Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

Diving Deeper Into Vulnerabilities

While the end of 2020 was dominated by Nobelium’s supply chain intrusions, 2021 closes with continued worry and response over vulnerabilities in the widely-deployed Log4j library. Starting in earnest on 10 December 2021 with public disclosure of CVE-2021-44228, information security practitioners and security program managers have subsequently dealt with a sequence of updates and patches to the framework since. Other than the 2.16 patch, which hardens the initial CVE-2021-44228 fix in 2.15 by disabling JNDI Read more…

By Joe, ago

Critical Commentary Considering the Zero Day

“Zero days” are popular items in cyber security discussions. They grab headlines, they often feature in high-profile conference presentations, they can even apparently spawn television shows. Yet for all the attention and frequent discussion in non-technical audiences, the term itself seems a bit slippery. Terms like “zero day attack” are thrown around without diving into what precisely makes these items stand apart from other intrusions, capabilities, and adversary actions. At its core, a zero day Read more…

By Joe, ago

Unpacking Vexing Vulnerabilities

On 13 September 2021, researchers from Citizen Lab  disclosed FORCEDENTRY: a zero-click vulnerability impacting pretty much all Apple operating systems based on a flaw in the CoreGraphics rendering application. As a zero-click (i.e., requiring no user interaction) vulnerability, FORCEDENTRY represents a deeply concerning technical problem. Yet based on Citizen Lab’s analysis, the only, known, discovered use for FORCEDENTRY aligns with actions linked to mercenary vendor NSO Group, apparently to enable follow-on deployment of the company’s Read more…

By Joe, ago

A Spectrum of State Ransomware Responsibility

Questions concerning responsibility for the current epidemic of ransomware events are common, and seek to identify some concrete party to hold accountable for incidents. Yet the immediate perpetrators – largely (but not exclusively) criminal gangs operating in Eastern Europe and Russia – either represent too remote an entity for blame, or remain inaccessible from any consequences for their behavior. The latter point is interesting, and gives rise to theories that state entities, especially Russian authorities, Read more…

By Joe, ago

Ransomware’s Unintended Consequences

The information security industry finds itself, as of this writing, in the midst of a ransomware pandemic. While Business Email Compromise (BEC) likely remains more financially successful overall, much of this success is due to far wider scope and selection of victims. Ransomware, while potentially less costly in a direct fashion, adds additional concerns such as operational disruption, data loss, and costly network rebuilds that amplify expenses beyond mere ransom demands. When combined with the Read more…

By Joe, ago

Mind the (Air) Gap

Following the ransomware incident impacting Colonial Pipeline operations in May 2021, many parties asked how such a disruption, impacting one of the main arteries delivering refined petroleum products to the Eastern and Southeastern United States, could occur. Based on information available, the intrusion did not directly impact Industrial Control Systems (ICS) within Colonial’s environment. Instead, the company itself initiated a controlled shutdown of operations as a precautionary matter to prevent critical ICS-related and product tracking Read more…

By Joe, ago

Understanding or Publicizing the Adversary?

In April 2021 the Babuk ransomware gang, already a concerning entity, gained additional notoriety for compromising the Washington, DC police department. As part of this incident, the criminals threatened to release confidential files relating to police operations to spur payment. The group in question earlier gained attention for the combination of a failed ransomware decryptor followed by a primitive public relations campaign to advertise a “fix” for their malicious software. This “flair” for public communication Read more…

By Joe, ago

Water, Water Everywhere – But Nary a Hacker to Blame

Note: On 21 March 2023, website GCN reported that the “hack” was actually an employee error. More worringly, statements from the city manager at the time indicate this was known from the outset, yet still resulted in several investigations from local and federal law enforcement. Interestingly, this story has not been picked up or reported by any other outlet. Nonetheless, if true, this would represent a nearly unfathomable act of “hyping” events for indeterminate reason. Read more…

By Joe, ago

Why Do We Fight?

One of the penultimate, and more poignant, episodes of the television series Band of Brothers was “Why We Fight.” The episode highlighted how, although the members of the unit followed through the series faced multiple trials and setbacks, the discovery of concentration camps emphasized the necessity for continuing the struggle against the Nazi regime. Within the realm of Cyber Threat Intelligence (CTI), we rarely face so stark and dire circumstances with respect to our work. Read more…

By Joe, ago

Terrorism or Information Operation?

On 09 December 2020, details emerged concerning network infrastructure I’d previously identified as suspicious on 07 December: Further research and investigation showed that the domains in question – which were relocated from “.org” to “.us” infrastructure – were hosting “kill lists” comprising politicians, civil servants, and employees of Dominion Voting Systems, including information such as home addresses. As seen in the following image, the intent of this page is not left to one’s imagination, thanks Read more…

By Joe, ago