Friday, May 10 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding the Proof of Concepts (PoC), if available, for the CVEs mentioned: a Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It's primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.*
China's Digital Silk Road and Its Global Impact (CN Espionage Infrastructure)
Bottom Line Up Front (BLUF): China's Digital Silk Road (DSR) initiative is intensifying its influence on the global stage, advancing beyond traditional infrastructure projects to encompass digital technologies in developing countries. This strategic expansion not only challenges Western technological dominance but also raises significant security concerns due to the potential for increased surveillance and data collection by Beijing.
Analyst Comments: The DSR represents a pivotal shift in China’s approach to international relations and economic statecraft, leveraging digital infrastructure to gain strategic footholds in developing regions. The initiative’s focus on deploying technologies like 5G, AI, and e-commerce platforms extends China’s capacity to influence global digital standards and norms. However, this expansion is not without its controversies, particularly concerning the security and privacy implications for nations involved. The use of Chinese technology in sensitive sectors poses risks of surveillance and could give Beijing unprecedented access to vast amounts of data, potentially leading to geopolitical and security tensions.
FROM THE MEDIA: China's Digital Silk Road initiative aims to export digital technology infrastructure to developing countries, offering them affordable alternatives to Western technology but with strings attached. This includes investments in critical areas such as 5G networks, data centers, and surveillance technology, which are often accompanied by conditions that enhance Beijing's influence over these nations' digital landscapes. For example, in Zimbabwe, a partnership with a Chinese company involved exchanging biometric data of millions of citizens for surveillance technology, illustrating the potential privacy and sovereignty compromises involved.
READ THE STORY: Eurasia Review
APT28 Targets Polish Institutions in Coordinated Malware Campaign
Bottom Line Up Front (BLUF): Polish government institutions have come under a sophisticated malware attack orchestrated by the notorious Russia-linked APT28. Using deceptive emails and malicious links, the campaign employs DLL side-loading and other tactics to deploy malware, exploiting legitimate services to evade detection.
Analyst Comments: APT28's recent campaign against Polish institutions underscores the group's persistent threat and evolving tactics. The use of legitimate web services for malicious redirections reflects a clever strategy to bypass security measures, complicating the detection and response for targeted organizations. This operation aligns with APT28’s historical pattern of targeting political and governmental entities, highlighting the geopolitical motivations behind their cyber espionage activities. The repeated involvement of APT28 in high-profile cyber operations indicates a sustained Russian interest in the political machinations and security postures of Eastern European nations, particularly those in close proximity to conflict zones.
FROM THE MEDIA: The attack begins with phishing emails that redirect victims to a series of legitimate but compromised websites, ultimately leading to the download of a disguised malicious payload. This payload, when executed, sideloads a malicious DLL that triggers a batch script capable of performing various malicious activities, including data exfiltration. The use of legitimate sites like Mocky and webhook.site in the attack chain helps the malware avoid detection by blending in with normal traffic, a method known for its effectiveness in concealing cyber espionage activities. The discovery of this campaign is part of a broader pattern of malicious activities attributed to APT28, which has historically targeted a wide range of entities in Western Europe and beyond. The involvement of this group in ongoing geopolitical conflicts, coupled with their advanced capabilities, poses a significant cybersecurity threat. The tools and tactics employed in this campaign are sophisticated, involving multiple stages of obfuscation and misuse of legitimate services to achieve persistence and stealth.
READ THE STORY: THN // Euractiv
U.S. Revokes Chip Licenses for Huawei, Citing National Security Concerns
Bottom Line Up Front (BLUF): The U.S. Department of Commerce has revoked existing licenses allowing companies like Intel and Qualcomm to conduct business with Huawei Technologies. This decision, effective immediately, targets the supply of chips used in Huawei's computer and mobile phone products, marking a significant escalation in the U.S. efforts to restrict the Chinese tech giant's access to advanced technology due to ongoing national security concerns.
Analyst Comments: The U.S. government's decision to revoke these licenses reflects deepening concerns over national security and the strategic technology competition between the U.S. and China. The move is part of a broader policy aimed at containing China's technological ascent and mitigating potential risks associated with Huawei's alleged ties to Chinese state-sponsored cyber espionage activities. By cutting off access to critical semiconductor technology, the U.S. aims to limit Huawei's ability to develop advanced electronic equipment, potentially slowing the company's growth and reducing its influence globally.
FROM THE MEDIA: The revocation affects key components that Huawei relies on for developing its computing and mobile technologies. Previously, despite being on the U.S. trade restriction lists since 2019, Huawei had made notable advances, such as the launch of an AI-enabled laptop. The decision to revoke the licenses follows assessments by the Department of Commerce aimed at continually adapting to the "constantly changing threat environment and technological landscape."
READ THE STORY: MSN
MITRE to Boost US Government AI Capabilities with New Supercomputer
Bottom Line Up Front (BLUF): MITRE is set to enhance AI research and application development across US government agencies with a new supercomputer, the Nvidia DGX SuperPOD. This system, featuring 256 Nvidia H100 GPUs, will provide significant computational power, specifically designed for AI tasks, to facilitate advancements in national security, healthcare, transportation, and climate research.
Analyst Comments: MITRE's initiative to allocate AI computing resources through the Federal AI Sandbox marks a pivotal step in democratizing high-performance computing for AI across federal agencies. While the system's 17 petaFLOPS of FP64 performance may not place it among the top supercomputers globally, its design and capability are tailored to meet the specific needs of AI and machine learning applications which often require less precision. This strategic deployment underscores the growing importance of AI in government operations and the need for dedicated infrastructures that can accelerate the development and deployment of AI-driven solutions in critical sectors.
FROM THE MEDIA: The upcoming Federal AI Sandbox by MITRE, an Nvidia DGX SuperPOD system, is scheduled to be operational by the end of 2024 in Ashburn, Virginia. Despite its relatively modest size compared to leading supercomputers like the DOE's Frontier, the DGX SuperPOD's design is optimized for AI computations, boasting one exaFLOPS of AI-level performance. This capability is essential for training large-scale AI models and conducting complex simulations across various data types, including images, audio, and text. Access to the supercomputer will be available to US agencies currently engaged with any of MITRE’s research and development centers, facilitating a broad range of experimental and prototyping activities. This initiative not only aligns with President Biden's executive order to enhance AI adoption across federal operations but also significantly boosts the computational resources available to agencies that have historically lacked the necessary infrastructure to explore advanced AI technologies.
READ THE STORY: The Register
CVE-2023-40000 Exploited in LiteSpeed Cache Plugin for WordPress
Bottom Line Up Front (BLUF): The LiteSpeed Cache plugin for WordPress, affecting over 5 million websites, has been compromised by hackers exploiting CVE-2023-40000, a stored cross-site scripting (XSS) vulnerability. This flaw allows unauthenticated attackers to create rogue admin accounts and gain full control over the websites, leading to potential data breaches and malware spread.
Analyst Comments: The exploitation of CVE-2023-40000 represents a significant security risk, primarily due to the wide installation base of the LiteSpeed Cache plugin and its critical role in website performance optimization. The ability of hackers to create admin accounts without authentication highlights a severe oversight in security practices concerning user input sanitization. This vulnerability underscores the continual need for rigorous security testing and updates in software development, especially in widely-used applications that form the backbone of many internet operations.
FROM THE MEDIA: Discovered and initially patched in October 2023, CVE-2023-40000 was publicly disclosed by Patchstack in February 2024. This vulnerability resides in a function that fails to properly sanitize user input, allowing attackers to inject malicious scripts into WordPress sites. These scripts enable the attackers to bypass normal authentication processes and create admin accounts with elevated privileges. According to WPScan, malicious actors have already exploited this flaw to inject admin users named wpsupp-user and wp-configuser, leveraging them for further malicious activities such as data exfiltration and malware installation.
READ THE STORY: THN // PoC: CVE-2023-40000
China Rejects UK Accusations of Cyber Attacks (They Did)
Bottom Line Up Front (BLUF): Lin Jian, spokesperson for China's Ministry of Foreign Affairs, has officially dismissed allegations made by the UK concerning Chinese involvement in cyber attacks. These denials come in response to reports from British media that implicate China in cyber espionage activities targeting the UK’s Electoral Commission and various political figures in 2021.
Analyst Comments: China's swift rejection of these accusations is consistent with its longstanding policy of denying involvement in cyber espionage. Lin Jian's call for countries to produce "sufficient and objective evidence" before making such claims underscores China’s defensive posture in the realm of international cyber diplomacy. This incident highlights the ongoing tension between China and Western nations over cybersecurity and espionage, with both sides maintaining a cautious approach to dialogue and cooperation in this area. The emphasis on dialogue and legal frameworks for combating cybercrime reflects China's strategy to position itself as a responsible major power in cyberspace governance. However, these statements also serve to deflect international criticism and manage the narrative surrounding China's global cyber activities. The ongoing disputes illustrate the complex dynamics of trust and verification in international cyber relations, where accusations and denials form part of broader geopolitical strategies.
FROM THE MEDIA: The response from the Chinese Foreign Ministry follows a report by The Sun, which detailed alleged cyber attacks by China against the UK's Electoral Commission in 2021. The report comes ahead of a speech by the UK's Deputy Prime Minister, Oliver Dowden, expected to address the broader issue of cyber threats from China to the UK's political systems. The UK government appears to be preparing to further expose and discuss the cybersecurity threats posed by China, suggesting a possible escalation in diplomatic tensions over this issue. This situation highlights the challenges in international relations and cybersecurity, where evidence and accusations often lead to increased scrutiny and diplomatic friction.
READ THE STORY: MSN
Mastodon Delays Full Fix for Link Preview DDoS Issue to Version 4.4.0
Bottom Line Up Front (BLUF): Mastodon has pushed back the release of a comprehensive fix for the issue of link previews causing accidental distributed denial of service (DDoS) attacks on websites. Originally slated for version 4.3.0, the remedy has been delayed to version 4.4.0 by Mastodon CTO Renaud Chaput. In the meantime, a mitigation has been put in place to reduce the link preview load on sites.
Analyst Comments: The delay in fully addressing the link preview DDoS issue highlights the challenges inherent in decentralized social networks like Mastodon. The problem arises from the federated nature of the platform, where each instance fetches its own link previews, potentially overwhelming content host servers with a flood of requests. While the temporary mitigation should alleviate some of the burden, a comprehensive solution is crucial to prevent unintended consequences for websites shared on Mastodon.
FROM THE MEDIA: According to Chaput, the full fix for the link preview DDoS issue was pushed back to version 4.4.0 due to the significant work involved in developing a federated solution. The current mitigation, which introduces a random delay of up to 60 seconds before generating previews, aims to spread out the requests and minimize the impact on content host servers. Chaput also noted that the issue is not specific to Mastodon but affects all Fediverse implementations. The project is exploring ways to share link preview information between servers, reducing the need for each instance to fetch the data independently. However, this solution must be carefully designed to prevent potential security issues, such as spoofing.
READ THE STORY: The Register
China-Linked Hackers Utilize ROOTROT Webshell in Sophisticated MITRE Network Intrusion (Mirai Botnet Delivery)
Bottom Line Up Front (BLUF): Juniper Threat Labs reports active exploitation of two critical vulnerabilities in Ivanti Pulse Secure products, identified as CVE-2023-46805 and CVE-2024-21887, which enable authentication bypass and command injection, respectively. These vulnerabilities are being utilized to deliver the Mirai botnet, escalating the threat landscape for organizations using these network appliances.
Analyst Comments: The exploitation of these vulnerabilities highlights a concerning trend of attackers leveraging enterprise network appliances to distribute malware, such as the notorious Mirai botnet. This scenario underscores the necessity for organizations to promptly apply security patches and adopt comprehensive network security measures. It also demonstrates the sophistication and persistence of cybercriminals in exploiting network-based vulnerabilities to establish a foothold within corporate networks, potentially leading to further malicious activities, including data theft and ransomware deployment.
FROM THE MEDIA: The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affect Ivanti Connect Secure and Ivanti Policy Secure Gateways, exposing them to remote attacks that bypass authentication mechanisms and execute arbitrary commands. The flaw resides particularly in the handling of API endpoints, where inadequate security controls allow attackers to manipulate network traffic and device operations. Juniper Threat Labs observed attacks in the wild where these vulnerabilities were chained to inject and execute malicious scripts that facilitate the installation of the Mirai botnet. This malware is known for its capability to carry out large-scale distributed denial-of-service (DDoS) attacks, making it a potent tool for cybercriminal activities.
READ THE STORY: THN // Juniper // PoC: CVE-2023-46805 and CVE-2024-21887
U.S. Allocates $285 Million from CHIPS Act for Semiconductor Digital Twins
Bottom Line Up Front (BLUF): The U.S. Department of Commerce has announced that $285 million in funding from the CHIPS Act will be dedicated to the development of semiconductor digital twins. This work will be carried out by a newly established Manufacturing USA institute, which aims to boost domestic production of critical next-generation technologies and reduce reliance on foreign suppliers.
Analyst Comments: The allocation of CHIPS Act funds for semiconductor digital twins underscores the U.S. government's commitment to fostering innovation and competitiveness in the domestic semiconductor industry. By investing in the development of advanced simulation and modeling tools, the initiative seeks to accelerate the design, testing, and optimization of cutting-edge chips, ultimately strengthening America's position in the global semiconductor market. The establishment of a dedicated Manufacturing USA institute for this purpose highlights the strategic importance of digital twins in driving technological progress and enhancing collaboration among industry stakeholders.
FROM THE MEDIA: According to the Department of Commerce, the new CHIPS Manufacturing USA Institute will focus on the "development, validation, and use of digital twins for semiconductor manufacturing, advanced packaging, assembly, and test processes." Digital twins, described as "virtual models that mimic the structure, context, and behavior of a physical counterpart," are expected to help the U.S. move faster in designing, prototyping, and fabricating world-class chips. The funding opportunity is open to domestic entities, including nonprofits, for-profit organizations, universities, and government bodies, with the majority ownership required to be U.S.-based. The CHIPS Manufacturing Institute will join 17 other Manufacturing USA members, each dedicated to advancing specific areas of technology, such as cybersecurity, power electronics, and biofabrication.
READ THE STORY: The Register
Google Patches Chrome Zero-Day Vulnerability Exploited in the Wild
Bottom Line Up Front (BLUF): Google has swiftly addressed a critical zero-day vulnerability, identified as CVE-2024-4671, in its Chrome browser for which an exploit exists in the wild. This vulnerability, situated within the Visuals component of Chrome, could allow remote attackers to execute arbitrary code on a user’s system by exploiting heap corruption via a specially crafted HTML page.
Analyst Comments: The quick response by Google to patch this zero-day vulnerability underscores the ongoing cat-and-mouse game between software developers and cyber attackers. The nature of the exploit, allowing for arbitrary code execution, highlights the severe threat level posed by such vulnerabilities, particularly those that are actively exploited in the wild. The potential for attackers to gain elevated privileges or to execute actions on the user’s system could have significant repercussions, especially for those with administrative rights.
FROM THE MEDIA: CVE-2024-4671 is a "use after free" vulnerability affecting the Visuals component of Google Chrome. This flaw could lead to exploitable heap corruption when a user visits a maliciously crafted HTML page. The vulnerability has been patched in the latest stable desktop versions of Chrome, specifically versions v124.0.6367.201/.202 for Mac and Windows, and v124.0.6367.201 for Linux. The update process for users who do not have automatic updates enabled involves manually checking for the update and restarting the browser to ensure the changes take effect. For those with automatic updates, Google has assured that the rollout will occur progressively over the coming days or weeks, with a pending update notification prompting users to restart their browser.
READ THE STORY: Help Net Security
LLMjacking: Exploitation of Cloud Credentials Targets AI Services
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified a sophisticated attack, named LLMjacking, targeting cloud-hosted AI services using stolen cloud credentials. This method exploits vulnerabilities in cloud infrastructure to gain unauthorized access to large language models (LLMs), enabling attackers to sell illicit access to these resources.
Analyst Comments: The emergence of LLMjacking signifies a shift in cyberattack strategies towards exploiting the growing reliance on cloud-hosted AI services. By hijacking cloud accounts, attackers can not only cause substantial financial losses by racking up usage fees but also potentially gain access to sensitive information processed by these AI models. The exploitation of a known vulnerability in the Laravel framework, CVE-2021-3129, highlights the critical importance of timely patch management and robust cloud security measures to defend against such sophisticated threats.
FROM THE MEDIA: LLMjacking involves attackers first gaining entry through a system running a vulnerable version of Laravel, subsequently leveraging this access to exfiltrate AWS credentials. These credentials are then used to infiltrate cloud-hosted LLMs such as Anthropic’s Claude models. Attackers deploy tools like a key checker and a reverse proxy to assess and exploit various AI services without exposing stolen credentials directly. This method allows them to stealthily monetize their access by offering illicit LLM services to other cybercriminals. The exploitation process also involves careful avoidance of detection mechanisms, suggesting a high level of sophistication and planning. The financial implications for victims can be severe, with potential daily costs exceeding $46,000 due to unauthorized LLM usage. This scenario underlines the need for organizations to enhance their security posture by implementing detailed logging, continuous monitoring of cloud environments, and rigorous access controls to mitigate the risk of similar attacks.
READ THE STORY: THN // Sysdig // PoC: CVE-2021-3129
Dmitry Khoroshev Identified as LockBit Ransomware Administrator by International Law Enforcement
Bottom Line Up Front (BLUF): Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, has been unmasked as the administrator behind the notorious LockBit ransomware operation. Facing a myriad of charges from global law enforcement agencies, Khoroshev is now subject to international sanctions and a substantial bounty for his arrest, highlighting a significant blow to one of the most pervasive ransomware-as-a-service (RaaS) networks.
Analyst Comments: The identification and indictment of Dmitry Khoroshev signify a pivotal moment in the ongoing battle against cybercrime, particularly ransomware operations. LockBit's extensive impact, affecting thousands of entities worldwide, underscores the critical need for coordinated international efforts to dismantle cybercriminal networks. The comprehensive charges and the substantial bounty reflect the severity and global reach of Khoroshev's alleged crimes, emphasizing the high stakes involved in cybersecurity enforcement and the importance of robust legal and operational frameworks to combat such threats.
FROM THE MEDIA: Dmitry Khoroshev, operating under aliases like LockBitSupp and putinkrab, has been a central figure in the LockBit ransomware operations, which have targeted thousands of organizations globally, extracting over $500 million in ransoms. With the unsealing of an indictment by the Department of Justice, Khoroshev faces 26 counts, including conspiracy to commit fraud and extortion, which cumulatively could lead to a maximum sentence of 185 years. The LockBit operation, known for its ransomware-as-a-service model and double extortion tactics, was significantly disrupted by Operation Cronos in February, leading to a dramatic decrease in its activities. Despite attempts to revive its operations, LockBit remains at a reduced capacity, struggling to regain its previous influence in the cybercrime landscape.
READ THE STORY: Yahoo News // THN
"TunnelVision" Exploit Bypasses VPN Encryption via Rogue DHCP Servers
Bottom Line Up Front (BLUF): A newly discovered attack method, named "TunnelVision", poses a significant risk by diverting VPN traffic through rogue DHCP servers, effectively bypassing VPN encryption. This attack, which exploits DHCP option 121, has been disclosed by Leviathan Security with a CVE identifier of CVE-2024-3661, warning users about the potential for intercepted and unencrypted traffic.
Analyst Comments: The "TunnelVision" attack highlights a critical vulnerability in the security architecture of commonly used VPN protocols that rely on system-level routing. By exploiting the absence of an authentication mechanism in DHCP, attackers can manipulate routing tables to divert traffic to malicious gateways without disrupting the VPN's secure connection indicator. This method underscores the necessity for enhanced security measures in VPN and DHCP configurations, especially in environments where attackers can control or influence network infrastructure, such as public Wi-Fi networks.
FROM THE MEDIA: Leviathan Security's report reveals that attackers can set up a DHCP server that forcibly alters the routing tables on a connected device, causing the VPN traffic to bypass the encrypted tunnel and flow directly to a malicious gateway. This vulnerability has been lingering in systems since 2002, yet no known active exploitations have occurred. The vulnerability affects most operating systems, including Windows, Linux, macOS, and iOS, with Android being the exception due to its lack of support for DHCP option 121. Leviathan has recommended several mitigation strategies to counter the vulnerability, such as using network namespaces on Linux to isolate network interfaces, configuring VPN clients to block non-VPN traffic, and setting systems to disregard DHCP option 121 while connected to VPNs. These steps are crucial for users frequently connecting to public or untrusted networks where the risk of encountering a rogue DHCP server is heightened.
READ THE STORY: THN // Bleeping Computer // PoC: CVE-2024-3661
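The routing-table mechanism behind TunnelVision can be audited from the DHCP side: decode option 121 (RFC 3442 classless static routes) and flag any route at least as specific as the VPN's own routes, since longest-prefix matching sends that traffic to the DHCP-supplied gateway instead of the tunnel. This is an added example, not code from Leviathan Security or the original post; the sample option bytes, the /1 VPN routes and the trusted LAN/VPN-server networks are constructed assumptions.

```python
"""Audit a DHCP option 121 payload for routes that would divert traffic
out of a VPN tunnel (the TunnelVision pattern). Constructed example."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

Route = Tuple[IPv4Network, IPv4Address]


def parse_option_121(data: bytes) -> List[Route]:
    """Decode an RFC 3442 option payload into (destination, router) pairs.

    Each entry is: 1 byte prefix width, ceil(width/8) significant octets of
    the destination, then a 4-byte router address. Raises ValueError on a
    malformed or truncated payload instead of silently installing routes.
    """
    routes: List[Route] = []
    pos = 0
    while pos < len(data):
        width = data[pos]
        pos += 1
        if width > 32:
            raise ValueError(f"invalid prefix width {width} at offset {pos - 1}")
        nbytes = (width + 7) // 8
        if pos + nbytes + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        significant = data[pos:pos + nbytes]
        pos += nbytes
        # Pad the significant octets back out to a full 4-byte address.
        dest = IPv4Network((significant + bytes(4 - nbytes), width), strict=False)
        router = IPv4Address(data[pos:pos + 4])
        pos += 4
        routes.append((dest, router))
    return routes


def audit_option_121(data: bytes, vpn_routes: List[IPv4Network],
                     trusted_off_tunnel: List[IPv4Network]) -> List[Route]:
    """Return option-121 routes that contest or beat the VPN's routes.

    The kernel picks the longest matching prefix, so a DHCP route that is at
    least as specific as the VPN route covering the same destinations sends
    that traffic to the LAN gateway, outside the tunnel (equal lengths fall
    back to metric, so they are reported too). Destinations entirely inside
    a trusted off-tunnel network (local LAN, the VPN server) are expected.
    """
    flagged: List[Route] = []
    for dest, router in parse_option_121(data):
        if any(dest.subnet_of(net) for net in trusted_off_tunnel):
            continue
        if any(dest.overlaps(v) and dest.prefixlen >= v.prefixlen for v in vpn_routes):
            flagged.append((dest, router))
    return flagged


# Constructed sample payload (not a capture): a rogue DHCP server on
# 192.168.1.0/24 handing out extra routes next to the normal default route.
SAMPLE_OPTION_121 = bytes([
    0, 192, 168, 1, 1,                    # 0.0.0.0/0       via 192.168.1.1 (normal)
    24, 192, 168, 1, 192, 168, 1, 1,      # 192.168.1.0/24  via 192.168.1.1 (local LAN)
    32, 198, 51, 100, 7, 192, 168, 1, 1,  # 198.51.100.7/32 via 192.168.1.1 (VPN server)
    24, 203, 0, 113, 192, 168, 1, 1,      # 203.0.113.0/24  via 192.168.1.1 (diverted)
    1, 128, 192, 168, 1, 1,               # 128.0.0.0/1     via 192.168.1.1 (contests VPN)
])

# Assumption: the VPN client installs the common pair of /1 routes into its
# tunnel interface; the LAN and the VPN server are legitimately off-tunnel.
VPN_ROUTES = [IPv4Network("0.0.0.0/1"), IPv4Network("128.0.0.0/1")]
TRUSTED_OFF_TUNNEL = [IPv4Network("192.168.1.0/24"), IPv4Network("198.51.100.7/32")]

if __name__ == "__main__":
    for dest, router in audit_option_121(SAMPLE_OPTION_121, VPN_ROUTES, TRUSTED_OFF_TUNNEL):
        print(f"ALERT: option 121 route {dest} via {router} bypasses the VPN")
```

On Linux the raw option bytes can be taken from the lease file or a DHCP capture; the same check is what "disregard option 121 while on VPN" enforces wholesale.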
Chinese Hacking Operations Permanently Alter Cyberthreat Landscape
Bottom Line Up Front (BLUF): US federal officials at the RSA Conference indicated that even if the US government manages to counter the current Chinese hacking operations known as Volt Typhoon, the implications of such campaigns have already permanently transformed the cyberthreat landscape. These operations have advanced from traditional espionage to more aggressive disruptions intended to sow societal panic and facilitate potential military conflicts.
Analyst Comments: The evolution of China's cyber strategy, as demonstrated by the Volt Typhoon operation, represents a significant shift in the nature of nation-state cyber activities. Moving beyond mere data theft, these operations now aim to establish persistent access within critical infrastructures, possibly pre-positioning for sabotage or severe disruption during geopolitical crises. This strategic pivot not only heightens the stakes for national security cyber defenses but also necessitates a more robust, proactive approach to cybersecurity across both government and private sectors in the US and allied nations.
FROM THE MEDIA: The Volt Typhoon operation has exposed vulnerabilities in numerous home and office routers, marking a tactical shift in Chinese state-backed cyber operations toward utilizing consumer devices as gateways to broader network access. This method increases the difficulty of defending against and mitigating such threats, as it leverages devices often lacking in robust security features or regular updates. The operation's broad scope and the sophisticated nature of the attacks underscore the necessity for enhanced security protocols, particularly in devices at the network's edge, which can serve as entry points for attackers.
READ THE STORY: The Record
Items of interest
Ukraine's Military Intelligence Targets Russian Software Firm in Cyberattack
Bottom Line Up Front (BLUF): Ukraine's military intelligence agency, HUR, has successfully executed a cyberattack against the 1C Company in Moscow, a major Russian software developer. This operation led to the temporary shutdown of crucial business services and cloud solutions, marking a continued escalation in the cyber dimensions of the ongoing conflict.
Analyst Comments: This strategic cyber strike by Ukraine underscores the growing sophistication and boldness of Ukraine's cyber operations amid heightened tensions with Russia. Targeting a software firm deeply embedded in Russia's business infrastructure highlights a shift towards disrupting everyday economic activities, potentially aiming to exert psychological and operational pressure on Russian enterprises. This attack not only disrupts Russian business operations but also sends a clear signal about Ukraine's capabilities and resolve in the cyber domain.
FROM THE MEDIA: The cyberattack disabled a corporate cloud provider and a remote work server crucial for 1C Company's operations, rendering several business tools and databases inaccessible. This operation is part of a series of aggressive cyber activities attributed to Ukraine's HUR, reflecting an intensified cyber warfare strategy against Russian state-affiliated entities. Previous targets have included the online platforms of Russia's ruling party, United Russia, especially during politically sensitive periods such as their Victory Day campaign.
READ THE STORY: The Kyiv Independent
How Ukraine and Russia are rewriting the rules of cyber war (Video)
FROM THE MEDIA: Armies of vigilante cyber hackers on both sides have caused chaos – taking down websites, stealing private data and hijacking broadcasts.
Ukraine war: Cyber-teams fight a high-tech war on front lines (Video)
FROM THE MEDIA: Ukraine cyber-operators are being deployed on the front lines of the war, duelling close-up with their Russian counterparts in a new kind of high-tech battle. "We have people who are directly involved in combat," says Illia Vitiuk, the head of the Ukrainian Security Service's (SBU) cyber department.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.