Site blog

Les Bell
ASD Releases Cyber Threat Report for 2022-2023
by Les Bell - Wednesday, 15 November 2023, 7:51 AM
Anyone in the world

The Australian Signals Directorate has released its Cyber Threat Report for 2022-2023. While I haven't had a chance to read the 80-page report, there are a few standout points:

  • The top3 cybercrimes reported by businesses are:
  • Self-reported losses due to BEC fraud totalled almost $A80 million, with an average loss of over $A39,000 per incident
  • Ransomware comprised over 10 percent of all incidents, with the highest-reporting sectors, accounting for roughly one-third of reports being:
    • Professional, scientific and technical services
    • Retail
    • Manufacturing
  • The average self-reported cost of cybercrume to businesses increased by 14%:
    • $46,000 for small business
    • $97,200 for medium business
    • $71,600 for large business

A 'matrix-style' screen of text characters. Photo by Markus Spiske on Unsplash.State-sponsored actors focused on critical infrastructure, with their objectives being data theft and disruption of business. It is noticeable that cyber perations are increasingly the preferred vector for state actors to conduct espionage and foreign interference. ASD and international partners called out the Russian FSB for its use of the Snake malware for cyber-espionage, and  also highlighted activity associated with a People’s Republic of
China state-sponsored cyber actor that used ‘living-off-the-land’ techniques to compromise critical
infrastructure organisations.

The connection of operational technology and industrial control systems to the Internet via enterprise networks has provided increased opportunities for threat actors to attack them; ASD responded to 143 incidents related to critical infrastructure.

Proactive patching is increasingly important (today is Windows PatchDay - is your computer fully patched?) One in 5 critical vulnerabilities was exploited within 48 hours, despite patching or mitigation advice being available. Malicious cyber actors used these critical flaws to cause significant incidents and compromise networks, aided by inadequate patching.

Online scams and cybercrime continue to increase: individuals made almost 94,000 reports of cybercrime - an increase of 23% over the previous year. The top four cybercrimes reported by individuals are:

  • Identity fraud
  • Online banking fraud
  • Online shopping fraud
  • Investment fraud

The Australian Competition and Consumer Commission’s Targeting Scams report revealed Australians lost over $3 billion to scams in 2022. This is an 80 per cent increase on total losses recorded in 2021.

In short, we cybersecurity professionals are far from being out of a job.

Uncredited, ASD Cyber Threat Report 2022-2023, report, 14 November 2023. Available online at https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
ACSC, CISA Address BCP
by Les Bell - Tuesday, 14 November 2023, 8:06 AM
Anyone in the world

The Australian Cyber Security Centre, aided by the US's Cybersecurity and Infrastructure Security Agency, has released a guidance package aimed at ensuring continuity of operations for both email communications and critical business applications following a significant incident - the most obvious example being a ransomware attack, but physical disasters do happen, too.

A building fire. (Photo by Chris Karidis on Unsplash)

The package, entitled Business Continuity in a Box, is aimed at small and medium businesses and provides step-by-step instructions on how to deploy the necessary services in the cloud. It consists of three guidance documents plus a supporting PowerShell Script:

  • ACSC Business Continuity In a Box - Overview
  • ACSC Business Continuity In a Box - Communications
  • ACSC Business Continuity In a Box - Applications
  • ACSC Business Continuity In a Box - Automation Tool

The Communications document provides a detailed, step-by-step, plan for provisioning a replacement email service using a Microsoft 365 Business Standard Tenant (one can't help wondering if the focus on Microsoft's cloud is the first fruit of Microsoft's recent much-touted $A5 billion investment in cybersecurity and AI in Australia).

In stage 1, the user reviews the pack and verifies that they have the prerequisites (a Windows 10 or 11 computer, a phone, an email account, relevant information about the organisation - particularly access to its DNS configuration - and a credit card).

In stage 2, the guide walks the user through provisioning the MS 365 tenant, while in stage 3, they update the organisation's DNS entries, following provider-specific guidance supplied at the time by Microsoft. Stage 4 uses a PowerShell script to apply configuration settings to the MS 365 tenant and the associated Exchange Online instance. while the final stage validates the environment.

The guide seems to be well thought-out, with good explanations at an appropriate level for an only moderately technical user who is working quickly, under pressure, possibly somewhat panicked.

Despite my idle musings above, the guide does make the point that this MS 365 account can operate on a 30-day free trial, so it's not very profitable for Microsoft (but neither will it cost them much, either). But I wouldn't be surprised if Google and other SaaS providers produced similar guides for their own services.

The Continuity of Applications guide is, of necessity, much less detailed - there being so many different types of applications. It covers three stages - 1: determining the critical applications (essentially a crude Business Impact Analysis, described in a few paragraphs), 2: Determining a continuity path (selecting SaaS, PaaS or IaaS), and 3: deploying an IaaS application environment, IaaS being the fastest way to deploy an existing application, although some basic applications could be deployed on SaaS using low-code/no-code tools such as Microsoft PowerApps or Google AppSheet (unfortunately, not covered here).

The discussion for stage 3 covers the various architectural principles and patterns as well as relevant issues, and is more agnostic than the Continuity of Communications document, providing examples for MS Azure, AWS and Google Cloud. However, in all cases, a lot more preparation work will be required of the user, if they are to respond quickly to a business continuity incident.

Overall, this is a useful set of preparatory documents for SME's. What's more, we know from experience that at least some of the techniques described really work. Take, for example, the experience of Norsk Hydro, which suffered a targeted ransomware attack (Beaumont, 2019 and Clueley, 2019,) but quickly got on the front foot by deploying an interim web site in Azure and providing status updates to customers via email (which was unaffected since they were already using MS 365).

ASD and ACSC (with CISA), Business Continuity in a Box, documentation web page, 10 November 2023. Available online at https://www.cyber.gov.au/smallbusiness/business-continuity-in-a-box.

Beaumont, Kevin, How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business, DoublePulsar blog, 21 March 2019. Available online at https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880.

Clueley, Graham, In its ransomware response, Norsk Hydro is an example for us all, blog article, 3 April 2019. Available online at https://www.grahamcluley.com/in-its-ransomware-response-norsk-hydro-is-an-example-for-us-all/.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Australia's Torrid Week for Critical Infrastructure
by Les Bell - Monday, 13 November 2023, 7:45 AM
Anyone in the world

It's only been a week since Australia's Department of Home Affairs released its first Critical Infrastructure Annual Risk Review - November being Critical Infrastructure Security Month. And only a couple of days later, top-tier telco Singtel Optus suffered a major day-long outage - this one apparently not cybersecurity-related, but with some important lessons for us, nonetheless.

A container terminal with a crane over a container ship.And just when everyone thought it couldn't get any worse, ports operator DP World Australia has been hit with a 'cybersecurity incident' (I would say breach, rather than incident, as their defences failed) - this one quite likely the early phases of a ransomware attack.

Turning first to Optus, the firm started to experience a major network failure starting around 4 am on Tuesday 7 November. There's been no official word so far, but the signs point to a failed BGP-4 configuration change which propagated throughout the firm's systems, since other network operators reported a spike in BGP-4 routing advertisements from the company, beginning around then. This brought down the company's cellular network, since voice calls in this 4G/5G/6G world are no longer switched analog signals, but Voice over IP.

You might be thinking, "Hang on - the whole point of the packet-switched IP protocol which runs the Internet, and the dynamic routing protocols which control its routing, is precisely to deal with this by detecting outages and routing around them!". And you'd be right, except for a couple of things:

First, the days when telephone exchanges were huge sandstone or concrete buildings which were manned 24 x 7 by technicians are long gone. These days, the 'central office' switching centre gear is much, much smaller, and is remotely managed - which is great as long as your network lets you connect to those switches and fix any configuration problems. But if your network routing is b0rked, then you've just sawn through the branch you were sitting on, and are rapidly hurtling towards terra firma.

The switches that failed first were located in two Melbourne suburbs, and so a technician apparently had to be despatched with a laptop and cable to connect to the AUX port of the switches. Meanwhile, a domino effect had set in, with routes being dropped all over the place. There are other potential complicating factors, too - think about physical access control: a great big chunky key will always work, but a badge reader will need network connectivity.

Over 12 hours later, the network was gradually coming up again, mollifying customers who had suffered significant losses. Coffee shops, hairdressers and retailers of all sizes were unable to take payments, since their credit card terminals rely on the cellular and in this post-COVID era hardly anyone carries cash. The result was a clamor for compensation - to which Optus was slow in responding, offering many customers an extra 200GB of free data (on top of an unlimited data plan, in many cases!).

There are clearly lessons here about resilience by means of redundancy, cost-cutting, the importance of planned responses to material incidents, breaches and outages, including crisis communications, and the value of dual-SIM smartphones with a spare pre-paid SIM.

Turning to DP World: the UAE-based logistics firm is the largest port operator in Australia, handling one third of the country's maritime freight through its ports in Sydney, Melbourne, Brisbane and Fremantle. On Friday 10 November, the company detected a breach and responded by disconnecting from the Internet and calling in cybersecurity specialists, including the Australian Cyber Security Centre, this being critical infrastructure.

As a result of this containment effort the firm had to close down its port operations, including its connections with landside transport and logistics companies. This could lead to supply-chain disruption and product shortages in the pre-Christmas retail peak - so we can expect more unhappy retailers.

DP World remains offline as of 7 am on Monday 13 November 2023, but hopes to back online within days.

'They' say that bad things always come in threes, so I'm waiting with bated breath. . .

McKenzie, Parker, What caused the Optus outage and how it exposed Australia’s communications framework, The New Daily, 8 November 2023. Available online at https://www.thenewdaily.com.au/finance/consumer/2023/11/08/optus-outage-cause-resiliency.

AAP, Cyber attack shuts down major port operator, The New Daily, 11 November 2023. Available online at https://www.thenewdaily.com.au/news/2023/11/12/dp-world-cyberattack.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Torrid Week for Australia's Critical Infrastructure
by Les Bell - Monday, 13 November 2023, 7:43 AM
Anyone in the world
Tags:
Permalink
 
Les Bell
Quantum Cryptanlysis Breakthrough? Really?
by Les Bell - Wednesday, 8 November 2023, 8:56 AM
Anyone in the world

Photo by Michael Dziedzic on UnsplashOnline magazine Tom's Hardware is reporting a claimed breakthrough in quantum computing which can break RSA-2048 - that is, given an RSA public key with a 2048-bit modulus, it can derive the private key in polynomial time. Even better, it can do this without requiring a huge, expensive super-cooled quantum circuit - instead, it works on a smartphone or Linux desktop.

The claim is made in the abstract of a preprint posted to open-source publishing site, ResearchGate, by Ed and Ann Gerck, of Planalto Research.

Now, until last year, I was a university lecturer in Applied Cryptography, and I taught some aspects of quantum crptology - both the use of quantum key distribution (QKD) and quantum cryptanalysis. In particular, I taught the basics of quantum computing and the operation of Shor's Algorithm for factoring large composites (which is the way to break RSA crypto), including how the quantum computer is used to derive the periodicity of a function.

I've read the abstract in question, and it doesn't make much sense to me. A few points to bear in mind:

  • I cannot conceive of any way to run a quantum algorithm on a smartphone. Quantum computing just doesn't work that way.
  • A breakthrough of this magnitude would not be published on an open-source site - if I had come up with it, I'd submit it for one of the major cryptology conferences like IACR, CRYPTO or EuroCRYPT. What's more, if it passed muster, I'd get star billing.
  • Peer review, while important for academic publishing, could easily be dispensed with in a case like this: the claim can be verified by returning the private keys in response to a few public keys given as a challenge. For bonus points, show it actually running on a smartphone.
  • The abstract also reveals that "that we are working on a post-quantum, HIPAA compliant, end-to-end, patent-free, export-free, secure online solution, to replace RSA as soon as possible". This work is apparently based on an earlier proprietary crypto algorithm called ZSentry. Frankly, nobody cares whether crypto is HIPAA-compliant; the question is whether it is FIPS accredited. This is just hand-waving, with added buzzwords for the technically unsophisticated, and one can only wonder whether the claim to have broken RSA is an attempt to stimulate demand for post-quantum crypto - which can in any case be met by several other solidly-based algorithms already on the standards track.

I've been banging the drum pretty consistently for many years on the need for cryptographic agility - preparedness to replace existing public-key algorithms before it is too late. But I'd be very surprised if this was the expected quantum apocalypse.

As I've long told my students, in the world of cryptology, there's not a great distance between secret sauce and snake oil. And, as UTS researcher Chris Ferrie points out, the world of quantum physics has spawned a lot of BS.

Tyson, Mark, Scientist Claims Quantum RSA-2048 Encryption Cracking Breakthrough, Tom's Hardware, 4 November 2023. Available online at https://www.tomshardware.com/software/security-software/quantum-rsa-2048-encryption-cracking-breakthrough-claim-met-with-scepticism.

Gerck, Ed and Ann Gerck, QC Algorithms: Faster Calculation of Prime Numbers, preprint, August 2023. Available online at https://www.researchgate.net/publication/373516233_QC_Algorithms_Faster_Calculation_of_Prime_Numbers.

Ferrie, Chris, Quantum Bullshit: How to Ruin Your Life with Advice from Quantum Physics, Sourcebooks, 2023. Available in Kindle format via Amazon at https://www.amazon.com/Quantum-Bullsh-Ruin-Advice-Physics-ebook/dp/B0BQCGRT4V/.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Australian Critical Infrastructure Risk Review Released
by Les Bell - Tuesday, 7 November 2023, 5:56 PM
Anyone in the world

The Australian Department of Home Affairs and the Cyber and Infrastructure Security Centre has released the first Critical Infrastructure Annual Risk Review, to mark Critical Infrastructure Security Month.

The review found that foreign interference and espionage are principal threats to Australia's infrastructure, with foreign actors seeking everything from critical research and intelligence to details on production and service levels.

However, the review also pointed out that trusted insiders pose a significant threat to the critical infrastructure sector, since they can deliberately - or accidentally - disclose sensitive information to third parties, manipulate systems and networks to cause damage, or be recruited by foreign intelligence services. Dark web job ads targeting disgruntled employees are used as a recruitment tool, and are also used as a vector for delivery of malware via trojaned application forms.

The report also pointed to the effectiveness of cyber attacks such as the 2021 Colonial Pipeline incident, which started as a ransomware attack on corporate systems but led to a decision to shut down operational technology systems in order to mitigate cross-system compromise.

The 31-page report has short chapters on critical infrastructure risk and regulation, sector interdependencies, cyber/infosecurity, supply chain threats, physical threats, natural hazards and personnel risks. It concludes with a short section which looks to the future.

Industry Partnerships Branch, Department of Home Affairs, Critical Infrastructure Annual Risk Review, November 2023. Available online at https://www.cisc.gov.au/resources-contact-information-subsite/Documents/critical-infrastructure-annual-risk-review-first-edition-2023.pdf.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
QNAP Patches RCE Vuln in QTS, QuTS
by Les Bell - Tuesday, 7 November 2023, 8:39 AM
Anyone in the world

NAS Vendor QNAP has released fixes for two remote command execution vulnerabilities in their QTS, QuTS hero and QuTS cloud operating systems. The vulnerabilities are:

  • CVE-2023-23368 (CVSS 3.1 score: 9.8), a command injection vulnerability affecting:
    • QTS 5.0.x (fixed in QTS 5.0.1.2376 build 20230421 and later)
    • QTS 4.5.x (fixed in QTS 4.5.4.2374 build 20230416 and later)
    • QuTS hero h5.0.x (fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
    • QuTS hero h4.5.x (fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
    • QuTScloud c5.0.x (fixed in QuTScloud c5.0.1.2374 and later)
  • CVE-2023-23369 (CVSS 3.1 score 9.8), a command injection vulnerability affecting:
    • QTS 5.1.x (fixed in QTS 5.1.0.2399 build 20230515 and later)
    • QTS 4.3.6 (fixed in QTS 4.3.6.2441 build 20230621 and later)
    • QTS 4.3.4 (fixed in QTS 4.3.4.2451 build 20230621 and later)
    • QTS 4.3.3 (fixed in QTS 4.3.3.2420 build 20230621 and later)
    • QTS 4.2.x (fixed in QTS 4.2.6 build 20230621 and later)
    • Multimedia Console 2.1.x (fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
    • Multimedia Console 1.4.x (fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
    • Media Streaming add-on 500.1.x (fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
    • Media Streaming add-on 500.0.x (fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)

These are all fairly old versions of the software, as revealed by the version numbers of the fixed updates, and so most well-maintained installations will be unaffected - and those that are should obviously update immediately.

The QNAP QTS control panel firmware update dialog.After all, the beauty of NAS appliances such as those from QNAP and Synology is that admins don't need to get down in the weeds with Linux command-line administration - but they do have to still follow good admin practices such as proactive patching. On the QNAP devices, this is as simple as logging in with an admin account, opening the Control Panel, selecting Firmware Update and clicking the "Check for Updates" button, which will kick off the update process (right). And it's not even necessary to log in regularly - the server can notify you or even automatically install critical updates. It's also possible to do this from your phone, via the Qmanager app.

Really, people, there are no excuses . . .

QNAP Inc., Vulnerability in QTS, QuTS hero, and QuTScloud, security advisory QSA-23-31, 4 November 2023. Available online at https://www.qnap.com/en-uk/security-advisory/qsa-23-31.

QNAP Inc., Vulnerability in QTS, Multimedia Console, and Media Streaming add-on, security advisory QSA-23-35, 4 November 2023. Available online at https://www.qnap.com/en-uk/security-advisory/qsa-23-35,

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Multiple Exchange0-Days - Lock That Server Down!
by Les Bell - Monday, 6 November 2023, 5:13 PM
Anyone in the world

Trend Micro's Zero Day Initiative has disclosed four new 0-day vulnerabilities in Microsoft's Exchange server. The vulnerabilities are:

The most serious of these is obviously ZDI-23-1578, which is described like this:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability.

The specific flaw exists within the ChainedSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

Trend Micro reported the vulnerability to Microsoft on 7 September; however Microsoft replied on 27 September:

The vendor states that the vulnerability does not require immediate servicing.

The company responded to the other vulnerabilities in the same way. I'm really not so sure about that. I'd be willing to be that a number of threat actors are sitting on Exchange user credentials which they have acquired via phishing, infostealers or other exploits, and they could make use of these credentials to authenticate and then run an exploit based on one or more of these vulnerabilities. After all, the vulnerable classes and methods are identified right there, in the advisories. And if a threat actor doesn't have the necessary credentials, this gives them motivation to go phishing.

A man fishing on a lake.

(Photo by Pascal Müller on Unsplash)

As the ZDI reports make clear, "Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.". I'd also be making my Exchange users a bit more aware of the possibilities of phishing attacks, and watching Exchange servers like a hawk.

Bazydlo, Piotr, ZDI Published Advisories, advisories list, 2 November 2023. Available online at https://www.zerodayinitiative.com/advisories/published/.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Trojaned Trojan is Really a Striped Fly
by Les Bell - Monday, 6 November 2023, 9:55 AM
Anyone in the world

A wooden trojan horse on a wheeled platform.

(Photo by Tayla Kohler on Unsplash)

"Trojan Horse" is one of many cybersecurity terms that is overloaded with multiple meanings ("sandbox" is another). In the early security literature, a trojan horse was a pair of programs which could bypass the rules of a multi-level security system, sneaking information from a high security level (like TOPSECRET) to a low security level (like UNCLASSIFIED) which would allow it to be removed from the system and its secure environment.

Later, the term was reused for other purposes - one of them being a program that looks like it does one thing, but really does another. The stereotypical example is a program that emulates the login process on a UNIX system, but actually captures the user's credentials. Wait till the victim goes to lunch, having failed to log out, then run the program on their terminal session, and when they return from lunch, they'll assume they logged out, will log in again and voila! You've captured their password.

These days, the range of trojans is much greater. Many masquerade as mobile device apps, occasionally making it past static checks and into official app stores. Others pose as unlocked or free versions of popular programs - even open source programs that are free to download from their official sites only (Googling for software downloads is dangerous as threat actors will pay advertising fees to get their trojans inserted at the top of the results).

The additional functions of these trojans vary as well: some are infostealers, some are droppers, some are backdoors. Malware analysts routinely examine trojan code to figure out what they do, using static analysis, disassembly or running them in a sandbox to safely observe their behaviour.

And so it was with a malware sample which was first detected back in 2017, which analysts had classified as a Monero cryptocurrency miner. This kind of thing does not pose a major threat - mainly, it's stealing CPU cycles and eventually the user will notice, figure out what's going on, kill it and remove it. No big deal, and nobody took much notice.

The years passed, until Kaspersky researchers unexpectedly detected a signature within the WININT.EXE process of a malware sample associated with the Equation group. As they looked deeper, they traced back through previous examples, right back to this original suspicious code of 2017. Deciding to perform a detailed analysis revealed something completely unexpected: the cryptocurrency miner was just one component of something much larger.

They discovered that the malware used the EternalBlue SMBv1 exploit, which was first disclosed in April 2017 when the ShadowBrokers group tried to auction what they claimed was a library of exploits stolen from the NSA. But it was much more sophisticated than other malware that used the same exploit - much stealhier, and much more complex.

In fact, this malware family, which the Kaspersky researchers dubbed StripedFly, can propagate within a network using not only EternalBlue, but also the SSH protocol. Infection starts with injection of shellcode which can download binary files from bitbucket[.]org and execute PowerShell scripts. It then injects additional shellcode, deplying a payload consisting of an expandable framework with plugin functionality, including an extremely lightweight Tor network client.

The malware achieves persistence in various ways; if it can run PowerShell scripts with admin privileges, it will create task scheduler entries, but if running with user privileges, it inserts an obfuscated registry entry. Either way, it stores the body of the malware in another base64-encoded registry key. If it cannot run PowerShell scripts - for example, if it infected the system via the Cygwin SSH server - then it creates a hidden file with a randomized name in the %APPDATA% directory.

The download repository on Bitbucket was created in 2018, and contains updated versions of the malware. The main C2 server, however, is on the Tor network; the malware connects to it at regular intervals, sending beacon messages. The various modules which extend the malware register callbacks, which are triggered on initial connection to the C2 server, or when a C2 message is received - an architectural hallmark of APT malware.

The modules can be used to upgrade or uninstall the malware, capture user credentials (including wifi network names and passwords, SSH, FTP and WebDav credentials), take screenshots, execute commands, record microphone input, gather specific files, enumerate system information and - of course - mine Monero cryptocurrency.

In short, this is a very sophisticated piece of malware, and not the simple cryptominer it was originally believed to be. Somehow it has flown under the radar for many years, remaining largely undetected. Just who is behind it, and what their objectives may be, is far from clear.

The Kaspersky report provides a detailed analysis and IOC's, along with an amusing side-note concerning a related piece of malware called ThunderCrypt.

Belov, Sergey, Vilen Kamalov and Sergey Lozhkin, StripedFly: Perennially flying under the radar, blog post, 26 October 2023. Available online at https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/.

New Blog Format

Regular readers will notice the changed format of this blog; rather than aggregating several stories in one post, we have switched to posting individual stories with a more informative title. As before, links within a story mostly lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Upcoming Courses

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
[ Modified: Monday, 6 November 2023, 3:47 PM ]
 
Les Bell
Security News: 2023-11-03
by Les Bell - Friday, 3 November 2023, 9:24 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Site Maintenance

This site will be offline intermittently over the weekend of Saturday 4 and Sunday 5 November as we migrate to a new server. Normal, stable service will resume at 8 am AEDT (Sydney time) on Monday 6 November.

News Stories

FIRST Publishes CVSS v4.0

FIRST - the Forum of Incident Response and Security Teams - has published version 4.0 of the Common Vulnerability Scoring System (CVSS). A draft of the standard was previewed back in June at the FIRST Conference in Montreal, and this was followed by two months of public comments and two months of work to address the feedback, culminating in the final publication.

CVSS is a key standard used for calculation and exchange of severity information about vulnerabilities, and is an essential component of vulnerability management systems, particularly the prioritization of remediation efforts. Says FIRST:

"The revised standard offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls. In addition, several supplemental metrics for vulnerability assessment have been added including Automatable (wormable), Recovery (resilience), Value Density, Vulnerability Response Effort and Provider Urgency. A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups."

A key part of the update is new nomenclature which will enhance the usability of CVSS in automated threat intelligence, particularly emphasizing that CVSS is not just the base score which is the most widely quoted, The new nomenclature distinguishes:

  • CVSS-B: CVSS Base Score
  • CVSS-BT: CVSS Base + Threat Score
  • CVSS-BE: CVSS Base + Environmental Score
  • CVSS-BTE: CVSS Base + Threat + Environmental Score

The base score provides information about the severity of the vulnerability itself. But in order to assess the risk posed by potential exploitation, it is necessary to take into account information specific to the defender's environment, such as the existence of compensating controls, not to mention the value of exposed assets and likely impact of exploitation. Some of these are expressed in the Environmental Metric group, which encompasses the CIA security requirements of the vulnerable system along with modifications to the Base Metrics as appropriate for the environment. Similarly, it is up to the user to use information about the maturity and availability of exploits and the skill level of likely threat actors in deriving a Threat Score. I expect some risk management professionals are already busy mapping these to elements of the FAIR ontology, such as Threat Capability and Resistance Strength.

Additional Supplemental Metrics can now be used to convey additional extrinsic attributes of a vulnerability, such as safety impacts, lack of automatibility and the effectiveness of recovery controls,  that do not affect the final CVSS-BTE score.

CVSS 4.0 is extensively documented, and FIRST has even developed an online training course, which can be found at https://learn.first.org/.

Uncredited, FIRST has officially published the latest version of the Common Vulnerability Scoring System (CVSS v4.0), press release, 1 November 2023. Available online at https://www.first.org/newsroom/releases/20231101.

Dugal, Dave and Rich Dale (chairs), Common Vulnerability Scoring System Version 4.0, web documenation page, 1 November 2023. Available online at https://www.first.org/cvss/v4-0/index.html.

CVSS v4.0 Calculator: https://www.first.org/cvss/calculator/4.0.

Still More AI Hallucination Embarassment

Regular readers might remember the scandal that erupted earlier this year when it was revealed that Big 4 consultancy PwC had been providing its clients with inside information about tax reforms which had been acquired in its role of advisor to the Australian Taxation Office. As we commented at the time, this would have been an egregious failure of the Brewer-Nash security model, better known as the Chinese Wall model, were it not for the fact that there was obviously no implementation of it in the first place.

That outrage surrounding this prompted a parliamentary enquiry into the ethics and professional accountability of the big audit and consulting firms more generally, with all the Big Four coming under sustained criticism for their practices. Now that enquiry has given us yet another example of how the uncritical use of large language models can give rise to major embarassment.

One of the public submissions to the parliamentary enquiry was prepared by a group of accounting academics who ripped into the several of Big Four, accusing KPMG of being complicit in a "KPMG 7-Eleven wage theft scandal" culminating in the resignation of several partners and claiming the firm audited the Commonwealth Bank during a financial planning scandal. Their submission also claimed that Deloitte was being sued by the liquidators of collapsed construction firm Probuild for failing to audit the firm's accounts properly, and also accused Deloitte of falsifying the accounts of a company called Patisserie Valerie.

Here's the problem: KPMG was not involved in 7-Eleven's scandal and never audited the Commonwealth Bank, while Deloitte never audited either Probuild or Patisserie Valerie.

So why did these academics accuse the firms? You guessed it: part of their submission was generated by an AI large language model, specifically Google's Bard, which the authors had used to create several case studies about misconduct.

The result was certainly plausible - the inquiry was, after all, instituted in response to similar, real cases - but the case studies it created were the result of classic LLM "hallucination", and the academics have now been forced to apologise and withdraw their work, submitting a new version.

It's going to be hard for their university to enforce their policy on academic integrity when even emeritus professors don't do their homework properly. We grade this paper as an "F" - failure to properly cite sources; possible plagiarism?

Belot, Henry, Australian academics apologise for false AI-generated allegations against big four consultancy firms, The Guardian, 2 November 2023. Available online at https://www.theguardian.com/business/2023/nov/02/australian-academics-apologise-for-false-ai-generated-allegations-against-big-four-consultancy-firms.

Upcoming Courses

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
[ Modified: Sunday, 5 November 2023, 10:41 AM ]