Tuesday, May 07 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concepts (PoCs), where available, for the CVEs mentioned:*
*A Proof of Concept (PoC) is a small exercise to test a hypothesis or to demonstrate that a potential project is viable. It is primarily used to verify that a concept or theory has potential for real-world application. The purpose of a PoC is to show the feasibility, functionality, and potential of a concept before development of the full-scale project begins.*
Dmitri Alperovitch Warns of Looming China-Taiwan Conflict and New Cold War
Bottom Line Up Front (BLUF): In his new book "World on the Brink" and a recent interview, cybersecurity expert Dmitri Alperovitch warns that Chinese President Xi Jinping is likely preparing to invade Taiwan within the next 4-8 years in order to cement his legacy. Alperovitch argues that a Chinese conquest of Taiwan would be disastrous for the U.S. and the world, allowing China to dominate the Indo-Pacific region economically and militarily.
Analyst Comments: Alperovitch's analysis of Xi Jinping's motivations and the high-stakes implications of a Chinese invasion of Taiwan underscores the urgent need for the U.S. to develop a comprehensive deterrence strategy. This includes bolstering Taiwan's defenses, leveraging economic entanglement, and exploiting technological dependencies to raise the costs of aggression for China. Evidence of China's shifting cyber activities from IP theft to infiltrating critical infrastructure near U.S. bases in the Indo-Pacific, as well as open-source satellite imagery showing Chinese forces practicing assaults on a mock-up of Taiwan's presidential palace, lend credence to Alperovitch's warnings. However, his assertion that Russia no longer poses a conventional threat to NATO, regardless of the outcome in Ukraine, is debatable, as a resurgent Russia could still menace frontline states even if currently diminished.
FROM THE MEDIA: In the interview, Alperovitch draws parallels between Xi Jinping's desire to conquer Taiwan and Putin's invasion of Ukraine, arguing that both authoritarian leaders view these actions as essential to their historical legacies. He believes the window between 2028-2032, when Xi will be in his late 70s, presents the greatest risk of a Chinese invasion. Alperovitch emphasizes that a successful Chinese takeover of Taiwan would force regional allies like Japan and South Korea to accommodate China as the new dominant power, greatly diminishing U.S. influence and economic interests. To deter China, Alperovitch advocates a strategy of "uni-directional entanglement" that makes China more dependent on the U.S. for critical technologies while reducing U.S. reliance on China for key resources. He also notes a worrying shift in Chinese cyber espionage from intellectual property theft to infiltrating infrastructure such as utilities near U.S. military bases in the Indo-Pacific, likely in preparation for potential disruption during a conflict.
READ THE STORY: SPYTALK
MoD Data Breach: Personal Details of UK Armed Forces Accessed in Hack
Bottom Line Up Front (BLUF): Researchers at the University of Toronto's Citizen Lab have uncovered a powerful Chinese cyberweapon dubbed "The Great Cannon," which was likely responsible for recent DDoS attacks on GitHub and GreatFire.org. The Great Cannon is a distinct attack tool that can hijack traffic to launch large-scale DDoS attacks and has the potential to conduct targeted surveillance by exploiting unsecured web traffic.
Analyst Comments: This data breach is a serious concern, as it involves sensitive personal information of current and former UK military personnel. The potential misuse of this data could have severe consequences for those affected and may pose risks to national security. The incident highlights the growing threat of cyber attacks and the need for robust cybersecurity measures to protect sensitive data held by government institutions and private organizations. As the MoD investigates the breach and takes steps to support those affected, it will be crucial to determine the source of the attack and assess any potential risks. This breach underscores the ongoing challenges faced by organizations in safeguarding sensitive data in an increasingly complex and hostile cyber threat landscape.
FROM THE MEDIA: According to the BBC, the data breach targeted a payroll system used by the MoD, which was managed by an external contractor. In a small number of cases, the accessed data may also include personal addresses. The MoD has taken immediate action, taking the system offline and investigating the incident. Defence Secretary Grant Shapps is expected to update MPs about the hack and set out a "multi-point plan" in response. The hack comes amid increased warnings about cyber-security threats facing the UK from hostile states and third parties, with recent accusations leveled against China and Russia for their alleged involvement in hacks targeting public institutions and democratic processes.
READ THE STORY: BBC
Mastodon Delays Full Fix for Link Preview DDoS Issue to Version 4.4.0
Bottom Line Up Front (BLUF): Mastodon has pushed back the release of a comprehensive fix for the issue of link previews causing accidental distributed denial of service (DDoS) attacks on websites. Originally slated for version 4.3.0, the remedy has been delayed to version 4.4.0 by Mastodon CTO Renaud Chaput. In the meantime, a mitigation has been put in place to reduce the link preview load on sites.
Analyst Comments: The delay in fully addressing the link preview DDoS issue highlights the challenges inherent in decentralized social networks like Mastodon. The problem arises from the federated nature of the platform, where each instance fetches its own link previews, potentially overwhelming content host servers with a flood of requests. While the temporary mitigation should alleviate some of the burden, a comprehensive solution is crucial to prevent unintended consequences for websites shared on Mastodon.
FROM THE MEDIA: According to Chaput, the full fix for the link preview DDoS issue was pushed back to version 4.4.0 due to the significant work involved in developing a federated solution. The current mitigation, which introduces a random delay of up to 60 seconds before generating previews, aims to spread out the requests and minimize the impact on content host servers. Chaput also noted that the issue is not specific to Mastodon but affects all Fediverse implementations. The project is exploring ways to share link preview information between servers, reducing the need for each instance to fetch the data independently. However, this solution must be carefully designed to prevent potential security issues, such as spoofing.
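To show why a random delay of up to 60 seconds helps, here is an added simulation (not Mastodon's code) of the thundering herd described above: every federated instance that receives a post fetches its own preview, and the script measures the peak requests per second the linked site would see with and without the jitter. The instance counts and the seed are constructed for the example.

```python
"""Thundering-herd simulation for Fediverse link previews.

Added example, not Mastodon's code. When a post with a link federates to N
instances, each instance fetches its own preview at roughly the same moment.
The interim mitigation adds a random delay of up to 60 seconds before the
preview is generated; this measures how much that flattens the peak load.
"""
import random
from collections import Counter

MAX_JITTER_SECONDS = 60  # the delay ceiling quoted in the article


def preview_fetch_times(instances, max_jitter, rng):
    """Return one fetch timestamp (seconds after the post arrives) per instance.

    max_jitter == 0 models the original behaviour: every instance fetches at t=0.
    Otherwise each instance waits a uniformly random 0..max_jitter seconds first.
    """
    if max_jitter == 0:
        return [0.0] * instances
    return [rng.uniform(0, max_jitter) for _ in range(instances)]


def peak_requests_per_second(fetch_times):
    """Bucket fetch timestamps into one-second windows and return the busiest one."""
    buckets = Counter(int(t) for t in fetch_times)
    return max(buckets.values())


def compare(instances, max_jitter=MAX_JITTER_SECONDS, seed=1):
    """Peak req/s seen by the linked site without and with the random delay."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    burst = peak_requests_per_second(preview_fetch_times(instances, 0, rng))
    jittered = peak_requests_per_second(preview_fetch_times(instances, max_jitter, rng))
    return {"instances": instances, "peak_no_jitter": burst, "peak_with_jitter": jittered}


if __name__ == "__main__":
    # Constructed instance counts: a small, a mid-sized and a very widely federated post.
    for n in (500, 5000, 50000):
        r = compare(n)
        print(f"{r['instances']:>6} instances: peak {r['peak_no_jitter']:>6} req/s "
              f"-> {r['peak_with_jitter']:>5} req/s with {MAX_JITTER_SECONDS}s jitter")
```

The jitter only spreads the same number of requests over a minute; it does not reduce their total, which is why the shared-preview design planned for 4.4.0 is still needed.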
READ THE STORY: The Register
Multiple Chinese Hacker Groups Exploit Ivanti Zero-Day Vulnerabilities
Bottom Line Up Front (BLUF): Mandiant has linked multiple China-nexus threat actors to the exploitation of three zero-day vulnerabilities in Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893). These hacking groups, tracked under various uncategorized monikers, have been observed deploying custom malware and open-source tools to infiltrate target networks and establish persistence.
Analyst Comments: The exploitation of Ivanti vulnerabilities by multiple Chinese hacking groups highlights the ongoing threat posed by state-sponsored cyber espionage. These actors are quick to weaponize newly disclosed flaws, demonstrating their sophistication and adaptability. The use of custom malware, such as TERRIBLETEA, PHANTOMNET, and SPAWN, alongside open-source tools like Sliver, allows these groups to tailor their tradecraft to specific targets and evade detection. The targeting of edge appliances underscores the need for organizations to prioritize timely patching and implement robust monitoring and incident response capabilities to detect and mitigate such attacks promptly.
FROM THE MEDIA: Mandiant has identified several China-linked hacking groups exploiting the Ivanti vulnerabilities, including UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. These groups have deployed various custom malware families, such as:
TERRIBLETEA: A Go-based backdoor used by UNC5266 for command execution, keylogging, port scanning, and screen capturing.
PHANTOMNET: A modular backdoor employed by UNC5330 that uses a custom communication protocol and a plugin-based system for additional payloads.
SPAWN: A stealthy and persistent backdoor toolset utilized by UNC5337, comprising components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH.
In addition to custom malware, the attackers have leveraged open-source tools like the Sliver C2 framework and exploited LDAP bind accounts to gain domain admin access. Some groups, such as UNC5291, have associations with other known Chinese APTs like Volt Typhoon (UNC3236).
READ THE STORY: THN
U.S. Allocates $285 Million from CHIPS Act for Semiconductor Digital Twins
Bottom Line Up Front (BLUF): The U.S. Department of Commerce has announced that $285 million in funding from the CHIPS Act will be dedicated to the development of semiconductor digital twins. This work will be carried out by a newly established Manufacturing USA institute, which aims to boost domestic production of critical next-generation technologies and reduce reliance on foreign suppliers.
Analyst Comments: The allocation of CHIPS Act funds for semiconductor digital twins underscores the U.S. government's commitment to fostering innovation and competitiveness in the domestic semiconductor industry. By investing in the development of advanced simulation and modeling tools, the initiative seeks to accelerate the design, testing, and optimization of cutting-edge chips, ultimately strengthening America's position in the global semiconductor market. The establishment of a dedicated Manufacturing USA institute for this purpose highlights the strategic importance of digital twins in driving technological progress and enhancing collaboration among industry stakeholders.
FROM THE MEDIA: According to the Department of Commerce, the new CHIPS Manufacturing USA Institute will focus on the "development, validation, and use of digital twins for semiconductor manufacturing, advanced packaging, assembly, and test processes." Digital twins, described as "virtual models that mimic the structure, context, and behavior of a physical counterpart," are expected to help the U.S. move faster in designing, prototyping, and fabricating world-class chips. The funding opportunity is open to domestic entities, including nonprofits, for-profit organizations, universities, and government bodies, with the majority ownership required to be U.S.-based. The CHIPS Manufacturing Institute will join 17 other Manufacturing USA members, each dedicated to advancing specific areas of technology, such as cybersecurity, power electronics, and biofabrication.
READ THE STORY: The Register
China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices
Bottom Line Up Front (BLUF): New findings from Censys suggest that the recently uncovered ArcaneDoor cyber espionage campaign targeting perimeter network devices may be the work of China-linked actors. The attackers, tracked as UAT4356 (aka Storm-1849), have been observed exploiting vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware since July 2023.
Analyst Comments: The potential involvement of Chinese threat actors in the ArcaneDoor campaign underscores the persistent threat posed by state-sponsored cyber espionage groups targeting edge appliances. The use of custom malware like Line Runner and Line Dancer, coupled with the exploitation of zero-day vulnerabilities, highlights the sophistication and adaptability of these attackers. Organizations must prioritize timely patching, robust monitoring, and incident response capabilities to detect and mitigate such attacks effectively. The targeting of network devices from multiple vendors emphasizes the need for a comprehensive approach to securing an organization's entire attack surface.
FROM THE MEDIA: Censys's investigation of the actor-controlled IP addresses revealed that four of the five online hosts presenting the attacker-associated SSL certificate are linked to Chinese autonomous systems, suggesting the involvement of a China-based actor. Furthermore, one of the threat actor-managed IP addresses hosts an anti-censorship tool with a website written in Chinese, implying that some of these hosts were running services designed to circumvent the Great Firewall. In a separate development, French cybersecurity firm Sekoia successfully sinkholed a command-and-control server linked to the PlugX trojan, revealing the malware's presence in over 170 countries and 2.49 million unique IP addresses. Many of the affected countries are participants in China's Belt and Road Initiative, leading Sekoia to believe that the worm was developed to collect intelligence on the strategic and security concerns associated with the initiative.
READ THE STORY: THN // PoC: CVE-2024-20353
GenAI Obliterates Data Visibility and Regulatory Compliance for Enterprises
Bottom Line Up Front (BLUF): The widespread adoption of generative AI (genAI) tools by enterprises has rendered comprehensive data control and visibility virtually impossible, making regulatory compliance, especially with privacy rules like GDPR, a futile endeavor. The instant a company welcomes genAI into its environment, it loses control over its data assets, regardless of existing compliance challenges posed by cloud, IoT, mobile, third-parties, and Shadow IT.
Analyst Comments: The rapid proliferation of genAI tools across enterprises has created a perfect storm for data visibility and regulatory compliance. Even before the rise of genAI, IT teams struggled to maintain full control over their data assets due to the complexities introduced by modern technologies and work practices. The addition of genAI to this already challenging landscape has effectively obliterated any remaining semblance of data control.
FROM THE MEDIA: The article highlights a specific conflict between ChatGPT and GDPR, where the AI's inability to provide an audit trail for personal information and correct "hallucinations" violates the EU's strict privacy rules. However, this issue is just the tip of the iceberg when it comes to genAI's impact on data visibility and compliance. The author illustrates the challenges through two scenarios: an analyst working with sensitive customer data across multiple devices and locations, and a sales representative discussing contract terms via text messages. In both cases, the enterprise's ability to track and control the spread of sensitive data is severely limited, even without the involvement of genAI.
READ THE STORY: Computerworld
New US strategy looks to blunt Russian and Chinese influence in cyberspace
Bottom Line Up Front (BLUF): The US State Department has released a new cybersecurity strategy aimed at curbing Russia and China's digital influence in developing countries and countering their alleged efforts to interfere in elections. With many countries holding elections in 2024, the strategy emphasizes the need to continuously expose hackers and propagandists attempting to undermine confidence in democracies.
Analyst Comments: This new strategy marks a significant shift in the United States' approach to international cybersecurity, reflecting growing concerns over the geopolitical implications of digital dominance. By targeting the digital operations that can undermine democracies, such as election interference and misinformation campaigns, the US is reinforcing its stance against what it perceives as authoritarian overreach. Historically, such initiatives also signal a broader strategic posture that includes bolstering alliances and leveraging diplomatic channels to foster a collective resistance to digital authoritarianism. The focus on developing nations is particularly crucial, as these regions are increasingly becoming battlegrounds for technological influence, which has profound implications for global power dynamics.
FROM THE MEDIA: The strategy outlined by the State Department emphasizes continuous efforts to expose and counteract cyber threats from state actors like Russia and China, who are accused of attempting to destabilize democratic institutions through digital means. Key aspects of the strategy involve supporting innovation in the tech sector to compete globally and promoting principles that ensure cybersecurity is integral to economic and democratic health. U.S. officials have highlighted past incidents, such as the ransomware attack in Costa Rica, to underscore the vulnerabilities faced by nations without robust cyber defenses. The strategy also builds on previous US efforts to dissuade allies from integrating technology from autocratic sources, which are seen as security risks. Secretary Antony Blinken's comments at the RSA Conference underscore a proactive, coordinated international effort to shape a future cyberspace that upholds freedom and security, countering the restrictive digital models pushed by China and Russia.
READ THE STORY: Yahoo (AU)
A severe flaw in Tinyproxy could allow remote code execution, with a majority of affected hosts located in the U.S. and South Korea
Bottom Line Up Front (BLUF): A critical security flaw identified in Tinyproxy, an HTTP/HTTPS proxy service, is currently exposing over 50,000 internet-facing hosts to potential remote code execution. The vulnerability, tracked as CVE-2023-49606, affects versions up to 1.11.1 and has been rated 9.8 out of 10 in severity, signaling an urgent risk to affected systems.
Analyst Comments: This incident highlights the continual risk posed by maintaining outdated or unpatched software in a networked environment. The use-after-free bug uncovered by Cisco Talos underscores the complexities and potential dangers of memory management in software development. Given the critical nature of the flaw and its widespread impact, particularly in economically significant regions like the U.S. and South Korea, this vulnerability could have substantial security and operational implications for businesses relying on Tinyproxy. Moreover, the issue of delayed communication between security researchers and software maintainers accentuates the challenges in effective vulnerability management and response in the open-source ecosystem.
FROM THE MEDIA: The vulnerability in Tinyproxy allows an unauthenticated attacker to execute remote code by sending a specially crafted HTTP header. This issue impacts a significant number of hosts globally, with the highest concentrations in the United States and South Korea. Despite Talos' efforts to report the flaw since December 2023, there was a notable delay in the Tinyproxy maintainers receiving this report, attributed to outdated contact information. This incident not only exposes the risks associated with exposure of critical services to the public internet but also highlights the importance of maintaining updated contact details for security communications. The Tinyproxy team has acknowledged the oversight and expressed that prompt reporting via platforms like GitHub could have expedited the resolution process. Users of Tinyproxy are advised to monitor for updates closely and restrict unnecessary internet exposure of the service.
READ THE STORY: THN
Revival of LockBit's Website by Law Enforcement Promises New Revelations
Bottom Line Up Front (BLUF): Law enforcement has reactivated the website previously used by the LockBit ransomware group, promising new insights into the gang's operations. The website, originally a hub for extortion, is now a platform for authorities to reveal information about LockBit, following its seizure during Operation Cronos in February.
Analyst Comments: This strategic move by law enforcement to use LockBit's own tools against them highlights a novel approach in cybercrime fighting. By repurposing the website rather than shutting it down, authorities aim to leverage it as a source of psychological warfare and information dissemination against the cybercriminals. The previous anticlimactic revelations suggest a cautious approach initially, possibly due to operational risks or ongoing investigations. However, the renewed promise of more substantial disclosures may indicate that law enforcement now has stronger evidence or more complete investigations, allowing them to expose deeper insights into the LockBit operations without compromising their methods or ongoing surveillance.
FROM THE MEDIA: The LockBit website's revival follows its initial shutdown and features a series of locked pages with a countdown, suggesting a timed release of potentially damaging disclosures about the group. The use of the group’s former communications channel could serve to demoralize the gang members and deter their activities by increasing perceived risks of exposure and capture. Despite these efforts, LockBit remains active and defiant, highlighting the ongoing challenge authorities face in permanently dismantling such resilient cybercriminal networks. The upcoming disclosures, as hinted by authorities and cybersecurity professionals at the RSA Conference, could provide unprecedented insights into the inner workings of one of the most notorious ransomware groups.
READ THE STORY: Tech Times
VPN Vulnerabilities Exposed: Traffic Can Be Diverted from Encrypted Tunnels
Bottom Line Up Front (BLUF): Leviathan Security's recent findings indicate a significant vulnerability in how VPNs handle local network connections, allowing attackers to redirect VPN traffic through rogue DHCP servers. This exploit undermines the security promises of VPN services, particularly when used on untrusted networks.
Analyst Comments: The implications of this vulnerability are severe, especially for users who depend on VPNs for secure communications in potentially hostile environments, such as public Wi-Fi networks. The research exposes a fundamental flaw in the DHCP protocol, which could be exploited to intercept and manipulate traffic that should be securely encrypted by a VPN. This attack method utilizes DHCP option 121 to create routing rules that override those of the VPN, cleverly directing traffic to a controlled gateway without alerting the user. Given the simplicity and effectiveness of the attack, it's a stark reminder of the inherent risks associated with using VPNs on untrusted networks and highlights the need for continuous scrutiny and enhancement of network security protocols.
FROM THE MEDIA: Leviathan Security's researchers discovered that attackers could manipulate DHCP server settings to reroute VPN traffic through a gateway they control. By setting up a rogue DHCP server on the same network as the victim, attackers can employ a DHCP starvation attack or a shorter DHCP lease strategy to force the victim's device to request new network configuration, inadvertently bypassing the encrypted VPN tunnel. This technique allows attackers to snoop on or manipulate traffic before it re-enters the legitimate gateway, all while the VPN connection appears secure and active to the user. This vulnerability not only questions the reliability of VPNs on compromised networks but also underscores the sophistication of network-based attacks that can silently undermine data privacy.
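A defender-side check for the DHCP option 121 behaviour described above, added here as an example (not Leviathan Security's code): it decodes the classless static route option (RFC 3442) from a DHCP lease and flags routes whose next hop is not the lease's own router, since any such route is more specific than the VPN's default route and diverts the covered traffic around the tunnel. The sample lease bytes and the VPN server address are constructed for the example.

```python
"""Inspect a DHCP offer for option 121 routes that would pull traffic out of a VPN.

Added defensive example, not Leviathan Security's code. It decodes the
classless static route option (RFC 3442) from a DHCP options field and
flags every route whose next hop is not the expected LAN gateway: a host
installs these routes alongside the VPN's default route, and any prefix
longer than /0 wins for the addresses it covers, so those packets leave
the host outside the tunnel while the VPN still looks connected.
"""
import ipaddress

OPT_PAD, OPT_ROUTER, OPT_CLASSLESS_STATIC_ROUTE, OPT_END = 0, 3, 121, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: value} for a TLV-encoded DHCP options field (after the magic cookie)."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_option_121(value: bytes):
    """Decode RFC 3442 entries: prefix length, ceil(len/8) destination octets, 4-byte router."""
    routes, i = [], 0
    while i < len(value):
        prefix_len = value[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8
        dest = bytes(value[i + 1:i + 1 + n_octets]).ljust(4, b"\x00")
        router = value[i + 1 + n_octets:i + 5 + n_octets]
        if len(router) != 4:
            raise ValueError("truncated route entry")
        routes.append((ipaddress.ip_network((dest, prefix_len), strict=False),
                       ipaddress.ip_address(router)))
        i += 5 + n_octets
    return routes


def find_vpn_overrides(options: bytes, vpn_server: str):
    """Return option-121 routes whose next hop differs from the lease's own router option.

    Each hit records whether it also covers the VPN server address, in which case the
    tunnel's own encrypted packets would be sent to the unexpected next hop as well.
    """
    opts = parse_dhcp_options(options)
    if OPT_CLASSLESS_STATIC_ROUTE not in opts or OPT_ROUTER not in opts:
        return []
    gateway = ipaddress.ip_address(opts[OPT_ROUTER][:4])
    vpn = ipaddress.ip_address(vpn_server)
    hits = []
    for network, router in decode_option_121(opts[OPT_CLASSLESS_STATIC_ROUTE]):
        if router != gateway:
            hits.append({"network": str(network), "next_hop": str(router),
                         "covers_vpn_server": vpn in network})
    return hits


# Constructed sample lease: a normal corporate route via the LAN gateway, followed by
# a route to a public /24 via a different host on the LAN that is not the gateway.
SAMPLE_OPTIONS = bytes([
    53, 1, 2,                                    # option 53: message type = DHCPOFFER
    3, 4, 192, 168, 1, 1,                        # option 3: router (the real gateway)
    121, 14,                                     # option 121, two route entries
    8, 10, 192, 168, 1, 1,                       # 10.0.0.0/8     -> 192.168.1.1
    24, 203, 0, 113, 192, 168, 1, 254,           # 203.0.113.0/24 -> 192.168.1.254
    255,                                         # end of options
])

if __name__ == "__main__":
    for hit in find_vpn_overrides(SAMPLE_OPTIONS, vpn_server="203.0.113.45"):
        print(f"route {hit['network']} via {hit['next_hop']} bypasses the VPN"
              + (" and covers the VPN server itself" if hit["covers_vpn_server"] else ""))
```

On a real host the options field comes from the client's lease (or a packet capture of the DHCPOFFER/DHCPACK); the check is a heuristic, since legitimate networks may also publish option 121 routes through a second router.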
READ THE STORY: Krebs on Security
Items of interest
Google, Meta, and Spotify are reportedly collecting and transmitting user data in violation of Apple's stringent privacy regulations
Bottom Line Up Front (BLUF): Recent claims suggest that major tech companies like Google, Meta, and Spotify may be circumventing Apple's device fingerprinting rules on iOS by improperly collecting and transmitting user data. This practice could undermine user privacy despite Apple's efforts to enforce strict API usage protocols for app developers.
Analyst Comments: This development reflects the ongoing tension between device manufacturers and app developers over user privacy and data security. Apple's policy aims to limit the type of data apps can collect and how it is used, particularly to prevent tracking users across different digital environments without their explicit consent. The alleged non-compliance by major tech firms not only challenges Apple's authority and the effectiveness of its privacy measures but also raises questions about the balance between user privacy and the commercial uses of data. If these allegations are accurate, they could lead to significant reputational damage for the involved companies and potentially attract regulatory scrutiny.
FROM THE MEDIA: According to investigative findings, despite Apple's updated requirements for developers to justify their use of APIs capable of device fingerprinting, several large tech companies appear to be violating these guidelines. Apple has historically prohibited the collection and off-device transmission of certain types of data to prevent privacy breaches. However, Google, Meta, and Spotify are accused of not adhering to these stipulations, with their apps reportedly collecting data beyond declared reasons and transmitting it back to their servers. This controversy highlights a possible oversight or enforcement gap in Apple's privacy framework, dubbed by some critics as "privacy theater," where the measures are visible but their enforcement may not be as robust.
READ THE STORY: The Register
There’s Virtually Nothing You Can Do To Protect Your Online Privacy (Video)
FROM THE MEDIA: NBC News Digital is a collection of innovative and powerful news brands that deliver compelling, diverse and engaging news stories. NBC News Digital features NBCNews.com, MSNBC.com, TODAY.com, Nightly News, Meet the Press, Dateline, and the existing apps and digital extensions of these respective properties. We deliver the best in breaking news, live video coverage, original journalism and segments from your favorite NBC News Shows.
Regulating Big Tech: Is TikTok Still on the Clock? (Video)
FROM THE MEDIA: In 2023, the rapid pace of innovation in Silicon Valley is making it increasingly challenging for our global partners to keep up. Ray Suarez speaks with Gerard de Graaf, Senior Envoy for Digital to the US, about strengthening US-EU cooperation on digital affairs. Then, Caitlin Chin, Strategic Technologies Program Fellow at the Center for Strategic and International Studies, returns with an update on the latest digital drama between Washington and Beijing… and where a possible TikTok ban goes from here.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.