Threat Source newsletter (May 12, 2022) — Mandatory MFA adoption is great, but is it too late?

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Mandatory multi-factor authentication is all the rage nowadays. GitHub just announced that all contributors would have to enroll in MFA by 2023 to log into their accounts. And Google announced as part of World Password Day that it would soon be making MFA compulsory for all users.  

But is it too little, too late? 

Don’t get me wrong, MFA is one of the best first lines of defense for preventing a cyber attack or any other type of network intrusion. It comes up in pretty much every Talos blog post and Talos Takes episode I record.  

However, if we keep pushing off the deadline for making this step mandatory, it only gives attackers more time to catch up to us. Adversaries have already figured out ways to intercept MFA codes that are sent via SMS message, as. I talked about with Wendy Nather last year. 

And on the latest Beers with Talos episode, Nate Pors from Talos Incident Response talked about “prompt bombing” users, essentially annoying them to the point that they click “yes” on an MFA prompt and let a bad guy in.  

By the time MFA becomes mandatory on major sites and for some of our most important accounts on the internet, what other types of attacks will threat actors come up with to get around it. Already, one-time codes are starting to become out-of-fashion in favor of FIDO or certificate-based PKI authentication. Rather than adopting what should have been standard practice several years ago, is it time to start thinking about what the future of MFA is? 

It might be best for us to all look forward to zero-trust as our security future. It’s something the federal government is already looking at, but it goes without saying that things don’t happen quickly within the government at any level.  

In the meantime, everyone should work toward making MFA mandatory as quickly as possible. Yes, it can be a pain, but it will save many future headaches. If you do have MFA already, rely on app push notifications rather than SMS-based authentication. And, as always, user education is important. It should go without saying but tell users that unless they know they initiated an MFA push, they should never click on it. Even if it’s 3 a.m. 

The one big thing 

The MustangPanda threat actor is breaking with what many would think to be protocol, and recently started targeting Russian organizations. MustangPanda has long thought to be a Chinese state-sponsored actor. Thus far in Russia’s invasion of Ukraine, China has been slow to criticize Russia and hasn’t taken part in many of the Western-backed sanctions levied against Russia over the past few months. This seems to break MustangPanda’s attack pattern, but also illustrates that this longstanding actor isn’t going anywhere.  

Why do I care? 

Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia and pseudo allies such as Russia. By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft. 

So now what? 

We’ll keep following MustangPanda’s choice of targets, especially as a continued wave of big game hunting ransomware attacks continues. They’ve shown that pretty much no one is off limits. We have new Snort rules available to protect users against the download and execution of their signature PlugX malware, plus many other forms of protection against their attacks and known exploits.  

 

Other news of note

A critical vulnerability in F5’s BIG-IP software is being exploited actively in the wild, taking the security community by storm. BIG-IP is a line of appliances that act as load balancers, firewalls, and can inspect and encrypt data going in and out of networks. This particular vulnerability has a severity score of 9.8 out of 10, but what’s more notable is that there are more than 16,000 instances of this software discoverable online, and it’s used by some of the world’s largest companies. This software has a close proximity to network perimeters and often looks at the decrypted version of HTTPS-protected traffic, so if an attacker exploits this, it opens several avenues for further attacks.  (Talos blog, ZDNet, Ars Technica) 

Multiple Western governments publicly blamed Russian state-sponsored actors for launching a cyber attack against an American satellite communications company in the weeks leading up to Russia’s invasion of Ukraine. The E.U., U.K. and U.S. all released separate reports saying attackers hit the European networks belonging to Viasat, just as the invasion started on Feb. 24. A statement from the U.S. State Department said “The activity disabled very small aperture terminals in Ukraine and across Europe” that, “among other things, support wind turbines and provide Internet services to private citizens.” (State Department, NBC News) 

Microsoft released more than 70 vulnerabilities as part of its weekly security update. May’s Patch Tuesday includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows. There’s also a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver that affects the Windows self-hosted integration runtime service. Adobe also issued five security bulletins on Tuesday, covering 18 vulnerabilities across Adobe CloudFusion, InDesign, Character Animator, Framemaker and other software. However, none of these issues have been actively exploited in the wild, according to Adobe. (Talos blog, Adobe) 

Can’t get enough Talos? 

• Celebrating 20 years of ClamAV
• Bitter APT adds Bangladesh to their targets
• Vulnerability Spotlight: Vulnerability in Alyac antivirus program could stop virus scanning, cause denial of service
• Talos Incident Response added to German BSI Advanced Persistent Threat response list
• Threat Roundup for April 29 - May 6

Upcoming events where you can find Talos 

NorthSec 2022 (May 19 – 20, 2022)
Montreal, Canada 

REcon (June 3 – 5, 2022)
Montreal, Canada 

RSA 2022 (June 6 – 9, 2022)
San Francisco, California 

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.33515991  

SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426  
MD5: a841c3d335907ba5ec4c2e070be1df53  
Typical Filename: chip 1-click installer.exe  
Claimed Product: chip 1-click installer   
Detection Name: Win.Trojan.Generic::ptp.cam  

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201  

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
MD5: a087b2e6ec57b08c0d0750c60f96a74c  
Typical Filename: AAct.exe  
Claimed Product: N/A    
Detection Name: PUA.Win.Tool.Kmsauto::1201