Cyber Threat Intelligence and the Law of the Jungle

-

Nowadays, the internet can be viewed as the closest thing humans have to a predator and prey food chain where it’s truly a free-for-all. One novel method of threat modelling could be to examine what threats prey face in the animal kingdom. 

 By evaluating what potential predators are out there we can identify vulnerabilities and risks, before they become a threat. The main aim of this blog is to explain clearly to non-technical people how certain persistent threats exist in the wild with memorable analogies.
All Artwork is from www.pexels.com

 The Law of the Jungle

 The Venus Flytrap is a good example of how prey can be lured in, away from safety, into the clutches of the predators. This carnivorous plant uses a special nectar that entices insects to fall for the trap and end up in its jaws. This process in nature is comparable to that of phishing lures with decoy documents, malvertising, free Trojanised apps, pirated games, films or eBook, fake competitions and many many other techniques that are used by millions of cybercriminals every day. The internet is full of virtual venus flytraps waiting to steal your sensitive information, spy on you, and install malware to take over your device.

 Flying insects can often be found embroiled in a sticky net belonging to a certain hungry arachnid. Virtual Spider Webs exist online in the form of very similar looking websites sitting on the internet, hoping someone mistakenly enters their credentials into a fake login page or downloads a piece of software which comes packed with malware. Cybercriminals set up typosquatting sites (websites with a typo in the URL, very similar to a legitimate domain names) to masquerade as a target site. If someone mistypes this in the browser they may visit the wrong site, effecting flying into the spider’s web. Legitimate websites can be also compromised and have files replaced with malware or redirect visitors with malicious URLs. It always pays to have decent antivirus software, with Windows Defender enabled at the very least.

 The Angler Fish is a perfect example of the dangers of phishing and business email compromise (BEC). The FBI’s IC3 2019 report recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses. All of which could have been prevented if the victims spotted the phishing lure or if it was picked up and remediated by detection systems and the security team. Spam emails are automated nowadays with millions of them sent per day, these are relatively simple to mitigate. The difficulty comes when the predators have done their research on the targets and craft bespoke spear-phishing emails, with typosquatting domains, real names, logos, and addresses. We can then clearly see how BEC is a widespread and costly problem.

 The ‘Internet of Things’ (IoT) is a good idea, until it has been corrupted by cybercriminals for their own maleficent activities. Bee hives or Ant colonies interact in a similar way many IoT devices might with a central command and control server (the Queen). Instructions are sent and received from along a communications channel. Uncovering the C2 server of a botnet can be difficult as these channels are usually encrypted, although it is the key to taking down large botnets. On their own a bee or an ant is nothing more than a nuisance, however, when together as a full swarm (like a DDoS attack) it can become an overwhelming force.

 The Jungle Cordyceps is an unusual type of fungus that has become renowned for corrupting the minds of insects into doing its bidding. This is comparable to a potential insider threat. When defending an organisation we often prepare for external attackers, however, those with access to everything from the inside are likely to do the most amount of damage, like the CapitalOne attack for example. Insiders can be extorted into committing actions on behalf of an external attacker. It is not uncommon, especially in the finance sector, for a member of staff to be blackmailed this way. This can be especially exacerbated after a large compromising data breach is released, such as the infamous Ashley Madison leak in 2015.

 A certain species of Crab molts once a year, all shedding their shells in unison. They do this all at the same time, however, which alerts any predators that the crab colony is vulnerable and many are in a compromised position, open to attack. Just like after a 0day vulnerability is publicly disclosed, many organisations are in the same precarious position as these crab colonies. The predators then come out and it is free pickings for those still vulnerable. 

 Sophisticated malware often uses code signing certificates to bypass detection systems. It blends in and poses as legitimate software, just like a Chameleon. Advanced persistent threat groups are known to even steal certificates from code-signing machines from large enterprises such as Asus. However, common cybercriminals constantly use leaked private keys from GitHub and other code repositories to sign their malware with, camouflaging it amongst the forest of internet traffic.

 Cannibalism plays as much of a part in the Chimpanzee world as it does in the world of cybercriminals and malware. Unbeknownst to average internet users, botnets and Trojans are constantly battling for control over IoT and server territory. Malware and botnets will cannibalise anything on a vulnerable device before locking out competitors and establishing control, just like Chimps constantly battling for areas of the jungle.

 Like a pack of wolves, cybercriminals work in complex organised crime groups that can efficiently take down an organisation, usually for financial gain. From ransomware groups such as the infamous REvil, Maze, or DoppelPaymer ransomware operators to Point-of-Sale system attacks from APTs like Silence, FIN6, FIN7, or FIN8. These are highly trained and professional cybercriminals that know every trick in the book to successfully infiltrate heavily defended networks for large sums of money. 

 Other organised cybercrime gangs, however, such as EvilCorp or TA505 behave like merciless Hyenas. They scavenge and attack the weak, going after any target they can make a meal out of. The most vulnerable often fall for the delivery techniques employed by banking Trojans and infostealers, like Dridex, AgentTesla, Remcos RAT, Formbook, and other malware used by these groups. This malware can clear out life savings and hijack any other accounts, without mercy. Any private and confidential information is to be sold to the vultures on darknet markets.

 Great White Sharks can detect one drop of blood in 25 gallons (100 liters) or water and they can sense even a little blood up to 3 miles (5 km) away, according to National Geographic. Cybercriminals can also use internet scanners and sensors to uncover your exposed cloud servers and databases containing thousands of user records. Opportunistic attackers from all over the world can look for misconfigured or even vulnerable instances which, with just the URL, can be accessed and have data stolen. Organisations must remember that the sharks are always circling.

 Another fun analogy which may demonstrate the spread of cybercrime across the internet could be a sardine bait-ball feeding frenzy filmed on Blue Planet. Many different predators travel from all over to target these sardines (internet users) which have been confined to a tight formation. Each predator takes it in turn to have at the sardines, splitting them up, working together - something that would not usually happen. However, when there is this much food to go around, the predators don’t waste time fighting amongst each other and just focus on the prey. Watch this video until the end!
Sources:
https://www.youtube.com/watch?v=tEYCjJqr21A
https://www.youtube.com/watch?v=al-f_WWoHI4
https://krebsonsecurity.com/tag/capital-one-breach/
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/

Hope you enjoyed this fun article and can refer back to some of these in your next meeting with upper management 😁

I'm continuing on with my new series called 'This Week in Malware' to help Blue Teams and SOCs keep up with the latest and greatest cyber threats challenging organisations worldwide. The most recent This Week in Malware for the week of 11 May can be found here.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more