Good evening, folks! Sorry for the delay in getting back to normal cadence. The last couple of weeks have been a blur. Cisco Live EMEA was busy yet rewarding, but I managed to get sick on the way back. Perhaps most importantly, it was a rough week for some colleagues I deeply respect. If you need help I can offer, please let me know folks! For now, let’s round up some threat and vuln updates with supply chains, VPN devices, and AI taking center stage.

When last we left Microsoft…

They were under siege. It’s the burden of supplying OSes to a majority of endpoints, running most of the world’s business email, and having a ubiquitous identity provider under one roof. They recently teamed with the US DoJ to disrupt the infrastructure of “Forest Blizzard”. This APT used to be called STRONTIUM; both of those names are Microsoft’s, by the way. The rest of the community uses APT28 or Fancy Bear. Either way, Microsoft witnessed the use of CVE-2023-23397 by these Russian actors to gain illicit access to Exchange servers. Forest Blizzard targeted a lot of high-profile email accounts, including corporate execs and government officials. This comes just a couple of months after a similar operation coordinated between Microsoft and the Polish Cyber Command. Good to see some actions taken!

  • Want to read more? Microsoft’s write-up, as usual, is pretty darn comprehensive and offers a history, investigation tips, and more.
  • Want to get nerdy? MITRE’s ATT&CK offers a collection of the TTPs APT28/Forest Blizzard/Fancy Bear use. T1114.002 Remote Email Collection looks like the TTP most implicated here.

Supply chain woes

Ivanti likes the classics…

Defenders have it bad enough trying to improve the things they have control over. It seems only fair that they should expect their vendors to do the same. Especially when those are security tools we’re talking about. All the compensating controls in the world are going to have a hard time with the issues in Ivanti Connect VPN. If you’ve been following my blog or anyone else who talks about threats and vulns, you probably have seen a lot of issues, US CERT directives, and even Executive Orders that have involved Ivanti. Well, Kevin Beaumont shows us why. In a box using the latest Ivanti image, he finds critical libraries that are old enough to drink and almost rent cars! C’mon folks! This is a ‘security’ solution?

Kevin “GossiTheDog” exposing the Ivanti mess’s roots.
  • Want to read more? The Hacker News has you covered.
  • Want to get nerdy? Eclypsium, a firmware security company, does a great methodical analysis and offers a masterful justification for Supply Chain Security.

Fortinet needs a break

Fortinet has had a rough couple of weeks themselves on the software front. They disclosed critical vulns like CVE-2024-21762, which was possibly implicated in some very high-profile zero-day attacks against their SSL VPN capability in FortiOS. They had a slew of others (CVE-2024-23113, CVE-2024-23108, CVE-2024-23109) too, rated in the 9.8 CVSS range. But the big story here is how much difficulty they had in disclosing and explaining these vulns. I can’t track it all in my head, but needless to say, it’s a week they would love to forget. And it’s another vulnerable security device. To be fair, every company, including my employer, has had their turn in the barrel. As always, customers need to be vigilant about patching and demand transparency.

The kicker was that they generated a sensation with claims of a toothbrush botnet DDoS-ing the Swiss. A researcher apparently portrayed it as a real event for the press, and when Fortinet later tried to deny it, the paper had the receipts. The Register does a great job with the escapade.

  • Want to read more? The Register’s response captures all of the exasperation I think we all felt trying to keep it straight. The Hacker News has a cleaner take on just the vulns.
  • Want to get nerdy? Tenable has a good history of flaws impacting FortiOS’s SSL VPN functionality.

This Week in AI

This is a two-for-one, folks! I was asked on a cool new podcast run by Eric Templeton whether I thought adversaries were using AI, and we sort of guessed that they must be. How can they pass up an opportunity to make their own playbooks more effective and dynamic? And almost like we planned it, Microsoft and OpenAI teamed to release a fascinating and troubling report about how a wide variety of nation-state APTs (from Russia, North Korea, China, Iran, etc.) are already using LLMs in their toolbox, each in their own ways. Uses in recon, scripting, content generation (for phishing) and even evasion were listed. Yeah, we better all get up to speed on this pronto – use it or lose it folks! Very fascinating stuff! This is going to add some serious difficulty in trying to summit David Bianco’s Pyramid of Pain.

Things I am keeping an eye on myself

  • Atlassian’s long string of issues keeps getting worse. Having a tool that was so pivotal in development across a wide variety of industries and sectors is hard. Now the GAO breach is being blamed on Confluence. Is there a secure SVN solution left?
  • Midnight Blizzard (APT29 or Cozy Bear), Forest Blizzard’s buddies, decided that crafting specially formatted emails was for nerds. They accessed Microsoft’s own corporate exec email with an old-school password spray. Lots wrong here though. This got them access to a non-Prod tenant, which somehow they were able to pivot from into the corporate email accounts. Cyber hygiene, MFA, good password policies. None of this should be news, folks!
  • If you were hoping biometrics were a way out of this mess, I’m sorry. Hackers can apparently steal your face now too and use it to defeat FaceID with 3D deepfakes they harvest with imposter applications. Crap.
  • Broadcom is Musk-ing VMware as rapidly as they can. They recently turned off free home-use ESXi images in its latest move. I feel for the VMware marketing folks, who are still trying to hit numbers despite their new overlords’ “3 dimensional chess.”
  • Volt Typhoon is on a tear, and their relentless assault on infrastructure is not satisfied with just the US. African electric companies are now targets as well.
  • The social cesspool formerly known as Twitter turned account verification from a measure of authenticity to an easily bought excuse with Elon’s non-existent content moderation. Apparently the bad guys have caught on!

Good reads!

  • My Threat Intelligence path continues, albeit slowly this past couple of weeks with Cisco Live in Amsterdam and a packed workweek. I plan on hitting it hard this weekend though!

Please reach out if you want to talk shop or have any questions – I learn a ton from what you folks are seeing!