Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

The Normalization of the Unacceptable

On 04 June 2024, multiple hospitals in London declared a “critical incident” following a ransomware incident targeting a pathology services company called Synnovis. The incident resulted in multiple medical practices, including major hospitals, being unable to perform tasks such as blood transfusions or rapid testing of blood samples. Cascading impacts of this outage included cancelled surgeries and procedures, along with redirection of patients to other facilities. As analyzed previously, the increase in friction and time to care for Read more…

By Joe, ago

The CTI Mindset & The CTI Function

I recently came across a job posting for a cyber threat intelligence (CTI) analyst position. Given recent issues in the CTI marketplace with many individuals finding themselves in need of new roles, this at first glance appeared an excellent opportunity to pass on to those looking for work. However, with further scrutiny, the role appeared to be quite curious – a reasonably well compensated position for a critical infrastructure entity with fewer than 500 employees Read more…

By Joe, ago

Attaining Focus: Evaluating Vulnerabilities In The Current Threat Environment

Information security space observers may have encountered a phrase born out of both frustration and levity in 2023: “Hot Zero Day Summer.” While nearly two months remain as of this writing for Summer 2023, anecdotal evidence suggests that adversaries increasingly leverage vulnerabilities in external-facing applications and appliances to drive intrusions. Certainly, other intrusion vectors remain relevant and popular, such as phishing and related activities. But the list of vulnerable applications and services leading to widespread breaches, whether Read more…

By Joe, ago

What Have We Learned?

Background Almost a year ago as of this writing, the Russian state initiated a new and astoundingly brutal campaign against Ukraine. While Russia had effectively been at war with Ukraine since not long after the Revolution of Dignity, late February 2022 initiated a far wider, nastier, and inhumane phase of this long-running conflict. During most of the period between 2014 and 2022, outside of low-level (but still nasty) conflict in Donetsk and Luhansk, much of Read more…

By Joe, ago

Embedded System Ransomware and the Meaning of Criminal Operations

On 11 January 2023, the “Ghost Security Group” (commonly referred to as “GhostSec”) issued a bold claim (captured on Twitter, among other places) that they “encrypted the first RTU in history.” The claim rapidly came under scrutiny from several directions – for an excellent analysis of this specific case and claim, check out SynSaber’s blog on the subject. Yet the claim of “industrial ransomware” is hardly new – researchers have claimed (without providing specific details) Read more…

By Joe, ago

Detailing Daily Domain Hunting

Updated 23 Nov 1355 MST: Added some additional observations related to logon spoofing infrastructure. Domain “hunting” is a process of identifying new (or at least, newly identified) network infrastructure associated with threat actors of interest. Such a process does not start in a void, but rather requires understanding tendencies and patterns associated with adversary infrastructure creation and management. This is especially effective when viewing individual network observables – or indicators – as natural composite objects, Read more…

By Joe, ago

Industroyer2 in Perspective

Background On 12 April 2022, the Ukrainian CERT and ESET disclosed the existence of Industroyer2, a successor to the malware targeting Ukrainian electric distribution and transmission operations in 2016. Industroyer2 arrived after multiple disruptive cyber incidents of varying degrees of success surrounding Russia’s brutal invasion of Ukraine, as presented in the following timeline: Overall, cyber operations targeting Ukraine have ranged from the “merely annoying” (DDoS) to “quite concerning” (Industroyer2). Fully contextualizing events will take time Read more…

By Joe, ago

Considering Closeness of Concern in Conflict Scenarios

Since late February 2022, the world has been transfixed by Russia’s increasingly brutal invasion of Ukraine. Among other items, the conflict represents the largest of its kind in Europe since the Second World War. Along with hostilities, Russia’s invasion induced significant outflows of refugees fleeing conflict in targeted urban areas. While thus far smaller in aggregate than total outflows from the former Yugoslavia during that civil war, numbers are astounding for the brief period – Read more…

By Joe, ago

Contextualizing Cyber Components in Conventional Conflict

In the early hours of 24 February 2022, Russian forces initiated offensive, kinetic action against multiple targets across Ukraine. While shocking given the naked brutality of these strikes, this invasion represented the culmination of a months-long build-up, and arguably the final phase of a conflict that started in 2014. As I write this, Russian forces are attempting to encircle and cut off Ukraine’s capital, Kyiv, from the rest of the country, potentially as part of Read more…

By Joe, ago

Lights Out in Isfahan

Iranian security company Amnpardaz Soft published an intriguing report on 28 December 2021 concerning a firmware-level rootkit in HP Integrated Lights Out (iLO) products. While frustratingly containing no Indicators of Compromise (IOCs) – not so much for defensive purposes, but for validating research and independently analyzing artifacts – the report does offer sufficient technical detail to indicate something was discovered, and that it appears designed to repeatedly wipe infected systems for a disruptive effect. The Read more…

By Joe, ago