Daily Drop (825): | Leidos Leak | DPRK: Trash Balloons | CN: X-37B Clone | Sino-Russian Linux | ML2 | Docker Flaw | UKA: Tesla Batteries | NCSC: CN VC | Fentanyl Express | Daggerfly | UN | BIND 9 DNS
07-25-24
Thursday, Jul 25 2024 // (IG): BB // ShadowNews // Coffee for Bob
Measures of Effectiveness (MoE):
MoEs are used to assess how well a system or operation achieves its intended goals. They are qualitative or quantitative metrics that reflect the success of achieving desired outcomes. For example, in a cybersecurity context, an MoE could be the reduction in successful cyber-attacks after implementing new security protocols.
Results: We are seeing an uptick in “163.com”, “189.com” and “QQ” subscribers.
CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software
Bottom Line Up Front (BLUF): The Internet Systems Consortium (ISC) has released patches for multiple critical vulnerabilities in BIND 9 DNS software, which could be exploited to cause denial-of-service (DoS) conditions. The vulnerabilities, with CVSS scores of 7.5, require immediate attention to prevent potential disruptions.
Analyst Comments: These vulnerabilities in BIND 9 DNS software highlight the ongoing risks in widely used infrastructure components. Given BIND's prevalence in managing DNS, the potential for DoS attacks could severely impact internet and network services. Organizations using BIND should prioritize updating to the latest patched versions to mitigate these threats.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about several critical vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 DNS software suite, identified by the Internet Systems Consortium (ISC). These vulnerabilities, if exploited, could enable cyber attackers to launch denial-of-service (DoS) attacks, severely impacting DNS servers.
Among the disclosed vulnerabilities, CVE-2024-4076, with a CVSS score of 7.5, involves a logic error that can cause assertion failures during lookups that require serving stale data from local authoritative zone data. Another vulnerability, CVE-2024-1975, also with a CVSS score of 7.5, is related to validating DNS messages signed with the SIG(0) protocol, which can lead to excessive CPU usage and a subsequent DoS condition. CVE-2024-1737, with a CVSS score of 7.5, allows for crafting an excessive number of resource record types for a single owner name, significantly slowing down database processing. CVE-2024-0760, similarly rated at 7.5, involves a malicious DNS client sending numerous queries over TCP without reading the responses, causing the server to respond slowly or become unresponsive to other clients.
These vulnerabilities could lead to various adverse outcomes, including unexpected termination of a named instance, depletion of CPU resources, and a significant slowdown in query processing, rendering the server unresponsive. The ISC has addressed these issues in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1, released earlier this month. Although there are no reports of these vulnerabilities being exploited in the wild, it is crucial for organizations using BIND 9 to apply the updates promptly to secure their DNS infrastructure against potential attacks. This disclosure follows a previous patch by ISC for the KeyTrap vulnerability (CVE-2023-50387), which also posed a DoS risk by exhausting CPU resources.
READ THE STORY: THN
Ukrainians Repurpose Tesla Batteries Amid Power Crisis
Bottom Line Up Front (BLUF): Facing severe electricity shortages due to Russian attacks, Ukrainians are creatively repurposing Tesla car batteries to provide alternative power sources for homes and businesses, highlighting resilience and innovation in the face of ongoing challenges.
Analyst Comments: The adaptation of Tesla batteries by Ukrainian businesses and households underscores a critical shift towards self-reliance and ingenuity in wartime. This initiative not only mitigates the impact of blackouts but also demonstrates the broader potential of electric vehicle technology in crisis scenarios. The ongoing conflict and its strain on infrastructure reveal the need for flexible energy solutions, reinforcing the importance of energy independence and resilience.
FROM THE MEDIA: In response to continuous power outages caused by Russian attacks on Ukraine's energy grid, local businesses are turning to innovative solutions. Mechanics in Kyiv are extracting batteries from discarded Teslas to create home battery systems, capable of powering homes for up to 10 hours. This practice has surged as the country grapples with severe electricity shortages, leaving some areas with power for only a few hours a day. Oleksandr Bentsa, a businessman in Kyiv, has spearheaded this initiative, converting old Tesla batteries into valuable resources for both civilians and the military. This effort is part of a broader trend of adapting to the crisis, with businesses and households increasingly relying on alternative energy sources to maintain operations and daily life amidst the conflict.
READ THE STORY: FT
Chinese Hackers Using Shared Framework to Create Multi-Platform Malware
Bottom Line Up Front (BLUF): Chinese hackers, specifically the Daggerfly espionage group, are exploiting shared frameworks to develop sophisticated multi-platform malware targeting Windows, Linux, macOS, and Android systems. Recent attacks in Taiwan and against a US NGO in China exemplify the group's evolving tactics.
Analyst Comments: The use of shared frameworks in developing multi-platform malware demonstrates an advanced level of coordination and resourcefulness by cyber espionage groups like Daggerfly. This approach allows them to efficiently target a broad range of systems, thereby maximizing the impact of their operations. The integration of new tools such as the Macma backdoor for macOS and the Suzafk backdoor for Windows indicates continuous evolution in their malware toolkit, enhancing their capabilities in espionage and data theft.
FROM THE MEDIA: Symantec researchers have discovered that the Daggerfly group, known for its espionage activities, has updated its malware toolkit with new versions of existing threats and a new macOS backdoor called Macma. This malware, active since 2019, has evolved significantly, now featuring enhanced capabilities such as improved logging and screen-capture functions. The group's attacks have recently targeted entities in Taiwan and a US NGO in China, using vulnerabilities in shared frameworks and an Apache HTTP Server vulnerability.
READ THE STORY: GBhackers
Fentanyl Express: The Supply Chain
Bottom Line Up Front (BLUF): An investigation by Reuters revealed how easily Chinese chemical suppliers ship fentanyl precursors to North America, allowing drug traffickers to produce large quantities of the deadly drug. Despite regulatory efforts, the trade remains robust due to the simplicity of the transactions and the ingenuity of sellers.
Analyst Comments: This investigation underscores the resilience and adaptability of the global fentanyl supply chain, highlighting significant challenges in regulating precursor chemicals. The ease of purchasing these chemicals online and their legal use in various industries complicates efforts to control their distribution. The findings suggest a need for enhanced international cooperation and stricter monitoring of chemical transactions to curb the flow of fentanyl precursors.
FROM THE MEDIA: Reuters reporters purchased enough precursor chemicals to make $3 million worth of fentanyl, demonstrating the simplicity and speed of these transactions. Chinese suppliers shipped the chemicals, often disguised as innocuous items, directly to addresses in Mexico and the United States. These purchases were made through regular internet searches and encrypted messaging apps, with payments primarily in Bitcoin. Despite regulatory measures, the flow of these chemicals continues, facilitated by legal loopholes and the vast volume of international trade. The investigation reveals how easily the fentanyl crisis can be perpetuated by exploiting the global chemical trade.
READ THE STORY: Reuters
Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
Bottom Line Up Front (BLUF): A critical flaw in Docker Engine, CVE-2024-41110, has been disclosed, allowing attackers to bypass authorization plugins. The vulnerability carries a CVSS score of 10.0, indicating maximum severity.
Analyst Comments: This vulnerability in Docker Engine highlights the critical nature of container security, especially for organizations relying on Docker for their cloud infrastructure. The flaw, initially discovered and patched in 2019, re-emerged in later versions, underscoring the importance of rigorous version control and continuous security audits. Users should urgently update to the fixed versions to mitigate any potential exploitation.
FROM THE MEDIA: Docker has issued a warning about a critical vulnerability, CVE-2024-41110, affecting certain versions of Docker Engine that could allow attackers to bypass authorization plugins. This privilege escalation flaw carries a maximum CVSS score of 10.0, reflecting its severity. The flaw can be exploited using an API request with Content-Length set to 0, which causes the Docker daemon to forward the request without the body to the AuthZ plugin. This could lead to incorrect approval of the request by the plugin.
READ THE STORY: THN
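The Docker flaw above comes down to a plugin that decides on whatever body it is handed. The following is an added example, not Docker's code or any published AuthZ plugin: it models the AuthZReq JSON a Docker daemon sends to an authorization plugin (field names RequestMethod, RequestUri, RequestHeaders and base64 RequestBody are assumed from the plugin API) and contrasts a body-only check, which approves a request whose body never reached it, with a fail-closed check that denies a body-bearing endpoint when no body arrives. The request shapes and the "no privileged containers" policy are constructed for the illustration.

```python
"""Fail-closed decision logic for a Docker AuthZ plugin (added example)."""
import base64
import json

# Endpoints whose meaning depends on the request body (constructed list;
# a real policy enumerates every endpoint it inspects).
BODY_REQUIRED_PREFIXES = ("/containers/create",)


def _decode_body(req):
    """Return the parsed JSON body, or None if absent or unreadable."""
    raw = req.get("RequestBody", "")
    if not raw:
        return None
    try:
        return json.loads(base64.b64decode(raw))
    except ValueError:  # bad base64 or bad JSON
        return None


def _strip_version(uri):
    """/v1.43/containers/create -> /containers/create (version prefix assumed)."""
    parts = uri.split("/", 2)
    if len(parts) == 3 and parts[1].startswith("v"):
        return "/" + parts[2]
    return uri


def _requests_privileged(body):
    host_config = body.get("HostConfig", {}) if isinstance(body, dict) else {}
    return bool(host_config.get("Privileged"))


def naive_decision(req):
    """Body-only check: anything it cannot see in the body is approved."""
    body = _decode_body(req)
    if body is not None and _requests_privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def hardened_decision(req):
    """Fail closed: a body-bearing endpoint with no readable body is denied."""
    path = _strip_version(req.get("RequestUri", "").split("?", 1)[0])
    body = _decode_body(req)
    if req.get("RequestMethod") == "POST" and path.startswith(BODY_REQUIRED_PREFIXES):
        if body is None:
            return {"Allow": False, "Msg": "request body missing or unreadable; denied"}
        if _requests_privileged(body):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def make_request(body_json, content_length=None):
    """Build a constructed AuthZReq for POST /containers/create."""
    encoded = base64.b64encode(body_json.encode()).decode() if body_json else ""
    headers = {"Content-Type": "application/json"}
    if content_length is not None:
        headers["Content-Length"] = str(content_length)
    return {
        "User": "alice",
        "UserAuthNMethod": "TLS",
        "RequestMethod": "POST",
        "RequestUri": "/v1.43/containers/create?name=test",
        "RequestHeaders": headers,
        "RequestBody": encoded,
    }


if __name__ == "__main__":
    privileged = '{"Image": "alpine", "HostConfig": {"Privileged": true}}'
    # Body forwarded normally: both plugins deny.
    print(naive_decision(make_request(privileged, len(privileged))))
    print(hardened_decision(make_request(privileged, len(privileged))))
    # Body stripped before it reaches the plugin: only the fail-closed one denies.
    print(naive_decision(make_request("", 0)))
    print(hardened_decision(make_request("", 0)))
```

The point for plugin authors is the second branch of hardened_decision: the absence of a body on an endpoint that always carries one is itself a policy violation, not a neutral condition to wave through. Patching the daemon remains the actual fix; the fail-closed rule limits the blast radius of the next bug of the same shape.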
Proposed UN Cybercrime Treaty Sparks Controversy
Bottom Line Up Front (BLUF): Human rights and privacy advocates are raising alarms about the current draft of the proposed UN Cybercrime Treaty, arguing that it empowers state surveillance and repression, endangers freedom of expression, and marginalizes vulnerable groups.
Analyst Comments: The draft of the UN Cybercrime Treaty has ignited significant controversy due to its broad scope and potential to enhance state surveillance powers. Critics argue that it goes beyond addressing cybercrime and could facilitate repressive regimes in curbing free speech and targeting dissidents. The inclusion of provisions that push private companies to monitor and intercept data in real-time without adequate safeguards is particularly concerning, as it risks turning businesses into de facto state agents.
FROM THE MEDIA: Human rights organizations such as Human Rights Watch and the Electronic Frontier Foundation (EFF) have criticized the proposed UN Cybercrime Treaty for its potential to exacerbate surveillance and repression globally. Tirana Hassan of Human Rights Watch highlighted that many countries, especially in the Middle East and North Africa, have cybercrime laws that target dissidents and journalists under the guise of protecting computer systems. The treaty, she warns, would expand police powers internationally without sufficient human rights protections, effectively enabling cross-border surveillance.
READ THE STORY: The Record
Bug in Update Checker Blamed for CrowdStrike Outages as Congress Demands Hearing
Bottom Line Up Front (BLUF): A faulty update checker at CrowdStrike caused global outages, impacting critical systems such as airlines and hospitals. Congress demands a hearing to investigate the incident and its implications for national security.
Analyst Comments: The CrowdStrike incident highlights the critical importance of rigorous validation and testing processes for cybersecurity tools, especially those used by major institutions. The failure in CrowdStrike’s Content Validator and the subsequent global disruptions underscore the potential risks posed by software bugs in cybersecurity solutions. This incident will likely prompt a reevaluation of update deployment strategies across the industry.
FROM THE MEDIA: CrowdStrike's faulty update on July 19 led to a Windows operating system crash, affecting around 8.5 million devices worldwide. The company’s “Content Validator” failed to detect problematic content, leading to widespread outages. In response, CrowdStrike plans to implement more localized testing procedures and staggered deployment strategies, and to provide customers with greater control over updates. The incident drew criticism from the White House, and the House Committee on Homeland Security has called for CrowdStrike to testify about the issue. The cybersecurity firm is now under pressure to restore its reputation by improving transparency and communication with its clients.
READ THE STORY: The Register // The Record
North Korean Trash Balloons Disrupt South Korea
Bottom Line Up Front (BLUF): North Korea launched about 500 balloons filled with trash into South Korea, causing flight disruptions and a rooftop fire. The balloons, part of a propaganda campaign, highlight escalating tensions and safety concerns.
Analyst Comments: The use of balloons for propaganda and disruption tactics between North and South Korea is a notable escalation in psychological warfare. While primarily a nuisance, the potential for such actions to cause significant disruptions or accidental harm illustrates the fragility of the current inter-Korean relations. These actions are likely to prompt stronger defensive measures from the South and could lead to increased diplomatic tensions.
FROM THE MEDIA: North Korea has released approximately 500 balloons carrying trash into South Korea, disrupting flights and causing a fire on a residential building's roof. This tactic, part of an ongoing propaganda campaign, has led to airport shutdowns and safety hazards. South Korean military officials reported that some balloons had timed poppers that could ignite fires. The recent surge in balloon activities near high-security areas like the presidential office underscores the need for heightened vigilance and response strategies. These incidents follow a pattern of psychological warfare tactics aimed at destabilizing the South and protesting against defectors and activists.
READ THE STORY: Reuters
ConfusedFunction Vulnerability in Google Cloud Platform
Bottom Line Up Front (BLUF): Cybersecurity researchers have uncovered a privilege escalation vulnerability, named ConfusedFunction, in Google Cloud Platform's (GCP) Cloud Functions service. This flaw could enable attackers to access other services and sensitive data without authorization.
Analyst Comments: The ConfusedFunction vulnerability exemplifies the risks associated with inter-service communication and permissions management in cloud environments. While Google has implemented a fix for new deployments, existing instances remain vulnerable, highlighting the ongoing challenges in securing cloud infrastructure. Organizations using GCP should urgently review and restrict permissions for Cloud Build service accounts to mitigate potential exploits.
FROM THE MEDIA: A newly identified vulnerability, ConfusedFunction, impacts Google Cloud Platform's Cloud Functions, allowing attackers to escalate privileges and access a range of services such as Cloud Build, storage, and artifact registry. This flaw, discovered by Tenable, stems from the default permissions granted to the Cloud Build service account when a Cloud Function is created or updated. Tenable's researchers revealed that this vulnerability permits lateral movement within a victim's project, enabling unauthorized data access, updates, or deletions. This could potentially allow attackers to leak the Cloud Build service account token through a webhook, providing further access to other connected services.
READ THE STORY: THN
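The mitigation the ConfusedFunction item calls for is reviewing what the Cloud Build service account is allowed to do. The following is an added example, not Tenable's or Google's code: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints (bindings of role to members), picks out the Cloud Build service account by its address pattern PROJECT_NUMBER@cloudbuild.gserviceaccount.com (assumed), and lists every role it holds beyond an operator-defined allowlist. The sample policy and the allowlist are constructed.

```python
"""Audit a GCP project IAM policy for over-privileged Cloud Build service accounts (added example)."""
import json
import re

# Cloud Build's default service account address pattern (assumption about GCP naming).
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Roles the operator has decided Cloud Build legitimately needs in this project
# (constructed allowlist; tune it to the pipelines actually in use).
ALLOWED_ROLES = {"roles/cloudbuild.builds.builder"}


def cloud_build_roles(policy):
    """All roles bound to any Cloud Build service account in the policy."""
    roles = set()
    for binding in policy.get("bindings", []):
        if any(CLOUD_BUILD_SA.match(m) for m in binding.get("members", [])):
            roles.add(binding["role"])
    return roles


def excess_roles(policy, allowed=ALLOWED_ROLES):
    """Roles the Cloud Build account holds that the allowlist does not grant."""
    return sorted(cloud_build_roles(policy) - set(allowed))


# Constructed sample policy: the Cloud Build account holds project-wide Editor
# and Storage Admin, far more than a build pipeline needs.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.test"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:dev@example.test"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX0placeholder",
  "version": 1
}
""")


if __name__ == "__main__":
    for role in excess_roles(SAMPLE_POLICY):
        print(f"Cloud Build service account holds role beyond allowlist: {role}")
```

Run against a real export by replacing SAMPLE_POLICY with `json.load(open("policy.json"))`. A non-empty result is the list to trim; the page notes that Google's fix applies only to new deployments, so existing projects need this review regardless of when they were created.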
US Warns Tech Start-Ups of Security Threats from Foreign Investors
Bottom Line Up Front (BLUF): The US National Counterintelligence and Security Center (NCSC) has issued a warning to tech start-ups about the risks posed by foreign investments, particularly from China, which could lead to the theft of sensitive data and intellectual property, threatening national security and economic stability.
Analyst Comments: This alert highlights the growing concern over foreign influence in critical technology sectors. The US government's emphasis on safeguarding emerging tech underscores the strategic importance of protecting intellectual property from adversarial nations. Start-ups, often in need of funding, must balance immediate financial needs with long-term security implications, reinforcing the need for stringent due diligence and regulatory compliance in investment activities.
FROM THE MEDIA: The US NCSC has cautioned tech start-ups about the risks of accepting investments from foreign entities, including those from China. The bulletin warns that adversaries might exploit these investments to gain access to sensitive data and intellectual property, posing significant threats to US economic and national security. The memo, created with input from various intelligence and security agencies, notes that foreign actors might use intermediaries and complex investment structures to avoid detection. The bulletin cites the strategic focus of Chinese venture capital on US emerging technologies, especially AI. The warning comes amid heightened vigilance in Silicon Valley against espionage and the potential collapse of start-ups due to compromised proprietary information.
READ THE STORY: FT
Sino-Russian Tech Independence and the CrowdStrike Incident
Bottom Line Up Front (BLUF): The recent CrowdStrike update fiasco, which crippled Windows-based systems globally, highlights the increasing tech independence of China and Russia. Both nations, moving away from Western proprietary software, largely avoided the disruption due to their adoption of domestic Linux distributions.
Analyst Comments: The CrowdStrike incident underscores the strategic advantage of tech independence in geopolitical maneuvering. China and Russia's shift to domestic operating systems like Kylin and ROSA Linux not only shields them from such global tech failures but also aligns with their broader goals of reducing reliance on Western technology. This approach could pay off significantly in the long run, especially in the context of ongoing geopolitical tensions and sanctions.
FROM THE MEDIA: The CrowdStrike update disaster disrupted Windows systems worldwide, but China and Russia were notably unaffected. This resilience is attributed to their strategic shift to domestic Linux distributions, such as Kylin in China and various Debian derivatives in Russia. China has been proactively replacing non-Chinese OSes with local alternatives, boasting millions of users for distributions like Kylin and Deepin. Similarly, Russia has increased its Linux adoption due to Western sanctions, with domestic distributions thriving. This move towards tech independence highlights the countries' long-term strategy to mitigate risks associated with Western software dependencies amidst escalating geopolitical tensions.
READ THE STORY: The Register
Data Breach at Pentagon IT Supplier Leidos
Bottom Line Up Front (BLUF): Internal documents from Leidos Holdings, a major IT services provider for the US government, were leaked on the dark web. Although the breach did not involve sensitive customer data, the incident underscores significant security vulnerabilities.
Analyst Comments: The leak from Leidos, involving internal corporate data, points to ongoing cybersecurity challenges faced by government contractors. While sensitive military information wasn't compromised, the breach raises questions about third-party security protocols and highlights the critical need for robust cybersecurity measures within defense industry supply chains.
FROM THE MEDIA: Leidos Holdings, an IT services provider for several US government agencies, experienced a data breach resulting in internal documents being leaked on the dark web. The breach, stemming from an attack on governance software provider Diligent Corporation in 2022, involved non-sensitive internal data such as employee reviews and complaints. Despite assurances that sensitive customer data was not compromised, the incident exposed vulnerabilities and emphasized the importance of enhanced security measures. Leidos, a key player in the defense sector with extensive contracts including recent NASA projects, is likely to face increased scrutiny to prevent future breaches.
READ THE STORY: The Register
Russia's Response to Olympic Isolation: Disinformation and Fake Games
Bottom Line Up Front (BLUF): In response to its exclusion from the Paris Olympics due to doping scandals and the invasion of Ukraine, Russia is launching disinformation campaigns, cyber threats, and hosting its own alternative sporting events, highlighting its isolation and defiance on the international stage.
Analyst Comments: Russia's reaction to its Olympic ban reflects its broader geopolitical stance, characterized by defiance and attempts to undermine Western institutions. The creation of "fake Games" and disinformation campaigns indicates an ongoing strategy to project resilience and maintain national pride despite international sanctions. This approach is likely to reinforce Russia's isolation while highlighting the political dimensions of global sports.
FROM THE MEDIA: Excluded from the Paris Olympics due to doping violations and the Ukraine invasion, Russia has retaliated by organizing its own sporting events, such as the Brics Games, which saw limited international participation. Simultaneously, Russia is ramping up disinformation campaigns and cyber threats against the Paris Games. Microsoft has warned of Russian attempts to damage the International Olympic Committee's reputation and instill fear of violence at the event. Despite these efforts, Russian athletes competing under a neutral status in Paris face restrictions and backlash from Russian sports officials. The overall situation underscores the geopolitical tensions influencing international sports and Russia's strategic use of alternative narratives to maintain domestic morale.
READ THE STORY: FT
Mistral Large 2: A Leaner, Meaner Rival to GPT-4-Class AI Models
Bottom Line Up Front (BLUF): Mistral AI has launched a 123-billion-parameter language model, Mistral Large 2 (ML2), which claims to rival top models like GPT-4 and Llama 3. Despite being significantly smaller, ML2 offers comparable performance and superior efficiency, making it an attractive option for commercial applications.
Analyst Comments: Mistral's ML2 underscores a critical shift in AI development towards optimized performance with fewer resources. By achieving high benchmark scores with a leaner model, Mistral addresses a major challenge in AI deployment: balancing computational cost and performance. This strategy not only positions ML2 as a competitive alternative to larger models but also highlights the growing importance of efficiency in AI technology.
FROM THE MEDIA: Mistral AI introduced its new 123-billion-parameter model, Mistral Large 2 (ML2), which boasts performance comparable to leading models like OpenAI's GPT-4 and Meta's Llama 3. Despite being smaller, ML2 excels in various benchmarks, including language, coding, and mathematics tests. Notably, it supports a 128,000 token context window and multiple languages, similar to its larger counterparts. ML2's compact size translates to higher throughput and lower operational costs, making it ideal for commercial use. However, it is released under the Mistral Research License, requiring a separate commercial license for business applications. This development marks a significant step in making advanced AI more accessible and efficient.
READ THE STORY: The Register
China's Secretive Spaceplane: Dual-Use Technology Testing
Bottom Line Up Front (BLUF): China's uncrewed, reusable spaceplane, observed releasing and retrieving objects in orbit, is likely testing both military and non-military technologies. The spaceplane’s capabilities could include satellite manipulation or inspection, posing potential security concerns.
Analyst Comments: China's advancements in spaceplane technology, mirroring the US's X-37B, reflect broader strategic ambitions in space. While the spaceplane’s exact purpose remains opaque, its dual-use potential underscores a critical area of interest for global security analysts. This development is part of China's broader efforts to establish a robust presence in space, with implications for both civilian and military applications.
FROM THE MEDIA: China's reusable spaceplane, which launches atop a rocket and lands at a military airfield, is likely testing technologies that could have both military and civilian applications. During its third mission, the spacecraft was seen releasing and then retrieving an object in orbit. Experts, including Marco Langbroek and Victoria Samson, suggest the spaceplane might inspect or disable enemy satellites, or refuel its own. Despite the secrecy, the spaceplane’s activity, such as changes in altitude and orbital inclination, indicates advanced capabilities. This aligns with similar US and Russian projects, reflecting the strategic importance of reusable spacecraft in modern aerospace technology.
READ THE STORY: Reuters // CyberNews
Revolut Secures UK Banking Licence After 3-Year Wait
Bottom Line Up Front (BLUF): Revolut has obtained a UK banking license after over three years of regulatory hurdles, enhancing its ability to expand its product offerings in its home market and marking a significant milestone for the London-based fintech.
Analyst Comments: Revolut's acquisition of a UK banking license is a pivotal development for the fintech, signaling regulatory confidence in its operations despite past auditing issues. This approval not only broadens its service capabilities but also strengthens its competitive position in the UK banking sector. The protracted approval process reflects the rigorous scrutiny fintechs face in meeting regulatory standards, particularly as they scale globally.
FROM THE MEDIA: Revolut has announced that it secured a UK banking license from the Prudential Regulation Authority, concluding a process that began in early 2021. This license will enable Revolut to expand its range of financial products and services in the UK, its largest market with about 9 million customers. The license, granted with restrictions to facilitate a phased rollout of banking operations, follows Revolut's acquisition of a European banking license from Lithuania. CEO Nik Storonsky expressed pride in reaching this milestone and committed to making Revolut the bank of choice for UK customers. The fintech, valued at $33 billion in its last fundraising round, is negotiating a share sale that could raise its valuation to $40 billion.
READ THE STORY: FT
Items of interest
Apple Criticizes Google's Topics Ad Technology
Bottom Line Up Front (BLUF): Apple criticizes Google's Topics API for digital fingerprinting risks, based on a University of Wisconsin-Madison study. Google counters, citing flawed randomization code in the study, reducing the perceived risk. Despite updates, some re-identification risks remain.
Analyst Comments: Apple's ongoing privacy campaign contrasts sharply with Google's approach. This criticism echoes past disputes, including the Federated Learning of Cohorts (FLoC) controversy. Both companies aim to balance ad efficiency with user privacy, but Apple's stance aligns more with stringent privacy advocates, while Google navigates advertiser demands and regulatory pressures.
FROM THE MEDIA: Apple recently highlighted upcoming privacy enhancements for Safari while criticizing Google's Topics API, which serves ads based on Chrome browsing history. Apple's claims, supported by a study from the University of Wisconsin-Madison, suggest that Topics enables advertisers to fingerprint users. Google refuted these claims, pointing out a flaw in the study's randomization code, reducing the fingerprinting risk from 57% to about 3%. Despite the corrected data, some level of user re-identification persists, leading to ongoing debates about the balance between privacy and ad targeting in web technologies.
READ THE STORY: The Register
Google’s Ad Tech Business Is Sued Over Antitrust Concerns (Video)
FROM THE MEDIA: The Justice Department has sued Google seeking to break up its digital advertising business. Google has had a foothold in nearly every part of the online ad-market and earns billions in revenue from the business.
WTF is the Justice Department’s ad tech antitrust case against Google?: Part 1 (Video)
FROM THE MEDIA: Over the past decade-plus, Google has come to dominate the digital advertising industry. And in the eyes of the U.S. Department of Justice, the search giant has become too dominant.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.