Hey folks! This may be the last one of these for a couple of weeks, because I am headed to Amsterdam for Cisco Live Europe! I am excited to be talking about MITRE ATT&CK and helping facilitate a Threat Picture discussion with my good friend King Mark. We’ve got a lot of nation stake hackers causing a ruckus, so let’s go ahead and get into the threat update and look in on some news!
Nation-state actors stepping up activity
It is getting pretty hard to discern between APTs that target companies vs. governments, but that may be because it is harder and harder to separate them. Adversaries gain access to key strategic companies not only for the intellectual property, but the intelligence value and – increasingly – the economic impact, erosion of trust or manipulation of systems. With so many APTs out there, and many working for nation states, it makes cruel sense that they, like the companies they target, specialize and have scopes they tend to adhere to. This makes recent events concerning, as we’re seeing dozens of threat actors from all quarters stepping up their activities. The US Senate Intel chair is asking CISA to combat influence campaigns as we head to the November elections in the US. Ukraine’s allies are also getting hit. And we’re only in January.
Russian ops against Ukraine have picked up considerably
Our poor friends continue to see impact from cyber events while swatting drones and grinding it out in trenches. While the Kyivstar outage we mentioned last time certainly caused disruption, agencies are now determining the monetary impact of that breach. This single attack had direct monetary impact of $96M. Consider that this is one of hundreds of such attacks, and that the direction is coming from the very top. Those coordinated attacks continue relentlessly.
- Want to read more? Here is the Veon announcement discussing the assessment of damages.
- Want to get nerdy? Reuters is reporting more of the details of the Kyivstar operation.
The World’s state-sponsored APTs vs. Microsoft
Just in case we thought the Russian APTs were busy, we have some dire news from Microsoft, who is reporting that Russian threat actor Midnight Blizzard have targeted Microsoft’s own M365 instance to monitor executive communications. This is awfully bad especially given it comes hot on the heals of Chinese APT Storm-0558 having had their way with M365 just months prior.
- Want to read more? Here is the ArsTechnica reporting on this.
- Want to get nerdy? Microsoft’s own reporting is pretty solid, and falls well into the “sharing is caring” category. Kudos to them for explaining it in great detail!
And Microsoft, in a busy time, is also reporting that Mint Sandstorm, an Iranian APT has been targeting high-profile leaders researchers and academics who work in or around Middle Eastern affairs. Someone please buy those MS Threat Researchers and IR folks a drink!
Chinese threat actors have been playing the long game
Chinese threat group UNC3886 has been using a recently-announced doozy of a VMWare vulnerability for at least 2 years! While this group tends to focus on targeting systems that are incapable of running an EDR (like a hypervisor) what is notable is just how well they stayed undetected. Mandiant’s reporting on this is pretty insightful, and well worth a look. Hard to see what the bigger threat to confidence in VMware is right now: this vulnerability or Broadcom’s rash reset of licensing? Time will tell…
- Want to read more? Here is the CVE write-up for the vuln in question, a massive 9.8 CVSS folks!
- Want to get nerdy? Mandiant’s report on how this has been exploited and gone undetected is both scary and interesting.
Ivanti VPN… again…
“CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions…” As such, CISA has directed all agencies (and thus the contractors and partners adjacent) to take all legal actions to secure systems and apply the recommended actions ASAP. This is notable in that it will definitely cause some work (cert and credential rotation, etc.) but acknowledges that without the Emergency Directive, the impacted orgs might be tempted to sit on it. Good to see more urgency, and I hope this becomes a more common approach. There are still a lot of vulnerable log4j instances out there folks!
- Need a primer? Veloxity put together a pretty good explainer.
- Want to know more? Mandiant’s own in-depth report is chock-full of awesome insight as to how this has been used.
- Want to be secure? Follow CISA’s Emergency Directive 24-01 for a combined Ivanti/CISA playbook.
Atlassian is back!
Altassian’s Confluence solution, brutalized for much of 2022 and 2023, is back in the news. Shortly after a new flaw was announced in the self-hosted version (Atlassian-hosted stuff is clean!), folks have been probing the heck out if it.
This week in AI:
If you’ve been in security for a while, you have probably been well acquainted with CVEs (Common Vulnerabilities and Exposures). Given the sheer number of folks tackling all-things AI, it is no surprise that a new project has risen to take on the mantle of being the CVE-of-AI, and this is the LVE (Language model Vulnerabilities and Exposures) database. Expect this to become fertile ground and something we all need to track soon! Speaking of vulnerabilities, it may be some time before we should trust AI to write anything of real importance. Bruce Schneier writes that software engineers who were more involved and drove the prompts helped generate better, more secure code. This reinforces theories that AI is another skill that we all must learn to make it impactful. And it probably indicates that we have a while before Skynet is taking our gigs.
Things I am keeping an eye on myself
- Hot on the heals of our discussion on how Github and other important tools can be misused, GitHub is rotating credentials and certs due to recent events. Good idea!
- IBM released their 2023 Cost of a Breach study, and it has a lot of good insights in there. If you are struggling to justify the right security projects or quantify risk for the C-Suite, check it out!
- Microsoft is certainly getting practice at performing IR on their own stuff. To help us, they released some awesome guides for M365 and Entra IR.
- SANS just released a sweet cheat sheet that shows where in each of the major Cloud Service Providers critical security functions reside.
- Every organization (or family) struggles with the nuisance of security. The SEC says their recent embarrassment was caused by a SIM swap that MFA could have prevented. MFA was enabled, but removed because the SEC staff thought it was too much work. Well, that lapse saw their hacked Twitter account post false support for Bitcoin. Don’t give in to users, find ways to remove friction, not security.
- I missed this in late fall 2023, but if you are in security sales, DON’T BE THIS GUY. The dude gives us all a bad rap!
Good reads!
- In addition to tackling “Gengis Khan and the Making of the Modern World“, I have a new book on Viking history (“Children of Ash and Elm“) that I have lined up and ready to go. So many good reads, so little time!
- I have also (finally) embarked on some real cloud learning. Adrian Cantrill’s stuff is proving to be awesome, and I am looking forward to having some good certs and know-how soon. All to justify my Cisco Multicloud Defence addiction 😛
Please reach out if you want to talk shop or have any questions – I learn a ton from what you folks are seeing!