Activity Summary - Week Ending on 27 April 2023:

  • Red Sky Alliance identified 29,549 connections from new IPs checking in with our Sinkholes
  • Descapital[.]com in the US hit 397x
  • 22 ‘new’ Botnet hits
  • Multiple Vulnerabilities in Google Chrome
  • Gulf of Guinea
  • Singapore Straits
  • Naming Conventions
  • MITRE ATT&CK

Red Sky Alliance Compromised (C2) IPs

IP                Contacts
37.139.128.91     161
45.92.1.143       84
4.188.235.26      71
104.244.74.6      71
51.15.131.129     68

37.139.128.91 was reported 397 times on AbuseIPDB. Confidence of Abuse: 59%; ISP: Des Capital B.V.; Usage Type: Data Center/Web Hosting/Transit; Domain Name: des.capital; Country: USA; City: Dallas, Texas
https://www.abuseipdb.com/check/37.139.128.91

On 19 April 2023, Red Sky Alliance identified 29,549 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants by number of contacts. Sality and Corkow have consistently remained the top two variants; Sykipot follows.

Red Sky Alliance Malware Activity

Malware Variant   Times Seen
sality            26048
corkow            1777
sykipot           601
shiz              537
betabot           389

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker


On 19 April 2023, analysts identified 22 new IP addresses participating in various botnets (contact us for the full .csv blacklists; below is only a small sample from the botnet trackers). We are currently upgrading this collection.

First Seen             Botnet Attribution          Infected Host’s IPv4 Address
2023-04-13T19:08:55    SOCKS4 proxy|port: 10801    14.232.161.29
2023-04-12T13:08:12    HTTP proxy|port: 83         43.243.172.2
2023-04-12T19:08:17    HTTP proxy|port: 999        45.174.251.1
2023-04-13T10:02:44    SOCKS4 proxy|port: 443      49.51.98.75
2023-04-12T19:09:11    SOCKS4 proxy|port: 24388    58.214.88.130
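
The C2 table and the botnet tracker above only become useful once they are matched against your own traffic. The script below is an added example, not Red Sky Alliance tooling: it transcribes the indicators from the two tables, parses the tracker’s “kind|port: N” attribution strings, and scans a handful of constructed firewall log lines in a hypothetical key=value format. Addresses from the sinkhole table are flagged whether they appear as source or destination and on any port; botnet proxy hosts are flagged on the tracked port, and traffic to the same host on another port is reported for review rather than silently dropped.

```python
"""Match firewall log lines against the indicator tables in this report.

Added example for illustration; this is not Red Sky Alliance's tooling.
The indicator lists are transcribed from the two tables above; the log
format and the log lines themselves are constructed for the example.
"""
import ipaddress
import re

# Sinkhole check-in addresses from the "Compromised (C2) IPs" table.
C2_IPS = {
    "37.139.128.91", "45.92.1.143", "4.188.235.26",
    "104.244.74.6", "51.15.131.129",
}

# Botnet tracker rows as (attribution string, infected host), verbatim.
BOTNET_ROWS = [
    ("SOCKS4 proxy|port: 10801", "14.232.161.29"),
    ("HTTP proxy|port: 83", "43.243.172.2"),
    ("HTTP proxy|port: 999", "45.174.251.1"),
    ("SOCKS4 proxy|port: 443", "49.51.98.75"),
    ("SOCKS4 proxy|port: 24388", "58.214.88.130"),
]

# "<kind>|port: <n>" is the tracker's attribution format shown above.
ATTR_RE = re.compile(r"^(?P<kind>[^|]+)\|port:\s*(?P<port>\d+)$")

# Hypothetical key=value firewall log format (an assumption for the example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_botnet_rows(rows):
    """Return {host_ip: (kind, port)}; rejects malformed rows loudly so a
    bad paste into the blocklist does not silently drop an indicator."""
    table = {}
    for attribution, host in rows:
        m = ATTR_RE.match(attribution.strip())
        if not m:
            raise ValueError(f"unparseable attribution: {attribution!r}")
        ipaddress.ip_address(host)  # raises ValueError on a garbled address
        table[host] = (m["kind"].strip(), int(m["port"]))
    return table


def scan_log(text, c2_ips=C2_IPS, botnet_rows=BOTNET_ROWS):
    """Return (src, dst, dport, action, reason) for every matching line.

    Sinkhole-list addresses are flagged as source or destination on any
    port. Botnet proxy hosts are flagged on the tracked port; traffic to
    the same host on another port is still reported, marked for review.
    """
    botnet = parse_botnet_rows(botnet_rows)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped here; count them in production
        src, dst, dport, action = m["src"], m["dst"], int(m["dport"]), m["action"]
        listed = {src, dst} & set(c2_ips)
        if listed:
            hits.append((src, dst, dport, action, f"sinkhole-list address {listed.pop()}"))
        elif dst in botnet:
            kind, port = botnet[dst]
            if dport == port:
                hits.append((src, dst, dport, action, f"{kind} on tracked port"))
            else:
                hits.append((src, dst, dport, action, f"{kind} host on untracked port, review"))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2023-04-20T08:01:12Z src=10.0.4.15 dst=37.139.128.91 dport=80 action=allow
2023-04-20T08:02:40Z src=10.0.4.22 dst=192.0.2.10 dport=443 action=allow
2023-04-20T08:03:05Z src=10.0.7.3 dst=14.232.161.29 dport=10801 action=allow
2023-04-20T08:03:09Z src=10.0.7.3 dst=14.232.161.29 dport=22 action=deny
2023-04-20T08:04:51Z src=10.0.9.9 dst=49.51.98.75 dport=443 action=allow
2023-04-20T08:05:30Z src=45.92.1.143 dst=10.0.4.5 dport=3389 action=deny
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A denied connection is kept in the output on purpose: the block stopped the session, but the internal host that tried to reach a tracked proxy on its tracked port is still worth a look. Note that 49.51.98.75 is tracked as a SOCKS4 proxy on port 443, so a port-based “that is just HTTPS” filter would hide it.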

 

MALICIOUS CYBER TRENDS:

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER: 2023-043; DATE(S) ISSUED: 04/19/2023

Overview:  Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution.  Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user.  Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.[1]

Threat Intelligence: Google is aware that an exploit for CVE-2023-2136 exists in the wild.

Systems Affected:

  • Google Chrome versions prior to 112.0.5615.137/138 for Windows.
  • Google Chrome versions prior to 112.0.5615.137 for Mac and Linux.

Risk:

Government:

  • Large and medium government entities - HIGH
  • Small government - MEDIUM

Businesses:

  • Large and medium business entities - HIGH
  • Small business entities - MEDIUM

Home Users: LOW

Technical Summary:  Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution.  Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

  • CVE-2023-2133: Out of bounds memory access in Service Worker API.
  • CVE-2023-2134: Out of bounds memory access in Service Worker API.
  • CVE-2023-2135: Use after free in DevTools.
  • CVE-2023-2136: Integer overflow in Skia.
  • CVE-2023-2137: Heap buffer overflow in sqlite.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Recommendations: MS-ISAC recommends the following actions be taken:

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

References:  Google - https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
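
The “Systems Affected” list above gives the first fixed build per platform, and the first recommendation is to apply that update. Deciding which hosts still need it is a version comparison, and the common mistake is to compare the four-part version as a string. The following script is an added example, not MS-ISAC or Google tooling: the fixed builds are taken from the advisory text above, and the inventory rows, hostnames and the later 113.0.0.1 build are constructed for illustration.

```python
"""Flag Chrome installs still below the builds fixed in MS-ISAC 2023-043.

Added example; not MS-ISAC or Google tooling. Fixed builds are taken from
the "Systems Affected" list above; the inventory rows are constructed.
"""
import re

# First fixed build per platform. Windows shipped 112.0.5615.137/138, so
# 137 is the lowest Windows build that contains the fixes.
FIXED_BUILD = {
    "windows": (112, 0, 5615, 137),
    "mac": (112, 0, 5615, 137),
    "linux": (112, 0, 5615, 137),
}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """'112.0.5615.121' -> (112, 0, 5615, 121).

    Comparing integer tuples matters: as strings, '112.0.5615.99' sorts
    after '112.0.5615.137', so a naive string check would call it patched.
    """
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, platform):
    """True if the build predates the fixed build for that platform."""
    key = platform.strip().lower()
    if key not in FIXED_BUILD:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(FIXED_BUILD)}")
    return parse_version(version) < FIXED_BUILD[key]


def triage(inventory):
    """inventory: iterable of (hostname, platform, version).
    Returns the sorted hostnames that still need the update."""
    return sorted(host for host, platform, version in inventory
                  if is_vulnerable(version, platform))


# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    ("ws-001", "Windows", "112.0.5615.121"),  # below 137: vulnerable
    ("ws-002", "Windows", "112.0.5615.138"),  # second Windows fixed build
    ("mac-010", "mac", "112.0.5615.99"),      # the string-compare trap
    ("lnx-020", "linux", "113.0.0.1"),        # later major (constructed): patched
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update Chrome")
```

Feed it whatever version strings your endpoint inventory already reports; on Linux, `google-chrome --version` prints a line of the form “Google Chrome 112.0.5615.121”, so strip the product name before calling parse_version. The parser rejects anything that is not four dotted integers rather than guessing, so a blank or truncated inventory field surfaces as an error instead of a host silently counted as patched.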

 

GLOBAL TRENDS:   

Gulf of Guinea & Singapore Straits - The ICC International Maritime Bureau (IMB) has released the first quarterly report on piracy in 2023, which has recorded the lowest level of reported global piracy and armed robbery incidents since 1993.  Despite the encouraging statistics, IMB calls for continued, robust and coordinated regional and international naval presence to act as a deterrent to prevent and respond to piracy.  The report reveals 27 incidents were reported in the first quarter of the year, representing a marked decline from 37 incidents for the same period in 2022.[2]

Gulf of Guinea - Of the 27 incidents worldwide, perpetrators boarded the victims’ vessels in 24 cases, two vessels reported attempted incidents, and one vessel was hijacked.  Despite the drop in numbers, the threat of violence remains: six crew were kidnapped, two taken hostage, two threatened and one assaulted.  Pirate and armed robbery activity continues to decrease in the Gulf of Guinea, an area which had become a relative hotbed for this crime in recent history.  Just five incidents were reported there in Q1 2023, compared to eight in Q1 2022 and 16 in Q1 2021.

Despite these improvements, the IMB Piracy Reporting Centre is calling for coastal response agencies and international navies to maintain efforts in the region.  On 25 March, a product tanker was hijacked 140nm WSW of Pointe Noire, Congo.  The vessel effectively lost all communications for nearly five days, and when it was located by a French naval asset, six crew were reported as kidnapped.  This highlights the continued need for vigilance and swift naval responses when incidents are reported.

As a reminder, last week pirates boarded the chemical/product tanker Success 9 some 300 miles off the Ivory Coast, a few weeks after the tanker Monjasa Reformer was also attacked in the area.  Experts emphasize the need for continued, robust and coordinated regional and international naval presence to act as a deterrent to prevent and respond to piracy, especially considering that nearly 85% of international trade is transported by sea and it is the seafarers who need to be safeguarded.

… said IMB Director Michael Howlett

Singapore Straits - Almost 30% of Q1 2023 incidents occurred in the Singapore Straits, with eight recorded cases, a decrease from the 15 incidents reported in Q1 2022.  While incidents in this region tend to be cases of petty theft, the threat of violence remains a worrisome possibility, with knives sighted and reported in two of the incidents.

South America - About 33% of global incidents occurred in South America, with Callao anchorage, Peru, remaining an area of particular concern.  Five reported incidents occurred there in Q1 2023, a number which has remained steady in recent years.  Crew, however, continue to be at risk, with two crew taken hostage and one each assaulted and threatened.

IMB Piracy Reporting Centre - IMB’s Piracy Reporting Centre continues to serve as a crucial, 24-hour point of contact to report crimes of piracy and lend support to ships under threat.  Quick reactions and a focus on coordinating with response agencies, sending out warning broadcasts and email alerts to ships have all helped bolster security on the high seas.  The data gathered by the Centre also provides key insights on the nature and state of modern piracy.

US - What’s in a Name?  Cybersecurity specialists may find it hard to remember all the different names companies use to refer to threat actors; some use a number system, while others use colors, animals and adjectives like “fancy” and “charming.”  Now they have one more naming scheme to remember:  Last week, Microsoft announced that it’s switching from a taxonomy based on chemical elements to one that uses weather-themed names to classify hacking groups.[3]

In a blog post, Microsoft outlined how its new naming scheme will work, explaining that countries will be assigned certain weather conditions (Blizzard for Russia, Sleet for North Korea, Typhoon for China and Sandstorm for Iran), while specific groups within a country will be distinguished by an adjective, such as a color.  As an example, Microsoft said that the Iranian nation-state group covered in its most recent report, previously called Phosphorus, is now named “Mint Sandstorm.”  “The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity,” Microsoft said.  “With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data.”

The new system will allow Microsoft to better organize the threat groups it tracks and provide simpler ways of classifying actors.  Researchers and security teams will “instantly have an idea of the type of threat actor they are up against, just by reading the name.”  Microsoft currently tracks more than 300 unique threat actors, including 160 nation-state groups, 50 ransomware gangs and hundreds of other types of attackers.  Microsoft has reclassified all the actors it tracks using the new taxonomy.  Microsoft acknowledged that several other security vendors use different naming taxonomies and plans to include those names in its reports.

In addition to specific weather event “family” names for actors from specific governments, Microsoft will use "tempest" for financially motivated actors, "tsunami" for private sector actors and "flood" for influence operations.   The term "storm" will be used for groups in development, previously tagged with the letters DEV, alongside a four-digit number.  This will be used until more information is learned about the actor.  “To meet the requirements of a full name, we aim to gain knowledge of the actor’s infrastructure, tooling, victimology, and motivation. We expand and update the definitions supporting our actor names based on our own telemetry, industry reporting, and a combination thereof,” Microsoft explained.

The new names will be accompanied by a symbol that Microsoft believes will make it simpler to identify for defenders.  The entire process of switching over to the new system will be completed by September, Microsoft explained.  

A reference guide was created to help with the transition.

Naming Confusion - Cybersecurity experts were mixed on the move, with some explaining that it would only confuse defenders while others said it was a good idea.  The chief marketing officer at cybersecurity firm CardinalOps said Microsoft’s previous naming system made it difficult to search for information about specific threat actors.  CardinalOps used the example of Nobelium, Microsoft’s term for APT29 or Cozy Bear from Russia, noting that multiple articles online focused on the radioactive metal and not the hacking group.  “Microsoft is an important driving force behind both identifying threat actor groups and working with law enforcement and government agencies worldwide to disrupt their activities,” CardinalOps said.  “I'm not sure the new naming scheme will address this issue, but in any case, most organizations currently use the MITRE ATT&CK framework, which has its own naming scheme, as the de facto standard for sharing information about adversary groups and their playbooks.”

Vulcan Cyber said that on the surface the switch is a good idea, but questioned whether the trend would catch on outside of Microsoft’s ecosystem.  In general, defenders have to deal with a confusing array of names for government hacking groups because every major security company uses different names.  Vulcan Cyber also questioned how Microsoft’s approach would work with groups that straddle the line between being financially motivated and government-backed.  “Which takes priority?  Is a ransomware group in Iran named as a nation-state actor, or as a financially-motivated threat?  And will they be including information on how other organizations track it?” it asked.  “A common naming convention is not a bad idea at all. But it doesn't solve the ‘they call it something else’ issue.”

KnowBe4 added that it is generally not a fan of vendor-created threat names because they make it harder to know whether the same groups are being discussed.  It would be far wiser, KnowBe4 said, for every vendor in the world to agree on a single threat-name taxonomy and apply it to every discussion of the same threat group.

The assortment of naming nomenclatures makes it harder for defenders, KnowBe4 explained, adding that it’s difficult to get competitors to agree on a single taxonomy.  “Still, this is one of those times that I wish we had a kumbaya moment. We are decades past when it made sense to have globally agreed upon threat names,” it said.  “Why can't the good side get its act together?  Why make it knowingly harder?"

[1] https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2023-043

[2] https://safety4sea.com/imb-calls-for-piracy-awareness-despite-low-number-of-incidents/

[3] https://therecord.media/denim-tsunami-mulberry-typhoon-microsoft-changes-hacking-group-name-taxonomy/
