SecPro #41: Understanding WhisperGate, Applying the MITRE ATT&CK framework, Analyzing Password Strength
In an effort to help people understand how to use the framework to improve their security posture, we’re going to run a series on the Top 10 MITRE ATT&CK procedures that were logged in 2021.
Beginner’s Corner is also being renamed “CyberSec Fundamentals”. The SecPro team will help you explain the fundamentals of good cybersecurity practice and point you to resources for making sure your organization gets the basics right. That way, you can shore up the weakest part of any cybersecurity system – the human aspect! This issue also takes a closer look at WhisperGate.
- Implementing the MITRE ATT&CK Framework
- Understanding WhisperGate: Are Wipers the New Weapon of the Adversary?
- CyberSec Fundamentals: “Why should I care about password strength?”
- News Bytes: Chinese APT & RagnarLocker attacks the US
- Secret Knowledge: Mobile, IoT & Data Security Tools
MITRE ATT&CK: Implementing the MITRE ATT&CK Framework
By Austin Miller
I recently attended a conference concerning the implementation of the MITRE ATT&CK framework and something became very clear to me – it’s all well and good understanding what it is, but how easy is it to actually implement the framework in the average cybersecurity day-to-day workflow? It is easy to browse the content, but is it as easy to use it effectively to build solid defences?
Turning the MITRE ATT&CK framework from theory into practice is difficult, especially for organizations that are still in the process of building their security infrastructure. That’s why the SecPro team will be dealing with how to implement simple solutions to the problems that the framework brings up.
Of course, we can’t examine every single entry. Instead, I’ll be referring to The Red Report by Picus Security, the latest update in their research on adversarial techniques, tactics, and procedures (TTPs). You can read the report yourself here or eagerly await the weekly edition of SecPro.
T1497 – Virtualization/Sandbox Evasion
To build an effective security posture, you need to understand how the adversary gets past the defenses in your arsenal. But a recent trend in malware creation is causing security researchers a real headache: evasive behaviour that detects, and escapes from, the virtualization or sandboxing a researcher put in place to contain and analyze the sample.
Understanding WhisperGate: Are Wipers the New Weapon of the Adversary?
By Austin Miller
Despite the enduring popularity of ransomware attacks among adversaries over the last few years, there has been an increase in the use of another kind of malware – wipers, also referred to as wiper viruses. Unlike ransomware, wipers aren’t created with the intention of extorting a payment from a victim. Instead, the adversary only intends to cause harm: data destruction, system corruption to the point of inoperability, and the reputational damage that follows attacks which lay waste to entire companies.
Understanding WhisperGate: What is a Wiper?
As the name suggests, wiper malware is only concerned with destroying information and rendering systems inoperable. If the adversary simply intends to wipe information from the victim’s computer or server, there is a distinct possibility that the data cannot be retrieved at all.
This makes wipers such as WhisperGate quite different from other adversarial favorites such as ransomware or Trojans, which aim to capture information that can be used against the victim, e.g. as leverage for a ransom.
Understanding WhisperGate: Why would the adversary use a wiper?
Despite there being no way to restore data to a wiped system, the malware delivers an error message to the victim:
This error message displays a bitcoin wallet address and a demand for $10k (0.25BTC) to restore “all hard drives of [the] organization”. By mimicking the tactics of a ransomware gang, the wiper still has the possibility of harvesting “ransoms” from people desperate to get their data back. Of course, there is no way to get it back – the virus overwrites the data and deletes it all.
CyberSec Fundamentals: “Why should I care about password strength?”
By Austin Miller
Credential stuffing is on the rise, and the effects of these attacks are costing businesses $6 million a year. Brute-force attacks are becoming quicker than ever thanks to next-gen GPUs. The adversary’s tried and tested methodology is only getting better – for network administrators and security professionals, these numbers should be alarming.
Hive Systems’ Password Matrix
We know that strong passwords are important. Gathering tools to crack weak passwords really isn’t that difficult – anyone can download John the Ripper and try their hand at breaking down password-guarded defenses. But the average end-user doesn’t see it that way.
The time comes around for staff to refresh passwords and you might have heard some of these comments:
- I just change one number at the end of my password every time.
- I try to get around the “too similar to a previous password” thing by changing it until the system forgets.
- I can never remember what my password is – why can’t you just let me have the one I can remember!
- Why do I have to use “special characters”? It’s only a password!
The next time that employee education comes around, show them this matrix:
All passwords tested by Hive Systems were MD5-hashed passwords.
Understanding the password matrix
As we can see from Hive Systems’ research, simple passwords aren’t even a minor concern for would-be adversaries. For the employee that uses <Un1ted> (one capital letter, one number), it will take the adversary all of one (1) second to gain access to the account. Because a fan of the red team in Manchester only put in the bare minimum to reset their password, the adversary has an easy way in.
As we move to the bottom-right of the matrix, passwords start to enter the green zone, where a pure brute-force attack takes so long that you can almost stop worrying about it. Where you set your threshold for password strength is really up to you: would the 7 months that the matrix gives for 10 characters of numbers, upper- and lowercase letters be enough for you? Or do you want to convert your team to password managers and insist on 18+ characters including numbers, upper- and lowercase letters as well as special characters/symbols? That depends on your organization’s needs and willingness to adopt new software.
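The arithmetic behind a matrix like the one above is simple enough to reproduce, and doing so makes two points the matrix itself hides: how much a single extra character class or extra character adds, and how much the choice of hash algorithm matters (the matrix assumes fast, unsalted MD5). The following Python is an added example written for this newsletter; it is not Hive Systems’ code or methodology. The guess rates in ASSUMED_RATES are made-up orders of magnitude, so absolute times will not match the Hive Systems figures; the function names and the sample passwords are likewise constructed for the example.

```python
"""Brute-force cost estimator in the spirit of a password-cracking matrix.

Added example, not Hive Systems' methodology. Times depend entirely on the
assumed guess rates below, which are illustrative orders of magnitude only.
"""
import string

# Character classes that make up the columns of a password matrix.
CHARACTER_CLASSES = {
    "digits": string.digits,              # 10 characters
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "symbols": string.punctuation,        # 32 printable ASCII symbols
}

# Assumed guesses per second (constructed for this example, not measured):
# a fast unsalted hash such as MD5 versus a deliberately slow password hash.
ASSUMED_RATES = {
    "md5": 1e11,           # assumption: GPU-scale rate for a fast hash
    "bcrypt_cost12": 1e5,  # assumption: slow hash cuts throughput by ~10^6
}

# Largest unit first, matching how a matrix labels its cells.
UNITS = (("year", 365 * 86400), ("month", 30 * 86400), ("day", 86400),
         ("hour", 3600), ("minute", 60), ("second", 1))


def character_classes_used(password):
    """Names of the character classes the password draws from.

    Raises ValueError for characters outside the four classes (e.g. non-ASCII),
    so the estimate never silently undercounts the attacker's alphabet.
    """
    known = "".join(CHARACTER_CLASSES.values())
    stray = [c for c in password if c not in known]
    if stray:
        raise ValueError(f"characters outside the matrix's classes: {stray!r}")
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def charset_size(password):
    """Alphabet an attacker must search: the union of the classes present."""
    return sum(len(CHARACTER_CLASSES[n]) for n in character_classes_used(password))


def keyspace(password):
    """Candidates in a full exhaustive search of that alphabet at that length."""
    return charset_size(password) ** len(password)


def crack_seconds(password, guesses_per_second):
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second


def humanize(seconds):
    """Largest fitting unit, one decimal, as a matrix cell would show it."""
    if seconds < 1:
        return "under a second"
    for name, length in UNITS:
        if seconds >= length:
            value = seconds / length
            return f"{value:.1f} {name}{'' if value == 1 else 's'}"


def report(password):
    """Worst-case crack time under each assumed hash rate."""
    return {name: humanize(crack_seconds(password, rate))
            for name, rate in ASSUMED_RATES.items()}


def min_length_for(alphabet, guesses_per_second, target_seconds):
    """Smallest length whose exhaustive search takes at least target_seconds.

    Useful for turning a policy threshold ("at least a year") into a length.
    Integer arithmetic avoids floating-point surprises near exact powers.
    """
    needed = target_seconds * guesses_per_second
    length, candidates = 0, 1
    while candidates < needed:
        candidates *= alphabet
        length += 1
    return length


if __name__ == "__main__":
    for pw in ("Un1ted", "password", "Un1tedManchester"):   # constructed samples
        print(f"{pw!r}: alphabet {charset_size(pw)}, keyspace {keyspace(pw):.2e}")
        for hash_name, when in report(pw).items():
            print(f"    {hash_name:14s} {when}")
    print("mixed-case alphanumeric length for >= 1 year at the assumed MD5 rate:",
          min_length_for(62, ASSUMED_RATES["md5"], 365 * 86400))
```

Under the assumed MD5 rate, <Un1ted> falls in the same “under a second” cell the matrix gives it, while the same password behind a slow hash survives for days; that gap is why the matrix’s MD5 caveat matters as much as its length columns when you set a policy.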
Another busy week! The threat landscape has changed so much over the last week that it’s difficult to keep up. Breaches that aren’t breaches, leaks of data we already had, and a variety of ransomware attacks mean that the world of cybersecurity is changing more than ever and we all need to be shielded up!
Kaspersky source code leaked… or was it?
Russia-based antivirus provider Kaspersky reportedly suffered a breach that meant the entire source code for the software was leaked earlier this week. Although people were keen to explore the code and confirm suspicions that Kaspersky had been working with the Russian government on a large-scale data harvesting program, there are only two conclusions to be drawn at the moment:
- There is no evidence that there has been a leak at all, as shown by numerous big names in cybersecurity – including @campuscodi and @SosIntel – finding no documents relating to the Kaspersky source code.
- There is no evidence that Kaspersky is working on covert data harvesting for any government. Although Kaspersky does work with the Kremlin, their relationship seems to be no more incriminating than the US government working with their security providers.
The only data that has been found from this supposed leak is a crawler dump of the Kaspersky Labs pages, something that was already publicly available. If you’re a Kaspersky subscriber, there is no reason to expect that the antivirus company has been compromised.
Anonymous continues attacks against the Russian government
After the initial influx of DDoS attacks from hackers working under the Anonymous name, it seems that they have upgraded their tactics, techniques, and procedures this week. While the internet was referring to Anonymous as skiddies, it seems that they have launched a successful attack against the Bashkortostan oblast and leaked 340,000 files onto the internet.
Although a majority of these files were already leaked in previous attacks, there is definite escalation in the tools and tactics that Anonymous is using. As Anonymous is literally anyone who wants to hide their identity from the wider world, some voices on the internet assume that professional security analysts and nation-state security professionals are now contributing to the cause.
Cyber warfare spreads far and wide
We always knew it was happening, but now countries all over the world are pointing fingers at the possibility of large scale, nation state attackers. Not only are we seeing this from nations involved in the Ukrainian-Russian conflict, but we are also seeing accusations thrown against the US government.
The Chinese government has criticized the NSA for continued cyberattacks against Chinese infrastructure and reportedly more than 45 other countries. The NSA has been referred to as APT-C-40 and has reportedly played a part in the creation and distribution of the backdoor program UnitedRake, the QUANTUM attack system, and the fake server FOXACID.
Although this is still unconfirmed, accusations of long-term cyber warfare are becoming more public and the potential for retaliation on both sides is growing.
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
m0bilesecurity/RMS-Runtime-Mobile-Security: Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android and iOS apps at runtime.
OWASP/owasp-mstg: The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
firmadyne/firmadyne: Platform for emulation and dynamic analysis of Linux-based firmware.
NationalSecurityAgency/ghidra: A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.
radareorg/radare2: UNIX-like reverse engineering framework and command-line toolset.
rustsec/advisory-db: Security advisory database for Rust crates published through crates.io.
sqlcipher/sqlcipher: SQLCipher is a standalone fork of SQLite that adds 256 bit AES encryption of database files and other security features.
arkime/arkime: Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.