Good morning folks! I have a lot of updates on the threat side of things, some talk of elections & AI, and more that we all should be aware of:

Cisco’s Talos just released an awesome 2023 Year In Review that breaks down the trends and malware strains that kept them up late at night and changed the threat landscape. Of note?

  • Ransomware threat actors are now starting to move to straight extortion (steal the data, skip the encryption) rather than encrypting victims.
  • Lots of established (not 0-day) malware strains are evolving to evade new defenses.
  • Network infrastructure as a target is all the rage.
  • Activity trends mirror geopolitical events.
  • Talos includes a top 10 list of CVEs, top 20 ATT&CK techniques, and top brands being spoofed that they have seen in use.

Get Out (of) the Vote!

As we start gearing up for another heavily muddied election cycle in the US, increasing activity from nation-states shows they’re looking to cash in or help tilt the scales. What makes this even trickier than the last cycle is the explosion of AI as a major factor. Whether it is the use of LLMs to assist in drafting misinformation, or the application of AI to influence Search Engine Optimization, target selection, or influence social media algorithms, it is going to be dicey. Russian threat actors have diversified, and while sowing misinformation to erode support for Ukraine is still a major focus, they are now helping sow division in the US, Germany, and elsewhere. And we have for-hire groups like “Team Jorge” joining the fray, adding their own brand of chaos. Look for any lessons learned here to cause hand-wringing by governments on an epic scale.

  • Want a high-level primer?
  • Russian state-sponsored threats: https://thehackernews.com/2023/12/russias-ai-powered-disinformation.html
  • Team Jorge (Israeli election specialists): https://www.theguardian.com/world/2023/feb/15/revealed-disinformation-team-jorge-claim-meddling-elections-tal-hanan
  • Want to get nerdy? https://www.brookings.edu/articles/how-to-deal-with-ai-enabled-disinformation/

What else?

Critical infrastructure may not seem as glamorous, but it sure can pack a punch. Aliquippa, PA just had their water utility hacked by an Iranian threat actor who chose the moniker “Cyber Av3ngers”. Targeting the Human-Machine Interface of a Unitronics Vision system, they went to town (sorry for the pun), repeating an attack they claim to have performed throughout Israel.

  • Want a high-level primer? https://www.securityweek.com/hackers-hijack-industrial-control-system-at-us-water-utility/
  • Want to get more nerdy? https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

Microsoft is in the news for a lot of not-so-secure things of late

  • First off, they announced that the Kremlin-backed APT-28 (Fancy Bear) is exploiting a critical Outlook vuln (so read “client-side”).
  • Second, the Exchange servers themselves tend to be a dumpster fire of vulns (so read “server-side”).
  • And lastly, after the great token-stealing scandal of MS365, a ton of bad press for embarrassing vulns, and more, MS has replaced their CISO with someone who hasn’t yet been a CISO. I wish them luck – we need MS to be secure and trusted.

Things I am keeping an eye on myself?

  • The Defense Industrial Base (DIB) is also a fertile target, and China in particular endeavors to steal Intellectual Property (IP) to help advance their own build-up. BlackBerry has designated a new actor “AeroBlade” who was seen compromising an “aerospace organization in the United States”. Lots of TTPs and playbook stuff in this post!
  • China tends to engage in activity for economic/commercial reasons, but they too have their own political goals in cyber. Tibet, Taiwan, the Spratly Islands – all of these simmering topics were getting a lot of bot traffic on Meta and Google.
  • The new DNA-as-a-business game makes collecting personal data the core business. A recent breach at 23andMe is a huge quake for confidence. 14,000 customers had their data directly compromised through simple credential-stuffing attacks (reused passwords leaked elsewhere), and untold more (who allowed sharing for determination of relatives) were also likely impacted. ONLY NOW do they and their competition mandate MFA.
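The 23andMe point above is worth seeing in log form. Below is an added example (my own illustration, not code from the newsletter, 23andMe, or any vendor) that separates credential stuffing from plain brute force in a constructed auth log: a stuffing source fans out across many distinct accounts with few attempts each, so a single success from such a source is the account to reset. The log format, IPs and thresholds are assumptions.

```python
# Added example (not the newsletter's code): minimal credential-stuffing
# detector over constructed auth-log lines. Stuffing replays leaked user/
# password pairs, so one source touches MANY accounts with few tries each,
# unlike brute force (one account, many tries). Format/thresholds assumed.
from collections import defaultdict

# Constructed sample log, one attempt per line: "<ts> <src_ip> <account> <result>"
SAMPLE_LOG = """\
2023-12-05T10:00:01Z 203.0.113.7 alice FAIL
2023-12-05T10:00:02Z 203.0.113.7 bob FAIL
2023-12-05T10:00:02Z 203.0.113.7 carol OK
2023-12-05T10:00:03Z 203.0.113.7 dave FAIL
2023-12-05T10:00:03Z 203.0.113.7 erin FAIL
2023-12-05T10:00:04Z 203.0.113.7 frank FAIL
2023-12-05T10:00:10Z 198.51.100.9 alice FAIL
2023-12-05T10:00:11Z 198.51.100.9 alice FAIL
2023-12-05T10:00:12Z 198.51.100.9 alice FAIL
2023-12-05T10:00:13Z 198.51.100.9 alice FAIL
2023-12-05T10:00:14Z 198.51.100.9 alice FAIL
2023-12-05T10:01:00Z 192.0.2.44 grace OK
"""

def parse_log(text):
    """Yield (src_ip, account, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, account, result = parts
        yield ip, account, result == "OK"

def detect_stuffing(text, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_accounts, fail_ratio, accounts_with_success)}
    for sources that fan out across many accounts and mostly fail."""
    attempts = defaultdict(list)
    for ip, account, ok in parse_log(text):
        attempts[ip].append((account, ok))
    flagged = {}
    for ip, rows in attempts.items():
        accounts = {a for a, _ in rows}
        fails = sum(1 for _, ok in rows if not ok)
        ratio = fails / len(rows)
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            hits = sorted(a for a, ok in rows if ok)  # accounts to reset
            flagged[ip] = (len(accounts), round(ratio, 2), hits)
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio, hits) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} accounts, fail ratio {ratio}, successes: {hits}")
```

Note that the single-account source (198.51.100.9) is not flagged here even though it fails more; that is a brute-force pattern, which account lockout handles, whereas the fan-out pattern is the one MFA actually stops.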

Good reads!

  • Andy Greenberg at Wired Magazine did a great job (as always) interviewing and writing about the story of the 3 founders of the Mirai Botnet, who brought down some massive companies in the late 2010s and now work for the FBI. This is fascinating AND educational. (Consider: a new report states that >70% of internet traffic is malicious bot activity!!!)
  • This blog is a recent find for me, and Diego is teaching me a ton through it – I highly recommend subscribing! https://threathunterz.com/

Please reach out if you want to talk shop or have any questions!