Security Leftovers
-
Even the Battlefield: Know More About Your Attack Surface Than the Adversary [Ed: Don't use Microsoft products. Use a stack you know and can control.]
Adversaries have a giant attack surface to discover when they target and attack your organization. To defend against these increasingly sophisticated threat actors, organizations must understand their digital footprint better than the adversary. This is easier said than done. It is a big challenge for defenders to know everything going on within the networks they’re charged with defending. Attackers know this and will seek out areas that commonly introduce risk, finding weaknesses to exploit that lead to compromise.
[...]
Assessing risk from third-party software includes taking inventory of the technologies leveraged around the organization and evaluating how the software is deployed. Suppose you are following the traditional software deployment model on your own systems. In that case, you need to have a complete understanding of the full number of additional packages and libraries necessary for that software to run. Information technology infrastructure operations (ITIO) often install library dependencies as part of their deployment methodology for the software. However, if your team is actively writing public-facing applications, you now must deal with the Open Source and other third-party libraries introduced as part of said application. This includes database middleware, application plugins, microservices, web content distribution services, and other items included in the DevOps process. You also need to consider all the network devices themselves sitting out in front of the services you provide. So, you’ll need an accurate understanding of every domain, IP address, and software version exposed to the internet when you think about how an adversary will perform reconnaissance against you.
-
Turla: A Galaxy of Opportunity | Mandiant [Ed: This is about the mess that Microsoft Windows is]
In September 2022, Mandiant discovered a suspected Turla Team operation, currently tracked as UNC4210, distributing the KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware victims in Ukraine. Mandiant discovered that UNC4210 re-registered at least three expired ANDROMEDA command and control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022.
ANDROMEDA was a common commodity malware that was widespread in the early 2010s. The particular version whose C2 was hijacked by UNC4210 was first uploaded to VirusTotal in 2013 and spreads from infected USB keys. Mandiant Managed Defense continues to observe ANDROMEDA malware infections across a wide variety of industries; however, Mandiant has only observed suspected Turla payloads delivered in Ukraine.
[...]
The version of ANDROMEDA that was installed to C:\Temp\TrustedInstaller.exe (MD5: bc76bd7b332aa8f6aedbb8e11b7ba9b6), was first uploaded on 2013-03-19 to VirusTotal and several of the C2 domains had either expired or been sinkholed by researchers. When executed, the ANDROMEDA binary established persistence by dropping another ANDROMEDA sample to C:\ProgramData\Local Settings\Temp\mskmde.com (MD5: b3657bcfe8240bc0985093a0f8682703) and adding a Run Registry Key to execute it every time the system user logged on. One of its C2 domains, “suckmycocklameavindustry[.]in,” which had expired, was found to be newly re-registered on 2022-01-19 by a privacy protected registrant using Dynadot as the registrar. UNC4210 used this C2 to profile victims before sending the first stage KOPILUWAK dropper if the victim was deemed interesting.
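The persistence described in the excerpt (a Run key pointing at a dropped executable under ProgramData/Temp) is easy to hunt for on a host. The script below is an added example, not code from Mandiant's report: it enumerates the usual Run keys, flags entries whose target lives in a directory an autostart rarely belongs in, hashes any file that exists, and compares the MD5 against the two hashes quoted above. The list of Run keys and the directory heuristics are assumptions to be tuned per environment; only the two hashes and the mskmde.com path come from the text.

```powershell
# Added example (not from the Mandiant report): hunt for the ANDROMEDA persistence
# pattern quoted above. Assumptions: the Run keys and "suspicious" directories below
# are a reasonable starting set; the two MD5 values are the ones quoted in the text.

$KnownHashes = @{
    'BC76BD7B332AA8F6AEDBB8E11B7BA9B6' = 'ANDROMEDA (C:\Temp\TrustedInstaller.exe)'
    'B3657BCFE8240BC0985093A0F8682703' = 'ANDROMEDA (dropped mskmde.com)'
}

# Assumed set of autostart locations; extend with RunOnce, Winlogon, etc. as needed.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a legitimate autostart rarely lives in (heuristic, tune per environment).
$SuspiciousDirs = @('\ProgramData\', '\Temp\', '\AppData\Local\Temp\')

function Get-RunKeyTargets {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath/PSParentPath/etc.
            # Recover the executable path from a quoted or unquoted command line.
            $cmd = [string]$p.Value
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Exe = $exe }
        }
    }
}

function Find-SuspiciousRunEntries {
    Get-RunKeyTargets | ForEach-Object {
        $entry  = $_
        $dirHit = $SuspiciousDirs | Where-Object { $entry.Exe -like "*$_*" }
        # A .com payload in a data directory (mskmde.com above) is unusual enough to flag alone.
        $comHit = $entry.Exe -like '*.com'
        if ($dirHit -or $comHit) {
            $md5 = $null
            if (Test-Path -LiteralPath $entry.Exe) {
                $md5 = (Get-FileHash -LiteralPath $entry.Exe -Algorithm MD5).Hash
            }
            $verdict = if ($md5 -and $KnownHashes.ContainsKey($md5)) { $KnownHashes[$md5] }
                       else { 'unknown (review manually)' }
            [pscustomobject]@{
                Key     = $entry.Key
                Name    = $entry.Name
                Exe     = $entry.Exe
                MD5     = $md5
                Verdict = $verdict
            }
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it elevated so the HKLM keys are readable. Hash matches are only useful for the exact samples quoted; the path heuristic is what catches re-packed variants, so treat any "unknown" hit in ProgramData or Temp as worth a manual look rather than an automatic clear.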
-
New Linux Malware Downloader for Compromised Servers Spotted in the Wild [Ed: Slashdot editors continue to stigmatise Linux as not secure... citing Microsoft sites as "sources"]
"A new Linux malware downloader created using SHC (Shell Script Compiler) has been spotted in the wild," reports the site Bleeping Computer, "infecting systems with Monero cryptocurrency miners and DDoS IRC bots...