August 30, 2023
In this Episode:
Marcel Brown: August 30th, 1963. A direct line of communication between the leaders of the US and the Soviet Union, dubbed the Hotline, begins operation today. It was most famously represented as a red phone.
Edwin Kwan: Early this month, malicious libraries were discovered in the Rust programming language’s crate registry. It is suspected that the libraries were discovered in the early stages of a campaign. It is unclear what the goal of the attackers was.
Hillary Coover: Meta, the parent company of Facebook, has successfully dismantled a massive Chinese disinformation campaign known as Spamouflage. It was the largest cross-platform covert influence operation they’ve ever encountered.
Katy Craig: Let’s talk CollectionRAT. This one is the new kid on the block, but don’t underestimate it. It gathers data, reads and writes files, and even has its own tricks to avoid detection. This ain’t no one trick pony.
Mark Miller: One of the iconic scenes in Jerry Maguire is Cuba Gooding Jr. forcing Tom Cruise to scream, “Show me the money. Show me the money!” I was reminded of the scene as I was reading Hazel Burton’s update on how Cisco Talos found clues of post-authentication adversaries who left tracks that said, “show” me. Yeah, literally, “show” me.
The Stories Behind the Cybersecurity Headlines
Data Stealing Libraries Found in Rust Registry
This is Edwin Kwan from Sydney, Australia.
Software developers are increasingly being targeted in supply chain attacks. The machines might have SSH keys providing access to other systems, they might have keys to production systems and company IP. Developers usually have full admin privileges on their machines, which makes them an extremely valuable target.
Early this month, malicious libraries were discovered in the Rust programming language’s crate registry. It is suspected that the libraries were discovered in the early stages of a campaign. It is unclear what the goal of the attackers was. The libraries were found to have functionality to capture the operating system information and transmit that data to a Telegram channel.
Supply chain attacks using malicious open source libraries have been increasing in recent years. Developers will need to be vigilant and make sure they only download reputable libraries and scan them for known open source vulnerabilities before using them.
Lazarus Group NK RATs
Fasten your seat belts because the Lazarus group, North Korea’s cyber elite advanced persistent threat, is back in action. They rolled out two new remote access trojans, QuiteRAT and CollectionRAT, that are turning heads and turning screws.
This is Katy Craig in San Diego, California.
According to Cisco Talos researchers, this is Lazarus Group’s third big gig in less than a year. Last time they were targeting energy providers in the US, Canada, and Japan, using a Trojan called MagicRAT. Now they’re back with a sleeker, faster, and, yep, you guessed it, more dangerous remote access trojan dubbed QuiteRAT. And they have another one in the stash called CollectionRAT.
QuiteRAT is essentially MagicRAT’s little, leaner brother. It’s been slimmed down to four to five megabytes, but hasn’t lost an ounce of its mischief. It’s been wreaking havoc in healthcare and internet infrastructure sectors in the US and Europe by exploiting a vulnerability known as CVE-2022-47966.
Now, let’s talk CollectionRAT. This one is the new kid on the block, but don’t underestimate it. It gathers data, reads and writes files, and even has its own tricks to avoid detection. This ain’t no one trick pony.
Keep in mind, Lazarus isn’t just relying on their own malware. They’re also using third-party tools like PuTTY and DeimosC2. That means they’re diversifying their attack methods, so we need to be looking at our defense methods as well.
This is Katy Craig. Stay safe out there.
Meta, the parent company of Facebook, has successfully dismantled a massive Chinese disinformation campaign known as Spamouflage. This campaign, a prime example of disinformation, involved purposefully spreading false narratives to manipulate public opinions.
The operation’s intent was to deceive and shape perceptions, highlighting the darker side of information warfare in today’s digital age. Unlike misinformation which involves sharing inaccurate information without the intent to deceive, disinformation is all about intentionally misleading others.
Hi, this is Hillary Coover in Washington DC.
The Spamouflage campaign wasn’t just a run-of-the-mill attempt at spreading false news. It was the largest cross-platform covert influence operation they’ve ever encountered. The campaign’s tactics included posting positive commentary about China and criticizing the United States, Western foreign policies, and critics of the Chinese government. Their targets even extended to journalists and Chinese medical researchers focused on Covid-19.
Meta’s response was swift and impactful.
In their threat report, the company revealed that it had removed thousands of accounts, pages, groups, and Instagram accounts involved in coordinated inauthentic behavior, demonstrating its commitment to combating disinformation on the platforms.
The disinformation campaign named Spamouflage had been active since 2019, targeting regions across the globe, including Taiwan, the US, Australia, the United Kingdom and Japan. The sheer scale of the campaign’s reach sheds light on the increasing sophistication of modern disinformation efforts.
From Facebook to smaller forums on the platforms, the campaign covered more than 50 online platforms, revealing the extent to which disinformation can spread in today’s interconnected digital landscape.
Experts are highlighting the importance of considering other strategies to counter disinformation effectively. Ideas like verification-for-profit schemes are being floated, aiming to make it harder for malicious actors to exploit social media platforms.
These efforts are crucial, especially during periods of geopolitical tension and upcoming elections, which tend to create fertile ground for such campaigns.
Adversaries say, “Show me the Money!”
One of the iconic scenes in Jerry Maguire is Cuba Gooding Jr. forcing Tom Cruise to scream, “Show me the money. Show me the money!” I was reminded of the scene as I was reading Hazel Burton’s update on how Cisco Talos found clues of post-authentication adversaries who left tracks that said, “show” me. Yeah, literally, “show” me.
Here’s a quote directly from Burton’s article.
“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of first steps that someone who wants to understand and control your environment would take. Examples we have observed include threat actors performing a show configuration, show interface, show route, show arp table, and show CDP neighbor. All these actions give the attackers a picture of a router’s perspective of the network and an understanding of what foothold they have.” End quote by Hazel.
Let’s slow down and think that through. Adversaries who gained access to your systems need to map those systems so they can determine where they are and what they have access to. It’s kind of like the old PC games from the nineties where you had to draw a map as you were exploring a cavern in order to remember where you were and what you had already done. It’s a little more sophisticated now, but the idea is the same: ‘show’ me so I know where I am.
According to the Talos study, this type of probing and mapping is particularly effective against end of life network hardware and software. I guess you can guess where the recommendations are headed at this one. Patch your shit. Use complex passwords and MFA. Encrypt your traffic. Yada, yada, yada.
What’s insightful here though is the consistency of the ‘show’ command to map a system. That’s the trigger warning that something’s amiss, that an adversary could be examining your systems for their weaknesses.
It’s as if they’re screaming, “Show me the money!”, because that’s exactly what they intend on having you do at the end of this game.
– Original Report from Hazel Burton: https://blogs.cisco.com/security/network-resilience-defending-against-sophisticated-attacks-targeting-network-infrastructure?utm_source=country-soc
– Network Resilience Coalition: https://blogs.cisco.com/security/it-is-time-to-harden-our-global-infrastructure
– Krebs on Security: https://krebsonsecurity.com/2023/08/tourists-give-themselves-away-by-looking-up-so-do-most-network-intruders/
– Jerry Maguire: https://en.wikipedia.org/wiki/Jerry_Maguire
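One way a defender could watch for the mapping pattern Burton describes, as an added example that is not from the episode, from Talos, or from Cisco: it scans command-accounting records and flags any device/user/source that runs several distinct reconnaissance ‘show’ commands within a short window. The log line format and the sample lines are constructed for this example, not real device output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands from the Talos observations ("show arp table" is
# matched here as "show arp"; common IOS spellings are included alongside).
RECON_PREFIXES = ("show configuration", "show running-config", "show interface",
                  "show route", "show ip route", "show arp", "show ip arp",
                  "show cdp neighbor")

# Constructed sample accounting lines (hypothetical format: ISO timestamp,
# device, user, source address, quoted command). Not real device output.
SAMPLE_LOG = """\
2023-08-30T14:02:11 rtr1 user=svc-backup src=203.0.113.7 cmd="show version"
2023-08-30T14:02:40 rtr1 user=svc-backup src=203.0.113.7 cmd="show configuration"
2023-08-30T14:03:05 rtr1 user=svc-backup src=203.0.113.7 cmd="show interface"
2023-08-30T14:03:31 rtr1 user=svc-backup src=203.0.113.7 cmd="show route"
2023-08-30T14:04:02 rtr1 user=svc-backup src=203.0.113.7 cmd="show cdp neighbor"
2023-08-30T15:10:00 rtr2 user=netops src=10.0.0.5 cmd="show interface gigabitethernet0/1"
2023-08-30T15:40:00 rtr2 user=netops src=10.0.0.5 cmd="show ip route 10.1.0.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) user=(\S+) src=(\S+) cmd="([^"]*)"$')

def parse(log_text):
    """Yield (timestamp, device, user, src, command) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, dev, user, src, cmd = m.groups()
            yield datetime.fromisoformat(ts), dev, user, src, cmd.strip().lower()

def recon_kind(cmd):
    """Return the recon prefix a command starts with, or None if it is not one."""
    for p in RECON_PREFIXES:
        if cmd == p or cmd.startswith(p + " "):
            return p
    return None

def find_mapping_sessions(log_text, window=timedelta(minutes=10), min_distinct=3):
    """Flag (device, user, src) tuples that issue at least min_distinct different
    recon 'show' commands inside any sliding window of the given length."""
    events = defaultdict(list)
    for ts, dev, user, src, cmd in parse(log_text):
        kind = recon_kind(cmd)
        if kind:
            events[(dev, user, src)].append((ts, kind))
    alerts = []
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            kinds = {k for t, k in evs[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                alerts.append((key, sorted(kinds)))
                break  # one alert per principal is enough
    return alerts
```

The two routine commands from `netops` on rtr2 are half an hour apart and touch only two categories, so they stay below the threshold; the burst from `svc-backup` on rtr1 is flagged.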
This Day, August 30, in Tech History
August 30th, 1963. A direct line of communication between the leaders of the US and the Soviet Union, dubbed the Hotline, begins operation today. It was most famously represented as a red phone.
August 30th, 1969. The first Interface Message Processor (IMP) is delivered to Leonard Kleinrock’s research group at UCLA. The IMP was the device that would interconnect networks between research facilities on the developing ARPA, the precursor to the internet.
As a packet switching device, the IMP can be considered the first generation of what we now call network routers.
The second IMP was delivered to the Stanford Research Institute on October 1st, 1969, and the first message between the two IMPs was sent on October 29th, 1969, which is now considered the first message ever sent on the internet.
That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.