Radar #2: Week of 11/4/2024

Radar #2: This week's topics include the Pacific Rim report, the Quantum Apocalypse, and the new MITRE ATT&CK release.
Learn more about The Radar here

Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats

Sophos X-Ops released an extremely detailed report, informed by details they obtained tracking a threat group performing vulnerability research on Sophos products. I highly recommend reading the full report and their more detailed timeline of events, as there are some fascinating details about how Sophos tracked these threat actors that I’m shocked were approved by their legal team. Particularly interesting is that Sophos pushed their own malware “implant” to collect more telemetry from a Sophos device the company identified as being used by a threat actor for vulnerability analysis. Data collected from this “implant” was used to patch vulnerabilities the threat actors discovered and to aid Sophos’s threat-hunting activities.

The report adds more data points to the picture of how PRC-related threat actors operate within China’s offensive security ecosystem (PDF). To the offensive security world the TTPs are nothing groundbreaking: a vulnerability research team -> automated “spray and pray” style attacks on a wide range of targets, used to gain “Operational Relay Boxes” (infrastructure from which future, typically more sophisticated, attacks can be launched) -> more surgical hands-on-keyboard operations at later stages of the campaigns.

Interestingly, Sophos noted there were multiple bug bounty reports disclosing zero-day vulnerabilities just before those vulnerabilities were used for the first time by these threat actors. This sounds like it could be a case of information leakage, where the threat actor talks to a buddy about vulnerabilities they’re working on and the buddy anonymously discloses them for a bug bounty reward, or the threat actor is double dipping: being paid to find a vulnerability during their day job, then going home and disclosing it anonymously for extra cash.

How do you use this information (or any piece of threat intel) to effect change in your organization? It’s hard to make threat intel actionable when you’re an individual contributor. Threat intel is immensely useful when it’s used as a tool in your toolkit for crafting a narrative to get executive buy-in for driving security change. Saying “We need to patch X CVE” isn’t impactful. Instead, try to paint the picture of “This PRC-linked threat actor is actively performing vulnerability research and targeting devices we use, therefore we need to do XYZ to mitigate the threat,” which is much more likely to get executive attention.

I don’t know if it was intentional, but Sophos just performed a masterclass on how to effectively market to technical professionals. If your company wants to be known for good security, publishing genuinely interesting reports, research, tooling, etc. will help you attract both security talent and customers.

Quantum Apocalypse? Demystifying the Doomsday of Encryption

This lengthy post by Pascal Schärli goes into great detail about both the valid and unfounded fears we have about quantum computing in regard to the encryption algorithms we use today. A few key takeaways are:

  1. If you’re an everyday consumer of technology, you don’t need to do anything.
  2. If you build technology or influence those who do, you should be looking into moving to quantum-resistant algorithms released by NIST sooner rather than later. Apprehensive about these new algorithms? Use hybrid mode which requires both quantum-resistant and existing algorithms to be broken. This is what Signal did in 2023.
  3. Asymmetric algorithms are more vulnerable to quantum computing attacks as they rely on computational difficulty for security. Symmetric algorithms and hashes can be “shielded” by using much longer key lengths and hash output lengths, respectively.
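The “hybrid mode” in point 2 boils down to one design rule: feed both the classical and the post-quantum shared secret into a single key derivation step, so that an attacker has to recover both to get the session key. The block below is an added example, not code from the post, from Signal, or from any NIST specification. It implements HKDF as specified in RFC 5869 on top of the standard library and uses it as the combiner; the two shared secrets are constructed stand-ins for what an X25519 exchange and an ML-KEM decapsulation would each produce (both are 32 bytes in the real schemes), and the `hybrid-kem-v1` label and the transcript binding are assumptions of this example rather than any protocol’s wire format.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


SECRET_LEN = 32  # X25519 and ML-KEM shared secrets are both 32 bytes


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes, length: int = 32) -> bytes:
    """Combine one classical and one post-quantum shared secret into a session key.

    Both secrets go into the KDF as one fixed-length input string, so deriving the
    session key requires knowing both: a quantum attacker who breaks the classical
    exchange still lacks ss_pq, and a flaw in the newer PQ scheme still leaves
    ss_classical unknown. This is the property the post calls "hybrid mode".
    """
    if len(ss_classical) != SECRET_LEN or len(ss_pq) != SECRET_LEN:
        raise ValueError("shared secrets must be fixed-length to avoid concatenation ambiguity")
    prk = hkdf_extract(salt=b"", ikm=ss_classical + ss_pq)
    # Binding the handshake transcript into 'info' ties the key to this specific exchange.
    # The label below is an assumption of this example, not any protocol's real constant.
    return hkdf_expand(prk, b"hybrid-kem-v1" + transcript, length)


if __name__ == "__main__":
    # Constructed stand-ins for the two shared secrets a real handshake would produce
    # (X25519 on the classical side, an ML-KEM decapsulation on the PQ side).
    ss_x25519 = bytes.fromhex("11" * 32)
    ss_mlkem = bytes.fromhex("22" * 32)
    transcript = hashlib.sha256(b"constructed handshake messages").digest()
    print(hybrid_session_key(ss_x25519, ss_mlkem, transcript).hex())
```

The fixed-length check matters more than it looks: if the two secrets could vary in length, two different (classical, PQ) pairs could concatenate to the same byte string. Keeping the combiner a plain KDF over the concatenation also means you can drop the classical half later, once the PQ algorithms have earned trust, without redesigning the handshake.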

While this isn’t currently a massively pressing issue, if you’re working at a company (or on projects) that is building out new software, it is worth spending a few more cycles to make sure you get this right now so it doesn’t impact your software in the future. Remember, the threat of quantum computers is that eventually, they’ll likely be able to break weak encryption algorithms. Many entities are known to be collecting encrypted data they cannot decrypt now because they know there is a high chance they’ll be able to decrypt it in the future.

MITRE releases MITRE ATT&CK v16.0

MITRE has updated the MITRE ATT&CK framework with plenty of changes, including a revamped Cloud Matrix, and even a contribution from myself regarding udev rules. If you work in offensive security, you can check out USP, a simple tool I wrote for automating persistence using this method. Personally, I’m really happy with the state of MITRE ATT&CK; I find it a high-value resource to point people to, because it makes a technique easy to explain to those who don’t necessarily have a background in offensive security. I find that often people don’t know that MITRE also maintains other submatrices that are just as useful:
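Since udev rules are now a catalogued persistence technique, the natural defender-side companion is an inventory of every command a host’s rule files would execute. The scanner below is an added example written for this newsletter, not code from MITRE, from the USP tool, or from the ATT&CK contribution. It parses the `RUN`, `PROGRAM` and `IMPORT{program}` keys of udev rule syntax (these are the keys udev(7) documents as executing external programs), and the rule directories it lists are the standard ones from udev(7). The trusted-path allowlist and the suspicious-marker list are assumptions to be tuned per environment, and the sample rule text is constructed for the example.

```python
import glob
import os
import re
from typing import Dict, List

# Directories udev reads rule files from, per udev(7). audit() runs on the constructed
# sample below; scan_directories() walks these on a live host.
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d")

# Assumed allowlist: where legitimate udev helper programs normally live. Tune per distro.
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")

# Assumed heuristics: paths and tools that rarely belong in a device rule.
SUSPICIOUS_MARKERS = ("/tmp/", "/var/tmp/", "/dev/shm/", "curl ", "wget ", "base64", "nc ")

# One udev rule token: KEY, optional {attr}, operator (==, !=, =, +=, -=, :=), quoted value.
TOKEN_RE = re.compile(r'([A-Z]+)(?:\{([^}]*)\})?\s*([=!+:-]?=)\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample rule file; not taken from any real host.
SAMPLE_RULES = """\
# benign: vendor helper run on USB hotplug
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb_id"
# persistence-style: shell wrapper launching something from /dev/shm on every add event
ACTION=="add", RUN+="/bin/sh -c '/dev/shm/.cache &'"
KERNEL=="sda", IMPORT{program}="/usr/lib/udev/ata_id --export $devnode"
ENV{ID_SERIAL}=="*", PROGRAM="/tmp/helper"
"""


def exec_commands(rule_text: str) -> List[Dict]:
    """Return every external command a rule file would execute, with its line number."""
    found = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for key, attr, _op, value in TOKEN_RE.findall(line):
            if key == "IMPORT" and attr != "program":
                continue  # IMPORT{file}, IMPORT{builtin}, ... do not run an external program
            if key == "RUN" and attr not in ("", "program"):
                continue  # RUN{builtin} invokes udev's internal built-ins, not a path on disk
            if key not in ("RUN", "PROGRAM", "IMPORT"):
                continue
            found.append({"line": line_no, "key": key, "command": value})
    return found


def classify(command: str) -> str:
    """Return a reason string if the command looks out of place, else an empty string."""
    parts = command.split()
    program = parts[0] if parts else ""
    if not program.startswith(TRUSTED_PREFIXES):
        return f"program {program!r} outside trusted directories"
    for marker in SUSPICIOUS_MARKERS:
        if marker in command:
            return f"command references {marker.strip()!r}"
    return ""


def audit(rule_text: str) -> List[Dict]:
    """Inventory of executed commands, each tagged with a suspicious flag and reason."""
    findings = []
    for entry in exec_commands(rule_text):
        reason = classify(entry["command"])
        findings.append({**entry, "suspicious": bool(reason), "reason": reason})
    return findings


def scan_directories(dirs=RULE_DIRS) -> Dict[str, List[Dict]]:
    """Audit every *.rules file under the given directories on a live host."""
    results = {}
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.rules"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = audit(fh.read())
    return results


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"line {f['line']:>3} {f['key']:<8} {flag:<10} {f['command']}  {f['reason']}")
```

Run against a live host, the useful output is the full inventory rather than only the flagged lines: a baseline of every executable referenced from rules.d, diffed over time, catches additions that a keyword heuristic would miss.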

Caught My Eye

  • NTLM Fully Explained for Security Professionals: I would consider this the gold standard for both how NTLM works and also what a high-quality blog post looks like.
  • An Analysis of the Keycloak Authentication System: Very interesting write-up detailing multiple vulnerabilities in Keycloak. Notably, the author’s note at the end discusses the difficulties they had working with maintainers, demonstrated by the 10 months it took to get a fix for an MFA bypass.
  • Isecjobs Salary Data: Interesting roundup of infosec-related salaries. These are never great for exact salary data but are good indicators. For example, the median salary for a Malware Reverse Engineer is $179,000. Is this useful? Maybe. If you have the same job role and you’re making $79,000, it’s worth doing more research. Levels.fyi has much more data but skews toward SWE roles.
  • Okta Had An Authentication Oopsie: It looks like Okta had a small bug where if your username is longer than 52 characters, you may be able to authenticate to your account using only your username. This tweet from @bcrypt explains why this might be the case. TL;DR: don’t just hash username+password.
  • The Many IP Addresses of Kubernetes: A wonderful read from Rory McCune shedding some light on the IP addresses you’re likely to run into when working with Kubernetes.

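The Okta item deserves a concrete illustration of why “don’t just hash username+password” is the lesson. The mechanism behind it is a documented property of bcrypt: it uses only the first 72 bytes of its input and silently ignores the rest, so once the bytes in front of the password fill that budget, the password no longer influences the hash. The block below is an added example, not Okta’s code or the content of the linked tweet. It uses a stdlib PBKDF2 stand-in that models only the 72-byte truncation (so it runs without the bcrypt package), and it concatenates just username + password; the page’s 52-character threshold indicates that more than the username preceded the password in the real key, so the simulation’s threshold differs from Okta’s. The hardened variant hashes the password alone and treats the username as a lookup key; the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

# bcrypt uses only the first 72 bytes of its input and silently ignores the rest.
# That documented limit is the only bcrypt behaviour this example simulates.
BCRYPT_INPUT_LIMIT = 72


def truncating_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt: stdlib PBKDF2-HMAC-SHA256 applied to the truncated input."""
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_INPUT_LIMIT], salt, 10_000)


# --- weak scheme: the stored key is hash(username + password) ---------------------
def enroll_weak(username: str, password: str) -> dict:
    salt = os.urandom(16)
    material = (username + password).encode()
    return {"salt": salt, "digest": truncating_hash(material, salt)}


def verify_weak(record: dict, username: str, password: str) -> bool:
    material = (username + password).encode()
    return hmac.compare_digest(record["digest"], truncating_hash(material, record["salt"]))


def password_bytes_checked(username: str) -> int:
    """Defender check: how many password bytes still influence the weak scheme's hash."""
    return max(0, BCRYPT_INPUT_LIMIT - len(username.encode()))


# --- hardened scheme: only the password is hashed; the username is a lookup key ----
def enroll_hardened(username: str, password: str) -> dict:
    if len(password.encode()) > BCRYPT_INPUT_LIMIT:
        # One option assumed here: refuse inputs the hash would truncate.
        raise ValueError("password exceeds the hash input limit")
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "digest": truncating_hash(password.encode(), salt)}


def verify_hardened(record: dict, username: str, password: str) -> bool:
    if record["username"] != username:
        return False
    return hmac.compare_digest(record["digest"], truncating_hash(password.encode(), record["salt"]))


if __name__ == "__main__":
    long_user = "user-" + "x" * 70  # constructed 75-byte username
    rec = enroll_weak(long_user, "hunter2")
    print("weak scheme accepts a wrong password:", verify_weak(rec, long_user, "wrong"))
    print("password bytes the weak scheme checks:", password_bytes_checked(long_user))
    rec = enroll_hardened(long_user, "hunter2")
    print("hardened scheme accepts a wrong password:", verify_hardened(rec, long_user, "wrong"))
```

The `password_bytes_checked` helper is the audit you would run over an existing user table: any account whose prefix material leaves fewer password bytes than your policy’s minimum length is already verifying a shorter secret than the user believes. Note the hardened scheme still has to decide what to do with passwords longer than the limit; rejecting them is the option shown, pre-hashing is another.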
Newsletter

Want this sent straight to your inbox? You can subscribe here to have it sent every Monday morning.