Ukrainian-Russian Tensions in Cybersecurity

SecPro#39: Ukrainian-Russian Tensions Spill Over into Cybersecurity, BlackByte Back, Threat Hunting within O365

After a week that has seen increasing tensions in both the real world and cybersecurity spaces, there has been plenty of cutting-edge news and analysis to deliver to the SecPro community. Threat intelligence, incident response, and malware analysis have been the main themes of our office and we wanted to share our insights into how you can improve your security posture in these trying times.

Make sure to check out the practical advice that’s included in this newsletter as well as new books available through the Packt Free Learning program. All four of the following titles are free right now for anyone wanting to learn more about defensive strategies that will protect your organization:

If you want my advice, Adversarial Tradecraft in Cybersecurity, Cybersecurity Attack and Defense Strategies, and Cybersecurity Attacks – Red Team Strategies are some of the popular books that Packt has to offer and they’d be my first choices if you’re planning on upskilling!

TL;DR 

  •  Ukrainian-Russian Tensions Spill Over into Cybersecurity 
  •  BlackByte Back – the Ransomware that Took Down the 49ers 
  •  Threat Hunting Within O365
  •  Beginner’s Corner – Using STRIDE After Threat Modeling
  •  Secret Knowledge: Popular Tools & Cloud Security

Cybersecurity News & Analysis News Byte: Ukrainian-Russian Tensions Spill Over into Cybersecurity

By Austin Miller

After a highly controversial week on the Ukrainian-Russian border, it didn’t take long for warfare to spill over into cyberspace. Many of the largest ransomware attacks that organizations all around the world face on a day-to-day basis have been designed to “pass through” systems that have CIS-aligned language packages installed, so it’s probably a surprise to no one that Ukraine and NATO-aligned nations have already started to face cyberattacks. 

Cyberattacks on Ukraine and Russia – what we know so far

In the media storm that has occurred over the last few days, numerous reports of targeted DDoS attacks have been identified. While this is obviously concerning for Ukrainian organizations, cybersecurity and IT teams should familiarize themselves with the known dangers that they could be facing too. 

The first known large-scale cyberattack in the region was a joint takedown of the websites for: 

  • The Ukrainian Ministries of Foreign Affairs, Defense, and Internal Affairs 
  • The Ukrainian Security Service 
  • The Ukrainian Cabinet of Ministers 
  • The Armed Forces of Ukraine 
  • Privatbank, the largest bank in Ukraine 
  • Oschadbank, the State Savings bank 

The State Service of Special Communication and Information Protection of Ukraine stated that these were massive DDoS attacks and the White House linked the DDoS attacks to Russia’s General Staff of the Armed Forces. 

In retaliation (but from an unknown source), Russia is also experiencing DDoS attacks against: 

  • kremlin.ru
  • doma.gov.ru 

Although it may be easy to presume that Ukraine is behind the attacks, some commentators have also pointed fingers in the direction of the US, a Ukrainian ally such as Germany, Anonymous, or possibly even a would-be hacktivist (much like P4x in the case of North Korea). 

Understanding the CISA advice

In reaction to the conflict on the Ukrainian-Russian border, the American Cybersecurity and Infrastructure Security Agency (CISA) has released two documents to help IT teams to harden their cybersecurity defenses. 

Shields Up

The American government’s position now is that all organizations which have the capability to do more should be going shields up. The suspected threat of cyberattacks to essential services is a real concern and that’s why the US government has presented a four-point plan to follow. 

Shields Up Guide for All Organizations:

  • Reduce the likelihood of a damaging cyber intrusion.  
  • Take steps to quickly detect a potential intrusion.
  • Ensure that the organization is prepared to respond if an intrusion occurs. 
  • Maximize the organization’s resilience to a destructive cyber incident. 

Best practices include creating and testing backups as regularly as possible and (if using industrial control systems/operational technology) running tests on the manual controls. If you want to read the full report, click this link

Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure

Although the calls to go shields up are mostly concerned with best practices and defensive posture, the supporting document has a broader scope. Within the threat overview, CISA notes that misinformation, disinformation, and malinformation (MDM) is a tool used by many threat actors. Recognizing MDM is important for organizations to avoid undermined security, potential unrest, and disrupted markets.

The rest of the CISA Insights document then deals with the best ways for leaders in organizations to coordinate and communicate accurate and trusted information.

  • Assess the information environment 
  • Identify vulnerabilities 
  • Fortify communication channels 
  • Engage in proactive communication 
  • Develop an incident response plan 

For a deep dive into the content, check out the Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure document here

What should cybersecurity professionals do?

If you find any cybercriminal activity on your network, reporting it to the authorities is always the best course of action. But the MISP is also a fantastic resource for quickly spreading information about cyberattacks and offering ideas for effective defenses. Check out https://www.misp-project.org/ for more information.


Malware Analysis: BlackByte Back – The Ransomware That Took Down the 49ers

By Austin Miller

Every year the Super Bowl rolls around and America celebrates with a larger-than-life occasion. But this year, a ransomware gang came back from almost a year in the wilderness to throw the celebrations into disarray. The BlackByte ransomware (known primarily as a RaaS that was first noticed in July 2021) took down the San Francisco 49ers network systems on Super Bowl Eve, casting a grim shadow on the American government’s plans to make 2022 the year that the ransomware gangs get what’s coming to them.

In truth, the attacks have been further reaching than an isolated server attack on a football team. The US government has confirmed that at least three attacks were launched against critical infrastructure sectors, one of which was the government. 


Wait, wasn’t BlackByte already stopped? 

Whereas most ransomware gangs would use a variety of encryption methods to lock down a variety of targets, it quickly became apparent that the BlackByte gang had only used one. This meant that when a victim had paid the ransom and received the decryption key, everyone was able to decrypt their systems by using the same tool. To say the least, this was a massive oversight by the cybercriminals.

But now that BlackByte is back, I’m sure that we will see attacks that aren’t so easily circumvented. 


Do I need to worry about BlackByte? 

BlackByte is a distinctly less threatening form of ransomware. Other ransomware gangs usually have a plan of attack that plays out as such: 

  • The ransomware infects an endpoint, spreads around the network, and encrypts critical and sensitive aspects of the network. 
  • Data is stolen and held by the ransomware gang on the threat of leaking the details, potentially causing millions of dollars in damage in terms of data protection. 
  • The infection may also have a tertiary attack built into the code or launched manually by the gang on failure to pay – the most notable example of this additional attack is BlackCat’s DDoS threats for anyone who doesn’t give in to their commands.

What are the Indicators of Compromise (IOCs) for BlackByte? 

Although most organizations should have adequate defenses against the first iteration of BlackByte (namely in the form of updates to close the Microsoft Exchange Server vulnerabilities), it has become apparent from the new Indicators of Compromise (IOCs) that BlackByte has changed its tactics, techniques, and procedures (TTPs).

Suspicious files discovered after infection 

  • Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946
  • inetpub\wwwroot\aspnet_client
  • Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
  • %AppData%\BB.ico
  • %AppData%\BlackByteRestore.txt [the ransom note left in all folders with encrypted files]
  • %AppData%\dummy
  • %HOMEPATH%\complex.exe [the ransomware executable]
  • Users\tree.dll [contains the message “Your HACKED by BlackByte team. Connect us to restore your system.”]
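
An added example, not part of the original newsletter: a Python triage sweep that checks a live or mounted Windows volume for the file paths listed above. It assumes %AppData% maps to AppData\Roaming and %HOMEPATH% to each profile folder under Users, and it treats the three listed directories as review locations because they can exist on a healthy IIS/Exchange host; the function and table names are illustrative.

```python
import sys
from pathlib import Path

# File indicators from the list above, relative to the volume root or to each
# user profile (assumed: %AppData% -> AppData/Roaming, %HOMEPATH% -> profile).
ROOT_FILES = {"Users/tree.dll": "contains the BlackByte message"}
PER_USER_FILES = {
    "AppData/Roaming/BB.ico": "listed without description",
    "AppData/Roaming/BlackByteRestore.txt": "ransom note",
    "AppData/Roaming/dummy": "listed without description",
    "complex.exe": "ransomware executable",
}
# Directories from the list. Assumption: they can exist on a healthy IIS/Exchange
# host, so their contents are reported for review instead of counted as hits.
REVIEW_DIRS = [
    "Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/root/e22c2559/92c7e946",
    "inetpub/wwwroot/aspnet_client",
    "Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth",
]

def resolve_ci(base, rel):
    """Resolve rel under base, matching each path component case-insensitively."""
    cur = Path(base)
    for part in rel.split("/"):
        try:
            cur = next(c for c in cur.iterdir() if c.name.lower() == part.lower())
        except (OSError, StopIteration):
            return None  # missing, unreadable, or not a directory
    return cur

def sweep(root):
    """Return (kind, path, note) tuples; kind is 'hit' or 'review'."""
    findings = []
    def check(base, table):
        for rel, note in table.items():
            p = resolve_ci(base, rel)
            if p and p.is_file():
                findings.append(("hit", str(p), note))
    check(root, ROOT_FILES)
    users = resolve_ci(root, "Users")
    for profile in sorted(users.iterdir()) if users and users.is_dir() else []:
        if profile.is_dir():
            check(profile, PER_USER_FILES)
    for rel in REVIEW_DIRS:
        d = resolve_ci(root, rel)
        for f in sorted(d.rglob("*")) if d and d.is_dir() else []:
            if f.is_file():
                findings.append(("review", str(f), "compare with a known-good baseline"))
    return findings

if __name__ == "__main__":
    for kind, path, note in sweep(sys.argv[1] if len(sys.argv) > 1 else "C:/"):
        print(f"{kind:6} {path}  ({note})")
```

A "hit" is a file from the list found at its expected location; a "review" entry is only a file inside one of the listed directories and needs comparison against a clean server before it means anything.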


Threat Hunting within O365

By Ricoh Danielson

Security operations and incident response teams need to be constantly on the lookout for new threats. Moreover, you need to be able to identify the specific activity spanning thousands of endpoints, the interconnections between the various log sources, and how this information can be used to react and respond appropriately. Today’s SecOps teams need tools that make it easy to spot out-of-the-norm activity. Detecting out-of-the-ordinary behavior as quickly as possible is the challenge for security operations centers (SOCs). That’s very challenging!

Let’s face it, all security teams want to stay ahead in their game. We help them gain visibility into their environment and find threats that are causing issues before they are a problem. Put your mind at ease. Whether you have a small team or thousands of users, we’ll provide you with the information you need. 


In O365, performing an advanced threat hunt is a critical part of securing the system

The majority of the world has migrated to O365 or a hybrid version of O365. Threats can, therefore, be hunted and mitigated within the O365 environment and settings. Most businesses either have the expertise to mitigate these threats in-house or utilize a third-party source like an MSSP.

In any case, more research into how, why, and what to look for in these data elements can greatly help us mitigate these threats. What we’re looking for is a magical question. So, the first step to hunting for security incidents is to know what to look for. 


What is required to conduct threat hunting in O365?

To run threat hunting in O365, the technical researcher will need access to an instance of O365. Depending upon how it is configured, there might be different viewpoints; however, here’s an example of a fully set up dashboard.


Beginner’s Corner – Using STRIDE After Threat Modeling

Although understanding the basic principles of threat modeling and how to use modeling tools is useful, threat modeling is nothing if there is no reaction! That’s why we’re going to look at the STRIDE Threat and Mitigation techniques. 

Although we have looked at STRIDE in the past, we still need to understand how to implement the threat list and implement useful practices to complement your investigations.

What is STRIDE?

STRIDE gives us a way to identify threats and classify attacks that the adversary uses against us. Broadly speaking, all threats can be sorted into one of STRIDE’s six categories. In case you’ve forgotten, STRIDE stands for: 

  • Spoofing 
  • Tampering 
  • Repudiation 
  • Information Disclosure 
  • Denial of Service 
  • Elevation of Privilege 

Lateral movement is often included in the STRIDE threat model, rendering it STRIDE-LM. Because of that, the advice below also contains advice for dealing with opportunities for lateral movement in your applications. From this acronym, we can develop toolkits that help find and treat problems in our software. 

How do I implement STRIDE?

After you gain a full understanding of your application’s threat model and identify the risks present in your software, you need to find a way to address these issues. Thankfully, we can turn to the NIST Cybersecurity Framework (CSF) for advice.


Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test AI and IoT devices. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.

  • nightwatchcybersecurity/gitbleed_tools: This repo contains shell scripts that can be used to download and analyze differences between cloned and mirror Git repositories.
  • Cache-Money/chronorace: It is a tool to accurately perform timed race conditions to circumvent application business logic.
  • jfrog/jfrog-npm-tools: A collection of tools to help audit your NPM dependencies for suspicious packages or continuously monitor dependencies for future security events.
  • ahmetb/serverless-registry-proxy: This project offers a very simple reverse proxy that lets you expose your public or private Docker registries (such as Google Container Registry gcr.io, Google Artifact Registry (*.pkg.dev) or Docker Hub account) as a public registry on your own domain name.

Container Security

  • antitree/keyctl-unmask: This tool “Goes Florida” on container keyring masks. It is a tool to demonstrate the ineffectiveness of containers at isolating Linux Kernel keyrings.
  • genuinetools/amicontained: Container introspection tool. Find out what container runtime is being used as well as features available.
  • brompwnie/botb: A container analysis and exploitation tool for pentesters and engineers.
