First Officer’s log, Terrestrial date, 202200713. Officer of the Deck reporting. Even with the ship in port for a major conference, we were able to continue our duty to log the mission. As expected, the conference brought in specialists from other crews to share insights, techniques and camaraderie, along with some friendly competition. While we may be rivals on some levels, we all share the same mission, whether it’s overcoming the latest Linux threat or countering those pesky ransomware attacks.
It was also gratifying to see most of our senior command staff take the floor to promote the mission. You know you can count on your leadership when they are working with you shoulder to shoulder.
However, spending time in port does not mean the mission was paused. Hostile activity continues as it always does.
There is no honor among thieves
What happened
Ransomware attackers often claim that if an organization just pays the ransom, they will leave it alone. The reality is that ransomware victims are quite likely to be attacked again, whether by the same group or another. Even when a threat actor keeps their word, nothing stops other ransomware groups from identifying the victim as someone willing to pay, and therefore ripe for another attack.
Why it matters
It’s hard to tell how many organizations actually pay the ransom and then keep quiet about having been attacked. But threat actors operate within an entire ecosystem, and they talk to each other about whom they’ve attacked and how much they made. Paying up may, if you’re lucky, get one threat off your back, but there are others waiting to take their cut.
What they said
Ransomware attacks always get people talking. Read what people had to say here.
Enemies of the state
What happened
SentinelOne released a report on an Advanced Persistent Threat (APT) it has named Aoqin Dragon, likely after Ao Qin, the dragon king of the South Sea in Chinese mythology. The report presents evidence that the group has been operating for almost a decade, primarily targeting government, education and telecommunications organizations in Southeast Asia and Australia.
Why it matters
State and state-sponsored threat actors can be among the most difficult to conclusively identify as such, since they often mimic the behaviors, and use the same tools, as ordinary cybercriminal gangs. The usual difference is in their agenda, but that is easily concealed by adding some ransomware or simple data theft and extortion to the mix.
It’s unclear from the report how long SentinelOne has been tracking this APT, or whether it maps to a group already catalogued in MITRE’s ATT&CK framework.
What they said
After nearly a decade under the radar, it’s no surprise that this has got people talking now that it’s out in the open.
It’s not symbiosis when it harms the host – a rare strain of Linux malware
What happened
A recently discovered Linux malware strain, named “Symbiote” by its discoverers at BlackBerry and Intezer, leverages multiple techniques to hide itself from on-host detection. A more apt name would be Parasite: the malware only harms the infected host, and there is no real symbiotic relationship. It has mostly been seen targeting financial services organizations in Latin America.
Rather than running as a standalone process, Symbiote is a shared object that is loaded into every process on the machine through LD_PRELOAD. From there it hooks libc and libpcap functions so that its own files, processes and network connections are filtered out of what those processes (including ps, ls, netstat and packet-capture tools) report, and it installs a BPF filter so its traffic is dropped from captures taken on the host. That makes it very stealthy unless a sysadmin or forensic analyst knows specifically what to look for.
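Because Symbiote rides into every process via LD_PRELOAD and then hooks libc to filter what those processes see, one practical check is to look for the loader-side traces directly: entries in /etc/ld.so.preload, LD_PRELOAD in each process environment, and shared objects mapped from places a library has no business living. The script below is an added example written for this post; it is not code from the BlackBerry/Intezer report or from Vulcan Cyber. The library path /dev/shm/libhook.so and the /proc contents it parses are constructed sample data, and the list of trusted library directories is an assumption you should tune to your distribution.

```python
"""Hunt for LD_PRELOAD-style userland hooking (the technique Symbiote uses) in /proc.

Constructed example for this post, not code from the Symbiote report. Library
paths and /proc contents below are made-up sample data.
"""
import os

# Directories a shared object is normally loaded from; anything else is worth a look.
# (Assumption: adjust for your distro, e.g. multiarch paths under /usr/lib are covered.)
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_ld_so_preload(text: str) -> list:
    """Return the library paths listed in /etc/ld.so.preload.

    ld.so treats '#' as a comment and accepts entries separated by whitespace
    or newlines, so an empty result means the file is clean (or hidden from us).
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.split())
    return libs


def parse_environ(raw: bytes) -> dict:
    """Parse /proc/<pid>/environ, which is a series of NUL-terminated KEY=VALUE records."""
    env = {}
    for record in raw.split(b"\0"):
        if b"=" in record:
            key, value = record.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_shared_objects(maps_text: str) -> list:
    """Unique file-backed .so mappings from /proc/<pid>/maps, in first-seen order.

    The sixth column is the path. A mapping whose file was unlinked after
    loading keeps the path with a '(deleted)' suffix, which we keep on purpose
    because a library that deletes itself after loading is a classic hiding trick.
    """
    seen = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing path
        path = fields[5]
        if ".so" in path and path not in seen:
            seen.append(path)
    return seen


def suspicious_objects(paths, trusted_dirs=TRUSTED_LIB_DIRS) -> list:
    """Shared objects loaded from outside trusted directories or unlinked from disk."""
    return [p for p in paths
            if p.endswith("(deleted)") or not p.startswith(trusted_dirs)]


def assess_process(environ_raw: bytes, maps_text: str) -> list:
    """Combine the per-process checks into a list of human-readable findings."""
    findings = []
    preload = parse_environ(environ_raw).get("LD_PRELOAD")
    if preload:
        findings.append("LD_PRELOAD set in environment: " + preload)
    for path in suspicious_objects(mapped_shared_objects(maps_text)):
        findings.append("unusual shared object mapped: " + path)
    return findings


def scan_live_system(proc="/proc") -> dict:
    """Run the checks against every readable process on this host (root sees all of /proc)."""
    results = {}
    try:
        with open("/etc/ld.so.preload") as fh:
            libs = parse_ld_so_preload(fh.read())
        if libs:
            results["/etc/ld.so.preload"] = ["preloads: " + p for p in libs]
    except FileNotFoundError:
        pass  # absent on a normal host
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        try:
            with open(f"{proc}/{pid}/environ", "rb") as fh:
                environ_raw = fh.read()
            with open(f"{proc}/{pid}/maps") as fh:
                maps_text = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # not ours to read, or it exited while we looked
        findings = assess_process(environ_raw, maps_text)
        if findings:
            results[pid] = findings
    return results


# Constructed sample data standing in for one infected process.
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 08:01 262401 /usr/bin/sleep
7f1c2a3b4000-7f1c2a3d6000 r--p 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a3d6000-7f1c2a3d8000 r-xp 00002000 08:01 131072 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a400000-7f1c2a402000 r-xp 00000000 00:19 4412 /dev/shm/libhook.so
7f1c2a410000-7f1c2a412000 r-xp 00000000 08:01 5531 /tmp/.x/libpcap.so.1 (deleted)
7ffd3c5e0000-7ffd3c601000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for finding in assess_process(SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(finding)
    for pid, findings in scan_live_system().items():
        print(pid, findings)
```

One caveat a responder should keep in mind: on a host where the hook library is already loaded, the opendir, readdir and fopen calls this script makes go through the same hooked libc, so a clean result is not proof of a clean machine. Run it from a statically linked interpreter, against a disk image mounted in a rescue environment, or cross-check its view against raw getdents64 and read syscalls; a mismatch between the two views is itself a strong indicator.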
Why it matters
Compared to malware targeting Microsoft Windows, malware targeting Linux is relatively uncommon. This strain, however, shows a level of stealth that makes it much harder to detect with the tools on the infected host itself. Fortunately, there are indicators of compromise (IOCs) that can reveal its presence, and multiple network signatures that monitoring tools can flag if an environment is compromised.
What they said
This malware may be stealthy, but it has caused a lot of noise.
Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel