Daily Drop (901): CN: Sophos | Quad7 Botnet | LummaC2 & Rhadamanthys | SSU | ASA (Aria Sepehr Ayandehsazan) | NSO Group | Skydio | Xiū gǒu Phishing Kit | SearchGPT | CCP: Meta's Llama 13B Use
11-02-24
Saturday, Nov 02 2024 // (IG): BB // ScraperDaddy // Cloud Email Harvester
Inside a Firewall Vendor's 5-Year War With Chinese Hackers
Bottom Line Up Front (BLUF): Over the past five years, Sophos, a UK cybersecurity firm, has battled with Chinese hackers targeting its firewall devices. This conflict highlights ongoing vulnerabilities in network security appliances that adversaries exploit for intrusion. Sophos' findings indicate a broader network of Chinese exploit researchers supplying state-sponsored hacking groups with developed techniques.
Analyst Comments: This case emphasizes the dual challenge facing cybersecurity firms: securing their products from being used as entry points for hackers and addressing state-backed cyber threats. The revelations of how a network of researchers tied to Chinese academic and contracting entities in Chengdu supplied vulnerabilities to state-linked actors demonstrate China’s strategic use of its cybersecurity ecosystem. This underscores the critical importance of patching and retiring end-of-life products to prevent exploitation. Transparency in cybersecurity practices, as shown by Sophos' proactive disclosures, may become essential in maintaining industry trust and fortifying defenses against state-backed adversaries.
FROM THE MEDIA: Sophos detailed its years-long defense against hacking campaigns traced to a network in Chengdu, China, which tested vulnerabilities on company devices and developed malware, including an advanced "bootkit." These campaigns shifted from broad infections to more targeted strikes against sensitive sectors, such as military and government agencies in Asia and beyond. Sophos collaborated with law enforcement and integrated surveillance measures into compromised devices to preempt hacker activities, a rare counter-offensive approach in the industry. The firm discovered that Chinese hackers have exploited zero-day and legacy vulnerabilities, highlighting users' need to update and decommission outdated appliances.
READ THE STORY: Wired
Microsoft Alerts on Chinese Botnet Exploiting Router Flaws for Credential Theft
Bottom Line Up Front (BLUF): Microsoft has identified a Chinese-linked botnet, Quad7 (CovertNetwork-1658), targeting SOHO routers and VPNs to conduct widespread password spray attacks against organizations in North America and Europe. The botnet aims to steal Microsoft 365 credentials and enable follow-on cyber exploits.
Analyst Comments: The Quad7 botnet's use of vulnerable SOHO routers underlines the importance of securing edge devices in an organization's network. This threat highlights how state-sponsored actors leverage sophisticated infrastructure for rapid credential compromise, resulting in potential data exfiltration and lateral movement within networks. The findings emphasize the need for continuous security monitoring, patch management, and robust identity protection strategies to thwart such attacks.
FROM THE MEDIA: Active since at least 2021, the botnet has been controlled by the threat actor Storm-0940, which Microsoft assessed as operating from China. Quad7 exploits known and potentially new vulnerabilities in routers from brands like TP-Link, D-Link, and NETGEAR. The botnet has shown high evasiveness, with compromised routers opening TCP port 7777 for remote access. Microsoft noted that only a tiny fraction of the 8,000 active devices in the botnet conduct password spraying at any given time, so per-source lockout thresholds are rarely reached. However, the scale and the operational hand-off between botnet operators and state-sponsored actors enable rapid compromises across multiple sectors.
READ THE STORY: THN
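As an added illustration of the detection problem the Quad7 story describes (this is not code from Microsoft or the original reporting), the following Python sketch buckets failed sign-ins into fixed windows and flags windows where many accounts are hit from many source addresses with only one or two attempts each, the pattern a single-source lockout rule misses. The log format, the sample addresses and the thresholds are assumptions.

```python
"""Toy detector for distributed, low-and-slow password spraying of the kind
described for Quad7/CovertNetwork-1658: many compromised routers, each making
only one or two sign-in attempts, that together cover many accounts."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (not real telemetry): time, account, source IP, outcome.
SAMPLE_LOG = """\
2024-11-01T08:00:01Z alice@example.com 198.51.100.10 FAIL
2024-11-01T08:00:40Z bob@example.com 198.51.100.23 FAIL
2024-11-01T08:01:12Z carol@example.com 203.0.113.7 FAIL
2024-11-01T08:02:05Z dave@example.com 203.0.113.55 FAIL
2024-11-01T08:03:33Z erin@example.com 198.51.100.77 FAIL
2024-11-01T08:04:50Z frank@example.com 203.0.113.91 FAIL
2024-11-01T08:05:02Z alice@example.com 192.0.2.5 SUCCESS
2024-11-01T09:30:00Z bob@example.com 192.0.2.5 FAIL
2024-11-01T09:31:00Z bob@example.com 192.0.2.5 FAIL
2024-11-01T09:32:00Z bob@example.com 192.0.2.5 SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": parts[1], "ip": parts[2], "ok": parts[3] == "SUCCESS"})
    return events


def detect_spray(events, window_s=3600, min_accounts=5, min_sources=5, max_per_source=2):
    """Flag windows where failed sign-ins touch many distinct accounts from many
    distinct sources while every source stays under a per-IP attempt threshold.
    Thresholds are assumed values; tune them to the tenant's normal failure rate."""
    buckets = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            buckets[int(ev["ts"].timestamp()) // window_s].append(ev)
    findings = []
    for key in sorted(buckets):
        evs = buckets[key]
        users = {e["user"] for e in evs}
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e["ip"]] += 1
        if (len(users) >= min_accounts and len(per_ip) >= min_sources
                and max(per_ip.values()) <= max_per_source):
            findings.append({
                "window_start": datetime.fromtimestamp(key * window_s, timezone.utc).isoformat(),
                "accounts": len(users),
                "sources": len(per_ip),
                "max_attempts_per_source": max(per_ip.values()),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_events(SAMPLE_LOG)):
        print("possible distributed password spray:", finding)
```

The second hour in the sample (one address retrying one account) is deliberately not flagged; it is the classic single-source case that existing lockout rules already cover.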
The Hidden Risks in Telecom Networks and Safeguarding Your Organization
Bottom Line Up Front (BLUF): Recent telecom breaches have exposed vulnerabilities exploited by nation-state hackers to intercept communications and collect metadata. This incident highlights the need for organizations to implement secure communication measures to protect against espionage and unauthorized access.
Analyst Comments: The ongoing espionage campaign attributed to Chinese government-linked actors underscores the urgency for advanced security measures in telecommunications. With the rise in geopolitical tensions, organizations must ensure robust security protocols are in place. Exposure to metadata and real-time communication tracking poses serious risks, including identity spoofing, targeted surveillance, and blackmail. Solutions like encrypted communication platforms are now vital for governments, corporations, and political entities seeking to safeguard their operations.
FROM THE MEDIA: Chinese state-sponsored hackers have been implicated in targeting major telecom networks, compromising calls, SMS, and metadata from high-profile U.S. political figures and campaign officials. Public telecom networks, designed for broad reachability, often lack stringent identity validation, making them susceptible to interception. The breaches allow threat actors to build comprehensive communication profiles and potentially conduct real-time monitoring. This scenario exacerbates risks associated with identity spoofing and intelligence gathering, creating opportunities for exploitation and blackmail.
READ THE STORY: Blackberry
Malware Operators Use Copyright Notices to Lure in Businesses
Bottom Line Up Front (BLUF): Cybercriminals use sophisticated phishing emails disguised as copyright infringement notices to infect businesses with info-stealing malware. This campaign, observed in Taiwan, uses decoy PDFs and thorough research to trick victims, leading to data theft.
Analyst Comments: The strategy of leveraging fake legal claims shows a keen understanding by attackers of social engineering and the business environment. The use of real company names adds credibility to their phishing attempts. Such tactics exploit trust and demonstrate how adversaries refine methods to bypass security awareness. The malware's identification as LummaC2 and Rhadamanthys—known for credential theft—indicates ongoing availability and use of potent tools from dark web sources. Businesses must bolster their defense with improved email filtering, user education, and endpoint protection.
FROM THE MEDIA: Cisco Talos researchers have detailed an attack aimed at businesses in Taiwan, where phishing emails present themselves as legal notices from copyright holders. The emails include malicious RAR file attachments disguised as PDFs. Once extracted and executed, the payload directs victims through multiple redirections, infecting them with info-stealing malware. The use of reputable company names and sophisticated obfuscation techniques complicates attribution and detection efforts.
READ THE STORY: SCMAG
Inside Iran's Cyber Playbook: AI, Fake Hosting, and Psychological Warfare
Bottom Line Up Front (BLUF): A joint advisory from U.S. and Israeli cybersecurity agencies has attributed sophisticated cyber operations targeting the 2024 Summer Olympics and other activities to the Iranian-backed group Emennet Pasargad, operating as ASA (Aria Sepehr Ayandehsazan). Their tactics included digital infrastructure exploitation, AI-enhanced propaganda, and psychological operations.
Analyst Comments: The recent attribution of these operations highlights the evolving nature of state-sponsored cyber warfare, where traditional espionage and psychological influence converge. ASA’s use of advanced tools like AI for voice and image manipulation points to a strategic shift toward leveraging emerging technologies for broader propaganda campaigns. Targeting international sporting events and family members of conflict-affected individuals suggests an aggressive effort to unsettle adversaries beyond conventional cyberattacks. These actions could provoke retaliatory measures and tighten international scrutiny of Iran’s cyber capabilities.
FROM THE MEDIA: The advisory reveals that since mid-2024, ASA has utilized cover names and hosting providers like Server-Speed and VPS-Agent for obfuscation and operational needs. This included partnerships with European companies such as BAcloud (Lithuania) and PQ Hosting (UK/Moldova). In July 2024, ASA compromised a French display provider to broadcast anti-Israel messages during the Summer Olympics. ASA's multifaceted efforts extended to intelligence gathering on Israeli military personnel via platforms like knowem.com and facecheck.id. Domains linked to ASA’s operations, including vps-agent[.]net and cybercourt.io, have been seized in a law enforcement effort led by the FBI and SDNY.
READ THE STORY: THN
SSU Detains CEO in Kharkiv for Assisting Russian Military Satellite Operations
Bottom Line Up Front (BLUF): Ukrainian security services have detained a Kharkiv-based CEO for aiding Russia's military and space forces by facilitating reconnaissance satellite operations. The suspect provided access and coordinated with Roscosmos to assist in calibrating Russian satellites used for military intelligence and targeting.
Analyst Comments: This arrest underscores Ukraine’s heightened internal security measures amid ongoing conflicts with Russia. The suspect’s involvement in military satellite assistance demonstrates how seemingly civilian roles can be exploited for strategic military purposes. This incident highlights the challenges faced by Ukraine in monitoring and neutralizing domestic actors who may collaborate with aggressor states. It also points to broader concerns about corporate complicity in geopolitical conflicts.
FROM THE MEDIA: The Security Service of Ukraine (SSU) announced the detention of a 47-year-old Kharkiv resident, CEO of a Russian-linked company, for collaborating with the Russian military to calibrate reconnaissance satellites, including Condor-FKA and Obzor-R models. These satellites aid in locating Ukrainian Defense Forces, directing enemy fire, and conducting surveillance. The suspect, who previously resided in Russia and participated in a Kremlin-sponsored resettlement program, managed communications and agreements with Roscosmos through emails and encrypted chat apps. Law enforcement seized documents, Russian passports, and digital evidence, along with over UAH 10 million, believed to be payment for his assistance. The individual is charged with aiding an aggressor state and faces up to 12 years in prison if convicted.
READ THE STORY: Censor
Legal Battles Highlight Challenges for Spyware Victims Seeking Justice
Bottom Line Up Front (BLUF): Legal action against spyware manufacturers like NSO Group remains challenging due to jurisdictional hurdles, sovereign immunity laws, and strategic delays. While there have been successful cases, the path for victims seeking justice is often complicated and prolonged.
Analyst Comments: The spyware industry, represented by companies like NSO Group, has proven adept at leveraging legal protections and procedural tactics to avoid accountability. Recent developments show both progress and setbacks for plaintiffs, suggesting that while some cases, such as those involving Meta and U.K. courts, show potential, broader legal reform may be needed to strengthen avenues for justice. High-profile cases like Hanan Elatr’s highlight how complex and fraught litigation against spyware firms can be, emphasizing the need for coordinated international efforts to curb the misuse of surveillance technology.
FROM THE MEDIA: Despite the challenges, efforts to hold spyware manufacturers accountable continue, exemplified by Meta's legal push against NSO Group, which involved Supreme Court rulings mandating disclosure of source code. Cases against NSO in the U.S. have faced obstacles, such as dismissal under the 1976 Foreign Sovereign Immunities Act, which protects foreign governments. The industry’s response, including strategic document withholding by Israel, has further complicated litigation. However, recent favorable rulings in U.K. courts against Bahrain and Saudi Arabia signal some progress, as do potential claims under the Alien Tort Statute for human rights abuses.
READ THE STORY: Cyber Scoop
Skydio Implements Temporary Battery Rationing Amid Chinese Sanctions
Bottom Line Up Front (BLUF): U.S. drone manufacturer Skydio is rationing batteries following Chinese sanctions that are impacting its supply chain. The sanctions were triggered by Skydio’s sale of drones to Taiwan’s National Fire Agency, reflecting China's growing use of supply chain control as a geopolitical tool.
Analyst Comments: This situation underscores the vulnerabilities faced by U.S. technology firms reliant on Chinese components, even amid efforts to diversify. The drone industry's supply chain issues are a microcosm of broader national security concerns, particularly as China seeks leverage through economic measures. Skydio's proactive measures—limiting batteries to “one per drone” and pledging extended customer support—demonstrate an industry shift towards resilience. However, this incident could accelerate legislative and corporate pushes for domestic production capabilities in critical sectors like drones.
FROM THE MEDIA: Skydio's CEO, Adam Bry, confirmed the temporary battery rationing in response to Chinese sanctions after Skydio sold drones to Taiwan. The sanctions have constrained the company's ability to source essential battery components, a dependency Skydio had not yet fully relocated outside China. Skydio reassured customers of its substantial current stock and of efforts to find alternative battery suppliers, which are expected to be operational by spring 2025. The company emphasized cooperation with other Western manufacturers to foster supply chain independence from China, pointing to this disruption as a pivotal moment for the industry.
READ THE STORY: Drone Life
OpenAI Launches Enhanced Search Feature in ChatGPT
Bottom Line Up Front (BLUF): OpenAI has introduced a new search function integrated within its ChatGPT platform, enabling users to access real-time information online. This move positions OpenAI more directly against major search competitors like Google and Microsoft Bing.
Analyst Comments: This development represents a strategic expansion by OpenAI, emphasizing the growing convergence between AI language models and search capabilities. By incorporating a search function, ChatGPT enhances its utility as an all-in-one tool for real-time knowledge retrieval, potentially increasing its appeal among users seeking accurate, current data. OpenAI’s partnerships with media outlets and its new search function could disrupt traditional search engine usage patterns and push the AI landscape towards more dynamic information delivery systems.
FROM THE MEDIA: OpenAI announced the addition of a search capability to ChatGPT, set to be available initially for Plus and Team users, with future rollouts for enterprise, educational, and free-tier customers. The search tool uses a refined version of OpenAI’s GPT-4 model and partners with third-party search providers to offer timely answers and source links. This follows OpenAI’s trial of "SearchGPT," a prototype search engine, in 2024. The company has secured content deals with prominent publishers, such as Condé Nast and Time, to bolster the quality and range of information accessible through ChatGPT.
READ THE STORY: Reuters
Biden Administration Nears Completion of Second Cybersecurity Executive Order
Bottom Line Up Front (BLUF): The White House is finalizing a second cybersecurity executive order set to address AI integration, cloud security, access management, post-quantum cryptography, and secure software practices. This order builds on President Biden’s first comprehensive cybersecurity directive, responding to evolving cyber threats and technological advancements.
Analyst Comments: This upcoming executive order signifies a continued emphasis on adapting federal cybersecurity policy to meet modern challenges, particularly the rapid emergence of AI and its potential in defense and offense. By incorporating AI pilot programs and reinforcing software security postures, the administration aims to bolster national defenses against sophisticated cyber threats. The potential hurdles include ensuring adequate funding and aligning with the incoming administration's policies, which may impact the long-term execution of these initiatives.
FROM THE MEDIA: Sources indicate that the draft order has passed the interagency review and could be signed by December. The focus areas include pilot programs for AI-driven cyber defense, updates to cloud security standards under FedRAMP, and mandates for secure software attestations to boost transparency and compliance. This follows lessons learned from incidents such as the SolarWinds breach and a Chinese exploit involving Microsoft’s cloud services. The order will also enhance federal identity credentialing systems and build on recent NIST standards for post-quantum cryptography. Anne Neuberger, deputy national security adviser for cyber, has highlighted the integration of AI to advance secure coding and vulnerability management.
READ THE STORY: Cyber Scoop
New Xiū gǒu Phishing Kit Targets Five Countries, Utilizes 2,000 Fake Sites
Bottom Line Up Front (BLUF): A newly discovered phishing kit named Xiū gǒu has been deployed across campaigns in Australia, Japan, Spain, the U.K., and the U.S., leveraging advanced obfuscation and RCS messages to evade detection and steal sensitive information.
Analyst Comments: Xiū gǒu reflects the evolving landscape of phishing attacks, where cybercriminals now use advanced kits that lower the skill threshold for launching widespread campaigns. The involvement of cloud-based services and new messaging protocols like RCS highlights a shift in attackers' methods to bypass traditional defenses. Organizations must bolster their defenses with anti-phishing measures, including employee training and robust endpoint protection.
FROM THE MEDIA: According to Netcraft, the Xiū gǒu phishing kit has been used since at least September 2024, targeting public services and banking sectors. The kit, managed by Chinese-speaking threat actors and built with Golang and Vue.js, relies on Cloudflare-hosted infrastructure for obfuscation and routes stolen data to the operators via Telegram. The attacks trick victims with RCS messages about fake fines or package issues, leading them to phishing sites. Google has enhanced scam detection in response to these threats, piloting new features like automatic message hiding for suspicious senders in select regions.
READ THE STORY: THN
Items of interest
Chinese Military Adapts Meta's Llama Model for AI Development
Bottom Line Up Front (BLUF): Chinese researchers linked to the People's Liberation Army (PLA) have repurposed Meta's open-source Llama AI model to develop military applications, including intelligence analysis and operational decision support. Meta acknowledges the misuse but highlights limited enforcement capabilities over open-source content.
Analyst Comments: This development underscores the strategic use of open-source AI by military-linked institutions in China, indicating a potential loophole in global tech governance. The PLA's adaptation of the Llama model suggests an approach to harness foreign-developed AI without direct collaboration, raising questions about the balance between open innovation and national security. As China accelerates its pursuit of AI dominance, these practices could intensify scrutiny over the policies of U.S. tech firms and lead to stricter controls.
FROM THE MEDIA: In mid-2024, Chinese researchers, including those from the PLA's Academy of Military Science, leveraged Meta's Llama 13B model to build "ChatBIT," an AI tool for military intelligence and decision-making tasks. While Meta prohibits military uses in its acceptable use policy, the open-source nature of its models limits the company's ability to enforce restrictions. Analysts like Sunny Cheung from the Jamestown Foundation noted this as significant evidence of PLA efforts to integrate open-source AI into military strategy. The Pentagon monitors these developments amid broader U.S. measures to curb tech investments in sectors that could bolster China's military.
READ THE STORY: Reuters
"ChatBIT" for Warfare (Video)
FROM THE MEDIA: The Chinese People's Liberation Army (PLA) is making significant advancements in artificial intelligence by adapting Meta's Llama 2 model for military use. This has resulted in the creation of "ChatBIT," an AI tool designed specifically for military applications such as intelligence analysis and operational decision-making. This development raises concerns about the growing role of AI in warfare and the potential for escalating technological competition between global powers.
Civil Cyber Defense-Defend Non-Profits as They Combat Human Trafficking/Subvert Authoritarian Regime (Video)
FROM THE MEDIA: Civil Cyber Defense volunteers and students challenge high-risk adversaries and threats such as human traffickers, authoritarian regimes, and surveillance conducted on journalists. By utilizing academic resources, OSINT skills, and free/open-source tools, civil cyber defenders support vulnerable non-profits, protecting volunteers, journalists, and activists while defending human rights.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.