At a glance.
- Actions against Chinese firms show US willingness to employ sanctions as a foreign policy tool.
- Iranian contractors run a side hustle.
- The Five Eyes offer guidance for detection and remediation.
Sanctions as a foreign policy tool.
The Wall Street Journal draws a lesson from the recent expansion of sanctions against Chinese companies administered by the Commerce Department: the US is increasingly willing to use sanctions as a tool of foreign policy rather than merely as a law enforcement tool.
Iran's apparent willingness to allow cyber contractors to profit in criminal markets.
CrowdStrike researchers have released a report on Pioneer Kitten (also known as “Fox Kitten” or “Parisite”), an Iranian threat actor believed to be a contractor providing cyberespionage support to the government of Iran. Last month Pioneer Kitten was observed in various black market souks offering to sell access to compromised networks. CrowdStrike thinks this represents an attempt on the group’s part at “revenue diversification.”
The researchers say Pioneer Kitten's operations are marked by "a pronounced reliance on exploits of remote external services," attacking targets' Internet-facing assets for initial access, and by "an almost total reliance on open-source tooling during operations." The group is especially interested in VPN and network appliance exploits, notably CVE-2019-11510 (Pulse Secure VPN), CVE-2019-19781 (Citrix ADC and Gateway), and most recently CVE-2020-5902 (F5 BIG-IP TMUI). CrowdStrike thinks this bent lends itself to opportunistic attacks. Finally, Pioneer Kitten relies on SSH tunneling, set up with the open-source tool Ngrok and a custom tool called SSHMinion, to communicate with its implants and to conduct hands-on-keyboard activity over Remote Desktop Protocol.
Pioneer Kitten’s espionage targets have for the most part been in Israel or North America. The sectors they’ve been seen hitting include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance, and retail. The network access they’re selling appears to be just bycatch of their espionage take, which is to be expected given the threat group’s opportunistic mode of operation. ZDNet observes that the biggest customers of such initial access brokers tend to be ransomware gangs.
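The tradecraft described above suggests two cheap detections a defender can run against existing logs: exploit attempts against the three appliance CVEs in web-server access logs, and DNS lookups for Ngrok tunnel endpoints. The following Python is an added example, not code from CrowdStrike's report or the Pioneer Kitten tooling. The appliance path segments and traversal tokens are assumptions drawn from the publicly documented proof-of-concept URIs for each CVE, the Ngrok domain list is an assumption, the log format is assumed to be Common Log Format for the web server and "timestamp client qname" for DNS, and all sample lines are constructed.

```python
"""Added example: flag Pioneer Kitten-style initial-access and tunneling indicators
in constructed web-server and DNS logs. Not CrowdStrike's code."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory-traversal tokens; "..;/" is the Java-servlet variant used against BIG-IP TMUI.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.;/")

# Appliance path segments paired with a traversal token. Assumption: taken from the
# publicly documented exploit URIs for each CVE, not from the CrowdStrike report.
APPLIANCE_PATHS = {
    "CVE-2019-11510": "/dana/html5acc/guacamole/",  # Pulse Secure VPN
    "CVE-2019-19781": "/vpns/",                     # Citrix ADC / Gateway
    "CVE-2020-5902": "/tmui/",                      # F5 BIG-IP TMUI
}

# Assumption: Ngrok tunnel endpoints; extend with any other relay services you see.
NGROK_DOMAINS = (".ngrok.io", ".ngrok.com")


def classify_request(uri):
    """Return the CVE label a request URI resembles, or None.
    Decodes twice so %252e-style double encoding does not bypass the traversal check."""
    decoded = unquote(unquote(uri)).lower()
    if not TRAVERSAL_RE.search(decoded):
        return None
    for cve, segment in APPLIANCE_PATHS.items():
        if segment in decoded:
            return cve
    return None


def scan_web_log(lines):
    """Group suspicious requests by source IP so repeated probing stands out."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cve = classify_request(m["uri"])
        if cve:
            hits[m["src"]].append((cve, m["uri"], int(m["status"])))
    return dict(hits)


def find_tunnel_lookups(dns_lines):
    """Flag internal clients resolving Ngrok domains (assumed 'timestamp client qname')."""
    found = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")
        if qname.endswith(NGROK_DOMAINS):
            found.append((parts[1], qname))
    return found


# Constructed sample lines: two exploit attempts per CVE-abusing host, plus benign noise.
WEB_LOG = [
    '203.0.113.7 - - [02/Sep/2020:10:01:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1820 "-" "python-requests/2.24"',
    '203.0.113.7 - - [02/Sep/2020:10:01:13 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.68.0"',
    '198.51.100.9 - - [02/Sep/2020:10:02:40 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Sep/2020:10:02:41 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [02/Sep/2020:10:03:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 7788 "-" "Mozilla/5.0"',
    '192.0.2.16 - - [02/Sep/2020:10:03:05 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

# Constructed DNS lines: one internal host reaching for Ngrok, one benign lookup.
DNS_LOG = [
    "2020-09-02T10:05:00Z 10.0.0.21 tunnel.ngrok.com",
    "2020-09-02T10:05:02Z 10.0.0.21 0.tcp.ngrok.io",
    "2020-09-02T10:05:03Z 10.0.0.22 update.microsoft.com",
]

if __name__ == "__main__":
    for src, events in scan_web_log(WEB_LOG).items():
        for cve, uri, status in events:
            print(f"{src}  {cve}  status={status}  {uri}")
    for client, qname in find_tunnel_lookups(DNS_LOG):
        print(f"{client} resolved tunnel endpoint {qname}")
```

The pairing of a traversal token with an appliance-specific path segment keeps the hit list short: a plain `/tmui/login.jsp` logon or a direct `/vpns/` portal request is not flagged, while the same path with `../` or `..;/` is. A 200 status on a flagged request is the line worth escalating, since it suggests the appliance actually returned the requested file.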
International cooperation as a way to establish deterrence in cyberspace.
An op-ed in Defense One argues that a "layered" deterrence strategy involving close cooperation among nations could put the fear of the law into cyberspace bad actors. The strategy would have three layers:
- "Shaping Behavior," with the prospect of takedowns and extradition.
- "Denying Benefits," which would prevent criminals from profiting from their activities.
- "Imposing Costs," that is, cooperation to facilitate prosecution of cybercriminals wherever they can be found.
The Five Eyes' guidance on detection and remediation.
The cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States have issued some guidance on how to detect and remediate cyber incidents. Alert (AA20-245A), "Technical Approaches to Uncovering and Remediating Malicious Activity," offers a brief compendium of best practices any organization might use. Of particular interest is its treatment of mistakes to avoid. Most such mistakes fall into one of two categories:
- "Modifying volatile data that could give a sense of what has been done; and
- "Tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware)."