Security: Microsoft Failures and More
-
UNC3890: Suspected Iranian Threat Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors [Ed: Windows TCO (CMD, PowerShell etc. mentioned)]
Over the last year Mandiant has been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. Mandiant assesses with moderate confidence this actor is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel. While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years.
Mandiant assesses with moderate confidence that UNC3890 conducts espionage and intelligence collection activity to support multiple Iranian interests and operations. Targeting patterns indicate a strong interest in Israeli entities and organizations of various sectors, including government, shipping, energy and healthcare. We observed several limited technical connections to Iran, such as PDB strings and Farsi language artifacts.
[...]
UNC3890 has been operating since at least late 2020. Their focused targeting poses a threat to Israel-based organizations and entities, particularly those affiliated with the government, shipping, energy, aviation and healthcare sectors. While we are not aware of targeting outside Israel, it is possible such targeting has occurred, or will occur. UNC3890's utilization of legitimate or publicly available tools, in addition to their unique exfiltration method using Gmail, Yahoo and Yandex email addresses, may reflect their efforts to evade detection and to bypass heuristics or network-based security measures.
-
iTWire - More Medibank data leaked on dark web as standoff continues [Ed: Windows TCO]
More files exfiltrated from medical insurer Medibank Group during a ransomware attack have been released on the dark web site of the attacker(s). Ransomware generally attacks only systems running Microsoft's Windows operating system.
Three files that appear to contain details of people with mental health issues, HIV infections and viral hepatitis are among the material claimed to be released overnight.
Data has been released in small amounts since 9 November. Earlier this week, the attacker(s) indicated there would be a pause in the release of data until the company's annual general meeting was held.
That took place on Wednesday and the company announced that its chief executive David Koczkar and other top bosses would not lose any part of their annual bonuses, worth about $7.3 million.
-
Red Hat Enterprise Linux and Microsoft security update of November 2022 [Ed: Microsoft gives "Kerberos" a bad name; but it's actually a Windows problem.]
Both security issues aren’t documented in detail. The security advisories talk about “Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability” and a generic “Windows Kerberos Elevation of Privilege Vulnerability,” respectively. From the accompanying knowledge base articles we can see that these vulnerabilities affect use of the standard RC4-HMAC encryption type in the Active Directory Kerberos implementation. It has been known for some time that RC4-HMAC is an encryption type that might be broken, and a recommendation has been to disable RC4-HMAC use in Active Directory environments, enforced via various STIG and CIS profiles for Windows systems.
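An added example, not from the quoted post, of the inventory check an administrator would run before disabling RC4-HMAC: a PowerShell snippet listing Active Directory accounts whose msDS-SupportedEncryptionTypes attribute still permits RC4 or is unset. It assumes the ActiveDirectory module is installed and the caller can read that attribute; the bit values are the standard Kerberos encryption-type flags stored in the attribute.

```powershell
# Added example (not from the article): find accounts that still allow RC4-HMAC.
# Assumes the ActiveDirectory module and read access to msDS-SupportedEncryptionTypes.
Import-Module ActiveDirectory

# Encryption-type bit flags as stored in msDS-SupportedEncryptionTypes
$DES_CBC_CRC = 0x01
$DES_CBC_MD5 = 0x02
$RC4_HMAC    = 0x04
$AES128_CTS  = 0x08
$AES256_CTS  = 0x10

function Get-RC4CapableAccounts {
    # objectClass=user also matches computer objects, so this covers both
    $accounts = Get-ADObject -LDAPFilter '(objectClass=user)' `
                             -Properties 'msDS-SupportedEncryptionTypes', 'sAMAccountName'

    foreach ($acct in $accounts) {
        $etypes = $acct.'msDS-SupportedEncryptionTypes'
        if ($null -eq $etypes -or $etypes -eq 0) {
            # Attribute unset: the domain controller's default applies, so review it
            [pscustomobject]@{ Account = $acct.sAMAccountName; Reason = 'attribute unset (DC default applies)' }
        }
        elseif (($etypes -band $RC4_HMAC) -ne 0) {
            # RC4 bit explicitly set; report the full flag value for context
            [pscustomobject]@{ Account = $acct.sAMAccountName; Reason = ('RC4 bit set (0x{0:X})' -f $etypes) }
        }
    }
}

Get-RC4CapableAccounts | Format-Table -AutoSize
```

Accounts that appear here are the ones whose tickets would break when RC4-HMAC is turned off, so they are the ones to migrate to AES before enforcing the STIG/CIS setting.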
-
Smarter, Not Harder: How to Intelligently Prioritize Attack Surface Risk | Mandiant
There’s a common saying in cyber security, “you can’t protect what you don’t know,” and this applies perfectly to the attack surface of any given organization.
Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant. As a result, IT and security teams do not always have an up-to-date picture of the extended ecosystem they need to defend. Legacy tools often have static lists of the ‘known’ asset inventory but lack the capabilities to comb the internet for the ‘unknown’ assets that belong to the organization.
To close visibility gaps and uncover hidden risk, establishing and maintaining a comprehensive attack surface management program is critical. Benefits include removing sprawl, reducing environmental drift and fast remediation.