I was on the road until yesterday, but I wanted to get back on the blog-updating horse. So here we are! After learning about and supporting the launch of a new solution, I got sucked into some saved news articles and blogs on the trip home that convinced me we need to rethink a lot of things to get caught up with adversaries. Ransomware operators are constantly evolving, and we should be too! And no one has it figured out, as we’ll see in a couple of paragraphs. So let’s think outside of the magic quadrants and waves about new ways to solve our problems.

Ransomware re-spins show resilience where we don’t need it

The sheer number of ransomware operations is growing exponentially. Ransomware-as-a-Service (RaaS) certainly drives this, but the range of options attackers can use is also growing. While Lockbit and Emotet garner a lot of law enforcement attention, other ransomware operators are evolving to fill the void and capture market share. Yep, RaaS is a market all its own – stand by for an evil version of Gartner to pop up and start ranking them!

It seems that HelloKitty – the folks who attempted to ransom/extort Cisco in 2022 – have relaunched as HelloGookie. As part of this “news release” they released source code from previous hacks of CD Projekt (a game developer) and information they claim was related to that Cisco breach. Tracked since 2020, with tooling that covers hypervisors like ESXi as well as both Windows and Linux, and using other tactics besides, they seem to be looking to branch out.

And then there is Akira, which now targets Linux for extortion as well and had racked up $42M in total proceeds as of January.

One of the O.G. criminal actors, FIN7, has even revived Carbanak to backdoor auto industry players through a new “free IP scanner” ruse. Stay vigilant, and for goodness sake don’t use free tools you don’t understand!

Even thought leaders have bad days

MITRE, the non-profit organization that brings us awesome projects like the Common Vulnerabilities and Exposures (CVE) database and the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) knowledge base, was recently hit by a supply chain attack. Lest we think they only work on these tools, keep in mind that they do a ton of research and policy development for the US Government. Lots of sensitive stuff! So when we find out that the notorious Ivanti VPN issues impacted them as well, it raises some alarms.

So far, they have only announced this breach as impacting the Networked Experimentation, Research, and Virtualization Environment (NERVE), which is a shared R&D network. That is good news, because MITRE also contributes heavily to energy, transportation, telecommunications, and other critical areas.

  • Want to read more? MITRE’s official release of the breach notification is here. It openly affirms that they plan to disclose more as time goes on. Openness is key, folks!
  • Want to get nerdy? MITRE CTID’s own post sharing the process is fascinating and well-written, and is firmly in the “well done” category of honest disclosure! It is very instructive to see CTID using their own creation (ATT&CK) to detail the entire picture, including the under-utilized Data Sources and Mitigations categories, as well as related efforts like Engage. Not to be too self-referential, they also point to great resources from CISA, the US Executive Branch, and multiple third-party intelligence sources. Nicely done folks!

This week in AI

AI continues to advance at a rapid clip, and it feels like we’re well past controlling its evolution. A couple of interesting, fascinating, and deeply concerning articles hit me this week while I was on the road. Meta announced the newest version (3) of its Llama LLM this week. Almost buried in the story? The LLM continued to learn even after Meta stopped training it. I am no AI guru, but it would seem we need fail-safes in LLMs to ensure that they abide by boundaries. Especially when a sobering report by the folks at UIUC shows that adversaries are quickly weaponizing LLMs like GPT-4. Armed with only threat advisories, threat actors enlisted GPT-4 to automatically carry out exploits against the posted vulnerabilities.

And if you’re worried about influence campaigns leveraging AI, it is only getting easier. China’s APTs are scary enough, but their branching into AI scares the crap out of me. And this just complements their adjacent activity in compromising critical infrastructure.

Thank goodness we have regulations and laws coming to help contain the risk, right? Think of all the gaps we discuss around cybersecurity: open positions, pay vs. responsibility, lack of entry-level roles, poor budgets, insufficient or non-existent processes. One we need to address pronto? The knowledge gap among government policy makers. Governments of all sizes and levels are proving woefully inadequate in addressing these critical questions. I fear they’re too far behind to ever have a meaningful impact. The toothpaste is already out of the tube.

Things I am keeping an eye on

  • Cisco announced best practices for preventing password spraying attacks on VPNs. This was immediately followed by a massive uptick in those attacks.
  • CISA has been stepping up its proactive alerts on ICS and critical infrastructure. This week, they warned of swaths of ICS controllers being vulnerable and without patches available. Step up your compensating controls, folks!
  • LastPass continues to suffer a lot of setbacks, including this report of users being scammed out of their master passwords.
  • Jim Clausing from SANS ISC released a pretty slick tool that helps to pull down an SBOM from a Linux image. There are a lot of paid tools that do this, but this freebie is a really cool idea.
  • We get myopically focused on the endpoint as the predominant entry objective for an adversary. This article makes a great case for how new identity-driven attacks on SaaS apps make it easy to do damage without ever touching endpoints.
  • BlackHat Asia really started up the conference season with a bang. One of the very concerning reports was of adversaries using PAN’s Cortex XDR agent (an EDR agent with more SaaS-supported features) as an “Evil XDR” offensive tool.
  • I plan to stand up MISP again soon – it’s been a few years. This tutorial is looking promising for helping me out with that!
  • This certification graph tool seems interesting – going to see what it says and what I think about it.

Good Reads

  • Folks know by now I love talking about MITRE ATT&CK and its associated projects. I learn so much more when the story of an adversary is broken down into consumable steps. The new Kubenomicon Threat Matrix takes the concept in a really cool direction. It not only shows how adversaries might hit a container-based application, but reinforces the learning I am doing on that front from a cloud and container fundamentals perspective. This is awesome!
  • In trying to continue on this CTI learning path, I came across a great post by Joe Slowik. Here he is covering CTI as a mindset and function. It is an eye-opening look at where CTI fits and why we’re (mostly) doing it wrong. Take a look, it’ll make you reevaluate how we treat the need!

I hope this entry – late as it was – was helpful and engaging. If you have any inputs, recommendations, or criticism, please send them my way! Have a great rest of the weekend!