Daily Drop (707): Volt Typhoon, RU: Telegram, Iran and Hells Angels, Myanmar: KK Park Compound, CVE-2023-35636, Ukraine’s POW Agency, Amazon Rekognition AI, UK Biometrics
01-30-24
Tuesday, Jan 30 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
Note: starting with this issue, Proof of Concept (PoC) links are added, where available, for the CVEs mentioned.
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.
U.S. Government Disrupts Major Chinese Cyber Operation Targeting Critical Infrastructure
Bottom Line Up Front (BLUF): The U.S. government has successfully disrupted parts of a significant Chinese hacking campaign, "Volt Typhoon," which targeted critical infrastructure in the U.S., including power plants and communication hubs. The operation involved disabling infected internet-connected devices used as launchpads for further attacks.
Analyst Comments: This decisive action by the U.S. government against Chinese cyber operations underscores the increasing importance of cybersecurity in national defense strategies. The Volt Typhoon campaign's focus on critical infrastructure highlights a growing trend where state-sponsored cyber activities are not just about espionage but also potential pre-emptive positioning for sabotage in geopolitical conflicts. The collaboration between the U.S. government and the private sector in this operation reflects the need for a unified approach to counter sophisticated cyber threats. It also demonstrates the evolving nature of cyber warfare, where disruption and prevention are becoming as crucial as detection and defense.
FROM THE MEDIA: The U.S. Justice Department, in cooperation with the FBI, obtained legal authorization to neutralize parts of the Chinese hacking operation known as Volt Typhoon. This campaign, revealed by Microsoft in May 2023, has targeted U.S. critical infrastructure and has expanded its scope and techniques since its detection. The operation's disruption involved deactivating internet-connected devices like routers and webcams infected with malware, which were being used as a base for further attacks. These breaches could potentially allow China to disrupt important U.S. facilities, especially those supporting military operations in the Indo-Pacific region. The Volt Typhoon campaign has evaded detection by embedding into computer networks, ready to initiate further damaging attacks.
READ THE STORY: The Messenger // Security Weekly
Russia's Covert Influence on Telegram: A Tool in the Hybrid War?
Bottom Line Up Front (BLUF): Amid growing concerns about its ties to the Kremlin, Telegram, a popular messaging app, is under scrutiny for potentially being influenced by Russian intelligence services. Despite denials from its founder, Pavel Durov, evidence suggests that Telegram may be part of Russia's broader strategy in its hybrid warfare.
Analyst Comments: The increasing popularity of Telegram in Ukraine and globally, paired with its murky connections to the Russian state, poses significant cybersecurity and propaganda risks. The historical parallels drawn with the World War II Enigma machine underscore the potential for encrypted communication tools to be exploited in modern conflicts. Telegram's use of the MTProto encryption protocol and the financial and personal ties of its management to Russia further fuel suspicions about the app's reliability and independence. Moreover, the involvement of Russian investors and the selective enforcement of Telegram's policies in conflict zones indicate possible manipulation. If Telegram is indeed compromised, it could serve as a strategic tool for Russia to disseminate misinformation, gather intelligence, and potentially destabilize opposing nations.
FROM THE MEDIA: Telegram's surge in popularity, particularly in Ukraine since the Russian invasion, has raised concerns about its security and independence. Founded by Pavel Durov, who previously clashed with the Russian government over privacy issues, Telegram's connections to Russia are nonetheless questioned. Durov's refusal to explicitly condemn Russia's invasion and the potential ties of Telegram team members to Russian authorities are worrying. The app's funding sources, including investments from individuals and entities closely associated with the Kremlin, add to these concerns. Telegram's use of Russian-origin companies for network traffic transmission also raises red flags. Instances of channel interference in occupied Ukrainian cities and the shutdown of discussions on sensitive topics further suggest external manipulation of the app. Ukrainian cybersecurity experts and state organizations are moving away from Telegram, citing its questionable jurisdiction and Kremlin connections.
READ THE STORY: DW
U.S. Charges Iranian Drug Trafficker and Hells Angel Member in Plot to Assassinate Iranian Defector
Bottom Line Up Front (BLUF): The U.S. has charged Naji Sharifi Zindashti, an Iranian drug trafficker with ties to Iran’s intelligence services, for recruiting a Hells Angels member in a plot to murder an Iranian defector in Maryland. This case highlights Iran's increasing use of organized crime networks for state-sponsored operations, blurring the lines between criminal and geopolitical activities.
Analyst Comments: This case is a striking example of how state actors, particularly Iran's intelligence apparatus, are increasingly collaborating with global criminal networks to execute covert operations. The involvement of the Hells Angels, a notorious motorcycle club, in an Iranian state-sponsored assassination plot is unprecedented and signals a new dimension in Iran's transnational repression tactics. Historically, Iran has relied on its Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence for such operations. The shift towards using external criminal groups like the Hells Angels indicates a strategy to maintain plausible deniability and obscure direct links to the Iranian government. This approach also reflects a broader trend in international relations, where state actors utilize non-state agents to carry out politically motivated actions, complicating international law enforcement and diplomatic responses.
FROM THE MEDIA: Naji Sharifi Zindashti, an alleged Iranian drug trafficker linked to Iran's intelligence services, has been indicted in the U.S. for recruiting a Hells Angels member to assassinate an Iranian defector in Maryland. Zindashti, who is still at large in Iran, and his network are accused of conducting transnational repression, including assassinations and kidnappings. The U.S. and U.K. have imposed sanctions on his network, which is said to operate under Iran's Ministry of Intelligence and Security. The MI5, Britain’s counterintelligence agency, has reportedly foiled numerous Iranian plots targeting dissidents and journalists in the U.K. These operations are part of a broader pattern of Iran's use of organized criminal groups to carry out state-sponsored actions while maintaining plausible deniability. The indictment details communications between Zindashti and Canadian Hells Angel member Damion Ryan, planning the assassination and discussing payment. Both Ryan and another defendant, Adam Pearson, have been arrested on unrelated offenses.
READ THE STORY: The Record
Scam Factory in Myanmar: A Hub of Cyber Slavery Run by Chinese Mafia
Bottom Line Up Front (BLUF): Thousands of individuals are being trafficked into Myanmar's war-torn east, particularly into a notorious compound known as KK Park, where they are coerced into conducting global scam operations. These operations are linked to a vast criminal network and a notorious Chinese Triad boss.
Analyst Comments: The situation in Myanmar, particularly in the KK Park compound, highlights a disturbing trend where human trafficking and cybercrime converge. This operation, allegedly connected to the Chinese mafia, underscores the complexity and international scope of modern criminal enterprises. The involvement of a Chinese Triad boss in these operations illustrates the scale at which organized crime can operate, leveraging the vulnerabilities in conflict zones like Myanmar. The victims, trafficked under false pretenses and forced into cybercrime, are a stark reminder of the human cost of these illicit networks. The use of cryptocurrency in these scams also reflects the evolving nature of cybercrime, where digital currencies are exploited for their anonymity and cross-border transfer ease.
FROM THE MEDIA: Thousands are trafficked into Myanmar's KK Park, forced into scamming people in the US, Europe, and China. Survivors describe severe conditions, including surveillance, torture, and murders. The operation's bosses are allegedly Chinese, with local enablers from Myanmar's Border Guard Force. The money trail leads to cryptocurrency wallets linked to a Chinese businessman in Thailand and further to a Chinese mafia network. This network is associated with Wan Kuok Koi, a former 14K triad boss, who promotes China's Belt and Road Initiative while being involved in organized crime.
READ THE STORY: DW
(CVE-2023-35636) Microsoft Outlook Vulnerability Exposed User NTLM Passwords
Bottom Line Up Front (BLUF): A security vulnerability in Microsoft Outlook, identified as CVE-2023-35636, could enable attackers to acquire NTLM v2 hashed passwords. Though now patched, this vulnerability posed a significant risk to user credentials, highlighting ongoing challenges in software security.
Analyst Comments: The discovery and subsequent patching of the CVE-2023-35636 vulnerability in Microsoft Outlook represent a critical step in maintaining cybersecurity. The exploit's mechanism, relying on a user opening a specially crafted file, is a common tactic in cyber attacks, emphasizing the need for continued vigilance in digital communications. NTLM's vulnerabilities, notably its susceptibility to relay and brute-force attacks, underscore the ongoing evolution of cybersecurity threats and defenses. Microsoft's move to discontinue NTLM in Windows 11, in favor of more secure alternatives like Kerberos, reflects a proactive approach to enhancing security in the face of evolving threats.
FROM THE MEDIA: The CVE-2023-35636 vulnerability in Microsoft Outlook, now patched, enabled attackers to obtain NT LAN Manager (NTLM) v2 hashed passwords by tricking users into opening a malicious file. The flaw was rooted in Outlook's calendar-sharing function, where two specific headers in an email could cause the victim's client to authenticate to an attacker-controlled server and expose the NTLM hash. While Microsoft has patched this vulnerability, security researcher Dolev Taler noted that similar attacks leveraging Windows Performance Analyzer and Windows File Explorer remain unpatched. These methods pose a risk of relay and offline brute-force attacks. Microsoft's decision to phase out NTLM in Windows 11, due to its lack of support for modern cryptographic methods and its vulnerability to relay attacks, highlights a shift towards more secure authentication methods like Kerberos. This case illustrates the continuous need for vigilance and proactive measures in cybersecurity.
Ukraine’s POW Agency Targeted in Cyberattack Amid Ongoing Conflict with Russia
Bottom Line Up Front (BLUF): The Ukrainian agency responsible for handling prisoners of war reported a distributed denial-of-service (DDoS) attack, amidst heightened tensions following the crash of a Russian transport plane. The cyberattack, part of the ongoing cyber warfare between Ukraine and Russia, aligns with Russia's increased cyber-espionage efforts targeting Ukrainian military and government agencies.
FROM THE MEDIA: Ukraine's agency overseeing the treatment of prisoners of war reported a DDoS attack, which it links to Moscow, following a recent Russian plane crash. The agency, involved in prisoner exchanges and dealing with missing military personnel, has restored access to its website. The hacker group responsible has not been identified, but the agency connects the attack to the plane crash, suggesting a retaliatory motive. The plane, carrying Ukrainian POWs for a swap, crashed in Belgorod, Russia, killing all onboard. Ukraine has called for an international investigation into the crash, which Russia opposes. The National Cybersecurity Coordination Center in Ukraine has warned of increased phishing attacks targeting the Ukrainian military, attributing them to Fancy Bear, a Russian state-sponsored hacker group. These cyberattacks are part of a broader pattern of Russian cyber-espionage aimed at destabilizing Ukrainian society and gaining military intelligence.
READ THE STORY: The Record
FBI to Utilize Amazon Rekognition AI for Detecting Nudity, Weapons, and Explosives
Bottom Line Up Front (BLUF): The FBI plans to deploy Amazon's Rekognition AI technology, under Project Tyr, to analyze images and videos for detecting nudity, weapons, explosives, and other information. This move has sparked concerns about increased warrantless surveillance and privacy infringement, despite Amazon's previous pledge to restrict police use of Rekognition for facial recognition.
Analyst Comments: The FBI's decision to integrate Amazon Rekognition into its investigative toolkit marks a significant development in law enforcement's use of advanced AI technologies. This move raises critical questions about the balance between technological advancement in law enforcement and the safeguarding of individual privacy. Amazon's Rekognition, known for its facial recognition capabilities, has been contentious due to potential misuse and privacy concerns. The FBI's use of this technology, particularly for detecting specific content like nudity and weapons, treads into sensitive areas of privacy and civil liberties. While the technology could enhance law enforcement capabilities, especially in detecting and preventing criminal activities, it also necessitates strict oversight and clear regulatory frameworks to prevent abuse and protect citizens' rights.
FROM THE MEDIA: The FBI's upcoming use of Amazon Rekognition, named Project Tyr, is aimed at extracting insights from legally acquired images and videos. This project, currently in the initiation phase, involves using Rekognition's capabilities to identify items containing nudity, weapons, explosives, and other identifying details. Despite Amazon's indefinite ban on police use of Rekognition's facial recognition, the FBI's use doesn't violate this moratorium, as it focuses on non-facial analysis features. This development occurs amidst growing concerns about warrantless surveillance, especially involving the FBI. Recently, Amazon restricted law enforcement's access to Ring video footage, requiring a warrant.
READ THE STORY: The Register
Canadian Malware Spreader Sentenced to 2 Years in Prison
Bottom Line Up Front (BLUF): A Canadian court has sentenced Matthew Philbert, 33, to a two-year prison term for coordinating ransomware and malware attacks on various targets, including private citizens, businesses, and government agencies. Philbert pleaded guilty to charges of fraud and unauthorized computer access, with more than 1,100 victims identified during the investigation.
Analyst Comments: Matthew Philbert's activities led to significant financial losses, with some attacks resulting in thousands of dollars in fraud. Notably, he stole over $10,000 from a family-run business and targeted three Canadian police departments and a charity organization. Philbert's arrest in 2021 and subsequent sentencing highlight the severity of cybercrimes and the legal consequences they entail. Moreover, his phishing tactics, using disguised resumes to deliver malware, underscore the importance of cybersecurity awareness.
FROM THE MEDIA: Philbert, 33, pleaded guilty to charges of fraud and unauthorized computer access. The investigation uncovered more than 1,100 victims, including a family-run business that suffered a substantial loss of over $10,000. Additionally, Canadian police departments and a charity organization were among his targets. Philbert's arrest and sentencing serve as a stark reminder of the legal consequences associated with cybercrimes, emphasizing the need for robust cybersecurity measures in today's digital landscape. His use of deceptive resumes to propagate malware highlights the importance of vigilance against phishing attacks.
READ THE STORY: The Record
UK Biometrics Governance in Disarray: Commissioner's Departure Highlights Systemic Failings
Bottom Line Up Front (BLUF): Dr. Fraser Sampson, the UK's outgoing biometrics and surveillance commissioner, criticizes the Home Office's handling of biometrics technology in his final annual report. The report highlights a series of bureaucratic and technological issues, underscoring the need for more effective governance in this rapidly evolving field.
Analyst Comments: Dr. Sampson's report is a stark reminder of the challenges facing government institutions in adapting to and regulating emerging technologies like biometrics and surveillance cameras. The upcoming abolishment of the commissioner's role, as part of the Data Protection and Digital Information (DPDI) Bill, raises concerns about future oversight and ethical governance of such technologies. Sampson's frustration with bureaucratic hurdles and resource constraints reflects a broader issue in government agencies struggling to keep pace with technological advancements. The problems with the National Security Determinations (NSDs) system, including IT issues leading to inaccurate data retention and challenges in amendment processes, indicate a systemic failure in managing sensitive biometric data.
READ THE STORY: The Register
IRGC Cyber Operations: In-Depth Analysis of Iranian Networks and Companies
Bottom Line Up Front (BLUF): The Insikt Group's report reveals extensive cyber activities by Iranian intelligence and military entities associated with the Islamic Revolutionary Guard Corps (IRGC), focusing on espionage, ransomware attacks, and destabilization efforts targeting Western countries through a network of contracting companies.
Analyst Comments: This report underscores the sophisticated nature of state-sponsored cyber operations, particularly those conducted by the IRGC, a significant player in Iran's geopolitical and military strategy. The involvement of various contractors in these operations indicates a broad and well-coordinated effort to execute cyber-attacks and information warfare. This development is particularly concerning given the IRGC's history and its designation as a foreign terrorist organization by some countries. The use of cyber contractors allows for plausible deniability and increases the challenge of attribution in cyber warfare. Furthermore, the report's findings about the IRGC's involvement in developing technologies for surveillance and human rights abuses highlight the expanding role of cyber capabilities in state-sponsored internal suppression and external aggression.
FROM THE MEDIA: The report by the Insikt Group® discusses Iranian intelligence and military entities linked to the IRGC involved in cyber activities against Western targets. These activities, carried out through a network of contracting companies, include espionage, ransomware attacks, and destabilization campaigns. The victims span various sectors including government, media, NGOs, critical infrastructure, and healthcare. The IRGC's cyber program, supported by contractors, also involves the development of surveillance technologies contributing to human rights abuses. Financial activities of these contractors in countries like Iraq, Syria, and Lebanon suggest connections with the IRGC Quds Force for funding and support.
READ THE STORY: RecordedFuture
EU Sanctions Russian Internet Censorship Agency and Its Leader
Bottom Line Up Front (BLUF): The European Council has sanctioned the Russian Safe Internet League and its chairwoman, Ekaterina Mizulina, for their role in enforcing internet censorship and systematic repression in Russia. These sanctions are in response to the ongoing deterioration of human rights and freedom of expression in the country.
Analyst Comments: This move by the European Council represents a significant stance against Russia's internet censorship and human rights abuses. The Safe Internet League, initially founded to combat harmful online content, has progressively evolved into an instrument of state censorship, especially against content perceived as threatening to the Kremlin. Ekaterina Mizulina's involvement, considering her lineage and her mother's controversial political history, further underscores the intertwined nature of personal and political agendas in Russia's censorship practices.
FROM THE MEDIA: The European Council's sanctions target the Safe Internet League, accusing it of aiding the Russian government in censorship, and its chairwoman, Ekaterina Mizulina, for abuses of freedom of opinion and expression. The sanctions extend to three individuals in the Russian judicial system linked to human rights violations, including the case of journalist Vladimir Kara-Murza. The sanctions entail asset freezes, travel bans within the EU, and prohibition of financial contributions to these individuals. The EU's condemnation aligns with a growing concern over Russia's expansive legislation restricting civil society, media, and opposition. The Safe Internet League, established in 2011, has increasingly targeted a range of content, including LGBTQ+ material and independent artists. Ekaterina Mizulina, daughter of Yelena Mizulina, a politician known for supporting Crimea's annexation and imposing restrictions on LGBTQ+ rights, has vowed to continue her work despite the sanctions.
READ THE STORY: The Register
Juniper Networks Releases Updates for High-Severity Flaws in Junos OS
Bottom Line Up Front (BLUF): Juniper Networks has issued urgent updates for its Junos OS to address high-severity vulnerabilities in SRX and EX Series. These flaws could potentially allow threat actors to control affected systems or execute arbitrary commands.
Analyst Comments: The identification and swift response to these vulnerabilities by Juniper Networks underscores the ongoing challenge of ensuring cybersecurity in complex network environments. The severity of these vulnerabilities, particularly CVE-2024-21620 with a high CVSS score, highlights the potential risks to network security and the importance of timely patch management. This situation also reflects a broader trend in cybersecurity where vulnerabilities in widely used network systems can have significant implications for the security of numerous organizations. The involvement of watchTowr Labs in discovering these issues demonstrates the critical role of independent cybersecurity research in identifying and mitigating potential threats.
FROM THE MEDIA: Juniper Networks has released updates to mitigate high-severity flaws in its Junos OS, affecting SRX and EX Series. These include CVE-2024-21619, a missing authentication vulnerability, and CVE-2024-21620, a cross-site scripting vulnerability. Both vulnerabilities have been patched in several Junos OS versions. The company advises users to disable J-Web or restrict access to it as a temporary measure. These updates follow the discovery of other significant vulnerabilities in the same OS, like CVE-2024-21591, which could enable denial-of-service or remote code execution. These flaws were highlighted by cybersecurity firm watchTowr Labs, and two of them were added to the Known Exploited Vulnerabilities catalog by CISA due to evidence of active exploitation.
READ THE STORY: THN // PoC: CVE-2023-36846 (Chained)
Transitioning to the Angstrom Era: The End of Nanometer-Scaled Chip Manufacturing
Bottom Line Up Front (BLUF): As the nanometer era in semiconductor manufacturing nears its end, with 3nm production maturing and 2nm on the horizon, TSMC is reportedly planning for a 1nm fab. This shift signifies a transition to the angstrom age in chip production, highlighting the evolving landscape of semiconductor technology.
Analyst Comments: The semiconductor industry is at a pivotal juncture, with traditional nanometer-scale manufacturing reaching its physical and economic limits. The shift towards angstrom-scale processes, such as Intel's upcoming 20A technology, is not just a continuation of Moore's Law but a transformation in how chips are designed and produced. This transition represents a significant technological leap, necessitating new manufacturing techniques like gate-all-around (GAA) transistors. These advancements in chip architecture, along with developments in packaging and power delivery, are critical for maintaining the pace of innovation in computing power. However, they also pose substantial challenges, including increased complexity in design and manufacturing, and potential escalation in costs.
FROM THE MEDIA: The nanometer era in chip manufacturing is concluding, with TSMC planning a 1nm fab and Intel preparing to launch its 20A (20 angstroms) process technology. The shift from nanometers to angstroms as a descriptor reflects the maturity of transistor technology and the move away from FinFET to GAA (Gate-All-Around) transistors or Intel's RibbonFETs, enabling higher transistor density and better power efficiency. However, as semiconductor manufacturing reaches these ultra-small scales, the industry faces diminishing returns in performance gains relative to power consumption. Innovations in chip packaging and power delivery are emerging as crucial factors. Technologies like heterogeneous packaging, backside power delivery, and silicon photonics are gaining importance, indicating a significant departure from traditional manufacturing methods.
READ THE STORY: The Register
China-Linked Cyber Espionage in Myanmar: Mustang Panda's Backdoor Blitz on Top Ministries
Bottom Line Up Front (BLUF): The China-based cyberespionage group Mustang Panda has been implicated in recent sophisticated cyber attacks on Myanmar's Ministry of Defence and Foreign Affairs, deploying backdoors and remote access trojans to harvest sensitive information.
Analyst Comments: Mustang Panda's latest cyber operations against Myanmar's key ministries reflect an ongoing trend of state-sponsored cyberespionage in geopolitical hotspots. These attacks, using advanced techniques like DLL sideloading and exploiting legitimate software, indicate a high level of sophistication and strategic targeting. The group's history of aligning its activities with Chinese government interests suggests these attacks may be part of broader geopolitical maneuvering in the region. This situation highlights the escalating cyber threat landscape where nation-states increasingly utilize cyber capabilities to advance their geopolitical agendas, often targeting other nations' critical infrastructures and government networks.
FROM THE MEDIA: Mustang Panda, identified under various aliases like Bronze President and RedDelta, has been active since at least 2012 and is known for its cyberespionage campaigns. The group recently targeted Myanmar's Ministry of Defence and Foreign Affairs using phishing emails with malicious attachments to deploy backdoors like PUBLOAD and PlugX. These attacks, identified by CSIRT-CTI, utilized legitimate software for DLL sideloading, a technique that exploits the way Windows searches for DLL files. The group's efforts to disguise command-and-control traffic as Microsoft update traffic highlight their sophisticated methods to evade detection. Mustang Panda's activities align with the geopolitical interests of the Chinese government, including previous operations against Myanmar.
READ THE STORY: THN
Items of interest
Insikt Group's Research Highlights the Abuse of GitHub Services by APTs for Cyberattacks
Bottom Line Up Front (BLUF): Insikt Group's recent research reveals a significant trend in cybercriminals and advanced persistent threats (APTs) exploiting GitHub's services for malicious activities. These activities range from payload delivery to command-and-control operations. The report emphasizes the challenges in detecting such abuses due to their blend with legitimate traffic and the need for improved defense strategies.
Analyst Comments: The increasing abuse of GitHub by cybercriminals marks a significant shift in cyberattack strategies. The use of trusted sites like GitHub allows threat actors to evade traditional security measures, complicating the task of cybersecurity teams. This trend reflects a broader evolution in cyber warfare tactics, where legitimate platforms are subverted for malicious purposes. Historical context shows that as technology platforms grow in popularity and utility, they become more attractive targets for exploitation. The report’s focus on the "living-off-trusted-sites" (LOTS) approach indicates a sophisticated understanding of this evolving threat landscape. The suggested strategies for defense highlight the need for a dynamic and informed approach to cybersecurity, tailored to the changing tactics of cyber adversaries.
FROM THE MEDIA: Insikt Group's research discusses the growing misuse of GitHub for various cybercriminal activities by cybercriminals and APTs. GitHub’s popularity and integration into normal network traffic make it an ideal platform for illicit operations like payload delivery, dead drop resolving, full command-and-control, and data exfiltration. The research underscores a trend towards the "living-off-trusted-sites" approach among APTs and predicts its adoption by less sophisticated groups. Short-term defense strategies suggested include flagging or blocking specific GitHub services known for malicious use. For long-term solutions, the development of sophisticated detection mechanisms is essential. The study also points out that legitimate internet services will increasingly become third-party risk vectors. Mitigation strategies will likely involve advanced detection methods and a greater role for service providers like GitHub in combating these abuses.
READ THE STORY: RecordedFuture
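The short-term defence the report suggests, flagging access to specific GitHub services, only works if scripted fetches and dead-drop polling can be told apart from developer traffic. The detection below is an added example (not from the Insikt Group report or the video that follows): it runs over constructed proxy log lines and flags GitHub-service access from non-developer hosts, scripted user agents, and fixed-interval polling of one URL; the log format, the developer allowlist and the choice of watched hosts are assumptions.

```python
"""Flag GitHub-service access that fits the living-off-trusted-sites
pattern (payload download, dead-drop resolving, C2 polling).
Added example, not from the Insikt Group report."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# GitHub services a short-term rule might watch; the set is a policy
# choice for each organisation (assumption).
WATCHED_HOSTS = {"raw.githubusercontent.com", "gist.github.com",
                 "api.github.com", "objects.githubusercontent.com"}
DEVELOPER_HOSTS = {"10.0.5.21"}  # assumption: known developer workstations
SCRIPTED_UA = re.compile(r"powershell|curl|wget|python|go-http", re.I)

# Constructed proxy log lines: time src_ip dst_host path user_agent
SAMPLE_LOG = """\
2024-01-30T09:00:00 10.0.5.21 api.github.com /repos/acme/app/pulls Mozilla/5.0
2024-01-30T09:00:05 10.0.7.44 raw.githubusercontent.com /u1/r1/main/cfg.txt WindowsPowerShell/5.1
2024-01-30T09:05:05 10.0.7.44 raw.githubusercontent.com /u1/r1/main/cfg.txt WindowsPowerShell/5.1
2024-01-30T09:10:04 10.0.7.44 raw.githubusercontent.com /u1/r1/main/cfg.txt WindowsPowerShell/5.1
2024-01-30T09:15:06 10.0.7.44 raw.githubusercontent.com /u1/r1/main/cfg.txt WindowsPowerShell/5.1
2024-01-30T09:20:00 10.0.9.12 objects.githubusercontent.com /release/tool.zip Mozilla/5.0
2024-01-30T09:21:00 10.0.5.21 gist.github.com /dev/abc123 git/2.43
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (.+)")


def parse(log: str) -> list[tuple]:
    """Parse log lines into (timestamp, src_ip, host, path, user_agent)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, host, path, ua = m.groups()
            events.append((datetime.fromisoformat(ts), src, host, path, ua))
    return events


def flag_events(log: str, min_polls: int = 4,
                max_jitter_s: float = 30.0) -> list[tuple[str, str]]:
    """Return sorted (src_ip, reason) pairs for suspicious GitHub access."""
    findings: set[tuple[str, str]] = set()
    series: dict[tuple, list[datetime]] = defaultdict(list)
    for ts, src, host, path, ua in parse(log):
        if host not in WATCHED_HOSTS:
            continue
        # Developers legitimately hit these services; other hosts rarely do.
        if src not in DEVELOPER_HOSTS:
            findings.add((src, f"non-developer host reached {host}"))
        # Script and download-cradle user agents rather than browsers/git.
        if SCRIPTED_UA.search(ua):
            findings.add((src, f"scripted client '{ua}' fetched {host}{path}"))
        series[(src, host, path)].append(ts)
    # Dead-drop/C2 polling: the same URL fetched repeatedly at a steady interval.
    for (src, host, path), times in series.items():
        if len(times) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if statistics.pstdev(gaps) <= max_jitter_s:
                findings.add((src, f"periodic polling of {host}{path} "
                                   f"every ~{statistics.mean(gaps):.0f}s"))
    return sorted(findings)


if __name__ == "__main__":
    for src, reason in flag_events(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Polling intervals in real malware are often jittered, so the `max_jitter_s` threshold should be tuned against the traffic of the environment rather than left at the sample value.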
Ransomware As A Service (RaaS): Evolution, Implications and Countermeasures (Video)
FROM THE MEDIA: Ransomware, once a threat limited to expert cyber criminals, has been democratized through the advent of Ransomware as a Service (RaaS) business models, exacerbating the already significant challenge of cyber threat mitigation. This paper proposes to investigate the escalating phenomenon of RaaS, its evolution, impact on the cybersecurity landscape, and effective countermeasures.
Windows Malware using Github as C2 (Command and Control) (Video)
FROM THE MEDIA: This video showcases how trivial it can be to build a Windows program that uses public infrastructure and services, such as a GitHub repository, as a command-and-control (C2) channel.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.