Daily Drop (885): Awaken Likho | Dr WEB: 10TB Leak | RU: LNG ‘Dark Fleet’ | UA: UAS | RU: Cyber Crime | GoldenJackal | Asia's Internet | U.S. Telecoms | Starlink FCC Bias | Storm 1575 |
10-09-24
Wednesday, Oct 09 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
Chinese Hackers Target U.S. Telecoms, Raising National Security Alarms
Bottom Line Up Front (BLUF): Chinese state-backed hacking group Volt Typhoon has reportedly breached several U.S. telecommunications firms, including AT&T, Lumen, and Verizon. The hack, aimed at understanding U.S. counterintelligence methods, reflects escalating cyber tensions between Washington and Beijing and raises concerns about potential espionage targeting critical infrastructure.
Analyst Comments: This recent hack underscores the sophistication and persistence of China’s state-linked cyber operations and highlights vulnerabilities within U.S. telecommunications infrastructure. While U.S. agencies have frequently warned against these attacks, China’s interest in telecom networks could facilitate ongoing intelligence gathering and disruption capabilities within U.S. borders. The infiltration, especially against firms supporting U.S. counterintelligence, illustrates the asymmetric nature of U.S.-China cyber conflicts and suggests that efforts to secure telecom networks may require more proactive defensive measures.
FROM THE MEDIA: U.S. officials revealed that Chinese hackers, linked to the state-sponsored group Volt Typhoon, breached significant telecommunications firms, likely aiming to uncover U.S. counterintelligence operations that rely on these providers. Despite U.S. warnings, Chinese cyber activity targeting sensitive U.S. infrastructure has persisted, contributing to escalating tensions. While U.S. agencies frequently disclose Chinese cyber incidents, Beijing seldom reports U.S. hacking, maintaining a narrative that paints China as a victim of U.S. cyber aggression. This latest hack highlights ongoing vulnerabilities in critical infrastructure and the heightened risk to national security as cyber espionage efforts intensify.
READ THE STORY: FP
US Lawmakers Investigate FCC’s $900M Starlink Funding Reversal Amid Disaster Response
Bottom Line Up Front (BLUF): U.S. Representative James Comer has initiated an investigation into the Federal Communications Commission’s (FCC) 2022 decision to revoke an $885.5 million subsidy to SpaceX’s Starlink for rural broadband expansion. The inquiry follows the use of Starlink’s emergency services after Hurricane Helene, highlighting the potential impact of the FCC’s funding decisions on disaster preparedness in underserved areas.
Analyst Comments: The timing of this investigation reflects the ongoing debate about public investment in emerging satellite technologies versus proven broadband solutions. Starlink’s role during Hurricane Helene underscores satellite broadband’s capability for quick deployment in crises, strengthening the case for its inclusion in future rural broadband plans. Despite Brendan Carr’s dissent, the FCC's hesitancy suggests regulatory caution toward subsidizing nascent technologies for public service. However, as rural connectivity remains a priority, this investigation may reshape FCC policies or lead to revised funding strategies that account for emergency readiness.
FROM THE MEDIA: Following Hurricane Helene’s devastating impact on North Carolina, Rep. James Comer, chair of the House Oversight and Accountability Committee, has questioned the FCC’s rationale for rescinding a rural broadband subsidy awarded to Starlink in 2020. FCC Chairwoman Jessica Rosenworcel had previously cited concerns about subsidizing Starlink’s emerging technology. In his letter, Comer requested FCC documents on Starlink's application process, award reversal, and discussions about Elon Musk and SpaceX, indicating a broader examination of regulatory actions affecting Musk’s ventures. Commissioner Brendan Carr criticized the FCC’s decision, suggesting it may have been influenced by broader administrative opposition to Musk’s businesses.
READ THE STORY: The Register
Ukraine Leads the World in Drone Innovation and Production Amid War
Bottom Line Up Front (BLUF): Ukraine has become a global leader in drone technology through rapid adaptation and public-private innovation amid the war with Russia. Ukrainian drones, produced at a rate higher than any NATO nation, have enabled Ukraine to engage Russian forces effectively across air, sea, and land, with drones contributing to significant damage to the Black Sea Fleet and Russian infrastructure.
Analyst Comments: The rapid scaling and deployment of Ukraine’s drone capabilities signal a transformative shift in warfare as Ukraine leverages decentralized innovation to sustain its defense against a larger adversary. This approach combines grassroots technological ingenuity with strategic foreign partnerships, fostering a resilient military-industrial complex uniquely positioned to meet real-time combat needs. As Ukraine pushes the boundaries of cost-effective drone warfare, its success may serve as a blueprint for asymmetric military strategies and influence NATO's unmanned system development.
FROM THE MEDIA: Ukraine's decentralized, innovation-driven military approach has enabled it to conduct advanced drone operations, integrating drone warfare alongside traditional forces in what’s described as the world’s first "drone, digital, and cyber war." With more than 400 Ukrainian companies now producing military technology, 200 of which focus on drones, Ukraine has adapted Western and Soviet-era technology to meet tactical needs, such as repurposing NATO missiles for Soviet jets. Ukraine's newly established Unmanned Systems Forces have effectively damaged one-third of Russia’s Black Sea Fleet, with drones deployed for both offensive and defensive operations. Additionally, unmanned systems are used extensively for reconnaissance, counter-drone tactics, and combined arms missions, including recent incursions into Russian-held territories.
READ THE STORY: TJF
How Russia’s LNG ‘Dark Fleet’ Conceals Its Trade Amid Sanctions
Bottom Line Up Front (BLUF): Russia’s fleet of “dark” liquefied natural gas (LNG) tankers has ramped up efforts to evade sanctions by engaging in deceptive practices like spoofing transfers and using false locations. These tactics, aimed at obfuscating the movement of Arctic LNG 2 shipments, allow Russia to maintain revenue flows while sidestepping international sanctions.
Analyst Comments: The increased activity of Russia’s “dark fleet” illustrates how sanctioned states adapt to continue trading despite global restrictions. This tactic, often involving ship-to-ship transfers and deceptive route information, challenges enforcement efforts and complicates the global LNG supply chain by creating ambiguity around supply destinations. Russia’s sophisticated obfuscation methods demonstrate that traditional tracking and sanction mechanisms may need updating to monitor sanctioned fleets and prevent sanction evasion effectively.
FROM THE MEDIA: Since August 2024, Russia’s LNG tankers linked to the Arctic LNG 2 project have increased their activities to evade sanctions by masking cargo transfers. One of the tankers, Pioneer, initially appeared to transfer its LNG load to another tanker, Nova Energy, in the Mediterranean. However, this spoofed operation was discovered when the vessel passed through the Suez Canal still fully laden. Similarly, Nova Energy docked at a Russian storage unit in Murmansk, yet satellite and draft data suggested it may have loaded LNG rather than offloaded it. Analysts note that these methods are intended to create confusion about cargo origin and destination, complicating monitoring efforts by satellite and tracking firms. This maneuvering allows Russia to continue LNG exports, indirectly funding its economy despite sanctions.
READ THE STORY: FT
Russia Pays Criminals to Sow ‘Mayhem’ In Europe, Warns U.K. Spy Chief
Bottom Line Up Front (BLUF): U.K. MI5 Chief Ken McCallum warned that Russia and Iran are increasingly using criminal proxies to conduct sabotage, dissident targeting, and arson across Europe. This uptick in state-sponsored violence has pushed MI5 to increase countermeasures, particularly as Russian espionage relies more heavily on low-level criminals following the expulsion of hundreds of Russian diplomats.
Analyst Comments: Leveraging criminal networks for state-backed operations illustrates a shift toward more diffuse, hard-to-track aggression. Using low-level criminals provides deniability for Russia and Iran, complicating European law enforcement and intelligence efforts. Russia’s continued use of criminal agents reflects its adaptation post-diplomatic expulsions, signaling a potential increase in these operations. This approach underscores an evolution in asymmetric threats, and MI5’s collaboration with European allies suggests heightened pressure on shared intelligence initiatives.
FROM THE MEDIA: MI5 Director General Ken McCallum reported a marked increase in Russian and Iranian-led attacks on European soil, describing a “sustained mission to generate mayhem.” MI5’s investigations into such threats have surged by nearly 50% over the past year, with Russia reportedly directing more cyber and physical sabotage campaigns across Europe since its invasion of Ukraine. A notable case this summer involved arson targeting a London warehouse owned by Ukrainian businessmen, allegedly carried out by criminals funded by Russian intelligence. Iran has similarly ramped up the targeting of dissidents, evidenced by attacks on Iranian opposition figures in the U.K. and Spain, often utilizing drug traffickers or local criminals for deniability. McCallum warned European criminals about accepting funds from state actors, stressing severe consequences.
READ THE STORY: WSJ
Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools
Bottom Line Up Front (BLUF): The cyber espionage group “Awaken Likho,” also known as Core Werewolf and PseudoGamaredon, has launched a new cyber campaign against Russian government agencies and industrial entities, evolving its toolset for persistence and control. Their tactics include deploying MeshCentral’s remote agent for covert system access and replacing older tools like UltraVNC.
Analyst Comments: Awaken Likho’s latest tactics reflect an evolution in cyberattack methods aimed at evading detection through legitimate software. This shift towards using open-source tools like MeshCentral shows how APT groups adapt to increase the sophistication of their attacks while lowering detection risks. These attacks underscore a growing trend among threat actors to incorporate both advanced spear-phishing techniques and reputable software for cyber espionage, particularly in geopolitically tense regions. Russian entities remain attractive targets, and this escalation may drive further cybersecurity investments or regulatory changes within Russian critical sectors.
FROM THE MEDIA: Kaspersky identified a fresh wave of attacks by Awaken Likho targeting Russian state agencies and contractors since June 2024. This group, active since 2021, has adapted its approach to employ MeshCentral’s agent for remote access, shifting away from the earlier use of UltraVNC. Spear-phishing remains their primary attack vector, deploying executable files masked as Microsoft Word or PDF files (e.g., “doc.exe” or “pdf.exe”) to lure victims. Previously, Awaken Likho leveraged self-extracting archives (SFX) to install UltraVNC stealthily. In recent incidents, an SFX created via 7-Zip unpacks AutoIt scripts that install MeshAgent, allowing attackers to establish persistence via scheduled tasks that connect to a MeshCentral server. Targets also include military and defense-linked research institutes, signaling Awaken Likho’s ongoing interest in high-value intelligence.
READ THE STORY: THN
Qualcomm Urges Swift Patching Amid Targeted Exploitation of DSP Vulnerability CVE-2024-43047
Bottom Line Up Front (BLUF): Qualcomm has issued a series of urgent patches, addressing 20 vulnerabilities in its device chipsets, including a critical Digital Signal Processor (DSP) flaw, CVE-2024-43047, already exploited in targeted attacks. The company urges device manufacturers to expedite these patches to mitigate potential spyware risks, particularly on devices featuring Snapdragon 660 and newer models.
Analyst Comments: The exploitation of CVE-2024-43047 highlights modern chipsets as high-value targets, especially with Qualcomm chipsets widely integrated into mobile devices globally. The involvement of Google's Project Zero and Amnesty International suggests that surveillance vendors or state actors may already leverage this flaw. These vulnerabilities underscore the need for coordinated patching strategies among OEMs to ensure timely updates across a vast user base. As vulnerabilities in hardware become focal points for attackers, industry reliance on rigorous patch management and faster response frameworks will likely increase.
FROM THE MEDIA: Qualcomm’s advisory, released October 8, 2024, disclosed 20 vulnerabilities in its chipset firmware, with CVE-2024-43047—affecting the FastRPC DSP driver—as the most severe. With a CVSS score of 7.8, the flaw was discovered by Google’s Project Zero and Amnesty International, suggesting exploitation by sophisticated threat actors. Targeted devices include Snapdragon 660 and newer models and select Qualcomm 5G modems and Wi-Fi/Bluetooth components. CVE-2024-33066, a critical WLAN flaw with a CVSS of 9.8, remains unexploited but carries significant risk. Qualcomm also addressed high-severity memory corruption vulnerabilities, CVE-2024-23369 and CVE-2024-33065, in the camera driver and operating system. Device manufacturers are urged to deploy these patches promptly to prevent further exploitation.
READ THE STORY: The Register
Pro-Ukrainian Hackers Claim 10TB Data Breach at Russian Cybersecurity Firm Dr.Web
Bottom Line Up Front (BLUF): DumpForums, a pro-Ukrainian hacktivist group, claims responsibility for breaching Russian cybersecurity company Dr.Web, alleging they extracted over 10 TB of sensitive data. The hacktivists report they accessed Dr.Web’s internal infrastructure, including critical servers and databases, contradicting the firm’s initial claim that no data was compromised.
Analyst Comments: This breach, if validated, would be a significant compromise of a major Russian cybersecurity firm’s defenses, raising concerns over the protection of sensitive customer data in high-stakes geopolitical conflicts. Such attacks exemplify the tit-for-tat cyber operations between Russia and Ukraine, with hacktivists increasingly playing a pivotal role. This claim highlights the risks facing cybersecurity firms involved in such conflicts, as these firms are often perceived as key assets or symbols of state resilience. Continuous attacks may degrade public confidence in Russia’s cybersecurity capabilities, potentially inciting more robust countermeasures or data protection policies.
FROM THE MEDIA: Hacktivists from DumpForums have publicly declared that they infiltrated Dr.Web’s infrastructure, accessing sensitive areas like the corporate GitLab server, corporate email, and the domain controller, which manages access across the network. The hack, reportedly beginning on September 14, 2024, went undetected for nearly a month, allowing attackers to siphon around 10 TB of data. In a post on Telegram, DumpForums contradicted Dr.Web’s initial statement that no data was taken, further alleging poor security practices within the firm. This claim comes amid escalating cyber activities between Russia and Ukraine, where hacktivists have increasingly targeted critical infrastructure on both sides. Dr.Web, as of October 9, 2024, has acknowledged the attack but continues to deny the extent of the hacktivists’ claims.
READ THE STORY: HackRead
America vs. China: Who Controls Asia's Internet?
Bottom Line Up Front (BLUF): In a race for digital influence, the United States and China are competing for control over Asia’s critical data infrastructure, including data centers, undersea cables, and internet exchange points. China’s dominant cloud market share in several Asian countries gives it extensive control over regional data flows, while U.S.-led restrictions and alliances push back against China’s Digital Silk Road expansion.
Analyst Comments: China’s digital strategy in Asia leverages infrastructure investment and lower-cost cloud solutions to embed its influence within Asia’s rapidly expanding digital ecosystem. The implications of this digital divide are significant: China’s dominance could enable broader control over data flows and metadata access, potentially allowing manipulation or disruption of regional internet services during conflicts. Meanwhile, American efforts to limit Chinese technology adoption in Asia through alliances and tech restrictions aim to build a digital counterbalance but face the hurdle of widespread Chinese infrastructure already in place. This geopolitical digital struggle will likely shape Asia's internet sovereignty, cybersecurity posture, and regional data governance over the coming decade.
FROM THE MEDIA: Nusajaya Tech Park in Johor, Malaysia, embodies the competition between American and Chinese digital infrastructure projects. Located just 15 km from Singapore, it hosts Equinix, a U.S. data center operator, and GDS, a Chinese counterpart aligned with tech giants like Alibaba and Tencent. A significant share of Asia’s internet traffic is routed through Chinese infrastructure, with China dominating cloud clusters in seven of 12 Asian countries, according to a study from the Oxford Internet Institute. The U.S. has increased its restrictions on Chinese technology, redirecting undersea cable projects away from China and blocking firms like Huawei from 5G and other sensitive markets. However, many Asian nations remain pragmatic, balancing Chinese and American tech investments to meet growing data capacity and internet access demands.
READ THE STORY: Economist
Storm-1575 Deploys New Phishing Login Panels Targeting Microsoft and Google Users
Bottom Line Up Front (BLUF): Cybercriminal group Storm-1575 has launched new phishing login panels aimed at compromising Microsoft and Google accounts. This rebranding of their infrastructure features distinctive verification tactics to evade detection, such as Cloudflare-based verification for Microsoft targets and an arithmetic CAPTCHA for Google, raising the sophistication of these attacks.
Analyst Comments: Storm-1575’s frequent rebranding of phishing infrastructure and targeted approach highlight a strategic shift in cybercrime. By customizing phishing techniques for specific targets like Microsoft and Google, the group shows adaptability and an advanced understanding of security systems. With specialized encryption methods and verification techniques, these new login panels reflect a growing trend among threat actors to diversify phishing tactics to increase effectiveness. Such evolving threats underscore the importance of continuously updated phishing detection systems and proactive monitoring, especially as these attacks become increasingly nuanced.
FROM THE MEDIA: Analysts at ANY.RUN reported that Storm-1575, a known cybercriminal group, has restructured its phishing infrastructure by deploying new login panels targeting users of Microsoft and Google services. The new infrastructure utilizes domains such as “menlologistics.com” and includes features designed to evade detection, like Cloudflare-based verification for Microsoft and arithmetic CAPTCHA for Google. Distinguishing between these targets, the group employed more robust AES encryption for Microsoft credentials but weaker obfuscation for Google, reflecting a tailored approach. Analysts recommend using platforms like ANY.RUN’s Threat Intelligence Lookup to stay ahead of evolving tactics, with real-time access to indicators of compromise and network activity.
READ THE STORY: HackRead
GoldenJackal Targets Air-Gapped Government Systems Using USB-Based Malware
Bottom Line Up Front (BLUF): The GoldenJackal threat group has targeted air-gapped systems in European government offices through malware that leverages USB drives to transfer data in environments isolated from the internet. This attack highlights the group’s adaptability and use of multi-stage, modular malware to infiltrate highly secure environments.
Analyst Comments: GoldenJackal’s attack illustrates a sophisticated approach to breaching air-gapped systems, a critical concern for sensitive government networks. Leveraging USB drives as transmission vectors, the group exploits the physical exchange between connected and isolated devices, a method reminiscent of earlier advanced threat campaigns. Their modular approach, allowing flexibility and role specialization within malware components, shows an evolution in tactics that could inspire other threat actors. Security for air-gapped systems now faces increased pressure to control and monitor USB usage, emphasizing the need for updated policies on physical data transfers in secure facilities.
FROM THE MEDIA: ESET researchers identified GoldenJackal as the group behind a targeted attack on South Asian government offices in Europe, focused on air-gapped systems that do not connect to any network. Using known tools like JackalControl and JackalWorm, GoldenJackal initiated its attack by infecting internet-connected machines and then propagating to air-gapped computers through USB drives. The malware uses a technique that renames itself to mimic the last accessed folder on the USB, tricking users into launching it when plugged into air-gapped machines. Once inside, the malware intermittently attempts to contact Cloudflare’s DNS as an indicator of internet connectivity and strategically stores stolen data back on the USB drive, intending for eventual exfiltration through another network-connected device.
READ THE STORY: SCMedia
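The Awaken Likho and GoldenJackal stories above both describe file-name masquerades on user-facing media: an executable named like a document (“doc.exe”, “pdf.exe”) and an executable named after a folder on the same USB drive. The heuristic scan below, an added example and not code from either research team, flags both patterns on a constructed sample volume; the extension and document-word lists are assumptions, not vendor signatures.

```python
"""Heuristic scan of a removable volume for two file-name masquerades:
  1. an executable whose stem matches a sibling folder ("Invoices.exe" beside "Invoices\")
  2. an executable named as, or after, a document type ("doc.exe", "report.pdf.exe")
Added example; constructed fixture, no real samples involved."""
import os
import tempfile
from pathlib import Path

# Assumed lists; tune to the environment being reviewed.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOC_WORDS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}


def find_masquerades(root):
    """Return a sorted list of (relative_path, reason) for suspicious executables under root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_lower = {d.lower() for d in dirnames}
        for name in filenames:
            p = Path(dirpath) / name
            suffixes = [s.lower() for s in p.suffixes]
            if not suffixes or suffixes[-1] not in EXEC_EXT:
                continue  # only executables are of interest here
            stem_lower = name[: -len(p.suffix)].lower()
            rel = str(p.relative_to(root))
            # Pattern 1: executable shares its name with a folder in the same directory
            if stem_lower in dirs_lower:
                findings.append((rel, "executable named after sibling folder"))
                continue
            # Pattern 2: bare document word ("doc.exe") or double extension ("report.pdf.exe")
            double_ext = len(suffixes) >= 2 and suffixes[-2].lstrip(".") in DOC_WORDS
            if stem_lower in DOC_WORDS or double_ext:
                findings.append((rel, "document-named executable"))
    return sorted(findings)


def build_sample_volume():
    """Create a constructed USB-like directory tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Invoices").mkdir()
    (root / "Invoices" / "q3.xlsx").write_bytes(b"")
    (root / "Invoices.exe").write_bytes(b"MZ")     # folder-name masquerade
    (root / "doc.exe").write_bytes(b"MZ")          # document-type masquerade
    (root / "report.pdf.exe").write_bytes(b"MZ")   # double-extension masquerade
    (root / "notes.txt").write_bytes(b"hello")     # ordinary document, ignored
    (root / "Tools").mkdir()
    (root / "Tools" / "setup.exe").write_bytes(b"MZ")  # executable with no masquerade, ignored
    return root


if __name__ == "__main__":
    volume = build_sample_volume()
    for path, reason in find_masquerades(volume):
        print(f"{reason}: {path}")
```

The sibling-folder check only sees folders and files that share a directory, which is where the described lure works; a second pass over hidden attributes would be the natural extension on Windows.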
Items of interest
New CrowdStrike Partnerships Expand Falcon Threat Intelligence Capabilities
Bottom Line Up Front (BLUF): CrowdStrike has partnered with CardinalOps, Nagomi, and Veriti to enhance the integration and reach of its Falcon Threat Intelligence platform. These partnerships provide enterprise clients with advanced detection, security posture management, and proactive remediation capabilities, enabling real-time security adjustments against complex cyber threats.
Analyst Comments: Adding CardinalOps, Nagomi, and Veriti to CrowdStrike’s ecosystem strengthens its ability to address emerging threat intelligence needs across diverse enterprise environments. By integrating adversary-informed threat data directly into security controls, these partnerships aim to streamline detection and prevention, reducing the manual workload associated with threat management. This collaboration indicates a broader trend in cybersecurity, where vendors aim to deliver adaptable, ecosystem-compatible solutions that offer comprehensive threat intelligence, operational efficiency, and proactive defense.
FROM THE MEDIA: On October 8, 2024, CrowdStrike announced new alliances with CardinalOps, Nagomi, and Veriti, expanding its Falcon Threat Intelligence platform to deliver robust, intelligence-driven defense capabilities. Through the partnership with CardinalOps, customers gain adversary-informed detection that adapts to any SIEM, enabling faster, more accurate threat detection. Integration with Nagomi helps customers tailor threat defense by assessing and optimizing their security stack based on the latest threat actor campaigns. Veriti’s solution brings proactive exposure management, enabling clients to continuously monitor and remediate threats with minimal operational disruption. These new tools are available through the CrowdStrike Marketplace, allowing customers to quickly try, buy, and deploy solutions.
READ THE STORY: SIW
Kernel Mode vs User Mode: Why it Matters, What You Need to Know (Video)
FROM THE MEDIA: Retired Windows developer Dave Plummer dives deep into one of the most critical aspects of operating systems: Kernel Mode. We’ll explore how vulnerabilities like Spectre and Meltdown impacted system performance and why kernel mode is crucial for security and stability. From real-world disasters like the CrowdStrike outage to the differences between Windows and Linux kernel structures, this episode covers how your OS balances power and risk. Plus, we’ll explain why anti-cheat systems or bad drivers can cause your favorite game to lag.
CrowdStrike IT Outage Explained by a Windows Developer (Video)
FROM THE MEDIA: Dave explains the CrowdStrike IT outage, focusing on the faulty component’s role as a kernel mode driver.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.