Thursday, Nov 21, 2024 // (IG): BB // GITHUB // SGM Jarrell
Baltic Undersea Cable Sabotage Raises Hybrid Warfare Fears: CN Involvement
Bottom Line Up Front (BLUF): Two critical undersea cables in the Baltic Sea, one connecting Finland to Germany and one connecting Lithuania to Sweden, were severed within 24 hours. The incidents, described as potential sabotage, have heightened concerns of hybrid warfare amidst rising tensions with Russia. European nations are investigating the disruptions, which risk undermining regional security and digital infrastructure.
Analyst Comments: These cable cuts exemplify the vulnerabilities of undersea infrastructure and its strategic importance in modern geopolitical conflicts. While accidents involving cables are not uncommon, the timing and location of these incidents strongly suggest deliberate sabotage. The events highlight the increasing use of hybrid warfare tactics, which blend physical and digital aggression to destabilize nations. Europe must urgently bolster its surveillance and protection of critical infrastructure, ensuring resilience against state-sponsored threats. The incidents also underscore the need for NATO-wide collaboration to safeguard essential communication networks.
FROM THE MEDIA: On November 18, 2024, a 1,170 km undersea cable connecting Finland and Germany, known as C-Lion1, was severed, followed by damage to a 218 km cable between Lithuania and Sweden’s Gotland Island. German Defense Minister Boris Pistorius labeled the incidents as likely sabotage, aligning them with a pattern of hybrid warfare tactics. Finnish cybersecurity firm Cinia confirmed that the damage to the Finland-Germany cable was caused by an "outside force," with repairs expected to take up to 15 days. The Swedish and Lithuanian defense ministers expressed alarm, attributing the events to increased threats from Russia. The disruptions come amid heightened tensions following Russia's invasion of Ukraine, which has seen similar incidents targeting critical infrastructure. Investigations are underway, with Swedish prosecutors treating the damage as sabotage, while Finland and Germany have launched their own probes.
READ THE STORY: Toms Guide // The Pinnacle Gazette // BBC
*NOTE:
The severing of two undersea telecommunications cables in the Baltic Sea connecting Scandinavia to mainland Europe has drawn attention to potential sabotage as tensions with Russia and China persist. European officials, including German Defense Minister Boris Pistorius, labeled the incidents hybrid warfare, emphasizing the cables' strategic significance in communication and security. While accidental damage is rare, the presence of the Chinese-flagged cargo ship Yi Peng 3 near the incidents raises further suspicion, following similar events in 2023 involving Chinese vessels. These disruptions, alongside Russia’s past rhetoric describing undersea cables as "legitimate targets," suggest a broader strategy of testing vulnerabilities and destabilizing critical infrastructure. NATO and EU nations are reinforcing security measures, acknowledging the cables’ vital role in economic and geopolitical stability and the growing risk of hybrid tactics in modern conflicts.
Ngioweb Botnet Powers NSOCKS Proxy Network by Exploiting IoT Devices
Bottom Line Up Front (BLUF): The Ngioweb botnet has been found fueling the NSOCKS residential proxy network, compromising IoT devices like routers and cameras to create a global proxy service for cybercriminals. Researchers estimate that 80% of NSOCKS proxies originate from Ngioweb, with over 35,000 infected devices in daily operation.
Analyst Comments: This botnet demonstrates the increasing sophistication of proxy-based cybercrime services. By exploiting IoT vulnerabilities, cybercriminals gain access to a vast network of devices, enabling attacks such as credential stuffing, DDoS campaigns, and anonymity for malicious traffic. The commercial proxy market's growth poses a significant risk, particularly if APT groups leverage such tools for targeted attacks. Strengthening IoT security and blocking known malicious traffic is critical to curbing these activities.
FROM THE MEDIA: The Ngioweb botnet, first discovered in 2018, has resurfaced as a key enabler of the NSOCKS residential proxy network. According to Lumen Technologies' Black Lotus Labs, the botnet infects IoT devices such as small office/home office (SOHO) routers, leveraging automated scripts to breach vulnerable systems. Most of these devices are located in the United States. Ngioweb operates with a two-tiered architecture: an initial loader network directs bots to command-and-control (C2) nodes, which deploy the malware and register devices for sale on residential proxy marketplaces. These infected devices are then monetized, allowing customers to use them for as little as $0.20 per 24 hours.
READ THE STORY: THN
GAO Recommends Establishing Federal Agency for Data Protection and Civil Rights Safeguards
Bottom Line Up Front (BLUF): The U.S. Government Accountability Office (GAO) has advised Congress to create a new federal agency to standardize and enforce civil rights and civil liberties safeguards across federal agencies. This recommendation follows a survey revealing inconsistent approaches to managing personal data, especially in the context of emerging technologies like AI and facial recognition.
Analyst Comments: GAO’s findings reflect a critical gap in U.S. federal data governance, particularly as technologies like AI introduce new risks, including bias and misidentification. A central agency with explicit authority could address disparities and establish a framework for equitable, privacy-conscious data usage. However, bureaucratic hurdles and debates over jurisdiction could slow progress. If implemented, this could become a global data rights and technology governance model, but delays could expose citizens to ongoing risks.
FROM THE MEDIA: A recent GAO report highlights significant disparities in how 24 federal agencies manage personal data and safeguard civil rights. Notably, eight agencies admitted to lacking civil rights or civil liberties protections in their policies, and only seven had officials dedicated to overseeing civil liberties. The report warns that technological advances like artificial intelligence and facial recognition pose heightened risks of bias, misidentification, and privacy violations. For example, facial recognition can potentially suppress free speech when used to monitor protests. GAO found that many agencies lack the staff expertise needed to manage the complexity of emerging technologies. The report claims that existing laws fail to provide a unified, forward-looking framework for addressing these challenges.
READ THE STORY: The Record
Google’s AI-Powered OSS-Fuzz Uncovers 26 Vulnerabilities in Open-Source Projects
Bottom Line Up Front (BLUF): Google’s AI-enhanced OSS-Fuzz tool has identified 26 vulnerabilities in open-source software, including a medium-severity flaw in OpenSSL (CVE-2024-9143). Leveraging AI-generated fuzzing targets, this advancement improves bug discovery in critical projects and enhances security for open-source ecosystems.
Analyst Comments: As demonstrated by OSS-Fuzz, the integration of AI into fuzzing workflows represents a significant leap in automated vulnerability detection. AI tools like OSS-Fuzz broaden coverage and accelerate issue discovery in widely used software by surpassing human-written fuzzing scripts. The detection of CVE-2024-9143 in OpenSSL, a library critical for secure communications, underlines the importance of such advancements. This approach is a boon for open-source security and offers a model for private sector adoption, potentially setting new standards for secure coding practices globally.
FROM THE MEDIA: Google announced that its OSS-Fuzz tool, enhanced with large language models (LLMs), has uncovered 26 vulnerabilities across various open-source projects. Among the discoveries is CVE-2024-9143, an out-of-bounds memory write flaw in OpenSSL. This issue, which could lead to crashes or remote code execution, has been in the codebase for two decades and was mitigated in recent updates of OpenSSL. The company credited OSS-Fuzz improvements to its AI-generated fuzz targets, which provide deeper code coverage and help identify vulnerabilities in 272 C/C++ projects. Since its enhancement with LLMs in August 2023, OSS-Fuzz has added over 370,000 lines of code, making it a powerful tool for uncovering latent software flaws.
READ THE STORY: THN GITHUB: OSS-FUZZ
DOJ Charges Russian National for Ransomware Attacks on Hospitals and Other Entities
Bottom Line Up Front (BLUF): The Department of Justice has charged Evgenii Ptitsyn, a Russian national, with cybercrimes linked to Phobos ransomware. Ptitsyn allegedly facilitated over 1,000 ransomware attacks targeting hospitals, schools, and nonprofits globally, extorting over $16 million. Phobos ransomware's operations disrupted critical services, including patient care in U.S. hospitals.
Analyst Comments: This case underscores the persistent threat posed by ransomware-as-a-service (RaaS) operations, which streamline cybercrime by offering malicious tools to affiliates. Targeting hospitals and other public entities reveals how ransomware groups exploit vulnerable sectors with high stakes for compliance. While this DOJ action is a significant win, the global nature of cybercrime and Russia’s lack of cooperation complicate enforcement. Sustained international collaboration and robust federal-private sector partnerships are essential to deter similar threats and protect critical infrastructure.
FROM THE MEDIA: The FBI, supported by allied nations and the Department of Defense Cyber Crime Center, led the investigation, which resulted in Ptitsyn’s indictment. The attacks disrupted patient care in U.S. hospitals, posing risks to community safety. John Riggi, the American Hospital Association’s national advisor for cybersecurity, emphasized the importance of federal collaboration in combating ransomware and urged healthcare organizations to cooperate robustly with law enforcement. This action follows ongoing concerns over the impact of ransomware on healthcare, as highlighted during a recent United Nations Security Council meeting discussing hospital-targeted cyberattacks. While the arrests mark progress, experts stress that continued vigilance and infrastructure security improvements are needed to mitigate future threats.
READ THE STORY: AHA
Apple Releases Emergency Updates to Address Exploited Zero-Day Vulnerabilities
Bottom Line Up Front (BLUF): Apple has released critical updates to patch two zero-day vulnerabilities actively exploited in the wild, CVE-2024-44308 and CVE-2024-44309. These flaws affect iOS, iPadOS, macOS, visionOS, and Safari, potentially leading to code execution and cross-site scripting attacks. Users are strongly advised to update their devices immediately.
Analyst Comments: The active exploitation of these vulnerabilities highlights the persistent targeting of Apple’s ecosystem by advanced threat actors. The involvement of Google’s Threat Analysis Group (TAG) suggests these flaws may have been used in state-sponsored espionage or mercenary spyware campaigns. This underscores the critical need for users to prioritize patching, as attackers increasingly exploit zero-days in highly targeted attacks. The updates also demonstrate Apple’s ongoing focus on quick vulnerability mitigation, which is crucial as its platforms remain attractive targets due to their widespread use in consumer and enterprise environments.
FROM THE MEDIA: Apple has issued emergency updates to address two zero-day vulnerabilities: CVE-2024-44308, a JavaScriptCore flaw enabling arbitrary code execution, and CVE-2024-44309, a WebKit cookie management issue that could lead to cross-site scripting (XSS) attacks. Both vulnerabilities have reportedly been exploited on Intel-based Mac systems. The vulnerabilities, with CVSS scores of 8.8 and 6.1 respectively, were discovered and reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group, which suggests they may have been used in targeted spyware operations. The updates are available for iOS and iPadOS 18.1.1 and 17.7.2, macOS Sequoia 15.1.1, visionOS 2.1.1, and Safari 18.1.1. Apple addressed the vulnerabilities by improving checks in JavaScriptCore and enhancing state management for WebKit.
READ THE STORY: THN
China-Linked Espionage Campaign Targets Telcos in Asia and Africa
Bottom Line Up Front (BLUF): Since 2020, the Chinese state-backed hacking group Liminal Panda has targeted telecommunications networks across Southeast Asia and Africa. By exploiting the interconnected nature of telecom infrastructures, the group intercepts sensitive data such as text messages and call metadata. The campaign demonstrates the vulnerability of global networks to cascading breaches, extending risks beyond the immediate regions affected.
Analyst Comments: Liminal Panda’s focus on Southeast Asia and Africa signals a strategic shift in cyber-espionage campaigns to regions with rapidly growing yet under-resourced telecom sectors. This approach allows for less resistance while still granting access to global communications. The group's tactics raise alarms about how interconnected networks can serve as pathways for state-sponsored surveillance worldwide. The emphasis on bulk data collection and keyword searches suggests an intent to monitor political, economic, and strategic targets within and beyond these regions. Strengthening telecom infrastructure globally is essential to mitigate these cascading risks.
FROM THE MEDIA: CrowdStrike revealed that Liminal Panda, active since 2020, is targeting telecom operators in Southeast Asia and Africa, exploiting network interoperability to gain access to sensitive information. The group's tools can intercept text messages, call metadata, and other communications. CrowdStrike’s Adam Meyers explained that the attackers employ keyword-driven searches to sift through large volumes of collected data. Although evidence points to operations primarily in these regions, analysts caution that the interconnected nature of telecommunications infrastructure makes global infiltration plausible. Liminal Panda’s operations are distinct from other campaigns like Salt Typhoon, which primarily targeted U.S. providers. However, both campaigns highlight an escalating pattern of Chinese cyber-aggression tied to broader geopolitical ambitions, including espionage, regional dominance, and preparation for a potential Taiwan conflict.
READ THE STORY: Natto Thoughts // CrowdStrike
FBI Identifies BianLian Ransomware Group as Russia-Based, Shifts Focus to Extortion
Bottom Line Up Front (BLUF): The FBI and Australian Cyber Security Centre have confirmed that BianLian ransomware actors are likely based in Russia. The group has shifted tactics from encrypting systems to extorting victims with stolen data. Recent targets include healthcare organizations and charities, highlighting their willingness to attack sensitive sectors.
Analyst Comments: BianLian’s pivot to exfiltration-based extortion reflects a growing trend among ransomware groups, likely to increase pressure on victims while avoiding the technical challenges of encryption. Their ability to exploit known vulnerabilities like ProxyShell underscores the need for proactive patch management and network segmentation. The group’s origins in Russia align with patterns observed among other ransomware gangs operating under geopolitical tensions. Organizations in critical sectors should anticipate more aggressive extortion tactics, including direct employee threats, as part of the evolving cybercrime landscape.
FROM THE MEDIA: The FBI and Australian Cyber Security Centre issued an updated advisory identifying BianLian ransomware actors as likely Russia-based. The group, previously known for encrypting systems and appending the .bianlian extension, now focuses exclusively on stealing and threatening to leak sensitive data. Targets include charities like Save The Children and healthcare providers like Boston Children’s Health Physicians. On Tuesday, the group claimed responsibility for an attack on the Amherstburg Family Health Team in Canada, causing operational delays. BianLian exploits ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and other flaws, such as CVE-2022-37969, in Windows. They maintain access through tactics like creating multiple administrator accounts within breached systems.
READ THE STORY: The Record
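As an added defensive illustration (not code from the advisory or the article), the following Python sketch flags the persistence pattern the advisory summary describes, several new accounts being created and added to Administrators on one host in a short window, by correlating Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group). Event IDs are standard Windows IDs; the host names, account names and timestamps are constructed for the example.

```python
"""Flag bursts of newly created accounts being promoted to Administrators.

Correlates 4720 (account created) with a following 4732 (added to a local
group) for the same account on the same host. A host is flagged when at least
`threshold` such created-then-promoted accounts fall inside one `window`.
Promoting a long-standing account (4732 with no recent 4720) does not count.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample records: (timestamp, host, event_id, target_account, group)
SAMPLE_EVENTS = [
    ("2024-11-19T02:10:05", "SRV-FILE01", 4720, "svc_backup2", None),
    ("2024-11-19T02:10:09", "SRV-FILE01", 4732, "svc_backup2", "Administrators"),
    ("2024-11-19T02:14:41", "SRV-FILE01", 4720, "helpdesk_tmp", None),
    ("2024-11-19T02:14:44", "SRV-FILE01", 4732, "helpdesk_tmp", "Administrators"),
    ("2024-11-19T02:20:13", "SRV-FILE01", 4720, "updater", None),
    ("2024-11-19T02:20:18", "SRV-FILE01", 4732, "updater", "Administrators"),
    # Benign: one new account on a workstation, added to a non-admin group
    ("2024-11-19T09:05:00", "WS-HR-07", 4720, "jdoe", None),
    ("2024-11-19T09:05:30", "WS-HR-07", 4732, "jdoe", "Remote Desktop Users"),
    # Benign: an existing account promoted, no 4720 for it in the window
    ("2024-11-19T11:00:00", "SRV-DB02", 4732, "dba_admin", "Administrators"),
]


def find_admin_account_bursts(events, window=timedelta(hours=1), threshold=2):
    """Return {host: [accounts]} for hosts where `threshold` or more accounts
    were created and then added to Administrators within `window`."""
    created = {}                  # (host, account) -> creation time
    promoted = defaultdict(list)  # host -> [(promotion time, account)]
    for ts, host, event_id, account, group in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event_id == 4720:
            created[(host, account)] = t
        elif event_id == 4732 and group == "Administrators":
            ct = created.get((host, account))
            # Only count promotions that follow a creation inside the window
            if ct is not None and timedelta(0) <= t - ct <= window:
                promoted[host].append((t, account))

    bursts = {}
    for host, hits in promoted.items():
        hits.sort()
        # Sliding window over promotion times; flag the first dense cluster
        for i, (start, _) in enumerate(hits):
            cluster = [acct for t, acct in hits[i:] if t - start <= window]
            if len(cluster) >= threshold:
                bursts[host] = cluster
                break
    return bursts


if __name__ == "__main__":
    for host, accounts in find_admin_account_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(accounts)} new admin accounts {accounts}")
```

In a real deployment the tuples would be fed from forwarded Security log events; the same correlation also applies to 4728 for domain-level groups if the group name check is extended.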
Decade-Old Privilege Escalation Flaws Found in Ubuntu's needrestart Package
Bottom Line Up Front (BLUF): The needrestart package in Ubuntu contains five Local Privilege Escalation (LPE) vulnerabilities, allowing local attackers to gain root privileges without user interaction. These flaws, introduced as early as 2014, affect Ubuntu Server installations with the needrestart utility and have been assigned CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-11003, and CVE-2024-10224.
Analyst Comments: These vulnerabilities highlight the risks of outdated and widely deployed utilities in server environments. With functional exploits already developed, there is a significant likelihood of these being weaponized in public exploits. Organizations relying on Ubuntu Server should promptly apply updates or disable the affected functionality to mitigate risks. This serves as a reminder to periodically audit legacy components in critical environments, particularly those installed by default.
FROM THE MEDIA: The Qualys Threat Research Unit (TRU) discovered five vulnerabilities in the needrestart utility, widely deployed in Ubuntu Server to ensure services restart correctly after updates. Introduced in 2014, the vulnerabilities stem from improper handling of interpreter configurations, allowing attackers to exploit environment variables or race conditions to escalate privileges. These vulnerabilities, all rated with high CVSS scores, can enable attackers to execute arbitrary code as root during software installation or upgrade processes.
READ THE STORY: SA
Chinese Espionage and the Security of U.S. Networks
Bottom Line Up Front (BLUF): Recent revelations about Chinese monitoring of U.S. communications point to vulnerabilities stemming from outdated and emerging network technologies. Exploitation of the 1994 Communications Assistance for Law Enforcement Act (CALEA) and cybersecurity risks tied to Open Radio Access Network (O-RAN) illustrate the need for proactive and robust regulatory oversight of network security.
Analyst Comments: The exposure of Chinese surveillance underscores the persistent challenge of balancing technological innovation with security. The transition to O-RAN, while reducing reliance on Chinese hardware, introduces new vulnerabilities through disaggregated software. This situation calls for strengthened federal oversight, particularly by the FCC, to establish and enforce cybersecurity benchmarks. Past lapses in collaboration between industry and government have left critical gaps, which must be addressed through forward-looking regulations and adaptive frameworks. Cybersecurity is no longer a secondary concern—it must be integral to every network design and operation phase.
FROM THE MEDIA: A Washington Post report highlighted how Chinese cyber-espionage exploits backdoors created by CALEA, a 1994 law enabling lawful digital wiretaps. Initially designed to aid law enforcement during the shift to digital networks, the legislation inadvertently provided exploitable vulnerabilities. These weaknesses were compounded by the advancement of tools used by Chinese hackers. Adopting open radio access network (O-RAN) technology adds complexity to the cybersecurity landscape. Promoted for its cost-effectiveness and vendor diversity, O-RAN replaces proprietary hardware with software-based network functions. While this reduces dependency on companies like Huawei, it also expands the attack surface by relying on open-source code and multi-vendor components.
READ THE STORY: BROOKINGS
Oracle Alerts on Active Exploitation of Agile PLM Vulnerability
Bottom Line Up Front (BLUF): Oracle has disclosed a high-severity vulnerability in its Agile Product Lifecycle Management (PLM) Framework, tracked as CVE-2024-21287 with a CVSS score of 7.5. Currently under active exploitation, this flaw allows unauthenticated attackers to remotely access and download sensitive files, risking significant data exposure.
Analyst Comments: The exploitation of CVE-2024-21287 underscores the urgency for organizations using Oracle Agile PLM to apply available patches immediately. The vulnerability’s unauthenticated, remote exploitability presents a critical risk, especially for organizations relying on PLM software for sensitive product design and lifecycle data. This exploitation trend aligns with attackers increasingly targeting enterprise applications to access high-value data. Enterprises should also consider reviewing network segmentation and access controls as additional protective measures.
FROM THE MEDIA: Oracle has issued an alert about CVE-2024-21287, a critical flaw impacting its Agile PLM Framework. This vulnerability allows attackers to exploit the system remotely without requiring authentication, enabling them to download files accessible under the PLM application’s privileges. CrowdStrike researchers Joel Snape and Lutz Wolf identified the issue, which has been confirmed as actively exploited. Although the attackers' identities and targets remain unknown, Oracle has recommended that users update their systems with the latest security patches to mitigate the risk. The vulnerability could compromise sensitive product lifecycle data critical to various industries. Eric Maurice, Oracle's VP of Security Assurance, emphasized the potential consequences of this flaw, noting its capability to enable large-scale data breaches.
READ THE STORY: THN
Items of interest
Ukrainian Cyberwar Expertise Powers TRYZUB Cyber Training Service
Bottom Line Up Front (BLUF): CERT-UA and Cyber Ranges have launched TRYZUB, a cybersecurity training service incorporating battlefield-tested tactics from Ukraine’s defense against Russian cyberattacks. Focused on military, government, and critical infrastructure sectors, the program equips cybersecurity teams with real-world experience to counter advanced threats.
Analyst Comments: The TRYZUB initiative illustrates how practical experience in high-pressure environments, such as Ukraine’s cyberwar, can be formalized into a structured training service. By leveraging real-world intelligence and incident response techniques, TRYZUB provides a unique opportunity for organizations worldwide to prepare for state-sponsored and advanced cyber threats. Its integration of threat actor emulation, such as those tied to groups like Sandworm, highlights the value of practical defense strategies. This initiative could also set a precedent for other nations to monetize and share their cybersecurity expertise while building global resilience.
FROM THE MEDIA: CERT-UA and Cyber Ranges unveiled TRYZUB, a cyber resilience training service tailored to organizations managing critical infrastructure and high-value assets. Drawing from Ukraine’s defense against Russian state-sponsored cyberattacks during the ongoing war, the program trains participants to counter adversaries such as Sandworm and Gamaredon. TRYZUB offers realistic simulations based on advanced threat intelligence, allowing Security Operations Centers (SOCs) and incident response teams to hone their skills. The service includes attack emulation scenarios for military and civilian entities and aims to improve their defensive capabilities. TRYZUB also supports Ukraine’s recovery efforts through donations to the UNITED24 initiative, showcasing a public-private collaboration that benefits cybersecurity professionals and broader resilience efforts.
READ THE STORY: HNS
TRYZUB Cyberdrills (Video)
FROM THE MEDIA: CYBER RANGES, together with the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine and CERT-UA, is launching the TRYZUB cybersecurity training service powered by the CYBER RANGES next-gen attack emulation platform.
Hacking Russia: The New Frontier of Ukraine’s Cyber Defence (Video)
FROM THE MEDIA: Ben Ferguson gets an inside look at the cyberwar between Ukraine and Russia, and how it’s changing the rules of war in real time.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.