Daily Drop (717): Coyote Trojan, Hive Ransomware Gang, UA CNO RU, Super Bowl LVIII Cybersecurity, Raspberry Robin Worm, APTs Asia-Pacific, FortiOS, Zardoor Backdoor, UA Disables RU Drone Control
02-09-24
Friday, Feb 09 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
In this context a PoC is code or a documented procedure that demonstrates a reported vulnerability is real and reachable, usually by triggering the bug (a crash, a leaked value, a command executed) without a fully weaponised exploit. Defenders use it to confirm exposure, validate a patch and build detections; the same code lowers the bar for attackers, so a public PoC is a signal to move the affected CVE to the front of the patch queue. *
Ukrainian Cyberattack Disables Russian Drone Control System
Bottom Line Up Front (BLUF): Ukrainian cyber specialists successfully disrupted Russia's drone control software, causing widespread failures in the management of DJI drones and impacting the Russian military's operational capabilities.
Analyst Comments: The recent cyber operation by Ukraine's Main Intelligence Directorate (GUR) represents a significant development in cyber warfare, showcasing Ukraine's growing proficiency in the digital domain. The attack targeted the software used by Russian forces to modify DJI drones for combat, effectively crippling the friend-or-foe recognition system and denying Russian access to drone controls. This operation, which follows a previous cyberattack on a Moscow-based server used by the Russian Ministry of Defense, underscores the strategic importance of cyber capabilities in modern warfare. By targeting the enemy's technological infrastructure, Ukraine is able to disrupt key military operations and gain a tactical advantage. The shift to sophisticated cyber operations reflects an evolving battlefield where digital prowess is as crucial as physical might.
FROM THE MEDIA: According to reports by Euromaidan Press and The New Voice of Ukraine, the Ukrainian cyberattack focused on the software essential for modifying DJI drones for military use, impacting the friend-or-foe identification system crucial for operational functionality. The attack forced Russian troops to attempt manual overrides and highlighted the vulnerability of relying heavily on technology in warfare. This cyber operation is part of Ukraine's broader strategy to counter Russian aggression by targeting key digital infrastructures, thus adding a significant dimension to the ongoing conflict.
READ THE STORY: Euromaidan // Yahoo News // UNN
Chinese PR Firm Linked to Global Pro-Beijing Propaganda Network
Bottom Line Up Front (BLUF): A Chinese public relations firm, Shenzhen Haimaiyunxiang Media Co. Ltd (Haimai), is reportedly behind more than 100 websites across 30 countries, disseminating pro-China content and propaganda. These websites, camouflaged as local news outlets, blend genuine news with conspiracy theories and pro-China narratives, according to a Citizen Lab report. The discovery highlights the global reach and sophistication of China's influence operations.
Analyst Comments: The recent uncovering of a Chinese influence campaign using news websites highlights a sophisticated approach to information warfare. China's use of digital platforms mirrors historical propaganda strategies, adapted for the digital age. By embedding propaganda in seemingly credible local news sources, the impact extends beyond direct influence, risking secondary dissemination through legitimate news channels. This tactic of blending authentic news with skewed narratives is not new but demonstrates an evolved, digital iteration of traditional propaganda methods. The global spread of these websites across Europe, Asia, and Latin America underscores China's ambition to shape global perceptions, challenging traditional notions of geopolitical influence and information control.
FROM THE MEDIA: Citizen Lab's research traced back these websites to Haimai, a PR firm in Shenzhen, China. The websites present themselves as local news sources but frequently publish content favoring China, including conspiracy theories and criticisms of Western nations. Despite their low engagement so far, the risk of amplifying these narratives through local media remains high due to their rapid multiplication and adaptiveness to local contexts. These operations, which began around mid-2020, have been linked to a broader pattern of Chinese influence operations worldwide. Notably, social media giant Meta identified a significant increase in Chinese influence campaigns since 2020. South Korea's National Cyber Security Center and Italy's Il Foglio newspaper have also reported on similar findings, reinforcing concerns about the reach and impact of these operations.
READ THE STORY: Asia Financial // Reuters // RFA
FCC Bans AI-Generated Voice Cloning in Robocalls
Bottom Line Up Front (BLUF): The Federal Communications Commission (FCC) has unanimously decided to ban AI-generated voice cloning in robocalls. This move, effective immediately, is aimed at curbing scams and preventing election-related disinformation. It leverages the 1991 Telephone Consumer Protection Act (TCPA) to enforce the ban, giving state attorneys general a new tool to prosecute offenders.
Analyst Comments: This decision marks a significant step in combating the evolving landscape of digital fraud and misinformation. AI-generated voice cloning presents a unique challenge due to its realistic imitation of human voices, making it an effective tool for deceptive practices. The FCC's move to outlaw these robocalls under the TCPA is a proactive measure against the potential misuse of AI in manipulating public opinion, particularly around elections. It's a recognition of the need for updated regulatory measures to keep pace with technological advancements. While this ruling directly addresses the emergent threat of AI in misinformation, it also sets a precedent for future regulatory actions in the rapidly advancing field of AI and digital communication.
FROM THE MEDIA: The FCC's ruling came in response to an incident involving a robocall mimicking President Joe Biden, which urged New Hampshire voters not to participate in the primary elections. The call, traced back to a Texas company, highlighted the potential for AI-generated voices to be used in election interference and scams. The FCC's action is a direct response to the growing sophistication and prevalence of AI in generating realistic voice imitations. The ruling is expected to empower state attorneys general across the U.S. to more effectively pursue individuals and entities behind such fraudulent calls. Additionally, the FCC is exploring how AI can assist in recognizing illegal robocalls, suggesting a dual approach of regulation and technological countermeasures. This development is part of a broader effort to ensure AI's safe and trustworthy deployment, as evidenced by recent appointments to the National Institute of Standards and Technology (NIST) and the creation of the U.S. Artificial Intelligence Safety Institute.
READ THE STORY: The Washington Post // The Record // The Verge
Zardoor Backdoor Targets Saudi Islamic Charity in Stealthy Cyber Espionage Campaign
Bottom Line Up Front (BLUF): Cisco Talos has discovered a sophisticated cyber espionage campaign targeting a Saudi Arabian Islamic non-profit organization, deploying a previously unknown backdoor named Zardoor. Active since at least March 2021, this advanced threat actor utilized living-off-the-land binaries (LoLBins) for backdoor deployment, command and control establishment, and persistence maintenance. The campaign's stealth and complexity suggest the involvement of a highly skilled and potentially state-backed actor.
Analyst Comments: The Zardoor campaign represents a new level of sophistication in cyber espionage, indicating an evolution in the tactics, techniques, and procedures (TTPs) of advanced threat actors. Its reliance on LoLBins and custom malware, alongside tools like Fast Reverse Proxy (FRP), sSocks, and Venom, demonstrates a refined approach to evade detection and maintain long-term network access. The choice of a Saudi Islamic charity as the target diverges from typical cyber espionage patterns, suggesting either a broadening of strategic interests or a specific, highly-targeted operation. This campaign underscores the increasing complexity and stealth of modern cyber threats, highlighting the need for enhanced cybersecurity measures in vulnerable sectors.
FROM THE MEDIA: The Zardoor backdoor campaign involved the use of a dropper component to deliver a malicious dynamic-link library ("oci.dll"), which then installed two backdoor modules, "zar32.dll" and "zor32.dll". The primary purpose of these backdoors was to establish persistence, facilitate command and control communication, and execute various malicious activities, including data exfiltration. Cisco Talos's analysis revealed that the threat actor effectively used Windows Management Instrumentation (WMI) for lateral movement within the network, spreading Zardoor by executing commands from the command and control server. The utilization of open-source reverse proxy tools for command and control activities and the campaign's long-term undetected presence in the victim's environment point to an advanced threat actor, possibly with state-level capabilities or backing. Despite the high level of sophistication, the origins of the threat actor remain undetermined, with no clear links to any known, publicly reported threat groups.
READ THE STORY: BNN // Talos // THN
Critical Vulnerability in FortiOS Actively Exploited
Bottom Line Up Front (BLUF): Fortinet has issued urgent updates for a critical vulnerability (CVE-2024-21762) in FortiOS, rated CVSS 9.6, which the vendor says is potentially being exploited in the wild. This out-of-bounds write, affecting multiple FortiOS versions, can give an unauthenticated remote attacker code execution via crafted HTTP requests. Users and administrators are strongly advised to update to the fixed release for their branch to mitigate this risk.
Analyst Comments: This vulnerability exemplifies the increasing sophistication and severity of threats targeting network infrastructure. FortiOS, being a widely used system, presents an attractive target for cybercriminals and potentially state-sponsored actors. The high CVSS score reflects the critical nature of the vulnerability, underscoring the potential for significant impact on network security. The active exploitation of such vulnerabilities highlights the urgency for organizations to maintain vigilance and promptly apply security updates. This incident also serves as a reminder of the importance of robust cybersecurity practices in protecting critical infrastructure from sophisticated cyber threats.
FROM THE MEDIA: Fortinet's advisory details CVE-2024-21762, an out-of-bounds write in the SSL VPN component of FortiOS that lets a remote, unauthenticated attacker execute arbitrary code through specially crafted HTTP requests. Affected FortiOS versions range from 6.0 to 7.4, and users are advised to update to the fixed release for their branch immediately. Where patching must wait, the advisory lists disabling SSL VPN as the workaround and notes that disabling web mode alone does not remove the exposure. A second critical issue, CVE-2024-23113, a format string bug in the fgfmd daemon, was also addressed, though there is no evidence of its active exploitation in the wild. These updates reflect Fortinet's ongoing efforts to secure its products amidst a landscape of increasing cyber threats.
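The first question a practitioner asks here is "which of my boxes are below the fixed version?". As an added example (not Fortinet tooling and not code from the linked advisories), the Python below parses FortiOS version strings and compares them against per-branch fixed-release floors for CVE-2024-21762. The floor values are copied from Fortinet's advisory FG-IR-24-015 as published at the time of writing and must be verified against the live advisory before use; the inventory is constructed sample data, with version strings in the shape FortiOS prints them in `get system status`.

```python
"""
Triage FortiOS versions against the fixed-release floors for CVE-2024-21762.
Illustrative code added to this digest; not Fortinet's tooling.
"""
from __future__ import annotations

import re
from typing import Optional

# Minimum patched release per branch. Assumption: values copied from
# Fortinet advisory FG-IR-24-015 at time of writing; verify against the
# live advisory. None means the branch has no fix and must be migrated.
FIXED_FLOORS: dict[tuple[int, int], Optional[tuple[int, int, int]]] = {
    (7, 4): (7, 4, 3),
    (7, 2): (7, 2, 7),
    (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15),
    (6, 2): (6, 2, 16),
    (6, 0): None,
}

# Matches 'v7.0.12' inside strings such as
# 'FortiGate-100F v7.0.12,build0523,230816 (GA)'.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a FortiOS version/status string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable',
    'no-fix-migrate' (branch has no fixed release) or 'unknown-branch'
    (branch not in the advisory table; do not assume it is safe)."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in FIXED_FLOORS:
        return "unknown-branch"
    floor = FIXED_FLOORS[branch]
    if floor is None:
        return "no-fix-migrate"
    # Tuple comparison gives correct ordering for 7.0.9 < 7.0.14 (no string compare).
    return "patched" if (major, minor, patch) >= floor else "vulnerable"


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY: dict[str, str] = {
    "fw-edge-01": "FortiGate-100F v7.0.12,build0523,230816 (GA)",
    "fw-edge-02": "v7.4.3",
    "fw-dc-01": "v6.0.17",
    "fw-lab-01": "v7.2.6",
}


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each device name to its assessment for a patch-priority list."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {status}")
```

Feed it the `Version:` line from each device's `get system status` output (or the equivalent field from your inventory system). Anything reported as `vulnerable` or `no-fix-migrate` goes to the top of the list; `unknown-branch` is deliberately not treated as safe.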
READ THE STORY: CSA // Security Affairs // THN
Greg Hatcher's Dire Warning: Cyber Warfare in Full Swing in 2024
Bottom Line Up Front (BLUF): Greg Hatcher, a former Green Beret turned cybersecurity expert, has issued a stark warning about the current state of global cyber warfare. In an interview with Techopedia, Hatcher highlights the escalating cyber threats from major state actors like China, Russia, and North Korea. The revelation follows the FBI Director's acknowledgement of the vast disparity in cyber capabilities between the US and its adversaries, particularly China.
Analyst Comments: Hatcher's insights are a sobering reminder of the asymmetric nature of cyber warfare and its implications for national security. The disparity in cyber capabilities, as highlighted by the FBI, underscores the urgent need for increased investment in cybersecurity infrastructure and personnel. The reported interception of a China-sponsored botnet attack on US routers further illustrates the sophisticated and pervasive nature of these threats. Hatcher's call for greater collaboration between government and private sectors is a critical step in bolstering defenses against these increasingly sophisticated cyber threats.
FROM THE MEDIA: Hatcher's analysis paints a concerning picture of the cyber warfare landscape in 2024. The US faces serious challenges, as adversaries like China not only possess extensive cyber programs but also significantly outnumber US cyber personnel. The recent Justice Department intervention against a China-sponsored attack signifies the ongoing and complex cyber threats targeting critical US infrastructure. Hatcher's experience in teaching at the NSA and leading red teams for the federal Cybersecurity and Infrastructure Security Agency lends credibility to his assessment of the situation. The need for a combined effort from both the government and the private sector to strengthen cyber defenses is more crucial than ever.
READ THE STORY: Techopedia // GovTech
Advanced Persistent Threat Groups in Asia-Pacific: A 2023 Analysis
Bottom Line Up Front (BLUF): Research by WhoisXML API provides an in-depth analysis of six Advanced Persistent Threat (APT) groups based in or targeting the Asia-Pacific (APAC) region. The study focuses on APT29 (Russia), APT32 (Vietnam), Earth Lusca (China), Higaisa (South Korea), Sandworm Team (Russia), and Turla (Russia), revealing their extensive cyber espionage activities throughout 2023.
Analyst Comments: Advanced Persistent Threats (APTs) represent a significant concern in cyberspace, particularly for governmental and strategic organizations. The targeted nature of these attacks, often backed by nation-states, underscores a shift in the landscape of cybersecurity. In the case of the APAC region, the geopolitical tensions and strategic interests of countries like Russia, China, Vietnam, and South Korea manifest in the cyber domain. The intricate methodologies employed by these APT groups, ranging from sophisticated malware to complex social engineering tactics, highlight the evolving nature of cyber warfare. The continuous adaptation and evolution of these groups pose a perpetual challenge to cybersecurity defenses, demanding constant vigilance and updated countermeasures.
FROM THE MEDIA: The research conducted by WhoisXML API involves analyzing indicators of compromise (IoCs) related to these APT groups. Key findings include the identification of more than 150 email addresses and numerous domains connected to these groups. Specifically, APT29, linked to Russia's Foreign Intelligence Service, has focused on European and NATO member countries, with recent attention on Ukrainian organizations. The methodology encompassed compiling a list of APT groups from sources like MITRE ATT&CK Groups and Mandiant APTs, followed by a detailed analysis of domains and email addresses associated with these entities. This comprehensive study underlines the persistent and evolving threat posed by these APT groups, and the crucial need for enhanced cybersecurity measures and international collaboration to mitigate these risks.
READ THE STORY: CircleID // Elastic // Mandiant
Raspberry Robin Worm: Enhanced Cybersecurity Threat with Sophisticated Exploits
Bottom Line Up Front (BLUF): Raspberry Robin, a malware first identified in 2021, has significantly evolved, exhibiting advanced exploits and stealth tactics. It now uses rapid 1-day Local Privilege Escalation (LPE) exploits, sophisticated delivery methods including Discord, and refined evasion techniques. This evolution highlights its adaptability and the increased threat level it poses.
Analyst Comments: The progression of Raspberry Robin is a stark reminder of the dynamic nature of cyber threats. A worm that once relied on infected USB drives for propagation now also spreads via Discord and folds newly disclosed LPE exploits into its toolkit within days of publication, which indicates a high level of sophistication and adaptability. These traits suggest the backing of a dedicated exploit developer or a well-resourced operation capable of rapid exploit acquisition. The shift in tactics and the use of advanced evasion strategies underscore the continuous arms race in cybersecurity, where threat actors constantly evolve to outmaneuver defenses. Raspberry Robin's adaptability in delivery, communication, and evasion makes it a formidable threat, necessitating proactive and robust defense mechanisms.
FROM THE MEDIA: Check Point's analysis of Raspberry Robin reveals a malware that not only employs innovative methods for propagation and evasion but also demonstrates the ability to incorporate newly disclosed exploits swiftly. The malware's evolution from using USB drives to Discord for distribution marks a significant shift in its approach, broadening its potential reach. Check Point emphasizes the need for organizations to adopt proactive cybersecurity measures that can adapt to these changing malware tactics. The consistent updates and evasions implemented by Raspberry Robin's developers highlight their focus on stealth and the challenges posed to conventional security measures. This evolving threat landscape underscores the importance of up-to-date software, regular vulnerability assessments, and comprehensive security strategies to protect against sophisticated cyberattacks.
READ THE STORY: InfoSecMag // RedPacket Security // Check Point
Super Bowl LVIII Cybersecurity: A High-Stakes Digital Game
Bottom Line Up Front (BLUF): The digitization of Super Bowl LVIII presents a vast attack surface for cyber threats, raising significant security concerns for the NFL, fans, and associated stakeholders.
Analyst Comments: The digitization of Super Bowl LVIII introduces numerous cybersecurity vulnerabilities, expanding the threat landscape beyond the physical realm. This encompasses everything from ticketing systems to personal fan data. AI-enabled phishing attacks and deepfake scams have been identified as emerging threats, adding to traditional cybersecurity challenges. The NFL's proactive stance, including collaboration with agencies like the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) in threat assessment and response planning, is commendable. However, the event's high profile and the increased use of digital platforms, such as online betting and streaming, amplify the risk of data breaches, ransomware, and DDoS attacks. It's crucial that event organizers, vendors, and participants maintain rigorous cybersecurity practices to protect against these diverse threats.
FROM THE MEDIA: According to Dark Reading and other cybersecurity news sources, Super Bowl LVIII's extensive digital integration has escalated the risk of cyber attacks. This includes threats to stadium security systems, fan personal data, and operational technology. The NFL's preparation, including comprehensive threat assessments and coordination with multiple stakeholders, is critical in addressing these risks. Moreover, the rise in online gambling associated with the event has opened new avenues for cyber scams, particularly in the form of synthetic identity fraud and privacy concerns with betting apps. Unauthorized streaming sites also present a business risk, especially for organizations allowing work-related devices for personal use. This landscape demands a multi-faceted cybersecurity approach, combining technological solutions, employee awareness, and stringent vendor risk management.
READ THE STORY: DarkReading // Forbes
Ukraine's Cyber Operations Against Russia: Aiding Ground Combat and Countering Threats
Bottom Line Up Front (BLUF): Illia Vitiuk, the head of cybersecurity at Ukraine's Security Service (SBU), revealed that Ukraine has shifted its cyber strategy from defensive to offensive post-Russia's invasion. By hacking into Russian systems, Ukraine gathers intelligence aiding ground operations and thwarting potential cyberattacks. This approach aligns with the U.S. 'defend forward' cyber strategy.
Analyst Comments: Ukraine's transition to proactive cyber operations marks a significant shift in its defense strategy, reflecting the evolving nature of modern warfare where cyber capabilities are as crucial as traditional military strength. This approach, mirroring the U.S. strategy, underscores the increasing importance of cybersecurity in national defense and the blurring lines between conventional and digital battlefields. The reliance on cyber intelligence for ground operations indicates a sophisticated integration of technology in warfare, setting a precedent for future conflicts. However, the lack of concrete evidence and the denials from targeted Russian entities add a layer of complexity to the veracity and impact of these operations.
FROM THE MEDIA: Ukrainian cybersecurity officials, led by Illia Vitiuk, have adopted an offensive stance in cyber warfare against Russia. This shift includes hacking into Russian state and private companies to collect intelligence crucial for ground operations and cyber defense. Their operations reportedly targeted various Russian entities, including research centers and the civil aviation agency. Vitiuk emphasized the necessity of this proactive approach due to the high volume and complexity of Russian cyberattacks since the war's inception. He pointed out Russia's extensive cyber training programs, indicating a significant threat not only to Ukraine but potentially on a global scale. However, these claims and operations are not backed by publicly available concrete evidence, and Russian companies typically deny such attacks. This proactive cyber strategy demonstrates Ukraine's adaptation to modern warfare dynamics, where cyber operations play a pivotal role in national defense and intelligence gathering.
READ THE STORY: TIME // The Record // CyberCom
US Government Offers Significant Rewards for Information on Hive Ransomware Gang
Bottom Line Up Front (BLUF): The U.S. State Department and FBI are offering a combined reward of $15 million for information leading to the identification, location, arrest, or conviction of members of the Hive ransomware gang. This initiative, part of the Transnational Organized Crime Rewards Program (TOCRP), follows a successful operation last year where the FBI disrupted Hive's operations, saving potential ransom payments of approximately $130 million.
Analyst Comments: The substantial reward for information on Hive gang members highlights the severity of the threat posed by ransomware to global cybersecurity. Hive's widespread impact, targeting victims in over 80 countries and making at least $100 million in its first year, underscores the growing sophistication and reach of cybercriminal networks. The U.S. government's response, including the deployment of significant resources and international cooperation, reflects an understanding of the critical nature of countering such threats. The decision to offer this reward a year after Hive’s infrastructure takedown might indicate concerns about potential resurgence or challenges in capturing key members. It also showcases a proactive stance in cybersecurity, recognizing the importance of public involvement in combating cybercrime.
FROM THE MEDIA: In a significant move against cybercrime, the U.S. State Department has announced a $10 million reward for information leading to key Hive ransomware gang members, with an additional $5 million from the FBI for information resulting in the arrest and/or conviction of individuals involved in Hive-related activities. This announcement comes a year after the FBI's successful infiltration and disruption of Hive's operations, which prevented an estimated $130 million in ransomware payments and saved over 1,300 victims. The Hive group, known for targeting a wide range of sectors including schools and hospitals, particularly during the COVID-19 pandemic, had a notable global impact. The announcement is part of ongoing efforts to combat the sophisticated and transnational nature of cybercrime, highlighting the importance of international cooperation and public participation in these efforts.
READ THE STORY: GBhackers // Bitdefender // The Record
Coyote Banking Trojan Targets Brazilian Financial Institutions
Bottom Line Up Front (BLUF): Coyote, a newly discovered banking trojan, is targeting 61 Brazilian banking institutions using advanced methods for distribution and infection. This malware employs the Squirrel installer, Node.js, and the Nim programming language as a loader, highlighting a significant evolution from traditional banking trojans which predominantly used Delphi and MSI installers.
Analyst Comments: The emergence of Coyote banking trojan represents a significant advancement in the landscape of financial cyberthreats, particularly in Brazil. Its sophisticated infection chain utilizing modern technologies like Node.js, .NET, and the Squirrel installer reflects the growing complexity and adaptability of cybercriminals. The shift from traditional programming languages to less common ones like Nim indicates a strategic move to evade detection. This development serves as a stark reminder of the constantly evolving nature of cyber threats and the need for continuous adaptation in cybersecurity strategies. The specific focus on Brazilian banks could also signal a testing ground for broader global attacks, given the history of Brazilian malware expanding internationally.
FROM THE MEDIA: Coyote targets Brazilian banks through a multi-stage infection process, leveraging the Squirrel installer and utilizing Node.js and Nim for its operations. Kaspersky's analysis reveals that Coyote differs from other banking trojans by employing these newer technologies and avoiding traditional methods like Delphi programming, commonly seen in Latin American malware. The trojan's capabilities include taking screenshots, logging keystrokes, and displaying fake overlays to capture user credentials. It can also control the victim's machine, including shutting it down or blocking it with a false update message. This new trojan signifies an advanced and worrying trend in cybercrime, where attackers are continually adopting new methods and technologies to enhance their effectiveness and evade detection.
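Both the Zardoor story above and this one come down to a handful of process-tree signals a hunt team can turn into rules: a child process started through WMI (the lateral-movement channel Talos describes for Zardoor), an `oci.dll` loaded from outside the system directory (the dropper-delivered DLL), FRP/sSocks/Venom reverse-proxy binaries, and the Squirrel installer launching a bare Node.js runtime (the Coyote chain). The following Python is an added illustration covering both items; it is not Talos, Kaspersky or vendor code. The field names follow Sysmon-style telemetry but are assumptions to map onto your own EDR or SIEM schema, the binary names (`node.exe`, `Update.exe`, `frpc`) are assumptions since the reports name the components rather than exact paths, and the events are constructed samples, not real incident data.

```python
"""
Rule-driven triage of process-creation and image-load events for the
tradecraft described in the Zardoor and Coyote items. Illustrative code
added to this digest; not vendor tooling. Schema and binary names are
assumptions (see lead-in); tune the benign lists for your environment.
"""
from __future__ import annotations

from pathlib import PureWindowsPath
from typing import Callable, Iterable

Event = dict[str, str]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Tool names from the Talos write-up. Assumption: real samples are often
# renamed, so the command line is checked as well as the image name.
PROXY_TOOLS = {"frpc", "frps", "ssocks", "venom"}
# Assumption: children WmiPrvSE.exe legitimately spawns in your estate.
WMI_BENIGN_CHILDREN = {"werfault.exe", "wmic.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def rule_wmi_remote_exec(e: Event) -> bool:
    """WmiPrvSE.exe as parent means the child was started through WMI,
    the channel used to push Zardoor to further hosts."""
    return (e["event"] == "process_create"
            and _name(e["parent"]) == "wmiprvse.exe"
            and _name(e["image"]) not in WMI_BENIGN_CHILDREN)


def rule_oci_dll_outside_system(e: Event) -> bool:
    """The dropper writes a malicious oci.dll; flag that name loading from
    anywhere but the system directories. A copy inside System32 is not
    proof of legitimacy and still deserves a hash check."""
    loaded = e.get("loaded", "")
    return _name(loaded) == "oci.dll" and not _in_system_dir(loaded)


def rule_reverse_proxy_tool(e: Event) -> bool:
    """Catch FRP/sSocks/Venom by image stem or by any command-line token,
    so a renamed binary driven by 'frpc.ini' still fires."""
    if e["event"] != "process_create":
        return False
    tokens = {PureWindowsPath(t).stem.lower() for t in e["cmdline"].split()}
    tokens.add(PureWindowsPath(e["image"]).stem.lower())
    return bool(tokens & PROXY_TOOLS)


def rule_squirrel_to_node(e: Event) -> bool:
    """Squirrel's Update.exe normally relaunches the app it installed;
    spawning a bare Node.js runtime matches the Coyote-style chain."""
    return (e["event"] == "process_create"
            and _name(e["parent"]) == "update.exe"
            and _name(e["image"]) == "node.exe")


RULES: dict[str, Callable[[Event], bool]] = {
    "wmi_remote_exec": rule_wmi_remote_exec,
    "oci_dll_outside_system": rule_oci_dll_outside_system,
    "reverse_proxy_tool": rule_reverse_proxy_tool,
    "squirrel_to_node": rule_squirrel_to_node,
}


def evaluate(events: Iterable[Event]) -> list[tuple[str, str, str]]:
    """Return (host, rule_name, image) for every event matching a rule."""
    hits: list[tuple[str, str, str]] = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((e["host"], name, e["image"]))
    return hits


# Constructed sample telemetry (not from a real incident); each rule is
# exercised once and two benign decoys must stay quiet.
SAMPLE_EVENTS: list[Event] = [
    {"event": "process_create", "host": "srv-01",            # WMI -> LoLBin
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\oci.dll,DllMain"},
    {"event": "image_load", "host": "srv-01",                # planted oci.dll
     "image": r"C:\Windows\System32\svchost.exe", "parent": "", "cmdline": "",
     "loaded": r"C:\ProgramData\oci.dll"},
    {"event": "image_load", "host": "srv-02",                # decoy: system path
     "image": r"C:\Windows\System32\svchost.exe", "parent": "", "cmdline": "",
     "loaded": r"C:\Windows\System32\oci.dll"},
    {"event": "process_create", "host": "srv-01",            # renamed frpc
     "image": r"C:\ProgramData\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "svchost.exe -c frpc.ini"},
    {"event": "process_create", "host": "ws-07",             # Squirrel -> node
     "image": r"C:\Users\a.silva\AppData\Local\Temp\node.exe",
     "parent": r"C:\Users\a.silva\AppData\Local\SquirrelTemp\Update.exe",
     "cmdline": "node.exe app.js"},
    {"event": "process_create", "host": "ws-07",             # decoy: normal update
     "image": r"C:\Users\a.silva\AppData\Local\slack\app-4.0\slack.exe",
     "parent": r"C:\Users\a.silva\AppData\Local\slack\Update.exe",
     "cmdline": "slack.exe"},
]

if __name__ == "__main__":
    for host, rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{image}")
```

The rules are deliberately narrow so they can be dropped into a SIEM as-is; the two decoys show the false positives each one is designed to avoid (a legitimately located `oci.dll`, and Squirrel relaunching the application it just updated). Expect to extend `WMI_BENIGN_CHILDREN` after a week of baselining.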
READ THE STORY: DarkReading // Securelist // THN
Items of interest
Netflix’s “Bitconned” Exposes a High-Profile Crypto Scam
Bottom Line Up Front (BLUF): Netflix's documentary "Bitconned" sheds light on the notorious Centra Tech crypto scam, underlining the rampant fraudulence in the ICO sphere. The film showcases the journey of co-founders Ray Trapani and Sam ‘Sorbee’ Sharma, who exploited the 2017 crypto craze to swindle millions through a fraudulent initial coin offering (ICO). The documentary serves as a stark reminder of the perils in the unregulated crypto market, highlighting the importance of investor vigilance.
Analyst Comments: Centra Tech is a textbook case of the 2017 ICO boom: a product pitched before it existed, an invented CEO, and celebrity promotion (Floyd Mayweather among the names) standing in for due diligence. The documentary is useful less for the personalities than for the pattern, which recurs in every crypto cycle: fundraising outruns any working technology, and marketing fills the gap. For fraud and security teams the warning signs were visible at the time, namely founders whose claims could not be verified and a whitepaper describing capabilities nobody could demonstrate.
FROM THE MEDIA: "Bitconned" follows Ray Trapani, who with Sam 'Sorbee' Sharma and a third partner raised money through Centra Tech's initial coin offering on the promise of technology that did not yet exist, complete with a fictitious chief executive and celebrity endorsements. Trapani gives his own account of the scheme's rise and collapse in the film and in the interviews linked below. The case remains a reference point for how little scrutiny investors applied during the 2017 craze and for why unregulated token sales attracted outright fraud.
READ THE STORY: CoinGeek // Protos // Business Insider
A Bitcoin SCAMMER Reveals The Secrets Behind The BIGGEST Cryptocurrency Fraud In History (Video)
FROM THE MEDIA: Ray Trapani is one of the minds behind Centra Tech; a cryptocurrency company that defrauded HALF A BILLION DOLLARS from investors. He and two friends created the business selling the idea of a new tech that didn't actually exist yet. His story has trauma, wild parties, addiction, an imaginary CEO, faked deaths, Floyd Mayweather and so much more!
Who is Ray Trapani’s Family | Where is His Family Now (Video)
FROM THE MEDIA: Ray Trapani, known for his involvement in the Centra Tech cryptocurrency scam, was raised by his single mother, Kerri Ann Hagner, in a single-income household in Atlantic Beach, New York. His grandparents, Patsy Boyle and William “Bill” Hagner, provided financial and emotional support. His family continues to support him unwaveringly.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.