Daily Drop (789): Russia's Shadow War | China Sanctions | GHOSTENGINE | Chat Xi PT | Starlink TCP | ICS Disconnect | AMD vs Intel | Win11 Security | Exchange Flaws | DNA Test Warning | Eng. Viruses
05-22-24
Wednesday, May 22 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.*
Estonia Accuses Russia of Waging 'Shadow War' on the West
Bottom Line Up Front (BLUF): Estonian Prime Minister Kaja Kallas claims Russia is conducting a "shadow war" against Western nations, marked by a surge in sabotage, espionage, and electronic warfare. This assertion aligns with rising tensions in frontline nations like Estonia, Latvia, Lithuania, Finland, and Poland as Russia's actions intensify amidst its ongoing conflict in Ukraine.
Analyst Comments: Estonia's accusations highlight the persistent and evolving threat posed by Russia's hybrid warfare tactics. These actions reflect a broader strategy to undermine Western unity and destabilize regional security. The use of nonmilitary methods such as cyberattacks, disinformation, and espionage underscores the Kremlin's shift towards more covert operations, likely in response to the geopolitical landscape and sanctions. The call for a coordinated Western response is crucial to counteract these multifaceted threats effectively.
FROM THE MEDIA: Estonian Prime Minister Kaja Kallas has accused Russia of engaging in a "shadow war" against Western countries, citing increased incidents of sabotage, electronic warfare, and spying attributed to Moscow. Estonia, along with neighboring Latvia, Lithuania, Finland, and Poland, has strengthened its defenses in response to these threats. Lithuanian President Gitanas Nauseda warned of potential sabotage acts, while Polish Prime Minister Donald Tusk reported arrests related to Russian-directed criminal activities. Despite NATO's assertion that Russia is intensifying its campaign from the Baltics to Britain, there is skepticism about the interconnectedness of these attacks.
READ THE STORY: Breaking News
China Sanctions U.S. Defense Companies Over Arms Sales to Taiwan
Bottom Line Up Front (BLUF): China has imposed sanctions on three major U.S. defense companies—General Atomics Aeronautical Systems, General Dynamics Land Systems, and Boeing Defense, Space & Security—citing their involvement in arms sales to Taiwan. This move escalates tensions between China and Taiwan and targets U.S. entities involved in Taiwan's defense.
Analyst Comments: China's recent sanctions on U.S. defense firms highlight the escalating geopolitical tension surrounding Taiwan. By placing these companies on its "unreliable entities list," China aims to undermine the military support that the U.S. provides to Taiwan, reinforcing its stance on Taiwan's sovereignty. The timing of these sanctions, coinciding with Taiwanese President Lai Ching-te's inauguration, underscores Beijing's intent to project its disapproval of Taiwan's political maneuvers and international support.
FROM THE MEDIA: China's Ministry of Commerce announced sanctions against General Atomics Aeronautical Systems, General Dynamics Land Systems, and Boeing Defense, Space & Security for their arms sales to Taiwan. The sanctions prohibit these companies from investing in or engaging in import-export transactions with China and ban their senior executives from entering the country. The move, intended to safeguard China’s sovereignty, security, and development interests, also targets Caplugs for allegedly circumventing sanctions. This action follows a pattern of similar sanctions earlier in the year, reflecting China's firm stance on Taiwan and its efforts to penalize foreign entities supporting Taiwan’s defense.
READ THE STORY: Jurist // ABC // Barron’s
GHOSTENGINE Exploits Vulnerable Drivers in Sophisticated Cryptojacking Campaign
Bottom Line Up Front (BLUF): A newly identified cryptojacking campaign, tracked as REF4578 and deploying the GHOSTENGINE payload, leverages vulnerable drivers to disable security solutions (EDRs) and ensure the persistence of XMRig cryptocurrency miners. This campaign uses a complex attack chain involving PowerShell scripts, backdoors, and multiple obfuscation and persistence techniques.
Analyst Comments: The GHOSTENGINE cryptojacking campaign underscores the evolving threat landscape where attackers exploit vulnerable drivers to disable security tools, evade detection, and maintain persistence. The use of BYOVD (Bring Your Own Vulnerable Driver) attacks illustrates the increasing sophistication of cybercriminal tactics to bypass even advanced security measures. Organizations must prioritize robust detection mechanisms, frequent updates of vulnerable driver blocklists, and proactive threat hunting to mitigate such threats.
FROM THE MEDIA: The GHOSTENGINE campaign, identified by Elastic Security Labs and dubbed HIDDEN SHOVEL by Antiy Labs, targets endpoint detection and response (EDR) solutions to facilitate cryptojacking operations. The attack begins with an executable file, "Tiworker.exe," which runs a PowerShell script to download and execute additional payloads from a command-and-control (C2) server. These payloads include vulnerable drivers, such as aswArPot.sys and IObitUnlockers.sys, which are used to terminate and delete EDR agents. The primary payload, smartsscreen.exe (GHOSTENGINE), disables security processes and installs the XMRig miner. The malware ensures persistence by creating scheduled tasks and employing a PowerShell script (get.png) to fetch and execute further commands and updates. Notably, the campaign also attempts to disable Microsoft Defender and clear Windows event logs to avoid detection.
READ THE STORY: Elastic // THN // Antiy (CN) // PoC: CVE-2021-44228
China's Latest AI Model, "Chat Xi PT," Embodies Xi Jinping's Political Philosophy
Bottom Line Up Front (BLUF): China has introduced a new large language model, "Chat Xi PT," trained on President Xi Jinping's political philosophy. Developed by the Cyberspace Administration of China (CAC), this AI aims to control and inform internet users in line with Xi's "Thought on Socialism with Chinese Characteristics for a New Era." Initially used at a research center, it may eventually be released for wider use, adhering to strict speech norms and embodying core socialist values.
Analyst Comments: "Chat Xi PT" represents China's strategic move to harness AI for propagating state-approved ideology while managing free speech constraints. By embedding Xi Jinping's philosophy into the AI's responses, the model ensures alignment with government directives and reduces risks of generating politically sensitive content. This initiative aligns with broader efforts to disseminate Xi's thoughts through various media and educational mandates. The development highlights the ongoing tension between fostering technological innovation and maintaining strict political control in China's digital landscape.
FROM THE MEDIA: China's new large language model, "Chat Xi PT," has been trained on President Xi Jinping's political philosophy and other official literature provided by the Cyberspace Administration of China (CAC). The AI, currently used at a research center, aims to disseminate Xi's "Thought on Socialism with Chinese Characteristics for a New Era" while controlling free speech. The model is designed to generate professional and authoritative content, ensuring it aligns with socialist values and avoids subverting state power. This effort complements China's extensive dissemination of Xi's ideas through books, news apps, and educational programs. Companies like Baidu and Alibaba have already implemented strict controls in their generative AI models to avoid sensitive topics, reflecting the broader regulatory environment enforced by the CAC.
READ THE STORY: FT
Starlink’s LEO Network Challenges TCP Protocol, Suggests Expert
Bottom Line Up Front (BLUF): Geoff Huston from APNIC has identified that SpaceX's Starlink presents significant challenges to the TCP protocol due to its low Earth orbit satellite design, causing high jitter, packet loss, and latency spikes. Solutions such as the BBR protocol and CUBIC TCP could mitigate these issues.
Analyst Comments: Starlink's innovative use of low Earth orbit satellites brings unparalleled connectivity to remote areas but at the cost of introducing complexities for traditional TCP protocols. The frequent handovers between satellites lead to increased jitter and latency, complicating stable connections. Huston’s analysis highlights the necessity for advanced TCP protocols like BBR and CUBIC, which adapt better to the high variability and frequent interruptions inherent in LEO satellite communications. This underscores the ongoing need for protocol innovation in response to evolving network environments.
FROM THE MEDIA: Starlink’s satellite internet service, using low Earth orbit (LEO) satellites, presents an unusually hostile environment for TCP due to frequent satellite handovers every 15 seconds, causing latency spikes and packet loss. APNIC's Geoff Huston noted in his analysis that this environment results in high jitter and regular latency shifts from 30ms to 80ms. The service’s performance, measured using Speedtest, showed a median download speed of 120Mbps, though it varied significantly. Huston suggests protocols like Google's BBR and CUBIC TCP, and techniques like Explicit Congestion Notification (ECN) could help manage these challenges by improving how TCP handles the unique conditions of Starlink's network.
READ THE STORY: APNIC // The Register
Rockwell Automation Advises Disconnecting Internet-Facing ICS Devices Amid Cyber Threats
Bottom Line Up Front (BLUF): Rockwell Automation is urging customers to disconnect industrial control systems (ICS) from the internet due to increased geopolitical tensions and global cyber threats. Immediate actions include assessing and cutting off internet access for devices not meant to be exposed and ensuring security patches are applied to critical vulnerabilities.
Analyst Comments: The advisory from Rockwell Automation reflects the rising threat landscape targeting critical infrastructure. With cyber actors increasingly focusing on ICS/OT systems for political and economic gains, proactive measures like disconnecting internet-facing devices and applying patches are vital. This guidance aligns with longstanding concerns from agencies like CISA and NSA about the vulnerabilities of internet-accessible operational technologies.
FROM THE MEDIA: Rockwell Automation has issued an urgent advisory for customers to disconnect industrial control systems (ICS) from public-facing internet connections to mitigate cyber threats linked to heightened geopolitical tensions. The advisory emphasizes that ICS devices should not be configured for direct internet access, reducing exposure to unauthorized cyber activities. Customers are also advised to apply necessary security patches to address several critical vulnerabilities, including CVE-2021-22681 (CVSS score: 10.0), CVE-2022-1159 (CVSS score: 7.7), and CVE-2024-21915 (CVSS score: 9.0). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) supports these recommendations, highlighting ongoing threats from advanced persistent threat (APT) groups targeting ICS/OT systems. Recent research underscores the risk of Stuxnet-style attacks via compromised web applications and PLC interfaces, which can manipulate physical processes and falsify data.
READ THE STORY: THN
AMD Unveils Epyc 4004-Series: Rebadged Ryzens Targeting Intel's Entry-Level Xeons
Bottom Line Up Front (BLUF): AMD has launched its new Epyc 4004-series processors, which are essentially rebadged Ryzen 7000 chips, aimed at competing with Intel's entry-level Xeon E-2400 processors. These processors use the AM5 platform and offer enterprise features, targeting the low-end server market.
Analyst Comments: The introduction of AMD’s Epyc 4004 series highlights a strategic move to capture the lower-end server market segment. By rebranding Ryzen 7000 chips with additional enterprise validation, AMD offers cost-effective solutions with sufficient performance for entry-level server needs. However, limitations such as fewer PCIe lanes and memory channels compared to higher-end Epycs suggest these are best suited for environments with less demanding I/O requirements. This approach allows AMD to leverage existing silicon to expand its market share against Intel.
FROM THE MEDIA: AMD has launched the Epyc 4004 series processors to compete with Intel’s low-power Xeon E-2400 series. These processors, built on the AM5 platform, use the same silicon as Ryzen 7000 chips but include features validated for server environments, such as integration with baseboard management controllers and software RAID support. The series includes eight SKUs with core counts ranging from four to 16 and TDPs between 65W and 170W. While these processors offer competitive performance, they are limited to 28 PCIe 5.0 lanes and two memory channels, which might constrain their use in more demanding server environments. AMD aims to capture more of the entry-level server market by offering these cost-effective, validated solutions.
READ THE STORY: The Register
Windows 11 to Deprecate NTLM and Enhance Security with AI-Powered App Controls
Bottom Line Up Front (BLUF): Microsoft will deprecate NT LAN Manager (NTLM) in Windows 11 by late 2024, enhancing user authentication security. New measures include Local Security Authority (LSA) protection, virtualization-based security (VBS) for Windows Hello, and AI-powered Smart App Control to block untrusted applications. These updates aim to strengthen Windows 11's defense against evolving cyber threats.
Analyst Comments: The deprecation of NTLM in favor of Kerberos marks a significant step in bolstering Windows 11's security, addressing NTLM's susceptibility to relay attacks. The integration of AI in Smart App Control exemplifies the proactive measures being taken to prevent malware and unauthorized application execution. These enhancements are critical in an era where advanced persistent threats and state-sponsored attacks are increasingly sophisticated. Organizations must prepare for these changes and ensure compatibility with Kerberos for seamless authentication processes.
FROM THE MEDIA: Microsoft announced plans to deprecate NT LAN Manager (NTLM) in Windows 11 during the second half of 2024, aiming to enhance security by transitioning to Kerberos for authentication. NTLM, known for its vulnerabilities to relay attacks, has been a target for hackers, notably the Russia-linked APT28 group. Alongside this, Microsoft will enable Local Security Authority (LSA) protection by default for new consumer devices and implement virtualization-based security (VBS) for Windows Hello. Additionally, Smart App Control will use AI to assess and block untrusted applications. Other security improvements include Win32 app isolation, limiting admin privilege abuse, VBS enclaves for third-party developers, and Windows Protected Print Mode (WPP) to secure the printing stack. Microsoft also plans to enforce stronger cryptographic standards and introduce Zero Trust Domain Name System (ZTDNS) to restrict Windows devices to approved network destinations.
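An added example (not Microsoft's tooling) of the preparation the analyst comments call for: an inventory of NTLM logons built from Windows Security event 4624 records, so the clients and services that must move to Kerberos are known before NTLM is deprecated. The JSON-lines export format and the sample events are assumptions; the field names are those of event 4624.

```python
"""Inventory NTLM logons ahead of the NTLM deprecation.

Reads Security event 4624 (successful logon) records exported as JSON
lines, counts which authentication package each logon used, and lists
the NTLM dependencies that still need to move to Kerberos. The sample
events below are constructed, not real logs.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export: one event per line (assumed SIEM export shape).
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.17", "WorkstationName": "FILESRV01"}
{"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "TargetUserName": "alice", "IpAddress": "10.0.5.22", "WorkstationName": "WS-ALICE"}
{"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "bob", "IpAddress": "10.0.5.31", "WorkstationName": "WS-BOB"}
{"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.17", "WorkstationName": "FILESRV01"}
{"EventID": 4624, "LogonType": "10", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "admin", "IpAddress": "10.0.5.40", "WorkstationName": "-"}
{"EventID": 4634, "TargetUserName": "alice"}
"""


def parse_events(text):
    """Parse a JSON-lines export; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def ntlm_inventory(events):
    """Summarise successful logons (4624) by authentication package.

    Returns a dict with:
      by_package  -> Counter of AuthenticationPackageName values
      ntlmv1      -> (user, ip, workstation) tuples still using NTLMv1,
                     the weakest variant and the first thing to fix
      sources     -> {(user, ip, workstation): count} for every NTLM logon,
                     i.e. the list of clients/services to migrate to Kerberos
      remote_ntlm -> (user, ip) for RemoteInteractive (LogonType 10) NTLM
                     logons, typically RDP to a host by IP address, which
                     falls back to NTLM instead of Kerberos
    """
    by_package = Counter()
    ntlmv1 = []
    sources = defaultdict(int)
    remote_ntlm = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        pkg = ev.get("AuthenticationPackageName", "-")
        by_package[pkg] += 1
        if pkg != "NTLM":
            continue
        key = (ev.get("TargetUserName"), ev.get("IpAddress"), ev.get("WorkstationName"))
        sources[key] += 1
        if ev.get("LmPackageName", "").upper().replace(" ", "") == "NTLMV1":
            ntlmv1.append(key)
        if ev.get("LogonType") == "10":
            remote_ntlm.append(key[:2])
    return {"by_package": by_package, "ntlmv1": ntlmv1,
            "sources": dict(sources), "remote_ntlm": remote_ntlm}


if __name__ == "__main__":
    inv = ntlm_inventory(parse_events(SAMPLE_EVENTS))
    print("logons by package:", dict(inv["by_package"]))
    print("NTLMv1 still in use:", inv["ntlmv1"])
    print("RemoteInteractive NTLM logons:", inv["remote_ntlm"])
    for (user, ip, ws), n in sorted(inv["sources"].items()):
        print(f"migrate: {user} from {ip} ({ws}) - {n} NTLM logon(s)")
```

Run it against a real 4624 export with the same fields; the `sources` list is the migration worklist and `ntlmv1` the entries to tackle first.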
READ THE STORY: THN // Yahoo News
MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks
Bottom Line Up Front (BLUF): A new report reveals that over 30 entities in Africa and the Middle East, including government agencies and banks, have been targeted by an unknown threat actor exploiting known vulnerabilities in Microsoft Exchange Server to deploy a keylogger. This malware collects account credentials, accessible via a special internet path. Organizations must update their servers and check for compromise signs.
Analyst Comments: The exploitation of ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange Server highlights ongoing risks from unpatched systems. These flaws allow attackers to bypass authentication and execute remote code, leading to severe breaches. The deployment of a keylogger on the main server page underscores the need for diligent patch management and monitoring. Entities should prioritize securing their Exchange servers to prevent such intrusions and review server logs for any indicators of compromise.
FROM THE MEDIA: An unknown threat actor has been exploiting known security vulnerabilities in Microsoft Exchange Server to deploy keylogger malware, targeting over 30 entities, including government agencies, banks, IT companies, and educational institutions across Africa and the Middle East. These attacks date back to 2021 and leverage ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), which were patched by Microsoft in May 2021. The attackers inject keylogger code into the server's main page (logon.aspx), capturing user credentials and storing them in a file accessible via a special internet path. Positive Technologies discovered this intrusion and has notified all affected victims. Organizations are urged to update their Exchange servers to the latest version and check for any signs of compromise on their main server page and logon.aspx file.
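An added example (not Positive Technologies' or Microsoft's tooling) of the logon.aspx check recommended above: the current page is compared against a known-good baseline by SHA-256, and any `<script>` block present in the current file but absent from the baseline is reported along with the changed lines. The two page bodies are constructed placeholders, not a real logon.aspx or a real injected payload; in practice the baseline comes from a clean install or backup of the same Exchange build (assumption).

```python
"""Integrity check for an Exchange OWA logon page against a clean baseline."""
import difflib
import hashlib
import re

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed stand-in for a clean logon.aspx (not the real page).
BASELINE_PAGE = """\
<%@ Page language="C#" %>
<html><head><title>Outlook</title>
<script type="text/javascript" src="/owa/auth/logon.js"></script>
</head><body>
<form id="logonForm" action="/owa/auth.owa" method="post">
<input name="username"><input name="password" type="password">
</form></body></html>
"""

# Constructed tampered copy: one extra inline script block before </head>.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script type="text/javascript">/* constructed placeholder for an injected block */</script>\n</head>',
)


def file_digest(text):
    """SHA-256 of the page; compare with the hash recorded from the clean baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_script_blocks(baseline, current):
    """Return <script> blocks in current that do not appear in baseline (whitespace-normalised)."""
    def norm(s):
        return re.sub(r"\s+", " ", s).strip()
    known = {norm(b) for b in SCRIPT_BLOCK.findall(baseline)}
    return [b for b in SCRIPT_BLOCK.findall(current) if norm(b) not in known]


def check_page(baseline, current):
    """Verdict: digest match, added/removed lines, and script blocks new in current."""
    same = file_digest(baseline) == file_digest(current)
    diff = [] if same else [
        line for line in difflib.unified_diff(
            baseline.splitlines(), current.splitlines(),
            "baseline/logon.aspx", "current/logon.aspx", lineterm="")
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]
    return {"unchanged": same, "changed_lines": diff,
            "new_scripts": added_script_blocks(baseline, current)}


if __name__ == "__main__":
    verdict = check_page(BASELINE_PAGE, TAMPERED_PAGE)
    print("unchanged:", verdict["unchanged"])
    for line in verdict["changed_lines"]:
        print(line)
    for block in verdict["new_scripts"]:
        print("NEW SCRIPT BLOCK:", block[:80])
```

A hash mismatch alone is not proof of tampering (a patch changes the file too), so the new-script list is what to review against the same build's clean copy.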
READ THE STORY: THN // Positive Technologies // PoC: CVE-2021-31207, CVE-2021-34523, CVE-2021-34473
Critical Vulnerabilities in Honeywell's Virtual UOC Could Lead to Remote Code Execution
Bottom Line Up Front (BLUF): Multiple critical vulnerabilities in Honeywell’s ControlEdge Virtual Unit Operations Center (UOC), discovered by Team82, can allow remote code execution without authentication. The most severe vulnerability, CVE-2023-5389, enables attackers to write files to any location on the controller, leading to remote code execution. Honeywell has addressed these issues, and users are urged to update their systems to the latest versions.
Analyst Comments: The discovery of vulnerabilities within Honeywell’s ControlEdge Virtual UOC highlights the ongoing challenges in securing industrial control systems (ICS). The EpicMo protocol, integral to Honeywell's controllers, was found to contain functions that allow unauthorized file writes, potentially leading to remote code execution. Such weaknesses underline the importance of continuous security assessments and proactive updates to protect critical infrastructure. Honeywell’s swift response to these vulnerabilities is commendable, but organizations must remain vigilant and regularly update their ICS environments to mitigate potential threats.
FROM THE MEDIA: Team82 uncovered critical vulnerabilities in Honeywell’s ControlEdge Virtual Unit Operations Center (UOC), focusing on the proprietary EpicMo protocol. One significant flaw, CVE-2023-5389, involves the LoadFileToModule function, allowing attackers to write files without restriction, leading to potential remote code execution. Exploitation involves sending a series of packets to the controller, resulting in the execution of malicious code upon reboot. Another vulnerability, CVE-2023-5390, also poses security risks. Honeywell has released updates to address these issues, and the Cybersecurity Infrastructure & Security Agency (CISA) has advised users to apply these updates to secure their systems.
READ THE STORY: GBhackers // Claroty
Critical Vulnerability in Veeam Backup Enterprise Manager Demands Immediate Update
Bottom Line Up Front (BLUF): A critical security flaw (CVE-2024-29849) in Veeam Backup Enterprise Manager allows attackers to bypass authentication and gain unauthorized access. Users are urged to update to the latest version to mitigate this and other related vulnerabilities.
Analyst Comments: This significant vulnerability underscores the ongoing risks posed by software flaws in widely used enterprise solutions. The high CVSS score of 9.8 for CVE-2024-29849 indicates the severity and potential impact on organizations. Historically, similar vulnerabilities have been exploited by threat actors to deploy ransomware and other malicious payloads, making timely patching crucial.
FROM THE MEDIA: Veeam Backup Enterprise Manager users need to update to version 12.1.2.172 immediately due to a critical vulnerability (CVE-2024-29849) that permits attackers to bypass authentication. This flaw, rated with a CVSS score of 9.8, allows unauthorized access to the web interface. Additionally, three other vulnerabilities were disclosed: CVE-2024-29850 (CVSS 8.8) allowing account takeover via NTLM relay, CVE-2024-29851 (CVSS 7.2) allowing privileged users to steal NTLM hashes, and CVE-2024-29852 (CVSS 2.7) allowing privileged users to read backup session logs. Other recent updates include patches for a local privilege escalation flaw in Veeam Agent for Windows (CVE-2024-29853, CVSS 7.2) and a critical remote code execution vulnerability in Veeam Service Provider Console (CVE-2024-29212, CVSS 9.9). Past vulnerabilities in Veeam software have been exploited by groups like FIN7 and Cuba for ransomware attacks, highlighting the need for prompt updates to maintain security.
READ THE STORY: THN
Items of interest
US, UK Police Identify and Charge Russian Leader of LockBit Ransomware Gang
Bottom Line Up Front (BLUF): The Department of Homeland Security (DHS) has amassed DNA data from over 1.5 million immigrants since 2020, following a rule mandating such collections. This practice has sparked privacy and ethical concerns, with calls for the Biden administration to reverse the policy and delete the collected data.
Analyst Comments: The expansion of DNA collection by DHS represents a significant shift in immigration enforcement and surveillance, potentially infringing on civil liberties and raising constitutional questions. Historically, similar expansions of government surveillance have often led to increased scrutiny and legal challenges, particularly regarding the balance between security and individual rights. The concerns outlined by the Georgetown Law Center on Privacy & Technology highlight the ongoing debate over privacy, technology, and government power.
FROM THE MEDIA: Since the implementation of a 2020 rule under the Trump administration, DHS has dramatically increased the collection of DNA from detained immigrants, rising from 30,000 samples collected over 15 years to 1.5 million in just four years. The DNA is stored in the Combined DNA Index System (CODIS), a criminal database accessible to international and domestic law enforcement. Many immigrants were unaware their DNA was being used in this way, with reports of confusion and fear during the collection process. Critics argue that this practice disproportionately affects communities of color and violates constitutional rights, as it allows for detention without probable cause. The Georgetown Law Center on Privacy & Technology calls for the Biden administration to reverse the policy and expunge the collected data, emphasizing the dangers of indefinite DNA storage amid advancing technology and minimal legal safeguards. DHS has not commented on these findings.
READ THE STORY: The Record
Pentagon Warns Military Personnel To Not Use DNA (Video)
FROM THE MEDIA: While not all online tests pose a significant risk, it's generally wise to be cautious about sharing personal information online, especially for military personnel and government employees who may be targeted by adversaries seeking to exploit vulnerabilities. It's advisable to verify the legitimacy of the test's source, review privacy policies, and limit the amount of personal data shared. Of course, the Pentagon is going to err on the side of caution given the high stakes involved in protecting national security information.
Engineered Viruses Are the New Biological Weapons, Here's What You Need to Know (Video)
FROM THE MEDIA: As the field of genetic engineering advances, it is crucial to balance the potential benefits with the associated risks and ethical considerations. This requires ongoing research, public discourse, and the development of appropriate regulations and guidelines to ensure the responsible use of these technologies for the betterment of society.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.