Daily Drop (798): Chinese Drones | Youth Embrace Location Tracking | SneakyChef | Oyster Backdoor | Sino-French Space Collaboration Launches | AI Bypasses Publisher Protections | Pakistani Targets
06-23-24
Sunday, Jun 23 2024 // (IG): BB // ShadowNews // Coffee for Bob
Note: proof-of-concept (PoC) links, where available, are now included for the CVEs mentioned in this digest.
A proof of concept (PoC) is a small exercise that tests a hypothesis or demonstrates that a potential project is viable. It is used primarily to verify that a concept or theory has real-world applicability, and its purpose is to show the feasibility, functionality, and potential of an idea before committing to full-scale development.
House Committee urges DHS, DOE to declassify risks of Chinese-manufactured drones
Bottom Line Up Front (BLUF): The U.S. House Committee on Homeland Security is calling on the Department of Homeland Security (DHS) and Department of Energy (DOE) to declassify information about national security threats posed by Chinese-manufactured drones, particularly those made by DJI and Autel Robotics. This request follows findings by Sandia National Laboratories highlighting significant security risks associated with these drones.
Analyst Comments: This push for declassification underscores growing concerns about the potential for Chinese-made drones to be used for espionage or data collection against U.S. interests. The dominance of Chinese companies in the global drone market, especially their widespread use by U.S. law enforcement agencies, presents a complex national security challenge. The committee's urgency in seeking declassification suggests they believe the public and local agencies are not fully aware of the risks. This situation highlights the ongoing tension between technological adoption and national security concerns, particularly regarding Chinese-made tech products. The potential declassification could lead to more restrictive policies on drone use and procurement, impacting both government agencies and the commercial drone market in the U.S. It also reflects broader geopolitical tensions between the U.S. and China in the technology sector.
FROM THE MEDIA: DJI and Autel Robotics control nearly 90% of the global drone market, with DJI drones widely used by U.S. state and local law enforcement. Multiple federal agencies have warned against or banned the procurement of certain Chinese-made drones due to security risks. The House recently passed legislation banning the sale of DJI drones in the U.S. Previous government assessments have suggested these drones could be used to collect sensitive U.S. data and potentially coordinate physical or cyber attacks against critical infrastructure sites. The committee is requesting a briefing from CISA and DOE by July 2, 2024, emphasizing the public interest in understanding these threats.
READ THE STORY: Industrial Cyber // MSN
Forget privacy, young internet users want to be tracked
Bottom Line Up Front (BLUF): Younger internet users are increasingly comfortable with location tracking, viewing it as a safety feature rather than an invasion of privacy. This generational shift in attitudes towards digital surveillance is reshaping norms around personal data sharing.
Analyst Comments: This trend highlights a significant shift in privacy expectations among younger demographics. The willingness to share location data with friends and family could potentially normalize broader surveillance practices, raising concerns about long-term privacy implications. The contrast between older and younger users' attitudes suggests an evolving landscape of digital privacy norms that could impact future policy and technology development.
FROM THE MEDIA: The article notes a generational divide in attitudes toward location tracking. Older users (40s and up) are less interested or aware of these features, while younger users freely share their location with friends and partners. Apps like Life360 and Snapchat's location-sharing map have made tracking seem like a normal, even fun activity. The author raises concerns about this trend normalizing wider surveillance and potentially changing behavior patterns, citing research that suggests up to half of US families use some form of tracking.
READ THE STORY: FT
Chinese-aligned hacking group targeted more than a dozen government agencies, researchers find
Bottom Line Up Front (BLUF): Researchers from Cisco Talos have uncovered a Chinese-speaking cyberespionage group dubbed "SneakyChef" that has targeted ministries of foreign affairs and embassies in at least nine countries across Africa, the Middle East, Europe and Asia. The group uses sophisticated lures and custom malware tools to gather intelligence on geopolitical hotspots.
Analyst Comments: This report highlights the persistent and evolving threat of Chinese-aligned cyber espionage operations targeting government agencies worldwide. The group's rapid development of new malware and aggressive targeting suggest a well-resourced and motivated actor, likely with state backing. The focus on foreign affairs ministries and embassies indicates an interest in gathering diplomatic intelligence and potentially influencing geopolitical dynamics. The use of non-public government documents as lures demonstrates the group's access to sensitive information and their ability to craft highly convincing phishing campaigns. The targeting of countries in strategic regions, including those involved in the Belt and Road Initiative, aligns with China's known geopolitical interests. This activity underscores the need for enhanced cybersecurity measures in government agencies, particularly those dealing with sensitive diplomatic information.
READ THE STORY: CyberScoop
ExCobalt Targets Russian Sectors
Bottom Line Up Front (BLUF): The cybercrime gang ExCobalt is targeting various Russian sectors using a new Golang-based backdoor called GoRed. The group, believed to have ties to the notorious Cobalt Gang, has been active since at least 2016 and is focusing on cyber espionage.
Analyst Comments: ExCobalt's emergence and targeting of Russian organizations highlight the evolving landscape of cyber threats, where former members of established cybercrime groups form new entities with refined tactics. The use of a custom Golang backdoor demonstrates the group's technical capabilities and adaptability. Their focus on multiple sectors, including government and critical infrastructure, suggests a broad intelligence gathering operation, possibly with state sponsorship. The group's ability to exploit supply chain vulnerabilities and use sophisticated tools indicates a high level of threat that requires enhanced cybersecurity measures across Russian industries.
FROM THE MEDIA: ExCobalt has targeted various Russian sectors over the past year, including government, IT, metallurgy, mining, software development, and telecommunications. They use tools like Metasploit, Mimikatz, ProcDump, and Linux privilege escalation exploits. The GoRed backdoor allows for command execution, credential theft, and system information gathering. The group has shown flexibility in their tactics, adapting to changes in security measures.
READ THE STORY: THN
China, France launch astronomical satellite
Bottom Line Up Front (BLUF): China and France have successfully launched the Space Variable Objects Monitor (SVOM) satellite from the Xichang Satellite Launch Center in China's Sichuan Province. The satellite, carried by a Long March-2C rocket, aims to study gamma-ray bursts and contribute to our understanding of cosmic evolution.
Analyst Comments: This joint space mission represents a significant collaboration between China and France in astrophysics research, demonstrating China's growing capabilities in space technology and its willingness to engage in international scientific partnerships. The SVOM mission's focus on gamma-ray bursts could provide valuable insights into the early universe and cosmic evolution. However, the launch also highlights ongoing concerns about China's space program, particularly regarding the safety of its inland launches. Reports of rocket debris falling in populated areas underscore the need for improved safety measures and transparency in China's space activities. This incident may lead to increased scrutiny of China's space program practices, potentially affecting future international collaborations. The mission also showcases the complex geopolitical landscape of space exploration, with China actively seeking partnerships amid restrictions on cooperation with the United States.
FROM THE MEDIA: The SVOM satellite, weighing 930 kg, carries four instruments (two French, two Chinese) designed to detect and study gamma-ray bursts. These cosmic events, resulting from massive star explosions or compact star mergers, can release as much energy in seconds as the Sun will emit over its entire lifetime. The mission aims to detect the most distant gamma-ray bursts, potentially providing data on the earliest stages of the universe. However, reports indicate that rocket debris from the launch fell over a populated area in Guizhou province, raising safety concerns. The Long March 2C rocket uses toxic hypergolic propellants, posing potential health risks to individuals in the debris fall zone.
READ THE STORY: BAHA // Barron’s
Multiple AI companies bypassing web standard to scrape publisher sites, licensing firm says
Bottom Line Up Front (BLUF): Content licensing startup TollBit has informed publishers that multiple AI companies are circumventing the Robots Exclusion Protocol (robots.txt) to scrape content from publisher websites without permission. This practice raises concerns about content monetization and the sustainability of journalism in the age of generative AI.
Analyst Comments: This revelation highlights the growing tension between AI companies and content publishers over the use of online content for training and generating AI responses. The bypassing of robots.txt, a long-respected web standard, represents a significant escalation in this conflict. It undermines publishers' ability to control access to their content and potentially threatens their revenue models. The involvement of multiple AI companies suggests this is a widespread practice rather than an isolated incident. This situation could lead to legal challenges, as some publishers have already sued AI companies for copyright infringement. It also underscores the need for clearer regulations and industry standards regarding the use of online content for AI training and generation. The emergence of companies like TollBit, offering mediation services between AI firms and publishers, indicates a potential path forward through licensing agreements, though disagreements over content valuation persist.
FROM THE MEDIA: TollBit's letter, which doesn't name specific AI companies or affected publishers, comes amid a public dispute between AI search startup Perplexity and Forbes. The News Media Alliance, representing over 2,200 U.S. publishers, expressed concern about the impact on content monetization and journalist pay. TollBit's analytics suggest numerous AI agents are bypassing the robots.txt protocol. The robots.txt standard, created in the 1990s, has historically been widely respected but lacks clear legal enforcement mechanisms. Some publishers have sued AI companies for copyright infringement, while others are signing licensing agreements.
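The kind of check behind a claim like TollBit's can be reproduced by a publisher from its own logs: load the site's robots.txt and replay access-log lines against it, flagging crawlers that fetch paths their rules disallow. The following is an added example and not TollBit's or the article's code; the robots.txt rules, log lines, IPs and crawler names are constructed, and the crawler-token heuristic is an assumption.

```python
"""Audit web-server access logs for crawlers that ignore robots.txt.

Added example (not from the original article or from TollBit). It parses
a constructed robots.txt with the standard-library robot parser, replays
constructed access-log lines through it, and reports (a) requests to
disallowed paths per self-identified crawler and (b) which crawlers had
actually fetched /robots.txt, i.e. read the policy and ignored it anyway.
"""
import re
from urllib.robotparser import RobotFileParser

# Constructed robots.txt. Python's parser applies rules in order, so the
# specific Disallow lines are listed before the general Allow.
ROBOTS_TXT = """\
User-agent: ExampleBot
Disallow: /

User-agent: *
Disallow: /premium/
Disallow: /drafts/
Allow: /
"""

# Constructed access-log lines (combined log format); IPs are documentation
# ranges and the crawler names are hypothetical.
ACCESS_LOG = """\
203.0.113.7 - - [22/Jun/2024:10:01:02 +0000] "GET /news/story-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; GoodBot/1.0)"
203.0.113.7 - - [22/Jun/2024:10:01:05 +0000] "GET /premium/analysis HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; GoodBot/1.0)"
198.51.100.9 - - [22/Jun/2024:10:02:11 +0000] "GET /news/story-2 HTTP/1.1" 200 4096 "-" "ExampleBot/2.1"
198.51.100.9 - - [22/Jun/2024:10:02:12 +0000] "GET /drafts/unpublished HTTP/1.1" 200 2048 "-" "ExampleBot/2.1"
192.0.2.33 - - [22/Jun/2024:10:03:40 +0000] "GET /robots.txt HTTP/1.1" 200 110 "-" "ExampleBot/2.1"
192.0.2.44 - - [22/Jun/2024:10:04:00 +0000] "GET /premium/report HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
COMPAT_RE = re.compile(r"compatible;\s*([A-Za-z0-9_.-]+)")


def crawler_token(ua):
    """Return the crawler's product token, or None for browser-like agents.

    Heuristic (an assumption of this example): a "(compatible; Name/x)" token
    wins; otherwise the first product token, unless it is the generic
    "Mozilla" prefix that ordinary browsers send. robots.txt governs robots,
    so plain browser traffic is excluded from the audit.
    """
    m = COMPAT_RE.search(ua)
    if m:
        return m.group(1).split("/")[0]
    first = ua.split("/")[0].split()[0] if ua.strip() else ""
    return None if first in ("", "Mozilla") else first


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(robots_txt, access_log):
    """Return (violations, policy_readers).

    violations: list of dicts for crawler requests to disallowed paths.
    policy_readers: set of crawler tokens that fetched /robots.txt.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse() marks the parser as loaded
    violations, policy_readers = [], set()
    for line in access_log.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        token = crawler_token(rec["ua"])
        if token is None:
            continue  # browser traffic: not subject to robots.txt
        if rec["path"] == "/robots.txt":
            policy_readers.add(token)  # fetching the policy itself is always fine
            continue
        if not rp.can_fetch(token, rec["path"]):
            violations.append(
                {"ip": rec["ip"], "agent": token, "path": rec["path"], "ts": rec["ts"]}
            )
    return violations, policy_readers


def summarize(violations):
    """Count disallowed-path hits per crawler token."""
    counts = {}
    for v in violations:
        counts[v["agent"]] = counts.get(v["agent"], 0) + 1
    return counts


if __name__ == "__main__":
    found, readers = audit(ROBOTS_TXT, ACCESS_LOG)
    for agent, n in summarize(found).items():
        note = "read robots.txt and ignored it" if agent in readers else "never fetched robots.txt"
        print(f"{agent}: {n} disallowed request(s), {note}")
```

On the constructed log, GoodBot hits one disallowed path without ever fetching the policy, while ExampleBot fetched robots.txt and still crawled two disallowed paths.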
READ THE STORY: Reuters
Oyster Backdoor Spreading via Trojanized Popular Software Downloads
Bottom Line Up Front (BLUF): A malvertising campaign is distributing the Oyster backdoor (also known as Broomstick and CleanUpLoader) through trojanized installers of popular software like Google Chrome and Microsoft Teams. Users are redirected to lookalike websites hosting malicious payloads after searching for legitimate software on search engines.
Analyst Comments: This campaign demonstrates the evolving sophistication of malware distribution techniques, leveraging users' trust in popular software and search engines. The use of lookalike websites and the installation of legitimate software alongside the malware shows a high level of deception designed to avoid detection. The connection to the Russia-linked group ITG23, known for TrickBot, suggests potential nation-state involvement or at least highly organized cybercrime. The campaign's ability to bypass typical security measures, including search engine safeguards, highlights the need for enhanced user awareness and more robust security protocols for software distribution. Additionally, the emergence of new phishing-as-a-service platforms like ONNX Store indicates a growing ecosystem of cybercrime services that could lower the barrier to entry for less sophisticated attackers.
FROM THE MEDIA: The Oyster backdoor is capable of gathering system information, communicating with a command-and-control server, and executing remote code. Unlike previous distributions that used a separate loader, this campaign directly deploys the backdoor. After infection, the malware installs legitimate Microsoft Teams software to maintain the deception. The article also mentions related threats, including the Rogue Raticate group's phishing campaign delivering NetSupport RAT and the ONNX Store phishing-as-a-service platform, which uses advanced techniques like QR codes in PDF attachments and encrypted JavaScript to evade detection.
READ THE STORY: THN
Military-themed Email Scam Spreads Malware to Infect Pakistani Users
Bottom Line Up Front (BLUF): A new phishing campaign dubbed PHANTOM#SPIKE is targeting individuals in Pakistan using military-themed emails to distribute a custom backdoor. The attackers use password-protected ZIP files containing malicious CHM and executable files to infect target machines and establish remote access.
Analyst Comments: This campaign demonstrates the ongoing evolution of targeted phishing attacks, leveraging current events and topics of interest to potential victims. The use of military-themed lures, particularly referencing a legitimate international event, shows the attackers' attempts to add credibility to their emails. While the malware itself is not particularly sophisticated, its ability to establish persistent access and execute remote commands makes it a significant threat. The targeting of Pakistani users suggests this may be part of a broader geopolitical or espionage campaign, though attribution remains unclear. This incident underscores the importance of user education and robust email security measures, especially for organizations dealing with sensitive military or government information.
FROM THE MEDIA: The phishing emails contain a ZIP archive purportedly related to the International Military-Technical Forum Army 2024 event. The archive includes a CHM file that displays meeting minutes and images, but also secretly runs a hidden executable when clicked. This executable, named "RuntimeIndexer.exe," functions as a backdoor that connects to a remote server to receive and execute commands on the infected system. The malware can gather system information, run various commands, and establish persistence through scheduled tasks.
READ THE STORY: THN
New Threat Actor 'Void Arachne' Targets Chinese Users with Malicious VPN Installers
Bottom Line Up Front (BLUF): A newly discovered threat actor group called Void Arachne is targeting Chinese-speaking users with malicious Windows Installer (MSI) files that deliver the Winos 4.0 backdoor. The campaign uses SEO poisoning and social media platforms to distribute malware disguised as VPN software, AI tools, and language packs.
Analyst Comments: This campaign demonstrates the evolving sophistication of cyber threats targeting specific language groups. The use of legitimate software installers bundled with malware exploits users' trust and desire for privacy tools like VPNs, which are particularly sought after in China due to internet restrictions. The inclusion of AI-powered deepfake and voice manipulation tools in the malicious packages is especially concerning, as it could facilitate various forms of online abuse and fraud. The modular nature of the Winos 4.0 backdoor, with its extensive plugin system, provides attackers with a highly flexible and powerful tool for compromising target systems. This campaign highlights the need for improved user awareness around software downloads and the importance of robust endpoint security measures.
FROM THE MEDIA: Void Arachne uses SEO poisoning and Telegram channels to distribute malicious MSI files disguised as popular software like Google Chrome, VPNs, and Chinese language packs. The malware installs the Winos 4.0 backdoor, which has capabilities including file management, DDoS attacks, webcam control, and keylogging. The campaign also promotes compromised installers for AI-powered deepfake and voice manipulation tools. Researchers found the group targeting Chinese-speaking users since early April 2024, potentially reaching a substantial audience in East Asia.
READ THE STORY: THN
House Intelligence chair blasts White House over Russia's space nuke threat
Bottom Line Up Front (BLUF): House Intelligence Committee Chair Mike Turner (R-Ohio) criticized the Biden administration for not being transparent enough about intelligence regarding Russia's alleged development of a space-based nuclear weapon. Turner is calling for a declassification of more information about the status of this program.
Analyst Comments: Turner's public criticism of the White House's approach to this intelligence highlights growing tensions between Congress and the executive branch over the handling of sensitive national security information. The congressman's characterization of the threat as a "Cuban missile crisis in space" suggests he believes the situation is more urgent than the administration has conveyed. His push for declassification indicates a belief that public awareness could serve as a deterrent to Russia and inform international cooperation efforts. However, the White House's more measured public stance may reflect concerns about escalating tensions or protecting intelligence sources and methods. This disagreement underscores the delicate balance between transparency and national security in addressing emerging space-based threats.
FROM THE MEDIA: Turner first raised alarms in February about Russia's efforts to place a nuclear device in orbit capable of generating an electromagnetic pulse to disable satellites. The White House confirmed seeing intelligence about an anti-satellite threat but said it was not yet operational. Turner accused the administration of "sleepwalking into an irreversible 'day zero'" and called for the U.S. and NATO to jointly enforce the 1967 Outer Space Treaty banning weapons of mass destruction in orbit. He argued that disclosing more information would not jeopardize intelligence sources and methods but could help deter Russia and inform cooperation with allies.
READ THE STORY: SpaceNews
PrestaShop Website Under Injection Attack Via Facebook Module
Bottom Line Up Front (BLUF): A critical vulnerability (CVE-2024-36680) has been discovered in the "Facebook" module (pkfacebook) for PrestaShop, allowing guest users to perform SQL injection attacks. The vulnerability is being actively exploited to deploy web skimmers that steal credit card information from customers.
Analyst Comments: This vulnerability highlights the ongoing security challenges faced by e-commerce platforms and their third-party modules. The refusal of the module's author to provide the latest version for security verification is concerning and complicates mitigation efforts. The active exploitation of this vulnerability to deploy web skimmers poses a significant threat to both online retailers and their customers, potentially leading to financial losses and data breaches. This incident underscores the importance of regular security audits for e-commerce platforms and prompt patching of identified vulnerabilities.
FROM THE MEDIA: The vulnerability stems from an Ajax script containing a sensitive SQL call that can be executed with a trivial HTTP call. All versions of the module are considered potentially vulnerable. Malicious actors are actively exploiting this vulnerability to deploy web skimmers. Recommended mitigation steps include upgrading to the latest module version, updating PrestaShop, implementing proper SQL sanitization, changing default database prefixes, and activating OWASP 942 rules on Web Application Firewalls.
READ THE STORY: GBhackers
Japan's space agency hit by series of cyberattacks since last year, official says
Bottom Line Up Front (BLUF): Japan's space agency JAXA has experienced multiple cyberattacks since last year, according to Japan's Chief Cabinet Secretary Yoshimasa Hayashi. While sensitive rocket and satellite information was reportedly unaffected, the attacks have prompted an in-depth investigation and network shutdowns.
Analyst Comments: This series of cyberattacks against JAXA highlights the ongoing threat to space and aerospace agencies worldwide from state-sponsored and criminal hackers. The persistence of these attacks, despite previous incidents, suggests a determined adversary with specific intelligence gathering goals. While officials claim sensitive data was not compromised, the potential access to business operations and staff personal information is concerning. The involvement of "hackers from outside Japan" hints at possible nation-state involvement, with China being a likely suspect given past incidents and current geopolitical tensions. This situation underscores the need for continuous improvement in cybersecurity measures for critical infrastructure and research organizations, especially those involved in advanced technological fields like space exploration. The incident may also impact international collaborations and information sharing in the space sector, as agencies become more wary of potential data breaches.
FROM THE MEDIA: JAXA has been targeted multiple times since 2016, including an alleged attack by Chinese military hackers that year. Recent attacks focused on a JAXA server to access general business operations, potentially breaching communications with external partners like Toyota. There are concerns that the personal information of JAXA staff may have been leaked. Japan's cyber official Kazutaka Nakamizo has previously warned of increased cyber threats to critical infrastructure, particularly from China. The country's cybersecurity agency and port of Nagoya were also reportedly breached by suspected Chinese hackers last year.
READ THE STORY: The Record
Critical Infrastructure Misinformation; France's Atos Bid
Bottom Line Up Front (BLUF): This week's CISO Corner covers several key cybersecurity issues, including France's bid to acquire Atos' cybersecurity division, cloud data protection challenges, China's cyber offensive capabilities, NIST CSF 2.0 implementation, space-based cyber threats, and misinformation in critical infrastructure security.
Analyst Comments: The diverse range of topics in this digest highlights the complex and evolving nature of cybersecurity challenges facing organizations today. The French government's move to acquire Atos' cybersecurity division underscores the increasing importance of national control over critical technologies. The cloud data breaches at major companies like Ticketmaster and Santander Bank demonstrate that multi-factor authentication alone is insufficient for protecting sensitive data in cloud environments. China's leveraging of civilian hackers and bug bounty programs for cyber offense capabilities raises concerns about the global vulnerability disclosure landscape. The adoption of NIST CSF 2.0 offers opportunities for organizations to improve their security posture, while the emerging threats in space-based systems and the impact of misinformation on critical infrastructure security highlight new frontiers in cybersecurity that require proactive planning and public education.
FROM THE MEDIA: The digest covers various topics, including France's bid for Atos' cybersecurity division, cloud data protection challenges, China's cyber offensive capabilities, NIST CSF 2.0 implementation guidance, potential space-based cyber threats, and the impact of misinformation on critical infrastructure security perceptions. Each article provides insights into current cybersecurity trends, threats, and strategic considerations for security leaders.
READ THE STORY: DarkReading
Beware Of Illegal OTT Platforms That Expose Sensitive Personal Information
Bottom Line Up Front (BLUF): Illegal Chinese OTT (Over-The-Top) platforms are experiencing data breaches that expose sensitive user information, including names and financial details. These platforms use vulnerable HTTP File Server (HFS) software for file sharing, particularly version 2.3 beta, which has significant security weaknesses.
Analyst Comments: This situation highlights the significant risks associated with using unregulated or illegal streaming services, particularly those originating from China. The exposure of sensitive personal and financial data through these platforms poses substantial threats to users, including identity theft, financial fraud, and potential harassment. The use of outdated and vulnerable file-sharing software (HFS 2.3 beta) by these services demonstrates a severe lack of security practices. The ability to easily identify these servers using tools like Criminal IP further underscores their vulnerability to exploitation. The practice of domain fluxing by these platforms to evade detection complicates efforts to shut them down, emphasizing the need for more robust network-level blocking strategies by law enforcement and content providers.
FROM THE MEDIA: Illegal Chinese OTT platforms are using vulnerable HFS (HTTP File Server) software, particularly version 2.3 beta, which exposes user data in plain text files. These files contain sensitive information including names, addresses, phone numbers, and credit card details. The platforms employ domain fluxing to evade detection and continue operations. Tools like Criminal IP can be used to identify these servers by searching for specific HFS signatures. Law enforcement and content providers are advised to focus on network-level blocking strategies to counter these evasive tactics.
READ THE STORY: GBhackers
DARPA's military-grade 'quantum laser' will use entangled photons to outshine conventional laser beams
Bottom Line Up Front (BLUF): DARPA has awarded a $1 million grant to researchers developing a prototype "quantum photonic-dimer laser" that uses quantum entanglement to create a more powerful and resilient laser beam capable of operating over long distances and in adverse conditions like thick fog.
Analyst Comments: This development represents a significant advancement in laser technology with potential military applications. The use of quantum entanglement to "glue" photons together could overcome current limitations of conventional lasers, particularly in challenging environments. This technology could enhance military capabilities in areas such as communications, targeting, and surveillance. The ability to maintain precision and strength over greater distances and in adverse conditions could provide a strategic advantage in various military operations. However, the development of such advanced technology also raises concerns about potential escalation in military capabilities and the need for updated international regulations governing the use of such technologies in warfare.
FROM THE MEDIA: The quantum photonic-dimer laser works by binding pairs of photons through quantum entanglement, creating photonic dimers that act as a single entity. This process increases the energy and stability of the laser, making it more effective over long distances and in adverse conditions like extreme temperatures and fog. The technology has potential applications in quantum computing and telecommunications, possibly leading to faster and more secure data transmission methods. Previous research by the team explored using this technology for deep brain imaging, demonstrating its potential beyond military applications.
READ THE STORY: SPACE
U.S. East Asia envoy says South China Sea situation deeply concerning
Bottom Line Up Front (BLUF): U.S. Assistant Secretary of State for East Asia and Pacific Affairs Daniel Kritenbrink expressed deep concern over the situation in the South China Sea, particularly regarding China's recent actions around the Second Thomas Shoal, which he described as "irresponsible, aggressive, dangerous, and deeply destabilizing."
Analyst Comments: Kritenbrink's statements highlight the escalating tensions in the South China Sea, particularly between China and the Philippines. The U.S. diplomat's strong language and reaffirmation of U.S. support for the Philippines under their mutual defense treaty signals a firm stance against China's assertive actions in the region. This situation poses significant risks for regional stability and international maritime law. The U.S. emphasis on respecting international law and responsible behavior in maritime domains appears aimed at countering China's expansive territorial claims. However, the delicate balance of power in the region and the economic interdependencies among nations involved make resolving this conflict particularly challenging.
FROM THE MEDIA: Kritenbrink made these comments during a visit to Hanoi, emphasizing U.S. commitment to stand with its Filipino allies. He mentioned that Washington had made it clear to Beijing that its mutual defense treaty obligations with the Philippines were "ironclad." The U.S. official also stressed the need for all countries in the region, including China, to respect international law and behave responsibly in the maritime domain. The article notes that China claims almost the entire South China Sea, a vital conduit for global trade, despite a 2016 ruling by the Permanent Court of Arbitration in The Hague that China's claims had no legal basis.
READ THE STORY: Reuters
Thousands of Car Dealerships Stalled Out After Software Provider Cyberattack
Bottom Line Up Front (BLUF): CDK Global, a major software provider for car dealerships, experienced two cyber incidents that forced thousands of dealerships to shut down operations. The attacks began on June 19, 2024, impacting vehicle sales and services across the US.
Analyst Comments: This supply chain attack on CDK Global demonstrates the far-reaching consequences of cybersecurity breaches in critical business software systems. The incident's timing during a traditionally busy sales period (Juneteenth holiday) likely amplified its economic impact on the automotive retail sector. The occurrence of a second cyber incident after initial mitigation efforts suggests a persistent and possibly sophisticated threat actor. The lack of detailed information about the nature of the attacks and the extent of the damage highlights the challenges in rapid incident response and transparent communication during ongoing cyber crises. This event underscores the need for robust cybersecurity measures in software supply chains and the importance of business continuity planning for dealerships and other businesses reliant on third-party software providers.
FROM THE MEDIA: The first cyber incident was reported around 2 a.m. Eastern Time on June 19, with a second incident occurring late that evening. CDK Global proactively shut down most of its systems in response to the second incident. Many dealerships were forced to close or operate with limited capacity using paper records. Experts speculate that ransomware might be involved, though the specific nature of the attacks has not been disclosed. The full extent of the damage and the timeline for system restoration remain unclear.
READ THE STORY: DarkReading
Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features
Bottom Line Up Front (BLUF): A new botnet named Zergeca has been discovered, showcasing advanced capabilities beyond typical DDoS botnets. Implemented in Golang, Zergeca supports six different attack methods and features additional functionalities such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information.
Analyst Comments: The emergence of Zergeca represents a significant evolution in botnet capabilities, posing a more diverse and sophisticated threat than traditional DDoS botnets. Its advanced features, including multiple DNS resolution methods for locating its C2 and the use of the Smux library (a Go stream-multiplexing library, not an encryption library) over an encrypted C2 channel, demonstrate a high level of technical sophistication. The botnet's ability to target multiple platforms and its persistence mechanisms make it particularly challenging to mitigate. The connection to previous Mirai botnet operations suggests an experienced threat actor behind its development. Zergeca's targeting of regions like Canada, the United States, and Germany indicates a focus on high-value targets in developed nations. The cybersecurity community should be on high alert for this threat, as its multi-functional nature and advanced evasion techniques make it a formidable adversary.
FROM THE MEDIA: Zergeca was first detected on May 20, 2024, by the XLab Cyber Threat Insight Analysis system. It uses a modified UPX packer and prioritizes DNS over HTTPS for C2 resolution. The botnet primarily targeted Canada, the US, and Germany in early to mid-June 2024, mainly using ackFlood attacks. Zergeca achieves persistence through a system service named geomi.service and uses XOR encryption for sensitive strings. It includes a "Silivaccine" module to eliminate competitor threats on infected devices. The botnet supports various DDoS attacks, scanning, reverse shell, and other functions.
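The one host-level artifact the report names is the persistence unit geomi.service. The following is an added hunting helper written for this digest, not code from XLab or the botnet itself: it checks the usual systemd unit directories for that unit name and reports the command it launches. The directory list and the unit layout (a plain ExecStart= line) are assumptions; the simulated host builds its own constructed unit file so the helper can be exercised offline.

```python
"""Added hunting helper for the Zergeca persistence unit (not from the XLab report)."""
import os
import tempfile

# Assumed locations of systemd unit files on a typical Linux host.
DEFAULT_UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
# Unit name reported for Zergeca persistence.
SUSPECT_UNITS = ("geomi.service",)


def parse_exec_start(path):
    """Return the ExecStart= value of a unit file, or None if absent."""
    with open(path, errors="replace") as fh:
        for line in fh:
            if line.lower().startswith("execstart="):
                return line.split("=", 1)[1].strip()
    return None


def find_suspect_units(unit_dirs=DEFAULT_UNIT_DIRS, names=SUSPECT_UNITS):
    """Look for each suspect unit name in each directory; return a list of hits."""
    hits = []
    for directory in unit_dirs:
        for name in names:
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            # Record the launched binary so the analyst knows what to collect next.
            hits.append({"unit": path, "exec_start": parse_exec_start(path)})
    return hits


def simulate_infected_host():
    """Constructed sample: a temp unit directory holding a fake geomi.service.
    The ExecStart path is invented for the demo, not an indicator from the report."""
    unit_dir = tempfile.mkdtemp(prefix="zergeca-demo-")
    with open(os.path.join(unit_dir, "geomi.service"), "w") as fh:
        fh.write("[Unit]\nDescription=geomi\n\n[Service]\nExecStart=/tmp/geomi\nRestart=always\n")
    return find_suspect_units([unit_dir])


if __name__ == "__main__":
    print("live scan:", find_suspect_units())
    print("simulated host:", simulate_infected_host())
```

Run it as root on a suspect Linux host; an empty list from the live scan only means this specific unit name is absent, so treat it as one check among several rather than a clean bill of health.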
READ THE STORY: GBhackers
Items of interest
Starlab Space adds Palantir as a strategic partner in the commercial space station effort
Bottom Line Up Front (BLUF): Starlab Space, a commercial space station developer, has partnered with Palantir Technologies to leverage AI capabilities for station operations. The partnership will focus on developing a digital twin of the Starlab station to optimize operations, detect issues, and identify preventative maintenance needs.
Analyst Comments: This partnership represents a significant step in the commercialization of low Earth orbit operations, bringing advanced AI and data analytics capabilities to space station management. The involvement of Palantir, known for its work in national security space, suggests a growing convergence between commercial and government space technologies. The use of digital twin technology could potentially improve the efficiency and safety of space station operations, setting a new standard for future space habitats. However, the success of this venture will depend on the ability to effectively integrate these technologies into the complex environment of a space station. This collaboration also highlights the increasing competition in the commercial space station market, with multiple companies vying to provide successors to the International Space Station.
FROM THE MEDIA: Starlab Space is a joint venture between Voyager Space and Airbus Defence and Space, with additional investments from Mitsubishi and MDA Space. The company aims to launch a commercial space station late this decade, designed to launch on SpaceX's Starship vehicle. Starlab is one of three companies, alongside Axiom Space and Blue Origin, with NASA funding to support design work on commercial space stations. The partnership with Palantir follows similar strategic agreements with Northrop Grumman and Hilton Hotels.
READ THE STORY: SpaceNews
Operation Clairvoyance: How APT Groups Spy on the Media Industry (Video)
FROM THE MEDIA: Cyber espionage actors have demonstrated great interest in the media industry. These actors seem to like to see Taiwan's daily activities through the "eyes" of these media companies and journalists. During Taiwan's intense 2022, we saw more and more Advanced Persistent Threat (APT) groups infiltrate Taiwan's media industry. In our observation, the media has become the first non-government target of those APT groups.
A World-View of IP Spoofing in L4 Volumetric DoS Attacks - and a Call to Enable BCP38 (Video)
FROM THE MEDIA: In this talk we will analyze the global view of spoofing from Cloudflare, to understand IP spoofing on network-layer DoS attacks, and analyze geographic, longitudinal and network-specific characteristics of spoofing sources. We developed and applied IP spoofing detection techniques on three months of network-layer DoS traces, and used the insights to understand where and why BCP38 is most urgently needed.
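BCP38 asks a provider to drop packets entering from a customer interface whose source address is not within the prefixes assigned to that customer, which is what makes spoofed-source volumetric floods impossible to launch from that network. The block below is an added illustration written for this digest, not code from the Cloudflare talk: it models that ingress filter over a small constructed topology and a handful of constructed packets. The interface names, customer prefixes (RFC 5737/RFC 3849 documentation ranges) and the Packet record are all invented for the example.

```python
"""Added example: a BCP38-style ingress filter (not the talk's detection method)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst proto")

# Constructed topology: the prefixes legitimately sourced behind each customer port.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}


def build_filter(prefix_map):
    """Pre-parse the per-interface prefix lists once."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in prefix_map.items()}


def is_spoofed(pkt, allowed):
    """True when the packet arrives on a customer port with a source outside that
    customer's prefixes. Ports with no entry (transit, peering) are not filtered."""
    nets = allowed.get(pkt.iface)
    if nets is None:
        return False
    src = ipaddress.ip_address(pkt.src)
    return not any(src in n for n in nets if n.version == src.version)


def classify(packets, prefix_map):
    """Apply the filter to a packet list; return counters and the dropped packets."""
    allowed = build_filter(prefix_map)
    stats = {"forwarded": 0, "dropped": 0}
    dropped = []
    for pkt in packets:
        if is_spoofed(pkt, allowed):
            stats["dropped"] += 1
            dropped.append(pkt)
        else:
            stats["forwarded"] += 1
    return stats, dropped


# Constructed traffic: two legitimate customer packets, two with forged sources
# (the shape of an L4 flood launched from a customer network), one peering packet.
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5", "tcp"),
    Packet("cust-a", "203.0.113.77", "203.0.113.5", "tcp"),      # forged source
    Packet("cust-b", "2001:db8:b::1", "2001:db8:1::1", "udp"),
    Packet("cust-b", "198.51.100.200", "203.0.113.5", "tcp"),    # outside the /25
    Packet("peer-0", "203.0.113.9", "192.0.2.1", "tcp"),
]

if __name__ == "__main__":
    stats, dropped = classify(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    print(stats)
    for pkt in dropped:
        print("drop", pkt.iface, pkt.src, "->", pkt.dst)
```

The filter is deliberately keyed on the ingress interface rather than on a global routing table: that is the difference between BCP38 at the customer edge and unicast RPF, and it is why a single multihomed or asymmetrically routed customer is the usual excuse operators give for not enabling it.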
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.