Apple released a new update for nearly all its devices that provides an all-new type of encryption for its iMessages to the point that, in theory, iMessages are now protected against attacks from quantum computers.  

This is a little tricky because, as we’ve covered before, quantum computers don’t exist yet, and we don’t really know when they might. 

Apple’s newest encryption technology, called PQ3, now secures iMessages with end-to-end encryption that is quantum-resistant. Signal, the secure messaging app of choice for many, launched quantum-resistant encryption for its service in September with its protocol called PQXDH

In a blog post, Apple called this update the “most significant cryptographic security upgrade in iMessage history.” 

To the average user, it’s probably tough to fully understand what this means. Private companies and governments are still pouring billions of dollars into developing quantum computers, and it’s more of a theory than a reality. We still don’t know a lot about quantum computing, and whether it could eventually be deployed in a scalable and responsible manner. The second one is created, though, it’s a safe bet that it’s going to fall into the wrong hands. 

Having these protections in place now is a huge step toward the U.S. National Institutes of Standards and Technology’s goal of creating post-quantum encryption everywhere. But change, as we all know, is slow, and it’s too early to start celebrating the idea that we’re all safe from the downsides of quantum computing.  

Eventually, every service, product, etc. that relies on public key infrastructure like SSL and TLS will need to re-examine how they operate and start integrating quantum-resistant algorithms. Think about how long it’s taken our network infrastructure to move from IPv4 to IPv6, and how IPv4 still routes most of today’s internet traffic.  

Then, compare that to Apple and Signal, who get to roll out automatic updates to their users. It’s no guarantee that users are going to install these patches, but most will update their devices overnight without them even noticing, or they’ll just install the update to finally get the pop-up notifcation to go away. Others won’t have that same benefit. 

Deploying PQC to a messaging app is easy enough, next we’ll have to hope that vendors who support web browsers, email clients, wireless routers AND those messaging apps are all on the same page so we can hopefully avoid overwhelming IT teams when we do enter the age of quantum computing.  

The one big thing 

Cisco Talos researchers have uncovered new details about the tooling and command and control servers used by the Turla APT. The infamous Russian state-sponsored actors was recently spotted spreading the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. Talos also discovered the use of three other malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting. One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems. 

Why do I care? 

Turla is a well-known group that has most recently been seen targeting non-governmental organizations (NGOs) in Poland. Talos’ research found that Turla’s new backdoor code is different than its predecessors, which means defenders need to change up their detection methods, too. Our researchers partnered with Cert NGO, an incident response service in Poland, to disclose this information, so potential victims in Poland are now better protected and prepared for this activity.  

So now what? 

Talos has released new IOCs to provide defenders with new ways to block this actor. Turla also has tools for elevated process execution and credential harvesting, so ensuring that your organization utilizes the principle of least privilege can go a long way toward preventing these attacks. 

Top security headlines of the week 

The FBI and other international law enforcement agencies partnered to take down the LockBit ransomware gang’s leak site that it used to extort its victims. However, several days after the announcement, the group announced it was back online and launched what appears to be a new leak site. As part of the takedown effort, the agencies released new decryption software for victims of LockBit and arrested two suspected operators in Poland and Ukraine at the request of French authorities. The leak site’s page was replaced with information on the decryption key, press releases from the involved law enforcement agencies, charging documents and more. However, after the weekend, LockBit claimed it was back and invited affiliates to re-join its infrastructure. They even returned to extorting one of their current victims, Fulton County, Georgia. Representatives from the Fulton County government said on Monday that the group “re-established a site on the dark web and have once again listed Fulton County as one of their victims, with a renewed threat to release purportedly stolen data.” (CNN, SecurityWeek, WSB-TV

Microsoft expanded its free logging services last week to now provide offerings for all U.S. federal agencies. The move comes after Chinese state-sponsored actors stole a Microsoft signing key and used it to spy on the emails of U.S. lawmakers last year. Previously, the company charged its cloud services customers extra for access to security logs that could have detected these types of intrusions. Now, they’re available for free. It’s also increasing the default log retention period from 90 days to 180 days (the minimum that Cisco Talos Incident Response has recommended in the past) for logs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it worked with Microsoft, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) to roll this program out to select agencies over the past six months. CISA also released a new log management playbook for agencies that “provides further detail on each newly available log and how these logs can be used to support threat hunting and incident-response operations.” (CISA, CyberScoop

U.S. President Joe Biden signed an executive order on Wednesday designed to keep U.S. citizens’ personal information from being sold to companies and organizations in Russia and China, two of the U.S.’s largest opponents in cyberspace. The executive order identified so-called “countries of concern” where U.S. firms could face punishments for selling personal information to, even if it was collected legitimately. However, the enforcement mechanisms for this must be created and installed, which could take months or longer. The Biden administration hopes to limit foreign entities or foreign-controlled companies that operated in the U.S. from improperly collecting sensitive data. This data includes things like biometrics, health data and geolocation. American lawmakers have long expressed concern that data sold by brokers or even stolen in cyber attacks could be used to spy or blackmail sensitive targets in the U.S., such as government officials and military leaders. Data brokers are legal in the U.S. They usually collect and categorize personal information on users, usually building profiles on them that can be sold to advertisers, social media companies, and more for personalized targeting. (Associated Press, Bloomberg

Can’t get enough Talos? 

Upcoming events where you can find Talos 

BSides Sofia 2024 (March 23 - 24) 

Sofia, Bulgaria

S4x24 (March 24 - 27) 

Miami Beach, Florida 

To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine. 

RSA (May 6 - 9) 

San Francisco, California 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 
MD5: 93fefc3e88ffb78abb36365fa5cf857c 
Typical Filename: Wextract 
Claimed Product: Internet Explorer 
Detection Name: W32.File.MalParent 

SHA 256: 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc 
MD5: 4813fa6d610e180b097eae0ce636d2aa 
Typical Filename: xmrig.exe 
Claimed Product: XMRig 
Detection Name: Trojan.GenericKD.70491190 

SHA 256: a75004c0bf61a2300258d99660552d88bf4e1fe6edab188aad5ac207babcf421 
MD5: c44f8ef0bbaeee256bfb62561c2a17db 
Typical Filename: ggzokjcqkgcbqiaxoohw.exe 
Claimed Product: N/A  
Detection Name: Symmi:GenMalicious-tpd 

SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf 
MD5: 2cfc15cb15acc1ff2b2da65c790d7551 
Typical Filename: rcx4d83.tmp 
Claimed Product: N/A   
Detection Name: Win.Dropper.Pykspa::tpd 

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201