Tuesday, Jan 14, 2025 // (IG): BB // GITHUB // SGM Jarrell
Poland Uncovers Russian Disinformation Campaign Targeting Presidential Elections
Bottom Line Up Front (BLUF): Poland's Digital Affairs Minister Krzysztof Gawkowski has accused Russia of conducting a disinformation campaign aimed at influencing the country’s May 2025 presidential elections. The campaign, allegedly orchestrated by the GRU, seeks to disrupt Poland’s political landscape and exploit existing social tensions. Poland is reinforcing its defenses against both disinformation and potential cyberattacks on electoral infrastructure.
Analyst Comments: Poland’s critical role in supporting Ukraine and its opposition to Russian aggression have made it a prime target. This campaign reflects broader trends seen in recent Russian disinformation efforts across the region, including Romania and other NATO-aligned nations. As Poland bolsters its defenses with significant cybersecurity investments, the effectiveness of these measures will be closely watched as a potential model for mitigating election interference. However, the rapid evolution of tactics, including the use of platforms like TikTok for disinformation, signals that Poland may face increasingly complex challenges.
FROM THE MEDIA: Minister Krzysztof Gawkowski stated that the disinformation campaign is part of a larger Russian strategy to destabilize the Polish political landscape ahead of the upcoming elections. While he provided few details on the group's exact methods, previous Russian operations in the region have leveraged fake news, social media manipulation, and cyber sabotage. Poland’s cybersecurity landscape has been under heavy pressure, reporting over 400,000 cyber incidents in the first half of 2024 alone. In September 2024, Polish security services dismantled a Russian and Belarusian-linked cyber sabotage group allegedly planning attacks against government entities. The group was accused of extracting sensitive information from military and state security systems. In a separate incident in May 2023, Russian-linked hackers attempted to spread false reports of military mobilization through a breach of the Polish Press Agency.
READ THE STORY: The Record
Aviatrix Controller RCE Vulnerability Exploited for Cryptojacking and Backdoor Attacks
Bottom Line Up Front (BLUF): A critical vulnerability in Aviatrix Controller (CVE-2024-50603) is being actively exploited to deploy backdoors and cryptojacking malware in cloud environments. The flaw is an unauthenticated OS command injection that gives remote code execution (RCE) on the controller; because default AWS deployments grant the controller broad IAM privileges, that foothold can be escalated into the surrounding cloud account. A public proof-of-concept (PoC) has accelerated exploitation. Affected users are urged to patch immediately and to take the controller off the public internet.
Analyst Comments: The integration of Aviatrix Controller with high-privilege AWS roles makes it an attractive pivot point for lateral movement and data exfiltration. No lateral movement has been confirmed so far, but the observed deployment of Sliver backdoors and XMRig cryptominers indicates that attackers may be preparing for follow-on activity, including extortion or data theft. Organizations using Aviatrix should prioritize patching, conduct forensic analysis for signs of compromise (unexpected processes, persistence and outbound command-and-control traffic on the controller, and API calls made with the controller's role that the controller would not normally issue), and reevaluate the exposure of critical cloud management tools.
FROM THE MEDIA: CVE-2024-50603 was disclosed on January 7, 2025, and a PoC exploit was published online the next day. The vulnerability affects Aviatrix Controller versions prior to 7.1.4191 and 7.2.x versions prior to 7.2.4996; it lets an unauthenticated attacker execute commands on the controller and, in default AWS deployments, escalate from there using the controller's IAM role. Researchers at Wiz noted that Aviatrix's default configuration, which grants high IAM privileges in AWS, creates pathways for lateral movement and privilege escalation. Exploitation activity was observed between January 7 and 10, resulting in malware deployments including persistent Sliver backdoors and XMRig cryptominers. These attacks target exposed Aviatrix Controllers, of which 681 instances were identified via Shodan scans. While lateral movement has not yet been observed, researchers warn of potential data exfiltration or extortion attempts if attackers leverage the cloud permissions they have gathered.
READ THE STORY: The Register
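Added example (not code from The Register, Wiz or Aviatrix): a Python triage script for the situation described above. It checks controller versions against the two fixed builds named in the story (7.1.4191 and 7.2.4996), combines that with whether the controller is internet-reachable, and flags IAM role policies broad enough to turn a controller compromise into an account compromise. The inventory records, the two policy documents and the field names (name, version, public, role_policy) are constructed for the demonstration; the action list in ESCALATION_ACTIONS is a starting point, not an Aviatrix-published list.

```python
"""Triage Aviatrix Controllers for CVE-2024-50603 (added example, constructed data).

Fixed builds per the advisory: 7.1.4191 for the 7.1 line, 7.2.4996 for 7.2.
Everything older than the 7.1 line is also below 7.1.4191 and so affected.
"""
import re
from typing import Dict, List, Tuple

FIXED_BUILD = {(7, 1): 4191, (7, 2): 4996}  # (major, minor) -> first fixed build

# Actions that let a foothold on the controller reach the rest of the account.
# Assumption for this example; tune to the role your deployment actually uses.
ESCALATION_ACTIONS = {"*", "iam:*", "iam:PassRole", "sts:AssumeRole",
                      "iam:CreateAccessKey", "iam:AttachRolePolicy"}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Aviatrix versions look like 7.1.4108: major.minor.build."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", v)
    if not m:
        raise ValueError(f"unrecognised Aviatrix version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix for its line.
    Lines newer than 7.2 are not named in the advisory and are not flagged."""
    major, minor, build = parse_version(version)
    if (major, minor) < (7, 1):
        return True
    fixed = FIXED_BUILD.get((major, minor))
    return fixed is not None and build < fixed


def _as_list(x):
    return [x] if isinstance(x, str) else list(x or [])


def broad_grants(policy: Dict) -> List[str]:
    """Allow statements granting wildcard or IAM/STS actions on Resource "*"."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single statement form
    hits = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ESCALATION_ACTIONS or action.endswith(":*"):
                hits.append(f"{stmt.get('Sid', 'unnamed')}: {action}")
    return hits


def triage(inventory: List[Dict]) -> List[Dict]:
    """Order controllers: unpatched and internet-facing first, then unpatched
    internal, then patched ones whose role still deserves tightening."""
    out = []
    for c in inventory:
        vuln = is_vulnerable(c["version"])
        grants = broad_grants(c.get("role_policy", {}))
        if vuln and c["public"]:
            priority = "P1: patch now and remove from the internet"
        elif vuln:
            priority = "P2: patch; not internet-exposed"
        elif grants:
            priority = "P3: patched; review role permissions"
        else:
            priority = "ok"
        out.append({"name": c["name"], "vulnerable": vuln, "public": c["public"],
                    "broad_grants": grants, "priority": priority})
    return sorted(out, key=lambda r: r["priority"])


# Constructed sample data: one over-broad role, one scoped to read-only calls.
BROAD_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ControllerAll", "Effect": "Allow",
     "Action": ["ec2:*", "iam:PassRole", "sts:AssumeRole"], "Resource": "*"}]}
SCOPED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}
INVENTORY = [
    {"name": "ctrl-prod", "version": "7.1.4108", "public": True, "role_policy": BROAD_ROLE},
    {"name": "ctrl-dev", "version": "7.2.4820", "public": False, "role_policy": BROAD_ROLE},
    {"name": "ctrl-new", "version": "7.2.4996", "public": True, "role_policy": SCOPED_ROLE},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row["priority"], row["name"], row["broad_grants"])
```

The version check is deliberately strict about lines the advisory does not name: a build on a line newer than 7.2 is reported as not affected, which is only as good as the advisory at the time, so re-run with an updated FIXED_BUILD table when Aviatrix revises its guidance.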
U.S. Cyber Offensive Debate Heats Up Amid Calls for Stronger Retaliation Against Chinese Threats
Bottom Line Up Front (BLUF): The incoming Trump administration and key lawmakers are advocating for a stronger cyber offensive posture in response to Chinese cyber threats, particularly the Volt Typhoon group's targeting of U.S. critical infrastructure. While some officials support more proactive measures, experts caution that offensive cyber operations are complex, risky, and may not yield the desired deterrent effect.
Analyst Comments: The discussion around cyber offense reflects growing concerns about U.S. cyber resilience amid escalating tensions with China. However, offensive actions in cyberspace risk unintended consequences, including escalation and exposure of classified capabilities. Advocates for stronger action must also navigate the legal and operational complexities of offensive cyber campaigns. A strategic approach combining defense, diplomacy, and targeted cyber actions may be more effective than large-scale retaliation. The new administration’s direction on this issue will shape U.S. cyber policy and its approach to deterring state-sponsored attacks.
FROM THE MEDIA: National security adviser Mike Waltz has argued for a more assertive cyber strategy to impose costs on adversaries like China, comparing the need for offensive cyber measures to Cold War-era nuclear deterrence. Waltz’s concerns stem from threats posed by Volt Typhoon, a Chinese group accused of embedding malware in U.S. infrastructure. At a recent Senate hearing, lawmakers echoed similar sentiments, questioning why the U.S. has not responded more aggressively. However, cyber experts remain skeptical, emphasizing the logistical challenges of cyber operations and the potential escalation risks. Past offensive cyber operations, such as the Stuxnet attack on Iranian centrifuges and election-related actions targeting Russia and Iran, demonstrate the potential impact of cyber strikes but also highlight the need for strategic clarity. Some experts argue that offensive measures must be supported by persistent "cyber campaigns" rather than isolated attacks to achieve meaningful deterrence.
READ THE STORY: Cyberscoop
Fortinet Firewalls Hit by Mass Exploitation Campaign, Zero-Day Suspected
Bottom Line Up Front (BLUF): A widespread exploitation campaign targeting Fortinet FortiGate firewalls was observed by Arctic Wolf Labs, with indications that a zero-day vulnerability may have been used. The intrusions involved unauthorized configuration changes, creating new VPN access points, and credential harvesting for lateral movement. Despite Fortinet’s investigation, no specific CVE has been identified or patched yet. The attackers’ end goal remains unclear, though ransomware involvement is "not off the table."
Analyst Comments: The campaign against Fortinet devices peaked in early December 2024 and relied on unauthorized access to the firewalls' web-based command-line interface (CLI). The attackers created new super admin accounts, opened SSL VPN access, and harvested Active Directory credentials using DCSync. Arctic Wolf Labs suspects that a zero-day flaw in Fortinet firmware, potentially affecting FortiOS versions 7.0.14 through 7.0.16, was exploited. The event is a reminder that management interfaces on critical network devices should not be reachable from the internet, and that administrator and VPN configuration changes arriving through the console outside a change window deserve alerting.
FROM THE MEDIA: In early December, Arctic Wolf Labs detected a spike in intrusions targeting Fortinet FortiGate firewalls. The attackers reached devices through the web-based command-line interface (CLI) via TCP ports 8023 and 9980. Early activity consisted of rapid, automated login attempts, up to four events per second, indicating scripted tooling, together with low-impact configuration changes such as toggling the CLI console output setting between "standard" and "more", likely to confirm that access worked. Changes became more substantial by December 4, when the attackers began creating SSL VPN portals, adding new super admin accounts, and modifying VPN configurations to gain persistent access across multiple networks; they then harvested Active Directory credentials using the DCSync technique for lateral movement. The campaign was reported to Fortinet on December 12, and the company acknowledged the investigation on December 17.
READ THE STORY: The Register
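Added example (not Arctic Wolf's or Fortinet's code): detection logic for the three behaviours described above, run over constructed FortiGate-style log lines. The lines follow the key=value layout of FortiOS event logs, and logins through the web console appear in the ui field as jsconsole, a field the story does not mention; every value, account name and timestamp in SAMPLE_LOGS is invented for the demonstration, and the burst threshold is an assumption chosen against the "up to four events per second" the story reports.

```python
"""Detect scripted web-console logins, new super_admin accounts and SSL VPN
changes in FortiGate event logs (added example, constructed sample lines)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines. Four jsconsole logins land in the same second
# (scripted), then a super_admin account and SSL VPN portal appear, followed by
# routine GUI activity from an internal operator that should not alert.
SAMPLE_LOGS = """\
date=2024-12-04 time=02:11:07 logid="0100032001" type="event" subtype="system" level="information" action="login" status="success" user="admin" ui="jsconsole" srcip="127.0.0.1" msg="Administrator admin logged in successfully from jsconsole"
date=2024-12-04 time=02:11:07 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" ui="jsconsole" srcip="127.0.0.1" msg="Administrator admin login failed from jsconsole"
date=2024-12-04 time=02:11:07 logid="0100032002" type="event" subtype="system" level="alert" action="login" status="failed" user="admin" ui="jsconsole" srcip="127.0.0.1" msg="Administrator admin login failed from jsconsole"
date=2024-12-04 time=02:11:07 logid="0100032001" type="event" subtype="system" level="information" action="login" status="success" user="admin" ui="jsconsole" srcip="127.0.0.1" msg="Administrator admin logged in successfully from jsconsole"
date=2024-12-04 time=02:11:08 logid="0100032001" type="event" subtype="system" level="information" action="login" status="success" user="admin" ui="jsconsole" srcip="127.0.0.1" msg="Administrator admin logged in successfully from jsconsole"
date=2024-12-04 time=02:12:30 logid="0100044547" type="event" subtype="system" level="information" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="supportadmin" cfgattr="accprofile[super_admin]vdom[root]" msg="Add system.admin supportadmin"
date=2024-12-04 time=02:13:02 logid="0100044547" type="event" subtype="system" level="information" user="admin" ui="jsconsole" action="Add" cfgpath="vpn.ssl.web.portal" cfgobj="remote-portal" cfgattr="tunnel-mode[enable]" msg="Add vpn.ssl.web.portal remote-portal"
date=2024-12-04 time=02:13:40 logid="0100044547" type="event" subtype="system" level="information" user="admin" ui="jsconsole" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="vpn.ssl.settings" cfgattr="port[443]" msg="Edit vpn.ssl.settings"
date=2024-12-04 time=08:00:01 logid="0100032001" type="event" subtype="system" level="information" action="login" status="success" user="netops" ui="https(10.0.0.5)" srcip="10.0.0.5" msg="Administrator netops logged in successfully from https(10.0.0.5)"
date=2024-12-04 time=08:05:12 logid="0100044547" type="event" subtype="system" level="information" user="netops" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[ticket 4471]" msg="Edit firewall.policy 12"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_line(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a field dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def analyze(lines: List[str], burst_threshold: int = 3) -> Dict[str, list]:
    events = [parse_line(l) for l in lines if l.strip()]
    findings = {"login_bursts": [], "super_admin_added": [], "sslvpn_changes": []}

    # 1. Scripted logins through the web console: count jsconsole login events
    #    per source address and per second, any status. A human cannot produce
    #    burst_threshold attempts in one second; the story reports up to four.
    per_second = Counter(
        (e.get("srcip"), f"{e.get('date')} {e.get('time')}")
        for e in events
        if e.get("action") == "login" and e.get("ui") == "jsconsole")
    for (src, ts), n in sorted(per_second.items()):
        if n >= burst_threshold:
            findings["login_bursts"].append({"srcip": src, "at": ts, "count": n})

    # 2. A new administrator created with the super_admin profile.
    for e in events:
        if (e.get("action") == "Add" and e.get("cfgpath") == "system.admin"
                and "accprofile[super_admin]" in e.get("cfgattr", "")):
            findings["super_admin_added"].append(
                {"account": e.get("cfgobj"), "by": e.get("user"), "ui": e.get("ui")})

    # 3. Any add/edit under the SSL VPN tree (portals, settings); the ui field is
    #    kept so an analyst can see whether it came through the console.
    for e in events:
        if e.get("cfgpath", "").startswith("vpn.ssl") and e.get("action") in ("Add", "Edit"):
            findings["sslvpn_changes"].append(
                {"path": e.get("cfgpath"), "object": e.get("cfgobj"), "ui": e.get("ui")})
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOGS.splitlines()).items():
        print(kind, hits)
```

The login-burst rule counts failures as well as successes, since the story describes the automated attempts rather than their outcome, and it keys on the source address so that a legitimate operator logging in once from the GUI at the same second does not pad an attacker's count. On a real estate, feed the same function the output of the device's syslog forwarder and raise burst_threshold only if your own automation is known to log in through jsconsole.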
Kremlin-Linked APT28 Targets Kazakhstan in Cyber-Espionage Campaign
Bottom Line Up Front (BLUF): A cyber-espionage campaign attributed with medium confidence to Russia's APT28 (Fancy Bear) has targeted Kazakhstan's diplomatic entities, using legitimate government documents as lures to deliver the HATVIBE loader and the CHERRYSPY backdoor. The operation appears to focus on gathering economic and political intelligence to reinforce Russia's influence in Central Asia. The attack demonstrates the group's ability to adapt its infection methods and highlights geopolitical tensions in the region.
Analyst Comments: This latest operation underscores the GRU-backed Fancy Bear's continued focus on geopolitical espionage, leveraging genuine documents to increase credibility and improve phishing success rates. The discovery of previously undocumented malicious code highlights ongoing technical evolution within Russian cyber capabilities. Kazakhstan's strategic position as a key trade partner between China and Europe and its shifting political stance may explain its heightened vulnerability. Moving forward, neighboring Central Asian nations and Western partners should enhance defenses against similar social engineering tactics.
FROM THE MEDIA: Cybersecurity firm Sekoia identified nearly two dozen malicious files attributed to the group UAC-0063, which is suspected to be associated with APT28. The malicious documents were disguised as administrative notes and correspondence from Kazakhstan's Ministry of Foreign Affairs, dated from 2021 to late 2024. The hackers deployed CHERRYSPY, a Python backdoor that executes Python code received from its command-and-control server, and HATVIBE, an HTML Application (HTA) loader that downloads and executes further payloads to facilitate deeper infiltration. The infection chain was built to evade traditional security solutions, demonstrating a tailored approach. Previous research by Ukraine's CERT-UA linked UAC-0063 to APT28 with "medium confidence," highlighting the group's operational history in Ukraine, Israel, India, and Central Asian nations. Sekoia's report emphasizes that the campaign likely aims to monitor Kazakhstan's foreign relations and partnerships with Western and regional allies.
READ THE STORY: The Record // Cyberscoop
CISA Adds Second BeyondTrust Vulnerability to KEV Catalog Amid Active Exploitation
Bottom Line Up Front (BLUF): CISA has added CVE-2024-12686, a medium-severity command injection flaw in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows attackers with administrative privileges to execute system commands remotely. This follows the earlier addition of CVE-2024-12356, a critical flaw in the same products, as active exploitation continues.
Analyst Comments: The addition of multiple BeyondTrust vulnerabilities to the KEV catalog underscores an alarming trend of attackers leveraging SaaS-based security solutions as initial access points. The suspected exploitation of these vulnerabilities as zero-days suggests sophisticated threat actors, likely state-sponsored, are adapting quickly to target critical infrastructure. The recent Treasury Department breach, attributed to the Chinese-affiliated Silk Typhoon group, highlights the operational risk posed by API key compromises and administrative-level exploits. Organizations using BeyondTrust must prioritize patching and re-evaluate the security of privileged access management solutions.
FROM THE MEDIA: CISA flagged CVE-2024-12686 due to ongoing active exploitation. The flaw allows attackers with administrative access to upload malicious files and execute OS-level commands within the context of the BeyondTrust site user. This follows the earlier discovery of CVE-2024-12356, a critical command execution vulnerability with a CVSS score of 9.8. Both vulnerabilities emerged during BeyondTrust’s investigation into a December 2024 breach involving a compromised SaaS API key, which hackers used to reset local account passwords and escalate privileges. The cyberattack was linked to Silk Typhoon (Hafnium), a Chinese APT group previously associated with high-profile infrastructure attacks. Reports indicate that Silk Typhoon targeted the Treasury Department's Office of Foreign Assets Control (OFAC) and other sensitive divisions. Meanwhile, CISA has also added Qlik Sense CVE-2023-48365, used by the Cactus ransomware group, to the KEV catalog. Federal agencies have until February 3, 2025, to patch these vulnerabilities.
READ THE STORY: THN
Securing Mature-Node Semiconductors: A National Priority Amid Rising Geopolitical Tensions
Bottom Line Up Front (BLUF): Microchips produced using older process technologies, critical for systems like vehicles, medical devices, and military hardware, are vulnerable due to foreign supply chain dependencies, particularly from China. The Biden administration's probe into Chinese semiconductor manufacturing underscores national security concerns tied to supply chain disruptions. Strengthening U.S. chip production capabilities is essential to mitigate potential threats and safeguard critical infrastructure.
Analyst Comments: While much attention is given to cutting-edge semiconductors for AI and advanced computing, chips based on mature manufacturing processes play a pivotal role in cyber-physical systems such as industrial controls and defense equipment. The global semiconductor shortage highlighted vulnerabilities in these supply chains, causing economic setbacks across industries, including automotive manufacturing. China's dominance in producing mature-node semiconductors and controlling key materials heightens security risks. Recent U.S. legislation, such as the CHIPS and Science Act, aims to bolster domestic production and reduce foreign reliance, though this shift requires significant investment and infrastructure support.
FROM THE MEDIA: Older-generation semiconductors, used across key industries like healthcare, defense, and energy, are vital to daily operations and national security. These semiconductors, produced using mature-node technologies, play a critical role in cyber-physical systems such as industrial controls and defense networks. Despite their importance, they remain overshadowed by more advanced chips in public discourse. The semiconductor shortage of recent years exposed systemic vulnerabilities, underscoring the urgency of diversifying supply chains and bolstering domestic production. Legislative measures, such as the CHIPS and Science Act, aim to reduce U.S. dependency on foreign manufacturing while promoting a secure and resilient production ecosystem.
READ THE STORY: The Hill
Turks and Caicos Grapples with Ransomware Attack Impacting Government Services
Bottom Line Up Front (BLUF): The Turks and Caicos Islands government is recovering from a major ransomware attack that disrupted tax collection, welfare payments, and other essential services since mid-December 2024. External cybersecurity specialists, with support from the U.K., are assisting in restoring systems and investigating the incident. The attack has sparked political backlash over the government's cybersecurity preparedness and response.
Analyst Comments: The absence of basic protections, such as firewalls and cyber insurance, as alleged by critics, suggests systemic gaps in the islands' security infrastructure. The reliance on manual processes during recovery illustrates how ransomware attacks can severely cripple governmental functions. With no ransomware group claiming responsibility, the incident also aligns with a broader trend of Caribbean nations being targeted, possibly due to lower defense budgets and strategic economic vulnerabilities.
FROM THE MEDIA: The ransomware attack, confirmed on December 19, 2024, compromised the Turks and Caicos Islands Government (TCIG) financial systems, delaying welfare payments, customs clearances, and issuing of government licenses. On December 24, the government shut down key digital services to prevent further spread. By December 30, most departments had reverted to manual operations. Essential services such as driver’s license printing resumed by year-end, and the payment system was restored by January 6, 2025. U.K. cybersecurity experts have been deployed to assist with forensic investigations and technical recovery. According to officials, continuity plans are focused on financial operations, but some systems remain offline. The incident has become a political issue, with opposition leaders criticizing the lack of transparency and failure to hold a press conference. They also questioned the absence of firewalls and cyber insurance.
READ THE STORY: The Record
Items of interest
Data Broker Unacast Reports Massive Breach to Norwegian Authorities Amid Privacy Concerns
Bottom Line Up Front (BLUF): Unacast, a leading data broker and parent company of Gravy Analytics, reported a major breach of its Amazon Web Services (AWS) environment after a hacker accessed sensitive location data using a misappropriated access key. The breach potentially exposed historical smartphone location data sourced from thousands of popular apps. The incident raises serious concerns over how third-party consumer data is managed and secured. The breach follows recent Federal Trade Commission (FTC) scrutiny over Gravy’s data collection practices, adding pressure to regulatory calls for stronger consumer data protections.
Analyst Comments: This breach underscores growing vulnerabilities in third-party data broker ecosystems, where massive amounts of consumer location data are aggregated from popular apps and sold without adequate transparency or safeguards. The hack not only exposes private user data but also highlights concerns about government agencies purchasing such information from brokers rather than obtaining it through traditional warrants. This incident may accelerate regulatory actions and calls for stricter oversight of location data brokers, particularly in Europe, where privacy laws like the General Data Protection Regulation (GDPR) already impose stringent requirements.
FROM THE MEDIA: Unacast confirmed to Norway's Data Protection Authority that its AWS cloud storage was compromised due to a misappropriated access key, enabling unauthorized access to an unknown number of files. According to reports by NRK and 404 Media, the compromised data included historical smartphone location data collected from apps like Tinder, Grindr, Candy Crush, and religious and pregnancy tracking apps. The hacker notified Unacast of the breach on January 4, prompting the company to investigate the contents of the files. The breach raises concerns about whether user data was anonymized and how the information may be exploited. Gravy Analytics, which owns Venntel, has previously faced criticism from the FTC for selling non-anonymized location data without verifiable user consent. The FTC’s recent investigation cited that the companies gathered and sold over 17 billion location signals daily from millions of smartphones. The regulatory order also aimed to curb law enforcement agencies' use of location data from brokers in cases where warrants are required.
READ THE STORY: The Record
How Analysts & Researchers Use Gravy's Location Data Forensics (Video)
FROM THE MEDIA: In this episode of our Product Insights series, Gravy's Director of Product Marketing Megan Ryan explains how Location Data Forensics can help analysts and researchers do various analyses by using Gravy's Forensic Flags.
Your location data is for sale... (Video)
FROM THE MEDIA: In this episode, we explore the shocking reality of how data brokers, like Gravy Analytics, collect and sell your location data from various apps to government agencies and beyond. Discover how pervasive and unregulated this ecosystem is, the implications of data leaks, and the legal grey areas surrounding it. We also discuss the limitations of protecting your privacy in a modern technological world and the need for top-down legislative action to safeguard personal data.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.