Good morning folks! I had a great time in Boston this week hanging out with a cool partner, but in my travels I gathered some updates on the threat side of things that we all should be aware of:
Score one for the good guys!
Cisco Talos and Avast teamed up with Dutch authorities to take down the key people behind the Babuk Tortilla ransomware strain, and they have also worked together to provide a decryptor for potential victims.
- Want to read more?: https://blog.talosintelligence.com/decryptor-babuk-tortilla/
- Want to get nerdy?: See how it works in this past blog post: https://blog.talosintelligence.com/babuk-exploits-exchange/
- Need a decryptor for this threat (or several others)?: https://www.nomoreransom.org/en/decryption-tools.html
*It should be noted that this not-for-profit site aims to combine keys for all publicly known strains and simplify decryption, rather than forcing victims to seek out competing decryptors for all variants. Pretty slick!
When victims refuse to give up easy…
We all feel like we’re under a constant barrage from adversaries, but Ukraine can claim the title of most attacked for the past few years. And we can learn a ton from them, things like:
- How can you respond? Can you ‘hack back’?
- How can you defend/prevent?
- How can you survive or cope with the ones that get through?
This is particularly the case with critical infrastructure. It is critical for a reason, and Ukrainians have had to deal with the impacts to their power, financial systems, communications, and other utilities for some time. In this mid-December attack, Russian state actors targeted Kyivstar, a massive internet and mobile provider that connects over half of all Ukrainians. This isn’t military action, folks, this is Sandworm going to do Putin’s dirty work.
- Want to read more?: https://www.bbc.com/news/world-europe-67691222
- Want to get nerdy? https://www.reuters.com/world/europe/russian-hackers-were-inside-ukraine-telecoms-giant-months-cyber-spy-chief-2024-01-04/
- Ukraine continues to boldly retaliate.
Dual use tools in our software supply chain
We’re seeing more and more attacks that focus on victim-posted secrets and information rather than outright vulnerabilities. GitHub has certainly been fertile ground for that. But given its importance in so many enterprises now, adversaries have actually started to make GitHub a critical part of their own infrastructure. They are using it to deliver Command & Control (C2), provide a rarely-inspected path for exfiltration, or even host phishing schemes or redirect traffic. It should be noted that this is also happening in other ubiquitous tools: storage tools like OneDrive and DropBox, collaboration tools like Discord and Teams, and even the other code repos (Bitbucket and Gitlab). We’re all going to need to get smarter about how we monitor those flows and the activity with those services.
- Want to read more? https://thehackernews.com/2024/01/threat-actors-increasingly-abusing.html
- Need an example? Iranian actor Cobalt Mirage has been using GitHub for C2 for some time.
- Want to get nerdy?: Learn how the Iranian Drokbk variant is detected from SecureWorks.
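Since the point above is that we need to watch the flows to these dual-use services, here is an added example (my own, not from the article or any of the linked writeups) of the kind of heuristic you can run over proxy logs. The log format, host names, URLs and byte counts are all constructed, and the three checks (a non-developer host talking to a code host, an oversized upload, and one host re-fetching the same static file on a schedule) are assumptions about what "abnormal" looks like in your environment, so tune the allowlist and thresholds.

```python
import re
from collections import defaultdict
# Constructed sample proxy log lines (hypothetical format: time host method url bytes_sent);
# none of these hosts, URLs or sizes come from the original post.
SAMPLE_LOG = """\
2024-01-08T09:00:05 dev-laptop-17 POST https://github.com/acme/api.git/git-receive-pack 204800
2024-01-08T09:01:00 hr-desktop-03 GET https://raw.githubusercontent.com/x1/notes/main/cfg.txt 120
2024-01-08T09:06:00 hr-desktop-03 GET https://raw.githubusercontent.com/x1/notes/main/cfg.txt 120
2024-01-08T09:11:00 hr-desktop-03 GET https://raw.githubusercontent.com/x1/notes/main/cfg.txt 120
2024-01-08T09:16:00 hr-desktop-03 GET https://raw.githubusercontent.com/x1/notes/main/cfg.txt 120
2024-01-08T10:30:00 finance-pc-09 POST https://content.dropboxapi.com/2/files/upload 734003200
2024-01-08T10:45:00 finance-pc-09 GET https://teams.microsoft.com/api/chat 2048
"""
# Services the post calls out as dual-use: legitimate SaaS that also gets used for C2, exfil and phishing.
DUAL_USE = {
    "github.com": "code", "api.github.com": "code", "raw.githubusercontent.com": "code",
    "gitlab.com": "code", "bitbucket.org": "code",
    "dropbox.com": "storage", "content.dropboxapi.com": "storage", "onedrive.live.com": "storage",
    "discord.com": "chat", "cdn.discordapp.com": "chat", "teams.microsoft.com": "chat",
}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) https?://([^/\s]+)(\S*) (\d+)$")

def find_anomalies(log_text, dev_hosts, upload_threshold=50_000_000, poll_min=4):
    """Return sorted (host, reason, detail) triples for three patterns:
    non-developer hosts talking to code hosts, large uploads to any dual-use
    service, and one host re-fetching the same static file (C2-style polling)."""
    uploads = defaultdict(int)   # (host, domain) -> bytes sent via POST/PUT
    fetches = defaultdict(int)   # (host, domain, path) -> GET count
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines instead of crashing
        _ts, host, method, domain, path, sent = m.groups()
        service = DUAL_USE.get(domain.lower())
        if service is None:
            continue                      # only the dual-use services are of interest here
        if service == "code" and host not in dev_hosts:
            findings.add((host, "non-dev-host-to-code-service", domain))
        if method == "GET":
            fetches[(host, domain, path)] += 1
        else:
            uploads[(host, domain)] += int(sent)
    for (host, domain), total in uploads.items():
        if total > upload_threshold:
            findings.add((host, "large-upload", f"{domain}:{total}"))
    for (host, domain, path), n in fetches.items():
        if n >= poll_min:
            findings.add((host, "static-file-polling", f"{domain}{path} x{n}"))
    return sorted(findings)
```

Calling `find_anomalies(SAMPLE_LOG, {"dev-laptop-17"})` leaves the developer laptop alone but flags the HR desktop twice (code host plus polling) and the finance PC once (a 700 MB upload to Dropbox).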
This week in AI:
I think we all knew this had to be the case, but the NSA has admitted to industry analysts that it is using AI and ML on top of big data to do a lot of work in tracking adversaries, in particular the Chinese threat actors. While I never thought of this before, they point out that the Chinese have been innovating more around misconfiguration and implementation flaws than on the traditional vulns (though we know they hoard those too). It seems their threat actors are much more careful and thus harder to detect. Enter AI and ML to assist!
Things I am keeping an eye on myself?
- Cyber insurers, quick to monetize the risk of breaches and incidents in a space nobody completely fathoms, have been burned by incidents like NotPetya, WannaCry, and more and are looking for ways to carve out exceptions at their customers’ expense. A large category is ‘act of war’ – which is becoming blurrier by the second given that state-sponsored actors are often the rapid reaction force for Russia, China, and others, but near impossible to attribute with complete certainty.
- Ukraine isn’t the only target for Russian or Chinese state-sponsored hackers. AsyncRAT has apparently been operating unhindered throughout the US’s own critical infrastructure for almost a year!
- Secret sprawl is a thing – we all commit way too many to unguarded places (like code repos or support channels) and this writeup is a great start at reducing and remediating that risk.
Good reads!
- Not sure how I never ran across this site, but it is very helpful in finding examples of public breach information. It is by no means complete, but wow, is it educational! Kudos to Chris Farris for this resource!
- I keep coming back to Eric Capuano’s blog called “So you want to be a SOC Analyst?” and I have to say it is a really helpful series that I think can help anyone who (like me) is trying to make sense of how this all actually works.
Please reach out if you want to talk shop or have any questions – and stay vigilant out there!