Over the next two weeks, two of the largest cybersecurity conferences in the world will take place in Las Vegas: Black Hat and DEF CON.
That means product announcements, buzzwords and stories about “X smart appliance could burn your house down!” or something like that. Over the next two weeks, I’ll be using this space to catch readers up on the top stories, trends and talking points to come out of Hacker Summer Camp. If you’re on the ground in Vegas, follow along with us on Twitter to keep track of our talks and events.
To no one’s surprise, AI is likely going to be in the spotlight all week, especially generative AI. Many companies will use these tools to spin up new cybersecurity products and protections, and other researchers are sure to point out the potential security pitfalls of emerging technologies.
There is a dedicated full-day workshop to discuss holding generative AI accountable, including potential legislation that outlines how generative AI models are trained and using whose content. And AI Village at DEF CON is sure to turn up a slew of vulnerabilities in AI tools while highlighting how researchers can best disclose and help patch these security issues.
In the vein of “how to hack X” headlines that I mentioned before, Talos’ own Dan Mazzella is presenting research on how an attacker could take over some cars’ Android-based infotainment systems to steal user data.
Some of the systems used in Ford, Honda and GM cars could be exploited to steal data that is being transferred between the so-called “head unit” and a mobile device connected to the car, including text messages, contacts, photos and other private user information.
And as with everything nowadays, politics are sure to come into play. With the recent news that Kamala Harris is taking over as the Democratic Party’s likely nominee for the upcoming U.S. presidential election, experts and regulators are trying to figure out what a potential Harris presidency would mean for cybersecurity and AI policy.
Hackers are also hosting the year’s first cybersecurity-focused fundraiser for a presidential candidate with DEF CON organizers taking the lead on supporting Harris after she was supportive of the election security community in past years.
Other elections around the globe also have cybersecurity implications, as Black Hat’s keynote will cover with (among others) Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency. Disinformation and fake news are always swirling online about any political candidate, regardless of country, and AI and deepfakes have only worsened the problem.
And that’s before you get into any actual attempts to change votes or hack voting systems.
The one big thing
Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. These campaigns evade detection through obfuscation and updates. Talos researchers identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign.
Why do I care?
NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSupport for malicious purposes in 2017, and at this point, most security vendors classify this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in phishing and drive-by download campaigns, as well as alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. Thankfully, Snort can provide a strong defense before this malware reaches endpoints.
So now what?
In the first entry of our new series, “The Deep Dive with NDRT,” we dive into how our analysts craft protection against NetSupport RAT and the newest Snort rules to keep users safe from this threat.
A French Olympic site and cultural institution was targeted with a cyber attack over the weekend, though the effects appear to be limited. Security experts and Olympics organizers largely expected several efforts to try and disrupt the games. Despite false reports that adversaries had encrypted data belonging to the Grand Palais Réunion des musées nationaux, the venue said in a statement that as of Monday morning, “no data extraction has been detected.” The institution most famously oversees the Louvre, one of the most famous art museums in the world. Its venues hosted several Olympics-related exhibitions and events over the past week, including fencing and Taekwondo competitions. The attack appears to be attempted ransomware, though an investigation with ANSSI, France’s cybersecurity agency, is still underway. "This only concerns our internal network of shops, and not even the other activities of the RMN-Grand Palais. We immediately disconnected everything that was vital and called on the special state unit that deals with this type of problem, the French Computer Security Agency,” the Grand Palais director said in a statement after the attempted attack. (CyberScoop, Dark Reading)
A cyber attack knocked out Mobile Guardian, a U.K.-based mobile device management (MDM) platform. The attack largely affected students and schools in Singapore, where the Ministry of Education says thousands of students had their devices completely wiped. Mobile Guardian advertises itself as a cross-platform solution for K-12 schools to monitor and manage their devices. “Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator,” the Singaporean education ministry said in a statement. Adversaries appear to have unenrolled some targeted devices from Mobile Guardian’s platform and completely wiped them. The company said in a statement this week that the outage affected instances in North America, Europe and Singapore. The incident appears to stem from a misconfiguration that caused an IT outage on July 30. (TechCrunch, Bleeping Computer)
A ransomware attack on a blood donation non-profit forced many hospitals to tap into their emergency blood supplies and host last-minute drives. OneBlood, which supplies blood to many hospitals in the Southeastern U.S., was hit with a ransomware attack that forced most of its network offline. The non-profit had to switch to manual processes for several days, including printing its own labels and having donors fill out paper forms to donate blood, which delayed its usual supply chain to hospitals. Some health care facilities had to delay non-emergency procedures until the blood supply had returned to normal. Late last week, OneBlood told its more than 250 hospital partners to activate their critical blood shortage protocols, which included holding last-minute drives and calling for volunteers to donate blood as soon as possible. As of Wednesday, OneBlood says its software is returning to normal. The process was made even more difficult by Hurricane Debby, which moved through Florida and Georgia, dumping inches of rain and causing flooding in states that were heavily affected by OneBlood’s outage. (Axios, CBS News)
Defcon (Aug. 8 – 11)
Las Vegas, Nevada
BSides Krakow (Sept. 14)
Krakow, Poland
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
SHA 256: 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d
MD5: fd743b55d530e0468805de0e83758fe9
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: W32.File.MalParent
SHA 256: 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
MD5: 49ae44d48c8ff0ee1b23a310cb2ecf5a
Typical Filename: nYzVlQyRnQmDcXk
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
MD5: 200206279107f4a2bb1832e3fcd7d64c
Typical Filename: lsgkozfm.bat
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
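The hashes above are meant to be searched for, not just read. The following script is an added example written for this newsletter (it is not Talos or Cisco tooling): it loads the five SHA256/MD5 pairs from the table, hashes every file under a directory, and reports matches by detection name. The sample file it creates in `demo()` is constructed here and is benign; it only shares a typical filename with one of the entries, which is deliberately not enough to trigger a hit.

```python
"""Check local files against the prevalent-file hashes listed in this newsletter.

Added example, not Talos tooling. Hash values are copied from the table above;
the sample file written by demo() is constructed and harmless.
"""
import hashlib
import os
import tempfile

# (typical filename, detection name) keyed by lowercase hex digest.
# Both the SHA256 and the MD5 of each entry are indexed so a match on
# either digest is found; SHA256 is the one to trust, MD5 is kept only
# because many feeds still publish it.
IOCS = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507":
        ("VID001.exe", "Win.Worm.Coinminer::1201"),
    "2915b3f8b703eb744fc54c81f4a9c67f":
        ("VID001.exe", "Win.Worm.Coinminer::1201"),
    "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0":
        ("AAct.exe", "PUA.Win.Dropper.Generic::1201"),
    "8c69830a50fb85d8a794fa46643493b2":
        ("AAct.exe", "PUA.Win.Dropper.Generic::1201"),
    "161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d":
        ("KMSAuto Net.exe", "W32.File.MalParent"),
    "fd743b55d530e0468805de0e83758fe9":
        ("KMSAuto Net.exe", "W32.File.MalParent"),
    "24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe":
        ("nYzVlQyRnQmDcXk", "Win.Dropper.Scar::tpd"),
    "49ae44d48c8ff0ee1b23a310cb2ecf5a":
        ("nYzVlQyRnQmDcXk", "Win.Dropper.Scar::tpd"),
    "bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a":
        ("lsgkozfm.bat", "Win.Dropper.Scar::tpd"),
    "200206279107f4a2bb1832e3fcd7d64c":
        ("lsgkozfm.bat", "Win.Dropper.Scar::tpd"),
}

HEX = set("0123456789abcdef")


def validate_iocs(table=IOCS):
    """Return digests that are not 32 (MD5) or 64 (SHA256) lowercase hex chars.

    Copy/paste debris (a stray character, a truncated hash) would otherwise
    silently never match anything.
    """
    return [h for h in table if len(h) not in (32, 64) or not set(h) <= HEX]


def file_digests(path, chunk_size=1 << 20):
    """Stream a file once and return (sha256_hex, md5_hex)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def lookup(digest, table=IOCS):
    """Case-insensitive IOC lookup; returns (typical filename, detection) or None."""
    return table.get(digest.strip().lower())


def scan(root, table=IOCS):
    """Walk root and return [(path, sha256, detection name)] for matching files.

    Filenames are ignored on purpose: a file named VID001.exe is not evidence,
    its hash is.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = file_digests(path)
            except OSError:  # unreadable or vanished between listing and open
                continue
            hit = lookup(sha256, table) or lookup(md5, table)
            if hit:
                hits.append((path, sha256, hit[1]))
    return hits


def demo():
    """Scan a constructed directory: a benign file that only borrows a listed name."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "VID001.exe")  # constructed, not the real binary
        with open(sample, "wb") as fh:
            fh.write(b"MZ constructed sample for the added example\n")
        return scan(tmp)


if __name__ == "__main__":
    assert not validate_iocs(), "malformed IOC digest in table"
    print("hits in constructed directory:", demo())
```

Run it with a real directory via `scan("/path/to/downloads")`. `validate_iocs()` is the check worth keeping in any such script: an IOC table is only as good as its transcription, and a single extra character in a digest (exactly the kind of debris that creeps into copied hash lists) turns an indicator into dead weight without any error.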