Coming up this week on Breaking Badness: First Bifrost of the Season, Do The Side Hustle? , and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
First Bifrost of the Season
- Palo Alto Networks recently found a new Linux variant of Bifrost which showcases a creative technique to evade detection
- What is Bifrost (or Bifrose)?
- This particular brand of malware has been around for a very long time – let’s call it going on 20 years
- This was originally designed for windows and at some point the 2010s gained Linux powers, so we’re seeing a Linux variant here
- In this instance, it’s getting distributed (and has in the past as well) via email links, though it’s been distributed in other ways as well
- Palo Alto found the latest sample of Bifrost and the sample of binary compiled for X86 and it seemed to be stripped – what does that mean?
- Stripping in a binary is fairly normal
- It’s where you pull out some of the information about the binary that would give you like debugging ability
- On the adversary side, they’re doing it for obfuscation that makes it tricky or to reverse engineer the malware
- Stripping in a binary could be done for performance reasons – to stream down the size of an executable file, but in this case we’re not looking at performance – here we care primarily about the ability to obfuscate what they’re up to inside of the file
- Now it’s compiled for x86 processors, which are very common – you’ll see those in most Windows and older MacBooks
- It’s easier to visualize things
- It’s also ARM-based which they found on a different server that was hosting the ARM version of this malware as well
- ARM is a different type of processor and more commonly found on your mobile devices because it’s generally low power
- But ARM has come a long way and from a performance perspective, you’re seeing it in new Apple hardware and of course all of the Android devices leverage it. IoT devices leverage it
- So, if you’re looking to spread malware far and wide, ARM is not a bad choice to compile your binary
- How can defenders actually detect a stripped binary?
- They can actually see it pretty easily
- Then it just makes the reversing job a little bit trickier, but on the defender side, they’ve been at this for quite some time, so this is nothing super new to them
- In this particular care, one of the interesting things and what brought our attention here is that the adversaries leveraging VMware look like domains to handle command and control (C2) for the malware
- It’s not a completely new tactic by any mean, but kind of hiding in what you might expect to see on the network traffic aka VMware domain – it’s a good way to potentially not get caught
- In this case, one thing Taylor finds interesting is that the domain was registered for almost a full year ago and then doesn’t look to have been weaponized until the October timeframe
- We didn’t see a lot of DNS activity on it until the August – October timeframe – that doesn’t surprise Taylor, but he thought it was an interesting play on top of the technique of looking like one thing and sitting on it before weaponizing it months later
- What are some of the mitigation strategies?
- Certainly, be vigilant on emails – continue to not click through and open things that seem suspicious
- For the defenders, there are signatures and behavioral details that they can take a look at from what the Palo Alto folks have put out there, but again, this is not incredibly new or novel, if anything, it’s interesting how old it is
Do The Side Hustle?
- In our 2023 Forecast webinar, we predicted that there would be an increase in cybercrime from those who had been laid off from cybersecurity positions
- We sat on that prediction, made it to our 2024 Forecast webinar and we revisited that assumption, and at that point we hadn’t seen any data to show that it came true, until now
- Tim was part of that webinar panel
- Tim fleets that this there has always been a baseline of this happening, but it’s clearly accelerated
- Has there been a moment like this before in our industry’s history?
- Tim stated that people have seen just how much money could be gained in cybercrime, unfortunately and it’s not hard to find statistics about it whether you’re looking at ransomware payoffs or data theft and sales thereof and so forth, so it’s been pretty clear for while that there’s a lot of illicit money to be gained as far as other times of seeing layoffs at a large scale
- He doesn’t recall seeing numbers like we’ve been seeing recently – if we go back a few more years to the Great Recession, that hit a lot of folks across all sectors including tech, but doesn’t believe the numbers are like what we’re seeing now
- But we’ve talked about it before on the podcast that it’s become easier than ever to start a career in cybercrime
- Did management of these organizations consider this when conducting these layoffs?
- IT and security governance is always a risk balancing game and so it’s probably not that many companies didn’t consider that the layoffs could lead to some some bad behavior, but they decided the financial risks were greater or the ROI was higher than the risks the security risks
- There’s enough knowledge of best practices that most of these companies probably took some care around shutting off access post layoff and also remember that there’s only maybe a subset of this where the laid former employees are targeting the organization that laid them off
- In some cases it’s just they’ve been laid off and now instead of going out and pounding the pavement and getting another job that’s advertised on LinkedIn they pound a different kind of pavement and go out and start doing some some crimes underground but not necessarily against their former employer
- This article makes a shift from legitimate cyber security work to cyber crime but then pivots to discussing how cyber needs to adapt to solve the skills gap – how do these play into one another?
- In Tim’s opinion, this article glosses over a really important point that the tech layoffs include a lot of non-technical folks like marketing
- So it seems like this article is sort of conflating two different things – one is layoffs and the other is burnout and the latter might be where more dangerous situations come from because you’ve got high skill high technical skill people and they might do exactly what Taylor was talking about like before they leave the company either because they’re burned out or because they think layoffs are coming or whatever or their job has become more stressful because other people who were burned out have left and therefore the workload has gotten bigger
- Tim had written a blog post – We Need More Roads To Infosec – and it seems like the industry is in agreement that burnout really affects the industry and the education, training, and certifications organizations are requiring are too much, but what is it going to take for these orgs to actually hear the practitioners and make a change?
- There’s a certain amount of companies that are always going to put the near-term bottom line ahead of all other considerations
- Tim thinks there needs to be more internal promotion wherever possible and better career paths for folks so filling that gap from within will be beneficial in a lot of cases
- There are cultural changes that seem like they’re positive and one of the things he wants to point out is it’s better when we talk about burnout and the things that make it hard to be in tech jobs – there’s much more conversation about mental health and that’s a positive development in the community – he’s seen really prominent people in the infosec community talking pretty openly about this about how we need better support for folks, so that has the potential to help the burnout problem
- We say “potential” because we don’t ultimately know, but resources and changes in hiring habits and cultures of companies at a large scale would be helpful, but he’s skeptical of it coming to fruition at scale, but we’ll see how it turns out
This Week’s Hoodie/Goodie Scale
First Bifrost of the Season
[Tim]: 3.5/10 Hoodies
[Taylor]: 3.5/10 Hoodies
Do The Side Hustle?
[Tim]: 4/10 Hoodies
[Taylor]: 4.5/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
