Newsletter

10.07.2021 | 7'' read

An incomplete nation-state APT landscape

by Ryan Naraine

* The most clicked link from last week’s newsletter was Kaspersky’s technical report on the infamous FinSpy surveillance toolset. The report includes the discovery of a UEFI bootkit used for persistence on Windows.

Personal note.

Monday blues. 

The NSA’s Rob Joyce is a bit of a rarity in .gov security circles.  Over the years, as the NSA’s hacker-in-chief, he embedded himself within the security research community, spoke candidly about nation-state hacking operations (watch the Enigma speech!) and developed a reputation for straight talk in an industry full of hot air.

Last week, Joyce was back at it during a fireside chat at the Aspen Cyber Summit (skip to 3:21) where he outlined the U.S. government’s “sand-and-friction” strategy (read my story) and shared blunt assessments on the capabilities of what he described as ‘the big four’ — China, Russia, Iran and North Korea.

On Russia: “They are the disruptive force. They are very active in the intelligence-gathering activities, still, both against governments [and] critical infrastructure. We’ve seen evidence of pre-positioning against U.S. critical infrastructure. All things that can’t be tolerated and we need to work against.”

On China: “Scope and scale, China is off the charts. The amount of Chinese cyber actors dwarfs the rest of the globe, combined. The high end of the Chinese sophistication is really good.”

On North Korea: “[They’re] very, very focused on creating wealth for the regime because there’s not many more sanctions that the world can put on North Korea. They found that stealing Bitcoin is often easier than stealing from the Bank of Bangladesh. They haven’t been hitting the biggest banks quite as aggressively, because they’re making their money in the crypto space.”

On Iran: “Iran’s still active. Still actively engaged in offensive cyber. But what we’re seeing is they’re often very focused on regional things right now. They haven’t been as focused on broader impact. But they’re capable and most importantly they’re dangerous because they’re less judicious in what they decide is a reasonable action. I think at times Iran doesn’t understand just how much they’ve gone up to, and even over, the line to the point where they’ve drawn the ire and concern of the greater community.”

While it’s refreshing to hear the NSA’s take on apex-actors, the session felt incomplete. While nation-state malware attacks from China, Russia, Iran and North Korea make for sexy CNN headlines, they’re not nearly the cream of the crop.

Here’s one of my favorite security conference slide decks from my friend and ex-GReAT colleague Vicente Diaz:

Notice those flags in the top right of the magic APT quadrant?  Exactly.

An honest and open discussion about nation-state capabilities and operations must include all the actors, including the U.S., Israel, France, South Korea and the growing list of European nations managing cyber-espionage campaigns.

As the supply chain hacks show, we are all victims and the infection of corporate networks is seen as accepted collateral damage. If we are to embrace sand-and-friction to disrupt adversaries, we can’t only be learning from a handful of “bad” countries. That doesn’t make much sense.

A final thought — It’s tempting for the U.S. and its allies to claim moral leadership in the cyber-espionage space but it’s not an entirely honest conversation when you’ve been caught circumventing Windows Update mechanisms (a terrible precedent) and you lost control of your own destructive worm attack.

_ryan

On to the newsletter…

An APT found in Russia.

Speaking of balkanized research disclosures, here’s a doozy from sanctioned Russian security vendor Positive Technologies:

[We] have identified a new, previously unknown APT group that has systematically attacked mainly the fuel and energy complex and aviation industry in Russia. Additional attacks have targeted institutions in nine other countries, including the United States, India, Nepal, Taiwan, and Japan, where in some cases, researchers discovered compromised government servers. Since the group has started exploiting ProxyShell vulnerabilities in attacks to infect Microsoft Exchange, it’s possible that vulnerable servers in the UK could be affected in the future as well. The group, known as ChamelGang, appears to be focused on stealing data from compromised networks, and its first trusted-relationship attacks were registered in March 2021.

Here’s a link to the full technical report on ChamelGang and its arsenal.

Advertisement — Symmetry Systems.

Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Get in touch today for a demo.

Offensive security research.

Here’s a handful of impressive security research projects making the rounds:
  • New from Runa Sandvik, accompanying a presentation at the OBTS conference: Made in America: Green Lambert for OS X.
  • Chrome in-the-wild bug analysis: CVE-2021-30632 is a type confusion bug in the JIT compiler of Chrome that can be used to cause remote code execution (RCE) in the renderer of Chrome by a single visit to a malicious site. CVE-2021-30633 is a use-after-free bug in the IndexedDB API of the browser process that can be used to escape the Chrome sandbox once the renderer is compromised by CVE-2021-30632. Together, these two bugs allow a full remote compromise of Chrome (RCE + sandbox escape).
  • Hijacking iCloud credentials with Apple Airtags: “An attacker can carry out Stored XSS on this https://found.apple.com page, by injecting a malicious payload into the Airtag “Lost Mode” phone number field. A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact, the attacker has redirected them to a credential hijacking page.”
  • Randori has released a detailed technical analysis of the nasty VMware vCenter Server flaw and published indicators-of-compromise to help defenders spot signs of infections.
  • Abusing HTTP hop-by-hop request headers: A write-up of techniques that can be used to influence web systems and applications in unexpected ways, by abusing HTTP/1.1 hop-by-hop headers. Systems affected by these techniques are likely ones with multiple caches/proxies handling requests before reaching the backend application.
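As an added example (not code from this newsletter or from Apple), the two controls that stop an AirTag-style stored XSS in a “Lost Mode” contact field: an allow-list check when the number is written, and HTML output encoding when the found page renders it. The function names, the Map-backed store and the sample inputs are constructed for this illustration.

```javascript
// Added example (not Apple's code): defending a "Lost Mode" contact-number field
// against stored XSS. Two independent controls: an allow-list check when the
// value is written, and HTML output encoding when the found page renders it.
// Function names, the Map-backed store and the sample inputs are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding for an HTML text context: the five characters that can open
// or close markup are replaced, so stored text can only ever be displayed as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Write-time validation. A contact number only needs digits, an optional leading
// '+', spaces, hyphens and parentheses; anything else (markup, URLs, script) is
// refused before it ever reaches storage.
function isValidContactNumber(value) {
  return typeof value === "string" && /^\+?[0-9][0-9 ()-]{4,23}$/.test(value);
}

// Storage stand-in: returns false and stores nothing when validation fails.
function storeLostModeNumber(store, tagId, value) {
  if (!isValidContactNumber(value)) return false;
  store.set(tagId, value);
  return true;
}

// Render-time defence, applied even to values that passed validation, so a
// bypass of the write-time check (or a legacy record) still cannot inject markup.
function renderLostModeBanner(value) {
  return `<p>This item was lost. Contact the owner at: ${escapeHtml(value)}</p>`;
}

// Constructed sample inputs: a legitimate number and a markup string of the kind
// the write-up describes (a fake "sign in to iCloud" lure pointing elsewhere).
const LEGIT_NUMBER = "+1 415 555 0100";
const MARKUP_INPUT = '<a href="https://phish.example/login">Sign in to iCloud</a>';
```

Both controls are needed: validation keeps bad data out of the store, and encoding keeps whatever is in the store from becoming markup on the page that displays it.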

 

Phrack is back

Supply chain of pain

Security at Redmond.

Last-minute leftovers.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
