Daily Drop (887): CISA: SBD | UA VPN: Runet | IA | 23andMe: Data Value | MGU | F5 BIG-IP Cookies | SVR: JetBrains TeamCity and Zimbra | MSS: Device Mgnt | Senate: Salt Typhoon | DoJ: Google |
10-13-24
Sunday, Oct 13 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
How a Google Antitrust Break-Up Could Reshape the Tech Industry
Bottom Line Up Front (BLUF): The U.S. Department of Justice (DoJ) is pushing for a historic restructuring of Google’s core search business to address anti-competitive practices. If successful, this could open up opportunities for AI-driven startups and smaller search competitors, potentially transforming the digital advertising and technology landscape.
Analyst Comments: A potential Google break-up represents one of the most ambitious moves in tech antitrust, possibly setting a new precedent for handling digital monopolies. Breaking down Google’s dominant positions—such as its search engine’s exclusive contracts and extensive data leverage—could benefit new AI players and reduce advertiser costs. However, even if the DoJ succeeds, enforcing meaningful competition will be complex, as Google’s network effects are deeply entrenched across mobile, browser, and app ecosystems. The regulatory push could lead to broader scrutiny of other Big Tech monopolies, signaling a major shift in U.S. tech regulation.
FROM THE MEDIA: The DoJ’s antitrust case against Google took a major step forward this week, with a judge’s ruling that the company’s exclusive deals illegally maintained its dominance in search. Scheduled to present a concrete proposal on November 20, the DoJ has hinted at significant remedies, including prohibiting exclusive deals and potentially breaking up Google by separating its search, Android, and Chrome businesses. Critics argue that such drastic measures could destabilize established ecosystems, yet proponents believe it will create fairer competition, enabling AI startups like You.com and Perplexity AI to challenge Google. The DoJ’s proposals also include granting rivals access to Google’s core search data and advertising networks to foster competition, a strategy akin to past antitrust actions against Microsoft.
READ THE STORY: FT
U.S. Lawmakers Demand Briefing on Chinese Breach of Telecom Networks
Bottom Line Up Front (BLUF): Following reports that hackers linked to China’s Ministry of State Security breached U.S. telecommunications networks, lawmakers are calling for a closed-door briefing with telecom executives to address cybersecurity vulnerabilities. The breach compromised systems used by law enforcement for wiretaps, raising national security concerns.
Analyst Comments: The breach attributed to Salt Typhoon, a China-linked group, exemplifies the high level of sophistication in cyber espionage targeting critical infrastructure. This infiltration reveals significant security gaps within telecommunications infrastructure, which may now prompt federal regulatory review, especially around baseline cybersecurity standards. Given the strategic nature of these systems, the incident may accelerate legislative efforts to mandate more robust cybersecurity protocols across telecom networks and implement stricter penalties for non-compliance.
FROM THE MEDIA: U.S. lawmakers from the House Select Committee on China demanded an urgent briefing with executives from Verizon, AT&T, and Lumen Technologies after news of a months-long breach by Salt Typhoon, a Chinese hacking group. Reports indicate that these hackers infiltrated networks linked to federal wiretaps, raising alarms around counterintelligence and data security. Representatives John Moolenaar (R-MI) and Raja Krishnamoorthi (D-IL) expressed concerns over the nation’s vulnerability to state-sponsored cyberattacks. The committee has requested a comprehensive account from the telecom companies of how they detected and responded to the breach and how they coordinated with law enforcement. In addition, Senator Ron Wyden (D-OR) has called for updated federal cybersecurity standards with penalties for inadequate protection.
READ THE STORY: Washington Examiner // The Register // Senate
Ukraine Arrests VPN Operator Enabling Access to Russian Internet
Bottom Line Up Front (BLUF): Ukrainian authorities have detained a 28-year-old man in Khmelnytskyi for running a VPN service that allowed users to bypass Ukraine’s sanctions on Russian websites, granting access to Russia’s restricted internet (Runet). This case highlights the cybersecurity and intelligence risks Ukraine faces as it enforces access restrictions on Russian domains.
Analyst Comments: The arrest reflects Ukraine's strict stance on cybersecurity as it manages sanctions amid the ongoing conflict with Russia. The VPN service bypassed Ukrainian internet restrictions and posed a potential security threat, with authorities suggesting Russian intelligence agencies may have exploited it. This event underscores the geopolitical and digital complexities of enforcing information access controls during wartime and could prompt heightened cybersecurity measures and surveillance in the region.
FROM THE MEDIA: Ukrainian cyber police arrested a 28-year-old in Khmelnytskyi for operating an unauthorized VPN service that facilitated access to Russia’s internet (Runet), contravening Ukraine’s national restrictions. This VPN, active since Russia’s 2022 invasion, allowed users—including Russian sympathizers and residents in Russian-occupied Ukrainian territories—to access banned Russian government and media sites. Authorities believe Russian intelligence agencies may have leveraged this service to monitor and gather data from its users. Operating with a local server and additional international servers, the VPN reached over 48 million Russian IP addresses and managed over 100 gigabytes of data daily. Ukrainian officials have seized electronic equipment and are investigating further to locate any accomplices.
READ THE STORY: TechNadu // CircleID
GitHub, Telegram Bots, and ASCII QR Codes Fuel New Phishing Attacks
Bottom Line Up Front (BLUF): Threat actors are using innovative phishing techniques, including GitHub links, ASCII QR codes, and Telegram bots, to bypass security filters and deploy malware. These tactics target users in finance and insurance sectors with tax-themed lures and malware like Remcos RAT, using GitHub and Unicode-based QR codes to evade detection.
Analyst Comments: The combination of legitimate platforms like GitHub and Telegram with evolving tactics such as ASCII QR codes illustrates a refined approach to phishing that leverages trust in popular services. Using GitHub for malware distribution is an effective method for bypassing security because GitHub is widely trusted, allowing attackers to conceal malicious links within legitimate-looking repositories. Additionally, the expanded use of Telegram bots and automated phishing tools in booking scams is significant, as it allows for highly personalized attacks that are harder for victims to recognize. Organizations in high-target sectors should prioritize frequent security training and awareness to mitigate risks.
FROM THE MEDIA: Cybersecurity researchers from Cofense revealed a novel phishing campaign in which attackers use GitHub to deliver Remcos RAT (Remote Access Trojan) via phishing emails, targeting financial and insurance companies. By posting the malicious payload in GitHub comments and then deleting the comment, attackers leave an active link that bypasses security measures. Additionally, ASCII QR codes are employed to deliver links that evade email filtering. Another campaign, noted by ESET, details how threat actors use Telegram bots to conduct phishing scams on booking platforms like Airbnb and Booking.com, impersonating legitimate customer support to obtain user payment information. Law enforcement in Czechia and Ukraine recently disrupted some of these operations, arresting developers of malicious Telegram bots.
READ THE STORY: THN
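The "ASCII QR code" evasion above works because mail filters that look for image attachments never see a picture, only rows of Unicode block glyphs. As an added defender-side example (not from Cofense, ESET or the original post), here is a heuristic that flags a QR code drawn as text in an email body; the sample lure, the glyph set and the thresholds are constructed assumptions, not values from the page:

```python
# Glyphs commonly used to "draw" a QR code as text instead of attaching an image.
BLOCK_CHARS = frozenset("\u2588\u2580\u2584\u2591\u2592\u2593")
MIN_ROWS = 11        # a version-1 QR code is 21 modules tall; half-block rendering still needs >= 11 rows
MIN_DENSITY = 0.9    # share of a candidate row that must be block glyphs or spaces


def _is_grid_row(line):
    """True when a line is made almost entirely of block glyphs and spaces."""
    body = line.strip()
    if not body:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in body)
    if blocks == 0:
        return False
    fill = blocks + body.count(" ")
    return fill / len(body) >= MIN_DENSITY


def _close_run(run):
    """Accept a run of grid rows if it is tall enough and roughly rectangular."""
    if len(run) < MIN_ROWS:
        return None
    widths = [w for _, w in run]
    if max(widths) - min(widths) > 2:
        return None  # ragged rows look like decorated text, not a module grid
    return (run[0][0], run[-1][0], max(widths))


def find_text_qr_blocks(text):
    """Return (first_line, last_line, width) for each block that looks like a text-drawn QR code."""
    blocks, run = [], []
    for idx, line in enumerate(text.splitlines()):
        if _is_grid_row(line):
            run.append((idx, len(line.strip())))
            continue
        hit = _close_run(run)
        if hit:
            blocks.append(hit)
        run = []
    hit = _close_run(run)  # a grid that ends at end-of-message
    if hit:
        blocks.append(hit)
    return blocks


# Constructed sample: a tax-themed lure with a 21x21 grid of full-block glyphs
# (a made-up pattern, not a scannable code) between two lines of normal prose.
_ROW_EDGE = "\u2588" * 21
LURE_EMAIL = "\n".join(
    ["Subject: Your 2024 tax form is ready",
     "Scan the code below with your phone to download the document.",
     ""]
    + [_ROW_EDGE]
    + [("\u2588 " * 10 + "\u2588") if i % 2 else ("\u2588\u2588" * 10 + "\u2588") for i in range(19)]
    + [_ROW_EDGE, "", "Regards, Payroll"]
)
# Constructed benign message: a few block glyphs in running text must not trigger.
BENIGN_EMAIL = "Hi team,\n\nProgress bar mockup: \u2588\u2588\u2588\u2591\u2591 60%\n\nThanks"

if __name__ == "__main__":
    print(find_text_qr_blocks(LURE_EMAIL))   # one block spanning lines 3..23
    print(find_text_qr_blocks(BENIGN_EMAIL)) # []
```

A hit is a reason to route the message for review or to render and decode the grid server-side, not proof of phishing on its own.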
China Warns of Cyber Espionage Threat from Idle Network Devices
Bottom Line Up Front (BLUF): China’s Ministry of State Security (MSS) has warned that foreign intelligence agencies are using idle or outdated network devices, such as servers and cameras, to conduct cyber espionage. The MSS cautions Chinese organizations to secure abandoned equipment to prevent its exploitation for surveillance and cyberattacks.
Analyst Comments: China's alert spotlights a growing global security risk: outdated and discarded network devices can be easily co-opted for unauthorized access and data exfiltration. While China warns its citizens, this threat is universal, especially for organizations with minimal cybersecurity protocols around unused devices. Countries with advanced cybersecurity frameworks may start implementing stricter disposal policies and monitoring controls, especially concerning critical infrastructure. The MSS’s message also reflects ongoing international tensions around cybersecurity and espionage, as China remains a frequent target of similar accusations.
READ THE STORY: Devdiscourse // FP
CISA Warns of Threat Actors Using F5 BIG-IP Cookies for Reconnaissance
Bottom Line Up Front (BLUF): The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about threat actors exploiting unencrypted cookies in the F5 BIG-IP Local Traffic Manager (LTM) module. This technique allows attackers to identify network resources, creating potential risks for non-internet-facing devices.
Analyst Comments: The use of unencrypted cookies in network reconnaissance highlights a broader vulnerability trend where unprotected session management data can reveal internal network architecture to attackers. If exploited further, this could enable lateral movement and compromise within target networks. For organizations using F5 BIG-IP, encrypting cookies and running diagnostics like the BIG-IP iHealth tool are crucial steps to limit reconnaissance opportunities. As state-sponsored groups like APT29 continue to evolve, organizations should baseline device access and scrutinize any deviations from authorized network behavior.
FROM THE MEDIA: CISA’s advisory cautions that cyber actors have been observed leveraging unencrypted cookies in F5 BIG-IP LTM to gather network details. Without disclosing specific threat actors, CISA noted that these cookies allow attackers to map network devices beyond the internet-facing ones, potentially exposing exploitable vulnerabilities. CISA advises enabling cookie encryption and using the BIG-IP iHealth diagnostics tool for real-time assessment and issue resolution. The advisory coincides with recent U.S.-U.K. bulletins about APT29 (also known as Cozy Bear), a Russian cyber espionage group targeting critical sectors through advanced evasion techniques, such as using Tor and residential proxies to blend with legitimate traffic.
READ THE STORY: THN
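The exposure CISA describes comes from the cleartext persistence cookie format, in which the pool member's IPv4 address is stored as a little-endian integer and the port with its bytes swapped. As an added audit example (not CISA's or F5's code), the script below takes Set-Cookie headers captured from your own BIG-IP and reports which BIGipServer cookies still decode to an internal address; the header lines are constructed samples, and the cookie-name regex and verdict labels are this example's own assumptions:

```python
import ipaddress
import re
import struct

# Cleartext BIG-IP IPv4 persistence cookie value:
#   <member IP as little-endian uint32, decimal>.<port with bytes swapped, decimal>.0000
_PLAIN_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
_SET_COOKIE = re.compile(r"(?i)^set-cookie:\s*(BIGipServer[^=;]*)=([^;]*)")


def decode_plain_ipv4(value):
    """Decode a cleartext IPv4 persistence cookie value into (ip, port).

    Returns None when the value is not in the cleartext IPv4 layout, which is
    what an encrypted (or otherwise opaque) cookie value looks like.
    """
    m = _PLAIN_IPV4.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The address is stored little-endian: pack as "<I" and read the bytes in order.
    ip = ipaddress.IPv4Address(struct.pack("<I", ip_int))
    # The port is stored with its two bytes swapped.
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]
    return str(ip), port


def audit_set_cookie_headers(headers):
    """Classify BIGipServer cookies found in a list of Set-Cookie header lines.

    Each finding is (cookie_name, verdict, decoded_target). Verdicts:
      'cleartext-internal'  decodes to a private address (the exposure CISA describes)
      'cleartext'           decodes to a public address
      'not-plain-ipv4'      encrypted, or an IPv6/route-domain cleartext layout
                            that this audit does not decode
    """
    findings = []
    for line in headers:
        m = _SET_COOKIE.match(line.strip())
        if not m:
            continue  # not a BIG-IP persistence cookie
        name, value = m.group(1), m.group(2).strip()
        decoded = decode_plain_ipv4(value)
        if decoded is None:
            findings.append((name, "not-plain-ipv4", None))
            continue
        ip, port = decoded
        verdict = "cleartext-internal" if ipaddress.IPv4Address(ip).is_private else "cleartext"
        findings.append((name, verdict, f"{ip}:{port}"))
    return findings


# Constructed sample headers (not real captures): one cleartext cookie, one opaque
# placeholder standing in for an encrypted value, and one unrelated cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerapi_pool=!opaque-placeholder-value; path=/; Secure",
    "Set-Cookie: sessionid=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, verdict, target in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{name}: {verdict}" + (f" -> {target}" if target else ""))
```

Any 'cleartext-internal' finding means the persistence profile should be switched to encrypted cookies, which is the mitigation CISA's advisory points to.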
CISA Subcommittee Analyzes Economic Hurdles to Secure by Design Adoption
Bottom Line Up Front (BLUF): The Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee's Secure by Design (SBD) subcommittee has evaluated economic barriers to adopting SBD principles in software and hardware. Its findings highlight a need for CISA to incentivize software vendors and buyers to prioritize cybersecurity early in development.
Analyst Comments: Despite CISA's advocacy for SBD principles, the subcommittee found longstanding assumptions about security economics to be unsubstantiated, such as the idea that security failures severely impact customer loyalty. This suggests the need for new strategies beyond awareness campaigns to drive meaningful SBD adoption. CISA might focus on creating incentives and compliance measures, particularly for critical infrastructure, and providing resources to smaller organizations for SBD adherence. Enhanced collaboration with industry and evidence-based research could help CISA make a stronger case for secure software investment.
FROM THE MEDIA: The CISA Cybersecurity Advisory Committee’s SBD subcommittee recently outlined challenges to making secure-by-design principles an industry standard. It determined that traditional beliefs—such as customers abandoning brands after a significant security failure or the high cost-effectiveness of early vulnerability fixes—may lack solid empirical backing. Target, Samsung, and SolarWinds all survived publicized breaches, indicating limited customer defection. In its report, the subcommittee noted a need to quantify the economic impacts of early vs. late security measures. Recommendations included funding a study to identify real economic impacts of security design flaws, building mechanisms for mandatory compliance assessments within critical infrastructure, and supporting demand-driven security standards among consumers.
READ THE STORY: CyberScoop
23andMe Data Breach Raises Concerns Over DNA Security and Privacy
Bottom Line Up Front (BLUF): Facing financial instability, 23andMe has left 15 million users uncertain about the future handling of their sensitive genetic data. Following a 2023 data breach that compromised 6.9 million profiles, users question the company's data protection commitments if it faces acquisition or shutdown.
Analyst Comments: The situation with 23andMe highlights the risks associated with companies handling sensitive data in financially vulnerable positions. Users' uncertainty over data privacy, amplified by the 2023 breach, underscores the need for clear regulatory guidelines around data retention and disposal, particularly for companies facing closure or acquisition. With genetic data holding high personal and security value, potential buyers of 23andMe could face substantial regulatory and consumer scrutiny.
FROM THE MEDIA: 23andMe, which reported $299 million in 2023 revenues, is now financially strained, with its stock price falling to $0.29 per share and consumer revenues declining due to limited repeat business. This downturn, coupled with the October 2023 breach where nearly 7 million user accounts were compromised, has sparked user concerns regarding data security should the company close or be acquired. While users can request data deletion via 23andMe’s account settings, the company states that certain information may be retained for legal compliance. Recent developments reveal a $30 million settlement reached to address the class-action lawsuit tied to the breach, which involved sensitive data of specific demographic groups.
READ THE STORY: USA Today
Russia Showcases New Supercomputer and High-Capacity Gas Turbine Amid Sanctions Pressure
Bottom Line Up Front (BLUF): Russia's Moscow State University (MGU) has unveiled one of the world’s most powerful supercomputers, purportedly ranking as the second or third globally, and its first domestically developed high-capacity gas turbine. These achievements showcase Russia’s efforts to bridge its technology gap amid Western sanctions, although questions remain regarding component sourcing and performance claims.
Analyst Comments: These developments reflect Russia's strategic push to become more self-reliant in critical technology sectors under Western sanctions. The MGU supercomputer’s reliance on imported components, possibly obtained through intermediaries, highlights Russia's ongoing challenge in sourcing advanced hardware. The gas turbine’s release is a significant step forward for Russia's energy independence, particularly since imported turbines have historically powered its grid. However, the effectiveness of these new technologies in achieving true technological sovereignty remains uncertain. If these projects succeed, they could embolden Russia’s broader push toward self-reliant technology in fields like artificial intelligence and energy.
FROM THE MEDIA: Moscow State University revealed a supercomputer that it claims ranks as the world’s second or third most powerful. Skepticism surrounds this claim, as reports suggest that MGU used rebranded Nvidia components acquired through Chinese intermediaries to circumvent sanctions. Estimated to cost RUB 2.8 billion ($28 million), the supercomputer appears to have been assembled at a fraction of the typical $280 million cost. Also this week, President Vladimir Putin presented Russia’s first domestically produced high-capacity gas turbine at the Udarnaya power station. Previously, Russia relied on imported turbines from companies like Siemens and GE, but the GTD-110M turbine, developed with Rostec and Silovye Mashiny, promises comparable performance and efficiency. Putin’s daughter, Katerina Tikhonova, a lead AI researcher at MGU, oversees research projects supported by the new supercomputer, focusing on AI with potential civilian and military applications.
READ THE STORY: bne Intellinews
Agencies Warn of Russian Government Hackers Exploiting Unpatched Vulnerabilities
Bottom Line Up Front (BLUF): U.S. and U.K. cyber agencies issued a joint advisory warning that Russian intelligence agency hackers tied to the SVR are actively exploiting unpatched software vulnerabilities. The attackers target specific organizations, such as government and defense contractors, while scanning the internet for other susceptible systems.
Analyst Comments: This advisory emphasizes a sustained Russian focus on exploiting weaknesses in widely used software, especially among critical infrastructure and technology sectors. The SVR’s “targets of opportunity” approach expands the threat landscape significantly, putting even smaller organizations at risk. The use of advanced stealth tactics, such as Tor for anonymity and dismantling infrastructure to avoid detection, suggests the SVR’s strategy is evolving. In response, targeted entities may need to enhance vulnerability management, employing proactive measures like multi-factor authentication and regular auditing.
FROM THE MEDIA: The FBI, NSA, Cyber National Mission Force, and the U.K.'s National Cyber Security Centre released a joint alert detailing recent cyber campaigns by Russian SVR hackers. Known for previous cyber espionage campaigns, the SVR is exploiting software vulnerabilities in platforms like JetBrains TeamCity and Zimbra. They have also employed social engineering tactics, using impersonation on Microsoft Teams to gain access. The advisory, an update to a similar 2021 alert, outlines how SVR is infiltrating systems for intelligence gathering and setting up access for potential supply chain attacks. Organizations are urged to disable unnecessary internet-accessible services, enforce multi-factor authentication, and monitor cloud accounts.
READ THE STORY: CyberScoop
Items of interest
Internet Archive Faces Multiple Challenges: Data Breach, DDoS Attacks, and Legal Setbacks
Bottom Line Up Front (BLUF): The Internet Archive recently experienced a major data breach affecting 31 million user accounts, along with ongoing DDoS attacks that have disrupted services. Additionally, a court ruling against its digital lending practices threatens the Archive’s ability to lend digital books, sparking discussions on cybersecurity, copyright law, and the sustainability of digital preservation efforts.
Analyst Comments: The combination of cyberattacks and legal rulings poses serious risks to the Internet Archive's operations, especially as its services remain critical to public access and historical preservation. Cyberattack tactics, including data exfiltration and DDoS disruption, indicate that these incidents are more than random disruptions; they represent targeted efforts that could undermine confidence in digital archives. This development may prompt greater scrutiny and investment in securing nonprofit digital repositories and could fuel a push to modernize copyright laws to accommodate digital preservation.
FROM THE MEDIA: On October 9, 2024, the Internet Archive suffered a significant data breach and simultaneous DDoS attack, exposing data for 31 million users, confirmed by both the Archive and Have I Been Pwned (HIBP). Hacktivist group SN_BlackMeta claimed responsibility for the DDoS attack, citing political motivations, although it denied involvement in the data breach itself. The Archive’s founder, Brewster Kahle, announced on social media that defensive measures have been implemented, though DDoS attempts have persisted. Compounding these cybersecurity threats, the Archive also lost a court battle regarding its Controlled Digital Lending (CDL) practices, which may limit its ability to lend digital content moving forward.
READ THE STORY: TC
Hackers are destroying the Internet's history book right now (Video)
FROM THE MEDIA: The Internet Archive's Wayback Machine was hit by hackers recently with DDoS attacks, a data breach, and vandalism on its website. Over 31 million accounts were compromised and the Wayback Machine has been temporarily taken offline.
The Internet Archive Situation Just Got Worse... (Video)
FROM THE MEDIA: This time we sit down to take a look at what appears to be the Internet Archive and around 500,000 books being delisted due to the legal pressures that keep mounting. What could happen next may affect preservation across the board.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.