The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- CISA’s Krebs fired via tweet. US President Trump has fired Chris Krebs, Homeland Security’s top cyber official, who had publicly rejected allegations of election fraud peddled by the president.
- New Chinese state-sponsored hacking group. With more than 200 systems across Southeast Asia infected by the new group named FunnyDream, this feels less like a dream and more like a nightmare.
- In other news this week: new information on a global campaign exploiting the ZeroLogon vulnerability, a Firefox fix for a zero-day vulnerability, and Linux security back in the spotlight.
- Plus, informational spotlight: CMMC – what to expect if you hold a DoD government contract?
CISA’s Krebs fired for rejecting election fraud conspiracy theories
- US President Trump this week fired Christopher Krebs, director of the agency responsible for cyber security within the Department of Homeland Security. Krebs has been at the helm of the Cybersecurity and Infrastructure Security Agency (CISA) since November 2018 and is widely credited with making the agency a force to be reckoned with and an influential public sector body, building a strong public-private security partnership.
- The outgoing president’s action appears to be linked to Krebs’s refutation of theories alleging election fraud, widely touted by Trump and his supporters.
- Krebs promoted a statement via Twitter last week from a coalition of election officials and bodies, including CISA, that advised the public that “the November 3rd election was the most secure in American history.”
- CISA, under the auspices of Krebs, has been dedicating its efforts throughout the course of the election process to curtailing election misinformation, debunking election rumours via the website Rumor Control.
So what? The firing has come as little surprise – Krebs himself was reportedly stating in private last week that he expected to be fired by the president. Its impact on the future of CISA remains to be seen. The move is widely regarded as yet another example of President Trump replacing top officials with loyalists, as he continues to refuse to accept the results of the US presidential election.
Chinese state-sponsored hacking group FunnyDream responsible for infecting more than 200 systems
- A report published by security vendor Bitdefender has detailed that a new potential Advanced Persistent Threat (APT) group, which they have named FunnyDream, has been targeting Southeast Asian governments.
- The attacks have been happening over the last two years, infecting more than 200 systems in Malaysia, Taiwan, the Philippines, and Vietnam. The group is primarily interested in cyber-espionage, stealing confidential documents.
- The attacks predominantly followed a pattern of combining three malware payloads: Chinoxy, a backdoor used for initial access; PCShare, a remote access Trojan used to obtain information about the host; and FunnyDream, which collects information and exfiltrates it.
So what? Companies with a global footprint and operations in Southeast Asia should pay attention to this threat, particularly if they process significant amounts of sensitive information. While detecting APT beaconing activity may be beyond the capabilities of many companies, implementing a robust information classification process, supported by Data Loss Prevention (DLP) policies and rigorous reporting, is achievable. All sensitive information whose loss could negatively impact the business should be classified and protected with commensurate controls.
Linux security back in the spotlight
- On 17 November, Microsoft showcased its endpoint detection and response (EDR) capabilities for users of Linux operating systems running Microsoft Defender for Endpoint. The capacity to detect and alert on malicious activity in real time on Linux servers is a significant improvement for an underappreciated attack surface.
- From a threat actor’s perspective, Linux is a natural target, as it is often used by system administrators to manage enterprise networks, databases and web services. Threats already exist in this space: Tycoon ransomware, a sophisticated strain seen in attacks since December 2019, contains Java modules designed to target both Windows and Linux systems.
So what? A common theme we have observed during incident response cases is that a forgotten user account or network device is often the source of the infection. While ransomware and other attack strategies usually target Windows systems, Linux is often a critical operating system in complex enterprise environments. As threat actors continue to diversify and innovate their attack strategies, including by targeting Linux systems, security teams need to consider whether their Linux systems are adequately secured.
Firefighting a Zero-day: Firefox issues patch for vulnerability and new security features
- Popular web browser Firefox issued a patch to mitigate a zero-day vulnerability as part of its Firefox 83 release.
- The patch fixes CVE-2020-15999, a zero-day vulnerability identified by Google in October that affected Chrome and any other software using the FreeType font library, including Firefox. The vulnerability has been actively exploited in attacks and patching it is considered an urgent priority.
So what for security teams? CVE-2020-15999 received significant media attention because of the risk it posed to users of Google Chrome. However, the threat is just as pertinent to users of Firefox, because the vulnerability lies not in the browsers themselves but in the FreeType library that both use. It is therefore important to ensure that all Firefox installations are updated to Firefox 83 to prevent malicious exploitation of this vulnerability.
ZeroLogon vulnerability exploited in global campaign
- New information released by security researchers discloses details of a global campaign, reportedly conducted by Cicada, an allegedly China-backed threat group, that has started to exploit the ZeroLogon vulnerability CVE-2020-1472.
- Cicada has been pursuing the campaign since at least October 2019 and has recently added the capability to exploit the ZeroLogon vulnerability to their toolset. The threat group has reportedly been focusing their attacks on companies operating in the automotive, pharmaceutical, engineering, and managed service provider sectors.
So what for security teams? Although they are certainly not the only threat group exploiting the vulnerability, Cicada reportedly has significant resources and access to sophisticated tools and techniques that make the group especially dangerous. The ZeroLogon vulnerability was disclosed and patched by Microsoft in August this year and it is vital that organisations install the patch to protect themselves against the ongoing campaign.
CMMC - What to expect if you hold a US Department of Defense government contract?
Note on Cicada: also tracked as APT10, Stone Panda, and Cloud Hopper.