The IT Nerd

Cloudflare yesterday disclosed that at least 76 employees and their family members have been targeted by the Twilio phishing attack. The recipients received texts on personal and work phones, originating from four numbers associated with T-Mobile-issued SIM cards and was ultimately unsuccessful. The messages pointed to a seemingly legitimate domain containing keywords including ‘Cloudflare’ and ‘Okta’ in a campaign designed to get employees to hand over their credentials. 

Sidebar: If you need some advice about how to not be a victim of a phishing scam, Microsoft has some good advice.

Mark Bower, VP of Product Management of Anjuna Security had this comment:

     “Turning trusted employees into oblivious insiders is the perfect vector to bypass traditional controls and we can expect many more attacks of this nature. They are cheap, and effective. Once inside with high levels of privilege, coordinated attackers can launch mayhem and theft – manipulating data, stealing even highly sensitive data like keys from running applications. The most effective defense is to force attackers into attempting to break modern CPU-level hardware controls around sensitive data in the cloud, massively delaying impact and keeping blast radius to the absolute minimum, ultimately frustrating attackers who will move on to unprotected lower hanging fruit.”

I will also add that companies really need to step up the training of their employees as well as running phishing simulators to ensure that their employees aren’t unwitting participants in threat actors trying to gain access to a company’s resources.

Avanan, A Check Point Company, has published an analysis of its latest findings revealing how threat actors are using the site’s legitimacy, of Lucidchart, an intelligent diagramming application for visual communication and cross-platform collaboration, to embed phishing links into shareable documents for users to render personal credentials. 

In this attack, users are presented with an email requesting to verify an invoice that has been submitted for payment. The user is encouraged to follow a series of instructions that will direct them to open a Lucidchart document containing a fake phishing link leading to a credential harvesting website.

You can read the full analysis here.

The Transportation Security Administration on Thursday issued revised cybersecurity directives for oil and gas providers more focused on performance-based measures. This following extensive input from federal regulators and private industry stakeholders in the wake of the May 2021 ransomware attack on Colonial Pipeline.

Chris Clymer, Director & CISO, Inversion6 had this comment:

When a cyberattack took the Colonial Pipeline offline and caused gas shortages all up and down the east coast of the US, an inevitable question was “How can this happen?”  Even more perplexing for cybersecurity professionals was learning that rather than following under the well-established NERC-CIP security framework which covers most of the energy sector, the pipelines had actually been related to the authority of the TSA.  This is far from TSA’s area of expertise, but to their credit they had put some guidelines out before the incident…unfortunately, these were simply guidelines, not required.

It is extremely welcome news to see that the US’s most competent cybersecurity agency, CISA, has dove into the fray and helped TSA to establish new requirements…and that they have been made just that:  requirements.  As we’ve seen over and over unfortunately, cybersecurity investments are neglected in virtually every vertical without outside pressure.  Pipelines should be in better shape because of this attack.  The question now:  what other important infrastructure is sitting out there, falling into the political cracks and being neglected as a result?

Companies beyond the oil and gas sector should look at this guidance as it will provide a roadmap as to how they can protect themselves from attacks of all sorts. Because everyone these days is a target of cybercrime and cyberattacks.

In a new report from Palo Alto’s Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice. The post-exploitation toolkit, which evades detection by EDR and antivirus solutions, has been used for red team penetration testing since 2020. This change in tactics is significant as BRc4 is designed to evade detection by EDR and antivirus solutions, with almost all security software not detecting it as malicious when first spotted in the wild.

“While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated,” explains Unit 42’s report.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”

Dr. Darren Williams, CEO and Founder of BlackFog:

     “It has been known for several years now that AV software provides limited protection from modern ransomware and malware. New attack variants focus on techniques that are very difficult to detect with basic fingerprinting techniques these older solutions rely upon. State sponsored attacks are increasing at a rapid rate during 2022 and continue to focus on ways of launching custom payloads by traditional software and modified DLL’s.”

This report illustrates the need to have a layered defence to ransomware and malware. Thus if you’re responsible for defending against these sorts of attacks, this report from Unit 42 should be required reading.

According to a new report from Tetra Defense, the Root Point of Compromise (RPOC) for attacks against U.S. companies was external exposure.  Patchable and preventable external vulnerabilities were found to be responsible for the bulk of attacks:

In Q1 2022, the vast majority — 82% — of total incidents happened through external exposure of either a known vulnerability on the victim’s network or a Remote Desktop Protocol (RDP). Taking a deeper look into these external exposures, they are classified in two ways:

1. “External Vulnerabilities” which could have been mitigated through publicly available security patches and software updates. In these instances, a threat actor utilized a known vulnerability to gain access to the network before the internal organization was able to patch the system. In Q1 57% of total incidents were caused by the exploitation of external vulnerabilities.

2. “Risky External Exposures” which are IT practices such as leaving a Remote Desktop Protocol (RDP) port open to the public internet. These behaviors are considered “risky” because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time. In Q1, 25% of total incidents Tetra Defense handled were caused by risky external exposures.

That’s not good at all. Mark Bower, VP of Product Management of Anjuna Security had this comment:

     “The report once again highlights the simple fact that in an ideal world, enterprises would patch and monitor untrusted compute and networks to keep data safe from leakage, but in truth it’s impossible to continuously down tools and close all risk gaps that affect modern business success. Vulnerabilities exist because they are discovered – but until that point, they are also exploitable holes in systems or processes. However, modern computing today is beginning to provide fresh new approaches to address risks like this, and we will start to see that at scale and in short order with compute ecosystems that shrink attack surfaces inherently for data at rest, in motion and in use.”

Hopefully enterprises of all sizes read this report and take action to secure themselves. Otherwise, they are prime targets for threat actors who are out to make them the next headline.

UPDATE: Aimei Wei, CTO and Co-founder of Stellar Cyber adds this:

     “External vulnerabilities and risky external exposures accounted for 82% of the incidents responded by Tetra Defense in Q1 2022. This highlights the critical need for having a threat detection and response system that continuously detect the vulnerabilities and exposed risks (such as RDP port open to the public) and respond automatically. Patching definitely pays off for known vulnerabilities. It greatly reduces the attack surface. However, it is hard to guarantee that the patch is always immediately available for the software version you are using and can be applied in time. Organization’s continued security vigilance and enforcement of standards can dramatically reduce the chances for exploitation from exposed risks. However, the exposed risk, even for a short period of time, may still be exploited. Having a detection and response system that can continuously monitor the environment, detect the exploitation and stops the attack from progression to an incident covers the cases missed by not in-time patch or not consistent enforcement or short period of time for exposed risks.”

An APT group has been actively targeting Microsoft Exchange servers since at least December 2020, according the researchers at Kaspersky’s Global Research & Analysis Team (GReAT). Security researchers have also found a previously unknown passive backdoor they named Samurai and a new trojan malware dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims’ network. Which of course means that these malware strains are very dangerous.

Christopher Prewitt, CTO of Inversion6 had this commentary:

In March of 2020, Microsoft released patches to fix the Exchange exploit. It was thought that Chinese nation state actors were the ones who uncovered this vulnerability and were exploiting prior to discovery and disclosure. ToddyCat, likely linked to Chinese espionage activities, has been focused on Europe and Asia using the familiar China Chopper web shell.

The Samurai backdoor, in some cases has been used to deploy a post-exploitation toolkit dubbed Ninja. Ninja allows for full control of a system including shell access, and appears to have been developed by ToddyCat.

My thoughts go something like this. While these attacks are presently targeted towards high-profile entities in Europe and Asia, I can see this branching out to North America. Assuming that it hasn’t already. Thus I would make sure that your Exchange servers have all the patches needed to defend against this exploit.

UPDATE: Aimei Wei, CTO and Founder, Stellar Cyber added this commentary:

“When a vulnerability is discovered, it takes time for the patch to be available for all the impacted software releases. Usually, the newer releases get patched faster than older ones. It could take more than a year for patches to be available to earlier releases. The New ToddyCat APT group that has been actively targeting Microsoft Exchange servers since at least Dec. 2020 are still exploiting the vulnerability to attack even more entities from more countries. While actively patching the systems is critical to be protected from the attacks, it can’t always be achieved within short period of time, having a threat detection and response system that can effectively detect lateral movement and help to stop the attacks at the early stage is an important catch all mechanism.”

And Jake Williams, Executive Director of Cyber Threat Intelligence for SCYTHE had this to say:

The Samurai backdoor is a textbook example of a tool used to expand a beachhead access to an internal network. After the backdoor is deployed on an Internet facing Exchange server, network redirection modules are deployed that facilitate access by the threat actors to the internal network. Network redirection isn’t new, is especially useful when deployed on a server that is expected to communicate with many external and internal destinations. While zero-trust networking principles could limit some communication, threat actors will always execute actions on objectives on endpoints inside the network. A combination of network and endpoint controls, configured in alignment with the organization’s specific operational model, will be required to detect stealthy actors like ToddyCat after they gain access to a network.