There were donuts and APTs involved, just not at the same time 😉
The events were well done, with excellent talks and my sincere appreciation to the volunteers who made it all happen and were super helpful. I was so happy, so honored to have been invited to speak at each of these villages virtually this year, and to have been involved in Defcon this year. I miss the live conference experience and especially Hacker Summer Camp ❤
This is to accompany my talk at Defcon 29 Adversary Village (ZOMG really thrilled to say that). It’s a work in progress. Chinese APTs are wonderfully, frustratingly complex entities. There’s a lot of overlap and sharing of tools, techniques and malware between groups. Of note was certificate abuse across the board. And several companies with a striking resemblance to SolarWinds offering trusted, high-level network management to major organizations and governments globally. It’s happened before, it will happen again.
So take this as a starting point. Rather than reinvent the wheel, check the links in the downloadable file, which point to ThaiCERT’s excellent threat actor site and, of course, the relevant pages from MITRE. I’ll revise and refresh this as I dig deeper. These attacks are only going up.
Spark a Journey! This is the week! Friday July 16 and Saturday July 17. This year’s event will be virtual again, building off success and lessons learned from last year.
As the website states, TDI is a diversity-driven conference committed to helping all underrepresented genders, sexualities, races and cultures in Information Security.
The theme for 2021 is “Spark A Journey” to celebrate that force, that spark within each of us that can lead to many ways we inspire and drive change. The beautiful stylized images of the paper cranes by the wonderful @1dark1 represent metamorphosis, a symbolic re-emergence after the many long months of pandemic confinement and isolation. It’s a hopeful, empowering message we all need just now.
This year’s event will have multiple speaker tracks, fully expanded villages and workshops and a women-led Capture the Flag event. Tickets are available and so affordable! Get yours here and come join us: https://hopin.com/events/2021-diana-initative
To be honest and cliché, today feels like the first day of the rest of my life. There are so many still in that dark place of despair and isolation, but this second dose represents a lifeline up and out, to brighter days and all the possibilities. Hang onto your hope.
I’m honoured to represent The Diana Initiative again this year at RSA! We’ll be hosting an interactive and engaging session on Career Paths as part of the “Birds of a Feather” series. What better way to give back and welcome in new talent and ideas! Our session will be on Wednesday May 19, starting at 10:05 PST / 1:05 EST just after the amazing opening talk by Caroline Wong. https://www.rsaconference.com/usa
I’m sorry for not posting these past two weeks. My tank is low and what I had was used for work and volunteering. Please take care of yourself and don’t feel bad if you need to scale back, because these times are hard on all of us. Your best is enough.
Geopolitics: Yesterday the US hit back hard at Russian cyberattacks and meddling. An exec order from the Oval Office delivers wide-ranging economic sanctions that hit right where it hurts, so that Russia won’t be able to raise the funds it needs the way it has been, plus adds in some diplomatic expulsions. And it prohibits US banks from buying ruble bonds. The EO impacts several tech firms including Positive Technologies. You can read the details here. Be prepared for fallout.
CISA issued this advisory on Thursday for a number of severe vulnerabilities in the OpENer EtherNet/IP stack that could put industrial systems at risk of RCE, DoS and data leaks. The warning extends to all OpENer commits and versions before February 10, 2021. To exploit, an attacker need only send crafted ENIP or CIP packets to a device. As we now know (because I keep telling you 😊) OT and industrial systems are different and need our attention.
In a year of supply chain compromise, here’s another. Codecov is an online platform used by over 29,000 enterprise organizations like Atlassian, GoDaddy, Procter & Gamble. Yeah. It helps measure source code execution during testing, because stats matter.
Looks like a threat actor may have found their way into the system back in January and tampered with the Bash Uploader script, the tool clients use to upload their coverage reports. The tainted version (omg, does this feel like SolarWinds?!) could allow access to and export of sensitive client info including credentials, tokens and keys, plus services, app code, etc. If you are using this service you need to get on this asap.
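The Bash Uploader incident is a reminder that a script fetched from a vendor and piped straight into bash runs with every secret in the CI environment. One defensive control is to verify the script’s hash against a value obtained out-of-band before it is ever executed. The snippet below is an added example, not Codecov’s code or anything from their documentation: it assumes the vendor publishes a SHA-256 for each uploader release and that the checksum is fetched separately from the script itself (the sample script and the tampering are constructed for the demo).

```shell
#!/bin/sh
# Added example (not Codecov's code): verify a downloaded uploader script
# against a checksum obtained out-of-band before handing it to bash.
# Assumption: the expected digest comes from a source independent of the
# download (vendor release notes, a pinned value in your repo), so a
# tampered script cannot also supply its own "correct" checksum.

sha256_of() {
    # Print the SHA-256 hex digest of the file given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_script() {
    # $1 = path to downloaded script, $2 = expected SHA-256 (hex).
    # Returns 0 on match, 1 on mismatch. Never executes the script.
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

run_verified() {
    # Only run the script if verification passed; otherwise the CI step fails
    # closed instead of leaking CI_* tokens and keys to an attacker-controlled host.
    verify_script "$1" "$2" && bash "$1"
}

# Constructed demo: a stand-in "uploader" script plus a tampered copy.
tmpdir=$(mktemp -d)
printf 'echo uploading-report\n' > "$tmpdir/uploader.sh"
GOOD_SUM=$(sha256_of "$tmpdir/uploader.sh")   # the "published" checksum
cp "$tmpdir/uploader.sh" "$tmpdir/tampered.sh"
printf 'echo tampered\n' >> "$tmpdir/tampered.sh"  # simulated injected line

# Typical CI usage (commented out so the demo does not execute anything):
# run_verified "$tmpdir/uploader.sh" "$GOOD_SUM"
```

In a real pipeline the expected digest should be pinned in the repository or fetched from a channel the attacker would have to compromise separately; a checksum downloaded from the same location as the script adds nothing. The same fail-closed pattern applies to any vendor-supplied CI helper, not just this one.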
Patch it NOW: Patch Tuesday walloped us with four exciting new RCE vulnerabilities for on-prem Exchange servers. Thankfully there are no known exploits, and cloud-hosted Exchange is not affected. But if you have on-premise Exchange, stop reading and get patching. Please.
Patch it Now: per Malwarebytes Labs, there are active exploits for two vulnerabilities, CVE-2021-21206 and CVE-2021-21220, affecting the Chrome browser but also Edge, Brave and Vivaldi. You can let Google update Chrome automagically, but better to make sure it actually does. Based on current malware trends, there are a hella lot more browser exploits happening.
Buyer Be Wary: per Threatpost, we know a lot of nasty stuff finds its way into the Google Play store and Google Sites. eSentire wrote a report detailing a hundred thousand malicious web pages loaded with malware, awaiting victims sent there via SEO tactics, all for the sake of an invoice template.
This drive-by-download compromise is increasing, because it works. And given the new way of working remotely, the potential for an individual compromise to become a corporate one is definitely a concern. Case in point: a victim in FI who sought a free version of a document and trusted their Google search results, which led to a Google Sites page that threat actors had taken over. Given these are cybercriminals at work, their dirty RATs are all about “show me the money”.