APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks

The advanced persistent threat known as APT41 has pressed into service an open source red-teaming tool, Google Command and Control (GC2), for use in cyber espionage attacks, marking a shift in its tactics.

According to the Google Threat Analysis Group (TAG) team, the APT41 group, also known as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails that contained links to a password-protected file hosted in Drive.

When the file was opened, it fetched the GC2 payload. As detailed in the TAG April Threat Horizons report, this tool gets its commands from Google Sheets, most likely to hide the malicious activity, and exfiltrates data to Google Drive. The GC2 tool also enables the attacker to download additional files from Drive onto the victim’s system.

APT41 also previously used GC2 last July to target an Italian job search website, according to TAG.

TAG researchers noted that incidents such as this highlight several trends by China-affiliated threat actors, such as using publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.

Using Publicly Available Tools

Chinese APT groups have increasingly used publicly available (and legitimate) tools such as Cobalt Strike and other penetration testing software, which is available on sites like GitHub; there’s also been a shift to using lesser-known red teaming tools such as Brute Ratel and Sliver to evade detection during their attacks.

The use of such “living off the land” tactics is well known among financially motivated cyberattackers, but less so among APTs that are better resourced and can develop custom tools. Yet Christopher Porter, head of threat intelligence for Google Cloud, said in the report that it is “only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems.”

He adds, “A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard coded into security systems screening for spam or malware.” He also flagged the use of cloud services for stealth and legitimacy: “Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control.”

Who Is APT41?

The group’s activities illustrate the “continued overlap of public sector threat actors targeting private sector organizations with limited government ties,” according to the TAG analysis.

Last year the same group was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong, as well as targeting multiple US government agencies using the Log4j vulnerability.

Bronze Atlas is “one of the most prolific groups we have been tracking for a long time,” says Marc Burnard, senior security researcher for Secureworks’ Counter Threat Unit, having tracked it since at least 2007. And during that time, the group “has been very prolific,” he says.

Burnard says APT41 has gone after a range of targets, including government, healthcare, high-tech manufacturing, telcos, aviation, non-governmental organizations (NGOs), and targets in line with China’s political and economic interests.

“They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well,” he notes.

Asked why this particular Taiwanese media company would be targeted, Burnard admits there could be several reasons, including the China-Taiwan political situation, a goal of using the victim to target other organizations and individuals, or there could be a “destructive element” too.

APT41 Quiets Down Its Wall of Noise

As mentioned, the TAG report found that the attackers sent phishing emails to the victim containing links to legitimate cloud services in order to avoid detection — links to a trusted cloud service don’t set off email filters. Burnard points out that this is part of a style change for the group, as up until the last few years it was quite noisy in its attacks, and not too worried about the activity being detected.

However, since the 2020 indictment of seven alleged cybercriminals, which reportedly included members of APT41, the activity has been more stealthy, and Burnard says the APT is now moving towards using legitimate tools like Cobalt Strike, and towards cloud services, to hide its intent and activity.

ISI Researchers Win Best Paper Award at IEEE COMSNETS 2023

DNS server attackers don’t have it easy anymore, thanks to a new technology developed at USC Viterbi’s Information Sciences Institute (ISI). 

ASM Rizvi, lead research engineer, Jelena Mirkovic, research team lead, John Heidemann, principal scientist, Wes Hardaker, senior computer scientist, and Robert Story, research lead, were awarded the Best Paper Award at the IEEE (1) COMSNETS in January 2023.

The team’s paper, “Defending Root DNS Servers Against DDoS Using Layered Defenses,” describes the system they designed to successfully fight incoming attacks on DNS servers. 

“We highlighted several real world attack events that we observed in the DNS root server and we showed that using our system, we could have successfully mitigated them,” Rizvi said. 

These layered defenses include filtering for “spoofed” or disguised attacker traffic, identifying known-good traffic to let through, and detecting suddenly aggressive DNS clients.  

Their paper was chosen for the award out of 34 papers that were accepted into the conference. 

Distributed Denial-of-Service (DDoS) Attacks  

The Domain Name System, invented at USC Viterbi ISI by Paul Mockapetris, translates website domain names (such as www.google.com) into numerical values (IP addresses) which are needed to route the user requests to the correct server.  

The job of DNS servers, helping a web browser parse a web page address, is crucial in making sure the right page pops up.

Without DNS servers, finding what we need would be a much more time-consuming and difficult task.

Unfortunately, they may suffer from Distributed Denial-of-Service (DDoS) attacks, which overwhelm the targeted server with an influx of traffic to disrupt normal traffic flow. It’s like a deliberate highway traffic jam, preventing you from getting to work on time.

DDoS attacks “keep legitimate clients from gaining access to the server,” Rizvi says, because all of its resources are already allocated to fulfilling the attackers’ requests. 

Mirkovic added that these DNS servers are “especially challenging to protect against attacks” because they are public servers that are accessed by a variety of customers with a wide range of behaviors.  

“So there are some customers that send very little traffic sporadically, maybe a few queries per day and others that send tens of thousands of queries per second, so it’s a big range to be able to model,” Mirkovic explained. 

Operation Defend those Servers! 

A special role in the DNS operation is played by DNS root servers, which serve as a focal point for many requests.  

These root servers direct DNS clients to more specialized DNS servers, which ultimately fulfill their queries, akin to the 411 service humans use to find out contact information of various businesses and people.

USC Viterbi ISI is home to the first root server ever. There are only 13 DNS root servers globally, one of which is B-Root, operated exclusively by USC.  

B-Root receives billions of requests each day, so the team was able to use its live traffic and data sets to design and test their defenses as a case study.  

“Our system was certainly developed and formed from what we learned from B-Root,” Heidemann said.  

Their system, called DDiDD (DDoS Defense In Depth for DNS), “contains a collection of defense modules, and when a DNS server is attacked, the system then picks which module to deploy,” Heidemann added. It also “knows how and when to change if the original choice doesn’t work.”

The team’s concept of a layered defense. Heidemann says that “no single one of our different defenses will completely stop an attack, but together they minimize an attack’s effects.”

A successfully developed and proven defense, however, is not the end all be all. Attackers are constantly changing their methods and patterns, which means defenses must adjust accordingly. 

“Like most security problems this is an arms race, and if we make it harder, they’ll make it harder still and so on. 5 years from now, what will the modules to defend be? I’m not sure,” Heidemann said. 

Bringing Home the Prize 

Even with the cyber-attack sphere constantly evolving, the team is proud of their contribution and its utility.  

“One of the big goals of the paper was to show that it’s feasible to have an array of defenses and to select which one works best for each attack, and we have shown that it is possible and how to do it,” Heidemann said. 

Mirkovic said she was “thrilled” when the paper took home the award. 

“We put in a lot of work, and I think it’s an under researched area that doesn’t see a lot of attention, so I think that is part of what made our work stand out,” she added. 

Next up is operationalizing the software so that the broader University community can implement it.  

“We are deploying the system in the real server, and trying to see when new attacks come, whether our system can handle it or not,” Rizvi explained. “Then we can work on enriching the system and making it stronger.”

(1) The IEEE is the largest global professional organization for the advancement of technology. COMSNETS is a conference dedicated to the discussion of innovative technologies in communication and networking systems. 

Published on April 18th, 2023

Last updated on April 18th, 2023

10 factors to consider when seeking cyber insurance coverage

With the cyberthreat landscape constantly evolving and growing numbers of businesses falling victim to attacks, the need for cyber insurance has never been higher. Craig Somerville, Managing Director and CEO of Somerville, shares 10 factors to consider when seeking cyber insurance coverage.

Designed to assist organisations to cope with the disruption and cost of an attack, cyber insurance policies come in many shapes and sizes. They cover a range of areas including the loss of data, ransomware attacks and the reputational damage caused by an attack.

Some policies extend even further and provide assistance with privacy liability, media liability, regulatory proceedings, and fallout from supply-chain attacks. All will provide vital support when an organisation needs it the most.

A variety of claims

Cyber insurance policies are regularly assisting organisations of all sizes when they suffer an attack. Recent examples have included:

Missing laptop: A company employee misplaced a laptop which contained a list of 1000 client records and credit card details. A total of $250,000 was paid for the cost of notifying the affected individuals and the Privacy Commissioner of the data breach.

Encrypted records: An insured company discovered that a hacker had gained remote access to a server and encrypted client records. The hacker then demanded a ransom of $100,000 in Bitcoin to decrypt the files. The cyber insurance policy led to the company being paid $300,000 for the extortion claim and loss of income, together with the cost of notifying the affected individuals and the Privacy Commissioner.

Fake email: A cybercriminal impersonated a client of an insured company using an identical email address. The hacker then redirected payments totalling $41,000 into a new fraudulent bank account. The company claimed against their cyber insurance policy and suffered no loss.

Securing appropriate insurance cover

There are a range of factors to consider when selecting and purchasing a cyber insurance policy. Each policy will have an impact on whether cover can actually be secured and whether it will provide the level of protection that is sought.

The top 10 factors to consider are:

Encryption: It is important to ensure that all sensitive and personal data is encrypted both at rest and in transit. This will reduce the chances of it being misused following an attack.
MFA: The deployment of Multi-factor Authentication (MFA) is likely to be a requirement of many insurers. MFA can significantly reduce the chances of unauthorised parties gaining access to corporate IT resources.
Endpoint protection: All endpoints on an organisation’s network should be protected by the use of firewalls and antivirus software. It is also important that these tools are regularly updated.
Data backups: All critical data needs to be regularly backed up to ensure recovery is possible should an attack take place. Backups should also be stored off-site and segregated from the main corporate environment.
Backup testing: Data backups should also be regularly tested to ensure their integrity and confirm that they are capable of restoring all core systems within the organisation.
Email scanning: All incoming email should be automatically scanned for malicious links and attachments. This will reduce the chances of a cybercriminal gaining access to centralised systems.
User training: Regular security awareness training should be conducted for all staff. This should include clear explanations of the risks being faced and the steps staff can take to ward off attacks.
Admin checks: Organisations should also have in place established procedures to verify requests for changes in customer and partner details. This will ensure only legitimate requests are actioned.
Financial checks: Rigorous checks should also be in place when it comes to authorising any financial transactions. This could include the need for at least two parties to authorise all transactions over a set amount.
Patch management: There needs to be in place a patch management policy that ensures all critical patches are installed as quickly as possible after their release.

By taking these factors into account, organisations will improve their level of cyber security while also making it more likely they will be able to secure an appropriate level of cyber insurance.

The threats posed by cybercriminals are going to continue to evolve and grow. Having a cyber insurance policy in place, backed by effective security procedures, will afford organisations the best possible levels of defence.

SpinOne adds new capabilities to secure SaaS applications and data

SaaS data protection provider Spin.ai has launched two new service modules — SaaS security posture management (SSPM) and SaaS data leak prevention/loss protection (SDLP) — along with a few new capabilities for existing modules, to its flagship SaaS security platform SpinOne.

The enhancements to the SaaS-based offering aim to protect SaaS applications, automate manual processes, and minimize business downtime for organizations.

Both SSPM and SDLP are being added as new subscriptions on the SpinOne platform and are generally available, along with the other capabilities released for existing modules.

The new capabilities for SpinOne’s existing modules include improvements for SaaS ransomware detection and response (SRDR), integration with Jira and ServiceNow, and support for Slack.

“Many organizations underestimate the risks associated with SaaS data or believe that their cloud provider has it covered,” said Davit Asatryan, director of product at Spin.ai. “The shared responsibility models for Google, Microsoft, Salesforce, and Slack note that they take care of the physical security of their data centers and underlying infrastructure, but your data is still your responsibility. SpinOne makes SaaS security easier and faster for SecOps teams.”

Managing SaaS data, access and security

SpinOne’s SSPM is designed to offer automated security controls to help companies detect and respond to misconfigurations, and provides an inventory of unsanctioned third-party apps and extensions.

The module is powered by SpinOne’s database of more than 300,000 apps and extensions assessed by an in-house AI algorithm, to reduce risk assessment time significantly according to Asatryan.

“SpinOne SSPM outperforms other offerings by providing a risk assessment for third-party applications and browser extensions using a thorough list of over 15 risk criteria to perform assessments and is also geared toward understanding compliance risks related to regulatory frameworks like GDPR, HIPAA, SOC, CCPA, and others,” Asatryan said.

The tool essentially offers visibility into SaaS apps, cloud apps, mobile apps and browser extensions and cross-references any suspicious posture with SpinOne’s historic database to arrive at a risk score of 0 to 100. This, the company claims, eliminates the heavy lifting of manual assessment, bringing total risk assessment time to minutes and seconds.

In addition, SpinOne’s new SDLP module offers SaaS access management, backup, and recovery capabilities.

“SaaS DLP complements existing identity management tools and helps control all unauthorized access to sensitive SaaS data using SpinOne’s configurable access management and advanced reporting,” Asatryan said.

SaaS backup aims for quick data retrieval

SpinOne has added an integrated SaaS backup offering which promises recovery of lost data within minutes and hours as opposed to conventional weeks and months.

Additionally, SpinOne’s SRDR module now supports 24-hours-a-day, seven days a week ransomware monitoring and automated incident alerts, designed to help customers recover from ransomware attacks with minimum downtime. This “in-progress” detection of ransomware attacks adds to SpinOne’s “within hours” recovery claim.

“Both Google and Microsoft have API and throttling limits, i.e., how much data can be recovered at once (10 I/O requests per second), to help avoid the problem of one tenant affecting the performance of other tenants. However, in the case of an attack, it can result in downtime and recovery times of weeks or months depending on the amount of data,” Asatryan said.

By stopping an attack in progress, the damage is limited, and the files can be recovered within the company’s two-hour service level agreement, he added.

SpinOne supports JIRA, ServiceNow and Slack

SpinOne’s integration with Jira and ServiceNow allows for the creation of automated incident alerts, eliminating the need for manual intervention by the security teams, the company said.

“With this integration, customers can create policies in SpinOne and select existing ticketing ecosystems such as Jira and/or ServiceNow as an output, where actionable tickets can be created. These integrations help streamline SaaS security operations by automatically creating real-time actionable tickets and maintain logs of such tickets to reduce and mitigate incidents,” Asatryan said.

Support for Slack has also been added on SpinOne to meet data protection and compliance requirements, ensure business continuity, and decrease recovery costs. This includes setting up an automated backup of Slack data three times a day on AWS, GCP, Azure, or other computing platforms.

The Verge

Using 2FA to protect your accounts is a lot safer than using just passwords, especially if you use a separate authenticator app.

2FA phishing message reading - Twitter: We have noticed an unusual Login attempt from Dallas, Texas to your Twitter Account (@rjcc). We have sent you an 8 Character Confirmation Code to the E-mail Address connected to your Twitter Account (************@*****.***). Reply with the 8 Character Confirmation Code to block this login and set-up a new passcode. Reply with “YES” to authorize this login attempt.

Phishing message sent to Richard Lawler
Image: Richard Lawler

This is despite the fact that Twitter now offers SMS-based two-factor authentication only to its Twitter Blue members (costs begin at $8 a month). In fact, many of The Verge staffers have moved to Mastodon and other social networks, but no matter where you’re hanging out these days, it’s not a good idea to give someone access to your account. And if you want to use 2FA to secure your social media or other services, using text messaging is not the way to go. You’re much better off using either a third-party authenticator app or a hardware security key.

What are security keys?

Security keys, such as the ones sold by Yubico, are the safest method to use. They can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s YubiKey 5C Nano, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.

When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access (which prevents you from accidentally logging in to a phishing site). The key then cryptographically signs the challenge, which logs you in to the service.
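The domain binding described above can be seen in a simplified model of the exchange. This is an added example, not code from the article or from any key vendor; it is not the full WebAuthn/U2F message format, and the two origins are constructed names.

```javascript
const crypto = require('node:crypto');

// Constructed names: the real site and a look-alike phishing page.
const REAL_ORIGIN = 'https://accounts.example.com';
const PHISH_ORIGIN = 'https://accounts-example.test';

// Security key: the private key never leaves it; the site stores the public key.
function makeSecurityKey() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    sign: (data) => crypto.sign('sha256', Buffer.from(data), privateKey),
  };
}

// Browser: it, not the page or the user, writes the origin of the page that
// requested the login into the data the key signs.
function browserGetAssertion(key, pageOrigin, challenge) {
  const clientData = JSON.stringify({ challenge, origin: pageOrigin });
  return { clientData, signature: key.sign(clientData) };
}

// Site: accept only a valid signature over its own fresh challenge and origin.
function serverVerify(publicKey, issuedChallenge, assertion) {
  const sigOk = crypto.verify('sha256', Buffer.from(assertion.clientData),
    publicKey, assertion.signature);
  if (!sigOk) return 'rejected: bad signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== issuedChallenge) return 'rejected: stale challenge';
  if (data.origin !== REAL_ORIGIN) return 'rejected: wrong origin';
  return 'accepted';
}

function demo() {
  const key = makeSecurityKey();
  const newChallenge = () => crypto.randomBytes(16).toString('hex');

  // 1. Normal login on the real site.
  const c1 = newChallenge();
  const good = browserGetAssertion(key, REAL_ORIGIN, c1);
  const normal = serverVerify(key.publicKey, c1, good);

  // 2. The user is on the look-alike page, which passes along the real
  //    site's challenge. The browser records the page it is actually on.
  const c2 = newChallenge();
  const phished = browserGetAssertion(key, PHISH_ORIGIN, c2);
  const relayed = serverVerify(key.publicKey, c2, phished);

  // 3. Rewriting the origin field afterwards invalidates the signature.
  const forged = {
    ...phished,
    clientData: phished.clientData.replace(PHISH_ORIGIN, REAL_ORIGIN),
  };
  const tampered = serverVerify(key.publicKey, c2, forged);

  // 4. An old, valid assertion does not answer a new challenge.
  const replayed = serverVerify(key.publicKey, newChallenge(), good);

  return { normal, relayed, tampered, replayed };
}

console.log(demo());
```

Only the first login is accepted; the other three fail on the origin, the signature and the challenge respectively, with no decision left to the user.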

Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, and others. The best thing to do is check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.

What are authenticator apps?

But while physical security keys are the safest method, they are not the most convenient. If you don’t want to carry around (and possibly lose) a physical key, using an authentication app on your phone is the best way to go.

Authentication apps generate one-time numerical passcodes that change approximately every minute. When you log in to your service or app, it will ask for your authenticator code; you just open up the app to find the randomly generated code required to get past security.

Popular options include Authy, Google Authenticator, and Microsoft Authenticator. These apps mostly follow the same procedure when you’re adding a new account: you scan a QR code associated with your account, and it is saved in the app. The next time you log in to your service or app, it will ask for a numerical code; just open up the authenticator app to find the randomly generated code required to get past security.
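How an authenticator app turns the scanned QR code into changing codes, as an added example that is not from the article or from any of the apps named. It assumes the common `otpauth://` enrolment URI and the TOTP algorithm of RFC 6238 with HMAC-SHA-1; the account label is constructed and the secret is the RFC's published test key.

```javascript
const crypto = require('node:crypto');

// The QR code carries the shared secret as base32 text.
function base32Decode(text) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  const bytes = [];
  let buffer = 0, bits = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const value = alphabet.indexOf(ch);
    if (value < 0) throw new Error(`invalid base32 character: ${ch}`);
    buffer = (buffer << 5) | value;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >>> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(bytes);
}

// Parse the enrolment URI that the QR code encodes.
function parseOtpauthUri(uri) {
  if (!uri.startsWith('otpauth://totp/')) throw new Error('not a TOTP URI');
  const params = new URL(uri).searchParams;
  return {
    key: base32Decode(params.get('secret') || ''),
    digits: Number(params.get('digits') || 6),
    period: Number(params.get('period') || 30), // seconds per code
  };
}

// HOTP (RFC 4226): HMAC over an 8-byte counter, then dynamic truncation.
function hotp(key, counter, digits) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the counter is the number of periods since the Unix epoch.
function totp(account, unixSeconds) {
  const counter = Math.floor(unixSeconds / account.period);
  return hotp(account.key, counter, account.digits);
}

// Server side: accept the current code and, to tolerate clock drift,
// `window` periods either side of it.
function verifyTotp(account, submitted, unixSeconds, window = 1) {
  const counter = Math.floor(unixSeconds / account.period);
  const given = Buffer.from(String(submitted));
  let ok = false;
  for (let drift = -window; drift <= window; drift++) {
    if (counter + drift < 0) continue;
    const expected = Buffer.from(hotp(account.key, counter + drift, account.digits));
    if (expected.length === given.length &&
        crypto.timingSafeEqual(expected, given)) ok = true;
  }
  return ok;
}

// Constructed enrolment URI using the RFC 6238 test key "12345678901234567890".
const SAMPLE_URI = 'otpauth://totp/Example:alice' +
  '?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8&period=30';

function demo() {
  const account = parseOtpauthUri(SAMPLE_URI);
  return {
    atT59: totp(account, 59),
    onePeriodLate: verifyTotp(account, totp(account, 59), 59 + 30),
  };
}

console.log(demo());
```

The code depends only on the shared secret and the clock, so the server accepts it from whoever submits it inside the window; that is why the phishing message quoted earlier asks the recipient to reply with a code.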

Here is how to set up 2FA on some of the more popular online accounts. Not all of them allow for authenticator apps; in that case, we list what is available. (If you’re just interested in using an authenticator app for your Twitter account, you can go directly to this article, which gives you all the steps needed — however, just to be convenient, we’ve included Twitter with the others here.)

Note: most of the following directions are for websites; if you can use a mobile app, directions will be given for that as well.

  • Log in to your Amazon account.
  • Hover over Accounts & Lists (in the upper-right corner) and go to Account > Login & security. (You can also simply follow this link.)
  • Scroll down to 2-step verification and click the Edit button. (You may be asked to reenter your password.)
  • Click Get Started, and Amazon will walk you through the process of registering your preferred authenticator app by syncing it through a QR code.

If you wish, you can also register a phone number to use as a backup text 2FA. Amazon also lets you opt out of 2FA for any specific devices.

Twitter lets you use a text message, an app, or a security key for authentication.

As with other services mentioned above, you can generate a backup code to use when you’re traveling and will be without internet or cell service. You may also see an option to create a temporary app password that you can use to log in from other devices. This can be used to log in to third-party apps if you have them linked to your Twitter account. Note that the temporary password expires one hour after being generated.

  • Open WhatsApp and find the Settings menu under the upper-right dots icon.
  • Look under Account > Two-step verification > Turn on.
  • The app will ask you to enter a six-digit PIN to use as verification; after that, it will request it the next time you register your phone number and also every once in a while (so you don’t want to forget it). You can optionally add an email address in case you forget your PIN.

Having an email associated with your WhatsApp account is important — if you don’t have one and forget your PIN, you’ll have to wait seven days before you can reset it. In the same vein, be cautious of emails encouraging you to turn off 2FA if you didn’t request it yourself.

Did we miss your favorite apps?

For more information, check out the 2FA Directory, which categorizes and lists companies that support 2FA and gives you the option to message a company on Twitter, Facebook, or email to request that 2FA be added.

A final note: while adding 2FA is great for an extra layer of security on all your accounts, remember that you should be changing and updating your passwords regularly even with 2FA enabled just to stay in tip-top shape. If that’s not your style, you can also use a password manager to automatically take care of it for you.

Update April 18th, 2023, 4:00PM ET: This article was originally published on February 28th, 2023, and has been updated to add the fact that Apple now offers 2FA with security keys and to warn about new phishing attempts.