Hey folks! After a busy week, I am finally sitting down to see what is new in the world of threat actors and trends. We’re barrelling into Friday with a lot of attention on probably THE key software vendor in the world (Microsoft), and more attention on Volt Typhoon. Yet even hardware vulnerabilities are a thing, and it just goes to show how our supply chain is riddled with dependencies. And those dependencies open doors to vulnerabilities. So let’s check in and see some of the more interesting threads!

Microsoft Email breach becomes more concerning by the day

As we’ve discussed in multiple prior updates, Microsoft has had a very difficult time with a breach of its ubiquitous Exchange Online email service by multiple threat actors, most notably Midnight Blizzard and Storm-0558. Well, it seems that the former’s efforts detected in January have been riling CISA and the US Government. CISA’s Emergency Directive is a pretty bad sign that this impacted serious government business.

It seems that emails between Microsoft and their customer (the Federal Civilian Executive Branch) were snooped on, and included authentication details. Whoops! ED-24-2 directs all agencies to take action, review emails, reset credentials, and more.

  • Want to read more? HPE looks like they were hit before MS, which goes to show how prolific this APT is.
  • Want to get nerdy? Wiz.io has a very interesting write-up on the “how” of the breach, based on publicly available information.

Chinese persistence in Critical Infrastructure

CISA created a High Risk Communities center on their website, and it is full of awesome guidance and resources. Maybe you’re tempted to ignore that – maybe it is out of scope for you? Adversaries certainly aren’t passing up opportunities to cross-train and reuse techniques, and neither should you!

Chinese threat actors in particular have been honing their skills on western infrastructure for some time. In that spirit, CISA has released a fact sheet to help decision makers prepare for PRC-backed threats like Volt Typhoon. What is inside? Advice we should all heed: patch your stuff, harden OSes, monitor for LOLBins, train continuously, and update/rehearse IR and DR plans. This is all good advice we keep getting, but maybe your organization needs a name for the fear – well here you go! Volt Typhoon it is!

Diversity of skills and operations is a Chinese hallmark. Look at recent research by folks like Trend Micro, who have done a lot of work on malware families they call Earth Lusca and Earth Krahang, leveraged by an APT known as TAG-22. These threat actors are perfecting their skills in leveraging cross-organizational trust to pivot between victim organizations. Right now, the research is focused on operations in Southeast Asia. It is probably an objective to start replicating this in western governments and infrastructure soon, if they are not doing so already.

This week in AI

I think we’re seeing so much AI painted on pretty much everything these days that it can desensitize us to a great use case. Toothbrushes with AI? Seriously? But I think we can all see some positive uses in helping get through more tedious tasks. One of the things that slows a lot of organizations down in cybersecurity is the collection and processing of intel. This write-up by Thomas Roccia offers a slick look at how LLMs might really help. And another wonderful person to follow, Roberto Rodriguez from Microsoft, has done some awesome open experimentation with GenAI and Jupyter Notebooks. I think it is worth following along and potentially trying myself!

Things I am keeping an eye on

  • Software supply chains are rightfully a big focus, but don’t sleep on the hardware! Binarly released a research paper showing how server firmware for Intel, Lenovo, and Supermicro included vulns that bypass security controls. Patch it, you say? The Intel and Lenovo hardware in question is no longer supported – so it is eternally vulnerable.
  • DPRK threat actors have been actively using two new sub-techniques from the upcoming MITRE ATT&CK matrix. I think we all love innovation, but not by the bad guys.
  • Even security companies get hit once in a while. LastPass admitted an employee fell victim to a voice phishing attack that used a deepfake of their CEO.
  • Apple warned a LOT of people from over 150 countries that mercenary spyware from folks like NSO Group is targeting them. If you are an NSO Group customer, we are not friends.
  • This research on alternate app-level protocols for carrying out DDoS attacks has my head spinning. Very insightful, and very concerning!
  • A bipartisan effort in Congress sees a serious attempt at tackling online privacy! This is a huge effort – the current state is rife with fractures, inconsistencies, and a lack of cohesion. Who knew Congress had it in them???

Good Reads

  • The folks at Active Countermeasures (who also count Black Hills Information Security and Antisyphon as sister companies) run an awesome blog chock-full of info, and this blog on tunneling C2 beacons by Faan Rossouw is very informative. They also have a slick place to see their upcoming training here.
  • Last week we touched a lot on the XZ open source supply chain attack, and this timeline looks like the outline for a multi-part mini-series. I think that Nick Offerman might make a good protagonist. Maybe vs. Amy Poehler? Parxz & Wreck folks! (it is late).

I hope that this week’s summary of things I found interesting is helpful. As always, please have a good and safe weekend and feel free to reach out and chat!