Category: Tiberium Tuesday

Tiberium Tuesday

The Swords Of a Thousand Men

…and women, possibly children too, if you believe the papers.

Even if you had spent the last 2 months trekking across the Mongolian Steppe https://en.wikipedia.org/wiki/Mongolian%E2%80%93Manchurian_grassland avoiding what is left of the Horde https://www.sciencealert.com/scientists-finally-know-what-stopped-mongol-hordes-from-conquering-europe, you will surely have heard about the sublime breach of Government departments, large software companies, and possibly some big Internationals via a supply chain infection: the deployment of a backdoor in SolarWinds network management software which, after being automatically pushed out to SolarWinds customers, enabled a quite beautiful, almost perfectly executed large scale compromise exercise https://www.tiberium.io/an-ill-wind-from-the-east/.

As more information on the full attack cycle and scale emerges, together with the usual ‘wasn’t us’, ‘look over there’ shizzle, the plot thickens and becomes increasingly confusing.

This week we saw some pretty outrageous press headlines, many of which claimed that Microsoft’s (who were themselves breached, in some way, maybe, see below) “analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers.” https://www.theregister.com/2021/02/15/solarwinds_microsoft_fireeye_analysis/

What does that even mean? Well, let us have a think.

Clearly, the Nation State team executing the breach was not made up of 1000 developers. The personal experience of some of us at Tiberium is that this activity is typically executed by at least three small teams, very carefully managed. Perhaps an infiltration team (including at least some of the reconnaissance), an exploit team who use the initial infiltration and lateral infection to exfiltrate identified assets of the mark, and a cleanup team, who, you know, clean up.

Offensive procedures like this are used by security services the world over, and not just for cyber. Many probably go unnoticed. Being noticed is either a failure, a warning, or a sign of not giving a single foxtrot once the job is done. The Mossad assassination of Mahmoud al-Mabhouh, a senior Hamas commander, in a Dubai hotel room (using muscle relaxants and a pillow) by an eleven-strong team is a case in point: being caught on camera was, in that case, either not giving one or a warning, and it is even on YouTube https://www.youtube.com/watch?v=lyFwA1Teyfs.

Right, back to the subject. What Microsoft was probably trying to say is that at least a thousand developers were involved in not just the exploit, but in all the associated tooling, zero days, nifty little exploits (how we would like to see the library!), etc. And they are probably right.

What they also may be saying is that the Nation responsible for this has those resources. Step forward China https://en.wikipedia.org/wiki/Chinese_cyberwarfare# with just the 100,000 personnel https://www.theverge.com/2013/2/18/4003732/chinese-cyber-attacks-on-us-corporations-tied-to-army-base. Regular readers of this Blog (and others similar) will recall that we have always had a side bet on Chinese involvement from the outset, having seen the horde in action and trying to stop them in a David and Goliath scenario.

No surprise then, that this week Microsoft admitted that source code for some Azure components, Exchange and Intune were pilfered. No biggy! https://thehackernews.com/2021/02/solarwinds-hackers-stole-some-source.html. Seems much more reasonable if you know that over a thousand developers were behind it, doesn’t it, mwahahaha?

In the joint wash-up press conference of Microsoft and FireEye, Kevin Mandia revealed how his firm spotted the attack when an attempt at two-factor authentication raised suspicion:

“A FireEye employee was logging in, but the difference was our security staff looked at the login, and we noticed that individual had two phones registered to their name,” he said. “So our security employee called that person up, and we asked, ‘Hey, did you actually register a second device on our network?’ And our employee said, ‘No. It wasn’t, it wasn’t me.'”

Now, we really do not like to teach our grandmother to suck eggs, or anything else for that matter, but the very first SIEM/SOC deployment, which a number of us at Tiberium were responsible for way back in the day, in the heady days of 2009ish, when you could still buy a pint, omelette and chips for a fiver in The North Pole (the now closed pub https://londonist.com/pubs/the-north-pole, not the place), had a use case for exactly this.

Out of disaster comes opportunity in the security industry. It thrives on pain. Microsoft are already making Zero Trust overtures https://www.scmagazine.com/home/security-news/apts-cyberespionage/microsoft-wraps-solarwinds-probe-nudges-companies-toward-zero-trust/ joined by SASE vendors and blaggers https://www.scmagazine.com/perspectives/why-sase-makes-a-difference-for-security-teams-as-companies-move-to-the-cloud/ and we can all expect to be marching to this drum later in the year. More on this in future blogs.

As we gloated about above (sorry but it is true), Tiberium’s team has a wealth of real world experience. We have seen it, have the hoodies, the scars, and a slightly nervous disposition when it comes to Nation State activity.

Tiberium’s managed security service platform not only has a distillation of this experience, but it is also built to react automatically, not just give you the bad news after the horse has bolted. We would love to show it to you. https://www.tiberium.io/#contact

Just in case you were paying attention: what did the assailants do wrong? They decided to infect one of the world’s finest security forensics and investigation outfits, Mandiant, sorry, FireEye. It would be fair to say that it doesn’t look like the collar matches the cuffs, does it now?

In the words of the song https://www.youtube.com/watch?v=5AywIL5_eYM

When you hear our drums, hear them sound
We’re gonna fight until we have won this town
Hooray, hooray, hooray, yeah


Damned Details

We all know about patch Tuesday, the regular and often dreaded patches from Microsoft and other large vendors. Many of these patches are automagically deployed without testing, certainly in smaller organisations, and in the case of the recent SolarWinds snafu, large enterprises, large software companies, and critical government departments.


Cloudburst

A very long time ago, 2016 in fact, some of us spoke at or attended a security event which was themed on not letting a cloudburst rain on your parade, the premise being that leaping into Cloud deployment presented many risks including:

• Connectivity between legacy infrastructure and the Cloud
• Continuous management of the admin and configuration settings of a cloud environment
• The opportunity for security issues to be introduced by haste (Agile development for instance)
• The use of shared libraries and code without a full understanding of the resource set
• Development and production environments not effectively separated at all levels
• Wide open security controls between front/middle/back ends
• Lack of documentation or understanding of the entire system
• No security playbooks in the event of everything going the way of the pear (pear-shaped)


Don’t F**k With DemoCats

Before we get started this week, we would like to wish everyone well during these times of stress and turbulence. Of course, the hackers (mwahahaha) of the world have been preparing for lockdown nearly as much as the gamers since they realised that taking things apart is fun.


Announcement: We have big news!

This year is a huge year for Tiberium
I would personally like to thank Tiberium’s customers, partners, and colleagues who have supported the vision. You have put your cyber defence trust in us, and for that, we are humbled. We are growing fast, the year ahead will be like no other in my life.
Building trust takes time, and nothing establishes it faster than shared experiences working through an incident or rolling out cutting-edge services and problem-solving together. Over the past 15 years in this ever-evolving sector, I have seen vendors who have risen to be leaders by being honest, transparent, and sharing their expertise, and companies that have built respect, loyalty and success by doing the same. This is the foundation of Tiberium and the values we bring to the MSSP market.


WhatsApp Doc

Happy New Year from all of us at Tiberium!

As we plough head-long into 2021 with chaos everywhere, not least at the UK/European border and in the United States of America (curious isn’t it that the National Security machine of the USA didn’t anticipate a whiff of trouble at The Capitol or elsewhere from disturbed Trump supporters? They seem to have been well prepared for other recent protests!), the single biggest disruptive, difficult to manage and downright nasty issue has to be (for poorly prepared and/or managed countries at least) the lingering, deadly, Covid-19.


An Ill Wind From The East

The week before last we wrote about the announcement from FireEye claiming that a nation state with ‘top-tier offensive capabilities’ had stolen its stash of ‘Red Team assessment tools’.

The announcement raised more questions than it answered, however we were sure that with the impressive forensic capabilities of the former Mandiant part of FireEye, they would be right on it. We were also fairly sure that at the time they knew more than they were letting on and this appears to have been the case.


Burning Down The House

This week, none other than top-flight information security outfit FireEye announced that it had been hacked, claiming that a nation-state with ‘top-tier offensive capabilities’ had stolen its stash of ‘Red Team assessment tools’.


Had a CIT0 Day?

This is a story that doesn’t appear to be going anywhere soon, is very intriguing and most importantly seems to be the work of cat stroking, possibly Eastern European or Russian master criminals (mwahahaha), so we thought we would try our best to explain it. Here goes…
