Daily Drop (824): | RU: Telegram Channels | CrowdStrike | Vigorish Viper | FluxRoot | CN: CentOS | Russian-Indian S-400 | CCP: Propaganda | WhisperGate | RU: Sanctions | UAC-0063 | Moray West | CARR |
07-23-24
Tuesday, Jul 23 2024 // (IG): BB // ShadowNews // Coffee for Bob
Measures of Effectiveness (MoE):
MoEs are used to assess how well a system or operation achieves its intended goals. They are qualitative or quantitative metrics that reflect the success of achieving desired outcomes. For example, in a cybersecurity context, an MoE could be the reduction in successful cyber-attacks after implementing new security protocols.
Results: We are seeing an uptick in “163.com”, “189.com” and “QQ” subscribers.
Popular Ukrainian Telegram Channels Hacked to Spread Russian Propaganda
Bottom Line Up Front (BLUF): Over the weekend, multiple prominent Ukrainian Telegram channels were hacked through a Russian service, FleepBot, allowing the dissemination of Russian propaganda. Ukrainian officials urge caution in using software from Russia.
Analyst Comments: This incident underscores the persistent cybersecurity threats faced by Ukraine amid its ongoing conflict with Russia. The exploitation of a Russian-owned service to infiltrate and manipulate popular information channels highlights the sophisticated and multi-faceted nature of modern cyber warfare. Historical parallels can be drawn to Cold War-era propaganda efforts, but the digital age amplifies the reach and immediacy of such attacks.
FROM THE MEDIA: Ukrainian cyber officials reported that several high-profile Telegram channels were compromised to spread "provocative messages" using FleepBot. The State Service of Special Communications and Information Protection (SSSCIP) emphasized the dangers of utilizing software from Russia. Channels with vast followings, including Times of Ukraine, Real Kyiv, and Kharkiv Live, were among the victims. In response, FleepBot acknowledged unauthorized access and assured users that no personal data was compromised. Despite previous similar incidents, Telegram remains a crucial tool for real-time information, though concerns about its security persist among Ukrainian officials.
READ THE STORY: The Record // FB // Zero Day
Supply Chain Squeeze Threatens to Blow UK Wind Power Plan Off-Course
Bottom Line Up Front (BLUF): The UK’s offshore wind power expansion is facing significant delays due to global supply chain disruptions, vessel shortages, and grid connection issues, potentially impacting the government's decarbonization targets for 2030.
Analyst Comments: The offshore wind sector is crucial for the UK’s energy transition, yet it is beleaguered by logistical challenges and competition for resources. Historical parallels can be drawn to other large-scale infrastructure projects that suffered similar setbacks due to global supply constraints and local opposition. The ongoing geopolitical and market dynamics necessitate a robust strategic plan to secure supply chains and expedite grid connectivity.
FROM THE MEDIA: The offshore wind industry, pivotal to the UK’s goal of decarbonizing electricity by 2030, is grappling with supply chain bottlenecks, vessel shortages, and delayed grid connections. At the port of Nigg, components for the Moray West offshore wind farm face delays amid a global rush for turbine parts and cabling. The Wind Orca installation vessel highlights the scarcity of such ships as new markets in the US and Asia outbid for them. Developers like Ocean Winds, which operates the Moray West project, report significant challenges in moving projects forward. Additionally, local opposition to new overhead pylons for grid connections poses further delays, potentially jeopardizing the sector's growth and the 2030 targets.
READ THE STORY: FT
Google Abandons Plan to Phase Out Third-Party Cookies in Chrome
Bottom Line Up Front (BLUF): Google has reversed its plan to phase out third-party cookies in its Chrome browser, opting instead for a new user-choice experience. This decision follows regulatory scrutiny and industry feedback, highlighting the challenges of balancing privacy with advertising needs.
Analyst Comments: Google's decision underscores the complexity of shifting from third-party cookies to alternative tracking methods. While Apple and Mozilla have successfully eliminated third-party cookies, Google's dual role as a browser vendor and ad platform complicates such transitions. The Privacy Sandbox initiative faced criticism for potentially consolidating data control under Google, prompting privacy and regulatory concerns. This reversal reflects ongoing challenges in achieving industry-wide consensus on privacy standards.
FROM THE MEDIA: Google announced it will no longer phase out third-party cookies in Chrome, instead introducing a user-choice mechanism for cookie management. This policy change comes after extensive delays and regulatory challenges, with critics arguing that the Privacy Sandbox merely shifts tracking power to Google. Apple and Mozilla, which ceased third-party cookie support in 2020, have criticized Google's Topics API for potential user fingerprinting and re-identification risks. The UK's Competition and Markets Authority is reviewing Google's new approach, emphasizing the ongoing regulatory oversight of the Privacy Sandbox initiative.
READ THE STORY: THN
Hacker Groups Abusing Google Cloud for Credential Phishing
Bottom Line Up Front (BLUF): Google has identified two hacker groups, Pineapple and Fluxroot, exploiting Google Cloud serverless projects to launch credential phishing attacks, targeting users primarily in Latin America.
Analyst Comments: The exploitation of cloud services by threat actors underscores the dual-use nature of technological advancements. Serverless architectures offer flexibility and cost-efficiency, which are beneficial for developers but equally attractive to cybercriminals. This trend necessitates enhanced vigilance and robust security measures to mitigate the risks associated with cloud-based infrastructure.
FROM THE MEDIA: Google's Threat Horizons report reveals that the Pineapple and Fluxroot groups have been using Google Cloud's serverless architecture for credential phishing. Pineapple has employed Cloud Run and Cloud Functions to distribute the Astaroth info stealer, creating phishing pages on legitimate Google Cloud domains to enhance their legitimacy. Fluxroot targets the Mercado Pago payment platform in Latin America, using Google Cloud container URLs to host credential phishing pages. Fluxroot is also known for the Grandoreiro banking trojan and has exploited other cloud services like Azure and Dropbox. The use of serverless and cloud architectures allows these groups to minimize costs and evade detection, highlighting the growing trend of cloud abuse in cybercrime.
CrowdStrike Addresses Critical Windows Update Issues, Tests New Opt-In Remediation Technique
Bottom Line Up Front (BLUF): CrowdStrike is addressing a widespread Windows outage caused by a faulty update that affected around 8.5 million devices. The company is deploying new remediation techniques and working closely with customers to restore systems.
Analyst Comments: This incident highlights the challenges of large-scale software updates and the potential risks of consolidation in the tech industry. The quick response by CrowdStrike and collaboration with major tech firms underscores the importance of swift action and transparency in maintaining customer trust during such crises. Historical examples of significant IT outages reveal the critical need for robust testing and contingency planning.
FROM THE MEDIA: On July 19, CrowdStrike released a defective update that disrupted approximately 8.5 million Windows machines, causing widespread system crashes and impacting various critical organizations. The company has tested a new remediation update to accelerate system recovery and has published self-remediation steps for affected users. CEO George Kurtz and CSO Shawn Henry have publicly apologized, emphasizing the company's commitment to resolving the issue and restoring customer trust. Microsoft has released a recovery tool to assist with repairs, and Delta Airlines remains one of the most affected companies, struggling with ongoing flight cancellations. CrowdStrike's stock has dropped significantly, and the incident has sparked discussions on the risks of tech industry consolidation.
READ THE STORY: The Cyber Express // The Record
Dark Web's 'Vigorish Viper' Syndicate Exploits Football to Promote $1.7 Trillion Illegal Gambling Market and Human Trafficking
Bottom Line Up Front (BLUF): The 'Vigorish Viper' syndicate, linked to the notorious Yabo Group, is leveraging European football sponsorships to promote a vast illegal gambling network, estimated at $1.7 trillion. This Chinese cybercrime syndicate is also implicated in money laundering and human trafficking.
Analyst Comments: The use of popular sports for promoting illicit activities is not new, but the scale and sophistication of the Vigorish Viper syndicate highlight the evolving methods of cybercrime. Their strategy of exploiting high-profile football sponsorships to access new markets, combined with advanced DNS-based tactics, reflects a blend of traditional organized crime with modern cyber capabilities. This development calls for increased vigilance and cooperation between cybersecurity experts and sports organizations to combat such illicit activities.
FROM THE MEDIA: The Vigorish Viper syndicate has emerged as a major player in the illegal online gambling world, using controversial football sponsorships to attract bettors, primarily targeting Greater China. Controlled by the Yabo Group, the syndicate's operations are deeply embedded in the global illegal gambling economy. Researchers from Infoblox revealed Vigorish Viper's use of sophisticated DNS configurations and a vast network of over 170,000 active domain names to evade detection. Despite crackdowns and severe penalties in China, the syndicate continues to thrive, illustrating the persistent and adaptive nature of cybercrime.
READ THE STORY: The Cyber Express // HackRead // THN
Russian Hackers Target Ukrainian Research Organizations
Bottom Line Up Front (BLUF): CERT-UA has exposed a hacking campaign by Russian group UAC-0063, linked to the GRU-backed Fancy Bear, targeting Ukrainian research entities through malicious Word document macros and sophisticated malware.
Analyst Comments: This campaign exemplifies the persistent and evolving nature of state-sponsored cyber threats. The use of macros in phishing emails and exploitation of server vulnerabilities underscores the importance of robust cybersecurity practices, including multifactor authentication and restricting administrative privileges. Historical parallels to past Fancy Bear operations reveal a consistent strategy of targeting critical sectors to gather intelligence and disrupt adversaries.
FROM THE MEDIA: Ukraine's CERT-UA reported that Russian hackers, identified as UAC-0063 and linked to the GRU-backed Fancy Bear, initiated a campaign on July 8, 2024, targeting Ukrainian research organizations. They used a compromised email to send a malicious Word document, embedding macros to deploy HATVIBE malware, which further installed the CHERRYSPY backdoor. A related file with similar macros, traced back to Armenia, was intended for the Armenian Ministry of Defense. CERT-UA highlighted the campaign's success due to weak cybersecurity measures, such as lack of multifactor authentication and poor macro policies. This incident emphasizes the ongoing cyber threat landscape and the critical need for stringent cybersecurity protocols.
READ THE STORY: The Cyber Daily
Treasury Sanctions Russian Hackers Over Critical Infrastructure Breach
Bottom Line Up Front (BLUF): The U.S. Treasury Department has sanctioned two members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR) for their involvement in a January cyberattack that caused water tank overflows in Texas.
Analyst Comments: This incident underscores the persistent threat posed by hacktivist groups targeting critical infrastructure. The sanctions signal the U.S. government's commitment to holding cybercriminals accountable and highlight the need for robust cybersecurity measures to protect vital systems. The connection to the GRU-affiliated Sandworm unit further illustrates the blending of criminal and state-sponsored cyber activities, complicating attribution and response efforts.
FROM THE MEDIA: On July 19, the U.S. Treasury sanctioned Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, leaders of the Cyber Army of Russia Reborn (CARR), for a January cyberattack on water storage tanks in Texas. The hack caused tens of thousands of gallons of water to overflow in Muleshoe and Abernathy. The Treasury's statement emphasized the unacceptable threat posed by targeting critical infrastructure. CARR also compromised a SCADA system of a U.S. energy company. The group is possibly linked to the GRU's Sandworm unit, known for attacks against Ukraine and the 2018 Winter Olympics. The Biden administration continues to sanction cybercriminals, including members of the LockBit ransomware group and Iran's CyberAv3ngers.
READ THE STORY: Meritalk
Russia Dismisses US Sanctions Against Members of 'Cyber Army' Hacktivist Group
Bottom Line Up Front (BLUF): Russia's embassy in Washington condemned US sanctions on two members of the Kremlin-aligned Cyber Army of Russia Reborn (CARR), calling them part of an ongoing anti-Russian propaganda campaign. The sanctions target Yuliya Pankratova and Denis Degtyarenko for their involvement in cyberattacks on critical infrastructure in the US and Europe.
Analyst Comments: The Russian response to the US sanctions highlights ongoing tensions between the two countries over cyber activities. The Kremlin's dismissal of the accusations as "Russophobia" fits a pattern of deflection seen in past cyber-related disputes. This rhetoric serves to rally domestic support while undermining international criticism. Historically, Russia's cyber operations have been a significant point of contention in its relations with Western nations, impacting diplomatic and security dynamics.
FROM THE MEDIA: Russia's embassy in Washington criticized the US for imposing sanctions on two members of CARR, describing the measures as part of a broader propaganda effort against Russia. The US accuses CARR of conducting malicious cyber activities targeting water supply, hydroelectric, wastewater, and energy facilities across the US and Europe, and low-impact operations against Ukraine. In response, the Russian embassy blamed the US for halting bilateral cooperation on information security and claimed the sanctions were a means to foster anti-Russian sentiments. The embassy's statement follows similar denials of cyberattack involvement in incidents with Australia and Germany.
READ THE STORY: The Record
Void Banshee Targets Victims Through Use of ‘Zombie’ Internet Explorer Zero-Day
Bottom Line Up Front (BLUF): The Void Banshee threat actor group is exploiting a critical zero-day vulnerability (CVE-2024-38112) in Internet Explorer to deploy the Atlantida info-stealer. This highlights the risks posed by legacy software on modern systems despite Microsoft releasing a patch.
Analyst Comments: The continued exploitation of vulnerabilities in legacy software like Internet Explorer underscores the importance of timely updates and the deprecation of outdated systems. The Void Banshee's use of spearphishing and sophisticated attack chains to deliver the Atlantida info-stealer reflects ongoing cyber threats targeting sensitive data. Organizations must prioritize robust cybersecurity measures, including regular updates, user education, and advanced endpoint protection to mitigate such risks.
FROM THE MEDIA: Researchers have discovered that the Void Banshee group is exploiting a critical zero-day vulnerability in Internet Explorer (CVE-2024-38112) to deploy the Atlantida info-stealer. The group disguises malicious files as e-books, distributed through various platforms, to initiate the attack chain. The vulnerability allows attackers to execute files through the disabled IE process, ultimately installing the info-stealer. Despite Microsoft patching the vulnerability, many systems remain unpatched, leaving them vulnerable. Security experts recommend immediate updates, robust email filtering, user education, and advanced endpoint protection to guard against such attacks.
READ THE STORY: The Cyber Express
Leak Exposes Details of Russian-Indian S-400 Deal
Bottom Line Up Front (BLUF): Cyber Resistance, in collaboration with InformNapalm, has leaked sensitive information from hacked emails of high-ranking Russian officers. The data reveals detailed inventories and contractual specifics of the Russian-Indian S-400 missile systems deal.
Analyst Comments: This leak underscores the significant vulnerabilities in Russia's handling of sensitive defense information and highlights potential risks for nations engaging in defense contracts with Russia. The exposure of such detailed contract information can have severe implications for diplomatic relations and national security. Historically, breaches of this nature strain trust and cooperation between involved nations, often leading to reevaluations of strategic partnerships.
FROM THE MEDIA: On July 15, 2024, Cyber Resistance and InformNapalm released a series of leaks called BaumankaLeaks, exposing sensitive details about the Russian-Indian S-400 missile systems deal. The leaks coincide with diplomatic tensions between India and Ukraine following President Zelensky’s criticism of a meeting between Indian PM Modi and Russian President Putin. The leaked emails provide comprehensive lists of S-400 components and munitions, revealing delays and dependencies in the contract. This incident demonstrates Russia’s inability to secure confidential information, posing a significant risk to its defense partners. The leaks also raise concerns about the confidentiality and security of international defense agreements in the current geopolitical climate.
READ THE STORY: Defence Blog // InformNapalm
China Touts 'Relative Immunity' to Internet Outage Spreading from America
Bottom Line Up Front (BLUF): The Chinese government is capitalizing on the recent CrowdStrike-induced internet outage to promote its cybersecurity resilience and caution against reliance on Western technology.
Analyst Comments: China's use of this incident to bolster its cybersecurity narrative underscores the geopolitical dimensions of tech vulnerabilities. By framing the outage as a "digital pandemic," China draws a parallel to public health crises, suggesting that reliance on Western tech poses systemic risks. This rhetoric could bolster China's cyber industry while casting doubt on Western technology’s reliability.
FROM THE MEDIA: In response to the widespread outages caused by a faulty CrowdStrike software update, Chinese state media are emphasizing China’s resilience and cybersecurity capabilities. The outage, which affected 8.5 million devices globally, has had minimal impact on China, attributed to the country's lesser reliance on CrowdStrike. Chinese cybersecurity firms, such as QAX and 360 Security Technology, have seized this opportunity to promote their products. The Global Times and Xinhua have used public health analogies to describe the situation, warning of future "digital pandemics" and highlighting the importance of cybersecurity self-reliance. This incident has sparked discussions in the U.S. about potential vulnerabilities, with Senator Eric Schmitt requesting a briefing from the Department of Defense on the matter.
READ THE STORY: The Washington Times
VOA Investigates Accused Russian Hacker at Center of Ukraine Cyber Plot
Bottom Line Up Front (BLUF): Amin Stigal, a 21-year-old Russian citizen, has been indicted by a Maryland grand jury for his alleged involvement in cyberattacks against Ukrainian state institutions and critical infrastructure in January 2022. These attacks aimed to create chaos and fear by leaking stolen personal data and deploying destructive malware known as WhisperGate.
Analyst Comments: The indictment of Amin Stigal highlights the complex interplay between cybercrime and state-sponsored activities. It underscores the use of non-state actors by intelligence agencies like the GRU to conduct cyber operations, offering plausible deniability for state entities. The involvement of young hackers, often recruited from online forums and gaming communities, illustrates the evolving nature of cyber warfare, where personal and state interests intertwine.
FROM THE MEDIA: In January 2022, hackers infiltrated Ukrainian government networks, deleting systems and leaking personal data. The malware, WhisperGate, was intended to incite fear. On June 25, 2024, Amin Stigal was indicted for these attacks, allegedly conducted in collaboration with Russia's GRU. His father, Tim Stigal, also faces unrelated wire fraud charges. Both deny the accusations. Amin, a former student and gamer, allegedly attempted further hacks on a U.S. government agency and a European transport network. The FBI and DOJ emphasize their commitment to combating such cyber threats. The Stigals' cases exemplify the blurred lines between individual cybercriminals and state-sponsored cyber operations.
READ THE STORY: VOA
Items of interest
Tencent Cloud Launches CentOS Variant Tuned for Chinese Silicon
Bottom Line Up Front (BLUF): Illicit shipments of semiconductors and restricted goods to Russia via China and Hong Kong have decreased, according to the U.S. Commerce Department. However, Hong Kong remains a major hub for sanctions evasion, with numerous high-end chips being diverted to Russia.
Analyst Comments: Despite a reported reduction in illicit transshipments, the persistence of Hong Kong as a hub for sanctions evasion highlights ongoing challenges in enforcing trade restrictions. This underscores the need for continued vigilance and stricter enforcement measures to prevent critical technology from supporting Russia's military efforts.
FROM THE MEDIA: Data reveals that transshipments of semiconductors and other restricted goods to Russia through Hong Kong and China have decreased by 28% and 19%, respectively. The U.S. Commerce Department attributes this decline to aggressive enforcement and engagement with companies. However, Hong Kong remains a key node for evading sanctions, facilitating the transfer of high-end chips to Russia. Major companies like Nvidia, Texas Instruments, and Intel emphasize their compliance with U.S. export regulations amidst concerns over their products reaching Russian military applications.
READ THE STORY: The Register
Inside the Lab Exposing U.S. Chips Powering Russia’s Weapons (Video)
FROM THE MEDIA: Despite Western sanctions, Russia keeps importing critical foreign-made components for its arms used against Ukraine. Data from RUSI, a British defense and security think-tank, reveals that 70% of foreign-made components found in 27 Russian weapons systems and military equipment used in the first four months of the war were made by American companies.
Hackers expose how Russia skirts sanctions for its weapons (Video)
FROM THE MEDIA: Despite tight sanctions, Western parts are being used in Russia’s battlefield weapons. CBC’s Ben Makuch meets with Ukrainian hackers who reveal that one arms maker is after Canadian technology and how a complex web of intermediaries makes it possible.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.
Wait what… You can’t really believe that.
Hey Bob, any news on CrowdStrike being a CIA cutout, and that Friday was a dry run for the cyber plandemic that was tabletopped a couple years ago? Thanks for your reporting. I read everyone.