Welcome to this week’s edition of the Threat Source newsletter.
I recently stumbled upon news that the University of Texas at Austin is launching a new cybersecurity clinic run by faculty and students studying security and IT at the university. This clinic offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.
That news led me to another discovery: Clinics like these are actually more common than you’d think.
Though UT Austin’s clinic is one of the newest in the U.S., similar programs at the University of California, Berkeley and Indiana University have been running for more than four years. In 2021, several universities came together to form the Consortium of Cybersecurity Clinics, which today has 14 members operating clinics that offer the same kinds of free services.
Maybe this is old news to many readers, but it’s all new to me, and it also seems like a no-brainer.
The cybersecurity world is always discussing the skills gap and the high burnout rate among defenders, which together leave a shortage of security practitioners in the private and public sectors. Clinics like these can help close that gap by giving students hands-on training and experience they can eventually take into the field, while supporting the organizations most at risk of falling victim to a cyber attack. Small organizations lack the resources to build a security program, and if they are hit with ransomware, they are also more likely to do whatever returns them to “normal” as quickly as possible, which often means paying the ransom.
Universities have long used clinic methods to train future professionals in the medical and legal fields, so they already have the infrastructure and funding in place to support these types of programs.
Reading about these clinics reminded me of working at my collegiate newspaper. Although writing about a student government association isn’t as high stakes as trying to recover from a ransomware attack, I can confidently say that gaining real-world experience is far more valuable than anything you can learn in a classroom.
Working at the paper taught me to be a better communicator and to treat people fairly, and simply getting reps in made me a better writer overall.
I’m somehow already two years removed from going back to college for a cybersecurity education, but I would have relished the opportunity to work in a clinic like this as opposed to reading another textbook or going through one more coding exercise.
I’m assuming I’m not the only person late to the party on these clinics, so I only hope this serves as a PSA to someone that these options exist for students and organizations.
The one big thing
Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023. Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code in support of malicious activity, such as disabling anti-virus (AV) solutions or deploying malware payloads. The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments.
Why do I care?
The exploitation of this vulnerability has already affected many organizations across the globe, including the BBC, British Airways, the government of Nova Scotia and U.K. pharmacy chain Boots. This clearly has wide-reaching implications, and security researchers are already discovering other vulnerabilities in MOVEit, though those aren’t being exploited in the wild.
So now what?
Talos has a list of recommendations over on our blog that potential targets should take. First and foremost, though, users should implement the patch that Progress Software released for CVE-2023-34362. Additionally, Talos released new ClamAV signatures and Snort rules to detect and prevent the exploitation of the MOVEit vulnerabilities.
Top security headlines of the week
Microsoft identified that a group of actors connected to Russia’s GRU is behind a recent wave of cyber attacks against Ukrainian government agencies and information technology vendors. The same report linked this actor, now known as “Cadet Blizzard,” to a series of data-wiping attacks that took place right before Russia’s invasion of Ukraine last year. Cadet Blizzard also appears to target NATO member countries that are supporting Ukraine during the military conflict and sending aid to the country. The actor typically uses stolen credentials to gain access to targets’ internet-facing servers on the perimeter of their network. Then, it uses web shells to maintain persistence and carry out a variety of malicious actions. Outside of the wiper campaign in 2022, Cadet Blizzard is largely considered to be less successful than other GRU-connected threat actors. (Microsoft, Yahoo! News)
The U.S. Department of Justice is adding a new unit to its organization that will specifically focus on prosecuting state-sponsored threat groups and individuals behind cyber attacks. The new National Security Cyber Section will be on the same footing as the department’s three other sections that prosecute other types of crimes and terrorism. The new section is “positioned to act quickly as soon as the FBI or an [intelligence community] partner identifies a cyber enabled threat and we will be in a position to support investigations and disruption,” according to a news release from the Department of Justice. The Department of Justice has taken a harder stance against cyber attacks in recent months and has charged and arrested several high-profile threat actors during the Biden administration’s time in office. (Recorded Future, CyberScoop)
This week, U.S. President Joe Biden convened a group of AI experts and companies to discuss the dangers the new technologies pose to privacy, the U.S. economy and more. "My administration is committed to safeguarding America’s rights and safety, from protecting privacy to addressing bias and disinformation to making sure AI systems are safe before they are released," Biden said after the meeting. Vice President Kamala Harris is also expected to meet with civil rights leaders, consumer protection groups and AI experts to discuss the inherent biases in AI models and the rise of these technologies in mainstream culture. (NBC News, Politico)
Can’t get enough Talos?
- Talos Takes Ep. #143: The hidden threat to the software supply chain you may not be thinking about
- Threat Roundup (June 9 – 16, 2023)
- No Password Required: Threat Researcher at Cisco Talos and a Veteran of the Highest-Profile Cyber Incidents Who Roasts His Own Coffee Beans
- Cisco releases new security offerings at Cisco Live 2023
- Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
Upcoming events where you can find Talos
Black Hat (Aug. 5 - 10)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
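The hash list above is only useful if it gets run against something. Below is an added example of an IOC sweep, written for this page and not Talos tooling: it parses the newsletter's five-line records into lookup tables, hashes every regular file under a root once for both SHA-256 and MD5, and reports hash matches separately from weak filename-only hints. The IOC_TEXT string is copied verbatim from the list above; the directory and files created by demo() are constructed placeholders for illustration and contain no malware.

```python
"""Sweep a directory tree for the hashes in the newsletter's telemetry list.
Added example, not Talos tooling: IOC_TEXT is copied from the page; the files
that demo() writes are constructed placeholders, not malware."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, NamedTuple, Tuple

IOC_TEXT = """\
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
"""

Indicator = NamedTuple("Indicator", [("sha256", str), ("md5", str), ("filename", str), ("detection", str)])
# Index: lookups keyed by lower-cased sha256, md5 and filename, in that order.
Index = Tuple[Dict[str, Indicator], Dict[str, Indicator], Dict[str, Indicator]]
# Hit: (path, indicator, basis); basis "sha256"/"md5" is a match, "filename" a weak hint.
Hit = Tuple[str, Indicator, str]


def parse_iocs(text: str) -> List[Indicator]:
    """Each 'SHA 256:' line opens a record; records repeating a SHA-256 collapse."""
    blocks: List[Dict[str, str]] = []
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "SHA 256":
            blocks.append({})
        if sep and blocks:
            blocks[-1][key] = value
    unique: Dict[str, Indicator] = {}
    for b in blocks:
        ind = Indicator(b["SHA 256"].lower(), b.get("MD5", "").lower(),
                        b.get("Typical Filename", ""), b.get("Detection Name", ""))
        unique[ind.sha256] = ind
    return list(unique.values())


def build_index(iocs: List[Indicator]) -> Index:
    return ({i.sha256: i for i in iocs},
            {i.md5: i for i in iocs if i.md5},
            {i.filename.lower(): i for i in iocs if i.filename})


def digest_stream(chunks: Iterable[bytes]) -> Tuple[str, str]:
    """SHA-256 and MD5 hex digests computed in a single pass over the data."""
    h256, hmd5 = hashlib.sha256(), hashlib.md5()
    for block in chunks:
        h256.update(block)
        hmd5.update(block)
    return h256.hexdigest(), hmd5.hexdigest()


def sweep(root: str, idx: Index) -> List[Hit]:
    """Hash every regular file under root (directory symlinks are not followed);
    match by SHA-256 first, then MD5, then by listed filename as a weak hint."""
    by_sha, by_md5, by_name = idx
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, fifos, dangling links
                continue
            try:
                with open(path, "rb") as f:
                    s, m = digest_stream(iter(lambda: f.read(1 << 20), b""))
            except OSError:
                continue  # unreadable; a production sweep should log this
            if s in by_sha:
                hits.append((path, by_sha[s], "sha256"))
            elif m in by_md5:
                hits.append((path, by_md5[m], "md5"))
            elif name.lower() in by_name:
                hits.append((path, by_name[name.lower()], "filename"))
    return hits


def demo() -> List[Hit]:
    """Constructed tree: a benign note plus a placeholder that only reuses a
    listed filename, so the single expected result is a weak filename hint."""
    idx = build_index(parse_iocs(IOC_TEXT))
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AAct.exe"), "wb") as f:
            f.write(b"constructed placeholder, not the real binary")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"nothing to see here")
        return sweep(root, idx)
```

SHA-256 is checked before MD5 because MD5 collisions are cheap to manufacture, and the "Typical Filename" column is deliberately reported as a hint rather than a match: attackers rename freely, and names like mssqlsrv.exe or AAct.exe can also turn up on machines for unrelated reasons. A hash hit is worth triage on its own; a filename hint is a pivot for further checks. Note also that hashing files at rest says nothing about payloads that only ever lived in memory.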