Mini-Netwars on Thursday; Ransomware Lessons Learned; Nation State Hackers Targeted COVID Drug Manufacturer

The FireEye report provides insight into how the various Maze teams operate as well as indicators of compromise. The affiliate model of Maze distribution suggests the TTPs will continue to change over time. It is worth noting that the initial compromise is not just users falling for a phishing attack, but also may be via exposed vulnerable services such as RDP or VDI services using compromised accounts. The call to action is ransomware protection, which includes both user awareness and due diligence, particularly for the security of internet facing services. At a minimum, enable multi-factor authentication and limit account access so compromised credentials cannot be readily used for maleficence.

Lee Neely

Several ransomware news items in this issue of NewsBites - the FireEye report around MAZE serves as a good summary of most ransomware incidents. Two major ways initial compromise was gained: (a) targeted phishing via email; and (b) exploitation of glaring lack of basic security hygiene in patching, server configuration and privilege management. The techniques used for lateral movement included sophisticated "living off the land" exploits but plenty of success from simple techniques like searching for files containing the text "password." SANS published a "2020 Threat Trends Report" with advice from SANS instructors Ed Skoudis, Heather Mahalik and Johannes Ullrich on this and related threat areas: https://www.sans.org/reading-room/whitepapers/threats/paper/38908

John Pescatore

One interesting finding is that the attacks are a team effort, involving multiple skilled parties, using a black market to cooperate, collaborate, and coordinate.

William Hugh Murray

Enterprises with significant intellectual property should be using strong authentication.

William Hugh Murray

Today's NewsBites could be called "The Ransomware Round-Up." Ransomware clearly is a preferred attack mechanism today, with attackers increasingly not only encrypting the data, but also stealing it and threatening public disclosure unless they are paid. Based on that evolution of these attacks, I found this quote from Lawrence Abrams of BleepingComputer really thought provoking: "Every ransomware attack has to be treated as a data breach now."

Ed Skoudis

We need to dramatically raise the cost of attacks, starting with strong authentication, "least privilege" access control, system to system isolation (think "zero trust") among other measures. We must not continue to fund this growing extortion cabal. We have known what to do more than a decade. If not now, when?

William Hugh Murray

The Qmage image format, developed by Quarmsoft, is Samsung-specific. While the exploit takes 50-100 messages to bypass ASLR, it is possible to send those messages without triggering device alerts, and requires no user action to exploit, making this a very stealthy attack. While the update applies to a wide range of devices, check Samsung's Android Security Updates page to make sure your device is in scope for updates, particularly if it is more than three years old.

Lee Neely

Safe operation of Android devices requires cooperation between vendors, carriers, and knowledgeable end users. Nice people do not give such devices to children or the elderly.

William Hugh Murray

It's interesting to see this comment come in the same issue as the Diebold ransomware story.

Ed Skoudis

The response to the Pandemic demonstrates the need for online voting. Surely we can do as good a job online with purpose-built apps as the banks do. Surely we can do as good a job as is done with paper, rubber stamps, and double envelopes. We cannot continue to allow the perfect to be the enemy of good enough.

William Hugh Murray

This is worth reading, not necessarily to determine how the various products fared in the testing, but to get an understanding as to how threat actors attack your network and how to prevent that happening.

Brian Honan

To exploit this vulnerability, an attacker has to have access to your laptop, needs to open it, and then apply new firmware. Exploitability depends on how easy it is to open the device and how easy it is to reach the respective components that need to be patched. With current travel restrictions, attacks are unlikely. But if you ever get to travel again, you could cover your laptops screws in glitter nail polish to make it easier to detect tampering. And as a reminder: There are about 6 or 7 ransomware attack stories in this edition of NewsBites alone. Once you got ransomware under control, this may be an attack worth worrying about.

Johannes Ullrich

While this attack does require physical access to a system, it's still a fascinating approach to undermining the security levels that were... bolted on... to Thunderbolt. Direct Memory Access (DMA) attacks have been around for many years and are based on the idea that, to achieve high speeds, we can have devices and even peripherals talk directly to memory with little involvement of the CPU. That's hard terrain to defend.

Ed Skoudis

While the exploit requires physical access, the Thunderbolt bus still needs to be active, so the best mitigation is to not leave systems sleeping, but instead have them powered off or hibernating, particularly when left in a hotel room or vehicle.

Lee Neely

While this reads like an exciting vulnerability, it requires the attacker to have unfettered physical access to the device. It is probably a technique that will be more useful for forensic investigators rather than attackers.

Brian Honan