October is Cyber Security Awareness Month and that means we can express our anxieties and fears over strange mouse movements on our screen! But in all seriousness, this is a good opportunity for experts to take a step back to evaluate our state of affairs, and figure out the best ways to communicate current issues and remedies to non-experts, whether they are in positions of power or not.
We have leaks of massive databases of sensitive personal data that somehow keep getting worse, malware that is getting nastier every week, and seemingly no major institution is without some kind of breach. We also constantly find more commodities we own and aspects of our lives to digitize, placing networked computers, microphones and cameras in places they’d never been before, and often shouldn’t be in the first place. We do all of this while repeating the same security mistakes we’ve been making for decades. Quite a spooky problem indeed.
It’s not all bleak, however. There have been significant improvements in the world of cyber security, but the challenges just seem to shapeshift, instead of disappearing – morphing from old problem to new problem.
Now is a great opportunity for us to evaluate our own security postures and ask how we can best improve them. New-fangled technologies like two-factor authentication or our own AI-based solutions can help, but so will basics like log monitoring, system hardening, timely software updates, and user education programs.
Last month, CCleaner, the popular registry cleaning software, was compromised. Attackers inserted malicious code into the CCleaner installer, taking advantage of the legitimate software as a delivery mechanism.
What at first seemed like a benign and untargeted attack quickly became more nefarious, as it was discovered that the malware would download and run a second-stage payload if the infected computer belonged to one of a set of specific domains, which included many well-known large technology companies.
Intezer has done some more research into the CCleaner supply-chain breach, reporting links to Chinese state actors. By analyzing the second-stage payload, they’ve noted many similarities with tools previously used by Axiom group/APT 17.
Overall, with encrypted payloads and steganography tricks to dynamically communicate a C&C server address, this has the features of a skilled and resourced attacker.
Bears, pandas, kittens, tigers, and spiders! Oh, my! It’s only appropriate that October is Cyber Security Awareness Month. After all, when else do you see people roaming the streets dressed up as their favorite characters to plunder their neighborhood for treasure?
The world of information security is no different, as researchers discovered a mysterious tracking pixel installed on the control panel of a known CROUCHING YETI command and control server.
CROUCHING YETI had originally hacked the unsuspecting website to use as a listening post for compromised computers to beacon back and receive tasking. However, they weren’t the only ones listening. An unidentified actor also hacked the same server and inserted a 1x1 tracking pixel which would send visitor information to a server based in China.
In this wonderful game of matryoshka doll servers, that server in China was also hacked. Which APT is it anyways when there are multiple actors controlling the same hacked infrastructure?
This isn’t the first case of “Crouching APT, Hidden APT” and it surely won’t be the last. Every APT actor might as well be a red herring. Each actor may as well be wearing the mask (read: indicators of compromise) of another actor.
Moral of the story? Attribution ain’t easy.