
Cyber Intelligence Weekly (October 1, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight Episode 1 of our Hackin’ SaaS Webinar Series on October 10th, 2023, where we dive deep into the world of SQL Injection.

At Echelon, our Offensive Security team confronts web app vulnerabilities daily, and SQL Injection remains one of the most prevalent threats. In this webinar, we'll not only demonstrate how to break into SQL statements but also teach you how to prevent these attacks.

Don't miss this chance to boost your application security expertise and safeguard your web apps with Jake Murphy, Evan Isaac, and Kristofer Johnson. Secure your spot now!

📅 Date: October 10th, 2023

🕒 Time: 3:00 PM EST

Register for this LinkedIn Live event here: https://www.linkedin.com/events/hackin-saas-top10webappvulnerab7105295202419949568/theater/
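The webinar announcement above names the technique but does not show it. As an added illustration (not code from the original newsletter or from Echelon's webinar), the snippet below runs the same crafted login input against a query built by string concatenation and against a parameterized query, using an in-memory SQLite database with constructed sample rows. The point is the defensive one: placeholders send values separately from the statement text, so the driver never interprets them as SQL and the crafted input simply fails to match a row.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Anti-pattern: the query is assembled by concatenation, so anything the
    # caller passes becomes part of the SQL syntax rather than a literal value.
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Hardened form: '?' placeholders are bound by the driver. The statement text
    # is fixed, so the same input cannot change the WHERE clause.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Return row counts for each variant so the difference is visible."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed test input, not a real credential
    return {
        # Concatenation turns the input into a tautology and matches every row.
        "vulnerable_rows": len(login_vulnerable(conn, crafted, crafted)),
        # Bound parameters compare the literal string and match nothing.
        "parameterized_rows": len(login_parameterized(conn, crafted, crafted)),
        # Legitimate credentials still work with the parameterized query.
        "legit_rows": len(login_parameterized(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to any driver or ORM: keep the statement text constant and pass user-controlled values only through bound parameters, and treat string-built SQL as a finding in code review regardless of how the input is "sanitized".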

Away we go!

1. Chinese Hackers Hiding in Routers in the US And Japan

Cybersecurity agencies in the United States and Japan issued warnings on Wednesday about a sophisticated hacking group linked to the Chinese government, known as BlackTech. Active since 2010, the group modifies router firmware to hide its activity while targeting organizations primarily in the U.S. and Japan. Upon gaining entry to a company's internal network, BlackTech not only exploits the company's main network but also pivots to its subsidiaries, abusing trusted network relationships to widen its access. Its prime objective is to steal intellectual property and sensitive data from a broad range of public organizations and private-sector companies spanning the U.S. and East Asia.

BlackTech, which goes by various other names including Palmerworm, Circuit Panda, and Radio Panda, primarily focuses on government entities and companies in the industrial, tech, media, electronics, and telecommunication sectors. The group employs custom malware and goes to great lengths to erase its digital footprints. Its latest evasion techniques involve using stolen code-signing certificates, which let its malicious software pass as legitimate. The hackers specifically target "branch routers," the devices used in remote branch offices of organizations. Compromising these devices not only grants them access to main networks but also lets them blend in with regular corporate network traffic. Notably, they have been observed replacing the firmware of certain Cisco routers with malicious versions that give them heightened network access.

This advisory is part of a series of recent reports pointing to increased cyber activity by China-based hackers. Last week, other cybersecurity researchers highlighted how China's espionage attacks, especially in African countries, serve its broader soft-power goals on the continent. While the U.S. Department of Defense is prioritizing China's cyber campaigns and has engaged in discussions with People's Republic of China (PRC) defense officials, China's Ministry of State Security retorted by accusing the U.S. of targeting Chinese entities while portraying itself as a "cyberattack victim." This escalating cyber tension underscores the growing significance of cyberspace in safeguarding national security.

2. Chinese Hackers Compromise US State Department Emails in Microsoft Breach

According to a recent Reuters report, the Chinese hackers who infiltrated Microsoft's email platform earlier this year extracted tens of thousands of emails from U.S. State Department accounts, as disclosed by a Senate staffer. The State Department's IT officials briefed lawmakers, revealing that around 60,000 emails were accessed from 10 distinct accounts. Most of the compromised accounts, nine in total, belonged to officials working on East Asia and Pacific matters, while one was associated with European affairs. These details were shared by a staffer working for Senator Eric Schmitt.

Earlier in July, U.S. officials, along with Microsoft, had reported that from May onwards, Chinese hackers with suspected ties to the Chinese state accessed email accounts of approximately 25 organizations, including the U.S. Commerce and State Departments. However, the full scale and depth of the compromise have yet to be clarified. The intrusion further strained the already tense U.S.-China relationship, especially with Beijing refuting the allegations. The breached State Department accounts were primarily those engaged in Indo-Pacific diplomatic initiatives. Moreover, the hackers procured a comprehensive list of the department's emails. Notably, the attack vector was traced back to a compromised device belonging to a Microsoft engineer.

The breach has sparked concern about the expansive role Microsoft holds in delivering IT solutions to the U.S. government. As a precautionary response, the State Department is transitioning to a "hybrid" IT environment, integrating services from multiple vendors and emphasizing the implementation of multi-factor authentication. Senator Schmitt, stressing the need for robust cybersecurity measures, also questioned the wisdom of the federal government's over-reliance on a single vendor. Microsoft identified the hacking entity as "Storm-0558," which it holds responsible for intruding into webmail accounts on its Outlook service. As of now, Microsoft and the State Department have yet to issue detailed comments or statements on the matter.

3. Russian Firm Offers $20M Bounty for Mobile Zero-Day Exploits

A Russian-based company, Operation Zero, specializing in the acquisition and sale of zero-day exploits (previously unknown vulnerabilities in software) has announced a significant increase in its payout for hacking tools. The company is now offering a whopping $20 million for tools that can hack into iPhones and Android devices, a jump from the previous $200,000. This announcement was made on its official channels, including Telegram and X (you know, the platform formerly known as Twitter).

Emphasizing their exclusive clientele, Operation Zero mentioned that their customers are solely "Russian private and government organizations." Sergey Zelenyuk, the CEO of Operation Zero, elaborated that the current bounties might be temporary, reflecting market dynamics and the complexities of hacking iOS and Android systems.

Unlike conventional bug bounty platforms, which inform vendors about vulnerabilities in their products, companies like Operation Zero directly sell these vulnerabilities to governmental entities without notifying the affected software or product vendor. The business of trading in zero-day vulnerabilities is somewhat of a gray area, with fluctuating prices, secretive clients, and few regulations.

Another player in this space, Zerodium, offers up to $2.5 million and $2 million for vulnerabilities in Android and iOS devices, respectively. Meanwhile, Crowdfense, a UAE-based competitor, offers up to $3 million for similar vulnerabilities.

The zero-day market largely operates without stringent regulation. However, in specific countries, firms must procure export licenses before selling to particular nations. Such dynamics have politicized the market. An illustrative example is China's recent regulation requiring its security researchers to report vulnerabilities to the government before reporting them to the software vendors. Many believe this move aims to monopolize the zero-day market for intelligence and strategic advantage.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO services or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
