Daily Brief

Articles are listed below; each summary is machine-generated.

Total articles found: 11813

Checks for new stories every ~15 minutes

2024-03-27 04:23:41 thehackernews NATION STATE ACTIVITY Two Chinese APTs Intensify Espionage on ASEAN Nations
Two Chinese advanced persistent threat (APT) groups are running cyber-espionage campaigns against ASEAN member states, focused on geopolitical intelligence. Mustang Panda used phishing emails carrying malware packages to compromise targets in Myanmar, the Philippines, Japan and Singapore. Its tradecraft includes DLL side-loading: a renamed copy of a legitimate, signed executable is used to load a malicious DLL that deploys the group's PUBLOAD malware. Unit 42 separately observed network traffic between an ASEAN-affiliated entity and the command-and-control infrastructure of a second, unnamed Chinese APT group. Another actor, Earth Krahang, has targeted 116 entities in 35 countries, using spear-phishing and exploitation of vulnerable internet-facing servers to deliver several malware families. Leaked documents from I-Soon, a contractor to the Chinese government, show malware being sold to Chinese government entities and reveal "digital quartermasters" that supply tooling to several state-sponsored groups. The Tianfu Cup hacking contest is cited as one route by which the Chinese government accumulates zero-day exploits. Taken together, the leaks show how China outsources cyber operations to third-party companies in a competitive hacker-for-hire market serving state espionage objectives.
2024-03-27 03:22:29 theregister MISCELLANEOUS Enhancing Data Security in a Remote Work Era with Forcepoint
The shift to remote work has outlasted the pandemic, leaving IT security teams to protect sensitive data across many locations. Forcepoint Data Security Everywhere addresses this by automating data loss prevention (DLP) for both managed and unmanaged devices. The platform applies one set of DLP policies wherever data sits, whether behind the corporate firewall, in cloud services or on remote users' devices, so administrators no longer maintain separate policies per environment. An AI engine classifies structured and unstructured data across many fields and file types, controlling access and blocking improper exfiltration. Forcepoint ships a large catalogue of predefined DLP classifiers, policies and templates so deployments can start without a heavy investment of IT time, and its out-of-the-box frameworks map to common compliance and privacy standards.
2024-03-26 21:26:13 bleepingcomputer NATION STATE ACTIVITY Finnish Probe Identifies Chinese APT31 as Parliament Hackers
Finnish police have confirmed that APT31, a hacking group tied to China's Ministry of State Security (MSS), was responsible for the 2021 breach of the Finnish parliament. The intrusion, first disclosed in March 2021, gave the attackers access to multiple parliamentary email accounts, including those of Finnish MPs. A lengthy investigation involving the Finnish Security and Intelligence Service and international partners has identified a suspect and mapped out what police describe as a "complex criminal infrastructure". The US Treasury Department has sanctioned two APT31 operatives, whom the Justice Department has also charged over a roughly 14-year run of cyber operations. The UK has sanctioned the same two individuals and their front company for attacks on British targets, including parliamentarians and the Electoral Commission. The US State Department is offering rewards for information leading to the arrest of any of the seven MSS-linked hackers associated with the group. APT31 has a long record of espionage, including cloning the NSA's EpMe exploit and targeting people connected to Joe Biden's 2020 presidential campaign.
2024-03-26 20:45:17 bleepingcomputer CYBERCRIME Raspberry Pi Hack Tool 'GEOBOX' Enables Affordable Cybercrimes
Cybercriminals are selling 'GEOBOX', software that turns a Raspberry Pi into an anonymised attack platform. Sold on Telegram for $80 per month or $700 for a lifetime licence, it lets even inexperienced operators carry out a range of online crimes. Resecurity found the tool while investigating a banking theft at a high-profile corporation. GEOBOX devices act as proxies that keep no logs, which hampers law-enforcement efforts to trace activity back to its source. The Raspberry Pi's low cost, small size and easy concealment make it a convenient platform for discreet operations. GEOBOX bundles network spoofing, VPN and Tor access, and proxy services behind a simple interface aimed at low-skilled actors. It can support financial fraud, malware distribution and disinformation campaigns while adding a layer of anonymity for the operator. None of its individual functions is new compared with existing tools or distributions such as Kali Linux; its appeal lies in packaging them for novices in the cybercriminal community.
2024-03-26 19:23:40 bleepingcomputer CYBERCRIME Thousands of German Microsoft Exchange Servers at Risk of Exploitation
Germany's Federal Office for Information Security (BSI) warns that at least 17,000 Microsoft Exchange servers in the country are exposed online with critical vulnerabilities. Roughly 37% of all German Exchange servers are rated severely vulnerable, either because they run out-of-support versions (Exchange 2010 and 2013) or because available security updates have not been applied. Several of the open vulnerabilities allow remote code execution, and the end-of-life versions will never receive fixes. The situation persists despite earlier warnings and the BSI's declaration of an 'IT threat situation red' in 2021, which the agency attributes to operators neglecting to update their systems. BSI advises administrators to run a supported Exchange version, install all security updates, and lock down web-based services, for example by restricting access or placing them behind a VPN. Microsoft, for its part, now enables Extended Protection (which binds authentication to the TLS channel and blocks NTLM relay attacks) by default on updated Exchange servers and continues to stress that on-premises servers must be kept current.
2024-03-26 18:52:56 bleepingcomputer DATA BREACH Hackers Capitalize on AI Framework Flaw for Crypto Mining and Data Theft
A hacking campaign dubbed "ShadowRay" is exploiting an unpatched flaw in Ray, the open-source framework for distributed AI and Python workloads, hitting organisations in education, cryptocurrency, biopharma and other sectors and exposing sensitive data and compute resources. Ray has over 30,500 GitHub stars and is used by leading firms worldwide, including for ChatGPT training. Anyscale, Ray's maintainer, disclosed five vulnerabilities in November 2023 and patched four; the fifth, CVE-2023-48022, is a critical remote code execution issue that Anyscale disputes as a vulnerability: the Ray Jobs API accepts job submissions without authentication by design, on the assumption that Ray runs only inside a trusted network, so no fix was issued. Attackers have used the disputed flaw against Ray dashboards reachable from the internet to run code on the servers, mining cryptocurrency and harvesting data. Oligo's investigation found compromised AI models, credentials and cloud access tokens on exploited public Ray clusters. Defenders should follow the project's deployment guidance, above all never exposing the Ray dashboard or cluster ports to untrusted networks, and use the available tooling to audit the security posture of their clusters.
2024-03-26 16:55:40 thehackernews NATION STATE ACTIVITY NuGet Package Identified as Potential Spyware Targeting Developers
A suspicious package named SqzrFramework480 has been found on the NuGet package manager. ReversingLabs reports that it appears aimed at developers who work with tools from Bozhon Precision Industry Technology Co., Ltd., a Chinese industrial manufacturer. SqzrFramework480 has been downloaded almost 3,000 times and ships a DLL that can capture screenshots and send them to a remote IP address. Its purpose remains unclear; the possibilities range from industrial espionage to a developer accidentally publishing internal code. The case illustrates how open-source registries are used to distribute potentially malicious packages, and how hard software supply chain threats are becoming to manage. Researchers urge developers to inspect third-party libraries before adopting them, and the incident underlines the need for diligence and stronger security practices in development environments.
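One concrete way to do the pre-adoption inspection the researchers call for is to open the .nupkg (which is an ordinary zip archive) offline, enumerate the assemblies it ships, and flag any that embed a literal IP address alongside screen-capture or networking API names. The script below is an added example, not ReversingLabs' tooling or code from the SqzrFramework480 package; the package it builds in memory is a constructed stand-in, the IP address is from the 203.0.113.0/24 documentation range, and the list of marker names is an assumed heuristic rather than an authoritative indicator.

```python
"""
Offline triage of a NuGet .nupkg: list shipped DLLs and flag those that embed
a literal IPv4 address together with screen-capture / network API names.
Added example; the package bytes are constructed, not a real NuGet package.
"""
import io
import re
import zipfile

# IPv4 literal as ASCII (native code, #Strings heap) ...
IPV4_ASCII = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# ... and as UTF-16LE, which is how .NET user strings are stored in the #US heap.
IPV4_UTF16 = re.compile(rb"(?:(?:[0-9]\x00){1,3}\.\x00){3}(?:[0-9]\x00){1,3}")

# Assumed heuristic: method names a screenshot-and-upload routine would reference.
# Member names live in the #Strings heap as ASCII, so plain byte search suffices.
CAPTURE_MARKERS = (b"CopyFromScreen", b"BitBlt", b"GetDC")
NETWORK_MARKERS = (b"TcpClient", b"Socket", b"HttpClient", b"WebClient")


def build_sample_nupkg() -> bytes:
    """Construct a minimal .nupkg in memory with one suspicious and one benign DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Example.nuspec", "<package><metadata><id>Example</id>"
                                      "<version>1.0.0</version></metadata></package>")
        # Fake PE header followed by the kind of strings a .NET assembly would carry.
        suspicious = (b"MZ\x90\x00" + b"\x00" * 16
                      + b"CopyFromScreen\x00TcpClient\x00"
                      + "203.0.113.10".encode("utf-16-le") + b"\x00\x00")
        benign = b"MZ\x90\x00" + b"\x00" * 16 + b"ToString\x00Dispose\x00"
        zf.writestr("lib/net48/Example.dll", suspicious)
        zf.writestr("lib/net48/Example.Core.dll", benign)
    return buf.getvalue()


def embedded_ips(blob: bytes) -> list:
    ips = {m.decode("ascii") for m in IPV4_ASCII.findall(blob)}
    ips |= {m.decode("utf-16-le") for m in IPV4_UTF16.findall(blob)}
    return sorted(ips)


def triage_nupkg(data: bytes) -> dict:
    """Return per-DLL findings: embedded IPs, marker hits, and a suspicious verdict."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            blob = zf.read(name)
            ips = embedded_ips(blob)
            capture = [m.decode() for m in CAPTURE_MARKERS if m in blob]
            network = [m.decode() for m in NETWORK_MARKERS if m in blob]
            findings[name] = {
                "ips": ips,
                "capture_apis": capture,
                "network_apis": network,
                # Verdict: hardcoded endpoint plus both capture and send capability.
                "suspicious": bool(ips and capture and network),
            }
    return findings


if __name__ == "__main__":
    for dll, info in triage_nupkg(build_sample_nupkg()).items():
        print(dll, info)
```

Point the script at a real package by reading the .nupkg file into `data`; a hit is a reason to decompile the assembly and read the code that references the address, not a verdict on its own.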
2024-03-26 16:50:09 theregister CYBERCRIME FBI & CISA Call for Eradication of 'Unforgivable' SQL Vulnerabilities
US federal agencies are urging software vendors to perform formal code reviews to eliminate SQL injection vulnerabilities. The FBI and CISA pointed to the MOVEit Transfer supply chain attacks, enabled by a SQL injection flaw (CVE-2023-34362), to illustrate the damage: the Cl0p ransomware group's exploitation of it affected 2,769 organisations and about 95 million individuals. The agencies also want customers to hold vendors accountable for whether their products are resistant to SQL injection. Developers are told to adopt a "Secure by Design" approach from the start of development. Prepared statements and parameterised queries are the recommended mitigation; input sanitisation is called out as less reliable, because it tries to guess every dangerous input rather than keeping data out of the query grammar altogether. The agencies also stress transparent vulnerability disclosure through the CVE programme, and argue that building security in from the beginning protects not just individual products but national security and economic stability.
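The difference between the two mitigations the agencies contrast is easiest to see side by side. The following is an added example written for this brief, not code from the CISA/FBI alert or from MOVEit: a login lookup and an id lookup against an in-memory SQLite database with constructed rows, each written first by concatenating user input into the SQL string (the injectable pattern, one variant using quote-escaping "sanitisation") and then with parameter placeholders.

```python
"""
SQL injection: string-built queries versus parameterised queries, in sqlite3.
Added example with constructed sample rows; not code from any real product.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data, not real credentials.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse battery staple"),
                      ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # User input is spliced into the SQL text, so it can change the grammar.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username: str, password: str) -> bool:
    # Values travel separately from the statement; a quote in the input stays data.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def quote_escape(value: str) -> str:
    # The "sanitisation" approach: double every single quote.
    return value.replace("'", "''")


def count_by_rowid_escaped(conn, user_id: str) -> int:
    # Quote escaping is useless here: the value sits in an unquoted numeric context.
    query = "SELECT COUNT(*) FROM users WHERE rowid = " + quote_escape(user_id)
    return conn.execute(query).fetchone()[0]


def count_by_rowid_parameterized(conn, user_id: str) -> int:
    # The placeholder carries the whole string as one value; "1 OR 1=1" matches no rowid.
    return conn.execute("SELECT COUNT(*) FROM users WHERE rowid = ?",
                        (user_id,)).fetchone()[0]


def demo() -> dict:
    conn = build_db()
    bypass = "' OR '1'='1"
    return {
        "vuln_valid_login": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_bypass": login_vulnerable(conn, "alice", bypass),
        "param_valid_login": login_parameterized(conn, "alice", "correct horse battery staple"),
        "param_bypass": login_parameterized(conn, "alice", bypass),
        "escaped_numeric_rows": count_by_rowid_escaped(conn, "1 OR 1=1"),
        "param_numeric_rows": count_by_rowid_parameterized(conn, "1 OR 1=1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable login accepts `' OR '1'='1` as a password for any user, and the quote-escaped numeric lookup returns every row for `1 OR 1=1`; the parameterised versions treat both inputs as literal strings and match nothing. The code-review check the agencies ask for reduces to one grep: any query built with string concatenation or formatting from request data is a finding.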
2024-03-26 16:34:37 bleepingcomputer CYBERCRIME Malicious VPN Apps Exploit Android Devices for Proxy Networks
More than 15 free VPN apps on Google Play bundled a malicious SDK that turned Android phones into residential proxies for likely illicit use. Residential proxies make traffic appear to come from ordinary home connections; here they were probably used for ad fraud, phishing and credential stuffing. Users were enrolled without consent, giving up bandwidth and risking being linked to whatever was done through their devices. HUMAN's Satori team identified 28 apps in total using the PROXYLIB library, delivered through the LumiApps SDK, to build the proxy network, with ties to the Russian proxy provider 'Asocks'. Google removed the apps from the Play Store after the report and updated Google Play Protect to detect the LumiApps libraries. Some of the apps have since reappeared on Google Play, raising questions about whether they are now clean. Users are advised to uninstall the affected apps or update to versions without the SDK, and to prefer paid VPN services over free ones, which are more likely to monetise their users this way.
2024-03-26 15:02:28 bleepingcomputer MALWARE Widespread "TheMoon" Malware Compromises Thousands of ASUS Routers
A new variant of the "TheMoon" malware is infecting outdated ASUS routers and other IoT devices, with infections observed in 88 countries. The infections feed the "Faceless" proxy service, which anonymises criminal traffic by routing it through compromised devices. Lumen's Black Lotus Labs saw over 6,000 ASUS routers infected within 72 hours of the campaign's start in early March 2024. The compromised routers are mostly end-of-life models, most likely breached through known vulnerabilities or weak credentials. Once installed, the malware sets specific iptables rules to limit who can reach the device and then contacts hardcoded IP addresses to establish communication with its command and control server. Faceless, which performs no KYC checks and takes payment in cryptocurrency, uses a subset of the infected devices as exit proxies. Some infections persist for long periods, suggesting they go unnoticed, while others are cleaned up quickly, possibly where the owner monitors the device. Router owners should set strong passwords, keep firmware updated, and replace end-of-life (EoL) devices; connectivity problems, an overheating device and settings changing on their own are possible signs of infection.
2024-03-26 13:20:31 theregister CYBERCRIME DARPA & ARPA-H Unite to Combat Ransomware in Healthcare
DARPA is expanding its Artificial Intelligence Cyber Challenge (AIxCC) through a partnership with ARPA-H to secure critical healthcare infrastructure against ransomware. ARPA-H is adding $20M in prize money for AI-based tools that can autonomously find and fix vulnerabilities in code running in medical devices, biotech and hospital IT systems. Ransomware groups are increasingly targeting healthcare, putting patient safety and care delivery at risk. US Senator Mark Warner has voiced concern about attacks that directly affect patient care, following the disruptive ransomware incident at Change Healthcare. According to FBI data, critical infrastructure, and healthcare in particular, saw a significant rise in ransomware in 2023, with reported losses exceeding $59.6M. AIxCC focuses on software vulnerabilities in critical systems; one recent example challenge involved the Linux kernel and CVE-2021-43267. Because a large share of medical devices run Linux, progress in the competition is expected to carry over directly into safer healthcare environments.
2024-03-26 12:08:38 thehackernews NATION STATE ACTIVITY U.S. Indicts Chinese Nationals for Long-Term Cyber Espionage
The US Department of Justice has indicted seven Chinese nationals for a cyber-espionage conspiracy spanning roughly 14 years. The group, tracked as APT31, targeted US and foreign critics of the Chinese government, journalists, political figures and businesses in support of China's economic and intelligence goals. Two of the accused are linked to Wuhan Xiaoruizhi Science and Technology Company, Limited, believed to be a front for China's Ministry of State Security. APT31 relied on tailored spear-phishing campaigns, zero-day exploits and custom malware to break into networks and steal sensitive information. Its targets included US government officials and staff across several departments, as well as political dissidents around the world. The US is offering up to $10 million for information on people associated with APT31, and both the UK and the US have sanctioned implicated individuals and entities. The UK government has previously blamed APT31 for unauthorised access to Electoral Commission voter data covering approximately 40 million people. China denies the allegations as "completely fabricated", criticises the sanctions, and says it opposes both cyberattacks and unilateral sanctions.
2024-03-26 11:37:49 thehackernews DDOS Strategies for Defending Minecraft Servers Against DDoS Attacks
Minecraft servers face growing risk from Distributed Denial-of-Service (DDoS) attacks, which disrupt gameplay and cause financial and reputational damage. Many such attacks go unreported, so awareness and protection often lag behind the threat. During an attack, players may be unable to log in or load worlds, and the server may lag, drop connections or crash. Operators should watch for these symptoms and act immediately, starting with their ISP or hosting provider. The impact extends beyond the game itself, for example when players miss out on tournament earnings. Basic measures include keeping up with DDoS tactics, maintaining a strong community, and involving law enforcement for serious threats. Commercial mitigation, such as Gcore DDoS Protection, adds real-time, tailored filtering intended to absorb attacks of any scale. The gaming industry is among the most heavily targeted sectors for DDoS, with substantial potential losses, which is the case the article makes for specialised mitigation services like Gcore's.
2024-03-26 09:35:04 theregister MISCELLANEOUS Beacon Awards Recognize Safety-Centric Software Projects for FreeBSD
The FreeBSD Foundation has announced the Beacon Awards, which recognise safer-software projects, especially those built on CHERI-enabled hardware and the CheriBSD operating system. CHERI (Capability Hardware Enhanced RISC Instructions) enforces memory safety in hardware, trading some performance for protection against whole classes of memory-corruption bugs. The awards are part of the UK government's Digital Security by Design initiative, which has funded security R&D for over six years. One grand prize went to the Mojo JVM project, a memory-safe Java runtime that runs existing Java applications with little or no code change. Another went to Intravisor, a virtualisation host for cloud software that uses CHERI capabilities to strengthen isolation between workloads. Capabilities Limited received a grand prize for porting over 1.7 million lines of C++ web services software to CheriBSD on Morello hardware. The article's conclusion is that the performance cost of CHERI is a worthwhile trade for the security it provides.
2024-03-26 09:35:04 theregister NATION STATE ACTIVITY UK Elections Secure Despite Chinese Cyber Attacks on Democratic Targets
UK Deputy Prime Minister Oliver Dowden asserts that Chinese cyber interference has not undermined UK elections. The UK and US have formally attributed the 2021 reconnaissance against MPs and the breach of the UK Electoral Commission to Chinese state actors. The Electoral Commission intrusion, which began in August 2021 and exposed the data of about 40 million UK voters, went through unpatched ProxyShell vulnerabilities in the Commission's on-premises Microsoft Exchange servers. The UK's National Cyber Security Centre (NCSC) assesses that the stolen data is likely to be used by Chinese intelligence for espionage and for suppressing dissidents. UK parliamentarians, particularly critics of Beijing and members of the Inter-Parliamentary Alliance on China (IPAC), were targeted by the Chinese state-linked group APT31 in reconnaissance activity. The NCSC has updated its Defending Democracy guidance to help political organisations defend against state-aligned attacks. The UK and US have sanctioned two Chinese nationals and one front company linked to APT31 for their role in the espionage. Both governments continue to treat China as one of their primary adversaries in cyberspace.