STAR Livestream Summary: October 2023, featuring Will Thomas
SANS Threat Analysis Rundown (STAR) livestream host Katie Nickels was joined by Will Thomas (aka BushidoToken), Cyber Threat Intelligence Researcher at Equinix, co-founder of Curated Intelligence, and co-author of the upcoming SANS course, FOR589 Cybercrime Intelligence. Leveraging Will’s perspective monitoring adversary chats and dark web forums, they discussed recent cyber threats that defenders should pay attention to.
As Will tweeted, a number of takedowns of adversary infrastructure happened in October, occurring in different ways. The first takedown was of Ragnar Locker, a ransomware group that has been active since 2019. This was notable because 11 different countries cooperated on this takedown. Will noted that several Ragnar Locker actors were arrested in 2021 by the Ukrainian Cyberpolice, and while researchers suspected they were affiliated with Ragner Locker, that was just revealed with certainty. You can read more about this takedown here and check out Will’s screenshot of the message on Ragnar Locker’s former infrastructure here.
In a different type of takedown, a hacktivist group calling themselves the Ukrainian Cyber Alliance took down Trigona ransomware infrastructure. A Trigona representative posted a message on the RAMP forum noting they would be back, but that remains to be seen. Katie and Will discussed how this presents a debate over whether “lone wolf” actors should be taking down infrastructure without law enforcement cooperation. Will noted that criminal actors do post about takedowns and arrests on forums, suggesting they notice when this happens, but Katie and Will discussed that it’s unclear if these actions will have a long-term deterrent effect.
War in Israel
The war in Israel and Gaza is important for cyber threat analysts to track because of its impact on how adversaries may target organizations with affiliations to the region. The collaborative analyst group Curated Intelligence, which Will is a co-founder of, published an overview of tracking cyber threats around the war. Curated Intelligence divided categories of actors to watch into three groups: hacktivists, cybercriminals, and APT groups. Will noted that many of the hacktivist groups are publishing false information about cyber attacks that didn’t actually happen or are historic, leading to the spread of disinformation. Multiple sources can help analysts track relevant groups based on their threat model, including Secureworks Threat Profiles and Malpedia. This graphic from CrowdStrike also provides a helpful overview of actors to watch surrounding this war. One example of a group allegedly associated with Hamas is AridViper, discussed in a blog post by Sekoia.
Identity management service Okta announced a breach of their support case management system. Notably, other companies, BeyondTrust, Cloudflare, and 1Password, identified the breach before Okta publicly announced it. While Okta has reportedly reached out to affected customers, you may want to consider contacting them if you use Okta. One recommendation out of this breach is for customers to sanitize HTTP Archive (HAR) files, which Okta support often asks customers to upload to help with troubleshooting. These HAR files often contain sensitive data, including cookies and session tokens, that enabled adversaries to impersonate valid users in this incident. Cloudflare released a HAR sanitizing tool that can assist with this, and Cloudflare’s blog post also has other security recommendations for Okta customers.
Cisco IOS XE software vulnerability
While software vulnerabilities are released daily, Will and Katie highlighted vulnerabilities that are being actively exploited and are worth paying attention to: CVE-2023-20198 and CVE-2023-20273, which are vulnerabilities in the Web User Interface feature of Cisco IOS XE software. These vulnerabilities were two zero-days exploited by the same adversary with up to 30,000 devices being compromised. Due to this widespread exploitation combined with the fact that many adversaries have shown previous interest in exploiting Cisco devices, if you use this software, it’s worth upgrading immediately to avoid possible exploitation. Cisco Talos and GreyNoise provide additional reading on these vulnerabilities.
Microsoft recently published a blog post on the threat group Octo Tempest, which overlaps with activity tracked under the group names 0ktapus, Scattered Spider, and UNC3944. Microsoft assesses this is one of the most dangerous criminal groups, and these adversaries are known to use social engineering campaigns with a goal of financial extortion. Will previously published a blog post on this group and also shared a presentation, which are worth checking out as you consider how your organization could protect, defend, and respond to this group’s activity.
As the livestream closed, Will gave a short preview of the upcoming SANS course, FOR589: Cybercrime Intelligence, which is coming in 2024. He discussed how he and his co-authors are developing material that will help students understand the cybercriminal underground, including how to safely monitor dark web forums and other valuable collection sources that are unfamiliar to many analysts. Katie also reminded viewers about the upcoming SANS OSINT Summit and SANS CTI Summit, which are open for both Live Online and in-person registration.