Daily Drop (742): US: ByteDance to Divest TikTok, NJ: LexisNexis, Spinning YARN campaign, AlphV/BlackCat, DoJ: Linwei Ding, SEMI: EU Semiconductors, CASC far behind SpaceX, Snake Info Stealer
03-07-24
Thursday, Mar 07 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding Proof of Concepts (PoC), where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It's primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project. *
U.S. Lawmakers Propose Legislation to Force ByteDance to Divest TikTok or Face Ban
Bottom Line Up Front (BLUF): A bipartisan group of U.S. lawmakers has introduced a bill aimed at addressing national security concerns associated with TikTok's Chinese ownership. The legislation proposes giving ByteDance, TikTok's parent company, a 165-day ultimatum to divest from the popular social media platform or face a ban in the U.S. This move reflects escalating worries about the potential for user data misuse and foreign influence.
Analyst Comments: The introduction of this bill marks a significant escalation in the U.S. government's approach to regulating foreign-owned technology platforms, particularly those from China. Given the historical context of U.S.-China relations and the ongoing concerns about data privacy and national security, this legislative effort underscores the increasing scrutiny on technological ties between the U.S. and China. The focus on TikTok, a platform with over 170 million American users, highlights the intersection of technology, geopolitics, and public policy in an era where digital platforms play a central role in cultural exchange and information dissemination.
FROM THE MEDIA: Lawmakers from both parties have taken a firm stance against ByteDance, citing national security risks due to its Chinese ownership of TikTok. The proposed legislation, spearheaded by prominent figures such as Mike Gallagher and Raja Krishnamoorthi, is the first notable legislative action in nearly a year aimed directly at restricting or eliminating TikTok's operations in the U.S. The bill not only seeks to enforce a divestiture but also aims to prohibit app stores and web hosting services from supporting any ByteDance-controlled apps, effectively leading to a ban if compliance is not met within the specified timeframe. While the bill avoids direct enforcement against individual users, it has sparked significant debate around issues of free speech and the potential impact on small businesses that rely on the platform. The Biden administration has expressed support for the legislative effort, emphasizing its importance in protecting Americans' sensitive data from foreign adversaries.
READ THE STORY: The Register // Reuters
New Jersey Law Enforcement Personnel Sue LexisNexis for Retaliation and Privacy Violations
Bottom Line Up Front (BLUF): Over 18,000 individuals associated with New Jersey law enforcement have filed a class action lawsuit against LexisNexis Risk Data Management, alleging the data broker retaliated against them for requesting privacy by freezing their credit and falsely reporting them as identity theft victims. This lawsuit follows a separate class action filed earlier, accusing LexisNexis and other data brokers of failing to comply with takedown requests under Daniel’s Law.
Analyst Comments: This legal challenge against LexisNexis highlights a growing concern over the practices of data brokers and the protection of personal information. The plaintiffs' allegations, if proven true, could indicate a serious misuse of power by LexisNexis, aiming to deter individuals from exercising their privacy rights under Daniel’s Law. The law, designed to protect law enforcement officials and their families from targeted violence by keeping their personal information private, underscores the delicate balance between public data accessibility and individual privacy rights. The outcome of this lawsuit could set a significant precedent for how data brokers handle sensitive information and respond to legal requests for privacy.
FROM THE MEDIA: In a significant legal action, over 18,000 New Jersey law enforcement personnel have taken a stand against LexisNexis Risk Data Management by filing a class action lawsuit. The lawsuit accuses the data broker of retaliating against individuals who requested their personal information be removed from public access in compliance with Daniel’s Law. Allegedly, LexisNexis responded by freezing their credit and inaccurately reporting them as victims of identity theft, actions that could have long-term financial and personal consequences for the affected individuals. This lawsuit is part of a broader struggle for privacy and data protection in the digital age, where personal information is easily accessible and can be exploited. Daniel’s Law, which prohibits the online disclosure of home addresses and personal details of law enforcement personnel and their families, represents a critical step towards safeguarding individuals who serve in sensitive and potentially dangerous roles.
READ THE STORY: The Record // Fedscoop
Emerging malware exploits vulnerabilities in Docker, Apache Hadoop, Redis, and Confluence servers for crypto mining and establishes persistent access
Bottom Line Up Front (BLUF): An emerging malware campaign, dubbed Spinning YARN by Cado Security researchers, exploits misconfigurations and vulnerabilities in widely used cloud services such as Docker, Apache Hadoop YARN, Atlassian Confluence, and Redis. This sophisticated attack delivers cryptocurrency miners and spawns reverse shells for persistent remote access, highlighting the increasing focus of attackers on exploiting cloud environments.
Analyst Comments: The Spinning YARN campaign signifies a shift in attacker focus towards the exploitation of complex cloud infrastructure. By targeting specific services known for their prevalent use in cloud environments, attackers demonstrate a deep understanding of cloud vulnerabilities and the operational intricacies of these services. This campaign not only leverages Golang payloads for automating the exploitation process but also deploys advanced techniques for persistence, including the installation of rootkits and open-source reverse shell utilities. Such comprehensive strategies underscore the critical need for rigorous security configurations and timely patching of known vulnerabilities within cloud infrastructures.
FROM THE MEDIA: The Spinning YARN campaign begins by exploiting misconfigured or vulnerable servers running critical web-facing services, deploying four novel Golang payloads to automate the discovery and exploitation process. This approach allows attackers to conduct Remote Code Execution (RCE) attacks efficiently and spread the malware to new hosts. Once access is secured, the attackers execute a series of steps to install rootkits that hide malicious processes, drop reverse shell utilities for sustained access, and launch the XMRig miner for cryptocurrency mining. Notable techniques include the abuse of common misconfigurations, exploitation of an N-day vulnerability (CVE-2022-26134) in Confluence, and evasion methods designed to avoid detection. These actions reflect a deep understanding of cloud environments and an intent to maintain a stealthy presence while exploiting computing resources for financial gain.
Agencies deny involvement in takedown notice, pointing to an elaborate scam by the ransomware group
Bottom Line Up Front (BLUF): The AlphV/BlackCat ransomware group, known for its high-profile cyber attacks, has allegedly conducted an exit scam, duping its affiliates out of a $22 million ransom obtained from a recent attack on Change Healthcare. Law enforcement agencies involved in a previous takedown of the group's infrastructure have denied any involvement in a new notice posted on the gang's leak site, which experts and cybercriminals believe to be part of the scam.
Analyst Comments: While exit scams are not unprecedented in the digital underworld, the use of a fake law enforcement takedown notice as a cover for such a scam is novel and highlights the sophisticated deceit employed by these groups. The incident also raises questions about the efficacy of ransom payments, as the stolen data remains at risk of exposure or sale regardless of the payment. This event may serve as a cautionary tale for both cybercriminals and their victims, emphasizing the unpredictable and treacherous landscape of the cybercrime ecosystem.
FROM THE MEDIA: The AlphV/BlackCat ransomware group, implicated in a series of devastating cyber attacks including one on Change Healthcare, seems to have orchestrated an exit scam, leading to speculation and confusion among its criminal affiliates and victims. Despite a substantial $22 million ransom payment, supposedly for data recovery and non-disclosure, an affiliate has accused the group of absconding with the entire sum. This development followed the group's attempt to feign another law enforcement takedown of their operations, a claim refuted by the DOJ, Europol, and the NCA. The FBI has abstained from commenting. Cybersecurity experts have critiqued the technical credibility of the posted takedown notice, labeling it a clear fabrication intended to mislead and absolve the group's leaders from responsibility. The move to sell the source code and officially close the project has been confirmed by group spokespersons, signaling a possible end to their operations.
READ THE STORY: Krebs on Security // The Record // DoJ
Linwei Ding accused of exfiltrating over 500 confidential documents detailing Google’s AI infrastructure
Bottom Line Up Front (BLUF): Linwei Ding, a former Google employee, faces charges of stealing critical AI trade secrets from Google and clandestinely working for two Chinese companies. Allegedly bypassing Google's security controls, Ding exfiltrated over 500 documents related to Google's datacenters, including hardware infrastructure, software platforms, and AI models. His actions have prompted a significant response from the U.S. Department of Justice, emphasizing the national security implications of such intellectual property theft.
Analyst Comments: This case highlights a growing concern over the protection of intellectual property within the tech industry, especially as it pertains to AI and machine learning technologies that are central to the strategic interests of nations. The alleged ease with which Ding circumvented Google’s data-loss prevention systems raises questions about the effectiveness of current corporate security measures against insider threats. Furthermore, Ding’s dual employment with Chinese AI firms while holding a position at Google underlines the complex web of global tech espionage and the need for more stringent employee monitoring and vetting procedures. This incident serves as a stark reminder of the ongoing technology war between the U.S. and China, where AI and machine learning capabilities are increasingly seen as pivotal battlegrounds.
FROM THE MEDIA: Linwei Ding, a 38-year-old Chinese national, was apprehended in Newark, California, following a U.S. Department of Justice indictment revealing his unauthorized extraction of sensitive Google documents. Ding’s tenure at Google involved developing software for machine learning and AI applications, granting him access to confidential information crucial to Google's AI endeavors. His method of exfiltrating data involved copying source files into Apple Notes, converting them to PDFs, and uploading them to a personal Google Cloud account, a tactic that initially evaded Google's detection mechanisms.
READ THE STORY: The Register // FT
SEMI Advocates for Last-Resort Use of Export Controls, Citing Risk to European Semiconductor Industry's Competitiveness
Bottom Line Up Front (BLUF): SEMI, representing over 3,000 chip vendors, urges the European Union to reconsider plans for imposing export controls on China. Emphasizing the complex, global supply chain of the semiconductor industry, SEMI argues that such measures should only be employed as a last resort for national security concerns, fearing they may deter foreign investment critical for the industry's growth.
Analyst Comments: SEMI's position underscores a tension between national security interests and the economic vitality of the semiconductor industry. The call for restraint in applying export controls highlights the intricate balance between safeguarding sensitive technologies and sustaining the global competitiveness of European chipmakers. This plea from SEMI comes amid increasing geopolitical competition and technological shifts that have propelled semiconductors to the forefront of international trade disputes. The industry's reliance on global supply chains and foreign investment complicates efforts to restrict technology flow to certain regions without undermining the sector's financial foundation.
FROM THE MEDIA: SEMI's recent position paper criticizes the European Commission's strategy aiming to restrict the export of chip technology to China, a move influenced by US policies to limit China's advancement in semiconductor manufacturing. The association calls for a careful application of export controls, stressing that the European semiconductor industry benefits significantly from global investment and collaboration. Highlighting the potential risks of scaring away non-EU investors, especially in light of the European Chips Act, SEMI advocates for policies that support the sector's global competitiveness without imposing excessive burdens.
READ THE STORY: The Register // SEMI
CASC Announces Plans for New Rockets and Reusable Launchers to Enhance Space Program
Bottom Line Up Front (BLUF): China's Aerospace Science and Technology Corporation (CASC) has outlined ambitious plans for its space program, including the development of new rockets and the introduction of reusable launch vehicles. With plans for over 100 space launches in 2024 alone, China is poised to make significant strides in space exploration and commercial space ventures.
Analyst Comments: The announcement by CASC marks a significant step in China's efforts to compete in the global space race, particularly against commercial space giants like SpaceX. The development of reusable rockets represents a strategic move to reduce launch costs and increase the frequency of missions, mirroring the cost-saving strategies employed by SpaceX with its Falcon and Starship rockets. China's focus on large-diameter reusable rockets indicates its ambition to send larger payloads into space, potentially for moon missions and the construction of low Earth orbit megaconstellations. This development underscores China's commitment to establishing itself as a leading spacefaring nation, with implications for global space industry competitiveness and strategic geopolitical positioning.
FROM THE MEDIA: CASC has announced the development of two new reusable rockets with diameters of four and five meters, set to launch in 2025 and 2026, respectively. These rockets are part of China's broader initiative to enhance its space program's capabilities and reduce launch costs through reusability. Additionally, CASC plans to debut three new rockets this year: Long March-6C, Long March-12, and an updated version of Long March 8, each designed to support a variety of orbital missions and increase payload capacities. This ambitious launch schedule demonstrates China's commitment to expanding its presence in space and supporting commercial space endeavors.
READ THE STORY: The Register // SN
New Python-Based Snake Info Stealer Targets Facebook Users
Bottom Line Up Front (BLUF): A new Python-based malware, dubbed "Snake," is being spread through Facebook messages, targeting users to steal credentials and sensitive data. The malware utilizes various platforms, including Discord, GitHub, and Telegram, to transmit the harvested credentials from victims.
Analyst Comments: The emergence of Snake highlights a growing trend in cybercriminal activity focusing on social media platforms to distribute malware. The utilization of Facebook messages as a vector for spreading the info stealer underscores the evolving tactics of cybercriminals to exploit popular communication channels. The specific targeting of Vietnamese users, as indicated by the support for the Cốc Cốc Browser and Vietnamese language references in the source code, suggests a geographically focused campaign. This operation's sophistication, including the use of multiple stages in the infection process and the exploitation of a GitHub vulnerability, demonstrates the increasing complexity of threats facing users on social media platforms.
FROM THE MEDIA: Cybereason researchers have uncovered a campaign using Facebook messages to distribute a Python-based information stealer, Snake, designed to exfiltrate credentials, cookies, and other sensitive data. The campaign, first noticed in August 2023 on the social media platform X, leverages RAR or ZIP archive files to initiate the infection process. Following intermediate stages that involve downloading the malware from actor-controlled GitLab repositories, the stolen data is sent to the attackers via Telegram Bot API. Notably, the malware focuses on gathering information from web browsers, including the Vietnamese Cốc Cốc Browser, hinting at a focus on Vietnamese users.
READ THE STORY: THN
Spoofed Zoom, Skype, Google Meet Sites Distribute RATs to Compromise Devices
Bottom Line Up Front (BLUF): Cybercriminals are employing fake websites mimicking Google Meet, Skype, and Zoom to deploy Remote Access Trojans (RATs) such as SpyNote, NjRAT, and DCRat, affecting both Android and Windows devices. The campaign, which has been active since December 2023, uses typosquatting to deceive victims into downloading malicious software.
Analyst Comments: The strategy of leveraging spoofed sites of reputable video conferencing tools showcases the adaptability and cunning of threat actors to capitalize on the trust and ubiquity of these platforms. This campaign's targeting of a broad audience, including Android and Windows users, signifies an alarming escalation in the sophistication and reach of malware distribution efforts. The absence of targeting towards iOS users, however, suggests a potential limitation in the threat actors' capabilities or a strategic choice to focus on more vulnerable systems. These developments call for heightened vigilance among users and increased investment in cybersecurity measures by organizations.
FROM THE MEDIA: Zscaler ThreatLabz researchers have uncovered a sophisticated campaign using spoofed Russian websites of popular video conferencing services to distribute RATs, aiming to steal confidential information and compromise devices. The attack method involves luring victims to download malicious files, which then trigger a multi-stage infection process leading to the execution of RATs. This tactic not only threatens individual users' security but also poses significant risks to organizational data and network integrity.
READ THE STORY: THN
Items of interest
First Fatalities in Houthi Campaign Against Commercial Shipping Highlight Escalating Gulf of Aden Tensions
Bottom Line Up Front (BLUF): A Houthi missile attack on the Barbados-flagged cargo ship True Confidence in the Gulf of Aden resulted in the deaths of three crew members and injuries to two others. This marks the first fatalities in the Houthis' campaign against commercial shipping, escalating concerns over maritime security in the region. The True Confidence was recently purchased from the US private equity group Oaktree Capital, and the attack has drawn international condemnation and calls for action to secure vital shipping lanes.
Analyst Comments: The attack on True Confidence by the Houthi rebels signifies a dangerous escalation in the ongoing conflict in Yemen, now spreading to international waters and impacting global shipping routes. The Gulf of Aden, a crucial maritime chokepoint, has witnessed over 40 ship attacks since November, but this incident marks the first with fatalities. The Houthis' targeting of commercial vessels underlines their capability and willingness to disrupt international trade, possibly leveraging maritime security as a bargaining chip in broader geopolitical conflicts. This event also highlights the vulnerabilities of shipping lanes to asymmetric warfare tactics and the challenges in protecting vast oceanic expanses against missile threats.
FROM THE MEDIA: The Houthi attack on the True Confidence, a Barbados-flagged dry bulk carrier, resulted in the first recorded fatalities in their naval campaign, killing one Vietnamese and two Filipino crew members. The vessel, recently acquired from US private equity group Oaktree Capital, was targeted in the Gulf of Aden, underscoring the heightened risks to commercial shipping in the area. The Indian Navy evacuated the survivors to Djibouti for medical treatment. The United States condemned the attack, emphasizing the threat to global trade and the loss of innocent lives. The Houthis, backed by Iran, claimed responsibility, framing the attack as part of their support for Palestinians in Gaza. The incident has drawn attention to the murky world of ship ownership and the difficulty in protecting commercial vessels in conflict zones.
Houthi missile attack kills three on cargo ship True Confidence in Gulf of Aden (Video)
FROM THE MEDIA: Three people have been killed in a Houthi air strike on a commercial vessel in the Gulf of Aden. The missile attack on the Barbados-flagged freight ship marked the first deadly operation since the Iran-backed rebels began targeting commercial shipping in the region.
Israeli-Operated Ship Targeted by Houthis (Video)
FROM THE MEDIA: US Central Command says an anti-ship ballistic missile fired by Yemen’s Houthi rebels hit a Swiss-owned, Israeli-operated container vessel in the Gulf of Aden.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.