Sean Kalinich

Using a famous idiom, it looks like the shoe is on the other foot as BreachForums has found themselves the victim of a data breach and release of data. The breach took place in November of 2022 and culminated with the arrest of one of the owners of the forum. The responsible parties were able to attack and exfiltrate data from the site including user information, IP addresses and internal messages sent between users and the forum.

Supply chain attacks are all the rage right now (although certainly not new). These attacks are part of what appears to be a multi-pronged shift in the threat landscape. While attacks on the endpoint and users are still happening, we are also seeing expanded efforts in targeting edge devices, networking equipment, and an increased focus on open-source repositories. Recently a new campaign was discovered that is leveraging open-source software supply chain attacks in an effort to target the banking sector.

After a recent attack on Federal Civilian Executive Branch (FCEB) agencies by an APT (Advanced Persistent Threat) group currently suspected of being a nation-state group from China (whew, that was a long start), it has come to the attention of some cloud researchers that these signing keys are not just useful for attacking Exchange Online. According to cloud security company Wiz, these MSA keys can be used to forge tokens for anything that relies on Microsoft Azure AD (Entra ID) identity services.

When I was in the military, one of the things that I noticed was a massive reluctance to create new and unusual scenarios for war games. Instead, we always seemed to train for the last major combat theater. When going to the National Training Center the OpFor (opposing force) team would just run circles around the visiting units. This is because they were always looking at new strategies, tactics, and logistical methods to support them. The visitors would come in with ideas that things would be the same as last time and just get their asses handed to them. There were rare occasions when the visiting units won, but they were the exception and not the rule.

One of the most frustrating things is to sit in on a C-Suite meeting and hear the lofty strategic goals presented for the company and for cybersecurity, only to have them torn to pieces when you explain what those goals will actually take and cost. The sticker shock that comes from understanding the moving pieces of a “Risk Intolerant” stance can be amusing, but in the end, it is more of an annoyance than anything. So, with that in mind, I am going to discuss how to break down strategic goals into realistic tactical and logistical steps. I will not be focusing on anything specific but will follow some common guidelines and practices that can help bridge the gap between ideals and reality. It might also help inform future strategic statements by understanding the moving pieces involved in making them.

One of the most commonly asked questions in cybersecurity is “where do I start?” This common question shows just how overwhelmed many organizations are when faced with the reality of the threats that are out there. From ransomware to business email compromise, the threat actors certainly seem to be ahead of the implementations when it comes to securing the data that organizations are responsible for. So where should an organization start when it comes to building or optimizing their cybersecurity program?

Last week Microsoft, the FBI, and CISA disclosed several attacks on Federal Civilian Executive Branch agencies and other targets of a campaign that appeared to be driven by a new threat group out of China. The attack was detected and tracked down using internal logging available to the GCC low-side tenants and with the help of Microsoft. Fortunately, GCC (Government Cloud Computing) Low Side is not supposed to contain or pass any classified information. It is intended to be used by government agencies and contractors that do not need or have authorization to access anything more than routine sensitive information. This does not reduce the seriousness of the attack, and it does raise the question of how well the tenants were secured by the cybersecurity teams involved, but at least nothing National Security related was compromised.

The UEFI (Unified Extensible Framework Interface) was the replacement for the old BIOS (Basic Input Output System). It was intended as an improvement to the underlying systems on a motherboard (also called a mainboard). The motherboard controls communication between all components connected to it, from CPUs, to memory, to GPUs, disk or solid-state drives, network cards… you get the picture. The old BIOS was limited and also susceptible to compromise in a number of rather simple ways. By moving to UEFI, systems could become more complex without potential hardware conflicts. The UEFI structure was also much faster than the BIOS system, meaning that as overall computing increased in speed, the underlying controls for the different components were up to the task.

It seems that an unnamed FCEB agency had their Outlook Web Access (Exchange Online) environment compromised by a new threat group that is currently being attributed to China. The attack and the group were disclosed by CISA and the FBI. With the detection of the FCEB email compromise, Microsoft also identified a much larger espionage campaign involving the newly identified group, which includes some 20+ organizations. The timing of the attack is concerning due to it coinciding with a recent NATO meeting.

If I have said it once, I have said it a thousand times; attackers are cunning. The adage that attackers are lazy has nothing to do with strategic, tactical, or technical knowledge. They understand the landscape and, in many cases, better than the organizations they are attacking do. Because of this deep understanding of their target environment, they also know to be on the lookout for special purpose entities. In this case we are talking about Security Researchers. Security researchers are a special target for attackers and when they can leverage an existing opportunity to target and potentially compromise them, they are going to take it.