Daily Drop (757): GoFetch: New Side-Channel Attack, CN: Economic Revival Plan, Nemesis Market Shutdown, CN: Intel and AMD, MuddyWater, Kimsuky: CHM, IR: Aviation, The PR of 'Made in China'
03-25-24
Monday, Mar 25 2024 // (IG): BB // ShadowNews // Coffee for Bob // Proxies
*Started adding Proof of Concepts (PoC), where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to development of the full-scale project.*
GoFetch: New Side-Channel Attack Targets Apple CPUs to Extract Secret Keys
Bottom Line Up Front (BLUF): A team of researchers from US universities has disclosed a novel side-channel attack named GoFetch that targets Apple CPUs to extract secret cryptographic keys from constant-time cryptographic implementations. This attack specifically leverages data memory-dependent prefetchers (DMPs) present in Apple's M-series CPUs, posing potential risks to systems using M1, M2, and M3 processors.
Analyst Comments: The discovery of the GoFetch attack highlights an evolving cybersecurity landscape where hardware components can become vectors for sophisticated exploits. This vulnerability underscores the importance of comprehensive security approaches that encompass both software and hardware aspects. Apple, known for its strong security posture, faces a new challenge in mitigating this exploit, emphasizing the ongoing arms race between security professionals and threat actors. The ability to extract cryptographic keys through side-channel attacks represents a significant threat, as these keys often protect sensitive data and communications.
FROM THE MEDIA: The GoFetch attack exploits DMPs in Apple CPUs, bypassing the constant-time programming paradigm to extract secret keys. Demonstrations of the attack showed its effectiveness against various cryptographic schemes, including those used in post-quantum cryptography. The researchers' reverse-engineering of DMPs on Apple's M-series CPUs revealed that almost any value loaded from memory could trigger the DMP, leading to potential key extraction. While Apple CPUs M1 through M3 are believed to be vulnerable, mitigation strategies include disabling the DMP on supported CPUs and adopting input blinding in cryptographic operations. The research team has notified Apple and plans to release a proof-of-concept (PoC) exploit, urging the application of patches and updates to mitigate the attack's impact.
READ THE STORY: Security Affairs
China's Economic Revival Plan: Emphasis on High-Tech and Clean Energy Manufacturing
Bottom Line Up Front (BLUF): China unveils a new economic strategy under the slogan "new, quality productive forces," aimed at rejuvenating its stagnant economy through significant investments in high-tech and clean energy manufacturing, alongside robust R&D spending. This initiative seeks to counterbalance the negative impacts of a prolonged housing market downturn but lacks detailed measures to boost household spending.
Analyst Comments: China's latest economic revival strategy reflects a continuation of its longstanding approach to economic growth, focusing on state-led investments in manufacturing and innovation. By highlighting sectors such as high-tech and clean energy, China is positioning itself to lead in industries critical for future global economic competitiveness. However, the absence of concrete steps to encourage consumer spending raises questions about the sustainability of this growth model. This emphasis on manufacturing also sparks concerns among international observers about potential global overcapacity and the implications for trade balances, as China aims to increase exports.
FROM THE MEDIA: China's premier, Li Qiang, recently announced a new economic strategy aimed at addressing the nation's economic stagnation, exacerbated by a decades-long housing market downturn. The plan, articulated under the banner of "new, quality productive forces," focuses on invigorating the economy through substantial investments in manufacturing sectors deemed crucial for future growth, such as high-tech and clean energy. This strategy also involves significant expenditure on research and development to spur innovation. Despite the forward-looking vision, the plan has been critiqued for its lack of specific measures to stimulate Chinese household spending, a factor considered vital for sustained economic recovery. The move has raised eyebrows internationally, with concerns about the potential for manufacturing overcapacity and the impact on global trade dynamics, as China appears poised to ramp up exports.
READ THE STORY: The New York Times
Global Strike Against Cybercrime: Nemesis Market Shutdown
Bottom Line Up Front (BLUF): In a coordinated international effort, German, U.S., and Lithuanian law enforcement agencies have dismantled Nemesis Market, a prominent darknet platform dealing in narcotics, stolen data, and cybercrime services. Seizing servers in Germany and Lithuania and confiscating €94,000 in cryptocurrency, this action marks a significant step in the ongoing fight against internet criminal activities.
Analyst Comments: The successful shutdown of Nemesis Market underscores the increasing effectiveness of international collaboration in the fight against cybercrime. Operating since 2021, Nemesis Market had become a critical node in the darknet ecosystem, facilitating a wide range of illegal activities from drug sales to the provision of ransomware services. The involvement of the Bundeskriminalamt (BKA) alongside the FBI, DEA, and other agencies highlights a concerted effort to tackle the complex networks that underpin the global underground economy. This operation not only disrupts a significant source of illegal goods and services but also sets a precedent for future actions against similar cybercriminal ventures. The focus on further investigations based on the secured marketplace data may lead to more significant disruptions within the cybercriminal community, signaling to operators and users of such platforms the increasing reach and impact of law enforcement actions.
FROM THE MEDIA: The joint operation led by the German Federal Criminal Police Office (BKA), in collaboration with U.S. and Lithuanian authorities, resulted in the shutdown of Nemesis Market, a darknet marketplace involved in the distribution of narcotics, stolen data, and cybercrime services. Launched in 2021 and accessible via the Tor network, Nemesis Market had attracted over 150,000 users and 1,100 sellers globally, nearly 20% of whom were based in Germany. The platform offered a variety of illegal goods and services, including drugs, fraudulently obtained data, and tools for conducting ransomware, phishing, and DDoS attacks. The operation, which saw the seizure of digital assets worth €94,000 and the platform's server infrastructure, was the culmination of extensive investigations starting in October 2022 by the BKA, ZIT, FBI, DEA, and IRS-CI.
READ THE STORY: THN // BKA (DE)
China Enforces Ban on Intel and AMD Chips in Government PCs
Bottom Line Up Front (BLUF): China has issued new guidelines to exclude U.S. microprocessors from Intel and AMD, as well as Microsoft's Windows operating system, from government computers, steering towards domestic technology to ensure "safe and reliable" procurement. This move aligns with China's broader strategy to enhance its technological sovereignty and reduce reliance on foreign technologies amid escalating U.S.-China tech tensions.
Analyst Comments: China's decision to phase out Intel and AMD chips from government use signifies a deepening tech rift with the U.S., reinforcing a trend towards technological decoupling between the two superpowers. This policy could accelerate China's drive towards self-reliance in critical technologies and encourage the development and adoption of domestic alternatives. However, it also poses challenges for global tech companies that have viewed China as a key market. The ban reflects broader geopolitical tensions and the ongoing battle for technological and economic supremacy, potentially leading to further retaliatory measures from both sides.
FROM THE MEDIA: According to a recent report by the Financial Times, China has introduced procurement guidelines aimed at removing U.S. microprocessors, specifically those from Intel and AMD, from government-owned personal computers and servers. This directive extends to sidelining Microsoft's Windows operating system in favor of domestic software solutions. The guidelines, which call for "safe and reliable" processors and operating systems, signify a substantial push towards utilizing Chinese technology within government agencies. Issued by China's industry ministry, these criteria align with lists published in late December that designate CPUs, operating systems, and centralized databases deemed "safe and reliable," all originating from Chinese companies. This policy is part of a larger narrative of tech self-sufficiency amid ongoing U.S. efforts to bolster its semiconductor industry and reduce dependencies on China and Taiwan, exemplified by the Biden administration's CHIPS and Science Act.
Iran-Linked MuddyWater Advances Phishing Tactics Targeting Israeli Entities
Bottom Line Up Front (BLUF): The Iran-affiliated cyber group MuddyWater, also known as Mango Sandstorm or TA450, has launched a sophisticated phishing campaign using the legitimate remote monitoring tool, Atera, to target Israeli sectors, including manufacturing, technology, and information security. This operation signifies a shift in the group's approach, embedding malicious links within PDF attachments to distribute malware.
Analyst Comments: MuddyWater's recent activities mark an evolution in the cyber espionage tactics associated with Iranian intelligence efforts, reflecting a strategic adaptation to improve the success rate of infiltrations. By exploiting legitimate software like Atera for malicious purposes, the group underscores a concerning trend in cyber warfare: the use of authentic tools to bypass conventional security measures. This approach complicates the detection and mitigation of threats, as distinguishing between legitimate and malicious use becomes increasingly challenging. Additionally, the campaign's focus on Israeli targets amid ongoing geopolitical tensions highlights the persistent risk of cyber operations used to advance national interests. The breach into Rashim Software, facilitating a supply chain attack against the Israeli academic sector by another Iranian group, Lord Nemesis, further emphasizes the growing sophistication of cyber threats and the importance of robust security measures, including multi-factor authentication, to defend against such intricate attacks.
FROM THE MEDIA: MuddyWater, an Iran-linked cyber espionage group, has initiated a phishing campaign against Israeli entities, deploying a novel tactic that leverages the Atera Remote Monitoring and Management (RMM) tool. According to Proofpoint, the campaign targeted organizations in the global manufacturing, technology, and information security sectors from March 7 to March 11, 2024. This shift in methodology involves sending emails with PDF attachments containing malicious links, a departure from the group's previous direct embedding of links in email bodies. This operation is part of a broader pattern of attacks against Israeli organizations, utilizing legitimate software for espionage and system compromise.
READ THE STORY: THN // Proofpoint
Kimsuky's New Tactic: Exploiting Compiled HTML Help Files in Cyber Espionage
Bottom Line Up Front (BLUF): The North Korea-affiliated cyber espionage group Kimsuky has adopted a new method of deploying malware via Compiled HTML Help (CHM) files to collect sensitive information. This evolution in tactics signifies the group's ongoing refinement of cyber operations aimed at entities in South Korea and beyond.
Analyst Comments: Kimsuky's shift towards using CHM files as a vector for malware distribution underscores a tactical evolution that leverages less scrutinized file formats to bypass security measures. CHM files, while traditionally used for help documentation, offer a unique advantage due to their ability to execute JavaScript when opened, making them an attractive option for cyber attackers. This method's effectiveness is further enhanced when CHM files are delivered within seemingly innocuous file types like ISO, VHD, ZIP, or RAR, complicating detection efforts. The continued adaptation and sophistication of Kimsuky's strategies, including their utilization of a variety of infection vectors and their focus on intelligence gathering, highlight the persistent threat posed by state-sponsored actors.
FROM THE MEDIA: The Kimsuky group, linked to North Korea and active since 2012, has been identified employing Compiled HTML Help (CHM) files to deliver malware targeting South Korean organizations. According to cybersecurity firm Rapid7, this technique is part of a broader array of methods that Kimsuky has used over the years, including weaponized Microsoft Office documents and ISO files. The CHM files are distributed within various types of archives, triggering a VBScript to establish persistence and communicate with a remote server for further instructions upon opening. This recent development is part of Kimsuky's ongoing and evolving cyber attacks, focusing on harvesting sensitive data from organizations based in South Korea. Additionally, the group's employment of the Golang-based Endoor backdoor in recent cyber attacks, targeting users downloading security programs from a Korean construction-related association's website, signals an expanded arsenal of cyber tools. These activities coincide with a United Nations investigation into North Korean cyber attacks, emphasizing the extensive and continued use of cyber operations to fund its nuclear weapons program.
READ THE STORY: THN
Iran's Aviation Sector Struggles Under Sanctions: A Fleet Far from Reach
Bottom Line Up Front (BLUF): Iran's aviation industry grapples with a significant shortfall in its operational fleet due to international sanctions, impacting its capacity to meet the domestic demand for air travel. With only 180 aircraft currently in service against a goal of 250 by the end of last year, the industry's struggle underscores the broader challenges facing Iran amid sanctions related to its nuclear program, human rights issues, and geopolitical stance.
Analyst Comments: The persistent sanctions on Iran have deeply affected its aviation sector, illustrating the far-reaching consequences of geopolitical tensions on civil infrastructure. The Civil Aviation Organization's report highlights a stark discrepancy between Iran's aviation needs, estimated at 550 aircraft to adequately serve its population, and the reality of a fleet constrained by sanctions. This situation is exacerbated by operational challenges, including delays in customs clearance for essential aircraft parts, which impede efforts to maintain, let alone expand, the fleet. The addition of over 50 aircraft and helicopters last year indicates some level of procurement success, yet falls significantly short of requirements. Furthermore, domestic production limitations and import restrictions have compounded these challenges, affecting flight schedules and raising safety concerns. Iran's aviation woes serve as a microcosm of the broader economic and infrastructural challenges facing the country under the weight of international sanctions.
FROM THE MEDIA: Iran's aviation industry is under significant strain due to international sanctions, with only 180 aircraft in service out of a planned 250 by the end of the previous year. Mohammad Mohammadi-Bakhsh, head of the Civil Aviation Organization, emphasized the disparity between the current fleet size and the country's actual needs, estimated at 550 aircraft to adequately serve Iran's population. Despite efforts to bolster the fleet, including a reported increase in operational aircraft to 178 before the Norouz holiday and the procurement of over 50 aircraft and helicopters last year, the industry remains hindered by sanctions related to Iran's nuclear activities, human rights record, and support for Russia's actions in Ukraine. Operational challenges, including delays in customs for aircraft parts, along with limitations on domestic production and import restrictions, further exacerbate the situation, leading to flight delays and safety concerns within Iranian airlines.
READ THE STORY: Iran International
From Cold War to Consumer Culture: The Rise of 'Made in China' in America
Bottom Line Up Front (BLUF): The strategic importation of Chinese products, starting with vodka and extending to sporting goods, spearheaded by U.S. businessmen like Charles Abrams and Don King in the 1970s, revolutionized the U.S.-China trade relationship. Their marketing ingenuity not only opened the American market to Chinese goods but also reshaped consumer attitudes towards products labeled "Made in China."
Analyst Comments: Abrams and King's endeavors occurred at a time when U.S.-China relations were thawing after decades of isolation. By promoting Chinese vodka and sporting goods, they tapped into the American fascination with the exotic and the novel, effectively normalizing and making desirable the "Made in China" label. This was not merely a commercial movement but a significant cultural shift that realigned global manufacturing and trade patterns. The initiative to market Chinese products in the U.S. underlined a strategic shift in viewing China not just as a market for American goods but as a vital source of affordable products and labor.
FROM THE MEDIA: The initiative began with Abrams welcoming a shipload of Chinese vodka in New York in 1976, marking the first significant import of Chinese goods since the end of World War II. This event was not merely a transaction but a spectacle, symbolizing the potential of Sino-American trade. Abrams, along with King, a prominent boxing promoter, utilized their flair for showmanship to popularize Chinese products. They capitalized on the novelty of trading with China, leveraging everything from elaborate marketing stunts to direct mail campaigns, to entice American consumers and businesses. Through strategic branding, such as renaming Sunflower Vodka to "Great Wall Vodka" for the American market, Abrams aimed to infuse the products with an aura of Chinese cultural heritage and allure, making them more attractive to American consumers. This approach was not just about selling vodka but about selling an idea of China that Americans were eager to embrace amid the Cold War's thawing tensions.
READ THE STORY: FP
Cyber Shadows: China's Potential Cyber Strategy Against US Interests
Bottom Line Up Front (BLUF): As tensions between the United States and China escalate, concerns grow over China's potential use of cyber operations to target both U.S. military assets and critical civilian infrastructure in a conflict scenario. Such operations could aim to disrupt decision-making, induce societal panic, and impede U.S. military responses, representing a significant shift from China's known cyberspace activities focused on espionage.
Analyst Comments: The delineation of cyber operations within Chinese military strategy as a means to achieve quick, decisive victories underscores a strategic pivot towards exploiting the interconnected vulnerabilities of modern warfare and civil society. The theoretical advantage of cyber operations lies in their ability to be conducted remotely, anonymously, and against a broad attack surface, making U.S. military and civilian networks appealing targets. However, the efficacy of such operations as a strategic tool remains uncertain, given the potential for increased vigilance and defensive measures in conflict scenarios. The recent emphasis on penetrating U.S. civilian infrastructure hints at a more aggressive Chinese posture, aiming to coerce U.S. policy by leveraging the societal impact of infrastructure disruptions.
FROM THE MEDIA: Joshua Rovner's analysis highlights a growing consensus among U.S. officials and cybersecurity experts that China may actively be preparing for aggressive cyber operations targeting both U.S. military communications and civilian infrastructure. This perspective is fueled by the evolution of Chinese military doctrine, emphasizing "systems confrontation" and rapid initiative in conflict situations, and recent activities suggesting a broadening of China's cyber operational focus beyond regional military networks to include critical U.S. civilian infrastructure. Such a shift raises alarm over the potential for widespread societal and economic disruption in the event of conflict. However, the strategic utility of cyber operations, particularly against civilian targets, remains debatable. Key assumptions underpinning the effectiveness of infrastructure-focused cyber operations, including their impact on U.S. societal resilience and policy decisions, warrant scrutiny. The historical analogy to strategic bombing in World War II, wherein initial expectations of decisive impacts gave way to a more nuanced understanding of technological limitations and enemy resilience, offers a cautionary parallel for current expectations of cyber warfare.
READ THE STORY: War on The Rocks
Navigating the Cyberstorm: UnitedHealth's $14 Billion Claims Recovery and Broader Implications
Bottom Line Up Front (BLUF): In the aftermath of a significant cyberattack, UnitedHealth Group's subsidiary Change Healthcare is processing over $14 billion in claims, spotlighting the vulnerability of healthcare payment systems to cyber threats. This incident not only disrupts healthcare operations but also ignites federal investigations, emphasizing the critical need for enhanced cybersecurity measures across the healthcare sector.
Analyst Comments: This incident reflects the growing trend of targeted cyber threats against critical infrastructure sectors, including healthcare. UnitedHealth Group's swift response, involving substantial financial support for affected healthcare providers and the rapid restoration of critical services, highlights the sector's resilience and the importance of contingency planning. However, this incident serves as a stark reminder of the cybersecurity challenges facing the healthcare payment ecosystem. It accentuates the necessity for ongoing vigilance, investment in cybersecurity infrastructure, and collaboration with federal agencies to safeguard sensitive health information against increasingly sophisticated cyber threats.
FROM THE MEDIA: UnitedHealth Group's encounter with cyber threats through its subsidiary Change Healthcare reveals a multi-billion dollar challenge that extends beyond financial implications to impact patient care and trust in healthcare systems. Following a cyberattack that halted operations and initiated a federal investigation by the Department of Health and Human Services, UnitedHealth's efforts to mitigate the impact included the payment of $2.5 billion to support healthcare providers and the restoration of critical services. This event underscores the necessity for robust cybersecurity measures and the importance of federal oversight in protecting healthcare information and infrastructure.
READ THE STORY: PYMNTS
SLB's Firm Stand in Russia Amid Ukraine Conflict: Economic Necessity or Ethical Dilemma?
Bottom Line Up Front (BLUF): Despite widespread withdrawal by Western companies from Russia in response to the Ukraine war, oilfield services giant SLB (formerly Schlumberger) has decided to maintain its operations within Russia. This stance raises significant ethical questions regarding the support of Russia's war efforts through continued economic engagement, juxtaposed against the backdrop of international sanctions and escalating geopolitical tensions.
Analyst Comments: SLB's decision to stay in Russia, where it generates about 5% of its revenues and employs around 9,000 people, underscores a complex interplay between business imperatives and geopolitical pressures. While SLB asserts adherence to international sanctions and a commitment to de-escalating hostilities in Ukraine, its presence in Russia draws criticism from Ukrainian officials and human rights groups, spotlighting the moral quandaries faced by multinational corporations in wartime. This scenario exemplifies the broader challenges of global business operations amidst geopolitical strife, where economic interests may inadvertently entangle companies in the political machinations of host nations.
FROM THE MEDIA: SLB's continuation of operations in Russia, as articulated by CEO Olivier Le Peuch to the Financial Times, highlights a strategic calculus that weighs operational autonomy against mounting external pressures for disengagement. While SLB has implemented controls to curtail the shipment of technology to Russia, these measures have not quelled concerns regarding the company's indirect facilitation of Russia's war efforts through oil revenue generation. The Ukrainian government's designation of SLB as an "international sponsor of war" intensifies the scrutiny on the company's activities and their alignment with broader international efforts to isolate Russia economically.
READ THE STORY: FT
Items of interest
The Loop DoS Threat: A Ticking Time Bomb in Cyberspace
Bottom Line Up Front (BLUF): A recently disclosed Loop Denial-of-Service (DoS) attack technique threatens approximately 300,000 internet-facing servers and devices, exploiting vulnerabilities in UDP-based services like TFTP, DNS, and NTP. This attack mechanism, which has yet to be exploited but poses a serious threat due to its simplicity and potential impact, highlights the urgent need for widespread patching and heightened cybersecurity vigilance.
Analyst Comments: The emergence of the Loop DoS attack technique underscores the persistent evolution of cyber threats and the importance of proactive cybersecurity measures. By exploiting basic error-handling mechanisms in common protocols, attackers can create an unending loop of error messages between two vulnerable servers, depleting resources and rendering them inoperable. This threat is particularly concerning due to its ease of execution and the significant number of potentially vulnerable systems identified worldwide.
FROM THE MEDIA: The Loop DoS attack technique's disclosure brings to light the vulnerabilities inherent in even the most fundamental aspects of internet infrastructure. The potential for such an attack to disrupt critical services without ongoing effort from the attacker highlights a significant risk to internet stability and reliability. The fact that this vulnerability has existed since at least 1996, according to Rossow and Pan, without widespread recognition or mitigation efforts, illustrates the challenges of maintaining a secure and resilient cyberspace.
READ THE STORY: The Register
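The error-to-error loop described above, as an added in-process simulation (not code from the page or from the researchers' write-up): two toy UDP services, whose names, wire format and `ignore_errors` policy are constructed here, show that a single spoofed datagram keeps two vulnerable sides exchanging error messages until the packet budget runs out, and that patching either side to stay silent on error messages ends the exchange after one or two packets.

```python
"""Simulation of the Loop DoS pattern: two UDP services whose error handlers answer
every unexpected datagram, including each other's error replies, with another error.
No sockets are used; delivery is modelled in-process."""
from dataclasses import dataclass
from typing import Optional

ERROR_PREFIX = b"ERR "        # constructed wire format for this toy protocol
REQUEST_PREFIX = b"REQ "


@dataclass
class UdpService:
    """A minimal request/response service with a configurable error policy."""
    name: str
    ignore_errors: bool = False   # True = hardened: never answer an error with an error
    packets_sent: int = 0

    def handle(self, datagram: bytes) -> Optional[bytes]:
        """Return the reply datagram, or None when the service stays silent."""
        if datagram.startswith(ERROR_PREFIX):
            if self.ignore_errors:
                return None               # break the loop: error messages get no reply
            reply = ERROR_PREFIX + b"unexpected message"
        elif datagram.startswith(REQUEST_PREFIX):
            reply = b"OK " + datagram[len(REQUEST_PREFIX):]
        else:
            reply = ERROR_PREFIX + b"malformed request"
        self.packets_sent += 1
        return reply


def simulate(a: UdpService, b: UdpService, spoofed: bytes, max_packets: int = 10_000) -> int:
    """Deliver one datagram to `a` that appears to come from `b`, then bounce replies
    between the two until one side stays silent or the packet budget is exhausted.
    Returns the number of server-generated packets; reaching max_packets means the
    exchange would continue indefinitely with no further attacker involvement."""
    sender, receiver = b, a
    datagram: Optional[bytes] = spoofed
    delivered = 0
    while datagram is not None and delivered < max_packets:
        reply = receiver.handle(datagram)
        if reply is not None:
            delivered += 1
        sender, receiver = receiver, sender
        datagram = reply
    return delivered


def loop_detected(a: UdpService, b: UdpService, spoofed: bytes, max_packets: int = 10_000) -> bool:
    """True when the pair never goes quiet within the packet budget."""
    return simulate(a, b, spoofed, max_packets) >= max_packets


if __name__ == "__main__":
    both_vuln = simulate(UdpService("tftp-A"), UdpService("tftp-B"), b"garbage")
    one_fixed = simulate(UdpService("tftp-A"), UdpService("tftp-B", ignore_errors=True), b"garbage")
    print(f"both vulnerable: {both_vuln} packets (budget exhausted)")
    print(f"one side patched: {one_fixed} packet(s), then silence")
```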
Understanding Loop DoS Attacks (Video)
FROM THE MEDIA: Loop Denial of Service attacks are a sophisticated form of cyber assault where the attacker exploits a vulnerability within the system to create an endless loop of requests.
North Korea's secretive nuclear weapons program (Video)
FROM THE MEDIA: The hackers are back. In fact, the cyber criminals never went away. The Lazarus Heist Season 2 tells the story of the theft of billions of dollars around the globe. Investigators say a secretive, elite North Korean hacking ring is responsible. Nicknamed the Lazarus Group, it’s claimed they are becoming more ambitious, more audacious and more successful. North Korea says it has nothing to do with these cybercrimes, saying the United States is making these allegations to try and tarnish its image.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.