Anticipating Cyberattacks Too Hard

As per another Black Hat talk, this one given by a reporter:

“IT industry guilty of ‘lack of imagination’ in failure to anticipate cyber-attack evolution”

Kim Zetter gave a talk at Black Hat USA on August 11 about how the new attacks by cyber adversaries have caught the security community flat-footed.

Zetter told Black Hat USA: “[Operation Aurora] was a widespread espionage campaign by China that hit 34 companies and targeted source code repositories at Google, Adobe, and Juniper and included one of the first significant supply chain operations targeting the RSA seed repo, the engine for its multifactor authentication system.”

Zetter continued: “Aurora introduced the public to APTs [advanced persistent threats] and the growing capabilities of nation state hackers.

“The security community, which had largely been focused on cybercriminals until then, began to focus more on nation state actors and the sophisticated techniques that made the actions of cybercriminals feel kind of quaint [while] hacking operations became more aggressive and more consequential.”

After the Aurora attack, more major breaches followed (the DNC breach, NotPetya, and SolarWinds).

I have discussed the SolarWinds debacle before (the following is from my blog post):

  • Compromising multiple accounts within an environment and using each of those accounts for different functions to limit exposure,
  • Using a combination of Tor, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments,
  • Hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress, and
  • Using residential IP address ranges to authenticate to victim environments.

The CISA directive singles out the most commonly exploited vulnerabilities within a larger list of known exploited vulnerabilities, and some of those vulnerabilities are quite old.

The relevant list, updated as of today:

As we all know, the patch cycle is such that August 9 was Patch Tuesday for Microsoft, while other vendors released their August patches near that date: Apple, SAP, Google Chrome, and Palo Alto – 8/18.

Zimbra's was on August 11.

The problem with these patches is that the fixes have been in the works for some time now; for example, the Microsoft patch actually started on 5/10 (3 months ago):

https://nvd.nist.gov/vuln/detail/CVE-2022-26923 

Active Directory Domain Services Elevation of Privilege Vulnerability.

As I have mentioned before, by the time you are actually patching your devices, the patch has been around for at least 75 days (in this case it is 90). In the meantime, attackers are busy devising attacks that take advantage of this vulnerability, and everyone who has not patched yet remains vulnerable until the patch is installed.
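As an added example (not part of the original post), the patch-lag arithmetic above applied to entries in the shape of CISA's Known Exploited Vulnerabilities catalog, so the oldest unapplied fixes surface first. The entries and dates are constructed sample data, except that the 2022-05-10 fix date for CVE-2022-26923 is the one given in this post; the 75-day threshold is also the post's figure.

```python
from dataclasses import dataclass
from datetime import date

# Constructed entries in the shape of CISA's KEV JSON feed. The field names
# (cveID, vendorProject, product, dateAdded, dueDate) are the feed's; the
# values are sample data, not copied from the feed. The second id is a
# placeholder, not a real CVE.
SAMPLE_KEV = [
    {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft",
     "product": "Active Directory Domain Services",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleApp", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]

# Date the vendor fix became available (ISO strings). 2022-05-10 is the date
# the post gives for the Microsoft fix; the placeholder's date is constructed.
FIX_AVAILABLE = {"CVE-2022-26923": "2022-05-10",
                 "CVE-PLACEHOLDER-0001": "2021-09-01"}

@dataclass
class Exposure:
    cve_id: str
    days_fix_unapplied: int  # fix available -> patched (or -> as_of if unpatched)
    days_past_due: int       # days beyond CISA's dueDate; 0 if patched in time
    days_in_catalog: int     # how long CISA has listed it as exploited

def _d(iso):
    return date.fromisoformat(iso)

def exposure_report(kev, fix_dates, patched_on, as_of):
    """Rank KEV entries by how long their fix has sat unapplied.
    patched_on maps cveID -> ISO date the patch was applied; entries not in it
    are treated as still unpatched as of `as_of` (ISO date)."""
    today = _d(as_of)
    report = []
    for entry in kev:
        cve = entry["cveID"]
        end = _d(patched_on[cve]) if cve in patched_on else today
        report.append(Exposure(
            cve_id=cve,
            days_fix_unapplied=(end - _d(fix_dates[cve])).days,
            days_past_due=max(0, (end - _d(entry["dueDate"])).days),
            days_in_catalog=max(0, (today - _d(entry["dateAdded"])).days),
        ))
    return sorted(report, key=lambda e: e.days_fix_unapplied, reverse=True)

def needs_attention(report, max_days=75):
    """CVEs whose fix sat unapplied longer than max_days, or that are past due."""
    return [e.cve_id for e in report
            if e.days_fix_unapplied > max_days or e.days_past_due > 0]
```

Pointing `SAMPLE_KEV` at the parsed live feed and `patched_on` at your own deployment records turns this into a simple "how far behind are we" report.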

Here is an image to

In some sense we will always be behind the cyber attackers. This is due to the attacker's nimbleness and general creativity, whereas the defender has to protect all the marbles and thus seems constrained in their thinking.

Contact us to discuss

Check out my book to review the challenges within the cybersecurity industry.
