Dragonbridge and more: first officer's blog - week 36

Dragonbridge, mobile application attacks, and more. Here are the latest stories from the world of cyber risk.

Mike Parkin | January 30, 2023

First Officer’s log, Terrestrial date, 20230130. Officer of the Deck reporting.  

Integrating the communications system on [REDACTED] was going according to plan. We had mission teams deployed to the major communications centers across the planet, working with the local specialists. 

Ultimately the challenge has been that the various systems, on a planetary scale, weren’t always showing the same data in the same way. Like many networks they’d grown organically over time, which meant different vendors from different worlds with different priorities and ways to communicate. The local teams in each region generally knew what they were seeing, but they were often seeing different things. 

Dealing with that was our specialty. As we brought their disparate systems together, helped them consolidate the data, and trained them on how to use it, we started to notice patterns emerging from the noise. This just confirmed the Minister of Communications’ suspicions that the events that had appeared random at first were anything but.

Something was definitely going on, but it was hard to isolate exactly what.   

Our team worked with the local specialists to, first, try and understand the data they had already gathered and, second, to get all of the different systems speaking the same language. Ultimately, to extract meaning from the seemingly random noise. 

It did confirm the Minister of Communications’ suspicion that the events weren’t entirely random. Once we had all the systems delivering coordinated data, we were able to extract some useful information and patterns from the noise. And what those patterns showed was that the lapses in communication coordination correlated with brief blackouts in their approach management systems. 

As individual incidents, they were just confusing, but with coordination a pattern started to emerge, and with that pattern a way to check and see if the suspicions panned out. To see if we were right, the captain ordered the [REDACTED] into a different orbit that would potentially prove our suspicions. 

Now, it was just a matter of waiting to see if the hunch was confirmed within the time we had. 

Yes, mobile devices can be a risk factor 

What happened 

Samsung has patched vulnerabilities in their Galaxy Store, the company-specific marketplace for Android applications that is standard on their Galaxy line of phones and tablets. Utilizing the vulnerability, a threat actor could install applications from the Galaxy Store onto a victim’s device without their authorization or knowledge. The vulnerability exists in devices running Android 12, while Android 13 devices are unaffected. 

Why it matters 

While mobile application vulnerabilities may not be a priority in a lot of organizations, they probably should be. With the shift to remote work during the pandemic being so pervasive, and people doing so much work from their mobile devices, the risk from mobile device vulnerabilities is real.

While this specific issue appears to be more of an annoyance than a serious threat, since an attacker would need to get their eventual payload onto the Galaxy Store, which is curated by Samsung, before exploiting the vulnerability, it’s still worthy of attention. Why? Well, when was the last time someone made sure the big touchscreen on the fridge in the breakroom was updated? You know. The Samsung one with the massive Galaxy tablet running Android and connected to the internet.  

What they said 

The mobile threat is real, and it’s thankfully getting some attention in the news.

Microsoft moves to get ahead of feature abuse. Again. 

What happened 

Microsoft has announced plans to block XLL files downloaded from the internet for all of their Office 365 customers. The move is being done to mitigate phishing attacks that utilize these files. Threat actors have a long history of using Microsoft Office files as an attack vector, abusing existing functionality for their malicious ends. This is another example of that “unintended use” abuse, and Microsoft reacting to it. 

Why it matters 

The announcement didn’t say exactly how Microsoft planned to implement this change: whether it was going to be a full block on downloading, stopping execution, or simply popping up an “Are you sure you want to do this? It might be dangerous.” warning is unclear. But they are reacting, which is a Good Thing™ for all involved.

Threat actors have been abusing functionality in Office docs for years and Microsoft wasn’t always quick to respond. The obvious challenge was that these were genuinely useful features that were being abused, and the users liked the functionality they delivered. That put MS in the difficult position of finding a way to prevent abuse while keeping the functionality their users expected. 

What they said 

This has gotten a lot of coverage, with the likes of Infosecurity Magazine and DarkReading addressing it.

Google vs Dragonball, no, wait, that’s Dragonbridge 

What happened 

Google has taken steps to shut down a misinformation operation known as Dragonbridge across multiple platforms. While the content was prolific, it was largely of low quality with no clear motivation and often little or no interaction. The Dragonbridge content was often pro-China with anti-US criticisms. 

Why it matters 

It is difficult to know the motivations behind the Dragonbridge activity. While it appears to be script-kiddie level stuff, it’s possible it is serving as a cover for something more subtle. A small group could programmatically generate all the traffic Google saw, but it is just as likely to be part of a larger state-sponsored program.

The sheer volume of Dragonbridge activity could be designed to waste Google’s resources, but there are other possibilities. For example, it could be part of a machine learning training system to identify ways to get past moderation and see what’s the most outrageous misinformation people will accept. 

And let’s not forget there are people out there who will believe some outrageous stuff. 

What they said 

There’s been plenty of (legitimate) coverage of this story.

And then we said things, about stuff 

What happened 

Vulcan’s Gal Gonen, Tal Morgenstern, and I did a BrightTalk presentation exploring Vulcan’s recently released 360° report covering risk trends from 2022 and what to expect in 2023.

Why it matters 

This stuff matters, and we rock, that’s why! But seriously, it was a chance for us to have a conversation about the trends we’ve seen and what we can expect to see going forward into 2023. If you have the time, I think it’s worth a view. And check out the report that inspired it. 

What we said 

You can watch the presentation here. 

