
“There is no security on this earth; there is only opportunity.”
Douglas MacArthur
Man oh man, has it been some time since I last wrote an article. I apologize for being away for so long, but I am back. Since the last time I wrote, I was laid off from my job of 9 years, my roof leaked and flooded my office, the repair job to fix the leak leaked, and finally my office was fixed and power was restored. Obviously, with more time on my hands, I hope to be pumping out more articles. Time will tell, but let's get started!
AI Will Increase Ransomware

The National Cyber Security Centre (NCSC), a part of GCHQ, has warned that artificial intelligence (AI) is expected to increase the global ransomware threat over the next two years. The report concludes that AI is already being used in malicious cyber activity and will likely increase the volume and impact of cyber attacks, including ransomware, in the near term. The use of AI lowers the barrier of entry for novice cyber criminals, enabling relatively unskilled actors to carry out more effective access and information-gathering operations. This, combined with improved targeting of victims afforded by AI, is expected to contribute to the global ransomware threat in the next two years. Ransomware continues to be the most acute cyber threat facing UK organisations. The government has invested £2.6 billion under its Cyber Security Strategy to improve the UK’s resilience, with the NCSC and private industry adopting AI to enhance cyber security resilience. The report suggests that cyber criminals have started developing criminal Generative AI (GenAI) and offering ‘GenAI-as-a-service’. The report emphasizes the importance of secure-by-design AI systems and encourages organisations and individuals to follow ransomware and cyber security hygiene advice to strengthen their defences.
My Thoughts:
No kidding! During my stint handling email security in my previous role, there was a noticeable surge in high-quality phishing emails right after the release of version 3 of ChatGPT’s Large Language Model (LLM). These AI models significantly streamline the process of crafting sophisticated emails, devising malicious code, and generating various forms of ransomware or payloads. With minimal technical expertise, practically anyone can leverage an LLM to execute malicious actions. While many of these services implement safeguards to thwart nefarious requests, circumventing them isn’t as challenging, as numerous car dealerships have unfortunately discovered. I’ve emphasized this point repeatedly, but it’s worth underscoring: AI is poised to intensify the complexity of the security landscape.
Microsoft Senior Execs’ Email Compromised

Microsoft has disclosed a nation-state attack on its corporate systems carried out by the Russian state-sponsored hacking group Nobelium, the same group behind the SolarWinds attack. The attackers, also known as Midnight Blizzard, accessed email accounts of some members of Microsoft’s senior leadership team starting in late November 2023. The attack was detected on January 12, 2024, and Microsoft’s security team activated response processes immediately. The attackers used a “password spray attack” to compromise a legacy non-production test tenant account initially and then used the account’s permissions to access a small percentage of Microsoft corporate email accounts. Microsoft states that the attack was not the result of a vulnerability in its products or services, and there is no evidence that the threat actor had access to customer environments, production systems, source code, or AI systems. The investigation is ongoing, and Microsoft is working with law enforcement and regulators.
My Thoughts:
I recently defended Microsoft amidst a series of compromises to their Azure tenants during a highly sophisticated and distinctive attack sponsored by the Chinese government. However, the frequency of such incidents is making it increasingly challenging to maintain a defensive stance. With a market cap surpassing a trillion dollars, one would expect the capacity to allocate resources for teams dedicated to automating key rotation and decommissioning obsolete legacy environments.
The revelation that a non-production test account was accessible via the public web raises questions, though it’s plausible that we might not have the complete picture. A former security manager I collaborated with consistently emphasized that without robust security policies reinforced by stringent enforcement, developers and engineers are prone to jeopardize systems. In a climate where the mantra is to “move fast and break things,” security often becomes the initial casualty.
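The password spray described in the Microsoft summary above (many accounts, few guesses each, landing on a forgotten test account) is exactly the pattern a sign-in log can surface. The detector below is an added example written for this article, not code from Microsoft or from the original post; the log format, tenant, users and IP addresses are constructed.

```python
"""Password-spray detection over sign-in events.

Added example, not from the original post or from Microsoft's report.
A spray is many accounts tried from one source with few attempts each,
so failures are keyed by source IP and the count is of *distinct*
accounts, not of attempts (a brute force on one account looks different).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: hypothetical tenant, invented users and IPs.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z alice 203.0.113.7 FAIL
2024-01-12T03:00:09Z bob 203.0.113.7 FAIL
2024-01-12T03:00:17Z carol 203.0.113.7 FAIL
2024-01-12T03:00:25Z dave 203.0.113.7 FAIL
2024-01-12T03:00:33Z erin 203.0.113.7 FAIL
2024-01-12T03:00:41Z frank 203.0.113.7 FAIL
2024-01-12T03:00:49Z legacy-test 203.0.113.7 SUCCESS
2024-01-12T03:02:00Z alice 198.51.100.4 FAIL
2024-01-12T03:02:05Z alice 198.51.100.4 FAIL
2024-01-12T03:02:10Z alice 198.51.100.4 SUCCESS
"""

def parse_events(text):
    """Parse 'timestamp user src_ip result' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Map src_ip -> sorted accounts for sources whose failures inside any
    `window` touch >= min_accounts accounts with <= max_per_account tries each."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = defaultdict(set)
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):          # sliding window over this IP's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[ip].update(per_user)
    return {ip: sorted(users) for ip, users in findings.items()}

def successes_from_sprayers(events, findings):
    """Successful sign-ins from a flagged source: the spray may have landed."""
    return [(user, ip) for _, user, ip, result in events
            if result == "SUCCESS" and ip in findings]
```

Only 203.0.113.7 is flagged: six accounts, one failure each, followed by a success on legacy-test, which is the account to lock and investigate; 198.51.100.4 is a single user mistyping a password.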
HPE Has an Email Breach

Hewlett Packard Enterprise (HPE) has disclosed that it was targeted by a cyberattack believed to be sponsored by the Russian government. The company was notified on December 12, 2023, that the threat group Midnight Blizzard, also known as Cozy Bear, had hacked into its cloud-based email environment. HPE said it expelled the attackers, but its investigation revealed that the threat actor gained access to its systems and began exfiltrating data in May 2023. The attackers targeted “a small percentage of HPE mailboxes” used by staff in cybersecurity, go-to-market, business segments, and other departments. HPE believes the incident is likely related to earlier activity by the same threat actor, of which it was notified in June 2023.
My Thoughts:
Russian cyber actors remain highly active, with the same group (Cozy Bear) responsible for the Microsoft breach now targeting other U.S.-based tech companies. HPE has not provided comprehensive details on the initial breach method, but my speculation aligns with the notion that they may have exploited employee accounts through password spraying, mirroring the tactics used in the Microsoft incident. It’s noteworthy that SEC disclosures have become a primary source for insights into cybersecurity breaches, yet it’s a wish shared by many that such disclosures would mandate a more thorough exposition of the intrusion techniques employed. If Russian attackers could breach two major companies using a similar approach, it raises concerns about the potential extent of undiscovered breaches across various organizations.
Crypto Holders are Getting Better at Securing their Funds

In the Chainalysis 2023 Crypto Crime Report, findings reveal a notable decline in overall cryptocurrency theft, decreasing by 54.3% from $3.7 billion in 2022 to $1.7 billion in 2023. The significant drop is primarily attributed to a 63.7% decrease in stolen funds from decentralized finance (DeFi) hacking, which totaled $1.1 billion in 2023. The report classifies DeFi attack vectors into on-chain and off-chain categories, emphasizing a shift in vulnerabilities over the year, with compromised private keys becoming more prominent. Additionally, the report highlights the persistent threat of North Korea-affiliated hackers, who stole over $1.0 billion in 2023 across 20 recorded hacks. A case study on the Atomic Wallet exploit illustrates North Korean hackers’ tactics and fund laundering methods. The report suggests that while attackers are becoming more sophisticated, improved security measures and prompt responses from crypto platforms contribute to a decline in funds stolen from cryptocurrency hacks.
My Thoughts:
I’ve been a part of the crypto community since the days when Mt. Gox was the go-to platform for converting crypto into cash, and Bitcoin was a mere $20 per coin. While I wasn’t a major investor and missed out on some spectacular gains, I did experience the downside of the Mt. Gox hack. The absence of regulatory and security frameworks, typical of traditional banks, in the early days of cryptocurrency paved the way for exploitation. Over the past year, many in the crypto space, both users and companies, have come to realize that image and trust are synonymous. The prevalence of fraud and hacking incidents has made the adoption of a new form of currency less appealing. However, I remain optimistic that cryptocurrency will find its place in modern society. It’s absorbing the lessons from other forms of currency, adapting, and evolving in the right directions.
Japan’s Endless Struggle Against APT10: LODEINFO

LODEINFO is a fileless malware first identified in spear-phishing email campaigns since December 2019, often targeting Japanese media, diplomacy, public institutions, defense industries, and think tanks. Associated with the APT10 group, LODEINFO’s infection involves users opening a malicious Word file attached to phishing emails. The malware has evolved with multiple versions, the latest being v0.7.3 as of January 2024. The infection flow begins with a Maldoc that injects LODEINFO into memory. Updates include VBA code changes, adoption of 64-bit architecture support, and the introduction of Remote Template Injection. The Downloader Shellcode decrypts a Fake PEM file, with the malware featuring a unique structure and self-patching mechanisms. LODEINFO’s Backdoor Shellcode, allowing remote access, shows changes in hash calculation algorithms and additional backdoor commands in recent versions. The attacker’s infrastructure consistently utilizes AS-CHOOPA. Detection remains challenging, emphasizing the importance of in-memory scanning and ongoing research to counter LODEINFO’s evolving tactics.
My Thoughts:
The aforementioned report originates from ITOCHU Cyber & Intelligence Corporation in Japan, a significant player in the realm of general trading and investment. Renowned for its robust textile business and successful ventures in China, ITOCHU mirrors the diversified approach of companies like General Electric in the early 2000s. In 2023, the company ventured into the cybersecurity domain, establishing a dedicated entity. Since then, they’ve embarked on sharing insights through a blog, detailing their detection efforts.
As previously emphasized, email remains one of the most accessible avenues for infiltrating a company, often second only to password spraying. It serves as an open door susceptible to a variety of messages. A notable tactic observed in their report involves the use of a backdoor embedded in a Word document, cleverly exploiting the widespread acceptance of such files. This particular backdoor stands out not only for its persistence but also due to consistent updates by its authors. Moreover, the perpetrators ingeniously utilized Microsoft’s features against them by incorporating a malicious Word template file within the document, effectively concealing it from detection. Adding to the intrigue, the entire attack operates in the system’s memory, further complicating detection and mitigation efforts.
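The Remote Template Injection mentioned in the LODEINFO summary is declared inside the .docx package itself, which makes it checkable at the mail gateway before Word ever opens the file. The scanner below is an added example written for this article, not code from ITOCHU or from the original post; the sample documents it builds are constructed, and the template URL is a placeholder.

```python
"""Flag Word documents that pull a template from a remote URL.

Added example, not from the original post or from the ITOCHU report.
A .docx is a zip; an attached template is a Relationship of type
.../attachedTemplate in word/_rels/settings.xml.rels. Local templates
appear there too (file:/// targets, also marked TargetMode="External"),
so the scheme of the Target is what separates remote from local.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

def remote_templates(docx_bytes):
    """Return http(s) template URLs referenced by the document (empty if none)."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return urls                      # no settings relationships at all
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and urlparse(target).scheme in ("http", "https")):
                urls.append(target)
    return urls

def build_docx(template_target=None):
    """Constructed minimal .docx; template_target, if given, becomes an
    External attachedTemplate relationship (hypothetical sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if template_target is not None:
            rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                   f'Target="{template_target}" TargetMode="External"/>')
            zf.writestr(SETTINGS_RELS, f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    return buf.getvalue()

# Constructed samples: remote template (placeholder URL), local template, no template.
SUSPICIOUS = build_docx("http://template.example.invalid/t.dotm")
LOCAL = build_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
CLEAN = build_docx()
```

A gateway rule would quarantine any attachment for which remote_templates returns a non-empty list, since a document that fetches its template over HTTP at open time has no business in a routine inbox.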
Conclusion
With my office now repaired and a little more time to write, look out for a lot more articles! Good luck to all the engineers out there, and until next time, stay safe!