This week in security has seen some new moves from the federal government on zero trust, tighter collaboration with the private tech sector, and more than a few new attacks from groups operating in China and Iran. With that said, here’s the security news in review.
The push to accelerate the government’s zero trust journey using cloud-native security
We’re not the only ones pushing for extending zero trust beyond the network and identity. Listen to this podcast, featuring Dan Prieto, former White House security advisor. “Every agency already has many of the ingredients [for zero trust],” he says, “including network security, endpoint and application security, malware protection, identity protection and more...the executive order is really an inflection point. What zero trust demands is coordinating, integrating and orchestrating those [siloed] solutions to really drive [better outcomes].” If you’re an agency leader who is looking for ways to protect your data with zero trust click the link here.
GhostEmperor active in Southeast Asia
Kaspersky has announced its discovery of a unique, long-running operation, called GhostEmperor. The campaign used Microsoft Exchange vulnerabilities to target high-profile victims with an advanced toolset and bore no similarity to any known threat actor. The findings are part of Kaspersky’s APT Trends Q2 2021 report. GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. To learn more about GhostEmperor, click here.
There’s a new FatalRat in town
According to AT&T Alien Labs, "The newly identified FatalRat malware has been using techniques like obfuscation, anti-sandbox and antivirus evasion, encrypted configurations, logging user keystrokes, system persistence, login brute force, collection of system data, and encrypted communications with command and control server. Alien Labs has discovered multiple samples in the past few months, with a slight dip in July. However, we expect to continue to see the presence of FatalRat and its variants in our samples in the near future." For a full analysis of FatalRat, click here.
Chinese Threat Actors Target Telecom Companies
This Cyberwire summary outlines the latest threat, discovered by Cybereason. Their research states that three cyber espionage campaigns by Chinese threat actors against telecommunications companies have recently occurred. The researchers say that the actor is targeting "high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers."
As mentioned, the campaign is broken down into three clusters. Cluster A has been assessed to be operated by Soft Cell, Cluster B has been assessed to be operated by the Naikon APT, and Cluster C has been characterized as a mini-cluster built around a unique OWA backdoor that was deployed across multiple Microsoft Exchange and IIS servers. Click here for the full report of the Chinese espionage campaign.
Black Hat: Security Bugs Allow Takeover of Capsule Hotel Rooms
In a Wednesday session at Black Hat 2021, “Hacking a Capsule Hotel – Ghost in the Bedrooms,” Kya Supa, security consultant at LEXFO, explained that the iPod touch handed to guests at check-in in various capsule hotels allows customers to pester other hotel guests, and possibly commit cybercrime, by exploiting a security vulnerability. In total, Supa found six different bugs or vulnerabilities: Guided Access bypass, usage of WEP, a simple router interface with default credentials, the Nasnos service available without authentication, read/write access to the router's remote configuration capability, and use of non-random AP keys.
The takeaway? Hotel infrastructure must be updated so that easily preventable data breaches do not occur. To learn more about security bugs and hotels, click here.
Several Malware Families Targeting IIS Web Servers With Malicious Modules
According to The Hacker News, “A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software continues to be a hotbed for natively developed malware for close to eight years.” The findings were presented at the Black Hat 2021 security conference. For a full breakdown of the malware families and their modes of operation, click here.
“Joint Cyber Defense Collaborative” is created after high-profile cyberattacks on U.S. infrastructure
The U.S. government is enlisting the help of tech companies, including Amazon, Microsoft, and Google, to bolster the country’s critical infrastructure defenses against cyber threats after a string of high-profile attacks. Called the Joint Cyber Defense Collaborative, the effort will initially focus on combating ransomware and cyberattacks on cloud-computing providers. Other Joint Cyber Defense Collaborative participants include telecommunications vendors AT&T Inc., Verizon Communications Inc., and Lumen Technologies Inc. This is a massive deal for the private cyber defense sector and for government agencies. Read more about the new collaboration here.
HTTP/2 Implementation Errors Expose Websites to Serious Risks
Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, according to a researcher at Black Hat. James Kettle, director of research at PortSwigger, said that nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1.
However, many security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients into HTTP/1.1 before forwarding them to a back-end server. Because HTTP/2 carries method, path and header values as length-prefixed fields rather than as delimited text, a naive rewrite can produce an HTTP/1.1 request whose framing the back-end interprets differently than the front-end did. This setup could lead to many attacks on high-profile targets like Netflix and other streaming services. Read more for the full summary of the risk to websites.
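The defensive counterpart to the front-end downgrade described above is a rewrite step that refuses to emit any HTTP/1.1 request whose framing could be read two ways. The following is an added example written for this post; it is not PortSwigger's code or any particular proxy's implementation. It assumes the front-end has already decoded the HTTP/2 request into pseudo-headers, a header list and a body, and it rejects rather than "repairs" anything that HTTP/1.1 would treat as a delimiter (CR, LF, NUL, non-ASCII bytes, whitespace in the request line) or as a second source of body length (client-supplied Transfer-Encoding, or a Content-Length that disagrees with the actual body).

```python
"""Hardened HTTP/2 -> HTTP/1.1 request rewrite (constructed example).

downgrade() builds the HTTP/1.1 bytes a front-end would forward to a
back-end. Every field is validated against HTTP/1.1 framing rules first,
so the only body-length indicator the back-end ever sees is the one the
front-end computed itself.
"""
from typing import List, Tuple


class DowngradeError(ValueError):
    """Raised when an HTTP/2 request cannot be expressed unambiguously in HTTP/1.1."""


# RFC 7230 'tchar': the only characters allowed in a method or header name.
_TCHAR = set("!#$%&'*+-.^_`|~0123456789"
             "abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Headers the front-end owns; a client copy must never pass through.
_FRONTEND_OWNED = {"transfer-encoding", "content-length", "host", "connection"}


def _is_token(s: str) -> bool:
    return bool(s) and all(c in _TCHAR for c in s)


def _is_field_value(s: str) -> bool:
    # Visible ASCII plus SP/HTAB. This excludes CR, LF, NUL and any
    # non-ASCII byte, all of which HTTP/2 allows in an opaque value but
    # which change framing once serialised as HTTP/1.1 text.
    return all(c in " \t" or 0x21 <= ord(c) <= 0x7E for c in s)


def downgrade(method: str, path: str, authority: str,
              headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Return HTTP/1.1 request bytes, or raise DowngradeError."""
    if not _is_token(method):
        raise DowngradeError(f"invalid method {method!r}")
    # Request-target and authority must contain no whitespace or control
    # characters, otherwise the request line itself becomes ambiguous.
    for label, field in (("path", path), ("authority", authority)):
        if not field or not _is_field_value(field) or any(c in " \t" for c in field):
            raise DowngradeError(f"invalid {label} {field!r}")

    out_lines = [f"{method} {path} HTTP/1.1", f"Host: {authority}"]
    for name, value in headers:
        lname = name.lower()
        if not _is_token(lname):
            raise DowngradeError(f"invalid header name {name!r}")
        if not _is_field_value(value):
            raise DowngradeError(f"invalid header value for {name!r}")
        if lname == "content-length":
            # Allowed in HTTP/2, but it must agree with the body we actually
            # received; otherwise the client is lying about the framing.
            if not value.isdigit() or int(value) != len(body):
                raise DowngradeError("content-length does not match body")
            continue  # the front-end emits its own copy below
        if lname in _FRONTEND_OWNED:
            raise DowngradeError(f"client-supplied {lname} rejected")
        out_lines.append(f"{name}: {value}")

    # Exactly one length indicator, computed here, never copied from the client.
    out_lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(out_lines) + "\r\n\r\n"
    return head.encode("ascii") + body


if __name__ == "__main__":
    # Constructed sample request: a well-formed POST downgrades cleanly.
    print(downgrade("POST", "/api", "example.test",
                    [("content-type", "text/plain")], b"hello").decode())
```

The design choice worth noting is that the function never tries to sanitise a bad field (for example by stripping a CR/LF pair); a request that cannot be represented faithfully is dropped at the front-end, which is also the natural place to log and alert on such requests.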
Charming Kittens and Black Hats
The suspected Iranian threat group that IBM Security X-Force calls ITG18, and which overlaps with the group known as Charming Kitten, keeps leaving prints behind. At a Black Hat 2021 presentation, researchers described “little looter” as an insidious threat to Android devices. LittleLooter is “functionally rich,” according to researchers, and provides ITG18 operators the ability to pull off a long list of stunts on an infected Android device, including, but not limited to, the following: record video, call a number, record the live screen, upload/download/delete a file, record sound, list storage information, record voice calls, and more. Make sure to read the very “charming” report.