Good day folks! I’m prepping for my holiday shutdown here at Cisco, but before I do, I have a threat update including some interesting developments on vulnerability hoarding that would make the Grinch cringe. But first:

This one comes courtesy of my good friend Dave Frohnapfel, who has been tracking the Comcast Xfinity breach. In case you missed it, roughly 35 million customers had personal information stolen when an adversary leveraged Citrix Bleed (CVE-2023-4966, the NetScaler ADC/Gateway flaw that leaks session tokens) to get at that data. Citrix was prompt about notifying impacted customers, and Xfinity applied the patches, but a later review of its logs turned up suspicious activity showing the intrusion had already happened before the patch landed. Patching closes the door, but it does not evict anyone who already walked through it, so whenever you patch a flaw that was exploited in the wild, go back through your logs and kill any sessions that predate the fix. As Dave mentions in his post on LinkedIn, here are a few security hygiene tips to keep your online presence safe:

  1. Leverage “hide my email” services like SimpleLogin or iCloud’s Hide My Email so that a breach exposes a throwaway alias rather than your real address.
  2. Use a unique password for every service, so one leaked password can’t be replayed against your other accounts (credential stuffing).
  3. Use a password manager like 1Password or Bitwarden to keep track of all those passwords securely.
  4. MFA everywhere. It’s the world we live in. The Cisco Duo Mobile app is free in the app stores, so there’s no excuse not to use it. Stay safe out there!

China is Hoarding Vulnerabilities

Chinese-affiliated threat actors have been leading the pack in attacking supply chains and in harvesting vulnerabilities in general. Collecting vulns and their associated exploits is, for most folks, a fool’s errand: vulnerabilities are continually being addressed through patched code or updated signatures and policies, which makes keeping a list that is both current AND useful out of reach for most threat actors. China is now actively collecting vulns at massive scale, and when you apply the sheer might of a state-sponsored effort, those opportunities add up quickly. Even more concerning: China’s NVDB (roughly their equivalent of a CVE database) and its mandatory reporting process appear to delay public notification until the various government agencies get a chance to evaluate a flaw’s offensive potential, and potentially keep it under their hat. Given just how much software and firmware comes via China, this is concerning.

Worried about this? Patch like crazy. Pursue Zero Trust: ensure that the only flows in your environment are those you expect, between entities you can verify. Someone wise once said that we all worry about 0-days, but it is the 365-days (the year-old, long-patched bugs nobody got around to fixing) that make up a healthy chunk of the breach news.

  • Want to learn more? This Atlantic Council report is exhaustive AND satisfies the “getting nerdy” part too.
  • Want to see classic projection? Chinese companies are expanding their bans on iPhones and claiming foreign backdoors for geolocation intelligence gathering.

Threat Updates in AI

If you are interested in AI’s uses beyond creating snazzy graphics and rap lyrics for songs about cybersecurity, the Artificially Intelligent Enterprise Substack by Mark Hinkle is pretty cool! I am learning a lot of things that make me more optimistic. Not all the way, but it helps 🙂

Things I am keeping an eye on myself?

  • MITRE, in collaboration with several other thought leaders in ICS, is currently offering pre-release access to interested parties for its new EMB3D threat modeling framework for embedded devices. It is designed to map to CVE, CWE, and ATT&CK, so it slots into existing workflows for making sure critical infrastructure is properly cared for. Looking forward to its release!
  • The FBI has severely wounded the ALPHV/BlackCat ransomware outfit, even releasing a decryption tool for victims to use. This is awesome news! Couldn’t happen to a better gang.
  • Microsoft has taken some lumps in 2023, but they are also getting really good at countering adversaries. A few weeks back we talked about Storm-1152, and MS has taken legal action that allows them to disrupt Storm-1152’s business (selling fraudulent MS accounts). This is big: Storm-1152 has to date marketed over 750M accounts through its marketplace.
  • A new JavaScript-based malware is being used to harvest credentials from banking customers by intercepting their activity in the browser and diverting their connections to attacker-controlled infrastructure. This seems part of a trend with “pig butchering” scams, which do similar things with cryptocurrencies and NFTs. Fun times!
  • Idaho National Laboratory was hit by a breach. They (like many national labs) assist with DOE efforts, including nuclear power. Not cool, folks!

Good reads!

Matt Edmondson (SANS OSINT course author) posted an awesome blog on how to unmask Dark Web operations. He provides some cool insights into how cryptocurrency transactions, forum data, and other artifacts are helpful in tracking the baddies.

Wrapping up for the Holidays

I appreciate those of you who take the time to check out my threat update and learn about vulnerability hoarding. I hope this is useful and helpful! For those of you taking time off in the next week or so, I wish you a happy break, and Happy Holidays to those celebrating them!