SH1MMER and more: first officer's blog - week 37

SH1MMER, malware-as-a-service, and more. Here's the roundup of the biggest stories in cyber risk from the past week.

Mike Parkin | February 06, 2023

With the USS [REDACTED] in a non-standard orbit, we took a few more steps to see if our hunch was correct. We’d already established the incidents coincided with short blackouts in the planetary approach management system but we knew there had to be more. There had to be something correlated with the blackouts, and the common thread turned out to be something we’d never normally be looking for. 

Conventional crime. 

In our role as a support ship, we were normally looking at issues with a world’s communication and computational infrastructure. Getting all the parts working together to deal with whatever threats they had to face. We rarely knew, or really cared, what the threat’s motives were. Our mission was to help the locals make the most of their resources, doing what we do best so they could do what they did best. They knew who their adversaries were a lot better than we did. 

But this one was a little different, in that after some digging, we found a correlation between the approach blackouts and the something more we were looking for. Namely, thefts from various archeological sites across the planet. 

[REDACTED] had been home to an advanced civilization that had passed a millennium or three before the first colonist had arrived. Over the years, exploring the ruins had become something of a cottage industry with tourism and research. The race that had lived on [REDACTED] wasn’t spacefaring, so the artifacts were more of a cultural curiosity than a technological one, but there was still a fair demand from collectors. The demand was especially high with off-world collectors, and none more so than the [REDACTED] who really had a thing for “objects of value.” 

Every time there’d been an incident, and the corresponding lapse of visibility into a particular area, there had been a theft in the same area. The theory was that a ship was coming into the blacked-out area, beaming a team down, doing the heist, then beaming them back out, and breaking orbit before anyone was the wiser. 

And that was what we saw. 

With the [REDACTED] in an orbit that let us react quickly, and the new management systems in place, the next time there was an incident we were able to isolate which part of the approach system was being affected. That let us maneuver into position and lock on to a small ship that had swooped into the blackout area to beam an away team to the surface. 

Only this time, we and the planetary authorities were ready. As the local law enforcement teams moved in to apprehend the away team, we locked on to the intruding ship with a tractor beam, which both held them in place and prevented them from beaming their away team back up from the surface.

All we had to do was hold them in place until a Frigate from the planetary authorities was able to join us and take control of the situation. 

Certainly not how we usually ended a mission, but it was an interesting change of pace. 

If ya’ got it, flaunt it, ‘cause you can get away with it 

What happened 

Threat actors offering Malware-as-a-Service have reached the point where the line between legitimate and malicious business models is nearly indistinguishable, as exemplified by a report on the DuckLogs cybergang in an article by Security Intelligence. Their user experience and range of services are on par with many professional SaaS offerings, indicating a level of maturity akin to a mainstream business.

Why it matters 

We’ve been saying for some time that cyber-criminal organizations have been borrowing liberally from legitimate business playbooks, and sometimes show a level of professionalism that can more than rival some commercial entities. What started with tech support hotlines to tell ransomware victims how to buy cryptocurrency has evolved to the point where they offer an entire range of à la carte services to their criminal, and probably state-level, clients.

That criminal organizations have matured to this point should be getting more attention from national Law Enforcement organizations than it seems to be receiving. The challenge, though, is getting cooperation when many of these criminal organizations operate out of areas that see them as more of an asset – at least as long as they’re not attacking their home turf.

What they said 

Criminal organizations improving their processes is always a conversation-starter.

Because, you know, students always follow the rules. 

What happened 

A tool known as “Shady Hacking 1nstrument Makes Machine Enrollment Retreat”, or SH1MMER, has been identified. It allows a threat actor with physical access to a Chromebook to unenroll it from its enterprise management system, effectively jailbreaking the device. SH1MMER’s user interface indicates it can reenroll compromised devices after the attacker has made whatever changes they desire to the device.

Managed Chromebooks are widely used in education, with many school districts providing them to their student body. 

Why it matters 

There is an old adage that goes “if I have physical access, I can p0wn anything.*” and this tool requires the attacker to have physical access to the device. It is effectively a creative abuse of the recovery process, or shim, that the authorized administrator would use themselves. Only this one allows anyone with physical access to do it.

The biggest worry with SH1MMER is probably a tech-savvy student using this to gain cred in their environment, or possibly to make some extra money, by jailbreaking their fellow students’ school-issued devices. There is some real risk to the environment, especially if it’s being used to deploy malware that could harm other students in the community. 

There is also a measurable risk for non-academic organizations, though these devices are not used extensively in most professional settings. Fortunately, it should be easy for administrators to contain the risk of SH1MMER by monitoring for unexpected unenrollment and doing some basic verifications to see that the devices aren’t running unauthorized applications or generating suspicious network traffic. 
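One way to act on that monitoring advice, as an added example that is not part of the original post: a small Python check that diffs two snapshots of a managed Chromebook inventory and flags devices that vanished, changed status, show a new enrollment timestamp (the re-enrollment SH1MMER advertises), or stopped syncing. The snapshots, field names and serial numbers are constructed for this example and are not taken from any real console export.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 2, 6, 12, 0, tzinfo=timezone.utc)

# Constructed inventory snapshots (earlier and later). The field names are
# assumed to resemble a device export; every value here is made up.
PREVIOUS = [
    {"serialNumber": "SN-0001", "status": "ACTIVE", "lastSync": "2023-02-05T09:00:00Z", "lastEnrollmentTime": "2022-08-20T10:00:00Z"},
    {"serialNumber": "SN-0002", "status": "ACTIVE", "lastSync": "2023-02-05T09:05:00Z", "lastEnrollmentTime": "2022-08-20T10:05:00Z"},
    {"serialNumber": "SN-0003", "status": "ACTIVE", "lastSync": "2023-02-05T09:10:00Z", "lastEnrollmentTime": "2022-08-20T10:10:00Z"},
    {"serialNumber": "SN-0004", "status": "ACTIVE", "lastSync": "2023-02-05T09:15:00Z", "lastEnrollmentTime": "2022-08-20T10:15:00Z"},
    {"serialNumber": "SN-0005", "status": "ACTIVE", "lastSync": "2023-01-28T09:20:00Z", "lastEnrollmentTime": "2022-08-20T10:20:00Z"},
]
CURRENT = [
    {"serialNumber": "SN-0001", "status": "ACTIVE", "lastSync": "2023-02-06T08:00:00Z", "lastEnrollmentTime": "2022-08-20T10:00:00Z"},
    # SN-0002 is gone from the managed inventory entirely (unenrolled)
    {"serialNumber": "SN-0003", "status": "ACTIVE", "lastSync": "2023-02-06T08:10:00Z", "lastEnrollmentTime": "2023-02-05T21:40:00Z"},  # re-enrolled overnight
    {"serialNumber": "SN-0004", "status": "DEPROVISIONED", "lastSync": "2023-02-05T09:15:00Z", "lastEnrollmentTime": "2022-08-20T10:15:00Z"},
    {"serialNumber": "SN-0005", "status": "ACTIVE", "lastSync": "2023-01-28T09:20:00Z", "lastEnrollmentTime": "2022-08-20T10:20:00Z"},
]
APPROVED = frozenset({"SN-0004"})  # serials with an admin ticket authorizing the change


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_unexpected_changes(previous, current, now=NOW, approved=APPROVED, stale_after=timedelta(days=3)):
    """Compare two snapshots; return (serial, reason) pairs that need a human look."""
    cur = {d["serialNumber"]: d for d in current}
    findings = []
    for old in previous:
        sn = old["serialNumber"]
        if sn in approved:  # change was expected, e.g. a device retired by IT
            continue
        new = cur.get(sn)
        if new is None:
            findings.append((sn, "disappeared from managed inventory"))
            continue
        if new["status"] != old["status"]:
            findings.append((sn, f"status changed {old['status']} -> {new['status']}"))
        if new["lastEnrollmentTime"] != old["lastEnrollmentTime"]:
            findings.append((sn, "enrollment timestamp changed (device was re-enrolled)"))
        if now - parse_ts(new["lastSync"]) > stale_after:
            findings.append((sn, "has not synced with management for more than 3 days"))
    return findings


if __name__ == "__main__":
    for serial, reason in find_unexpected_changes(PREVIOUS, CURRENT):
        print(serial, reason)
```

Serials returned by the check are the ones worth a follow-up look for unauthorized applications or odd network traffic, as the post suggests.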

What they said 

Unsurprisingly, SH1MMER is getting plenty of attention.

*: I’ve actually heard a 40-something penetration tester say “P0wned it!” after gaining access to a target system during an engagement. 

It’s still the users 

What happened 

A recent survey of IT professionals showed that a substantial number (77%) are concerned about a possible security breach sometime in the next three years. The main source of concern is their users, who remain the largest threat surface. 

Why it matters 

That so many IT decision-makers recognize the risk of a breach is ultimately a Good Thing™. It means they know the risk is real and the consequences that come with a breach are real. They’re also starting to recognize that the answer to “what’s the biggest risk factor in my organization?” has always been “your users.” Yes, there are a lot of other risks, but the users are the broadest and most diverse threat surface. 

The question is how best to mitigate the user risk along with managing all the other risk factors. A risk management tool like Vulcan Cyber can go a long way toward minimizing technical risks, and that’s where we do what we do. But I’m not sure there is a tool that can instill the required mindset. Training can help a lot, but a security-conscious culture takes more than just training. 

What they said 

With the survey results pretty significant, it’s no surprise to see this story getting people talking.




