Daily Drop (658): OpenAI: Sam's Out, China and Saudi Arabia: Currency Swap, RU: Dark Fleet, DarkCasino, AIS Spoofing, LummaC2 Malware, Citrix Bleed, Houthi: Ship Jacking, BRI: Renewable Energy
11-20-23
Monday, Nov 20, 2023
OpenAI Turmoil: Staff Threaten Mass Exodus Over CEO Controversy
Bottom Line Up Front (BLUF): OpenAI faces a crisis as the majority of its staff threatens to quit unless the board reinstates former CEO Sam Altman and ex-president Greg Brockman. This article delves into the turmoil at OpenAI, where over 500 employees, including executives, have signed a letter demanding the board's resignation. Meanwhile, Microsoft has made a surprising move by hiring Altman and Brockman to lead a new advanced AI research team, adding another layer to the unfolding drama.
Analyst Comments: The turmoil at OpenAI has sent shockwaves through the tech industry. The board's decision to remove Sam Altman as CEO and Greg Brockman's resignation led to a mass outcry from employees who believe in their leadership. The lack of transparency around the reasons for Altman's ouster has further fueled the controversy. Microsoft's rapid hiring of Altman and Brockman to lead an AI research team is a significant development that raises questions about the future of OpenAI and its mission.
FROM THE MEDIA: OpenAI is in the midst of a crisis as staff members, including executives, threaten to resign unless the board reinstates former CEO Sam Altman and ex-president Greg Brockman. The situation began when the board fired Altman, citing issues with his communication and transparency. However, this move triggered a wave of support for Altman and Brockman from within the company and the tech industry. Microsoft's surprising decision to hire Altman and Brockman to lead an advanced AI research team adds a new twist to the unfolding drama. The controversy highlights the challenges in balancing the rapid development of AI with concerns about transparency and accountability.
READ THE STORY: Engadget // FT // IE // The New York Times
China and Saudi Arabia Sign $6.93 Billion Currency Swap Agreement
Bottom Line Up Front (BLUF): The People's Bank of China and the Saudi Central Bank have inked a local currency swap agreement valued at 50 billion yuan ($6.93 billion) or 26 billion Saudi riyals. This agreement, valid for three years and extendable by mutual consent, aims to enhance financial cooperation, increase the utilization of local currencies, and boost trade and investment between Riyadh and Beijing. It signifies the deepening relationship between the world's top oil exporter, Saudi Arabia, and the largest energy consumer, China.
Analyst Comments: Saudi Arabia and China have been diversifying their relations beyond the energy sector in recent years, exploring collaborations in various domains, including security and technology. The currency swap agreement further solidifies their economic ties, providing a financial mechanism to facilitate trade and investment activities between the two nations. China has become a major importer of Saudi crude, making up a significant portion of the kingdom's exports to China. Although China has expressed its intention to purchase oil and gas in yuan, it has not yet used the currency for Saudi oil transactions.
FROM THE MEDIA: The recent currency swap agreement between China and Saudi Arabia, valued at $6.93 billion, demonstrates the growing economic partnership between the two nations. As the world's top oil exporter and the largest energy consumer, Saudi Arabia and China are expanding their collaboration beyond the energy sector. The three-year agreement, extendable by mutual consent, is expected to strengthen financial cooperation, promote the use of local currencies, and facilitate trade and investment activities. While China continues to import a significant amount of Saudi crude, the adoption of yuan for oil transactions has not yet materialized. This agreement reflects the evolving dynamics of global economic partnerships.
READ THE STORY: National Post
Russia's Strategies to Evade Western Oil Sanctions
Bottom Line Up Front (BLUF): Despite Western sanctions, Russia has found ways to circumvent restrictions on its oil trade, particularly the $60 price cap placed on a barrel of seaborne Russian Urals oil. Almost none of the seaborne crude shipments in October were executed below the price cap, and the average price received exceeded $80 a barrel. Russia has employed various tactics to evade sanctions, including using little-known trading firms, deploying a fleet of 'shadow tankers,' and engaging in complex oil transfers at sea. This has made it challenging for authorities to police and enforce the sanctions effectively.
Analyst Comments: Russia's ability to work around Western sanctions underscores its determination to sustain its oil trade despite international constraints. The shift from established oil companies to less prominent trading entities has enabled Russia to continue exporting oil, primarily to Asian markets. Furthermore, the utilization of 'shadow tankers' and intricate cargo transfers at sea has obscured the tracking of Russian oil exports, making it difficult for sanctions to have their intended impact.
FROM THE MEDIA: Western sanctions designed to curb Russia's oil revenues have not been entirely successful, as Russia has devised innovative methods to evade these limitations. The adoption of unconventional trading partners, the emergence of 'shadow tankers,' and the use of undisclosed destinations for oil shipments have created significant challenges for authorities tasked with enforcing sanctions. This evolving situation highlights the complexities of overseeing a fluid and adaptable market in the face of geopolitical pressures.
READ THE STORY: HSNN
Satellite Data Reveals Extent of Damage and Ongoing Conflict in the Region
Bottom Line Up Front (BLUF): Israel's 42-day offensive in Gaza has resulted in extensive damage to northern Gaza, with over half of its buildings suffering severe destruction, according to analysis of satellite data. The conflict shows no signs of abating, with Israel focusing its efforts on Gaza City and southern Gaza. The use of radar signals collected from the European Space Agency's Sentinel-1 satellite provides a sobering assessment of the situation.
Analyst Comments: The analysis of radar data reveals that Israel's military campaign in northern Gaza has left nearly half of the district's structures in dire condition. This data is corroborated by videos and reports from social media, television reporters, and the Israeli Defense Forces (IDF), all depicting a landscape of devastation. Key targets for Israel's military operations have been clustered around areas identified as strategically important, aligning with its ground invasion. The path of destruction extends from the northern Gaza Strip, which served as a staging ground for Israel's advance into Gaza City. Notably, as Israeli troops moved towards their primary objective, al-Shifa hospital, they caused substantial damage to neighborhoods en route, including the al-Shati refugee camp. IDF's actions, including the destruction of Hamas leader Ismail Haniyeh's home, are evident in the radar data, with only 30% of the camp remaining intact.
FROM THE MEDIA: Israel's military campaign in Gaza, as revealed by satellite data analysis, has led to extensive damage in the northern part of the region. The conflict continues to escalate, with Israel now targeting Gaza City and southern Gaza. The radar data underscores the scale of destruction and displacement, highlighting the urgent need for a resolution to the ongoing conflict. The international community remains concerned about the safety of civilians caught in the crossfire, urging a more precise and targeted approach to minimize casualties.
READ THE STORY: FT
Analysis of DarkCasino's Use of CVE-2023-38831 Vulnerability
Bottom Line Up Front (BLUF): Cybersecurity firm NSFOCUS has uncovered DarkCasino, an APT group, leveraging a recently disclosed WinRAR zero-day vulnerability known as CVE-2023-38831. DarkCasino's attack pattern employs this zero-day to conduct phishing attacks against forum users through online trading forum posts.
Analyst Comments: NSFOCUS Research Labs' analysis reveals that DarkCasino is an economically motivated APT group with strong technical capabilities. They effectively integrate various APT attack technologies, including malicious shortcuts and image steganography, into their attack processes. Initially, DarkCasino primarily targeted Mediterranean countries and select Asian nations, focusing on online financial services. However, they have since shifted their tactics to target cryptocurrency users globally, including non-English-speaking Asian countries like South Korea and Vietnam. Since April 2023, DarkCasino has employed CVE-2023-38831 to deliver the Trojan DarkMe, a versatile malware with capabilities such as collecting host information, taking screenshots, file manipulation, registry manipulation, command execution, self-updating, and maintaining persistence.
FROM THE MEDIA: DarkCasino, an APT group, has exploited the recently disclosed WinRAR zero-day vulnerability CVE-2023-38831 to conduct phishing attacks. NSFOCUS Research Labs' analysis highlights their technical proficiency and evolving tactics. Initially, DarkCasino targeted Mediterranean and select Asian countries but has since expanded their focus to cryptocurrency users globally. Their use of CVE-2023-38831 to deliver the DarkMe Trojan poses a significant threat, as it encompasses various malicious functions. Multiple APT groups, including Dark Pink, APT28, APT29, Sandworm, APT40, Ghostwriter, and Konni, have been observed exploiting this vulnerability, indicating its widespread danger. This development raises concerns about future victims falling prey to the WinRAR vulnerability exploitation.
READ THE STORY: Security Affairs
Insights into AIS Spoofing and Dark Fleet Activity
Bottom Line Up Front (BLUF): Deceptive shipping practices (DSPs), including AIS spoofing and dark fleet activity, have surged in recent years, presenting significant challenges in compliance and security. This article, authored by the Research Team at Pole Star Global in collaboration with Blackstone Compliance, sheds light on strategies to comprehend, detect, and mitigate these practices, particularly in the context of evolving maritime sanctions evasion.
Analyst Comments: The implementation of sanctions related to Russia, along with restrictions on the sale of Russian oil and petroleum products, has prompted threat actors to adopt more sophisticated tactics for sanctions evasion. Their objective is to operate in a shadow economy that operates beyond the reach of US, UK, EU, and G7 law, thus deceiving authorities and financial crime compliance programs. AIS spoofing and dark fleet activity have emerged as key components of this strategy, allowing vessels to conceal their true identities and locations, making them challenging to track and monitor. Detecting and countering these DSPs requires a multi-faceted approach that combines advanced technology, regulatory cooperation, and industry-wide awareness.
FROM THE MEDIA: In response to the evolving landscape of maritime sanctions evasion, this article explores the rise of deceptive shipping practices (DSPs) such as AIS spoofing and dark fleet activity. Authored by experts from Pole Star Global and Blackstone Compliance, the article delves into the challenges posed by these practices and offers insights on how to comprehend, detect, and mitigate them effectively. With threat actors aiming to create a shadow economy beyond the jurisdiction of major international laws, the maritime industry must stay vigilant and adopt proactive measures to combat these DSPs. Collaboration between regulatory bodies, industry stakeholders, and technology providers is essential to ensure a secure and compliant maritime environment.
READ THE STORY: Motorship
LummaC2 Malware Evolves with Trigonometry-Based Anti-Sandbox Technique
Bottom Line Up Front (BLUF): LummaC2, a stealer malware, has introduced an innovative anti-sandbox technique based on trigonometry. This technique detects human activity on infected endpoints by analyzing mouse behavior, allowing the malware to evade detection and steal sensitive information. LummaC2, originally sold in underground forums since December 2022, has undergone iterative updates, making it more resilient and versatile.
Analyst Comments: LummaC2's use of trigonometry to detect human behavior represents a novel approach to evade detection by security systems. By analyzing cursor movements, the malware delays its execution until it detects genuine human interaction, making it challenging for sandbox environments to identify and analyze its behavior. This development showcases the ongoing sophistication of malware and the need for advanced cybersecurity measures to combat such threats.
FROM THE MEDIA: LummaC2, a notorious stealer malware, has evolved with a unique anti-sandbox technique that relies on trigonometry to detect human behavior on compromised endpoints. This technique involves analyzing cursor positions and calculating angles to determine if genuine human mouse activity is present. By doing so, the malware can avoid immediate detection by security systems that rely on sandboxing for analysis. LummaC2, initially introduced in underground forums in December 2022, continues to adapt and poses a significant threat to cybersecurity. This development underscores the importance of proactive cybersecurity measures to counter evolving malware tactics.
READ THE STORY: THN
Government-Backed Hackers and Criminal Groups Targeting Vulnerable Systems
Bottom Line Up Front (BLUF): A critical flaw in Citrix Systems Inc. software, known as Citrix Bleed, has been exploited by government-backed hackers and criminal groups, according to cybersecurity experts. The vulnerability was initially abused in secret for weeks before a fix was issued last month. Despite the patch, hackers have accelerated their attacks, targeting organizations that have not applied the necessary updates. The flaw allows hackers to potentially steal sensitive information and gain network access.
Analyst Comments: Citrix Bleed, a critical software vulnerability, has become a prime target for malicious actors, including nation-state hackers and criminal groups. The flaw was discovered and patched by Citrix in October 2023, but it had already been exploited by some hackers before the fix became available. The US Cybersecurity and Infrastructure Security Agency (CISA) is providing assistance to victims of these attacks, but the exact extent of the breaches remains undisclosed. Among the criminal groups exploiting the Citrix Bleed bug is LockBit, a notorious hacking gang known for ransomware attacks.
FROM THE MEDIA: The Citrix Bleed software vulnerability, which had been abused by hackers in secret before a fix was issued, continues to pose a significant threat to organizations that have not applied the necessary patches. Government-backed hackers and criminal groups are actively targeting vulnerable systems to potentially steal sensitive information and gain broader network access. The situation highlights the importance of promptly applying security updates and patches to mitigate the risk of cyberattacks. CISA is working to assist affected organizations, but cybersecurity experts emphasize the need for proactive measures to safeguard against such vulnerabilities.
READ THE STORY: National Post
China and North Korea Identified as Major Sources of Cyberattacks in Russia
Bottom Line Up Front (BLUF): Recent data from Russia's security firm Solar highlights that state-sponsored cyberattacks in Russia are predominantly originating from China and North Korea. Advanced persistent threats (APTs), often linked to state-sponsored groups, accounted for 20% of all incidents investigated by Solar. Chinese APTs, in particular, were highly active during a September 2023 campaign, targeting Russian organizations with cyber espionage activities. North Korean group Lazarus also maintains its presence in Russia, focusing mainly on government authorities.
Analyst Comments: The report reveals that despite good diplomatic relations, cyber threats from China and North Korea pose significant challenges to Russia's cybersecurity. Chinese APTs, such as APT 10, APT 15, APT 31, and APT 41, conducted extensive cyber espionage campaigns, infecting Russian systems with malware. Lazarus, a North Korean group, continued its activities against Russian government authorities, indicating persistent threats. Despite the ongoing conflict in Ukraine, Asian cyber groups remained the most active, making it challenging to pinpoint Ukrainian involvement directly.
FROM THE MEDIA: China and North Korea are identified as the primary sources of state-sponsored cyberattacks in Russia, with well-resourced advanced persistent threats (APTs) responsible for a significant portion of incidents. Chinese APTs, notably active during a September 2023 campaign, targeted Russian organizations with cyber espionage efforts. The Lazarus group from North Korea maintained a consistent presence in Russia, primarily focusing on government authorities. Although other regions may be involved in cyberattacks against Russia, Asian cyber groups dominated, making attribution challenging. Cybersecurity firm Solar's report underscores the ongoing cyber threats facing Russia, with APTs expected to remain active in 2024.
READ THE STORY: CyberNews
Israel-Hamas Conflict Escalates with Houthi Seizure of Israeli-Linked Ship
Bottom Line Up Front (BLUF): Yemen's Houthi rebels have taken control of an Israeli-linked cargo ship in the Red Sea, holding 25 crew members hostage. The rebels, backed by Iran, justify the hijacking by their connection to Israel, signaling a new front in the ongoing Israel-Hamas conflict. This development has raised regional tensions and concerns over the safety of international shipping in this crucial maritime route.
Analyst Comments: The Houthi rebels' seizure of the cargo ship, named Galaxy Leader, represents a significant escalation in the Israel-Hamas conflict. Their actions are a direct response to what they perceive as Israel's aggression against Gaza's Hamas rulers. The rebels have vowed to target any ships with links to Israel, or owned by Israelis, in international waters, potentially disrupting maritime trade and energy supplies in the Red Sea region. Israeli authorities have attributed the attack to the Houthis and have labeled it an "Iranian act of terror." They assert that the ship is British-owned and Japanese-operated, but ownership details indicate connections to an Israeli billionaire, Abraham "Rami" Ungar. Israel sees this incident as part of a broader strategy by Iran to arm the Houthi rebels and further destabilize the region.
FROM THE MEDIA: Yemen's Houthi rebels have seized the Israeli-linked cargo ship Galaxy Leader, taking 25 crew members hostage. The rebels attribute the hijacking to their opposition to Israel and vow to target ships connected to Israel or owned by Israelis in international waters. This move represents a significant escalation in the Israel-Hamas conflict, with regional implications and potential disruptions to global shipping in the Red Sea. Israel has labeled it an "Iranian act of terror" and sees it as part of Iran's strategy to support the Houthi rebels. The incident has raised concerns about the safety of critical maritime routes in the region.
READ THE STORY: Aljazeera // AP
China's Belt and Road Initiative Shifts Focus to Renewable Energy Projects
Bottom Line Up Front (BLUF): A new study from Wood Mackenzie reveals that China's Belt and Road initiative is increasingly directing its efforts toward renewable energy projects, accounting for 57% of overseas development projects currently planned or under construction. This shift comes as the cost of wind turbines and solar panels declines, and global pressure mounts to reduce reliance on fossil fuels. The report indicates a transformation in China's strategy, emphasizing renewables and direct investment over bilateral lending.
Analyst Comments: Over the past decade, China's Belt and Road initiative has played a significant role in developing power generation capacity in other countries. However, recent developments show a shift towards renewable energy sources, reflecting the global trend towards sustainability. This shift is driven by falling prices of renewable technologies and growing concerns about the environmental impact of fossil fuels. Wood Mackenzie's study highlights that 128 gigawatts of generating capacity, equivalent to approximately $200 billion in investments, have been completed through the Belt and Road initiative by 2023. An additional 80 gigawatts of projects are in the planning or construction phases, with a predominant focus on Asia.
FROM THE MEDIA: China's Belt and Road initiative is increasingly prioritizing renewable energy projects, with renewables accounting for 57% of planned or under-construction overseas development projects. This shift reflects China's changing strategy towards cleaner energy sources, driven by lower costs and environmental concerns. While significant renewable capacity has been added, some coal and natural gas projects continue, highlighting the complexity of China's energy transition within the initiative.
READ THE STORY: BNN
Vulnerability Alert: Bitcoin Wallets Created between 2011-2015 at Risk of Hacking
Bottom Line Up Front (BLUF): Bitcoin wallets created between 2011 and 2015 face a significant security threat due to a new exploit called Randstorm. This exploit compromises the security of these wallets, potentially allowing attackers to recover passwords and gain unauthorized access. Approximately 1.4 million Bitcoins stored in such wallets are at risk, highlighting the importance of upgrading to more secure wallet solutions.
Analyst Comments: A security vulnerability in Bitcoin wallets created during the 2011-2015 era has come to light, posing a serious risk to cryptocurrency holders. This vulnerability, referred to as Randstorm, is a combination of bugs, design choices, and API changes that reduce the quality of random numbers generated by web browsers during that time frame. As a result, cryptographic keys used in these wallets may be vulnerable to attacks.
FROM THE MEDIA: Bitcoin wallets created between 2011 and 2015 are at risk of being hacked due to the Randstorm exploit. Approximately 1.4 million Bitcoins may be vulnerable, emphasizing the urgency of upgrading to more secure wallet solutions. The vulnerability highlights the broader issue of security in open-source dependencies and the importance of keeping software infrastructure up to date to mitigate risks.
READ THE STORY: THN
Items of interest
China Seeks Increased Investment from French Firms: President Xi's Message to Macron
Bottom Line Up Front (BLUF): China's President Xi Jinping expressed the desire for greater investment from French companies in China while emphasizing the importance of a fair and non-discriminatory business environment for Chinese firms. This message was conveyed during a phone call with French President Emmanuel Macron. The call aimed to fortify ties between the two nations following Macron's visit to China earlier this year. Amidst challenges, including an EU investigation into electric vehicle subsidies and concerns about China's foreign company regulations, both leaders discussed cooperation at various levels.
Analyst Comments: President Xi Jinping's message to President Macron underscores China's interest in deepening economic ties with France. The call also demonstrates China's commitment to fostering a favorable business environment for Chinese companies operating in France. It serves as a continuation of diplomatic efforts to strengthen relations between China and its European partners.
FROM THE MEDIA: China is actively seeking increased investment from French companies and is committed to providing a fair business environment for Chinese firms operating in France. The phone call between President Xi Jinping and President Emmanuel Macron aims to enhance economic ties and diplomatic relations between the two nations. Despite challenges in the international landscape, both leaders expressed their willingness to cooperate and contribute to positive developments in China-EU relations and global issues.
READ THE STORY: Reuters
Ukraine’s prosecutor general on investigating alleged Russian war crimes (Video)
FROM THE MEDIA: Ukrainian Prosecutor General Andriy Kostin is leading the charge for an international investigation into alleged Russian war crimes committed in Ukraine. Kostin joins Washington Post Live to discuss the challenges in building accountability, the International Criminal Court’s arrest warrant for Russian President Vladimir Putin and the state of Ukraine more than a year into the war with Russia.
Putin's Attack on Ukraine: Documenting War Crimes (Video)
FROM THE MEDIA: “Putin’s Attack on Ukraine: Documenting War Crimes” draws on original footage; interviews with Ukrainian citizens and prosecutors, top government officials, and international war crimes experts; and a vast amount of previously unpublished evidence obtained and verified by the AP — including hundreds of hours of surveillance camera videos and thousands of audio recordings of intercepted phone calls made by Russian soldiers around Ukraine's capital city, Kyiv.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.