NCSC Threat Report Poster

NCSC Threat Report – 25th November 2022

PwC has published a report on the Iranian cyber security company Ravin Academy, against which the US authorities have recently issued sanctions.

The report details the likely links between Ravin and the Iranian actor MuddyWater (Yellow Nix), including the group’s exploitation of known vulnerabilities. Earlier this year the NCSC, CISA and other US partners attributed MuddyWater to the Iranian government in a joint advisory, which described how the actor has targeted government and commercial organisations globally.

Large organisations are encouraged to put in place the mitigations recommended in the advisory, which will help prevent compromise by a range of actors.

Microsoft report on attackers’ increasing use of token theft

The Microsoft Detection and Response Team (DART) has published a report describing the increased use of token compromise and replay against an identity that has already completed multi-factor authentication (MFA). This effectively ‘bypasses’ the MFA step, making it easier to carry out an attack.

With it also comes an increase in adversary-in-the-middle techniques used to steal tokens rather than passwords.

The report describes in detail how the attacks work and, crucially, how to mitigate and detect them. It recommends that organisations understand how their users are authenticating, and provides specific steps for managing staff who use unmanaged devices on their networks. The NCSC also has guidance on enterprise authentication: Enterprise authentication, and Authenticate and authorise everywhere.
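The token replay pattern described above, as an added example that is not code from the Microsoft report or from the NCSC: a small Python check over constructed sign-in records that flags a session token reused from an IP address other than the one at which MFA was completed. The record format, the field names and the trusted-network allowlist are assumptions; a real tenant's sign-in logs carry richer device and session identifiers that should be used in preference to IP alone.

```python
from ipaddress import ip_address, ip_network

# Constructed sign-in records (not from the report). Each record is one use of
# a session/refresh token ("token_id") by an account, with the client IP and
# whether an MFA challenge was completed during that request. Replay shows up
# as the same token_id appearing from a new IP without a fresh MFA step.
SAMPLE_EVENTS = [
    {"ts": "2022-11-20T09:00:00Z", "user": "alice", "token_id": "tok-1", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2022-11-20T09:05:00Z", "user": "alice", "token_id": "tok-1", "ip": "203.0.113.10", "mfa": False},
    {"ts": "2022-11-20T11:30:00Z", "user": "alice", "token_id": "tok-1", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2022-11-20T12:00:00Z", "user": "bob",   "token_id": "tok-2", "ip": "192.0.2.5",    "mfa": True},
    {"ts": "2022-11-20T12:10:00Z", "user": "bob",   "token_id": "tok-2", "ip": "192.0.2.9",    "mfa": False},
    {"ts": "2022-11-20T13:00:00Z", "user": "carol", "token_id": "tok-9", "ip": "203.0.113.77", "mfa": False},
]


def find_token_replay(events, trusted_nets=()):
    """Return alert records for tokens used from an IP other than the one that passed MFA.

    trusted_nets: CIDR strings (e.g. a corporate egress range) within which an IP
    change is treated as benign, e.g. a laptop moving between office subnets.
    """
    nets = [ip_network(n) for n in trusted_nets]
    origin = {}   # token_id -> IP at which the MFA challenge was completed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 timestamps sort lexically
        tid, ip = ev["token_id"], ev["ip"]
        if ev["mfa"]:
            origin[tid] = ip            # (re)anchor the token to where MFA happened
            continue
        first = origin.get(tid)
        if first is None:
            # A token we never saw issued: either log gap or a token minted elsewhere.
            alerts.append({**ev, "reason": "token used with no MFA sign-in on record"})
        elif ip != first and not any(ip_address(ip) in n for n in nets):
            alerts.append({**ev, "reason": f"token issued at {first} replayed from {ip}"})
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_EVENTS, trusted_nets=["192.0.2.0/24"]):
        print(alert["ts"], alert["user"], alert["token_id"], alert["reason"])
```

Run as-is it reports alice's token reappearing from 198.51.100.7 and carol's token with no MFA sign-in on record, while bob's move within the trusted range is suppressed.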

But Microsoft also emphasises the continued importance of MFA, which can still prevent the majority of attacks. The NCSC has guidance on MFA best practice for organisations: Multi-factor authentication for online services.

Google share YARA rules to help identify malicious Cobalt Strike use

Security researchers at Google have created and shared 165 YARA rules to help network defenders identify use of Cobalt Strike that may be malicious.

Attackers’ misuse of the penetration testing tool Cobalt Strike to gain unauthorised access to networks is well documented, but must be balanced against its legitimate use.

In its security blog, Google explains how researchers analysed the different versions in use to create a set of YARA rules that help network defenders identify the versions more likely to be used maliciously.

The NCSC also has guidance on logging and protective monitoring.
