Daily Drop (804): TP-Link Omada | IG Chat Bots | Kimsuky | Muleshoe: Water | Drones: CN | HSBC: Outage | UK: MoD | Snowblind | Mustang Panda | Nvidia | UK Sanctions CN | 8220 Gang | CASR | CN & IN
06-30-24
Sunday, Jun 30 2024 // (IG): BB // ShadowNews // Coffee for Bob
Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.
China-linked Group Uses Malware to Try to Spy on Commercial Shipping, New Report Says
Bottom Line Up Front (BLUF): A cyber espionage group known as Mustang Panda, linked to China, has been using malware to target computer systems of cargo shipping companies in Norway, Greece, and the Netherlands, including systems aboard cargo ships.
Analyst Comments: This report indicates a significant escalation in Chinese cyber espionage activities, now targeting the commercial shipping sector. The use of sophisticated malware to gain remote access to shipping systems poses substantial risks to global trade and maritime security. The focus on shipping companies in key maritime nations suggests a strategic interest in monitoring or potentially disrupting international trade routes. This development aligns with warnings from UK and US officials about the growing cybersecurity threat from China, particularly to critical infrastructure. The targeting of systems aboard ships is especially concerning, as it could potentially allow for real-time tracking or interference with vessel operations. This trend underscores the need for enhanced cybersecurity measures in the maritime industry and highlights the expanding scope of cyber threats to global infrastructure.
FROM THE MEDIA: ESET, a Slovakia-based cybersecurity firm, reported that Mustang Panda introduced malware over the past five months to target shipping companies. This is the first evidence of a China-linked group focusing on commercial shipping. The malware used is a "remote access trojan" type, allowing full access to infected devices. UK and US officials warned of growing cybersecurity threats from China at a conference in Birmingham. The head of GCHQ described China as the "epoch-defining challenge" for cybersecurity and the international order.
READ THE STORY: MSN
8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining
Bottom Line Up Front (BLUF): The cybercriminal group known as 8220 Gang is exploiting vulnerabilities in Oracle WebLogic Server to deploy cryptocurrency mining malware using sophisticated fileless execution techniques.
Analyst Comments: This campaign demonstrates the evolving tactics of cybercriminal groups in leveraging enterprise software vulnerabilities for financial gain. The use of fileless execution techniques, including DLL reflective loading and process injection, shows a high level of sophistication designed to evade traditional security measures. The multi-stage loading process and masquerading as legitimate applications highlight the challenge of detecting such threats. The targeting of Oracle WebLogic Server, a widely used enterprise application platform, underscores the importance of prompt patching and robust security measures in enterprise environments. The development of new tools like k4spreader indicates the group's ongoing efforts to expand and refine their operations. This activity also illustrates the persistent threat of cryptojacking to organizations, which can lead to resource drain, increased costs, and potential entry points for more damaging attacks.
FROM THE MEDIA: The 8220 Gang, tracked as Water Sigbin by Trend Micro, exploits vulnerabilities CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 in Oracle WebLogic Server. Their attack chain involves multiple stages, including a PowerShell script, a fake WireGuard VPN application, and the PureCrypter loader. The group uses the XMRig miner for cryptocurrency mining. A new tool called k4spreader has been developed by the group to deliver the Tsunami DDoS botnet and PwnRig mining program. This tool can disable firewalls, terminate rival botnets, and self-update.
READ THE STORY: THN
Nvidia Partner Lambda Labs Seeks $800mn as AI Computing Demand Soars
Bottom Line Up Front (BLUF): Lambda Labs, a cloud computing start-up that rents out servers powered by Nvidia's AI chips, is seeking to raise $800 million in funding to capitalize on the surging demand for AI computing infrastructure.
Analyst Comments: This significant funding round for Lambda Labs underscores the intense demand for AI computing resources, particularly Nvidia's GPUs. The rapid sequence of financing for Lambda, following a recent $320 million raise and a $500 million loan, reflects the broader AI investment frenzy and the strategic importance of GPU access. Nvidia's strategy of funneling chips to companies like Lambda appears to be an attempt to diversify its customer base and create competition for major cloud providers. This trend could reshape the cloud computing landscape, potentially challenging the dominance of tech giants like Google, Amazon, and Microsoft in AI infrastructure. The high valuations and large funding rounds in this sector also raise questions about market sustainability and the potential for a bubble in AI-related investments.
FROM THE MEDIA: Lambda Labs is in talks to raise $800 million, adding to $320 million raised in February and a $500 million loan secured in April. The funding will be used to purchase more Nvidia GPUs, and associated cloud networking software, and hire more staff. JPMorgan is helping coordinate the fundraising. Lambda has benefited from a close relationship with Nvidia, as CEO Jensen Huang seeks to diversify Nvidia's customer base. The company pivoted from facial recognition to AI and then to cloud computing. Term sheets for the new funding round are expected in mid-July.
READ THE STORY: FT
The US Wants to Integrate the Commercial Space Industry With Its Military to Prevent Cyber Attacks
Bottom Line Up Front (BLUF): The US Department of Defense has launched the Commercial Augmentation Space Reserve (CASR) initiative to integrate commercial space equipment into military operations, aiming to enhance cybersecurity for military and commercial satellites.
Analyst Comments: This initiative represents a significant shift in US space defense strategy, acknowledging the growing importance of commercial space assets and the increasing risk of cyberattacks on space infrastructure. The integration of commercial technology into military operations offers potential advantages in terms of advanced capabilities and rapid innovation. However, it also introduces new challenges, including potential security vulnerabilities from using commercial off-the-shelf components and the need to manage a larger, more diverse supply chain. The success of this strategy will depend on effective leadership, standardization of cybersecurity practices across sectors, and ongoing education in space cybersecurity. This move could also influence global trends in space security, potentially encouraging similar public-private partnerships in other spacefaring nations.
FROM THE MEDIA: The CASR initiative aims to broaden the US military's pool of commercial suppliers for space operations. It's driven by the recognition that commercial space technology has, in some areas, advanced beyond government capabilities. The strategy seeks to enhance US national security and competitive advantage in space while addressing the growing risk of cyberattacks on critical space infrastructure. The article notes that cybersecurity in space has not historically been a top priority, highlighting the need for increased focus in this area. It also mentions the development of executive-level space cybersecurity courses to bridge knowledge gaps between different sectors involved in space operations.
READ THE STORY: Wired
Multiple TP-Link Omada Vulnerabilities Let Attackers Execute Remote Code
Bottom Line Up Front (BLUF): Cisco Talos researchers have identified twelve unique vulnerabilities in TP-Link Omada networking devices that could allow attackers to execute remote code, potentially leading to severe security breaches.
Analyst Comments: This disclosure highlights significant security risks in widely used small-to-medium business networking equipment. The range and severity of the vulnerabilities, including unauthenticated remote code execution and post-authentication command injection flaws, pose serious threats to network integrity and data security. The inclusion of vulnerabilities in the TP-Link Device Debug Protocol (TDDP) is particularly concerning, as it could allow attackers to gain root access or reset devices to factory settings without authentication. This situation underscores the critical importance of regular security assessments and prompt patching in network infrastructure. It also raises questions about the security practices of network equipment manufacturers and the potential for widespread impacts on business networks.
FROM THE MEDIA: Twelve vulnerabilities were identified across various TP-Link Omada devices, including wireless access points, VPN routers, and software controllers. The most severe flaws allow for remote code execution, arbitrary command execution, and device factory resets. Many vulnerabilities affect post-authentication functions in the TP-Link ER7206 Omada Gigabit VPN Router. The TDDP service is exposed for 15 minutes after device startup, creating a window for exploitation. TP-Link has been notified and has released patches to address these issues. Users are strongly advised to update their devices to the latest firmware.
READ THE STORY: GBhackers
China's Backdoor Data Infiltration: A Growing Concern For Indian Government
Bottom Line Up Front (BLUF): Indian security agencies have discovered Chinese microchips and hardware in biometric attendance systems (BAS) used in central and state government buildings, raising concerns about potential massive data breaches.
Analyst Comments: This revelation highlights a significant vulnerability in India's government infrastructure and potential compromise of sensitive data. The widespread use of these systems across various government institutions, including military and defense offices, suggests a systemic security risk. The ability of Chinese firms to potentially access data on government officials, their designations, and locations poses a serious threat to national security. This incident underscores the need for more rigorous vetting of technology suppliers and components used in critical government systems. It also highlights the challenges of securing supply chains in an interconnected global market, especially when dealing with technology from geopolitical rivals. The scale of the problem, affecting nearly 2.6 million government employees, indicates that addressing this vulnerability will require a comprehensive and coordinated response across multiple levels of government.
FROM THE MEDIA: Over a dozen Indian enterprises selling biometric attendance systems to government offices used devices with Chinese-origin parts. Approximately 7,500 central and state government institutions, employing around 900,000 central and 1.7 million state employees, may have been using over 80,000 dubious biometric attendance systems. This includes key government buildings and military and defense offices. Intelligence sources suggest these systems could be used by Chinese firms to gather data on the number of officials in specific organizations, their designations, and locations.
READ THE STORY: ISN
UK Set to Sanction Individuals Over Alleged Chinese Cyber Interference
Bottom Line Up Front (BLUF): The UK government is reportedly preparing to announce sanctions against individuals believed to be involved in Chinese state-backed cyber interference, including attacks on the Electoral Commission and targeted operations against MPs and peers.
Analyst Comments: This development marks a significant escalation in the UK's response to alleged Chinese cyber activities targeting its democratic institutions. The decision to impose sanctions indicates a hardening stance towards Beijing and a willingness to take more confrontational measures to counter perceived threats. The reported breaches, particularly the access to 40 million voters' personal details, represent a serious security concern with potential implications for electoral integrity and personal privacy. The targeting of specific MPs known for their hawkish stance on China suggests a strategic attempt to intimidate or gather intelligence on key policy influencers. This incident is likely to further strain UK-China relations and may prompt other Western nations to reassess their cybersecurity postures vis-à-vis China. The timing of this announcement, coinciding with reforms to UK spying laws, suggests a coordinated effort to strengthen the country's cyber defenses and intelligence capabilities.
FROM THE MEDIA: Deputy Prime Minister Oliver Dowden is expected to address Parliament about Beijing's involvement in cyber-attacks against MPs, peers, and the Electoral Commission. A group of politicians focused on China issues, including members of the Inter-Parliamentary Alliance on China (IPAC), have reportedly been briefed on the situation. The government is also advancing reforms to UK spying laws through the Investigatory Powers (Amendment) Bill, which aims to enhance agencies' abilities to examine and retain bulk datasets.
READ THE STORY: MSN
Say Hello to Creator-Built AI Chatbots on Instagram
Bottom Line Up Front (BLUF): Meta CEO Mark Zuckerberg announced that Instagram will soon allow creators to build AI versions of themselves that users can interact with through direct messages.
Analyst Comments: This development represents a significant shift in social media interaction, blending influencer culture with AI technology. While potentially engaging for users, it raises concerns about the authenticity of interactions and the potential for misuse or misinformation. The creation of AI personas by influencers could further blur the lines between reality and digital representation, potentially impacting users' perceptions and relationships with online personalities. From a cybersecurity perspective, these AI chatbots could present new vectors for social engineering attacks or privacy breaches if not properly secured. This move also highlights Meta's continued push into AI integration across its platforms, likely aiming to compete with other tech giants in the AI space.
FROM THE MEDIA: The feature is currently in the testing phase and will roll out gradually to Instagram users. Creators will build their AI characters using Meta's AI studio. The article also mentions other tech news, including a new hydrogen-powered race car for the Extreme H series, Hyundai's new affordable EV (not available in the US), and an FCC proposal to make it easier for consumers to unlock their phones and switch carriers.
READ THE STORY: Wired
Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data
Bottom Line Up Front (BLUF): The North Korean threat actor Kimsuky has been observed using a malicious Google Chrome extension called TRANSLATEXT to steal sensitive information, targeting South Korean academia focused on North Korean political affairs.
Analyst Comments: This campaign demonstrates the ongoing sophistication of North Korean cyber operations, particularly in targeting strategic research and intelligence targets. The use of a malicious browser extension as an attack vector is concerning, as it can bypass traditional security measures and operate with elevated privileges within the browser environment. The campaign's focus on South Korean academics studying North Korean affairs underscores the geopolitical motivations behind these attacks and the persistent threat to sensitive research and policy discussions. The brief appearance and deletion of the extension on GitHub suggests a highly targeted operation designed to minimize detection. This incident highlights the need for improved security awareness and vetting of browser extensions, especially in high-risk sectors and for individuals working on sensitive topics.
FROM THE MEDIA: Zscaler ThreatLabz discovered the TRANSLATEXT extension in March 2024. The extension, masquerading as Google Translate, can steal email addresses, usernames, passwords, cookies, and capture browser screenshots. The attack chain involves a ZIP archive containing a Hangul Word Processor document and an executable, which downloads additional malicious code. The extension was briefly hosted on GitHub under the name "GoogleTranslate.crx". Kimsuky has also been observed using CVE-2017-11882 to distribute a keylogger and targeting aerospace and defense sectors with job-themed lures.
READ THE STORY: THN
Russian-linked Hackers Carry Out Cyberattack on Texas Town's Water System
Bottom Line Up Front (BLUF): Cybersecurity firm Mandiant reported that a Russian intelligence unit, working with an online persona called "Cyber Army of Russia_Reborn," carried out a cyberattack on the water system of Muleshoe, a small town in Texas, causing a water tank to overflow for 30-45 minutes.
Analyst Comments: This incident highlights the vulnerability of small-town infrastructure to sophisticated cyber threats, even from state-level actors. The targeting of a town with only 5,000 residents suggests that attackers may be exploiting the generally weaker cybersecurity measures in smaller municipalities. This attack, along with suspicious activities reported in other West Texas cities, underscores the need for enhanced cybersecurity measures across all levels of critical infrastructure, regardless of population size. The involvement of a Russian intelligence unit, if confirmed, raises concerns about the potential escalation of state-sponsored cyberattacks on US infrastructure. This event may prompt a reassessment of cybersecurity priorities and resource allocation for small-town utilities across the country.
FROM THE MEDIA: The attack on Muleshoe occurred in January 2024. Suspicious activity was also reported around public water systems in three other West Texas cities: Abernathy, Hale Center, and Lockney. Cybersecurity expert Gus Serino noted that small towns may be easy targets due to a false sense of security. The White House and EPA recently urged governors to increase protection for water and wastewater systems against threats, particularly from Iran and China-linked hackers. The US water system faces vulnerabilities including weak controls, insufficient funding, and staffing shortages.
READ THE STORY: MSN
Thousands of HSBC Customers Suffer Online Banking Outage in Britain
Bottom Line Up Front (BLUF): HSBC experienced a significant outage affecting its online and mobile banking services in Britain, with thousands of customers unable to access their accounts or make payments.
Analyst Comments: This incident highlights the ongoing vulnerability of digital banking infrastructure to technical failures, even at major financial institutions. The scale of the outage, affecting thousands of customers, underscores the critical dependence on online banking services in modern society. Such disruptions can have significant impacts on individuals and businesses, potentially affecting financial transactions, bill payments, and day-to-day operations. The persistence of these issues across the UK banking sector suggests a need for improved resilience and redundancy in digital banking systems. This event may also intensify regulatory scrutiny of banks' IT infrastructure and disaster recovery capabilities. For HSBC, this outage could result in reputational damage and potential financial losses if customers face consequences from missed payments or transactions.
FROM THE MEDIA: This set of vulnerabilities, particularly the critical CI/CD pipeline flaw, poses significant risks to organizations using GitLab for version control and DevOps processes. The ability to run pipelines as any user could lead to unauthorized code execution, data breaches, or supply chain attacks. The additional vulnerabilities, including stored XSS and CSRF issues, further compound the potential attack surface. The breaking changes introduced by the fixes, such as disabling GraphQL authentication using CI_JOB_TOKEN by default, may require operational adjustments for some organizations. This incident underscores the ongoing security challenges in complex DevOps environments and the critical importance of promptly applying security updates to prevent potential exploitation.
READ THE STORY: WIBQ
Request to Declassify Information on National Security Risks of Chinese-Made Drones
Bottom Line Up Front (BLUF): Members of Congress are requesting declassification of information related to national security risks posed by drones manufactured in China, particularly those made by DJI and Autel Robotics.
Analyst Comments: This request highlights growing concerns about the security implications of Chinese-made drones, especially their widespread use by U.S. law enforcement agencies. The letter suggests there is significant classified information about these risks that, if made public, could influence policy and purchasing decisions. The request for declassification indicates a push for greater transparency and public awareness of potential cybersecurity threats associated with these drones. The mention of findings from Sandia National Laboratories and previous warnings from multiple federal agencies underscores the seriousness of these concerns. This issue intersects with broader geopolitical tensions between the U.S. and China, particularly regarding technology and data security.
FROM THE MEDIA: The letter cites a joint advisory from CISA and the FBI warning of significant risks to critical infrastructure and national security from Chinese-made drones. It notes that DJI and Autel control nearly 90% of the global drone market. Multiple federal agencies have previously warned against or banned the procurement of certain Chinese drones. Concerns include potential data collection and exploitation by the Chinese government, cyber vulnerabilities, and use of drones for surveillance of minority populations in China. The letter requests the declassification of relevant findings and a briefing to committee staff by July 2, 2024.
READ THE STORY: sUAS
China Hacked Ministry of Defence, Sky News Learns
Bottom Line Up Front (BLUF): Sky News reports that the Chinese state has hacked the UK Ministry of Defence (MoD), targeting a payroll system containing personal and financial data of current service personnel and some veterans.
Analyst Comments: This alleged breach represents a significant escalation in cyber espionage targeting UK defense infrastructure. The compromise of personnel data, including bank details, raises serious concerns about potential exploitation for intelligence gathering or financial fraud. The timing of this revelation, coinciding with Chinese President Xi Jinping's European tour, may increase diplomatic tensions between the UK and China. This incident underscores the persistent and sophisticated nature of state-sponsored cyber threats, particularly those originating from China. It may prompt a reassessment of cybersecurity measures across UK government agencies and could influence broader policy discussions about the UK's relationship with China, including in areas of technology and defense cooperation.
FROM THE MEDIA: The MoD discovered the breach in recent days and has been working to understand its scale. The hacked system is not connected to main MoD computer systems and has been taken down for review. Defence Secretary Grant Shapps is expected to make a statement to Parliament outlining a "multi-point plan" to address the breach. This incident follows recent accusations by the UK government of Chinese state-affiliated actors conducting two other "malicious" cyberattack campaigns in the country. Some MPs are calling for the UK to formally designate China as a "systemic threat" in response to these ongoing cyber activities.
READ THE STORY: Yahoo UK
Snowblind Abuses Android seccomp Sandbox To Bypass Security Mechanisms
Bottom Line Up Front (BLUF): A new Android banking trojan called Snowblind has been discovered that exploits the Linux kernel's seccomp feature to bypass anti-tampering mechanisms in apps, allowing it to steal login credentials, bypass 2FA, and exfiltrate data.
Analyst Comments: This malware represents a significant evolution in Android threats by leveraging a security feature (seccomp) to bypass app protections. The ability to circumvent anti-tampering mechanisms, even in heavily obfuscated apps, poses a serious risk to mobile banking security. This technique could potentially be adapted for various malicious purposes beyond banking trojans. The widespread availability of seccomp-bpf on Android devices running version 8 and later makes this a broad-reaching threat. This development underscores the ongoing cat-and-mouse game between security mechanisms and malware authors, highlighting the need for continuous innovation in mobile app security and runtime protection.
FROM THE MEDIA: Snowblind injects a native library with a seccomp filter before an app's anti-tampering code runs, redirecting system calls to bypass detection. It exploits seccomp-bpf, a feature available on most Android 8+ devices. The malware installs a filter allowing all system calls except open(), then uses a custom signal handler to inject the original app's file path into open() calls, effectively bypassing anti-tampering checks. This technique differs from traditional accessibility service exploitation or virtualization-based attacks like FjordPhantom.
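The runtime-protection angle on the technique above is to notice when the process's seccomp state changes underneath the app: a filter count that grew or a SIGSYS handler that appeared after startup. The following is an added example written for this digest, not code from Promon, the Snowblind sample or any app; it reads the Seccomp fields from /proc/self/status on Linux, queries the SIGSYS disposition, and compares against a baseline, using constructed status excerpts so it can be exercised without a sandboxed device.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Snapshot of the seccomp-related state of the running process. */
typedef struct {
    int  mode;           /* "Seccomp:" field: 0 off, 1 strict, 2 filter, -1 unknown */
    long filters;        /* "Seccomp_filters:" field; -1 on kernels that lack it */
    int  sigsys_handler; /* 1 if a user SIGSYS handler is registered, else 0 */
} seccomp_state;

/* Return the numeric value of a "Key:\tvalue" line in /proc/<pid>/status text,
 * or -1 if the key is absent. The key includes the trailing colon so that
 * "Seccomp:" does not also match "Seccomp_filters:". */
static long status_field(const char *text, const char *key) {
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, key, klen) == 0)
            return strtol(line + klen, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Build a state from status text plus the SIGSYS handler flag. Kept separate
 * from the live reader so it can be exercised on constructed input. */
seccomp_state parse_seccomp_state(const char *status_text, int sigsys_handler) {
    seccomp_state s;
    s.mode = (int)status_field(status_text, "Seccomp:");
    s.filters = status_field(status_text, "Seccomp_filters:");
    s.sigsys_handler = sigsys_handler ? 1 : 0;
    return s;
}

/* 1 if something other than SIG_DFL/SIG_IGN is registered for SIGSYS.
 * sigaction() with a NULL new action only queries the current disposition. */
int sigsys_handler_installed(void) {
    struct sigaction sa;
    if (sigaction(SIGSYS, NULL, &sa) != 0) return 0;
    return (sa.sa_handler != SIG_DFL && sa.sa_handler != SIG_IGN) ? 1 : 0;
}

/* Read the live state from /proc/self/status (Linux only; fields read as
 * unknown elsewhere). */
seccomp_state read_seccomp_state(void) {
    char buf[8192];
    size_t n = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    buf[n] = '\0';
    return parse_seccomp_state(buf, sigsys_handler_installed());
}

/* Compare against a baseline captured at process start. On Android 8+ the
 * zygote already runs every app in filter mode (mode 2), so mere presence of
 * a filter is not a finding; a filter count or SIGSYS handler that changed
 * after startup is the signal worth acting on. */
int seccomp_state_changed(const seccomp_state *baseline, const seccomp_state *now) {
    return baseline->mode != now->mode
        || baseline->filters != now->filters
        || baseline->sigsys_handler != now->sigsys_handler;
}

/* Constructed sample status excerpts (not real captures). */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tdemo\nState:\tR (running)\nSeccomp:\t0\nSeccomp_filters:\t0\n";
static const char SAMPLE_STATUS_FILTERED[] =
    "Name:\tdemo\nState:\tR (running)\nSeccomp:\t2\nSeccomp_filters:\t1\n";

int main(void) {
    seccomp_state baseline = read_seccomp_state();
    printf("live: mode=%d filters=%ld sigsys_handler=%d\n",
           baseline.mode, baseline.filters, baseline.sigsys_handler);
    /* Pretend a later check observed the constructed filtered state. */
    seccomp_state later = parse_seccomp_state(SAMPLE_STATUS_FILTERED, 1);
    printf("changed vs constructed filtered state: %d\n",
           seccomp_state_changed(&baseline, &later));
    return 0;
}
```

A container runtime's default profile also puts a process in mode 2, so the live reading will often show a filter already; the comparison against the startup baseline is what matters.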
READ THE STORY: GBhackers
Items of interest
China's Cyber Talent: Defensive Shield or Offensive Sword
Bottom Line Up Front (BLUF): The China Software Testing Center (CSTC), part of China's Ministry of Industry and Information Technology, plays a critical role in the country's cybersecurity framework, supporting both defensive capabilities and potential offensive cyber operations.
Analyst Comments: The CSTC's dual-use potential highlights the blurred lines between defensive and offensive cyber capabilities in China's strategy. While primarily focused on defensive tasks like software evaluation and vulnerability management, the center's expertise and resources could readily support offensive operations. The CSTC's involvement in military-civil fusion projects and its oversight of vulnerability reporting systems give it unique access to critical data and infrastructure. This positions the CSTC as a key player in China's cyber strategy, potentially serving as a technical resource for both defensive and offensive teams. The center's connections to the Chinese Communist Party and its role in supporting military clients further underscore its strategic importance. This multifaceted role raises concerns about the potential for Chinese cyber espionage and the challenges in distinguishing between legitimate cybersecurity efforts and preparations for offensive operations.
FROM THE MEDIA: The CSTC employs over 2,000 experts, many with advanced degrees in relevant fields. It issues technical standards similar to NIST in the U.S. and evaluates software for government use. The center oversees China's mandatory software vulnerability reporting system. CSTC's subsidiary, Beijing CCID, provides services to military clients. Books published by CSTC contain detailed information on U.S. national labs, suggesting potential dual-use applications. The center's penetration testers have conducted red-team exercises for government ministries, including the Ministry of State Security.
READ THE STORY: Cutting Room Floor
Building Bridges? Development and Infrastructure in U.S.-China Relations (Video)
FROM THE MEDIA: Amid escalating U.S.-China tensions, Washington and Beijing are focused on managing their real and significant bilateral differences on trade and other economic issues. At the same time, both countries have a major stake in the functioning of the global economic order—the institutions, rules, and norms that shape international economic affairs. Even as they address bilateral issues, therefore, it is also important for the two sides to seek areas where they may be able to work together in strengthening the global economic order.
Big Data China Interview with Michael Davidson (Video)
FROM THE MEDIA: In this video interview, Ilaria Mazzocco speaks with Michael Davidson, Assistant Professor at the UC San Diego School of Global Policy and Strategy and the Jacobs School of Engineering, about the political economy of China's climate and CleanTech policies, and the impact of U.S. policy responses on achieving its climate goals.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.