This entry marks the first in Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks are tracking at this time.
The words threat intelligence do not mean what they used to. Lately, threat intelligence has transformed from actual intelligence about threats into a buzzy neologism for everything from endpoint protection to next-generation SIEM. Indeed, those buzzy products can deliver threat data.
However, there is a larger story being told here. At Anitian, we assess the trends going on in the world to chart a plausible impact on individual organizations. This post represents some of the current topics (sometimes called campaigns) that we are tracking in August 2015.
Office of Personnel Management Fallout
WHAT: The OPM breach, revealed in June, has a steadily increasing casualty count. The initial announcements listed 4 million affected, but that number has since climbed to over 18 million. There is ample evidence this was the work of nation-state actors as well. More info.
WHY: The full geopolitical ramifications are difficult to ascertain at this point. However, every dimension of the OPM hack is educational. By all accounts, OPM displayed a willful disregard for IT security fundamentals; patch management was lacking, critical data was unmonitored, and checkbox audits were used to present a façade of security. This reinforces the need to continuously check the health of basic security controls. Specifically, are patching, network monitoring and testing regimens followed correctly? Moreover, do those systems produce meaningful and scientifically valid results?
The OPM hack also correlates with our intelligence that nation-states are targeting organizations with high-value data, such as healthcare information.
Hacking Team, Hacked
WHAT: The public got a media-circus view of the exploit market in early July. Exploit and “surveillance” firm Hacking Team found its precious insides spilled across the internet for everyone to sort through in an exceedingly public breach. This breach had an upside. As a result, several patches to Flash, Java and Windows were all released. We also got a detailed look at the company’s impressive (and rather frightening) surveillance software platforms, Da Vinci and Galileo. More info.
WHY: We are watching to ensure these patches are making it onto systems, since attackers are actively exploiting the vulnerabilities they fix. Specifically, we are seeking out older Java and Adobe installations, since those are venerable hacking targets. However, we are also dubious about this breach, as it has the hallmarks of a stunt hack, which this blog has already written about many times.
WHAT: Macs got hit with a new and particularly nasty vulnerability in the Thunderbolt interface. ThunderStrike is extremely destructive and difficult to detect since it can embed itself directly into the system’s firmware. More info.
WHY: Macs are often deployed into environments with minimal protections since there is a prevalent and unfounded belief that they are immune to attack. As such, we always pay close attention to these devices as they can be vectors of compromise. Moreover, our intelligence shows that executives, who typically have broad and unrestricted access to sensitive insider data, tend to prefer Apple products.
Practical RC4 Attack
WHAT: The RC4 cipher has been in production for almost 20 years. In that time it has always been susceptible to a small set of theoretical attacks. In July, a practical attack against RC4 was released. RC4 is used in TLS communication, and the attack can also break WPA-TKIP. The attack is presently complex and difficult to execute. More info.
WHY: Anitian has recommended disabling RC4 on web servers and TKIP in wireless for quite some time. This is exactly the kind of obscure attack vector that a savvy attacker might try to execute to gain a beachhead in an environment. This is a difficult vulnerability to detect, so the Sherlock team is putting a series of hunts into their campaigns to spot evidence of any RC4 attacks.
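An added example, not Anitian's code or the Sherlock team's hunt: one way to confirm from network monitoring that RC4 has actually been disabled is to list the servers that still negotiate it. It assumes TLS session logs in the JSON form of a Zeek ssl.log; the function names are hypothetical and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the JSON form of a Zeek ssl.log (not real traffic).
SAMPLE_SSL_LOG = """
{"ts":1438387200.1,"id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
{"ts":1438387201.4,"id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.20","id.resp_p":443,"version":"TLSv10","cipher":"TLS_RSA_WITH_RC4_128_SHA"}
{"ts":1438387202.9,"id.orig_h":"10.0.0.8","id.resp_h":"192.0.2.20","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_RC4_128_SHA"}
{"ts":1438387203.2,"id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.20","id.resp_p":443,"version":"TLSv10","cipher":"TLS_RSA_WITH_RC4_128_MD5"}
{"ts":1438387204.0,"id.orig_h":"10.0.0.9","id.resp_h":"192.0.2.30","id.resp_p":8443,"version":"TLSv12"}
this line is truncated {"ts":
{"ts":1438387205.5,"id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.30","id.resp_p":8443,"version":"TLSv11","cipher":"TLS_RSA_WITH_RC4_128_SHA"}
"""

def is_rc4(cipher):
    """True for IANA-style (TLS_..._RC4_128_...) and OpenSSL-style (RC4-SHA) names."""
    return "RC4" in cipher.upper().replace("-", "_").split("_")

def rc4_inventory(log_text):
    """Group RC4-negotiated sessions by server endpoint.

    Returns a list of (server_ip, port, session_count, sorted_client_ips),
    busiest endpoint first, so remediation can start with the most-used service.
    """
    sessions = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        cipher = rec.get("cipher")  # absent when the handshake did not complete
        if not cipher or not is_rc4(cipher):
            continue
        key = (rec.get("id.resp_h"), rec.get("id.resp_p"))
        sessions[key] += 1
        clients[key].add(rec.get("id.orig_h"))
    rows = [(h, p, n, sorted(clients[(h, p)])) for (h, p), n in sessions.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for host, port, count, who in rc4_inventory(SAMPLE_SSL_LOG):
        print(f"{host}:{port} negotiated RC4 in {count} session(s); clients: {', '.join(who)}")
```

An empty result over a representative log window is the evidence that the server-side change took effect; the client list shows which endpoints still offer RC4 and would be affected by removing it.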
Keeping a pulse and perspective on everything that goes on in the Information Security sector can be tricky. We hope these highlights for the last month have been useful to you. We are always delighted to hear from you. Use the comments to add your thoughts.
Check back next month for our September Sherlock report.