8. Too Big For Our Breaches
Coming up this week on Breaking Badness. Today we discuss You Got Served…The Sequel, Cat Got Your Websites? and How the Center for Advanced Defense is Putin Russia on the Map.
Developing News: WinRAR: The Saga Continues…
Here are a few highlights from each article we discussed:
- ASUS official update servers delivered a backdoored version of an ASUS application.
- Kaspersky is calling it “Operation ShadowHammer”.
- The backdoored update was pushed between June and November 2018.
- The threat actors targeted ASUS Live Update Utility as the first stage.
- This is a utility pre-installed on most new ASUS computers that performs automatic BIOS, UEFI, driver and application updates.
- The attackers signed their trojanized builds with ASUS code-signing certificates that had also been used to sign older, legitimate updates, so the malicious code carried a valid ASUS signature.
- These malicious versions were then hosted on and distributed by ASUS.
- The trojanized updater carried a hard-coded table of roughly 600 target MAC addresses.
- The second stage of the malware was only downloaded if the victim machine matched one of those MAC addresses.
- Kaspersky also found the same techniques used against three other vendors, which it has not yet named.
- Kaspersky has tentatively linked this attack to the Barium (Wicked Panda) group, which also conducted the CCleaner supply chain incident.
- CCleaner was a September 2017 supply chain attack that also used a hard-coded target list, though it selected victims by organization (hostnames/domains) rather than by MAC address.
- Court documents unsealed last week show that Microsoft sinkholed 99 domains attributed to APT35 (Charming Kitten, NEWSCASTER; Microsoft’s name for the group is Phosphorus).
- Microsoft has done this before with Fancy Bear/APT28 (which it calls Strontium), but this was the largest single takedown: the APT28 actions covered 91 domains over 15 separate takedowns.
- The seized domains all impersonated Microsoft products, for example hosting fake Outlook login pages.
- This didn’t wipe APT35 off the map; it only disrupted the campaigns that relied on Microsoft-themed infrastructure.
- They’re known for using fake LinkedIn profiles and sending malicious resumes to companies.
- They’re an Iranian group known for targeting US government.
- The Center for Advanced Defense Studies (C4ADS) analyzed 9,883 GPS spoofing incidents in and around Russia over the last three years.
- 1,311 civilian vessels have been affected since 2016.
- GPS spoofing is the broadcast of counterfeit satellite navigation signals so that receivers compute an incorrect position (and often time), which then propagates to everything that relies on those receivers.
- GPS is the system built and owned by the US government; GNSS (Global Navigation Satellite System) is the general term covering all such constellations, including GPS, GLONASS, Galileo and BeiDou.
- GPS spoofing has been possible for a while but used to be a less viable tactic, as it was expensive and complicated.
- Now, thanks to SDRs (software defined radios), it is much easier and cheaper (as low as $300).
- C4ADS’s analysis suggests Russia is increasingly using this tactic in conflict zones, as many of the incidents clustered around Ukraine and Crimea.
- Example: ships in the Kerch Strait saw their positions reported as the cities of Tsibanobalka or Gelendzhik.
- That was a few years ago, and over 20 ships reported problems in what is considered the first major incident.
- There may be a way to identify such attacks, though: the collaboration between C4ADS and UT Austin researchers shows how GNSS receivers carried on low-Earth-orbit platforms can be used to detect and geolocate interference signals worldwide.
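The ShadowHammer and CCleaner items above describe the same trick: a broadly distributed first stage that only fetches the second stage when the host matches a hard-coded target list. The block below is an added illustration written for this post, not code from Kaspersky, ASUS or the malware itself. It assumes a gating scheme that stores MD5 hashes of canonicalized MAC addresses (the hashing is an assumption; this page only says the table held MAC addresses), and the two target MACs and host inventory are constructed, locally-administered values, not the real ShadowHammer list. It shows both sides: the attacker’s gate and the defender’s sweep of an inventory against a published hash list, checking every adapter rather than just the primary one.

```python
import hashlib
import re


def normalize_mac(mac):
    """Canonicalize a MAC into 12 uppercase hex digits with no separators.

    Accepts 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' and 'aabb.ccdd.eeff'.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_hash(mac):
    # Hypothetical gating scheme (an assumption, not the documented one):
    # hash the canonical MAC so the embedded list does not reveal the
    # victims to anyone who dumps the binary.
    return hashlib.md5(normalize_mac(mac).encode()).hexdigest()


# Constructed demo targets (locally-administered MACs), NOT the real list.
TARGET_MACS_FOR_DEMO = ["02:00:5E:10:00:01", "02-00-5e-10-00-02"]
TARGET_HASHES = frozenset(mac_hash(m) for m in TARGET_MACS_FOR_DEMO)


def is_targeted(host_macs, target_hashes=TARGET_HASHES):
    """Attacker-side gate: download stage two only if any adapter matches.

    host_macs is the list of every adapter on the host (Ethernet, Wi-Fi,
    virtual); a match on any one of them is enough.
    """
    return any(mac_hash(m) in target_hashes for m in host_macs)


def check_hosts(inventory, target_hashes=TARGET_HASHES):
    """Defender-side sweep: given {hostname: [macs]}, return the hosts that
    would have been selected for stage two, sorted by hostname."""
    return sorted(h for h, macs in inventory.items() if is_targeted(macs, target_hashes))


if __name__ == "__main__":
    # Constructed inventory: only lab-02 carries a targeted adapter, and
    # only on its second (Wi-Fi) interface.
    inventory = {
        "lab-01": ["aa:bb:cc:dd:ee:ff"],
        "lab-02": ["aa:bb:cc:dd:ee:fe", "02:00:5e:10:00:02"],
        "lab-03": ["aabb.ccdd.eefd"],
    }
    for host in check_hosts(inventory):
        print(f"{host}: matches the target list, treat as a stage-two candidate")
```

Run it against an export of hostnames and all their adapter MACs (e.g. from an asset inventory or endpoint agent); any host it returns was a real target, not just a recipient of the trojanized updater, and should be handled as a likely stage-two compromise. The MAC formats differ between tools, which is why canonicalization happens before hashing.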
This Week’s Hoodie Scale
You Got Served…The Sequel
[Tim]: 5.5/10 Hoodies
[Emily]: 5/10 Hoodies
Cat Got Your Websites?
[Tim]: -5/10 Hoodies
[Emily]: -6.5/10 Hoodies
How the Center for Advanced Defense is Putin Russia on the Map
[Tim]: 7/10 Hoodies
[Emily]: 5/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!