While Chinese, North Korean, and Russian state-sponsored cyber threat activity has recently surged, MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has consistently targeted Israel and its allies with a barrage of cyberattacks since the onset of the Israeli-Hamas War. The threat group typically uses phishing campaigns, often sent from compromised business email accounts, to deploy legitimate Remote Management Tools (RMM) such as Screen Connect and Atera Agent. However, recent campaigns targeting Israel were observed delivering a new custom backdoor identified as BugSleep marking a notable change in TTPs. BugSleep appears to be in a perpetual development state, undergoing continuous improvement for functionality and bug fixes.
In addition, MuddyWater often uses Egnyte, a legitimate file-sharing service enabling organizations to conveniently share files via a web browser. They typically focus on specific sectors of interest, such as Israeli municipalities, airlines, travel agencies, and journalists; however, recent targets include the education, logistics, and healthcare sectors. Themes used in these campaigns include invitations to webinars and online courses allowing the threat actor to recycle the phishing template across different sectors and regions. The phishing emails are delivered to targets in the locally spoken language, though English is now used more frequently.
MuddyWater’s new infection chain. Image Source: Checkpoint
The malware can perform several commands to write, run, establish persistence, delete tasks, and other evasion techniques. One analyzed sample resulted in a custom loader that injects a shellcode to deliver BugSleep in-memory into specific processes. These processes include msedge.exe, opera.exe, chrome.exe, anydesk.exe, onedrive.exe, and powershell.exe, depending on whether they are already running. Cyberattacks using this new malware are targeting a wide range of global entities, with a particular focus on Israeli and Saudi Arabian targets. This Iranian threat group is highly active and has historically targeted various industry sectors worldwide, including telecommunications, government, IT services, and oil industry organizations. Over time, it has expanded its cyber-espionage operations to focus on governmental and defense institutions in Central and Southwest Asia, along with businesses in North America and Europe. Although MuddyWater is currently targeting Israel, the group often reuses newly developed and successfully tested malware to attack Western countries and Israeli allies.
Recommendations
Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.Keep systems up to date and apply patches after appropriate testing.Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.Implement email filtering solutions, such as spam filters, to help block messages.Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.
CRYSTALRAY, a newly discovered threat actor, utilizes multiple open-source software (OSS) to grow its credential stealing and cryptomining operations. Researchers first identified this threat actor in February by tracking their use of the OSS SSH-Snake penetration testing tool to exploit vulnerabilities in the Atlassian Confluence platform. CRYSTALRAY has since expanded its arsenal using OSS tools such as ASN, ZMap, Httpx, Nuclei, and Platypus. CRYSTALRAY has targeted over 1,800 IPs, which will likely continue to grow.
CRYSTALRAY takes advantage of a mix of legitimate and malicious OSS tools during its attack chain. Many of these tools are sourced from ProjectDiscovery, a security platform that produces tools used by defenders. They begin their attack with ASN to receive a complete account of open ports, known vulnerabilities, and a listing of both software and hardware utilized by the system. ASN’s other benefit is that it can discover this information without sending packets that could potentially alert a target to an upcoming attack. This activity is followed by the use of ZMap, which scans specified ports for vulnerable services. Httpx is used to verify if a domain is live, followed by Nuceli to identify exploitable weaknesses in the attack surface.
Once an exploit is discovered, CRYSTALRAY uses a public proof-of-concept exploit to drop its malicious payload. The payload is often Sliver, a red team framework that allows CRYSTALRAY to connect to a command and control (C2) network, or Platypus , a web-based manager that can handle up to 400 reverse shell sessions on a breached system. The threat actors use SSH-Snake to discover SSH keys and credentials, which are used for lateral movement. The stolen credentials, especially those associated with cloud platforms and software-as-a-service email platforms, are often sold in underground marketplaces for a profit. Additionally, CRYSTALRAY typically loads cryptominers into a victim’s system using the stolen resources for further profit.
Recommendations
Keep systems up to date and apply patches after appropriate testing.Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).Establish a continuous monitoring and audit process to monitor existing SSH keys.Maintain robust and up-to-date endpoint detection tools on every endpoint.Consider leveraging behavior-based detection tools rather than signature-based tools.Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.
Data and analytics are the foundation of successful AI deployment. Learn how to maximize the value of your AI by providing the right data using the data and analytics best practices in this Forrester report. Read the Predictions 2024: Data and Analytics report on the future of data and analytics in the AI era to: Explore five predictions about the future of data and analytics that’ll help you prepare for changes coming to the AI landscape.Learn how to optimize your data management strategy to ensure your org is ready to scale for generative AI data.Discover how improving data quality will enhance the accuracy of AI and machine learning models by 20% and improve decision-making.
Microsoft Security Virtual Training Day: Configure Security Operations Using Microsoft Sentinel Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Configure Security Operations Using Microsoft Sentinel to learn best practices for hunting, detecting, and investigating threats and managing incidents with Microsoft Sentinel. You’ll also learn how to deploy an instance efficiently and how to work with data connectors, analytic rules, and workbooks more effectively. You will have the opportunity to: Learn how to plan and configure a Microsoft Sentinel instance. See how to deploy and configure Microsoft Sentinel content hub solutions. Discover how to automatically search for threats across your infrastructure by creating Microsoft Sentinel analytics rules. Explore Microsoft AI capabilities. Join us at an upcoming Configure Security Operations Using Microsoft Sentinel event: Delivery Language: English Closed Captioning Language(s): English August 08, 2024 | 12:00 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada)August 22, 2024 | 12:00 PM – 5:15 PM | (GMT-05:00) Eastern Time (US & Canada)
Stay ahead of modern threats with new unified solutions Cybercriminals have embraced emerging technologies like AI as quickly as the rest of the world. In today’s rapidly evolving threat landscape, your Zero Trust strategy has become more essential than ever. In this blog, you’ll learn how to bolster your Zero Trust strategy with innovative solutions that’ll help you stay ready for changes to the threat landscape—like the tenfold increase in password attacks in 2023.1 Read the blog to learn: New approaches to Zero Trust that protect against emerging threats.How to proactively secure access to any application or resource from any location.How Microsoft helps organizations extend Zero Trust requirements to all endpoints, apps, and data. 1Microsoft Digital Defense Report 2023, Microsoft Threat Intelligence, October 2023.
This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Responsible Technology Adoption Unit (RTA), previously known as the Centre for Data Ethics and Innovation.
The last two posts in our series covered techniques for input privacy in privacy-preserving federated learning in the context of horizontally and vertically partitioned data. To build a complete privacy-preserving federated learning system, these techniques must be combined with an approach for output privacy, which limit how much can be learned about individuals in the training data after the model has been trained.
As described in the second part of our post on privacy attacks in federated learning, trained models can leak significant information about their training data—including whole images and text snippets.
Training with Differential Privacy
The strongest known form of output privacy is differential privacy. Differential privacy is…
In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) credentials, including those on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201.
SP 800-73-5: Parts 1–3 SP 800-73-5: Parts 1–3, Interfaces for Personal Identity Verification, describe the technical specifications for using PIV Cards. The three parts cover the PIV data model (Part 1), the card edge interface (Part 2), and the application programming interface (Part 3). Major changes to the documents include:
Removal of the previously deprecated CHUID authentication mechanism
Deprecation of the SYM-CAK and VIS authentication mechanisms
Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for facility access applications
Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
Addition of an optional Cardholder identifier in the PIV Authentication Certificate to identify a PIV credential holder to their PIV credential set issued during PIV eligibility
Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement
SP 800-78-5 SP 800-78-5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for the cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It has been modified to add additional algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing, including:
Deprecation of 3TDEA algorithms with identifier ‘00’ and ‘03’
Removal of the retired RNG from CAVP PIV component testing where applicable
Removal of retired FIPS 186-2 key generation from CAVP PIV component testing where applicable
Accommodation of the Secure Messaging Authentication key
Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031
ln the last two posts of our Privacy-Preserving Federated Learning (PPFL) blog series, we covered techniques for input privacy in PPFL in the context of horizontally and vertically partitioned data. However, to complete a PPFL system, these techniques must be combined with an approach for output privacy to limit what can be inferred about individuals after model training. Want to learn more about output privacy and training with differential privacy? Found out more in this new post, Protecting Trained Models in Privacy-Preserving Federated Learning!
Protecting Trained Models in Privacy-Preserving Federated Learning by Joseph Near and David Darais Read the post.
Ransomware is a very serious and increasingly common threat to organizations of all sizes, and it is particularly devastating to smaller organizations that have limited resources. A successful ransomware attack can stop your business in its tracks.
During this NIST small business cybersecurity webinar, we will convene a panel to highlight:
Common ways ransomware is delivered to businesses.
Challenges small businesses face with ransomware.
Common signs of a ransomware attack.
What steps to take if your business falls victim to a ransomware attack.
What role cyber liability insurance plays in ransomware risk management.
Steps small businesses can take, and free resources you can use, to reduce your likelihood of falling victim to ransomware.
Panelists:
Bill Fisher, Security Engineer, NIST
Nick Lozano, Director of Technology, The Council of Insurance Agents & Brokers
Stephanie Walker, Assistant Section Chief of the Cyber Engagement and Intelligence Section, Federal Bureau of Investigation (FBI)
Ann Westerheim, Ph.D. Founder and President, Ekaru
Moderator:
Daniel Eliot, Lead for Small Business Engagement, NIST
WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, will bring together multiple perspectives of PEC stakeholders. The three-day virtual workshop is organized for sharing insights about PEC capabilities, use cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy and auditability. The program will cover the following two themes:
Private Set Intersection (PSI): for a deep dive into this specific technique, exploring its technicalities, readiness, feasibility, applicability, variants, and broader context.
Other PEC techniques: Other PEC techniques: for a broader perspective of PEC (including FHE, MPC, and ZKP, and possible combinations with other privacy-enhancing technologies).