Stealth, command, exfiltrate: The three-headed cyber dragon of Crimson Palace.
Crimson Palace targets Asian organizations on behalf of the PRC. Europe’s AI Convention has lofty goals and legal loopholes. The NoName ransomware gang may be working as a RansomHub affiliate. Wisconsin Physicians Service Insurance Corporation, SLIM CD, and Acadian Ambulance Service each suffer significant data breaches. CISA adds three vulnerabilities to its Known Exploited Vulnerabilities Catalog. Researchers from Ben-Gurion University in Israel develop new techniques to exfiltrate data from air-gapped computers. In our latest Threat Vector segment, David Moulton, Director of Thought Leadership at Unit 42, sits down with Ryan Barger, Director of Offensive Security Services, to explore how AI is revolutionizing offensive security. Sextortion scammers have gone to the dogs.
Today is Tuesday, September 10th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Crimson Palace targets Asian organizations on behalf of the PRC.
Dark Reading has published an examination of Operation Crimson Palace, a sophisticated cyber campaign linked to three threat clusters working on behalf of the People’s Republic of China (PRC). These clusters—tracked as Alpha, Bravo, and Charlie—have been actively breaching public and private organizations in Asia, including a Southeast Asian government agency, to steal strategic data.
Each cluster has a specific role. Cluster Alpha focuses on initial access, performing network reconnaissance, establishing persistence, and disabling security measures. Cluster Bravo manages the infrastructure, spreading across networks and setting up command-and-control (C2) channels, often hiding its activities within normal network traffic, making it hard to detect. Bravo has been particularly active in recent months, using compromised infrastructure from previous victims to stage further attacks.
Cluster Charlie, the most active and advanced of the three, is responsible for maintaining access and exfiltrating data. Known for its adaptability, Charlie frequently switches tactics when detected. After a run-in with cybersecurity researchers in 2023, Charlie began using open-source tools alongside Cobalt Strike to evade detection and deploy malware. It has shown a relentless ability to innovate, using numerous DLL sideloading chains and shellcode loaders to deliver its malicious payloads.
Despite ongoing efforts to combat Crimson Palace, its clusters continue to evolve and pose a significant threat to organizations across Asia. Their persistence and creativity make them a formidable adversary in the cybersecurity landscape.
Europe’s AI Convention has lofty goals and legal loopholes.
The AI Convention, officially titled the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law, was signed on September 5, 2024. It aims to protect human rights from potential misuse of AI but faces challenges due to exemptions and broad language.
Unlike the EU AI Act, this Convention focuses on safeguarding democracy and human rights but allows countries to exempt AI activities tied to national security, which can be broadly defined during geopolitical tensions. Legal experts, like Francesca Fanucci, criticize its vague principles and lack of enforceability.
The Convention imposes stricter obligations on public authorities than private industry, which only needs to “address” risks. Though well-intentioned, the Convention’s exclusions and conflicting national interests limit its effectiveness. While it sets a positive framework for AI oversight, differing priorities between human rights, security, and economic competitiveness undermine its ability to fully protect against AI-related harm.
The NoName ransomware gang may be working as a RansomHub affiliate.
The NoName ransomware gang, also known as CosmicBeetle, has been active for over three years, targeting small and medium-sized businesses. Using custom tools from the Spacecolon malware family, the group gains network access through brute force and exploits old vulnerabilities like EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472). Recently, NoName shifted from the Scarab encryptor to ScRansom, a more versatile malware capable of encrypting files across various drives. ScRansom’s encryption process is complex, sometimes leading to errors that prevent file decryption even with the correct keys.
NoName is experimenting with LockBit 3.0’s leaked ransomware builder to increase its visibility, setting up extortion sites similar to LockBit’s. Though not fully confirmed, ESET believes NoName may be working as a RansomHub affiliate, evidenced by overlapping malware and tactics. Despite its shortcomings, ScRansom continues to evolve, showing NoName’s persistence in the ransomware scene.
Wisconsin Physicians Service Insurance Corporation, SLIM CD, and Acadian Ambulance Service each suffer significant data breaches.
Wisconsin Physicians Service Insurance Corporation (WPS) is notifying approximately 950,000 individuals that their personal data was stolen in the 2023 MOVEit hack. The breach, orchestrated by the Cl0p ransomware group, exploited a zero-day vulnerability in the MOVEit Transfer software. WPS initially found no evidence of data theft but later confirmed that personal information, including names, Social Security numbers, and Medicare details, was compromised. Although no fraud has been reported, WPS is offering affected individuals credit monitoring and identity protection services.
SLIM CD, a payment gateway provider, experienced a significant data breach between August 2023 and June 2024, compromising sensitive personal and credit card information of over 1.7 million customers. The stolen data includes names, addresses, credit card numbers, and expiration dates. Though the attack method remains undisclosed, experts suggest phishing or malware may be involved. SLIM CD advises affected customers to monitor their accounts for suspicious activity and offers free credit monitoring services to mitigate the risks of identity theft and financial fraud.
Acadian Ambulance Service, a Louisiana-based emergency care provider, reported a data breach affecting nearly 3 million individuals following a ransomware attack by the Daixin group in June 2024. Sensitive information, including names, addresses, Social Security numbers, and medical details, was stolen and published on the dark web. Acadian detected the breach on June 21 and launched an investigation. The company disputes Daixin’s claim that 10 million patients were affected. Acadian is offering free credit monitoring and faces multiple lawsuits over security negligence.
CISA adds three vulnerabilities to its Known Exploited Vulnerabilities Catalog.
The Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging organizations to address them promptly. These vulnerabilities include:
1. ImageMagick Improper Input Validation Vulnerability (CVE-2016-3714): A flaw in the image processing library allows remote code execution through crafted images.
2. Linux Kernel PIE Stack Buffer Corruption (CVE-2017-1000253): A local attacker can escalate privileges using a buffer corruption vulnerability in the Linux kernel, known to be exploited in ransomware campaigns.
3. SonicWall SonicOS Improper Access Control (CVE-2024-40766): This flaw allows unauthorized access to SonicWall firewalls, potentially causing a system crash.
CISA advises organizations to apply patches or discontinue affected products if mitigations are unavailable, with a remediation deadline of September 30, 2024.
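One way to turn a catalog update like this into an action list is to match the KEV feed against an asset inventory and sort by due date and ransomware linkage. The script below is an added example for this briefing, not CISA tooling. The JSON is a constructed sample in the shape of the public feed (field names such as cveID, dueDate and knownRansomwareCampaignUse are assumed to match the catalog's JSON export), containing the three entries from this story with the September 30 deadline; the inventory format is likewise an assumption.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are assumed
# to match the public export; the entries are the three from this story.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2016-3714", "vendorProject": "ImageMagick", "product": "ImageMagick",
     "vulnerabilityName": "ImageMagick Improper Input Validation Vulnerability",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2017-1000253", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Linux Kernel PIE Stack Buffer Corruption Vulnerability",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
     "vulnerabilityName": "SonicWall SonicOS Improper Access Control Vulnerability",
     "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(raw: str) -> list:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def affects(entry: dict, inventory) -> bool:
    """inventory: iterable of (vendor, product) pairs, matched case-insensitively.
    Exact vendor/product matching is a simplification; real inventories need
    normalisation of product names and versions."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(vendor == v.lower() and product == p.lower() for v, p in inventory)


def triage(raw: str, inventory, as_of, horizon_days: int = 21) -> list:
    """Return (cveID, days_until_due, ransomware_linked) for catalog entries that
    touch the inventory and fall due within horizon_days of as_of (negative days
    means overdue). Ransomware-linked entries sort first, then soonest due."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    rows = []
    for entry in load_kev(raw):
        if not affects(entry, inventory):
            continue
        days = (date.fromisoformat(entry["dueDate"]) - as_of).days
        if days <= horizon_days:
            linked = entry.get("knownRansomwareCampaignUse") == "Known"
            rows.append((entry["cveID"], days, linked))
    rows.sort(key=lambda r: (not r[2], r[1]))
    return rows


def overdue(raw: str, inventory, as_of) -> list:
    """Entries whose KEV due date has already passed as of as_of."""
    return triage(raw, inventory, as_of, horizon_days=-1)


if __name__ == "__main__":
    # Constructed inventory: a SonicWall firewall estate and Linux hosts, no ImageMagick.
    inventory = [("SonicWall", "SonicOS"), ("Linux", "Kernel")]
    for cve, days, linked in triage(SAMPLE_KEV_JSON, inventory, "2024-09-10"):
        print(f"{cve}: due in {days} days{' (ransomware-linked)' if linked else ''}")
```

Against the real feed, replace SAMPLE_KEV_JSON with the downloaded catalog and feed it the CMDB export; the sort order puts the entries CISA flags as ransomware-linked at the top of the list regardless of due date.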
Researchers from Ben-Gurion University in Israel develop new techniques to exfiltrate data from air-gapped computers.
Security researchers from Ben-Gurion University in Israel have developed new techniques to exfiltrate data from air-gapped computers—systems isolated from unsecured networks. Led by Dr. Mordechai Guri, the team exploited electromagnetic, acoustic, thermal, and optical emanations from computer components to transmit data to nearby receivers.
For example, the “RAMBO” attack uses electromagnetic emissions from RAM to leak data, while “AIR-FI” generates WiFi signals via DDR memory buses. Other techniques like “POWER-SUPPLaY” manipulate power supplies to create acoustic signals, and “LED-it-GO” uses hard drive LEDs to encode data. Even subtle vibrations from computer fans can be detected by nearby smartphones.
These attacks show that air gaps, though effective, are not foolproof. To defend against such sophisticated methods, organizations must apply stringent access controls, endpoint protection, and monitoring.
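What all of these channels share is the modulation layer underneath the physics: bits become an on/off pattern in some emitter (memory-bus activity, an LED, a fan), and a receiver nearby samples the medium, recovers the clock and reads the bits back. The code below is an added illustration of that generic layer, written for this briefing and not taken from the Ben-Gurion papers; it generalizes beyond any one of the named channels. It Manchester-codes a payload behind a sync word, emits it as on-off-keyed samples, adds constructed Gaussian noise, and demodulates it without knowing where the transmission starts. The oversampling factor, sync word, frame layout and noise level are assumptions.

```python
from __future__ import annotations
import random
from typing import Optional

# Frame layout (assumed): raw sync word, one-byte length, Manchester-coded payload.
# Three consecutive 1 chips can never occur in Manchester data (every bit is a
# 10 or 01 pair), so the sync word is unambiguous inside a chip stream.
SYNC = [1, 1, 1, 1, 0, 0, 0, 0]
SAMPLES_PER_CHIP = 8          # receiver oversampling factor (assumed)


def manchester_encode(data: bytes) -> list[int]:
    """Bit 1 -> chips 10, bit 0 -> chips 01, MSB first. The guaranteed mid-bit
    transition is what lets the receiver recover the sender's clock."""
    chips: list[int] = []
    for byte in data:
        for i in range(7, -1, -1):
            chips += [1, 0] if (byte >> i) & 1 else [0, 1]
    return chips


def frame(payload: bytes) -> list[int]:
    if len(payload) > 255:
        raise ValueError("single-byte length field")
    return SYNC + manchester_encode(bytes([len(payload)]) + payload)


def modulate(chips: list[int], lead_in: int = 13, lead_out: int = 5) -> list[float]:
    """On-off keying: chip 1 = emitter active (bus hammering, LED lit, fan sped
    up), chip 0 = idle. Returns what an ideal receiver would sample."""
    samples = [0.0] * lead_in
    for c in chips:
        samples += [float(c)] * SAMPLES_PER_CHIP
    return samples + [0.0] * lead_out


def add_noise(samples: list[float], sigma: float = 0.25, seed: int = 7) -> list[float]:
    """Constructed Gaussian receiver noise, seeded so runs are reproducible."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _threshold(samples: list[float]) -> float:
    # Adaptive decision level: midpoint of the 10th and 90th percentiles.
    s = sorted(samples)
    return (s[len(s) // 10] + s[len(s) * 9 // 10]) / 2


def _chip_means(samples: list[float], offset: int) -> list[float]:
    return [sum(samples[i:i + SAMPLES_PER_CHIP]) / SAMPLES_PER_CHIP
            for i in range(offset, len(samples) - SAMPLES_PER_CHIP + 1, SAMPLES_PER_CHIP)]


def _find(seq: list[int], pattern: list[int]) -> int:
    n = len(pattern)
    return next((i for i in range(len(seq) - n + 1) if seq[i:i + n] == pattern), -1)


def manchester_decode(chips: list[int]) -> Optional[list[int]]:
    bits: list[int] = []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair == [1, 0]:
            bits.append(1)
        elif pair == [0, 1]:
            bits.append(0)
        else:
            return None            # invalid pair: sync lost or corrupted chip
    return bits


def _bits_to_bytes(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def demodulate(samples: list[float]) -> Optional[bytes]:
    """Recover the payload from raw receiver samples, or None if no frame is found."""
    if len(samples) < SAMPLES_PER_CHIP * (len(SYNC) + 16):
        return None
    thr = _threshold(samples)
    # Clock recovery: try every sample offset and keep the one whose chip windows
    # sit furthest from the decision threshold, i.e. the best-aligned one.
    best = max(range(SAMPLES_PER_CHIP),
               key=lambda off: sum(abs(m - thr) for m in _chip_means(samples, off)))
    chips = [1 if m > thr else 0 for m in _chip_means(samples, best)]
    start = _find(chips, SYNC)
    if start < 0:
        return None
    body = chips[start + len(SYNC):]
    length_bits = manchester_decode(body[:16])
    if length_bits is None or len(length_bits) != 8:
        return None
    n = _bits_to_bytes(length_bits)[0]
    payload_bits = manchester_decode(body[16:16 + 16 * n])
    if payload_bits is None or len(payload_bits) != 8 * n:
        return None
    return _bits_to_bytes(payload_bits)


if __name__ == "__main__":
    rx = add_noise(modulate(frame(b"exfil:42")))   # constructed over-the-air capture
    print(demodulate(rx))
```

Read defensively, the demodulator is also the check you would run to confirm that a suspicious emanation actually carries data rather than noise: sample the medium, scan every clock offset for the sync word, and see whether a consistent Manchester stream follows. Real channels run far slower than this toy (bits per second, not kilobits), which is why the researchers' defences lean on shielding, zoning and removing receivers such as phones from the room rather than on bandwidth limits.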
Next up, we’ve got our Threat Vector segment with host David Moulton and guest Ryan Barger discussing how AI is revolutionizing offensive security. We’ll be right back.
Welcome back. You can find the link to David and Ryan’s full conversation in our show notes and catch new episodes of Threat Vector every Thursday on your favorite podcast app.
Sextortion scammers have gone to the dogs.
And finally, our love-and-marriage desk reports that a new twist on the classic sextortion scam is now targeting spouses, claiming their partner is cheating, and even offering a link to “proof.” In typical fashion, the scammers demand money to keep these so-called secrets quiet. While you’d think no one would fall for such tricks, these scams have been quite profitable, pulling in over $50,000 a week when they first appeared in 2018.
The latest scam, which surfaced three weeks ago, has Reddit buzzing with confused spouses. Recipients report getting emails from sketchy domains, using personal details not commonly shared online—like second last names or even pet names. One poor soul received an email accusing their dog, Mr. Wiggles, of cheating. Yes, the dog.
The source of these personal details is still unclear, with some pointing fingers at wedding planning sites. While the emails are unsettling, they’re just scams. If Mr. Wiggles gets accused again, just hit delete.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.