al3x@wannaCYbeR(security)~$ echo "Issue \x08"

Greetings, fellow cyber people, and welcome to the eighth issue of wannaCYbeR, a weekly newsletter dedicated to those who are starting their cybersecurity journey. It’s been a week packed with leaks and threat intelligence news, so let's start.

The Big Leak

As part of an organized campaign against the Russian invasion of Ukraine, Anonymous released over 28 Gb of data stolen from the Central Bank of Russia, as the group had previously announced. As Hackread reports, the humongous amount of data includes “years’ worth of financial records with some documents going as far back as 1999. Furthermore, invoices, internal communication, documents, memos, bank statements, names of shareholders of various banks, bank licenses, names, addresses of apparently high-profile customers/clients, etc. are part of the leaked records.”

DDoSecrets, a nonprofit and collective of whistleblowers that some define as “the new WikiLeaks,” said they will take care of analyzing the data from the massive leak and release it in the coming days. But, in the meantime, the group has published “nearly 140,000 emails hacked by Anonymous from the Russian firm MashOil, which designs, manufactures, and maintains drilling, mining, and fracking equipment. MashOil has tested equipment with Gazprom and signed agreements with Gazprom subsidiaries,” as one of its founders, Emma Best, shared on Twitter.

LAPSUS$ Strikes Again


On Tuesday night, after about a week of "vacation" and reports of arrests of a group of teenagers in the U.K., the LAPSUS$ crew popped back up online, claiming yet another hack, this time hitting the IT and software company Globant. The group published a series of credentials along with a 70 Gb .rar archive said to contain data stolen from the Globant network. Yesterday, Globant confirmed the breach, saying that they recently "detected that a limited section of our company's code repository has been subject to unauthorized access."

And, speaking about how the extortion group has responded to the arrests, Greg Linares notes on Twitter that "Releasing data post bust to show a group is still active is a classic recruitment strategy."


Read more on Bleeping Computer

Bye, Kaspersky

Following the example set by Germany and Italy, the U.S. FCC added Kaspersky, the notorious Russian cybersecurity company, to the "Covered List" of companies that pose an "unacceptable risk to the national security" of the country. FCC Commissioner Brendan Carr said the new designations "will help secure our networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests." This will forbid Kaspersky from receiving FCC funds through its Universal Service Fund.

Read more on The Hacker News

Nation-State vs Independent Cyber Threats to Critical Infrastructure

This week, in the most timely fashion, the Center for Strategic and International Studies and Trellix have released a report that summarizes the status of independent vs nation-state threat actors with a special focus on groups who target critical infrastructure. The report is the result of a survey conducted on “800 IT security decision-makers” from companies with over 500 employees based in the United States, the United Kingdom, Germany, France, Japan, India, and Australia.

But allow me to back up for a minute before digging into the findings. In cybersecurity, we are used to hearing about the “CIA Triad,” an information security model that prioritizes “Confidentiality, Integrity, and Availability,” in this order, when it comes to designing and securing IT systems. Instead, for Industrial Control Systems and Operational Technology (ICS/OT), experts tend to rely on a different model that can be better represented either by reversing the “CIA Triad” to “AIC,” to prioritize the system’s availability, or by “SRP,” which stands for “Safety, Reliability, Productivity/Business Continuity.”

“The line between state and non-state actors continues to blur. Eighty-six percent of respondents believe they have been targeted by a cyberattack by an organization acting on behalf of a nation-state,” is one of the main report findings. Why is this relevant, someone new to cybersecurity and threat intelligence might ask. Well, because, while independent groups tend to work towards immediate profit, nation-state actors may have other goals: at a strategic level, attacks can be mapped out to reveal broader objectives and, possibly, future targets. Goals tend to be more long-term when it comes to nation-state actors; they can stem from geopolitical factors and focus on information gathering and data exfiltration rather than profit.

In fact, the 2021 Office of The Director of National Intelligence (ODNI) threat assessment reveals that nation-states use cyber operations to “steal information, influence populations, and damage industry, including physical and digital critical infrastructure.” In a nutshell, these cybercriminals are looking for sensitive data, especially material that could help sabotage, disrupt, and influence populations in advance of future campaigns.

In particular, when independent threat actors work on behalf of foreign governments, “it is common for there to be ‘leave behinds’ after an incident. The attackers use these to provide later access to a victim network and they can help point to the attacking nation-state actor.” This is what is called, in technical jargon, persistence: a mechanism that allows the attacker to maintain access to the compromised assets.

But how are attackers able to break into these assets, especially when it comes to critical infrastructure? “Survey respondents indicated that limited skills and outdated network technology and security tools increased vulnerability,” the report reveals.

Admin:Admin, Anyone?

While outdated technology certainly presents a big risk factor, so do poor security practices, such as using default or weak access credentials or unnecessarily leaving management interfaces exposed to the internet. The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) published an alert on how to mitigate risks around malicious actors trying to gain access to internet-connected uninterruptible power supply (UPS) devices – which provide emergency power when normal power sources are lost. The practices included in the document are about common sense and should be the ABC of any security practitioner: change default credentials, use strong passwords, and don’t expose assets to the internet when it’s not necessary.

But people and companies across all sectors seem to forget about these basic principles: as Zack Whittaker from TechCrunch reported, the extortion group LAPSUS$ – responsible for breaching Okta, Microsoft, and other organizations – found a spreadsheet of passwords as they breached Sitel, the third-party service provider that allowed them to subsequently access Okta. In Sitel’s private network, LAPSUS$ found a file “called ‘DomAdmins-LastPass.xlsx.’ The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager.”

Meme of the Week: Linux Cat


Special of the Week #1: Differences Between ICS/OT and IT Security - Poster


Since we’ve been talking quite a bit about ICS/OT this week, I thought I would share this amazing poster created by the SANS Institute that explains the main differences between ICS/OT and IT security, going into as much detail as comparing security controls for those systems.

You can download it from the SANS website.

Special of the Week #2: The Ultimate OSINT Collection

In my hunt for OSINT tools and resources, I stumbled upon this extraordinary collection compiled by hatless1der, an OSINT and investigation expert.


This amazing collection includes news sources as well as investigative tools, tutorials, podcasts, forums, and more. It's a must-see for anyone who's getting into OSINT and is looking for resources as well as for anyone looking to expand their set of OSINT tools.

Check out The Ultimate OSINT Collection

Free SANS OSINT Summit on April 7


I know I highlighted this in last week’s issue too, but I really can’t help my excitement for this free event: the SANS Institute OSINT Summit, happening virtually on April 7, 2022.

As explained on the registration page, you can expect to “learn current, real-world methods from others in the OSINT community who collect information across the Internet, analyze the results, and utilize key data to reach their objectives.”

Take a look at the agenda and sign up.

That's all for this week. If you enjoyed the newsletter, please feel free to share it with your connections. Do you know of a great piece of content I should include? Don’t be shy, reach out!

P.S. In case you were wondering, I don't receive any compensation or sponsorship for the content I share. I do it just because I love to nerd out with other people on topics of common interest.
