Saturday, Feb 15, 2025 // (IG): BB // GITHUB // SN R&D
China’s Cybersecurity Strategy: Rebranding as a Non-Aggressor in Cyberspace
Bottom Line Up Front (BLUF): China is seeking to reposition itself as a defender rather than an aggressor in cyberspace. A recent report from China’s 360 Security Group highlights over 1,300 Advanced Persistent Threat (APT) attacks on critical sectors in 2024, with origins traced to regions including North America and East Asia. The disclosure marks a notable shift in China’s public approach to cyber threats, presenting itself as a frequent target rather than an initiator of cyber operations.
Analyst Comments: China’s attempt to reshape its image comes amidst global concerns about its cyber activities. Notably, Chinese state-affiliated actors have been linked to telecommunications breaches across multiple continents, compromising sensitive data from global telecom providers. These operations, often facilitated through commercial-grade infrastructure equipment from companies like TP-Link, highlight the duality of China’s cyber posture: while claiming a defensive stance, its capabilities remain deeply embedded in global digital infrastructures.
FROM THE MEDIA: While China moves to reframe its image from cyber aggressor to victim, the global community remains cautious, balancing China’s rhetoric against its ongoing cyber operations. The duality in China’s actions—promoting transparency while leveraging commercial infrastructure for covert operations—continues to drive skepticism. Ultimately, China’s bid to rebrand itself in cyberspace will be measured not only by its declarations but also by the conduct of its cyber operations and the impact on global cybersecurity norms.
READ THE STORY: OODALOOP
New "whoAMI" Attack Exploits AWS AMI Name Confusion for Remote Code Execution
Bottom Line Up Front (BLUF): Cybersecurity researchers from Datadog Security Labs have disclosed a new supply chain-style attack, dubbed whoAMI, that exploits name confusion in Amazon Machine Images (AMIs) to gain remote code execution (RCE) on AWS Elastic Compute Cloud (EC2) instances. The vulnerability stems from misconfigurations in the use of the AWS ec2:DescribeImages API, which allows attackers to publish malicious AMIs with deceptive names. Although AWS has addressed the issue, organizations are urged to review their AMI usage configurations to prevent exploitation.
Analyst Comments: Similar to dependency confusion attacks, this vector highlights the risks of relying on name-based identifiers without ownership verification. Datadog’s finding that approximately 1% of monitored organizations were vulnerable suggests that the issue, while niche, could have had a broad impact if exploited at scale. AWS's quick mitigation and introduction of "Allowed AMIs" show proactive security improvements, but organizations should further harden their configurations by enforcing explicit owner filters and reviewing infrastructure-as-code templates. As dependency confusion-style attacks become more common in cloud environments, security teams should prioritize supply chain risk assessments.
FROM THE MEDIA: The attack occurs when developers use the AWS ec2:DescribeImages API without specifying an owner, enabling an attacker to publish a malicious AMI with a matching name pattern. If victims search for the most recent image without filtering by owner, they may inadvertently deploy an attacker-controlled AMI, granting RCE capabilities to the attacker. Datadog found vulnerable code examples in multiple languages, including Python, Go, Java, Terraform, Pulumi, and Bash. AWS responded to Datadog’s responsible disclosure on September 16, 2024, and resolved the issue within three days. In December 2024, AWS introduced Allowed AMIs, a security control enabling customers to limit the use of AMIs to trusted sources. Additionally, HashiCorp Terraform introduced warnings for configurations using most_recent = true without an owner filter in version 5.77.0 and will elevate this to an error in version 6.0.0. AWS confirmed that no malicious exploitation of the technique was detected beyond the researchers' proof-of-concept tests.
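The selection logic described above, as an added illustration that is not Datadog's or AWS's code: a constructed DescribeImages-style image list (placeholder AMI IDs and account IDs) is run through the vulnerable "newest matching name" choice and through an owner-filtered choice, and an audit helper reports when the two disagree.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample shaped like an ec2:DescribeImages response (not real AMIs).
# The trusted publisher account ID is a placeholder, not a real AWS account.
TRUSTED_OWNER = "111111111111"
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "OwnerId": TRUSTED_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240901",
     "CreationDate": "2024-09-01T00:00:00.000Z"},
    {"ImageId": "ami-0aaaaaaaaaaaaaaa2", "OwnerId": TRUSTED_OWNER,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20241001",
     "CreationDate": "2024-10-01T00:00:00.000Z"},
    # A public image from an unrelated account whose name matches the same
    # pattern and carries a newer CreationDate: the whoAMI name-confusion case.
    {"ImageId": "ami-0bbbbbbbbbbbbbbb1", "OwnerId": "999999999999",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250101",
     "CreationDate": "2025-01-01T00:00:00.000Z"},
]


def _created(image):
    """Parse the CreationDate string into an aware datetime for sorting."""
    stamp = datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return stamp.replace(tzinfo=timezone.utc)


def newest_by_name_unsafe(images, pattern):
    """Vulnerable selection: match on name only and take the most recent.
    This mirrors a DescribeImages call with a 'name' filter, no Owners,
    and most_recent = true: whoever publishes the newest matching name wins."""
    matches = [i for i in images if fnmatchcase(i["Name"], pattern)]
    return max(matches, key=_created, default=None)


def newest_from_trusted_owner(images, pattern, trusted_owners):
    """Hardened selection: the image must come from an explicitly allowed
    owner account before name or recency are considered. With boto3 the same
    constraint is applied server-side by passing Owners=[...] alongside the
    name filter to ec2.describe_images()."""
    matches = [i for i in images
               if i["OwnerId"] in trusted_owners and fnmatchcase(i["Name"], pattern)]
    return max(matches, key=_created, default=None)


def audit_selection(images, pattern, trusted_owners):
    """Return True when the unfiltered 'most recent' choice differs from the
    owner-filtered one, i.e. a name-confusion image would have been deployed."""
    unsafe = newest_by_name_unsafe(images, pattern)
    safe = newest_from_trusted_owner(images, pattern, trusted_owners)
    return unsafe is not None and (safe is None or unsafe["ImageId"] != safe["ImageId"])


if __name__ == "__main__":
    print("unsafe pick:", newest_by_name_unsafe(SAMPLE_IMAGES, NAME_PATTERN)["ImageId"])
    print("safe pick:  ", newest_from_trusted_owner(SAMPLE_IMAGES, NAME_PATTERN, {TRUSTED_OWNER})["ImageId"])
    print("name confusion detected:", audit_selection(SAMPLE_IMAGES, NAME_PATTERN, {TRUSTED_OWNER}))
```

The same audit can be run against a live account by feeding the "Images" list returned by describe_images() into audit_selection() with the owner set your templates are supposed to pin.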
READ THE STORY: THN
Cyber Vulnerabilities in Battery Energy Storage Systems (BESS) Pose Safety and Security Risks
Bottom Line Up Front (BLUF): Battery Energy Storage Systems (BESS) are critical for stabilizing the electrical grid, but cybersecurity gaps are leaving them exposed to both intentional and unintentional cyber incidents. Recent cases highlight how vulnerabilities in control systems can trigger catastrophic events such as thermal runaway fires. Additionally, concerns have been raised about BESS components sourced from China, which could introduce backdoors or facilitate unauthorized remote access. Experts are calling for immediate improvements to cybersecurity standards and supply chain security for BESS infrastructure.
Analyst Comments: The increasing use of BESS in grid operations is accompanied by growing cybersecurity risks, which remain largely unaddressed in industry standards. Incidents such as the Moss Landing fire and the reported compromise of BESS at Camp Lejeune highlight how cyber vulnerabilities can have physical consequences. The reliance on foreign-made components, particularly from China, raises concerns about supply chain security and potential state-sponsored cyber intrusions. Addressing these risks will require updated regulatory standards, mandatory cybersecurity protocols, and better supply chain transparency.
FROM THE MEDIA: The Electric Power Research Institute (EPRI) found that many BESS failures stem from control system issues, though they were often misclassified as “unknown” causes. Weiss cited the 2021 Moss Landing BESS fire, where a programming error in the Very Early Smoke Detection Apparatus (VESDA) system triggered a water release below the design threshold, causing further damage. Additionally, Weiss highlighted a cybersecurity compromise at Marine Corps Base Camp Lejeune, where Chinese-made batteries from CATL were suspected of having backdoor vulnerabilities, allowing remote access. Duke Energy, under congressional pressure, disconnected the system and canceled future projects with CATL.
READ THE STORY: Control
Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks
Bottom Line Up Front (BLUF): DPRK state-backed Lazarus Group has launched a new cyber espionage campaign, Marstech Mayhem, targeting developers with a previously undocumented JavaScript implant known as Marstech1. Delivered via malicious GitHub repositories and compromised NPM packages, the malware collects system data, targets cryptocurrency wallets, and enables remote payload execution. SecurityScorecard has identified 233 victims across the U.S., Europe, and Asia, with evidence of the malware’s active development.
Analyst Comments: The Marstech1 campaign highlights the growing risk of supply chain attacks, particularly in open-source ecosystems. By embedding malicious implants in repositories and NPM packages, Lazarus Group exploits the trust developers place in community-driven resources. The malware’s focus on cryptocurrency wallets aligns with North Korea’s ongoing cyber-financing strategy to circumvent sanctions. The use of sophisticated obfuscation techniques suggests an effort to evade detection and analysis, underscoring the group’s technical capabilities.
FROM THE MEDIA: The GitHub profile, “SuccessFriend,” active since July 2024, was used to host the implant before being removed. The malware was designed to search Chromium-based browser directories and manipulate extension settings for cryptocurrency wallets such as MetaMask, Exodus, and Atomic. It also exfiltrated stolen data to a command-and-control (C2) server at 74.119.194[.]129:3000/uploads and could download additional payloads from the same server on port 3001. SecurityScorecard observed advanced evasion techniques, including JavaScript control flow flattening, dynamic variable renaming, and XOR-based multi-stage decryption. The campaign compromised 233 victims globally. Additionally, Recorded Future linked this operation to the Contagious Interview campaign, where North Korean IT workers engaged in fraudulent employment schemes to infiltrate cryptocurrency firms. The group, tracked under aliases such as PurpleBravo, Famous Chollima, and Tenacious Pungsan, has a history of using insider access to steal proprietary information and introduce backdoors into targeted systems.
READ THE STORY: THN
'Mustang Panda' Suspected of Moonlighting in Ransomware Attacks
Bottom Line Up Front (BLUF): Symantec researchers report that a Chinese state-linked cyber espionage group, known as Mustang Panda (aka Fireant or Earth Preta), may be engaging in ransomware operations. In November 2024, the group allegedly exploited a Palo Alto Networks vulnerability (CVE-2024-0012) to breach a South Asian software company, steal data, and deploy RA World ransomware. The attackers demanded a $2 million ransom, marking a rare instance of a China-linked espionage group engaging in financially motivated cybercrime.
Analyst Comments: While North Korean actors are known for such dual-purpose activities, this would be a notable shift for Chinese espionage actors, who traditionally focus on intelligence collection. The reuse of Mustang Panda’s signature PlugX backdoor and the group’s return to espionage operations shortly after the ransomware incident suggest possible rogue activity within the group rather than a policy shift by Beijing. Nevertheless, if financially motivated operations by state-linked actors become a trend, it could signal a more complex and fragmented Chinese cyber landscape.
FROM THE MEDIA: The attackers exploited a vulnerability in Palo Alto Networks devices (CVE-2024-0012) to gain access to the company’s Veeam server and steal AWS S3 credentials, allowing them to exfiltrate sensitive data. The intruders then deployed RA World ransomware, demanding $2 million, with an offer to reduce it to $1 million if paid within three days. Symantec identified the group by their use of a custom PlugX backdoor, a tool exclusively linked to Mustang Panda in previous espionage operations. Despite this financially motivated attack, the group resumed espionage activities in January 2025, targeting a Southeast Asian government ministry. Symantec noted that such a shift to ransomware for profit is uncommon for Chinese-linked actors and may indicate personal profit-seeking by individuals within the group rather than a strategic shift in China’s cyber operations.
READ THE STORY: The Register
Human Expertise Crucial for AI Advancement, Says Former NSA Director Nakasone
Bottom Line Up Front (BLUF): At the Munich Cyber Security Conference, former NSA Director Paul Nakasone emphasized that integrating human expertise with AI is vital for national security. He highlighted the importance of developing a workforce skilled in both policy and technology, capable of using AI as a force multiplier while addressing its ethical implications. Additionally, Enabled Intelligence CEO Peter Kant advocated for neurodiverse teams to identify biases and errors in AI models.
Analyst Comments: Nakasone’s remarks reflect a growing consensus that human intuition and contextual understanding remain irreplaceable, even as AI advances. His call for cross-disciplinary skills underscores a broader trend: the blending of technical acumen with strategic and ethical foresight. Meanwhile, Kant’s promotion of neurodiverse teams aligns with a larger movement toward inclusivity in the cybersecurity workforce. These approaches are likely to shape both public and private sector strategies, especially as AI becomes central to defense operations.
FROM THE MEDIA: Nakasone stressed that while AI accelerates operations, human operators provide critical judgment, particularly in nuanced tasks like analyzing adversary communications. He argued that future professionals must be proficient in both coding and policymaking to harness AI effectively. Peter Kant, CEO of Enabled Intelligence, highlighted how neurodiverse individuals enhance AI reliability by spotting hallucinations and biases in large language models. Kant described their unique ability to detect anomalies in satellite imagery, such as camouflaged military assets. Both speakers agreed that human insight remains central to AI’s effectiveness and security.
READ THE STORY: The Record
PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks
Bottom Line Up Front (BLUF): Threat actors who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356) in December 2024 also leveraged a newly discovered SQL injection flaw in PostgreSQL, tracked as CVE-2025-1094 (CVSS 8.1). The PostgreSQL flaw, which affects the psql interactive tool, enables remote code execution (RCE) via meta-command abuse. PostgreSQL maintainers have issued patches, and security experts warn organizations to update immediately.
Analyst Comments: The requirement to exploit both the BeyondTrust and PostgreSQL vulnerabilities to achieve RCE demonstrates how threat actors leverage multiple vectors to gain persistence and control. Organizations using PostgreSQL should immediately patch their systems, especially since the vulnerability allows direct operating system command execution. Additionally, this incident reinforces the importance of securing third-party software, such as remote support tools, which often have privileged access to sensitive systems. Federal agencies, already instructed to address the SimpleHelp vulnerability (CVE-2024-57727), should treat the PostgreSQL and BeyondTrust patches with equal urgency.
FROM THE MEDIA: The PostgreSQL vulnerability, which affects the psql interactive tool, results from improper handling of invalid UTF-8 characters, enabling SQL injection attacks that allow attackers to execute arbitrary shell commands using the \! meta-command. Rapid7 found that the BeyondTrust zero-day exploitation relied on chaining it with the PostgreSQL vulnerability to achieve remote code execution (RCE). PostgreSQL maintainers have released patches addressing CVE-2025-1094 in versions 17.3, 16.7, 15.11, 14.16, and 13.19. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-57727, a vulnerability in SimpleHelp remote support software, to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by March 6, 2025.
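A client-side guard matching the root cause described above, added here as an illustration and not PostgreSQL's or Rapid7's code: untrusted bytes are rejected unless they decode as strict UTF-8 before being quoted into a psql script, and the finished script is refused if any line would invoke the \! shell meta-command. The table name and the script shape are assumptions for the example.

```python
import re


class UnsafeInput(ValueError):
    """Raised when a value or script must not be handed to psql."""


def quote_literal(value: bytes) -> str:
    """Quote a value as a SQL string literal only after proving it is valid
    UTF-8. Invalid byte sequences are refused outright instead of being passed
    through, since the flaw above is attributed to mishandling of such input.
    NUL bytes are refused as well because PostgreSQL text cannot carry them."""
    try:
        text = value.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise UnsafeInput(f"invalid UTF-8 at byte offset {exc.start}") from exc
    if "\x00" in text:
        raise UnsafeInput("NUL byte in input")
    return "'" + text.replace("'", "''") + "'"


def rejects(value: bytes) -> bool:
    """Convenience wrapper: True when quote_literal() refuses the value."""
    try:
        quote_literal(value)
    except UnsafeInput:
        return True
    return False


# A psql meta-command is a backslash at the start of a line; \! runs a shell.
META_SHELL = re.compile(r"^\s*\\!")


def find_shell_meta_commands(script: str):
    """Return 1-based numbers of lines that begin with the \\! meta-command.
    Deliberately conservative: a line that starts with \\! is flagged even if
    it happens to sit inside a multi-line string literal."""
    return [n for n, line in enumerate(script.splitlines(), 1) if META_SHELL.match(line)]


def build_script(values) -> str:
    """Build a psql script from untrusted byte values (assumed audit_note table)
    and refuse it if any line would invoke the shell meta-command."""
    lines = ["INSERT INTO audit_note(body) VALUES (%s);" % quote_literal(v) for v in values]
    script = "\n".join(lines) + "\n"
    hits = find_shell_meta_commands(script)
    if hits:
        raise UnsafeInput(f"shell meta-command on line(s) {hits}")
    return script


if __name__ == "__main__":
    # Constructed inputs: one ordinary value and one invalid UTF-8 sequence.
    print(build_script([b"routine maintenance", "caf\u00e9".encode("utf-8")]))
    print("invalid UTF-8 rejected:", rejects(b"\xc0'"))
```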
READ THE STORY: THN
House Committee Report Warns of Rising Chinese Cyber Espionage and Intellectual Property Theft
Bottom Line Up Front (BLUF): The U.S. House Committee on Homeland Security has released an updated China Threat Snapshot report, highlighting over 60 cases of cyber espionage and intellectual property theft linked to the Chinese Communist Party (CCP) from 2021 to 2024. The report underscores the impact of Chinese cyber operations on U.S. critical infrastructure, businesses, and universities. Notable incidents include the Salt Typhoon and Volt Typhoon attacks on U.S. infrastructure and transnational repression activities on U.S. soil. Lawmakers are pushing for stronger measures to counter these threats.
Analyst Comments: The use of cyber intrusions to gain access to critical infrastructure, as seen in the Salt Typhoon and Volt Typhoon campaigns, signals a focus on long-term strategic advantage rather than short-term disruption. Additionally, cases like the Manhattan clandestine police station reveal how cyber-enabled surveillance can support broader influence operations. As cyber threats increasingly converge with physical security concerns, federal and state agencies are likely to ramp up countermeasures, including supply chain security, data protection mandates, and transnational repression deterrence.
FROM THE MEDIA: The Committee credited the Trump administration’s policies and Texas Governor Greg Abbott’s executive orders for enhancing defenses against these threats. Secretary of State Marco Rubio and DHS Secretary Kristi Noem also emphasized the urgency of countering China’s cyber operations during their confirmation hearings. Additionally, Congress is prioritizing solutions to address the cybersecurity workforce gap, recognizing it as a key vulnerability in protecting U.S. critical infrastructure.
READ THE STORY: Industrial
Chinese APT Exploits New Windows Zero-Day Vulnerability, ClearSky Reports
Bottom Line Up Front (BLUF): Israeli cybersecurity firm ClearSky Cyber Security has identified a new Windows zero-day vulnerability being exploited by the Chinese APT group Mustang Panda. The flaw, which Microsoft currently classifies as “low severity,” is a UI vulnerability that hides extracted files from compressed RAR archives within Windows Explorer, allowing attackers to execute hidden payloads via the command line. The vulnerability has not yet been assigned a CVE.
Analyst Comments: The exploitation of a UI-based vulnerability, rather than a more conventional system-level exploit, suggests a focus on evading detection within compromised networks. While Microsoft’s low severity rating may be based on the limited scope of automated exploitation, the ability to conceal malicious payloads could make this vulnerability a valuable tool for targeted attacks. Organizations should monitor ClearSky’s upcoming detailed report and apply workarounds to mitigate potential threats until an official patch is released.
FROM THE MEDIA: The new Windows vulnerability, exploited as a zero-day, allows files extracted from compressed RAR archives to remain hidden from users in Windows Explorer, despite being executable from the command line. The flaw creates an “Unknown” file type using an ActiveX component when system file attributes are altered with the attrib -s -h command. ClearSky attributed the exploitation to Mustang Panda, a Chinese APT group known for using backdoors such as PlugX. Microsoft has acknowledged the issue but categorized it as low severity.
READ THE STORY: SecurityWeekly
Chinese Hackers Target Kuwait’s Telecom Towers; Authorities Foil Attack and Make Arrest
Bottom Line Up Front (BLUF): Kuwait’s Interior Ministry announced it had thwarted a large-scale cyber attack on telecommunications infrastructure orchestrated by a group of Chinese hackers. Authorities intercepted the source of the attack in Farwaniya, seizing a vehicle and arresting a Chinese national involved in the scheme. The suspect confessed to participating in network breaches and fraudulent messaging campaigns.
Analyst Comments: Telecommunications networks are prime targets due to their role in both civilian and military communications. The quick identification and arrest signal Kuwait’s improved cyber defense capabilities. However, the arrest of only one participant suggests that a broader network remains active, potentially signaling more attempts in the region. Such incidents may also escalate diplomatic tensions between Kuwait and China, especially if further evidence suggests state involvement.
FROM THE MEDIA: The authorities detected suspicious signals originating from a vehicle in the Farwaniya district, leading to the arrest of a Chinese national. During interrogation, the suspect admitted to collaborating with others to hack telecommunications networks and send fraudulent messages impersonating banks and telecom providers. The Ministry emphasized the use of advanced electronic devices in the attack. The announcement was made via the Ministry’s official account on X (formerly Twitter).
READ THE STORY: NOVANEWS
USAID Staff Allege DOGE Compromised Security Clearance Data and Endangered Overseas Workers
Bottom Line Up Front (BLUF): A new lawsuit filed against the Department of Government Efficiency (DOGE) accuses the agency of accessing USAID security clearance records without proper authorization, jeopardizing the safety of staff deployed in conflict zones. The lawsuit alleges DOGE workers, under Elon Musk’s leadership, obtained root access to USAID systems, disrupted critical communications, and exposed personnel to security threats through data transfers and doxxing incidents.
Analyst Comments: The reported root access by DOGE, combined with the disruption of safety applications, suggests potential failures in access management and auditing protocols at USAID. Additionally, the transfer of sensitive data outside the agency raises potential violations of federal data privacy laws. This case could lead to increased scrutiny of private-sector involvement in government IT operations, particularly regarding security clearance data and safety systems. Agencies relying on third-party contractors should prioritize zero-trust architectures and enforce strict privileged access management (PAM) policies to prevent similar incidents.
FROM THE MEDIA: A lawsuit filed in Maryland federal court accuses the Department of Government Efficiency (DOGE) of compromising USAID security and endangering personnel. The lawsuit alleges that DOGE workers, under Elon Musk’s leadership, gained root access to USAID systems in early February 2025, which provided full control over sensitive databases containing security clearance records. The accessed data included Social Security numbers, financial records, foreign contacts, and personal safety phrases. Following this breach, hundreds of USAID staff reportedly lost access to their email accounts, and overseas workers were locked out of security and safety apps on their government devices. A USAID employee deployed in a high-risk area of the Middle East reported that all safety apps were remotely removed from their phone, eliminating their ability to signal danger or request assistance. Additionally, the lawsuit claims that DOGE transferred sensitive personnel data outside the agency and that some USAID workers were doxxed following the breach. The lawsuit references a February 11, 2025, press conference where Elon Musk mentioned the net worth of certain USAID employees, implying he had reviewed their financial records. The Maryland federal judge has instructed the plaintiffs to refile their complaint due to its length exceeding court rules.
READ THE STORY: The Record
Items of interest
TP-Link Routers Under Scrutiny: Security Experts Recommend Replacement Despite Workarounds
Bottom Line Up Front (BLUF): Cybersecurity experts are advising users to replace their TP-Link routers due to concerns about potential backdoors and data exfiltration to China. While adding firewalls or installing custom firmware like OpenWRT can mitigate some risks, these measures are not foolproof. Despite TP-Link’s dominance in the US router market, security professionals argue that long-term safety outweighs short-term convenience.
Analyst Comments: The concerns surrounding TP-Link routers highlight growing scrutiny of technology linked to countries with histories of cyber espionage. This debate echoes previous controversies, such as bans on Huawei equipment, underscoring the intersection of cybersecurity and geopolitics. Experts emphasize that while technical workarounds, like separate firewalls and custom firmware, can reduce risk, they are complex and may still leave users exposed. If policymakers move forward with a ban, it could significantly disrupt the US home networking market, where TP-Link currently dominates.
FROM THE MEDIA: Terry Dunlap of NetRise compared using TP-Link to installing "a lock made by burglars," urging users to avoid vendors with ties to authoritarian regimes. Chris Sherwood, a networking expert, dismissed firewall-based solutions, noting that TP-Link could still route traffic through domestic servers. Meanwhile, Microsoft engineer Mithilesh Ramaswamy warned that even custom firmware like OpenWRT cannot protect against hardware-level backdoors. Despite these warnings, the article also offers security tips for those who choose to keep their TP-Link routers, such as disabling remote management, segmenting networks, and using VPNs.
READ THE STORY: Cybernews
TP LINK Ban In USA How To Secure Your Router (Video)
FROM THE MEDIA: It's time to secure your network. TP-Link may be banned in the USA soon but there are things you can do today to secure your router! Curious about making your home or business network safe from cyber attacks? Join me on this journey to learn how to secure your network.
Are TP-Link Routers a Threat to National Security? (Video)
FROM THE MEDIA: In this episode, we get into the growing cybersecurity concerns surrounding TP-Link, a Chinese company responsible for over 65% of Wi-Fi routers in the US. Amid heightened scrutiny of Chinese tech firms due to national security issues, we explore the technological and economic suspicions against TP-Link. We also discuss the broader implications of the US potentially banning TP-Link hardware, drawing parallels with previous actions taken against Huawei.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.