The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good | CISA Launches Public Cyber Hygiene Campaign

This week, CISA launched “Secure Our World”, a new campaign aimed at improving everyone's digital security by promoting awareness of basic cyber hygiene.

As part of its wider Cybersecurity Awareness Program, the agency kicked off the campaign on Tuesday with a PSA promoting simple ways to protect against online threats, including avoiding phishing, using strong passwords, requiring MFA and updating software. Many cyber attacks, from individual scams to high-profile business compromises, involve taking advantage of users who failed one or more of these simple cyber hygiene tasks.

Increasing public awareness of cybersecurity is a mission that CISA is undertaking alongside the National Cyber Security Alliance. The campaign reflects the Biden administration’s wider U.S. cybersecurity policy to make structural reforms across public and private domains to better defend the nation against online attacks and cybercrime.

CISA Director Jen Easterly told the media that it was critical for everyone to take responsibility for keeping themselves safe online. While employers can and should do more to enforce cyber hygiene among their staff, CISA recognizes that getting the message across to the public at different levels is an important pillar of the nation’s digital security strategy.

The Bad | Threat Actor Hot Patches Enterprise Routers to Evade Detection

China-linked threat actors are compromising routers belonging to organizations in the U.S. and modifying the devices’ firmware in order to stay undetected. The attacks, also observed targeting Japanese firms, are attributed to a group CISA tracks as “BlackTech”.

According to a CISA advisory, BlackTech uses custom malware payloads and RATs (remote access trojans) to infect router operating systems, often deploying legitimate code-signing certificates stolen from vendors to help their malware sneak past security software.

After gaining access to a victim network and achieving administrator privileges on a router, the threat actors disable logging, make configuration changes, and modify the firmware for evasion and persistence. The actors first downgrade the device to an older, legitimate firmware image and then ‘hot patch’ it – modify it in memory – so that the signature checks that normally run on boot no longer reject tampered code. They then install a modified version of the firmware that contains a built-in SSH backdoor.

Post-compromise, the device is used to proxy traffic and pivot to other victims on the same network. Crucially, the compromise of such edge devices allows malicious traffic to easily blend in with legitimate corporate network traffic.
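Two of the behaviours described above, logging being switched off and the running firmware no longer matching a vendor-published image, are things a defender can check for directly. The following is an added example, not code from the original article or from CISA: it hashes a firmware image pulled from a device against a trusted reference and scans an IOS-style running configuration for logging that has been disabled or never pointed at a remote collector. The image bytes, the allowlist and the configuration text are all constructed stand-ins, and the indicator list is illustrative, so hits should be compared against the device's own baseline rather than treated as proof of compromise.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a known-good firmware image obtained from the vendor.
# A real check would read the image file and take the hash from the vendor's
# published checksum list.
TRUSTED_IMAGE = b"EXAMPLE-ROUTER-IMAGE-15.1\x00" * 64

# Constructed tampered copy: same image with a few bytes changed, standing in
# for an image that was modified to carry a backdoor.
TAMPERED_IMAGE = bytearray(TRUSTED_IMAGE)
TAMPERED_IMAGE[100:104] = b"\x90\x90\x90\x90"
TAMPERED_IMAGE = bytes(TAMPERED_IMAGE)

# Hypothetical allowlist entry: SHA-256 of the trusted image, in hex.
KNOWN_GOOD_SHA256 = hashlib.sha256(TRUSTED_IMAGE).hexdigest()

# Constructed running-config excerpts (IOS-style syntax) for the two cases.
SUSPECT_CONFIG = """\
!
hostname edge-rtr-01
no logging console
no logging monitor
no logging buffered
!
"""

BASELINE_CONFIG = """\
hostname edge-rtr-01
logging buffered 16384
logging host 10.0.0.5
"""


def firmware_hash_ok(image_bytes: bytes, expected_sha256_hex: str) -> bool:
    """Return True if the image hashes to the vendor-published SHA-256.

    Uses a constant-time comparison so the result does not leak how many
    leading hex digits matched."""
    actual = hashlib.sha256(image_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def logging_indicators(config_text: str) -> list[str]:
    """Flag configuration lines that reduce or remove logging.

    Two signals: explicit 'no logging ...' statements, and the absence of any
    remote syslog destination (local buffers vanish with the device)."""
    findings: list[str] = []
    has_remote_log = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("no logging"):
            findings.append(f"logging disabled: '{line}'")
        if re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", line):
            has_remote_log = True
    if not has_remote_log:
        findings.append("no remote syslog destination configured")
    return findings


def assess(image_bytes: bytes, expected_sha256_hex: str, config_text: str) -> dict:
    """Combine both checks into one verdict for a single device."""
    return {
        "firmware_ok": firmware_hash_ok(image_bytes, expected_sha256_hex),
        "findings": logging_indicators(config_text),
    }


if __name__ == "__main__":
    for label, image, cfg in (
        ("baseline device", TRUSTED_IMAGE, BASELINE_CONFIG),
        ("suspect device", TAMPERED_IMAGE, SUSPECT_CONFIG),
    ):
        result = assess(image, KNOWN_GOOD_SHA256, cfg)
        print(label, "firmware_ok =", result["firmware_ok"])
        for f in result["findings"]:
            print("  -", f)
```

The hash check only catches what was written to flash; firmware that has been patched in memory, as described above, will still hash correctly on disk, which is why the advisory pairs image verification with reviewing device configuration and behaviour rather than relying on either alone.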

[Figure: Top network device CVEs exploited by PRC state-sponsored cyber actors (Source: CISA)]

BlackTech has been active since 2010 and has been involved in breaches of government organizations as well as media, electronics, and telecommunications companies. CISA says the group has also attacked entities supporting the U.S. and Japanese militaries. A comprehensive list of mitigations can be found in the CISA advisory.

The Ugly | State Department Rues Reliance on Single Vendor After Leak of 60,000 Emails

A breach of U.S. government agencies through Microsoft Office 365, first reported in July, leaked some 60,000 emails from 10 State Department accounts, according to new information revealed this week. The Chinese state-linked attack compromised at least 25 organizations, but it appears that State Department staff working on Indo-Pacific diplomacy were specifically targeted.

New information about the attack was provided to Reuters from an unnamed Senate staffer who attended a briefing by State Department IT officials in the wake of the breach. Ten State Department accounts were compromised, nine of which belonged to victims working on East Asia and the Pacific and one to an individual working on Europe.

The breach and the new revelations have highlighted the inherent risk of relying on a single vendor to provide all IT services. Microsoft in particular has a history of software products with thousands of known vulnerabilities over the years, a situation complicated by the OS and office software vendor also acting as a security solutions provider.

In the wake of the attack, the State Department has begun moving to hybrid environments and diversifying its software stack to include multiple vendors in order to avoid a ‘single point of failure’ scenario in the future. Following the government’s own best practices, it has also improved uptake of MFA, according to Reuters.