Remote work devices are being used to watch porn by over 51% of employees

The CyberWire

Automatic TRANSCRIPT

Microsoft yesterday offered more details on how the Solorigate threat actors worked, and why their infiltration of their targets was as quietly effective as it proved to be. It had, for example, been unclear how the handover from the Sunburst DLL backdoor to the Cobalt Strike loader was accomplished, and Microsoft details how the threat actor obscured that handover as they accomplished it. Redmond's assessment of the Solorigate crew is that they're, quote, "skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence," unquote: accomplished in operational security and adept at minimizing their footprint.

In looking at the Solorigate operation, Microsoft identified six techniques the Solorigate operators used to escape detection. They're worth reviewing.

First, they took care to avoid putting up the same indicators for each compromised host. Every Cobalt Strike DLL implant was designed to be unique to each affected machine. One of the tells the threat actors scrupulously avoided was the reuse of folder name, file name, export function names, C2 domain and IP, HTTP requests, timestamp, file metadata, config, and child process launched. They also varied such non-executables as WMI persistence filter name, WMI filter query, passwords used for 7-Zip archives, and names of output log files. That, as we say, took a lot of effort, and a whole lot more effort than the typical threat group finds it worth expending.

Second, the Solorigate actors took care to camouflage themselves to blend into targets' environments. The tools and binaries they used were named and put in folders that appeared to belong in the affected machine; they mimicked existing legitimate files and programs that they found in the victim's environment.

Third, before they ran their hands-on-keyboard activity, which would raise the risk of detection, the threat actors disabled event logging using AUDITPOL. They re-enabled logging once they were finished. Similarly, they installed special firewall rules before they ran unavoidably noisy network reconnaissance. The rules were designed to minimize outgoing packets for certain protocols. Once the reconnaissance was complete, they systematically removed those firewall rules.

It's also noteworthy, Microsoft says, that the Solorigate operators executed lateral movement only after careful preparation. They began by enumerating any remote processes and services running on the target host, and they moved laterally across the network only after they disabled security services that might detect them.

Finally, Microsoft believes they timestomped various artifacts (altered their timestamps, that is) and also used professional wiping procedures and tools with a view to complicating the defender's problem of finding and eliminating the DLL implants from the affected systems.

So whoever they were, and the smart money is still on Russian intelligence services, the Solorigate threat actors showed rare patience, sophistication, and attention to detail, far beyond what organized crime normally attempts.

SecurityWeek describes research by The Media Trust into a cross-platform malvertising campaign, LuckyBoy, that's afflicting users of iOS, Android, and Xbox systems. It checks for blockers, test environments, and debuggers before it runs. Once it does execute, LuckyBoy uses a tracking pixel to redirect victims to malicious sites like phishing pages or bogus software updates. The campaign, which surfaced last week, appears to be in its early testing phases. It's another instance of malware using relatively complicated means of cloaking itself. It's not as complex as what the Solorigate operators used, but even criminals try to stay undetected.

Proofpoint has found a business email compromise campaign that uses Google Forms to bypass keyword-based email content filters. The researchers see the campaign as a hybrid, combining social engineering with exploitation of the scale and legitimacy of Google services. The messages themselves are relatively primitive, with the poor idiomatic control so often found in criminal communications, but Proofpoint suspects they'll find takers. Now, the researchers think that the BEC effort represents an email reconnaissance campaign to enable target selection for undetermined follow-on threat activity.

The increase in remote work during the pandemic has, of course, greatly increased most organizations' attack surface. Yes, yes, we know, this is old news, but bear with us, or rather bear with Wandera, whose 2021 Cloud Security Report has some interesting findings on the extent to which the criminal underworld has embraced the opportunities remote work affords. Your remote work, not theirs. Oh, and remote workers could behave better too. Wandera says that accessing what they primly call "inappropriate content," and we leave it as an exercise for the listener what counts as inappropriate content, has at least doubled since the onset of the pandemic. Did you know that websites in the adult, gambling, extreme, and illegal content categories are more likely to leak data than nice sites? Well, they are, you know. Avoid the near occasion of compromise.
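As an added defender-side example (not from the CyberWire episode or from Microsoft's write-up), the following Python pairs the "disable logging, act, re-enable" and "add firewall rule, run reconnaissance, remove rule" bracketing described above in the Solorigate segment, run over a constructed process-creation log; the log format, host names, user names and sample commands are all assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation log, one event per line:
# "<hh:mm> <host> <user> <command line>". Not real telemetry.
SAMPLE_LOG = """\
10:01 ws01 svc auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable
10:02 ws01 svc netsh advfirewall firewall add rule name="Core Networking" dir=out action=block protocol=icmpv4
10:03 ws01 svc netstat -an
10:05 ws01 svc netsh advfirewall firewall delete rule name="Core Networking"
10:06 ws01 svc auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable
11:00 ws02 admin auditpol /get /category:*
"""

LINE = re.compile(r"^(\d\d:\d\d) (\S+) (\S+) (.*)$")
AUDIT_SET = re.compile(r"auditpol\s+/set\b.*?(disable|enable)", re.I)
FW_RULE = re.compile(r'netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\s+name="([^"]+)"', re.I)

Finding = Tuple[str, str, str, str]  # (host, kind, start_time, end_time)

def find_bracketing(log: str) -> List[Finding]:
    """Pair each 'auditpol ... disable' with the next 'auditpol ... enable' on
    the same host, and each firewall 'add rule' with the later 'delete rule'
    of the same name on that host. Unpaired events are not reported."""
    open_audit: Dict[str, str] = {}              # host -> time logging was disabled
    open_rules: Dict[Tuple[str, str], str] = {}  # (host, rule name) -> time rule added
    findings: List[Finding] = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        time, host, _user, cmd = m.groups()
        a = AUDIT_SET.search(cmd)
        if a:
            if a.group(1).lower() == "disable":
                open_audit.setdefault(host, time)   # keep the earliest disable
            elif host in open_audit:
                findings.append((host, "audit-policy-bracketed", open_audit.pop(host), time))
            continue
        f = FW_RULE.search(cmd)
        if f:
            action, name = f.group(1).lower(), f.group(2)
            if action == "add":
                open_rules.setdefault((host, name), time)
            elif (host, name) in open_rules:
                findings.append((host, f"firewall-rule-bracketed:{name}", open_rules.pop((host, name)), time))
    return findings

if __name__ == "__main__":
    for hit in find_bracketing(SAMPLE_LOG):
        print(hit)
```

A pairing alone is not proof of compromise (administrators also toggle audit policy), so the findings are meant to be triaged alongside what ran in the window between start and end time.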
