Newsletters

The 3CX supply chain attack this March was enabled by a prior supply chain attack against a company named Trading Technologies. We're not that surprised that the supply chain hackers did other supply chain hacking. If anything, we think the real angle here is what this incident teaches us about North Korea's expansive targeting priorities and operations.

Trading Technologies, a company that facilitates futures trading, was compromised some time in 2021 and the firm's X_Trader software package trojaned. Even though X_Trader had already been discontinued, the malicious version remained available on the firm's website and a 3CX employee subsequently downloaded and installed it on their personal computer. The attackers/operators used this access to steal the employee's work credentials which granted them administrator-level access to 3CX systems.

Mandiant has attributed the activity to a financially-motivated North Korean APT group it calls UNC4736.

The vulnerability—tracked as CVE-2023-29552—allows an attacker to send a small request to an SLP server that is then bounced toward a victim's network at a much larger size.

This trick is used by threat actors to execute "reflected DDoS attacks," and in the case of SLP, researchers say the protocol's amplification factor is a whopping 2200x, which ranks SLP as the protocol with the third largest amplification factor ever observed.

Because of the protocol's huge output potential for DDoS attacks, both Cloudflare and Netscout expect " the prevalence of SLP-based DDoS attacks to rise significantly in the coming weeks" as threat actors learn to exploit it.

Eurocontrol DDoS attacks: Europe's air-traffic control agency Eurocontrol says pro-Russian hackers attacked and caused interruptions to its public website last week. The agency says the attacks have not impacted EU air traffic. Pro-Kremlin group Killnet took credit for the DDoS attacks. [Additional coverage in CNN]

Capita ransomware incident: Security researcher Kevin Beaumont has a blog post summarizing Capita's good efforts at containing a recent ransomware attack but ridiculously bad PR work.

Trust Wallet crypto-thefts: The operators of the Trust Wallet cryptocurrency wallet say a threat actor exploited a vulnerability in its product to steal $170,000 from two wallets last November. The company says that only its browser extension wallet is affected. Trust Wallet says the vulnerability was found in one of the extension's third-party libraries. The company says it released a security patch last year and has asked customers to generate new wallet addresses to mitigate attacks. Trust Wallet says it will reimburse users who lost funds as a result of the hack. A detailed technical analysis of the vulnerability is also available.

The European Commission says implementing the EU Cyber Solidarity Act would cost €1.1 billion, of which two-thirds will be provided from the EU's budget, while the rest will come from member states.

EU officials started work on the new regulation in March of last year, after Russia's invasion of Ukraine, when it became apparent Russia was using its cyber capabilities both inside and outside Ukraine.

The EU Cyber Solidary Act will now go to the European Parliament and the European Council for feedback and approval.

The CSC 2.0 project — which aims to continue the work of the US Government's Cyberspace Solarium Commission — has recommended that the US government designate space systems as critical infrastructure.

The project's report argues that the space sector is increasingly important but also increasingly under threat from adversary states:

On the importance side, the report notes that space underpins a variety of other critical infrastructure sectors. Space services such as positioning, navigation and timing are used across diverse critical infrastructure sectors such as energy, water, telecommunications, transportation, agriculture, and even financial systems.

Apple launched Lockdown Mode in the fall of last year for both iOS and macOS.

The company described Lockdown Mode as an "extreme and super-secure protection mode" where iOS and macOS turn off internal services and features that are commonly abused by threat actors.

In a call with Apple before the launch, the company's security team told Risky Business they designed Lockdown Mode specifically to protect high-risk individuals who are regularly targeted with zero-days and advanced spyware.

Per Microsoft and CitizenLab, KingsPawn is just one of the tool of QuaDream's main product, the REIGN surveillance platform, which also comes with similar Android hacking capabilities. Details about QuaDream's Android spyware are still unknown.

QuaDream also appears to have tested social media hacking capabilities as well. In December 2022 [PDF], Meta said it suspended 250 Facebook and Instagram that were operated by QuaDream to "test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation." Meta says that once the accounts were suspended, it saw no more malicious activity.

What we know so far is that Citizen Lab was able to identify operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan.

Microsoft told RiskyBizNews that its Defender security platform has detected around 1.5 million infected computers communicating with cracked Cobalt Strike servers over the past two years.

A 2020 Recorded Future report found that more than 1,400 malware C&C servers were using Cobalt Strike as their backend at the time. A Censys search currently returns ~540 Cobalt Strike servers hosted in the wild.

Microsoft, together with Fortra and Health-ISAC, say they now plan to use the recently-obtained court order to "notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs)" and have them assist in taking cracked Cobalt Strike servers offline.

The UK's National Cyber Force (NCF) has published its views on "being a responsible cyber power" and explained how it currently conducts offensive cyber operations (those that deny, degrade, disrupt). It's a great read, and what shines through very strongly is that for the NCF the goal of these types of operations is to mess with people's minds.

The NCF is the UK's equivalent of US Cyber Command and was established in 2020 to operate "in and through cyberspace to disrupt, deny, degrade and contest those who would do harm to the UK and its allies". It brings together personnel from UK defence and intelligence agencies such as GCHQ, boffins from the Ministry of Defence and the SIS (aka MI6, the UK's foreign HUMINT organisation).

So, not just a bunch of cyber geeks, then. This breadth of perspectives is evident in the human-centric way that the NCF talks about its goal, which is not about dominating cyberspace but is instead to mess with people:

WD breach: American data storage company Western Digital says hackers gained access and stole data from some of its internal systems. The incident took place on March 26, the company said in a statement. Western Digital says it shut down the affected system and is working with a security vendor to investigate the breach and restore the affected systems. Some of the company's cloud systems were down over the weekend as a result of the attack.

eFile compromise: The website of eFile.com, an IRS-authorised service for filing tax returns, has been compromised and used to deliver malware to visitors. According to researchers from the ISC SANS, the website was modified with a malicious JavaScript file that prompted users to update their browsers. These updates would download malicious Windows executables—labeled as trojans by the file-scanning service VirusTotal.

KNVB hack: The Dutch football (soccer) federation says that hackers have breached its servers and stolen the personal information of its employees. The incident took place on Saturday. The KNVB says it reported the breach to the Dutch Data Protection Agency.