Sponsored by Spectra Group
27 Jul 23. Global: Sophisticated new malware will pose persistent threat to business networks. On 25 July, cyber security firm Infoblox released a report on a new remote access trojan (RAT), named Decoy Dog, that unknown threat actors are using and actively developing in highly targeted campaigns against enterprises across the globe. The malware was initially observed in April 2023, when Infoblox published an in-depth analysis. Shortly after that report, the threat actors quickly adjusted their attack infrastructure in response to the disclosure, removing some name servers and registering new domains to maintain remote access to already compromised networks. This highlights the attackers’ attentiveness to the cyber security community’s information-sharing, and their rapid evolution of tactics, techniques and procedures (TTPs) in a bid to avoid detection. The origins of Decoy Dog remain unclear, though a state-sponsored group is highly likely to be responsible given the distinct and sophisticated TTPs. There is currently limited public information about the targeted victims and the vulnerabilities being exploited. The malware will therefore pose an ongoing threat to businesses over the medium term at least. (Source: Sibylline)
26 Jul 23. Attacks on software vendors by North Korean groups sustain elevated supply chain risks. On 24 July, US-based cyber security company Mandiant attributed a software supply chain attack to the North Korean threat actor ‘UNC4899’. This follows the disclosure by software provider JumpCloud of an attack that targeted a small group of its customers (see Sibylline Cyber Daily Analytical Update – 18 July 2023). Mandiant was able to attribute the attack to UNC4899 following an operational security (OPSEC) mistake that exposed the group’s actual IP address. UNC4899, believed to be affiliated with North Korea’s Reconnaissance General Bureau (RGB), conducts operations focused on cryptocurrency theft to generate illicit income for Pyongyang amid extensive international sanctions. Some campaigns also collect intelligence from targets to serve the government’s political interests. There are precedents for attacks being attributed to North Korean actors following an OPSEC failure: in June 2023, the Pyongyang-linked hacker group Andariel used human-operated commands that contained mistakes and typos (see Sibylline Cyber Daily Analytical Update – 29 June 2023). With North Korean groups set to continue targeting software vendors, the risk of supply chain attacks will remain high for businesses across the globe. (Source: Sibylline)
25 Jul 23. Norway: Zero-day vulnerability points to elevated security, operational risks for government entities. On 24 July, the Norwegian government revealed that it had suffered a cyber attack via a zero-day vulnerability (CVE-2023-35078). The attack reportedly affected the operations of 12 governmental departments. The zero-day vulnerability lies in software from a third-party information and communications technology (ICT) vendor, Ivanti, specifically its ‘MobileIron’ Endpoint Manager Mobile (EPMM) product. There is a realistic possibility that the attackers exfiltrated sensitive data from the ICT platform and that they carried out the attack for cyber espionage purposes. The Norwegian security services stated that the breach has not affected the justice, defence or foreign affairs ministries. The Norwegian prime minister’s office was also reportedly unaffected. Ivanti has released a patch for the authentication bypass vulnerability, which unknown threat actors continue to exploit. Over 2,900 MobileIron portals are currently exposed online, 36 of which are linked to local- and state-level US agencies; this underscores the active security risk that unpatched vulnerabilities pose to government entities globally. (Source: Sibylline)
24 Jul 23. Allen-Vanguard donates SCORPION ECM training equipment to Kenya’s International Peace Support Training Centre (Nairobi).
Allen-Vanguard, a global leader in providing customised solutions for defeating Radio Frequency (RF) based terrorist and extremist threats, was recently invited to speak on global developments in Electronic Counter Measures (ECM) at the 5th African Annual C-IED Conference, held at the International Peace Support Training Centre (IPSTC) in Nairobi, Kenya. At the end of the event, Allen-Vanguard donated the training version of its SCORPION ECM manpacks to support future courses at the centre.
The guest of honour for the event was the Principal Secretary, Ministry of Defence (The Honourable Patrick Mariru). Following a C-IED Technology Update briefing, Stuart Wilson from Allen-Vanguard presented Maj General Leuria (Assistant Chief of the Defence Forces, Operations, Plans, Doctrine and Training) with inert versions of the SCORPION ECM manpacks, given their extensive use on the continent, to support future C-IED training for United Nations and African Union forces deploying on peacekeeping operations.
The IPSTC was established in partnership with the USA, UK, Canada, Japan, Kenya, Germany and UNDP to be the premier Peace Support Training, Research and Education Centre in Africa. Its mission is to conduct training, education and research for military, police and civilian personnel in all aspects of peace support operations, in order to improve the effectiveness of the response to complex emergencies for African Union nations and other countries. The annual C-IED conference is a three-day gathering of international experts across policy, research and operations, with the aim of sharing knowledge, best practice and future developments to improve the training and support of the 6,000+ students who pass through the IPSTC before deploying on peacekeeping operations.
As keynote speaker on the C-IED Technology Update, Stuart Wilson (Allen-Vanguard – Business Development Director MENA) spoke specifically about ECM. During his presentation, he explained the fundamentals of ECM, why it remains highly relevant, and how it reinforces the various levels of the C-IED pillars. Stuart also provided insight into potential future developments while highlighting design and operational constraints. After speaking, Stuart formally gifted the SCORPION training aids to the attending Generals and then trained the IPSTC instructors on their use and practical deployment considerations.
Bobby Strawbridge, Director Business Development for Allen-Vanguard, said: “We at Allen-Vanguard are very conscious that ECM equipment alone does not defeat the threat. Our vision is to create local capability, share knowledge, provide training and help to develop regional expertise so that those facing the greatest risk in peace keeping operations get the maximum possible protection. The IPSTC is a superb facility, training African nations in all aspects of peace keeping operations and we are more than happy to help contribute by supporting the defeat IED capability with our SCORPION training aids.”
24 Jul 23. USAF fields General Atomics’ Angry Kitten EW system for future UAS. The US Air Force will use the electronic warfare system over the next one to two years to develop the best tactics, techniques and procedures for future UAS.
The US Air Force (USAF) integrated General Atomics Aeronautical Systems Inc’s (GA-ASI) latest Angry Kitten ALQ-167 Electronic Warfare (EW) Countermeasure Pod onto an MQ-9A uncrewed aerial system (UAS) for the first time in late April, according to a GA-ASI press release on 20 July.
The Georgia Tech Research Institute (GTRI) supplied the Angry Kitten EW pod to the USAF, and the pod has flown on other US Department of Defense (DoD) systems, including F-16 fighter jets.
GA-ASI integrated the EW pod in less than nine months at no cost to the USAF under a Cooperative Research and Development Agreement.
“It was great to see the Angry Kitten pod on an Air Force platform for the first time,” said GA-ASI Vice President of DoD Strategic Development, Patrick Shortsleeve. “Flying this EW capability on an MQ-9A demonstrates its possible use on future aircraft.”
The USAF plans to continue flying with Angry Kitten Pods over the next 12 to 24 months to develop the best Tactics, Techniques, and Procedures (TTPs), leveraging EW capabilities in support of the Joint Force and partner nations.
The MQ-9A is employed primarily as an intelligence-collection asset and secondarily against dynamic execution targets, the USAF says. Given its significant loiter time, wide-range sensors, multi-mode communications suite, and precision weapons, it provides a unique capability to perform strike, co-ordination, and reconnaissance against high-value, fleeting, and time-sensitive targets.
Global MQ-9A use will popularise Angry Kitten
According to a projection from the intelligence consultancy GlobalData in its ‘Global Military UAV Market Forecast’ report, global spending on GA-ASI’s MQ-9 Reaper family of Medium-Altitude, Long-Endurance (MALE) UASs will increase from $22m to $169m between 2023 and 2027.
As Europe mobilises its defence and security systems for the so-called ‘dangerous decade’, it may come to depend on US industrial output of military equipment and resources. With GA-ASI’s successful flight of the Angry Kitten on the already popular MQ-9A system, increased use of the pod can be expected in future. This will only grow as Nato aspires to greater integration and interoperability.
In June, Poland purchased a distributed interactive simulation-based systems integration laboratory from the US DoD under a foreign military sales agreement. The systems integration laboratory consolidates the central European country’s expanding defence programme, and the facility will enable Poland to establish closer military ties with the US and Nato partners through the testing of new standard system components. (Source: airforce-technology.com)
21 Jul 23. Cyber Update.
- Ukraine’s Computer Emergency Response Team (CERT-UA) issued a warning about the Russian advanced persistent threat (APT) group ‘Gamaredon’. Its campaigns against Ukrainian entities have involved attempts to steal data from infected networks within an hour of the initial compromise, which points to the speed at which APT groups operate (see Sibylline Cyber Daily Analytical Update – 17 July 2023). In addition, the Russian APT group ‘Turla’ has reportedly targeted defence sectors across Eastern Europe and Ukraine to steal sensitive data (see Sibylline Cyber Daily Analytical Update – 21 July 2023).
- The software vendor ‘JumpCloud’ was at the centre of a highly targeted campaign conducted by a state-sponsored threat actor. The campaign aimed to obtain unauthorised access to select customers’ data (see Sibylline Cyber Daily Analytical Update – 18 July 2023). This underscores the pervasive threat that third-party vendors pose to organisations. The campaign has since been attributed to the North Korean APT group ‘Labyrinth Chollima’.
- More state-sponsored threat actors are utilising cyber criminal groups as proxies for malicious activity in an effort to obfuscate attribution and save time on malware development (see Sibylline Cyber Daily Analytical Update – 19 July 2023).
- Elsewhere, the Chinese APT group ‘APT41’ has reportedly been using mobile malware as part of a new cyber espionage campaign (see Sibylline Cyber Daily Analytical Update – 20 July 2023).
What you may have missed
The US Department of Commerce’s Bureau of Industry and Security (BIS) added two surveillance technology vendors to an economic blacklist for developing spyware used to gain access to information systems. ‘Cytrox’ and ‘Intellexa’ have allegedly developed technology that can be used to build surveillance tools that facilitate human rights violations. Google’s Threat Analysis Group discovered three separate campaigns between August and October 2021 targeting Android users with five zero-day vulnerabilities to install Cytrox’s ‘Predator’ spyware. Additionally, Google found that Cytrox’s spyware was sold to nation-state actors in Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia and Spain, likely as part of state-level surveillance operations against ‘persons of interest’. Spyware is often used by totalitarian governments to monitor journalists, dissidents and government opposition figures.
Cyber phrase of the week
This week’s cyber phrase of the week is: advanced persistent threat (APT) group. (Source: Sibylline)
Spectra Group Plc
Spectra Group (UK) Ltd is an internationally renowned, award-winning information security and communications specialist with a proven record of accomplishment.
Spectra is a dynamic, agile and security-accredited organisation that offers secure Hosted and Managed Solutions and Cyber Advisory Services with a track record of delivering on time, to spec and on budget.
With over 15 years of experience in delivering solutions for governments around the globe, elite militaries and private enterprises of all sizes, Spectra’s platinum and gold-level partnerships with third-party vendors ensure the supply of best value leading-edge technology.
Spectra was awarded the prestigious Queen’s Award for Enterprise (Innovation) in 2019 for SlingShot.
In November 2017, Spectra Group (UK) Ltd announced its listing as a Top 100 Government SME Supplier by the UK Crown Commercial Services.
Spectra’s CEO, Simon Davies, was awarded 2017 Businessman of the Year by Battlespace magazine.
Founded in 2002, the Company is based in Hereford, UK and holds ISO 9001:2015, ISO 27001:2013 and Cyber Essentials Plus accreditation.