Embedded System Ransomware and the Meaning of Criminal Operations

On 11 January 2023, the “Ghost Security Group” (commonly referred to as “GhostSec”) issued a bold claim (captured on Twitter, among other places) that they “encrypted the first RTU in history.” The claim rapidly came under scrutiny from several directions – for an excellent analysis of this specific case and claim, check out SynSaber’s blog on the subject. Yet the claim of “industrial ransomware” is hardly new – researchers have claimed (without providing specific details) …

Detailing Daily Domain Hunting

Updated 23 Nov 1355 MST: Added some additional observations related to logon spoofing infrastructure. Domain “hunting” is a process of identifying new (or at least, newly identified) network infrastructure associated with threat actors of interest. Such a process does not start in a void, but rather requires understanding tendencies and patterns associated with adversary infrastructure creation and management. This is especially effective when viewing individual network observables – or indicators – as natural composite objects, …

Industroyer2 in Perspective

Background: On 12 April 2022, the Ukrainian CERT and ESET disclosed the existence of Industroyer2, a successor to the malware targeting Ukrainian electric distribution and transmission operations in 2016. Industroyer2 arrived after multiple disruptive cyber incidents of varying degrees of success surrounding Russia’s brutal invasion of Ukraine, as presented in the following timeline: Overall, cyber operations targeting Ukraine have ranged from the “merely annoying” (DDoS) to “quite concerning” (Industroyer2). Fully contextualizing events will take time …

Considering Closeness of Concern in Conflict Scenarios

Since late February 2022, the world has been transfixed by Russia’s increasingly brutal invasion of Ukraine. Among other items, the conflict represents the largest of its kind in Europe since the Second World War. Along with hostilities, Russia’s invasion induced significant outflows of refugees fleeing conflict in targeted urban areas. While thus far smaller in aggregate than total outflows from the former Yugoslavia during that civil war, numbers are astounding for the brief period – …

Contextualizing Cyber Components in Conventional Conflict

In the early hours of 24 February 2022, Russian forces initiated offensive, kinetic action against multiple targets across Ukraine. While shocking given the naked brutality of these strikes, this invasion represented the culmination of a months-long build-up, and arguably the final phase of a conflict that started in 2014. As I write this, Russian forces are attempting to encircle and cut off Ukraine’s capital, Kyiv, from the rest of the country, potentially as part of …

Lights Out in Isfahan

Iranian security company Amnpardaz Soft published an intriguing report on 28 December 2021 concerning a firmware-level rootkit in HP Integrated Lights Out (iLO) products. While frustratingly containing no Indicators of Compromise (IOCs) – not so much for defensive purposes, but for validating research and independently analyzing artifacts – the report does offer sufficient technical detail to indicate something was discovered, and that it appears designed to repeatedly wipe infected systems for a disruptive effect. The …

Diving Deeper Into Vulnerabilities

While the end of 2020 was dominated by Nobelium’s supply chain intrusions, 2021 closes with continued worry and response over vulnerabilities in the widely-deployed Log4j library. Starting in earnest on 10 December 2021 with public disclosure of CVE-2021-44228, information security practitioners and security program managers have since dealt with a sequence of updates and patches to the framework. Other than the 2.16 patch, which hardens the initial CVE-2021-44228 fix in 2.15 by disabling JNDI …

Critical Commentary Considering the Zero Day

“Zero days” are popular items in cyber security discussions. They grab headlines, they often feature in high-profile conference presentations, they can even apparently spawn television shows. Yet for all the attention and frequent discussion in non-technical audiences, the term itself seems a bit slippery. Terms like “zero day attack” are thrown around without diving into what precisely makes these items stand apart from other intrusions, capabilities, and adversary actions. At its core, a zero day …

Unpacking Vexing Vulnerabilities

On 13 September 2021, researchers from Citizen Lab disclosed FORCEDENTRY: a zero-click vulnerability impacting pretty much all Apple operating systems based on a flaw in the CoreGraphics rendering application. As a zero-click (i.e., requiring no user interaction) vulnerability, FORCEDENTRY represents a deeply concerning technical problem. Yet based on Citizen Lab’s analysis, the only known, discovered use for FORCEDENTRY aligns with actions linked to mercenary vendor NSO Group, apparently to enable follow-on deployment of the company’s …

A Spectrum of State Ransomware Responsibility

Questions concerning responsibility for the current epidemic of ransomware events are common, and seek to identify some concrete party to hold accountable for incidents. Yet the immediate perpetrators – largely (but not exclusively) criminal gangs operating in Eastern Europe and Russia – either represent too remote an entity for blame, or remain inaccessible from any consequences for their behavior. The latter point is interesting, and gives rise to theories that state entities, especially Russian authorities, …