Daily Drop (815): Bellingcat: X | Graphcore | CRYSTALRAY | MSS: APT40 | 'Looted' Grain | NATO | Beijing: Narrative Spinning | AU: China Cyber | IBAT | South Korean Lasers | NuGet NPM | RU BOTS
07-13-24
Friday, Jul 13 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concepts (PoCs), if available, for mentioned CVEs:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It's primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project. *
Beijing Accused of Misusing Western Research to Claim Volt Typhoon is a Ransomware Group
Bottom Line Up Front (BLUF): China's national cybersecurity agency has been accused of misrepresenting Western research to deny allegations that a Beijing-backed hacking group, Volt Typhoon, is behind cyberattacks targeting critical infrastructure in the West. Trellix and other cybersecurity firms have pushed back against these claims, stating that the Chinese government's report distorts their findings and aims to manipulate public perceptions.
Analyst Comments: The Chinese government's efforts to discredit allegations against Volt Typhoon reflect an ongoing strategy to obscure its involvement in cyber espionage. By misrepresenting Western cybersecurity research, China aims to sow doubt about the credibility of these accusations and deflect attention from its cyber activities. This tactic underscores the importance of rigorous, transparent intelligence analysis and international collaboration in attributing cyber threats. The response from Trellix and other cybersecurity firms highlights the challenges of countering state-sponsored misinformation and the critical role of the cybersecurity community in maintaining the integrity of threat intelligence.
FROM THE MEDIA: China’s National Computer Virus Emergency Response Center (CVERC) has been accused of distorting Western cybersecurity research to deny that the hacking group Volt Typhoon, also known as Bronze Silhouette, is linked to Beijing. Trellix, a prominent cybersecurity firm, criticized a recent CVERC report that falsely attributed ransomware activity by the Dark Power group to Volt Typhoon. The report contained numerous inaccuracies and misrepresentations, including grammatical errors and misleading interpretations of intelligence assessments from companies like Mandiant and ThreatMon. These distortions were likely an effort by the Chinese government to manipulate public perception and deflect blame for cyber espionage activities targeting critical infrastructure in the West.
READ THE STORY: The Record // THN
Economic Dependencies Influence Hungary's NATO Position
Bottom Line Up Front (BLUF): Hungary's significant economic ties with China are a major factor influencing its reluctance to support NATO evolving into an "anti-China" bloc. These financial dependencies shape Budapest's foreign policy decisions, underscoring the interconnectedness of economic interests and geopolitical strategies.
Analyst Comments: Hungary's foreign policy, particularly its stance on China, is heavily influenced by substantial financial investments from Beijing. Over recent years, China has invested around EUR 15.2 billion in Hungary, making it a crucial economic partner. These investments have brought advanced technologies and created thousands of jobs, particularly in the automotive sector. This economic relationship provides Hungary with financial stability and growth opportunities, making it less inclined to support international actions that could jeopardize these benefits. Historically, such economic dependencies have often led to political alignments that reflect the interests of major investors, as seen in Hungary's approach to both China and Russia. This strategic balancing act allows Hungary to leverage its relationships for maximum economic and political gain, even as it navigates complex geopolitical landscapes.
FROM THE MEDIA: Hungary's Foreign Minister Peter Szijjarto recently emphasized that NATO should not become an "anti-China" bloc, highlighting the country's significant trade and investment ties with China. This stance is reflective of Hungary's broader economic strategy, which has seen substantial Chinese investments in key sectors like automotive manufacturing. Hungary's position is influenced by its need to maintain these beneficial economic relationships, which have bolstered its economy through job creation and technological advancements. Additionally, Prime Minister Viktor Orban's meetings with Chinese leaders underscore the strategic importance of these financial ties. Hungary's approach is indicative of how economic dependencies can shape foreign policy, ensuring that national interests are aligned with those of major economic partners.
READ THE STORY: Reuters // Daily News Hungary // The Diplomat
SoftBank Acquires UK AI Chipmaker Graphcore
Bottom Line Up Front (BLUF): SoftBank has acquired the UK-based AI chipmaker Graphcore for approximately $600 million. This acquisition is seen as a strategic endorsement of Graphcore's technology and team, aimed at enhancing SoftBank's AI capabilities and potentially integrating Graphcore's technology with Arm, another SoftBank-owned company. SoftBank has long-standing relationships with Saudi Arabia and with China's tech sector, having invested heavily in major companies such as Alibaba, ByteDance, and Didi Chuxing. These investments have allowed SoftBank to tap into China's booming tech market and establish significant influence within the industry. SoftBank's Vision Fund, which includes substantial investments in Chinese startups, further cements these ties.
Analyst Comments: While evading US chip bans might be one motive, China has multiple logical reasons to acquire Graphcore. These include technological advancement, strategic independence, economic benefits, research synergies, and geopolitical strategy. Collectively, these factors make acquiring Graphcore a strategic move to bolster China’s position in the global tech industry. China could leverage its relationship with SoftBank to circumvent the US Chips Act, which restricts the export of advanced semiconductors to Chinese entities. By utilizing SoftBank's acquisitions and technological assets, such as Graphcore's IPUs, China might gain indirect access to advanced AI technology.
FROM THE MEDIA: Japan's SoftBank has purchased the UK AI chipmaker Graphcore, a company known for its advanced IPUs designed to accelerate AI workloads. Graphcore's technology has been praised for its performance, notably outperforming Nvidia's A100 GPUs in some cases. However, the company has faced significant financial challenges, reporting low revenues and high operating expenses, which led to substantial job cuts. The acquisition, valued at around $600 million, is less than the total funding Graphcore had previously raised. SoftBank, which also owns the CPU designer Arm, sees this acquisition as a way to enhance AI compute capabilities and possibly integrate Graphcore's technology with Arm's offerings, potentially making the AI infrastructure market more competitive.
READ THE STORY: Reuters
U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation
Bottom Line Up Front (BLUF): The U.S. Department of Justice (DoJ) has seized two internet domains and nearly 1,000 social media accounts used by a Russian bot farm to spread pro-Kremlin disinformation. The operation utilized AI to create fictitious social media profiles, promoting messages supporting Russian government objectives across several countries, including the U.S., Poland, Germany, and Ukraine.
Analyst Comments: The disruption of this AI-powered Russian bot farm highlights the sophisticated tactics employed in modern disinformation campaigns. By leveraging AI to generate authentic-appearing social media profiles, the bot network was able to disseminate pro-Kremlin narratives effectively. This operation underscores the ongoing threat of state-sponsored influence operations and the critical need for robust cyber defenses and international cooperation to counteract such activities. The DoJ’s actions reflect a significant step in addressing the misuse of AI in disinformation and the importance of safeguarding democratic institutions against foreign interference.
FROM THE MEDIA: The U.S. Department of Justice (DoJ) has dismantled a Russian bot farm that utilized AI to create nearly 1,000 fictitious social media profiles for spreading disinformation. The operation, which involved seizing the domains mlrtr[.]com and otanmail[.]com, was part of a scheme by Russian state-owned media outlet RT, sponsored by the Kremlin and aided by an officer of Russia's Federal Security Service (FSB). The bot network aimed to promote pro-Kremlin messages and influence public perception in countries including the U.S., Poland, Germany, the Netherlands, Spain, Ukraine, and Israel.
READ THE STORY: THN
Bellingcat Faces Censorship Allegations from Social Media Platform X
Bottom Line Up Front (BLUF): Bellingcat, an investigative journalism group, has accused the social media platform X (formerly Twitter) of censorship after their research on a Russian missile attack on a Ukrainian children's hospital was labeled as "potentially spammy or unsafe."
Analyst Comments: The launch of Cosmos 2576 marks a concerning escalation in space militarization. Given Russia's historical and current capabilities, the deployment of counter-space weapons, including nuclear-armed satellites, could severely undermine global satellite infrastructure. This move challenges existing treaties and could trigger a new space arms race, compelling nations like the United States and China to enhance their defensive and offensive space capabilities. Diplomatic efforts and strategic alliances will be critical in addressing this emerging threat.
FROM THE MEDIA: Bellingcat's latest research on a Russian missile strike in Kyiv has been labeled as spam by the social media platform X. This action has raised concerns about censorship and the role of social media in spreading or curbing disinformation. Bellingcat's investigation provided evidence countering Russian propaganda, which falsely claimed Ukrainian responsibility for the attack. The situation underscores the ongoing information warfare and challenges faced by investigative journalists in disseminating their findings on platforms with significant reach and influence.
READ THE STORY: The Record
Ukraine Seizes Cargo Ship for Exporting 'Looted' Grain from Crimea
Bottom Line Up Front (BLUF): Ukraine has seized a foreign cargo ship and detained its Azeri captain on suspicion of exporting grain stolen from Russian-occupied Crimea. This rare action aims to deter future incidents of illegal grain trade, amidst ongoing tensions and accusations against Russia.
Analyst Comments: The seizure of the Cameroon-flagged USKO MFU by Ukraine underscores the heightened scrutiny and enforcement measures Kyiv is adopting against illegal grain exports from Russian-occupied territories. This action not only sends a strong signal to international traders about the risks of circumventing sanctions but also highlights the complexities of maintaining security and sovereignty over critical resources during the conflict. Historically, the illegal appropriation of agricultural products during conflicts has been a common tactic, used to disrupt economies and supply chains. Ukraine's decisive move may provoke reactions from trading partners and potentially escalate maritime tensions in the Black Sea and Danube regions.
FROM THE MEDIA: Ukraine's prosecutor for Crimea, Ihor Ponochovny, emphasized the importance of this seizure as a warning to countries aiding Russia in circumventing sanctions. Despite claims from the ship's management that the vessel did not transport cargo from occupied Ukrainian territories, Ukrainian authorities are proceeding with investigations to identify all involved parties. The Danube River remains a vital route for Ukrainian grain exports, especially after the collapse of a UN-brokered deal allowing Kyiv to sell food during the war.
READ THE STORY: Reuters
Australia Accuses China of Backing Cyber Espionage Group
Bottom Line Up Front (BLUF): Australia, supported by key intelligence partners, has accused a China-backed hacking group, APT 40, of conducting extensive cyber espionage operations. The Australian Signals Directorate (ASD) identified APT 40 as targeting Australian and regional government and private sector networks. This marks the first direct attribution of malicious cyber activity to a Chinese state-sponsored actor by Australia, signaling a significant escalation in international pushback against Beijing's cyber activities.
Analyst Comments: The attribution of cyber attacks to APT 40 represents a notable shift in Australia's cyber policy and international relations. By leading this charge, Australia is taking a prominent role in global cyber defense, particularly in the Indo-Pacific region. The ASD’s proactive stance reflects increasing concerns over China's cyber capabilities and the strategic threats they pose. This move is part of a broader effort to enhance cybersecurity and protect sensitive information from state-sponsored actors.
FROM THE MEDIA: Australia's cyber intelligence agency, the Australian Signals Directorate (ASD), has accused a Chinese-backed hacking group known as APT 40 of targeting government and private sector networks in Australia and the surrounding region. APT 40, linked to China's Ministry of State Security, has been involved in cyber espionage and has compromised numerous networks. The ASD's advisory, co-signed by Five Eyes partners and other allies, marks the first direct attribution of cyber attacks to a Chinese state-sponsored actor by Australia. China’s Foreign Ministry has rejected these accusations, asserting that they aim to smear China’s reputation.
READ THE STORY: ABC (AU)
IBAT: Portable Plant Design Promises Cheaper, Faster Lithium Production
Bottom Line Up Front (BLUF): International Battery Metals (IBAT) has successfully commercialized a novel direct lithium extraction (DLE) technology, marking a significant milestone for the lithium industry. This new approach promises to revolutionize lithium production by being faster, more efficient, and environmentally friendly.
Analyst Comments: The commercialization of IBAT's DLE technology is poised to transform the global lithium supply chain, crucial for the burgeoning electric vehicle (EV) market. This breakthrough addresses long-standing issues in traditional lithium extraction methods, such as high water use and long production times. By utilizing portable, modular plants, IBAT offers a scalable and relocatable solution that can be rapidly deployed to various brine sources globally. The technology’s ability to recycle over 98% of the water used further underscores its environmental benefits. This innovation not only enhances the efficiency of lithium extraction but also positions IBAT as a key player in the sustainable energy sector.
FROM THE MEDIA: International Battery Metals (IBAT) has become the first company to commercially produce lithium using a novel filtration-based DLE technology. At a site in Utah, IBAT is producing nearly 5,000 metric tons of lithium per year. This portable plant design allows for scalable and relocatable production, with each plant capable of being moved and reused at new deposits, significantly reducing construction costs. This method also recycles over 98% of water used, addressing one of the major environmental concerns in lithium production.
READ THE STORY: Reuters
APT40-PRC-MSS: Tradecraft in Action
Bottom Line Up Front (BLUF): The National Security Agency (NSA) and Australian Signals Directorate (ASD) have released a cybersecurity advisory detailing the tactics of China-based cyber group APT40, revealing their methods of exploiting vulnerabilities and targeting government networks.
Analyst Comments: The joint advisory titled “PRC MSS Tradecraft in Action” outlines the advanced tactics employed by the Chinese state-sponsored cyber group APT40, also known by various aliases such as Kryptonite Panda and GINGHAM TYPHOON. APT40 has been active since 2017, exploiting widely used software vulnerabilities like Log4J and Microsoft Exchange to infiltrate US and Australian networks. This group, linked to the PRC Ministry of State Security (MSS), utilizes compromised devices, including outdated home office equipment, to launch attacks that blend with regular network traffic, making detection challenging.
FROM THE MEDIA: ASD and other international cybersecurity agencies have issued a comprehensive advisory on APT40's cyber espionage activities. The advisory highlights the group's sophisticated methods of exploiting software vulnerabilities and using compromised infrastructure to evade detection. It provides actionable recommendations to help network defenders mitigate and respond to these threats effectively. The advisory underscores the importance of maintaining up-to-date security practices to protect against advanced persistent threats like APT40.
READ THE STORY: MeriTalk // NCSC
South Korea to Deploy Laser Weapons Against North Korean Drones
Bottom Line Up Front (BLUF): South Korea will become the first country to deploy and operate laser weapons to counter North Korean drones. This advanced defense system, developed with Hanwha Aerospace, is designed to enhance South Korea's military response to drone provocations.
Analyst Comments: The deployment of laser weapons by South Korea represents a significant leap in military technology, marking a new era in defense capabilities. These weapons, part of the so-called "StarWars project," are notable for their efficiency and low cost per shot. By burning down engines and other electrical components with beams of light, these systems offer a silent and invisible countermeasure against unmanned aerial threats. This development comes in response to increasing drone incursions from North Korea, highlighting the ongoing tensions and the need for innovative defense solutions. The strategic importance of this technology is underscored by its potential to revolutionize drone warfare and provide a robust deterrent against aerial provocations.
FROM THE MEDIA: South Korea's Defense Acquisition Program Administration (DAPA) announced the deployment of laser weapons to shoot down North Korean drones, marking the first operational use of such technology globally. The system, developed with Hanwha Aerospace, can incapacitate drones by targeting their engines and electronics with focused laser beams for 10 to 20 seconds. This move follows a recent incursion of five North Korean drones into South Korean airspace, prompting a scramble of fighter jets and attack helicopters. The deployment aims to strengthen South Korea's defensive capabilities against unmanned threats, leveraging cost-effective and environmentally friendly technology.
READ THE STORY: Reuters
60 New Malicious Packages Uncovered in NuGet Supply Chain Attack
Bottom Line Up Front (BLUF): Threat actors have launched a new wave of malicious packages on the NuGet package manager, using advanced techniques to avoid detection. Approximately 60 packages with 290 versions were identified, continuing a campaign that started in August 2023. These packages aim to deliver the SeroXen remote access trojan (RAT) through sophisticated methods, including IL weaving to inject malicious code into legitimate software.
Analyst Comments: The ongoing NuGet supply chain attack represents a significant threat to developers and organizations relying on open-source packages. The attackers' shift from using MSBuild integrations to employing IL weaving illustrates their evolving tactics to enhance stealth and efficacy. By injecting malicious code into Portable Executable (PE) .NET binaries, they create nearly indistinguishable imposter packages, posing a severe risk to software supply chain security. This highlights the necessity for stringent security measures and vigilance among developers to detect and mitigate such threats. The removal of these malicious packages underscores the continuous cat-and-mouse game between cybersecurity professionals and threat actors.
FROM THE MEDIA: Cybersecurity firm ReversingLabs has reported a new surge of malicious packages on the NuGet package manager. These packages, about 60 in total and spanning 290 versions, utilize a refined technique known as IL weaving to inject malicious functionality into legitimate .NET binaries. This method involves modifying an application's code post-compilation, enabling the delivery of the SeroXen remote access trojan (RAT). The attackers have used homoglyphs to create deceptive package names, further complicating detection efforts.
READ THE STORY: THN
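A defender-side check for the homoglyph trick described in the NuGet story above, added here as an example (it is not ReversingLabs' or NuGet's tooling). The trusted package names and the confusables subset are constructed assumptions; the check flags a candidate name that folds to the same skeleton as a trusted one, or that mixes scripts.

```python
"""Homoglyph-aware lookalike check for package names.

Added example, not part of the original digest. Given package names an
organisation already trusts, flag candidate names that are visually
confusable with one of them (e.g. a Cyrillic 'o' swapped for a Latin 'o')
or that mix scripts. The confusables table is a hand-picked subset of the
Unicode confusables data, not the full list (assumption).
"""
import unicodedata

# Hand-picked subset of non-Latin code points that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
}

# Constructed sample allow-list; these are not real NuGet packages.
TRUSTED = ["Contoso.Logging", "Fabrikam.Http.Client", "Northwind.Data"]


def skeleton(name: str) -> str:
    """Comparison form: NFKC-normalise, casefold, then map confusables to Latin."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def letter_scripts(name: str) -> set:
    """Approximate the scripts used by the letters in name via the first word
    of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def check_package_name(candidate: str, trusted: list) -> dict:
    """Classify candidate as trusted, homoglyph (impersonates a trusted name),
    mixed-script, or unknown. Package IDs are compared case-insensitively,
    matching how NuGet treats them."""
    cand_skel = skeleton(candidate)
    scripts = sorted(letter_scripts(candidate))
    for known in trusted:
        if candidate.casefold() == known.casefold():
            return {"name": candidate, "verdict": "trusted", "matches": known}
        if cand_skel == skeleton(known):
            # Same skeleton but not the same ID: a lookalike of a trusted package.
            return {"name": candidate, "verdict": "homoglyph",
                    "matches": known, "scripts": scripts}
    if len(scripts) > 1:
        return {"name": candidate, "verdict": "mixed-script",
                "matches": None, "scripts": scripts}
    return {"name": candidate, "verdict": "unknown", "matches": None}


def scan(candidates: list, trusted: list = TRUSTED) -> list:
    """Return verdicts for every candidate that is not an exact trusted package."""
    results = [check_package_name(c, trusted) for c in candidates]
    return [r for r in results if r["verdict"] != "trusted"]


if __name__ == "__main__":
    # Constructed candidates: one clean, two with Cyrillic substitutions,
    # one mixed-script name that matches nothing, one plain unknown name.
    sample = [
        "Contoso.Logging",
        "C\u043entoso.Logging",            # Cyrillic o
        "Fabrikam.Http.Cli\u0435nt",       # Cyrillic ie
        "Northwind.D\u0430t\u0430.Extensions",
        "Unrelated.Package",
    ]
    for r in scan(sample):
        print(f"{r['verdict']:13} {r['name']!r} -> {r['matches']}")
```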
Sysdig Unveils CRYSTALRAY's Use of Off-the-Shelf Tools in Cyberattacks
Bottom Line Up Front (BLUF): The Sysdig Threat Research Team has identified a new cyber threat group, CRYSTALRAY, which uses a variety of open-source tools to steal credentials, install cryptominers, and maintain persistent access to victim networks.
Analyst Comments: Since February, CRYSTALRAY has expanded its operations to over 1,500 victims by employing open-source tools like zmap, asn, httpx, nuclei, platypus, and SSH-Snake. These tools are used for scanning, verifying vulnerabilities, and lateral movement within compromised networks. The group utilizes a package manager, pdtm, to organize these tools, making their operations efficient and scalable.
FROM THE MEDIA: Sysdig has exposed the activities of CRYSTALRAY, a new threat group using open-source tools for malicious purposes. By employing sophisticated scanning and exploitation techniques, CRYSTALRAY has successfully targeted over 1,500 networks. Their strategy includes utilizing tools like ASN, zmap, httpx, and nuclei for scanning and exploiting vulnerabilities, and SSH-Snake for lateral movement. The group’s reliance on open-source tools underscores the need for comprehensive cybersecurity measures to detect and prevent such attacks.
READ THE STORY: Computing // DarkReading
Russian Plot to Assassinate Rheinmetall CEO Armin Papperger Uncovered
Bottom Line Up Front (BLUF): U.S. intelligence discovered a Russian plot to assassinate Armin Papperger, CEO of German arms manufacturer Rheinmetall, which has been supplying weapons to Ukraine. German security services, informed by the U.S., successfully protected Papperger.
Analyst Comments: Actions like this underscore the heightened geopolitical tensions stemming from the Ukraine conflict, with Russia potentially targeting key figures in Western defense industries. Rheinmetall's role in supplying weapons to Ukraine has placed its leadership in the crosshairs. Historically, such assassination plots reflect broader strategies to destabilize and intimidate opponents by targeting influential individuals. The thwarting of this plot highlights the importance of international intelligence cooperation in safeguarding against asymmetric threats.
FROM THE MEDIA: U.S. intelligence services identified a Russian conspiracy to assassinate Armin Papperger, the CEO of Rheinmetall, a significant supplier of military equipment to Ukraine. Acting on this intelligence, German security services swiftly intervened to protect Papperger, effectively neutralizing the threat. This development is indicative of the ongoing clandestine efforts by Russia to undermine support for Ukraine amidst the ongoing conflict. Rheinmetall's contributions to Ukraine's defense capabilities have been substantial, making its leadership a potential target for hostile actions.
READ THE STORY: Reuters
Items of interest
China's APT41 Crew Adds Stealthy Malware Loader and Fresh Backdoor to Its Toolbox
Bottom Line Up Front (BLUF): Chinese government-backed cyber espionage gang APT41 has introduced a new loader named DodgeBox and a backdoor called MoonWalk to their malware arsenal. These tools enhance APT41's capabilities in digital espionage and financial crimes, continuing their focus on targeting entities in the Southeast Asian region.
Analyst Comments: APT41's introduction of DodgeBox and MoonWalk marks a significant evolution in their cyber toolkit. DodgeBox, a sophisticated shellcode loader, exhibits advanced features such as AES encryption, call stack spoofing, and environmental checks to ensure it targets the right systems and evades detection. Its design shows a clear progression from its predecessor, StealthVector, with significant improvements in its implementation. MoonWalk, used as a payload by DodgeBox, incorporates similar evasion techniques and leverages Google Drive for command-and-control (C2) communications, highlighting the group's continuous innovation in malware development. This development underscores the persistent threat posed by APT41 and their adaptive strategies in cyber espionage.
FROM THE MEDIA: Chinese cyber espionage group APT41, also known as Barium, Wicked Panda, and other aliases, has added new malware tools to its operations. Zscaler’s ThreatLabz research team identified a loader named DodgeBox and a backdoor called MoonWalk, both enhancing APT41's capabilities. DodgeBox is a shellcode loader written in C with features like AES encryption and call stack spoofing, making it more sophisticated than its predecessor, StealthVector. It performs various environmental checks and evasion techniques, such as using a salted FNV1a hash for DLL and function names to avoid static detection. MoonWalk, deployed by DodgeBox, uses Google Drive for C2 communications and shares similar evasion techniques.
READ THE STORY: The Register
APT41 2021 world tour (Video)
FROM THE MEDIA: Nikita Rostovtsev holds a master's degree in information security. He has worked at Group-IB for three years and is currently researching nation-state groups. In his spare time Nikita teaches Threat Intelligence courses for students.
Nullcon Berlin 2024 | How Things Are Going For APT41 In 2024 (Video)
FROM THE MEDIA: During our talk, we will share information about a recent cyberattack that we analyzed in January 2024 and attributed to APT41. It targeted a game development company located in South Korea, and its analysis revealed various innovative tricks used by attackers. Firstly, we will discuss how the threat actor leveraged the network storage of the attacked organization to infect target machines.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.