Daily Drop (710): US: OSINT vs CN, Anonymous Sudan, CN: Crypto Anti-Laundering, Bao Fan, Joshua Schulte (POS), DirtyMoe/PurpleFox, Operation Synergia, Okta Creds, FritzFrog, Blackbaud, RU: Spies
02-02-24
Friday, Feb 02 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding Proofs of Concept (PoC), where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.*
The Evolution and Contrast of Open Source Intelligence in the U.S. and China
Bottom Line Up Front (BLUF): The United States and China hold fundamentally different views on the role of Open Source Intelligence (OSINT) and Science and Technology Intelligence (STI) in their respective intelligence processes. While the U.S. often treats OSINT as a supplementary source to classified intelligence, China prioritizes it as a primary source. This divergence extends to STI, where China, unlike the U.S., places significant emphasis and resources. The U.S.’s fragmented approach to monitoring foreign science and technology contrasts with China’s more comprehensive and centralized system. Establishing a dedicated U.S. National S&T Analysis Center could mitigate the risks associated with this approach and enhance the country's capabilities in this area.
Analyst Comments: The distinct approaches of the U.S. and China towards OSINT and STI have profound implications for their respective intelligence capabilities and national strategies. The U.S. tends to view OSINT as merely enabling classified intelligence, potentially underutilizing a vast resource of openly available information. In contrast, China’s focused investment in OSINT and STI, deeply integrated into its national decision-making process, illustrates the high value it places on these intelligence forms. This difference is rooted in historical, cultural, and linguistic factors, with the Chinese term "qingbao" encompassing both "intelligence" and "information." The U.S. could benefit from a more integrated and comprehensive approach to OSINT and STI, learning from China’s expansive system that supports strategic objectives, including technological advancement and global competitiveness. The recommendation to establish a National S&T Analysis Center reflects a strategic move to address these disparities and enhance the U.S.’s capability to monitor and respond to global technological developments effectively.
FROM THE MEDIA: China and the U.S. approach OSINT with contrasting strategies, impacting their intelligence processes and national security decisions. China’s extensive system of STI, dating back to 1958, has significantly contributed to its strategic technological advancements. Its STI operations involve a vast network of over 100,000 workers, ranging from collectors to field operatives. The system is supported by numerous journals and social organizations, reflecting its professionalization and integration into the national framework. In the U.S., however, STI is often overshadowed by classified intelligence work, leading to a more fragmented and less effective approach to leveraging open-source information. This disparity suggests the U.S. might be missing critical insights and opportunities presented by openly available data. The creation of a U.S. National S&T Analysis Center is proposed to address these challenges, drawing inspiration from China’s successful STI model.
READ THE STORY: Bloomberg // CSET // FA
China to Revise Anti-Money Laundering Rules, Targeting Crypto amid Cybercrime Crackdown
Bottom Line Up Front (BLUF): China plans to update its anti-money laundering (AML) regulations to include provisions for virtual assets, particularly targeting the use of cryptocurrencies in money laundering activities. This move, expected to be implemented in 2025, follows a notable increase in crypto-related financial crimes, despite the country's ban on cryptocurrencies since 2021. The revisions aim to adapt to the evolving landscape of financial crimes involving digital assets.
Analyst Comments: China's decision to amend its AML rules marks a significant shift in its regulatory approach towards cryptocurrencies. Historically, China has maintained a stringent stance on digital currencies, evident from its 2021 crypto ban. However, the persistent use of virtual assets in illicit financial activities, including money laundering, has necessitated a more nuanced approach. By including cryptocurrencies in AML regulations, China acknowledges the challenges of enforcing a complete ban and shifts its focus towards controlled regulation. This strategy reflects a growing global trend where countries are increasingly recognizing the need to adapt their legal frameworks to address the complexities posed by digital financial instruments.
FROM THE MEDIA: The Chinese government's initiative to include cryptocurrencies in AML regulations is a response to the mainstream trend of using virtual currencies for money laundering. Despite the crypto ban effective since 2021, crypto money laundering rings and scam operations have been active in China and Southeast Asia. The State Council, chaired by Prime Minister Li Qiang, discussed updating AML laws, which have remained largely unchanged since 2007. Notably, the current draft of the AML regulation, open to public view, does not mention crypto, but a new draft expected later this year will. Experts like Chao Xi and Angela Ang emphasize the need for clarity and legal certainty in these regulations. China's unique position of regulating a banned sector indicates a recognition of the ineffectiveness of the outright prohibition of cryptocurrencies. This change comes amid a broader crackdown on cybercrime, including large-scale raids and repatriation of suspects involved in fraud and money laundering. The anticipated legislation is seen as a positive step by industry experts like Desmond Yong, as it aims to counteract illicit activities while acknowledging the global nature of cryptocurrency.
READ THE STORY: DLNews // CISA // The Record
Joshua Schulte's transmission of CIA's classified data to WikiLeaks marked as one of the largest unauthorized disclosures in U.S. history
Bottom Line Up Front (BLUF): Joshua Adam Schulte, a former CIA software engineer, has been sentenced to 40 years in prison for leaking classified CIA documents to WikiLeaks (known as the Vault 7 and Vault 8 leaks) and for possessing child pornography. These actions are considered some of the most significant breaches of classified information in U.S. history, causing severe harm to national security and risking CIA personnel's lives.
Analyst Comments: The sentencing of Schulte underlines the gravity of national security breaches and the severe consequences of leaking classified information. The Vault 7 leak, described as a "digital Pearl Harbor," revealed the CIA's extensive cyber espionage capabilities, including tools to compromise various electronic devices. This case highlights the challenges that intelligence agencies face in safeguarding sensitive data in the digital era. Moreover, Schulte's actions reflect a disturbing trend of individuals within security agencies misusing their access for personal motives, necessitating more robust internal security measures and oversight. His additional involvement in child pornography adds a heinous dimension to his crimes, underscoring the complex profiles of individuals involved in such high-level security breaches.
FROM THE MEDIA: Joshua Schulte, 35, was sentenced by the Southern District of New York for espionage, computer hacking, making false statements, and possession of child pornography. His crimes represent the largest data breach in the CIA's history, with stolen information including hacking tools and exploits used in intelligence gathering operations. Schulte, who worked in the CIA's Center for Cyber Intelligence from 2012 to 2016, abused his administrative privileges to steal sensitive information. The leaked data exposed U.S. intelligence methods and tools, causing substantial financial losses and endangering CIA personnel. Schulte's defense of these actions as retribution against the CIA for its response to his security breaches while employed there was rejected by the court. His attempts to continue leaking information and spinning false narratives while in detention reflect a deep and persistent threat to national security. The severity of the sentence imposed by the court reflects the magnitude of Schulte's crimes and their impact on U.S. national security.
READ THE STORY: Aljazeera // The Guardian // THN
Widespread DirtyMoe (PurpleFox) Malware Attack Infects Over 2,000 Computers in Ukraine
Bottom Line Up Front (BLUF): The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted the public about a widespread cyberattack involving the DirtyMoe (also known as PurpleFox) malware, which has affected more than 2,000 computers across Ukraine. This sophisticated malware is known for its capabilities in cryptojacking, DDoS attacks, and its challenging rootkit component that hinders removal.
Analyst Comments: DirtyMoe, also referred to as PurpleFox, has been a known threat since 2016. It usually infiltrates systems through deceptive MSI installer packages for popular software like Telegram or exploits known security vulnerabilities. Its advanced tactics include a worm-like propagation method and the use of a rootkit, making it notoriously difficult to detect and eradicate. The malware's infrastructure predominantly links back to compromised equipment located in China. CERT-UA's investigation utilized indicators of compromise (IoCs) shared by cybersecurity firms Avast and TrendMicro, leading to the identification of these infections in the Ukrainian segment of the internet.
FROM THE MEDIA: CERT-UA's discovery of the widespread DirtyMoe infection underscores the growing sophistication of cyber threats. The malware's self-propagation capabilities and use of rootkits for persistence pose significant challenges to cybersecurity. To combat this, CERT-UA recommends network segmentation, regular system updates, and diligent network traffic monitoring. They have also detailed technical steps for detecting and eradicating the malware, emphasizing the importance of cybersecurity vigilance and preparedness.
READ THE STORY: CERT-UA // ET-CISO // Bleeping Computer // THN
Operation Synergia: A Global Crackdown on Cybercrime
Bottom Line Up Front (BLUF): Interpol's "Operation Synergia," conducted from September to November 2023, brought together law enforcement agencies from over 50 member countries to combat cybercrime, specifically targeting phishing, malware, and ransomware. The operation successfully identified 1300 suspicious IP addresses/URLs, led to the dismantlement of 70% of command-and-control servers, resulted in 31 arrests, identified 70 suspects, and facilitated multiple server and device seizures. Europe led in server takedowns and arrests, followed by significant contributions from Hong Kong, Singapore, and Kuwait.
Analyst Comments: Operation Synergia underscores the escalating challenge of transnational cybercrime and the critical need for international collaboration in cybersecurity. The operation's success demonstrates how strategic partnerships between law enforcement, ISPs, and cybersecurity firms (like Group-IB, Kaspersky, and TrendMicro) can significantly disrupt criminal cyber infrastructures. By targeting the command-and-control servers, the operation struck at the heart of cybercriminal operations, significantly hindering their ability to carry out attacks. This operation reflects a growing trend of multinational efforts against cyber threats, highlighting the importance of cross-border cooperation and intelligence sharing in the digital age.
FROM THE MEDIA: Operation Synergia, a coordinated effort by Interpol involving over 50 countries, was a response to the increasing sophistication of cybercrime. The operation targeted phishing, malware, and ransomware, leading to the identification of 1300 suspicious IP addresses and URLs. With 31 arrests and 70 suspects identified, the operation made significant strides in disrupting cybercriminal networks. The majority of command-and-control server takedowns occurred in Europe, followed by significant activities in Hong Kong and Singapore. Kuwait's collaboration was crucial in victim identification and impact mitigation. Private sector partners like Group-IB, Kaspersky, TrendMicro, Shadowserver, and Team Cymru played a significant role in providing intelligence and analysis support. The operation not only resulted in immediate disruptions to cybercriminal activities but also set a precedent for future international cooperation in combating cyber threats.
READ THE STORY: Interpol // Group-IB // CloudSEK
Intrusion by Suspected State-Sponsored Actors Using Stolen Okta Credentials
Bottom Line Up Front (BLUF): Cloudflare experienced a security breach on Thanksgiving Day, November 23, 2023, traced back to stolen credentials from an Okta breach in October. The attackers, believed to be state-sponsored, targeted Cloudflare's Atlassian services, accessing internal wikis, bug databases, and source code management systems. Despite their extensive efforts, Cloudflare's use of Zero Trust architecture limited the attackers' lateral movement, and no customer data or critical systems were compromised.
Analyst Comments: This incident highlights the growing sophistication of state-sponsored cyberattacks and underscores the critical importance of robust security protocols, especially in the wake of breaches involving third-party service providers like Okta. Cloudflare's rapid response and transparent communication exemplify effective crisis management in cybersecurity. However, the breach also serves as a reminder of the necessity for rigorous credential management and the potential risks of service token misuse. The fact that Cloudflare, a leader in internet security and infrastructure, was targeted and infiltrated, albeit with limited success, signals an escalating cyber threat landscape where even the most secure organizations are at risk.
FROM THE MEDIA: The breach was detected on Thanksgiving Day when unauthorized access to Cloudflare's Atlassian server was identified. Attackers used credentials obtained from the Okta breach to access Cloudflare’s internal systems, including their Atlassian services, source code management system, and internal wikis. Despite gaining access to some internal documentation and source code, the attackers were unable to move laterally due to Cloudflare's Zero Trust architecture. Cloudflare’s comprehensive response, dubbed "Code Red," involved a company-wide effort in credential rotation, system analysis, and security hardening. External security firm Crowdstrike conducted an independent assessment, confirming Cloudflare's findings and actions. This event emphasizes the evolving challenges in cybersecurity and the importance of continuous vigilance, even for organizations with advanced security measures.
READ THE STORY: The Register // SiliconRepublic // Cloudflare Blog
FritzFrog Botnet Resurfaces with Log4Shell and PwnKit Exploits
Bottom Line Up Front (BLUF): FritzFrog, a peer-to-peer botnet, has reemerged with a new variant exploiting the Log4Shell vulnerability and the PwnKit flaw. This variant, first identified by Guardicore (now part of Akamai), has evolved to target internal network hosts even after internet-facing applications have been patched, exploiting unaddressed vulnerabilities in these internal systems. It also includes a module for local privilege escalation using the PwnKit flaw, CVE-2021-4034.
Analyst Comments: The resurgence of FritzFrog with enhanced capabilities is a significant development in the cyber threat landscape. This botnet, active since 2020 and known for targeting servers with weak SSH credentials, now demonstrates a strategic shift by exploiting the widely publicized Log4Shell vulnerability for internal propagation within networks. The addition of the PwnKit exploit for privilege escalation further indicates the botnet's increasing sophistication. FritzFrog's ability to remain undetected by avoiding disk file drops, using /dev/shm and memfd_create for fileless execution, and targeting internal systems often neglected in patch management, underscores the need for comprehensive security strategies that go beyond perimeter defense.
FROM THE MEDIA: The new variant of FritzFrog takes advantage of the Log4Shell vulnerability to spread within compromised networks, targeting internal hosts that are often less prioritized for patching. It employs brute-force methods to exploit vulnerable Java applications and has improved its SSH brute-force component to identify specific targets. The malware also uses the PwnKit flaw for local privilege escalation and continues its stealthy operations by avoiding file drops on disk, instead utilizing shared memory locations and executing memory-resident payloads. This evolution in FritzFrog's capabilities represents a significant threat, especially for organizations with unpatched internal systems, highlighting the importance of comprehensive internal network security and regular patch management.
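The fileless behaviour described above (payloads executed from memfd_create() descriptors or from /dev/shm rather than from a file on disk) leaves a visible trace in /proc. The following hunting script is an added example, not code from the article, CERT-UA or Akamai; the tmpfs prefix list and the sample exe targets at the bottom are constructed assumptions for illustration.

```python
"""Hunt for fileless Linux executables of the kind the FritzFrog write-up describes.

A process started from a memfd_create() descriptor has /proc/<pid>/exe pointing at
'/memfd:<name> (deleted)'; one started from a tmpfs such as /dev/shm points into that
mount. classify_exe() is a pure function over the readlink() target so it can be tested
offline; scan_proc() applies it to a live /proc (needs root to read other users' exe links).
"""
import os
from dataclasses import dataclass
from typing import List, Optional

# Writable, memory-backed mounts a fileless loader commonly executes from.
# Assumed list for this example; tune to the hosts you actually run.
TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/", "/tmp/")


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe(exe_link: str) -> Optional[str]:
    """Return a reason string if the /proc/<pid>/exe target looks fileless, else None.

    exe_link is the raw os.readlink() result, e.g. '/memfd:kube (deleted)'.
    """
    # memfd_create() backed executables always appear as '/memfd:<name> (deleted)'.
    if exe_link.startswith("/memfd:"):
        return "memfd-backed executable"
    # A binary unlinked after exec keeps running; the kernel appends ' (deleted)'.
    if exe_link.endswith(" (deleted)"):
        return "executable deleted from disk"
    if exe_link.startswith(TMPFS_PREFIXES):
        return "executable in tmpfs/shared memory"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk every numeric /proc entry and collect processes whose exe looks fileless."""
    findings: List[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads have no exe link; other users' processes need root.
            continue
        reason = classify_exe(exe)
        if reason:
            findings.append(Finding(int(entry), exe, reason))
    return findings


def classify_sample() -> List[Finding]:
    """Constructed sample exe targets (not real observations) run through the classifier."""
    sample = {
        101: "/memfd:kube (deleted)",  # typical memfd_create() loader signature
        102: "/dev/shm/.x/payload",  # dropped into shared memory, as the article notes
        103: "/usr/sbin/sshd",  # benign on-disk daemon
        104: "/usr/lib/jvm/bin/java (deleted)",  # binary removed after exec
    }
    return [Finding(pid, exe, classify_exe(exe)) for pid, exe in sample.items()
            if classify_exe(exe)]


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid={f.pid} exe={f.exe} reason={f.reason}")
```

Run as root on a host you administer; a hit is a lead, not a verdict, since some legitimate tooling (runtime JIT caches, self-updating daemons) also shows up as deleted or memfd-backed executables.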
READ THE STORY: RedPacket Security // Akamai // THN // PoC
FTC Orders Blackbaud to Overhaul Security Practices After 2020 Data Breach
Bottom Line Up Front (BLUF): The U.S. Federal Trade Commission (FTC) has mandated Blackbaud, an education technology company, to significantly revamp its security protocols following a 2020 data breach. The breach resulted from weak security practices that allowed hackers to access and exfiltrate sensitive consumer data, including Social Security and bank account numbers. Blackbaud has agreed to delete unnecessary data and reform its cybersecurity practices as part of the settlement.
Analyst Comments: This enforcement action by the FTC signifies a growing regulatory focus on corporate cybersecurity responsibilities. Blackbaud’s case is particularly noteworthy due to the scale of the data breach and the nature of the compromised information, which included highly sensitive personal data. The FTC's decision underscores the importance of robust cybersecurity measures and the legal and reputational risks companies face when they fail to protect consumer data adequately. This settlement also highlights the increasing expectation for companies to not only prevent data breaches but also to have transparent and prompt responses when they occur. The lag in Blackbaud's disclosure and the initial underestimation of the breach's severity further compounded the situation, leading to heightened scrutiny by the FTC.
FROM THE MEDIA: The FTC alleges that Blackbaud’s inadequate security measures allowed hackers to access its network and personal data of millions of consumers. The breach, occurring in February 2020, involved the exploitation of unencrypted sensitive data, including Social Security and bank account numbers. Blackbaud initially misled customers about the extent of the breach and delayed the full disclosure of the compromised data. The FTC's complaint cites failures in Blackbaud’s cybersecurity infrastructure, including poor monitoring of hacker attempts, inadequate data segmentation, weak password management, and delayed software patching. Additionally, Blackbaud's practice of retaining consumer data beyond its necessity has been criticized. The settlement requires Blackbaud to develop a comprehensive information security program and establish a data retention policy.
READ THE STORY: TC // FTC // The Record // Complaint
Russian Intelligence Operatives Impersonate Western Researchers in Cyber Espionage Campaign
Bottom Line Up Front (BLUF): Russian intelligence operatives, identified as part of state-sponsored hacking groups, are reportedly conducting a cyber espionage campaign by impersonating Western researchers and academics. This campaign aims to gain access to the email accounts of colleagues in the academic community, using sophisticated spearphishing techniques. The operation has involved sending emails with deceptive content and fake articles to solicit feedback, thereby harvesting login credentials of the recipients.
Analyst Comments: This latest cyber operation attributed to Russian intelligence services demonstrates a continued strategic interest in intellectual and political espionage. By targeting academics and researchers, the operatives gain access to a wealth of sensitive and intellectual data, potentially including unpublished research and personal communications of significant value. The method of impersonation reflects a high level of sophistication and understanding of academic communication channels. The involvement of state-sponsored groups like Iron Frontier (also known as Calisto, Coldriver, or Star Blizzard/Seaborgium) suggests a coordinated effort to influence or disrupt Western academic and political discourse. The success of such campaigns can lead to significant compromises in personal, institutional, and national security. Therefore, awareness and training in cybersecurity practices are crucial for individuals and institutions at risk.
FROM THE MEDIA: The phishing campaign involves Russian spies posing as fellow researchers to infiltrate the email accounts of academics, primarily in the UK, US, and Europe. The campaign uses credible-sounding emails to lure victims into reviewing seemingly legitimate academic articles or draft documents, which are actually traps to capture email login details. Secureworks and Mandiant, two cybersecurity firms, independently analyzed the emails and attachments, confirming the involvement of Russian state-sponsored groups. The campaign’s effectiveness lies in its highly convincing impersonation tactics and the use of genuine-sounding academic content. One notable aspect of this operation is the creation of entire fake articles to support the ruse, adding to the authenticity of the phishing attempts. The UK's National Cyber Security Centre (NCSC) has advised victims not to feel embarrassed, given the sophistication of these attacks.
READ THE STORY: MalwareTips // Unmasking Russia (SubStack) // The Record
Items of interest
Missing Chinese Billionaire Banker Bao Fan Resigns, Leaving Unanswered Questions
Bottom Line Up Front (BLUF): Chinese billionaire banker Bao Fan, who had been missing for nearly a year during an investigation, has resigned from all roles at China Renaissance Holdings, citing "health reasons" and a desire to spend more time with family. Bao Fan's sudden resignation without clear details about his whereabouts or the investigation raises concerns about the transparency of corporate leadership changes in China and the broader implications for financial security.
Analyst Comments: North Korea's heightened focus on ideological indoctrination among its youth is a strategic move to strengthen the regime's control over future generations. By targeting young minds, the regime aims to safeguard its ideology against the infiltration of external influences that could potentially challenge its authority. The emphasis on shunning foreign media reflects Pyongyang's apprehension about the impact of global culture and information on its domestic narrative. This approach also underscores the regime's efforts to create a buffer against the penetration of democratic ideals and capitalist values, which are seen as existential threats to its socialist framework. These intensified ideological campaigns are likely to have long-term implications on the social fabric and political landscape of North Korea, shaping the perceptions and loyalties of its future leaders and citizens.
FROM THE MEDIA: Bao Fan, a prominent Chinese banker, vanished in February 2023 and resurfaced a year later only to resign from his company, China Renaissance Holdings. While citing health and family reasons, his disappearance coincided with an unnamed investigation by Chinese authorities. This lack of transparency echoes a concerning trend of missing Chinese business executives, raising questions about the rule of law and the arbitrary nature of power in China.
This isn't an isolated incident. In recent years, several high-profile figures like Xiao Jianhua, Guo Guangchang, and Ren Zhiqiang have either disappeared or faced legal troubles with little public explanation. This pattern fuels anxieties about the business climate in China, creating an environment of fear and uncertainty for entrepreneurs and investors.
Whether Bao Fan's resignation signifies the end of his ordeal remains unclear. His case, along with similar disappearances, highlights the need for greater transparency and accountability within China's legal system. Until then, the shadow of uncertainty will continue to loom over the country's business landscape.
READ THE STORY: BBC // The New York Times
Why China's Billionaires Keep Disappearing (Video)
FROM THE MEDIA: Jack Ma, the founder of Alibaba, made headlines when he was recently spotted at Yungu School in Hangzhou, where the company is headquartered. He had rarely made a public presence since he irked the Chinese Communist Party for criticizing the country's financial regulatory system in 2020. "He described them as having a 'pawnshop mentality,' and that really ruffled a lot of feathers," said Dexter Roberts, a senior fellow at the Atlantic Council Indo-Pacific Security Initiative and author of The Myth of Chinese Capitalism. "Also, just the brash character of Jack Ma rubbed a lot of regulators and very powerful people in China the wrong way."
Chinese Billionaire Missing | Bao Fan Nowhere to be Found Amid Crackdown (Video)
FROM THE MEDIA: Bao Fan, the founder and executive director of China Renaissance, is a major figure in the Chinese tech industry. He's now missing. Palki Sharma tells you more.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.