Cybersecurity Newsletter, October 19 - 25
Qrator Newsletter

Greetings within weekly news round-up! This Sunday, we are again looking at the relevant articles and researches published between October 19 and 25, 2020.

Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets

"Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers."

Ryuk in 5 Hours

"The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial phish. They used tools such as Cobalt Strike, AdFind, WMI, and PowerShell to accomplish their objective."

QAnon/8Chan Sites Briefly Knocked Offline,

And The Now-Defunct Firms Behind 8chan, QAnon 

"Some of the world’s largest Internet firms have taken steps to crack down on disinformation spread by QAnon conspiracy theorists and the hate-filled anonymous message board 8chan. But according to a California-based security researcher, those seeking to de-platform these communities may have overlooked a simple legal solution to that end: Both the Nevada-based web hosting company owned by 8chan’s current figurehead and the California firm that provides its sole connection to the Internet are defunct businesses in the eyes of their respective state regulators." - Brian Krebs.

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means

"You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when exposed to unintended parties? Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference." - Troy Hunt.

Penetration Testing and Low-Cost Freelancing

"I decided to run a little experiment to see how different the reports of different testers would be. I purposely created a vulnerable web application, and hired seven different freelancers to conduct penetration testing against it. I found this to be an excellent opportunity to evaluate the skills of freelancers that provide their services at an extremely low price in online marketplaces. While the cost of penetration testing can be pretty high (typically between $1,000 and $100,000+), these freelancers provide their security services for less than $100. Some of them claim to possess industry-accepted certificates, and I was curious to know the quality of their work, in particular when their services are reviewed positively by thousands of buyers."

Journeying into XDP: Augmenting the DNS

"In this post, we at NLnet Labs look at how eXpress Data Path (XDP) can augment existing DNS software. We share our experiences of implementing Response Rate Limiting in XDP."

AWS and their Billions in IPv4 addresses

"Earlier this week, I was doing some work on AWS and wanted to know what IP addresses were being used. Luckily for me, AWS publishes this all here When you go through this list, you’ll quickly see that AWS has a massive asset of IPv4 allocations. Just counting quickly I noticed a lot of big prefixes."

Lumen aka CenturyLink is generating routing incidents via former Level3 network, again

"AS203, belonging to what was formerly known as "Level3", acquired by "CenturyLink" in 2016, latter rebranded as "Lumen" in 2020, is a frequent visitor within the incident reports of the Qrator.Radar team. We are not here to blame anyone, but such occurrence of routing incidents for a single organization is worrying - we hope this article would help you to understand how even a small event could reach enormous impact with specific prerequisites met."

Trickbot—the for-hire botnet Microsoft attacked—is scrambling to stay alive

"In an update published on Tuesday, Microsoft Corporate VP for Security & Trust Tom Burt said the operation initially managed to take down 62 of the 69 servers Trickbot was known to be using to control its vast network of infected devices. Trickbot operators responded by quickly spinning up 59 new servers, and Microsoft was able to eliminate all of them except for one."

Papers of the week:

Looking Into the Eye of the Interplanetary Storm by BitDefender

"Some 9,000 devices—mostly running Android, but also the Linux and Darwin operating Systems—have been corralled into the Interplanetary Storm, the name given to a botnet whose chief purpose is creating a for-profit proxy service, likely for anonymous Internet use.
The finding is based on several pieces of evidence collected by researchers from security provider Bitdefender. The core piece of evidence is a series of six specialized nodes that are part of the management infrastructure." - ArsTechnica.

RFC 8937 - Randomness Improvements for Security Protocols

Repository of the week: 

MISP trainings, threat intel and information sharing training materials with source code


Thanks for reading!

For feedback or any suggestions, please write to us at