Threat Source newsletter (Sept. 15, 2022) — Why there is no one-stop-shop solution for protecting passwords

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

Public schools in the United States already rely on our teachers for so much — they have to be educators, occasional parental figures, nurses, safety officers, law enforcement and much more. Slowly, they’re having to add “IT admin” to their list of roles.

Educational institutions have increasingly become a target for ransomware attacks, an issue already highlighted this year by a major cyber attack on the combined Los Angeles school district in California that schools are still recovering from.

Teachers there reported that during the week of the attack, they couldn’t enter attendance, lost lesson plans and presentations, and had to scrap homework plans. Technology has become ever-present in classrooms, so any minimal disruption in a school’s network or software can throw pretty much everything off.

The last thing teachers need to worry about now is defending against a well-funded threat actor who may live thousands of miles away — but we’re not making it easy on them.

I asked my mom, who is a paraeducator for kindergarten students, about this, and she told me each of her students (keep in mind these are mostly 5- and 6-year-olds) has their own Chromebook that they bring to and from home and use for homework assignments. The elementary school she works at has more than 500 students enrolled across six grades, and yet there’s only one person for the whole school who acts as their overall IT and network administrator. That’s one person to manage 500-plus laptops and even more devices like iPads and smartboards as you get into the older grades. If many working adults still need to be educated about the dangers of cyber attacks or how to spot a spam text, how can we have the same expectations of kindergarteners?

I’m not saying this is a simple issue to fix — it would cost millions of dollars to invest in security infrastructure at schools across the U.S. and hire the necessary staff to manage these devices. But I do wonder if it’s a bridge too far for the burden we’re already placing on teachers.

Many of my friends who are educators are great teachers but would be far from computer experts, and I’m confident they’ve never thought about how secure the passwords that their students need to log into their laptops are.

The FBI released a warning last week that the Vice Society ransomware group has increasingly been targeting schools across the U.S. and expects those attacks to continue as the school year ramps up. In the advisory, they said, “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.” If that’s the case, what happens if one of these underfunded districts is hit by a cyber attack? Rather than spending the year trying to beef up their security or implement new policies, they’ll instead just have to use up all their time and resources recovering from the attack and returning to square one.

The teachers, IT admins and school leaders who are already stretched too thin will only be stretched further in the event of a cyber attack. So, before we start investing more money into getting technology into students’ hands in the classroom, it may be worth considering how those devices are meant to be protected and who will oversee protecting them.

The one big thing

Continuing our research into the well-known Lazarus Group, we have new details on a malware campaign with three different trojans targeting energy providers in the U.S., Canada and Japan. The newest malware is MagicRAT, which is deployed alongside two other RATs the Lazarus Group is known for. All three malware tools are being delivered via a targeted campaign that starts with the exploitation of the Log4j vulnerability in VMware Horizon.

Why do I care? As we outlined in the newsletter last week, anything the Lazarus Group does is not to be taken lightly. And it’s particularly notable since they are targeting energy suppliers, highlighting the dangers that critical infrastructure faces from state-sponsored threat actors. Our research also shows the Lazarus Group is continually updating its malware and finding new ways to avoid detection.

So now what? We’ve said this a thousand times already, but patch for Log4j in all software if you haven’t already, since this is the primary infection method used in this campaign. Talos also released several new solutions for Cisco Secure to detect and prevent the malware used in these attacks.

Top security headlines from the week

Twitter’s former head of security warned Congress about several potentially dangerous security practices at the social media giant. Peiter “Mudge” Zatko, one of the first “hackers” to enter mainstream culture, said in testimony that about 50 percent of Twitter’s employees could have access to sensitive user information, something he says he tried to prevent during his time at the company but was stopped. Zatko went as far as to directly tell U.S. Senators that their personal data could be at risk because of these practices, adding that the company is “misleading the public, lawmakers, regulators, and even its own board of directors.” The testimony came under additional scrutiny because of its potential influence on the ongoing battle regarding Elon Musk’s failed offer to buy Twitter. (Vox, Politico)

Montenegro’s government continues to grapple with a massive cyber attack, forcing many services offline at government offices and putting the country’s essential infrastructure, including banking, water and electrical power systems, at risk. Government officials stated that the attack resembles others from well-known Russian state-sponsored actors. The FBI even deployed a special cybersecurity team to the country to help with the recovery and remediation process. The Cuba ransomware group claimed responsibility for the attack, going as far as to say they created a special malware just for this campaign. Recent cyber attacks against NATO nations like Montenegro and Albania have raised questions around whether NATO’s Article 5 could be triggered over offensive cyber attacks. (Associated Press, NPR)

Apple released security updates for its mobile and desktop operating systems this week to patch zero-day vulnerabilities that attackers have actively exploited in the wild. CVE-2022-32917, according to Apple, could allow an attacker to execute arbitrary code with kernel privileges. This is the eighth zero-day vulnerability Apple disclosed this year. When updating iOS, users can upgrade to iOS 16, which also comes with several new security features. The new operating system includes a centralized privacy dashboard, safety checks for users who could be at risk of having their devices infected with spyware, and password-free logins on some sites. (9to5Mac, New York Times Wirecutter)

Can’t get enough Talos?

  • Energy providers hit by North Korea-linked Lazarus exploiting Log4j VMware vulnerabilities
  • Talos Takes Ep. #112: Back to school advice for teachers, students, parents, admins and everyone in between
  • North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies
  • Cisco Talos traps new Lazarus Group RAT
  • Microsoft Patch Tuesday for September 2022 — Snort rules and prominent vulnerabilities
  • Talos EMEA Monthly Threat Update: How do you know if cyber insurance is right for you?

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7
MD5: 0e4c49327e3be816022a233f844a5731
Typical Filename: aact.exe
Claimed Product: AAct x86
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos

