
History in the Making: Uber CISO Goes on Trial

Cybersecurity history books will have at least one chapter covering the events of this week. If you’re a CISO, you’re probably well aware of what I’m talking about, but for everyone else, let me explain what’s going on.

In 2016, the ride-sharing company Uber fell victim to a data breach that exposed the personal information of 600,000 drivers and 57 million riders. It was a big breach but otherwise unremarkable. The attackers did not deploy any particularly novel techniques or do much damage with the stolen data. The attack was ordinary; the response was not (allegedly).

Joe Sullivan, a former federal prosecutor and something of a celebrity in cybersecurity circles, was Uber’s CISO at the time. He led the response to the 2016 data breach, and now he’s on trial for his actions.

I will reserve as much judgment as possible as I outline what happened. My goal is not to root for one outcome or another. No, my goal is only to call attention to a fascinating situation in progress that will have repercussions for the entire cybersecurity community and beyond. No matter what happens, cybersecurity will not be the same after this trial.

A Fixer or a Fall Guy?

Joe Sullivan’s trial for obstruction and failure to report a felony began this week. The government essentially accuses Sullivan of failing to report the 2016 data breach to the Federal Trade Commission (FTC) and hiding it from his employers.

That accusation stems from the fact that Sullivan, upon learning about the breach, made contact with the two hackers responsible and offered them each a payment of $100,000 in exchange for signing a non-disclosure agreement. Those payments came through Uber’s bug bounty program.

Government lawyers accuse Sullivan of using these payments to essentially hide the attack from both regulators and his bosses at Uber. At the time, Uber was under strict scrutiny from the FTC because of a previous data breach in 2014. Framing the payment as a bounty (something minor) rather than a payoff (something major) allowed Sullivan to keep the existence of the data breach a secret, according to prosecutors, and avoid the ire of the FTC.

Sullivan sees things differently. He argues that payments through bug bounty programs and enhanced secrecy following an attack are not unusual. He also claims the breach was widely known about within Uber’s security team, and that responsibility for disclosing the attack to the FTC fell on Uber’s legal team. Sullivan believes he’s become the fall guy for an organization eager to make excuses for past failures instead of making improvements.

Did Joe Sullivan cover up the attack or follow standard operating procedure? That’s the question at the heart of the trial, and it’s sparking heated debates across cybersecurity. Some see Joe Sullivan as a dedicated defender using clever and necessary tactics to deal with the attackers (who were both eventually arrested and prosecuted). Others think Sullivan exemplifies the worst instinct in cybersecurity: to sweep attacks under the rug rather than strive to be transparent and accountable.

There’s more grey area here – much of it about the letter of the law rather than cybersecurity best practices – than either side would probably like to admit. But, to me, what’s even more interesting than the outcome of the trial is the fact that it’s happening at all.

CISOs in the Hot Seat

The government accuses Sullivan of violating federal and state laws mandating breach notifications. But the penalty for breaking those laws is to pay a fine, not to have the CISO stand trial, so why is Joe Sullivan in court?

Prosecutors are applying several legal theories that are interesting and worth diving into (but also long, complex, and densely argued). Rather than rehashing those arguments here, suffice it to say that the government has constructed an argument that could, from here on out, expose CISOs to criminal charges and sweeping legal liabilities for attacks (successful or otherwise) against their employer.

This obviously raises the stakes for being a CISO. And given the worsening state of cybersecurity, it could make serving as a CISO an extremely risky job, certainly compared to any other member of the C-suite. Will that risk prompt companies to take cybersecurity extremely seriously? Or will it just make it extremely hard to recruit CISOs? I’m not sure, but I’m confident it will change the character of cybersecurity as we know it.

Provided it comes to fruition. Joe Sullivan’s trial is a test of the government’s legal arguments, and whether the court finds them convincing remains to be seen. A not guilty verdict could restore the status quo – but I think change is coming, either now or later.

In many ways, the prosecution of Joe Sullivan is punishment for Uber’s repeated and often egregious disregard for data security. They poked the bear one too many times. I think this prosecution, no matter how it plays out, signals a desire on the part of the FTC specifically and the government more broadly to enforce strong cybersecurity standards. Whether that results in CISOs going to jail or something else, I think the era of hiding or excusing cyber attacks is over. The risk far outweighs the reward. What’s the fate of Joe Sullivan? I don’t know. No matter what, he’s cemented his place in cybersecurity history.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Twitter Whistleblower Hearing

Twitter’s former head of security, Peiter “Mudge” Zatko gave damning testimony regarding Twitter’s alleged lack of cybersecurity measures to the Senate Judiciary Committee last Tuesday. Of course, it remains to be seen if lawmakers will do more than grumble about such inexcusable vulnerabilities.

Among the two hours of testimony, Zatko describes a disturbing unwillingness on the part of Twitter’s execs to secure the data of its 400 million users in a meaningful way.

After the embarrassing social engineering hack back in 2020 which led to the takeover of several high-profile accounts, Twitter hired Zatko to oversee security operations. He was brought on to control what he describes as a “ticking time bomb of security vulnerabilities” created by “10 years of overdue critical security issues, [without] making meaningful progress on them.”

The allegations made by Zatko would paint a comical picture if the implications weren’t so dire. Beyond the lax cybersecurity measures, we learn that Twitter possibly had a Chinese agent from the Ministry of State Security on the payroll. After notifying an executive about the possibility of foreign agents in the ranks, Zatko recounts that the executive responded with “Well, since we already have one, what does it matter if we have more?”

We also learn from the hearing that the cause of this debacle, in Zatko’s opinion, is Twitter’s utter lack of understanding in regard to the data it collects. “It doesn’t matter who has keys if you don’t have any locks on the doors,” he said.

In response to Zatko’s testimony, Twitter spokesperson Rebecca Hahn said that it “only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies.”

Twitter’s response is interesting given the swathe of inquiries into Zatko’s background reported by Ronan Farrow in an article for the New Yorker. Purportedly, a number of research-and-advisory companies have approached former colleagues and individuals in the far reaches of Zatko’s professional sphere looking for information to discredit him.

The whistleblower testimony along with Twitter’s subsequent actions point to much more than simple ignorance of cybersecurity best practices. There appears to be a criminal disregard among Twitter’s execs for the data security of the platform’s users in favor of profit and the status quo. Those implicated should be held accountable beyond corporate fines that amount to little more than a scolding.

At least things are looking good for billionaire Musk’s attempt to renege on his agreement to acquire Twitter.


Threat Actors, Categories, and the Impact on Your Business

Intro

In this article I will cover some basics about the types of threat actors, threat categories, and their possible impact on your organization.

Let’s get to it!

Threats

Before looking at the types of threat actors, let me give you a quick rundown of what is considered a threat and how it impacts businesses.

By definition, a threat is an event (unplanned, and not controlled by you or your systems) whose goal is to exfiltrate (exfil), manipulate, or access your organization’s resources. This is tightly coupled with the loss of integrity, confidentiality, and availability of those resources (the CIA triad).

This can impact your organization’s information systems, your network(s), and other resources.

Impact

The impact on your organization can vary; however, it should always be treated as a major concern, since a threat can target anything, from your org’s assets to its financials to, for example, the personal information of your employees. There’s no list that’s set in stone, but usually the impact falls into these areas:

  • Loss of integrity and confidentiality – basically, your data or resources become less trustworthy, which further damages your org’s reputation and business credibility
  • Damage to the customer relationship – this impacts your org’s relationship with its clients; losing some of them results in a drop in profits/sales
  • Financial losses – your org faces financial losses, either directly (maybe you got ransomwared and are asked to pay up) or indirectly (the man-hours spent repairing and recovering from the breach, etc.)
  • Operational impact – disruption to your operations; it could even affect your entire org’s network
  • Business reputation – you take a hit to your org’s reputation, which can result in losing existing clients and having trouble gaining new ones

Threat Actors

There are many different types of threat actors out there, however, the ones I am going to list here are what you will usually find in other resources on the Internet, handbooks, etc.

  • Script kiddies
  • Hacktivists
  • State-sponsored hackers
  • Insiders
  • Cyber terrorists
  • Industrial spies
  • Recreational (hobbyist) hackers
  • Organized/hacker groups
  • Ransomware gangs
  • APTs

Script kiddies – unskilled ‘hackers’ who usually run malicious scripts and software in the hope of breaching a system or network. They don’t understand the tooling or its inner workings; they just acquire it and run it blindly against systems. What you might call a spray-and-pray tactic.

Hacktivists – People who hack but are driven by political and/or ideological agenda. They are not novices and usually know what they’re doing, however, the whole motivation behind their attacks is driven by that agenda. This is usually manifested in the form of disabling or defacing websites, maybe even doxing and other similar stuff.

State-sponsored hackers – These guys are employed by their respective governments to breach and steal top-secret information, or to just damage the systems of other (competing) governments.

Insiders – These are YOUR employees, within your org, and are usually either terminated employees, disgruntled employees, or just good ol’ untrained staff. Generally, it’s hardest to hunt for these since they are already inside (detection is useless since they are legitimate users). They can also do a lot of damage to the org for the same reason – they have authorized access to your systems. Imagine a disgruntled employee ‘sharing’ their credentials with a hacker group they found on the dark web, or something along those lines. Nasty.

Cyber terrorists – These individuals are similar to the hacktivists as they are also driven by political, or, in this case, religious agenda, but their goal is a bit different. As we all know their currency is fear, thus cyber-terrorists aim to create fear and/or larger disruptions to your systems/network(s).

Industrial spies – They attack companies for commercial purposes, they are usually hired by competing companies with the idea of attacking their competitors to steal confidential data such as financial records, employee information, your business strategy, or your proprietary data.

Recreational hackers – These hackers break into systems so they can learn more; they don’t care about financial gain. They mostly exploit whatever they can for those learning purposes.

Organized/group hackers – A merry band of hacker friends with a goal to exploit and hack stuff for pure profit. They will go for your SSNs, PIIs, health records, financials, credit card information, etc. Anything they can use for leverage to get their payout or steal directly.

Ransomware gangs – These guys are also an organized group of hackers, but once they breach you and enter your systems, they will usually deploy some kind of ransomware. After encrypting your data, they will ask you to pay a ransom in order to get the data back. Typically, they focus on using compromised credentials to enter your systems. After that, they drop their payloads in the form of specially crafted encrypting malware – ransomware. Some well-known ransomware groups include: Conti, Lapsus, Hive, LockBit, AlphV/BlackCat. (Try not to pay the ransom! Instead, have backups and a recovery plan, disconnect network-connected devices where you can – I talked about this in previous articles – and contact the authorities.)

APTs or Advanced persistent threats – These are the stealthiest threat actors out there, and are typically a nation state itself, nation-state sponsored groups, or organized crime groups. They aim to breach your systems silently and establish themselves inside while remaining unnoticed by your detection systems. Their motivations are typically political or economic. The definition may vary from source to source, but the main thing for these groups is that they try to remain inside your systems undetected for as long as they can. Mean dwell time for APTs (2018 data) is 71 days in the Americas, 177 days in EMEA, and 204 days in the APAC region! (APTs – Wikipedia)

Both ransomware gangs and APTs might be grouped within the organized/group hackers, but I wanted to accentuate the distinction here. My article may not have the structure and strictness of a (hand)book, as my goal was not to bore you or enter a scholarly polemic, just provide you with the info straight on, so you can familiarize yourself with it and even take it further from here.

Threat Categories

Again, this might be structured differently in different sources, but I feel the following categorization is a good starting point, as a loose guideline of sorts.

Categories I included here are:

  • Network-based threats
  • Host-based threats
  • Application-based threats

Network-based Threats – This can pertain to: Information gathering/recon, Sniffing (eavesdropping), Spoofing, MITM – Man in the Middle attacks and session hijacking, DNS and ARP poisoning, Password-based attacks, DOS attacks, Firewall and IDS attacks

Host-based Threats – These would include: Malware attacks, arbitrary code execution, unauthorized access, privilege escalation, backdoors, physical security threats, footprinting

Application-based Threats – These can include (but are not limited to, of course – the same goes for the examples above): improper input validation, authentication attacks, security misconfiguration, information disclosure, broken session management, buffer overflow attacks, SQLi, phishing, improper error handling and exception management

Conclusion

Think of this article as an extremely compact explanation of threat actors and categories. I hope it provides enough initial info that you can build on further! In future articles, I will circle back to this topic and cover some of the stuff that’s mentioned here – or is related to it – in more depth.

Until next time! Stay tuned.

Useful Links

https://nvd.nist.gov

https://cve.mitre.org

https://www.vulnerability-lab.com

https://cyber.gc.ca/en/guidance/introduction-cyber-threat-environment

advanced persistent threat – Glossary | CSRC (nist.gov)

Cover image by Martin Sanchez

#threat-actors #threat-categories #impact


CISAnalysis – September 14, 2022

Coming off a spectacular run last week with a dozen vulnerabilities, CISA has come back down to Earth, adding a pair of vulnerabilities to the Known Exploited Vulnerabilities Catalog. It’s a peculiar predicament for sworn enemies and strange bedfellows Apple and Microsoft – two peas in a pod… or shall I say, kernel 😜.

First up, Apple

The flaw in Apple iOS, iPadOS, and macOS allows malicious apps to “promote” themselves to kernel-level privileges. What do kernel privileges give you? Everything. Full, unrestricted access to all machine resources – hardware, software, you name it. CISA is typically behind when it comes to cataloging, but they are not taking a Sunday stroll with this one. Apple disclosed the vulnerability on Sep 12 and two days later – bam! – it’s listed. Kudos, CISA, particularly when there is active exploitation and exploit code swirling on the black market.

Microsoft: we’re twinning

The twin flaw is in Windows Common Log File System Driver. Why the twin label? Because with a successful exploit, you get system privileges, which are analogous to kernel on Mac. So you get the whole kit and caboodle. This zero-day is being actively exploited in the wild, so you better get your bug spray out and go to town, stat.

Popcorn is great for a date night at the movies. But you don’t want these kernel(s) to explode 💥. Apply the vendor updates immediately.
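To turn a KEV addition like this into a patch-priority list, a defender can parse the catalog feed and sort by due date. The script below is an added example, not code from the post or from CISA; the field names follow the public KEV JSON (cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate), but the three entries are constructed to mirror the Apple kernel and Windows CLFS items described above, and their CVE ids are placeholders, not real identifiers.

```python
"""Triage a CISA KEV-style JSON feed: filter by vendor/age, sort by due date."""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. The CVE ids are
# placeholders (not real CVEs); dates mirror the Sep 14, 2022 additions.
SAMPLE_KEV = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",  # placeholder, not a real CVE
            "vendorProject": "Apple",
            "product": "iOS, iPadOS, and macOS",
            "vulnerabilityName": "Apple Multiple Products Kernel Privilege Escalation",
            "dateAdded": "2022-09-14",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-10-05",
        },
        {
            "cveID": "CVE-0000-0002",  # placeholder, not a real CVE
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows CLFS Driver Privilege Escalation",
            "dateAdded": "2022-09-14",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-10-05",
        },
        {
            "cveID": "CVE-0000-0003",  # placeholder: an older, already-due entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example Older Entry",
            "dateAdded": "2022-08-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-08-22",
        },
    ],
})


def parse_kev(text):
    """Parse KEV JSON text into a list of dicts with real date objects."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "name": v["vulnerabilityName"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "action": v["requiredAction"],
        })
    return entries


def triage(entries, today, vendors=None, added_within_days=None):
    """Return matching entries, most urgent first.

    vendors: optional set of vendorProject names to keep.
    added_within_days: optional cap on entry age (e.g. 7 = this week's additions).
    Each result gains 'days_left' (negative once the due date has passed)
    and an 'overdue' flag; sorted by due date, then CVE id, for stable output.
    """
    out = []
    for e in entries:
        if vendors and e["vendor"] not in vendors:
            continue
        if added_within_days is not None and (today - e["added"]).days > added_within_days:
            continue
        row = dict(e)
        row["days_left"] = (e["due"] - today).days
        row["overdue"] = row["days_left"] < 0
        out.append(row)
    return sorted(out, key=lambda r: (r["due"], r["cve"]))


if __name__ == "__main__":
    for r in triage(parse_kev(SAMPLE_KEV), date(2022, 9, 16)):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['cve']} {r['vendor']:<14} added {r['added']} due {r['due']} [{flag}]")
```

Pointing parse_kev at the live catalog download instead of SAMPLE_KEV gives the same report for the real feed.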

#cisa #cisanalysis #apple #microsoft #zeroday


Defcon/Black Hat Papers, Presentations, Resources

I am a digital hoarder of sorts. Well, maybe not exactly a hoarder, as I don’t have a NAS with petabytes worth of files, but I do like to collect some good resources. Of course, those are all about Infosec/Cyber.

Thus, I’ve decided to share them with you! I am leaving a link to a shared Google Drive folder where I will be adding them. My idea here is to make them somewhat organized at least, as I don’t really want to dump ALL of them on you. The stuff in the drive is either collected by me, or other fellow collectors, and all the .pdfs and other stuff you will find there is free, and shared by their respective creators/owners!

I have to say that in my efforts to collect, I’ve had to rely on other such enthusiasts too, and what I’m sharing here was actually collected by Joas A Santos – a red teamer and an Infosec leader. Big shoutout, and thanks for allowing me to share, to Joas and also for his unceasing efforts to share the knowledge and resources with the community. All of the presentations and papers found in the drive are available online (and shared by their respective authors – I don’t want to infringe on anyone’s IP), I am just trying to curate them and organize them for a bit.

Stuff that’s currently in the gdrive:

  • Why Did You Lose the Last PS5 Restock to a Bot
  • Internal Server Exploitation With New Desynchronization Primitives
  • Taking A Dump In the Cloud
  • No Code Malware: Windows 11 At Your Service
  • Running Rootkits Like a Nation-State Hacker
  • The Darknet OpSec By a Veteran Darknet Vendor
  • Weaponizing Windows Syscalls as Modern 32-bit Shellcode
  • OopsSec – The Bad, the Worst, and the Ugly of APTs Operations Security
  • The Evil PLC Attack – Weaponizing PLCs
  • Phreaking 2.0 – Abusing Microsoft Teams Direct Routing
  • Let’s Dance In the Cache – Destabilizing Hash Table on Microsoft IIS
  • Trace Me If You Can – Bypassing Linux Syscall Tracing
  • How Russia Is Trying to Block TOR
  • Reversing the Original XBOX Live Protocols
  • Save the Environment (Variable) Hijacking Legitimate Applications With a Minimal Footprint
  • Android Universal Root: Exploiting xPU Drivers
  • Devils Are In the File Descriptors: It Is Time To Catch Them All
  • ELF Section Docking – Revisiting Stageless Payload Delivery
  • Better Privacy Through Offense: How To Build a Privacy Red Team
  • A Journey Into Fuzzing WebAssembly Virtual Machines
  • Glitched on Earth by Humans: A Black-box Security Evaluation of the SpaceX Starlink User Terminal
  • Invisible Finger: Practical Electromagnetic Interference Attack on Touchscreen-based Electronic Devices
  • Trust Dies In the Darkness – Shedding Light on Samsung’s TrustZone Cryptographic Design
  • Broken Mesh: New Attack Surfaces of Bluetooth Mesh
  • Human or Not: Can You Really Detect the Fake Voices?
  • A New Trend For the Blue Team – Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware
  • Tunable Replica Circuit For Fault-Injection Detection
  • Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and for All
  • AAD Joined Machines – The New Lateral Movement
  • The Growth of Global Election Disinformation: The Role and Methodology of Government-linked Cyber Actors
  • Blasting Event-Driven Cornucopia: WMI-based User-space Attacks Blind SIEMs and EDRs
  • Dragon Tails: Preserving Supply-side Vulnerability Disclosure
  • IAM Whoever I Say IAM: Infiltrating Identity Providers Using 0Click Exploits
  • Attacks From a New Front Door in 4G & 5G Mobile Networks
  • Process Injection – Breaking All macOS Security Layers With a Single Vulnerability
  • Less SmartScreen More Caffeine – ClickOnce (Ab)Use for Trusted Code Execution
  • One Bootloader to Load Them All
  • Crossing the KASM: A Webapp Pentest Story

One last disclaimer, this time from me personally: I don’t have any political affiliations nor any sort of ideologically-driven agenda; I only care about the research/technical aspects of the linked resources, also, as mentioned before, these are shared freely.

Finally, here’s the link where you can find the above documents. Enjoy!

(I might also be uploading new stuff there, that’s currently not listed, so feel free to check it out from time to time, and if something’s not working for you feel free to ping me for access, or for me to send you the files)

Cover image by Sincerely Media

#infosec #black-hat #defcon #resources

