwide. His arrest and extradition to the U.S. signify a substantial law enforcement success against darknet marketplaces. The takedown of Monopoly Market, which included seizing over $53.4 million in cash and virtual currencies and significant quantities of drugs, marks one of the largest actions against a darknet marketplace. Desnica's use of cryptocurrency exchange services for laundering proceeds illustrates the complex nature of modern digital drug trafficking operations.
FROM THE MEDIA: Desnica's guilty plea in the District of Columbia underscores the global reach of law enforcement in addressing darknet-based crime. His operation of Monopoly Market from Serbia, with sales extending to the U.S., demonstrates the transnational nature of darknet marketplaces. The case highlights the challenges and successes in combating digital drug trafficking and the growing role of cryptocurrencies in these illicit activities. Desnica's potential life imprisonment sentence reflects the severity of the charges and the seriousness with which such crimes are treated. This case adds to the narrative of ongoing efforts to disrupt illegal online marketplaces and bring their operators to justice.
READ THE STORY: The Record
Kamran Spyware Campaign Targets Urdu-Speaking Users in Gilgit-Baltistan
Bottom Line Up Front (BLUF): A new watering hole attack targeting Urdu-speaking users of the Gilgit-Baltistan region has been identified, using a regional news website to distribute a previously unknown Android spyware named Kamran. This campaign highlights the increasing use of regional and linguistic targeting in cyber espionage.
Analyst Comments: The attack, discovered by ESET, involves the use of the Hunza News website to prompt visitors to download a malicious Android app that masquerades as a legitimate application. The spyware has infected at least 20 devices since its appearance on the website between January and March 2023. Kamran is designed to harvest a wide range of sensitive information, including contacts, call logs, SMS messages, and location data, and uploads this data to a Firebase-hosted command-and-control server. This campaign's timing coincides with significant regional protests, suggesting a potential link to surveillance and intelligence-gathering motives.
FROM THE MEDIA: The Kamran spyware campaign represents a sophisticated and targeted cyber espionage operation. The use of a regional news website to lure victims is indicative of the attackers' understanding of local digital behaviors and their ability to exploit these behaviors for malicious purposes. The spyware's simplistic design, lack of remote control capabilities, and repetitive data transmission suggest a primary focus on gathering as much information as possible from the targeted individuals. This incident underlines the importance of vigilance when downloading apps from sources outside official app stores and the need for ongoing monitoring and analysis of regional cyber threats.
READ THE STORY: THN
New Entity PinnacleOne Strategic Advisory Group Formed to Enhance Global Cybersecurity Leadership and Expertise
Bottom Line Up Front (BLUF): Cybersecurity leader SentinelOne has announced the acquisition of the advisory firm Krebs Stamos Group, founded by Christopher Krebs and Alex Stamos. This strategic move aims to create PinnacleOne Strategic Advisory Group, a new entity focused on providing top-tier intelligence and risk management strategies in the cybersecurity landscape.
Analyst Comments: The acquisition of Krebs Stamos Group, known for its high-profile cybersecurity consulting services, marks a significant expansion for SentinelOne. Christopher Krebs, the first director of the U.S. Cybersecurity and Infrastructure Security Agency, and Alex Stamos, former Facebook Chief Security Officer, bring a wealth of experience and expertise to SentinelOne. Krebs will serve as chief intelligence and public policy officer, while Stamos will take on the role of chief trust officer. The formation of PinnacleOne signifies SentinelOne's commitment to adapting and responding to the evolving global business landscape through unparalleled intelligence and transformative risk management strategies.
FROM THE MEDIA: SentinelOne's move to acquire Krebs Stamos Group and establish PinnacleOne Strategic Advisory Group represents a significant development in the cybersecurity industry. This new venture is poised to provide valuable insights and advice to executives, helping them understand and navigate the complex threats they face in the modern digital world. The involvement of Krebs and Stamos in leadership roles underscores the group's potential to influence and shape cybersecurity practices and policies significantly. This development reflects the increasing importance of high-level expertise and strategic advice in the continuously evolving field of cybersecurity.
READ THE STORY: The Record
Iranian Cyberattacks on Israel Followed, Rather Than Coincided With, Hamas Assault
Bottom Line Up Front (BLUF): Microsoft's recent presentation at the CyberWarCon defense conference in Washington DC reveals that Iran's cyber activities related to the Israel-Hamas conflict were reactive and opportunistic, rather than coordinated with the Hamas attack on October 7.
Analyst Comments: Microsoft's analysis indicates that Iranian cyber groups affiliated with the Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC) became actively involved in cyberattacks against Israel 11 days after the onset of the ground conflict. These attacks, including at least two destructive cyberattacks targeting Israel's infrastructure, appear to have been more opportunistic than strategically planned in tandem with Hamas's actions. Additionally, Microsoft noted that the Iranian groups exaggerated the impact of these attacks, a common tactic in their information operations.
FROM THE MEDIA: This insight from Microsoft provides a nuanced understanding of the dynamics between cyber activities and physical conflicts. The timing and nature of the Iranian cyberattacks suggest a pattern of exploiting opportunities in the wake of existing conflicts rather than initiating coordinated cyber-offensives. The report also underscores the growing trend of integrating cyber warfare with information operations, particularly through the use of social media to amplify and distort the perceived impact of these activities. This analysis contributes to the broader understanding of state-sponsored cyber activities and their role in geopolitical conflicts.
READ THE STORY: The Register
Microsoft Identifies Active Exploitation of CVE-2023-47246 by Ransomware Distributors
Bottom Line Up Front (BLUF): The threat actor Lace Tempest, known for distributing the Cl0p ransomware, has been linked to exploiting a zero-day vulnerability in SysAid IT support software. Microsoft's recent findings highlight the ongoing threat posed by ransomware groups leveraging software vulnerabilities for malicious activities.
Analyst Comments: The identified vulnerability, tracked as CVE-2023-47246, is a path traversal flaw that could lead to code execution in on-premises installations of SysAid software. Lace Tempest's exploitation of this vulnerability involves delivering a malware loader for the Gracewire malware, followed by human-operated activities such as lateral movement, data theft, and ransomware deployment. This exploitation pattern underscores the advanced capabilities of Lace Tempest in utilizing software vulnerabilities for comprehensive cyber attacks.
FROM THE MEDIA: The exploitation of CVE-2023-47246 by Lace Tempest is part of a larger pattern of ransomware groups targeting vulnerabilities in widely-used software. SysAid has patched the vulnerability in version 23.3.36 of its software, but the exploitation highlights the importance of timely patch management and vigilant cybersecurity practices for organizations. The use of legitimate system tools by attackers for malicious purposes, as noted by the FBI, further complicates the detection and prevention of such threats. This incident serves as a reminder of the evolving tactics of ransomware groups and the need for continuous monitoring and updating of cybersecurity defenses.
READ THE STORY: THN
Items of interest
SETI Institute Receives $200M Bequest from Late Qualcomm Cofounder Franklin Antonio
Bottom Line Up Front (BLUF): The SETI Institute, a non-profit organization dedicated to the search for extraterrestrial intelligence, has received a transformative $200 million donation from the late Qualcomm co-founder Franklin Antonio. This bequest will significantly bolster the institute's research and development capabilities.
Analyst Comments: Franklin Antonio's bequest is nearly ten times the annual operating budget of the SETI Institute, offering a substantial financial boost to its programs. SETI, which primarily relies on philanthropy and private donations due to limited federal funding, plans to treat this contribution as an endowment to permanently fund its research, including SETI activities. Antonio, who had a long-standing relationship with SETI, contributed around $15 million to the institute before his passing, demonstrating his commitment to advancing the search for intelligent life beyond Earth.
FROM THE MEDIA: This generous donation from Franklin Antonio, a key figure in Qualcomm's early technological breakthroughs, will have a lasting impact on SETI's ability to explore and understand the universe. The funds will support various initiatives, including modernization efforts for the Allen Telescope Array and the Laser SETI program, which seeks to detect potential alien laser signals. SETI's plans to establish postdoctoral fellowships, expand international collaborations, and develop new educational initiatives signify a new era of growth and discovery for the institute. This bequest not only honors Antonio's legacy in technology and philanthropy but also marks a significant milestone in the ongoing quest to unravel the mysteries of the cosmos.
READ THE STORY: The Register
Seth Shostak on SETI (Search for Extra Terrestrial Intelligence) (Video)
FROM THE MEDIA: Dr Seth Shostak explains the mission and outlook for SETI, a non-profit organization that looks for evidence of life beyond Earth. This lecture was given at Singularity University, at NASA Ames, California, in August 2010.
SETI Talks: Mysterious Radio Signals in the Milky Way (Video)
FROM THE MEDIA: At the end of 2021, a group of astronomers detected unusual signals from deep in the heart of the Milky Way. More recently, another group happened upon a celestial object releasing giant bursts of energy, unlike anything ever seen before. These mysterious signals, which seem natural, were discovered using recently built radio astronomy facilities, such as the Murchison Widefield Array telescope and the ASKAP radio telescope, both in Australia.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.