Daily Perk 2/2/21

We may not be sure if Wiarton Willie is right about spring, but we do know that the SonicWall 0-day reported recently is being actively exploited.

New Linux malware steals SSH credentials from supercomputers Bleeping Computer

Well, that doesn’t look good. And it isn’t. Backdoor malware, dubbed “Kobalos” by the ESET researchers who found it, has been targeting supercomputers in the academic and research sectors globally to steal the SSH credentials used for secure network connections. The malware is small but complex and highly obfuscated. Hmmm, I wonder who it could be? 🧐

Agent Tesla trojan knee-caps Microsoft’s anti-malware interface Threatpost

Agent Tesla malware is new and improved, with enhanced obfuscation and evasion capabilities. Extra-crunchy goodness here: it uses Tor and Telegram chat for data exfiltration. The updated trojan actually goes after the software used to protect our devices, the Windows Antimalware Scan Interface (AMSI), and overwrites it so that it won’t notice all the nasty downloads to come. It also has a much wider selection of targets for credential harvesting. I’d say Agent Tesla is definitely one to watch in 2021.

Daily Perk 2/1/21

This month is Black History Month, but every day is an opportunity to learn and appreciate how much Black lives matter.

Operation Nightscout: Supply chain attack targets online gaming in Asia ESET blog

There was increased targeting of the gaming industry over the past year, including major ransomware attacks, so it is not surprising to see supply chain attacks now. Expect to see more supply chain attacks going forward, and use this to prepare. NoxPlayer is an Android emulator used by gamers globally. ESET researchers found a supply chain compromise targeting its update mechanism, but only a select few gamers in the Asia-Pacific region were infected. So far three malware strains have been identified, including PoisonIvy RAT and Gh0st RAT.

GnuPG library can be pwned during decryption – patch now! Sophos

When bug-hunter extraordinaire Tavis Ormandy says he found something, you listen. Especially if it can lead to remote code execution. The bug is in the open source “libgcrypt” library, which is used for encryption. And a gentle reminder: encryption is not bad/wrong/evil – it makes things safer. GnuPG is used for security in a lot of Linux distributions. Per Tavis, simply decrypting some data could lead to a heap buffer overflow that could be easily exploited, with no verification or signature validation required to trigger it. Yes, go patch!

Daily Perk 1/29/21

Lazarus Affiliate ‘ZINC’ Blamed for Campaign Against Security Researcher (Threatpost)

We like to think that APTs and threat groups are distinct. But the lines are getting blurrier, and in some places have been for a while. Why not share the tools, toys and tactics when it just makes for better mayhem at less cost? Great findings and lessons shared by both teams at Google and Microsoft. Microsoft provides details on the use of the “Comebacker” malware and of Visual Studio projects. Key takeaways: security researchers are prime targets, and state-sponsored attackers invest the time and effort on selected targets to bypass all defences – even gut instinct.

Is the Web Supply Chain Next in Line for State-Sponsored Attacks? Dark Reading

In light of the above item, and ongoing SolarWinds discoveries – because we knew that was going to go much deeper than what was already apparent – supply chain attacks continue to evolve and evade. Given our rush to the cloud, and the pandemic-driven need for everything online, organizations are relying ever more on third parties and online resources. Supply chain weaknesses are now even bigger opportunities for attacks.

Look no further than the carefully crafted code injection by Magecart groups to position web skimmers where they went undetected and led to massive breaches and paydays. Imitation is the sincerest form of flattery and North Korean APTs have followed suit.

There are some solid suggestions in this piece on securing third-party code and on taking care with automated software updates. Understand your attack surface in terms of your potential supply chain weaknesses and third-party code exposures.

Daily Perk 1/28/21

Happy Data Privacy Day! How about some good news? 😊

Emotet Takedown! (For now)

Per this item in Hacker News, law enforcement agencies from 8 countries worked together to take down the infrastructure behind the Emotet cybercrime malware and botnet. Emotet evolved into lucrative and dangerous multi-purpose malware that loaded other malware. More good news: an Emotet “eraser” module is being rolled out by law enforcement to uninstall the malware by March 25, 2021. Here’s hoping 🤞

Netwalker Ransomware Takedown!

Per Bleeping Computer, the US DoJ confirmed a successful takedown of dark web sites and the arrest of a Canadian national involved. (I’m sorry 😞 )

Netwalker ransomware has been operating since 2019 and like many groups in 2020 moved into extortion, locking systems AND stealing data to release publicly if the ransom did not get paid. They made a lot of money – $25 million in just 5 months. They aren’t gone but this hit them where it hurts.

Daily Perk 1/27/21

SolarWinds update: 4 more security vendors say they were targets

Mimecast, Palo Alto, Qualys and Fidelis. As expected, given time to go through DNS logs and networks, more companies are getting added to the SolarWinds net. Of note: both Mimecast and Palo Alto reported recent incidents that now tie back to the SolarWinds attackers. I’ll review this more in my SolarWinds section.

Decade-old Sudo bug found in Linux

Make your Sudo jokes – after you patch. The bug is a critical heap-based buffer overflow giving any local user root, as in TOTAL, access on a vulnerable system. This will be widespread because Sudo exists by default in almost all Linux systems. Qualys, who found the bug, have developed a few exploits to demo it, including defeating the ASLR defence that is supposed to protect against these exploits.
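Before you can patch, you need to know which hosts are affected. This is an added example, not code from the post or from Qualys: it wraps the non-destructive status check Qualys published with the advisory (run `sudoedit -s /` as an ordinary user; a vulnerable sudo answers with a `sudoedit:` error, a patched one answers with its `usage:` line) and a version-range check against the affected releases named in that advisory. The sample outputs and the version strings are constructed for illustration, and the function names are my own.

```python
import re
import subprocess

# Constructed sample outputs (not captured from a real host) for the two
# outcomes of `sudoedit -s /` run by an unprivileged user.
VULNERABLE_OUTPUT = "sudoedit: /: not a regular file"
PATCHED_OUTPUT = ("usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] "
                  "[-h host] [-p prompt] [-T timeout] [-u user] file ...")

# Affected upstream ranges per the Qualys advisory: legacy 1.8.2 .. 1.8.31p2
# and stable 1.9.0 .. 1.9.5p1; 1.9.5p2 is the fixed release.
VULN_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]


def classify_sudoedit_output(output: str) -> str:
    """Map the first line of `sudoedit -s /` output to a status string.

    A vulnerable sudo accepts the -s flag in sudoedit mode and goes on to
    complain about the file; a patched sudo rejects the flag and prints usage.
    """
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def check_local_sudo() -> str:
    """Run the check on this host; returns 'unknown' if sudoedit is missing."""
    try:
        proc = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                              text=True, timeout=10, stdin=subprocess.DEVNULL)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_sudoedit_output(proc.stderr + proc.stdout)


def parse_sudo_version(version: str):
    """Turn '1.8.31p2' or '1.9.5' into a comparable (major, minor, patch, p) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_vulnerable_version(version: str) -> bool:
    """Version-range check. Caveat: distributions backport fixes without
    bumping the upstream version, so prefer the sudoedit check for a verdict."""
    v = parse_sudo_version(version)
    return any(lo <= v <= hi for lo, hi in VULN_RANGES)


if __name__ == "__main__":
    print("sudoedit check:", check_local_sudo())
    for ver in ("1.8.31", "1.9.5p1", "1.9.5p2"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "not in affected range")
```

The `sudoedit -s /` probe fails during argument handling, before any authentication, so it never prompts for a password and is safe to run from a fleet inventory script; the version check is only a first-pass filter because distro packages carry backported fixes under old version numbers.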

Apple patches 3 0-days exploited in the wild

Déjà vu. Remember back in November when this happened? Good news: there are patches, so update! These are a race condition leading to privilege escalation and a WebKit flaw leading to RCE. Oh joy! Think daisy-chaining flaws in targeted supply chain or cyber espionage attacks, because it’s 2021 and SolarWinds. Amirite?

Daily Perk 1/26/21

North Korea targets security researchers in elaborate 0-day campaign

Be careful who befriends you … These attackers are seeking out security researchers to engage with them on projects in a well-crafted social-engineering campaign. The objective is to gain the trust of the target, then infect their device with custom backdoor malware and access the corporate network. It’s been ongoing for a few months now, with full social media profiles and security blogs to fuel the deception. As we are taught from day 1 in security: trust but verify, and trust no one.

My SolarWinds Favourite Things

I know. Sorry not sorry 😆

RAINDROPS in servers and
TEARDROPS exploding
Cobalt Strike BEACON and
Malware unloading
SUNBURST-wrapped packages
With malicious strings
SolarWinds has all my favourite things!
Is it Russia?
Could be China?
There’s still more to learn
Now UNC2452 found their favourite things
SUNBURST really leaves a burn!

And this. Thanks to all involved who are researching, reporting, responding and securing. You’re doing an awesome job!

Supply Chain Attacks & 0-Days: Et tu, SonicWall?

“‘highly sophisticated threat actors’ targeted its internal systems by ‘exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products’.” per ZDNet

Ouch! That has got to hurt. SonicWall is in the business of making equipment for security purposes. But as we’ve seen with the massive SolarWinds supply chain attack, everyone is a target and anyone can be compromised. FireEye, Microsoft, Cisco and Malwarebytes, advanced defenders all, were very worthy targets of an as-yet unconfirmed, highly-resourced, highly capable adversary that took the time, did the recon and mapped their way right into the heart of their target, SolarWinds, to get to a whole lotta other targets. These included major government agencies for defense and justice, the corporations that secure them, and a plethora of others. What we don’t know is the endgame in this cyberespionage master heist. SonicWall is one more of the organizations that keep us safe and watch over our networks and data, making it a high-value target for a nation-state adversary to consider using in a hypothetical well-crafted, patiently executed supply chain attack.

Reports are that earlier this week the internal systems at SonicWall went down, and the attackers accessed source code on the corporate GitLab repository. In the past year we’ve seen increasing breaches involving source code found open and exposed in cloud-hosted Git repos, and attacks where databases or repos are accessed. There are past examples of supply chain attacks where tampered data and automated downloads – trusted because they came from trusted partners – led to very bad outcomes, NotPetya being top of mind. Breaches come with a lot of costs and consequences. And with everyone moving to the cloud, attackers are storing their malware up there too, for less detection and easy availability.

SonicWall has been quick to respond, as there are 0 patches for the 0-days at this time, issuing an Urgent Advisory today with mitigations you should definitely take for these products:

  • NetExtender VPN client version 10.x, connecting to SMA 100 series appliances and firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA physical appliances 200, 210, 400, 410 and the SMAv virtual appliance.

Want to read more? These are the articles I used:

Daily Perk 1/22/21

Windows RDP servers being used to amplify DDOS attacks

There were warnings last year to expect the trend in size of DDoS attacks to continue in 2021. Per Catalin Cimpanu in ZDNet:

“Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to bounce and amplify junk traffic as part of DDoS attacks, security firm Nui said in an alert on Tuesday.”
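What this looks like from the reflector’s side, as an added detection example that is not part of the post or the ZDNet article: the abused service is RDP’s UDP transport, so an exposed server sees a flood of tiny UDP/3389 requests from many “source” addresses (the spoofed victims) and answers each with a far larger reply. The script below runs that heuristic over flow records. The port and transport are assumptions drawn from the public alert (the post does not name them), the CSV flow format and the addresses are constructed for the example, and the thresholds and function names are mine.

```python
import csv
import io
from collections import defaultdict

RDP_PORT = 3389  # RDP; the UDP transport is the one that gets reflected (assumption)

# Constructed flow records (not real captures). One row per unidirectional flow.
# 203.0.113.10 is being used as a reflector; 203.0.113.20 carries normal sessions.
SAMPLE_FLOWS = """\
proto,src,sport,dst,dport,bytes,packets
udp,198.51.100.7,40001,203.0.113.10,3389,60,1
udp,203.0.113.10,3389,198.51.100.7,40001,5160,4
udp,198.51.100.8,40002,203.0.113.10,3389,60,1
udp,203.0.113.10,3389,198.51.100.8,40002,5160,4
udp,198.51.100.9,40003,203.0.113.10,3389,60,1
udp,203.0.113.10,3389,198.51.100.9,40003,5160,4
udp,198.51.100.10,40004,203.0.113.10,3389,60,1
udp,203.0.113.10,3389,198.51.100.10,40004,5160,4
udp,198.51.100.11,40005,203.0.113.10,3389,60,1
udp,203.0.113.10,3389,198.51.100.11,40005,5160,4
udp,192.0.2.50,51000,203.0.113.20,3389,30000,200
udp,203.0.113.20,3389,192.0.2.50,51000,450000,800
tcp,192.0.2.51,52000,203.0.113.20,3389,8000,60
tcp,203.0.113.20,3389,192.0.2.51,52000,120000,300
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports, bytes and packets."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"proto": r["proto"].lower(), "src": r["src"], "dst": r["dst"],
                     "sport": int(r["sport"]), "dport": int(r["dport"]),
                     "bytes": int(r["bytes"]), "packets": int(r["packets"])})
    return rows


def rdp_udp_stats(flows):
    """Per local host: bytes/packets received on UDP/3389, bytes sent from it,
    and the set of distinct peers that sent requests."""
    stats = defaultdict(lambda: {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "peers": set()})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == RDP_PORT:            # request towards our RDP host
            s = stats[f["dst"]]
            s["in_bytes"] += f["bytes"]
            s["in_pkts"] += f["packets"]
            s["peers"].add(f["src"])
        elif f["sport"] == RDP_PORT:          # reply from our RDP host
            stats[f["src"]]["out_bytes"] += f["bytes"]
    return stats


def find_reflectors(text, min_peers=5, min_ratio=10.0, max_request_bytes=100):
    """Flag hosts whose UDP/3389 traffic looks like reflection: many distinct
    peers, tiny requests, and replies much larger than the requests.
    A real session from one client has large, bidirectional packets and fails
    the peer-count and request-size tests even though its byte ratio is high."""
    findings = {}
    for host, s in rdp_udp_stats(parse_flows(text)).items():
        if s["in_bytes"] == 0 or s["in_pkts"] == 0:
            continue
        ratio = s["out_bytes"] / s["in_bytes"]
        avg_request = s["in_bytes"] / s["in_pkts"]
        if len(s["peers"]) >= min_peers and ratio >= min_ratio and avg_request <= max_request_bytes:
            findings[host] = {"peers": len(s["peers"]), "amplification": round(ratio, 1),
                              "avg_request_bytes": round(avg_request, 1)}
    return findings


if __name__ == "__main__":
    for host, info in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: likely RDP/UDP reflector {info}")
```

Feed it real flow exports and the same three signals apply; the fix once a host is flagged is the one the advisories recommend: don’t expose UDP/3389 to the internet, either by filtering it at the edge or by disabling RDP’s UDP transport and putting the server behind a VPN or gateway.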

Researchers say SQL server malware tied to Iranian Software Firm

MrbMiner was discovered last year, in September 2020, uninvited on thousands of SQL servers. While researchers don’t know quite how it got on there, they are looking at a couple of recent botnets, Lemon_Duck and MyKings, which represent the new generation of botnet attacks that go after internet-facing, unpatched vulnerabilities. Of note in the MrbMiner attacks is that the operators don’t conceal their identity. Given the slew of sanctions Iran is under, it’s safe to say they no longer give a f*ck. They’ll take the money and run. Not unlike another heavily sanctioned nation state we know 😉

SANS Cyber Threat Intelligence Summit

Consider it a pandemic silver lining. I’ve always wanted to attend a SANS summit. But living in Canada, time and money have been big factors and limited resources. That changed today when I got to follow along online, from the safety of my locked-down domicile, albeit during work. It was amazing, truly amazing. Everything I’ve heard about can’t-miss talks, excellent presenters, BIG takeaways – all true.

And guess what? There’s a whole second day of the same tomorrow! And I won’t miss the opening like I did today (work). I’ll catch up on the recorded stuff I did miss. And tomorrow, three Mandiant presenters will be talking SolarWinds and supply chain attacks. I remember that Sunday when news was breaking about SolarWinds, and staying up half the night tracking it on Twitter and blogs so I’d be ready for Monday. There’s a lot of sophistication and customization in the SolarWinds attack, from the tactics and techniques the attackers used to remain undetected and protect their best malware, to the creation of specialized malware. I’ll be pressing my Do Not Disturb settings for that – and I definitely consider this relevant to work.

Today I sat in on a great workshop about setting up a cyber threat intel program for a client, “Threat Intelligence the ‘EASY’ Way” by Chris Cochran, which ran through the thinking process involved. What kinds of questions do you need to ask to get the right information from your stakeholders? How do you make sure you give them intel that’s relevant to them and actionable? How do you build in feedback to ensure your process continues to be effective and adapts with their needs? It’s important to make sure you understand the fundamentals. You don’t do threat intel for the sake of doing threat intel – it’s meant to meet the organization’s needs: information they can put to work to improve existing security controls and processes, or visibility into their network; info that tells them how well what they’re doing is actually working, like how many “phish” get through, or whether they can see where their data is going. Understanding the importance of aligning risks and results with metrics for measurement matters, because that’s what the C-suite needs to see. It helped me realize that while I work on the strategic side, which I love so much, I need to get more experience on the operational side. Segmentation is for networks, not for effective intel gathering and collaboration.

To wrap up a day of fun and learning, there was a terrific panel discussion at the end with the hosts, Katie Nickels, Rick Holland, Rebekah Brown and Robert M. Lee, and the day’s speakers. They shared great insights and recommendations on resources, how to get started, and the challenge of helping people understand the value of CTI. Best of all, they shared laughter and a real sense of camaraderie. I now have Slack channels full of new resources to explore, and feel connected to the world again in a way that’s been missing for too many months. ’Til tomorrow!