Daily Drop (862): | Kazatomprom | xAI | Biden-Xi | Musk Eco Views | RAMBO | APT-C-36 | Mustang Panda | NCA: CyberCrime | Quasar RAT | DHS: CSRB | Ford: In-Car ADs | Kimsuky | TrueLayer | CN: Apple AI

09-10-24

Tuesday, Sept 10 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester

---

---

Mustang Panda APT leverages Visual Studio Code’s reverse shell feature in espionage campaign targeting Southeast Asia.

Bottom Line Up Front (BLUF): The China-linked Mustang Panda APT group is exploiting Visual Studio Code’s reverse shell capabilities to launch cyber espionage attacks on government entities in Southeast Asia. By abusing the software’s portable version, the attackers gain remote access to compromised networks, executing commands and delivering malware. This campaign also involved the ShadowPad malware, suggesting either coordination between two Chinese threat actors or overlapping attacks by the same group.

Analyst Comments: Mustang Panda’s innovative use of Visual Studio Code for cyber espionage marks a concerning shift in tactics, as it demonstrates the group’s ability to repurpose legitimate tools for malicious purposes. This method allows them to infiltrate government systems stealthily and extract sensitive information, using widely available software. The simultaneous use of ShadowPad malware further complicates attribution, as it may indicate collaboration between multiple Chinese APT groups. The evolving nature of these attacks calls for stronger monitoring of developer tools and network traffic in high-risk regions like Southeast Asia.

FROM THE MEDIA: Mustang Panda, a Chinese APT group active since 2012, is using Visual Studio Code’s reverse shell feature to target government networks in Southeast Asia. Once compromised, attackers can remotely execute commands and spread malware across the network. The attack also featured ShadowPad, a modular backdoor, indicating potential collaboration between two Chinese espionage groups. The operation underscores the increasing complexity of cyber-espionage tactics in the region, as threat actors leverage both advanced tools and zero-day vulnerabilities to enhance their reach.

READ THE STORY:  THN

Apple's AI Shortcomings in iPhone 16 Disappoint Chinese Users Amid Huawei Rivalry

Bottom Line Up Front (BLUF): Apple's iPhone 16 launch faces criticism in China due to the delayed availability of its AI features, giving an edge to Huawei, which is set to unveil its tri-fold smartphone. Despite the backlash, analysts suggest that the absence of AI will not heavily impact Apple's short-term sales, though it could pose challenges in the long run.

Analyst Comments: Apple's latest iPhone 16 release highlights the company's struggle to keep pace with local competitors like Huawei in the critical Chinese market. The delayed launch of AI features in China underscores Apple's broader challenge of tailoring its products to local tastes. While Apple continues to enjoy brand loyalty due to its robust operating system, its competitive edge could erode as rivals like Huawei increasingly integrate AI as a key differentiator. This AI gap reflects a missed opportunity in a market that heavily values technological innovation.

FROM THE MEDIA: Apple unveiled its iPhone 16 with AI capabilities, but Chinese consumers were quick to express disappointment over the delayed availability of its AI functions, which will not support the Chinese language until next year. Social media discussions on platforms like Weibo were dominated by criticisms, with many users comparing Apple’s offering to Huawei’s upcoming foldable smartphone. However, some analysts argue that Chinese customers are not yet driven by AI features in making purchasing decisions. While Apple’s short-term sales are unlikely to be severely impacted, experts warn that long-term competitiveness could be at risk as AI becomes a significant factor in the domestic smartphone market.

READ THE STORY:  Reuters

Renewed military communication follows Biden-Xi agreement to stabilize US-China relations

Bottom Line Up Front (BLUF): US Indo-Pacific commander Admiral Samuel Paparo and Chinese General Wu Yanan held their first video call as part of ongoing efforts to reduce tensions between the US and China. This follows the agreement between Presidents Biden and Xi Jinping to restore military-to-military communication, a critical step in stabilizing bilateral relations. Paparo urged China to reconsider its "dangerous" actions in the South China Sea, highlighting the importance of international law and norms.

Analyst Comments: This exchange represents a cautious but important step toward restoring military dialogue between the US and China, which has been strained since the 2022 suspension of talks. The South China Sea remains a flashpoint in US-China relations, especially as China intensifies its assertive maritime behavior, not only towards the US but also its allies like the Philippines. Historically, direct military communication has been crucial in preventing misunderstandings and avoiding escalation, particularly in contested regions like the Indo-Pacific.

FROM THE MEDIA: US Indo-Pacific commander Admiral Samuel Paparo and China’s General Wu Yanan engaged in their first call, signaling renewed military engagement between the two countries. This follows an agreement made between President Biden and President Xi Jinping to reopen military channels to prevent rising tensions from spiraling into conflict. During the call, Paparo raised concerns about China’s coercive activities in the South China Sea, where confrontations with US allies, particularly the Philippines, have escalated. Both sides described the conversation as constructive, with hopes for further military dialogue to ensure operational safety and compliance with international laws.

READ THE STORY:  FT

New RAMBO Attack Leverages RAM Radio Signals to Steal Data from Air-Gapped Networks

Bottom Line Up Front (BLUF): A newly discovered attack, codenamed RAMBO, can exfiltrate data from air-gapped networks by manipulating random access memory (RAM) to emit radio signals. These signals can be intercepted remotely using standard radio equipment, posing a severe threat to highly isolated networks. Developed by Dr. Mordechai Guri from Ben Gurion University, the method allows sensitive information like keystrokes, documents, and encryption keys to be stolen via malware that encodes and transmits data through radio frequencies.

Analyst Comments: The RAMBO attack is the latest in a series of sophisticated techniques targeting air-gapped networks, traditionally seen as highly secure due to their isolation from external internet connections. By exploiting the physical properties of hardware like RAM, these attacks bypass conventional digital defenses. The challenge for cybersecurity professionals is twofold: protecting against the initial malware infection in air-gapped systems and mitigating the novel physical attack vector through techniques like radio jammers or physical isolation measures like Faraday cages.

FROM THE MEDIA: Dr. Guri’s research introduces RAMBO, a side-channel attack that uses electromagnetic signals from RAM to leak data from air-gapped systems. Once malware compromises a device, it manipulates RAM to generate radio signals, which can be captured remotely using software-defined radio (SDR) technology. The attack can steal data at a speed of 1,000 bits per second, enough to exfiltrate encryption keys, keystrokes, and small files. Countermeasures include physical isolation (Faraday cages), monitoring memory access at the hypervisor level, and using intrusion detection systems.

READ THE STORY:  THN

UK National Crime Agency Faces Cybercrime Challenges Amid Staffing Crisis

Bottom Line Up Front (BLUF): A new report highlights the critical staffing and resource issues within the UK's National Crime Agency (NCA), warning that it is "on its knees" due to a significant loss of experienced personnel, particularly in its cybercrime division. The NCA is losing nearly a fifth of its cyber capacity annually, driven by stagnant pay and a broken system that relies on temporary staff. These challenges come as cybercrime and online fraud surge, requiring an urgent overhaul of the agency's structure and funding.

Analyst Comments: The NCA’s current struggles reflect the broader issue of public sector underfunding in the UK, exacerbated by inflation and post-austerity budget constraints. With cybercrime on the rise, especially in the realms of ransomware and online fraud, the NCA’s reduced capacity puts the UK's security at risk. Comparisons with the FBI, where pay and retention are far stronger, further emphasize the agency’s dire need for reform. If the new Labour government is to fulfill its campaign promise of revitalizing the public sector, immediate investment in the NCA’s workforce is essential to prevent a deeper collapse in its ability to handle cyber and organized crime threats.

FROM THE MEDIA: The NCA, once seen as Britain’s answer to serious organized crime, is now severely hampered by a “brain drain” as experienced personnel exit the agency. The agency’s cyber division is losing nearly 20% of its workforce each year, largely due to low pay and unattractive working conditions. This exodus has forced the NCA to hire temporary staff and consultants, further straining its budget. Cybercrime, particularly online fraud, continues to grow, and the NCA’s ability to respond is being compromised. The report calls for immediate government action to restructure pay and provide the NCA with the resources it needs to combat these threats.

READ THE STORY:  The Record

Exploring how Musk’s economic views might align with Trump’s proposed efficiency commission and impact broader US policy

Bottom Line Up Front (BLUF): As Donald Trump contemplates reappointing Elon Musk to lead an efficiency commission for a potential second term, questions arise about how Musk’s libertarian-leaning economic views might influence U.S. governance. Musk opposes tariffs like Biden’s EV duties on China, raising concerns about how he’d handle Trump’s broader tariff policies. Musk’s ventures like Tesla and SpaceX have benefited from government funding, making his push for deregulation and privatization paradoxical in some ways.

Analyst Comments: Elon Musk’s economic philosophy is a blend of free-market ideals and heavy reliance on government support, a combination that mirrors past American industrial titans who leveraged public resources to grow their private enterprises. Historically, privatization in areas like space exploration has driven innovation but also increased monopoly power, as seen with SpaceX. If Musk were granted influence over economic policy, his vision of deregulation and reducing governmental oversight might lead to efficiencies but could also exacerbate wealth concentration and limit public accountability, particularly in strategic sectors like energy and technology.

FROM THE MEDIA: Musk’s potential involvement in Trump’s proposed efficiency commission could bring a crypto-libertarian lens to governance, emphasizing deregulation and privatization. While Musk has successfully lowered costs in sectors like space travel with SpaceX, critics worry about the concentration of economic power in the hands of a few tech moguls. His opposition to Biden’s tariffs on Chinese electric vehicles (EVs) is notable, especially since Trump’s economic plans involve further tariff expansions. Musk’s economic influence, particularly if he gains more policymaking power, could deepen debates over the role of public funding in private sector innovation and the limits of deregulation.

READ THE STORY:  FT

Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

Bottom Line Up Front (BLUF): The advanced persistent threat group Blind Eagle (APT-C-36) has launched a phishing campaign targeting the Colombian insurance sector. Using fake emails that impersonate the Colombian tax authority, the group is distributing a customized version of Quasar RAT, dubbed BlotchyQuasar, to infiltrate systems. The malware collects sensitive data, including keystrokes, browser information, and banking credentials, while hiding behind VPN nodes and compromised routers to evade detection.

Analyst Comments: Blind Eagle’s campaign against the Colombian insurance sector exemplifies the growing sophistication of regionally focused cyber threats. By customizing Quasar RAT with additional obfuscation layers and leveraging legitimate platforms like Google Drive for distribution, the group demonstrates advanced tactics to compromise financial institutions. The group's continued reliance on phishing lures and dynamic DNS services points to the importance of enhancing phishing defenses and monitoring network traffic for unusual activity, particularly in high-risk sectors like insurance and banking.

FROM THE MEDIA: Blind Eagle (APT-C-36) is targeting the Colombian insurance sector using phishing emails disguised as tax notifications. These emails lead victims to download a malware-laden ZIP file from Google Drive, containing a customized version of Quasar RAT. The malware, BlotchyQuasar, is equipped with keylogging, data theft, and command execution capabilities. This campaign primarily focuses on financial and governmental entities in Colombia and Ecuador, using compromised routers and VPN nodes to shield its infrastructure.

READ THE STORY:  THN

DHS Cyber Review Board Prepares for New Investigation Announcement

Bottom Line Up Front (BLUF): The Department of Homeland Security's (DHS) Cyber Safety Review Board (CSRB) will soon announce its next investigation, according to DHS Undersecretary Rob Silvers. The board, which was formed in 2021 to analyze significant cybersecurity breaches, has previously looked into high-profile incidents such as the Log4j vulnerability and Microsoft’s email breach. While speculation surrounds potential areas of focus, including a recent CrowdStrike outage, Silvers hinted the new investigation would meet strict criteria.

Analyst Comments: The CSRB’s work is vital for understanding cybersecurity vulnerabilities and enhancing defense strategies. Its upcoming investigation could delve into a major incident affecting either public or private sectors. The board’s focus on deep, factual inquiries ensures a comprehensive approach to root cause analysis. However, with its limited subpoena powers, future challenges may arise in extracting necessary information from uncooperative parties. As cyber threats from state actors and ransomware groups continue to evolve, CSRB's next move will be crucial in shaping US cybersecurity policy.

FROM THE MEDIA: Rob Silvers, chair of the DHS Cyber Safety Review Board, teased an imminent announcement regarding its next investigation, during a recent event in Washington, D.C. The board, which was created under President Biden's administration to examine critical cybersecurity incidents, has already conducted reviews of major threats like Log4j and the Lapsus$ hacking group. With seven full-time staff, the CSRB is gearing up to investigate another significant breach, with discussions about its scope already underway. Speculation includes high-profile cases such as the CrowdStrike outage in July, although Silvers declined to provide details.

READ THE STORY:  The Record

Kazatomprom Warns Ukraine War Hinders Uranium Supply to the West

Bottom Line Up Front (BLUF): Kazatomprom, the world’s largest uranium producer, has warned that Russia's war in Ukraine is complicating its ability to supply uranium to western markets. With growing demand from Russia and China, the company is facing increased pressure to shift its focus eastward, even as it seeks to maintain a diverse customer base in the West. Sanctions and disrupted supply routes have forced Kazatomprom to explore more costly alternatives to ship uranium to the West, raising concerns about future availability for western utilities.

Analyst Comments: Kazatomprom's warning underscores the increasing geopolitical risks surrounding global uranium supply chains. Russia's influence over Kazakhstan's uranium industry, coupled with China's growing demand, signals a potential shift in the balance of uranium exports away from western markets. Historically, Kazakhstan's central position in the uranium sector—producing 43% of global supply—has been a critical asset for both East and West. However, the ongoing war in Ukraine, sanctions on Russia, and logistical challenges may force Western utilities to seek alternative sources, highlighting the vulnerability of global energy supply chains in times of conflict.

FROM THE MEDIA: Meirzhan Yussupov, CEO of Kazatomprom, revealed that the war in Ukraine is creating challenges for the company to supply uranium to western countries. While Kazakhstan aims to maintain a diverse client base, shipping uranium through traditional routes via Russia is no longer viable due to sanctions. Instead, Kazatomprom is resorting to more expensive alternatives through the Caspian Sea and the Black Sea. With Russia and China leading global nuclear power expansion and exerting more influence over Kazakhstan, concerns are rising about long-term uranium availability for Western markets. The company is already sending a growing share of its production to Asia, with 49% directed to the region last year.

READ THE STORY:  FT

Ford Seeks Patent for In-Car Ads Based on Driver Conversations

Bottom Line Up Front (BLUF): Ford is pursuing a patent for technology that would allow its vehicles to listen to driver conversations and analyze trip data to serve personalized advertisements. This system, dubbed "in-vehicle advertisement presentation," could monitor conversations for keywords, predict routes, and assess driving conditions to deliver tailored ads. The move has raised privacy concerns, as the application does not clarify how such data would be protected.

Analyst Comments: Ford’s attempt to integrate targeted advertising into vehicles reflects the broader push towards monetizing user data across industries. While this innovation could offer relevant ads based on driver behavior, it raises significant privacy issues. Monitoring in-car conversations and collecting real-time location data may lead to concerns over surveillance and data security, particularly if the technology is widely adopted. Without clear data protection measures in place, this system could face legal and ethical challenges similar to other controversial patents Ford has explored, including tech that assists police in tracking speeding vehicles.

FROM THE MEDIA: Ford’s patent application outlines a system that would track conversations, driving speed, and destination data to deliver personalized ads through in-car interfaces. The technology is software-based, requiring no new hardware, and would gather information from audio signals and historical user data to predict ad relevance. Ford defended the patent, stating that such filings are routine and not necessarily indicative of future business plans. However, privacy advocates have raised concerns about potential data misuse, especially given Ford’s recent controversial patents involving law enforcement and vehicle repossession technologies.

READ THE STORY:  The Record

Multi-Manager Hedge Funds Face First Outflows in Seven Years Amid Weaker Returns

Bottom Line Up Front (BLUF): For the first time in seven years, multi-manager hedge funds have experienced net outflows, with over $30 billion in withdrawals over the past 12 months. These funds, which once attracted significant investment due to their consistent returns, have seen enthusiasm dwindle, partly due to weaker performance in 2023 and rising fees. While top funds like Citadel and Millennium continue to perform well, smaller players and rising operational costs have contributed to declining investor interest.

Analyst Comments: Multi-manager hedge funds, long considered a hot spot in the industry, now face a shift in investor sentiment. While the larger players remain closed to new money, smaller funds are underperforming compared to the risk-free rate, reflecting broader trends in hedge fund investment cycles. The increased operational costs, compounded by high pass-through fees, have strained these funds’ ability to maintain their allure. This shift may mark a cooling-off period, but the overall relevance of multi-manager hedge funds in the broader financial ecosystem remains intact, especially as top performers continue to show resilience.

FROM THE MEDIA: The multi-manager hedge fund sector, which gained prominence for delivering consistent returns through diversified trading strategies across multiple asset classes, is seeing its first outflows since 2016. Goldman Sachs data reveals more than $30 billion in net withdrawals in the year ending June 2024, with institutional investors like pension funds pulling back after years of ramping up exposure. Underperformance among smaller funds and high operational costs, driven by pass-through fees, have played a key role in reduced appetite. Despite this downturn, larger firms like Citadel and Millennium still show strong performance, and the sector remains influential in the broader hedge fund space.

READ THE STORY:  FT

North Korean-Linked Group Targets Russia and South Korea in Espionage Campaigns

Bottom Line Up Front (BLUF): The North Korean state-sponsored group Kimsuky, through its Konni-linked cyber actors, has ramped up cyber-espionage campaigns targeting South Korea and Russia. Using phishing emails and custom malware, Konni seeks to infiltrate governmental and enterprise systems in both countries. Researchers noted that the group employs nearly identical tactics to compromise devices and steal sensitive information, using phishing lures related to taxes and finance to infect targets with remote access trojans.

Analyst Comments: Konni’s simultaneous targeting of both South Korean and Russian entities demonstrates North Korea’s broadening cyber-espionage efforts, particularly as the regime seeks geopolitical intelligence. This dual targeting approach reflects a more complex cyber strategy, aimed at gathering sensitive information from both a traditional adversary, South Korea, and an uneasy ally, Russia. The use of similar malware and command-and-control methods across different regions shows Konni’s efficiency in repurposing established techniques while maintaining operational stealth. Understanding these patterns can help defenders better protect critical systems from North Korean cyber threats.

FROM THE MEDIA: A new report reveals that the Konni group, tied to North Korea's Kimsuky, has heightened cyber-attacks on South Korea and Russia, focusing on espionage through phishing campaigns. The group has been active since 2014 and has targeted entities like the Russian Ministry of Foreign Affairs and various South Korean enterprises. By using custom malware and similar attack methods in both countries, Konni has been able to maintain a significant presence in cyber-espionage operations, highlighting the persistent threat North Korean cyber actors pose to regional and global security.

READ THE STORY:  The Record

Elon Musk refutes claims of xAI licensing talks to boost Tesla's driver-assistance technology

Bottom Line Up Front (BLUF): Elon Musk denied reports that his AI startup, xAI, was in discussions with Tesla over a revenue-sharing deal in exchange for licensing its AI technology. The Wall Street Journal had suggested that xAI's models might be used to enhance Tesla’s full self-driving (FSD) software, potentially sharing future revenue. Musk, however, rejected these claims, stating Tesla had no need to license xAI technology despite its engineers helping with advancements in unsupervised FSD.

Analyst Comments: This denial highlights the complex interplay between Musk's ventures and raises questions about resource allocation and potential conflicts of interest. While Musk emphasizes xAI's indirect contributions to Tesla's self-driving advancements, his dual leadership of both companies might continue sparking speculation about deeper integration, especially given Tesla's push to refine its FSD capabilities. Historically, Musk has leveraged his cross-company synergies to innovate across sectors, so while direct licensing talks may not be happening now, closer collaboration between Tesla and xAI cannot be ruled out in the future.

FROM THE MEDIA: A recent report suggested that Tesla and xAI, Elon Musk’s artificial intelligence startup, were negotiating a deal that would grant Tesla access to xAI’s technology in exchange for a share of Tesla’s FSD revenue. Musk quickly disputed this, clarifying that while xAI engineers had contributed to Tesla's progress in achieving unsupervised FSD, no formal licensing agreement is in place. The Wall Street Journal had also indicated potential future integration of xAI’s technology into Tesla products, including voice assistants and humanoid robots.

READ THE STORY:  Reuters

Items of interest

Europe Must Reduce Dependence on US Payment Systems, Warns Stripe-backed Fintech

Bottom Line Up Front (BLUF): TrueLayer’s CEO, Francesco Simoneschi, has warned that Europe’s heavy reliance on US-based payment systems poses significant risks, especially in light of upcoming political changes in the US. The CEO of the Stripe-backed fintech company suggests that Europe must strengthen its own payment infrastructure to avoid potential disruptions and security threats. His comments come as the UK’s payment systems face scrutiny over Visa and Mastercard’s dominance.

Analyst Comments: Simoneschi’s concerns reflect growing awareness of Europe’s vulnerability due to its dependence on American payment technologies. While open banking and new initiatives like the European Payments Initiative aim to diversify the region’s payment infrastructure, progress has been slow. As geopolitical tensions and technological risks rise, Europe’s ability to build independent, resilient systems becomes critical to its financial stability and sovereignty. The current duopoly of Visa and Mastercard underscores the challenges in reshaping this landscape.

FROM THE MEDIA: The TIDRONE cyber espionage group, first identified in 2024, has primarily targeted Taiwanese drone manufacturers as part of a broader military-focused cyber campaign. According to cybersecurity firm Trend Micro, the group deploys advanced malware, including the CXCLNT backdoor and CLNTEND remote access tool (RAT). These tools facilitate data exfiltration, privilege escalation, and the disabling of antivirus software. The attackers exploit common enterprise resource planning (ERP) software and sideload malicious DLL files through Microsoft Word. Security researchers link TIDRONE’s tactics and tools to other known Chinese cyber espionage campaigns.

READ THE STORY:  FT

What is SWIFT Payment system? How will Swift action impact Russia (Video)

FROM THE MEDIA: The Digital Euro Association (DEA) hosts a webinar on the future of payments in the euro area. It will be discussed, how the future of money will look like and which role digital currencies, i.e. central bank digital currencies (CBDCs), cryptocurrencies, and stablecoins, will play for European payment systems.

BRICS Intra-bank Payment System Launched: What next? (Video)

FROM THE MEDIA: Russia and Iran, as two BRICS members, have finalized the integration of their national payment systems, a significant step toward enhancing their economic cooperation and circumventing U.S. sanctions. The heads of the central banks from both nations have been working closely to link Iran's SEPAM system with Russia's System for Transfer of Financial Messages (SPFS).

The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.