Daily Drop (704): CN: ASML Sales, Cozy Bear: HPE Emails, NSO: Fed Judge Rejects Motion, F-35: Software Delay, Kasseika, Apple AI, CherryLoader Malware, NSPX30, LODEINFO, China Dark Matter Experiment
01-25-24
Thursday, Jan 25 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding Proofs of Concept (PoC), where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to development of the full-scale project.*
ASML's China Sales Surge Despite US-Dutch Agreement to Limit Shipments
Bottom Line Up Front (BLUF): A confidential agreement between the US and the Netherlands to restrict ASML Holding NV’s shipments of advanced chipmaking equipment to China failed to prevent a significant surge in sales. ASML, essential in the semiconductor manufacturing process, turned to the Chinese market to offset weaker global demand, leading to China becoming ASML's largest market last year. The Dutch government, influenced by global economic conditions, permitted increased exports, allowing Chinese firms to stockpile equipment before the enforcement of new US-led export restrictions.
Analyst Comments: This development highlights the intricate dynamics of international trade and technology control in the semiconductor industry, a sector increasingly seen as vital for national security and economic competitiveness. The US's strategy to limit China's semiconductor capabilities is complicated by global market forces and the essential role of companies like ASML in the industry. The surge in sales to China, despite the secret US-Netherlands agreement, underscores China's determination to advance its semiconductor industry. This situation also reflects the challenges that multinational companies face in navigating geopolitical tensions, especially in industries crucial to global technological and economic infrastructure.
FROM THE MEDIA: ASML, the sole producer of machines needed for the most advanced semiconductors, found its products in high demand in China, especially as Beijing sought to circumvent impending export bans. Despite the agreement intended to prioritize shipments outside of China, the global downturn led ASML to push for and receive Dutch government approval for increased exports to China. This shift resulted in China becoming ASML's largest market in 2023. The situation raised concerns in the US, which has been intensifying efforts to restrict China's access to advanced semiconductor technology. The conflict between the US's strategic objectives and the realities of the global semiconductor market continues to evolve, with significant implications for the industry's future landscape.
READ THE STORY: Bloomberg
Hewlett Packard Enterprise (HPE) Suffers Email Breach by Russian Hacker Group 'Cozy Bear'/APT29/Midnight Blizzard
Bottom Line Up Front (BLUF): Hewlett Packard Enterprise (HPE) has recently reported a significant breach in its cloud-based email systems. The attack, which was disclosed in a filing with the Securities and Exchange Commission (SEC), was carried out by a Russian state-sponsored hacker group, widely known as 'Cozy Bear' or 'Midnight Blizzard'. This breach involved unauthorized access and subsequent data exfiltration from a small yet critical portion of HPE's mailboxes, primarily those belonging to individuals in cybersecurity and business functions.
Analyst Comments: The breach at HPE underscores the persistent threat posed by state-sponsored cyber actors, particularly those with Russian affiliations like APT29 or 'Cozy Bear'. This group has a notorious history, including involvement in the 2020 SolarWinds attack and the 2016 Democratic National Committee intrusion. The tactics used, such as password spraying, highlight a concerning trend of sophisticated actors utilizing relatively simple attack methods, which often exploit overlooked weaknesses like insufficient authentication measures. The repeated targeting of major tech firms like HPE and Microsoft signifies a broader strategic objective, possibly intelligence gathering or disruption. These incidents also reflect the increasing importance of robust cybersecurity measures in the tech industry, particularly for safeguarding sensitive communication channels like email.
FROM THE MEDIA: HPE's recent SEC filing revealed a significant cybersecurity incident involving unauthorized access to its cloud-based email environment, attributed to the Russian state-sponsored actor known as 'Cozy Bear'. The breach, detected in December 2023, originated from a small percentage of mailboxes, focusing on individuals in critical segments like cybersecurity. This followed an earlier incident in May 2023, where SharePoint files were compromised. Simultaneously, Microsoft reported a similar breach, where their senior leadership's email accounts were compromised by what is believed to be the same Russian threat actor. Both companies implemented immediate response measures, but the method of attack, password spraying, raises concerns about the security of cloud environments and the effectiveness of current cybersecurity practices.
READ THE STORY: The Register // THN
Federal Judge Rejects NSO Group's Motion to Dismiss Apple's Pegasus Lawsuit
Bottom Line Up Front (BLUF): A federal judge has rejected NSO Group's motion to dismiss Apple's lawsuit, which accuses the spyware maker of violating computer fraud laws through its Pegasus tool. The ruling affirms that NSO Group's actions fit the anti-hacking purpose of the Computer Fraud and Abuse Act (CFAA), with Pegasus being used globally to spy on human rights activists, journalists, and politicians.
Analyst Comments: The court's decision marks a significant moment in the ongoing battle against cybercrime and the misuse of surveillance technology. NSO Group's Pegasus software has been a contentious topic in international circles, cited for its role in enabling repressive regimes and others to conduct clandestine surveillance. This case also underscores the increasing legal scrutiny over cybersecurity practices and the ethical responsibilities of tech companies in the global digital landscape. It reflects a broader trend where technology firms are held accountable for how their products are used, especially when they impinge on privacy and human rights.
FROM THE MEDIA: NSO Group, known for its Pegasus spyware, has been challenged by Apple in a lawsuit alleging violations of computer fraud laws. The Northern California District judge upheld Apple's claims, noting that NSO's sale of Pegasus to governments worldwide aligns with the anti-hacking intentions of the CFAA. Pegasus's history of being used for spying hacks globally, including cases in the UAE, Spain, Mexico, and against journalists criticizing Russia's actions in Ukraine, highlights its controversial use. The Biden administration blacklisted NSO in 2021, citing misuse of its spyware. Amid declining profits and reputation damage, NSO is attempting to rehabilitate its image, including publishing a transparency report and lobbying against Biden administration regulations. Apple's lawsuit emphasizes the company's efforts and expenses in combating Pegasus, labeling NSO Group as "notorious hackers" and accusing them of exploiting Apple's systems through deceptive means.
READ THE STORY: The Record
Software Issues Delay F-35 Fighter Jet Deliveries Again
Bottom Line Up Front (BLUF): Lockheed Martin's F-35 fighter jets are facing delivery delays due to software challenges associated with the Technology Refresh 3 (TR-3) update. This delay continues a trend of challenges for the F-35 program, which has faced various issues since its inception. TR-3, a crucial part of the aircraft's modernization, includes enhancements in data processing, user interface, and various combat capabilities. Despite the company's efforts, the full implementation of TR-3 has been pushed back, impacting delivery schedules and overall program timelines.
Analyst Comments: The F-35 program's delay highlights the growing complexities and challenges in integrating advanced software systems into modern military aircraft. TR-3's focus on data processing, cybersecurity, and improved combat capabilities indicates an understanding of the evolving demands of modern warfare. However, the delay reflects the difficulties in aligning these advanced technological requirements with practical implementation. It also underscores the critical role of software in military aviation and the potential implications of delays on national security and defense preparedness. Lockheed Martin's challenge lies in balancing the need for advanced capabilities with the practical realities of software development and integration in a highly complex system like the F-35.
FROM THE MEDIA: Lockheed Martin initially planned to deliver TR-3 equipped F-35s in 2023 but has now shifted the target to the third quarter of 2024. These software delays follow a pattern of setbacks for the F-35 program, including issues with maintenance, training, parts availability, and escalating modernization costs. The GAO has reported concerns regarding the F-35's readiness and cost overruns, particularly with the Block 4 modernization, which has seen its costs increase significantly. The recent software challenges add to the program's growing list of difficulties, raising questions about the F-35's long-term viability and its ability to meet the evolving needs of the U.S. military and its allies.
READ THE STORY: The Register
Kasseika Ransomware Employs BYOVD Technique to Neutralize Security Measures
Bottom Line Up Front (BLUF): The ransomware group Kasseika is utilizing the Bring Your Own Vulnerable Driver (BYOVD) attack method to disable security processes on compromised Windows systems. This approach is part of a growing trend among ransomware groups like Akira, AvosLocker, and BlackByte. Kasseika, linked to the defunct BlackMatter group, uses phishing emails for initial access and employs various techniques, including a legitimate signed driver, to evade defenses and execute ransomware attacks.
Analyst Comments: The evolution of ransomware tactics, as seen in Kasseika's use of the BYOVD method, highlights the increasing sophistication of cybercriminal groups. This trend underscores the need for continuous adaptation in cybersecurity measures. The connection between Kasseika and previous groups like BlackMatter suggests a continual recycling and evolution of cybercriminal tools and strategies. Such developments reinforce the importance of proactive and dynamic security measures, emphasizing the need for organizations to stay ahead of emerging cyber threats through advanced security solutions and awareness training.
FROM THE MEDIA: Kasseika's attack chain begins with phishing emails, followed by the use of remote administration tools (RATs) for network infiltration. The group uses a legitimate signed driver, "Martini.sys," to disable 991 security tools, a step crucial to its defense evasion. The ransomware payload, executed via "Martini.exe," encrypts data using the ChaCha20 and RSA algorithms and demands a 50 bitcoin ransom within 72 hours. Kasseika also clears system event logs to cover its tracks. This operation is part of a larger trend of ransomware groups adopting sophisticated techniques to bypass security measures and execute their attacks effectively. Additionally, the BianLian ransomware group's shift from double extortion to encryptionless extortion attacks, as detailed by Palo Alto Networks Unit 42, indicates a dynamic and evolving ransomware landscape.
READ THE STORY: THN
Apple's on-device gen AI for the iPhone should surprise no-one. The way it does it might
Bottom Line Up Front (BLUF): Apple is subtly integrating generative AI into its iPhone devices, an unsurprising move given the tech giant's historical emphasis on machine learning. However, the constraints of mobile hardware indicate that significant AI features might not be a major part of iOS in the near future. Apple's approach, focusing on incremental improvements to user experience, contrasts with the generative AI hype seen in other tech companies. The company's neural processing units (NPUs) and the power of its A17 Pro chip suggest computational capability isn't the main obstacle, but memory could be a limiting factor for running larger AI models on Apple devices.
Analyst Comments: Apple's cautious approach to implementing generative AI mirrors its overall strategy of late adoption with refined execution. The company's existing AI usage, like photo handling, sets the stage for more complex applications. However, the challenge lies in balancing the need for more powerful AI models with the limitations of mobile hardware, especially memory. Apple's development of its own large language models indicates a desire to maintain control over AI integration, tailoring it to the specific needs and constraints of its devices. This approach may delay widespread AI features in iOS but could result in more efficient, effective, and user-centric AI implementations in the long run.
FROM THE MEDIA: Apple's AI efforts have been primarily behind-the-scenes, enhancing user experiences rather than headline-grabbing features. The company's NPUs, termed “Neural Engines,” have been handling AI workloads efficiently, suggesting that Apple's hardware is capable of more robust AI tasks. The potential memory constraint, a crucial aspect of running AI models, is a key consideration for Apple in developing its AI capabilities. A recent paper by Apple researchers hinted at running large language models (LLMs) using flash memory, suggesting innovative solutions to hardware limitations. As Apple ventures into generative AI, its cautious and conservative approach may avoid the pitfalls experienced by other companies that rushed to implement AI capabilities, aiming instead for a more reliable and user-friendly integration of AI into its ecosystem.
READ THE STORY: The Register
Google Kubernetes Engine Vulnerability Allows Any Google Account to Commandeer Kubernetes Clusters
Bottom Line Up Front (BLUF): A significant security loophole in Google Kubernetes Engine (GKE) has been identified, allowing any Google account holder to potentially take control of a Kubernetes cluster. This vulnerability, codenamed Sys:All, affects approximately 250,000 active GKE clusters, stemming from a misinterpretation of the system:authenticated group's scope in GKE. This issue highlights a critical need for enhanced security measures and awareness in cloud services.
Analyst Comments: The discovery of the Sys:All vulnerability in Google Kubernetes Engine underscores a pervasive challenge in cloud computing - the complexity and potential misconfiguration of security settings. The fact that this flaw could allow any Google account holder to control a Kubernetes cluster represents a severe oversight in access control mechanisms. It reflects a broader issue in cloud security where the ease of use and flexibility of cloud services can inadvertently lead to significant security risks. This situation serves as a reminder for organizations to rigorously evaluate and monitor their cloud infrastructure configurations, ensuring compliance with the principle of least privilege and safeguarding against such exploitable vulnerabilities.
FROM THE MEDIA: The vulnerability was identified by Orca Security, revealing that the system:authenticated group in GKE, which is presumed to include only verified identities, actually encompasses any Google-authenticated account. This misconfiguration can lead to unauthorized access and control of Kubernetes clusters by external actors using their Google OAuth 2.0 bearer token. Such access could lead to serious security incidents like lateral movement, cryptomining, and data theft. Google has responded by blocking the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later, and by implementing additional security measures. Despite these efforts, users are urged to review their configurations and ensure the system:authenticated group is not over-privileged, as there remains a risk of other roles and permissions being exploited.
READ THE STORY: THN // The Record
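One way to do the review the article urges, as an added example that is not from the article, Orca Security or Google: the script below reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` prints and lists every binding whose subjects include system:authenticated or system:unauthenticated, skipping the three discovery bindings Kubernetes creates by default. The `audit_live_cluster` helper assumes `kubectl` is on the PATH and pointed at the cluster; the sample data is constructed.

```python
"""Audit Kubernetes role bindings for grants to the broad built-in groups.

On GKE, system:authenticated includes any Google account, so any binding to it
beyond the default discovery roles deserves a look, and a binding to
cluster-admin is an emergency.
"""
import json
import subprocess
from typing import Iterable

# Built-in groups that are far broader than most operators expect.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Bindings Kubernetes ships by default for API discovery; these are expected.
DEFAULT_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_broad_bindings(items: Iterable[dict]) -> list[dict]:
    """Return one finding per (binding, broad group) pair, in input order."""
    findings = []
    for item in items:
        name = item["metadata"]["name"]
        if name in DEFAULT_BINDINGS:
            continue  # expected discovery roles
        role = item.get("roleRef", {}).get("name", "")
        namespace = item["metadata"].get("namespace")  # None for a ClusterRoleBinding
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append({
                    "binding": name,
                    "kind": item.get("kind", ""),
                    "namespace": namespace,
                    "role": role,
                    "group": subject["name"],
                    # cluster-admin to everyone is the Sys:All case; anything else is still high
                    "severity": "critical" if role == "cluster-admin" else "high",
                })
    return findings


def audit_live_cluster() -> list[dict]:
    """Run kubectl against the current context and audit the result (assumes kubectl)."""
    out = subprocess.check_output(
        ["kubectl", "get", "clusterrolebindings,rolebindings", "-A", "-o", "json"]
    )
    return find_broad_bindings(json.loads(out)["items"])


# Constructed sample: one dangerous binding, one default, one namespaced, one fine.
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "everyone-is-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "readers", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "ci-deployer", "namespace": "ci"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
]}

if __name__ == "__main__":
    for f in find_broad_bindings(SAMPLE["items"]):
        print(f"[{f['severity']}] {f['kind']} {f['binding']} "
              f"(ns={f['namespace']}) grants {f['role']} to {f['group']}")
```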
Ukrainian Hackers Target "Planeta" Russian Scientific Research Center
Bottom Line Up Front (BLUF): Ukrainian hackers, reportedly from the group "BO Team," have claimed responsibility for a cyberattack on the State Research Center on Space Hydrometeorology, known as "Planeta," a Russian scientific research center. They claim to have destroyed the center's database and valuable equipment and to have disrupted critical operations. Ukraine's defense intelligence directorate (GUR) reported significant damage, including the loss of weather and satellite data and impairment of supercomputers. The claims include a substantial financial impact on Russia, although independent verification remains elusive.
Analyst Comments: This incident illustrates the escalating cyber warfare aspect of the ongoing Russia-Ukraine conflict. The targeted facility, crucial for processing satellite data for Russian state entities, represents a strategic target in cyberspace. The attack, if confirmed, signifies a significant escalation in Ukraine's cyber capabilities and strategy, potentially disrupting Russian military and strategic operations. This follows a series of similar cyber operations attributed to Ukraine against Russian targets, reflecting a broader trend of state-sponsored or state-aligned cyber activities in contemporary conflicts. However, the lack of independent verification and direct acknowledgment from Ukraine's intelligence poses challenges in assessing the actual impact and the evolving nature of cyber warfare in this conflict.
FROM THE MEDIA: The attack on "Planeta" reportedly involved the destruction of servers and loss of critical data, with claims of paralyzing supercomputers and disrupting internal systems like air conditioning and power regulation. The hackers also mentioned cutting off internet at a Russian Arctic station with military significance. GUR estimated a financial loss of at least $10 million for Russia. This incident follows a series of cyberattacks by Ukrainian forces, including the IT Army of Ukraine's attack on Russian telecom company Akado and disruptive operations against Russia's state tax service and civil aviation agency. These actions, coupled with limited public evidence and mixed responses from Russian entities, highlight the growing use of cyberattacks as a tool in modern geopolitical conflicts.
READ THE STORY: THN
Cybercriminals Extract $1.7 Billion from Crypto Platforms in 2023
Bottom Line Up Front (BLUF): In 2023, cybercriminals stole $1.7 billion from cryptocurrency platforms, a decrease from the previous year's record high. However, the number of incidents rose, highlighting vulnerabilities in the crypto ecosystem. Chainalysis attributes the decline in total losses partly to improved security on decentralized finance (DeFi) platforms and a drop in overall DeFi activity. North Korean groups like Kimsuky and Lazarus Group contributed significantly to these thefts, with their attacks aimed at funding government activities, including their nuclear weapons program.
Analyst Comments: The decrease in the total value of stolen cryptocurrency, juxtaposed with an increase in the number of attacks, indicates a complex landscape in the crypto security domain. The attacks predominantly targeted DeFi platforms, reflecting their emerging status as lucrative targets for cybercriminals due to inherent vulnerabilities in smart contract design and implementation. This trend underscores a critical challenge in the crypto industry: balancing rapid growth with the need for robust security measures. The involvement of state-sponsored actors, particularly from North Korea, in these cyber thefts presents a worrying dimension, linking cryptocurrency thefts to broader geopolitical agendas and national security concerns.
FROM THE MEDIA: Despite the decline in total stolen value, several high-profile incidents occurred in 2023, including significant losses at Euler Finance, Curve Finance, Mixin Network, CoinEx, Poloniex Exchange, Kyber Network, and HTX. Experts attribute many of these breaches to inadequate or absent security audits and flaws in smart contract designs. Chainalysis notes a shift towards better security practices in the DeFi space, which may have contributed to the overall decline in stolen values. North Korean groups' involvement, characterized by sophisticated laundering tactics using platforms like Sinbad and Tron blockchain, reflects the state's reliance on cybercrime as a significant revenue source, circumventing international sanctions.
READ THE STORY: The Record
CherryLoader Malware Emerges, Impersonating CherryTree Application
Bottom Line Up Front (BLUF): CherryLoader, a new Go-based malware loader discovered by Arctic Wolf Labs, mimics the legitimate CherryTree note-taking app to deploy additional payloads for subsequent exploitation. It employs advanced techniques like process ghosting and features modular capabilities for swapping exploits without recompiling code. CherryLoader's primary targets are privilege escalation tools like PrintSpoofer and JuicyPotatoNG. The distribution method remains unclear, but it's housed in a RAR archive file on a specific IP address and uses multiple anti-analysis techniques, highlighting a sophisticated approach in modern malware attacks.
Analyst Comments: The emergence of CherryLoader underscores the evolving sophistication of cyber threats, where attackers not only exploit system vulnerabilities but also leverage social engineering through application impersonation. The use of Go language and modular design for exploit swapping signifies a trend towards more adaptable and resilient malware tools. CherryLoader's focus on privilege escalation exploits reflects a strategic approach to gain deeper access and control over compromised systems. The employment of process ghosting, a relatively new technique, indicates the attackers' adeptness at avoiding detection.
FROM THE MEDIA: CherryLoader operates by deceiving users into installing a malicious application that appears legitimate. The loader, along with associated files, is contained within a RAR archive, initiated by an executable that unpacks and launches the Go-based binary. It uses a hard-coded MD5 password hash to gate execution and keeps its alternative privilege escalation exploits encrypted, decrypting one in order to launch it. The loader activates PrintSpoofer or JuicyPotatoNG for escalating privileges and subsequently executes a script for persistence and for disabling security measures like Microsoft Defender. This multi-stage downloader's blend of encryption and anti-analysis techniques, along with its capacity to deploy various exploits without recompilation, demonstrates a high level of sophistication in the current cyber threat landscape.
READ THE STORY: THN
Study Reveals Factors Influencing Ransomware Payment Decisions
Bottom Line Up Front (BLUF): A study by Dutch researcher Tom Meurs, analyzing 382 ransomware attacks, reveals key factors influencing whether victims pay ransoms. Companies working with third-party incident response firms or having insurance coverage tend to pay higher ransoms. Data exfiltration increases the ransom amount but not the likelihood of payment. The study, focusing on attacks in the Netherlands from 2019-2022, shows that companies with insurance paid significantly higher ransoms, and those with backed-up data were less likely to pay, though they paid more when they did.
Analyst Comments: This research provides valuable insights into the decision-making process of ransomware victims. The inclination of insured companies to pay higher ransoms suggests a possible moral hazard, where the presence of insurance leads to higher ransom demands or increased willingness to pay. The critical role of data exfiltration in determining ransom amounts underscores the value of sensitive data as leverage in ransomware attacks. The findings also highlight a paradox where companies with backup systems, presumably better prepared for cyber incidents, end up paying more, possibly indicating the high value of their data. This study underscores the complexity of ransomware response strategies and the need for comprehensive risk management approaches, including effective incident response planning and robust data protection measures.
FROM THE MEDIA: Meurs' study, based on incidents reported to Dutch police and an incident responder, found that 28% of the 430 victims from 2019-2022 paid a ransom, with an average payment of about €431,000. Companies with insurance paid an average of €708,105, significantly more than those without. The study suggests moral hazard and ethical considerations as possible explanations for this trend. Data exfiltration, while not increasing the likelihood of payment, significantly raised the ransom amount. Companies engaging incident response firms were more likely to pay ransoms, and the IT sector, despite having a high rate of backups, paid more on average, likely due to the critical nature of their services.
READ THE STORY: The Record
"NSPX30" Spyware: China-backed Hackers Compromise Software Updates
Bottom Line Up Front (BLUF): A China-aligned threat group, Blackwood, has been using adversary-in-the-middle (AitM) attacks to hijack legitimate software updates and deliver the sophisticated NSPX30 implant. Discovered by ESET, this multi-stage implant targets Chinese and Japanese manufacturing, trading, and engineering companies, as well as individuals in the U.K. The malware has evolved from Project Wood, a 2005 malware, and is capable of bypassing Chinese anti-malware solutions, keystroke logging, and taking screenshots, among other functions.
Analyst Comments: The Blackwood group's method of delivering NSPX30 via compromised software updates represents a significant escalation in cyber espionage tactics. The use of legitimate software update processes as a vector for malware delivery highlights the sophistication and stealth of these attacks. This technique can effectively bypass conventional security measures and exploit the trust users have in software updates. The evolution of NSPX30 from earlier malware like Project Wood and its variants indicates a long-term development strategy in cyber espionage tools by state-backed actors. This tactic's successful deployment against targets in various sectors underscores the need for heightened security protocols, especially in supply chain and software update processes.
FROM THE MEDIA: NSPX30 is deployed via the update mechanisms of software like Tencent QQ, WPS Office, and Sogou Pinyin. The implant includes a dropper, an installer, loaders, an orchestrator, and a backdoor with multiple plugins. The dropper is delivered when the software downloads updates from servers over unencrypted HTTP, leading to system compromise. The loader then executes additional files, culminating in the execution of the orchestrator component and the backdoor. The threat actors have previously used compromised routers to distribute malware, suggesting a potential network implant in victims' networks. The backdoor can perform various functions, including creating a reverse shell, collecting file information, and uninstalling itself.
READ THE STORY: THN
Broadcom Axes VMware's Aria SaaS Amid Subscription Push
Bottom Line Up Front (BLUF): Broadcom has discontinued VMware's Aria SaaS, a cloud-based version of VMware's Aria management tools, as part of its move to offer VMware products only in bundled formats. This decision aligns with Broadcom's strategy of selling bundles and add-ons, deviating from VMware's past approach of providing some tools as standalone SaaS offerings. Aria SaaS was among 59 products that VMware ceased selling as standalone options, marking a significant shift in VMware's product strategy under Broadcom's ownership.
Analyst Comments: The discontinuation of Aria SaaS signifies a strategic pivot by Broadcom in the handling of VMware's product lineup, emphasizing bundled offerings over standalone SaaS solutions. This move could be seen as a step back from the flexibility and innovation associated with SaaS models, potentially impacting customers who preferred the cloud-based management tools. It reflects Broadcom's larger strategy of streamlining VMware's offerings into more comprehensive, but less customizable, bundles. This could lead to increased costs and complexity for VMware users, as they may now need to subscribe to larger bundles that include more products than required. The transition also raises questions about the future direction of VMware's product development and customer engagement in a rapidly evolving virtualization and cloud services market.
FROM THE MEDIA: Broadcom's decision to discontinue Aria SaaS follows its broader approach to restructure VMware's offerings into bundled packages, which can be run on-premises or as SaaS in various clouds. This shift has led to the cessation of several VMware products as standalone offerings, not all of which were included in the new bundles. While VMware has stated that there is no immediate action required for users of the discontinued products, the future for these users involves aligning with VMware's updated portfolio at the time of contract renewal. This change has been met with mixed reactions from the VMware user community, with concerns about the implications for value, flexibility, and cost of VMware products under Broadcom's new bundling strategy.
READ THE STORY: The Register
(CVE-2024-23897): A High-Risk Security Flaw in Jenkins Software
Bottom Line Up Front (BLUF): Jenkins, the open-source automation server, has resolved a critical security flaw (CVE-2024-23897) that could enable remote code execution (RCE). The vulnerability, identified as an arbitrary file read issue via the built-in command line interface (CLI), affected Jenkins versions 2.441 and earlier, and LTS 2.426.2 and earlier. This vulnerability could allow attackers to read arbitrary files on the Jenkins controller file system, leading to various potential attacks, including RCE, decryption of secrets, and deletion of items in Jenkins.
Analyst Comments: The discovery and prompt resolution of this critical vulnerability in Jenkins highlight the ongoing risks associated with open-source CI/CD tools in the software development lifecycle. The specific nature of this vulnerability, allowing arbitrary file access, presents a severe threat to systems using Jenkins, especially considering the widespread adoption of Jenkins in various development environments. The ability of attackers to exploit this flaw to conduct a range of malicious activities, from remote code execution to stealing sensitive data, underscores the importance of maintaining up-to-date security practices, including regular software updates and vigilant monitoring for unusual activities.
FROM THE MEDIA: The vulnerability in Jenkins was due to a feature in the command parser that replaces an '@' character followed by a file path in an argument with the file's contents. This feature was enabled by default, and the affected versions did not disable it, which is the root of the flaw. Attackers with "Overall/Read" permission could exploit this to read entire files, while those without this permission could read the first three lines of files, depending on the CLI commands used. Jenkins fixed the flaw in versions 2.442 and LTS 2.426.3 by disabling the command parser feature. As an interim solution, Jenkins recommends turning off access to the CLI.
READ THE STORY: THN // PoC: CVE-2024-23897
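As an added example for the item above (not code from Jenkins or from the article), the following Python triages an inventory of Jenkins versions against the fix thresholds the story gives (weekly 2.442, LTS 2.426.3) and models, with an in-memory mapping instead of the real file system, the '@file' argument expansion that the fix disables. Host names, versions and the virtual file are constructed sample data.

```python
"""Added example (not Jenkins' own code): patch triage for CVE-2024-23897 and a
toy model of the '@file' CLI argument expansion whose disabling is the fix."""

# Last affected versions named in the advisory summary above.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)


def parse_version(version: str) -> tuple:
    """Turn '2.441' or '2.426.3' into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the reported version still lacks the fix.

    Weekly releases carry two components (2.441), LTS releases three (2.426.2).
    Tuple comparison orders 2.414.3 before 2.426.2, so older LTS lines are
    flagged as affected as well, not only the 2.426 line.
    """
    v = parse_version(version)
    if len(v) == 3:
        return v <= LAST_AFFECTED_LTS
    return v <= LAST_AFFECTED_WEEKLY


def triage(inventory: dict) -> dict:
    """Map host -> 'patch' or 'ok' for a {host: version} inventory."""
    return {host: ("patch" if is_affected(ver) else "ok")
            for host, ver in inventory.items()}


def expand_at_arguments(args, virtual_files, expansion_enabled):
    """Toy model of the parser behaviour the story describes.

    With expansion_enabled=True an argument '@path' is replaced by the content
    stored under that path in the constructed in-memory mapping (never the real
    file system). With expansion_enabled=False, the fixed behaviour, every
    argument is passed through literally.
    """
    out = []
    for arg in args:
        if expansion_enabled and arg.startswith("@") and arg[1:] in virtual_files:
            out.append(virtual_files[arg[1:]])
        else:
            out.append(arg)
    return out


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "ci-weekly-old": "2.441",
    "ci-weekly-new": "2.442",
    "ci-lts-old": "2.414.3",
    "ci-lts-fixed": "2.426.3",
}

# Constructed in-memory "file" standing in for the controller file system.
SAMPLE_FILES = {"/opt/example/config.txt": "constructed-file-content"}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:10} {verdict}")
    cli_args = ["help", "@/opt/example/config.txt"]
    print("expansion on :", expand_at_arguments(cli_args, SAMPLE_FILES, True))
    print("expansion off:", expand_at_arguments(cli_args, SAMPLE_FILES, False))
```

The triage deliberately refuses to guess at version strings it cannot parse (release candidates, vendor builds), so an unparseable entry surfaces as an error to investigate rather than a silent "ok".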
Chinese APT Group Stone Panda Updates LODEINFO with Advanced Capabilities
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified updates in the LODEINFO fileless malware, used predominantly in spear-phishing attacks. The malware, attributed to the Chinese nation-state actor Stone Panda (APT10), has evolved to include new features and sophisticated anti-analysis techniques. LODEINFO's capabilities include executing arbitrary shellcode, capturing screenshots, and exfiltrating files. Recent updates have enhanced its evasion tactics and expanded its target range beyond Japanese language settings.
Analyst Comments: The evolution of LODEINFO malware underscores the continuous advancements in cyber-espionage tools by state-sponsored actors like Stone Panda. The addition of anti-analysis techniques in versions 0.6.6, 0.7.1, and 0.7.3 of LODEINFO indicates an increased emphasis on evading detection and enhancing operational stealth. The shift from targeting only Japanese environments to potentially broader targets is a significant development, suggesting an expansion in Stone Panda's operational scope. The fileless nature of LODEINFO, coupled with its advanced evasion tactics, poses a significant challenge for traditional cybersecurity defenses. Organizations, especially in the targeted sectors, should prioritize advanced endpoint security solutions capable of detecting and mitigating threats in memory, along with heightened vigilance in monitoring spear-phishing activities.
FROM THE MEDIA: LODEINFO is distributed through phishing emails containing malicious Microsoft Word documents. Upon opening, these documents execute VBA macros, leading to the deployment of the LODEINFO implant. The malware now includes remote template injection methods for executing malicious macros and has undergone changes to bypass language setting checks. Notably, the updated versions use a new intermediate stage involving a shellcode downloader that fetches a file masquerading as a Privacy-Enhanced Mail (PEM) from a command-and-control server, loading the backdoor directly into memory. This fileless malware requires specific countermeasures, such as products that can scan and detect threats in memory.
READ THE STORY: THN // Help Net Security
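The story above notes that the new LODEINFO stage fetches a file masquerading as Privacy-Enhanced Mail (PEM). As an added defender-side example (not code from the article or from the researchers it cites), the Python below checks whether a blob presented as PEM actually has PEM structure: matching BEGIN/END armour, base64 body lines of at most 64 characters, and a decoded body that is a single well-formed DER SEQUENCE. The sample inputs are constructed; the "certificate" is a minimal DER SEQUENCE, not a real certificate.

```python
"""Added example: structural PEM sanity check for downloaded content that
claims to be PEM. Not from the original article; samples are constructed."""
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def der_sequence_header(data: bytes):
    """Return (declared_length, header_size) for a top-level DER SEQUENCE,
    or None when the bytes do not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return first, 2
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return int.from_bytes(data[2:2 + n], "big"), 2 + n


def check_pem(text: str) -> dict:
    """Classify text as genuine PEM or not, listing every problem found."""
    problems = []
    label = None
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if len(lines) < 3:
        return {"is_pem": False, "label": None,
                "problems": ["too few lines for a PEM block"]}
    begin, end = _BEGIN.match(lines[0]), _END.match(lines[-1])
    if not begin or not end:
        problems.append("missing BEGIN/END armour lines")
    else:
        label = begin.group(1)
        if end.group(1) != label:
            problems.append("BEGIN and END labels differ")
    body = lines[1:-1]
    if any(len(ln) > 64 for ln in body):
        problems.append("body line longer than 64 characters")
    try:
        raw = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64")
        raw = b""
    if raw:
        hdr = der_sequence_header(raw)
        if hdr is None:
            problems.append("decoded body does not start with a DER SEQUENCE")
        elif hdr[0] + hdr[1] != len(raw):
            problems.append("DER SEQUENCE length does not match body size")
    return {"is_pem": not problems, "label": label, "problems": problems}


def _wrap(label: str, payload: bytes) -> str:
    """Build a PEM-shaped string around arbitrary bytes (for the samples)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples. GENUINE_PEM wraps a minimal DER SEQUENCE (INTEGER 5);
# FAKE_EXE_PEM wraps bytes with an executable-style header; BAD_BASE64_PEM has
# PEM armour around text that is not base64 at all.
GENUINE_PEM = _wrap("CERTIFICATE", b"\x30\x03\x02\x01\x05")
FAKE_EXE_PEM = _wrap("CERTIFICATE", b"MZ\x90\x00" + b"\x00" * 12)
BAD_BASE64_PEM = "-----BEGIN CERTIFICATE-----\nnot-base64-at-all!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE_PEM), ("fake-exe", FAKE_EXE_PEM),
                         ("bad-base64", BAD_BASE64_PEM)]:
        print(name, check_pem(sample))
```

This is a triage heuristic, not a malware detector: a wrapper whose body is valid DER would pass, so a passing result only means the blob is at least structurally what it claims to be, while a failing result on content fetched by a macro or downloader is worth an analyst's attention.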
Items of interest
China Inaugurates CJPL-II, Deepest Dark Matter Lab
Bottom Line Up Front (BLUF): China has unveiled the Jinping Underground Laboratory (CJPL-II), the world's largest and deepest underground laboratory dedicated to dark matter research. Situated 2,400 meters below the Jinping Mountains, this facility expands China's capabilities in exploring dark matter, a mysterious substance believed to constitute a significant portion of the universe's mass. The lab's deep location minimizes cosmic ray interference, enhancing the sensitivity of experiments like the Particle and Astrophysical Xenon Experiments (PandaX) and the China Dark Matter Experiment (CDEX).
Analyst Comments: The establishment of CJPL-II represents a significant advancement in the global pursuit of understanding dark matter. Its depth and size provide an ideal environment for conducting sensitive experiments that require minimal background noise. The upgrade of PandaX's detector and the expansion of CDEX highlight China's commitment to leading in this field of astrophysics. The lab's ability to shield experiments from cosmic rays and radioactive interference is crucial for detecting the weak signals that could reveal dark matter's presence. CJPL-II's scale and capabilities position it at the forefront of a global scientific effort, potentially enabling breakthroughs in our understanding of the universe.
FROM THE MEDIA: CJPL-II's operational commencement follows three years of construction, surpassing Italy's Gran Sasso National Laboratory in both depth and volume. The lab's deep underground setting provides an ultra-low cosmic ray environment, crucial for dark matter detection experiments. The PandaX team has already capitalized on the expanded facility by upgrading its liquid xenon detector capacity, enhancing its ability to detect potential dark matter collisions. Similarly, the CDEX team has upgraded to a larger germanium detector, targeting lower-mass dark matter particles. The goal of building even larger detectors aligns CJPL-II with other major global experiments, indicating a competitive yet collaborative international landscape in dark matter research.
READ THE STORY: SCI AM
China's hidden wonder: China Dark Matter Experiment (CDEX) (Video)
FROM THE MEDIA: The China Dark Matter Experiment (CDEX) is a key scientific initiative aimed at detecting and understanding dark matter, a hypothesized form of matter that is believed to constitute most of the universe's mass but remains undetected by conventional means. CDEX, operating as part of the China Jinping Underground Laboratory (CJPL), uses advanced detectors to search for weakly interacting massive particles (WIMPs), one of the prime candidates for dark matter.
Yong Yang: Recent results and Status of PandaX experiment (Video)
FROM THE MEDIA: The PandaX project is a staged, xenon-based search for dark matter and other rare events, located at the China Jinping Underground Laboratory (CJPL). The second phase of the project, PandaX-II, with 580 kg of liquid xenon in the sensitive volume, concluded its mission in 2019. The next experiment, PandaX-4T, is a 4-ton-scale liquid xenon experiment expected to be one order of magnitude more sensitive than PandaX-II. In this talk we will present the latest dark matter and new-physics search results using the full data collected from March 2016 to August 2018. The progress and status of PandaX-4T will be discussed.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.