Good morning folks! I have some updates on the threat side of things that I think are interesting and might help in conversations with your friends and colleagues.

Cisco Talos has updated their blog on the IOS-XE implant that caused a ruckus a couple of weeks ago. They now know it is still progressing, and the Lua-based implant is called BadCandy and already at version 3.0. Some of us would kill for that sort of release cycle! As before, fixed code is available for all impacted devices, but if you are struggling to make the upgrade happen, new curl commands are available to check for compromise.

Who am I to tell a bear that being called “Sandworm” is a little odd? C’mon, at least I didn’t call you your Microsoft APT name…

Your data should be segmented, not your blame.

Some companies’ purpose in being is to act as an example to others. Spearphishing, Smishing, Vishing – what it all comes down to is adversaries slipping past technical controls to take advantage of stressed out, overworked, distracted humans to obtain information they shouldn’t have. Companies blaming it on those end-users is a smokescreen; they should provide the right controls, separation, and processes. Again, we’re talking Okta. Their recent report looks a lot like the type of breach that hit Cisco in May 2022. The difference? Once adversaries got hold of corporate secrets while phishing a personal Google account, they hit pay dirt – no segmentation to prevent the compromise of sensitive information. So yes – the user shouldn’t click. But the employer should 1) limit personal and corporate use of the same asset, 2) segment data and monitor it more actively, and 3) not allow users to have service accounts in the first place.

  • Want to know more? Arstechnica‘s team has had enough.
  • Want to get nerdy? Bleeping computer distills Okta’s reports on this.

Who says you can’t teach old dogs bears new tricks?

This one is more of a throwback to my first Cisco Live Session on MITRE ATT&CK, but Sandworm (Voodoo Bear, IRIDIUM, or Iron Viking) is playing some new games. Known for their DarkEnergy exploits on Ukraine’s power grid way back in 2014, they are now tackling Ukrainian telecommunications companies. They look for open RDP and SSH services, and run some popular open-source brute force and fuzzing tools to try combos for typical exposed vulnerabilities. They hide their Command & Control (C2) using open tools, like socks5 proxies and tunnels. Once done, they wipe logs to leave no forensic traces. Yes, the target here is Ukraine, but we can expect the RU-sponsored threat actors are just sharpening their tools against a well-trained foe. These TTPs will certainly show up in attacks in your neck of the woods soon.

  • Want to read more?
  • Need to know more about Sandworm?
  • Want to get nerdy? See ATT&CK for their bag of tricks and Joe Slowik’s Dragos’ report for a newer playbook.
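Two of the Sandworm behaviours above – password brute forcing against exposed SSH and wiping logs afterwards – are cheap to spot if you are actually watching your auth logs. Below is an added, defender-side example (my own illustration, not something from the newsletter links, Talos or Dragos) that runs over constructed syslog-style lines from a hypothetical host “telco-gw1”: it flags a burst of failed SSH logins from one source, a success from that same source, and a sudo command that truncates a file under /var/log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (syslog/sshd/sudo format); host and IPs are made up.
SAMPLE_LOG = """\
Nov  3 02:14:01 telco-gw1 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Nov  3 02:14:02 telco-gw1 sshd[813]: Failed password for root from 203.0.113.9 port 40130 ssh2
Nov  3 02:14:03 telco-gw1 sshd[814]: Failed password for root from 203.0.113.9 port 40141 ssh2
Nov  3 02:14:05 telco-gw1 sshd[815]: Failed password for invalid user oracle from 203.0.113.9 port 40150 ssh2
Nov  3 02:14:06 telco-gw1 sshd[816]: Failed password for backup from 203.0.113.9 port 40166 ssh2
Nov  3 02:14:09 telco-gw1 sshd[819]: Accepted password for backup from 203.0.113.9 port 40188 ssh2
Nov  3 02:20:00 telco-gw1 sshd[830]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov  3 02:31:44 telco-gw1 sudo:   backup : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?):\s+(.*)$")
FAIL_RE = re.compile(r"Failed password for .* from (\S+) port")
OK_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
WIPE_RE = re.compile(r"COMMAND=(\S*/)?(truncate|shred|rm)\b.*/var/log/")  # log tampering via sudo

def analyze(log_text, window_s=60, threshold=5):
    """Return (alert_kind, subject, detail) tuples for the behaviours described above."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        prog, msg = m.group(2).split("[")[0], m.group(3)
        if prog == "sshd":
            f = FAIL_RE.search(msg)
            if f:
                ip = f.group(1)
                q = recent[ip]
                q.append(ts)
                # sliding window: keep only failures from the last window_s seconds
                while (ts - q[0]).total_seconds() > window_s:
                    q.popleft()
                if len(q) >= threshold and ip not in flagged:
                    flagged.add(ip)
                    alerts.append(("bruteforce", ip, f"{len(q)} failures in {window_s}s"))
                continue
            a = OK_RE.search(msg)
            if a and a.group(2) in flagged:
                alerts.append(("success_after_bruteforce", a.group(2), f"user {a.group(1)}"))
        elif prog == "sudo" and WIPE_RE.search(msg):
            user = msg.split(" : ")[0].strip()
            alerts.append(("log_wipe", user, msg.split("COMMAND=")[1]))
    return alerts
```

The single failure from 198.51.100.7 stays below the threshold, so it produces no alert; only the burst, the follow-on success and the truncate command are reported.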

Emerging Tech Headaches:

AI is the most impactful “dual use” technology to become part of every dinner conversation in a long time. One of the concerns with its use is the potential to poison its outcomes and negatively influence its logic. The implications are many, but adversaries could taint the outputs of an LLM or even cause malicious actions. Even built-in protections LLM projects put in place could be undone, allowing AI to instruct others how to do harm. This speaks to why companies might wish to both limit the use of public or uncontrolled LLMs and to roll their own special-use LLM for embedding within tools, so that they can put in mitigations and limit the attack surface:

  • Want to read more? Learn about prompt injection here.
  • Want to get nerdy? Here is an academic paper on AI attacks. The company WithSecure did a writeup on how one of these techniques might work.

Things I am keeping an eye on myself?

  • 4 dozen countries are pledging to not pay ransoms anymore. Keep in mind, this does not bind the companies in those countries. Would doing this at scale demonetize ransomware and force a change? I am not sure.
  • Good guidance here – rotate your passwords smartly after a breach. Don’t just shotgun it. This article from BHIS is awesome at helping you determine how.
  • Sometimes luck still wins! That being said, this $2.4M recovery of a BEC-related wire fraud isn’t a guaranteed outcome. Hope is not a suitable strategy.
  • Let’s discuss software supply chain security. A major threat is upstream code repos being compromised and folded in via CI/CD pipelines. GitHub has a great start to helping folks see those compromises here.
  • Rapid7 helped uncover a new set of attacks using HelloKitty exploit kits against folks running Apache’s ActiveMQ broker. If you or your customers have a multi-platform application (like MQTT!!!), they likely use a broker like this one.

I hope you all have a great weekend – please feel free to reach out if you need to shoot the breeze about any of the above!