Radar #2: This week's topics include the Pacific Rim report, the Quantum Apocalypse, and the new MITRE ATT&CK framework.
Sophos X-Ops released an extremely detailed report, informed by details they obtained tracking a threat group performing vulnerability research on Sophos products. I highly recommend reading the full report and their more detailed timeline of events as there are some fascinating details about how Sophos tracked these threat actors that I’m shocked were approved by their legal team. Particularly interesting is that Sophos pushed their own malware “implant” to collect more telemetry for a Sophos device the company identified as being used by a threat actor for vulnerability analysis. Data collected from this “implant” was used to patch vulnerabilities the threat actors discovered and aid in threat-hunting activities by Sophos.
The report adds more data points to the picture of how PRC-related threat actors operate within China’s offensive security ecosystem (PDF). To the offensive security world the TTPs are nothing groundbreaking: a vulnerability research team -> automated “spray and pray” style attacks on a wide range of targets, used to gain “Operational Relay Boxes” (infrastructure from which future, typically more sophisticated, attacks can be launched) -> a move to more surgical hands-on-keyboard operations at later stages of the campaigns.
Interestingly, Sophos noted there were multiple bug bounty reports disclosing zero-day vulnerabilities just before being used for the first time by these threat actors. This sounds like it could be a case of information leakage where the threat actor goes and talks to a buddy about vulnerabilities they’re working on and their buddy anonymously discloses it for a bug bounty reward, or the threat actor is double dipping: being paid to find a vulnerability during their day job then going home and disclosing it anonymously for extra cash.
How do you use this information (or any piece of threat intel) to effect change in your organization? It’s hard to make threat intel actionable when you’re an individual contributor. Threat intel is immensely useful when it’s used as a tool in your toolkit for crafting a narrative to get executive buy-in for driving security change. Saying “We need to patch CVE X” isn’t impactful. Instead, try to paint the picture: “This PRC-linked threat actor is actively performing vulnerability research and targeting devices we use, therefore we need to do XYZ to mitigate the threat.” That is much more likely to get executive attention.
I don’t know if it was intentional, but Sophos just performed a masterclass on how to effectively market to technical professionals. If your company wants to be known for good security, publishing actual interesting reports/research/tooling/etc will help you attract both security talent and customers.
This lengthy post by Pascal Schärli goes into great detail about both the valid and unfounded fears we have about quantum computing in regard to the encryption algorithms we use today. A few key takeaways are:
While this isn’t currently a massively pressing issue, if you’re working at a company (or on projects) that is building out new software, it is worth spending a few more cycles to make sure you get this right now so it doesn’t impact your software in the future. Remember, the threat of quantum computers is that eventually, they’ll likely be able to break weak encryption algorithms. Many entities are known to be collecting encrypted data they cannot decrypt now because they know there is a high chance they’ll be able to decrypt it in the future.
MITRE has released an update to the MITRE ATT&CK framework with plenty of changes, including a revamped Cloud Matrix, and even a contribution from myself regarding udev rules. If you work in offensive security, you can check out USP, a simple tool I wrote for automating persistence using this method. Personally, I’m really happy with the state of MITRE ATT&CK; I find it to be a high-value resource to point people to who don’t necessarily have a background in offensive security, as it explains techniques in an accessible way. I find that often people don’t know that MITRE also maintains other submatrices that are just as useful: