10. Who am I? That’s one secret I’ll never tell!
Here are a few highlights from each article we discussed:
- Private-sector threat intelligence has tended to map each threat actor to exactly one organization on a one-to-one basis, which rules out the possibility of actors that span multiple organizations or nations.
- The author proposes the term “supra” threat actor for a group that spans multiple countries.
- A slide from a CSEC (Communications Security Establishment Canada) presentation listed known threat actor names.
- A later slide showed a screenshot of an alerts window with signature names. From it the author worked out the naming convention of the alerts, which embeds an acronym of the threat actor names from the earlier slide.
- The alert of interest tied “GG” (likely GossipGirl) to Flame.
- Flame is a modular malware platform that was discovered soon after Stuxnet and Duqu.
- In 2012, Kaspersky tied Flame to Stuxnet by finding a plug-in the two shared. Because Stuxnet is part of the picture, Duqu and Equation Group become candidates for the supra threat actor as well.
- Stuxshop (a component of Stuxnet) ties a fourth actor to the GossipGirl supra threat actor.
- The author also found that Flame “faked its own death”.
- That makes GossipGirl a supra actor comprising at least four known actor groups.
Pinging Down the House
- A new type of DDoS attack abuses the ping attribute of HTML anchor tags in QQBrowser.
- The ping attribute (“hyperlink auditing”) lists URLs to which the browser sends a POST request when the user clicks the link; website owners use it to track clicks without a redirect.
- Imperva only saw the DoS traffic and its sources, so they cannot know exactly how the cycle begins, but they hypothesize that a combination of social engineering and malvertising lures users to a page carrying such a link, after which, in the background, the browser keeps “clicking” the link once per second. Multiply that by a few million users and you have real DoS firepower.
- Targets mainly seemed to be gaming sites, which is where a lot of DDoS-for-hire crime is aimed anyway.
- In this attack, unsuspecting WeChat users (a popular messaging app in China) are tricked into opening malvertising in QQBrowser, which sets off a firestorm of ping requests, effectively DDoSing the target site.
- Browsers to date have tended to include a setting to disable hyperlink auditing, but upcoming versions of Chrome, Edge, Safari, and Opera all plan to stop letting the user turn it off.
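The hyperlink-auditing flood above is easy to recognise on the receiving end, because the HTML standard fixes the shape of a ping request: a POST with Content-Type text/ping, the body PING, and the headers Ping-From (the page holding the link) and Ping-To (the link’s href). The following is an added example, not code from Imperva’s write-up or from the podcast: it classifies request records as hyperlink-auditing pings and applies a per-source sliding-window rate limit. A site that never uses ping tracking can drop anything the classifier matches; one that does can keep the limiter. The request records, the RFC 5737 documentation addresses, the lure.example URLs and the window and threshold values are all constructed for illustration.

```javascript
// Added example: server-side detection of <a ping> (hyperlink auditing) floods.
// Ping request shape per the HTML standard: POST, Content-Type "text/ping",
// body "PING", headers Ping-From and Ping-To. Everything else here (addresses,
// URLs, thresholds) is constructed sample data, not real telemetry.

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// True when a request looks like a browser-generated hyperlink-auditing ping.
function isHyperlinkAuditingPing(req) {
  const headers = lowerCaseHeaders(req.headers);
  const contentType = (headers['content-type'] || '').toLowerCase();
  return req.method === 'POST' &&
    contentType.startsWith('text/ping') &&
    'ping-to' in headers;
}

// Sliding-window counter: a source that has already sent maxPerWindow pings
// inside the last windowMs is blocked. Blocked attempts are still recorded,
// so a flood cannot "reset" itself by being blocked.
class PingRateLimiter {
  constructor(windowMs, maxPerWindow) {
    this.windowMs = windowMs;
    this.maxPerWindow = maxPerWindow;
    this.seen = new Map(); // source -> timestamps (ms) of recent pings
  }

  shouldBlock(source, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const stamps = (this.seen.get(source) || []).filter(t => t > cutoff);
    const block = stamps.length >= this.maxPerWindow;
    stamps.push(nowMs);
    this.seen.set(source, stamps);
    return block;
  }
}

// Walks the requests in time order and returns ping / blocked counts overall
// and per source. Non-ping traffic (GETs, ordinary form POSTs) is ignored.
function analyzeRequests(requests, windowMs = 10000, maxPerWindow = 5) {
  const limiter = new PingRateLimiter(windowMs, maxPerWindow);
  const perSource = {};
  let pings = 0;
  let blocked = 0;
  for (const req of [...requests].sort((a, b) => a.timeMs - b.timeMs)) {
    if (!isHyperlinkAuditingPing(req)) continue;
    pings += 1;
    const stats = perSource[req.source] || (perSource[req.source] = { pings: 0, blocked: 0 });
    stats.pings += 1;
    if (limiter.shouldBlock(req.source, req.timeMs)) {
      blocked += 1;
      stats.blocked += 1;
    }
  }
  return { pings, blocked, perSource };
}

// Builds one constructed ping record; lure.example is a hypothetical lure page.
function pingRequest(source, timeMs) {
  return {
    source, timeMs, method: 'POST', path: '/',
    headers: {
      'Content-Type': 'text/ping',
      'Ping-From': 'http://lure.example/',     // page holding the link
      'Ping-To': 'http://lure.example/next',   // the link's href
    },
    body: 'PING',
  };
}

// Constructed sample traffic: a GET and a normal form POST plus one genuine
// click from 203.0.113.10, and a lure page on 198.51.100.7 re-clicking its
// link once per second for 12 seconds (the cadence described above).
const SAMPLE_REQUESTS = [
  { source: '203.0.113.10', timeMs: 500, method: 'GET', path: '/', headers: {} },
  { source: '203.0.113.10', timeMs: 800, method: 'POST', path: '/login',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'u=a&p=b' },
  pingRequest('203.0.113.10', 3000),
  ...Array.from({ length: 12 }, (_, i) => pingRequest('198.51.100.7', i * 1000)),
];

console.log(JSON.stringify(analyzeRequests(SAMPLE_REQUESTS), null, 2));
```

With a 10-second window and a limit of 5, the lone click from 203.0.113.10 passes, the first five pings from 198.51.100.7 pass, and the remaining seven are blocked; the form POST is never mistaken for a ping because the content type differs. In production the source key should be whatever identifies the client behind your edge (the connecting address, or the forwarded one if a trusted proxy sets it), and the check belongs as early in the request path as possible, since the point of the attack is volume.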
The Matrix: Un-Loaded
- Matrix is an open source, end-to-end encrypted messaging protocol that lets anyone self-host a messaging service on their own servers; it powers many instant messengers as well as VoIP, WebRTC, bot and IoT communication.
- On April 4th, Matrix discovered that attackers had exploited a sandbox bypass vulnerability in their Jenkins automation server on March 13th.
- The attackers gained access to production databases, including ones containing unencrypted message data, password hashes and access tokens.
- Matrix logged every user out of the service, meaning that users who had not backed up their encryption keys lost their encrypted conversation history.
- In addition, the attacker used a Cloudflare API key to repoint the DNS for matrix.org at a defacement page. That key was known to have been compromised in the original intrusion but had not been rotated, because everyone at Matrix had only rotated their personal keys.
- According to Matrix, everything is now fixed.
This Week’s Hoodie Scale
Who am I? That’s one secret I’ll never tell!
[Tim]: 7/10 Hoodies
[Emily]: 6/10 Hoodies
Pinging Down the House
[Tim]: 2/10 Hoodies
[Emily]: 3/10 Hoodies
The Matrix: Un-Loaded
[Tim]: 2.5/10 Hoodies
[Emily]: 5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!