Daily Drop (864): | CN: Digital Silk Road | Glock Silencers | ICBC | Ivanti: EPM | Quad7 botnet | UA: Ramenskoye | DragonRank | Polaris Dawn | SpaceX | WHOIS | WordPress | SG: Alibaba Cloud |
09-12-24
Thursday, Sept 12 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
The Indian Ocean emerges as a key battleground in the contest for control over global communication infrastructure
Bottom Line Up Front (BLUF): The Western Indian Ocean (WIO) is becoming a critical front in the geopolitical contest over submarine data cables, with China leveraging its Digital Silk Road (DSR) to expand its influence. China's civil-military strategy, particularly through initiatives like the PEACE cable project, aims to gain control over global communication networks. This presents a significant challenge for nations like India, which are working to counter China's expansion by securing vital undersea infrastructure and enhancing their digital capabilities through strategic partnerships.
Analyst Comments: The growing competition between India and China in securing undersea data cables reflects broader regional and global power dynamics. China’s DSR and investments in submarine cables, particularly in regions like the Indian Ocean, allow it to assert influence over critical infrastructure. India, backed by like-minded nations such as those in the Quad, must accelerate its efforts to safeguard these assets, develop robust countermeasures, and establish itself as a key player in global data transmission networks. These cables are vital to both economic and military security, making their protection a priority in the evolving Indo-Pacific security landscape.
FROM THE MEDIA: Submarine data cables, the backbone of global communication, have emerged as a focal point in the geopolitical struggle for control over critical infrastructure in the Indian Ocean. China’s push through its Digital Silk Road (DSR) initiative, exemplified by projects like the PEACE cable, seeks to dominate the undersea cable industry and expand its influence across the region. In response, India is working to secure its position by protecting these cables and countering potential threats from espionage and sabotage. Strategic partnerships, such as with the Quad, are essential to mitigate China's growing influence and ensure the security of global digital communication networks.
READ THE STORY: DA
Alibaba Cloud Disrupted by Fire at Singapore Data Center
Bottom Line Up Front (BLUF): Alibaba Cloud services were disrupted after a lithium-ion battery explosion caused a fire at a Digital Realty data center in Singapore on September 10, 2024. The incident triggered service anomalies and outages in Availability Zone C, with Alibaba Cloud warning of potential network failures. Emergency measures, including a power shutdown, were implemented to prevent further damage.
Analyst Comments: The fire highlights ongoing concerns about the safety risks associated with lithium-ion batteries in critical infrastructure like data centers. As reliance on cloud services grows, incidents like this underscore the importance of robust disaster recovery systems and backup protocols. Alibaba Cloud’s rapid response mitigated some impact, but the event raises broader questions about energy storage and safety in high-density data environments.
FROM THE MEDIA: A lithium-ion battery explosion caused a fire in a Digital Realty facility housing Alibaba Cloud operations in Singapore. The fire, which started in the battery room, prompted an evacuation and emergency shutdown due to water accumulation and risks of electrical short circuits. Alibaba Cloud users were advised to activate disaster recovery plans, and the fire caused outages in several related cloud services across the region, including Digital Ocean and Cloudflare. Investigations into the cause are ongoing.
READ THE STORY: The Register
Foreign Companies Reconsider Investment in China Amid Market Challenges
Bottom Line Up Front (BLUF): Foreign companies in China are reaching a "tipping point" due to barriers to market access, low profitability, and regulatory challenges, according to the EU Chamber of Commerce. With China's domestic economy weakened and fierce competition driving down prices, many companies are now exploring alternative markets and reducing investments in the Chinese market.
Analyst Comments: China’s economic slowdown, regulatory uncertainties, and national security policies are driving foreign companies to rethink their strategies. While China remains a key global market, the attractiveness of alternative regions, coupled with China’s economic volatility, has forced companies to diversify investments and supply chains. The trend reflects growing concerns about China’s long-term business environment and its prioritization of national security over economic growth.
FROM THE MEDIA: Foreign businesses in China are facing rising challenges, with European companies reporting that barriers like stringent cybersecurity and data laws are making operations more difficult. The EU Chamber of Commerce warned that investment interest in China is waning, with foreign direct investment dropping 29% in the first half of 2024. Companies are shifting focus to other markets as growth in China becomes less profitable, despite the government's 5% GDP growth target. Many are also "siloing" their operations to meet local regulations while reducing headcounts and production efforts in the country.
READ THE STORY: FT
Hunters International Ransomware Gang Threatens to Leak Data from Chinese Mega-Bank's London HQ
Bottom Line Up Front (BLUF): Hunters International, a rising ransomware group, claims to have stolen 6.6TB of data from the London branch of the Industrial and Commercial Bank of China (ICBC). The group has threatened to release over 5.2 million files unless a ransom is paid by September 13. If the attack is confirmed, sensitive financial data from one of the world’s largest banks could be at risk, potentially damaging ICBC’s reputation and customer trust.
Analyst Comments: This attack highlights the growing trend of ransomware groups targeting high-profile financial institutions due to the value of their data. With ICBC being the largest bank globally, the pressure to meet ransom demands is immense, as such breaches can have long-term financial and reputational impacts. Additionally, Hunters International's rapid rise in the ransomware scene suggests that banks must bolster their defenses against increasingly sophisticated cyber threats.
FROM THE MEDIA: Hunters International, a ransomware-as-a-service gang, has claimed responsibility for breaching ICBC’s London branch, stealing 6.6TB of data. This could potentially expose sensitive financial information unless the bank meets its ransom demands by September 13. The ransomware group has targeted over 134 organizations this year and has made it clear that they do not target Russian entities, a common practice among cybercriminals operating from Russia. ICBC has not yet responded to inquiries about the breach.
READ THE STORY: The Register
Evolving tactics compromise routers from TP-Link, Asus, Zyxel, and others, with potential state-sponsored backing
Bottom Line Up Front (BLUF): The Quad7 botnet, known for compromising TP-Link routers, has expanded to target multiple Small Office/Home Office (SOHO) routers and VPN appliances, including devices from Asus, Zyxel, and D-Link. The botnet uses both known and unknown vulnerabilities to infiltrate systems, brute-force Microsoft 365 accounts, and deploy a new backdoor for stealthier operations. French cybersecurity firm Sekoia suggests the botnet, which opens TCP port 7777 on compromised devices, maybe the work of Chinese state-sponsored actors due to its sophistication and evolving tactics.
Analyst Comments: Quad7's expansion into targeting SOHO routers and VPN appliances signals a growing threat to both individuals and small businesses, which are often less equipped to defend against advanced botnet operations. The shift towards new backdoors and the use of HTTP-based reverse shells reflects the botnet operators' focus on maintaining stealth and avoiding detection. While the botnet's ultimate purpose remains unclear, its potential state sponsorship and ability to compromise devices across several countries make it a significant security concern for organizations relying on these vulnerable edge devices.
FROM THE MEDIA: The Quad7 botnet has expanded to target routers and VPN appliances from brands like TP-Link, Asus, and Zyxel. According to cybersecurity researchers, the botnet compromises devices using a mix of vulnerabilities and brute-force attacks to infiltrate networks. With its ability to establish remote control via HTTP-based reverse shells, Quad7 represents a highly stealthy and dangerous threat. The botnet’s evolution suggests it may be backed by a Chinese state-sponsored group, as it continues to target systems in multiple countries, including the U.S., Ukraine, and Bulgaria.
READ THE STORY: THN
Ukrainian Drone Strikes Moscow Suburb, Bringing War Closer to Russian Capital
Bottom Line Up Front (BLUF): A Ukrainian drone strike on the Moscow suburb of Ramenskoye on Tuesday killed one civilian and injured eight, marking the first reported death from drone attacks in the area. While Moscow had largely viewed the war in Ukraine as distant, this incident is a stark reminder of its proximity. Russian officials have dismissed any blame on air defense systems, framing the attack as an effort to induce panic among civilians.
Analyst Comments: This attack signals a significant escalation, breaching Moscow’s psychological barrier that had kept the war at arm’s length. With drone strikes now reaching the capital’s suburbs, public perception of safety could shift, although many residents remain detached from the conflict, treating it as a distant backdrop. For Putin, maintaining public support while minimizing the domestic impact of the war will become increasingly challenging as such attacks intensify.
FROM THE MEDIA: A Ukrainian drone strike in Ramenskoye, a Moscow suburb, caused the first reported civilian death from such attacks in the region. Russian officials said 20 drones were intercepted, but two reached residential buildings, killing a 46-year-old woman. Moscow's air defense systems are facing growing scrutiny, but local officials are focusing on providing aid to residents affected. Despite the incident, many Muscovites remain indifferent, with some still unaware of the attack, as life in the city continues largely unaffected by the ongoing conflict.
READ THE STORY: FT
SpaceX Frustrated as Starship Launch Delays Continue Due to FAA Red Tape
Bottom Line Up Front (BLUF): SpaceX is facing delays in launching its next Starship mission as it waits for the U.S. Federal Aviation Administration (FAA) to complete environmental and safety assessments. Originally ready for launch in August, SpaceX's plans to "catch" the Super Heavy Booster during the flight have been delayed until at least November. The company attributes the holdup to what it claims are unnecessary environmental reviews, but the FAA points to new information from SpaceX requiring broader analysis.
Analyst Comments: The tension between SpaceX and the FAA reflects the increasing regulatory scrutiny on space activities, especially as environmental and public safety concerns grow. While SpaceX's rapid development pace is impressive, government agencies must ensure compliance with regulations, particularly when public and environmental risks are at stake. These delays also affect NASA’s Artemis program, which relies on Starship for future lunar missions, potentially pushing back its timeline for a human return to the Moon.
FROM THE MEDIA: SpaceX’s next Starship flight, initially slated for August 2024, has been delayed due to extended FAA safety and environmental reviews. The FAA cited new information from SpaceX regarding environmental impacts as the reason for the longer review process. The approval slip has frustrated SpaceX, which accuses a small group of environmental critics of obstructing its progress. Meanwhile, the delay could push back NASA’s Artemis III mission, which depends on Starship for the lunar landing, already scheduled for no earlier than 2026.
READ THE STORY: The Register
Feds Seize 350 Websites Trafficking Counterfeit Glock Silencers from China
Bottom Line Up Front (BLUF): The U.S. Department of Homeland Security has seized over 350 websites involved in the illegal trafficking of counterfeit Glock silencers and gun conversion switches from China. The devices, prohibited under U.S. law, were used to convert firearms into automatic weapons and suppress gunfire noise. Federal agents carried out an undercover operation that led to the seizure of 700 devices and other firearms. These websites falsely labeled shipments as “necklaces” or “toys” to avoid detection, posing a significant threat to public safety.
Analyst Comments: This operation underscores the growing threat posed by counterfeit firearm accessories, particularly from China, and their impact on public safety. The Glock conversion switches, which can easily turn a semi-automatic firearm into a fully automatic weapon, have been a particular concern for law enforcement. The U.S. government’s action against these websites highlights the importance of international cooperation in combating illegal firearms trafficking and curbing violent crime facilitated by such devices. The seizure also signals that counterfeit goods trafficking, even involving small, easily concealed items, remains a significant national security issue.
FROM THE MEDIA: In a major crackdown, U.S. federal agencies have seized 355 domains involved in trafficking counterfeit Glock silencers and machinegun conversion devices from China. These websites sold illegal firearm accessories, including silencers and “switch” devices that convert semi-automatic pistols into machine guns. The operation resulted in the confiscation of 700 conversion devices, 87 silencers, and several firearms. The trafficked items were disguised as innocuous goods to evade detection, with authorities seizing the devices from U.S. postal mailboxes used by the suspects. The takedown represents a critical step in disrupting the illegal trade of dangerous firearm components.
READ THE STORY: Cybernews
WHOIS protocol flaws expose critical vulnerabilities, potentially allowing nation-state cyberattacks on trusted internet systems
Bottom Line Up Front (BLUF): Researchers from watchTowr Labs revealed at Black Hat how they exploited an expired domain tied to the WHOIS protocol for the .mobi top-level domain, exposing critical vulnerabilities in certificate authorities (CAs). This lapse allowed them to intercept millions of queries from government, military, and private systems, potentially allowing cybercriminals or nation-states to issue fraudulent certificates and compromise sensitive communications. The incident underscores significant flaws in internet infrastructure management, particularly related to expiring domains and the reliability of CAs.
Analyst Comments: This revelation highlights the fragility of the internet's foundational trust mechanisms, particularly how overlooked assets like expiring domains can lead to serious security breaches. The potential for malicious actors to exploit this gap, especially in the issuance of TLS/SSL certificates, presents a profound risk to global internet security. As governments and organizations rely on certificate authorities to verify identity and secure data, a compromised WHOIS response could facilitate large-scale man-in-the-middle attacks, undermining trust in digital communication across critical sectors.
FROM THE MEDIA: At Black Hat, watchTowr Labs researchers demonstrated how they exploited an expired domain linked to the .mobi TLD’s WHOIS server, revealing significant vulnerabilities in the certificate authority ecosystem. The researchers purchased the domain for $20 and intercepted over 135,000 systems querying the server, including those from governments, militaries, and major corporations. These vulnerabilities could have allowed nation-states to issue malicious certificates for prominent domains like Google and Microsoft, jeopardizing internet security. While no malicious activity occurred, the discovery raises concerns over the integrity of the infrastructure that keeps the internet secure.
READ THE STORY: The Register
WordPress to Enforce Two-Factor Authentication for Plugin and Theme Developers
Bottom Line Up Front (BLUF): Starting October 1, 2024, WordPress will mandate two-factor authentication (2FA) for accounts with access to updated plugins and themes, enhancing the security of the platform’s ecosystem. The new policy also includes the introduction of high-entropy SVN passwords to separate code commit access from main account credentials. These measures are designed to counter the risk of malicious actors compromising developer accounts, injecting malicious code, and triggering large-scale supply chain attacks.
Analyst Comments: WordPress's move to enforce 2FA and introduce SVN passwords marks a critical step in securing one of the most widely used content management systems. By targeting plugin and theme developers—key entry points for potential attackers—the platform seeks to mitigate the growing threat of supply chain attacks, which have plagued software ecosystems in recent years. The additional layer of security will not only bolster the trust of millions of site owners but also set a standard for other open-source platforms in addressing vulnerabilities.
FROM THE MEDIA: To bolster security, WordPress.org will require developers with plugin and theme update privileges to activate two-factor authentication (2FA) starting October 2024. This measure, along with the introduction of SVN passwords, is designed to prevent unauthorized access and mitigate risks of supply chain attacks. The announcement comes as threats to WordPress sites escalate, including recent ClearFake campaigns aimed at distributing malware. By focusing on securing developer accounts, WordPress aims to safeguard its extensive ecosystem, which powers millions of websites globally.
READ THE STORY: THN
Chinese DragonRank Hackers Exploit Global Windows Servers for SEO Fraud
Bottom Line Up Front (BLUF): The Chinese-speaking hacking group DragonRank has compromised over 30 Windows servers worldwide, including in Thailand, India, and Belgium, exploiting IIS vulnerabilities to manipulate search engine optimization (SEO) rankings. These attacks distribute scam websites and deploy malware such as PlugX and BadIIS, along with tools like Mimikatz for credential harvesting. The group operates a business-like model, offering SEO manipulation services to clients through platforms like Telegram.
Analyst Comments: DragonRank’s exploitation of Windows IIS servers highlights the growing threat of SEO-based cyberattacks. By manipulating web rankings, attackers can drive unsuspecting users to malicious websites, expanding the scope of their malware distribution. The use of advanced tools like PlugX and BadIIS underscores the sophistication of these operations, which blend cybercrime with traditional business models. Organizations must strengthen their defenses by regularly updating systems, monitoring network activity, and deploying advanced threat detection measures to counter these evolving attacks.
FROM THE MEDIA: The DragonRank hacking group has targeted over 30 Windows servers globally, using IIS vulnerabilities to manipulate search engine rankings and distribute scam websites. According to a report by Cisco Talos, the group deploys web shells like ASPXspy to gain control of compromised servers, spreading malware including PlugX, a remote access tool, and BadIIS, which alters SEO results. The group runs a professional service offering tailored SEO fraud services, further complicating efforts to combat its activities. Businesses are advised to update their systems, implement advanced threat detection, and train staff to avoid falling victim to these sophisticated attacks.
READ THE STORY: HackRead
First commercial spacewalk using SpaceX-designed suits set to take place, alongside surpassing Gemini 11's altitude record
Bottom Line Up Front (BLUF): SpaceX’s Polaris Dawn mission has successfully launched after multiple delays, with the goal of surpassing the altitude record set by Gemini 11 in 1966 and conducting the first commercial spacewalk using SpaceX-designed EVA spacesuits. The mission, expected to last five days, is led by billionaire Jared Isaacman, who also commanded the earlier Inspiration4 mission.
Analyst Comments: Polaris Dawn represents a significant step for SpaceX in commercial space exploration. By pushing the boundaries of altitude and extravehicular activity (EVA), this mission demonstrates SpaceX's growing capabilities in human spaceflight. The technology validation from this mission, particularly the testing of new spacesuits and EVA protocols without an airlock, could have lasting impacts on future deep-space missions, including NASA’s Artemis program and potential Mars expeditions.
FROM THE MEDIA: SpaceX launched its Polaris Dawn mission, aiming to set a new altitude record by reaching 1,400 km and conducting a commercial spacewalk. The mission uses the Crew Dragon Resilience capsule, which had previously flown the Inspiration4 mission. After an umbilical helium leak and weather-related delays, the Falcon 9 successfully launched the crew from Florida’s Kennedy Space Center. The mission includes a demonstration EVA, where two astronauts will exit the depressurized capsule to test SpaceX's custom-designed spacesuits.
READ THE STORY: The Register
Ivanti Urgently Patches Critical Endpoint Manager Vulnerabilities
Bottom Line Up Front (BLUF): Ivanti has released critical updates to patch multiple vulnerabilities in its Endpoint Manager (EPM), including a deserialization flaw (CVE-2024-29847) with a maximum CVSS score of 10.0. These flaws could allow remote attackers to execute code, compromising systems. Ivanti advises users to update EPM to the latest version to avoid potential exploitation. Additional vulnerabilities impacting Ivanti Workspace Control and Cloud Service Appliance were also addressed in the September update.
Analyst Comments: The vulnerabilities in Ivanti's Endpoint Manager highlight the persistent risks faced by organizations relying on unpatched software. Although there is no evidence of active exploitation, the critical severity of these flaws, including remote code execution risks, emphasizes the need for immediate action. Given Ivanti's recent history of being targeted by advanced threat actors, including China-linked groups, the urgency to apply these patches cannot be overstated, particularly for organizations managing critical infrastructure.
FROM THE MEDIA: Ivanti has issued urgent patches for critical vulnerabilities in its Endpoint Manager (EPM), addressing 10 high-severity flaws, the most dangerous being a deserialization vulnerability allowing remote code execution (CVE-2024-29847). Users are advised to upgrade to EPM versions 2024 SU1 and 2022 SU6. Though no active exploitation has been reported, Ivanti has bolstered its internal security measures to mitigate risks. This comes in the wake of cyberattacks exploiting Ivanti zero-day flaws by espionage groups, underscoring the importance of timely updates for security-critical systems.
READ THE STORY: THN
Items of interest
Nippon Steel Makes Last-Ditch Effort to Salvage $15bn US Steel Deal Amid Election Politics
Bottom Line Up Front (BLUF): Nippon Steel is sending its vice-chair to Washington in a final push to save its $15bn bid for US Steel, a deal opposed by President Joe Biden and Vice President Kamala Harris due to national security concerns. With US Steel based in the key swing state of Pennsylvania, the acquisition has become a hot issue in the 2024 US presidential race, with both Harris and Donald Trump opposing foreign ownership. Experts argue Japan, a close ally of the US, does not pose a security threat, but political considerations and the steelworkers' union opposition are complicating the deal.
Analyst Comments: The Nippon Steel acquisition of US Steel presents a complex intersection of economic interests, national security, and election-year politics. Japan, a crucial US ally, is unlikely to pose a legitimate security risk, yet the deal's timing—amid a heated presidential race—has made it a political flashpoint. Both the Biden administration's hard stance and Trump’s opposition cater to domestic union support and reflect broader concerns over foreign influence in key industries. This situation also highlights the geopolitical balancing act as the US seeks Japan’s cooperation on other security matters while resisting its economic ambitions.
FROM THE MEDIA: Nippon Steel is scrambling to salvage its $15bn bid for US Steel, which has drawn opposition from both the Biden administration and union groups. The deal, under review by the Committee on Foreign Investment in the US (CFIUS), has become a pivotal issue in the 2024 presidential election, especially in Pennsylvania, where US Steel is headquartered. Although some US officials dismiss the national security risk argument, political concerns, and the upcoming elections influence the deal’s prospects. Nippon Steel’s vice-chair is set to meet with US officials to address problems and save the acquisition.
READ THE STORY: FT
Harris Opposes US Steel-Nippon Steel Merger (Video)
FROM THE MEDIA: Vice President Kamala Harris is speaking out for the first time against Japan-based Nippon Steel's proposed acquisition of US Steel. Bloomberg's Tyler Kendall reports from the White House on how the merger is impacting the presidential race and union support for the candidates. She speaks on Bloomberg's "Balance of Power."
Why the U.S. Steel sale is generating controversy (Video)
FROM THE MEDIA: A $14 billion deal for Japan's Nippon Steel to buy out U.S. Steel is facing stiff opposition. CBS Pittsburgh money and politics editor Jon Delano examines the details of the sale — and why lawmakers oppose it.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.