Amateur Security Archaeologists, trying not to break things.

Author: Mike (Page 1 of 11)

What’s causing Mike’s Indigestion now? Stormy Nights (12 April 2024)

Hey folks! After a busy week, I am finally sitting down to see what is new in the world of threat actors and trends. We’re barrelling into Friday with a lot of attention on probably THE key software vendor in the world (Microsoft), and more attention on Volt Typhoon. Yet even hardware vulnerabilities are a thing, and it just goes to show how our supply chain is riddled with dependencies. And those dependencies open doors to vulnerabilities. So let’s check in and see some of the more interesting threads!

Microsoft Email breach becomes more concerning by the day

As we’ve discussed in multiple prior updates, Microsoft has had a very difficult time with a breach of its ubiquitous Exchange Online email service by multiple threat actors, most notably Midnight Blizzard and Storm-0558. Well, it seems that the former’s efforts detected in January have been riling CISA and the US Government. CISA’s Emergency Directive is a pretty bad sign that this impacted serious government business.

It seems that emails between Microsoft and their customer (the Federal Civilian Executive Branch) were snooped on, and included authentication details. Whoops! ED-24-2 directs all agencies to take action, review emails, reset credentials, and more.

  • Want to read more? HPE looks like they were hit before MS, which goes to show how prolific this APT is.
  • Want to get nerdy? Wiz.io has a very interesting write-up on the “how” of the breach, based on publicly available information.

Chinese persistence in Critical Infrastructure

CISA created a High Risk Communities center on their website, and it is full of awesome guidance and resources. Maybe you’re tempted to ignore that – maybe that is out of scope? Adversaries certainly aren’t passing up opportunities to cross-train and reuse techniques, and neither should you!

Chinese threat actors in particular have been honing their skills on western infrastructure for some time. In that spirit, CISA has released a fact sheet to help decision makers prepare for PRC-backed threats like Volt Typhoon. What is inside? Advice we should all heed: patch your stuff, harden OSes, monitor for LOLBins, train continuously, and update/rehearse IR and DR plans. This is all good advice we keep getting, but maybe your organization needs a name for the fear – well here you go! Volt Typhoon it is!

Diversity of skills and operations is a Chinese hallmark. Look at recent research by folks like Trend Micro, who have done a lot of work on malware families they call Earth Lusca and Earth Krahang, leveraged by an APT known as TAG-22. These threat actors are perfecting their skills in leveraging cross-organizational trust to pivot between victim organizations. Right now, the research is focused on operations in Southeast Asia. It is probably an objective to start replicating this in western governments and infrastructure soon, if they are not already.

This week in AI

I think we’re seeing so much AI painted on pretty much everything these days that it can desensitize us to a great use case. Toothbrushes with AI? Seriously? But I think we can all see some positive uses in helping get through more tedious tasks. One of the things that slows a lot of organizations down in cybersecurity is the collection and processing of intel. This write-up by Thomas Roccia offers a slick look at how LLMs might really help. And another wonderful person to follow, Roberto Rodriguez from Microsoft, has done some awesome open experimentation with GenAI and Jupyter Notebooks. I think it is worth following along and potentially trying myself!

Things I am keeping an eye on

  • Software supply chains are rightfully a big focus, but don’t sleep on the hardware! Binarly released a research paper showing how server firmware for Intel, Lenovo, and Supermicro included vulns that bypass security controls. Patch it, you say? The Intel and Lenovo hardware in question is no longer supported – so it is eternally vulnerable.
  • DPRK threat actors have been actively using two new sub-techniques from the upcoming MITRE ATT&CK matrix. I think we all love innovation, but not by the bad guys.
  • Even security companies get hit once in a while. Lastpass admitted an employee fell victim to a voice phishing attack that used a deepfake of their CEO.
  • Apple warned a LOT of people from over 150 countries that mercenary spyware from folks like NSO Group is targeting them. If you are an NSO Group customer, we are not friends.
  • This research on alternate app-level protocols for carrying out DDoS attacks has my head spinning. Very insightful, and very concerning!
  • A bipartisan effort in Congress sees a serious attempt at tackling online privacy! This is a huge effort – the current state is rife with fractures, inconsistencies, and a lack of cohesion. Who knew Congress had it in them???

Good Reads

  • The folks at Active Countermeasures (who also count Black Hills Information Security and Antisiphon as sister companies) run an awesome blog chock-full of info, and this blog on tunneling C2 beacons by Fann Rossouw is very informative. They also have a slick place to see their upcoming training here.
  • Last week we touched a lot on the XZ supply chain open source attack, and this timeline looks like the outline for a multi-part mini-series. I think that Nick Offerman might make a good protagonist. Maybe vs. Amy Poehler? Parxz & Wreck folks! (it is late).

I hope that this week’s summary of things I found interesting is helpful. As always, please have a good and safe weekend and feel free to reach out and chat!

What’s causing Mike’s Indigestion now? Supply Chain Heist (5 April 2024)

Happy weekend, folks! Loads of cool stuff going on in the day job, but lots of chatter focused on two areas on opposite sides of the software ecosystem. The resourcefulness of adversaries never ceases to amaze me. Both stories offer a lot of intricate technical details, but the big takeaway is that we’re in serious trouble unless we tackle best practices and hygiene, and find support for the massive base of open source projects. So let’s get going!

Open Source projects need our help

Since the beginning of the Internet Age, applications and operating systems have been dependent on open source. Despite the riches raked in by for-profit companies for their software, all of them stand on the shoulders of open source software libraries and packages. I think we all get it – using open source accelerates innovation. Why reinvent the wheel, right? But it is high time that we all consider how we support those open source projects. The maintainers of those efforts are usually coding these as a passion project or hobby. And they are all overwhelmed and outmatched. Need proof? Heartbleed, Log4j, Java and NPM vulnerabilities, Shellshock, and multiple Apache Struts CVEs can jog your memory.

Last week an attentive Microsoft engineer, Andres Freund, luckily stumbled on a performance issue and traced it back to a hijacked open source compression library used in most modern Linux flavors, known as XZ Utils. An adversary made a 2+ year effort to gain trust as a contributor and eventually gain commit-level privileges. They then disabled testing of their contributions and slowly nudged the code base to support their efforts to embed a malicious backdoor into the package. This interferes with authentication in SSH and injects code to open up a backdoor. Holy cow!

Lucky for us, Andres caught it – before the code could be promoted to released versions of Linux. But we have a big problem. Expecting these projects to operate with no funding, one to a few contributors, and zero support in testing and validation is supply chain suicide. It is time for the many prosperous companies that benefit from these heroic efforts to give back and assist in securing these projects for the greater good.

  • Want to learn more? Kevin Beaumont does a great job talking about this entire caper holistically.
  • Want to get nerdy? The SANS ISC does a splendid job of explaining the technical how of this backdoor here.

Microsoft struggles to use their own tools securely

Lest we think that Open Source cannot be relied on and that professionals and closed source are the safest bet, Microsoft shows that no one is infallible. If you recall, APT Storm-0558 compromised Microsoft’s Exchange Online email service through information from a developer’s laptop and a stolen Azure signing key. Despite it happening 10 months ago, Microsoft still cannot publicly explain what happened, and CISA and the US Department of Homeland Security called them out for their handling of the matter. Don’t confuse this with the breach of their own senior leadership team’s email accounts, which it appears they are still struggling with months later – talk about persistence!

  • Want to learn more? Bleeping Computer’s synopsis boils it down for us. Ars Technica goes into more details about how the breach was made.
  • Want to get nerdy? You can read Microsoft’s own analysis of the situation here.

This week in AI

Seeing the confluence of massive AI adoption and the emergence of so many open-ended concerns, what is obvious is that we’ve already lost control of AI’s propagation. Talking to my good friend Mark Stephens, he clued me in on a book by Nick Bostrom called “Superintelligence: Paths, Dangers, Strategies”. Amongst other things, Bostrom discusses how an AI – given the simple goal of making the best paper clip – would make decisions that eventually threaten human life. Needless to say, that book is on order!

Things I am keeping an eye on

Good Reads

  • Nothing too new – I am about 1/4th of the way into Children of Ash and Elm (the Viking history book). It’s amazing how misunderstood they are. The many languages and transitions of knowledge between groups and regions contributed to that confusion. Seems like history certainly rhymes!
  • I am also reading the latest SANS Threat Hunting Survey results, and as explained in David Bianco’s video highlights, it is concerning that more than a third of customers Threat Hunt without a formal process, and the same percentage find that it impairs security, rather than improves it!

I hope that this update unravels a little of the many mysteries we are all being impacted by in cyberspace. If you have any feedback please send it along!

Persistence: How Uninvited Attackers Avoid Being Bounced from the Party

Hello folks – welcome to Part 5 of the series on MITRE ATT&CK Tactics! Today we’re talking about how adversaries maintain a foothold. Like any invading force, threat actors work hard to ensure that they get initial access, and they would rather not have to repeat that effort. Traditional aggressors most often resort to maintaining pressure on the front once their initial attack lands. This has the effect of exhausting the defenders and ensuring they are unable to reset or respond effectively. Some attackers will leverage asymmetrical warfare elements like guerrilla forces, local resistance forces, or agents to undermine defenses and guarantee access. Cyber adversaries need the same sort of effects, and that guaranteed access is arguably their highest priority. So let’s discuss the MITRE ATT&CK Persistence tactic and see why it is vital and how they might achieve it!

What’s causing Mike’s Indigestion now? Real Stones on that one! (29 Mar 2024)

Wow, I am so sorry folks! It has been 3 weeks between updates – as I mentioned on LinkedIn, things have been busy on the travel front! In that crazy time, a lot of interesting things have happened that are worth a good look! Much of the biggest news this week in the world of threats is on another one of our state-sponsored threat actors, APT31, so let’s see what the buzz is about.

Execution: Ruthless attackers run malicious code on your systems

Welcome to Part 4 of our series on MITRE’s ATT&CK Tactics! At this point in the attack, adversaries have pulled the trigger on an attack and defenders have had their first fair shot at detecting the transgression. Like a fortress’s defenders seeing the build-out of siege weapons and the digging of trenches, defenders now know from where a part of the attack is coming. For the attacker, they are relying on their preparation, coordination, and focus to overcome defensive efforts. For the defender, they are likely depending on the training and processes – and their garrison’s trust and cohesion – to disrupt and repel. How able are the attackers to carry out their plan, to sap the fortifications, to breach the walls? This is the MITRE ATT&CK Execution Tactic, and it is the phase from which all later phases branch.
