Cyber Review - December 2023

National

Bharat hosted the Global Partnership on Artificial Intelligence as “Global Hub for AI Innovation”.

Bharat, the Chair of the Global Partnership on Artificial Intelligence (GPAI), hosted the GPAI Summit from 12-14 December 2023, in New Delhi. Around 30 sessions were organised and were attended by the global AI experts from GPAI, industry/startup, academia, and international organisations. Over 22,000 persons attended the summit and out of these 15,000+ AI enthusiasts participated in the summit virtually. As outcome, GPAI New Delhi Declaration build the consensus among GPAI members on advancing safe, secure and trustworthy AI and commitment to supporting the sustainability GPAI projects. Prime Minister Narendra Modi also gave a clarion call to work together and prepare a global framework for the ethical use of AI. GPAI New Delhi Summit also witnessed the presence of all major AI initiatives— UN Advisory Group on AI, UK AI Safety Summit.^[1]

Cabinet approved MoC signed between Bharat and Kingdom of Saudi Arabia on cooperation in digitisation and electronic manufacturing.

The Cabinet, led by Prime Minister Narendra Modi, was informed on 15 December 2023, of a Memorandum of Cooperation (MoC) on cooperation in the field of digitisation and electronic manufacturing that was signed on 18 August between the Ministry of Electronics and Information Technology (MeitY), Bharat, and the Ministry of Communications and Information Technology, Kingdom of Saudi Arabia.

The MoC intends to strengthen the existing cooperation on digitisation, electronic manufacturing, e-Governance, smart infrastructure, e-health, and e-education, promoting partnership in research in the use of emerging technologies, including Artificial Intelligence (AI), Internet of Things (IoT), Cloud Computing, and Blockchain.^[2]

Rust-based Malware targeted Bharatiya government entities.

Operation RusticWeb, a Rust-based malware operation designed to obtain intelligence through phishing attacks, was first discovered in October 2023 and was directed towards defence and government agencies in Bharat. Security researcher at SEQRITE Sathwik Ram Prakki stated, “New Rust-based payloads and encrypted Power Shell commands have been utilised to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server.” SEQRITE reported in November 2023, on several efforts that the threat actor ran to propagate trojans, including Ares RAT, DRat, and AllaKore RAT, against Bharatiya government agencies.^[3]

MeitY issued advisory to all intermediaries to comply with existing IT Rules.

Considering the growing concerns around misinformation enabled by AI/Deepfakes, the MeitY, on 26 December 2023, issued an advisory to all intermediaries, ensuring compliance with the existing IT Rules. “The content not permitted under the IT Rules, in particular those listed under Rule 3(1)(b), must be clearly communicated to the users in clear and precise language including through its terms of service and user agreements and the same must be expressly informed to the user at the time of first-registration and also as regular reminders, in particular, at every instance of login and while uploading/sharing information onto the platform,” read the advisory.

The advisory emphasises that digital intermediaries must ensure users are informed about penal provisions, including those in Bharatiya Nyaya Sanhita 2023 (formerly known as the Indian Penal Code) and the IT Act 2000, in case of Rule 3(1)(b) violations. Rule 3(1)(b) of the IT rules requires intermediaries to communicate their rules, regulations, privacy policies, and user agreements in the user’s preferred language. They must also take reasonable steps to prevent users from hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing any information related to the 11 listed user harms or prohibited content on digital intermediaries. This rule aims to ensure that platforms detect and remove misinformation, false or misleading content, and material impersonating others, including deepfakes, as soon as possible.^[4]

Cabinet approved proposal of Micron for setting up a Semiconductor unit in Gujarat, Bharat.

On 06 December 2023, the Cabinet led by PM Modi had approved the proposal of Micron for setting up a Semiconductor unit in Sanand, Gujarat, with Capital Investment of ₹22,516 Crore (USD 2.75 billion approx.) in June 2023. Over the next five years, the unit is expected to generate up to 5,000 direct and 15,000 indirect job opportunities. The “Bharat (India) Semiconductor Mission”, the Government of Gujarat, and Micron are collaborating with academia to train approximately 10,000 engineers. More than 30 gases, chemicals, equipment, substrate manufacturing, and other ancillary industries are in various stages of planning to set up shop in Gujarat. Micron, Bharat (India) Semiconductor Mission, and the Government of Gujarat signed agreements (today) to ensure project milestones are met on time and incentives are disbursed.^[5]

International

Malware abused Google OAuth endpoint to revive cookies and hijack accounts.

Despite an account’s password was reset, a family of multiple an information stealing malware abuses an undocumented Google OAuth endpoint— “Multilogin”, by restoring expired authentication cookies and log into users’ accounts. In late November 2023, it was discovered that two-information stealers— Lumma and Rhadamanthys, claimed to restore the expired google authentication cookies stolen in attacks.^[6]

German Police busted “Kingdom Market” Dark Web marketplace.

On 16 December 2023, Germany’s Federal Police Service (BKA) and Frankfurt Prosecutor’s Office for Cyber Crime (ZIT) revealed the crackdown of an infamous Dark Web marketplace— Kingdom Market, engaged in selling drugs, malware and other illicit items. The marketplace was operatingsince March 2021 and could be accessed through the TOR and I2P anonymisation networks. The marketplace had thousands of registered users and hundreds of vendors. At the time of its removal, it included over 42,000 products. To ensure their privacy, buyers made payments using Bitcoin, Litecoin, Monero, and Zcash. The site managers withheld 3 per cent of the total amount paid. The BKA appreciated the assistance of its law enforcement allies in the US, Moldova, Ukraine, and Switzerland.^[7]

Global Police seized USD 300m linked to online scams

Interpol’s operation— HAECHI IV, ran between July-December 2023, has led to the arrest of 3500 suspects and the seizure of assets worth USD 300m in connection with several organised cyber-crime schemes. The operation was supported by the South Korean government and involving police from 34 countries across the globe. The operation targeted seven types of cyber-enabled scams: voice phishing, romance scams, sextortion, investment fraud, money laundering associated with illegal online gambling, business e-mail compromise (BEC) and e-commerce fraud. Investment fraud, e-commerce, and BECaccounted for majority, 75 per cent, of cases investigated in the operation. Authorities blocked 82,112 suspicious bank accounts, seizing a combined USD 199 million in cash and USD 101 million in virtual assets. Police also worked with virtual asset service providers (VASPs) to identify and freeze 367 virtual asset accounts, such as crypto accounts, linked to transnational organised crime.^[8]

Iran-backed hackers used “MuddyC2Go” in telecom espionage attack across Africa.

Iran-backed hacker— MuddyWater, leveraged a newly discovered command-and-control (C2) framework— MuddyC2Go in its attacks on telecom sector across Africa, mainly Egypt, Sudan, and Tanzania. Active since 2017, MuddyWater is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), primarily singling out entities in the West Asia. Attack carried out by the group weaponised phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.^[9]

References

^[1]“Three-Day GPAI Summit concluded today at Bharat Mandapam”, Press Information Bureau- Ministry of Electronics and IT, 14 December 2023, available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1986475 [2]
^[2]“Cabinet approves Memorandum of Cooperation signed between India and Kingdom of Saudi Arabia on cooperation in the field of digitisation and electronic manufacturing”, Press Information Bureau- Cabinet, 15 December 2023, available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1986853 [3]
^[3]“Operation RusticWeb: Rust-based Malware Targets Indian Government Entities”, The Hacker News, 22 December 2023, available from: https://thehackernews.com/2023/12/operation-rusticweb-rust-based-malware.html; [4] SEQRITE: https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/ [5]
^[4]“MeitY issues advisory to all intermediaries to comply with existing IT Rules”, Press Information Bureau- Ministry of Electronics and IT”, 26 December 2023, available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1990542 [6]
^[5]“Micron’s semiconductor project at Sanand in Gujarat on fast track”, Press Information Bureau- Ministry of Electronics and IT”, 06 December 2023, available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1983128 [7]
^[6]Karthick, Pavan M. “Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking”, CloudSEK, 29 December 2023, available from: https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking [8]
^[7]Muncaster, Phil. “German Police take down Kingdom Market Dark Web marketplace”, Infosecurity Magazine, 21 December 2023, available from: https://www.infosecurity-magazine.com/news/police-take-down-kingdom-market/ [9]
^[8]Muncaster, Phil. “Global Police seize $300m linked to online scams”, Infosecurity magazine, 20 December 2023, available from: https://www.infosecurity-magazine.com/news/global-police-seize-300m-linked-to/ [10]
^[9]“Iranian hackers using MuddyC2Go in Telecom Espionage attacks across africa”, thehackernews, 19 December 2023, available from: https://thehackernews.com/2023/12/iranian-hackers-using-muddyc2go-in-new.html [11]