Daily Drop (702): CN: MSS, ScarCruft Group Targets DPRK, Ransomware, Apple Exploit, Airman conducts NFT fraud, Nvidia Supplier Kinsus, NGA SAT, Brainwashing in Mao's China, CN: Microchip Kits
01-23-24
Tuesday, Jan 23 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding proof-of-concept (PoC) references, where available, for the CVEs mentioned:
A proof of concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.*
China's Ministry of State Security: A Public Force in Xi's Tightening Grip
Bottom Line Up Front (BLUF): China's Ministry of State Security (MSS), traditionally a secretive intelligence agency, is increasingly stepping into the public eye. This shift is part of President Xi Jinping's broader strategy to emphasize national security and tighten his control over China. The MSS's heightened visibility, including in social media and public campaigns, reflects its growing political influence and the Chinese government's focus on combating perceived threats like subversion, separatism, terrorism, and espionage.
Analyst Comments: The transformation of the MSS from a shadowy entity into a more openly active agency is indicative of the evolving nature of security and political power in China under Xi Jinping. Historically, China's emphasis was on economic growth and international relations, but the recent trend suggests a pivot towards a more security-centric governance model. This shift could be driven by internal challenges such as economic slowdowns and external pressures from geopolitical tensions, particularly with the U.S. and its allies. The enhanced role and visibility of the MSS also signify a broadening concept of national security within China, encompassing not just traditional espionage but also data and technological security. This development could have far-reaching implications for China's international relations and internal governance.
FROM THE MEDIA: The Ministry of State Security of China is asserting a more public and political role under Xi Jinping's leadership. Founded in 1983, the MSS, akin to a fusion of the FBI and CIA, has expanded its reach and influence, breaking from its traditionally low-profile approach. Recent activities include public accusations against foreign intelligence services, social media engagement, and participation in national security education campaigns. The MSS's increased political stature is evident through its leaders' elevated positions within the Communist Party. This shift reflects China's growing focus on national security, encompassing a wide array of issues from data protection to geopolitical challenges. The agency's public engagement, including the use of social media, aims to raise awareness among Chinese citizens about the risks of espionage and the importance of national security. This strategic move aligns with Xi Jinping's broader objective of tightening his grip on the nation, emphasizing security, and preparing for potential internal and external challenges.
READ THE STORY: FT
ScarCruft Group Targets Media and Experts in North Korean Affairs
Bottom Line Up Front (BLUF): North Korean hacker group ScarCruft, also known as APT37, has been conducting cyber espionage campaigns by weaponizing fake research reports to deliver the RokRAT backdoor. This group, linked to North Korea's Ministry of State Security (MSS), primarily targets governments, defectors, and entities related to North Korean affairs. The recent campaign in December 2023 focused on media organizations and experts, employing spear-phishing techniques for covert intelligence gathering aligned with North Korea's strategic interests.
Analyst Comments: The activities of ScarCruft underscore a growing sophistication in cyber operations conducted by state-sponsored actors, particularly from North Korea. This recent shift to using technical research reports as a decoy marks a strategic evolution in their approach, likely aiming to penetrate high-value targets involved in cybersecurity and intelligence. The timing of these operations, amid escalating tensions and North Korea's demonstration of military capabilities, suggests an intent to gather strategic intelligence that could influence decision-making processes in Pyongyang. The ongoing development and refinement of tactics by ScarCruft indicate a proactive response to international cybersecurity defenses, highlighting the persistent and evolving threat posed by state-sponsored cyber espionage.
FROM THE MEDIA: ScarCruft, a North Korean hacking group, has been intensifying its cyber espionage efforts by using innovative infection chains. One such method involves the use of fake technical research reports as a decoy, targeting individuals and organizations involved in threat intelligence and North Korean affairs. SentinelOne researchers identified this tactic in their report, noting ScarCruft's association with North Korea's MSS and its distinct operations from other North Korean groups like Lazarus Group and Kimsuky. Recent activities include a campaign against a Russian missile engineering company and efforts to subvert cybersecurity professionals. The tactics involve spear-phishing lures and multi-stage infection sequences to distribute the RokRAT backdoor, enabling covert intelligence collection.
READ THE STORY: THN
Akira Ransomware Disrupts Swedish Services: Tietoevry Datacenter Targeted
Bottom Line Up Front (BLUF): Tietoevry, a cloud hosting services provider, has reported a partial ransomware attack on one of its Swedish datacenters, impacting numerous customers including key Swedish organizations. The attack, utilizing Akira ransomware-as-a-service tools, has disrupted services for Primula, a prominent payroll and HR company in Sweden. The attack's consequences have been felt across various sectors, forcing store closures and affecting administrative operations of several government authorities.
Analyst Comments: The ransomware attack on Tietoevry signifies a growing trend in cybercrime where critical infrastructure and service providers are targeted to maximize impact. This attack, particularly affecting HR and payroll services, raises concerns about the security of sensitive personal and governmental data. The incident also underlines the interconnected nature of modern digital services, where an attack on a single provider can have wide-reaching effects on numerous entities, including government agencies. The response of Swedish authorities and Tietoevry's handling of the situation will be crucial in assessing the resilience of national infrastructure against such cybersecurity threats.
FROM THE MEDIA: Tietoevry, a Finland-based cloud service provider, experienced a ransomware attack on its Swedish datacenter, impacting several customers including Primula, a widely used payroll and HR company in Sweden. The attack led to operational disruptions for numerous Swedish entities, including government agencies and retail stores. While Tietoevry isolated the affected platform promptly and reported the incident to the police, the full extent of the attack's impact and potential data breaches remain unclear. The company is working to restore services, employing a well-tested methodology and collaborating closely with affected customers. This ransomware attack underscores the vulnerability of critical digital infrastructure and the cascading effects such incidents can have on a national scale.
READ THE STORY: The Record
(CVE-2024-23222) Apple Responds to Zero-Day Exploit with Security Patch Across Devices
Bottom Line Up Front (BLUF): Apple has released crucial security updates for a range of its operating systems and the Safari web browser to address a zero-day flaw actively exploited in the wild. Identified as CVE-2024-23222, this type confusion bug, if exploited, could lead to arbitrary code execution. The flaw was patched with improved checks, and the updates cover a wide array of Apple devices including various iPhone models, Macs, and Apple TV.
Analyst Comments: This zero-day vulnerability in Apple's software highlights the ongoing challenge of maintaining cybersecurity in an increasingly complex digital environment. Type confusion vulnerabilities like CVE-2024-23222 are particularly concerning due to their potential for causing significant security breaches. Apple's prompt response in releasing these updates is a critical step in safeguarding users against potential exploits.
FROM THE MEDIA: Apple has addressed a critical zero-day vulnerability, CVE-2024-23222, affecting iOS, iPadOS, macOS, tvOS, and Safari, which was under active exploitation. The flaw, a type confusion issue, could allow arbitrary code execution through maliciously crafted web content. The updates cover a wide range of devices, including various models of iPhones, iPads, and Macs. This proactive step by Apple follows their track record from the previous year, where they addressed 20 zero-day vulnerabilities. In addition to this, Apple backported fixes for two other vulnerabilities to older devices. The update cycle underscores the importance of regular security maintenance in protecting against evolving cyber threats. Apple's swift action reflects an ongoing commitment to user security in the face of complex cyber challenges.
READ THE STORY: THN
US Air Force Cyber Analyst Charged in NFT Fraud Case
Bottom Line Up Front (BLUF): Devin Alan Rhoden, a cyber analyst with the United States Air Force, has been arrested for his alleged involvement in a fraudulent NFT scheme. Rhoden is accused of promoting UndeadApes NFTs, part of the Bored Ape Yacht Club suite, in a "rug pull" scheme, where he falsely inflated the value of these NFTs by suggesting a non-existent collaboration with the Stoned Ape Crew, leading to significant financial loss for investors.
Analyst Comments: The arrest of Rhoden in this high-profile NFT fraud case highlights the emerging challenges and risks associated with the burgeoning NFT market. "Rug pull" schemes, where creators abandon a project and flee with investors' funds, represent a significant threat to the credibility and security of the NFT ecosystem. This case also underscores the need for stricter regulatory frameworks and enhanced due diligence in the digital asset space, especially as NFTs gain popularity. Furthermore, Rhoden's position as a cyber analyst with the Air Force brings attention to the potential risks and implications of individuals in sensitive roles engaging in fraudulent activities in the digital asset domain.
FROM THE MEDIA: Devin Alan Rhoden, a United States Air Force cyber analyst, has been charged in a landmark NFT criminal case. Rhoden allegedly used a "rug pull" scheme to promote UndeadApes NFTs, part of the Bored Ape Yacht Club NFT suite, on Discord, falsely claiming collaboration with the Stoned Ape Crew, which led to the devaluation of the NFTs. He is accused of withdrawing $80,000 from his Coinbase account, funds allegedly obtained from criminal activities. Investigations revealed several incriminating searches on his Google profile and Discord logs showing Rhoden discussing the funds received. Rhoden, currently out on bond, awaits a court date while denying knowledge of fraud.
READ THE STORY: ARTnews
Nvidia Supplier Kinsus Expands to Malaysia with Pilot Plant
Bottom Line Up Front (BLUF): Kinsus Interconnect Technology, a supplier for Nvidia and AMD, plans to establish a substrate manufacturing facility in Penang, Malaysia. This move is part of a broader trend of chipmakers expanding in Southeast Asia, driven by the need to diversify production beyond China. Kinsus, a subsidiary of iPhone assembler Pegatron, will initiate a trial run focusing on testing and quality control, with a potential full-scale expansion if successful.
Analyst Comments: Kinsus's decision to set up a pilot plant in Malaysia is indicative of a strategic shift in the global semiconductor supply chain. The ongoing US-China tech war and the desire for geographic diversification are prompting companies to establish manufacturing bases outside of China. Malaysia's emerging role as a hub for chip packaging and testing, coupled with significant investments from major players like Intel, is transforming the region into an attractive destination for semiconductor manufacturing. Kinsus's focus on automotive applications and consumer electronics aligns with the growing demand in Southeast Asia's markets. This development not only enhances the resilience of the global supply chain but also signifies the rising importance of Southeast Asia in the semiconductor industry.
FROM THE MEDIA: Nvidia and AMD supplier Kinsus Interconnect Technology is exploring the possibility of establishing a substrate manufacturing facility in Penang, Malaysia. This initiative is part of an effort to diversify production outside China and respond to the increasing demand for chip packaging and testing in Malaysia. Kinsus's initial operations will target automotive, consumer electronics, and memory chip sectors, reflecting a strategic approach to cater to diverse market needs. The decision by Kinsus to rent a plant in Penang for trial operations marks a significant step towards establishing a stronger presence in Southeast Asia. The move is aligned with the broader industry trend, where major chipmakers are expanding their manufacturing capacities in Malaysia, with Intel planning a $7 billion investment.
READ THE STORY: FT
"Brainwashing in Mao's China and Beyond" Analyzes Propaganda Impact on Public Opinion
Bottom Line Up Front (BLUF): "Brainwashing in Mao's China and Beyond," a new book by political scholars, delves into the extensive use of "cognitive warfare" by the Chinese Communist Party and other authoritarian regimes. The book aims to educate on how propaganda campaigns brainwash the public, suppress dissent, and reinforce power. It highlights the continued relevance and danger of these practices in influencing global stability and public perception.
Analyst Comments: The release of this book is timely, as it brings into focus the enduring and evolving nature of state-sponsored propaganda in shaping public opinion and political discourse. The concept of 'brainwashing,' initially used to describe the Chinese government's techniques during the Korean War, remains a significant tool for authoritarian regimes to maintain control. The book's exploration of these tactics in contemporary contexts, including their role in Taiwan's recent general elections and in other global scenarios, underscores the persistent threat to democratic processes and the autonomy of thought. Understanding these mechanisms is crucial for countering misinformation and protecting democratic values in an increasingly interconnected and digital world.
FROM THE MEDIA: Co-editors Xia Ming and Song Yongyi, in their book "Brainwashing in Mao's China and Beyond," explore the techniques of brainwashing used by the Chinese Communist Party since Mao Zedong's era. The book examines how such cognitive warfare tactics have been employed to stifle dissent and maintain power. Recent examples include Chinese propaganda targeting Taiwan during its general elections, implying threats and spreading pessimism to influence voter behavior. The book also discusses the broader global implications of these strategies, including their use in other authoritarian regimes. Taiwan's Central Election Commission's response to TikTok videos during the elections highlights the modern challenges of digital propaganda. The book's chapters cover various aspects of brainwashing, including its implementation in prisons, literature, and education, and draw parallels with practices in other totalitarian regimes.
READ THE STORY: RFA
CVE-2023-34048 Zero-Day Vulnerability Leveraged by UNC3886 for Espionage
Bottom Line Up Front (BLUF): A critical vulnerability in VMware, CVE-2023-34048, was exploited by a Chinese advanced persistent threat (APT) group, known as UNC3886, for nearly two years before it was patched. This high-severity out-of-bounds write vulnerability, rated 9.8 out of 10, significantly impacted vCenter Server, a key component of VMware's virtual environment management system. Mandiant's recent discovery reveals the depth of this APT group's technical acumen and its strategic exploitation of widely used software vulnerabilities for espionage purposes.
Analyst Comments: The exploitation of CVE-2023-34048 by UNC3886 underlines the sophisticated capabilities of state-sponsored cyber actors, particularly those affiliated with China. The ability to covertly leverage a zero-day vulnerability for an extended period highlights the strategic patience and focus of Chinese espionage efforts. These actions align with China's broader geopolitical and economic objectives, where cyber operations support state goals. This incident serves as a stark reminder of the persistent threat posed by APT groups and the importance of rapid vulnerability management and robust cybersecurity practices in safeguarding critical IT infrastructure.
FROM THE MEDIA: CVE-2023-34048, a critical vulnerability in VMware, was covertly exploited by the Chinese APT group UNC3886 as a zero-day since late 2021. This revelation by Mandiant indicates the group's high proficiency in identifying and leveraging complex vulnerabilities. UNC3886 had previously exploited another VMware zero-day, CVE-2023-20867, using it in conjunction with CVE-2023-34048 to gain remote code-execution capabilities and deploy backdoors in the compromised environments. This methodical and long-term exploitation strategy is characteristic of Chinese state-sponsored cyber activities, aimed at sustained intelligence gathering to support China's national interests. VMware customers, even those who have patched their systems, may need to re-examine their networks for signs of compromise during the zero-day period, highlighting the ongoing challenges in cybersecurity and the need for vigilant patch management.
READ THE STORY: DarkReading
Beijing's Initiative to Influence the Metaverse Includes Major Tech Players
Bottom Line Up Front (BLUF): China's Ministry of Industry and Information Technology (MIIT) has assembled a group of 60 experts from academia, government, and business to establish standards for the metaverse. This initiative involves significant tech companies like Huawei, ZTE, Tencent, NetEase, Baidu, Ant Group, and Lenovo. This move reflects China's strategic approach to shaping the development and narrative of the metaverse, a concept that is still finding its footing in practical applications but could play a significant role in the future of digital interaction.
Analyst Comments: China's creation of a metaverse standards group signals its ambition to be a key player in defining the future of this emerging digital realm. Including major tech firms and academic institutions, Beijing is poised to influence both the technical and identity standards of the metaverse. This initiative is part of China's broader strategy to assert its presence in significant technological advancements and digital domains. The involvement of globally recognized companies like Huawei and Tencent could extend China's influence in the metaverse beyond its borders. However, the global community's response to this initiative, especially considering the ongoing tech tensions between China and the West, remains to be seen.
FROM THE MEDIA: The MIIT of China has announced a working group to define standards for the metaverse, involving 60 experts from diverse sectors including technology, academia, and government. The group includes representatives from major Chinese tech companies and universities. This initiative is part of China's long-standing effort to influence the metaverse's development and standards. The working group is tasked with formulating both general and technical standards, covering aspects like metaverse terminology, identity systems, and interoperability. China's engagement in metaverse development is concurrent with global tech trends, where the focus has shifted from initial metaverse hype to more practical applications, including in generative AI.
READ THE STORY: The Register
Beijing’s Record Spending on Semiconductor Equipment to Counter Biden’s Export Controls
Bottom Line Up Front (BLUF): China has significantly increased its imports of microchip equipment, spending a record $10.6 billion in the last quarter of the previous year. This surge in imports is a strategic response to the US and other countries' restrictions on the sale of advanced microchips to China, due to concerns over their potential military and cybersecurity applications. The Chinese government's heavy investment aims to bolster its domestic semiconductor industry to mitigate the impact of US sanctions led by President Joe Biden.
Analyst Comments: China's aggressive procurement of semiconductor equipment underscores its determination to achieve self-sufficiency in the microchip sector and reduce reliance on foreign technology. This development is part of a broader techno-nationalistic strategy amidst escalating US-China tensions over technology and trade. The focus on building a domestic semiconductor industry is not only a countermeasure to sanctions but also a step towards technological independence.
FROM THE MEDIA: China's imports of semiconductor equipment reached a record high as it aims to develop its domestic microchip industry in response to much-needed US-led sanctions. The imports included advanced equipment from companies like the Dutch tech giant ASML. The UK, despite being a smaller player in this sector, has also been involved, with companies like SPTS and Oxford Instruments exporting semiconductor manufacturing equipment to China. The US has specifically blocked sales of advanced chips for AI applications by companies like Nvidia to China due to their illicit activities.
READ THE STORY: The Telegraph
Internet Disruptions in Pakistan Amid Virtual Election Rally
Bottom Line Up Front (BLUF): Pakistan experienced significant internet disruptions during a virtual rally held by the party of jailed former Prime Minister Imran Khan, sparking concerns of political interference. The disruptions, which affected major social media platforms, coincide with Pakistan's preparations for general elections next month. While the Pakistani telecommunication authority attributed the outages to a technical failure, local media and political commentators suggest a more politically motivated intent aimed at disrupting Khan's party's online campaign event.
Analyst Comments: The timing of these internet disruptions, particularly in the context of an important virtual political rally, raises questions about the integrity of digital platforms in the political process in Pakistan. Internet outages during crucial political events can have significant implications for democratic participation and freedom of expression. This incident echoes a broader global concern about the role of internet accessibility and digital rights in electoral processes, especially in politically sensitive periods. The reliance on virtual platforms for political campaigning, accentuated by Imran Khan's inability to conduct in-person campaigning, underscores the critical nature of unimpeded internet access for fair and free elections.
FROM THE MEDIA: Pakistan faced widespread internet outages that coincided with a virtual rally by Imran Khan's political party (PTI), ahead of the country's general elections. The disruptions affected access to platforms like Facebook, Instagram, X, and YouTube. PTI called the outages "desperate tactics" by the incumbent government and suggested using VPNs to bypass restrictions. Internet monitoring firms and local media reports indicate that the outages were systematic and aligned with previous restrictions during PTI events. This is not the first instance of such disruptions in Pakistan, as similar incidents occurred earlier in January and December, raising concerns about the use of internet control as a political tool. The situation in Pakistan mirrors actions taken by other nations like Russia, Iran, Belarus, and Cuba, where internet shutdowns have been used in response to protests or opposition activities.
READ THE STORY: The Record
Australian Government Identifies and Sanctions Russian Medibank Hacker
Bottom Line Up Front (BLUF): The Australian government has taken a significant step in the realm of cybersecurity by identifying and imposing sanctions on a Russian individual, Aleksandr Ermakov, responsible for the major Medibank cyber attack in 2022. Ermakov's involvement in the theft of sensitive personal information from 9.7 million Medibank customers, including medical records, has led to the implementation of sanctions, marking a crucial development in Australia's cybersecurity strategy.
Analyst Comments: The Medibank cyber attack was one of Australia's worst data breaches, affecting millions of individuals and even targeting Australian Prime Minister Anthony Albanese. Australian intelligence agencies had long suspected Russian involvement in the breach, which had previously been linked to the REvil ransomware collective. After an extensive 18-month investigation, Australia decided to name Aleksandr Gennadievich Ermakov as the individual behind the attack, making it the first time an Australian government has identified a cybercriminal and imposed cyber sanctions.
FROM THE MEDIA: The Australian government has publicly identified and sanctioned Aleksandr Ermakov, a Russian citizen, for his role in the cyber attack on Medibank in 2022. This marks the first use of Australia's cyber sanctions framework, which was legislated in 2021. Ermakov's involvement in the theft of sensitive medical records and their subsequent leak on the dark web led to severe penalties, including a travel ban and strict financial sanctions. Home Affairs Minister Clare O'Neil emphasized the significance of this action for cybersecurity in Australia and vowed to unveil the identities of cybercriminals who target the nation.
READ THE STORY: The Register
Unauthorized Party Hijacks SEC's X Account via SIM Swap Attack, Law Enforcement Agencies Join Probe
Bottom Line Up Front (BLUF): The Securities and Exchange Commission (SEC) has disclosed that an unauthorized party took control of the SEC's X account through a SIM swapping attack. This cyber incident involved the hijacking of the phone number associated with the account and the subsequent posting of messages on social media. While multifactor authentication was initially enabled, it was disabled due to access issues and later reinstated after the breach. Law enforcement agencies, including the FBI and the Justice Department, are collaborating on the investigation.
Analyst Comments: The SEC revealed that the breach of its X account occurred due to a SIM swapping attack, where scammers transferred the phone number to another device under their control. The attackers gained access via the telecom carrier, not through SEC systems. Fortunately, there is no evidence to suggest that the unauthorized party accessed SEC systems, data, devices, or other social media accounts.
FROM THE MEDIA: The SEC has attributed the hack of its X account to a SIM swapping attack, emphasizing that access occurred through the telecom carrier and not SEC systems. Despite multifactor authentication being initially enabled, it was temporarily disabled and later reinstated after the breach. An investigation is underway with the involvement of multiple law enforcement agencies, reflecting the severity of the incident. Blame has been shifted away from the social media company X, which had been falsely implicated in the incident.
READ THE STORY: The Record
Items of interest
Software Supply Chain Vulnerability Exposes Java and Android Applications to MavenGate Attack
Bottom Line Up Front (BLUF): Java and Android applications using abandoned but still utilized libraries face a significant risk from a new software supply chain attack called MavenGate. This attack allows threat actors to hijack projects through domain name purchases, potentially injecting malicious code into applications and compromising the build process. All Maven-based technologies, including Gradle, are vulnerable to this attack, affecting major companies such as Google, Facebook, Signal, and Amazon. While experts argue that the attack may not be feasible due to automation, it highlights the need for security measures and vigilance in managing dependencies.
Analyst Comments: Security researchers have uncovered the MavenGate attack, which targets abandoned libraries still in use in Java and Android applications. This attack exploits vulnerabilities in the default build configurations of these applications, making it challenging to detect whether an attack is occurring. Successful exploitation of these vulnerabilities allows attackers to compromise the build process by injecting malicious code.
FROM THE MEDIA: The MavenGate attack poses a risk to Java and Android applications that use abandoned libraries. This software supply chain attack allows attackers to hijack projects and potentially inject malicious code. While some experts argue about the feasibility of the attack, it emphasizes the importance of secure dependency management and vigilance in the face of evolving cyber threats.
READ THE STORY: THN
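The MavenGate story above turns on a groupId whose reverse-DNS domain has lapsed and can be bought by someone else. The following is an added defender-side check written for this digest, not code from the researchers or from any project named in the story: it pulls dependency groupIds out of a pom.xml or build.gradle, maps each to its registrable domain, and lists the ones whose domain no longer resolves so a human can review them. The sample files, the fake DNS resolver and the "last two labels" domain rule are all assumptions made for the example.

```python
"""Audit Maven/Gradle dependency groupIds for domains that no longer resolve.

A failed lookup is a signal for manual review, not proof that the domain is
unregistered or that the artifact has been tampered with.
"""
import re
import socket
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Gradle shorthand coordinates: implementation 'group:artifact:version'
GRADLE_DEP = re.compile(r"""['"]([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[^'"]+['"]""")


def group_id_to_domain(group_id: str):
    """Map a reverse-DNS groupId to its registrable domain.

    Assumption: the registrable domain is the first two labels reversed
    ("com.example.lib" -> "example.com").  That is wrong for ccTLD second-level
    suffixes such as co.uk; a real tool would consult the public suffix list.
    """
    labels = group_id.split(".")
    if len(labels) < 2:
        return None  # legacy single-token groupId such as "junit": nothing to verify
    return f"{labels[1]}.{labels[0]}"


def group_ids_from_pom(pom_xml: str) -> set:
    """Collect <groupId> values from every <dependency> in a pom.xml."""
    root = ET.fromstring(pom_xml)
    ids = set()
    for dep_tag in (f"{POM_NS}dependency", "dependency"):  # with or without xmlns
        for dep in root.iter(dep_tag):
            gid = dep.find(f"{POM_NS}groupId")
            if gid is None:
                gid = dep.find("groupId")
            if gid is not None and gid.text:
                ids.add(gid.text.strip())
    return ids


def group_ids_from_gradle(build_gradle: str) -> set:
    """Collect the group part of 'group:artifact:version' strings in build.gradle."""
    return {m.group(1) for m in GRADLE_DEP.finditer(build_gradle)}


def domain_resolves(domain: str, resolve=socket.gethostbyname) -> bool:
    try:
        resolve(domain)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def audit(group_ids, resolve=socket.gethostbyname) -> dict:
    """Return {groupId: reason} for every groupId that needs a human look."""
    findings = {}
    for gid in sorted(group_ids):
        domain = group_id_to_domain(gid)
        if domain is None:
            findings[gid] = "no domain (single-token groupId), verify ownership manually"
        elif not (domain_resolves(domain, resolve) or domain_resolves("www." + domain, resolve)):
            findings[gid] = f"{domain} does not resolve: check registration before trusting"
    return findings


# Constructed sample inputs; the vendors and coordinates below are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example.lib</groupId><artifactId>lib-core</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>net.lapsed-vendor.util</groupId><artifactId>util</artifactId><version>0.9</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'com.example.lib:lib-core:1.2.3'
    testImplementation "net.lapsed-vendor.util:util:0.9"
}"""


def fake_resolve(host: str) -> str:
    """Stand-in for DNS (constructed): only example.com and its www host resolve."""
    if host in ("example.com", "www.example.com"):
        return "192.0.2.10"  # TEST-NET placeholder address
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    ids = group_ids_from_pom(SAMPLE_POM) | group_ids_from_gradle(SAMPLE_GRADLE)
    for gid, reason in audit(ids, resolve=fake_resolve).items():
        print(f"{gid}: {reason}")
```

Drop the `resolve=fake_resolve` argument to run the audit against real DNS for your own build files.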
All About DLL Hijacking (Video)
FROM THE MEDIA: DLL hijacking, also known as DLL preloading or DLL side-loading, is a cybersecurity vulnerability that can be exploited by malicious actors to execute arbitrary code on a target system. It occurs when a program loads a dynamic link library (DLL) without specifying the full path to the DLL, allowing an attacker to trick the program into loading a malicious DLL instead.
How Hackers Hijack Applications Using Malicious DLLs: And How To Improve Cyber Defenses Against It (Video)
FROM THE MEDIA: DLL load order hijacking allows hackers to hijack applications and compromise critical systems. This week's #TechTalkTuesday covers what DLL search order hijacking is, how nation-state hackers used the technique in the past to compromise systems, and how to find DLL hijacking in your threat hunting, incident response, and other cybersecurity operations.
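For the threat-hunting angle raised by both DLL hijacking videos, here is an added example written for this digest (not code from either video) that checks Sysmon-style image-load events for two signs of search-order hijacking: a DLL name the host normally loads from a Windows system directory turning up somewhere else, and an unsigned DLL loaded from a user-writable path. The log lines are constructed in a simplified key=value layout; the field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon Event ID 7, but the paths and DLL names are made up.

```python
"""Hunt for DLL search-order hijacking in Sysmon-style image-load (Event ID 7) records.

The baseline of "normal" DLL names is learned from the log itself: whatever was
loaded from a system directory.  Loading the same basename from a non-system
directory is the hijack pattern; an unsigned DLL from a user-writable location
is the second indicator.  Both are leads for an analyst, not verdicts.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
# key=value pairs where values may contain spaces; a value ends before the next "key="
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    return {key: value.strip() for key, value in FIELD.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    """Lower-cased directory with trailing backslash, e.g. 'c:\\users\\alice\\'."""
    return path.replace("/", "\\").lower().rsplit("\\", 1)[0] + "\\"


def in_system_dir(path: str) -> bool:
    return dirname(path).startswith(SYSTEM_DIRS)


def build_baseline(loads) -> set:
    """DLL basenames observed loading from a system directory (benign reference set)."""
    return {basename(e["ImageLoaded"]) for e in loads if in_system_dir(e["ImageLoaded"])}


def hunt(lines):
    """Return a list of findings; each has the loading process, the DLL and the reasons."""
    events = [parse_event(line) for line in lines if line.strip()]
    loads = [e for e in events if e.get("EventID") == "7" and "ImageLoaded" in e]
    baseline = build_baseline(loads)
    findings = []
    for e in loads:
        dll = e["ImageLoaded"]
        reasons = []
        if basename(dll) in baseline and not in_system_dir(dll):
            reasons.append("system DLL name loaded outside system directory")
        if e.get("Signed", "").lower() != "true" and any(h in dirname(dll) for h in WRITABLE_HINTS):
            reasons.append("unsigned DLL loaded from user-writable path")
        if reasons:
            findings.append({"process": e.get("Image"), "dll": dll, "reasons": reasons})
    return findings


# Constructed sample log (not real Sysmon output); examplelib.dll is a made-up name.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Windows\System32\examplelib.dll Signed=true SignatureStatus=Valid
EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true SignatureStatus=Valid
EventID=7 Image=C:\Users\alice\Downloads\app.exe ImageLoaded=C:\Users\alice\Downloads\examplelib.dll Signed=false SignatureStatus=Unavailable
EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\vendorui.dll Signed=true SignatureStatus=Valid
EventID=1 Image=C:\Users\alice\Downloads\app.exe CommandLine=app.exe
EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\ProgramData\Cache\plugin.dll Signed=false SignatureStatus=Unavailable
""".splitlines()


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding['process']} loaded {finding['dll']}: {'; '.join(finding['reasons'])}")
```

On a real host, export Event ID 7 records into the same key=value shape (or adapt `parse_event` to your SIEM's format) and feed them to `hunt`.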
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.