Cyber Security: Oxymoron?
May 9, 2022
I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”
The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.
What caught my attention is this statement in the excellent write up:
One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.
I also noted:
“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”
With the core functionality of the Microsoft software and services the pivot on which the system and methods of the attacker pivot, what does this suggest about cyber security going forward?
My answer: There is an attack surface of significant scope. Plus, undetectable but for specialized analyses. The ball is in the hands of Microsoft. The bad actors just toss it around.
Stephen E Arnold, May 9, 2022