A call to standardize threat group naming
Last week, Microsoft’s security division announced changes to its name taxonomy for threat groups, moving from names of elements to a two-word scheme. It designed the system to use a weather-based term to indicate suspected country of origin, and whether it operated as a criminal enterprise or state-sponsored. Wired’s Andy Greenberg noted this now makes dangerous threat groups sound almost whimsical with names like Periwinkle Tempest, Pumpkin Sandstorm, and Seashell Blizzard. This joins common names for other threat groups used in the industry, like the Russian-military intelligence group often going by Fancy Bear. Sources in the industry says Microsoft’s new scheme not only requires updating threat databases, but also locks in national origin assumptions with no transparency about a level of confidence. Greenberg reiterated calls from Mandiant and others in the industry for NIST to come up with a consistent threat group designation for the industry.
Threat actors using new tool to disable EDR
Researchers at Sophos published a report detailing an undocumented “defense evasion tool” called AuKill. This effectively uses a Bring Your Own Vulnerable Driver attack on Process Explorer to disable endpoint detection and response processes. From there attacks deploy a backdoor or ransomware. Attackers used AuKill since the start of 2023 to launch Medusa Locker and LockBit ransomware, with six different AuKill variations seen in the wild. AuKill requires admin privileges to work, so it limits the utility of the attack to already significantly compromised organizations.
North Dakota turns to AI for cyber
In an interview with CSO Online, North Dakota’s chief information security officer, Michael Gregg, said the state is already using AI to assist in dealing with cybersecurity threats more efficiently. The state partnered with Palo Alto Networks on an autonomous security operations center, using machine learning to automate low-level security incidents. Gregg said his team dealt with 50,000 incidents last year, with roughly half related to phishing. The new system was trained on these low level phishing events and can now handle a large volume of them. Gregg says this leaves his analysts with more time for forensics, malware analysis, and red-team training.
Outdated WordPress plugin becomes a backdoor
Security researchers at Sucuri observed threat actors using the legitimate WordPress plugin Eval PHP to backdoor websites. Stats show this plugin used on over 8,000 sites, despite not being updated in over 11 years. The campaign spiked downloads, up from a handful per week to over 23,000 in the last week. The plugin allows admins to insert PHP code pages that’s executed when a post is opened in a browser. Malicious actors use this to launch a specified remote code execution backdoor. Since the plugin isn’t malicious in itself, it made it harder to identify.
And now a word from our sponsor, Tines
New “all-in-one” infostealer on the market
Researchers at Fortinet discovered a new modular infostealer malware available for sale on cybercrime forums. A company called Kodex developed the tool, which claims it’s intended for educational use. Researchers noticed a surge in usage of the tool last month, largely in Europe and the US. The malware can steal data from endpoints, record keystrokes, activate peripherals like webcams, and capture a screen. Generally its used as part of a phishing campaign as a malicious attachment. The tool is under active development, increasing its stability and adding new features. Fortinet issued a report on the Kodex tool including indicators of compromise.
Tomiris targets Asia for intel
A new report from Kaspersky found that the operators behind the backdoor Tomiris have been focusing operations on gather intelligence from Central Asia. The Russian-speaking threat actors seems focused on government and diplomatic targets, looking to steal internal documents. The group first appeared online in September 2021, potentially linked to the Nobelium group. The group uses spear-phising attacks using a variety of low-sophistication attack methods, repeatedly hammering the same targets. These attacks sometimes overlap with the Turla threat group, but show significant differences in tactics and sophistication. Researchers found the group very agile and open to experimentation with new attack methods.
Twitter verification somehow more confusing
Twitter appears to have reinstated some blue verification check marks to higher profile users. Many of those users claim they haven’t paid for a Twitter Blue subscription, and some of the accounts belong to deceased individuals. All checkmarks indicates these accounts paid for a Twitter Blue subscription. This isn’t consistent, and some previously verified accounts with millions of followers remain unchecked. CEO Elon Musk confirmed he “personally” paid for Blue on three accounts. The BBC also reports its Gold checkmark, used for company verification, was reinstated, but it didn’t pay for it. Variety reported that a fake Disney Junior account received a gold verification badge over the weekend. The account had a small number of followers and used a racial slur in its pinned tweet. Twitter subsequently suspended it after Variety reported the account to Disney.
Google Authenticator adds 2FA syncing
In the security versus convenience spectrum, Google took a big step toward the latter. It updated Google Authenticator to allow users to sync two-factor authentication codes with a Google account. Other authentication apps offer similar feature, and Google says it had been a top feature request. Google says this should make access to two-factor codes more durable and prevent service lockouts if a device is lost or stolen. As part of this major feature rollout, Google also refreshed the app logo.