Geopolitical and Cybersecurity Risk Weekly Brief 17 August 2020

17 August 2020

Attacks and cybersecurity news

SafeBreach Labs disclosed a new 0day vulnerability in Windows Print Spooler, the same component that was exploited by the Stuxnet worm to damage centrifuges at Iran’s Natanz nuclear facility. Microsoft was warned about the bug in January 2020. CVE-2020-1048 was patched in May, but one month later researchers uncovered a new way to bypass the patch on the latest version of Windows; this bypass has been designated CVE-2020-1337. Chaining these vulnerabilities and bypasses together could potentially create a threat with the propagation power of the Stuxnet worm. As CVE-2020-1337 is unpatched, the researchers have withheld technical details about the exploit until Microsoft has rolled out patches worldwide.

Security researcher Mazin Ahmed has disclosed new vulnerabilities in Zoom. Two of the issues affect Zoom’s Linux client. If successfully exploited, these bugs could lead to information disclosure and remote code execution. The vulnerabilities were reported to Zoom in April and patched in July with version 5.2.4. Zoom recommends users apply the patches as soon as possible.

All three Emotet botnets have been distributing moderate to heavy amounts of malspam. The emails appear to be leveraging a new template that has been dubbed ‘no_values’ due to the message that pops up before the lure is opened. The Qbot banking Trojan is still the main payload. Cyjax analysis revealed that victims included the Government of Malaysia, Pharma Israel, and Crime Check Ghana. Additionally, Emotet has been distributed via the UNESCO E-Team webpage. An email inbox of the Quebec Ministry of Justice was also reportedly compromised to send out Emotet malspam.

The FBI has issued a Private Industry Notification claiming that an Iranian state-sponsored threat group has been attempting to compromise vulnerable BIG-IP ADC devices since early July 2020. The same threat actors have previously exploited VPN vulnerabilities including CVE-2019-11510 and CVE-2019-11539 (Pulse Secure), and the Citrix ADC/Gateway bug designated CVE-2019-19781. The group is known to target a variety of US organisations, including government, defence, finance, healthcare, IT, and media. The FBI warning also states that once the network is compromised, patching the flaw is not sufficient to deny attackers access to previously hacked devices.

Cybercrime investigators have uncovered a new cyber-espionage campaign linked to a Russian APT that specialises in infiltrating foreign enterprises to steal confidential corporate documents. The group, known as RedCurl, has launched 26 attacks against 14 firms without being detected, largely due to its use of custom hacking tools and its copying of the TTPs of professional penetration testers. Victims varied across continents and industry sectors, and included banks from Russia, Ukraine, Canada, Germany, Norway, and the UK. The earliest RedCurl activity was identified in May 2018. The group’s members are Russian speakers, and it was most active throughout 2019, particularly between June and December.

Threat actor VandaTheGod has claimed responsibility for attacking and defacing the Bhutan Manghdechu Hydroelectric Project website (mhpa[.]gov[.]bt). This is the first site that VandaTheGod has defaced since being released from prison. It was unclear whether he would return to malicious activity, as his identity was revealed by Check Point while he was in jail. Previously, Vanda predominantly attacked South American sites. However, it appears he is now targeting organisations in other countries.

Vulnerabilities have been discovered in the Amazon Alexa virtual assistant platform which could allow threat actors to access users' banking data history or other personal data such as home address. These bugs include a cross-site scripting (XSS) flaw and a cross-origin resource sharing (CORS) misconfiguration. The vulnerabilities can allow an attacker to install apps on a user's Alexa account; list all apps already installed on the account; remove any installed apps; and obtain the victim's voice history and personal information.

The SANS Institute, one of the largest cybersecurity training and certification organisations, has reported a security breach. It appears that on 11 August a member of staff interacted with a phishing email. This resulted in a malicious Office 365 add-on being installed on the employee's account. A total of 513 emails from the account were forwarded to an unknown external email address.

COVID-19 Cybersecurity Update

A new campaign is targeting India’s Micro, Small, and Medium Enterprises (MSME) sector; it has been attributed to the GorgonGroup from Pakistan. The attacks involve COVID-19-themed spam emails with attached malicious documents. The AgentTesla infostealer was delivered inside the documents. AgentTesla is a well-known keylogger and infostealer written in .NET that GorgonGroup has used previously. It collects information from a variety of applications such as web browsers, email clients, FTP clients, messaging applications, and VPN clients, and can also take screenshots. All stolen data in this campaign was exfiltrated over SMTP.

The Emotet botnet has begun sending coronavirus-related spam emails to US businesses. These emails imitate the "California Fire Mechanics" and relate to a May COVID-19 update. The email was stolen from a legitimate company and incorporated into the spam campaign. Emotet will also download additional malware such as Qbot or Trickbot, and use it to steal data and passwords, and potentially deploy ransomware such as Ryuk.

Data breaches, fraud, and vulnerabilities

Data Breaches

Security researcher Bob Diachenko claims that pharmaceutical company Daiichi Sankyo Europe has exposed some data online. Diachenko claims that credentials from the company’s infrastructure have been “left in the wild for a long time”. The company recently informed its customers that spam messages and fake job postings were being sent that purported to be from Daiichi Sankyo. These messages and job postings used domain names such as @daiichi-pharma[.]com. The company says that it has no affiliation with these messages and requests that users delete them promptly.

Michigan State University (MSU) has disclosed a Magecart attack in which attackers stole the credit card and personal information of around 2,600 people from the university's online store (shop.msu.edu). The threat actors exploited a website vulnerability to inject malicious web skimming scripts designed to harvest and exfiltrate payment card data. The script was active on the MSU online store for nine months, between 19 October 2019 and 26 June 2020. Other than the stolen credit card details, exposed information included names and addresses. The university claims that no Social Security numbers were exposed, and that the vulnerability used to gain access to the site has now been patched.

Medical software company Adit has exposed the details of 3.1 million patients in a publicly available, unauthenticated database. One week after a researcher responsibly disclosed the breach, a meow bot attack wiped the data, leaving the word “meow” in its place. These attacks have become common in recent weeks, targeting numerous exposed Elasticsearch and MongoDB databases. The motivations of the threat actor are unclear: some have speculated that he is attempting to teach organisations a lesson by wiping their data before it is stolen.

Researchers discovered a misconfigured Amazon S3 storage bucket containing more than 60,000 records with protected health information. The information related to people involved with the BioTel Heart cardiac data network. Most of the records were scanned faxes asking for medical records on certain patients.

Ransomware

Another data leaks blog linked to a ransomware group has emerged. The Avaddon ransomware operators announced a data leaks blog on which they will publish the stolen data of victims who do not pay their ransom. The threat actors made the announcement on darknet forum xss.is, stating that they are still recruiting new affiliates and looking for network and RDP access to systems. There is currently only one entry on the group’s blog: EFCO Forms (or EFCO Formwork Solutions), a US-based construction company.

DiVal Safety Equipment, Virtu KCG Holdings, The Old Spaghetti Factory and Salem Media Group have been announced as the latest victims of the DoppelPaymer ransomware.

Virtu KCG Holdings is a global financial services firm. The Old Spaghetti Factory is a US-based Italian restaurant chain operating in multiple states. DiVal Safety Equipment is a distributor of safety equipment based in New York.

The operators of the NetWalker ransomware named WoodStream, Drivestream, Florstar Sales and a branch of Canadian Tire as their latest victims:

  • Florstar Sales is a wholesale floor covering distributor based in the US.
  • WoodStream is an international manufacturer of pest-control products.
  • Drivestream is a provider of Oracle cloud consulting services and solutions.
  • Canadian Tire is a Canadian retail chain focusing on the automotive sector.

The operators of the REvil (Sodinokibi) ransomware have announced three new victims on their data leaks blog: Data Net Solutions, Brown-Forman and CIBanco SA. The post concerning Brown-Forman is noteworthy for several reasons. Firstly, the REvil operators explicitly threaten to “start notifying investors, clients and competitors about what has occurred”, a tactic the REvil operators have discussed previously. Secondly, they encourage Brown-Forman employees to sue their employer if the data is leaked. Finally, the REvil operators discuss the potential fines Brown-Forman could receive under GDPR. These threats underscore how the reputational damage potentially caused by a ransomware incident (and the subsequent leaking of stolen data) is now central to ransomware operators' modus operandi.

Fraud

A large-scale phishing campaign has targeted government and university websites in the US to host articles that lead to malware and scams. UNESCO.org was compromised and defaced to display an article on how to hack Instagram accounts. Other sites experienced similar compromises with articles pushing fake hacking tools for Netflix, WhatsApp, Facebook, TikTok, Instagram, and Snapchat. Vulnerabilities in CMS platforms are being exploited to insert the malicious articles onto compromised sites. Additionally, the threat actors have successfully performed blackhat SEO, promoting the articles in Google’s search results. One commonly observed delivery method exploited Drupal’s Webform component to upload PDFs with links to the fake hacking tools.

A new phishing scam has been observed targeting cPanel users with a fake security advisory. The message informs recipients that updates have been released to fix "security concerns" in cPanel and WHM software versions 88.0.3+, 86.0.21+, and 78.0.49+. All users, according to the fake advisory, are recommended to install the updates. This was a relatively convincing attack, with few grammar or spelling mistakes. The attackers also used language appropriate to security advisories.

The US Financial Industry Regulatory Authority (FINRA) has warned its members of a site that is impersonating the organisation and potentially being used in phishing attacks. The fake site mimics the FINRA website but has an extra letter in its domain name (finnra[.]org, as opposed to the legitimate finra.org). The fake site includes a registration form, which could be used to collect sensitive personally identifiable information from FINRA members and in phishing attacks.

A new phishing campaign is targeting Verizon customers to steal user credentials, passwords, and personal details. The email claims to be an "urgent" message from Verizon Support, stating that the recipient's attention is required. If opened, the email takes the target to a Verizon lookalike website with a phishing flow. This asks them to log in using their Verizon login ID and password, and then asks for the victim's email address and password, and their phone number.

Vulnerabilities

A vulnerability has been discovered in Google’s Chromium-based browsers that could allow an attacker to bypass the Content Security Policy (CSP) on websites to steal data and execute malicious code. Affected browsers include Chrome, Opera, and Edge, on Windows, Mac, and Android devices, so the issue potentially affects billions of users. The flaw was present for more than a year before it was patched. Researchers claim that because of this, the full implications of the bug are not yet known. The flaw may also have been exploited in attacks in the wild, but this, too, remains unconfirmed.

In September 2019, researchers disclosed a 0day RCE vulnerability in vBulletin versions 5.0-5.4 tracked as CVE-2019-16759. This flaw could have allowed an attacker to remotely execute PHP commands on the server without logging into the forum. A new 0day vulnerability has now been discovered in vBulletin, the exploit for which can bypass the patch issued for CVE-2019-16759.

A fix has also been released alongside full disclosure of the vulnerability to give customers the chance to patch their servers.

A security researcher discovered vulnerabilities in the HDL automation system for smart homes and buildings. These could be exploited to allow the takeover of accounts belonging to other users and control of their associated devices. These attack techniques have not yet been used in the wild. However, these solutions are deployed widely, presenting a broad attack surface. Threat actors with control over various aspects of an affected building could cause serious issues for residents and users. The problems were fixed quickly, which did not provide sufficient time for the researcher to fully explore the exploitation avenues presented by the vulnerabilities.

A vulnerability, tracked as CVE-2019-17098, has been discovered in SmartLock devices which could facilitate WiFi password eavesdropping. The SmartLock device sends encrypted communication to the configuration application on the smartphone, but the encryption key is hardcoded into the application. As a result, potential attackers could, within a certain distance, eavesdrop on the traffic and intercept the WiFi password.

There has been an increase in script-based malware currently propagating through Internet Explorer browser exploits. Two different malware campaigns continue to leverage CVE-2019-0752, a bug in the Microsoft scripting engine that can corrupt memory in such a way as to permit arbitrary code execution. This threat is a reminder that organisations with up-to-date Windows hosts, and those that follow security best practices for secure web browsing, face a much lower risk of infection.

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Multiple high-risk vulnerabilities have been disclosed in the Jenkins software framework. Successful exploitation can lead to cross-site scripting, cross-site request forgery, or password disclosure.
  • Critical patch updates for multiple ICS products. Successful exploitation can lead to path traversal, unauthorised modification of data, remote code execution, or a denial of service condition. The advisories are as follows:
    • ICSA-20-224-01: Yokogawa CENTUM
    • ICSA-20-224-02: Schneider Electric APC Easy UPS On-Line
    • ICSA-20-224-03: Tridium Niagara
  • Critical patch updates for multiple Siemens ICS products. Successful exploitation can lead to sensitive data being read and remote code execution on the affected devices.
  • Intel has released a patch for a critical vulnerability affecting several of its motherboards, server systems, and compute modules. This rare flaw could allow an unauthenticated remote attacker to elevate their privileges and conduct malicious activities.
  • Citrix has released patches for multiple vulnerabilities affecting its Citrix Endpoint Management (CEM) software, also known as XenMobile. There are five vulnerabilities in total which affect on-premise instances of XenMobile servers.
  • SAP released its August 2020 Patch Tuesday security updates. 16 vulnerabilities were patched in total, one of which is rated critical.
  • Adobe has released its August 2020 Patch Tuesday security updates for Adobe Acrobat and Reader and Adobe Lightroom. A total of 26 vulnerabilities were patched, 11 of which were rated critical.
  • Microsoft has released its August 2020 Patch Tuesday security updates, with 120 vulnerabilities patched in total. Of these, 17 are classed as critical, and the other 103 are classed as important.
  • A high-severity vulnerability, tracked as CVE-2020-12648, has been disclosed in versions 5.2.0 and earlier of TinyMCE, an open-source text editor used in the content management systems (CMS) of websites. This flaw could potentially be exploited by remote attackers to gain administrative privileges to the website.

APT Activity and Malware Campaigns

APT activity

The NSA and FBI released a security advisory over previously undisclosed malware, dubbed Drovorub, that has been attributed to the Russian military intelligence unit better known as FancyBear (also known as Strontium, APT28, PawnStorm, and Sofacy). As noted by the authorities, Drovorub presents a threat to National Security Systems, Department of Defense, and Defence Industrial Base customers that use Linux systems. Network defenders and system administrators can find detection strategies, mitigation techniques, and configuration recommendations in the advisory to reduce the risk of compromise. It can be expected that more attacks attributed to FancyBear will surface in the run-up to events such as the 2020 US Presidential Election and the 2021 Tokyo Summer Olympics. FancyBear’s most recent campaigns include the targeting of US networks belonging to state and federal government agencies, critical infrastructure, and educational systems, as well as the mass scanning of vulnerable email servers across the internet.

North Korean threat group Lazarus has been observed targeting dozens of defence and governmental organisations in Israel and around the world as part of a new campaign dubbed Operation Dream Job. The group manipulated targets with a "dream job" offering from prominent defence and aerospace companies in the US, such as Boeing, BAE, and McDonnell Douglas. Sophisticated social engineering campaigns used platforms such as LinkedIn to appear more legitimate. The first attack in this campaign is believed to have been against an Israeli defence company in March 2019. Israel recently claimed to have thwarted an attempted cyberattack by Lazarus that used fake LinkedIn profiles to lure victims with potential job offers. It is possible that this was yet another attempted Operation Dream Job attack, although this has not been confirmed. ClearSky claims that Operation Dream Job is the group's main attack campaign this year. This operation is therefore likely to continue, infecting victims both in Israel and globally.

A new malware has been linked to the CactusPete APT. The malware, an updated variant of the group’s Bisonal backdoor, has been used since February 2020 against targets from the financial and military sectors in Eastern Europe. The distribution method of this new campaign has not been uncovered, but it is likely to be via spear-phishing with attachments that exploit recently discovered and patched vulnerabilities. CactusPete (often called TontoTeam) has been publicly known since at least 2013. Historically, the group's activity has been focused on information gathering campaigns against military, diplomatic and infrastructure targets in Asia and Eastern Europe.

A new exploit chain leverages two critical 0day vulnerabilities in Microsoft products: a remote code execution (RCE) vulnerability in Internet Explorer and an elevation of privilege flaw in Windows. These are being actively exploited. Based on the similarities present in previously disclosed exploits, the threat actors deploying these 0days are likely connected to the DarkHotel APT group. This new campaign has been dubbed Operation PowerFall and targets the latest builds of Windows 10 and Internet Explorer 11. Using these two vulnerabilities together, the DarkHotel group can subsequently install programs; view, change, or delete data; or create new accounts with full user rights.

Malware

The operators of Cerberus have released the full source code for Cerberus v2 to all premium users of the Russian hacking forum xss[.]is. Full access to the admin panel and the installation script has also been included. While the impact of Cerberus' release as open-source will not be known for some time, there is a precedent which may indicate what is to come. The source code of Anubis, a similar Android RAT popular among cybercriminals, leaked in 2019, leading to a rapid proliferation of Anubis samples, as well as new Android RATs incorporating the leaked source code into their design. Although restricting access to the Cerberus source code may limit proliferation in the short-term, it will almost certainly become more widely available over time.

New variants of the Agent Tesla remote access Trojan (RAT) include modules dedicated to stealing credentials from web browsers, VPN software, FTP, email clients, and more. Researchers discovered dedicated code that was collecting both app configuration data and user credentials from multiple applications. Agent Tesla is being delivered in phishing emails, using various social engineering lures, such as the COVID-19 pandemic.

The Muhstik botnet has been detected brute-forcing SSH and executing malicious code. Once successfully downloaded, the Muhstik Trojan will start mining Monero and set up connections to its C&C server. Many well-known Chinese companies have been attacked by the botnet, with thousands of servers compromised at the time of writing.

The US Cybersecurity and Infrastructure Security Agency (CISA) has observed threat actors using phishing emails to deploy the KONNI malware. KONNI is a remote administration tool (RAT) used by malicious actors to steal data, record keystrokes, take screenshots, and execute arbitrary code on infected devices. The RAT has previously been used by various threat groups but has mainly been attributed to Konni, which is believed to be a state-sponsored North Korean APT known for attacking areas in and around the Korean peninsula.

A new Latin American banking Trojan, dubbed Mekotio, has been disclosed. The malware mainly targets Brazil but has also claimed victims in Chile, Mexico, Peru, Spain, and Portugal. Interestingly, Mekotio uses an SQL database as a C&C server. This technique relies on executing SQL procedures for communication, a technique also used by other Latin American banking Trojans. Attacks linked to Mekotio have been traced back to 2015. The Latin American threat landscape is influenced and defined by government corruption, organised crime, and persistent attacks on industries such as retail, finance, and hospitality, as well as broader geopolitical dynamics. Cybercriminal groups in the region generally focus on financial attacks, as well as fraud campaigns, and have also been known to work with drug cartels across the continent.

Darknet

The dedicated forum for Empire market, known as Empire Forum, has grown rapidly since its launch in late July. This was to be expected, as the forum is now the only place where users can contact the Empire admin with support requests. However, the forum now hosts discussions on a wide range of topics, including vendor reviews, product requests and broader darknet trends. If Empire continues to be the dominant market, this forum may soon become one of the most popular darknet forums.

Conversely, the darknet forum Torum shut down this week. The individual responsible for hosting Torum simply stated they wished to move away from the darknet for the time being, though they did not rule out a possible return in the future. Torum was one of the few English-language darknet forums that focused on hacking. This, and the fact that it was free to register, meant it generally attracted lower-skilled cybercriminals. Most of these users will likely migrate to other similar English-language darknet hacking forums, such as Torigon or CryptBB.

Geopolitical Threats and Impacts

Americas

On 13 August, the US Department of State designated the Confucius Institute as a ‘foreign mission’ of China. In a statement, Secretary of State Mike Pompeo said that Confucius Institutes, which offer Chinese language and cultural programmes, advance ‘Beijing’s global propaganda and malign influence campaign’ in US classrooms. The designation means that staff at US-based Confucius Institutes will need to register with US authorities, while the institutes will also face restrictions similar to those imposed on diplomatic missions. The move may prompt some US universities to reconsider their ties to Confucius Institutes. It is also likely to prompt tit-for-tat retaliation from Beijing against equivalent US institutions providing English language instruction and US cultural classes in China. More broadly, the announcement marks a further worsening of bilateral relations, already heavily strained by disputes over the novel coronavirus (COVID-19) pandemic, Hong Kong’s political status, Beijing’s treatment of ethnic Uyghurs, and Chinese trade practices, among other bilateral and multilateral issues. Organisations with interests in Sino-US educational and linguistic programmes should monitor updates and anticipate likely retaliation from Beijing.

The US Department of Transportation announced the suspension of most charter flights between the US and Cuba. The measure will come into force on 13 October, following a 60-day wind-down period. Authorised public charters to Havana, flights for emergency medical purposes and for other travel deemed in the interest of the US are exempt from the suspension. The US banned regular commercial flights to Cuban destinations other than Havana in October 2019, and this latest measure seeks to further reduce tourism and travel revenue to the Cuban government, which the US accuses of supporting repression domestically and in Cuba’s close ally, Venezuela. The move also has important political implications and is likely to be well received in electorally critical Cuban and Venezuelan communities, particularly in Florida, ahead of November’s presidential election. Organisations with interests in US-Cuba travel, particularly airlines, should adjust operational and financial planning to account for the imminent charter flight suspension.

On 11 August, presumptive Democratic Party presidential candidate Joe Biden announced that California Senator Kamala Harris would be his running mate in November’s presidential election. Harris, a former California attorney general of Indian-Jamaican heritage, becomes the first black woman to be nominated for the role of vice president.

In a virtual meeting on 13 August, the presidents of Chile and Ecuador formally signed a new bilateral trade agreement. The pact features lower tariff barriers for Ecuadorian exports to Chile, particularly agricultural products such as rice, corn, and sugar. For Chilean businesses, the pact allows their participation in Ecuadorian public contract tenders on the same terms as local companies, among other measures facilitating trade. Despite multiple regional initiatives and trade blocs, commerce among Latin American countries has often produced disappointing results, with many of the region’s countries counting the US or China as their main trading partner. This agreement, penned by two of the region’s most prominent supporters of free trade, seeks to boost bilateral commerce amid a very difficult economic climate dominated by the impact of the novel coronavirus (COVID-19) pandemic. While companies in both countries are set to benefit, the agreement is likely to benefit Ecuador more than Chile, as Chile is a more significant trade partner for Ecuador than vice versa. Companies with interests in bilateral trade should review the provisions of the agreement and assess its impact on operations, finances, and investment plans.

On 14 August, the US Department of Justice announced the seizure of 1.1 million barrels of Iranian oil from four vessels bound for Venezuela. The US government said that the shipments violated US sanctions. In comments to the press, President Donald Trump said that the seized oil would be moved to Houston, Texas. Iran’s ambassador to Venezuela, Hojat Soltani, said that neither the vessels nor their owners were Iranian. The development marks the US’s largest-ever seizure of Iranian oil, and comes amid heightened diplomatic tensions with both Tehran and Caracas. The most significant aspect of the oil seizure is that it was not carried out by force. Instead, Washington threatened the ships’ owners, insurers, and captains with sanctions, and unspecified international partners assisted with the seizure of the oil. Organisations with interests in Iran and Venezuela’s trade, particularly in the oil and shipping industries, should adjust planning in light of recent seizures and the enforcement of US sanctions.

Asia-Pacific

Local Hong Kong media reported that 40 per cent of American Chamber of Commerce (AmCham) Hong Kong members are considering moving capital, assets, or operations from the territory due to concerns over the national security law (NSL) imposed by Beijing and US government sanctions. Specific concerns relate to the ambiguity of the NSL and the implications of the end of Hong Kong’s preferential trade status with the US on a wide range of commercial and legal issues. In addition, more than 50 per cent of individuals who responded to the survey, which represented 13 per cent of AmCham’s members, said they were actively considering leaving Hong Kong. Other foreign companies, notably from Western economies, are likely to share similar concerns and sentiments. The six-month outlook is likely to be crucial in determining whether the AmCham survey represents a snapshot or an indicator of a more substantial trend. Key future issues during this period include the outcome of November’s US elections, the course of the coronavirus pandemic and the actions of the local and Beijing governments towards peaceful dissent. As the past six-month period illustrated, the speed and implications of unforeseen events can, and most probably will, alter many planning assumptions and require senior management to quickly reassess their corporate options.

On 10 August, the Chinese foreign ministry imposed sanctions on 11 US citizens including lawmakers Marco Rubio and Ted Cruz, as well as Kenneth Roth, the executive director of US-based Human Rights Watch, and Michael Abramowitz, the president of Freedom House, another US-based NGO. The individuals were targeted for ‘egregious behaviours on Hong Kong-related issues.’ Chinese foreign ministry spokesperson Zhao Lijian said the sanctions were in direct response to the US state department’s decision on 7 August to issue targeted sanctions against 11 Hong Kong and China-based individuals, including Hong Kong’s chief executive, Carrie Lam. The reciprocal moves underscore a continued escalation in political tensions between Washington and Beijing, which have been exacerbated by China’s national security law (NSL) on Hong Kong, imposed in July.

On 14 August, Alphabet-owned Google announced that it would no longer provide data in response to requests from Hong Kong authorities after the imposition of new national security legislation in the territory. The move comes after other US tech giants, including Facebook and Twitter, announced similar measures in July. On a practical level, the decision will complicate the investigative work of the Hong Kong police and judicial authorities. More broadly, the decision highlights the gradual elimination of Hong Kong’s privileged ties to the US and other western countries, amid criticism of the new national security legislation. In the short-to-medium term, there is a high likelihood of further US companies and organisations altering their presence and operations in Hong Kong due to the territory’s evolving political status.

On Thursday (13 August), authorities in the southern city of Shenzhen stated that a sample of frozen chicken wings imported from Brazil had tested positive for COVID-19. Municipal authorities said that everybody who had come into contact with potentially contaminated food products had been tracked and had tested negative for COVID-19. Local health authorities have encouraged the public to take precautions when handling imported meat and seafood to reduce the risk of potential infection. To lower the risk of contaminated food products being imported, Beijing has banned some meat imports from countries including the US and Brazil, while all meat and seafood containers arriving at major Chinese ports are subject to screenings for coronavirus. This latest case elevates the risk of further export bans, while any decision to augment port screenings would increase the likelihood of disruption along the meat supply chain. Companies with interests in the export of meat and seafood to China should monitor official national and local government announcements regarding the coronavirus and assess their impact on the supply chain.

Up to 4,000 students staged a protest at Bangkok’s Thammasat University on the evening of 10 August to demand the resignation of Prime Minister Prayuth Chan-ocha. One student group also issued a 10-point call for reforms to the monarchy, an institution accorded near-divine status in Thailand. There is now a high probability that the rapidly spreading student movement and the state are moving closer to a direct confrontation. Tension can be expected to increase in the one-week outlook, and foreign companies in Thailand, notably in Bangkok, should assess their vulnerability to violent and disruptive protests during this period and beyond.

Tensions are now high in Thailand, notably in the capital Bangkok, following a large but peaceful demonstration in the city on 16 August during which the status and role of the country’s monarchy were openly challenged. Up to 20,000 mainly young people, the majority students from the capital’s universities, had gathered around the city’s Democracy Monument to demand the military-led government resign. No serious incidents were reported during the protest, the largest since the 2014 military coup, with the security forces maintaining a low profile.

On 17 August, Facebook’s Director of Public Policy in India, South and Central Asia, Ankhi Das, filed an official complaint with the Delhi Police Cyber Cell Unit, the capital’s cybercrimes agency, in New Delhi. The complaint was broadly against numerous unnamed individuals who have been propagating politically motivated hate speech and other related content on the social media platform. Das filed the complaint in response to a 14 August article in the Wall Street Journal that claimed she permitted such content, particularly posts by the ruling Bharatiya Janata Party (BJP), out of commercial interests.

The BJP has used Facebook and numerous other social media platforms to effectively reach out to its supporters, particularly those drawn to the party’s Hindu nationalist, anti-Muslim and xenophobic agendas. Among the fastest growing ‘politics’ pages on Facebook is that of a BJP politician from Telangana state, T Raja Singh, who has advocated for the public execution of Muslims and the destruction of mosques. He is not alone. Das’ complaint is likely the result of pressure from senior leadership at US headquarters. Facebook has been particularly affected by the blowback from numerous companies, including adidas, Coca-Cola, Ford and Starbucks, that have pulled advertising campaigns or launched boycotts to put financial pressure on the social media giant to clamp down on hate speech. This was a result of public pressure from customers and civil society organisations. Companies with advertising campaigns in India should factor in similar targeting and pressure and consider contingency plans to minimise advertising and marketing efforts. Company public relations or strategic communications teams should also prepare a public response to this development.

Europe and Russia

According to multiple reports, a Greek and a Turkish frigate collided on 13 August after what appears to have been an incorrect manoeuvre by the captain of the Turkish vessel Kemal Reis, which sustained damage. Greek foreign minister Nikos Dendias said he intended to inform European counterparts about ‘real events’ and ‘operational incidents’ of recent days. Apparently in reference to the incident, Turkey’s President Recep Tayyip Erdogan said the Oruc Reis seismic vessel was attacked, prompting a retaliation. At present, there is little evidence to support Erdogan’s version of events, and Ankara’s response is likely an attempt to deflect attention away from a potentially embarrassing mistake by a navy captain. Mutual accusations of hostilities, however, will continue to fuel heightened tensions, which were triggered after the Oruc Reis was sent out on 10 August with a military escort to conduct research in Greek waters. While key conditions for a wider de-escalation – including a cessation of Oruc Reis’s activities on Greece’s continental shelf – have not been met, regional tensions will remain elevated.

The UK has officially entered an economic recession after the largest downturn ever recorded occurred between April and June amid COVID-19-related restrictions. The size of the economy decreased by 20.4 per cent during that period compared to the first three months of 2020.

CNIL, France’s privacy watchdog, launched a probe into TikTok, a popular video-sharing social media app owned by Chinese technology firm ByteDance. A CNIL spokesman said the investigation, which forms part of broader scrutiny of the firm’s plans to establish EU headquarters, would focus on how TikTok communicates with users and what safeguards exist for children. Last week, TikTok said it would set up a data centre in Europe through a EUR420 million investment in Ireland. Multiple probes are underway across Europe, including in Denmark and the Netherlands, to determine whether TikTok complies with the EU’s stringent data protection laws. For companies partnering with TikTok that consider the app an essential tool for marketing campaigns, the outcome of the probes may have wide-ranging consequences.

Middle East, North Africa and Central Asia

The White House announced on 13 August that an accord had been reached by Israel and the United Arab Emirates. If fulfilled, it will make UAE the third Arab country to normalise diplomatic ties with Israel after Egypt in 1979 and Jordan in 1994. Under the agreement, which was facilitated by the Trump administration, Israel has agreed to suspend its plans to annex areas across the West Bank and declare sovereignty over parts of the territory.

Prior to this, the UAE had no formal economic or diplomatic relations with Israel, in a similar vein to the rest of the Gulf region. The accord, however, effectively formalises a relationship that has been improving unofficially for several years. It also signals that political dynamics across the MENA region are beginning to shift, as willingness to predicate relations with Israel on the Palestinian conflict diminishes in favour of prioritising the threat from Iran. The UAE is likely also hoping that official relations with Israel will bolster its reputation in the US, which has been damaged due to its role in ongoing conflicts across Yemen and Libya. The announcement has already been met with opposition from Palestinian leaders, who likely fear that this will bring Israel further legitimisation in occupying Palestinian territory. Protest activity across Israel and the Palestinian Territories is likely to occur over the issue in the coming days; militant attacks against Israel from the Gaza Strip are also a possibility.

At least 11 people were arrested during protests denouncing Israeli Prime Minister Benjamin Netanyahu in the early morning hours of 16 August. The protests began late Saturday night and saw an estimated 10,000 people take part. Many of the participants gathered outside Netanyahu’s residence in Jerusalem and outside his private home in Caesarea. Hundreds also demonstrated at bridges and traffic junctions around the country. The protests were organised by the ‘Black Flag’ anti-corruption group, which has been staging weekly demonstrations on Saturday nights at symbolic sites all over the country. The protesters are demanding the resignation of Netanyahu, who is on trial for alleged corruption and has been accused by critics of subverting democracy by attacking the justice system, law enforcement and the media. During the latest rally, the protesters lambasted the historic Israel-UAE normalisation deal, portraying it as beneficial politically to Netanyahu while the people of Israel are suffering from the government’s failure to manage the economic and health crisis caused by the COVID-19 pandemic.

Meanwhile, Israel’s Central Bureau of Statistics reported on 16 August that the country’s GDP had plummeted by 28.7 per cent in the second quarter of 2020, marking the worst economic performance in more than 40 years. Despite efforts at gradually resuming economic activity over the past few weeks, the COVID-19 crisis has triggered unprecedented unemployment of 26 per cent, compared to 4 per cent prior to the outbreak. The poor second quarter performance will provide more fuel for Netanyahu’s opponents, who have also criticised parliament for approving a relief package to aid struggling businesses and unemployed workers but not clearly specifying who will receive aid. Security managers should monitor the situation for updates and anticipate additional protests, with these likely to occur on Saturday nights in major urban centres and at highways and junctions across the country. Another stimulus bill is likely to be announced in the 3 to 5 month period as Netanyahu’s government seeks to improve its public standing and prevent further economic collapse.

Authorities from Laâyoune-Sakia El Hamra, situated on the southwestern coast of Morocco, announced that the port of Laâyoune would be closed until ‘further notice’. The closure is due to a rise in COVID-19 infection cases in the country since the beginning of August. Recent data from 12 August indicated that cases per day were now at around 1500, a sharp rise from 500 on 28 July. The port’s closure will likely have a significant impact on the local economy’s fishing sector as no boats will be permitted to use the facility. On a larger scale, the closure will also affect the Western Sahara’s phosphate mining industry. Businesses with interests in the phosphate mining industry should continue to monitor developments via all official government announcements, but anticipate that the port will likely be closed until infection cases begin to decline in number.

Ali Rabiee, an Iranian government spokesman, confirmed this week that runoff parliamentary elections will be held on 11 September. A week of campaigning will be held prior to the final round of voting. The announcement comes after elections were delayed earlier this year due to the COVID-19 crisis. Given a recent low-level resurgence in anti-government protests, it is possible that pockets of social unrest could occur, particularly in the days following the election results. Staff are advised to avoid any anti-government activity, including posting content related to the government on social media sites, due to the significant personal security risks this poses.

In a national TV address on 10 August, Lebanese Prime Minister Hassan Diab announced the entire government’s resignation due to serious failures surrounding the explosions at the Beirut port, including decades of systemic corruption. As of 11 August, the death toll in the incident stands at 220, while another 110 people remain missing. President Michel Aoun stated on Monday that the government has been asked to remain in a caretaker capacity until a new cabinet is formed. It marks the third time Lebanon will have to appoint a prime minister in under a year. Previous heads of government, including Saad Hariri in October 2019, have stepped down amid public outrage over corruption in the ruling elite, which is widely believed to have caused the current financial crisis.

Diab’s announcement signals the official collapse of the government following a week of widespread violent anti-government protests and the resignation of multiple government officials since the explosions at Beirut port on 5 August. Parliament will now be required to decide on a new prime minister. Given the likelihood of further discord due to an entrenched sectarian political system, this process is at risk of taking months. There is a realistic possibility that the government collapse will have significant implications for economic stability, likely further delaying the reinstatement of IMF negotiations and the securing of financial aid via the successful implementation of reforms. Any change in government will have important consequences for both the business and security environments. Business managers are advised to continue monitoring all developments and prepare to incorporate these into strategic planning.

On 10 August, three Iraqi security force personnel told Reuters that an explosion occurred at around 2100 local time at the southeastern Jraischan border crossing between Iraq and Kuwait. The explosion reportedly targeted a convoy that was carrying equipment for US forces. Both the Iraqi and Kuwaiti militaries have denied that the attack took place and said that the border remains secure; a little-known Iraqi Shiite militia group, Ashab Al-Kahf – which is likely a group operating with Iranian backing – claimed responsibility for the attack. As of 11 August, the US military has not confirmed whether the attack took place. Vehicles are regularly loaded and unloaded with military equipment at the Jraischan border, an area whose security is reportedly contracted out by the US military to foreign companies. If the attack is confirmed, it is further evidence of an increase in such activity against US interests by pro-Iran Shia militia groups. Businesses in the region with affiliations to the US are at a heightened risk of sustaining collateral damage. Those with facilities in close proximity to US interests should exercise heightened caution due to the collateral risk to the safety of their staff and physical assets.

Sub-Saharan Africa

On 6 August, South African telecoms company MTN Group announced plans to downsize its operations in the Middle East, due to an increasingly challenging geopolitical environment there and US sanctions. The announcement and media reports signal significant restructuring of MTN’s operations over the coming two to three years, as it reportedly seeks to focus its operations on the pan-African market, including investments in Ethiopia’s telecoms market, which is being deregulated. Further MTN divestment announcements are likely to be made over the next six months. Companies reliant on MTN’s operations, or that have active contracts with any of its subsidiaries, should seek clarity from their relationship manager and monitor further announcements to assess the impact on their operations.

A Reuters news wire report on 7 August said that the Serious Investigating Unit (SIU) of the South African police (locally referred to as ‘the Hawks’) was seeking prosecution of German software maker SAP. Specifically, the SIU wants a special tribunal – which was set up by President Cyril Ramaphosa in 2019 to fast-track the recovery of funds lost to irregular spending and corruption – to order the company to repay a total of ZAR413 million (USD23.68 million) for two contracts signed in 2015 and 2016 with the Department of Water and Sanitation. SAP responded to Reuters’ request for comments that it ‘continues to cooperate with South African authorities/law enforcement and remains committed to the highest standards of business ethics’.

These reports deal a reputational blow to SAP: the company was one of many to have been implicated in a series of corruption allegations against former president Jacob Zuma and the Guptas – a wealthy business family. In 2018, the company admitted to paying USD9 million to intermediary companies controlled by the Guptas for contracts related to state-owned power utility Eskom and the public transport operator Transnet. The investigation also underscores the high risk of corruption prosecution in South Africa, following years of suspected embezzlement of public funds during the Zuma administration. As the struggling South African economy is facing another heavy blow due to the impact of the COVID-19 pandemic, which has also seen more than 20 corruption investigations being opened by the SIU since March, and public pressure is mounting on Ramaphosa to recover state assets from potentially corrupt deals, scrutiny is likely to continue to mount on companies that signed contracts with public entities over the past five to 10 years.

The US Treasury’s Office of Foreign Assets Control (OFAC) on 7 August imposed sanctions against Bi Sidi Souleymane (also known as Sidiki Abbas), the leader of the Retour, Réclamation et Réhabilitation (known as the 3R) non-state armed group of the Central African Republic. This is due to human rights abuses committed by the group, which is present in the western parts of the CAR. The move follows the UN Security Council’s decision on 5 August to target Souleymane with travel bans and asset freezes over the same abuses. The US sanctions prohibit any US national or commercial entity from conducting business with Abbas, while the UNSC sanctions impose similar impediments. While the sanctions are unlikely to significantly alter the 3R’s modus operandi and limit the likelihood of further human rights abuses, they are likely to increase compliance risks for organisations operating in the CAR as well as in neighbouring countries such as Cameroon and Chad. Companies with operations there should review their compliance processes, including for third party due diligence.