This month’s highlights included two nation-state cyber espionage events orchestrated by Chinese threat actors and Russian security services utilizing sophisticated tools and techniques to evade detection for months. Other relevant news include, the addition of new ransomware groups into the threat landscape and the mention of deception at RSA by the Mandiant CEO as a cyber defense must. Read on to find out more about what we’re talking about this month.
Mandiant CEO’s 7 tips for cyber defense
The CEO of Mandiant, a leading cybersecurity company owned by Google, has shared seven valuable tips for enhancing cyber defense capabilities. The tips aim to help organizations bolster their security posture and protect against the increasing sophistication of cyber threats.
At his RSA Conference 2023, Kevin Mandia said to “build honeypots” as one of the tips for effective cyber defense: “Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can’t stop, Mandia said.”
We hear you Kevin – use deceptive techniques – such as those proposed by the MITRE Engage framework to defeat, disrupt and delay attacks, and above all to stop the threats that other systems don’t catch. Mandiant (now part of Google Cloud) investigated over 1,100 threats in 2022, so they know what works and how to stop attacks.
Dan Brett, CPO & Founder
Source: Cybersecurity Dive, May 1
Cybersecurity firm Dragos discloses cybersecurity incident, extortion attempt
Dragos, an industrial cybersecurity company, disclosed that it suffered a “cybersecurity event” after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. The organization claims the attackers didn’t succeed in breaching their network or cybersecurity platform.
The attackers managed to gain access by exploiting the personal email account of a new hire, and proceeded to impersonate the employee throughout the initial steps of the onboarding process. The attacker could only access “general use data” and exfiltrated 25 intel reports that were usually only available to customers. The attacker tried to compromise several Dragos internal systems without luck. Dragos was able to timely disable the exploited email account preventing further lateral movement, right after the extortion message came out from that same email address. Dragos said “while the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation.”
Reasons to be very careful in the onboarding process for new employee hire. Even more so considering today’s remote work trend where new employees are hired without even having a face to face interview. Another take is that the adversary had 13.5hrs of unrestricted access to the Dragos contract management system before they were discovered… Hmm, imagine if they’d had a beaconing document in there, and got an alert of unauthorized activity… a mere 2.5 hours into the attack – they could have cut their response time by 13 hours.
David Brown, CRO
Source: BleepingComputer, May 10
Hunting russian intelligence “Snake” malware
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory highlighting Russia’s Federal Security Service (FSB) use of Snake, their most sophisticated cyber espionage tool, for long-term intelligence collection on sensitive targets.
Snake has been detected in over 50 countries across North America, South America, Europe, Africa, Asia and Australia. The use of the Snake malware by FSB actors enabled them to gain unauthorized access and extract highly sensitive international relations documents, along with diplomatic communications, from a target located in a country belonging to the North Atlantic Treaty Organization (NATO). Furthermore, the FSB has targeted various sectors within the United States, including education, small businesses, media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing, and communications.
Snake, as a cyber espionage tool, stands out for being a highly customized tool that operates at a low level with the objective of covertly extracting information without being detected. It focuses on the encryption and obfuscation of its components as well as its customization in network communication.
Another aspect that draws attention is its use of a driver to hide its components from the system’s lists, thus making it possible to go unnoticed in the operating system. Despite its high sophistication in its components, there are also techniques that can make this implant easily detectable, such as the use of a non-legitimate service for persistence or the use code injection to allocate the user space component in a memory area (PAGE_EXECUTE_READWRITE) that can be easily identified and should raise alarms.
A member of the development team
Source: CISA, May 09
Microsoft warns that China hackers attacked U.S. infrastructure
Microsoft discovered Chinese state-sponsored hackers had compromised critical infrastructure organizations in both the continental United States and Guam across multiple verticals (communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education).
The hacker group known as Volt Typhoon used Living off the Land (LotL) techniques to infiltrate evading detection. The objective of the threat actors is not to create disruption yet, but to “perform espionage and maintain access without being detected for as long as possible”, Microsoft said. CISA Director concludes saying that “for years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe”. On the other hand, Chinese-backed editorials dismissed Microsoft’s analysis and claimed this news as “political propaganda.”
These LotL attacks constitute a huge security challenge, as they utilize common system administration tools that are often part of operating system builds. The normal, benign, use of these tools drowns out any malicious activity. If defenders alert on use of these tools they would be swamped in false positives. A deception environment is very good at detecting malicious behavior, since it immediately investigates any activity on decoy machines and quickly analyzes it for malicious intent.
Fernando, Head of Development and Founder
Source: CNBC, May 24
Meet Akira — a new ransomware operation targeting the enterprise
The new ransomware group called Akira claims to have already conducted 16 successful attacks on organizations from various industries in the US since its first appearance back in March 2023. Experts say it is not to be confused with another ransomware group that goes by the same name.
Its modus operandi is similar to that of other ransomware operations. Akira typically breaches a corporate network and spreads laterally to other devices. Once the threat actors gain Windows domain admin credentials, they deploy the ransomware. MalwareHunterTeam and Bleeping Computer have analyzed a sample of the Akira ransomware. When executed, Akira deletes Windows Shadow Volume Copies on the device and encrypts most of the files in the system, adding .akira extension. The infected computer will include a ransom note named akira_readme.txt with the victim’s files and links to the Akira data leak negotiation website. From negotiations seen by BleepingComputer, the ransomware gang demands ransoms ranging from $200,000 to millions of dollars.
According to ReliaQuest, in Q1 2023, close to 850 organizations were named on ransomware and data-extortion websites on the dark web. This was a 22.4% jump from the previous quarter. This just shows how active ransomware groups are nowadays and the incorporation of new players like Akira into the threat landscape are making things worse. It’s not just me, it’s TechTarget that recommends incorporating advanced technologies such as deception, zero trust and behavioral analysts technologies to prevent and detect these zero-day novel attacks.
Shunta Sanders, Director of Global-Pre Sales Engineering
Source: BleepingComputer, May 24
Don’t miss next month’s roundup. Follow us on LinkedIn, Twitter, or sign up for our newsletter to stay in touch.