Attaining Focus: Evaluating Vulnerabilities In The Current Threat Environment

Information security space observers may have encountered a phrase born out of both frustration and levity in 2023: “Hot Zero Day Summer.” While nearly two months of Summer 2023 remain as of this writing, anecdotal evidence suggests that adversaries increasingly leverage vulnerabilities in external-facing applications and appliances to drive intrusions. Certainly, other intrusion vectors remain relevant and popular, such as phishing and related activities. But the list of vulnerable applications and services leading to widespread breaches, whether …

What Have We Learned?

Background: Almost a year ago as of this writing, the Russian state initiated a new and astoundingly brutal campaign against Ukraine. While Russia had effectively been at war with Ukraine since not long after the Revolution of Dignity, late February 2022 initiated a far wider, nastier, and more inhumane phase of this long-running conflict. During most of the period between 2014 and 2022, outside of low-level (but still nasty) conflict in Donetsk and Luhansk, much of …

Embedded System Ransomware and the Meaning of Criminal Operations

On 11 January 2023, the “Ghost Security Group” (commonly referred to as “GhostSec”) issued a bold claim (captured on Twitter, among other places) that they “encrypted the first RTU in history.” The claim rapidly came under scrutiny from several directions – for an excellent analysis of this specific case and claim, check out SynSaber’s blog on the subject. Yet the claim of “industrial ransomware” is hardly new – researchers have claimed (without providing specific details) …

Detailing Daily Domain Hunting

Updated 23 Nov 1355 MST: Added some additional observations related to logon spoofing infrastructure. Domain “hunting” is a process of identifying new (or at least, newly identified) network infrastructure associated with threat actors of interest. Such a process does not start in a void, but rather requires understanding tendencies and patterns associated with adversary infrastructure creation and management. This is especially effective when viewing individual network observables – or indicators – as natural composite objects, …

Industroyer2 in Perspective

Background: On 12 April 2022, the Ukrainian CERT and ESET disclosed the existence of Industroyer2, a successor to the malware targeting Ukrainian electric distribution and transmission operations in 2016. Industroyer2 arrived after multiple disruptive cyber incidents of varying degrees of success surrounding Russia’s brutal invasion of Ukraine, as presented in the following timeline: Overall, cyber operations targeting Ukraine have ranged from the “merely annoying” (DDoS) to “quite concerning” (Industroyer2). Fully contextualizing events will take time …

Considering Closeness of Concern in Conflict Scenarios

Since late February 2022, the world has been transfixed by Russia’s increasingly brutal invasion of Ukraine. Among other items, the conflict represents the largest of its kind in Europe since the Second World War. Along with hostilities, Russia’s invasion induced significant outflows of refugees fleeing conflict in targeted urban areas. While thus far smaller in aggregate than total outflows from the former Yugoslavia during that civil war, numbers are astounding for the brief period – …

Contextualizing Cyber Components in Conventional Conflict

In the early hours of 24 February 2022, Russian forces initiated offensive, kinetic action against multiple targets across Ukraine. While shocking given the naked brutality of these strikes, this invasion represented the culmination of a months-long build-up, and arguably the final phase of a conflict that started in 2014. As I write this, Russian forces are attempting to encircle and cut off Ukraine’s capital, Kyiv, from the rest of the country, potentially as part of …

Lights Out in Isfahan

Iranian security company Amnpardaz Soft published an intriguing report on 28 December 2021 concerning a firmware-level rootkit in HP Integrated Lights Out (iLO) products. While frustratingly containing no Indicators of Compromise (IOCs) – not so much for defensive purposes, but for validating research and independently analyzing artifacts – the report does offer sufficient technical detail to indicate something was discovered, and that it appears designed to repeatedly wipe infected systems for a disruptive effect. The …

Diving Deeper Into Vulnerabilities

While the end of 2020 was dominated by Nobelium’s supply chain intrusions, 2021 closes with continued worry and response over vulnerabilities in the widely-deployed Log4j library. Starting in earnest on 10 December 2021 with public disclosure of CVE-2021-44228, information security practitioners and security program managers have since dealt with a sequence of updates and patches to the framework. Other than the 2.16 patch, which hardens the initial CVE-2021-44228 fix in 2.15 by disabling JNDI …

Critical Commentary Considering the Zero Day

“Zero days” are popular items in cyber security discussions. They grab headlines, they often feature in high-profile conference presentations, they can even apparently spawn television shows. Yet for all the attention and frequent discussion in non-technical audiences, the term itself seems a bit slippery. Terms like “zero day attack” are thrown around without diving into what precisely makes these items stand apart from other intrusions, capabilities, and adversary actions. At its core, a zero day …