Good morning folks! I have some updates on the threat side of things that we all should be aware of:

In our first update, Russian SVR-backed pests known as APT29, CozyBear, NOBELIUM or the MS name of “Midnight Blizzard” are following the lead of North Korean adversaries. They’re exploiting a really bad JetBrains TeamCity vuln (CVE-2023-42793/9.8 CVSS) to manipulate source code, sign certs, and push updates. TeamCity is a CI/CD tool that helps run DevOps, sort of like Travis CI, Jenkins, CircleCI, and more. So it has the potential to be like SolarWinds issues a couple of years ago. Now appears they have patiently used it to get into more of the supply chain and gain as-of-yet dormant footholds. They are even using Dropbox to help mask their C2 – Yikes!

  • Want a high-level primer?
  • Want to get nerdy? THIS might be the most complete and well-annotated CISA briefs yet – fire with TTPs, signatures, IOCs, and more!

Speaking of the Russia, Microsoft Security (a continual target and expert on the Russian tradecraft) published a trending report. In it, MS details how Russia has waged a hybrid war on Ukraine. We talked last week about exploiting society’s division, but another trend is actually weaponizing pacifism. This really lands with respect to current public opinion in the EU and US. “The only thing necessary for the triumph of evil is for good men to do nothing.” – Edmund Burke. Demonizing refugees and targeting fears in diaspora communities have also been big priorities. The report also offers great Cyber Hygiene tips that should look familiar. We still need to remind people to help themselves!

  • Want to read more?

Cryptocurrency is far from anonymous!

Andy Greenberg is the easiest follow ever for anyone even remotely connected to information security, block chain technologies, or crime. His book “Tracers in the Dark” was one of the best books I read in 2023. Since that work, he’s followed up on the subject in his Wired pieces. In the latest, he discusses how recent US DoJ actions against the cryptocurrency exchange Binance not only landed massive fines, but opened the past books too. He has argued for years that cryptocurrencies are the antithesis of anonymity, not the enabler all think. Well just wait until law enforcement gets to connect all of those dots in immutable, undeniable terms!

  • Want to read more?
  • Want to get more nerdy? You know your in trouble when the IRS has a write-up on you.

This week in AI:

  • POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM POEM. I’m just trying to see if I can escape ChatGPT’s guardrails like these folks.
  • Some clever folks figured out how to make a very successful AI cracker. This method uses an Attacking AI and Monitoring AI to hit a victim AI prompt, building a tree of attacks that are pruned based on AI-guided tweaks. This is getting weird and scary.

Things I am keeping an eye on myself?

  • A couple of weeks back we discussed the Iranian-backed critical infrastructure attack on Alquippa PA’s water authority. The FBI is now reporting it as ‘targeted escalation’. This means they were hit because the adversary had a bone to pick with their use of Israeli-made equipment.
  • On the flip side of that, some good news! Robert M. Lee announced his company Dragos (world-renowned ICS/OT security gurus) launched a program to provide FREE software and services to small (<$100M yearly revenue) US-based utilities to help defend themselves from attack. This program also includes training, OT-CERT membership, and collective defense. Kudos to Dragos!!!
  • PWC just dropped their CISO 2024 Agenda, one of the few pointsmade is that only 3% of companies update risk for cloud stuff. The rest is pretty light, so looking elsewhere on their site, we get this slick report on C-suite trends.

Good reads!

  • I just enrolled in this Cloud Security Lab A Week (Cloud-SLAW) class with Rich Mogull. It is already helping me get acclimated with AWS! Well worth a look for a lightweight learning adventure!
  • New newsletter again this week too! Detection Engineering Weekly offers some super slick insights on what networks and environments are telling us. Even better, they discuss how to turn that into pure security insight.

Please reach out if you want to talk shop or have any questions!