TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #28
James Beal
Security Architect and Threat Intelligence Researcher, Aeterneus Intel Founder. TRIAGE'ing the evolving threat landscape to help Infosec Teams and Execs keep their organizations safe!
Howdy everyone, welcome to volume number 28 of TRIAGE Tuesday! First we look at a macOS sandbox escape vulnerability that is an excellent piece of technical research by the Microsoft security team. It comes as no surprise that we then pivot over to a new ransomware group and a discussion of current techniques. Nation-state-backed APT groups are a big topic this week, and we have three big stories in that realm all packed into one “story” so everyone has a chance to stay current. Our fourth story this week is a great new feature added to Tor for safer dark web browsing by default. We finish off the week with a look at more nation-state APT activity and journalist targeting that serves as an update on new techniques and should be very concerning to everyone who reads about it! Enjoy a closer look at all 5 stories below!
Technical issues led to a gap last week and a delay this week; please enjoy both versions of the newsletter covering the last two weeks of activity!
If you are not already, get this awesome weekly update delivered directly to your inbox! The newsletter!
1. Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
Overview: Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. A fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates released by Apple on May 16, 2022. Microsoft shares the vulnerability disclosure credit with another researcher, Arsenii Kostromin (0x3c3e), who discovered a similar technique independently.
TRIAGE: Sandbox escapes are very bad news, and here is an awesome breakdown of the technical details behind this vulnerability. This is another reminder of why we all need to be vigilant about patching all systems, but especially for security researchers, among whom macOS is a very popular option because of the Linux underpinnings of macOS. These kinds of vulnerabilities can and will take out entire systems by giving an attacker free rein to run anything they want on a system.
2. New Lilith ransomware emerges with extortion site, lists first victim
Overview: A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks. Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortion attacks, which is when the threat actors steal data before encrypting devices. According to a report by researchers at Cyble who analyzed Lilith, the new family doesn't introduce any novelties. However, it's one of the latest threats to watch out for, along with RedAlert and 0mega, which also recently emerged.
TRIAGE: This is important not because they are doing anything new, but to keep current on the changing face of ransomware attack groups and the moves being made. As groups get larger, fall apart, and new groups emerge, it is on all of us in the defensive realm to stay up to date on changes made by the current threat actors out there, as well as their techniques, such as everyone moving to at least double-extortion attacks.
3. Nation State APT group activity news
Overview:
Holy Ghost: For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries. The group has been active for quite a while but it failed to gain the notoriety and financial success of other gangs even if the operation followed the same recipe: double extortion combined with a leak site to publish the name of the victims and stolen data.
Belgium: The Minister for Foreign Affairs of Belgium says multiple Chinese state-backed threat groups targeted the country's defense and interior ministries. "Belgium exposes malicious cyber activities that significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," the foreign minister said.
Russian SVR: State-backed hackers who are part of Russia's Foreign Intelligence Service (SVR) have started using the legitimate Google Drive cloud storage service to evade detection. By using online storage services trusted by millions worldwide to exfiltrate data and deploy their malware and malicious tools, the Russian threat actors are abusing that trust to render their attacks exceedingly tricky or even impossible to detect and block.
TRIAGE: Too much nation-state APT group activity to limit ourselves to one story this week. These are all for awareness depending on your vertical/area of focus, but I wanted to make sure everyone had the links to stay up to date on this current activity. State-backed attacker groups are still going strong and using advanced methods to get results, usually financial gain for their funding country lately, but always present and trying to hide in the background noise of commercial attacks.
4. Tor Browser now automatically avoids internet censorship
Overview: The Tor Project team has announced the availability of Tor Browser 11.5, a significant update that adds new functionality to make it easier for users to circumvent censorship. To provide users with anonymity and privacy when accessing information on the internet, the Tor Browser was developed specifically for using websites through The Onion Router (Tor) network. This is accomplished by encrypting all traffic as it travels through the network's nodes. An exit node is used to send the data back to the user after the connection has reached the destination.
TRIAGE: Everyone in the community needs to be aware of basic OSINT technology and the toolsets out there, and Tor remains the browser option of choice for anything related to dark web searches. This is a great feature add and also serves as a reminder to use the latest and greatest versions of software when doing OSINT research if at all possible, as those features are hopefully added to keep anyone doing research a bit safer in the end.
5. Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media
Overview: Journalists and media organizations are well sought-after targets with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide. The media sector and those that work within it can open doors that others cannot. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere.
TRIAGE: Another general awareness topic and activity we have seen many times in the past. This is new research by one of Proofpoint's threat intel teams on current targeting and the tactics, techniques, and procedures of those attackers against people in the civilian community. Many of the attackers are APT groups, which are mainly funded criminals backed by nation states as discussed above, and that greatly increases the real concern of them targeting members of the press and other non-governmental organizations.