Cyber Intelligence Weekly

Cyber Intelligence Weekly (May 14, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Before we get started on this week’s CIW, I’d like to highlight a new article from by Jake Murphy, "Hacker's Perspective: A Modern Approach to Cross-Site Request Forgery." In this article, Jake explains how to locate and exploit CSRF within modern web applications. Jake details three occurrences to look for when testing: finding an application that does a state-change within a GET request, finding an application with a CORS misconfiguration and a session cookie explicitly set with SameSite=None, and finding a Cross-Site Scripting vulnerability. Jake emphasizes that conducting a thorough penetration test of your application is highly recommended to ensure you are not vulnerable to these methods.

Link to Article:

No alt text provided for this image

Away we go!

1. Dragos Overcomes Ransomware Extortion Attempt by Threat Actor

According to several reports, and their own website, industrial cybersecurity firm Dragos was targeted by an extortion attempt by a known threat actor. The hackers gained access to certain company resources by compromising the personal email of a new sales employee before they started working at the firm.

The threat actors impersonated the employee during the onboarding process and gained access to certain parts of the company’s SharePoint and contract management resources. The company said the hackers accessed a report with IP addresses associated with one of its customers, who has since been alerted.

No alt text provided for this image

Thankfully, Dragos was able to block the compromised account after investigating alerts from its security information and event management (SIEM) system. The company activated their incident response retainer with CrowdStrike, as well as a third-party monitoring, detection, and response provider. The hackers were unable to move laterally, escalate privileges, establish persistence, or make any alterations to Dragos' infrastructure.

After failing to achieve their primary objective of deploying ransomware, the hackers escalated their threats by contacting family members and acquaintances of Dragos executives. The limited stolen data is likely to be made public, Dragos said, because it did not give in to extortion demands. Dragos says the incident should have a limited impact on the company, although it could harm its reputation.

The use of stolen data for extortion is increasing, with some groups abandoning encryption altogether to focus solely on data theft. Organizations need to account for this secondary level of data extortion in today’s modern threat landscape.

2. FBI Disrupts Snake Malware Network Controlled by Russia's Federal Security Service

The Department of Justice recently announced a major victory in the fight against Russian cyber espionage, stating that it has dismantled a long-running malware network known as "Snake." This network was operated by “Turla”, a hacking group linked to Russia's Federal Security Service (FSB). According to the US Department of Justice, Snake is the "most sophisticated cyber espionage tool in the FSB's arsenal." This malware has been used by Turla to steal sensitive information from US and NATO governments for almost two decades.

The FBI operation to dismantle the network took several years, and the agency developed a tool called "PERSEUS" that allowed its agents to identify network traffic that the Snake malware had tried to obfuscate. The FBI then used PERSEUS to mimic Snake's built-in commands, which would terminate the malware and permanently disable it by overwriting vital components of the implant without affecting any legitimate applications or files on the subject computers. The FBI's success in dismantling the network is a significant victory in the ongoing battle against state-sponsored cyber espionage.

No alt text provided for this image

Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” stated Deputy Attorney General Monaco. “By combining this action with the release of the information victims need to protect themselves, the Justice Department continues to put victims at the center of our cybercrime work and take the fight to malicious cyber actors.

While this victory is significant, the DOJ warns that Russian hackers could still have access to compromised machines, as the operation did not search for or remove any additional malware or hacking tools that the hackers may have placed on victim networks. It's also important to note that Turla frequently deploys a "keylogger" on victims' machines to steal account authentication credentials from legitimate users. Nonetheless, the operation serves as a reminder that state-sponsored cyber espionage is a serious threat, and it's essential that governments and private organizations remain vigilant in their efforts to detect and neutralize these threats.

3. MSI UEFI Signing Key Leak Triggers Supply Chain Security Concerns

Taiwanese Hardware manufacturer Micro-Star International (MSI) was hit by a ransomware intrusion in April 2023, during which two private encryption keys were stolen. When MSI was first attacked they advised their customers to only use firmware images obtained from their official website.

Following the company's decision not to pay the ransom demands, the attackers released some data that they had stolen from MSI a few weeks later. Upon investigating the data dump, researchers found out that it contained not only typical company information but also highly confidential data like firmware signing keys and Boot Guard keys for manufacturers. The first key digitally signs MSI firmware updates and verifies they are genuine. The second is a private encryption key used in a version of Intel Boot Guard that MSI distributes.

No alt text provided for this image

The keys were listed on the dark web by the Money Message ransomware group, raising fears of a supply chain attack, which could inject malware into devices that had downloaded the legitimate firmware update from MSI. Such an attack would be devastating, since the signing keys are trusted by a huge base of end-user devices. Furthermore, MSI doesn't have an automated patching process or provide the same kind of key revocation capabilities as Dell, HP and many larger hardware makers. This presents major challenges for updating the devices simultaneously, meaning they will still have to likely use the old key for authentication for some time.

Supply chain attacks have become increasingly common, and a compromised signing key significantly reduces the effort and resources required to pull off such an attack. Cybersecurity experts have urged MSI to act swiftly on this incident. With control of the private key, an attacker can infect a computer's system without triggering a warning, leading to serious security implications.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.