by Les Bell - Wednesday, 30 November 2022, 6:44 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Crypto Exchange Breached

I've been ignoring the litany of bad news surrounding cryptocurrencies: declining values, rugpulls, collapsing exchanges and all the rest - but I couldn't resist this one.

Canadian crypto exchange Coinsquare, which claims to be "Canada's trusted platform to securely buy, sell and trade Bitcoin, Ethereum, and more", has emailed customers to notify them that it discovered a "data incident" in which an unauthorized third party accessed a customer database containing customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances.

Coinsquare's email stated - just as many other recently-breached companies have - that "No passwords were exposed. We have no evidence any of this information was viewed by the bad actor". If we have learned one thing from all the recent breaches, it is that many companies have inadequate monitoring of the traffic exiting their networks, so that information exfiltration goes undetected.

I'd suggest taking a wait-and-see approach on this one.
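The monitoring gap mentioned above - nobody watching what leaves the network - is the kind of thing a simple egress baseline would catch. The following is an added example, not code from the original post or from Coinsquare: it takes constructed hourly flow summaries, counts only bytes sent from the organisation's own address ranges (assumed here to be the RFC 1918 networks) to outside destinations, and flags any host whose hourly egress jumps far above its own median. The flow records, hosts and thresholds are all made up for the illustration.

```python
"""Flag hosts whose outbound (egress) byte volume jumps far above their own
hourly baseline: the sort of monitoring that would surface a bulk database
exfiltration. Added example; all flow records below are constructed."""
import ipaddress
import statistics
from collections import defaultdict

# Assumption: the organisation's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries: (hour, src_ip, dst_ip, bytes_sent).
# 10.0.0.5 behaves normally for seven hours, then pushes ~4 GB out in hour 6.
FLOWS = [
    (h, "10.0.0.5", "203.0.113.10", 50_000_000) for h in range(7)
] + [
    (h, "10.0.0.7", "198.51.100.20", 60_000_000) for h in range(7)
] + [
    (3, "10.0.0.5", "10.0.0.9", 9_000_000_000),    # internal backup job: not egress
    (6, "10.0.0.5", "192.0.2.44", 3_950_000_000),  # the suspicious transfer
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_per_host_hour(flows):
    """Sum bytes sent from internal hosts to external destinations, per host and hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][hour] += nbytes
    return totals


def find_exfil_candidates(flows, factor=10, min_bytes=500_000_000):
    """Return (host, hour, bytes) for every hour in which a host sent more than
    `factor` times its own median hourly egress, above an absolute floor so that
    quiet hosts with a tiny baseline do not alert on routine traffic."""
    hits = []
    for host, by_hour in egress_per_host_hour(flows).items():
        baseline = statistics.median(by_hour.values())
        for hour, total in sorted(by_hour.items()):
            if total >= min_bytes and total > factor * baseline:
                hits.append((host, hour, total))
    return hits


if __name__ == "__main__":
    for host, hour, total in find_exfil_candidates(FLOWS):
        print(f"ALERT {host} hour={hour} egress={total / 1e9:.2f} GB")
```

The internal-to-internal 9 GB transfer in hour 3 is deliberately ignored: backups and replication between internal hosts are normal, and counting them would drown the signal. A per-host median is a crude baseline, but it is enough to show why a single hour of 4 GB leaving a database server stands out once someone is actually looking.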

Munawa, Frederick, Major Canadian Crypto Exchange Coinsquare Says Client Data Breached, Coindesk, 27 November 2022. Available online at https://www.coindesk.com/tech/2022/11/26/major-canadian-crypto-exchange-coinsquare-says-client-data-breached/.

CISA Adds Two New Exploited Vulnerabilities

On Monday, the US Cybersecurity & Infrastructure Security Agency added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating that they were now being exploited in the wild.

One is the heap buffer overflow vulnerability in the Google Chrome GPU process (CVE-2022-4135) which we covered last Saturday, and for which Google rushed out an update.

The other is a vulnerability, not yet described in detail, in the OpenSSO Agent component of Oracle Fusion Middleware Access Manager; it is easily exploitable and allows an unauthenticated attacker with network access to take over Access Manager. The vulnerability (CVE-2021-35587) has a CVSS 3.1 base score of 9.8 (CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability impacts versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0, which should be updated as soon as possible - it already should have been, since Oracle issued a Critical Patch Update in January 2022, following disclosure by Jangggg of VNPT and peterjson - Security Engineering - VNG Corporation. Which raises the question: why, one year on, is CISA seeing active exploitation?

CISA, Known Exploited Vulnerabilities Catalog, web page, 28 November 2022. Available online at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

Killnet Brags of Starlink and whitehouse.gov DDoS Attacks

Trustwave reports that the Russian state-linked threat actor, Killnet, claims to have launched successful DDoS attacks against a number of targets in the US and UK.

The group claims that on November 18, it, along with several other hacker groups, ran a DDoS attack against Starlink, the SpaceX-operated satellite Internet access provider - presumably as retribution for the company's provision of ground stations to Ukraine. Starlink's 3,000 low-earth orbit satellites provide high-bandwidth, low-latency Internet access - ideal for use by Ukrainian defending forces. The claim is supported by a Reddit thread in which users complained that they could not log in to their Starlink accounts.

The previous day, the group also claims, it ran a 30-minute attack on the official site of the White House, whitehouse.gov (which, it claimed, had 'military state protection against DDOS'!), and a few days later it DDoS'ed the site of the Prince of Wales, princeofwales.gov.uk, promising future attacks against other UK government, financial and healthcare sites. Again, the motivation appears to be those countries' support for Ukraine.

SpiderLabs Research, Killnet Claims Attacks Against Starlink, Whitehouse.gov and United Kingdom Websites, blog post, 23 November 2022. Available online at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/killnet-claims-attacks-against-starlink-whitehousegov-and-united-kingdom-websites/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

by Les Bell - Tuesday, 29 November 2022, 8:48 AM

News Stories


GitHub, PyPI Used to Spread Malicious Python Packages to Naive Users

We have previously reported on attempts to poison the software supply chain via the creation of trojaned Python packages on GitHub, promoted via the PyPI package repository. Generally, this method relies on naive developers making use of the packages in their projects and thereby infecting unsuspecting victims.

However, a new campaign is attracting the victims directly, targeting the victims via a viral TikTok craze. A TikTok filter called "Invisible Body" removes the body of a video's subject, replacing it with a blurred contour image, and a trending craze, "Invisible Challenge", dares people to film themselves naked, then post the resultant "Invisible Body"-processed video.

This is where the cunning attacker comes in: via TikTok videos, he offers some software called "unfilter" which claims to be able to remove the "Invisible Body" filter effect. His videos have attracted over a million views inside just a few days, and over 30,000 people have responded by following the instructions to join a Discord server which, in turn, sends an automated message asking the victim to 'star' a GitHub repository (boosting its apparent popularity) and download the malicious Python package. This carries the WASP stealer, which will plunder Discord accounts, passwords, crypto wallets, credit cards and other files from the victim's computer.

Be careful what you ask for; if it seems too good to be true . . .

Nachson, Guy and Tal Folkman, Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package, blog post, 28 November 2022. Available online at https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package/.

Baseboard Management Controllers Bring Vulnerabilities to Internet of Things

Baseboard management controllers (BMCs) are system-on-a-chip devices originally intended for remote monitoring and management of computers; they have long been a feature of mainframes (where they were much larger boards) but over the last decade or so have made their way into server motherboards, where they provide low-level functionality such as network access to a hardware console, BIOS reflashing, power control, etc.

However, these chips are now finding their way into Internet of Things (IoT) and Operational Technology (OT) devices, where they are used to provide network services such as a web-based management dashboard. Taiwanese manufacturer Lanner Inc., which specialises in embedded applications, sells the IAC-AST2500A, a BMC-based expansion card with firmware based on AMI's MegaRAC SP-X, which is also used in popular servers.

A new report from network security specialist Nozomi Networks details thirteen vulnerabilities in the web interface of this card, not all of them remediated as of this date. They include command injections, stack-based buffer overflows, broken access control, session fixation, username enumeration and others, and several of them can be chained to permit remote code execution.

Uncredited, Vulnerabilities in BMC Firmware Affect OT/IoT Device Security - Part 1, blog post, 22 November 2022. Available online at https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/.

Meta Cops Large Fine for Facebook Data Scraping Breach

The Irish Data Protection Commission (DPC) has announced the conclusion of its investigation of Meta Platforms Ireland Limited (MPIL) in relation to the release of the personal information of 533 million Facebook users. The DPC has imposed a fine of €265 million, along with a range of specific corrective measures.

The breach, which occurred in early 2020, exposed personal information such as the Facebook ID, name, gender, relationship status, occupation, email address and phone number of each user, and was accomplished using a data scraper to mine and then correlate data from Facebook Search, the Facebook Messenger Contact Importer and the Instagram Contact Importer between May 2018 and September 2019. The data was then made available via a hacker forum.

The DPC found that MPIL had infringed two clauses of Article 25 of the EU General Data Protection Regulation:

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

The Data Protection Commission is a key enforcement agency for the GDPR, since so many multinational tech companies base their European operations in Ireland.

Uncredited, Data Protection Commission announces decision in Facebook "Data Scraping" Inquiry, press release, 28 November 2022. Available online at https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry.


by Les Bell - Monday, 28 November 2022, 8:30 AM

News Stories


EUROPOL Coordinated Action Brings Down Caller ID Spoofing Site

Caller ID spoofing isn't particularly difficult, but it was made even easier by a site called iSpoof which allowed criminals to anonymously make spoofed calls impersonating banks, government agencies and retail companies, send recorded messages and - perhaps most significantly - intercept time-based one-time passwords or mTANs. Now, following an investigation initiated by the Metropolitan Police in the UK, police forces in Europe, Australia, the US, Ukraine, Canada and other countries have simultaneously arrested 142 suspects, including the main administrator of the web site, and shut it down.

The investigation revealed that the website had earned over €3.7 million from its fee-paying criminal customers in just 16 months. However, victims in the UK alone had lost £43 million to the scams operated through the site, and worldwide losses were in excess of £100 million (€115 million).

Said Europol Executive Director, Ms Catherine De Bolle:

The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located.  Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.

Uncredited, Action against criminal website that offered 'spoofing' services to fraudsters: 142 arrests, press release, 24 November 2022. Available online at https://www.europol.europa.eu/media-press/newsroom/news/action-against-criminal-website-offered-%E2%80%98spoofing%E2%80%99-services-to-fraudsters-142-arrests.

ConnectWise XSS Vulnerability Allows Scammers to Masquerade As Legit

Tech support scams are one of the banes of the modern world. Often run out of call centres in India and targeting the elderly and more vulnerable, these scams work by convincing the victim to download and install a remote access tool (whether knowingly or via a trojaned download), handing control to the scammer so they can 'fix a malware infection' - in practice, they will do anything from demanding payment to fix a concocted 'infection' to plundering the victim's bank account.

The scammers will use any of several remote access tools, including TeamViewer, AnyDesk, LogMeIn or ConnectWise. Rather than pay for licensed copies of the software, the scammers will rely on the free trial version - often a good indication that the operation is not legitimate: for example, ConnectWise adds a prominent advisory message on the main page of all trial or free accounts.

However, as revealed by Guardio Labs, the customization features of this page - used by legitimate companies to brand their tech support portals - contain a cross-site scripting vulnerability which allows the scammers to disable the trial version advisory that would warn victims, by adding some JavaScript code to set the advisory message's visibility property to 'hidden'. In fact, not only can scammers hide the advisory, they can use the customization features to masquerade as a legitimate tech support portal.

Guardio notified ConnectWise, who fixed the XSS vulnerability and completely removed the customization feature for trial and free accounts.
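The underlying bug class is easy to see in a few lines. Below is an added example, not ConnectWise's code and not from the Guardio write-up: a customer-supplied branding string is rendered into a portal page either raw (so a value carrying markup becomes part of the page and can act on other elements, such as a trial banner) or with context-appropriate output encoding, so the same value is shown as inert text. The page structure, the `trial-banner` element and the allowlist pattern are assumptions for the illustration; the hostile branding value is constructed.

```python
"""Customer-controlled branding rendered into a portal page: the unescaped
rendering lets a customization value inject markup and script, the escaped
rendering treats the same value as plain text. Added example; the page
layout, element names and sample values are constructed."""
import html
import re

# Assumed page element the vendor wants to keep visible on trial accounts.
TRIAL_BANNER = '<div id="trial-banner">This is a trial account</div>'

# Constructed customization value: a plausible name plus an embedded script tag.
HOSTILE_BRANDING = "Acme Support <script>/* constructed test payload */</script>"

# Defence in depth: an allowlist of what a display name may legitimately contain.
BRANDING_RE = re.compile(r"^[A-Za-z0-9 .,&'()-]{1,64}$")


def render_portal_vulnerable(branding: str) -> str:
    """Interpolates the customer's value straight into the markup."""
    return f"<html><body>{TRIAL_BANNER}<h1>{branding}</h1></body></html>"


def render_portal_hardened(branding: str) -> str:
    """HTML-encodes the value for the element-content context it lands in."""
    safe = html.escape(branding, quote=True)
    return f"<html><body>{TRIAL_BANNER}<h1>{safe}</h1></body></html>"


def validate_branding(value: str) -> bool:
    """Reject values outside the allowlist before they are ever stored."""
    return BRANDING_RE.fullmatch(value) is not None


def contains_active_content(page_html: str) -> bool:
    """Crude indicator used only to show the difference between the two
    renderings; real protection comes from encoding plus a Content-Security-Policy,
    not from scanning output for tags."""
    lowered = page_html.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


if __name__ == "__main__":
    print("raw rendering carries script:", contains_active_content(render_portal_vulnerable(HOSTILE_BRANDING)))
    print("escaped rendering carries script:", contains_active_content(render_portal_hardened(HOSTILE_BRANDING)))
    print("allowlist accepts hostile value:", validate_branding(HOSTILE_BRANDING))
```

Output encoding is the fix that actually closes the hole; the allowlist is a second layer that stops obviously out-of-place input reaching storage at all, which matters when the same stored value is later rendered by several different code paths.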

Tal, Nati, XSS Vulnerability Found in ConnectWise Remote Access Platform With Great Potential For Misuse by Scammers, blog post, 24 November 2022. Available online at https://labs.guard.io/xss-vulnerability-found-in-connectwise-remote-access-platform-with-great-potential-for-misuse-by-scammers-a0773da2aacf.

Preventing Remote Code Execution Vulnerabilities

The increased exposure of RESTful and other APIs on the public Internet has led to an increase in exploits such as Log4Shell and WannaCry which are able to perform remote code execution. These exploits make use of inadequate input sanitization, bugs in parsing libraries and even buffer overflows, not so much in the developers' own code - although that happens - but increasingly in the libraries and frameworks which programmers rely on for standard functionality.

An article in Dark Reading summarizes a number of useful techniques that developers and admins can make use of in DevSecOps environments to proactively reduce the risk of RCE vulnerabilities. The major techniques are:

  • Continuously run software composition analysis tools on your code base - for example, OWASP Dependency-Check for Java, or commercial tools such as Snyk and Mend, which report vulnerable third-party libraries
  • Use static analysis security test (SAST) tools - e.g. Bandit for Python, gosec for Go, or cross-language tools like SonarQube and Semgrep
  • Avoid default error messages - these may provide useful information (such as stack traces) to attackers
  • Configure everything as code - and use tools such as KICS and Checkov to scan configuration files for vulnerabilities before deployment
  • Do not run code on native machines, and apply the Principle of Least Privilege - use containers and maintain a narrow set of permissions and privileges for each
  • Employ dynamic analysis security test tools - e.g. ZAP to scan APIs for vulnerabilities

Many of these tools can be integrated into the DevSecOps pipeline. Of course, all the usual secure coding guidelines also apply.
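The first item on that list, software composition analysis, amounts to matching what you ship against what is known to be vulnerable. As an added illustration (not code from the Dark Reading article, and not how Dependency-Check, Snyk or Mend are implemented), the block below parses a pinned `requirements.txt`, compares each pin against a constructed advisory list with introduced/fixed version ranges, and reports the matches; the package names, versions and advisory identifiers are all placeholders made up for the example, and the version comparison handles only plain dotted numbers.

```python
"""Minimal software-composition-analysis check over a pinned requirements
file, in the spirit of the SCA tools named above. Added example; the advisory
data, package names and requirements below are all constructed."""
import re

# Constructed advisories: (package, introduced, fixed, identifier).
# A version is affected if introduced <= version < fixed. Identifiers are placeholders.
ADVISORIES = [
    ("text-utils", "1.5.0", "1.10.0", "ADV-EXAMPLE-0001"),
    ("log-helper", "2.0.0", "2.17.1", "ADV-EXAMPLE-0002"),
]

# Constructed requirements.txt: one vulnerable pin, one already on the fixed version.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
text-utils==1.9.2
log-helper==2.17.1
requests-mock==1.0.0
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)$")


def parse_version(s: str):
    """Dotted numeric versions only ('1.9.2' -> (1, 9, 2)); pre-release
    suffixes are out of scope here and raise ValueError."""
    return tuple(int(part) for part in s.split("."))


def parse_requirements(text: str) -> dict:
    """Return {name: version} for 'name==version' lines; comments are ignored.
    Unpinned lines are rejected because an SCA result is meaningless for a
    dependency whose version is not fixed at build time."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins: dict, advisories=ADVISORIES) -> list:
    """Return (name, version, advisory_id, fixed_version) for every affected pin."""
    findings = []
    for name, version in pins.items():
        v = parse_version(version)
        for pkg, introduced, fixed, adv_id in advisories:
            if pkg == name and parse_version(introduced) <= v < parse_version(fixed):
                findings.append((name, version, adv_id, fixed))
    return findings


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name}=={version} is affected by {adv_id}; upgrade to >= {fixed}")
```

In a pipeline this is the step that fails the build when `find_vulnerable` returns anything; the real tools differ mainly in where the advisory data comes from and in handling the messier version schemes that the toy comparison above deliberately refuses.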

Manor-Liechtman, Gabriel, How Development Teams Should Respond to Text4Shell, Dark Reading, 24 November 2022. Available online at https://www.darkreading.com/dr-tech/how-development-teams-should-respond-to-text4shell.


by Les Bell - Saturday, 26 November 2022, 9:41 AM

News Stories


Google Rushes Out Patch for Chrome 0Day Vulnerability

Google has released an update for the Windows, Mac and Linux versions of the Chrome browser in order to mitigate CVE-2022-4135, a heap buffer overflow in Chrome's GPU Process. This vulnerability is being exploited in the wild, but details are scarce, since Google restricts access to bug details until a majority of users have updated their systems, and keeps the restriction in place longer if the bug exists in a third-party library that other projects depend upon.

Bommana, Prudhvikumar, Stable Channel Update for Desktop, blog post, 24 November 2022. Available online at https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html.

Interpol Cracks Down on Online Fraud

A major international operation started by INTERPOL in late June has now culminated in the arrest of almost 1,000 suspects who were allegedly engaged in a wide range of online scams and money laundering. At the same time, virtual assets worth $US129,975,440 were seized.

Operation HAECHI III specifically targeted vishing (voice phishing), romance scams, sextortion, investment fraud and money laundering associated with illegal online gambling, and was coordinated by INTERPOL's Financial Crime and Anti-Corruption Centre, involving 30 countries: Australia, Austria, Brunei, Cambodia, Cote d'Ivoire, France, Ghana, Hong Kong (China), India, Indonesia, Ireland, Japan, Korea, Kyrgyzstan, Laos, Malaysia, Maldives, Nigeria, Philippines, Poland, Romania, Singapore, Slovenia, South Africa, Spain, Sweden, Thailand, United Arab Emirates, United Kingdom, and the United States.

The investigators saw several new trends in financial crime, such as an increase in fraudulent investment schemes committed via instant messaging apps combined with cryptocurrency payments. In another case, the Austrian and Indian National Central Bureaus of INTERPOL identified a group of scammers who had been impersonating INTERPOL officers, relieving victims of $US159,000 via financial institutions, crypto exchanges and online gift cards. The Indian authorities raided the scammers' call centre, seizing four cryptocurrency wallets and other evidence.

The operation highlights the international nature of online cybercrime, and the need for cross-border cooperation by authorities.

Uncredited, Cyber-enabled financial crime: USD 130 million intercepted in global INTERPOL police operation, news release, 24 November 2022. Available online at https://www.interpol.int/News-and-Events/News/2022/Cyber-enabled-financial-crime-USD-130-million-intercepted-in-global-INTERPOL-police-operation.

RansomExx Gets Rusty

The RansomExx ransomware has been around since 2018, operated by a threat actor called DefrayX or Hive0091. The same group is also behind the PyXie malware, Vatet loader and Defray ransomware.

Now, like many other malware developers, DefrayX has switched their development from the C++ programming language to Rust. Although the Rust programming language has garnered attention from systems programmers because it is memory safe, it is drawing increased attention from malware developers because it can produce statically-linked stand-alone binaries and - perhaps more importantly - it has much lower detection rates when scanned by antivirus tools. Its large and complex binaries also make them harder for malware analysts to reverse engineer.

The new variant of RansomExx, dubbed RansomExx2, has similar functionality to its C++ progenitor - it is a command-line program which requires a list of directories to encrypt, passed as command-line arguments, and then performs encryption with AES-256 and wraps the AES keys with RSA encryption. IBM X-Force Threat Researchers have provided a comprehensive write-up on a sample.

Hammond, Charlotte, RansomExx Upgrades to Rust, blog post, 22 November 2022. Available online at https://securityintelligence.com/posts/ransomexx-upgrades-rust/.


by Les Bell - Friday, 25 November 2022, 10:04 AM

News Stories


Aviation Industry A Ransomware Target?

A few days ago we wrote about the Daixin Team's attack on AirAsia, whose network they dismissively complained was so badly managed they were embarrassed to exploit it. However, Cyble has compiled a list of recent ransomware attacks on airlines around the world. Although not naming the airlines, they seem to be generally smallish, domestic or budget carriers in several countries:

  • Malaysia
  • Thailand
  • Portugal
  • Kuwait

Doubtless there are others which have gone unreported. And even the larger carriers are not immune - British Airways suffered an embarrassing supply-chain attack which resulted in the theft of customer credit card details.

The aviation industry was badly affected by COVID lockdowns, which required budgets to be slashed. However, airlines are also custodians of a lot of sensitive data - some of it personal, some of it operational - and of some systems with real safety implications, all of it highly interconnected with external systems and contractors. The fact that times are tough is not a good reason to drop your guard, unfortunately.

Uncredited, Aviation Industry Facing Ransomware Headwinds, blog post, 23 November 2022. Available online at https://blog.cyble.com/2022/11/23/aviation-industry-facing-ransomware-headwinds/.

Microsoft Warns of IoT Supply Chain Problems

In a blog post, Microsoft's Security Threat Intelligence team warns of a threat affecting Internet of Things (IoT) devices and the operational technology (OT) networks they may expose.

As security professionals are aware, IoT devices are often manufactured at low cost for a mass market, designed by engineers who focus on electronics and sensor technology and who rely on pre-packaged software in the form of operating systems, subsystems and programming languages for the system-on-a-chip controllers embedded into their designs. Just take a look at online tutorials for Raspberry Pi and similar devices, which generally rely on high-level Python code to read sensor inputs and control outputs, with the assumption that the underlying layers of the stack are a) reliable and b) secure.

The latter assumption, especially, is often invalid. In the particular case which triggered the blog post, an intrusion into electrical grid critical infrastructure in India, the initial intrusion point was an IoT device, and specifically an embedded web server, which is commonly used to provide either a user interface or an API for devices. In this case, the server was the Boa web server, supplied as part of software development kits for IoT devices, such as the SDK provided by Realtek. The problem is that development and support of the Boa web server ceased in 2005. While patches for the Realtek SDK are available, they may not get through the entire supply chain to the final, shipped devices - let alone to the network owners and operators who acquire them.

Microsoft's blog post provides a list of recommended mitigations, primarily aimed at network operators - the IoT device designers seem to be a lost cause. . .

Castleman, Adam, et al., Vulnerable SDK components lead to supply chain risks in IoT and OT environments, blog post, 22 November 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/.

San Francisco Cops Seek Permission for Robots to Use Deadly Force

A little beyond the usual remit of security defenders, this story: the San Francisco Police Department is petitioning the city's Board of Supervisors for permission to deploy robots which are capable of killing suspects that officers believe are so dangerous that the "risk of loss of life to members of the public or officers is imminent and outweighs any other force option available to SFPD".

Police forces now often use remote-controlled robots for tasks such as inspecting suspected explosive devices; as well as carrying cameras and manipulators, such robots can also fire a blank shotgun shell into a device in an attempt to harmlessly destroy the device, if not the robot as well. And such robots could also conceivably fire a live round. YouTube already has several videos which show robot dogs discharging automatic weapons at targets.

Unsurprisingly, this proposal is meeting with significant opposition. After all, what could possibly go wrong?

Tarantola, A., San Francisco police seek permission for its robots to use deadly force, Engadget, 23 November 2022. Available online at https://www.engadget.com/san-francisco-police-seek-permission-for-its-robots-to-use-deadly-force-183514906.html.

Fake VPN Apps Catch Android Users

Extensive advertising campaigns featuring masked, hoodie-wearing bad guys, coupled with the desire to access geo-restricted content, have motivated many individual consumers and SME operators to install virtual private network (VPN) client software, although for many cloud-hosted applications there is little to suggest that VPNs provide much more security than the use of standard TLS everywhere.

Now ESET researchers warn of a campaign targeting Android device users with a fake SecureVPN web site which hosts a trojaned Android app. The threat actor behind this campaign is the Bahamut cyberespionage APT, which has been active since at least 2017, targeting victims in the Middle East and South Asia with spearphishing lures. This particular campaign and the associated malware appeared first in early 2022, hosted on a simple web site created with a free web template. The malicious domain was named thesecurevpn[.]com, playing on the legitimate product's domain at securevpn.com.

The fake VPN malware shares code with the earlier SecureChat campaign run by Bahamut; once it is installed it can exfiltrate a range of sensitive data from the victim's device, including contacts, SMS messages, device location, device accounts, recorded phone calls, device info including installed apps and a list of files on external storage. It can also extract information about calls made using a range of popular messaging apps including Facebook Messenger, Viber, WhatsApp, Telegram, WeChat and others.

ESET's report provides a full analysis including MITRE ATT&CK techniques and other IOCs.

Stefanko, Lukas, Bahamut cybermercenary group targets Android users with fake VPN apps, blog post, 23 November 2022. Available online at https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/.


by Les Bell - Thursday, 24 November 2022, 8:58 AM

News Stories


Defenders Gift Bad Guys Yet Another Tool

Beware the Law of Unintended Consequences, goes the old saying. In the early days of pen-testing, we used to develop our own exploits or collect them from 'underground' sites. Then came Metasploit, and suddenly the skill level required to perform the more routine testing dropped significantly. Newer tools like Cobalt Strike and Brute Ratel made post-exploitation red team activities easier, too. But the unintended consequence is that over the last few years, threat actors have got their hands on these tools, and they are making life easier for the attackers, too.

Now, a new report from Proofpoint Threat Research points out the risk of this happening again. In late 2021, UK-based consulting firm MDSec released Nighthawk, which they bill as "the most advanced and evasive command-and-control framework available on the market". According to Proofpoint's report, based on their observation of an initial deployment of the framework in September 2022, Nighthawk uses a variety of anti-forensics and evasion techniques which make it particularly stealthy. For example, its loader is encrypted, and even once it is running its embedded strings are kept encoded with a simple algorithm and decoded on the fly, so that a cleartext string exists in memory only for a very short period, making detection more difficult.

Similarly, the main Nighthawk payload uses a simple substitution cipher on its strings, and employs a much longer list of evasion techniques, some of them disclosed by MDSec, others not. For example, the tool unhooks the DLL load notification registrations of security products and other process instrumentation callbacks, and also self-encrypts in order to evade process memory scans.
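Brute-forcing a single-byte XOR string table is the analyst's usual first move against a loader that hides its strings behind a simple encoding. The script below is an added example written for this note, not Proofpoint's or MDSec's code, and it makes no claim about Nighthawk's real scheme: the key, the hidden strings and the junk around them are constructed. It ranks candidate keys by known Windows API cribs rather than by raw printable volume, because keys that differ from the real one by a low bit (key ^ 0x01, key ^ 0x20 and so on) also decode letters to letters and would tie on volume alone.

```python
"""Brute-force single-byte XOR string recovery from a binary blob.

Constructed example: the key, the hidden strings and the filler are made up for this
note; this is not Nighthawk's encoding scheme nor code from the Proofpoint report.
"""
import hashlib

# Bytes accepted inside a recovered string: printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Substrings an analyst expects in a Windows loader's string table. Ranking by crib hits
# instead of raw printable volume matters: keys that differ from the real one by a low bit
# (key ^ 0x01, key ^ 0x20, ...) also decode letters to letters and would tie on volume.
CRIBS = ("kernel32", "ntdll", ".dll", "Virtual", "Process", "Thread", "http")

# Constructed sample: a cleartext banner (key 0x00 recovers it, as `strings` would) and
# four API names hidden under one XOR key. Assumption: a single-byte key, the simplest
# scheme this technique is meant for.
KEY = 0xA7
SECRET_STRINGS = ["CreateRemoteThread", "NtProtectVirtualMemory",
                  "WriteProcessMemory", "kernel32.dll"]
BANNER = "This program cannot be run in DOS mode."


def xor(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def printable_runs(buf: bytes, min_len: int):
    """Yield maximal runs of printable bytes at least min_len long, as ASCII text."""
    run = bytearray()
    for b in buf:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def score(strings) -> tuple:
    """(crib hits, total length): cribs first, recovered volume as the tie-breaker."""
    hits = sum(s.count(c) for s in strings for c in CRIBS)
    return (hits, sum(len(s) for s in strings))


def recover_xor_strings(blob: bytes, min_len: int = 8):
    """Try all 256 keys; return [(key, [strings])] with the best candidate first."""
    ranked = []
    for key in range(256):
        found = list(printable_runs(xor(blob, key), min_len))
        if found:
            ranked.append((key, found))
    ranked.sort(key=lambda kv: score(kv[1]), reverse=True)
    return ranked


def build_sample_blob() -> bytes:
    """Deterministic junk around the strings. Each string is wrapped in NUL terminators
    (encoded along with it), so the decoded run ends exactly where the string does."""
    def junk(tag: bytes) -> bytes:
        return hashlib.sha256(tag).digest()   # 32 bytes of filler per segment

    blob = junk(b"hdr") + b"\x00" + BANNER.encode() + b"\x00" + junk(b"mid")
    for s in SECRET_STRINGS:
        blob += xor(b"\x00" + s.encode() + b"\x00", KEY) + junk(s.encode())
    return blob


SAMPLE_BLOB = build_sample_blob()

if __name__ == "__main__":
    for key, strings in recover_xor_strings(SAMPLE_BLOB)[:3]:
        print(f"key 0x{key:02x}: {strings}")
```

Key 0x00 is simply what `strings` would show; a non-zero key that ranks above it with real API names in its output is the tell that a sample is hiding its string table this way. A substitution cipher, as the main payload reportedly uses, needs a different attack (frequency or crib analysis of the mapping), but the same crib-based ranking applies.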

Although it is - as with many of these tools - subject to client vetting and export controls, there is no way that threat actors will not take a close interest in this and similar post-exploitation frameworks, making it likely that, sooner or later, we will see cracked versions fall into their hands. Proofpoint's analysis is a hint to detection vendors to start working on this threat now - as we reported yesterday, Google has started doing exactly that with Cobalt Strike.

Rausch, Alexander, et al., Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice, blog post, 22 November 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice.

Russian Gangs Have Been Busy, Moving from Scams to Infostealing

Yesterday we reported on the evolution of the Aurora infostealer and now, a new report from Singapore-based Group-IB provides a high-level view of the groups that use this and other stealers.

Group-IB has tracked how low-level online scammers have shifted to a more dangerous - and, presumably, profitable - scheme of distributing infostealers. Their operations are coordinated via Telegram groups, where they are directed to drive traffic to sites which impersonate well-known companies and brands, and induce their victims to download malware.

The figures are impressive: 34 Russian-speaking groups are distributing a variety of stealers - primarily Raccoon and RedLine - under the stealer-as-a-service model, in order to obtain credentials for a range of services, mainly gaming accounts on Steam and Roblox, as well as Amazon and PayPal accounts and even crypto wallet information. In the first seven months of 2022, their roughly 200 members infected over 890,000 devices and stole over 50 million passwords, mainly in the US, Brazil, India, Germany and Indonesia.

They also managed to acquire over two billion cookies, 113,204 crypto wallets and over 100,000 payment cards, representing a total value approaching $US6 million if sold on the cybercriminal underground.

Uncredited, Professional stealers: opportunistic scammers targeting users of Steam, Roblox, and Amazon in 111 countries, press release, 23 November 2022. Available online at https://www.group-ib.com/media-center/press-releases/professional-stealers/.

Pro-Kremlin Group Brings Down EU Parliament Site

The English-language web site of the European Parliament (at https://www.europarl.europa.eu/portal/en) was disrupted earlier today by a distributed denial of service attack.

"The availability of @Europarl_EN website is currently impacted from outside due to high levels of external network traffic. This traffic is related to a DDOS attack (Distributed Denial of Service) event.", tweeted Jaume Duch, Director General for Communication and Spokesperson of the European Parliament.

According to Roberta Metsola, President of the European Parliament, a pro-Kremlin group had claimed responsibility, likely as a response to the Parliament having proclaimed Russia as a state sponsor of terrorism.

The site is now operating normally.

Duch, Jaume, "The availability of @Europarl_EN website ...", Tweet, 24 November 2022. Available online at https://twitter.com/jduch/status/1595433790809284614.

Metsola, Roberta, "The @Europarl_EN is under a sophisticated cyberattack.", Tweet, 24 November 2022. Available online at https://twitter.com/EP_President/status/1595443471518777345.

Monero Mining Apparently Still Profitable

While sales of GPU chips have apparently tanked due to Ethereum's switch to proof-of-stake and the general collapse of cryptocurrency markets, it seems that there is still money to be made in mining the Monero cryptocurrency - especially if you are mining at no cost to yourself, using lots of other people's machines.

Cyble Research and Intelligence Labs reports on a number of phishing campaigns targeting gamers and others who use tools like MSI Afterburner to overclock and tweak their GPUs. The phishing emails direct the victims to approximately 50 different fake Afterburner download sites, from which they obtain a malicious installer. This drops and executes a file named browser_assistant.exe, which downloads an encoded XMR miner binary from a GitHub repository and injects it into explorer.exe.

Finally, the malware starts mining, using all the GPU resources of the victim's machine and degrading its performance, while depositing the coins it mines into the threat actor's wallet address - a nice little earner, as they say. Cyble's report provides a full breakdown, mapping to MITRE ATT&CK techniques and IOCs.
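From the defender's side, the chain above (an installer drops a helper in a user-writable path, the helper injects into explorer.exe, explorer.exe then talks to a mining pool) is easy to express over Sysmon process-creation, network-connection and CreateRemoteThread events. The script below is an added example and not part of the Cyble report: the log lines are constructed, and the pool-port list and the user-writable-path heuristic are assumptions to tune to your own telemetry.

```python
"""Hunt for the fake-installer -> dropped helper -> injection into explorer.exe -> mining
chain in Sysmon-style events (IDs 1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread).

The log lines are constructed for this example; the pool-port list and the
user-writable-path heuristic are assumptions, not indicators from the Cyble report.
"""
import json
import re

# Ports commonly used by Stratum mining pools (assumption; tune to your environment).
MINER_PORTS = {3333, 4444, 5555, 7777, 14444, 14433}

# Locations an unprivileged user can write to; code running from here that injects into a
# system process or talks to a pool is far more suspicious than the same from System32.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|Temp|ProgramData)\\", re.I)

# Constructed Sysmon-like events, one JSON object per line (documentation IP ranges).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\gamer\\Downloads\\MSIAfterburnerSetup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Users\\gamer\\AppData\\Local\\Temp\\browser_assistant.exe", "ParentImage": "C:\\Users\\gamer\\Downloads\\MSIAfterburnerSetup.exe"}
{"EventID": 3, "Image": "C:\\Users\\gamer\\AppData\\Local\\Temp\\browser_assistant.exe", "DestinationHostname": "raw.githubusercontent.com", "DestinationIp": "198.51.100.10", "DestinationPort": 443}
{"EventID": 8, "SourceImage": "C:\\Users\\gamer\\AppData\\Local\\Temp\\browser_assistant.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "-", "DestinationIp": "203.0.113.7", "DestinationPort": 3333}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.example.com", "DestinationIp": "192.0.2.1", "DestinationPort": 443}
"""


def parse_events(text: str):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, detail) findings. The pass is stateful so that pool traffic from a
    process that was injected into earlier scores above an isolated odd connection."""
    findings = []
    injected = {}  # basename of injection target -> path of the injector
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, parent = ev["Image"], ev.get("ParentImage", "")
            # An installer in a user path spawning a differently named binary in a user path.
            if (USER_WRITABLE.search(image) and _base(parent).endswith("setup.exe")
                    and not _base(image).endswith("setup.exe")):
                findings.append(("installer-drops-secondary-exe", f"{_base(parent)} -> {image}"))
        elif eid == 8:
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            # Remote thread creation from a user-writable path: classic injection telemetry.
            if USER_WRITABLE.search(src):
                injected[_base(tgt)] = src
                findings.append(("remote-thread-from-user-path", f"{src} -> {_base(tgt)}"))
        elif eid == 3:
            image, port = ev["Image"], int(ev["DestinationPort"])
            if port in MINER_PORTS:
                rule = ("miner-port-from-injected-process" if _base(image) in injected
                        else "miner-port-connection")
                findings.append((rule, f"{_base(image)} -> {ev.get('DestinationIp', '?')}:{port}"))
    return findings


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Note that the GitHub download itself is deliberately not a rule: developer tooling fetches from raw.githubusercontent.com all day, so it is the injection and the pool traffic from explorer.exe, not the download, that carry the signal.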

Uncredited, Fake MSI Afterburner Sites Delivering Coin-Miner, blog post, 23 November 2022. Available online at https://blog.cyble.com/2022/11/23/fake-msi-afterburner-sites-delivering-coin-miner/.


by Les Bell - Wednesday, 23 November 2022, 9:10 AM

News Stories


Google Helps Cobalt Strike Defences

As we have previously covered, the red team post-exploitation toolkit, Cobalt Strike, has been cracked by threat actors and is increasingly turning up in the wild as part of attacks. Cobalt Strike is packaged as a single Java .jar file, and a deployment starts with running the Team Server component, which sets up a command and control server which also acts as a hub for the red team to control infected systems. From there, Cobalt Strike clients can connect to the Team Server to deploy attack components which can infect systems with shellcode stagers which, in turn, connect to the Team Server over any of several protocols to download the final backdoor component, called a Beacon.

Now, in order to assist defenders in detecting the use of Cobalt Strike components in the wild, Google's Cloud Threat Intelligence team has unpacked the .jar files for Cobalt Strike versions from v1.44 through to v4.7, and built YARA rules to allow their detection. To date, the Google researchers identified 34 different Cobalt Strike releases, each containing between 10 and 100 attack template binaries, for a total of 275 unique .jar files. The result was a minimum of 340 binaries to be analyzed and their signatures derived.

However, realizing that the ability to detect Cobalt Strike beacons and other components would somewhat devalue its use as a pen-testing tool, Google have decided not to include the latest version - probably a sensible decision since the leaked and cracked versions are usually at least one version behind. Google has released both YARA signatures and a VirusTotal Community Collection.
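As an added illustration of the kind of cataloguing Google describes (this is not Google's tooling or its rules), the Python below inventories the template resources inside a JAR, diffs two releases to see which templates were added or rebuilt, and extracts byte windows common to both versions of a template as anchors for a YARA hex string, which is what lets one rule cover several releases where a per-file hash would not. The JARs, resource names, suffix filter and window length are constructed assumptions.

```python
"""Inventory the template binaries inside a Cobalt Strike-style JAR, compare releases, and
pull out byte windows that survive between versions as anchors for a YARA hex string.

The JARs built below are constructed stand-ins (a JAR is just a zip), not Cobalt Strike
files; the resource names, suffix filter and window length are assumptions.
"""
import hashlib
import io
import zipfile

# Resource types treated as attack templates worth signing (assumption for this example).
TEMPLATE_SUFFIXES = (".dll", ".exe", ".bin", ".ps1")


def build_jar(files: dict) -> bytes:
    """Build a JAR in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inventory_jar(jar_bytes: bytes) -> dict:
    """Return {resource: (size, sha256, raw bytes)} for every embedded template."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEMPLATE_SUFFIXES):
                continue
            data = zf.read(info)
            out[info.filename] = (len(data), hashlib.sha256(data).hexdigest(), data)
    return out


def diff_releases(old: dict, new: dict) -> dict:
    """Templates added, removed or rebuilt (hash changed) between two inventories."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n][1] != new[n][1]),
    }


def stable_windows(blobs, n: int = 16) -> set:
    """n-byte windows present in every blob: candidates a per-version hash would miss
    but a byte-pattern rule can match across releases."""
    sets = [{b[i:i + n] for i in range(len(b) - n + 1)} for b in blobs]
    return set.intersection(*sets) if sets else set()


def yara_hex(window: bytes) -> str:
    """Format a byte window as a YARA hex string."""
    return "{ " + " ".join(f"{b:02x}" for b in window) + " }"


# Constructed releases: a shared fake PE-ish header, different per-release tails.
HEADER = b"MZ\x90\x00" + bytes(range(0x10, 0x30)) + b"template-stub:"
TAIL_V1 = b"stager tail alpha, release one"
TAIL_V2 = b"stager tail bravo, release two"
PS1 = b"$x = [Convert]::FromBase64String('QUFB')\r\n"

JAR_V1 = build_jar({
    "resources/beacon.dll": HEADER + TAIL_V1,
    "resources/template.x64.ps1": PS1,
    "resources/readme.txt": b"ignored: not a template",
})
JAR_V2 = build_jar({
    "resources/beacon.dll": HEADER + TAIL_V2,
    "resources/beacon.x64.dll": HEADER + b"x64 " + TAIL_V2,
    "resources/template.x64.ps1": PS1,
})

if __name__ == "__main__":
    inv1, inv2 = inventory_jar(JAR_V1), inventory_jar(JAR_V2)
    print(diff_releases(inv1, inv2))
    common = stable_windows([inv1["resources/beacon.dll"][2], inv2["resources/beacon.dll"][2]])
    print(len(common), "stable windows, e.g.", yara_hex(sorted(common)[0]))
```

Real rule-writing adds a step this example leaves out: checking each candidate window against a large clean corpus, since a window that is stable across Cobalt Strike releases may also be stable across every MSVC-built binary on the planet.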

Sinclair, Greg, Making Cobalt Strike harder for threat actors to abuse, Google Cloud Identity & Security blog, 18 November 2022. Available online at https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse.

Daixin Team Hits AirAsia

Back in October, the US Cybersecurity & Infrastructure Security Agency issued an alert on the activities of ransomware actor Daixin Team, who at that time seemed to be targeting the healthcare sector. However, ransomware operators will take a profit wherever they can, and now DataBreaches.net reports that budget airline AirAsia has fallen victim to Daixin Team.

According to DataBreaches.net, Daixin Team provided them with two files which contained passenger and employee information - the latter including name, date and country of birth, location, employment date, their authentication secret question and answer, and salt. The threat actor claimed to have the personal information of 5 million passengers.

Suggesting that there is honour among thieves, Daixin's spokesperson added that the group had avoided locking some VMs: "XEN, RHEL - hosts of flying equipment (radars, air traffic control and such)". In practice, airlines don't operate radars - that's the job of national air traffic control authorities - but the sentiment is doubtless appreciated. However, the spokesperson went on to throw shade, saying that the ransomware group did not pursue further attacks because they were apparently disgusted at the chaotic state of the airline's network. However, they will broker access via hacker forums, selling backdoors to any newbie hackers who want to "pick through the garbage" (their phrase, not mine).

Dissent, AirAsia victim of ransomware attack, passenger and employee data acquired, news article, 19 November 2022. Available online at https://www.databreaches.net/airasia-victim-of-ransomware-attack-passenger-and-employee-data-acquired/.

Australianised Incident Response Exercise

Management-level incident response simulation exercises are a useful tool for educating senior management and boards on what to expect when security personnel discover a material breach. While dedicated security personnel - especially blue teamers - routinely work these exercises and update their playbooks in light of their discoveries, the escalation of a material breach or high-impact event to senior management can be met with confusion and panic if they have not had previous exposure.

Now the Australian Cyber Security Centre has adapted the 'Exercise in a Box' series of cyber threat management exercises, initially developed by the UK's National Cyber Security Centre, to suit Australian enterprises in a range of sectors. A number of exercises are provided; some are discussion-based, allowing participants to understand the implications of events or issues such as ransomware attacks, loss or theft of mobile phones, or unmanaged reliance on the software supply chain, while other 'micro' exercises focus on a specific activity such as working securely off-site or securing video conferencing services.

The major simulation exercise is intended to allow a blue team and network administrators to deal with a simulated attack while a business stakeholder observes in order to gain understanding of the incident response process. This exercise involves some preparation, including the deployment of a harmless fake malware sample within the defenders' network prior to the exercise start. Fun for all ages, etc.

ACSC, Exercise in a Box, interactive web site, November 2022. Available online at https://exerciseinabox.cyber.gov.au/app/.

Evolving Infostealer Aurora is Spreading Rapidly

Security firm SEKOIA.IO is warning of a new Golang infostealer which, despite being widespread, is apparently evading detection.

Aurora initially appeared in the form of a general-purpose botnet around April 2022, advertised on Russian-speaking underground forums by a threat actor calling themselves Cheshire, and sold on the Malware-as-a-Service model. At that stage, the tool had infostealing, exfiltration and remote access capabilities, and by July SEKOIA.IO had identified around 50 samples, mostly belonging to two botnets. Then things went quiet, and at least one of the botnets has probably shut down.

However, in August, Aurora reappeared, this time advertised as an infostealer with its other capabilities either removed or de-emphasised. By November, at least seven different groups (called 'traffers') were distributing this malware via fake free software download sites, although a few of them use other stealers as well. Once installed by the victim, Aurora sets about searching for and stealing data from a range of cryptocurrency wallets as well as applications like Telegram. However, it can also deploy a next-stage payload via a PowerShell command.

The SEKOIA.IO write-up provides a full analysis of sample infection chains, IOCs and YARA rules.

Threat & Detection Research Team, Aurora: a rising stealer flying under the radar, blog post, 21 November 2022. Available online at https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/.


by Les Bell - Tuesday, 22 November 2022, 9:48 AM

News Stories


Global Cyber Risk Slightly Increases

Trend Micro and the Ponemon Institute collaborate to produce the Cyber Risk Index (CRI), which surveys how organizations view their cyber risk. The survey covers North America, Latin/South America, Europe, and the Asia-Pacific regions, and in the first half of 2022 incorporated data from 4,100 businesses of all sizes.

The index calculation works by rating two factors:

  • Organizations' ability to prepare for attacks - the Cyber Preparedness Index, or CPI
  • Organizations' assessment of the threats they face - the Cyber Threat Index, or CTI

The final calculation subtracts the CTI from the CPI to produce the CRI (CRI = CPI - CTI), yielding a value between -10 and +10, with lower values representing more risk.

The current global CRI is -0.15, a slight increase in risk from the second half of 2021, when it stood at -0.04. This leaves the risk index at the Elevated rating level. Overall, organizations in North America and Asia-Pacific saw their risk increase, while it decreased for Europe and Latin/South America.

North America's CRI was the worst, at -0.33 - a result of a slightly lower preparedness index and a higher threat index. Asia-Pacific saw its risk index move from the Moderate to the Elevated level (from +0.20 to -0.11), primarily due to a much higher threat index (from 5.15 to 5.44).

Clay, Jon, Global Cyber Risk at Elevated Level, research report, 17 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/cyber-risk-index-1h-22-snapshot.html.

HackerOne Improves Protections

Bug bounty program operator HackerOne has announced a new program to improve the protection of ethical hackers from liability when disclosing vulnerabilities they have discovered. The history of security is full of sad tales of innocent researchers who have fallen victim to an unfortunate tendency among the owners of vulnerable systems to shoot the messenger, rather than acting on useful intelligence. Unfortunately, not every company has a generative security culture that actively seeks out problems and rewards those who identify them.

HackerOne's new Gold Standard Safe Harbor document is a short, broad, easily-understood statement that outlines the legal protections security researchers can expect, and can be simply adopted by HackerOne's customers. It also eliminates the need for ethical hackers to closely review all the fine print of different bug bounty program statements.

HackerOne's as-yet-unreleased Hacker-Powered Security Report apparently states that more than half of hackers have not reported a vulnerability they discovered. In 20% of cases, they said it was because an organization had previously been difficult to work with, and 12% said it was due to threatening legal language. The new GSSH aims to improve this situation.

Uncredited, HackerOne Announces Gold Standard Safe Harbor to Improve Protections for Good Faith Security Research, press release, 16 November 2022. Available online at https://www.hackerone.com/press-release/hackerone-announces-gold-standard-safe-harbor-improve-protections-good-faith-security.

VenomSoftX: Malicious Chrome Extension Steals Victims' Cryptocurrencies

A report from Avast tears down a recently-discovered infostealer which takes the form of a malicious Chrome extension. VenomSoftX has a wide range of capabilities: it provides full access to every web page the victim visits, can perform man-in-the-browser attacks to interfere with API request data on popular cryptocurrency exchanges, can steal credentials and clipboard content, modify wallet addresses on visited pages, and much more. Its standalone capabilities are so extensive that, although it is distributed by the previously-known PowerShell-based infostealer, ViperSoftX, it has been given its own name.

ViperSoftX is mostly spread from torrent sites offering cracked copies of programs such as Adobe Illustrator, Corel Video Studio, Microsoft Office and others. Although this means potentially global distribution and infection, the most impacted countries are India, the US and Italy, with the cryptocurrency thefts alone having netted the threat actor behind the campaign just over $US130,000.

The downloaded binary that infects the system is actually a self-decrypting loader using AES-CBC encryption, which in turn extracts and decrypts a packed blob containing five files - the most interesting of which is a large log file which contains a single malicious line of obfuscated code. There are two variants, which either download the ViperSoftX infostealer or use a PowerShell script to decrypt it locally. This can then load any of several payloads, of which VenomSoftX is the newest and most interesting - it masquerades as a common browser extension such as Google Sheets (which is not actually a browser extension at all).

VenomSoftX consists of modular JavaScript; a bootstrap loader always loads on every page, and if a crypto exchange site is being visited, it will load the appropriate "webpack" JavaScript module. Otherwise, it loads a generic webpack_content.js module. Several of the modules are capable of collecting data and sending it to a C2 server using the MQTT IoT messaging protocol.

Rubin, Jan, ViperSoftX: Hiding in System Logs and Spreading VenomSoftX, blog post, 21 November 2022. Available online at https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/.

Useful Guidance on Phishing Protection

A useful short report from Trend Micro summarizes the most common variants of phishing attacks, such as whaling, business email compromise, smishing and vishing, and offers some guidance on good practices to defend against them.

Clay, Jon, Email Security Best Practices for Phishing Prevention, blog post, 17 November 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/k/email-security-best-practices.html.


by Les Bell - Monday, 21 November 2022, 9:09 AM

News Stories


Proof-of-Concept Exploit Code Released for Microsoft Exchange Vulns

Microsoft released patches for two Microsoft Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082, earlier this month. The two vulnerabilities, which affect Microsoft Exchange Server 2013, 2016 and 2019, are popularly known as ProxyNotShell and have been actively exploited in the wild by attackers who used them to deploy China Chopper web shells.

Microsoft had advised that the vulnerabilities were being exploited since at least September 2022 and the Exchange team recommended that the patches be installed immediately.

Now Vietnamese security researcher Janggggg has released proof-of-concept code in Python, which will likely enable many more threat actors to exploit the remaining unpatched Exchange servers. In addition, Metasploit developer zeroSteiner has released an exploit for the popular pen test framework. Obviously, those who have not patched are now at increased risk.

Janggggg (testanull), ProxyNotShell-PoC, Github project, 17 November 2022. Available online at https://github.com/testanull/ProxyNotShell-PoC.

zeroSteiner, Add Exploit for CVE-2022-41082 (ProxyNotShell), Github merge, 18 November 2022. Available online at https://github.com/rapid7/metasploit-framework/pull/17275.

New Ransomware Targets Discord

Cyble Research and Intelligence Labs reports on three new ransomware families which exhibit some interesting characteristics.

Octocrypt is a new ransomware strain which targets all Windows versions. The ransomware builder, encryptor and decryptor are all written in the Go programming language, which has rapidly gained popularity among malware authors, and it is offered via a very polished web interface on the Ransomware-as-a-Service model.

The Alice ransomware initially appeared on cybercrime forums as a project called "Alice in the Land of Malware" and seems more primitive, at this point. The builder creates two executables called Encryptor.exe and Decryptor.exe; successful execution of Encryptor.exe encrypts the victim's files, adding the extension .alice, and drops a ransom note file called How to Restore Your Files.txt into multiple folders.

Most interesting is AXLocker; the sample encryptor examined by Cyble encrypts only specific filetypes, but then goes on to search for Discord tokens in specific directories. It sends information such as the computer name, user name, IP address, system UUID and the Discord tokens to its operators via a C2 Discord server. This means that the attackers can take over the victim's Discord sessions - they should change their passwords, which will generate new session tokens, immediately upon discovering the infection.

Uncredited, AXLocker, Octocrypt and Alice: Leading a new wave of Ransomware Campaigns, blog post, 18 November 2022. Available online at https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/.

Google Ads Used to Distribute Batloader, Royal Ransomware

Last Wednesday, we reported on Batloader, a new malware loader which seems to have evolved from Zloader. Now comes a report from Microsoft that a threat actor which they track as DEV-0569 has been using Batloader to deploy the Royal ransomware, which was first observed in September 2022 and is also used by other threat actors.

DEV-0569 has traditionally relied on malvertising - phishing links that would be placed in front of the victim via spam emails, fake forum pages and blog comments - which pointed to the malware. However, the group's tactics have been evolving, with a number of new techniques:

  • Use of contact forms on targeted organizations' websites to deliver the links
  • Hosting fake installer files on legitimate-looking download sites and legitimate repositories
  • Using Google Ads in campaigns, to blend in with normal ad traffic

Between August and October, DEV-0569 used Batloader, masquerading as legitimate installers for applications such as TeamViewer, Adobe Flash Player (why is that still a thing?), Zoom and AnyDesk, all hosted on legitimate-looking domains created by the threat actor.

During September, they started using Batloader to deliver a Cobalt Strike Beacon implant and, after gaining access, used this to implant the Royal ransomware. And in October, they started using Google Ads which point to the legitimate traffic distribution system Keitaro, which filters ad campaigns via tracking and user- or device-based filtering before redirecting the victim to a download site - either legitimate or delivering Batloader. By using Keitaro, DEV-0569 is able to deliver their payloads to specific targets, while also avoiding some known security sandboxing products.

Microsoft's write-up suggests a number of mitigations.

Microsoft Security Threat Intelligence, DEV-0569 finds new ways to deliver Royal ransomware, various payloads, blog post, 17 November 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/.


by Les Bell - Saturday, 19 November 2022, 9:56 AM

News Stories


Bluetooth Allowlist Allows Tracking

Researchers at Ohio State have found that Bluetooth Low Energy (BLE) devices are vulnerable to location tracking, due to a design flaw in the protocol.

Yue Zhang, a postdoctoral researcher at OSU presented the findings at the ACM Conference on Computer and Communications Security, receiving a "best paper" honourable mention. Zhang and his adviser, Prof. Zhiqiang Lin, proved the threat by testing over 50 available devices as well as four BLE development boards, and finding them all to be vulnerable. The Bluetooth SIG, who maintain Bluetooth standards, "was certainly made aware of the MAC address tracking threat, and to protect devices from being tracked by bad actors, a solution called MAC address randomization has been used since 2010", said Lin. Later, in 2014, the Bluetooth SIG introduced a new feature called the "allowlist", which allows connections from only recognised devices.

In their paper, Zhang and Lin show that the allowlist feature actually introduces a side channel for device tracking, since a device with an allowlist behaves differently even though it has used randomized MAC addresses. Worse, the randomization scheme itself is flawed and vulnerable to replay attacks. The two authors notified the Bluetooth SIG, as well as device manufacturers and OS developers, and were awarded a bug bounty by Google, who rated the vulnerability as of high severity. They have also proposed an improved protocol.
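To make the side channel concrete, here is a toy simulation added for this note (not the authors' code, and a simplification of the paper's attack): a peripheral that filters scan requests by allowlist answers only a recognised central, so an attacker who replays an address it once saw that central use can pick the peripheral out again after every address rotation, while a peripheral without an allowlist answers everyone and gives nothing away. The address hash uses HMAC-SHA256 in place of BLE's AES-based ah() function, the devices and keys are invented, and, as the page reports for the real protocol, replayed addresses are assumed to be accepted.

```python
"""Toy model of the BLE allowlist side channel.

A simplified simulation written for this note, not the authors' code. The address hash
uses HMAC-SHA256 in place of BLE's AES-128 ah() function, the peripherals and keys are
invented, and, as reported for the real protocol, replayed addresses are accepted.
"""
import hashlib
import hmac
import random


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def ah(irk: bytes, prand: bytes) -> bytes:
    """Address hash; stand-in for BLE's ah(IRK, prand), truncated to 24 bits."""
    return hmac.new(irk, prand, hashlib.sha256).digest()[:3]


def make_rpa(irk: bytes, rng: random.Random) -> bytes:
    """Resolvable private address: 24-bit prand (top two bits 01) || ah(IRK, prand)."""
    prand = bytes([0x40 | rng.getrandbits(6)]) + rand_bytes(rng, 2)
    return prand + ah(irk, prand)


def resolves(irk: bytes, addr: bytes) -> bool:
    """Does this RPA belong to the holder of irk? (No freshness check: replay works.)"""
    return hmac.compare_digest(ah(irk, addr[:3]), addr[3:])


class Peripheral:
    def __init__(self, name: str, rng: random.Random, allowlist=None):
        self.name, self.rng = name, rng
        self.irk = rand_bytes(rng, 16)   # its own identity key, used for its own RPAs
        self.allowlist = allowlist       # IRKs of bonded centrals, or None = answer anyone
        self.rotate()

    def rotate(self):
        """New random advertising address; this is what should make it untrackable."""
        self.addr = make_rpa(self.irk, self.rng)

    def answers_scan(self, central_addr: bytes) -> bool:
        """True if the peripheral sends SCAN_RSP to a SCAN_REQ from central_addr."""
        if self.allowlist is None:
            return True
        return any(resolves(k, central_addr) for k in self.allowlist)


def probe(peripherals, captured_rpa: bytes, rng: random.Random):
    """Attacker: scan every advertiser once from a fresh address and once with the replayed
    RPA. 'Silent to strangers, answers the replay' links the advertiser to the victim."""
    stranger = make_rpa(rand_bytes(rng, 16), rng)
    return [p for p in peripherals
            if not p.answers_scan(stranger) and p.answers_scan(captured_rpa)]


def simulate(epochs: int = 4, seed: int = 7) -> dict:
    """Rotate every peripheral's address each epoch and see whether the attacker, knowing
    only one RPA sniffed from the victim's phone, still finds the victim's watch."""
    rng = random.Random(seed)
    victim_irk = rand_bytes(rng, 16)                    # the victim's phone
    watch = Peripheral("watch", rng, allowlist=[victim_irk])
    beacon = Peripheral("shop-beacon", rng)             # open peripheral, no allowlist
    captured = make_rpa(victim_irk, rng)                # one RPA sniffed from the phone
    tracked, false_links = [], 0
    for _ in range(epochs):
        watch.rotate()
        beacon.rotate()
        linked = probe([beacon, watch], captured, rng)  # attacker knows neither new address
        tracked.append(watch in linked)
        false_links += int(beacon in linked)
    return {"tracked": tracked, "false_links": false_links}


if __name__ == "__main__":
    print(simulate())
```

The point the model makes is that the peripheral's own address randomization is irrelevant: the allowlist turns the peripheral into an oracle for "do you know this central?", and replayability of the central's address is what lets the attacker ask the question. That is why the fix the authors propose is at the protocol level rather than something a device vendor can patch alone.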

Woodall, Tatyana, Study uncovers new threat to security and privacy of Bluetooth devices, news release, 17 November 2022. Available online at https://news.osu.edu/study-uncovers-new-threat-to-security-and-privacy-of-bluetooth-devices/.

Zhang, Y., & Lin, Z. (2022). When Good Becomes Evil: Tracking Bluetooth Low Energy Devices via Allowlist-based Side Channel and Its Countermeasure, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 3181–3194. Available online at https://doi.org/10.1145/3548606.3559372.

Major Phishing Campaign Targets US, Canadian Shoppers

Akamai Security Research is reporting a new, highly sophisticated phishing kit which is mimicking several large retail brands in the run-up to the holiday season. The kit uses a variety of anti-forensics techniques to evade detection, including a novel approach to obfuscating URLs: the email which delivers the scam contains a token from which a redirection URL is constructed, and any attempt to access a scam page without the token will not reach the phishing landing page.

The campaign also uses URL shorteners, fake user profiles and testimonials, and CDN services to make its infrastructure resilient. It also makes use of sophisticated social engineering, offering victims the chance to win a prize, and requesting credit card details "only" to cover the cost of shipment - which, around this time of year, is a common marketing technique and will appear entirely legitimate to the victim. Whoever created these lures is familiar with US pre-holiday promotions, and in fact, the campaign is geo-targeted, with the sites being inaccessible from outside the US and Canada.

The Akamai report provides a full analysis, and IOCs are also available.

Katz, Or, Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment, blog post, 16 November 2022. Available online at https://www.akamai.com/blog/security-research/sophisticated-phishing-scam-abusing-holiday-sentiment.

APT Targets Governments World-wide, Especially Asia/Pacific

Trend Micro has been tracking a wave of spearphishing attacks which target the government, academic, think-tank and research sectors around the world, but particularly in Myanmar, Australia, the Philippines, Japan and Taiwan. Analysis of the malware families used points to a notorious advanced persistent threat group called Earth Preta, Mustang Panda or Bronze President, and likely of Chinese origin.

The campaign uses fake Google accounts to distribute the malware via spearphishing emails containing Google Drive links that point to compressed archive files which the user is lured into downloading and executing. The lure documents show signs of some research into, and possibly earlier breaches of, the target organizations.

Some of the malware has been observed previously, but two malware families are new, and they all use a variety of techniques to evade detection through a multi-stage loading process, connection to C2 and final installation of a backdoor. Trend Micro's write-up provides a thorough analysis, and IOCs can also be downloaded.

Dai, Nick, Vickie Su and Sunny Lu, Earth Preta Spear-Phishing Governments Worldwide, research report, 18 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html.

