Tuesday, Nov 26, 2024 // (IG): BB // GITHUB // SGM Jarrell
Did a Former Verizon Employee Lay the Groundwork for the Salt Typhoon Efforts?
Bottom Line Up Front (BLUF): Ping Li, a 59-year-old IT worker and U.S. citizen, was imprisoned for four years for conspiring with China's Ministry of State Security (MSS). Over a period of nearly a decade, Li shared sensitive cybersecurity information, including details on hacking incidents and personal data on Chinese dissidents.
Analyst Comments: This case underscores China's persistent efforts to infiltrate global telecommunications networks, leveraging insiders to extract sensitive information. Li's actions reveal the potential insider threat in organizations handling critical infrastructure. With continued breaches like Salt Typhoon's targeting of U.S. telecoms, industries must reinforce insider threat programs and enhance monitoring to detect suspicious activity. Li's sentencing sends a strong message to deter such cooperation with foreign intelligence agencies.
FROM THE MEDIA: Ping Li, a former Verizon employee and IT worker for over two decades, was sentenced on November 25, 2024, to four years in prison and fined $250,000 for conspiring with China's MSS. Li, who later worked at Infosys, shared sensitive information about cybersecurity incidents, including the SolarWinds cyberattack, and internal materials from his employers. Using anonymous email accounts, Li provided MSS officers with hacking tactics and personal data on Chinese dissidents, pro-democracy advocates, and members of the Falun Gong movement. Court documents revealed that Li often traveled to China to meet his handlers and complied with requests for information, sometimes within days. In one instance, Li provided details about a high-profile hack on a U.S. company attributed to China. He was arrested in July 2024 and initially denied his activities but later confessed after being confronted with evidence. After completing his prison term, Li will serve three years of supervised release. This case is part of broader concerns over China's targeting of U.S. telecoms, including breaches that allegedly accessed data from phones belonging to political figures like President-elect Donald Trump and Vice President-elect JD Vance.
READ THE STORY: The Record
*NOTE:
Ping Li's case and Salt Typhoon's activities highlight distinct yet interconnected facets of China's strategic approach to information gathering and cyber espionage. Ping Li's actions as an insider reflect a human intelligence (HUMINT) strategy, leveraging personal access to sensitive corporate and cybersecurity data. At the same time, Salt Typhoon's cyberattacks demonstrate China's use of advanced cyber tools to penetrate external defenses and target high-value systems. Although there is no publicly available evidence directly linking Li’s espionage to Salt Typhoon’s operations, both illustrate a coordinated effort to exploit vulnerabilities in U.S. telecommunications infrastructure. This underscores the importance of integrating insider threat mitigation and robust cybersecurity defenses, as adversaries often deploy overlapping methods to achieve their objectives. While it remains unclear whether these efforts were directly coordinated, their parallel existence demonstrates a persistent focus on telecommunications as a critical sector for espionage activities.
CISA’s Chemical SSGs Aim to Fortify Cyber Defenses in Critical Infrastructure
Bottom Line Up Front (BLUF): CISA has introduced sector-specific goals (SSGs) to enhance the cybersecurity of the chemical industry. These voluntary measures target key vulnerabilities in system management, mobile device security, and the removal of unnecessary systems to reduce exposure to cyber threats.
Analyst Comments: The chemical sector’s reliance on interconnected IT and OT systems increases its susceptibility to cyberattacks, with potential downstream effects on critical industries. CISA’s SSGs provide practical steps to address common vulnerabilities, such as unpatched systems and insecure mobile devices. The sector’s proactive adoption of these measures can mitigate risks, especially amid rising cyber incidents and anticipated regulatory changes.
FROM THE MEDIA: CISA introduced sector-specific cybersecurity goals (SSGs) for the chemical industry to address key vulnerabilities in IT and OT systems. The guidance focuses on system lifecycle management, emphasizing the replacement of unsupported systems and integrating cybersecurity throughout the lifecycle of hardware, software, and services. Another priority is the removal of unnecessary systems, applications, and devices to improve network security and efficiency. Mobile device management is also highlighted, with recommendations to maintain asset inventories, enforce application approval policies, and implement secure practices for personal devices. These measures aim to mitigate threats such as vulnerability exploitation, supply chain compromise, and unauthorized access. Released amid increasing incidents in the sector, the SSGs follow the expiration of the Chemical Facility Anti-Terrorism Security (CFATS) program in 2023, which left high-risk facilities without regulatory oversight.
READ THE STORY: Industrial Cyber
How Satellites Unmasked a Maritime Militia in the South China Sea
Bottom Line Up Front (BLUF): Advanced satellite technologies, like synthetic aperture radar (SAR), have uncovered China’s covert Maritime Militia operations in the South China Sea. These findings highlight the use of satellite imagery to monitor contested regions and expose state-sponsored activities, offering critical insights into geopolitical tensions.
Analyst Comments: The revelation of a Maritime Militia supported by the Chinese government underscores how space-based technologies reshape intelligence gathering in contested zones. While China's strategy echoes historical principles of asymmetric warfare, the ability to detect and analyze such operations with satellite data significantly shifts the balance of transparency. This development not only aids regional stability but also demonstrates how commercial space capabilities can hold state actors accountable. Future satellite imagery and analytics advancements will likely further constrain covert operations, promoting greater international awareness.
FROM THE MEDIA: China’s claim over the South China Sea has been marked by aggressive tactics, including using a state-backed Maritime Militia disguised as fishing fleets. Through Ursa Space’s automated SAR analysis, satellite data revealed armadas of over 150 boats assembling in ports and navigating to disputed zones. Many vessels disabled their radio trackers, ironically making them easier to identify. The analysis confirmed government sponsorship, contradicting narratives of independent fishermen acting patriotically. Such findings emphasize the critical role of satellites in exposing hidden activities and advancing geopolitical transparency.
READ THE STORY: Via Satellite
CISA Warns of Active Exploits Targeting Critical Array Networks Flaw
Bottom Line Up Front (BLUF): CISA has added a critical vulnerability in Array Networks AG and vxAG secure access gateways (CVE-2023-28461) to its Known Exploited Vulnerabilities catalog following reports of active exploitation. The flaw, which allows for remote code execution, has been linked to China-based cyber-espionage group Earth Kasha, targeting enterprises globally. Agencies are urged to patch their systems by December 16, 2024.
Analyst Comments: The exploitation of CVE-2023-28461 underscores the persistent targeting of SSL VPNs by advanced threat actors like Earth Kasha. These gateways are prime targets due to their direct access to sensitive networks. Including this flaw in CISA’s KEV catalog signals its criticality and widespread risk. Organizations must prioritize patching and minimizing the exposure of such devices. Additionally, Earth Kasha's ongoing campaigns illustrate China's aggressive posture in cyber espionage, mainly targeting diplomatic and enterprise entities.
FROM THE MEDIA: The vulnerability, CVE-2023-28461 (CVSS score: 9.8), was patched by Array Networks in March 2023 but remains a target for exploitation. Exploits leverage missing authentication to gain remote access and execute arbitrary code via a vulnerable URL. Active exploitation has been attributed to Earth Kasha, a China-linked group known for targeting Japanese, Taiwanese, and European entities.
Trend Micro recently linked Earth Kasha to multiple vulnerabilities, including CVE-2023-45727 and CVE-2023-27997. ESET reported Earth Kasha’s targeting of a European Union diplomatic entity using phishing lures tied to the upcoming World Expo 2025. Federal agencies must patch this flaw by December 16 to comply with CISA’s directive. Notably, according to VulnCheck, 15 Chinese hacking groups exploited the top 15 vulnerabilities of 2023, affecting over 440,000 hosts. The report highlights the critical need for robust patch management and threat intelligence to mitigate risks.
READ THE STORY: THN
Ransomware Hits Blue Yonder, Disrupting UK Grocery Supply Chain
Bottom Line Up Front (BLUF): Blue Yonder, a prominent supply chain software provider, suffered a ransomware attack on November 21, 2024, impacting its managed services environment. The incident disrupted warehouse management systems for Morrisons, a UK-based grocery chain, just before the busy Thanksgiving holiday. Investigations are ongoing, and backup systems are mitigating the impact.
Analyst Comments: The ransomware attack on Blue Yonder highlights the risks inherent in third-party supply chain dependencies, particularly during peak retail periods. The reliance on backup systems underscores the importance of contingency planning. However, the incident raises concerns about broader risks to supply chain operations and data integrity. With no claim of responsibility yet, the attack's origin and potential data breach implications remain unclear. Expect heightened scrutiny of supply chain cybersecurity, especially in sectors critical to public infrastructure and commerce.
FROM THE MEDIA: Blue Yonder, acquired by Panasonic in 2021, confirmed that its managed services-hosted environment was targeted in a ransomware attack on November 21, disrupting operations for critical clients. Morrisons reported that its warehouse management systems for fresh food were impacted, forcing the chain to rely on backup systems to maintain operations. While Blue Yonder's Azure public cloud environment remains unaffected, officials are collaborating with cybersecurity experts to assess and contain the damage. The attack precedes the critical Thanksgiving shopping weekend, raising the stakes for affected retailers. Blue Yonder is actively updating customers about the ongoing investigation, though details about accessed data or specific ransomware groups remain unavailable. This incident follows a recent cyberattack on U.S. grocer Ahold Delhaize, adding to growing concerns about vulnerabilities in supply chain technology.
READ THE STORY: CyberSecurity Dive
China-Linked Gelsemium Hackers Target Linux Systems in New Espionage Campaign
Bottom Line Up Front (BLUF): The Gelsemium advanced persistent threat (APT) group has expanded its cyber-espionage operations to Linux systems, deploying newly discovered backdoors WolfsBane and FireWood. This marks a shift in their targeting strategy, previously focused on Windows systems, as state-sponsored hackers increasingly exploit Linux vulnerabilities.
Analyst Comments: Gelsemium's transition to Linux systems demonstrates the group’s adaptability and highlights the growing trend of threat actors targeting Linux platforms due to heightened Windows security measures. The introduction of WolfsBane and FireWood underscores a broader strategic effort by China-aligned actors to diversify their espionage toolkit. Organizations relying on Linux for critical systems must prioritize patching vulnerabilities in web-facing applications and invest in advanced detection capabilities to thwart such threats.
FROM THE MEDIA: Gelsemium, active since at least 2014 and historically focused on East Asia and the Middle East, has deployed its first malware targeting Linux systems, according to researchers from ESET. The campaign, likely aimed at Taiwan, the Philippines, and Singapore, uses WolfsBane, a custom backdoor, and FireWood, a tool possibly shared with other Chinese APTs. These backdoors gather sensitive data such as user credentials and system information while remaining stealthy. The shift to Linux systems aligns with a broader trend of state-backed groups exploiting vulnerabilities in internet-facing infrastructure, much of which runs on Linux. ESET suggests this evolution reflects the increasing sophistication and adaptability of Chinese cyber-espionage efforts.
READ THE STORY: The Record
APT-K-47 Exploits Hajj-Themed Lures to Deliver Upgraded Asyncshell Malware
Bottom Line Up Front (BLUF): South Asian threat actor Mysterious Elephant has launched a campaign using Hajj-themed phishing lures to deploy advanced Asyncshell malware. The operation exploits known vulnerabilities, such as CVE-2023-38831, and demonstrates enhanced capabilities, such as improved command-and-control (C2) communications and dynamic infrastructure.
Analyst Comments: Mysterious Elephant’s evolving tactics reflect its strategic focus on adapting malware to evade detection and sustain operations. Using culturally relevant themes, such as Hajj-related documents, increases the effectiveness of its phishing efforts, underscoring the importance of local context in cybersecurity defenses. The group’s shift to HTTPS-based C2 communications and flexible server configurations indicates a broader trend toward stealthier and more resilient cyberattacks. These developments emphasize the need for vigilance and targeted defense mechanisms against region-specific threats.
FROM THE MEDIA: The group’s latest operation uses ZIP archives containing a CHM file with a legitimate-looking Hajj policy document and a hidden executable. When executed, the CHM file displays the decoy document while silently installing Asyncshell malware. Asyncshell allows attackers to execute remote commands using cmd and PowerShell. The malware exploits the WinRAR vulnerability CVE-2023-38831 for initial access and employs HTTPS for secure C2 communications. Using dynamic server addresses adds a layer of complexity to the group’s attack chain. According to Knownsec 404, Mysterious Elephant has repeatedly refined Asyncshell since 2023, highlighting the malware's significance to the group’s operations.
READ THE STORY: THN
Google Uncovers GLASSBRIDGE: Pro-China Fake News Network of Over 1,000 Sites
Bottom Line Up Front (BLUF): Google, in collaboration with Mandiant, exposed and blocked a disinformation campaign dubbed GLASSBRIDGE. This operation, tied to four PR firms, created over 1,000 fake news websites promoting pro-China narratives on topics like Taiwan and COVID-19. Google banned these sites for violating transparency and deceptive practice policies.
Analyst Comments: GLASSBRIDGE exemplifies the increasing use of private PR firms to execute nation-state influence campaigns, leveraging fake news sites over traditional social media disinformation. This tactic enhances the campaigns' credibility by mimicking legitimate outlets and targeting audiences with localized content. Google’s decisive action signals a strong stance against such operations, but the scale and sophistication of GLASSBRIDGE indicate an evolving landscape for state-sponsored propaganda. Further incidents of this nature could lead to stricter global content monitoring policies by tech giants.
FROM THE MEDIA: Google's Threat Intelligence Group (TAG) identified over 1,000 websites tied to GLASSBRIDGE, a network operated by four PR firms promoting pro-China narratives globally. These sites, designed to resemble legitimate media outlets, targeted more than 30 countries, including the U.S., Japan, and Brazil.
Shanghai Haixun Technology, one of the firms, ran over 600 domains filled with repetitive pro-Beijing content. Another firm, Shenzhen Haimai Yunxiang Media, was linked to smear campaigns and a previously reported disinformation effort called PAPERWALL. DURINBRIDGE and Shenzhen Bowen Media operated additional networks focusing on regional audiences in Europe, Asia, and the Americas.
The campaign highlights how these firms leveraged services like Fiverr to amplify content and infiltrated credible platforms using subdomains. Google’s ban reflects growing efforts to combat geopolitical disinformation campaigns run by nation-state proxies.
READ THE STORY: Hack Read
Ukraine War Spurs European Race to Expand Defense Industrial Base
Bottom Line Up Front (BLUF): The ongoing war in Ukraine has prompted European nations to prioritize expanding their defense industrial capabilities, focusing on sustainable production for long-term security. The UK-German Trinity House Agreement highlights a shift toward industrial collaboration, reducing reliance on US defense systems. However, rapid adaptation is essential to meet escalating demands and geopolitical challenges.
Analyst Comments: Europe’s renewed focus on its defense industrial base represents a pragmatic response to modern warfare realities, where industrial capacity rivals military strategy in importance. The Trinity House pact signals deeper cooperation and a potential realignment of European defense priorities. However, success hinges on rapidly scaling production while navigating political transitions, such as a possible policy shift in the US under the incoming Trump administration. European defense firms face both an opportunity and a challenge: innovate and expand at unprecedented rates or risk falling short of geopolitical.
FROM THE MEDIA: The Trinity House Agreement reflects a strategic shift towards sustainable defense production, aiming to reduce dependency on U.S. systems like the ATACMS missile. However, European manufacturers still struggle to scale production to meet battlefield requirements and future deterrence needs. This industrial mobilization is crucial for shaping battlefield dynamics in Ukraine and strengthening European security against adversaries betting on its industrial constraints. In summary, the enhanced UK-Germany defense collaboration through the Trinity House Agreement signifies a proactive approach to addressing the industrial demands of modern warfare, emphasizing sustainable production and strategic autonomy in the face of evolving geopolitical challenges.
READ THE STORY: FT
Concerns Grow Over Microsoft's Ties to China Amid Cybersecurity Risks
Bottom Line Up Front (BLUF): Microsoft’s deep engagement with the Chinese market has raised alarm due to potential national security risks. By complying with Chinese regulations requiring access to source code and early vulnerability disclosures, Microsoft has inadvertently exposed U.S. software and users to exploitation. Critics argue this collaboration may empower Chinese cyber espionage and undermine trust in widely used software products.
Analyst Comments: Microsoft’s compliance with China’s technology laws is emblematic of broader challenges faced by U.S. tech companies in balancing global market access with national security. The potential misuse of AI models and software vulnerabilities highlights an urgent need for oversight. This issue underscores the interconnected risks between commercial ambitions and geopolitical tensions. The incoming U.S. administration should prioritize cybersecurity reforms, focusing on critical software supply chains to mitigate exposure to adversarial exploitation.
FROM THE MEDIA: Lt. Col. Clay Percle, USAF (Ret.), has raised concerns about Microsoft’s longstanding collaboration with China, highlighting the potential security implications for U.S. businesses and government. Since 2003, Microsoft has provided the Chinese government access to the Windows source code and other software products, including Azure and Office 365, as required by Chinese law. China’s mandate to disclose software vulnerabilities early has reportedly facilitated attacks on U.S. systems. Further, Microsoft’s involvement with OpenAI raises concerns about advanced AI models being accessed by Chinese intelligence. These practices, while commercially advantageous for Microsoft, expose critical software infrastructure to exploitation by the Chinese Communist Party. Percle calls for greater accountability and legislative action to address these risks.
READ THE STORY: RealClear Policy
Microsoft, Meta, and DOJ Collaborate to Dismantle Global Cybercrime Networks
Bottom Line Up Front (BLUF): Microsoft, Meta, and the U.S. Department of Justice (DOJ) have launched high-profile actions against cybercrime networks. Microsoft's takedown targeted an Egypt-based phishing operation linked to the ONNX phishing kit, while the DOJ dismantled the financial fraud marketplace PopeyeTools. Concurrently, Meta took action against scam centers running pig-butchering schemes in Southeast Asia.
Analyst Comments: These actions reflect a growing trend of public-private partnerships in combating cybercrime. The dismantling of ONNX and PopeyeTools highlights the increasing sophistication of phishing-as-a-service (PhaaS) and fraud platforms, which leverage encrypted communications and cryptocurrencies. Meta's intervention underscores the role of social media platforms in addressing global scams. Expect further collaboration among technology firms and governments, emphasizing disrupting emerging cybercrime models like AI-assisted fraud.
FROM THE MEDIA: Microsoft announced it seized 240 websites associated with ONNX, a PhaaS platform operating since 2017, which bypassed security measures to breach Microsoft accounts. The takedown was enabled by a court order in Virginia. The DOJ concurrently shut down PopeyeTools, a fraud marketplace active since 2016, and charged three administrators with multiple offenses. The site facilitated the sale of sensitive financial data, generating $1.7 million in revenue. Meta also revealed it dismantled over two million scam accounts linked to organized pig-butchering operations in Southeast Asia, where workers were coerced into conducting scams under threat of abuse. These joint efforts represent a significant step in curbing global cybercrime.
READ THE STORY: THN
U.S. CISA Adds Array Networks ArrayOS Flaws to Known Exploited Vulnerabilities Catalog
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Array Networks' ArrayOS to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, actively exploited in the wild, highlight the need for immediate patching to secure impacted devices.
Analyst Comments: The inclusion of ArrayOS vulnerabilities in CISA’s KEV catalog underscores the ongoing targeting of networking devices by threat actors. Such vulnerabilities are prime targets for nation-state groups and cybercriminals seeking access to sensitive networks. Organizations leveraging Array Networks devices should prioritize patching and monitor for indicators of compromise. This development also illustrates the increasing use of CISA’s KEV catalog as a public warning system, encouraging faster adoption of security measures.
FROM THE MEDIA: On November 24, 2024, CISA updated its KEV catalog to include critical flaws in Array Networks AG and vxAG VPN gateways running ArrayOS. These vulnerabilities, identified as CVE-2024-56789, allow for remote code execution and unauthorized access to the device. CISA mandated all federal civilian agencies to mitigate these vulnerabilities by December 15, 2024. Reports indicate that active exploitation has been observed, potentially enabling attackers to bypass security measures and exfiltrate sensitive data.
READ THE STORY: Security Affairs
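Both CISA KEV stories above (the Array Networks CVE-2023-28461 entry with its December 16 patch deadline, and the ArrayOS additions) come down to the same operational task: matching the catalog against what you actually run and flagging what is overdue or due soon. The script below is an added example written for this digest, not code from CISA or from the articles. It uses the field names of the real known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse), but the catalog excerpt, the asset inventory, the host names and the WinRAR dates are constructed sample data; only the Array Networks CVE and its December 16, 2024 due date are taken from the story.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names match the real feed; entries and dates are sample data for this
# example (Array Networks due date from the story, WinRAR dates invented).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-28461",
            "vendorProject": "Array Networks",
            "product": "AG/vxAG ArrayOS",
            "dateAdded": "2024-11-24",
            "dueDate": "2024-12-16",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2023-38831",
            "vendorProject": "RARLAB",
            "product": "WinRAR",
            "dateAdded": "2024-10-11",   # constructed
            "dueDate": "2024-11-01",     # constructed, already past
            "requiredAction": "Apply updates per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: vendor/product strings as a CMDB export might hold them.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-01", "vendorProject": "Array Networks", "product": "vxAG"},
    {"host": "ws-finance-07", "vendorProject": "RARLAB", "product": "WinRAR"},
    {"host": "core-sw-02", "vendorProject": "Cisco", "product": "IOS XE"},
]


def _matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly (case-insensitive); the inventory product string
    must appear inside the KEV product string, so 'vxAG' hits 'AG/vxAG ArrayOS'."""
    return (entry["vendorProject"].casefold() == asset["vendorProject"].casefold()
            and asset["product"].casefold() in entry["product"].casefold())


def triage(kev_json: str, inventory: list, today: date, soon_days: int = 7) -> list:
    """Join the KEV catalog against the inventory and classify each hit by its
    remediation deadline. Rows are sorted so the most overdue items come first."""
    rows = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not _matches(entry, asset):
                continue
            days_left = (due - today).days
            if days_left < 0:
                status = "overdue"
            elif days_left <= soon_days:
                status = "due_soon"
            else:
                status = "scheduled"
            rows.append({
                "cveID": entry["cveID"],
                "host": asset["host"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "status": status,
                "ransomware": entry["knownRansomwareCampaignUse"],
                "action": entry["requiredAction"],
            })
    rows.sort(key=lambda r: (r["dueDate"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date(2024, 12, 10)):
        print(f'{row["status"]:9} {row["cveID"]} on {row["host"]} '
              f'(due {row["dueDate"]}, {row["days_left"]:+d} days): {row["action"]}')
```

In practice the catalog text comes from the published feed and the inventory from a CMDB or scanner export; the substring match on product is deliberately loose because KEV product names rarely line up with inventory naming, so review the hits rather than acting on them blindly.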
UK Minister Criticized for Overstating Russia’s Cyber Threat at NATO Conference
Bottom Line Up Front (BLUF): UK minister Pat McFadden’s speech at the NATO Cyber Defence Conference warned of a severe Russian cyber threat, claiming it could "turn off the lights for millions." However, cybersecurity experts criticized the remarks as exaggerated and misleading, highlighting the need for clear, grounded communication to foster resilience against cyber operations.
Analyst Comments: The speech underscores the challenges governments face in accurately conveying cyber threats without fueling fear or misinformation. While Russia's cyber activities are a genuine concern, overstating capabilities could inadvertently enhance their psychological impact and undermine public trust. Clear and precise messaging paired with actionable guidance will be essential for maintaining societal and operational resilience. The UK’s new Labour government must refine its cybersecurity policy and rhetoric approach as it navigates a rapidly evolving threat landscape.
FROM THE MEDIA: At the NATO Cyber Defence Conference, McFadden called Russia’s cyber capabilities “aggressive and reckless,” warning of potential attacks on critical infrastructure. Critics, including James Sullivan of RUSI, dismissed the "Hollywood scenario" as unrealistic and potentially counterproductive, arguing it amplified the Kremlin’s image as a cyber superpower. Experts also pointed out that cyber incidents typically produce gradual, insidious effects rather than instant large-scale outages. Suggestions to avoid hyperbolic rhetoric emphasized the importance of maintaining psychological resilience and providing informed public discourse.
READ THE STORY: The Record
Items of interest
Malicious PyPI Python Library "aiocpa" Exploits Telegram Bot to Steal Crypto Keys
Bottom Line Up Front (BLUF): Python Package Index (PyPI) quarantined "aiocpa" after it was found exfiltrating users' cryptocurrency API keys through an obfuscated script that transmitted data to a Telegram bot. This incident highlights the need for rigorous source code vetting, even for widely downloaded and previously trusted packages.
Analyst Comments: The aiocpa incident exemplifies the rising sophistication of supply chain attacks targeting open-source ecosystems. The attackers exploited the trust in open-source repositories by keeping the GitHub repository clean while injecting malicious code into PyPI. This emphasizes the importance of static and dynamic code analysis tools to detect anomalies in downloaded packages. Organizations relying on open-source libraries must prioritize continuous monitoring of dependencies to mitigate risks posed by such threats.
FROM THE MEDIA: The aiocpa Python library, marketed as a Crypto Pay API client, was downloaded over 12,000 times before being quarantined by PyPI administrators. Cybersecurity firm Phylum identified malicious activity in version 0.1.13, where an obfuscated script in sync.py exfiltrated sensitive API tokens using a Telegram bot. The payload, encoded and compressed recursively, was executed upon package installation. While the developer's involvement remains unclear, this incident underlines attackers’ ability to manipulate package sources while maintaining seemingly clean repositories. PyPI has formally removed the package, emphasizing the critical need for users to vet dependencies rigorously before integration.
READ THE STORY: THN
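The pattern described above, a recursively encoded and compressed blob handed to exec() at import or install time, is one that static analysis can catch without ever running the package. The scanner below is an added example for this digest, not Phylum's tooling, PyPI's, or anything from the aiocpa project; it parses each module with Python's ast module and reports exec()/eval() calls whose argument is a nested chain of decode/decompress calls. The two module fixtures, the file names and the detection thresholds are constructed for the example; the base64 text in the suspicious fixture is arbitrary filler that is parsed but never decoded or executed.

```python
import ast
from dataclasses import dataclass

# Callee names that, nested inside the argument of exec()/eval(), form a
# decode-and-run chain. Thresholds are assumed values chosen for this example.
DECODE_FUNCS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode",
                "decompress", "unhexlify", "fromhex"}
EXEC_FUNCS = {"exec", "eval"}


@dataclass
class Finding:
    path: str          # module inside the package that contains the chain
    line: int          # line of the exec()/eval() call
    depth: int         # nested decode layers under exec()/eval()
    literal_len: int   # longest str/bytes literal inside the chain


def _call_name(node: ast.Call) -> str:
    """Bare callee name: exec(...) -> 'exec', zlib.decompress(...) -> 'decompress'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _decode_depth(node: ast.AST) -> int:
    """Deepest chain of decode calls in the subtree (true nesting, not a flat count)."""
    here = 1 if isinstance(node, ast.Call) and _call_name(node) in DECODE_FUNCS else 0
    return here + max((_decode_depth(c) for c in ast.iter_child_nodes(node)), default=0)


def _longest_literal(node: ast.AST) -> int:
    return max((len(n.value) for n in ast.walk(node)
                if isinstance(n, ast.Constant) and isinstance(n.value, (str, bytes))),
               default=0)


def scan_source(path: str, source: str, min_depth: int = 2, min_literal: int = 64) -> list:
    """Parse one module (never executing it) and report exec()/eval() calls whose
    argument is a layered decode chain, or a single decode of a long opaque blob."""
    findings = []
    tree = ast.parse(source, filename=path)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in EXEC_FUNCS and node.args:
            depth = _decode_depth(node.args[0])
            literal_len = _longest_literal(node.args[0])
            if depth >= min_depth or (depth >= 1 and literal_len >= min_literal):
                findings.append(Finding(path, node.lineno, depth, literal_len))
    return findings


def scan_package(files: dict) -> list:
    """files maps path -> source text, e.g. every .py in an unpacked sdist or wheel,
    including setup.py, since that is what runs at install time."""
    findings = []
    for path, source in files.items():
        findings.extend(scan_source(path, source))
    return findings


# Constructed fixture modelled on the pattern the article describes: a
# decode/decompress chain wrapped in exec() at module import time. The base64
# text is arbitrary filler; the scanner parses it and never decodes or runs it.
SUSPICIOUS_SYNC_PY = '''
import base64, zlib

def sync():
    return "ok"

exec(zlib.decompress(base64.b64decode(zlib.decompress(base64.b64decode(
    "eJwrSS0uUUhOzMlJrFIHAC3KBZA=eJwrSS0uUUhOzMlJrFIHAC3KBZA=eJwrSS0uUUhOzMlJrFIHAC3KBZA=")))))
'''

# Constructed benign module: a single decode that is returned, not executed,
# so it must not be flagged.
BENIGN_MODULE_PY = '''
import base64

def decode_token(token):
    return base64.b64decode(token)
'''


if __name__ == "__main__":
    sample = {"aiocpa/sync.py": SUSPICIOUS_SYNC_PY, "aiocpa/util.py": BENIGN_MODULE_PY}
    for f in scan_package(sample):
        print(f"{f.path}:{f.line} exec() of a {f.depth}-layer decode chain "
              f"(longest literal {f.literal_len} chars)")
```

Run this over the unpacked artifact actually fetched from PyPI rather than the GitHub checkout, since the whole point of the incident is that the two differed; a diff of the two trees is the natural companion check. The thresholds trade recall for noise: legitimate packages do occasionally exec a single decoded template, which is why a lone decode of a short literal is not reported.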
DEF CON 32 - Anyone Can Hack IoT - Beginner’s Guide to Hacking Your First IoT Device (Video)
FROM THE MEDIA: Yes, anyone can hack IoT devices and I’ll show you how! It doesn’t matter if you’re an experienced pen tester in other fields, completely new to cybersecurity or just IoT curious, by the end of this talk you’ll have the knowledge to hack your first device. You might be thinking - but I thought IoT was complicated, required knowledge of hardware, and expensive tools. In this talk, I’m here to dispel those myths by directly showing you the methodology, tools and tactics you can use to go and hack an IoT device today (or maybe when you get home). I’ll cover what IoT devices are best for beginners, what tools you need (and don’t need), how to build a small toolkit for less than $100, common tactics to get a foothold into IoT devices and how to find your first vulnerability or bug.
I Built an AI Agent That Does EVERYTHING for You (Video)
FROM THE MEDIA: An AI agent designed to handle a broad spectrum of tasks autonomously has the potential to revolutionize how we manage daily activities, work processes, and personal responsibilities. This innovation simplifies workflows, improves efficiency, and reduces the cognitive load of multitasking.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.