thecyberwire.com – Iranian threat actor exploits N-day vulnerabilities. Threat actor nomenclature. CSC exposes subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia’s NTC Vulkan.
The advanced persistent threat known as APT41 has pressed into service an open source, red-teaming tool, Google Command and Control (GC2), for use in cyber espionage attacks marking a shift in its tactics.
According to the Google Threat Analysis Group (TAG) team, the APT41 group, also known as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails which contained links to a password protected file hosted in Drive.
When the file was opened, it fetched the GC2 payload. As detailed in the TAG April Threat Horizons report, this tool gets its commands from Google Sheets, most likely to hide the malicious activity, and exfiltrates data to Google Drive. The GC2 tool also enables the attacker to download additional files from Drive on to the victim’s system.
APT41 also previously used GC2 last July to target an Italian job search website, according to TAG.
TAG researchers noted that incidents such as this highlight several trends by China-affiliated threat actors, such as using publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.
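The tasking channel described above (commands pulled from Google Sheets, data pushed to and pulled from Drive) leaves a trace in proxy or EDR telemetry: a process that is neither a browser nor the Drive client reaching Google document APIs, often on a fixed cadence. The following is an added example, not code from the article or from Google TAG; the log format, the host list, the process allowlist, the sample log lines and the thresholds are constructed assumptions for illustration.

```python
"""Flag non-browser processes that reach Google Sheets/Drive APIs on a fixed cadence.

Added example; not part of the original article or any vendor tooling.
Log format, host names, allowlist and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Google hosts a Sheets-tasked, Drive-exfiltrating implant would need to reach.
# Assumed set; tune to what your proxy actually logs.
GOOGLE_DOC_HOSTS = {
    "sheets.googleapis.com",
    "www.googleapis.com",
    "docs.google.com",
    "drive.google.com",
}

# Processes normally expected to talk to these hosts (assumed allowlist).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivesync.exe"}

# Constructed proxy log: timestamp, endpoint name, process image, destination host.
SAMPLE_LOG = """\
2023-04-11T09:00:00Z,ws-17,chrome.exe,docs.google.com
2023-04-11T09:00:05Z,ws-17,updater.exe,sheets.googleapis.com
2023-04-11T09:00:35Z,ws-17,updater.exe,sheets.googleapis.com
2023-04-11T09:01:05Z,ws-17,updater.exe,sheets.googleapis.com
2023-04-11T09:01:35Z,ws-17,updater.exe,sheets.googleapis.com
2023-04-11T09:02:05Z,ws-17,updater.exe,www.googleapis.com
2023-04-11T09:03:12Z,ws-22,chrome.exe,sheets.googleapis.com
2023-04-11T09:04:40Z,ws-22,chrome.exe,drive.google.com
2023-04-11T09:05:00Z,ws-31,outlook.exe,sheets.googleapis.com
"""


def parse_log(text):
    """Yield (timestamp, host, process, destination); skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2].lower(), parts[3].lower()


def find_suspicious_google_c2(text, min_hits=4, max_cv=0.25):
    """Return {(host, process): finding} for unexpected processes hitting
    Google document APIs.  A process with at least `min_hits` requests whose
    inter-request gaps are nearly constant (coefficient of variation <= max_cv)
    is marked 'beaconing'; anything else is 'unexpected-process' for triage."""
    hits = defaultdict(list)
    for ts, host, proc, dest in parse_log(text):
        if dest in GOOGLE_DOC_HOSTS and proc not in EXPECTED_PROCESSES:
            hits[(host, proc)].append(ts)

    findings = {}
    for key, stamps in hits.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits:
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 0.0
            if cv <= max_cv:
                findings[key] = {"verdict": "beaconing",
                                 "hits": len(stamps),
                                 "mean_gap_s": round(avg, 1)}
                continue
        findings[key] = {"verdict": "unexpected-process", "hits": len(stamps)}
    return findings


if __name__ == "__main__":
    for (host, proc), finding in find_suspicious_google_c2(SAMPLE_LOG).items():
        print(f"{host} {proc}: {finding}")
```

On the constructed log, `updater.exe` on `ws-17` is reported as beaconing (five requests, 30-second spacing) while the single `outlook.exe` request on `ws-31` is flagged only as an unexpected process; browser traffic to the same hosts is ignored. Against real telemetry the allowlist needs the organization's own sync and automation clients, and the cadence test should be paired with volume thresholds so that large Drive uploads from an unexpected process are not missed simply because they are irregular.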
Using Publicly Available Tools
Chinese APT groups have increasingly used publicly available (and legitimate) tools such as Cobalt Strike and other penetration testing software, which is available on sites like GitHub; there’s also been a shift to using lesser-known red teaming tools such as Brute Ratel and Sliver to evade detection during their attacks.
The use of such “living off the land” tactics is well known in financially motivated cyberattackers, but less so among APTs that are better resourced and can develop custom tools. Yet Christopher Porter, head of threat intelligence for Google Cloud, said in the report that it is “only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems.”
He adds: “A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard coded into security systems screening for spam or malware.” He also flagged the use of cloud services for stealth and legitimacy: “Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control.”
Who Is APT41?
The group’s activities illustrate the “continued overlap of public sector threat actors targeting private sector organizations with limited government ties,” according to the TAG analysis.
Last year the same group was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong, as well as targeting multiple US government agencies using the Log4j vulnerability.
Bronze Atlas is “one of the most prolific groups we have been tracking for a long time,” says Marc Burnard, senior security researcher for Secureworks’ Counter Threat Unit, which has tracked the group since at least 2007. During that time, he says, the group “has been very prolific.”
Burnard says APT41 has gone after a range of targets, including government, healthcare, high-tech manufacturing, telcos, aviation, non-governmental organizations (NGOs), and targets in line with China’s political and economic interests.
“They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well,” he notes.
Asked why this particular Taiwanese media company would be targeted, Burnard says there could be several reasons, including the China-Taiwan political situation, a goal of using the victim to target other organizations and individuals, or a “destructive element.”
APT41 Quiets Down Its Wall of Noise
As mentioned, the TAG report found that the attackers sent phishing emails to the victim containing links to legitimate cloud services in order to avoid detection — links to a trusted cloud service don’t set off email filters. Burnard points out that this is part of a style change for the group, as up until the last few years it was quite noisy in its attacks, and not too worried about the activity being detected.
However, since the 2020 indictment of seven alleged cybercriminals, which reportedly included members of APT41, the activity has been stealthier, and Burnard says the APT is now moving towards legitimate tools like Cobalt Strike, and towards cloud services, to hide its intent and activity.
DNS server attackers don’t have it easy anymore, thanks to a new technology developed at USC Viterbi’s Information Sciences Institute (ISI).
ASM Rizvi, lead research engineer, Jelena Mirkovic, research team lead, John Heidemann, principal scientist, Wes Hardaker, senior computer scientist, and Robert Story, research lead, were awarded the Best Paper Award at the IEEE (1) COMSNETS in January 2023.
The team’s paper, “Defending Root DNS Servers Against DDoS Using Layered Defenses,” describes the system they designed to successfully fight incoming attacks on DNS servers.
“We highlighted several real world attack events that we observed in the DNS root server and we showed that using our system, we could have successfully mitigated them,” Rizvi said.
These layered defenses include filtering for “spoofed” or disguised attacker traffic, identifying known-good traffic to let through, and detecting suddenly aggressive DNS clients.
Their paper was chosen for the award out of 34 papers that were accepted into the conference.
Distributed Denial-of-Service (DDoS) Attacks
The Domain Name System, invented at USC Viterbi ISI by Paul Mockapetris, translates website domain names (such as www.google.com) into numerical values (IP addresses) which are needed to route the user requests to the correct server.
Their job, helping a web browser parse a web page address, is crucial in making sure the right page pops up.
Without DNS servers, finding what we need would be a much more time consuming and difficult task.
Unfortunately, they may suffer from Distributed Denial-of-Service (DDoS) attacks, which overwhelm the targeted server with an influx of traffic that disrupts normal traffic flow; it’s like a deliberate highway traffic jam, preventing you from getting to work on time.
DDoS attacks “keep legitimate clients from gaining access to the server,” Rizvi says, because all of its resources are already allocated to fulfilling the attackers’ requests.
Mirkovic added that these DNS servers are “especially challenging to protect against attacks” because they are public servers that are accessed by a variety of customers with a wide range of behaviors.
“So there are some customers that send very little traffic sporadically, maybe a few queries per day and others that send tens of thousands of queries per second, so it’s a big range to be able to model,” Mirkovic explained.
Operation Defend those Servers!
A special role in the DNS operation is played by DNS root servers, which serve as a focal point for many requests.
These root servers direct DNS clients to more specialized DNS servers, which ultimately fulfill their queries, akin to the 411 service humans use to find out contact information for various businesses and people.
USC Viterbi ISI is home to the first root server ever. There are only 13 DNS root servers globally, one of which is B-Root, operated exclusively by USC.
B-Root receives billions of requests each day, so the team was able to use its live traffic and data sets to design and test their defenses as a case study.
“Our system was certainly developed and formed from what we learned from B-Root,” Heidemann said.
Their system, called DDiDD (DDoS Defense In Depth for DNS), “contains a collection of defense modules, and when a DNS server is attacked, the system then picks which module to deploy,” Heidemann added. It also “knows how and when to change if the original choice doesn’t work.”
This is the team’s concept of a layered defense. Heidemann says that “no single one of our different defenses will completely stop an attack, but together they minimize an attack’s effects.”
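The layered design described above (filtering spoofed traffic, admitting known-good clients, limiting suddenly aggressive sources, with the system choosing a module and escalating when the first choice does not bring load under capacity) can be illustrated with a small simulation. This is an added example, not the DDiDD code or the paper’s actual algorithms: the TTL-based spoof check, the module ordering, the capacity figure and the three constructed traffic mixes are all assumptions made for illustration.

```python
"""Toy simulation of a layered DNS DDoS defense with module selection.

Added example; not the DDiDD implementation.  The baselines, thresholds,
module ordering and traffic mixes below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src: str      # source IP address of the query
    ttl: int      # IP TTL as it arrived (hop-count evidence)
    legit: bool   # ground truth, used only to score the simulation


# Frequent clients observed before the attack (constructed allowlist).
KNOWN_GOOD = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}
# TTL each known client normally arrives with (constructed hop-count baseline).
TTL_BASELINE = {"198.51.100.10": 57, "198.51.100.11": 57, "203.0.113.5": 49}


def spoof_filter(queries):
    """Layer 1: drop queries whose TTL contradicts the learned value for their source
    (a forged source address rarely arrives with the real client's hop count)."""
    return [q for q in queries if TTL_BASELINE.get(q.src) in (None, q.ttl)]


def aggressive_client_filter(queries, limit=50):
    """Layer 2: cap every source at `limit` queries for the measurement window."""
    seen, kept = Counter(), []
    for q in queries:
        seen[q.src] += 1
        if seen[q.src] <= limit:
            kept.append(q)
    return kept


def known_good_filter(queries):
    """Layer 3 (most collateral damage): admit only previously seen frequent clients."""
    return [q for q in queries if q.src in KNOWN_GOOD]


# Assumed ordering: least collateral damage first, escalate only when needed.
MODULES = [("spoof", spoof_filter),
           ("aggressive", aggressive_client_filter),
           ("known-good", known_good_filter)]


def select_defense(queries, capacity):
    """Return (module_name, surviving_queries): the first module whose surviving
    load fits `capacity`, or the last module if none is sufficient."""
    if len(queries) <= capacity:
        return "none", list(queries)
    for name, module in MODULES:
        kept = module(queries)
        if len(kept) <= capacity:
            break
    return name, kept


def legit_traffic():
    """Constructed legitimate load: 40 queries from each frequent client plus
    a few sporadic queries from clients the server has never profiled."""
    qs = []
    for src in sorted(KNOWN_GOOD):
        qs += [Query(src, TTL_BASELINE[src], True)] * 40
    for src in ("203.0.113.50", "203.0.113.51", "203.0.113.52"):
        qs += [Query(src, 55, True)] * 2
    return qs


def attack_traffic(kind):
    """Constructed attack mixes used by the simulation."""
    if kind == "spoofed":        # forged source of a frequent client, wrong hop count
        return [Query("198.51.100.10", 128, False)] * 500
    if kind == "small-botnet":   # 3 real sources, 300 queries each
        return [Query(f"192.0.2.{i}", 60, False) for i in range(3) for _ in range(300)]
    if kind == "large-botnet":   # 20 real sources, 300 queries each
        return [Query(f"192.0.2.{i}", 60, False) for i in range(20) for _ in range(300)]
    raise ValueError(kind)


def run_scenario(kind, capacity=300):
    """Simulate one attack and report which module was chosen and its cost."""
    queries = legit_traffic() + attack_traffic(kind)
    module, kept = select_defense(queries, capacity)
    legit_total = sum(q.legit for q in queries)
    return {"module": module,
            "kept": len(kept),
            "legit_dropped": legit_total - sum(q.legit for q in kept),
            "attack_kept": sum(not q.legit for q in kept)}


if __name__ == "__main__":
    for kind in ("spoofed", "small-botnet", "large-botnet"):
        print(kind, run_scenario(kind))
```

With the constructed inputs the spoofed flood is removed by the first layer with no legitimate loss, the small botnet is absorbed by per-client limiting, and only the large botnet forces escalation to the known-good allowlist, which costs the six queries from unprofiled clients. That last figure is the collateral damage the layered approach tries to defer for as long as a cheaper module still keeps the server within capacity.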
A successfully developed and proven defense, however, is not the end all be all. Attackers are constantly changing their methods and patterns, which means defenses must adjust accordingly.
“Like most security problems this is an arms race, and if we make it harder, they’ll make it harder still and so on. 5 years from now, what will the modules to defend be? I’m not sure,” Heidemann said.
Bringing Home the Prize
Even with the cyber-attack sphere constantly evolving, the team is proud of their contribution and its utility.
“One of the big goals of the paper was to show that it’s feasible to have an array of defenses and to select which one works best for each attack, and we have shown that it is possible and how to do it,” Heidemann said.
Mirkovic said she was “thrilled” when the paper took home the award.
“We put in a lot of work, and I think it’s an under researched area that doesn’t see a lot of attention, so I think that is part of what made our work stand out,” she added.
Next up is operationalizing the software so that the broader University community can implement it.
“We are deploying the system in the real server, and trying to see when new attacks come, whether our system can handle it or not,” Rizvi explained. “Then we can work on enriching the system and making it stronger.”
(1) The IEEE is the largest global professional organization for the advancement of technology. COMSNETS is a conference dedicated to the discussion of innovative technologies in communication and networking systems.
Published on April 18th, 2023
Last updated on April 18th, 2023
With the cyberthreat landscape constantly evolving and growing numbers of businesses falling victim to attacks, the need for cyber insurance has never been higher. Craig Somerville, Managing Director and CEO of Somerville, shares 10 factors to consider when seeking cyber insurance coverage.
Designed to assist organisations to cope with the disruption and cost of an attack, cyber insurance policies come in many shapes and sizes. They cover a range of areas including the loss of data, ransomware attacks and the reputational damage caused by an attack.
Some policies extend even further and provide assistance with privacy liability, media liability, regulatory proceedings, and fallout from supply-chain attacks. All will provide vital support when an organisation needs it the most.
A variety of claims
Cyber insurance policies are regularly assisting organisations of all sizes when they suffer an attack. Recent examples have included:
Missing laptop: A company employee misplaced a laptop which contained a list of 1000 client records and credit card details. A total of $250,000 was paid for the cost of notifying the affected individuals and the Privacy Commissioner of the data breach.
Encrypted records: An insured company discovered that a hacker had gained remote access to a server and encrypted client records. The hacker then demanded a ransom of $100,000 in Bitcoin to decrypt the files. The cyber insurance policy led to the company being paid $300,000 for the extortion claim and loss of income, together with the cost of notifying the affected individuals and the Privacy Commissioner.
Fake email: A cybercriminal impersonated a client of an insured company using an identical email address. The hacker then redirected payments totalling $41,000 into a new fraudulent bank account. The company claimed against their cyber insurance policy and suffered no loss.
Securing appropriate insurance cover
There are a range of factors to consider when selecting and purchasing a cyber insurance policy. Each policy will have an impact on whether cover can actually be secured and whether it will provide the level of protection that is sought.
The top 10 factors to consider are:
Encryption: It is important to ensure that all sensitive and personal data is encrypted both at rest and in transit. This will reduce the chances of it being misused following an attack.
MFA: The deployment of Multi-factor Authentication (MFA) is likely to be a requirement of many insurers. MFA can significantly reduce the chances of unauthorised parties gaining access to corporate IT resources.
Endpoint protection: All endpoints on an organisation’s network should be protected by the use of firewalls and antivirus software. It is also important that these tools are regularly updated.
Data backups: All critical data needs to be regularly backed up to ensure recovery is possible should an attack take place. Backups should also be stored off-site and segregated from the main corporate environment.
Backup testing: Data backups should also be regularly tested to ensure their integrity and confirm that they are capable of restoring all core systems within the organisation.
Email scanning: All incoming email should be automatically scanned for malicious links and attachments. This will reduce the chances of a cybercriminal gaining access to centralised systems.
User training: Regular security awareness training should be conducted for all staff. This should include clear explanations of the risks being faced and the steps staff can take to ward off attacks.
Admin checks: Organisations should also have in place established procedures to verify requests for changes in customer and partner details. This will ensure only legitimate requests are actioned.
Financial checks: Rigorous checks should also be in place when it comes to authorising any financial transactions. This could include the need for at least two parties to authorise all transactions over a set amount.
Patch management: There needs to be in place a patch management policy that ensures all critical patches are installed as quickly as possible after their release.
By taking these factors into account, organisations will improve their level of cyber security while also making it more likely they will be able to secure an appropriate level of cyber insurance.
The threats posed by cybercriminals are going to continue to evolve and grow. Having a cyber insurance policy in place, backed by effective security procedures, will afford organisations the best possible levels of defence.
SaaS data protection provider Spin.ai has launched two new service modules — SaaS security posture management (SSPM) and SaaS data leak prevention/loss protection (SDLP) — along with a few new capabilities for existing modules, to its flagship SaaS security platform SpinOne.
The enhancements to the SaaS-based offering aim to protect SaaS applications, automate manual processes, and minimize business downtime for organizations.
Both SSPM and SDLP are being added as new subscriptions on the SpinOne platform and are generally available, along with the other capabilities released for existing modules.
The new capabilities for SpinOne’s existing modules include improvements for SaaS ransomware detection and response (SRDR), integration with Jira and ServiceNow, and support for Slack.
“Many organizations underestimate the risks associated with SaaS data or believe that their cloud provider has it covered,” said Davit Asatryan, director of product at Spin.ai. “The shared responsibility models for Google, Microsoft, Salesforce, and Slack note that they take care of the physical security of their data centers and underlying infrastructure, but your data is still your responsibility. SpinOne makes SaaS security easier and faster for SecOps teams.”
Managing SaaS data, access and security
SpinOne’s SSPM is designed to offer automated security controls to help companies detect and respond to misconfigurations, and provides an inventory of unsanctioned third-party apps and extensions.
The module is powered by SpinOne’s database of more than 300,000 apps and extensions assessed by an in-house AI algorithm, which, according to Asatryan, significantly reduces risk assessment time.
“SpinOne SSPM outperforms other offerings by providing a risk assessment for third-party applications and browser extensions using a thorough list of over 15 risk criteria to perform assessments and is also geared toward understanding compliance risks related to regulatory frameworks like GDPR, HIPAA, SOC, CCPA, and others,” Asatryan said.
The tool essentially offers visibility into SaaS apps, cloud apps, mobile apps and browser extensions and cross-references any suspicious posture with SpinOne’s historic database to arrive at a risk score of 0 to 100. This, the company claims, eliminates the heavy lifting of manual assessment, bringing total risk assessment time to minutes and seconds.
In addition, SpinOne’s new SDLP module offers SaaS access management, backup, and recovery capabilities.
“SaaS DLP complements existing identity management tools and helps control all unauthorized access to sensitive SaaS data using SpinOne’s configurable access management and advanced reporting,” Asatryan said.
SaaS backup aims for quick data retrieval
SpinOne has added an integrated SaaS backup offering which promises recovery of lost data within minutes and hours as opposed to conventional weeks and months.
Additionally, SpinOne’s SRDR module now supports 24-hours-a-day, seven days a week ransomware monitoring and automated incident alerts, designed to help customers recover from ransomware attacks with minimum downtime. This “in-progress” detection of ransomware attacks adds to SpinOne’s “within hours” recovery claim.
“Both Google and Microsoft have API and throttling limits, i.e., how much data can be recovered at once (10 I/O requests per second), to help avoid the problem of one tenant affecting the performance of other tenants. However, in the case of an attack, it can result in downtime and recovery times of weeks or months depending on the amount of data,” Asatryan said.
By stopping an attack in progress, the damage is limited, and the files can be recovered within the company’s two-hour service level agreement, he added.
SpinOne supports JIRA, ServiceNow and Slack
SpinOne’s integration with Jira and ServiceNow allows for the creation of automated incident alerts, eliminating the need for manual intervention by security teams, the company said.
“With this integration, customers can create policies in SpinOne and select existing ticketing ecosystems such as Jira and/or ServiceNow as an output, where actionable tickets can be created. These integrations help streamline SaaS security operations by automatically creating real-time actionable tickets and maintain logs of such tickets to reduce and mitigate incidents,” Asatryan said.
Support for Slack has also been added on SpinOne to meet data protection and compliance requirements, ensure business continuity, and decrease recovery costs. This includes setting up an automated backup of Slack data three times a day on AWS, GCP, Azure, or other computing platforms.
Using 2FA to protect your accounts is a lot safer than using just passwords, especially if you use a separate authenticator app.
[Image: phishing message sent to Richard Lawler. Image credit: Richard Lawler]