Daily Drop (888): CN: Typhoon IO | SVR: TTP | OilRig Exploits | Evil Corp: Sanctions | CN: Cyber-Nationalism | Veeam Exploit | Open Source: Supply Chain | Claude 3.5 Vul |
10-14-24
Monday, Oct 14 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
China’s Response to US Volt Typhoon Accusations: Allegations of Disinformation and Cyber Espionage
Bottom Line Up Front (BLUF): China’s National Computer Virus Emergency Response Center has released a report accusing the US of using cyber tools to misattribute cyber espionage activities to foreign states. According to China, US agencies are leveraging a toolkit, codenamed “Marble,” to disguise cyberattacks and frame other nations, including China, as the originators of these operations.
Analyst Comments: China adds a complex layer to the cybersecurity narrative surrounding Volt Typhoon. This is part of China’s broader diplomatic strategy to counter US-led narratives about Chinese state-sponsored cyber activities. By alleging the US orchestrates “false flag” operations, China appears to challenge Western credibility on cybersecurity attribution and bolster its image as a victim of cyber-espionage framing. This counters US claims and may rally some international support, especially among nations wary of US influence in digital and communications infrastructure.
FROM THE MEDIA: State-sponsored media released its third report on the Volt Typhoon, accusing the US of cyber espionage framed to appear as foreign attacks. According to Chinese sources, the US’s "Marble" toolkit enables NSA operations to insert false language strings, misleading investigators about the origins of cyberattacks. The report also claims the US has implanted spyware in major international telecommunications networks, including submarine cables, leveraging American-made tech for espionage. China’s Ministry of Foreign Affairs stated that these actions pose a global cybersecurity threat, urging the US to cease alleged surveillance operations targeting allies and adversaries alike.
READ THE STORY: GT
U.S., U.K., and Australia Expand Sanctions Against Russian Cybercrime Group Evil Corp
Bottom Line Up Front (BLUF): On October 1, the U.S. Treasury, alongside the U.K. and Australia, imposed new sanctions against seven individuals and two entities linked to Evil Corp, a Russia-based cybercrime organization known for the Dridex malware. This trilateral action follows ongoing efforts to curtail Evil Corp's global cyber activities.
Analyst Comments: These sanctions highlight a coordinated international response to transnational cyber threats, marking a significant step in disrupting Evil Corp’s influence and resource channels. The group’s confirmed ties to Russian state actors and intelligence agencies underscore the complex relationship between cybercriminals and state interests, particularly in targeting financial institutions and critical infrastructure. This alliance among the U.S., U.K., and Australia signals increased cybersecurity cooperation and could lead to expanded international measures to further isolate state-sponsored cybercriminal networks.
FROM THE MEDIA: The U.S. Treasury announced that Maksim Yakubets, Evil Corp’s leader, and other group members had direct connections with Russian government officials, leveraging these ties to shield their activities. Evil Corp’s Dridex malware has been responsible for more than $100 million in financial losses worldwide. Yakubets allegedly holds a position at the Russian National Engineering Corporation, providing cover for his criminal operations. The U.K.'s National Crime Agency noted that sanctioned member Eduard Benderskiy, a former Federal Security Service (FSB) officer, leveraged state influence to shield the group. These coordinated sanctions come as a response to Evil Corp’s long-standing role in cyber espionage and ransomware attacks against NATO countries.
READ THE STORY: MSN
Veeam Backup Vulnerability Exploited for Akira and Fog Ransomware Attacks
Bottom Line Up Front (BLUF): Attackers are actively exploiting a critical vulnerability in Veeam Backup & Replication (CVE-2024-40711) to deploy Akira and Fog ransomware. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated remote code execution and is exploited through compromised VPN credentials. Veeam released a patch in September 2024, but attacks persist.
Analyst Comments: Exploiting this Veeam vulnerability emphasizes the ongoing risks associated with unpatched enterprise software, especially backup systems, which are prime targets for ransomware groups due to the critical data they store. VPNs without multifactor authentication also underscore a recurring security gap in organizations. With active ransomware campaigns targeting unprotected Hyper-V servers, healthcare, finance, and other critical sectors must prioritize securing backup applications, implementing multifactor authentication, and updating to patched versions.
FROM THE MEDIA: Sophos reported that attackers use compromised VPN gateways to access vulnerable instances of Veeam Backup & Replication, exploiting the flaw on URI /trigger at port 8000 to escalate privileges via Veeam.Backup.MountService.exe. This attack sequence creates a local “point” account with administrative rights, enabling ransomware deployment. Fog ransomware was found on an unprotected Hyper-V server, with data exfiltration conducted using the clone tool. NHS England issued an advisory urging organizations to secure backup systems as attackers increasingly target enterprise backup solutions. Concurrently, Unit 42 has noted the emergence of Lynx ransomware, a successor to INC ransomware, active in critical sectors across the US and UK.
READ THE STORY: THN
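The intrusion chain above ends with a local “point” account being created and granted administrative rights before ransomware is staged. The following detection logic is an added example, not code from Sophos or the article: it correlates Windows Security event 4720 (user account created) with a following 4732 (member added to a local group) on constructed, simplified log records; the host name, record fields and the 300-second window are assumptions.

```python
"""Correlate local account creation with a grant of administrative rights.

Added example, not from Sophos or the article: the chain above ends with a
local "point" account being created and given admin rights before the
ransomware is staged. On Windows that leaves Security event 4720 (user
account created) followed by 4732 (member added to a security-enabled local
group). The records and host names below are constructed and reduced to the
fields the logic uses; the 300-second window is an assumed tuning value.
"""
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (ISO-8601 timestamps).
SAMPLE_EVENTS = [
    {"time": "2024-10-10T02:14:05", "host": "BKP-VEEAM01", "event_id": 4720,
     "subject": "SYSTEM", "target_user": "point"},
    {"time": "2024-10-10T02:14:09", "host": "BKP-VEEAM01", "event_id": 4732,
     "subject": "SYSTEM", "group": "Administrators", "member": "point"},
    # Legitimate: service account created days earlier by an admin.
    {"time": "2024-10-01T09:00:00", "host": "BKP-VEEAM01", "event_id": 4720,
     "subject": "it.admin", "target_user": "svc_backup"},
    {"time": "2024-10-03T11:30:00", "host": "BKP-VEEAM01", "event_id": 4732,
     "subject": "it.admin", "group": "Administrators", "member": "svc_backup"},
    # Group change that is not an admin grant.
    {"time": "2024-10-10T02:20:00", "host": "BKP-VEEAM01", "event_id": 4732,
     "subject": "SYSTEM", "group": "Remote Desktop Users", "member": "point"},
]

def find_new_local_admins(events, window_seconds=300):
    """Accounts added to Administrators within window_seconds of creation."""
    created = {}   # (host, account) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["target_user"].lower())] = ts
        elif ev["event_id"] == 4732 and ev["group"].lower() == "administrators":
            key = (ev["host"], ev["member"].lower())
            born = created.get(key)
            if born is not None and ts - born <= timedelta(seconds=window_seconds):
                hits.append({
                    "host": ev["host"],
                    "account": ev["member"],
                    "seconds_after_creation": int((ts - born).total_seconds()),
                    "actor": ev["subject"],
                    # SYSTEM performing both steps fits a service being abused.
                    "actor_is_system": ev["subject"].upper() == "SYSTEM",
                })
    return hits

if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(hit)
```

On a backup server this pairing should be rare enough to alert on directly; the window is a tuning knob, not a threshold the report states.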
The Rise of Cyber-Nationalism in China and Its Real-World Impact
Bottom Line Up Front (BLUF): Rising cyber-nationalism in China has been linked to a series of violent incidents, including the recent killing of a Japanese schoolboy in Shenzhen, raising concerns about the spillover of online xenophobic rhetoric into real-world actions. This trend reflects a growing tension as state-endorsed patriotism mingles with grassroots nationalism.
READ THE STORY: BBC
Anthropic’s Claude 3.5 Vulnerable to Jailbreaks via Emotional Manipulation
Bottom Line Up Front (BLUF): Despite high marks for safety, Anthropic's Claude 3.5 Sonnet can be manipulated to produce harmful content when repeatedly prompted with emotionally charged language. This discovery underscores ongoing AI model safety vulnerabilities, which remain an industry-wide challenge.
Analyst Comments: The persistence of jailbreak methods, even for leading models like Claude 3.5, highlights limitations in current AI safety measures. The use of emotional language to bypass safeguards demonstrates the difficulty in designing versatile and secure AI, raising concerns for users in sensitive sectors. Anthropic’s reluctance to guarantee legal protections for researchers also dampens independent evaluation efforts. AI companies could benefit from more explicit safe harbor policies, incentivizing researchers to identify vulnerabilities without fear of reprisal.
FROM THE MEDIA: A computer science student recently demonstrated a jailbreak of Anthropic's Claude 3.5 Sonnet, bypassing safety filters to generate harmful content through emotionally charged prompts. This technique aligns with standard jailbreaking practices, according to AI researcher Daniel Kang, who notes that no major AI model is impervious to manipulation. Concerns over potential legal consequences led the student to withdraw from publicizing the findings, with his professor advising caution. While Anthropic offers a Responsible Disclosure Policy, ambiguity around “good faith” assessments could discourage necessary security research.
READ THE STORY: The Register
Supply Chain Attacks Target Entry Points in Open-Source Ecosystems
Bottom Line Up Front (BLUF): Attackers are increasingly exploiting entry points within open-source package managers like Python’s PyPI, npm, and RubyGems to conduct supply chain attacks. Using techniques like command-jacking and command-wrapping, these attacks allow malicious code to execute stealthily, posing significant risks to developers and enterprises.
Analyst Comments: This wave of supply chain attacks underlines the vulnerability of open-source ecosystems, especially as entry-point exploits can evade traditional security defenses. By embedding malicious commands and plugins in standard development tools, attackers can achieve persistent access to systems without detection. Strengthening monitoring practices for package dependencies and isolating build environments may help mitigate these threats, but additional safeguards are crucial for long-term resilience against these novel attack vectors.
FROM THE MEDIA: According to a report from Checkmarx, threat actors are exploiting entry points in open-source package ecosystems, leveraging vulnerabilities in PyPI, npm, Rust Crates, and others to execute malicious commands under the guise of popular tools. Command-jacking tactics involve creating counterfeit packages that mimic third-party tools like AWS or docker, tricking developers into installing them. More sophisticated attacks use command wrapping, where a malicious entry point executes both the attacker’s code and the intended command to evade detection. With over 512,000 malicious packages reported across open-source ecosystems since late 2023, these supply chain threats are rising dramatically.
READ THE STORY: THN
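Both techniques described in the Checkmarx item above turn on the package’s entry-point metadata: command-jacking registers a console script whose name collides with a tool developers already type, and command-wrapping makes that shim also run the real tool. The scanner below is an added example, not code from Checkmarx or the article; it parses a PyPI entry_points.txt and applies both checks. The protected-command list, the package name awscli-helper, and the sample shim are constructed.

```python
"""Flag package entry points that shadow well-known CLI commands.

Added example (not code from Checkmarx or the article): command-jacking
registers a console_scripts entry point whose name collides with a tool
developers already type (aws, docker); command-wrapping makes that shim also
run the real tool so nothing looks broken. This reads the entry_points.txt
from a wheel's metadata directory and applies both checks. The command list
and sample inputs are constructed here.
"""
import configparser
import re

# Commands worth protecting; constructed list, extend from your own PATH.
SHADOWED_COMMANDS = {
    "aws", "docker", "kubectl", "git", "pip", "python", "npm", "node",
    "terraform", "gcloud", "az", "ssh", "sudo", "curl", "ls",
}

# Constructed entry_points.txt for a hypothetical package "awscli-helper".
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
aws = awscli_helper.shim:main
awscli-helper = awscli_helper.cli:main
"""

# Constructed shim module with the shape of command-wrapping: it locates
# the genuine binary and forwards the original arguments to it.
SAMPLE_SHIM_SOURCE = '''\
import shutil, subprocess, sys

def main():
    real = shutil.which("aws", path="/usr/bin:/usr/local/bin")
    sys.exit(subprocess.call([real, *sys.argv[1:]]))
'''

def parse_entry_points(text):
    """Return {group: {name: target}} from entry_points.txt content."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # entry point names are case-sensitive
    parser.read_string(text)
    return {group: dict(parser[group]) for group in parser.sections()}

def find_command_jacking(entry_points, shadowed=SHADOWED_COMMANDS):
    """console_scripts names that collide with a protected command."""
    scripts = entry_points.get("console_scripts", {})
    return sorted((name, target) for name, target in scripts.items()
                  if name.lower() in shadowed)

def looks_like_wrapper(source, command):
    """Heuristic for command-wrapping: the shim spawns a process and names
    the very command it shadows, i.e. it forwards to the real tool."""
    spawns = re.search(r"\b(subprocess|os\.system|os\.exec\w*|shutil\.which)\b", source)
    names_it = re.search(r"[\"']%s[\"']" % re.escape(command), source)
    return bool(spawns and names_it)

if __name__ == "__main__":
    for name, target in find_command_jacking(parse_entry_points(SAMPLE_ENTRY_POINTS)):
        kind = "wrapper" if looks_like_wrapper(SAMPLE_SHIM_SOURCE, name) else "shadow"
        print(f"{name} -> {target} ({kind})")
```

Run it against the `*.dist-info/entry_points.txt` of each package in a build environment before installation; a collision with a command already on PATH is the signal, and the wrapper heuristic only adds context.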
INC Ransomware Rebrands as Lynx, Resumes Cyber Attacks with Similar Tactics
Bottom Line Up Front (BLUF): Researchers at Palo Alto’s Unit 42 report that the INC ransomware gang has rebranded as Lynx, using similar code and web-based infrastructure to target new victims. While Lynx claims not to target essential services, its approach resembles that of INC, which previously attacked public sectors, including healthcare and local governments.
Analyst Comments: The rebranding of INC as Lynx is part of a broader trend where ransomware groups modify their public personas and operating models to evade detection or reset public perception. This shift likely distances the group from past activities while maintaining technical continuity. The similarity between the Lynx and INC leak sites and significant code overlap suggests that the same operators remain active. Lynx’s professed ethical guidelines could reflect a strategic move to deflect scrutiny, but the group’s history with high-profile attacks casts doubt on these claims.
FROM THE MEDIA: Following a surge in Lynx ransomware samples since July 2024, researchers confirm a 70.8% code similarity with INC, which first appeared in October 2023. Both groups operate similar TOR and public leak sites, each with nearly identical layouts and organization. INC previously attacked healthcare and government entities, while Lynx claims it will avoid such sectors. However, INC’s online leak site remains active, and recent entries indicate continued malicious activity. Lynx’s claims of new ethical standards could be an attempt to reshape its image, though experts caution against taking such statements at face value.
READ THE STORY: The Register
NSA Updates Guidance on Russian SVR Cyber Operations and Threat Mitigation
Bottom Line Up Front (BLUF): The NSA, in collaboration with the FBI, US Cyber Command, and the UK’s NCSC, has released updated guidelines to combat cyber threats from Russia’s Foreign Intelligence Service (SVR). This joint advisory details vulnerabilities being exploited and provides mitigation recommendations to enhance cybersecurity across government and private sectors.
Analyst Comments: This advisory underscores the sophistication of SVR tactics, which continue to evolve as these actors target high-value sectors worldwide. The guidance signals an urgency for U.S. and allied network defenders to adopt more robust defenses, especially given Russia’s ongoing cyber campaigns tied to its geopolitical ambitions. The recommendation to baseline authorized devices suggests a push for more robust endpoint security, indicating that SVR actors are successfully exploiting inconsistencies in device management.
FROM THE MEDIA: In their latest joint Cybersecurity Advisory (CSA), U.S. and UK agencies detailed the Russian SVR’s tactics, including spearphishing, cloud exploitation, and sophisticated proxy use, which enable them to infiltrate networks, maintain persistence, and exfiltrate data. These cyber actors, also known as APT29 or Cozy Bear, focus on gathering intelligence from the defense, technology, and finance sectors. The NSA advises prioritizing software patches and monitoring for unauthorized devices to mitigate these risks. Since Russia invaded Ukraine, SVR operations have intensified, targeting numerous vulnerabilities across cloud and network infrastructures. The advisory also includes a list of actively exploited CVEs and suggests countermeasures to bolster security posture.
READ THE STORY: SAT NEWS
OilRig Exploits Windows Kernel Vulnerability in Espionage Campaign Across Gulf Region
Bottom Line Up Front (BLUF): The Iranian state-sponsored group OilRig (APT34) has been observed exploiting a Windows kernel vulnerability, CVE-2024-30088, to conduct espionage campaigns in the UAE and Gulf. The campaign leverages backdoors, Microsoft Exchange exploitation, and other tools to exfiltrate sensitive data and establish persistence in targeted networks.
Analyst Comments: OilRig’s campaign highlights the ongoing threat posed by state-backed cyber actors targeting geopolitically sensitive regions. Their approach, combining privilege escalation, persistent backdoors, and credential exfiltration, underscores the vulnerability of organizations using legacy systems and unpatched software. As this campaign targets critical infrastructure, it reinforces the need for timely patching and monitoring high-value assets, especially in regions with heightened geopolitical tensions.
FROM THE MEDIA: APT34, or Earth Simnavaz, has escalated its espionage activities across the Gulf, exploiting a Windows kernel vulnerability (CVE-2024-30088) patched by Microsoft in June 2024. This flaw allows the group to escalate privileges to the SYSTEM level by exploiting a race condition. OilRig deploys a backdoor called STEALHOOK to exfiltrate credentials from Microsoft Exchange servers through this vulnerability. The group uses tools like the ngrok remote management tool for persistence and the psgfilter.dll password filter for credential harvesting on domain controllers. These tactics signal OilRig’s intent to maintain a foothold within compromised networks for ongoing and future operations in the Middle East.
READ THE STORY: THN
UK Cybersecurity Shortcomings and Solutions: Insights from Gigamon’s Mark Coates
Bottom Line Up Front (BLUF): Mark Coates, VP EMEA at Gigamon, outlines critical gaps in UK cybersecurity, emphasizing the need to modernize outdated technology, secure supply chains, and adopt Zero-Trust models. Coates advocates for a more comprehensive approach to addressing these vulnerabilities, especially given the frequent targeting of critical infrastructure.
Analyst Comments: The UK’s cybersecurity challenges reflect a broader struggle among nations adapting to increasingly sophisticated cyber threats. Coates’s call for Zero Trust adoption, legacy IT modernization, and improved supply chain scrutiny highlights systemic issues that, if unaddressed, may escalate risks to critical infrastructure. Mandates on cybersecurity standards could drive significant improvement, ensuring public and private sectors align with best practices amid complex threat environments.
FROM THE MEDIA: Mark Coates paints a sobering picture of UK cybersecurity, noting widespread unpreparedness across public and private sectors. According to a recent government survey, almost half of UK businesses have experienced a cyberattack in the past year, with legacy IT systems posing a “ticking time bomb” for critical national infrastructure. Nearly a quarter of organizations in the private sector report difficulty mitigating active threats. Coates calls for the new government to prioritize two significant issues: replacing legacy systems and securing extended supply chains. He also recommends a Zero Trust framework, which limits access to essential data only, supported by secure, cohesive IT tools. Coates concludes by urging a mandate on Zero Trust to improve cybersecurity across all sectors.
READ THE STORY: Cyber Mag
Items of interest
Estonia’s Digital Revolution: Lessons in E-Governance and Cybersecurity
Bottom Line Up Front (BLUF): Estonia's digital transformation, pioneered by former President Toomas Ilves, has made it a global leader in e-governance, delivering nearly all public services online. Estonia’s model is now a benchmark for other nations, especially in cybersecurity, amid escalating cyber threats linked mainly to geopolitical tensions.
Analyst Comments: This transformation illustrates how a robust digital infrastructure strengthens national security. Facing consistent Russian cyber threats, Estonia’s segmented data approach offers a model for other nations dealing with similar challenges. Its collaboration with countries like Ukraine and Kosovo highlights a commitment to supporting global cybersecurity.
FROM THE MEDIA: Estonia’s digital journey began in the 1990s with Ilves pushing for widespread internet access and digital literacy. By 1999, public services like voting and business registration were online. This digital success, however, has also made the nation a target, with over 90 cyberattacks monthly, predominantly from Russia, since the Ukraine conflict in 2022. The segmented data model has bolstered defenses, enabling Estonia to assist 57 other countries with digital infrastructure and threat intelligence.
READ THE STORY: KOHA
Estonia | The Digital State (Video)
FROM THE MEDIA: Most states rely on paper bureaucracy to ensure that they can function and provide services. Paper bureaucracy has been part and parcel of how we maintain states and corporations since the Chinese invented the first paper bureaucracy systems of management 3000 years ago.
Why Estonia Is Becoming Europe's New Economic Powerhouse (Video)
FROM THE MEDIA: Estonia is known as the world's first digital nation, having successfully transformed its society into a fully integrated digital ecosystem known as "e-Estonia." This transformation began in the 1990s, focusing on building digital infrastructure, including secure electronic identification and internet access for all. Today, Estonians use digital IDs for nearly every aspect of life—banking, healthcare, voting, and more. The digital government model emphasizes transparency, efficiency, and security, using technologies like blockchain to ensure trust in public services and data privacy.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.