Les Bell and Associates Pty Ltd

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

RAT Threat Actor Impersonate Popular Software Download Sites

An increasingly common tactic by threat actors is creating fake download sites for popular software. Copying a web site can be done with just a few commands and a little editing, and a trojaned version of a popular program can easily be created by repackaging the original with the addition of an infostealer, backdoor or remote access trojan. From there, a small investment in Google advertising will ensure that the fake site appears at the top of a search for a software download.

Latest to adopt this tactic are the threat actors behind the RomCom remote access trojan, who have cloned the download sites for the KeePass password manager, PDF Reader Pro, and SolarWinds Network Performance Monitor. As for a previously-seen campaign, which spoofed versions of Advanced IP Scanner software, the primary target appears to be Ukraine, but this time it is possible that some English-speaking countries, including the UK, are also being targeted. As well as cloning the original download site, the threat actor also registers a similarly-named domain and obtains SSL certificates in order to appear legitimate, before running a spear-phishing campaign directed against the targets.

Blackberry Research & Intelligence Team, RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom, blog post, 2 November 2022. Available online at https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass.

Business Email Compromise Actor Targets Law Firm Clients

As reported yesterday, business email compromise attacks are growing rapidly, with the average value of fraudulent transactions also increasing quickly. Specialist email security service provider Abnormal has detailed the emergence of a new threat actor which they call Crimson Kingsnake, targeting companies in the US, Europe, the Middle East and Australia.

The group's tactic is to impersonate major law firms - the kind you really don't want to under-rate and ignore - or even debt recovery companies, sending fake invoices with a covering letter referring to an overdue payment for services performed a year or more ago. Typically, the email appears to be from a typo-squatted domain similar to that of a real law firm, with genuine logos or letterheads, address information and the name and phone number of a real attorney at the real firm. It seems possible that Crimson Kingsnake is using altered versions of legitimate invoices.

However, these emails are sent randomly, in the blind, rather than spear-phishing known clients of the law firms involved. The intention is to rely on social engineering techniques to trick an accounts payable person at the target company into approving payment of the invoice. One of these is to generate a fake email, apparently from an executive at the target company, clarifying the purpose of the invoice, referring to events that supposedly took place some months previously, and 'authorising' the AP person to proceed with payment.

Hassold, Crane, Crimson Kingsnake, BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks, blog post, 4 November 2022. Available online at https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

ACSC Annual Cyber Threat Report Released

The Australian Cyber Security Centre has released its annual threat report, covering the period from July 2021 to June 2022, and it makes predictably depressing reading and ideal fodder for TV news lead stories. Key trends:

• Cyberspace has become a battleground (No sh*t, Sherlock! [LB])
• Australia's prosperity is attractive to cybercriminals BEC has trended towards high-value transactions such as property settlements.
• Ransomware remains the most destructive cybercrime
• Worldwide, critical infrastructure networks are increasingly targeted
• The rapid exploitation of critical public vulnerabilities became the norm (Patch, patch, patch! [LB])

The ACSC has seen a cybercrime reported every 7 minutes, on average, slightly more frequently than last year, with the most reported types being fraud, online shopping and online banking. Losses due to business email compromises amounted to over $A98 million, with an average loss of $64,000 per report.

There are lots more facts and figures, along with the expected guidance, in the report.

Australian Cyber Security Centre, Annual Cyber Threat Report - July 2021-June 2022, Australian Signals Directorate, 6 October 2022. Available online at https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022.

YAPB (Yet Another Privacy Breach)

Yet another Australian business has been hit with a breach - or, more accurately, their customers/clients have been hit. In this case, the victims are tenants, landlords and tradespeople whose personal data was accessed by an unauthorized and unidentified third party via the rental property database of Melbourne real estate agency Harcourts.

Customers were notified via an email stating that the company became aware of the breach on 24 October. The breach apparently occurred via compromise of the account of a service provider, allegedly through the use of a personal device for work, rather than the more secure company-issued device - there's a lesson there about BYOD policy.

The impact for affected individuals could be severe, since the database contained full legal names, email and physical addresses, phone numbers and a copy of their signature. The database also contained photo ID's supplied by tenants, and the bank details of tradespeople. Debate is once again raging about the amount of possibly unnecessary personal data that business are requesting and storing.

Hall, Amy, Advocates had warned of the dangers of a real estate data breach. It just happened, SBS News, 3 November 2022. Available online at https://www.sbs.com.au/news/article/advocates-had-warned-of-the-dangers-of-a-real-estate-data-breach-it-just-happened/6mlieq0g0.

New Variant of Raccoon Stealer

In recent years, Raccoon Stealer has been one of the most successful infostealers offered by cybercriminals as Malware-as-a-Service, but it disappeared in March 2022. However, it re-emerged as a new variant in July 2022, and has reached new levels of activity.

An article from specialist malware analysis and hunting firm Any.Run breaks down the operation of Raccoon Stealer. The malware's operation kicks off with extensive antiforensics checks, with the goal of abandoning execution in a sandbox or under a debugger - Any.Run's analysts had to develop some workarounds to get it to run so they could examine its behaviour.

It starts by dynamically loading the Windows API libraries it will need, and then decrypts various strings and C2 server details. Next, it checks the system locale, and will terminate if it finds itself running in a Russian-affiliated (CIS) country. After checking whether it has System (or LocalSystem) admin privileges, it enumerates processes and connects to its C2 servers for instructions about what kind of data to collect.

Apart from basic system information, Raccoon Stealer will look for credentials saved in browsers, session cookies, banking data, cryptocurrency wallets, and credit card information, but it can also exfiltrate arbitrary files. The Any.Run article provides a full analysis of how it performs these actions, with decompiled code for we masochists who enjoy reading the stuff.

Uncredited, Raccoon Stealer 2.0 Malware Analysis, blog post, 30 August 2022. Available online at https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Insights into Initial Access Brokers and Ransomware Victims

A new report from strategic threat intelligence firm KELA provides some fascinating insights into the scale and operations of the top ransomware gangs, the industry sectors and countries they are targeting, and the role of initial access brokers in selling network access to the ransomware gangs.

The most prolific ransomware and data leak actors in Q3 2022 were LockBit, Black Basta, Hive, Alphv/BlackCat and the relatively new BianLian, and while they targeted the US most - with 40% of ransomware and extorion attacks - European countries were next in line. The explanation, presumably, is very simple: that's where the money is. It also makes sense that the most-targeted industry sector was professional services - that's where the sensitive data is.

During Q3 2022, KELA traced over 570 network access listings for sale, which would give the initial access brokers a total revenue of around $US4 million. The average price for access was around $US2800 and the median, $US1350. The number of listings was only slightly higher than Q2, but the prices are rising.

Borochov, Sarit, Ransomware Victims and Network Access Sales in Q3 2022, technical report, October 2022. Available online at https://ke-la.com/wp-content/uploads/2022/10/KELA-RESEARCH_Ransomware-Victims-and-Network-Access-Sales-in-Q3-2022.pdf.

Ransomware Impact on US Banks: $US 1.2 Billion

The US Department of Treasury's Financial Crimes Enforcement Network (FinCEN) has released it Financial Trend Anaysis of ransomware trends. The report, released in conjunction with the International Counter Ransomware Initiative Summit, is based on Bank Secrecy Act (BSA) data, and shows a significant increase in ransomware-related filings during the second half of 2021.

Among the notable findings:

• Reported ransomware-related incidents have substantially increased from 2020 levels.
• Ransomware-related BSA filings in 2021 approached $1.2 billion.
• Roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 pertained to Russia-related ransomware variants.

FinCEN identified 84 ransomware variants during the period of this review; all of the top five highest-grossing ransomware variants in this period are connected to Russian cyber actors.

Uncredited, FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021, news release, 1 November 2022. Available online at https://www.fincen.gov/news/news-releases/fincen-analysis-reveals-ransomware-reporting-bsa-filings-increased-significantly.

Webinar and FAQ on Cyber Insurance

Sticking with the theme of ransomware: one concern is that cyber insurance policies are distorting the ransomware market by incentivizing victims to simply pay the ransom, since the cost will be covered by an insurance policy. Some insight into this process can be found in an interesting webinar and FAQ provided by Trend Micro, in which their cyber risk specialist, Vince Kearns talks to the VP of Insurance at iBynd, an InsurTech broker that specializes in cyber insurance.

The top question is pretty obvious: What are the most important cyber insurance policy coverages for businesses? And here is the answer:

1. Notification and expense coverage
   After customer data is compromised, there are state-regulated notification requirements an organization must follow. Cyber insurance companies help navigate and handle the notifications and expenses associated with them such as hiring a forensics expert to identify the cause of the breach, monitoring the affected individuals’ credit score, and paying costs to restore stolen identities.
   
2. Business interruption
   Remember when Kaseya, a US ransomware attack, led to Swedish supermarket chain, Coop, shutting down 800 stores? If Coop had business interruption coverage, it would help recoup (no pun intended) some or all the lost revenue.
   
3. Liability
   In the event a group or individual decides to sue your business after a breach – for example, for negligence because you didn’t have the right security controls and procedures in place to stop sensitive data from being compromised — liability coverage would assist with legal expenses and/or settlement costs.
   
4. Funds transfer fraud
   The FBI estimates that since 2016, business email compromise (BEC) attacks have caused $43B in losses. If an unsuspecting employee falls victim to a BEC scam, funds transfer fraud covers helps cover losses.
   
5. Ransom/extortion
   If you find yourself being extorted after cybercriminals encrypt and potentially exfiltrate sensitive data, this coverage will help you attribute the threat actor, negotiate, and pay on the behalf of the business to regain access.

The FAQ continues, deliving into the factors that affect policy pricing, the role of risk rating services like Security Scorecard and Bitsight, the effect of cryptocurrency on ransomware policy coverage and other useful information.

Trend Micro staff, Cyber Insurance Market 2022: FAQs & Updates with iBynd, blog post, 5 August 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/h/cyber-insurance-market-2022.html.

OpenSSL 0day Patches Appearing - But No Big Deal

The expected patches for the widely-noised OpenSSL 3.0 vulnerabilities have now started to flow through the supply chain, but as also expected, there was a lot of smoke but not much fire, primarily due to the fact that OpenSSL 3.0.x is not yet widely deployed.

CVE-2022-3602 is a buffer overflow (in 2022?) in the code for name constraint checking in X.509 certificate verification, but its exploitation would require a certificate authority to sign a malicious certificate (or the verifying application to ignore the absence of a path to a trusted issuer), and could conceivably lead to remote code execution. CVE-2022-3786 is a similar buffer overflow (yes - in 2022) which could crash a system.

The update has now started to flow through software distribution channels - our only vulnerable machine, a dev/test server, updated its OpenSSL installation around 0330z on 2 November. The Dutch NCSC is running a Github page listing software which incorporates OpenSSL, along with vulnerability status, at https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md.

Uncredited, OpenSSL Security Advisory [01 November 2022], security advisory, 1 November 2022. Available online at https://www.openssl.org/news/secadv/20221101.txt.

Australia's Shadow Security Minister Embarrassed By Site Hack

Liberal Senator James Paterson, chairman of Parliament's Joint Committee on Intelligence and Security in the previous Liberal/National Coalition government, has been embarrassed by the revelation that the website of an organization he had founded had been overrun by for over a year by hackers posting thousands of pages touting illegal and dubious products, including "endorsements of graphic pornography, cryptocurrency schemes, apparently non-prescription use of steroids and an erotic, Russian version of poker".

The site also hosted pages promoting spyware, keystroke loggers and, for a litle over an hour after queries were sent to the Senator, a gateway for credit card payments (adult membership: $120.00).

Senator Paterson has been a strong proponent of increasing government powers to monitor the Internet to counter foreign threats, and to increase the powers of the Australian Cyber Security Centre, and so after the site was shut down, senior Liberals promptly referred the case to the ACSC.

There is no suggestion that Senator Paterson was directly responsible for the administration of the site, which had fallen into disuse. However, it was minimally maintained and secured, and there was a definite failure of governance in this case.

Robertson, James and Matthew Elmas, James Paterson's cyber hard line undermined as website is overrun by bots, The New Daily, 2 November 2022. Available online at https://thenewdaily.com.au/news/politics/2022/11/02/james-paterson-cyber-security-embarrassment/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

International Counter Ransomware Summit

The White House has brought together over 35 countries, the EU and multiple private sector firms for a two-day summit to discuss how best to counter ransomware attacks. US Government officials attending included FBI Director Christopher Wray, national security adviser Jake Sullivan, Deputy Treasury Secretary Wally Adeyemo and Deputy Secretary of State Wendy Sherman.

The administration was prompted to act by the increasing level of ransomware activity, citing recent high-profile attacks such as that on the LA Unified School District. The situation is doubtless being exacerbated by the amount of money being paid to ransomware operators, which allows them to buy and develop 0day exploits, which will, in turn, lead to even more money being paid, etc.

While the summit will focus on improving system reslilence and developing techniques to disrupt threat actors' activities, I dare say the idea of legislation to ban the payment of ransoms will be a hot topic.

Uncredited, White House invites dozens of nations for ransomware summit, news report, 31 October 2022. Available online at https://apnews.com/article/technology-european-union-business-christopher-wray-wally-adeyemo-aff98eba1c7470f9b0128c882971547d.

EdTech Company Chegg Earns Wrath of Federal Trade Commission

For many years, student-focused web site Chegg has been the bane of academics, with its support for sharing of exam questions, class assignments and solutions, etc. The growth of this and similar sites have forced educators to produce completely new exam papers and assignments each year, a heavy workload.

Now comes news that Chegg itself has let its users down, suffering multiple breaches over the last five years and exposing the personal data of millions of students. According to a complaint before the Federal Trade Commission, Chegg's scholarship search service collects sensitive personal information from its users, including 'religious denomination, heritage, date of birth, parents' income range, sexual orientation and disabilities', as well as videos of tutoring sessions that included users' images and voices.

This data is stored in AWS S3 buckets, which Chegg allegedly has failed to reasonably secure. The FTC complaint documents four breaches over a three-year period; in one case, the use of a single AWS access key that provided full administrative privileges over all data allowed a former contractor to access the data of millions of users which was later found for sale online. This dump included plaintext (!) passwords for 25 million accounts.

Other breaches, primarily via phishing attacks, gave access to both student and employee data which again was found for sale online. (I dare say some universities would be keen buyers, as they investigate cases of alleged plagiarism!)

Khan, Lina M., et. al., Complaint In the Matter of CHEGG, INC., a corporation, FTC Complaint docket 202-3151, October 2022. Available online at https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf.

News for CISSP's

(ISC)² Board Election Opens With Dubious Ballot Form

The election for the (ISC)² Board has opened today with an online voting form which provides the five candidates put forward by the current Board for the five open positions - in other words, not much of an election at all.

As regular readers will be aware, an alternate slate of five candidates is standing as write-in candidates (I have reprinted their information below). However, the online ballot form provides only one position for a write-in candidate; in the opinion of many members, a fair form would provide as many write-in slots as there are open positions.

Many members are irate; some are voting but writing in multiple candidates in the one field (which will possibly not be counted as a valid vote), while others are complaining to Member Services. Others are considering legal action, and at least one request for investigation of the organization's non-profit status has been raised with the IRS.

Overall, the mood is that the election should be cancelled and only restarted once the ballot form has been fixed to comply with the requirement to allow for multiple write-in candidates as stated in section IV.8 of the Bylaws. (ISC)² is unlikely to comply.

Alternative Slate for Upcoming (ISC)² Election

As those certified by (ISC)² should know by now, the election for the upcoming vacancies on the Board of the organization will open on 1 November. As previously discussed, the current Board has nominated only five candidates for the five vacancies - a move that renders the election moot - as well as proposing a set of contentious changes to the By-Laws which will further disenfranchise the membership.

Several members who had nominated for Board positions - some of them with previous experience and, more to the point, continued engagement with the members - have asked the voting members to consider them as write-in candidates. With the assistance of Stephen Mencik (one of those stepping forward) I have assembled the following information:

Here are the members asking for your support - and, I would suggest, offering you theirs:

• Wim Remes - Belgium - member number 97080
• Stephen Mencik - US - member number 10288
• Richard Nealon - Republic of Ireland - member number 4205
• Sami O. Koskinen - Finland - member number 54813
• Diana-Lynn Contesti - Canada - member number 5053

For those interested in more information about the five people asking for your write-in votes, here are their information pages:

• For Stephen Mencik - https://sites.google.com/view/smm-petition

The above site was used in an attempt to gain enough petitions to get on the ballot via that route. There are links to his resume and to the skillset questions and answers from the nomination process, and letters of recommendation. Mr. Mencik is ISC2 Member number 10288 and holds CISSP-ISSAP, ISSEP. Mr. Mencik also did most of the work on the counter-proposals for by-laws found at https://jsweb.net/isc2.

• For Diana-Lyn Contesti - https://sites.google.com/site/dlcpetitionboard/home

This site was used by Ms. Contesti in an attempt to gain enough petitions to get on the ballot. It contains a summary of her qualifications. Ms. Contesti is ISC2 member number 5053 and holds CISSP-ISSAP, ISSMP, CSSLP, SSCP.

• For Wim Remes - https://www.be-represented.org/

This site was used by Mr. Remes in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Remes is ISC2 member number 97080 and holds CISSP.

• For Richard Nealon - https://sites.google.com/view/RN-petition-isc2-board

This site was used by Mr. Nealon in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Nealon is ISC2 member number 4205 and holds CISSP-ISSMP, SSCP.

• For Sami O. Koskinen - http://www.linkedin.com/in/sami-koskinen-429624

The link is to Mr. Koskinen's Linked profile, which gives a summary of his qualifications. Mr. Koskinen is ISC2 member number 54813 and holds CISSP-ISSMP.

I would urge all those entitled to vote to visit the pages above and consider carefully before voting.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Finnish Police Identify Vastaamo Hacker

The National Bureau of Investigation in Finland has been making progress in its investigations of the massive privacy breach of mental health care provider Vastaamo.

For those who missed the original incident, Vastaamo suffered a breach which encrypted their patient records and held them ransom. When the company CEO refused to negotiate with the attackers, they responded by releasing sensitive patient records on a dark web server, and then turned to extorting payments from the patients themselves. It appears that the company's software was only minimally secured and did not comply with Finland's regulations for healthcare records systems. The CEO was terminated and has now been charged with a data protection offence, facing up to a year in prison. Prosecutors claim that infosec management at the company was in "absolute chaos when it comes to available resources, budget, using and utilising the necessary expertise, and training and skills". The company itself was subsequently liquidated.

On 27 October , the Helsinki District Court remanded a Finnish man, about 25 years old, in absentia on probable cause of aggravated computer break-in, attempted aggravated extortion, and aggravated dissemination of information violating personal privacy. The suspect was remanded in absentia, since police established that he lived abroad, and a European arrest warrant has been issued against him. He can be arrested abroad under this warrant, after which the police will request his surrender to Finland. An Interpol notice will also be issued against the suspect.

Teivanen, Aleksi, Prosecutors: Vastaamo's information security was in absolute chaos, Helsinki Times, 5 October 2022. Available online at https://www.helsinkitimes.fi/finland/finland-news/domestic/22293-prosecutors-vastaamo-s-information-security-was-in-absolute-chaos.html.

Poliisi, One person remanded in absentia for Vastaamo hacking incident, news item, 28 October 2022. Available online at https://poliisi.fi/-/yksi-vangittu-poissaolevana-liittyen-vastaamon-tietomurtoon?languageId=en_US.

SQLite Vulnerability Fixed, 22 Years On

The SQLite database engine project has released a fix for a format string parsing vulnerability that was originally introduced into version 1.0.12, back in the days of 32-bit systems in October 2000. CVE-2022-35737 was uncovered by researcher Andreas Kellas, and affects modern 64-bit systems; how it manifests depends on whether it is compiled with stack canaries enabled or not.

Essentially, the vulnerability can be exploited by passing large strings to the SQLite implementation of printf() when the format string contains the %Q, %q or %w format specifiers - any of these will cause the program to crash. But in the worst case, if the format string contains the ! special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution, or at least cause the program to hang.

The impact of this vulnerability could be massive, since SQLite is used as a database in all kinds of systems, especially embedded systems. It is also disappointing since SQLite has a good security track record. Users are advised to update to version 3.39.2.

Kellas, Andreas, Stranger Strings: An exploitable flaw in SQLite, blog post, 25 October 2022. Available online at https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/.

Kaspersky Details APT10 LODEINFO Backdoor

Security company Kaspersky has published a new two-part report on the operation of the LODEINFO backdoor, which is being used by the Chinese Cicada group, APT10, in attacks against Japanese media groups, diplomatic agencies and government and public sector organizations.

APT10's intial access tactics have been continually evolving, and they have continued to obfuscate LODEINFO to make detection more difficult. They are now delivering LODEINFO via a spear-phishing malmail which carries a self-extracting RAR file containing the legitimate K7Security Suite executable, NRTOLD.exe. However, the RAR also contains a malicious DLL name K7SysMn1.dll, and when NRTOLD.exe is executed, rather than load the genuine DLL, the attackers rely on the Windows DLL search path vulnerability to load the malicious DLL from the same folder as the .EXE. Since the DLL is side-loaded and heavily obfuscated, it may not be detected by security applications.

Another variant uses VBA code in a password-protected Word file to download shellcode which is injected into the memory of the WINWORD.EXE process.

In fact, six different variants of LODEINFO appeared during 2022, the APT10's TTP's appear to be rapidly evolving.

Ishimaru, Suguru, APT10: Tracking down LODEINFO 2022, part 1, blog post, 31 October 2022. Available online at https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/.

Ishimaru, Suguru, APT10: Tracking down LODEINFO 2022, part 2, blog post, 31 October 2022. Available online at https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/.

Don't Forget That OpenSSL Patch!

A reminder that the OpenSSL Project team will release a patch for a significant vulnerability in version 3 today, November 1st, between 13:00 and 17:00 UTC. While many Linux distributions still use version 1 of OpenSSL, recent distributions have moved to version 3, and so users should monitor their upstream repositories for an update to version 3.0.7.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Google Issues Chrome Update in Response to 0Day

You should be aware of this by now, but Google has issued an update for the Chrome browser Stable channel in response to a 0day exploit. The new versions are 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/88 for Windows. The update fixes CVE-2022-3723, which is a type confusion vulnerability in V8, Google's high-performance runtime for JavaScript and WebAssembly.

You know what to do. . .

Bommana, Prudhvikumar, Stable Channel Update for Desktop, Google Chrome Releases blog, 27 October 2022. Available online at https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html.

More Trojan Droppers in Google Play Store

The idea of relying on mobile OS app stores to filter out malicious apps before they get to the public is getting less and less sustainable. Now comes a report of five more trojan droppers found on the Google Play Store, with a cumulative installation count of over 130,000 installs.

Since these apps are dropping banking trojans like Sharkbot and Vulture, which can steal online banking credentials and PII, perform keystroke logging and even (in the case of Vultur) run a VNC session to allow the attacker to perform any action on the infected device.

The droppers have been carefully designed to fit in with the security policies of the Play Store, and request as few permissions as possible on the victim's device - only three, and those so common as to not arouse suspicion. While the Sharkbot trojan seems to be interested only in Italian victims, Vultur has a long list of target instiations, including many Australian and European banks.

Uncredited, Malware wars: the attack of the droppers, blog post, 28 October 2022. Available online at https://www.threatfabric.com/blogs/the-attack-of-the-droppers.

How Not to Handle a Privacy Breach

See Tickets, a major event ticketing company, has disclosed a major data breach dating back to June 2019. I'm not sure if that is a record, but it ought to be.

According to See's consumer notification letter, a third party had obtained unauthorized access to event checkout pages on the See website; although they were alerted to the activity in April 2021, a later paragraph reveals that the pages may have been affected as early as 25 June 2019. We can only speculate, but this may have been some kind of supply-chain attack involving a JavaScript framework or subsystem - Ticketmaster suffered this type of breach in 2018 - or some kind of XSS attack. The data exposed includes name, address and credit card numbers, expiry dates and CVV numbers.

The firm engaged forensics consultants, but it took them until 8 January 2022 to fix the exposure and a further nine months before concluding, on 12 September 2022, that "the event may have resulted in unauthorized access to the payment card information of certain of our customers". Finally, in late October, they are notifying customers that their information may have been exposed - although "we are not certain your information was affected".

If that is an "abundance of caution", it's deeply unimpressive. The notification letter provides the obvious advice to affected consumers, but some evidence that See was raising its game would do a lot more to regain consumer trust.

Murphy, James, Re: Notice of Data Breach, letter template, October 2022. Available online at https://dojmt.gov/wp-content/uploads/Consumer-Notification-Letter-638.pdf.

Multiple Juniper JunOS Vulnerabilities

Researchers at Octagon Networks have revealed multiple vulnerabilities in Juniper's JunOS, including one (CVE-2022-22241) with a CVSS score of 8.1. This particular vulnerability allows an unauthenticated attacker to write an arbitrary file, which in turn leads to remove code execution. The exploit would merit a CVSS score of 9.8, were it not for the difficulty of finding a suitable object to make use of in the required deserialization code.

The researchers found five other vulnerabilities. The full list is:

1. CVE-2022-22241: Remote pre-authenticated Phar Deserialization to RCE
2. CVE-2022-22242: pre-authenticated reflected XSS on the error page
3. CVE-2022-22243: XPATH Injection in jsdm/ajax/wizards/setup/setup.php
4. CVE-2022-22244: XPATH Injection in send_raw() method
5. CVE-2022-22245: Path traversal during file upload leads to RCE
6. CVE-2022-22246: PHP file include /jrest.php

All were previously disclosed to Juniper and have been patched, so customers are advised to update to the latest release of the OS, or alternatively disable J-Web or at least, limit access to only trusted hosts.

Uncredited, Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities, blog post, 28 October 2022. Available online at https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Critical Vulnerability in OpenSSL - Patch Due 1 November

According to a tweet from Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Foundation's VP of Security, the OpenSSL team is preparing for the release of version3.0.7, which will fix a CRITICAL vulnerability which is present in versions 3.0.0 through 3.0.6. This is good news for many users, as the most widely-deployed production Linux distributions do not use it - Red Hat Enterprise Linux 8, for example, uses version 1.1.1k.

Admins who are testing more recent versions or have already deployed them will need to proactively patch, though - RHEL 9 runs version 3.0.1.

It's not clear what the underlying vulnerability is, and it will take a little time for threat actors to reverse-engineer the various fixes in 3.0.7 and work out what it is. But it's likely to be serious - by OpenSSL definition, a CRITICAL issue affects common configurations and is also likely to be exploitable.

Vaughan-Nichols, Steven, OpenSSL warns of critical security vulnerability with upcoming patch, ZDnet, 27 October 2022. Available online at https://www.zdnet.com/article/openssl-warns-of-critical-security-vulnerability-with-upcoming-patch/.

British Hacker Arraigned on Charges in US

British hacker Daniel Kaye, a.k.a. "Popopret", "Bestbuy", "TheRealDeal", "Logger", "David Cohen", "Marc Chapon", "UserL0ser", "Spdrman", "Dlinch Kravitz", "Fora Ward", and "Ibrahim Sahil", has been arraigned on charges of access device fraud and money laundering conspiracy in connection with his alleged operation of "The Real Deal", a dark web market for hacking tools and stolen credentials, and his laundering of profits from that market.

Nonetheless, it seems that the FBI did manage to trace the funds, and Kaye now has been arraigned before US Magistrate Judge Linda T. Walker following his extradition from Cyprus. The FBI was assisted by multiple European police forces.

DoJ US Attorney's Office, Northern District of Georgia, Hacker and Dark Market operator arraigned on federal charges, press release, 26 October 2022. Available online at https://www.justice.gov/usao-ndga/pr/hacker-and-dark-market-operator-arraigned-federal-charges.

Dutch Man Arrested for Healthcare Data Theft

The Dutch police have arrested a 19-year-old man from the town of Krimpen aan den IJssel, near Rotterdam, following a complaint from a healthcare software supplier. It is alleged that the man stole tens of thousands of documents, possibly containing personal and medical data.

The suspect's home was searched and various devices seized for forensic analysis, but until this is completed - a process which could take considerable time - police are unable to determine whether the stolen data was on-sold or distributed. The man was released after question but remains a suspect in the case.

Politie Nederland, Softwareleverancier gehackt, verdachte aangehouden, press release, 25 October 2022. Available online at https://www.politie.nl/nieuws/2022/oktober/25/hack-software-leverancier-verdachte-aangehouden.html.

Australian Privacy Breaches Provide Fodder for Satirists

It being the weekend, let us now turn to lighter topics. Holding to the old adage that if you didn't laugh, you'd cry, Australians have turned to humour as a way of coping with the recent round of data breaches (Optus, Energy Australia, Medibank, Medlab Pathology and others).

The latest offering, by Mark Humphries for ABC TV's 7:30 current affairs program, is presented here for your delight and delectation.

Humphries, Mark, Mark Humphries shares Medibank's apology after hacking scandal | 7.30, video, 28 October 2022. Available online at https://www.youtube.com/watch?embed=no&v=njlvSfuxJi8.

News for CISSP's

Alternative Slate for Upcoming (ISC)² Election

As those certified by (ISC)² should know by now, the election for the upcoming vacancies on the Board of the organization will open on 1 November. As previously discussed, the current Board has nominated only five candidates for the five vacancies - a move that renders the election moot - as well as proposing a set of contentious changes to the By-Laws which will further disenfranchise the membership.

Several members who had nominated for Board positions - some of them with previous experience and, more to the point, continued engagement with the members - have asked the voting members to consider them as write-in candidates. With the assistance of Stephen Mencik (one of those stepping forward) I have assembled the following information:

Here are the members asking for your support - and, I would suggest, offering you theirs:

• Wim Remes - Belgium - member number 97080
  
• Stephen Mencik - US - member number 10288
  
• Richard Nealon - Republic of Ireland - member number 4205
  
• Sami O. Koskinen - Finland - member number 54813
  
• Diana-Lynn Contesti - Canada - member number 5053
  

For those interested in more information about the five people asking for your write-in votes, here are their information pages:

• For Stephen Mencik - https://sites.google.com/view/smm-petition

The above site was used in an attempt to gain enough petitions to get on the ballot via that route. There are links to his resume and to the skillset questions and answers from the nomination process, and letters of recommendation. Mr. Mencik is ISC2 Member number 10288 and holds CISSP-ISSAP, ISSEP. Mr. Mencik also did most of the work on the counter-proposals for by-laws found at https://jsweb.net/isc2.

• For Diana-Lyn Contesti - https://sites.google.com/site/dlcpetitionboard/home

This site was used by Ms. Contesti in an attempt to gain enough petitions to get on the ballot. It contains a summary of her qualifications. Ms. Contesti is ISC2 member number 5053 and holds CISSP-ISSAP, ISSMP, CSSLP, SSCP.

• For Wim Remes - https://www.be-represented.org/

This site was used by Mr. Remes in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Remes is ISC2 member number 97080 and holds CISSP.

• For Richard Nealon - https://sites.google.com/view/RN-petition-isc2-board

This site was used by Mr. Nealon in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Nealon is ISC2 member number 4205 and holds CISSP-ISSMP, SSCP.

• For Sami O. Koskinen - http://www.linkedin.com/in/sami-koskinen-429624

The link is to Mr. Koskinen's Linked profile, which gives a summary of his qualifications. Mr. Koskinen is ISC2 member number 54813 and holds CISSP-ISSMP.

I would urge all those entitled to vote to visit the pages above and consider carefully before voting.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Yet Another Patient Data Breach

The string of highly-publicized breaches of personal health information in Australia has continued, with a pathology lab the latest firm to be hit.

Medlab Pathology has disclosed a breach which compromised the personal information of patients and staff. The breach occurred back in February 2022, and it would be interesting to know whether and at what point the Office of the Australian Information Commissioner was notified as required under the Privacy Amendment (Notifiable Data Breaches) Act 2017.

According to their statement, Medlab engaged external experts, whose investigation "did not reveal any evidence that information stored in our systems had been accessed or downloaded". However, in June Medlab was contacted by the Australian Cyber Security Centre, which had detected the publication of some Medlab data on the dark web, whereupon the firm downloaded the dataset and "spent several months to analyse the data so it could determine what information was included ... and who it belonged to".

The company states, "This process took several months to complete, including locating current contact details for involved individuals ... so that we did not incorrectly notify anyone and cause undue alarm or distress".

That's all well and good, but not disclosing a breach for eight months sounds very much like closing the stable door after the horse has bolted; in particular, the company seems to have tried to avoid making a public disclosure, only to see it forced upon them before they have contacted the affected individuals (which will happen over the coming weeks, according to their statement). There's also an element of wishful thinking; the fact that "external experts" can find no evidence of information exfiltration is emphatically not evidence that no exfiltration occurred.

McGrath, Melinda, Medlab Cyber Incident, public statement, 27 October 2022. Available online at https://medlab.com.au/medlab-cyber-incident.

Medibank Cyber Insurance Comment

While we're on the topic of Australian privacy breaches: media eyes remain focused on Medibank's handling of the other big breach, with more reporting in mainstream media. One comment that caught my eye (no reference for this one, I'm afraid - it was a passing comment in a TV news report): apparently Medibank had not taken out a cyber insurance policy, on the grounds that it was "too expensive".

I'll pass over the fact that an insurance company thinks that cyber insurance does not represent good value. Perhaps it is appropriate for an insurance company to self-insure for this and other risks, provided it has the capital reserves to do this. But it ignores one key benefit provided by many cyber insurance policies: immediate access to incident response, crisis management and crisis communications experts who parachute in to assist or even take charge of incident response.

Fast access to these kinds of resources might well have done a lot to improve Medibank's image over the last few weeks.

GitLab Tightens Supply Chain Security

Source code management company Gitlab is taking concerns about supply chain security to heart, announcing several new security and compliance features and enhancements to assist with this. Among the new features are security policy management, compliance management, events auditing and vulnerability management. Also planned is a dependency management feature which will be able to track vulnerabilities in dependencies.

The enhancements will help developers manage risk by providing increased visibility into security findings and user activities, as well as performing proactive vulnerability scans, including static analysis, secret detection, container scanning, dependency scanning, infrastructure-as-code scanning and coverage-guided fuzz testing. The GutHub platform will also add access to actionable and relevant secure coding guidance.

This is a welcome step in the movement to 'shift left' by emphasizing security earlier in the development process. It is increasingly obvious that trying to deal with security in the operations domain is simply too late.

Dark Reading Staff, GitLab Adds Governance, Software Supply Chain Enhancements, Dark Reading, 27 October 2022. Available online https://www.darkreading.com/dr-tech/gitlab-adds-governance-software-supply-chain-enhancements.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

LV Ransomware Operator Buys Network Access, Uses ProxyShell

The LV ransomware seems to be based on REvil (a.k.a. Sodinokibi), although the relationship between the groups operating them is uncertain. However, LV breaches are surging, according to researchers at Trend Micro, who have provided an analysis of one particular intrusion.

Back in December 2021, a threat actor claiming to operate LV posted on a cybercrime forum seeking to connect to network access brokers in an attempt to buy access to networks in a range of industries. This seems to have been successful, with multiple breaches around the world. In the reported case, an affiliiate of the LV threat actor was able to use the ProxyShell vulnerability to drop a web shell and then execute a chain of PowerShell scripts, culminating in a backdoor.

From there, were able to use Mimikatz, NetScan and Advanced Port Scanner to harvest credentials and discover servers, including the domain controller. A compromised admin account was then used to access the domain controller, after which the ransomware code was uploaded and a scheduled task used to deploy the ransomware across the domain.

Fahmy, Mohamed, Sherif Magdy and Ahmed Samir, LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company, blog post, 25 October 2022. Available online at https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html.

Education Sector Targeted by Vice Ransomware Operator

One good (!) point in favour of the LV ransomware group is that their post seeking access brokers specifically excluded the healthcare and education sectors. However, other groups are not so choosy, as the LA Unified School District, and many other institutions, can attest. In fact, one group, tracked by Microsoft as DEV-0832 Vice Society, seems to be particularly interested in the education sector, both in the US and globally.

Vice Society seems to favour low-hanging fruit - poorly-secured networks - and uses a wide range of TTP's which are common to ransomware operators. These include Powershell scripts, initial compromise via unpatched systems, use of LOLbins and other tools including commodity ransomware such as BlackCat, QuantumLocker and Zeppelin, as well as generic backdoors like the SystemBC remote access trojan. This suggests that either they adapt to the victim's defences, or that there are multiple operators working under the Vice Society umbrella. They also deploy tools to Linux systems.

Vice Society makes extensive use of customized PowerShell scripts for credential harvesting and post-exploitation discovery, as well as staging of tools via network shares. Interestingly, they seem to favour data exfiltration over encrypting files, in some cases not bothering to proceed to encryption.

The Microsoft report provides suggested mitigations.

Uncredited, DEV-0832  (Vice Society) opportunistic ransomware campaigns impacting US education sector, blog post, 25 October 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/.

Medibank Breach Goes from Bad to Worse to Worst

As previously reported, the breach of Australian health insurance company Medibank has continued to become more severe. From an initial report that no data had been exfiltrated, to a report that only one subsidiary and particular accounts were affected, as Medibank's internal and third-party responders have dug deeper, the news has got worse. The latest revelation is that all Medibank, ahm and international student customers' personal data had been accessed.

Now, whether it has actually been exfiltrated remains an open question, for outsiders at least. But one would have to assume that it has, and that the information - including sensitive health-claims data - of 4 million current customers, along with an unknown number of former customers, are now at elevated risk.

We have previously seen, in the case of Finnish mental healthcare provider Vastamo, that when the breached enterprise refuses to pay a ransom, the attacker will turn to extorting the individual patients. We can only hope this does not eventuate, for the sake of the affected patients and also Medibank itself, which at this stage, has only suffered a sharp drop in its share price after the resumption of trading on the ASX and the costs of incident response. Vastamo did not survive for long after the scandal surrounding its breach broke,

Terzon, Emilia and Samuel Yang, Medibank says all customers' personal data compromised by cyber attack, ABC News, 26 October 2022. Available online at https://www.abc.net.au/news/2022-10-26/medibank-hack-criminals-access-hack-data/101578438.

RCE Vulnerability in Melis Platform CMS Now Patched

Many content management systems and e-commerce platforms are based on the Laminas PHP framework, formerly known as Zend. During routine static analysis of these projects, Sonar researchers found three critical vulnerabilities in Melis Platform, a business-oriented CMS used by many large enterprises.

These lead to a potential insecure deserialization vulnerability, which will allow object injection via the PHP $_POST variable, which is set by the user, based on form content. The question faced by the researchers was, is it exploitable? To do this, an attacker has to find a chain of calls to methods in available classes - called a Popchain - that can be triggered from the vulnerable section of code and will execute a malicious action, such as creating a file or executing a command.

They found the required code in the Laminas cache code, in particular a method which saves to disk "deferred items that have not been committed", and were able to use this to create a .PHP file and get it executed. This is an interesting example of the capabilities of static code analysis tools, although some ingenuity is subsequently required to craft a proof-of-concept exploit.

A patch for Melis Platform is now available, and users are urged to update to version 5.0.1 or above.

El Ouerghemmi, Karim  and Thomas Chauchefon, Remote Code Execution in Melis Platform, blog post, 18 October 2022. Available online at https://blog.sonarsource.com/remote-code-execution-in-melis-platform/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

RNC Sues Google

The Republican National Committee has sued Google for allegedly directing the emails it send straight to users' spam folders. According to its filing in the US District Court in Califormia, Google is discriminating against the party by "throttling its email messages because of the RNC's political affiliation and views".

In rejecting the claims, the tech giant retorted, "As we have repeatedly said, we simply don't filter emails based on political affiliation. Gmail's spam filters reflect users' actions".

"We provide training and guidelines to campaigns, we recently launched an FEC (Federal Electrion Commission) -approved pilot for political senders, and we continue to work to maximize email deliverability while minimizing unwanted spam", said Google spokesperson José Castañeda.

Binoy, Rhea et. al., Republican National Committee sues Google over email spam filters, Reuters, 25 October 2022. Available online at https://www.reuters.com/world/us/republican-national-committee-sues-google-over-email-spam-filters-2022-10-22/.

CVSS 9.8 RCE Vulnerability in HyperSQL Database

Researchers at Code Intelligence have discovered a potential remote code execution vulnerability in all versions up to and including 2.7.0 of the HyperSQL database (HSQLDB). This is a critical vuln for two reasons: a) a CVSS score of 9.8 and b) the fact that HSQLDB is used in thousands of popular packages and programs, including LibreOffice, JBoss, Log4j, Hibernate, Spring-Boot - itself used in thousands of other products - and many others..

The vulnerability, which is recorded as CVE-2022-41853, is in the parsing procedure for binary and text format data processed by the java.sql.Statement and java.sql.PreparedStatement classes, and can be used to call any static method from any Java class in the classpath.

A fix will be available in HSQLDB version 2.7.1 and later; meanwhile, the issue can be remediated by defining the hsqldb.method_class_names property.

Wagner, Roman, Potential Remote Code Execution Vulnerability Discovered in HSQLDB, blog post, 10 October 2022. Available online at https://www.code-intelligence.com/blog/potential-remote-code-execution-in-hsqldb.

Exploits In The Wild for Cisco AnyConnect Secure Mobility Client

Cisco has advised customers to urgently update installations of the Cisco AnyConnect Secure Mobility Client for Windows, following the discovery by their product security incident response team of exploits circulating in the wild. The related vulnerabilities have been known for over two years, so a patch has long been available.

The two vulnerabilities allow the copying of user-supplied files to system directories, and the hijacking of DLL's. Put together, the two allow injection of arbitrary code and its execution with SYSTEM privileges. Although authentication is required, this would allow privilege escalation.

Uncredited, Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability, Security Advisory, 25 October 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj.

Uncredited, Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability, Security Advisory, 25 October 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW.

Event Log Vulnerabilities Can Lead to DoS

Two rather curious exploits discovered by Varonis can allow an attacker to crash the Event Log service of any Windows machine, or even DoS the machine by filling the hard drive space.

The two vulnerabilities exploit a vulnerability in the OpenEventLogW API which allows a user to open a handle for an event log on a local or remote machine. By default, non-privileged users cannot get a handle for event logs on remote machines - with one exception, the legacy "Internet Explorer" log, which still exists and has its own security descriptor that overrides the default permissions.

Varonis' researchers came up with two PoC exploits; LogCrusher will crash the Event Log on a remote machine, stopping logging and leaving security controls in the dark, while OverLog repeatedly backs up spurious entries created in the Internet Explorer Event Log to a file, eventually filling the hard drive and preventing the machine from swapping to disk.

Microsoft has responded with a patch that restricts the OpenEventLogW API remote access to the IE Event Log to local administrators only, reducing the likelihood of exploitation. We have often referred to Internet Explorer as a cancer wrapped around the heart and lungs of Windows; its eradication is proving difficult.

Taler, Dolev, The Logging Dead: Two Event Log Vulnerabilities Haunting Windows, blog post, 25 October 2022. Available online at https://www.varonis.com/blog/the-logging-dead-two-windows-event-log-vulnerabilities.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.