27th April, 2023
Capita Ransomware Attack
Over 4% of Capita's infrastructure was exfiltrated by the BlackBasta ransomware group. The exfiltration took place one week before an outage that the threat-actor group caused in order to degrade Capita's availability. Capita itself handles almost £6.5 billion in value of government contracts and hosts multiple business units that operate at a national-security level, so this attack had the potential to leak important and sensitive information to a threat-actor group with nation-state sympathies. Telesoft is capable of monitoring customer infrastructure and helping to ensure the security of sensitive information, whilst also providing quick response and reporting times for data exfiltration.
New SLP Vulnerability Could Let Attackers Launch Incredibly Powerful DDoS Attacks
A new high-severity security vulnerability in the Service Location Protocol (SLP) could be used to launch volumetric denial-of-service attacks against targets. Researchers have found that over 2,000 organizations and 54,000 SLP instances are vulnerable, including popular devices such as Konica Minolta printers and Planex routers. Attackers can register a fake service and then spoof a request with the victim's IP as the source address, resulting in an amplification factor of up to 2,200. To mitigate the risk, users are advised to disable SLP or to filter traffic on UDP and TCP port 427. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of possible attacks using SLP to conduct high-amplification-factor DoS attacks. Preventative measures for these types of attack are at the core of a dedicated SOC team, which can detect denial-of-service attacks by monitoring network traffic for anomalies, unusual volumes of traffic from specific IPs and sudden spikes in overall network traffic.
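The two controls named above, filtering port 427 at the perimeter and watching traffic for reflection patterns, can be checked from ordinary flow telemetry. The following Python sketch is an added example, not code from Telesoft or from the SLP research; the comma-separated flow-record layout, the internal address range 10.0.0.0/8, the SLP host 10.0.0.5 and every sample record are constructed. It reports SLP servers that are reachable from outside the internal range (the exposure the advisory says to remove) and peers that receive far more SLP reply bytes than they send, which is what a spoofed victim looks like from the reflector's side of the network.

```python
"""Detection sketch for SLP (UDP/TCP 427) reflection abuse from flow records.

Added example, not code from the Telesoft article. The record format and all
sample values are constructed; INTERNAL_NETS is an assumed internal range.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SLP_PORT = 427
# Assumption: the organisation's own address space. Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed NetFlow-like records: src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
SAMPLE_RECORDS = [
    "10.0.0.20,50123,10.0.0.5,427,udp,60,1",        # normal internal query
    "10.0.0.5,427,10.0.0.20,50123,udp,120,1",       # normal reply
    "203.0.113.9,427,10.0.0.5,427,udp,70,2",        # tiny requests from outside...
    "10.0.0.5,427,203.0.113.9,427,udp,98000,70",    # ...answered with 98 kB of replies
    "198.51.100.4,40000,10.0.0.5,427,udp,60,1",     # external probe, small reply
    "10.0.0.5,427,198.51.100.4,40000,udp,600,1",
    "10.0.0.7,33000,10.0.0.5,427,tcp,200,3",        # TCP query, no reply seen
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record; raise on a malformed line rather than guess."""
    fields = [p.strip() for p in line.split(",")]
    if len(fields) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(fields[0], int(fields[1]), fields[2], int(fields[3]),
                fields[4].lower(), int(fields[5]), int(fields[6]))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def slp_peer_stats(flows: Iterable[Flow], slp_hosts: Set[str]) -> Dict[str, List[int]]:
    """Per peer: [bytes sent to an SLP server on 427, bytes received from it]."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for fl in flows:
        if fl.dst_ip in slp_hosts and fl.dst_port == SLP_PORT:
            stats[fl.src_ip][0] += fl.nbytes
        elif fl.src_ip in slp_hosts and fl.src_port == SLP_PORT:
            stats[fl.dst_ip][1] += fl.nbytes
    return dict(stats)


def amplification_suspects(flows: Iterable[Flow], slp_hosts: Set[str],
                           ratio_threshold: float = 10.0,
                           min_out_bytes: int = 10_000) -> Dict[str, float]:
    """Peers receiving many more SLP reply bytes than they send in requests.

    In a reflection attack the request source is the spoofed victim, so the
    ratio is computed per peer address; min_out_bytes suppresses noise from
    single probes that happen to get a slightly larger reply.
    """
    suspects: Dict[str, float] = {}
    for peer, (b_in, b_out) in slp_peer_stats(flows, slp_hosts).items():
        ratio = (b_out / b_in) if b_in else (float("inf") if b_out else 0.0)
        if b_out >= min_out_bytes and ratio >= ratio_threshold:
            suspects[peer] = round(ratio, 1)
    return suspects


def internet_exposed_slp(flows: Iterable[Flow], slp_hosts: Set[str]) -> Set[str]:
    """SLP servers that accept port-427 traffic from outside INTERNAL_NETS."""
    return {fl.dst_ip for fl in flows
            if fl.dst_ip in slp_hosts and fl.dst_port == SLP_PORT
            and not is_internal(fl.src_ip)}


if __name__ == "__main__":
    flows = [parse_flow(line) for line in SAMPLE_RECORDS]
    print("exposed SLP servers:", internet_exposed_slp(flows, {"10.0.0.5"}))
    print("amplification suspects:", amplification_suspects(flows, {"10.0.0.5"}))
```

The ratio is deliberately keyed on the peer that receives the replies rather than on any notion of "attacker", because the attacker's real address never appears in a spoofed reflection; the only observable is the victim being flooded. An SLP server appearing in the exposed set is the case the advisory addresses, and the fix is the one already stated: disable SLP on that host or filter 427 at the boundary.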
Trigona Ransomware and MS-SQL Servers
The Trigona ransomware is being found on poorly managed MS-SQL servers, which are vulnerable to brute-force and dictionary attacks. Before installing Trigona, the threat actors install CLR Shell, a type of CLR assembly malware that allows them to exploit privilege-escalation vulnerabilities and then perform malicious actions such as information gathering and user-account configuration. Afterwards, the Trigona ransomware is installed; it deletes volume shadow copies and disables the system recovery feature, making it impossible to recover from the ransomware infection. Mitigation for such attacks can include running frequent vulnerability scans, maintaining incident response plans, and using a SIEM and EDR to monitor for anomalous behaviour.
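The SIEM and EDR monitoring recommended above has two concrete hooks in the chain just described: the password-guessing against MS-SQL at the start, and the shadow-copy and recovery tampering at the end. The Python below is an added example, not code from Telesoft or from any Trigona analysis; the MS-SQL error-log lines are constructed approximations of the "Login failed for user" message format, the process-creation events are constructed, and the hostnames, IPs and thresholds are assumptions. It flags a client address that exceeds a failure count inside a sliding window, and separately flags command lines that delete shadow copies or turn off recovery, which together are the two signals a SOC would correlate for this pattern.

```python
"""Detection sketch for the MS-SQL brute force -> recovery-tampering chain.

Added example, not code from the Telesoft article. Log formats, hostnames,
addresses and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# MS-SQL error-log style line (constructed approximation):
# "<ts> Logon  Login failed for user '<user>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Command-line patterns for the backup/recovery tampering the article describes.
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.IGNORECASE),
]

SAMPLE_SQL_LOG = """\
2023-04-20 03:12:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 03:12:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2023-04-20 03:12:09.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2023-04-20 03:12:11.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2023-04-20 03:12:13.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2023-04-20 03:12:15.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2023-04-20 03:20:01.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.20]
2023-04-20 03:20:05.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.20]
"""

# Constructed EDR process-creation events: (host, command line)
SAMPLE_PROCESS_EVENTS = [
    ("sql01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("sql01", r"bcdedit.exe /set {default} recoveryenabled no"),
    ("sql01", r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("ws17", r"notepad.exe C:\Users\a\notes.txt"),
]


def brute_force_sources(lines: Iterable[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> Dict[str, datetime]:
    """Map client IP -> time of first alert for IPs with >= threshold failures in window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in lines:
        m = LOGIN_FAIL_RE.match(line)
        if not m:
            continue  # e.g. the "Error: 18456" line that precedes each failure
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts


def recovery_tampering(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, command line) events matching a recovery-tampering pattern."""
    return [(host, cmd) for host, cmd in events
            if any(p.search(cmd) for p in RECOVERY_TAMPER_PATTERNS)]


def findings(sql_log: str, events: Iterable[Tuple[str, str]]) -> List[str]:
    """Human-readable summary combining both detections for a SOC queue."""
    out = [f"brute force from {ip} (alert at {ts:%Y-%m-%d %H:%M:%S})"
           for ip, ts in brute_force_sources(sql_log.splitlines()).items()]
    out += [f"recovery tampering on {host}: {cmd}"
            for host, cmd in recovery_tampering(events)]
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_SQL_LOG, SAMPLE_PROCESS_EVENTS):
        print(f)
```

The sliding window is kept per client address rather than per account, because dictionary attacks rotate usernames; the `admin` attempt in the sample still counts towards the `203.0.113.9` total. The two benign `appuser` failures from `10.0.0.20` stay below the threshold, which is the kind of tuning a SIEM rule needs so that ordinary typos do not page anyone.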
AI and Cyber-Security, ChatGPT and CTF
Micah Lee, a renowned security technologist and privacy-focused journalist, recently published a captivating blog post titled "Capturing the Flag with GPT-4." In the post, Lee delves into how he used GPT-4 to generate a challenge for a Capture the Flag (CTF) competition. He walks readers through the process of creating a dataset and fine-tuning the model to generate realistic and challenging problems for the CTF. The post provides an insightful look at the potential applications of GPT-4 in the field of cyber-security and how it could be used for generating security assessments and identifying vulnerabilities. Lee's blog post is a fascinating read for anyone interested in the intersection of AI and cyber-security. GPT-4 may well prove a valuable tool as machine-learning capabilities advance. While machine learning and automation are increasingly used in cyber-security, a human-led dedicated SOC team can detect both known and unknown threats and offer a range of robust methods for detection and response.
The article can be found here: https://micahflee.com/2023/04/capturing-the-flag-with-gpt-4/