Newsletter

• Dennis Fisher has a story on a security researcher finding several key pairs used to encrypt the traffic between rogue Cobalt Strike beacons and their command-and-control servers, enabling the decryption of the communications for several hundred beacons deployed by malicious actors.
• Threat hunters at BitDefender have identified a rootkit with a Microsoft-issued digital signature. The rootkit is used to proxy traffic to Internet addresses that interest the attackers.
• This detailed look at the “Initial Access Broker Landscape” is incredibly important to understanding the cybercrime ecosystem.
• Some data points on Secrets Sprawl on Github.

Ransomware everywhere.

• The New York Times is reporting on a rare win in the cat-and-mouse game of ransomware.
• Huntress Lab was called in to investigate a ransomware attack against an unnamed U.S. engineering company and found gaping holes in a little-known billing system software called BillQuick Web Suite iwth 400,000 users worldwide.
• From Florian Roth: “It’s not always possible to scan every device in your network for crypt mining malware (Linux boxes, IOT, App containers) but you could check your DNS & firewall logs for connections to the limited number of mining pools on this list.

NYTimes reporter hacked by Saudis

Citizen Lab has a head-scratcher of a report on a New York Times reporter Ben Hubbard’s devices hacked by Saudi Arabian operators using the Pegasus spyware tool.  The raw details:

• Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
• The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.
•  Some forensic artifacts connected to NSO Group are present on Hubbard’s device as early as April 2018.
• A phone number belonging to Hubbard also reportedly appeared on the Pegasus Project list in July 2019.

Hubbard wrote a first-person account of the compromise.

Leftovers.     

Danny Moore’s upcoming talk at CyberWarCon is all kinds of fascinating:

This talk will explore how the modern military is information security’s worst nightmare. In particular, we will focus on the US military and its decades-old, globe-spanning operational networks powering weapons designed by a dozen low-bidding contractors with enormous supply chains. Weapons must be remotely targeted, operated and maintained thousands of miles from home, and potentially work both over civilian and military infrastructure. For an attacker, that is an incredible playing field.

The talk tackles specific examples such as the US Navy’s Littoral Combat Ship, the F-35, and military satellite comms. We will explore their design vulnerabilities, opportunities for compromise, and how they may be attacked for operational gain during – or right before – conflict.

This makes Danny’s book on Offensive Cyber Operations a must-read.

Tangentially.

From the ISC SANS diary:

A bug in the GPSD project that could cause time to rollback in October 2021. Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers. The next occurrence should have been in November 2038, but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021 . This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.

 Beautiful bug.