Newsletter
03.08.2021 | 5'' read
The sudden explosion of zero-day attacks
Hello friend, if you were forwarded this newsletter from someone, consider joining the party. The newsletter is a lovingly curated collection of the things you need to know to keep pace with the business of cybersecurity. For regular chit-chat, daily updates and announcements, follow me on Twitter and LinkedIn ]
Monday blues, 3/8/2021.
In my 20+ years writing about hackers and tracking advanced threats, I’ve never seen this volume of in-the-wild zero-day exploitation happening at the same time. Last week alone, we saw five 0-days exploited in the wild, including a mysterious Chrome attack and Chinese cyberspies hitting tens-of-thousands of companies globally via Microsoft Exchange server vulnerabilities.
Google’s 0-day tracker spreadsheet has so far flagged 12 in-the-wild 0day attacks in 2021 (there were 24 total last year) and I know they’re missing at least two — the Sonicwall firewall attacks and the the Accellion incident that’s also causing a world of hurt downstream.
Let that sink in: we’re not yet done with Q1 and defenders are in scramble mode to deal with 14 zero-day attacks across a range of platforms, products and operating systems.
This sudden surge in 0day incidents is a massive strain on scarce resources, especially at those smaller shops without dedicated security teams. These companies must all assume compromise at this point, which means that patching alone isn’t going to get rid of the Exchange backdoor mess. [Shoutout to all the defenders in the packet mines cleaning up from this disaster. I feel you ✊]
But, zooming out, there’s also a sliver of good signs amidst the rubble. For starters, these aren’t just zero-day attacks. These are zero-day discoveries! As an industry, we should celebrate the availability of tech + skills + experience to actually find and expose these nation-state level threats.
Solarwinds was flagged by multi-factor authentication (MFA) tech. The MS Exchange backdoor barrage was found and outed by the incredible memory forensics tech at Volexity [props to Steven Adair and crew!). Kaspersky’s threat hunters routinely use clever technology traps to catch APT zero-days and it’s exciting to watch the real-time information of YARA rules and IOCs quickly help to blunt these attacks.
I’m not entirely sure what it all means, to be honest. It seems like a never-ending hamster wheel for defenders but I’m starting to see signs that innovation is catching up. I’ll leave you with the transcript [pdf] of this 2016 talk by the NSA’s Rob Joyce on why nation-state hackers always win [YouTube] and what you can do to limit the damage.
Pay attention to his advice of out-of-band network traffic capture and analysis. I’m convinced there’s treasure to be found in tech investments in his space. [ See Twitter thread ]
On to the newsletter…
Throwback podcast episode (Chaouki Bekrar).
By sheer luck, I stumbled upon this long-lost audio file of my interview with exploit broker Chaouki Bekrar back at the 2013 CanSecWest Pwn2Own contest. It’s the only known podcast recording with Bekrar and touched on some zero-day exploitation issues that remain very much alive today.
It’s an important part of cybersecurity history and I’m happy I was able to salvage the file for the public record.
Security people movements.
- Michael Oberlaender starts today as global CISO at LogMeIn, replacing Gerald Beuchelt, who moved to take the CISO role at Sprinklr.
- Dragos intel analyst Selena Larson is moving to Proofpoint. Catch my recent podcast with Selena here.
- Aviv Raff has joined Bloomreach as its new Chief Information Security Officer (CISO).
- Ex-Kaspersky/Chronicle malware hunter Juan Andres Guerrero-Saade has joined SentinelOne’s threat-hunting team.
- Laura Deaner is new CISO at Northwestern Mutual.
- Heather Gantt-Evans is Sailpoint’s new CISO.
Reports you should read this week.
- This will raise some eyebrows: How six APT-connected Chinese universities are advancing AI research (from Georgetown University’s Center for Security and Emerging Technology)
- Researchers from Google, Stanford, OpenAI, Harvard and Apple demonstrated an attack on GPT-2 and was able to extract hundreds of verbatim text sequences from the model’s training data. These extracted examples include (public) personally identifiable information (names, phone numbers, and email addresses), IRC conversations, code, and 128-bit UUIDs.
- In this paper, the Atlantic Council presents three case studies on three private “access-as-a-service” hacking groups (the NSO Group, ENFER, and DarkMatter). The ENFER description is particularly interesting.
- My former colleagues at Intel have put out a 2020 product security report that worth a few minutes of your time.
Threat-hunting goodies.
- The Microsoft Safety Scanner (TIL this exists) has been fitted with detections to look for signs of Exchange Server infections and backdoors. Microsoft recommends using the “full scan” option after installing the available patches.
- Supermicro has published mitigations in response to the nasty Trickboot functionality that exposes motherboard to BIOS read/white/erase attacks.
Redmond’s Exchange team has released a free tool to check for signs of exploit from CVE-2021-26855, 26858, 26857, and 27065 (the Exchange 0days).
My friends at Soteria released a PowerShell script to spot signs of Exchange server exploitation.
Tangentially.
Via Reddit: Not only is Marie Curie the only woman in this picture but also she’s the only human of all time to get two Nobel prizes in two different science fields – chemistry and physics.
Happy International Women’s day and shoutout to all the ladies in my network inspiring me to do great things everyday 👊❤
Have a fantastic week,
_ryan
PS: As usual, the podcast is available on all platforms (Apple, Google, Spotify and Amazon). If you enjoy the show, consider leaving a rating and review to help spread the word.
PPS: I welcome feedback. Don’t be shy ❤