shift change 01-19-2024

Welcome to your shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.

COLDRIVER at the weekly staff meeting

1. Google’s Threat Analysis Group says Russian APT COLDRIVER is evolving at the top of the Pyramid of Pain, moving from credential harvesting to delivering its first custom malware.

The Pyramid of Pain is an analytical framework for evaluating the value of indicators of compromise over time. At the top of the pyramid, the most “pain”-inducing indicators to change (and by implication the least likely to change—threat actors are rational even if you don’t understand their reasons, and they will avoid un-incentivized pain until properly incentivized) are the adversary’s tactics, techniques, and procedures. At the bottom of the pyramid are the easy-to-change, and so likely-to-change, indicators, like hash values, IP addresses, and domain names. A threat actor can change a hash with almost no effort, and changing an IP address or domain name is not much more time- or effort-intensive.

But moving from credential harvesting to socially-engineered malware delivery is a change at the top of the pyramid, and Google’s TAG says that is what they are observing in COLDRIVER’s activity.

Here’s how COLDRIVER gets the malware on target:

  • Send a non-malicious PDF asking the target to open/read/review the file.
  • The file, while non-malicious, appears encrypted—which hopefully gets the target to ask the sender for help to open/read/review the file.
  • The threat actor sends a link to a supposed decryption tool.
  • The target clicks the link for the “decryption tool” and is shown a decoy document, while custom COLDRIVER malware “SPICA” drops a backdoor on the system and waits for commands.

The TAG update provides hashes of the associated files, the C2 IP address, and a YARA rule for SPICA—which is fantastic. But—what does the pyramid tell us about hashes and IP addresses? Can we expect COLDRIVER to change those easy-to-change indicators, now that it has shown it has the incentive to change at the top of the pyramid as well?
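To make the pyramid’s point concrete, here is an added Python example (mine, not Google TAG’s and not part of the original post) that runs a constructed hash/IP/domain IoC list and a behavioral “lure attachment, then download, then execute” detection over two constructed event sequences: the campaign as first reported, and the same procedure after the actor rotates its easy-to-change indicators. All hashes, IPs and domains are placeholders, not real COLDRIVER or SPICA indicators.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "attachment", "link", "download", or "exec"
    sha256: str = ""     # constructed placeholder values below, not real IoCs
    ip: str = ""
    domain: str = ""


def atomic_hits(events, iocs):
    """Count events matching static IoCs (hash/IP/domain: bottom of the pyramid)."""
    return sum(
        1 for e in events
        if e.sha256 in iocs["hash"] or e.ip in iocs["ip"] or e.domain in iocs["domain"]
    )


def ttp_hit(events):
    """Behavioral detection of the lure chain (top of the pyramid): an attachment,
    then a download, then execution, in that order, with other events allowed between."""
    want = iter(["attachment", "download", "exec"])
    nxt = next(want)
    for e in events:
        if e.kind == nxt:
            nxt = next(want, None)
            if nxt is None:
                return True
    return False


def evaluate(events, iocs):
    return {"atomic": atomic_hits(events, iocs), "ttp": ttp_hit(events)}


# Constructed IoC list, standing in for what a TAG-style report publishes.
IOCS = {"hash": {"aaaa1111"}, "ip": {"203.0.113.10"}, "domain": {"decrypt-tool.example"}}

# Campaign as first reported (constructed): lure PDF, link, tool download, execution.
ORIGINAL = [
    Event("attachment", sha256="0000ffff"),
    Event("link", domain="decrypt-tool.example"),
    Event("download", sha256="aaaa1111", ip="203.0.113.10"),
    Event("exec", sha256="aaaa1111"),
]
# Same procedure after the actor rotates hash, IP and domain (constructed).
RETOOLED = [
    Event("attachment", sha256="0000fffe"),
    Event("link", domain="reader-update.example"),
    Event("download", sha256="bbbb2222", ip="198.51.100.7"),
    Event("exec", sha256="bbbb2222"),
]

if __name__ == "__main__":
    for name, campaign in (("original", ORIGINAL), ("retooled", RETOOLED)):
        print(name, evaluate(campaign, IOCS))
```

The static list catches the original campaign and nothing in the retooled one, while the behavioral check fires on both; that is the asymmetry the pyramid describes.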

And the most important question: what was the shift in incentive for COLDRIVER?

2. Friendly reminder that Macs have malware, and the myth they don’t is dangerous.

Mac hacks.

3. Privacy by design in Apple’s Vision Pro—how Apple tries to get off on a good foot with new tech.

You almost cannot tell it's Jack Nicholson, privacy-by-design ftw.

4. The Markup recommends: private browsing. I recommend a deeper dive into what private browsing does and does not offer, here. Mozilla notes that private browsing is not really private: it provides privacy from certain layers of the technology you are using (between you and your browser) and recommends further layers to cover (a VPN, to encrypt the data your internet service provider can otherwise see with ease). Security professionals talk about defense-in-depth; this is privacy-in-layers. It is also critical to understand what private or incognito browsing is even claiming to offer, as Google and its Chrome users continue to find out.

...absolutely not how that works.

## The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.