This month’s news includes desperate measures for desperate times, featuring some creativity from both the bad guys and the guys trying to stop cybercrime. Read on to find out what we’re talking about this month.

Utility Security Is So Bad, US DoE Offers Rate Cuts To Improve It

In a novel approach to promoting cybersecurity, the US Department of Energy has proposed regulations that financially reward cybersecurity modernization at power plants through rate deals. These deals can be used for everything from buying new hardware to paying for outside help: any cybersecurity products and services, as well as information such as plans, policies, procedures and other material related to cybersecurity technology. Utilities are among the targets most exposed to cyber attack, so until the US moves to more distributed forms of energy generation, power plants will remain large, tempting targets for infrastructure-disrupting cyber-attacks, which makes any policy that incentivizes security a good idea. Cyber threat information sharing programs and reporting rules are also part of the initiative.

“We have talked before about how the US DoE is really worried about attacks to critical infrastructures. This is a sector where sometimes it is hard (or even impossible) to deploy old technologies such as EDRs, IPSs, IDSs, etc. and where deception technology — with its ability to mimic production networks without disturbing them — fits like a glove.” — Fernando, Founder

Source: The Register, October 7

Fake CISO Profiles on LinkedIn Target Fortune 500s

Phishing is all about creativity, and the bad guys have no shortage of that. Brian Krebs reports that someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs, but the fake identities are being indexed by various downstream data-scraping sources, even showing up as the first result in Google. They are more than likely targeting recruiters, with the idea of deceiving them to gain access to the organizations those recruiters work for.

“This is an important piece of news because it makes clear that threat actors are starting to take advantage of new AI-based tools such as GPT-3, DALL·E 2 or their free/open equivalents Bloom and Stable Diffusion to create fake profiles aimed at deceiving humans. Everyone knows they are usually the weakest link in any organization.” — Member of the leadership team

Source: Krebs On Security, October 1

MSSQL, meet Maggie

This is the first report we have seen, from DCSO CyTec, of a novel backdoor malware targeting Microsoft SQL servers. The malware comes in the form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. It can be controlled remotely, solely through SQL queries, and offers a variety of functionality to run commands, interact with files and act as a network bridgehead into the environment of the infected server. According to the article, 250 servers have been identified as affected worldwide, with a clear focus on the Asia-Pacific region.
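Because an extended stored procedure has to be registered in the master database and is backed by a DLL on disk, an inventory of those registrations is the natural place for defenders to look for a backdoor of this kind. The following T-SQL is an added example, not code from the DCSO CyTec write-up or from the malware; it relies only on the documented sys.extended_procedures catalog view, and the “expected location” heuristic (the instance’s Binn directory) is an assumption that may need adjusting for non-default installations.

```sql
-- Added example: inventory every extended stored procedure registered on the
-- instance, with the DLL that backs it. Registrations live only in master.
USE master;
GO

SELECT
    x.name          AS procedure_name,
    x.dll_name      AS dll_path,
    x.is_ms_shipped,                      -- 0 = not a Microsoft-shipped object
    x.create_date,
    x.modify_date,
    CASE
        -- Built-in xp_* DLLs ship from the instance's Binn directory; a DLL
        -- anywhere else (temp folders, user profiles, network shares) should
        -- be reviewed. The path pattern below is an assumption about a
        -- default installation layout.
        WHEN x.is_ms_shipped = 1 AND x.dll_name LIKE '%\MSSQL\Binn\%'
            THEN 'expected'
        WHEN x.is_ms_shipped = 0
            THEN 'REVIEW: third-party extended stored procedure'
        ELSE 'REVIEW: Microsoft object backed by DLL outside Binn'
    END             AS assessment
FROM sys.extended_procedures AS x
ORDER BY x.is_ms_shipped ASC, x.create_date DESC;
GO
```

Running this on a schedule and diffing the result against a known-good baseline turns a one-off check into a detection: any new row, or any row whose dll_path changes, is worth an alert. Reviewing the logins that execute the flagged procedures (from the SQL Server audit or query logs) then shows whether the DLL is actually being driven remotely, as described above.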

“Our technical team was all over this one. Maggie seems to be a very interesting backdoor piece of malware. Anytime a backdoor can brute force logins, we need to pay attention.” — David, Founder & CEO

Source: Medium, October 4

OpenSSL Warns of Critical Security Vulnerability With Upcoming Patch

OpenSSL is key for literally everyone on Linux, Unix, Windows, and many other operating systems. The project recently warned of a critical security vulnerability, the likes of which no one has seen since 2016. OpenSSL is used to lock down pretty much every secure communications and networking application and device out there, so critical is BAD: it means the vulnerability affects common configurations and is also likely exploitable remotely, to compromise server private keys or execute code.

“This software vulnerability seems like a serious one. It will potentially affect tons of Linux servers and the vulnerability and the fix were just released.” — Fernando, Founder

Source: ZDNet, October 27

Amazon-themed campaigns of Lazarus in the Netherlands and Belgium

ESET researchers uncovered and analyzed a set of malicious tools that were used by the infamous Lazarus APT group in attacks during the autumn of 2021. This Lazarus campaign targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. The attack included the first recorded abuse of the CVE-2021-21551 vulnerability, using a tool that disables the monitoring of all security solutions on compromised machines. This article features a detailed description of the campaign.

“The Lazarus group is a very skilled and well-known threat actor and they usually target high profile victims. The malware they used disables monitoring and uses new techniques against Windows kernel mechanisms, which are two pretty serious things.” — Member of the threat intelligence team

Source: We Live Security, October 1

Don’t miss next month’s roundup. Follow us on LinkedIn or Twitter, or sign up for our newsletter to stay in touch.