Daily Drop (790): CN's Cyber Ops | Void Manticore | MITRE | JAVS Backdoored | APT31 | Nvidia's China GPUs | Deepfake Biden Robocall | RU's Replicate AI Flaw | Ex-Marine Spy Death Not Suspicious

05-25-24

Saturday, May 25 2024 // (IG): BB // ShadowNews // Coffee for Bob

*Started adding the Proof Of Concepts (PoC) if available for mentioned CVE’s :

A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It's primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project. *

Striking a Balance: China’s AI Ambitions and the Quest for Safety

Bottom Line Up Front (BLUF): The U.S. and China held their first official bilateral dialogue on AI, highlighting the tension between China's rapid AI development and international safety concerns. While China has taken steps to regulate AI domestically, the U.S. remains wary of potential misuse and continues to impose export controls on advanced technology.

Analyst Comments: The Geneva meeting underscores the complex dynamics between AI advancement and safety regulations. Historically, China's top-down approach to technological innovation has driven rapid progress, but this same approach raises concerns about the ethical and safe deployment of AI technologies. The ongoing dialogue between China and the U.S. may pave the way for a more balanced approach, though geopolitical tensions could hinder substantial cooperation.

FROM THE MEDIA: In a significant development, Chinese and U.S. envoys met in Geneva for the first bilateral dialogue on artificial intelligence, following the November 2023 Woodside Summit. The closed-door talks revealed Beijing's frustration over U.S. export controls on advanced chips, which are crucial for AI development, while the U.S. emphasized the need for safety measures to prevent AI misuse. China has taken notable steps domestically, such as regulating deepfakes and harmful algorithms since 2018, and establishing an AI safety governance committee last year. Major tech hubs like Beijing have also called for safety benchmarks. Internationally, China co-signed the "Bletchley Declaration" to strengthen AI risk cooperation and launched its "Global AI Governance Initiative" to promote secure and equitable AI technologies.

READ THE STORY:  The Diplomat

Man Behind Deepfake Biden Robocall Indicted on Felony Charges, Faces $6M Fine

Bottom Line Up Front (BLUF): Steven Kramer, a political consultant from New Orleans, has been indicted on felony voter suppression charges and faces a $6 million FCC fine for using AI-generated deepfake technology to impersonate President Biden in a robocall aimed at discouraging voting in the New Hampshire Democratic primary.

Analyst Comments: This case marks a significant precedent in the intersection of AI technology and election interference. The use of deepfakes for political manipulation underscores the growing need for robust regulations and technological safeguards. Historically, electoral fraud has relied on more rudimentary tactics, but the advent of sophisticated AI tools like voice cloning presents new challenges for election security. The FCC's hefty fine and the multiple felony charges signal a strong deterrent message against future misuse of AI in the political arena.

FROM THE MEDIA: Steven Kramer, 54, has been indicted on 13 felony counts of voter suppression and 13 misdemeanor counts of impersonating a candidate. He faces a $6 million fine from the FCC for employing deepfake technology to create a robocall that impersonated President Biden, urging voters not to participate in the New Hampshire Democratic primary. Kramer admitted to paying $150 to a "magician" for the AI-generated voice and hiring a telemarketing firm to distribute the call to over 5,000 voters. The robocall falsely claimed to be from the treasurer of a political committee and was intended to reduce voter turnout, thereby benefiting House Rep Dean Phillips (D-MN) over President Biden. The New Hampshire Attorney General's office and the FCC initiated investigations in January, resulting in Kramer's indictment. The FCC also proposed a $2 million penalty against Lingo Telecom for improperly labeling the calls to evade detection.

READ THE STORY:  The Register

Nvidia Faces Local Competition for its 'China Special' GPUs

Bottom Line Up Front (BLUF): Nvidia has reduced the price of its GPUs tailored for the Chinese market due to competition from Huawei's domestically manufactured AI hardware. This move highlights Nvidia's struggles to maintain its market share in China amidst U.S. export restrictions and local advancements.

Analyst Comments: Nvidia's situation exemplifies the challenges U.S. tech companies face under geopolitical pressures and restrictive trade policies. Historically, Nvidia has relied heavily on the Chinese market, contributing significantly to its revenue. However, the rise of capable local competitors like Huawei, combined with stringent export controls, threatens to diminish Nvidia's market dominance. This scenario underscores the broader trend of technological decoupling and the strategic efforts of Chinese companies to achieve self-sufficiency in key tech sectors.

FROM THE MEDIA: Nvidia has slashed prices for its H20, L20, and L2 GPUs, specifically designed for China, in response to competitive pressure from Huawei. Huawei's Ascend 910B, a high-performance AI accelerator produced by SMIC using 7nm technology, rivals Nvidia's A100 GPU. The Ascend 910B's competitive pricing and performance have driven some Chinese customers away from Nvidia's reduced-spec products.

Nvidia's revenue from China, which historically constituted 20-25%, has now dropped to around 17%. The company faces challenges due to U.S. export restrictions limiting the performance of GPUs that can be sold to China. Meanwhile, Samsung has denied reports of issues with its HBM3 chips, which are crucial for Nvidia's products, although concerns about supply shortages persist.

READ THE STORY:  The Register

Experts Find Flaw in Replicate AI Service Exposing Customers' Models and Data

Bottom Line Up Front (BLUF): A critical security flaw in Replicate AI's service could have allowed unauthorized access to proprietary AI models and sensitive information, potentially impacting the accuracy and security of AI-driven outputs. The vulnerability has been addressed with no evidence of exploitation.

Analyst Comments: This incident highlights the vulnerabilities inherent in AI-as-a-service platforms. The exploitation method, leveraging an open-source containerization tool, underscores the risks of deploying AI models from untrusted sources. Historically, the rapid adoption of AI technologies has often outpaced the implementation of robust security measures. The proactive disclosure and remediation by Replicate AI demonstrate the importance of vigilant cybersecurity practices in mitigating potential threats to AI infrastructures.

FROM THE MEDIA: Cybersecurity researchers at Wiz discovered a significant flaw in Replicate, an AI-as-a-service provider, allowing unauthorized access to AI models and sensitive data. The vulnerability, linked to the use of an open-source tool called Cog for packaging AI models, enabled remote code execution and potential cross-tenant attacks.

By uploading a malicious Cog container, researchers achieved elevated privileges within Replicate’s infrastructure, exploiting a Redis server in a Kubernetes cluster to inject arbitrary commands. This could compromise AI model integrity and expose proprietary and sensitive data, including personally identifiable information (PII).

READ THE STORY:  THN

US Sanctions APT31 Hackers Behind Critical Infrastructure Attacks

Bottom Line Up Front (BLUF): Geoff Huston from APNIC has identified that SpaceX's Starlink presents significant challenges to the TCP protocol due to its low Earth orbit satellite design, causing high jitter, packet loss, and latency spikes. Solutions such as the BBR protocol and CUBIC TCP could mitigate these issues.

Analyst Comments: These sanctions highlight the U.S. government's increasing efforts to curb China's state-sponsored cyber activities. Historically, China has used both front companies and real businesses to conduct cyber espionage, reflecting a sophisticated strategy that complicates attribution and accountability. This move is part of a broader strategy to deter cyber threats by targeting the financial and operational capabilities of state-affiliated hackers.

FROM THE MEDIA: The U.S. Treasury Department has sanctioned the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company used by the Chinese MSS, for its involvement in cyber attacks against U.S. critical infrastructure. Additionally, Zhao Guangzong and Ni Gaobin, Chinese nationals linked to the APT31 hacking group, have been designated for their roles in these attacks. The coordinated action involved multiple U.S. agencies, including the Department of Justice, FBI, and the Department of State, alongside the UK Foreign, Commonwealth & Development Office (FCDO). Zhao Guangzong orchestrated a 2020 spear-phishing campaign targeting the United States Naval Academy and the United States Naval War College's China Maritime Studies Institute, with Ni Gaobin's assistance in various high-profile cyber activities.

READ THE STORY:  Bleeping Computer

JAVS Courtroom Recording Software Backdoored - Deploys RustDoor Malware

Bottom Line Up Front (BLUF): A supply chain attack has compromised Justice AV Solutions' (JAVS) courtroom recording software, deploying RustDoor malware. The incident highlights vulnerabilities in software supply chains and the potential for significant impact on judicial processes.

Analyst Comments: This attack underscores the critical need for robust cybersecurity measures in software supply chains, especially for systems involved in sensitive operations like courtroom recordings. Historically, supply chain attacks have leveraged the trust placed in legitimate software providers to infiltrate systems. The use of Rust-based malware, like RustDoor, reflects the evolving tactics of cybercriminals to evade detection and enhance the persistence of their attacks.

FROM THE MEDIA: : Malicious actors backdoored the installer for the JAVS courtroom video recording software, deploying malware associated with RustDoor. This software supply chain attack, identified as CVE-2024-4978 with a CVSS score of 8.7, affects JAVS Viewer v8.3.7. The compromised installer, downloaded from the official JAVS site on March 5, 2024, included a malicious executable "fffmpeg.exe" (notably with three Fs), which was signed with an unexpected Authenticode certificate issued to "Vanguard Tech Limited" instead of "Justice AV Solutions Inc." Upon execution, "fffmpeg.exe" communicates with a command-and-control (C&C) server to relay information about the compromised host and receive further instructions. The executable runs obfuscated PowerShell scripts designed to bypass Antimalware Scan Interface (AMSI) and disable Event Tracing for Windows (ETW). Subsequently, it downloads an additional payload disguised as a Google Chrome installer ("chrome_installer.exe"), which contains Python scripts and another executable, "main.exe," aimed at credential harvesting from web browsers. However, "main.exe" contains software bugs that prevent it from running properly. RustDoor, initially targeting Apple macOS devices, was documented by Bitdefender and later identified on Windows systems as GateDoor, written in Golang.

READ THE STORY:  THN

i-SOON: “Significant Superpower” or Just Getting the Job Done?

Bottom Line Up Front (BLUF): The recent leak of documents from the Chinese IT company i-SOON reveals its operations and business strategies, focusing on practical skills over formal education, but struggling with low pay and high employee turnover.

Analyst Comments: This case highlights the complexity of China's cybersecurity landscape, where smaller firms like i-SOON play crucial roles despite challenges from larger, state-associated companies. The emphasis on practical skills over degrees shows a pragmatic approach, but also underscores systemic issues in talent retention and resource competition.

FROM THE MEDIA: i-SOON, despite low employee pay and high turnover, focuses on practical "attack and defense" skills, often recruiting from lesser-known institutions. Their business processes involve extensive collaboration and profit-sharing with larger firms, adapting to the competitive cybersecurity market in China. They face challenges in maintaining access to high-value targets, indicating the limitations of their capabilities. The leaks suggest i-SOON's involvement in state-directed cyber activities, though their independent impact is constrained by these operational challenges.

READ THE STORY:  Natto Thoughts

MITRE December 2023 Attack: Threat Actors Created Rogue VMs to Evade Detection

Bottom Line Up Front (BLUF): In December 2023, the MITRE Corporation experienced a security breach where China-linked threat actors UNC5221 created rogue virtual machines (VMs) within MITRE's VMware environment to evade detection and maintain persistent access.

Analyst Comments: The breach at MITRE highlights a sophisticated attack method where threat actors exploit zero-day vulnerabilities to infiltrate and establish control within a target's network infrastructure. By creating rogue VMs, the attackers successfully bypassed traditional security measures and centralized management interfaces. This incident underscores the need for advanced monitoring and mitigation strategies in virtualized environments, especially in high-value targets such as research and prototyping networks.

FROM THE MEDIA: MITRE Corporation disclosed that threat actors, identified as China-linked UNC5221, breached its systems by exploiting Ivanti Connect Secure zero-day vulnerabilities. The attackers created rogue VMs within the VMware environment, allowing them to evade detection and maintain control over compromised systems. The intrusion was discovered in January 2024, prompting immediate mitigation actions and the involvement of third-party forensics teams. Despite comprehensive security practices, the attackers bypassed defenses by leveraging compromised vCenter Server access to deploy malicious tools and web shells. MITRE is collaborating with authorities and affected parties to manage the breach and enhance its defenses against future threats.

READ THE STORY:  Security Affairs

Void Manticore Uses Online Personas for Cyber Attacks

Bottom Line Up Front (BLUF): Iranian state-sponsored threat actor Void Manticore, affiliated with the Ministry of Intelligence and Security (MOIS), utilizes online personas to execute destructive wiping attacks and influence operations. Collaborating with Scarred Manticore, they conduct coordinated cyber assaults targeting various regions, including Israel and Albania.

Analyst Comments: Void Manticore exemplifies the evolving sophistication of state-sponsored cyber threats. Their use of online personas such as "Homeland Justice" and "Karma" allows them to mask operations and enhance psychological warfare. The group's collaboration with Scarred Manticore underscores a strategic approach to cyber warfare, demonstrating a systematic handoff of targets to maximize damage. The deployment of custom wipers and coordinated attacks highlights the critical need for robust cybersecurity measures and international cooperation to counter such threats effectively.

FROM THE MEDIA: Void Manticore, an Iranian threat actor linked to MOIS, is known for its destructive wiping attacks and influence operations. The group adopts various online personas, such as "Homeland Justice" for attacks in Albania and "Karma" for targeting Israel. Analysis by Check Point Research (CPR) indicates a strategic collaboration with Scarred Manticore, involving a handoff process where Scarred Manticore gains initial access and exfiltrates data, followed by Void Manticore executing destructive operations. This collaboration amplifies the impact of their attacks, posing significant challenges for cybersecurity defenders. Void Manticore employs custom wipers for Windows and Linux, targeting critical files and partition tables to disrupt operations and cause significant data loss.

READ THE STORY:  SME Street

The Missing Links in US Chip Policy: A Call for Precision and Collaboration

Bottom Line Up Front (BLUF): The United States must refine its semiconductor export restrictions against China to avoid harming the economies of its allies, particularly South Korea. Strengthening "semiconductor sovereignty" through targeted measures and international collaboration is essential for maintaining technological competitiveness and national security.

Analyst Comments: Young-sun Park argues for a more nuanced approach to U.S. semiconductor export policies, emphasizing the need for precision to protect allied economies while countering China's growing influence. The reliance on China for semiconductor manufacturing poses significant risks, including economic dependence, technological competition, and supply chain disruptions. The U.S. should focus on coordinated efforts with allies to secure supply chains and maintain a competitive edge in the global semiconductor industry.

FROM THE MEDIA: Young-sun Park, a former South Korean government official, highlights the global impact of China's dominance in the semiconductor industry and the need for the U.S. to adopt more targeted export restrictions. Broad U.S. sanctions on semiconductor technology can harm allies like South Korea, which heavily rely on the Chinese market. The CHIPS and Science Act is a step toward strengthening U.S. semiconductor manufacturing, but precision in policy implementation is crucial. Park suggests a "small yard, high fence" approach, concentrating restrictions on high-military-potential technologies while reducing the overall scope to avoid straining alliance relationships. Effective policy requires international cooperation to ensure a unified front against China's ambitions and to safeguard the global semiconductor supply chain.

READ THE STORY:  The Diplomat

Death of Ex-Royal Marine Charged with Spying for China Not Suspicious, Police Say

Bottom Line Up Front (BLUF): Matthew Trickett, a former Royal Marine and UK Border Force officer accused of assisting Hong Kong intelligence services, was found dead in Grenfell Park, Maidenhead. Police have determined his death is not suspicious, and a file is being prepared for the Coronial process.

Analyst Comments: The case of Matthew Trickett's death raises questions about the broader implications of espionage charges and the potential pressures on individuals involved. His death following charges under the National Security Act and accusations of assisting a foreign intelligence service underscores the serious nature of espionage allegations. The swift conclusion by police that his death is not suspicious might lead to further scrutiny and calls for transparency regarding the investigation and handling of suspects in sensitive cases.

FROM THE MEDIA: Matthew Trickett, a 37-year-old former Royal Marine and current immigration enforcement officer, was found dead in Grenfell Park, Maidenhead. Trickett had been charged with espionage under the National Security Act, accused of assisting the Hong Kong intelligence service alongside two other individuals. Thames Valley Police have concluded that his death is not suspicious following a post-mortem and further enquiries. Trickett's death follows his bail from Westminster Magistrates' Court and an alleged suicide attempt after being charged. His family and solicitor expressed shock and mourning, while authorities continue preparing for the Coronial process. The case has attracted attention amid ongoing concerns about espionage and foreign influence operations in the UK.

READ THE STORY:  The Independent

Items of interest

China's State-Sponsored Cyber Operations: Navigating the Complex Landscape of Front Companies and Real Businesses

Bottom Line Up Front (BLUF): China's state-sponsored cyber operations employ a complex mix of front companies and legitimate businesses to achieve their strategic objectives. By examining the distinct roles and characteristics of these entities, this report provides insights into China's evolving cyber capabilities and tactics.

Analyst Comments: The strategic use of front companies and legitimate businesses by China underscores a sophisticated approach to cyber operations. Historically, this blend allows China to maintain plausible deniability, ensure operational persistence, and leverage the resources of its private sector. Understanding these dynamics is crucial for developing effective countermeasures against state-sponsored cyber threats.

FROM THE MEDIA:

Front Companies:

Front companies such as Tianjin Huaying Haitai, Hainan Xiandun, and Wuhan XRZ exhibit several characteristics distinguishing them from legitimate businesses. They maintain a minimal online presence, engage in few genuine business transactions, and typically have fewer than 10 employees. These entities often have clean business records with no legal or operational risks and rarely register patents or copyrights, indicating their primary focus is not on commercial activities. For instance, Wuhan XRZ has been identified by US and UK authorities as a front company for the Ministry of State Security (MSS), used to conduct cyber operations while maintaining plausible deniability for the Chinese government.

Real Businesses: Legitimate Entities Supporting State Objectives

In contrast to front companies, legitimate businesses such as i-SOON and Chengdu 404 actively engage in regular commercial activities, maintain substantial digital footprints, and participate in community initiatives. These companies are profit-driven, offering legitimate services and pursuing business success. They support local universities, offer scholarships, and contribute to community projects, enhancing their public image as socially responsible entities. Their relationships with various government agencies are intricate, involving collaboration and competition with other cybersecurity firms. Unlike front companies, real businesses demonstrate operational persistence due to their profit-driven nature and broader resource base. Leaked documents from i-SOON reveal its dealings with government entities, competition with other firms, and employees' perspectives on their work.

Strategic Implications and the Evolution of China's Cyber Strategy

The Natto Team's analysis underscores the strategic advantages China gains by employing both front companies and real businesses in its cyber operations. Real businesses offer access to a wider pool of resources and talent, enabling China to scale its operations more effectively. The profit-driven nature of legitimate businesses ensures the continuity and persistence of China's cyber activities, even in the face of international scrutiny or legal action. Front companies provide a layer of deniability and direct control over sensitive operations, allowing China to maintain a degree of plausible deniability. By leveraging a mix of front companies and real businesses, China demonstrates a high degree of adaptability in its cyber strategy, adjusting its approach in response to changing geopolitical and technological landscapes.

READ THE STORY:  Natto Thoughts // The Record // CyberScoop

Inside China's APT Network  (Video)

FROM THE MEDIA: A new data leak of more than 500 documents published to GitHub reveals the big business behind China’s state-sponsored hacking groups — from top-secret surveillance tools to details of offensive cyber ops carried out on behalf of the Chinese government.

Cyber Siege: Unmasking China's Assault on Global Networks (Video)

FROM THE MEDIA: When Microsoft pointed fingers at 'state-backed' Chinese hackers infiltrating its servers, targeting a minimum of 60,000 global users, the revelation hardly came as a shock. It marked just another instance in the ongoing saga of Chinese cyberattacks. Mounting security apprehensions related to China have led to the banning or restriction of Huawei from 5G networks in several countries, including the United States, the United Kingdom, and Australia.

These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.