Exploding Devices Spark Changes

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report


In the wake of Israel’s spy agency Mossad exploding pagers and walkie-talkies in the hands of Hezbollah, Iran’s Revolutionary Guards Corps (IRGC) is no longer using any communication devices. Security officials in the organization are first inspecting all electronic devices to prevent similar attacks.

This is despite recent reports that Hezbollah checked the pagers and handed them out mere hours before the explosions.

The new, though temporary, measure is presenting difficulty as the 190,000-member IRGC has moved communication to other systems that it is not disclosing at this time. The IRGC is also ramping up scrutiny of members, especially those in mid and high-ranking positions.

The IRGC is an elite group formed in 1979 to protect the clerics at the top of the Islamic Republic. Today, they operate a network of ground forces, air force, and navy. Abroad, their Al Quds Force supports allied groups in the region, including Hezbollah in Lebanon, Hamas in Gaza, Houthis in Yemen, and various militias in Iraq.

The attacks last Tuesday killed 39 people and injured over 3,000. Israel has not denied or claimed responsibility for the attack.

For the IRGC and the Iranian government in general, the highest priority is protecting nuclear facilities and missile sites.

In other Iranian cybersecurity news, UNC1860 has been identified by Mandiant as an APT tied to the country’s Ministry of Intelligence and Security (MOIS). It operates by providing initial access for other state-backed groups (including Scarred Manticore and OilRig) by setting up passive implants and dropping backdoors.

It has created a wide range of tools—including Stayshante and Sasheyaway—that use undocumented system calls. Detection can be difficult because these passive implants do not initiate outbound communication.

For the most part, UNC1860 focuses on government and telecommunications systems.

The identification of this APT adds another dimension to the ongoing cyberbattlefield in the region—one currently characterized by exploding pagers and highly sophisticated hacking systems.


Another week, another cause for an election update—this time with both campaigns suffering cyber issues. For the Trump campaign, the hack it disclosed in August appears to be ongoing. An Iranian hacker going by “Robert” shared stolen non-public material from the campaign with media outlets including Politico, The Washington Post, and The New York Times. The outlets refused to publish it.

In messages to the newsletter Popular Information, “Robert” said that the operation is still going strong. As proof, the hacker sent a 271-page dossier vetting JD Vance as a Vice Presidential pick, as well as similar documents made for potential running mates North Dakota Governor Doug Burgum and Florida Senator Marco Rubio. “Robert” assured the newsletter that there was more where that came from.

In other election news, the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) briefed reporters (PDF) about the persistence of Russian, Iranian, and Chinese operations to sway the US presidential election.

The document gives examples, like claiming that “Russian influence actors were responsible for staging a video in which a woman claims she was the victim of a hit-and-run car accident by the Vice President and altering videos of the Vice President’s speeches.”

Along those same lines, a recent indictment alleges that Russia gave $10 million to a right-wing Tennessee media company to promote the country’s interests and sway the election’s outcome.

On Tuesday, a senior executive at CrowdStrike appeared before a US House of Representatives subcommittee and apologized for a software update in July that led to the largest global IT outage in history.

Senior Vice President of Counter Adversary Operations Adam Meyers answered questions from the Homeland Security Committee, describing a “perfect storm of issues” that led to the July 19th outage. The faulty update to the company’s Falcon Sensor endpoint protection software crashed systems across multiple industries, including airlines, hotels, banks, media, healthcare institutions, and even emergency services.

Chairman of the committee Representative Mark Green (R-TN) wrote a letter to CrowdStrike CEO George Kurtz in the immediate aftermath of the outage asking him to send someone to appear on Capitol Hill.

In his comments (PDF), Meyers reiterated the company’s regret, “We are deeply sorry this happened and we are determined to prevent this from happening again.”

He went on to say:
CrowdStrike’s Falcon platform is a cloud-native, AI-powered platform that protects customers with a combination of cloud (the CrowdStrike Security Cloud) and on-device security (the Falcon sensor). The CrowdStrike Security Cloud regularly communicates with Falcon sensors installed on customers’ endpoints, such as laptops, desktops, and servers. The Falcon sensor leverages AI, detection and prevention engines. The detection engine includes the ability to collect threat-related data by following a predefined set of configurations. New configurations are regularly sent to the sensor’s detection engine to help protect customers against emerging threats, such as malicious code, ransomware, and data breaches. These threat detection configurations are validated before being sent to the Falcon sensor. Upon receiving new configurations, the Falcon sensor follows a predefined set of rules to enhance detections.

On July 19, 2024, new threat detection configurations were validated through regular validation procedures and sent to sensors running on Microsoft Windows devices. However, the configurations were not understood by the Falcon sensor’s rules engine, leading affected sensors to malfunction until the problematic configurations were replaced.

AI-generated malware has been a major concern for a few years, and now, researchers have discovered an example of it being used in a phishing scam. In June of this year, HP found a phishing email posing as an invoice. If all went according to plan, an encrypted HTML attachment would then execute an AsyncRAT infostealer through a VBScript dropper. When looking more deeply, researchers found the structure, comments, and function names used in the coding pointed to AI.

Typically, malware carries no comments; stripping them is one of the ways its authors try to keep it obscure. This sample was also commented entirely in French, which is not the lingua franca of malware writers.

While GenAI is often used to create lures for malware operations, this is an example of it being used to create the payload itself. That reduces the barrier to entry dramatically for threat actors. We could potentially see it empower people who otherwise would not have the ability to create malware.

And because this code was delivered so naively—with comments intact—it appears that this was the case here. Someone created the dropper with GenAI and was not aware of what these kinds of programs typically look like.

There is, of course, no way to definitively prove the origin. But it is likely the best evidence we have that the age of AI-generated malware has arrived.

Interesting Read

It’s no secret that Microsoft has been prioritizing cybersecurity in 2024. Now, the company has launched the Secure Future Initiative (SFI), dedicating 34,000 full-time engineers to cybersecurity, the largest such effort in the company’s history.

The full report (PDF) on the move is well worth reading, highlighting just how massive this undertaking is.

Every employee is now evaluated on their security contributions, and recent improvements include enhancing access token security, eliminating inactive tenants, and centralizing physical network tracking.

Microsoft has introduced a "Start Right, Stay Right, and Get Right" framework for maintaining security standards across its projects and has formed a Cybersecurity Governance Council with 13 deputy CISOs. Additionally, personal access tokens have been shortened, and access to engineering systems has been reduced. The company enhanced protection through tools like the Azure Managed Hardware Security Module (HSM) and streamlined lifecycle management for apps and tenants. They also centralized inventory and logging systems, improving threat detection and response.

Microsoft now publishes CVEs for transparency, even when no customer action is required. To ensure long-term success, a security skills academy was created to train all employees.


Stay Safe, Stay Secure.

The CybersecurityHQ Team
