Wow, I am so sorry folks! It has been 3 weeks between updates – as I mentioned on LinkedIn, things have been busy on the travel front! In that crazy time, a lot of interesting things have happened that are worth a good look! Much of the biggest news this week in the world of threats is on another one of our state-sponsored threat actors, APT31, so let’s see what the buzz is about.

Zirconium – the stones on this group are real!

APT31 made a lot of news this week for what amounts to a lifetime achievement award for attacking. The Chinese state-sponsored threat actors, also known as ZIRCONIUM in the old Microsoft taxonomy, have certainly built quite a body of work! BTW…their new moniker from MS is Violet Typhoon. I actually like the Judgement Panda moniker they carry more. I digress…In the past week, they have been blamed for attacks on governments in no less than 11 countries. But wait – there’s more! They have also been very active working the critical infrastructure circuit too (pun intended). If we limit the news to just this past 10 days, it is a whole blog in its own right:

Needless to say, the variety of APT31’s portfolio is matched by their TTPs. Still, we can see that they tend to like phishing, stealing data (for both diplomatic and industrial espionage) and always with a focus on persistence. They tend to focus much less on DoS, ransom, and the like – but given Chinese APTs’ success in hoarding vulns and maintaining persistence, they might just be waiting for the right moment. If you are in their sights, paying attention to CISA’s very good guidance on Chinese APTs is a great place to start.

Russian FUD Factory

It seems Russia’s activities are starkly different from those of China, but concerning in a whole different way. While Chinese APTs value stealth, Russian threat actors wield chaos like a TTP all its own. While targeting critical infrastructure with more immediate goals than China (like DoS, damage, and human collateral harm), they are also using their noise to destroy trust or impersonate institutions prior to US elections in November of 2024. They tend to use some of their more hybrid outfits for that (state-harbored might be a better term?). They do have some outfits that specialize in the long game, and Turla in particular is getting a lot of good attention from Cisco Talos. A recent report sheds a ton of light on how they have evolved, and it is riveting!

Almost as if to pour salt in the wounds, Microsoft announced termination of multiple cloud services for Russian customers to comply with sanctions. I thought everyone did that a LONG time ago, but alas, you can see several tools in the list that are important for all sorts of users (red and blue). I do worry that this is too narrow, and that allowing individual users is setting us all up for a bunch of sock accounts. Apparently Google, Oracle, AWS, and more are marching down the same path. I think that it is unlikely to shut down nefarious use, and with the advent of CSP-hosted attacker infrastructure this is worth watching.

And to top it off, the confounding folks at Meta have decided that they don’t need an important tool for tracking misinformation, because their record is spotless (/sarcasm).

This week in AI

The discussion around LLMs and how they’d change the world is being tempered by both practical and philosophical matters. While Nvidia’s CEO would like us all to believe that AI will be our coders from now on, it seems LLMs and their hallucinations may actually hurt security. By expanding the attack surface early in the supply chain phase, we now have more to protect. I would also argue, we probably also have zero folks who can unravel those mysteries and cover for those gaps!

Things I am keeping an eye on

  • DDoS Guidance for Public Sector folks published by CISA and the FBI is well worth the read for all of us! Want to read more? Want to get nerdy?
  • Cisco published some really detailed recommendations for countering password spraying techniques across Remote Access VPNs terminated on Cisco firewalls. Slick stuff, and applicable lessons no matter the vendor!
  • Cisco has been busy piling on since the Splunk close, and this 2024 Cybersecurity Readiness Index is insightful. It seems most companies are overconfident – I wonder what the biggest factors in that are?
  • Ever since Broadcom began Musk-ing VMware, Proxmox has become much more popular. I use it, and I am getting much more comfortable with it than I ever was with VMware. Not a high bar, but I did have a VCP at one point 😛 Give it a look!
  • PAN’s Unit 42 folks reported on a widely used info stealer called StrelaStealer that they say has been used across over 100 organizations in the past couple of months.

Good Reads

  • All of that travel keeping me away from blogging let me knock out some books – I finally wrapped on the Genghis Khan biography – well worth it!
  • I also read Dave Grohl’s “The Storyteller” and got a great kick out of it. He is full of fun tales, and as a fan of the 90’s music scene it is wild to hear how it went down for him. Coolest part? He is self-taught on anything he plays and doesn’t read music. That is pretty inspirational for those of us who want to tackle new things our way.

So there it is – the weekly(ish) threat update. Please feel free to reach out and shoot the breeze any time about this stuff. All feedback is welcome!