Daily Drop (893): Quantum Threats | UK: CND | Nidec: Breach | RU: Disinfo Surge | Gophish | SolarWinds: Fines | Rybar | Docker Exploits | OPA NTLM | Bumblebee: Returns | DOJ | CN: Online Oppression
10-23-24
Wednesday, Oct 23 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
Chinese Research Using Quantum System to Crack Encryption a 'Cautionary Tale'
Bottom Line Up Front (BLUF): Chinese researchers recently claimed to have used D-Wave’s quantum annealing system to attack password-based encryption, alarming parts of the IT industry. However, the attack was against a 22-bit key, a key space of roughly four million values that any laptop can exhaust in seconds, and far shorter than current standards. While the research advances the discussion of quantum threats, experts caution that it poses no immediate risk to deployed algorithms such as RSA-2048 or AES-256.
Analyst Comments: This research demonstrates quantum computing’s growing potential to disrupt encryption, yet the immediate threat to widely used cryptographic systems remains distant. Focusing on a 22-bit key highlights the limitations of quantum systems like D-Wave's, which are still far from having the power to break larger, industry-standard keys. However, the study serves as a reminder of the urgent need for post-quantum cryptography standards, as the eventual rise of more robust quantum computers could undermine today’s security frameworks.
FROM THE MEDIA: Chinese researchers reported in a May 2024 paper that they had used D-Wave’s Advantage quantum annealer to attack password-based encryption algorithms with 22-bit keys. The news sparked concern in industries that depend on encryption, such as defense and banking. Experts quickly pointed out that deployed public-key systems use far longer keys, typically 2048 or 4096 bits for RSA, so the immediate threat is negligible. The research is a cautionary tale about where quantum computing may be heading rather than evidence of an imminent break. Quantum-resistant standards, including the post-quantum algorithms NIST finalized in August 2024, are already available to counter future advances.
READ THE STORY: Security Boulevard
UK Minister Dan Jarvis Signals Stronger Cyber Defense Measures in Response to Growing Threats
Bottom Line Up Front (BLUF): UK Security Minister Dan Jarvis announced that the British government is considering all options, including reforming the Computer Misuse Act, to bolster its cyber defense capabilities. His speech at the Predict conference emphasized the increasing threat of ransomware and nation-state cyberattacks, particularly from Russia and China, targeting UK businesses, infrastructure, and institutions.
Analyst Comments: The UK’s focus on reforming the Computer Misuse Act and considering new legislative measures to address cyber threats reflects the growing sophistication of criminal and state-sponsored cyberattacks. The emphasis on ransomware and foreign cyber espionage underscores the evolving nature of cyber warfare, where government partnerships with private industries will play a critical role. The UK's stance on holding Russia and China accountable signals a robust, coordinated response to mitigate cyber risks and protect national security.
FROM THE MEDIA: During the Predict conference on October 22, 2024, Dan Jarvis outlined the UK government's commitment to tackling cyber threats through legal reforms, including revisiting the outdated Computer Misuse Act. Jarvis acknowledged the significant harm cyberattacks are causing, particularly ransomware, which is the most acute threat for UK organizations. He praised the work of cybersecurity professionals and highlighted the importance of countering state-sponsored cyberattacks, specifically naming Russia and China as significant threats. Russia, Jarvis stated, allows cybercriminals within its jurisdiction to act unchecked, while China presents a more complex, long-term challenge.
READ THE STORY: The Record
U.S. Officials Warn of Russian Disinformation Surge During Post-Election Period
Bottom Line Up Front (BLUF): The U.S. intelligence community has warned about the likelihood of a significant disinformation campaign led by Russia after the 2024 election. Officials expect Russian actors to exploit the period of vote counting and certification to sow doubt about the election’s legitimacy and to undermine confidence in democratic processes.
Analyst Comments: The post-election period represents a critical phase where disinformation campaigns can profoundly impact public perception, especially in tightly contested elections. Russia’s coordinated influence campaigns are designed to exacerbate existing political divisions, potentially destabilizing social cohesion. While these foreign efforts complement domestic misinformation, they signal a persistent threat to democratic institutions and may increase polarization or violence.
FROM THE MEDIA: U.S. intelligence officials warned of foreign disinformation campaigns, mainly from Russia, aimed at undermining the integrity of the U.S. election. Moscow is expected to amplify false claims of voter fraud and spread propaganda during the vote counting and certification phase. This includes efforts to manipulate social media, deface public-facing websites, and potentially encourage political protests or violence. Intelligence officials noted that Russia has already been involved in recruiting unwitting Americans to participate in such demonstrations, and Russia-linked actors have used fabricated content to spread false allegations against political candidates.
READ THE STORY: Cyberscoop
Phishing Campaign Leverages Gophish to Deploy DarkCrystal and PowerRAT
Bottom Line Up Front (BLUF): A new phishing campaign targeting Russian-speaking users employs the open-source Gophish toolkit to deliver two remote access trojans (RATs), DarkCrystal RAT (DCRat) and a previously undocumented one dubbed PowerRAT. The attacks use modular infection chains delivered through malicious documents and HTML files and rely on user interaction, such as enabling macros or opening an attachment, rather than on any software vulnerability.
Analyst Comments: This campaign's use of Gophish highlights how attackers co-opt open-source frameworks built for phishing-awareness training. The combination of HTML smuggling with modular trojans like PowerRAT and DCRat shows how routinely commodity tooling is stacked into a working intrusion chain. With PowerRAT still in development, the campaign may signal ongoing work to improve payloads aimed at espionage or broader exploitation, particularly in regions that rely on Russian-dominant services like Yandex and VK. Because both delivery paths require the user to open and act on the lure, blocking or sandboxing macro-enabled documents and HTML attachments at the mail gateway removes most of this campaign's reach.
FROM THE MEDIA: According to Cisco Talos researchers, a phishing campaign leveraging Gophish was uncovered on October 22, 2024. The campaign targets Russian-speaking users, delivering DarkCrystal RAT (DCRat) or the newly identified PowerRAT via malicious Microsoft Word documents and HTML files. Once a user enables macros, the infection chain begins, using a Visual Basic script to execute PowerShell-based malware. PowerRAT connects to command-and-control servers in Russia to receive further instructions. Another infection path uses JavaScript embedded in HTML files, ultimately leading to DCRat malware deployment. These trojans enable attackers to gain control of compromised systems and exfiltrate sensitive data.
READ THE STORY: THN
Four Cybersecurity Companies Fined for Misleading SolarWinds Disclosure
Bottom Line Up Front (BLUF): The Securities and Exchange Commission (SEC) has fined four cybersecurity companies, Check Point, Avaya, Unisys, and Mimecast, roughly $7 million in total for misleading disclosures about their exposure to the 2020 SolarWinds breach. The companies downplayed the cybersecurity risks they faced after Russian state-backed hackers trojanized SolarWinds’ Orion software updates.
Analyst Comments: This action reflects the SEC's growing focus on corporate accountability for cybersecurity disclosures. The fines against these companies signal that the SEC expects transparency in reporting cyber incidents, especially those that affect shareholders and the public. As cyberattacks like SolarWinds become more frequent, companies must ensure accurate and timely communication about potential risks to avoid legal consequences. This move may prompt other firms to re-evaluate their cyber risk reporting practices.
FROM THE MEDIA: The SEC announced fines totaling roughly $7 million against four cybersecurity companies, Unisys, Avaya, Check Point, and Mimecast, for downplaying the effects of the SolarWinds cyberattack. Unisys was fined $4 million, while Avaya, Check Point, and Mimecast were fined $1 million, $995,000, and $990,000, respectively. The SEC accused the companies of making “materially misleading” disclosures that minimized the true scope of the breach. The investigation found that all four had been breached during the Russian-linked SolarWinds attack but had failed to disclose the extent of the intrusions. The companies settled without admitting or denying the allegations.
READ THE STORY: The Record
U.S. Offers $10 Million Bounty for Information on Russian Propaganda Outlet Rybar
Bottom Line Up Front (BLUF): The U.S. State Department has announced a $10 million reward for information on Rybar, a Russian media organization accused of spreading divisive propaganda to influence the upcoming U.S. presidential election. Rybar, linked to Russia’s state-backed entities, has been using social media platforms to stoke political discord in the U.S.
Analyst Comments: This move is part of the U.S. government's increasing efforts to curb foreign interference in its elections, mainly from Russia, which has long been accused of using disinformation campaigns to destabilize democratic processes. Rybar's alleged activities fit within Russia's broader information warfare strategy, leveraging social media to amplify divisive issues like immigration and political polarization. The substantial reward underscores the seriousness of these efforts and reflects the growing concern about safeguarding electoral integrity.
FROM THE MEDIA: The U.S. State Department announced a reward of up to $10 million for information about the Russian propaganda outlet Rybar and its employees. Rybar, which operates multiple social media channels with more than 1.3 million followers, is accused of promoting pro-Russian and anti-Western narratives aimed at disrupting the U.S. political environment. The organization is believed to be financially backed by Russian defense entities currently under U.S. sanctions. Rybar was founded by Mikhail Zvinchuk, a former Russian military officer, and the group has been actively involved in campaigns to create societal discord in the U.S., including running platforms focused on immigration and anti-U.S. rhetoric.
READ THE STORY: Cyberscoop
Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks
Bottom Line Up Front (BLUF): Cybercriminals are exploiting exposed Docker Remote API servers to deploy the SRBMiner cryptocurrency miner, using gRPC over cleartext HTTP/2 (h2c) to slip past security controls. The attackers mine XRP in containers they create through unauthorized access to the Docker API.
Analyst Comments: This attack highlights the continuing trend of threat actors exploiting misconfigured Docker API servers to run crypto-mining operations. By speaking gRPC over h2c, attackers avoid TLS and may evade controls that inspect only HTTP/1.1 or encrypted traffic. The root cause is exposure, not a Docker flaw: the daemon should never listen on an unauthenticated TCP port (the classic tcp://0.0.0.0:2375). If remote access is required, require mutually authenticated TLS on port 2376, or keep only the Unix socket and reach it over SSH, and restrict the port at the network edge in either case. Monitoring for unexpected image pulls and container creation, along with container security best practices, is critical to detecting and mitigating such threats.
FROM THE MEDIA: According to Trend Micro, the attackers scan for public-facing Docker API servers, then use gRPC methods to drive Docker functionality, creating containers that run SRBMiner to mine XRP. To stay stealthy, they request an upgrade of the plain HTTP/1.1 connection to h2c, HTTP/2 without TLS, which security tooling may not inspect. This campaign is part of a broader trend of crypto-mining attacks, including deployments of the perfctl malware, which similarly abuses misconfigured, exposed Docker Remote APIs.
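The detection described above in working form, as an added example that is not Trend Micro's or Docker's code: it parses a request log for the two tells in this campaign, a client upgrading to cleartext HTTP/2 (h2c) and image-pull, container-create and container-start calls arriving from outside a trusted network. The simplified log format, the trusted-network list and the endpoint patterns are assumptions for this example; adapt the parser to whatever your reverse proxy or daemon debug log actually emits.

```python
"""Flag Docker Remote API traffic matching the SRBMiner campaign pattern.

Added example, not vendor code. The log lines below are constructed for this
example: <source ip> "<method> <path> <protocol>" <Upgrade header value or '-'>.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 "GET /version HTTP/1.1" -
203.0.113.9 "GET /_ping HTTP/1.1" -
203.0.113.9 "POST /v1.45/images/create?fromImage=alpine HTTP/1.1" h2c
203.0.113.9 "POST /v1.45/containers/create HTTP/2.0" h2c
203.0.113.9 "POST /v1.45/containers/abc123/start HTTP/2.0" h2c
127.0.0.1 "GET /containers/json HTTP/1.1" -
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) (\S+)" (\S+)$')

# Networks allowed to reach the API at all (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# The minimum set of API calls an intruder needs to run a miner in a container.
SENSITIVE = [
    ("POST", re.compile(r"^(?:/v[\d.]+)?/images/create")),
    ("POST", re.compile(r"^(?:/v[\d.]+)?/containers/create")),
    ("POST", re.compile(r"^(?:/v[\d.]+)?/containers/[^/]+/(?:start|exec)")),
]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, path, proto, upgrade = m.groups()
    return {"src": src, "method": method, "path": path, "proto": proto, "upgrade": upgrade}


def analyze(log_text):
    """Return {source_ip: [indicator, ...]} for every source that tripped a rule."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        # h2c is HTTP/2 without TLS. Ordinary Docker clients speak HTTP/1.1 to the
        # daemon, so an Upgrade to h2c (or an HTTP/2.0 request line) is a signal on its own.
        if req["upgrade"].lower() == "h2c" or req["proto"] == "HTTP/2.0":
            alerts[req["src"]].append(f"h2c {req['method']} {req['path']}")
        for method, pat in SENSITIVE:
            if req["method"] == method and pat.match(req["path"]) and not is_trusted(req["src"]):
                alerts[req["src"]].append(f"untrusted {method} {req['path']}")
    return dict(alerts)


def container_lifecycle_from_untrusted(alerts):
    """Sources outside the trusted networks that both created and started a container."""
    out = []
    for src, indicators in alerts.items():
        created = any(i.startswith("untrusted") and "/containers/create" in i for i in indicators)
        started = any(i.startswith("untrusted") and "/start" in i for i in indicators)
        if created and started:
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for src, indicators in found.items():
        print(src)
        for i in indicators:
            print("   ", i)
    print("container lifecycle from untrusted sources:", container_lifecycle_from_untrusted(found))
```

The daemon-side fix is configuration rather than detection: never start dockerd with -H tcp://0.0.0.0:2375; use -H tcp://0.0.0.0:2376 together with --tlsverify and client certificates, or keep only the Unix socket and reach it with DOCKER_HOST=ssh://user@host.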
READ THE STORY: THN
Russia-Linked Hackers Target Japan Amid Rising Military Tensions
Bottom Line Up Front (BLUF): In October 2024, two pro-Russian cyber threat groups, NoName057(16) and the Russian Cyber Army Team, launched a series of DDoS attacks on Japan’s government, logistics, and manufacturing sectors. The attacks followed Japan's increased defense spending and military drills with regional allies, marking a significant escalation in cyber activity aligned with geopolitical tensions.
Analyst Comments: The coordinated DDoS attacks against Japan by Russia-linked groups reflect a growing pattern of state-affiliated cyber operations that pressure geopolitical adversaries. These actions are part of Russia's broader cyber strategy to retaliate against countries supporting Ukraine, especially those involved in military escalations. While DDoS attacks are disruptive, they often serve as a precursor to more sophisticated cyber espionage or sabotage operations. As Japan continues to expand its military capabilities, it should brace for continued cyber retaliation aimed at undermining its political and economic stability.
FROM THE MEDIA: Russian-affiliated hacking groups, NoName057(16) and the Russian Cyber Army Team, initiated a series of DDoS attacks against Japanese government agencies and key industries, particularly in logistics, shipbuilding, and manufacturing. The attacks coincided with Japan’s decision to increase its defense budget and its participation in military exercises with allies, including the United States. The attacks targeted approximately 40 Japanese domains, using multiple attack vectors to maximize disruption, according to threat intelligence firm Netscout. Japan’s government has launched an investigation, with officials linking the attacks to Russia's displeasure over Japan's growing military cooperation with NATO and its support for Ukraine.
READ THE STORY: Dark Reading
Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers
Bottom Line Up Front (BLUF): A now-patched vulnerability in Styra's Open Policy Agent (OPA), tracked as CVE-2024-8260, could have allowed a remote attacker to capture a Windows user's NTLM hash by forcing the OPA process to authenticate to an attacker-controlled Server Message Block (SMB) share. The captured hash could then be relayed to other services or cracked offline to recover the password.
Analyst Comments: This flaw highlights the persistent exposure of NTLM-based authentication to relay and cracking attacks, which remain a real concern despite efforts to phase out NTLM in favor of Kerberos. As open-source components like OPA become integral to modern infrastructure, careful input validation (rejecting UNC and other remote path forms wherever only local files are expected) and minimizing public exposure of such services are essential to reducing attack surface. On the Windows side, blocking outbound SMB (TCP 445) at the perimeter, enforcing SMB signing, and disabling NTLM where feasible blunt this entire class of forced-authentication bugs.
FROM THE MEDIA: Researchers at Tenable disclosed a vulnerability in Styra’s Open Policy Agent (OPA) that allowed NTLM hashes to be leaked to remote servers. The flaw, present in OPA's CLI and Go SDK on Windows, stemmed from improper input validation: a file argument supplied as a Universal Naming Convention (UNC) path of the form \\server\share\file was accepted and opened, which makes Windows authenticate to that server over SMB. An attacker who could influence the path thereby received the user's NTLM hash for offline cracking or relay attacks. The issue, discovered in June 2024, was patched in OPA version 0.68.0 in August 2024. It comes amid broader concern about NTLM's ongoing risks, which Microsoft plans to address by phasing the protocol out.
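The input-validation gap behind this bug class, with the vulnerable loader beside a hardened one, as an added example that is neither OPA's code nor Tenable's proof of concept. It assumes a loader that only ever needs local policy files; the function names, the policy-root confinement and the sample inputs are this example's own. PureWindowsPath parses Windows path syntax on any operating system, so the checks and the demo run on Linux as well.

```python
"""Guarding file arguments against forced SMB authentication (the bug class
behind CVE-2024-8260). Added example, not OPA's fix.

On Windows, opening \\attacker\share\policy.rego makes the OS authenticate to
'attacker' over SMB and hand over the user's NTLM hash, so a loader that only
expects local files must refuse remote path forms before touching the filesystem.
"""
import tempfile
from pathlib import Path, PureWindowsPath


class UnsafePathError(ValueError):
    """Raised for any path that could cause a network access."""


def is_remote_path(path_str):
    """True for UNC paths in any spelling, and for URL forms that name a host."""
    p = path_str.strip()
    # \\host\share, //host/share, \\?\UNC\host\share, file://host/share, smb://...
    if p.lower().startswith(("file:", "smb:", "\\\\", "//")):
        return True
    # Belt and braces: let pathlib recognise a UNC "drive" such as \\host\share.
    return PureWindowsPath(p).drive.startswith("\\\\")


def load_policy_unsafe(path_str):
    """Vulnerable pattern: whatever the caller passed is opened as-is."""
    return Path(path_str).read_text()


def load_policy_safe(path_str, policy_root):
    """Hardened loader: reject remote forms, then confine reads to policy_root."""
    if is_remote_path(path_str):
        raise UnsafePathError(f"refusing remote path: {path_str!r}")
    root = Path(policy_root).resolve()
    target = (root / path_str).resolve()  # an absolute path_str replaces root here
    if target != root and root not in target.parents:
        raise UnsafePathError(f"path escapes policy root: {path_str!r}")
    return target.read_text()


def demo():
    """Exercise the safe loader on constructed inputs; returns {input: outcome}."""
    root = tempfile.mkdtemp()
    (Path(root) / "policy.rego").write_text("package authz")
    cases = [
        "policy.rego",
        r"\\attacker\share\policy.rego",
        "//attacker/share/policy.rego",
        r"\\?\UNC\attacker\share\policy.rego",
        "file://attacker/share/policy.rego",
        "../../../etc/hostname",
    ]
    results = {}
    for case in cases:
        try:
            results[case] = "loaded:" + load_policy_safe(case, root)
        except UnsafePathError as exc:
            results[case] = "rejected:" + str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case!r:45} -> {outcome}")
```

Rejecting every file: URL is deliberately conservative (a file:///C:/... form is local); if a loader must accept URLs, parse them and allow only an empty or localhost host component.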
READ THE STORY: THN
Nidec Confirms Ransomware Attack Exposed Sensitive Data Online
Bottom Line Up Front (BLUF): Nidec Corporation, a leading manufacturer of electric motors, confirmed a ransomware attack in June 2024 that exposed sensitive company data on the dark web. While the attackers did not encrypt the company's systems, they stole and later leaked nearly 51,000 files containing confidential documents. Two ransomware groups, 8BASE and Everest, are believed to be involved.
Analyst Comments: This attack underscores a growing trend in which cybercriminals focus on data theft and extortion rather than encrypting systems. Nidec’s refusal to pay likely led to the stolen data being passed between threat groups, illustrating how modern ransomware actors cooperate and trade access. That the attackers got in with stolen VPN credentials again highlights the value of strong access controls for remote access: multi-factor authentication on every VPN account and prompt revocation of credentials that turn up in infostealer dumps.
FROM THE MEDIA: Nidec Corporation reported a data breach in June 2024 after its subsidiary, Nidec Precision, suffered a ransomware attack. Hackers obtained sensitive information, including business documents, contracts, and safety policies, by using stolen VPN credentials from an employee. While no encryption was applied to the company's systems, nearly 51,000 files were stolen. Initially, ransomware group 8BASE claimed responsibility, accusing the company of underreporting the extent of the breach. After a failed extortion attempt, another group, Everest, leaked the stolen data on the dark web. Despite multiple threats, Nidec did not pay a ransom.
READ THE STORY: MSN
Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies
Bottom Line Up Front (BLUF): The Bumblebee and Latrodectus malware families have resurfaced in new phishing campaigns following disruptions caused by law enforcement's "Operation Endgame." These malware loaders are being used to steal sensitive data and deploy further malicious payloads on compromised systems, focusing on sectors such as finance and business.
Analyst Comments: The return of Bumblebee and Latrodectus indicates a persistent evolution in malware techniques despite previous takedown efforts. Both malware families now employ more sophisticated phishing methods, such as hijacked email threads and impersonating well-known cloud services. These campaigns represent a significant threat to organizations, as they leverage stealth techniques like fileless execution to avoid detection. Organizations should reinforce their phishing defenses, especially around email filtering and user awareness.
FROM THE MEDIA: In the wake of the May 2024 Operation Endgame, which disrupted several malware families including IcedID and Bumblebee, both Bumblebee and Latrodectus have resurfaced. Latrodectus, linked to the IcedID family, is being used by the initial access brokers TA577 and TA578 in phishing campaigns built on hijacked email threads. The phishing emails often impersonate legitimate services such as Microsoft Azure and Google Cloud to trick recipients into downloading malicious files. Bumblebee’s new infection chain starts with a ZIP archive containing a malicious LNK shortcut and delivers the payload without writing it to disk: rather than spawning new processes, it loads the final payload DLL in memory and executes it there.
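Attachment triage for the delivery tricks in this story and in the Gophish item above: HTML smuggling (a script that decodes an embedded blob and saves it as a file), macro-enabled Office documents, and ZIP archives carrying Windows shortcut (.lnk) files. This is an added example, not Cisco Talos', Netskope's or any vendor's detection logic; the indicator patterns and thresholds are heuristics chosen for this example, and every sample attachment is constructed in memory.

```python
"""Mail-attachment triage heuristics. Added example, not vendor code.
All sample files are constructed below; none is real malware."""
import io
import re
import zipfile

# JavaScript building blocks of HTML smuggling: decode base64, wrap it in a
# Blob, turn that into an object URL and trigger a download.
SMUGGLING_PATTERNS = {
    "atob": re.compile(r"\batob\s*\(", re.I),
    "blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "object-url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download": re.compile(r"msSaveOrOpenBlob|\.download\s*=", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")  # embedded payload, most likely
MIN_SMUGGLING_HITS = 3  # threshold chosen for this example
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
RISKY_IN_ARCHIVE = (".lnk", ".js", ".jse", ".vbs", ".hta", ".iso", ".img", ".exe", ".dll")


def scan_html(data):
    text = data.decode("utf-8", errors="replace")
    hits = [name for name, pat in SMUGGLING_PATTERNS.items() if pat.search(text)]
    if BASE64_BLOB.search(text):
        hits.append("large-base64-blob")
    # A lone atob() is common in benign pages; require payload plus download machinery.
    return hits if len(hits) >= MIN_SMUGGLING_HITS else []


def scan_zip(data):
    """Covers .zip as well as .docx/.xlsx, which are ZIP containers."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    hits = ["office-macro"] if any(n.endswith("vbaProject.bin") for n in names) else []
    hits += ["risky-member:" + n for n in names if n.lower().endswith(RISKY_IN_ARCHIVE)]
    return hits


def triage(filename, data):
    """Return indicator strings; an empty list means nothing suspicious was found."""
    if filename.lower().endswith((".html", ".htm")):
        return scan_html(data)
    if data[:2] == b"PK":
        return scan_zip(data)
    if data[:8] == OLE_MAGIC:
        return ["legacy-ole-office"]  # needs an OLE/VBA parser to confirm macros
    return []


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed attachments for the demo."""
    payload = "QUJD" * 600  # 2400 characters of base64-looking filler
    smuggled = (
        "<html><body><script>"
        f"var b=atob('{payload}');var u=new Uint8Array(b.length);"
        "var blob=new Blob([u],{type:'application/octet-stream'});"
        "var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
        "a.download='invoice.zip';a.click();</script></body></html>"
    ).encode()
    benign = b"<html><body><p>Quarterly report attached.</p></body></html>"
    macro_docx = _zip_bytes({"[Content_Types].xml": "<Types/>",
                             "word/document.xml": "<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 16})
    lnk_zip = _zip_bytes({"invoice.lnk": b"L\x00\x00\x00", "readme.txt": "open me"})
    return {"smuggled.html": smuggled, "benign.html": benign,
            "report.docx": macro_docx, "invoice.zip": lnk_zip}


def run_demo():
    return {name: triage(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:15} {'SUSPICIOUS' if hits else 'clean':10} {hits}")
```

These are gateway-side heuristics, not a replacement for detonation: a smuggled payload can be obfuscated past any regex, so treat a hit as a reason to sandbox or quarantine, and treat an archive member ending in .lnk as hostile regardless of what else the scan finds.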
READ THE STORY: THN
China Cracks Down on Puns and Memes to Tighten Online Censorship
Bottom Line Up Front (BLUF): China's internet regulators have intensified efforts to control online speech by targeting puns, homophones, and memes used by citizens to discuss sensitive topics under the guise of humor. The campaign, part of the ongoing "clear and bright" initiative, seeks to eliminate "irregular and uncivilized" language from the internet, further tightening the country's strict censorship practices.
Analyst Comments: This crackdown on puns and wordplay underscores the Chinese government's constant struggle to suppress dissent and control discourse. By targeting creative methods like homophones and memes, often used by citizens to sidestep direct censorship, China aims to curtail even subtle forms of criticism. This move may signal heightened state efforts to preemptively address emerging ways of challenging authority, but it could also drive citizens to find ever more inventive means of expressing dissent.
FROM THE MEDIA: Chinese regulators announced a new campaign aimed at clamping down on internet puns and memes. The Cyberspace Administration of China, along with the Ministry of Education, is focusing on curbing "irregular and uncivilised" language, including homophones that allow users to critique sensitive topics without detection. Puns like using "paratrooper" as a substitute for "idiot" are popular strategies to evade censorship, as well as using indirect references to President Xi Jinping, such as comparisons to Winnie the Pooh. Authorities have signaled that even benign-sounding wordplay will be targeted, part of broader efforts to maintain ideological control online.
READ THE STORY: The Guardian
DOJ Proposes Rule to Curb Overseas Sale of Americans’ Sensitive Data
Bottom Line Up Front (BLUF): The U.S. Department of Justice (DOJ) proposed new regulations restricting the sale of sensitive personal data to adversarial nations such as China, Russia, and Iran. This rule aims to prevent the sale of bulk data categories like geolocation, health information, and biometric data to reduce national security risks. It also imposes security requirements on companies handling such data, especially when third-party vendors or foreign nationals are involved.
Analyst Comments: This proposed rule is an important step toward safeguarding sensitive American data from misuse by adversarial nations, reflecting growing concern about data privacy and national security. As adversaries increasingly exploit personal data for espionage and targeting, the regulation could set a precedent for stricter data-protection standards elsewhere. The rule may nonetheless face challenges in balancing national security with the free flow of data in a globalized economy.
FROM THE MEDIA: DOJ formally introduced new regulations to curb the sale of sensitive U.S. personal data to foreign adversaries. The rule bans the transfer of data categories such as Social Security numbers, health records, and biometric data to countries including China, Russia, and North Korea. Companies handling this data must comply with cybersecurity standards set by the Cybersecurity and Infrastructure Security Agency (CISA) and NIST. Exemptions are provided for clinical trials and telecom services, but any company transacting with these nations must meet strict reporting and compliance requirements. The move follows growing concern over how adversarial nations could use Americans' data for espionage and other malicious purposes.
READ THE STORY: Cyberscoop
Items of interest
Quantum Annealing Poses Growing Threat to Cryptographic Standards
Bottom Line Up Front (BLUF): D-Wave's quantum annealing technology, employed in recent research by Chinese scientists, shows potential in breaking lightweight symmetric encryption ciphers, such as PRESENT and GIFT-64, outperforming classical methods. While the technology has yet to crack high-level encryption like RSA-1024, ongoing advances highlight the increasing risk quantum systems pose to traditional cryptographic frameworks.
Analyst Comments: The progress in quantum annealing, particularly in attacking symmetric ciphers, signals a notable shift in cryptographic vulnerabilities. D-Wave’s technology is optimized to solve complex optimization problems, including specific cryptographic attacks. Although still constrained by hardware and algorithm limitations, further developments could extend these techniques to more secure encryption algorithms, such as AES. Governments and institutions must accelerate the development of quantum-resistant encryption standards to avoid these emerging threats.
FROM THE MEDIA: A paper by Chinese researchers, initially published in the Chinese Journal of Computers and later withdrawn, demonstrated the use of D-Wave’s quantum annealing hardware to attack lightweight symmetric block ciphers. The research achieved practical attacks on ciphers such as PRESENT and GIFT-64 by encoding the key search as an optimization problem and relying on quantum tunneling to explore it. The annealer outperformed classical heuristics such as simulated annealing, reducing solution times from hundreds of seconds to just over two seconds. Although the attack was limited to these small lightweight ciphers and cannot touch standard ciphers such as AES, the advance points to the growing capability of quantum hardware to disrupt current cryptographic practice.
READ THE STORY: Natto Thoughts
Quantum Optimization: Real-World Commercial Success Stories (Video)
FROM THE MEDIA: Exponential growth of the direct-to-consumer genetic testing (DTC-GT) industry has led to vast, privately owned datasets containing individual-level genetic measures. Global companies, such as Spotify and AirBnB, have already partnered with DTC-GT companies and started incorporating genetic data into their business strategies.
RSA Encryption Cracked using Quantum in China, Clorox Behind on Plastic Reduction (Video)
FROM THE MEDIA: In today's episode, we discuss groundbreaking research from Chinese scientists who demonstrated that D-Wave’s quantum computers can break RSA encryption and threaten widely used cryptographic methods, emphasizing the urgency for quantum-safe solutions. We also cover the aftermath of a significant cyberattack on Clorox, which has impacted its sustainability goals. We also analyze a report from Checkmarx detailing "command jacking" vulnerabilities in open-source packages, highlighting the need for robust security measures in software development. Join us as we unpack these critical cybersecurity developments and their implications for businesses and the future of data protection.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.