Blog entries about Les Bell and Associates Pty Ltd

Les Bell
by Les Bell - Thursday, 17 November 2022, 8:49 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


RCE Vulnerability in Spotify Backstage

Back in early October, we reported on a vulnerability which allowed an attacker to escape from the popular Node.js JavaScript sandbox, vm2, and execute code on the underlying server. Now the same researchers have found the same underlying vulnerability in a popular DevOps toolbox.

In a DevOps environment, especially one using microservices architecture, developers need a central portal where they have easy access to share the tools, services and documentation that they need to integrate services. Initially developed by Spotify and then donated to the Cloud Native Computing Foundation, Backstage is a toolbox for building such portals from a few core services and plugins, and allows easier integration of projects with existing enterprise platforms and tools like Jira, ElasticSearch, Prometheus and others.

One of the more privileged components of Backstage is the Scaffolder, which executes tasks like creating Github repositories, and because this exposes the possibility of remote code execution attacks, tasks like string templating are executed in a vm2 sandbox. However, Backstage's threat model only provides authentication in order to identify the user, not for access control, and implementors are advised to protect their deployment from unauthorized access by placing it behind an authenticating proxy like Amazon's Application Load Balancer or the Google Cloud Platform Identity-Aware Proxy.

What researchers at Oxeye discovered was that their previously-discovered vm2 sandbox-escape vulnerability was present in the Backstage Scaffolder and could be exploited through the template engine, and - quelle horreur - many of the 500 Backstage servers they found by a simple Shodan search were running with no authentication or authorization protection, allowing unauthenticated remote code execution. They disclosed the resultant CVSS 9.8 vulnerability to Spotify, and a patch has been released; users should not only apply it, but check they have appropriate authentication and authorization around their deployment.

Goldstein, Gal, Yuval Ostrovsky and Daniel Abeles, Remote Code Execution in Spotify's Backstage via vm2 Sandbox Escape (CVSS Score of 9.8), blog post, 15 November 2022. Available online at https://www.oxeye.io/blog/remote-code-execution-in-spotifys-backstage.

Lazarus Group Deploys New DTrack Variant

North Korean cybercrime group Lazarus (APT38, associated with the DPRK Reconnaissance General Bureau) has long used the DTrack backdoor to deploy keyloggers, screen capture and other tools in campaigns against a range of targets. Now Kaspersky has produced a report on a new variant of DTrack which is spreading around the world.

Delivered as part of what looks like a legitimate executable, this variant performs multiple stages of decryption before activating the malware payload. First, the second stage is extracted from either an offset location or a resource within the PE executable and then decrypted, using a modified version of RC4. This second stage consists of heavily obfuscated shellcode which reads and decrypts the third stage. This shellcode has to find the decryption key by searching for the first occurrence of a string, then uses it to decrypt a configuration block which follows it and gives the final location of the payload, which may be encrypted with a modified version of either RC4, RC5 or RC6.

The decrypted third stage is a DLL which is loaded into explorer.exe (replacing some of its code) to become the final backdoor, and contacts any of three C2 servers. Kaspersky has detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, the US and elsewhere, indicating that the Lazarus group is expanding its operations to Europe and Latin America.

Zykov, Konstantin and Jornt van der Wiel, DTrack activity targeting Europe and Latin America, SecureList blog, 15 November 2022. Available online at https://securelist.com/dtrack-targeting-europe-latin-america/107798/.

Magento TrojanOrder Attacks Grow Rapidly

Specialist merchant server malware security scanning firm Sansec is warning of a rapid increase in attacks on sites which use Adobe's popular Magento 2 ecommerce server. The attacks exploit an email template vulnerability, CVE-2022-24086, which dates back to February of this year - but Sansec estimates that at least one third of all Magento and Adobe Commerce stores have not been patched to date.

The attack begins with some manual interaction by the threat actor on the site (possible because the Magento order flow is highly flexible and customisable), intended to trigger the system to send an email with the exploit code in one of the fields. This can be achieved by any of several actions, including placing an order, signing up as a customer or sharing a wishlist. If this is successful, the attacker gains access to the site and will then typically install a remote access trojan. This means that, in many cases, patching the Magento code after the site has been exploited will not remove the attackers.

In many cases, the backdoor is hidden in the normally legitimate Magento component, health_check.php, and an observed big increase in active scanning for this file suggests that different attacker groups are trying to take over sites which had previously been pwned by another group. As of November 2022, Sansec has identified seven different initial attack vectors, suggesting that at least seven different Magecart groups are actively running these attacks on Magento 2 web sites, probably using exploits they have bought via hacker forums.

Obviously, the first order of business for Magento and Adobe Commerce users is to patch their systems, but this may not stop an attacker who is already present in the system. Sansec is offering a free scan to determine whether the site has been compromised.

Sansec Threat Research, Adobe Commerce merchants to be hit with TrojanOrders this season, blog post, 15 November 2022. Available online at https://sansec.io/research/trojanorder-magento.

Amazon RDS Snapshots Leak PII

A report from cloud incident response company Mitiga sounds the alarm on an often-misused feature of Amazon Web Services' Relational Database Service (RDS), which they discovered can - and does - leak personally identifiable information.

The RDS snapshot feature is, as you might expect, primarily used for backing up databases. However, a public RDS snapshot is also useful for sharing database templates, or even database content which is meant to be publicly accessible, and occasionally it is used as a quick mechanism for sharing data with colleagues without having to deal with the complexities of database accounts, roles and policies. Once the colleague has the data, the snapshot can be deleted or access withdrawn.

However, by developing a scanner using AWS Lambda, Step Functions and boto3, Mitiga found many snapshots that were shared publicly for a few hours, days or even weeks, and were able to clone them, extracting potentially sensitive information.

There are several lessons here, not all of them obvious; Mitiga's report provides a comprehensive write-up with actionable recommendations for Amazon RDS customers.
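The check an RDS customer would want to run against their own account, as an added example that is not Mitiga's scanner or any code from the report: a snapshot is publicly restorable when its "restore" attribute lists "all". The classification runs offline on a constructed attribute result; find_public_snapshots is a hypothetical helper that needs boto3 and AWS credentials to run for real.

```python
"""
Audit your own RDS snapshots for public sharing (added example).

The names restore_targets, is_publicly_restorable, classify_snapshots and
find_public_snapshots are hypothetical helpers written for this post, not an
AWS or Mitiga API. SAMPLE_ATTRIBUTE_RESULTS is constructed in the shape that
rds.describe_db_snapshot_attributes(...)["DBSnapshotAttributesResult"] returns.
"""
from typing import Dict, List

# Constructed sample data: one public, one shared with a single account, one private.
SAMPLE_ATTRIBUTE_RESULTS = [
    {"DBSnapshotIdentifier": "customers-prod-2022-11-10",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "reporting-shared",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "nightly-backup",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def restore_targets(attr_result: Dict) -> List[str]:
    """Return the account ids (or the literal 'all') allowed to restore the snapshot."""
    for attr in attr_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_publicly_restorable(attr_result: Dict) -> bool:
    """A snapshot is public exactly when 'all' appears among the restore targets."""
    return "all" in restore_targets(attr_result)


def classify_snapshots(attr_results: List[Dict]) -> Dict[str, str]:
    """Map snapshot id -> 'public', 'shared' (specific accounts) or 'private'."""
    verdicts = {}
    for res in attr_results:
        targets = restore_targets(res)
        if "all" in targets:
            verdict = "public"
        elif targets:
            verdict = "shared"
        else:
            verdict = "private"
        verdicts[res["DBSnapshotIdentifier"]] = verdict
    return verdicts


def find_public_snapshots(region_name: str) -> List[str]:
    """Enumerate this account's manual DB instance snapshots in one region and
    return the ids of those shared with 'all'.

    Only manual snapshots can be shared, hence SnapshotType="manual". Aurora
    cluster snapshots use the describe_db_cluster_snapshot* calls instead and
    are not covered here. Requires boto3 and valid credentials.
    """
    import boto3  # imported here so the offline parts of this file run without it
    rds = boto3.client("rds", region_name=region_name)
    public = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            attrs = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"]
            )["DBSnapshotAttributesResult"]
            if is_publicly_restorable(attrs):
                public.append(snap["DBSnapshotIdentifier"])
    return public


if __name__ == "__main__":
    for name, verdict in classify_snapshots(SAMPLE_ATTRIBUTE_RESULTS).items():
        print(f"{name}: {verdict}")
```

A snapshot made public for "just a few hours" still shows up as "public" here for as long as it is shared, which is exactly the window Mitiga's scanner exploited.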

Szarf, Ariel, Doron Karmi and Lionel Saposnik, Oops, I leaked it Again - How Mitiga Found PII in Exposed Amazon RDS Snapshots, blog post, 16 November 2022. Available online at https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Les Bell
by Les Bell - Wednesday, 16 November 2022, 6:46 AM

News Stories


Chinese Threat Actor Runs Massive Phishing Campaign

A new report by UK threat intelligence company Cyjax details a sophisticated, large-scale phishing campaign that trades on the reputation of internationally-trusted brands, targeting businesses in multiple segments including retail, travel, pharmaceuticals and energy. The group, which Cyjax has christened "Fangxiao", has controlled at least 42,000 domains since 2019, driving victims to them via links sent through WhatsApp. The link takes them to a landing domain impersonating any of over 400 well-known and trusted brands including Emirates, Unilever, Singaporean shopping site Shopee, Coca-Cola and others.

A complex redirection chain brings the victim to an online survey page with a timer to add urgency; once the victim has completed the survey, the site appears to "validate" their answers and incites them to play a simple animated game, which they will "win" after two or three clicks. But to claim their prize, they must share the phishing campaign via WhatsApp, to five groups or 20 friends. At the end of this process, the page delivers any of many dodgy advertisements, affiliate scams, micropayment scams or the Triada Android malware. In short, it's a cesspit.

Cyjax has extensively documented the various redirection chains, but many are so convoluted, complex and constantly changing that there is no certainty how any particular victim might be exploited. Fangxiao hides itself quite well, protecting its infrastructure behind Cloudflare and rapidly cycling the domain names it uses - over 300 new unique domains appeared in just one day in October. Cyjax's report gives a lot of detail, and IOCs can also be downloaded.

Witten, Alana and Emily Dennison, Fangxiao: a Chinese threat actor, technical report, 14 November 2022. Available online at https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/.

VMware Warns of BatLoader

VMware's Carbon Black Managed Detection and Response (MDR) analysts have tracked increasing usage of a malware loader called Batloader. This new loader shares many similarities with the earlier Zloader, which is thought to be derived from the Zeus banking trojan of almost two decades ago; it is also distributed using malicious advertisements which lure victims into downloading signed Windows installer (.msi) files disguised as installers for legitimate software such as Zoom, TeamViewer, Discord and others. Although much larger, Batloader seems to be an enhancement of Zloader.

Once the installer is running, Batloader uses a PowerShell inline script to download and run a chain of batch files and PowerShell scripts, as well as the necessary tools such as nircmd.exe (a command-line utility which gains admin privileges), Gpg4win (which it uses to decrypt payloads) and Nsudo.exe (used to launch programs with elevated privileges). Towards the end of the chain, Batloader adds registry entries which restrict user access on the infected machine, in order to block remediation attempts, and sometimes installs some remote management and monitoring software which the attackers will use as a backdoor.

Various final payloads can be dropped, including a banking trojan from the Ursnif/Gozi family, the Arkei/Vidar infostealer and, in some cases, a Cobalt Strike stager. Throughout all these stages, Batloader is very stealthy and persistent, and would prove difficult to remove from an infected system. Some IOCs, such as an IP address, indicate that the actor running this campaign may be Conti or one of its affiliates.

Hardin, Bethany, Lavine Oluoch and Tatiana Volbrecht, BATLOADER: The Evasive Downloader Malware, blog post, 14 November 2022. Available online at https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html.

BEC Scammer Hushpuppi Goes Down

In the "score one for the good guys" department: business email compromise scammer Ramon Olorunwa Abbas - much better known by his nickname of "Ray Hushpuppi", a.k.a. "The Billionaire Gucci Master!!!" - has been sentenced in a United States District Court to 135 months (11 years and 3 months) in a federal penitentiary, although the sentence probably includes over two years already served since his arrest in Dubai and extradition to the US.

An entertaining article in Sophos' Naked Security blog highlights the Nigerian scammer's colourful lifestyle, with pictures from his Instagram account where he shows off gangsta-style bling and private jet travel. The article becomes seriously informative, however, when it turns to extracts from Hushpuppi's correspondence with his co-conspirators, giving insights into how these whalers work around the fraud prevention measures put in place by banks.

Their process involves using money mules (themselves victims/beneficiaries of work-from-home scams) to open accounts in person at a branch, thereby passing "know your customer" checks - but in many cases the new accounts are quickly linked to criminal activities, forcing the scammers to move on. They also discuss the fact that fraudulent transfers within a country are subject to less scrutiny than overseas transfers, and are therefore less likely to be blocked. However, the blocks are at least partially effective; while Abbas admitted to conspiring to launder over $US300 million, much of it did not, ultimately, end up in his - probably gold-encrusted - fingers.

Naked Security writer, "Gucci Master" business email scammer Hushpuppi gets 11 years, blog post, 14 November 2022. Available online at https://nakedsecurity.sophos.com/2022/11/14/gucci-master-business-email-scammer-hushpuppi-gets-11-years/.

Google's Android Location Tracking Burns Them Again

Australian readers will doubtless remember the action brought against Google LLC and Google Australia Pty Ltd by the Australian Competition and Consumer Commission in the Federal Court, alleging that Google had breached Australian consumer law by representing to some Android users that the setting titled "Location History" was the only Google account setting that affected whether the company collected, kept and used personal location information. In fact, the "Web & App Activity" setting, which defaulted to on, also enabled Google to collect that information, and in August the Federal Court ordered Google LLC to pay $A60 million for making misleading representations.

A group of 40 State attorneys general in the US brought a similar action, and have announced that, in an out of court settlement, Google will pay these states a total of $US391.5 million. The US investigation - and probably the Australian action, too - was triggered by a 2018 Associated Press article which revealed that Google "records your movements even when you explicitly tell it not to", and detailed the two Google account settings described above. The attorneys general found that Google had violated state consumer protection laws by misleading consumers since at least 2014.

The settlement requires Google to be more transparent with consumers: the company must show additional information when users turn a location-related account setting on or off, make the key information about location tracking unavoidable for users (i.e. not hidden), and give users detailed information about the types of location data Google collects and how it is used, at an enhanced "Location Technologies" web page.

Media Team, Google LLC to pay $60 million for misleading representations, media release, 12 August 2022. Available online at https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.

AG Press, 40 Attorneys General Announce Historic Google Settlement over Location Tracking Practices, press release, 14 November 2022. Available online at https://www.michigan.gov/ag/news/press-releases/2022/11/14/40-attorneys-general-announce-historic-google-settlement-over-location-tracking-practices.


Les Bell
by Les Bell - Tuesday, 15 November 2022, 6:40 AM

News Stories


Plausibly Deniable Hidden Linux Filesystems

One of the nice features of the old TrueCrypt encrypted filesystem (and its replacement, VeraCrypt) was its ability to create hidden volumes - a feature of great value to journalists, human rights activists and others who need to transit borders where their computers could come under scrutiny. Now Kudelski Security Research has introduced a new open-source tool for Linux which provides further improvements.

[Image: cartoon demonstrating rubber-hose cryptanalysis]

Shufflecake allows the creation of multiple hidden volumes on a storage device, with each volume encrypted with a different secret key, scrambled across the empty space of the underlying storage medium and indistinguishable from random noise. Because the software can manage up to 15 volumes per device, with hidden volumes nested under other hidden volumes, it provides a high level of plausible deniability, whereby a user can, under pressure, surrender a password to decrypt a less sensitive "decoy" volume while the really sensitive volume remains undetectable, even under forensic investigation. (Image © Randall Munroe, licensed under CC BY-NC 2.5.)

Despite the multiple layers of encryption, Shufflecake remains reasonably efficient; the performance penalty is roughly double that of a conventional LUKS encrypted volume and barely noticeable. The space overhead is also less than 1% of the available disk space. The code is based on the M.Sc. thesis of Elias Anzuoni at EPFL.

Gagliardoni, Tommaso, Introducing Shufflecake: Plausible Deniability for Multiple Hidden Filesystems on Linux, blog post, 10 November 2022. Available online at https://research.kudelskisecurity.com/2022/11/10/introducing-shufflecake-plausible-deniability-for-multiple-hidden-filesystems-on-linux/.

Data Breach at Russian Scooter Service

Russian scooter rental service Whoosh has confirmed a data breach which has seen the theft of over 7.2 million customer numbers and 6.9 million email addresses. On Monday, chat about the publication of the data set appeared in Telegram channels, and the company has now revealed that it is carrying out an internal investigation and working with law enforcement to try to stop distribution of the data.

The company claims that no sensitive data, such as transaction information, credit card numbers or travel details, was stolen.

Uncredited, В Whoosh подтвердили утечку данных клиентов, RIA, 14 November 2022. Available online at https://ria.ru/20221114/whoosh-1831302705.html; English translation at https://ria-ru.translate.goog/20221114/whoosh-1831302705.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp.

CSRF Vuln in Plesk Web Hosting Dashboard

Many SME web sites are hosted with retail hosting providers and managed via the Plesk administration dashboard, which accounts for 86.7% of such dashboards and 4.4% of all websites. Overall, Plesk is well secured, but researcher Adrian Tiron at Fortbridge managed to find a cross-site request forgery vulnerability which affects most of the Plesk RESTful APIs, which are intended to allow third-party programs to access Plesk services.

The vulnerability flows from a misconfigured CORS (Cross-Origin Resource Sharing) policy. CORS, which is layered on top of HTTP, allows HTTP responses to declare that they can be shared with other origins; in the case of the Plesk APIs the policy was completely open, having been set to a wildcard '*' and allowing access from any origin.

Tiron was able to abuse several API endpoints, adding a database user that can connect to any database from any remote host and, most importantly, changing the admin password and gaining full control of the site. Other possible exploit techniques include adding an FTP user and adding a malicious Plesk extension, which could be a web shell.

Fortbridge responsibly disclosed the vulnerability, and Plesk users should check for a patch.
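The CORS misconfiguration above, as an added example that is neither Plesk's code nor Fortbridge's: the wildcard policy beside an explicit origin allowlist, with a small checker for captured response headers. ALLOWED_ORIGINS, the example origins and the helper names are all constructed for this illustration.

```python
"""
CORS response-header policy (added example): the open wildcard described in
the Plesk finding, the allowlisted alternative, and an auditor for headers
seen in a response.

cors_headers_weak, cors_headers_for and audit_cors_headers are hypothetical
helpers; ALLOWED_ORIGINS and the origins used in __main__ are constructed.
"""
from typing import Dict, List, Optional

# Constructed allowlist: the only web origin that should call this API from a browser.
ALLOWED_ORIGINS = frozenset({"https://admin.example.com"})


def cors_headers_weak(origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration: every origin is accepted, whoever asks."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_for(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Emit CORS headers only for an allowlisted Origin.

    The matched origin is echoed back (never '*'), and Vary: Origin stops a
    shared cache from serving one origin's response to a different origin.
    """
    if origin is None or origin not in allowed:
        return {}  # no CORS headers at all: the browser withholds the response body
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def audit_cors_headers(headers: Dict[str, str], request_origin: Optional[str] = None,
                       allowed=ALLOWED_ORIGINS) -> List[str]:
    """Flag weak CORS settings in a captured response header set.

    request_origin is the Origin value that accompanied the request, so a
    server that blindly reflects it can be told apart from one that matched
    an allowlist. Header names are compared case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # nothing is shared cross-origin
    if acao == "*":
        findings.append("wildcard origin: any site may read the response")
    elif acao == "null":
        findings.append("'null' origin allowed: sandboxed iframes and file:// pages match it")
    elif request_origin and acao == request_origin and request_origin not in allowed:
        findings.append("request Origin reflected without an allowlist check")
        if creds:
            findings.append("reflected origin with credentials: cookies are sent cross-site")
    return findings


if __name__ == "__main__":
    untrusted = "https://untrusted.example"
    print("weak :", audit_cors_headers(cors_headers_weak(untrusted), untrusted))
    print("fixed:", audit_cors_headers(cors_headers_for(untrusted), untrusted))
```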

Tiron, Adrian, Compromising Plesk via its REST API, blog post, 10 November 2022. Available online at https://fortbridge.co.uk/research/compromising-plesk-via-its-rest-api/.

Is Functional Programming the Way of the Future?

We wrote yesterday of the NSA's promotion of memory-safe programming languages such as Java and Rust, with the latter rapidly growing, according to usage statistics. But memory management is only one - admittedly large - class of bugs and hence vulnerabilities; there are many others, including time-of-check/time-of-use, null references and side effects caused by shared state.

An article in IEEE Spectrum suggests that many of these problems are addressed by functional programming languages such as Haskell, Elm and PureScript. Functional programming is characterised by a number of constraints:

  • Functions cannot access any variables other than their arguments and local variables, eliminating side effects
  • System state can only be affected via composed functions
  • Variables are immutable (this can be somewhat mind-bending for programmers transitioning from the traditional imperative programming paradigm)
  • Null references are not allowed and dealt with via Maybe or Option constructs

The result is claimed to be much more reliable and easily-maintained code; the first two of these restrictions also provide thread safety, which allows higher performance on modern multi-core processors. I guess that if you are re-tooling and moving to a new language anyway, this may be worth considering.

Scalfani, Charles, Why Functional Programming Should Be the Future of Software Development, IEEE Spectrum, 23 October 2022. Available online at https://spectrum.ieee.org/functional-programming.


Les Bell
by Les Bell - Monday, 14 November 2022, 8:43 AM

News Stories


NSA Wants to Finally Kill Buffer Overflows

The National Security Agency has produced a very useful information sheet with guidance for software developers to prevent and mitigate memory safety issues, which underlie the majority of exploitable vulnerabilities.

The most well-known memory safety problem is the buffer overflow, which can be used to place an attacker's code onto the stack and get it executed. But there are other problems, such as failing to balance the allocation and freeing of memory, leading to memory leaks, memory corruption via double-freeing or attempts to use memory after it has been freed.

The NSA wants to drive the adoption of memory safe languages which protect programmers (and their users) from these issues. Many of these languages, such as Java, C#, Ruby and Swift, are already popular for application programming, but we are now seeing the adoption of systems programming languages which offer similar advantages, such as Go and Rust. They also recommend the use of both static and dynamic application security testing tools.

The NSA's information sheet is written at a suitable level for senior managers and project managers - the people who are able to drive the selection of languages for development projects. Developers really should already know this stuff.

NSA Media Relations, NSA Releases Guidance on How to Protect Against Software Memory Safety Issues, press release, 10 November 2022. Available online at https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/.

Alleged Lockbit Ringleader Arrested

The US Department of Justice has unsealed a criminal complaint filed in the District of New Jersey, charging a dual Russian and Canadian national for his alleged participation in the Lockbit global ransomware campaign. Mikhail Vasiliev, 33, of Bradford, Ontario, is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands, and if convicted, faces a maximum of five years in prison.

According to court documents, Lockbit first appeared around January 2020, and has become one of the most active and destructive ransomware variants, having been deployed against as many as a thousand victims in the US and around the world. The Lockbit members have made at least $US100 million in ransom demands.

Vasiliev is currently in custody in Canada, awaiting extradition to the US, following a long investigation by the FBI Newark Field Office, Newark Cyber Crimes Task Force, with assistance from the FBI Atlanta Field Office, the FBI Pittsburgh Field Office, the FBI Miami Field Office, the FBI’s Legal Attaché-Ottawa, the Jersey City Police Department, the New Jersey State Police, the New Jersey Office of Homeland Security and Preparedness and the DoJ's Office of International Affairs.

DoJ Office of Public Affairs, Man Charged for Participation in LockBit Global Ransomware Campaign, press release, 10 November 2022. Available online at https://www.justice.gov/opa/pr/man-charged-participation-lockbit-global-ransomware-campaign.

Three Vulns in Popular Web Server

Palo Alto Networks' Unit 42 researchers have discovered three different vulnerabilities in the open source OpenLiteSpeed Web Server, and confirmed that these also affect the enterprise version, LiteSpeed Web Server. Together, these medium and high severity vulns can be chained to gain root privileges and remote code execution on the server - and with approximately 1.9 million instances of LiteSpeed Server on the Internet, the impact could be high.

The three vulnerabilities are

Unit 42 disclosed the vulnerabilities to LiteSpeed Technologies, which has released patches: version v1.7.16.1 for OpenLiteSpeed and version 6.0.12 for LiteSpeed. The fixes mainly improve some sanitization regular expressions as well as correct the setting of a PATH environment variable.

Avetisyn, Artur, Aviv Sasson, Ariel Zelivansky and Nathaniel Quist, Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server, blog post, 10 November 2022. Available online at https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/.



Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Most links within this post will lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study by our students. However, there are some references at the end.

Commentary

Rather than the usual short news items, today I intend to do a deep dive on the recent spate of ransomware breaches that has been reported in the media, with the intention of extracting lessons to be learned.


Optus, Medibank and Other Recent Australian Ransomware Breaches

[Image: the incident response cycle]

Australian media has become super-sensitized to the various ransomware attacks that have occurred here recently, generating extensive reporting. We have reported on a number of breaches:

  • Optus
  • Medibank
  • Harcourts Melbourne (a real estate agency)
  • PNORS Technology Group (a provider of services to various Victorian Government departments)
  • Medlab Pathology
  • A political site run on behalf of Senator James Paterson

Politicians have also leapt on the bandwagon, announcing increased fines for breaches, and every media outlet has featured commentary from 'experts' - not all of it particularly helpful. In line with the objectives for this blog, it is time to extract a few 'Lessons Learned' (which my course attendees will recognise as the last phase of the incident response cycle).

Lessons for Enterprises

Governance

The first and most obvious lesson is for the C-suite and Boards: by and large, you need to invest more in cybersecurity. There's an old saying in the aviation safety field: "If you think air safety is expensive, just wait until you have your first accident!".

Incident response is expensive - you usually need to bring in outside specialists to perform forensics and understand the breach, and you may need to engage with government agencies, which can be difficult to manage and require a lot of time from senior managers. Further down the track, there may well be mandatory disclosure, communication with affected customers, the provision of credit protection services, payments for replacement of identity documents and - of course - fines and judgements, including damages awarded in shareholder actions or class actions.

Cyber insurance will lessen the pain of some of this, but it will not cover all the costs and losses. In its accounts, Optus has set aside $140 million to cover the expected costs of its breach - far in excess of the likely ransom demand and probably in excess of proposed fines.

We have also seen a lot of cost-cutting over the last decade or more, as management and boards have sought increased efficiency and therefore profits (not to mention bonuses). The result, inevitably, is brittleness and especially a lack of resilience, as companies have found themselves severely stretched in responding to cybersecurity incidents, due to a lack of skilled staff and other resources. And of course, cost-cutting leads to inadequate controls, inadequate security education, training and awareness, and inadequate risk management more generally.

Data Retention

It is also important for executive management and boards to realize that personal information that has been collected but is not being used is not an asset - it is a liability. This applies especially to personal identity information which was used to verify the identity of an individual as part of account enrollment and identity proofing; once these have been used to resolve a claimed identity, they are no longer required and should be disposed of. Of course, there is a tension here with national security and counter-terrorism legislation which has required telcos, in particular, to retain this kind of information; its value is something that government needs to consider in the light of recent events.

Technical Measures

It seems that the initial compromise, in many of these cases, is a spear-phishing attack. We run education and awareness campaigns, as well as simulated attacks to test their effectiveness, but this clearly is not enough. We need to improve our authentication techniques, specifically requiring multi-factor authentication using time-based one-time passwords or, better still, security keys (FIDO U2F authentication).

Customer Authentication

Medibank, in particular, has been issuing bad advice to its customers on its advice page at https://www.medibank.com.au/health-insurance/info/cyber-security/staying-safe-online/. They suggest, for example, "changing your passwords regularly with 'strong' passwords". However, current good practice on passwords - technically known as "memorized secrets" - is quite well defined in NIST SP 800-63B section 10.2.1, which states:

"Do not require that memorized secrets be changed arbitrarily (e.g. periodically) unless there is a user request or evidence of authenticator compromise."

Simply put: we have long known that requiring or even suggesting frequent password changes just leads to users choosing weak passwords, such as using the same root word with an incremented number on the end.

Although it is awkward, I like the phrase "memorized secrets" for a number of reasons: first, because many authentication protocols never transmit the secret itself (CHAP is a good example), and second, because it takes the focus away from the word "password". We should be thinking in terms of passphrases, which can be much longer, increasing the work factor for attackers, but are also easier to memorize. A much better approach is to encourage users to come up with a good passphrase and then stick with it.

SP 800-63B also says:

"Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization"

A passphrase can be any personally-meaningful, -memorable or -valued phrase, such as a line from a poem or song, a book or movie title, or just a peculiar phrase such as "I wish I didn't have to go through this rigmarole just to change my Medibank password" (although the phrase "correct horse battery staple" should be blocked, for obvious reasons). Finally, Section 10.2.1 also says:

"Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets."

This is what is usually meant by the term 'strong password'. Unfortunately such rules simply make it hard or even impossible for users to select an appropriately memorable passphrase, encourage the selection of weak passwords and also reduce the brute-force attack space. Now, some off-the-shelf software might have these rules hard-coded, but most well-written software should allow customization, and internally-developed enterprise software should definitely comply with the NIST recommendations. This needs to be fixed.
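The three SP 800-63B points quoted above (no arbitrary expiry, at least 64 characters with spaces allowed, no composition rules), turned into verifier-side checks. This is an added example, not code from the original post, from Medibank or from NIST; the blocklist, the sample secrets and the context word "jsmith" are constructed, and the 256-character cap is an assumption (the standard only requires that at least 64 be accepted).

```python
"""Memorized-secret checks in the style of NIST SP 800-63B (sections 5.1.1.2
and 10.2.1). Added example: not code from the original post, Medibank or NIST.
The blocklist, sample secrets and context words are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import unicodedata

MIN_LENGTH = 8     # 800-63B 5.1.1.2: at least 8 characters for user-chosen secrets
MAX_LENGTH = 256   # assumption: must be at least 64; the cap only bounds hashing cost

# Constructed sample blocklist of commonly used, expected or compromised values.
# A real verifier would load a breached-password corpus here.
SAMPLE_BLOCKLIST = frozenset({
    "password", "password1", "123456", "qwerty", "letmein",
    "correct horse battery staple",  # the xkcd example: famous, hence predictable
})


def normalize(secret: str) -> str:
    """Unicode NFKC normalization as 800-63B recommends, then collapse runs of
    whitespace so a double space in a passphrase does not lock the user out."""
    return " ".join(unicodedata.normalize("NFKC", secret).split())


@dataclass
class CheckResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def check_memorized_secret(secret: str, blocklist=SAMPLE_BLOCKLIST,
                           context_words=()) -> CheckResult:
    """Accept or reject a user-chosen secret using only the checks 800-63B
    asks for: length, blocklist, and context-specific strings (service name,
    username). Deliberately NO composition rules: spaces and any characters
    are fine, and a long passphrase with no digits or symbols is accepted."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in blocklist:
        reasons.append("matches a commonly used or compromised value")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context-specific string {word!r}")
    return CheckResult(accepted=not reasons, reasons=reasons)


def legacy_composition_rule(secret: str) -> bool:
    """The 'strong password' rule the post argues against: at least 8
    characters drawn from at least three of four character classes. Kept only
    to show that it accepts predictable secrets and rejects good passphrases."""
    classes = [
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() and not c.isspace() for c in secret),
    ]
    return len(secret) >= 8 and sum(classes) >= 3


def legacy_change_due(last_changed: date, today: date, max_age_days=90) -> bool:
    """Calendar-driven expiry: the practice that produces the same root word
    with an incremented number on the end every quarter."""
    return today - last_changed >= timedelta(days=max_age_days)


def nist_change_required(user_requested: bool, compromise_evidence: bool) -> bool:
    """800-63B: change a memorized secret only on user request or on evidence
    of compromise (e.g. it turns up in a newly published breach corpus); the
    age of the secret plays no part."""
    return user_requested or compromise_evidence


if __name__ == "__main__":
    # Constructed candidates: a 'strong' password, the xkcd phrase, a long passphrase.
    for candidate in ["Password1", "correct horse battery staple",
                      "the quick brown fox has a really long passphrase and so should you"]:
        nist = check_memorized_secret(candidate, context_words=("jsmith",))
        print(f"{candidate!r}: NIST accepted={nist.accepted} {nist.reasons}; "
              f"legacy rule accepted={legacy_composition_rule(candidate)}")
```

Run as a script, it shows the two policies disagreeing on every candidate: the legacy rule accepts "Password1" and rejects the 66-character passphrase, while the 800-63B checks do the opposite.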

There is a lot more detailed and useful guidance in NIST's four-volume Digital Identity Guidelines (see https://pages.nist.gov/800-63-3/); I am always amazed how many security professionals are not aware of them - or worse, are aware of them but have never read them.

Another way of reducing or eliminating the cognitive load of generating and remembering passphrases is to support federated identity management where appropriate. Allowing users to rely on Google, Microsoft and other identity providers eliminates the need for yet another passphrase, and also eliminates the need for a password hash to be stored which, if compromised, could be used for dictionary or rainbow tables attacks. We can also encourage customers to set up multi-factor authentication on their identity provider account, further increasing their security.

In the longer term, of course, we need to ensure that enterprise applications support multi-factor authentication - and by this I mean the use of a time-based one-time password (TOTP) token or FIDO U2F security keys, or, in some cases, biometric techniques, although these are more commonly used for physical access control. Note: the use of mTANs (mobile transaction authentication numbers - six-digit codes sent by SMS to the customer's phone) is now deprecated, because mobile phone numbers can be ported and the SMS messages can also be diverted by attacks on the SS7 protocol used in telco networks.

By using a second factor which has a much larger keyspace, we reduce the dependence on long, strong passphrases. Ultimately, of course, we should aim to eliminate the passphrase altogether through the use of cryptographic techniques such as FIDO authentication (commonly known as passkeys).

And yes - customers could use password safes to take care of all this, but the evidence is that most do not and we should not make it their problem.

Employee Authentication

While some of the above may not be feasible for customers, it is certainly so for employees - remember, it is the capture of employee credentials that gives rise to most breaches - particularly when the enterprise can easily carry the cost of providing hardware tokens or security keys, as well as providing appropriate training.

For privileged levels of access to browser-based cloud-hosted applications, consideration should be given to the use of thin clients such as Chromebooks in order to reduce the risk of compromise by infostealers.

Of course, by enabling multi-factor authentication and transitioning to cryptographic techniques, we will simply encourage attackers to switch to cookie-stealing and Adversary-in-The-Middle attacks, so we will also need to lift our game there as well.

Access Control and Architecture

The other side of this particular coin is authorization, or access control. We need to pay closer attention to the principle of least privilege, so that we can limit the impact of information exfiltration to just a subset of customers, or a subset of their records. Security architects need to re-familiarize themselves with security models and access control models, in order to restrict access on a need-to-know basis. Healthcare information, for example, is often best dealt with by a role-based access control model, although I am not suggesting that that was, or was not, the case in the breaches considered here.

We also need to do better in the transition to cloud-hosted systems. In at least one case here, it seems that data was obtained from inadequately-secured Amazon S3 buckets - a far too common occurrence. Architects should be making use of network segmentation and microsegmentation as well as functionality like cloud access security brokers to further secure cloud-hosted applications.

It is also obvious that in at least some cases, victims were unaware of information exfiltration, suggesting a need to improve network egress filtering and intrusion detection systems.

In short, we need to stop playing whack-a-mole with adversaries on a vulnerability-by-vulnerability and exploit-by-exploit basis and start engineering security into our systems via good security architecture and a culture which values secure programming and administration practices.

Crisis Management and Communications

The first phase of the incident response cycle is planning and preparation. This means having in place policies and procedures, including customized playbooks for incident response. These should provide guidance as to when an incident should be escalated to executive management, as well as what information should be disclosed, and when, in public communications.

It is clear that Medibank was caught wrong-footed here, initially believing that the breach was confined to simple encryption of records. Only when informed by the Australian Cyber Security Centre did they discover that information had been exfiltrated, and even then, they believed that the damage was limited to a subset of their customers. It is clear that the top priority in incident response should be the detection and analysis phase, executed simultaneously with containment, before any measured public statements are made.

Having to make a series of statements, disclosing increasing levels of severity in the breach, can look like incompetence or, even worse, a cover-up, and will damage consumer confidence leading to lost customers. Medibank may be counting on the high costs of switching health insurance providers to limit the damage here, but Optus has certainly seen the effect, despite having done a better job with their initial disclosure.

It is also important to be direct and clear in communication with customers. A good example is the letter which Medlab Pathology sent to their affected customers, which started out explaining in general terms the nature of the breach, the wonderful actions the company had taken, etc. However, the specific customer information which had been stolen was not revealed until a "Questions and Answers" page near the end of the letter. We know that reader attention flags as they read, and many readers are likely to completely skip an FAQ-style page which they expect to contain the usual platitudes about changing passwords, being aware of scams, etc.

It is understandable that managers may want to downplay the impact of a breach, but starting out by praising yourselves for your response before revealing the damage to the customer is not a good look. More planning and preparation for crisis communications would avoid this kind of error.

Lessons for Government

Immediate Response

The response by Australian Government agencies - specifically, the Australian Federal Police and Australian Signals Directorate - seems to have generally been effective, at least in terms of attributing the Medicare breach. As we learned from the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) via the recent International Counter Ransomware Initiative Summit, roughly 75 percent of the ransomware-related incidents reported during the second half of 2021 pertained to Russia-related ransomware variants, so the odds were always on it being a Russian ransomware operator here.

Attribution is one thing; prosecution is quite another. In the culture of Putin's Russia, it is seen as patriotic to commit cybercrime against Western countries; the payment of ransoms via cryptocurrencies bypasses banking sanctions and brings in cash to the Russian economy. Besides, this revenue can be used to further improve the country's offensive cyber capabilities, as we saw with the deployment of the NotPetya wiper against Ukraine, and if it uncovers information that might be strategically useful, so much the better. And so the Russian government turns a blind eye to the activities of ransomware and other cybercrime groups, and is unlikely to pay more than lip service to Australian requests for assistance in extradition and prosecution.

With this in mind, the Australian cybersecurity minister, Clare O'Neil, and the attorney general, Mark Dreyfus, have announced a joint standing operation against cybercriminal syndicates, which will involve around 100 officers from the AFP and ASD in an offensive security, 'hack back' operation against the ransomware operators. This approach is, of course, not available to other government agencies and private sector enterprises, who must focus on defensive techniques - but ASD has had considerable success in the past, particularly in counter-terrorism operations.

This approach is not without its risks, however. Russian strategic thinking, particularly its 'information confrontation' concept, means that "the Kremlin views control over its domestic information space as essential to their security - a threat to the information space might be perceived as a threat to state sovereignty" (Hakala and Melnychuk, 2021). An attack on Russian citizens could be met with an escalated response, with Australia becoming a favoured target for both directly state-sponsored and freelance groups within Russia. In other words, it's definitely time to batten down the hatches.

Another question is whether other countries will join in this response; I really cannot see Australia going it alone here.

Ransom Payment

There is no doubt that the increasing prevalence of ransomware attacks, and the increasing demands in each case (usually around $US 1.00 per record) have made the ransomware business an attractive one for criminals. Not only that, the exponentially increasing revenues have made it possible for ransomware groups to buy or develop 0day exploits and also to polish up their post-exploitation tools, in part to evade detection and also to make them easier to use. This has led to the development of the Ransomware-as-a-Service model, as well as the emergence of initial access brokers, who will perform the initial exploitation of a victim, drop a loader or backdoor, and then on-sell the victim to a ransomware operator (or someone else, if they can).

All of this makes it hard to argue against the proposition that one should never acquiesce to a ransom demand. This argument says that, for the common good, we should cut off the funding to the ransomware groups. If nobody pays, their business model is broken, their revenue stream will dry up, and they will move on (though where to remains an open question). Furthermore, the argument goes, we should unburden business of the ethical dilemma inherent in the payment decision by legislating to make ransomware payments illegal.

This is all true, but it breaks down in reality. Firstly, individual businesses may make a calculated - and quite rational - decision that the ransom payment is much less than the downstream damage that would be inflicted by non-payment. Furthermore, cyber insurance has a distorting effect in this market; not only will it cover the cost of the ransom, it will also take care of the logistics of payment. And historically, in many cases, the ransomware operator, wishing to preserve their business model, will in return provide a key to unlock encrypted data and will delete exfiltrated data, rather than publishing it.

But more to the point, the common good will in many cases be far outweighed by the individual damage caused by disclosure of highly-sensitive personal information. Politicians, realising the potential public relations disaster here, have so far refrained from the blunt instrument of legislative prohibition of ransomware payments. I'm just glad it's not my decision.

Increased Fines for Privacy Breaches

Which brings us to the other legislative response to these breaches: an increase in fines for breaches of the Privacy Act. In a media statement Attorney-General Mark Dreyfus stated that

"existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour".

"The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:

    • $50 million
    • three times the value of any benefit obtained through the misuse of information; or
    • 30 percent of a company's adjusted turnover in the relevant period."

That might focus the attention of boards and C-suites, and will doubtless meet with the approval of the public. It might even result in CISO's getting a more sympathetic hearing when budget review time comes around, with increased spending in . . . well, some areas of security efforts.

However, while fines are an effective deterrent to bad behaviour, they do not encourage good behaviour. And it is doubtful whether they would have much effect at the lower levels of an enterprise. For example, one theory - and this is really speculation - about the Optus breach is that information was exfiltrated via an accidentally-exposed API endpoint which did not require authentication. Now, I doubt that a deep investigation into this would reveal a developer, security architect or network administrator who acted with criminal intent. Far more likely, it is the result of oversight, or one of the many varieties of human error.

There is a massive opportunity here to take the work of Prof. James Reason (1990, 1997) in aviation and industrial safety, and apply it to cybersecurity culture among IT professionals. Reason also has a lot to say which is applicable to security culture more generally.

Of course, my earlier comments about cost-cutting and brittleness apply here, too. Enterprises need to start investing in education in security for their architects and developers, in order to build resilient systems with far fewer vulnerabilities.

Lessons for Consumers

It's not your fault

It's as simple as that. In all the cases discussed here, the privacy breach was not a result of anything a customer did, or did not, do. While the companies involved have contacted their customers with the usual advice - mostly platitudes such as watch for scams, change your passwords, change your passwords regularly, etc. - that horse has well and truly bolted, leaving the stable door banging in the breeze. It's also a bit rich for such advice to be offered by companies who could not themselves prevent egregious breaches.

I do not intend to preach to consumers here. Those who have read this far already know what to do, better than the companies they trusted.

Summary

My concern here is with how companies can raise their game, as politicians, journalists and the public clearly expect them to do, and I have set out to provide some clear advice. But to summarize:

  • Executive management and boards need to realize that an ounce of prevention is far better than a pound of cure
  • Companies need to improve authentication practices for both their internal staff as well as for customers before lecturing the latter
  • Companies need to invest more in good security architecture, specifically access control and resilience
  • Companies need to respond faster to incidents, expect data to have been exfiltrated, and perform thorough analysis before making any public statements
  • Politicians need to wield a big stick - but only as a last resort

References and Further Reading

Hakala, Janne, and Jazlyn Melnychuk, Russia's Strategy in Cyberspace, NATO Strategic Communications Centre of Excellence, June 2021. Available online at https://stratcomcoe.org/cuploads/pfiles/Nato-Cyber-Report_15-06-2021.pdf.

Reason, J., Human Error, Cambridge University Press, 1990.

Reason, J., Managing the Risks of Organizational Accidents, Ashgate Publishing Limited, 1997.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

[ Modified: Saturday, 12 November 2022, 6:46 PM ]
 
by Les Bell - Friday, 11 November 2022, 8:47 AM


News Stories


IceXLoader Rapidly Evolves

Minerva Labs is reporting yet another new version of the IceXLoader loader, which was first discovered last June by FortiGuard. That initial version (v3.0) seemed incomplete, but Minerva recently observed a much more polished version 3.3 which is fully functional and provides a multi-stage malware delivery chain to its criminal customers.

IceXLoader is delivered in the form of a ZIP file which carries a first-stage executable as well as its configuration in the resources. When run, this creates a new folder and then drops the next stage, a .NET downloader called STOREM~2.EXE, into it. At this stage, the machine reboots, executes the next stage and cleans up the folder it just used.

This stage downloads a .PNG file, converts it into a dynamic link library and then executes it in a new thread. This DLL then decrypts the IceXLoader itself, checks that it is not running inside the Microsoft Defender sandbox, delays briefly - again to evade sandbox detection - and finally injects the loader into a new process.

Once the loader is running, it enumerates some system information and uploads it to the C2 server, makes multiple copies of itself and creates registry entries to ensure it persists. Minerva's report provides further details, including IOC's.

Zargarov, Natalie, New updated IceXLoader claims thousands of victims around the world, blog post, 8 November 2022. Available online at https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/.

Cozy Bears Roaming Through Diplomatic Network

A new report from Mandiant describes how Russian state threat actor APT29, a.k.a. Cozy Bear, was able to compromise a European diplomatic organization, gaining initial access through a spear-phishing attack and then possibly pivoting within the organization by exploiting a little-known feature of Active Directory.

While observing the threat actors' behaviour on the victim network, Mandiant observed numerous very strange LDAP queries on the Active Directory domain. LDAP queries are often used for credential gathering, but these were querying an unusual property: {b7ff5a38-0818-42b0-8110-d3d154c97f24}, or the ms-PKI-Credential-Roaming-Tokens attribute. Credential Roaming was introduced in Windows Server 2003 SP1, in order to allow certificates and other credentials to 'roam' with the user. Without this, users would not be able to use features such as S/MIME email encryption, since logging in to multiple devices would generate multiple certificates.

By reverse-engineering the binary structure of the attribute and how it is stored when received, Mandiant was able to identify a directory traversal vulnerability, exposed by a failure to properly sanitize the file path. If an attacker can control the ms-PKI-Credential-Roaming-Tokens attribute, they can add a malicious Roaming Token entry and thereby write an arbitrary number of bytes to any file on the system, restricted only by the length of the pathname.

The vulnerability was reported to Microsoft and a patch released in September.

De Berlaere, Thibault Van Geluwe, They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming, blog post, 8 November 2022. Available online at https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming.

New Vulnerability Categorization Methodology

Readers will be familiar with the CVSS scheme for scoring the severity of vulnerabilities. However, a vulnerability management program needs to combine the CVSS (Common Vulnerability Scoring System) score - and elements of its string - with enterprise-specific information, such as the existence of mitigating controls, the value of impacted assets, the cost of possible disruption caused by the deployment of untested patches and other factors in order to prioritize the application of patches to systems or other defensive actions that could be taken.

The US Cybersecurity & Infrastructure Security Agency has released its approach to this problem, in the form of its Stakeholder-Specific Vulnerability Categorization (SSVC) methodology, which was developed in conjunction with the Software Engineering Institute at Carnegie-Mellon. This methodology is intended for use by all levels of government as well as critical infrastructure entities.

The methodology takes into account factors such as evidence of active exploitation, technical impact (already covered by CVSS), whether the exploit is automatable, vulnerability impact on mission-essential functions, mitigation status and the impact on public well-being. As these factors are assessed, they are used to select the appropriate branches of a decision tree, which will terminate in one of four vulnerability scores:

  • Track - no action required at this time, but reassess as new information becomes available
  • Track* - the vulnerability has characteristics that require closer monitoring for changes
  • Attend - requires action from internal supervisory-level individuals, such as requesting assistance, publishing a notification or remediation sooner than the standard update timelines
  • Act - requires action from supervisory-level and leadership-level individuals, including determination of remediation actions as soon as possible

CISA has developed an online SSVC calculator, called Dryad, which will walk a user through the decision tree and can display it - useful for documenting decisions. A stored decision can also be updated later.

This methodology is not universally applicable, and does not provide particularly granular guidance in patch prioritization. However, it is an interesting approach which could be adapted by enterprises to suit their particular environment and circumstances.

Uncredited, Stakeholder-Specific Vulnerability Categorization, web page, November 2022. Available online at https://www.cisa.gov/ssvc.


 
by Les Bell - Thursday, 10 November 2022, 9:37 AM


News Stories


Medibank Breach, Cont. . .

The Medibank saga continues to drag on; yesterday's posting of around 2.5 GB of data has been followed by more overnight. Yesterday's 'nice' list turned out to contain people who had received treatment for the usual conditions of old age, with the oldest being 105, while the 'naughty' list contained information about approximately 100 individuals who had undergone treatment for drug or alcohol abuse, or for mental health conditions. There has been at least one confirmation from an affected individual that the data is real.

The second upload seems to indicate that the cybercriminals involved are not interested in collecting individual ransoms, but are simply going to create as much damage as they can. We shall have much more to say on this and similar breaches. . .

Amadey Bot Distributes LockBit 3.0

The Amadey Bot infostealer and backdoor has been circulating since at least 2018, typically installing either GandCrab ransomware or the FlawedAmmyy remote access trojan. Now AhnLab Security Emergency Response Center reports that attackers are using it to install LockBit 3.0.

The Amadey Bot malware itself is being distributed in two ways: first via an infected Word file which downloads another file containing a malicious VBA macro, and second via a binary executable that carries the Word program icon.

For the first technique, if the user is duped into enabling content in Word, the VBA macro installs a malicious shortcut and then runs it, causing a PowerShell command to download and run Amadey Bot itself. The executable for the second technique masquerades as a file called Resume.exe (the default Windows behaviour of suppressing filetype extensions is a big problem here), which carries Amadey directly.

Once running, Amadey Bot connects to a C2 server, sends some system information and then waits for commands, which will usually download Lockbit as either a PowerShell script or as a binary. ASEC's analysis provides a description and IOC's.

Uncredited, LockBit 3.0 Being Distributed via Amadey Bot, blog post, 8 November 2022. Available online at https://asec.ahnlab.com/en/41450/.

New Branch of APT41 Targets Asia, Ukraine

Researchers at Trend Micro are reporting on a new subgroup of the Chinese state-supported APT41 (Double Dragon), which they have christened Earth Longzhi, and which is targeting government, defense, aviation, insurance and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan and Ukraine. APT41 divides its efforts between state-sponsored cyberespionage and financial crime for profit.

Earth Longzhi was initially identified in early 2022, but analysis of TTP's and code similarities suggests the group has been active since 2020. Their attacks start with a spear-phishing campaign, promising scandalous information about a person, to deliver their malware, either via a link or via a password-protected archive file. The first stage is a custom Cobalt Strike loader. Several generations of loaders have appeared; the first one was called Symatic Loader, and used a variety of antiforensics techniques.

The later campaign saw Earth Longzhi deploy several different custom loaders, which Trend Micro has christened CroxLoader, BigpipeLoader and OutLoader, and some of these have multiple variants, suggesting the group is actively developing their tools. Post-exploitation, they also use customized tools based on some open-source projects, such as a set of standalone binaries based on Mimikatz modules.

Hiroaki, Hara and Ted Lee, Hack the Real Box: APT41's New Subgroup Earth Longzhi, blog post, 9 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html.


 
by Les Bell - Wednesday, 9 November 2022, 8:59 AM


News Stories


Exfiltrated Medibank Data Posted Online

As we expected, shortly after midnight the BlogXX ransomware group began posting what appears to be client data from the Medibank attack, in two lists titled "good-list" and "naughty-list" on their blog.

"Looking back that data is stored not very understandable format [table dumps] we’ll take some time to sort it out," the group said. "We’ll continue posting data partially, need some time to do it pretty."

The group also posted what seem to be screenshots of messages they had exchanged with Medibank representatives.

I expect the next shoe to drop will be extortion demands on individual Medicare customers, although it's possible the attackers might settle for just enjoying the drama they have created.

AAP, Group claiming to be Medibank hackers start posting client data on dark web, The Guardian, 8 November 2022. Available online at https://www.theguardian.com/australia-news/2022/nov/09/group-claiming-to-be-medibank-hackers-start-posting-client-data-on-dark-web.

Security Professionals As Bad As Everyone Else

At the RSA Conference each year, NetWitness and Cisco run a Security Operations Center (SOC) as an educational exhibit, with NetWitness monitoring the traffic on the wireless network and Cisco providing automated malware analysis, threat intelligence, DNS visibility and intrusion detection. The goal is to educate conference attendees about what happens on a typical wireless network, running daily SOC tours and a conference session.

Cisco has now published a report on their findings, and it does not make happy reading, with the SOC capturing 55,525 cleartext passwords from 2,210 individual accounts. While many of these were probably demo accounts used by systems on the trade show floor, and a lot of credentials were leaked by devices running SNMP versions 1 and 2, there was an alarming number of unencrypted authentication exchanges with mail gateways, primarily on the domains of small and medium enterprises. It seems the best thing many small businesses could do to secure their email is to outsource its operation to a service like Google Workspace or Microsoft Outlook - they can do a much better job.

Perhaps the most egregious failure was by the CISO of a public corporation who paid the annual maintenance fee of his CISSP certification and received the receipt over a completely unencrypted session to his open-source Android email client. The SOC personnel had to alert the CISO to the problem and walk him through TLS configuration for his email client. Tsk, tsk.
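The cleartext mail logins the SOC saw are exactly the kind of thing a network monitor can flag from the first few lines of a session: an IMAP LOGIN, an SMTP AUTH PLAIN or a POP3 USER/PASS pair sent before any STARTTLS means the credential crossed the wire unprotected. The following is an added example, not code from Cisco, NetWitness or the report; the session transcripts, account names and passwords are constructed for illustration, and the prefixes "C:" and "S:" stand for client and server lines as a capture tool might render them.

```python
import base64
import re

# Implicit-TLS ports: a monitor sees only ciphertext, so no cleartext login is possible.
IMPLICIT_TLS_PORTS = {465, 993, 995}


def plain_token(authzid, authcid, passwd):
    """Build the base64 initial response of SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()


# Constructed session transcripts keyed by a label: (destination port, lines).
SESSIONS = {
    "imap-clear": (143, [
        "S: * OK IMAP4rev1 ready",
        "C: a1 LOGIN alice@example.com hunter2",
        "S: a1 OK LOGIN completed",
    ]),
    "imap-starttls": (143, [
        "S: * OK IMAP4rev1 ready",
        "C: a1 STARTTLS",
        "S: a1 OK Begin TLS negotiation now",
        # anything after this point is encrypted and invisible to the monitor
    ]),
    "smtp-clear": (587, [
        "S: 220 mail.example.net ESMTP",
        "C: EHLO laptop",
        "S: 250-mail.example.net",
        "S: 250 AUTH PLAIN LOGIN",
        f"C: AUTH PLAIN {plain_token('', 'bob@example.net', 'password123')}",
        "S: 235 2.7.0 Authentication successful",
    ]),
    "pop3-clear": (110, [
        "S: +OK POP3 ready",
        "C: USER carol",
        "S: +OK",
        "C: PASS letmein",
        "S: +OK Logged in",
    ]),
}

# IMAP: "<tag> LOGIN <user> <password>"
IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) \S+$", re.IGNORECASE)


def find_cleartext_credentials(port, lines):
    """Return [(protocol, account)] for every credential sent in the clear before STARTTLS/STLS."""
    if port in IMPLICIT_TLS_PORTS:
        return []
    findings = []
    pop_user = None
    for line in lines:
        if not line.startswith("C: "):
            continue                      # only client commands carry credentials
        cmd = line[3:]
        upper = cmd.upper()
        if upper in ("STARTTLS", "STLS"):
            break                         # session is encrypted from here on
        m = IMAP_LOGIN.match(cmd)
        if m:
            findings.append(("IMAP", m.group(1)))
            continue
        if upper.startswith("AUTH PLAIN "):
            # Decode the initial response to recover the authentication identity (the password is not kept).
            token = cmd.split(None, 2)[2]
            try:
                parts = base64.b64decode(token, validate=True).split(b"\0")
                account = parts[1].decode(errors="replace") if len(parts) == 3 else "?"
            except ValueError:
                account = "?"
            findings.append(("SMTP", account))
            continue
        if upper.startswith("USER "):
            pop_user = cmd.split(None, 1)[1]
            continue
        if upper.startswith("PASS ") and pop_user:
            findings.append(("POP3", pop_user))
    return findings


def audit(sessions):
    """Run the check over every captured session; the result names who must rotate credentials."""
    return {name: find_cleartext_credentials(port, lines) for name, (port, lines) in sessions.items()}


if __name__ == "__main__":
    for name, hits in audit(SESSIONS).items():
        print(f"{name}: {hits or 'no cleartext credentials seen'}")
```

The check deliberately records only the account name, never the password, so the alert itself does not become a second copy of the leaked secret. Multi-step exchanges such as SMTP AUTH LOGIN are not decoded here; a production monitor would track those too.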

Bair, Jessica, RSA Conference® 2022 Security Operations Center Findings Report, blog post, 3 November 2022. Available online at https://blogs.cisco.com/security/rsa-conference-2022-security-operations-center-findings-report.

Microsoft Surveys Threat Landscape

With its Digital Defense Report 2022, Microsoft has provided an excellent CISO-level overview of the threat landscape, broken into five sections.

Key takeaways:

  • Cybercrime is increasing as the availability of hacking tools and services lowers the skill barrier to entry, with ransomware and extortion growing more audacious
  • Nation state actors are increasingly targeting critical infrastructure, either as a component of hybrid warfare or, as China is doing in SE Asia, to gain intelligence and competitive advantage
  • Both cybercriminals and nation states are moving to take advantage of vulnerabilities in IoT and OT devices, with a five-fold increase in attacks on remote management devices over the previous year
  • Russia, Iran and China employed sophisticated influence operations to distribute propaganda and impact public opinion to extend their global influence
  • The move to hybrid work has required a pivot in security practices, but the vast majority of successful cyberattacks could be prevented by using basic security hygiene

There are lots of other useful snippets and more than a few lessons in the report.

Uncredited, Microsoft Digital Defense Report 2022, technical report, November 2022. Available online at https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report.



by Les Bell - Tuesday, 8 November 2022, 8:55 AM


News Stories


Medibank Won't Pay; BlogXX Counters

Shortly before the ASX opened on Monday, health and general insurer Medibank, subject of one of Australia's largest ransomware attacks, announced that it would not pay a ransom to the attacker responsible. Citing advice received from experts, the company stated,

"we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target".

Whether that will turn out to be the case remains to be seen; in the similar Vastaamo case in Finland, the ransomware operator turned to extorting individual patients only after the company refused to pay. In any case, there is general agreement that paying ransomware operators only funds an expansion of their activity, while refusal to pay would destroy their business model.

Either way, this is not good news for any of the 9.7 million affected customers, for whom the ordeal now drags on - but perhaps not for much longer. A successor to REvil/Sodinokibi called BlogXX is apparently claiming credit for the breach and is now threatening to release the data, according to MalwareHunterTeam.

MalwareHunterTeam, "The BlogXX ransomware gang just listed Medibank . . .", tweet, 7 November 2022. Available online at https://twitter.com/malwrhunterteam/status/1589596026926923776.

Uncredited, Cyber event updates and support, information page, 7 November 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.

Useful Guide to Creating Incident Response Playbooks

Those who have been through the stress of responding to a cybersecurity incident know that planning and preparation are key; an effective response cannot tolerate the delays of figuring things out from first principles in the heat of the moment. While many incident response teams start off with a small set of canned playbooks, such as those available from the Incident Response Consortium at https://www.incidentresponse.org/playbooks/, these inevitably lag behind the latest developments in the threat landscape and, perhaps more importantly, do not reflect the network environment, assets and resources of a specific organization.

A new guide from Trend Micro provides a catalogue of example playbooks and templates to suit specific industries and different phases of the incident response cycle. The accompanying article also provides some tips on the selection of an incident response service provider.

LaFleur, Chris, Incident Response Services & Playbooks Guide, blog post, 7 November 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/i/incident-response-services.html.

Robin Banks Steals Cookies

MSSP IronNet first reported on the Robin Banks Phishing-as-a-Service (PhaaS) platform back in July 2022. At that time, the new group was selling phishing kits to other groups who would use them to run social engineering scams, primarily targeting the financial services sector in the US, UK, Canada and Australia. For somewhere between $US50 and $US300 per month, a customer got access to a customisable phishing front end which could detect bots and divert them to a CAPTCHA landing page, plus a user-friendly management interface where they could access captured credentials or have them sent immediately to their personal Telegram channel.

Following that initial report, Cloudflare terminated its services to Robin Banks, disrupting their operations. But now the actor has retooled, shifting their infrastructure to DDOS-GUARD, a well-known Russian provider which hosts a number of phishing sites and criminal content, as well as hosting content for Qanon and 8chan. They have also upped security, requiring their customers to use two-factor authentication in order to access captured credentials, and creating their own private Telegram channel.

The group has also broadened its targets slightly, making use of the evilginx2 Adversary-in-the-Middle reverse proxy engine to steal login session cookies, thereby bypassing 2FA. The initial release of this feature has front-ends for Google, Yahoo and Outlook, and costs customers $US1,500 per month. IronNet's analysts show that Robin Banks' systems are mostly adapted from existing open-source code.

IronNet Threat Research, Robin Banks still might be robbing your bank (part 2), blog post, 3 November 2022. Available online at https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2.

Flight Services Company Jeppesen Restores Services

On 2 November, aviation services company Jeppesen experienced a cyber incident which caused an outage affecting some of its services. Jeppesen and its sister company Foreflight, which are both owned by Boeing, provide instrument approach plates, en-route charts and other documentation used by airlines and general aviation worldwide for flight planning and in-flight navigation. One particularly important service which was affected was their NOTAM (Notices to Airmen) service, which distributes notifications of airspace restrictions, runway closures and other essential information; however, following a comprehensive scan and forensic investigation this service has now been fully restored, with other services to follow.

In days of old, Jeppesen shipped huge leather binders full of bible-thin chart pages which pilots lugged around in their flight bags, and which needed to be updated and re-collated on a fortnightly basis, a tedious and time-consuming process. Since the advent of tablets, these have been replaced by a continuously-updated app on an iPad; however, one can't help wondering if some pilots long for the bad old days now that the service has been shown to be vulnerable, like everything else in the cyber-world.

Uncredited, Statement re cyber incident, home page update, 5 November 2022. Available online at https://ww2.jeppesen.com/.



by Les Bell - Monday, 7 November 2022, 8:50 AM


News Stories


Ransomware Strike on Vic Govt Service Provider

A ransomware group has breached tech services company PNORS Technology Group, which counts a number of Victorian government departments among its over 1,000 clients. Two of its businesses, Datatime and Netway, were victims of an attack on 3 November. "The impacted PNORS Technology Group businesses deal with document and data capture, digital conversion and managed IT support for a number of external clients, including government departments", said CEO Paul Gallo.

"Initial investigations by cyber security experts indicated this incident was limited to systems being encrypted and locked. However, overnight the criminals behind the cyber attack released to the company, in a private communication, a sample of what is believed to be stolen data".

Investigations by PNORS, the Victorian Department of Premier and Cabinet and their hired consultants are continuing, with further notifications expected as the extent of the breach is uncovered. A hint from Captain Obvious: the file encryption phase of a ransomware attack is impossible to miss; the exfiltration phase is easy to miss, especially since it often happens well before the encryption.

Murray-Atfield, Yara, Technology group providing services to Victorian government departments hit by cyber attack, ABC News, 5 November 2022. Available online at https://www.abc.net.au/news/2022-11-05/pnors-technology-group-data-security-incident/101620900.

UK Government Scans UK-hosted Systems

The UK's National Cyber Security Centre has instituted a program of scanning all internet-accessible systems that are hosted within the UK for common or high-impact vulnerabilities. The scan, which is regularly performed "using standard and freely available network tools", is fairly non-intrusive, looking at returned version numbers and the contents of HTTP response headers and payloads, and not delivering exploit code. The intention is to build an overview over time of the country's vulnerability exposure.

All scans are performed from just two cloud-hosted IP addresses:

  • 18.171.7.246
  • 35.177.10.231

which have both A and PTR records for scanner.scanning.service.ncsc.gov.uk. HTTP request headers will also contain the line

X-NCSC-Scan: NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information

System owners can opt out of being scanned, although I can't see much reason to do so. Typical home networks, behind NATting routers, will not be scanned, of course.
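Because NCSC publishes the two source addresses, the forward-confirmed PTR name and the request header, a system owner can separate genuine NCSC scans from anything merely claiming to be one when reviewing web-server logs. The following is an added example, not code from NCSC or the page; the log lines are constructed, and the DNS lookups are simulated by an in-memory map (in practice one would use socket.gethostbyaddr and socket.gethostbyname) so the example runs offline. Only the source IP, host name and header value come from the article.

```python
import re
from collections import Counter

# Published by NCSC (as reported above): scanner source addresses, the name they resolve to,
# and the header value every scan request carries.
NCSC_SCANNER_IPS = {"18.171.7.246", "35.177.10.231"}
NCSC_SCANNER_HOST = "scanner.scanning.service.ncsc.gov.uk"
NCSC_HEADER_VALUE = "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"

# Constructed stand-in for DNS. 203.0.113.9 has a PTR pointing at the NCSC name but no matching
# A record, which is what a spoofed reverse entry looks like.
FAKE_DNS = {
    "A": {NCSC_SCANNER_HOST: {"18.171.7.246", "35.177.10.231"}},
    "PTR": {
        "18.171.7.246": NCSC_SCANNER_HOST,
        "35.177.10.231": NCSC_SCANNER_HOST,
        "203.0.113.9": NCSC_SCANNER_HOST,
    },
}


def fcrdns_matches(ip, expected_host, dns=FAKE_DNS):
    """Forward-confirmed reverse DNS: the PTR must name expected_host AND that host's A records must include ip."""
    ptr = dns["PTR"].get(ip)
    if ptr != expected_host:
        return False
    return ip in dns["A"].get(ptr, set())


# Constructed access-log lines: Apache common log format followed by the X-NCSC-Scan request
# header logged with %{X-NCSC-Scan}i ("-" when the header is absent).
LOG_LINES = [
    '18.171.7.246 - - [05/Nov/2022:02:14:07 +0000] "GET / HTTP/1.1" 200 5120 '
    '"NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"',
    '203.0.113.9 - - [05/Nov/2022:02:15:11 +0000] "GET /login HTTP/1.1" 200 812 '
    '"NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"',
    '198.51.100.77 - - [05/Nov/2022:02:16:33 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-"',
    '35.177.10.231 - - [05/Nov/2022:02:17:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ncsc>[^"]*)"$'
)


def classify(line, dns=FAKE_DNS):
    """Label one log line: verified NCSC scanner, unverified claim via header, or other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None)
    ip = m.group("ip")
    # Source identity is the deciding factor; the header alone is trivially copied by anyone.
    if ip in NCSC_SCANNER_IPS and fcrdns_matches(ip, NCSC_SCANNER_HOST, dns):
        return ("ncsc-scanner", ip)
    if m.group("ncsc") == NCSC_HEADER_VALUE:
        return ("claims-ncsc-unverified", ip)
    return ("other", ip)


def summarize(lines, dns=FAKE_DNS):
    """Count lines per label so verified scans can be filtered out of alerting while claims are kept."""
    return Counter(classify(line, dns)[0] for line in lines)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(classify(line))
    print(dict(summarize(LOG_LINES)))
```

Treating verified scanner traffic as benign noise while keeping the header-only class visible gives the SOC the useful signal: a request carrying the NCSC header from an address that is not one of the two published sources deserves a look, not a whitelist entry.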

National Cyber Security Centre, NCSC Scanning information, information page, 1 November 2022. Available online at https://www.ncsc.gov.uk/information/ncsc-scanning-information.

Hacktivist DDoS Attacks More Bark Than Bite, Says FBI

According to a Private Industry Notification released by the FBI, distributed denial of service attacks by hacktivists actually "have minimal operational impact on victims; however hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service".

According to the FBI, the targets of such DDoS attacks are selected precisely because of their greater perceived, as opposed to actual, impact; financial institutions, health and medical facilities, emergency services, airports and government facilities are common targets. DDoS attacks are popular with hacktivists because they require little technical knowledge, but allow the attackers to claim responsibility and 'talk up' the attack on social media, possibly recycling information that was exfiltrated in earlier attacks in order to build credibility.

FBI Cyber Division, Hacktivists Use of DDoS Activity Causes Minor Impacts, Private Industry Notification 20221104-001, 4 November 2022. Available online at https://www.ic3.gov/Media/News/2022/221104.pdf.

