I’ve been reading some more about Google Project Zero’s “In-the-Wild Series”. Yesterday there was a great article in ZDNet by Catalin Cimpanu about their recent findings, which involved a sophisticated hacking scheme that daisy-chained vulnerabilities – including 0days – together (yes, think Stuxnet) from Chrome, Windows and Android to target both Windows and Android devices. The operation involved two exploit servers, two sets of these vulnerability chains, and watering hole attacks. Very, very clever work that is modular, flexible, efficient and designed to escape sandboxes. When you’re dealing with a highly resourced and skilled adversary, typically backed by a nation-state, you’re looking at something like this. While you probably won’t see this coming – just ask anyone caught up in the SolarWinds attack – you can apply the lessons we’ve been learning over cumulative attacks to look past the standard checklist, and what you expect to find, and go hunt for recent changes in registry keys, files renamed, and processes diverted.
Huge kudos and appreciation to the team hard at work discovering things that go bump in the night including Maddie Stone, Mark Brand, Sergei Glazunov, and @j00ru.
This past week, we lost a valued member of our community. Yonathan Klijnsma was a brilliant threat researcher, and headed up that department at Risk IQ. Cancer stole his future and robbed us all. I am sorry that I did not meet him or get to tell him how much I appreciated the work he did, and how much I have learned from him over these past few years. So in tribute, let me share that here.
Yonathan is one of the researchers I started following in my early days because of how perceptive he was, and I learned so much from the details in the information he shared. He has contributed greatly to our field, presented at numerous information security conferences including DEF CON and Virus Bulletin, and provided information to various media and news sources such as Wired and CBS. A bio from One Conference 2019 described his work to “focus around threat intelligence in the form of profiling, analyzing and taking apart the means by which digital crime groups work.”
I benefitted most from Yonathan’s work on Magecart, which was insightful, detailed and definitive. When British Airlines UK was breached by Magecart in June 2018, he documented the actual extent of a rapidly progressing trend in cybercrime that targeted coding weaknesses in e-commerce sites.
“While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster,” said Klijnsma. “We believe it’s cause for far greater concern — Magecart is bigger than any other credit card breach to date and isn’t stopping any day soon.”
Because of how well he explained things, I was able to succinctly summarize and share the nature of this threat with a varied audience where I work, and consequently developed a fascination with the groups and their tactics. Web-skimming has evolved considerably in just a few years, feeding off our increasingly online society and further fueled by the current pandemic lockdowns. Last June Magecart-style tactics were observed in use by the North Korean advanced persistent threat group “Hidden Cobra” to fill nation-state coffers.
Here is a link to Yonathan’s presentation “Inside Magecart: The History Behind the Covert Card-Skimming Assault on E-Commerce” at the Virus Bulletin 2019 conference in London.
My favourite 3 letter word: APT for advanced persistent threat. These are some powerful accounts of just how far state-sponsored attackers can go. Cyber espionage opens the networks to prolonged intrusion, strategic curation over months without detection, to then craft the most effective operations. We’re finding the footprints in the butter they wanted us to find, years later. Which means where else have they been and what else have they done? Fascinating stuff we need to learn from and apply.
I have done a lot of research on ransomware. What you need to know, BLUF, is that targeted attacks have greatly increased this year, and the bad guys are not just locking up your systems, they are taking your data before they go. And then they are sharing their ill-gotten goodies on “name and shame” sites to ensure you pay them. Because it’s the extortion, not just the encryption, that gets the ransom paid these days.
There are at least a dozen operators making money this way, with Maze and their newly formed cartel at the top of the list. Sodinokibi and RagnarLocker have been recently active too.
You want to understand how the attack chain works because ransomware is getting delivered in multi-stage attacks, with initial infections coming via phishing or exploitation of exposed Remote Desktop Protocol (RDP). You want to be monitoring for TrickBot and Emotet especially. As for mitigations, have multiple backups and ideally one off the network. Test them. Keep them clean. The attackers are looking for and deleting any online backups or shadow volumes they find.
Here’s the thing: once the ransomware is launched, it’s pretty much game over. You need to be hunting for these guys in your network while they are doing recon and mapping your systems, looking for what is valuable and what to shut down. Catch them when they are going low and slow, co-opting legitimate Windows processes for their own use and evading detection.
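One place to catch them before the encryption step is the moment they go after your recovery options. The detector below is an added example, not code from the original post or from any vendor: it runs over a handful of constructed, simplified process-creation log lines (timestamp, host, user, image path, command line, roughly what Sysmon Event ID 1 or Security event 4688 gives you) and flags the well-documented backup-tampering commands (shadow copy deletion, recovery disabled, backup catalog removal; MITRE ATT&CK T1490). The log format, the host and user names and the rule list are all assumptions made for the example.

```python
"""Detect shadow-copy / backup tampering in Windows process-creation logs.

Added example, not from the original post. Assumes simplified, constructed
log lines: "<timestamp> <host> <user> <image> <command line>". The command
patterns are widely documented recovery-inhibiting indicators (ATT&CK T1490),
not a list taken from the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: one legitimate backup-job query, three tampering
# commands from a different account, and an unrelated benign process.
SAMPLE_LOG = """\
2020-11-03T02:14:07Z FS01 CORP\\backupsvc C:\\Windows\\System32\\vssadmin.exe vssadmin list shadows
2020-11-03T02:15:12Z FS01 CORP\\jdoe C:\\Windows\\System32\\vssadmin.exe vssadmin delete shadows /all /quiet
2020-11-03T02:15:13Z FS01 CORP\\jdoe C:\\Windows\\System32\\wbem\\WMIC.exe wmic shadowcopy delete
2020-11-03T02:15:15Z FS01 CORP\\jdoe C:\\Windows\\System32\\bcdedit.exe bcdedit /set {default} recoveryenabled No
2020-11-03T02:16:00Z WS22 CORP\\asmith C:\\Windows\\explorer.exe explorer.exe
"""

# (rule name, case-insensitive regex over the command line)
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, host, user, image, cmdline = parts
    return {"timestamp": ts, "host": host, "user": user, "image": image, "command_line": cmdline}


def detect(log_text):
    """Return one Alert per log line whose command line matches a rule."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["command_line"]):
                alerts.append(Alert(rec["timestamp"], rec["host"], rec["user"], name, rec["command_line"]))
                break  # one alert per line is enough
    return alerts


def escalate(alerts, min_rules=2):
    """Group alerts by (host, user) and return those with >= min_rules distinct rules.

    A single 'vssadmin delete shadows' can be an admin cleaning up disk space;
    several different recovery-inhibiting commands from one account in one
    window is the pattern worth paging someone for. Returns sorted
    (host, user, distinct_rule_count) tuples.
    """
    seen = {}
    for a in alerts:
        seen.setdefault((a.host, a.user), set()).add(a.rule)
    return sorted((h, u, len(r)) for (h, u), r in seen.items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
    for host, user, n in escalate(found):
        print(f"ESCALATE: {user} on {host} ran {n} distinct recovery-inhibiting commands")
```

The benign `vssadmin list shadows` from the backup service account produces no alert, while the three tampering commands from one user on one host are grouped into a single escalation. In a real pipeline the same logic sits on top of your Sysmon or EDR process-creation feed rather than a string constant, and the thresholds are tuned against your own admin activity.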
That said, I’ll share this piece by my friends at TripWire so you can get a more detailed sense of the current ransomware landscape:
If you work for a major corporation chances are you use Citrix, especially for remote access.
So when these kinds of systems get major vulnerabilities, the attackers are waiting in the wings to pounce on and exploit them.
Yesterday multiple vulns were disclosed affecting the Citrix Application Delivery Controller, or ADC, often known as NetScaler ADC, and Citrix Gateway. These could allow code injection by an unauthorized remote attacker, denial of service and information access. Nope, not a good day at the office when that happens.
Here’s a link for more details but the twitters are all abuzz. And I’d be a little concerned since Citrix had similar ugly bugs earlier this year. Do not be waiting for patch cycles – fix this sh*t now.
I am proud of my graduate. Grateful to the teachers who guided their students through unprecedented times. The celebrations may be small but the accomplishment is mighty. Covid does not get to take that too.
It’s some day, in a week, in some month after RSA. Without snow. 2020 has been brutal and relentless and it cannot end soon enough. Grateful as I am to live in a land with healthcare, government support and a closed border, the people I love and miss are on the other side of that border which massively sucks.
This year Defcon actually has been cancelled. It’s not funny when it’s for real. For many of us the annual pilgrimage to Vegas is like a massive family reunion. These have been long, hard and lonely months, even for a community of introverts.
Please follow the recommendations: stay 6 feet apart, wash your hands often, avoid big gatherings and wear a mask. We have all lost too much to go through this again.
I am going to share my space here with a host of wonderful and inspiring voices. This has needed to happen for a long time and I am so excited to see it in action and be able to support however I can.
Hell yes! For any talk I get to give I would hand that mic over with warmth and encouragement to a Person of Colour so that we all would get the benefit of truly diversifying this community, and broadening our thinking. This is how we grow together.
Understanding how systemic racism influences cybersecurity is integral to protecting the American people, deterring U.S. adversaries, and defending American businesses as the United States seeks to return to its position of international leadership.
— Read on www.cfr.org/blog/systemic-racism-cybersecurity-threat
Because there is more we can do. And we need to do more.