“Agent of Betrayal, FBI Spy Robert Hanssen” – with CBS’ Major Garrett and Friends
This episode of SpyCast is a recording of a recent program held at the International Spy Museum in collaboration with our friends at CBS/Paramount. To accompany their new podcast, “Agent of Betrayal,” we hosted a panel of experts to discuss the story and historical significance of the Robert Hanssen case. They discuss how an FBI agent sworn to protect America’s most precious secrets instead became a damaging and deadly mole.
The panel features Major Garrett, host of Agent of Betrayal; Dr. David L. Charney, the psychiatrist who met with Hanssen for a year after he went to jail; Dr. John F. Fox, Jr., FBI historian; and David Major, retired FBI Supervisory Special Agent and Spy Museum Advisory Board Member, who knew Hanssen as a colleague.
Microsoft deprecates Windows NTLM authentication protocol
Microsoft has officially deprecated NTLM authentication on Windows and Windows Server, stating that developers should transition to Kerberos or Negotiate authentication to avoid problems in the future. […]
Jennifer Addie, COO and CWO of VentureScope and the MACH37 Cyber Accelerator, sits down to share her story of bringing creativity into the cyber community. Growing up, Jennifer always loved the human side of things, and discovering that she had a knack for computers helped her realize what kind of field she wanted to pursue as an adult. She started out in programming, database administration, and product development, and it was in the design of those products that security emerged as a critical need in her thinking. She describes how she likes to engage with the people she works with on a personal level, always wondering where they came from and what drives their passion, and how that makes her a very interactive leader. Jennifer also believes that bringing creativity into the field is what helps her solve any kind of problem best, stating “I absolutely agree with the idea that, that creativity is far more than artistic capability. It is very much centered on problem solving and in fact, the master’s degree that I received in creativity focuses on creative problem solving as a process.” We thank Jennifer for sharing her story with us.
APT Hackers Exploiting Ivanti Connect Secure VPN New Zero-Day Flaw in the Wild
Attackers exploit zero-day flaws in VPN appliances because these vulnerabilities are unknown to the software vendor, so no patch is available when exploitation begins.
This is particularly valuable to threat actors seeking to take advantage of the growing reliance on VPNs (virtual private networks) for secure remote access.
Recently, cybersecurity researchers at Google’s Mandiant found that APT actors are actively exploiting a new zero-day flaw in Ivanti Connect Secure VPN appliances in the wild.
Ivanti Connect Secure VPN New Zero-Day Flaw
Security analysts at Ivanti disclosed the following two vulnerabilities affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances:
Successful exploitation of these vulnerabilities may lead to authentication bypass and command injection that enables network compromise.
Exploitation of these zero-days by UNC5221 began in December 2023; Ivanti, working with Mandiant, is addressing the issues and providing mitigations.
After exploiting the above-mentioned vulnerabilities, UNC5221 deployed custom malware on Connect Secure (CS) appliances by trojanizing legitimate files, while PySoxy and BusyBox enabled post-exploitation activity.
UNC5221 used a Perl script (sessionserver.pl) to remount read-only sections of the filesystem, and then deployed THINSPOOL, a shell-script dropper.
THINSPOOL writes the LIGHTWIRE web shell into a legitimate Connect Secure file, along with other tools.
Mandiant identifies THINSPOOL as a key tool for persistence and evasion in UNC5221’s attacks: it serves as the initial dropper for the LIGHTWIRE web shell, which supports post-exploitation activity.
The LIGHTWIRE and WIREFIRE web shells provide lightweight footholds for continued access to CS appliances, indicating an intent for targeted, long-term persistence.
Custom Malware Discovered
The custom malware discovered is listed below:
ZIPLINE Passive Backdoor
THINSPOOL Dropper
LIGHTWIRE Web Shells
WIREFIRE Web Shells
WARPWIRE Credential Harvester
Security analysts at Mandiant could not attribute this threat actor to a known group due to insufficient data. Targeting edge infrastructure with zero-days is nonetheless a familiar tactic, as Mandiant has previously observed APT actors using appliance-specific malware.
UNC5221 shows that network edge devices remain an attractive target for espionage actors: zero-day use, compromised appliances, and detection evasion are hallmarks of espionage operations.
Cybersecurity experts strongly recommend that users immediately apply the available security patches and mitigations to reduce exposure to threats like this.
IoCs (Source – Mandiant)