Attackers moving off Cobalt Strike
Cracked versions of the Cobalt Strike attack toolkit have become a staple of threat actors’ arsenals over the years, letting attackers quickly spread laterally across a breached network. However, Palo Alto Networks researchers found that the Brute Ratel toolkit is quickly becoming a popular replacement. Like Cobalt Strike, it was developed as a red team pen testing tool by a former researcher at Mandiant and CrowdStrike, letting a user deploy so-called Badger beacons to remote hosts that connect back to a C2 server for commands. Brute Ratel was specifically designed to evade detection by EDR and antivirus services, making it particularly hard to deal with. Researchers found the new tool particularly popular with the Russian-backed group APT29, aka CozyBear, but it has also seen growing use by ransomware groups.
Cyberattacks against law enforcement on the rise
A new report from the security firm Resecurity found that attacks against law enforcement agencies saw a notable rise in Q2. These attacks typically see actors sending faked subpoenas or Emergency Data Requests (EDRs) using a hacked email account belonging to a law enforcement agency. This typically yields sensitive details that can either be used for extortion or further cyberespionage. This appears to be an international phenomenon, impacting law enforcement in the US, Peru, and Bangladesh recently.
Apple announces lockdown mode
The company plans to introduce this new security feature in the autumn. When activated, it blocks attachments and link previews in messages, certain attackable web browsing features, and incoming FaceTime calls from unknown numbers. It also requires the device to be unlocked to accept accessory connections, like headphones, and blocks installation of remote management software. The mode is only meant for users who feel they may be the target of a sophisticated attack, like the Pegasus spyware from NSO Group, which can infect phones with little or no action required by the target. A developer version is being tested now and Apple plans to expand lockdown mode over time.
Marriott confirms data breach
The hotel chain confirmed that unknown threat actors breached its BWI Airport Marriott location and stole 20GB of data. The actor only had access to its network for roughly six hours and “did not gain access to Marriott’s core network.” Marriott described the breach as a social engineering attack that tricked an associate into giving access to a hotel computer. Stolen data included internal business files and some credit card information, impacting about 300-400 people. The company said the attackers tried to extort it to not leak the data, but that it did not make any payment.
Thanks to today’s episode sponsor, Votiro

New details on the Axie Infinity hack
We’ve covered some of the details of the hack of the Ronin Bridge used by the game Axie Infinity that stole $540 million in cryptocurrency assets. In terms of who is behind the attack, the US government tied the incident to North Korea’s Lazarus group. However, The Block’s sources say the vector for that attack was a fake job ad. A senior engineer at Axie Infinity clicked to apply for the fictitious job and downloaded a malicious PDF offering employment details. This installed spyware which ultimately allowed the attackers to take over a significant number of validators on the Ronin network. The attackers went so far as to put this engineer through several rounds of interviews before sending the faked “job offer.” This was combined with gaining access to a signature from the Axie DAO validator to give the attackers access to the bridge.
Chinese database exposed for a year
Yesterday we covered the supposed leak of information on 1 billion Chinese citizens. This was tied back to Shanghai police setting up a dashboard on the public internet without a password. Someone listed this trove of data for sale online, but it hasn’t been fully confirmed to be legitimate. We at least have confirmation now that the data was exposed online for some time. The web intelligence firm Shadowbyte reports that it found the unsecured database from Shanghai police all the way back in January. They found that it was originally put online back in April 2021. Security researcher Bob Diachenko said that in mid-June, he saw the data suddenly taken offline and replaced with a ransom note for police.
(WSJ)
NPM hit with supply-chain attack
Researchers at ReversingLabs discovered the attack, with threat actors using typosquatting to target developers looking for popular packages. This campaign began in December 2021 with the attackers using dozens of malicious modules. Simply using a very similar naming scheme, the malicious packages were designed to steal data from embedded forms. The researchers warned NPM of the modules on July 1st. While some were removed, the researchers say many are still available at the time of this writing. They estimate these packages were used by at least hundreds of downstream apps and websites based on downloads.
TikTok CEO tries to assuage US lawmaker concerns
Last month, BuzzFeed News reported that according to leaked audio from internal meetings at TikTok, the company began work on “Project Texas,” designed to stop engineers in China from retrieving US data, indicating that Chinese engineers were already doing so. In a letter addressing questions from Republican Senators on the report, TikTok CEO Shou Zi Chew said the goal of Project Texas was to improve its systems and controls in order to “build trust with users and key stakeholders” as well as make progress toward compliance with a final agreement with the US government that will fully safeguard US user data and resolve any lingering national security concerns.