Les Bell and Associates Pty Ltd
Site blog
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Who Should Attempt the CISSP Exam?
I'm often asked who the CISSP certification is aimed at; my university students typically ask whether they should attempt the certification before or while in their first job, for example (almost certainly not, for the undergraduates - they usually could not meet the experience requirements, while some of the Masters students could).
Primarily, the CISSP is for those who are moving upwards from a technical background in one or a few of the CBK Domains (e.g. network security, security architecture, etc.) into a management or supervisory position where they will need to:
- utilise a broad understanding of the other domains, to which they may already have had some exposure
- supervise technical professionals across all or most domains
- understand how *all* aspects of security need to be covered in balance, and
- communicate - in *both* directions - with senior management, that is, not just advise management.
The last point is probably the key one. Communication to management will mainly involve translating technical assessments of threats, vulnerabilities, etc. into business risk which management can relate to their existing understanding of risk, and this is a key reason why cybersecurity risk assessment processes and risk matrices, etc. should be aligned with the existing risk management processes across the rest of the enterprise.
But it also works the other way: translating senior management business concerns and requirements into technical security requirements. Once managers understand the risks posed to the assets they own, in part due to the business processes they rely upon, it is up to them to decide the level of risk they will accept. This is a business decision, and not one that security professionals are equipped to make.
Although some of this operates at the level of C-suite and board concerns with governance and policy, some of it involves other managers' specific concerns with opportunities presented by new technologies (cloud, apps, machine learning, related privacy issues), etc. as well as managing risks associated with specific business processes or information assets as they change.
In any case, I have found a security governance and management course is of benefit to students and practitioners who are still in the early stages of their career. Many tend to focus tightly on their particular interests or immediate job concerns - typically penetration testing, which is always an attractive aspect of cybersecurity for novices (something I don't understand - long hours, lots of reverse engineering and disassembling code, keeping on top of the latest vulnerabilities and exploits; I'd burn out).
However, a governance and management course helps them put it all in perspective and realise a) that their particular role is far from the only one needed in any large enterprise, let alone the most important one, and b) how their role fits in and the factors which influence the demand for their services. It certainly rounds them out as a professional.
For undergraduate students in cybersecurity, governance, risk and management is sometimes offered as a third-year subject; it's usually found in Masters programs. But for those already in the workforce, or who have not completed a specialist cybersecurity degree, tackling the CISSP - whether by self-study or a course - is probably the best way to get a comprehensive overview of the other areas of the field, how they all fit together, and how they are managed.
All this leads me to conclude that, right now, the CISSP is not of value just to the CISO level, especially in larger enterprises.
A Look Inside the Bulgarian 'Virus Factory'
A fascinating read in The Guardian last week provides an insight into the minds of competitive young virus authors in Bulgaria in the 1980's. These were the heady days of virus development, where curiosity was the driving force, in a search for new techniques to infect the MS-DOS systems of the era. It was a kinder, gentler time, when the massive profits provided by ransomware had not yet become a factor.
Shapiro, Scott J, On the trail of the Dark Avenger: the most dangerous virus writer in the world, The Guardian, 9 May 2023. Available online at https://www.theguardian.com/news/2023/may/09/on-the-trail-of-the-dark-avenger-the-most-dangerous-virus-writer-in-the-world.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Lithium-Ion Battery Fires Increasingly Common
A CBS News report points to the rising incidence of fires caused by lithium-ion batteries, particularly in dangerous environments such as on board passenger aircraft. According to the CBS News investigation, the FAA verifies that the number of lithium-ion battery fires has jumped by over 42% in the last five years, and since 2021 there has been at least one such incident on a passenger plane somewhere in the US, on average, every week.
However, the article points to a common source of confusion - it is lax in making the important distinction between lithium batteries and lithium-ion batteries - the two terms are used apparently interchangeably in the article. The CISSP examination tests the candidate on physical and environmental security, including fire detection and suppression, and while I cannot say whether the exam question bank has any questions on this particular topic, the increasing prevalence of mobile devices which contain these batteries surely mean that it can only be a matter of time. So here's some key information from the Fire Detection and Suppression page of our CISSP Fast Track Review course wiki.
The first key point is to distinguish between the two types of battery:
- Lithium batteries are long-life, non-rechargeable batteries commonly used in wireless burglar alarm sensors, smoke detectors (usually in AA and AAA cell sizes), and in cameras, some remote controls and key fobs (usually in button-cell sizes such as CR-2032).
- Lithium-ion batteries are rechargeable batteries, commonly used in a variety of sizes and form factors, in mobile phones, tablets, laptops, Bluetooth earbuds and headphones, vapes and many other devices.
Let's dispose of (if you'll pardon the expression) the lithium batteries first. The first, and key, point is that lithium batteries are not rechargable and any attempt to recharge them may well start a fire. They will also overheat and may catch fire if short-circuited, or if exposed to water. In fact, lithium (like potassium) is a combustible metal that burns when exposed to air or even water - readers may remember high-school chemistry demonstrations in which a small pellet of potassium fizzes and burns when dropped into water - it is commonly stored in a jar of mineral oil as a safeguard, as is refined lithium metal.
Obviously, water therefore cannot be used as a suppressant for a lithium battery fire - in fact, adding water will result in a bigger fire - and so a large lithium battery fire should be tackled with a Type D (combustible metals) extinguisher. Unfortunately, these are not commonly found in office environments (yet?).
By contrast, a lithium-ion battery fire should be suppressed using a conventional ABC dry-powder extinguisher, although it may not be fully extinguished if thermal runaway continues. If one is available, a fire containment bag can also be used. Immersion in water may also be used - the battery may continue to burn, but the heat will be conducted away and the fire contained. In fact, it is not lithium that is the problem - it is the flammable electrolyte solution in the battery. Where the volume of Li-Ion batteries justify it - e.g. large quantities of Li-Ion batteries are stored in a warehouse - then a specialized F-500 Li-Ion Fire Extinguisher may be installed.
There are several causes of Li-Ion batteries fires. The first is mechanical damage to the battery - i.e. it is bent and broken, for example by being caught in the electrically-driven adjustment mechanisms of an aircraft seat. This is why airline staff warn passengers to ask for help in retrieving phones which have been lost in aircraft seats.
The second cause is a short-circuit, possibly caused by equipment failure, and the fix is to remove the battery from the device before thermal runaway starts. The third cause is overheating - this can be caused by laptop fan failure, an internal dust buildup or operating a laptop on a surface which blocks airflow. For phones, it can be as simple as using navigation functions, which continuously illuminate the screen, while the phone is in direct sunlight on top of a car dashboard.
The final cause is overcharging. Unlike the earlier nickel-cadmium (Ni-Cd) batteries, Li-Ion batteries are very sensitive to overcharging and require the correct charging circuit, which must provide overcharge protection. In general, laptop and cellphone or tablet batteries always contain a charging control circuit which deals with this, but small AA-size Li-Ion cells do not, and nor do some low-cost consumer devices and toys. These, in particular, should never be left to charge unattended, nor in a place where fire could rapidly take hold and spread, e.g. on top of soft furnishings or beneath fabric curtains.
Chase, The Best Fire Extinguisher for Lithium-Ion Batteries - 2022, Firefighter Inside, 2022. Available online at https://firefighterinsider.com/the-best-fire-extinguisher-for-lithium-ion-batteries/.
Martin, Neil, Seven things you need to know about lithium-ion battery safety, UNSW news release, 20 March 2023. Available online at https://newsroom.unsw.edu.au/news/science-tech/seven-things-you-need-know-about-lithium-ion-battery-safety.
Stock, Stephen, Amy Corral, Jose Sanchez and Dilcia Mercedes, Rising number of lithium battery incidents on airplanes worry pilots, flight attendants, CBS News, 8 May 2023. Available online at https://www.cbsnews.com/news/hazardous-materials-airplanes/.These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Insider Gets Six Years for Extortion Attempt
Developers and especially ecurity professionals are among the most highly privileged insiders in most enterprises, with both high levels of access to many, if not all, systems - including logging and monitoring systems, in the case of secrity pros - plus the skills to both use and abuse them. It makes sense, therefore, to monitor their actions, taking a close look at their activities from time to time, rather than simply assuming they are trustworthy. Because sometimes, it turns out, they aren't.
A case in point is that of Nickolas Sharp, who we reported on back in February. Sharp misused his admin privileges to access his employer's AWS and GitHub accounts, stealing gigabytes of confidential data. To cover his tracks, he changed the log retention policies, altered other files and used a Surfshark VPN service in a failed attempt to conceal his IP address.
Worse, once the breach was discovered, Sharp sent the company an extortion demand for BTC50 and when they refused to pay, he leaked some of the data. However, by now the FBI had raided his home, confiscated his laptop and amassed a lot of evidence but - determined to prove the truth of the old adage that when you're in a hole you should stop digging, Sharp then went on a PR campaign, posing as a whistleblower and causing his employer's stock price to fall by 20% - that's more than a $US4 billion drop in market capitalization.
Sharp eventually pleaded guilty back in February, and his sentence has now been handed down.
U.S. Attorney Damian Williams said: “Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe. He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack, extorting his employer for ransom, obstructing law enforcement, and spreading false news stories that harmed the company and anyone who invested into the company. Sharp now faces serious penalties for his callous crimes.”
US District Judge Katherine Polk Failla agreed, handing down a sentence of six years imprisonment, plus three years of supervised release. She also ordered Sharp to pay restitution of $US1,590,487 and to forfeit personal property used, or intended to be used, in connection with these offences. I don't think Sharp's pay in the prison laundry will allow his employer (coyly referred to as "Company-1" in the press release, but we all know who they are . . .) to ever see that $US1.5 million, though.
Biase, Nicholas, Former Employee Of Technology Company Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company For Ransom, press release, 10 May 2023. Available online at https://www.justice.gov/usao-sdny/pr/former-employee-technology-company-sentenced-six-years-prison-stealing-confidential.
CISA Issues Papercut Advisory
Last month we brought you news of two critical vulnerabilities, discovered by Trend Micro, in the Papercut print management software. Now, the US Cybersecurity and Infrastructure Security Agency and the FBI have released a joint Cybersecurity Advisory (CSA), providing details of active exploitation of CVE-2023-27350. The FBI observed malicious actors exploit CVE-2023-27350, starting in mid-April 2023 and continuing through the present. In early May 2023, FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers in the Education Facilities Subsector. The advisory further provides detection methods for exploitation and details known indicators of compromise (IOCs) related to the group’s activity.
Cybersecurity and Infrastructure Security Agency and FBI, Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG, Cybersecurity Advisory AA23-131A, 11 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Tutorial Covers Three Types of XSS Attack
A rather nice little piece from Trend Micro's DevOps Resource Center provides an introduction to the three types of cross-site scripting (XSS) attacks:
- Reflected cross-site scripting attack
- Stored cross-site scripting attack
- Document Object Model (DOM) cross-site scripting attack
Each of these works on the same basic principle: the threat actor inserts a malicious script into a web site - something that should be impossible if the site was performing rigorous sanitization of untrusted user input. When a victim visits the site, the script is triggered, usually downloading some malware which can then perform malicious actions on the victim's computer.
A good introduction for web developers, and about the right level of detail for CISSP exam candidates.
Trend Micro DevOps Resource Center, 3 Types of Cross-Site Scripting (XSS) Attacks, web page, 11 May 2023. Available online at https://www.trendmicro.com/en_us/devops/23/e/cross-site-scripting-xss-attacks.html.
Multiple Groups Target VMware ESXi With Ransomware
Researchers at SentinelLabs have identified 10 (yes, you read that right - ten) ransomware families, all based on the source code for Babuk, which was leaked in September 2021. Babuk was one of the earliest ransomware programs to target VMware ESXi, and when one of its developers leaked the source code for its different versions - a C++ version to attack Linux systems including ESXi, a Go language version for NAS devices and a C++ version for Windows - it allowed less skilled threat actors to adapt the code for use in their own campaigns
At first, few groups did this, however, although a few Windows derivatives did appear. But during the second half of 2022 and the beginning of 2023, things heated up, and SentinelLabs has now identified ten different ransomware families based on the Babuk source code, based on the reappearance of grammatically odd strings in the code, as well as similar file naming conventions.
SentinelLabs identified overlap between the Babuk code and ESXi lockers attributed to Conti and REvil, and also found they shared unique function name and features with the leaked Conti Windows locker source code. Apart from these two major ransomware players, smaller operators such as Ransom House's Mario have also made use of the Babuk code. This code reuse makes attribution of captured malware samples much more difficult.
The SentinelLabs report provides a full run-down of the various different derivatives, complete with comparisons of code segments. It is likely to be of most interest to malware analysts, but also provides some indicators of compromise.
Delamotte, Alex, Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers, blog post, 11 May 2023. Available online at https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/.
Concerns Ramp Up Over Supply Chain Attacks
The recent breach of motherboard manufacturer MSI, together with previous high-profile supply chain attacks such as SolarWinds, 3CX and others, has led to increasing concern on the part of CISO's. The Money Message ransomware gang has leaked private keys it obtained from MSI, allow malware developers to sign malicious firmware updates; if these could be inserted into the supply chain and pushed to customers, the result would be undetected very-low-level infections of millions of systems. Although there is no evidence that this has happened - so far - the possibility is concerning, if not alarming.
This concern is reflected in several recent surveys of security and IT professionals, and the message is clear: although the sky is not falling, we need to escalate efforts to secure the software supply chain.
Goodin, Dan, Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack, Ars Technica, 11 May 2023. Available online at https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/.
Roberts, Paul, The surveys speak: supply chain threats are freaking people out, The Security Ledger, 10 May 2023. Available online at https://securityledger.com/2023/05/the-surveys-speak-supply-chain-threats-are-freaking-people-out/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Five Eyes, NATO, Take Down Snake P2P Cyber-espionage Network
Multiple agencies around the Western world have announced the dismantling of a massive peer-to-peer spyware network which has been operated for the last 20 years by the Russian FSB (Federal Security Service). The Snake malware was operated by the FSB's Center 16, better known as the APT group Turla or Venomous Bear, and has been detected in over 50 countries across North and South America, Europe, Africa, Asia and Australia, infecting systems in education, media and small businesses to act as relay nodes for encrypted traffic while the main targets for information-gathering implants were government networks, research facilities and journalists as well as some critical infrastructure sectors (government, financial services, critical manufacturing and telecommunications).
Snake is probably the most sophisticated cyber-espionage tool in the FSB's arsenal; it is extremely stealthy - both in the way it infects systems and in its obfuscated communications - and has an extremely elegant modular architecture which allows development and interoperability of new and updated components across multiple operating system platforms. It also demonstrates high-quality software engineering design and implementation, containing surprisingly few bugs given its complexity.
Development of Snake began in late 2003, with initial operations conducted in 2004; its initial name, "Urobouros", is particularly appropriate as since then it has undergone many cycles of redevelopment and upgrade. It is run from an FSB facility in Ryazan, Russia - as indicated by activity increasing during working hours there - as well as from an FSB Center 16-occupied building in Moscow. Over the last 20 years, however, various agencies have been monitoring its operations and collecting samples and have seen it evolve and spin off a range of other implants and related tools such as Carbon (a.k.a. Cobra) and another implant called ComRAT or Chinch.
As cybersecurity and incident response companies have reported on Snake's tactics, techniques and procedures (TTP's), so its developers have implemented new techniques to evade detection, such as fragmenting and encrypting its network traffic, making it challenging for intrusion detection systems - both host- and network-based - to spot.
The FSB operators typically obtain initial access to external-facing infrastructure nodes on a network, and from there pivot to the internal network, using other tools and TTP's to conduct additional exploitation operations. After establishing a foothold on a target network, they typically enumerate the network and use a variety of tools such as keyloggers and network sniffers to obtain user and administrator credentials and access domain controllers, as well as spreading laterally to other networks.
After mapping out a network and getting admin credentials for various domains, the operators generally commence regular data collection operations, mostly using lightweight remote-access tools. They sometimes deploy a small remote reverse shell to enable interactive operations and function as a backup access vector, maintaining a minimal presence while avoiding detection.
The main heavyweight implant comprises stacks of loosely-coupled components which connect via well-designed interfaces; for example its network protocols separate its encryption layer from its transport layer, which could be its custom HTTP protocol or its raw TCP socket protocol. This way, the operators can choose the best network transport protocol to fit into the target environment without detection, yet still preserve the full functionality of the implant, as all the other layers, right up to its command processing code - the 'application' layer - are completely agnostic to what transport is used.
Despite being implemented in the C programming language, the code exhibits very few of the memory management and other bugs common to development in that language, as well as selection of good algorithms. This not to say that it is perfect, however, and a basic error - creating a prime number of only 128 bits in size - signficantly weakened the Diffie-Hellman key agreement component of its encryption layer, while rushed deployment led developers to sometimes compile and link its binaries with debugging symbol tables included - allowing researchers to identify function names, strings and developer comments, thereby gaining insights into its communications protocols and inner workings.
From this initial foothold, various agencies were able to monitor Snake, decrypting and decoding its C2 communications. Ultimately the FBI was able to develop a tool called PERSEUS which establishes a session with the Snake implant on a particular computer and issues commands that instruct the implant to disable itself, effectively overwriting its own components, without affecting the infected host or its legitimate applications. Having obtained authorization from a Federal court, the FBI commenced Operation MEDUSA, which dismantled the Snake network on infected systems within the US.
The US agencies involved - the FBI, the NSA, US Cyber Command's Cyber National Mission Force and the Cybersecurity & Infrastructure Agency - have collaborated with the UK's National Cyber Security Centre, Canada's Centre for Cyber Security abd Communications Security Establishment, the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre, and those agencies will presumably take appropriate actions in their own jurisdictions. In addition, the FBI and US State Department are also providing information to local authorities in other countries where Snake-infected computers have been located.
The agencies have also issued a 48-page joint cybersecurity advisory, which makes fascinating reading, as you might expect, with a full analysis of Snake's communication and application layers, as well as the implant operation. Of course, the advisory also contains suggestions for detection, mitigation and prevention, including a plugin for the Volatility memory analysis framework which will scan all processes, looking for the Snake user mode component having been injected into a process.
Marzulli, John, Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by Russia's Federal Security Service, press release, 9 May 2023. Available online at https://www.justice.gov/usao-edny/pr/justice-department-announces-court-authorized-disruption-snake-malware-network.
NSA Media Relations, U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide, press release, 9 May 2023. Available online at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3389044/us-agencies-and-allies-partner-to-identify-russian-snake-malware-infrastructure/.
Cybersecurity & Infrastructure Security Agency, Hunting Russian Intelligence “Snake” Malware, cybersecurity advisory AA23-129A, 9 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a.
Uncredited, UK and allies expose Snake malware threat from Russian cyber actors, news release, 9 May 2023. Available online at https://www.ncsc.gov.uk/news/uk-and-allies-expose-snake-malware-threat-from-russian-cyber-actors.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Research Shows Substantial Rise in NSW Cybercrime Reports
Research by the NSW Bureau of Crime Statistics and Research shows that reports of cybercrime have increased by 42% in the three years to June 2022. This is based on data from the Australian Cyber Security Centre's ReportCyber Application Platform (RCAP), which is only one of several different reporting systems, not counting direct reports to state police forces, suggesting that there is a pressing need to integrate these systems in order to permit more comprehensive analysis (but see below).
Based on the RCAP data, all cyber offense categories - cyber-enabled fraud, identity theft, cyber-enabled abuse, online image abuse, and device offences - increased, with the exception of abuse. The biggest increases were seen in device offences such as malware, especially ransomware (117%), followed by fraud (95% - no surprise there) and identity crime (35%). 89% of the reporting victims were individuals; 53% were male and 87% were over 25 years of age.
The majority (71%) of reports were closed by police in RCAP with no further investigation undertaken. Fraud and online image abuse (OIA) were the most likely offence categories to be referred to police for further investigation (at above 40%). Device offences were the least likely to be referred to police at 5%. This may well be because victims know the attackers are based overseas in countries where they are unlikely to be apprehended - if, indeed, any investigation is done at all.
Reports were more likely to be referred to police when the incident involved a victim aged 17 years or younger, the suspect was known to the victim, money was lost, or an online image abuse offence was indicated. Most OIA reports (84%) were referred to police within 7 days compared to just 42% of identity crime reports. In the vast majority of cases, victims do not know any details about the offender and many of those who do, report that the suspected perpetrator resides overseas. This makes it near impossible for local and federal police agencies to prosecute offenders and undermines the deterrent value of any criminal sanctions prescribed for these offences.
All in all, the report makes depressing reading in light of the high cost of police follow-up, coupled with the low probability of successful action, let alone restorative justice for victims. Add to this the wide range of exploits and vulnerabilities, coupled with the susceptibility of many people to social engineering, and the onus really has to remain on strengthening individuals and their systems in order to prevent their exploitation, rather than retrospective policing actions.
Klauzner, Ilya and Amy Pisani, Trends and Characteristics of Cybercrime in NSW, bureau brief, 9 May 2023. Available online at https://www.bocsar.nsw.gov.au/Pages/bocsar_publication/Pub_Summary/BB/BB165-Summary-Cybercrime-in-NSW.aspx.
Commonwealth Budget Adds $A85 Million for Anti-Scam Measures
Meanwhile, at the Federal level, the 2023 Budget released by Treasurer Jim Chalmers includes some allocations for tackling online scams and cybercrime. The major announcement is the establishment of a national anti-scam centre, at a cost of $A58 million, to share scam data across both government and private sectors, and to "establish public-private sector Fusion Cells to target specific scam issues" (I'm not sure what 'Fusion Cells' are, but they sound very cool and will doubtless eliminate all scamming 😉).
An additional $A17 million will be spent over four years to identify and take down phishing websites and investment scams (this sounds rather broad, and if not restricted in scope somehow, I suspect a lot more than $A17 million will be required).
Finally, $A10 million has been allocated for an SMS sender ID registry in an attempt to stop criminals impersonating government and industry names in smishing attacks. To be honest, I can't see that having much effect at all.
Visontay, Elias, Federal budget 2023: winners and losers summary, The Guardian, 9 May 2023. Available online at https://www.theguardian.com/australia-news/2023/may/09/budget-2023-winners-and-losers-summary-who-will-benefit-is-better-worse-off-federal-labor-australia-government-.
News from the World of DDoS
Quite a bit of action in the DDoS world this week, with Fortinet researchers providing details of two botnets and some good news from the US DoJ.
First, FortiGuard Labs has reported on a new version of a botnet first observed in February, but now infecting unpatched wireless access points via a vulnerability (CVE-2023-25717 - CVSS score 9.8) in the Ruckus Wireless Admin panel. The botnet, christened 'AndoryuBot', targets this remote code execution vulnerability to gain initial access, and then downloads a script for further propagation. After initialization, it connects to its C2 server via the SOCKS protocol and waits for commands to launch a DDoS attack, using any of 12 different methods.
Admins running Ruckus Wireless Admin Panel v 10.4 or older should apply the patches released several months ago; older versions which are beyond end-of-life will not get a fix.
In a second report, FortiGuard Labs describes new samples of the RapperBot campaign, which has been active since June 2022, primarily targeting IoT devices, primarily by brute-forcing weak or default SSH or telnet (!) credentials. Once compromised, the devices are used for DDoS attacks.
However, the new variant adds some new functionality, primarily in its C2 protocol, and also adds an SSH public key to compromised devices as a way of remaining persistent should the device be rebooted. Perhaps the most interesting twist is the addition of a Monero cryptomining capability into the bot, whereas previous versions would execute a separate cryptominer.
Finally, the US Department of Justice continues to make progress in shutting down DDoS-for-hire services, also referred to as 'booter' sites. This week, the DoJ seized 13 more Internet domains associated with these services, most of them reincarnations of domains which had been seized during a previous seizure back in December. For example, one of the domains seized this week, cyberstress.org, seems to be the same service as was previously operating as cyberstress.org.
In conjunction with these domain seizures, the Justice Department also announced that four defendants, who had been charged in late 2022 in Los Angeles, have now pleased guily to federal charges, admitting that they operated or participated in the operation of booter services. They will be sentenced this (northern) summer.
Lin, Cara, AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717), blog post, 8 May 2023. Available online at https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717.
Salvio, Joie and Roy Tay, RapperBot DDoS Botnet Expands into Cryptojacking, blog post, 9 May 2023. Available online at https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking.
Mrozek, Thom, Federal Authorities Seize 13 Internet Domains Associated with ‘Booter’ Websites that Offered DDoS Computer Attack Services, press release, 8 May 2023. Available online at https://www.justice.gov/usao-cdca/pr/federal-authorities-seize-13-internet-domains-associated-booter-websites-offered-ddos.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Brewer-Nash Missing in Action
Scandal has rocked the Australian arm of global consulting firm PwC, with chief executive Tom Seymour resigning after sustained criticism arising from allegations the firm shared confidential government tax policy with other clients. There being only a few large audit and consulting firms left, it is not unusual for them to have multiple clients sometimes with conflicting interests.
In this case, PwC had been retained by the government to consult on tax reforms, particularly rules to prevent multinational corporations avoid tax by using strategies such as transfer pricing to shift profits out of Australia to tax havens. However, PwC's former head of international tax, Peter-John Collins was subsequently deregistered for two years by the tax practitioners board for failing to act with integrity and sharing confidential government briefings with other staff. PwC was ordered to put training and procedures in place to ensure conflicts of interest are adequately managed.
Cybersecurity professionals already know how this is done: the Brewer-Nash security model, better known as the Chinese Wall security policy. This blocks access to documents by populating conflict-of-interest classes for employees like consultants working in firms where it is important that sensitive information about one client not be leaked to another. In essence, this is a form of privacy control, only the subjects are corporations rather than individual persons.
However, technical controls can always be bypassed outside the systems that implement them, and this is particularly the case where management lacks the ethical will to implement them in the first place.
Belot, Henry, Consultancy firms becoming ‘shadow public service’, expert warns, as PwC crisis deepens, The Guardian, 9 May 2023. Available online at https://www.theguardian.com/australia-news/2023/may/09/consultancy-firms-becoming-shadow-public-service-expert-warns-as-pwc-crisis-deepens.
Brewer, D. F. C., & Nash, M. J., The Chinese Wall security policy, Proceedings of the 1989 IEEE Symposium on Security and Privacy, pp 206–214, 1989. Available online at https://doi.org/10.1109/SECPRI.1989.36295.
Job-Seeking By Hacking
In a novel approach to job-hunting, a budding 'security researcher' has advertised his skills and availability by 'hacking' some packages in the PHP language's Packagist distribution repository. In doing so, he has reinforced awareness of problems with the open-source software supply chain, which has previously seen malware introduced to repositories like PyPI for Python.
The Packagist repository does not store project code for distribution; rather it links to the project code on services like GitHub, simplifying maintenance for developers and ensuring that the repository always links to the correct version of the software. However, this opens up a second way in which the respository could be 'poisoned': rather than hacking the original source code or binaries, an attacker could simply change the links in Packagist.
And that's what one enterprising hacker did. Having somehow obtained the passwords to four old, inactive Packagist accounts, they copied 14 GitHub projects associated with this accounts, copied these projects to a new GitHub account and then changed the links in Packagist to point to the new GotHub repositories.
Having done this, they could have modified the PHP source code of the projects to insert backdoors or other malware, but instead confined themselves to editing the description field in each project's composer.json file to insert a short message (in Russian) with their email address and the fact that they were "looking for a job in Application Security, Penetration Tester, Cyber Security Specialist".
Hire them at your peril. . .
Ducklin, Paul, PHP Packagist supply chain poisoned by hacker "looking for a job", Naked Security blog, 5 May 2023. Available online at https://nakedsecurity.sophos.com/2023/05/05/php-packagist-supply-chain-poisoned-by-hacker-looking-for-a-job/.
MSI Breach: UEFI Secure Boot No Longer Secure
Following a breach of its systems in March, motherboard manufacturer MSI refused to pay the $US4,000,000 ransom demanded by the 'Money Message' threat actor. Now the group has started to release the 1.5TB of data they exfiltrated from MSI, including the source code for their motherboard firmware.
On Friday of last week, Alex Matrosov, the CEO of firmware supply chain security firm Binarly, revealed that the leaked source code contained the private keys used to sign the BIOS images for 57 different products and the Intel Boot Guard private keys for 116 products. These keys are unique to MSI, and are not Intel signing keys.
However, the Intel Boot Guard keys will allow an attacker to build malicious firmware updates and deliver them through a normal BIOS update process with MSI update tools, according to Matrosov. This will bypass Intel Boot Guard and allow attackers to load UEFI bootkits, rendering Windows UEFI Secure Boot invalid.
In a later tweet, Matrosov also revealed that "one of the leaked keys (bxt_dbg_priv_key.pem) is associated with Intel Orange or OEM Unlocked. Based on Intel documentation, it appears to be more power in comparison to Boot Guard Keys."
The implication is that this breach now affects not only MSI devices, but the entire Windows UEFI Secure Boot ecosystem.
Matrosov, Alex, Recently, @msiUSA accounced a significant data breach., tweet, 4 May 2023. Available online at https://twitter.com/matrosov/status/1653923749723512832.
Matrosov, Alex, Diving deeper into MSI leak ..., tweet, 9 May 2023. Available online at https://twitter.com/matrosov/status/1655744775063244800.
Ravie Lakshamanan, MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web, The Hacker News, 8 May 2023. Available online at https://thehackernews.com/2023/05/msi-data-breach-private-code-signing.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Resilience, Redundancy and Separation in Incident Response
The March breach of systems at storage vendor Western Digital has provided an interesting lesson for those who work in - or more importantly, plan for - incident response operations. Ransomware gang BlackCat/ALPHV has allegedly broken into an early morning videoconference held by the company's incdent response team and posted a screen grab on the gang's web site, dubbing the attendees, "the finest threat hunters Western Digital has to offer". Ouch!
(Image credit: Dominic Alvieri)
There's an important lesson here. Putting all your eggs in one basket with a monoculture (typically Microsoft, these days) can allow all those eggs to be compromised simultaneously. Separation of systems may be more complex and expensive to administer, but it can limit the impact of an attack, as Norsk Hydro showed when it dealt with a targeted ransomware attack on its on-prem systems by using its Microsoft 365 and Azure resources to keep communication channels open and some systems running. And once the bad guys are in your systems, using those same systems to coordinate defence will let the bad guys stay one step ahead.
Incidentally, BlackCat/ALPHV also last week claimed responsibility for a ransomware attack on Canadian software company Constellation Software, exfiltrating over 1 TB of both business and personal data which is now being ransomed on the group's web site.
Alvieri, Dominic, This is a black eye for Western Digital., tweet, 28 April 2023. Available online at https://twitter.com/AlvieriD/status/1652173436888784896.
Gatlan, Sergiu, ALPHV gang claims ransomware attack on Constellation Software, Bleeping Computer, 5 May 2023. Available online at https://www.bleepingcomputer.com/news/security/alphv-gang-claims-ransomware-attack-on-constellation-software/.
Former Uber CISO Sullivan Sentenced; Escapes Jail Time
A key concern for chief information security officers is the extent to which they may be found legally liable in the event of a breach. A case in point is that of former Uber CSO Joe Sullivan, who was found guilty obstructing justice by concealing a data breach from the Federal Trade Commission, which had been investigating the company's privacy protections, and also of actively hiding a felony (Menn, 2022). The charges arose from protracted negotiations Sullivan had undertaken with the hackers in an attempt to identify them and to minimise the extortion payment- allegedly with the knowledge and agreement of other company officers.
On 4 May, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years' probation and ordered him to do 200 hours of community service, along with a $US50,000 fine. Despite having received 186 letters from Sullivan's peers, friends and family, many of them arguing for leniency, the judge was scathing in his summary and stated that other security professionals would not be so fortunate if brought before him in future:
"If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. . . . When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off."
Menn, Joseph, Former Uber security chief convicted of covering up 2016 data breach, The Washington Post, 5 October 2022. Available online at https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/.
US Department of Justice, Former Chief Security Officer Of Uber Sentenced To Three Years’ Probation For Covering Up Data Breach Involving Millions Of Uber User Records, press release, 5 May 2023. Available online at https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data.
Vijayan, Jai, Judge Spares Former Uber CISO Jail Time Over 2016 Data Breach Charges, Dark Reading, 6 May 2023. Available online at https://www.darkreading.com/attacks-breaches/judge-spares-former-uber-ciso-jail-time-over-2016-data-breach-charges.
Meta (Facebook) Takes Down Malware Using ChatGPT As Lure
You might have noticed a rash of Facebook ads promoting desktop apps and browser plugins which act as a 'free' front-end for OpenAI's massively over-hyped (not their fault) conversational large language model. If these seemed too good to be true - or merely pointless - you were right, and Meta has now confirmed that it has taken down a massive campaign that was promoting these malware-infested tools via over one thousand different URL's.
It seems that the primary goal of the malware families - Ducktail, NodeStealer and others - is to compromise businesses with access to ad accounts across the Internet. In fact, ten different malware families have used ChatGPT and similar themes to compromise account.
The Ducktail malware has been evolving for several years since it first emerged, distributing malware via file-hosting services like Dropbox and Mega to infect browsers such as Google Chrome, Microsoft Edge, Brave, and Firefox in order to access victims' information on desktop systems. Meta issued a cease and desist letter to its Vietnam-based operators, referred the case to law enforcement and will take additional actions as appropriate.
The Meta analysts' report also provides a detailed breakdown of the NodeStealer malware.
In other Facebook-related news, the company has also disrupted nine different adversarial networks. Six of these were engaged in disinformation campaigns (what Meta calls 'Coordinated Inauthentic Behavior'), originating in the US, Venezuela, Iran, China, Georgia, Burkina Faso and Togo, and primarily targeting people outside of their countries.
However, the firm also disrupted three cyber-espionage operations in South Asia: an advanced persistent threat (APT) group we attributed to state-linked actors in Pakistan, a threat actor in India known in the security industry as Patchwork APT, and the threat group known as Bahamut APT in South Asia. Each of these groups relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information.
Nguyen, Duc H. and Ryan Victory, The malware threat landscape: NodeStealer, DuckTail, and more, blog post, 3 May 2023. Available online at https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/.
Rosen, Guy, Meta’s Q1 2023 Security Reports: Protecting People and Businesses, news release, 3 May 2023. Available online at https://about.fb.com/news/2023/05/metas-q1-2023-security-reports/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Cancer Centre Hit By Ransomware Attack
NSW Health has revealed that the Crown Princess Mary Cancer Centre, which is part of Sydney's Westmead Hospital, has been hit by a ransomware attack. NSW Health was alerted to the attack late yesterday afternoon, and states that the attack does not seem to have impacted other NSW health systems or the cancer centre's databases.
Ransomware group Medusa is apparently behind the attack, having added the cancer centre to its victim list with a countdown timer on its site giving the victim a week to pay up before sensitive information will be leaked. Medusa has been highly active in recent months, targeting the Minneapolis Public Schools as well as targets in Australia.
FalconFeedsio, Medusa #ransomware group added The Crown Princess Mary Cancer Centre..., tweet, 4 May 2023. Available online at https://twitter.com/FalconFeedsio/status/1653990479367749634.
Tran, Danny, Crown Princess Mary Cancer Centre in Westmead Hospital in cyber attack, hackers threatening to release stolen data, ABC News, 4 May 2023. Available online at https://www.abc.net.au/news/2023-05-04/crown-princess-mary-cancer-centre-being-hacked/102305996.
Google Adds Passkey Support
Google has added support for passkeys on personal Google accounts, allowing users to finally dispense with passwords.
Experience shows that passwords are problematic: users create weak passwords, share them with others, and accidentally disclose them to bad actors via phishing attacks. Worse still, people have trouble remembering them, and will routinely use the same password across multiple sites, increasing their exposure to credential stuffing attacks.
By contrast, passkeys operate by using public key cryptography - when the user generates a passkey the private key is stored locally, on a computer or mobile device, while the public key is uploaded to the authenticating site - in this case, Google. For subsequent logins, the authenticator will generate a challenge which is sent to the user's device; this will ask the user to authenticate themselves, by biometric techniques such as facial recognition or fingerprint recognition, or some other technique, and then use the private key to sign a response sent back to the authenticator, which can then verify the signature and grant the user access.
Each passkey is unique to a single account, so there is no reuse across sites; they do not need to be memorized, and are generally simpler to use than passwords, once set up. Furthermore, they can also be used on shared or borrowed devices without being stored on them - for example, a user can select the option to "use a passkey from another device" to use their phone to obtain a one-time sign-in on, say, a campus lab computer or library computer. And of course, passkeys can be revoked if the user suspects they are compromised.
Birgisson, Arnar and Siana K Smetters, So long passwords, thanks for all the phish, blog post, 3 May 2023. Available online at https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
seL4 Team Garners Major ACM Award
The Association for Computing Machinery (ACM) has awarded its 2022 Software System Award to the team behind seL4, a mathematically-proven secure implementation of the L4 microkernel. Back in 2009, a group from UNSW/NICTA (later, Data61 and CSIRO) used automated theorem proving to prove that seL4 is secure (Klein et. al., 2009); in order to allow automated reasoning, seL4 implements a capabilities-based access control model. In a DARPA study, hackers were able to break into the Linux-based OS of an autonomous helicopter, but after it was re-engineered to use seL4, the hackers were unable to break in, even after being given root access to a Linux VM hosted on the seL4 microkernel.
After a slow start, seL4 has seen increasing adoption by industry, particularly in US defense and aerospace, but increasingly in industrial control systems and embedded systems. A key industry project using seL4 is the development of a secure car operating system. seL4 is also used in the secure enclave of iOS devices.
Gernot Heiser, University of New South Wales; Gerwin Klein, Proofcraft; Harvey Tuch, Google; Kevin Elphinstone, University of New South Wales; June Andronick, Proofcraft; David Cock, ETH Zurich; Philip Derrin, Qualcomm; Dhammika Elkaduwe, University of Peradeniya; Kai Engelhardt; Toby Murray, University of Melbourne; Rafal Kolanski, Proofcraft; Michael Norrish, Australian National University; Thomas Sewell, University of Cambridge; and Simon Winwood, Galois, receive the Award for their work, which has fundamentally changed the research community's perception of what formal methods can accomplish, showing that not only is it possible to complete a formal proof of correctness and security for an industrial-strength operating system, but that this can be accomplished without compromising performance or generality.
seL4 has now been open-sourced under the auspices of the seL4 Foundation. More information can be found at http://sel4.systems/.
Klein, G., K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, et al., SeL4: Formal Verification of an OS Kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, 207–220, 2009.
Uncredited, About ACM Software System Award, ACM, May 2023. Available online at https://awards.acm.org/software-system.
Australian Law Firm Hacked by ALPHV/BlackCat
Commercial law firm HWL Ebsworth has apparently fallen victim to an attack conducted by an affiliate of one of the most prolific ransomware and data leak actors, ALPHV/BlackCat, which has posted the exfiltrated data on its dark web site. ALPHV/BlackCat operates as Ransomware-as-a-Service, and its affiliates typically target high-value targets; earlier this year it was responsible for attacks on real estate company, LJ Hooker, a medical practice in Lackawanna County, Pennsylvania and Amazon's Ring doorbell division.
The threat actor claims to have 4TB of data from HWL Ebsworth, including employee CV's, ID's, financial reports and accounting data, as well as a complete network map. Perhaps more concerningly, the data also includes client documentation and credit card information.
The law firm's privacy policy claims it takes "stringent measures to protect that information from misuse, interference and loss and from unauthorised access, modification or disclosure". To do this, it employs " broad range of security safeguards", stating that "all electronic databases incorporate strict password access and virus and firewall protection procedures" and "Physical and logical security measures are employed to deal with external threats and the possibility of internal ones". Regular readers will recognise that there is a lot more to information security and privacy than that.
Taylor, Josh, Australian law firm HWL Ebsworth hit by Russian-linked ransomware attack, The Guardian, 2 May 2023. Available online at https://www.theguardian.com/technology/2023/may/02/australian-law-firm-hwl-ebsworth-hit-by-russian-linked-ransomware-attack.
Chinese APT's Employee New DLL Sideloading Techniques
Researchers from both Trend Micro and Sophos have independently detected the use of sophisticated new DLL sideloading techniques by Chinese APT groups. In DLL sideloading, a malicious loader, typically carrying an encrypted payload, injects its code into an innocent, non-malicious application once it is running.
The Trend Micro team has discovered a campaign by Earth Longzhi (a subgroup of APT41), targetting organizations in Taiwan, Thailand, the Philippines and Fiji. The campaign abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard.sys to disable security products on the target hosts in a 'bring-your-own-vulnerable-driver' (BYOVD) attack. Their report also describes an innovative technique for disabling security products which they have named 'stack rumbling' via Image File Execution Options (IFEO).
The campaign also evades security products' API monitoring by instead using remote procedure calls to install drivers as kernel-level services.
The Sophos researchers document a campaign, likely conducted by an APT variously known as "Operation Dragon Breath", "APT-Q-27" or "Golden Eye Dog", which is believed to specialize in attacks on online gambling participants. This campaign adds complexity and layers to the classic DLL sideloading attack. This variant adds a second stage to the attack: a first-stage 'clean' application 'side-loads' and executes a second 'clean' application, which in turn, sideloads the malicious loader DLL. Finally, the loader DLL executes the final malicious payload.
The two-step sideloading attack; 'clean' applications shown in blue with malicious payloads and steps shown in orange. (Image credit: Sophos)
Initial infection is accomplished via a malicious installer for what claims to be a Chinese-language version of the Telegram messaging application or via a trojanized installer for LetsVPN. Another variant claims to be a WhatsApp installer.
The two reports provide lots of technical detail for those of us who enjoy that kind of thing, as well as IOC's and other actionable information.
Lee, Ted and Hara Hiroaki, Attack on Security Titans: Earth Longzhi Returns With New Tricks, Trend Micro research report, 2 May 2023. Available online at https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html.
Szappanos, Gabor, A doubled “Dragon Breath” adds new air to DLL sideloading attacks, Sophos blog post, 3 May 2023. Available online at https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.