Daily Drop (876): G7: Quantum Tech | Salt Typhoon | ICEFCOM | SloppyLemming | Pwn2Own | Mozilla: GDPR | CrowdStrike | RU: VPN Apps | TEMU | Shipping Industry: Lumma Stealer, StealC, DanaBot Attacks
09-26-24
Thursday, Sept 26 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
Salt Typhoon: China’s Infiltration of U.S. Internet Providers
Bottom Line Up Front (BLUF): Salt Typhoon, a Chinese state-sponsored cyber campaign, has infiltrated U.S. internet service providers (ISPs) in a sophisticated effort to gather intelligence and pre-position itself for potential disruptive attacks. This operation is part of a broader pattern of Chinese cyber activities targeting critical U.S. infrastructure, raising significant concerns about national security vulnerabilities.
Analyst Comments: Salt Typhoon exemplifies China's evolving cyber capabilities, emphasizing both espionage and preparation for conflict scenarios. Its targeting of core U.S. internet infrastructure parallels earlier operations like Volt and Flax Typhoon, revealing a strategic emphasis on controlling key systems that could hinder U.S. responses in a geopolitical crisis, particularly regarding Taiwan. The sophistication of Salt Typhoon's tools, such as in-memory malware and rootkits, underscores the urgency of bolstering defenses in sectors critical to national security.
FROM THE MEDIA: Salt Typhoon, attributed to Chinese APT groups including GhostEmperor and FamousSparrow, launched a campaign in 2024 focusing on U.S. ISPs, potentially breaching sensitive network infrastructure. Employing advanced tactics such as rootkits, in-memory malware, and lateral movement through compromised networks, the group targeted Cisco routers and other core internet systems. This effort parallels other Chinese APT operations like Flax and Volt Typhoon, aimed at long-term surveillance and pre-positioning for future attacks. These activities align with China’s broader strategic ambitions, particularly concerning geopolitical hotspots like Taiwan. The threat posed by Salt Typhoon underscores the need for enhanced cybersecurity to protect critical infrastructure from such state-sponsored threats.
READ THE STORY: Cyber Roundup
China Accuses Taiwan's Cyber Warfare Unit of Sponsoring Anti-Beijing Attacks; Taipei Laughs Off Claims
Bottom Line Up Front (BLUF): China's Ministry of State Security accused Taiwan of orchestrating cyberattacks through its Information, Communications, and Electronic Force Command (ICEFCOM), allegedly sponsoring the group Anonymous64. These attacks reportedly targeted websites in mainland China, Hong Kong, and Macau with anti-government content. Taiwan has denied the allegations, dismissing China's claims as baseless, while Anonymous64 mocked the accusations online. The incident is the latest development in the ongoing cyber and political tensions between the two governments.
Analyst Comments: China’s latest cyber accusations against Taiwan reflect the growing importance of cyber warfare in geopolitical confrontations. While both countries continue to ramp up their cyber capabilities, this incident underscores Beijing's focus on controlling narratives and Taiwan's rejection of unification efforts. Accusing Taiwan’s military of backing Anonymous64 seems part of a larger strategy to frame cyber attacks as part of Taipei’s broader pro-independence agenda. With China’s emphasis on protecting digital infrastructure, this narrative fuels its internal propaganda while prompting the region to remain vigilant in defending against both cyberattacks and misinformation.
FROM THE MEDIA: China’s Ministry of State Security accused Taiwan’s military of sponsoring cyberattacks through the group Anonymous64, targeting Chinese government-related websites with politically charged content. The ministry claimed that Anonymous64, reportedly part of Taiwan’s ICEFCOM, aimed to control internet portals and broadcast anti-Beijing messages. Taiwan quickly dismissed these claims as untrue, with its defense ministry calling the accusations baseless. Anonymous64 further mocked China’s allegations by sharing a GIF online, adding to the tensions. Beijing’s response highlights the ongoing cyber conflict between the two entities, with China reiterating its stance that Taiwan’s efforts for independence are futile.
READ THE STORY: The Register
House Republicans Compare Temu's Potential Security Risks to TikTok Amid Concerns Over Chinese Data Access
Bottom Line Up Front (BLUF): House Republicans have called for an investigation into Chinese e-commerce platform Temu’s data practices, citing potential ties between the platform's parent company, Pinduoduo (PDD), and the Chinese Communist Party (CCP). The inquiry seeks to understand whether Temu’s handling of American consumer data presents a national security risk, following similar concerns raised about TikTok.
Analyst Comments: The scrutiny of Temu echoes earlier Congressional investigations into TikTok and marks a growing pattern of concern over personal data handled by Chinese-owned companies. The push for an investigation rests on precedent: Google suspended Pinduoduo's app from the Play Store in 2023 after researchers reported that versions of it exploited Android vulnerabilities to gain persistence and collect device data. Temu's rapid rise in the U.S., combined with Chinese national security and data laws that can compel companies to assist state authorities, makes it a focal point for lawmakers wary of CCP access to consumer data. This reflects the broader tension in U.S.-China relations over technology and cybersecurity.
FROM THE MEDIA: House Republicans have urged U.S. agencies, including the FBI and the Securities and Exchange Commission (SEC), to investigate the data practices of Temu, a Chinese e-commerce platform that has seen rapid growth in the U.S. since 2022. Concerns are mounting over Temu’s potential links to the Chinese Communist Party, mirroring issues raised in the ongoing scrutiny of TikTok. Lawmakers are asking whether Temu’s parent company, Pinduoduo, has been investigated for data security risks, citing past reports of malware and security vulnerabilities. The request for investigation comes amid rising fears that Chinese platforms may be compromising U.S. consumer data for national security purposes.
READ THE STORY: The Record
India-Linked SloppyLemming Hackers Target South and East Asian Entities
Bottom Line Up Front (BLUF): SloppyLemming, an India-linked advanced threat actor, is conducting cyber espionage campaigns against South and East Asian entities using spear-phishing, credential harvesting, and malware attacks. The group has been active since 2021, targeting critical sectors such as government, law enforcement, and energy across Pakistan, Sri Lanka, Bangladesh, China, and more.
Analyst Comments: SloppyLemming's use of Cloudflare Workers for command-and-control (C2) and credential harvesting reflects a growing trend of campaigns abusing legitimate cloud platforms so that malicious traffic blends in with normal use; defenders should treat unexpected workers.dev and similar developer-hosting domains in mail links and outbound connections as worth inspecting rather than implicitly trusted. Reported overlaps with other South Asian clusters, such as Pakistan-aligned SideCopy and India-aligned SideWinder, point to a broader regional contest fought through cyber espionage. These activities suggest that geopolitical tensions are increasingly spilling over into the cyber domain, targeting key infrastructure and sensitive government data.
FROM THE MEDIA: Cloudflare has issued warnings about SloppyLemming, an advanced threat group with links to India, targeting various government and critical infrastructure entities in South and East Asia. Active since at least 2021, the group uses cloud services for credential harvesting and malware deployment, leveraging spear-phishing emails to trick recipients into clicking malicious links. Targets include government agencies, law enforcement, and energy sectors in countries like Pakistan, Sri Lanka, and Bangladesh. Their tactics include using a custom-built tool called CloudPhish and exploiting vulnerabilities to deploy remote access trojans (RATs) such as Ares RAT. SloppyLemming's use of legitimate cloud services complicates detection, posing a significant threat to regional cybersecurity.
READ THE STORY: THN
Cybercriminals Target North American Transportation Companies with Info-Stealing Malware
Bottom Line Up Front (BLUF): Cybersecurity firm Proofpoint has identified a new malware campaign targeting transportation and shipping companies in North America. Using compromised email accounts and industry-specific software lures, attackers deliver malware strains designed to steal sensitive information, though the threat actor remains unidentified.
Analyst Comments: This campaign underscores the exposure of transportation and logistics firms, which run on a dense web of fleet-management and dispatch software and whose place in the supply chain makes them attractive to financially motivated actors. The lures are notable for their realism: mail sent from genuinely compromised industry accounts, and installers posing as tools the recipients already use, so the attack exploits trust in existing business workflows rather than relying on generic phishing. Practitioners should treat unsolicited software updates for fleet or TMS products arriving by email as suspect and confirm them through the vendor's own channels before running anything.
FROM THE MEDIA: Researchers from Proofpoint have been monitoring a cyber campaign since May 2024, which targets North American transportation and logistics companies through compromised legitimate email accounts. The attackers deliver a range of malware, including Lumma Stealer, StealC, DanaBot, and Arechclient2, aimed at stealing information from affected systems. To deceive victims, hackers impersonate industry-specific software such as Samsara and Astra TMS, indicating their familiarity with the sector. Proofpoint reported at least 15 compromised email accounts but has not attributed the attacks to any specific threat actor. The campaign’s precision and tailored approach suggest a well-researched and financially motivated operation.
READ THE STORY: SecurityWeek
Mozilla Faces GDPR Complaint Over Firefox Tracking Without User Consent
Bottom Line Up Front (BLUF): Mozilla is facing a privacy complaint from Austrian privacy group noyb for enabling its Privacy-Preserving Attribution (PPA) feature in Firefox without obtaining users' consent. The feature, introduced in Firefox version 128, tracks user behavior to measure ad performance without sharing personal data. However, noyb argues that activating PPA by default violates the European Union's GDPR regulations and limits user control over their privacy.
Analyst Comments: Noyb argues that Mozilla's activation of the Privacy-Preserving Attribution (PPA) feature in Firefox without explicit user consent violates the EU's GDPR. The privacy group claims that enabling PPA by default undermines user control, as it records ad interactions without users opting in, which it says conflicts with GDPR's requirement for informed consent. While Mozilla positions PPA as a non-invasive measurement method that reports only aggregated results, noyb contends that it still processes user behavior and criticizes Mozilla for lacking transparency in rolling out the feature. For users, the feature can be turned off in Settings under Privacy & Security by unchecking "Allow websites to perform privacy-preserving ad measurement" (the underlying about:config preference is dom.private-attribution.submission.enabled); noyb's position is that this control should have been opt-in rather than opt-out.
FROM THE MEDIA: The privacy-focused organization noyb has filed a complaint against Mozilla for enabling a tracking feature called Privacy-Preserving Attribution (PPA) in Firefox without user consent. The complaint, submitted to the Austrian Data Protection Authority, accuses Mozilla of violating the GDPR by activating the feature by default. Mozilla introduced PPA as a way for advertisers to track ad performance without compromising user privacy. However, noyb contends that PPA still tracks user behavior and undermines user choice, calling for the feature to be disabled unless explicitly opted into by users.
READ THE STORY: THN
CrowdStrike July 2024 Incident Reveals Possible State-Sponsored Exploitation Amid Scrutiny Over Software Quality
Bottom Line Up Front (BLUF): On July 19, 2024, a faulty Rapid Response Content update to CrowdStrike's Falcon sensor for Windows crashed roughly 8.5 million devices, disrupting healthcare, airlines, and financial markets worldwide. CrowdStrike's root cause analysis traces the crash to Channel File 291: the sensor's content validator let through an update that referenced a 21st input field when the kernel-mode content interpreter was only supplied 20, producing an out-of-bounds memory read. Because disruption was minimal in Russia and China, some commentators have speculated about state-sponsored interference; CrowdStrike has published no evidence of tampering and attributes the failure to gaps in its own testing and validation. The case has prompted a critical review of CrowdStrike's update protocols and broader concerns about supply chain security and software testing standards.
Analyst Comments: The Falcon outage shows how fragile global IT operations are when a widely deployed security agent fails, and it is a reminder that a vendor's content pipeline is a supply chain in its own right, with or without a hostile actor. The absence of impact in Russia and China, which the original reporting flags as suspicious, is more plausibly explained by CrowdStrike's small footprint in both markets (Western security vendors are largely absent from Russia under sanctions and import-substitution rules, and China favors domestic endpoint products), and nothing published so far supports tampering. The more durable lessons sit alongside incidents like SolarWinds: content that executes in kernel context deserves the same testing and staged-rollout discipline as code, and customers should be able to control the cadence at which they receive it, as CrowdStrike has since committed to providing.
FROM THE MEDIA: On July 19, 2024, an update to CrowdStrike's Falcon sensor caused massive disruptions across critical industries: a field-count mismatch between Channel File 291 and the sensor's content interpreter triggered an out-of-bounds read and crashed millions of Windows hosts worldwide. While airlines, hospitals, and banks faced severe outages, Russia and China reported minimal impact, which has fueled speculation about possible state-sponsored activity exploiting software supply chain weaknesses. CrowdStrike's internal processes, including content testing and staged deployment, have since come under scrutiny, raising broader concerns about code quality and gaps in security standards across the industry.
READ THE STORY: The Record // Cyber Roundup
Nearly 100 VPN Apps Pulled from Russia’s App Store in Coordinated Censorship Effort
Bottom Line Up Front (BLUF): Apple has removed nearly 100 VPN apps from its Russian App Store, reportedly complying with demands from Russia's communications regulator, Roskomnadzor. While Russia officially acknowledged the removal of 25 VPN apps, a report by GreatFire revealed that Apple took down significantly more apps, many without public acknowledgment. This move raises concerns over corporate complicity in state censorship, as VPNs play a crucial role in circumventing government control and ensuring secure communications.
Analyst Comments: Apple’s removal of VPN apps from its Russian App Store reveals the growing influence of authoritarian regimes over tech companies. This quiet compliance undermines the digital freedoms of Russian citizens, cutting off vital tools for secure communication and information access. While Apple has taken a public stance against the Russian invasion of Ukraine, these actions contradict its commitment to human rights, highlighting the difficult balance between adhering to local laws and protecting global digital rights.
FROM THE MEDIA: A report by GreatFire revealed that Apple has quietly removed 98 VPN apps from its Russian App Store, surpassing the official figures provided by Roskomnadzor. The removals, which accelerated between July and September 2024, have sparked concerns over Apple’s role in supporting Russian censorship efforts. Digital rights advocates criticize Apple’s actions for undermining secure communication and internet freedom, as VPNs are essential for bypassing government-imposed censorship. Critics argue that these decisions set a dangerous precedent for how tech companies may collaborate with authoritarian regimes.
READ THE STORY: CyberNews
Items of interest
G7 Warns Financial Sector to Brace for Quantum Computing Threats
Bottom Line Up Front (BLUF): The G7 Cyber Expert Group has urged financial institutions to prepare for the impending risks posed by quantum computing, which could crack traditional encryption methods, potentially exposing sensitive financial data. The group recommends that financial entities assess quantum-related vulnerabilities and adopt post-quantum cryptography standards, highlighting efforts by NIST and ENISA to develop quantum-resistant encryption algorithms.
Analyst Comments: Quantum computing, while still in development, poses a looming threat to the global financial system because a cryptographically relevant quantum computer running Shor's algorithm would break the RSA and elliptic-curve public-key algorithms that underpin today's TLS, digital signatures, and key exchange; symmetric ciphers such as AES are weakened far less and are generally addressed by larger key sizes. The urgency comes from the "harvest now, decrypt later" risk: encrypted traffic recorded today can be decrypted once such a machine exists, so data with long confidentiality requirements is already exposed. This warning from the G7 is significant, marking a shift from theoretical concerns to actionable urgency. By urging financial institutions to inventory their cryptography and adopt quantum-resistant algorithms, the group is pushing the sector to future-proof its operations against the expected evolution of computational technology. Similar warnings have been echoed in recent years, signaling that the financial sector is a priority target for nation-states and cybercriminals positioned to exploit quantum advances.
FROM THE MEDIA: The G7 Cyber Expert Group has raised alarms about the potential of quantum computing to compromise traditional encryption methods, urging financial institutions to take preemptive measures. The group emphasized the risk that quantum computers will render current public-key encryption obsolete, putting sensitive financial information at risk of exposure. To mitigate this, institutions are encouraged to conduct thorough assessments of their quantum-related vulnerabilities. The group also supports the adoption of post-quantum cryptography standards, pointing to the U.S. National Institute of Standards and Technology (NIST), which in August 2024 published its first three finalized standards (FIPS 203 ML-KEM for key encapsulation, and FIPS 204 ML-DSA and FIPS 205 SLH-DSA for digital signatures), and to guidance from the European Union Agency for Cybersecurity (ENISA).
READ THE STORY: The Record
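The first step the G7 statement asks for, assessing quantum-related exposure, begins with a cryptographic inventory: knowing which certificates and keys rely on RSA or elliptic-curve algorithms. The Go program below is an added example written for this digest, not code from the G7, NIST, ENISA or any vendor. It generates two constructed self-signed certificates (one RSA-2048, one ECDSA P-256) so it runs offline, then parses a PEM bundle and flags each certificate whose public-key algorithm a cryptographically relevant quantum computer would break. The hostnames are placeholders and the risk labels and reason strings are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the cryptographic inventory.
type Finding struct {
	Subject       string
	PublicKeyAlgo string
	QuantumRisk   string // "vulnerable" or "unknown"
	Reason        string
}

// ClassifyPEM walks every CERTIFICATE block in a PEM bundle and records which
// public-key algorithms a cryptographically relevant quantum computer would break.
// Non-certificate blocks (private keys, CRLs) are skipped.
func ClassifyPEM(bundle []byte) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		findings = append(findings, classify(cert))
	}
	return findings, nil
}

// classify labels a certificate by the hardness assumption its public key rests on.
// RSA and ECDSA both fall to Shor's algorithm; anything else is left for manual review.
func classify(cert *x509.Certificate) Finding {
	f := Finding{
		Subject:       cert.Subject.CommonName,
		PublicKeyAlgo: cert.PublicKeyAlgorithm.String(),
		QuantumRisk:   "unknown",
		Reason:        "algorithm not covered by this classifier; review manually",
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.QuantumRisk = "vulnerable"
		f.Reason = fmt.Sprintf("RSA-%d relies on integer factoring (Shor)", k.N.BitLen())
	case *ecdsa.PublicKey:
		f.QuantumRisk = "vulnerable"
		f.Reason = fmt.Sprintf("ECDSA over %s relies on EC discrete log (Shor)", k.Curve.Params().Name)
	}
	return f
}

// must panics on error; used only while building the constructed sample data below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned mints a self-signed certificate so the example runs offline.
func selfSigned(cn string, pub any, priv crypto.Signer, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory returns a constructed PEM bundle: one RSA-2048 and one
// ECDSA P-256 certificate with placeholder hostnames, not real systems.
func SampleInventory() []byte {
	rsaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	bundle := selfSigned("payments-gateway.example", &rsaKey.PublicKey, rsaKey, 1)
	return append(bundle, selfSigned("swift-connector.example", &ecKey.PublicKey, ecKey, 2)...)
}

func main() {
	findings := must(ClassifyPEM(SampleInventory()))
	for _, f := range findings {
		fmt.Printf("%-26s key=%-6s risk=%-10s %s\n", f.Subject, f.PublicKeyAlgo, f.QuantumRisk, f.Reason)
	}
}
```

To use this against a real estate, replace SampleInventory with the PEM bundles exported from your load balancers, HSM-backed CAs and code-signing stores, and extend the report with NotAfter and the sensitivity of the data each certificate protects: long-lived certificates guarding data that must stay confidential for years are the first candidates for migration to ML-KEM key exchange and ML-DSA or SLH-DSA signatures, because of the harvest-now, decrypt-later risk described above.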
Quantum Resistant Encryption Emerges as Crucial Cybersecurity (Video)
FROM THE MEDIA: In our latest SIGNAL Executive Video Series, we learn how cybersecurity experts are working on stronger, quantum-resistant encryption to safeguard against powerful technology that will be able to break keys in seconds that would take traditional computers millennia.
Post-Quantum Cryptography: the Good, the Bad, and the Powerful (Video)
FROM THE MEDIA: This video featuring NIST’s Matthew Scholl emphasizes how NIST is working with the brightest minds in government, academia, and industry from around the world to develop a new set of encryption standards that will work with our current classical computers—while being resistant to the quantum machines of the future. Quantum computers will be incredibly powerful and will have the potential to provide tremendous societal benefits; however, there are concerns related to how quantum computers could be used by our adversaries, competitors, or criminals. This video explores these scenarios and explains how we are staying ahead of this potential cybersecurity threat.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.