Les Bell and Associates Pty Ltd
Blog entries about Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
US Airports Hit by Russian-Speaking Hackers
The public websites of over a dozen US airports have been subjected to a DDoS attack, most likely by a Russian hacktivist group known as "Killnet", who last week claimed responsibility for a similar attack on US state government sites.
While the websites of ATL (Atlanta Hartsfield-Jackson), LAX (Los Angeles International) and other airports were inaccessible for some time, there was no disruption to flights or other airport operations, and the only impact was probably to people seeking flight arrival and departure gates, times and similar information.
Wallace, Greg, et. al., Russian-speaking hckers knock multiple US airport websites offline. No impact on operations reported, CNN, 10 October 2022. Available online at https://edition.cnn.com/2022/10/10/us/airport-websites-russia-hackers.
Emotet Emerges Once More
The Emotet malware, and its C2 network, have been around since 2014, when the malware first appeared in the form of a banking trojan controlled by a threat group called Mummy Spider. Over the years, it evolved into a sophisticated family of trojan droppers and payloads which were offered in the form of Malware-as-a-Service, with the Emotet operators specializing in the initial infection of the victims, and then on-selling them to their partners for exploitation.
However, in January of 2021, the C2 network was sinkholed in an international operation by Europol, Ukraine arrested two individuals who were behind it, and in a move that saw the end of Emotet, its C2 infrastructure was used to push an updated which uninstalled it. Other malware distributors moved into the resultant gap in the market.
But now, with the assistance of the former Conti ransomware gang and the TrickBot botnet, Emotet has been bootstrapped back into existence as a continually evolving modular exploitation toolkit. The latest incarnations go to great lengths to obfuscate the information of their C2 infrastructure - presumably to avoid being sinkholed again.
VMware Threat Analysis Unit has now released a 68-page report which details the latest 'waves' of Emotet, complete with IoC's, timelines and details of the Emotet configurations.
Bagci, Ethem, Emotet Exposed: A Look Inside the Cybercriminal Supply Chain, technical report, 10 October 2022. Available online at https://blogs.vmware.com/security/2022/10/emotet-exposed-a-look-inside-the-cybercriminal-supply-chain.html.
It's Not What You Know - It's Who You Know
In Germany, the Interior Minister, Nancy Faeser, is reported to want to dismiss the president of the Bundesamt fur Sicherheit in der Informationstechnik (BSI), the Federal information security agency. Arne Schoenbohm is suspected to have had contact with people involved with Russian security services, according to media reports.
The Cyber Security Council of Germany, of which Schoenbohm was a founder, counts as a member a German company that is a subsidiary of a Russian cybersecurity firm founded by a former KGB employee, according to the reports.
Neither Schoenbohm. the interior ministry nor the BSI has replied to requests for comment.
Mitwollen, Birgit, et. al., Germany's cybersecurity chief faces dismissal, reports say, Reuters, 10 October 2022. Available online at https://www.reuters.com/world/europe/germanys-cybersecurity-chief-faces-dismissal-reports-2022-10-09/.
Hackers Start Their Day With Caffeine
Phishing has long been by far the most effective way of obtaining login credentials or delivering malmails, both techniques for initial exploitation after which an attacker can move on to install more sophisticated tools. In a new report, Mandiant researchers have detailed the operation of a new Phishing-as-a-Service (PhaaS) platform called Caffeine, which allows attackers to automate all the boring work and focus on the more interesting and productive parts of their task.
Caffeine is a polished suite of easy-to-use tools which allow anybody to craft customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URL's for host malware payloads and even track campaign email activity. Not only is it user-friendly, it is inexpensive and also has a completely open registration process rather than being hidden in the dark web or behind encrypted messaging channels. It is also designed to have wide appeal, featuring email templates for deployment against Russian and Chinese victims.
The Mandiant report provides a comprehensive analysis of Caffeine, along with IOC's and YARA rules for detection of some of its components.
McCabe, Adrian and Steve Sedotto, The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform, Mandiant blog, 10 October 2022. Available online at https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Healthcare System Ransomware Attacks Continue
Although ransomware operators will often attack any target of opportunity - their primary goal is profit, after all - it seems that healthcare organizations are singled out for particular attention. In the latest attack, one of the largest hospital chains in the US, CommonSpiritHealth, revealed that it had experienced "an IT security issue" that took its systems down.
CommonSpirit operates over 140 hospitals, with many in Tennessee, Texas and Seattle announcing that they were affected. Patients have reported their surgery being delayed.
Collier, Kevin, Ransomware attack delays patient care at hospitals across the U.S., NBC News, 8 October 2022. Available online at https://www.nbcnews.com/tech/security/ransomware-attack-delays-patient-care-hospitals-us-rcna50919.
FBI Warns of Fake Batteries
Counterfeiting of their products has long been a problem for fashion brands such as Louis Vuitton and others, but it reaches a critical level for products such as aircraft parts, where the failure of an off-spec part can lead to tragedy. Somewhere in between these is the growing problem of counterfeit batteries; fakes may lack functionality - I found this out the hard way after purchasing a replacement phone battery and discovering that a fake lacked the NFC functionality built into the OEM product, rendering some phone application useless.
Another problem is the possibility of short battery life or low capacity, or even thermal runaway leading to a fire which could destroy a device, or worse. So serious is the problem that the FBI has issue an alert providing advice, perhaps the best of which is the old adage: if that price is too good to be true, then the battery is likely counterfeit.
Uncredited, The FBI and Intellectual Property Rights Center Warns Public of Counterfeit Battery Scams, Alert Number I-093022-PSA, 30 September 2022. Available online at https://www.ic3.gov/Media/Y2022/PSA220930.
1.2 Million Compromised Credit & Debit Cards Leaked
Researchers at Cyble, monitoring dark web carder sites, have discovered the release of a dataset of over 1.2 million debit and credit cards by a group calling themselves 'BidenCash'.
The database, which was leaked on a forum hosting mainly Russian- and English-speaking cybercriminals, provides the card number, expiry date, CVV, the cardholder's name, address, date of birth, email and phone number, and also includes the social security number of US cardholders. Sorted by number of affected consumers, the top countries are the US, India, Brazil, the UK, Mexico, Turkey, Spain, Italiy, Australia and China.
Cyble's report includes a detailed analysis and a brief history of the 'BidenCash' group.
Uncredited, 'BidenCash' Strikes Again: Over 1.2 Million Compromised Payment Cards Data Leaked, Cyble blog, 7 October 2022. Available online at https://blog.cyble.com/2022/10/07/bidencash-strikes-again-over-1-2-million-compromised-payment-cards-data-leaked/.
Intel Alder Lake UEFI BIOS Source Code Leaked
Intel has confirmed that the UEFI BIOS source code for their Alder Lake processors has been leaked to 4chan and GitHib, along with tools for building optimized BIOS images. In confirming the breach, and Intel spokesperson claimed that they do not believe this leak will expose any new security vulnerabilities, and in fact, since the code is covered by the company's bug bounty program, it is an opportunity for researchers to help harden the code.
However, researcher Mark Ermolob, who immediately set to work analyzing the code, reported that he had found previously-undisclosed MSR's (Model-Specific Registers). Since the UEFI BIOS code runs at the beginning of the secure boot process, working closely with the TPM (Trusted Platform Module), and the MSR's are typically reserved for trusted code, this could pose a problem.
Even worse, Ermolov found the private key used to sign code for Intel's Boot Guard feature, so that feature is now useless. This all suggests that there could be further serious ramifications of this breach.
Alcorn, Paul, Intel Confirms Alder Lake BIOS Source Code Leak, New Details Emerge, Tom's Hardware, 10 October 2022. Available online at https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge.
'Fattening the Pig' - More Details Emerge
As previously reported, Cambodia-based scammers have lured thousands of people from Thailand, Vietnam, Taiwan and elsewhere to work in scam call centers under appalling conditions. Now further details have emerged, detailing threats of beatings and even electrocution for workers who fail to make quotas of roughly $US12,500 'revenue' each month, in exchange for an initial 'salary' of $US200 or, in most months, nothing. When a worker does not make enough money for the bosses, they are sold to another gang.
The scam workers target victims all over the world, using romance and investment lures, working from converted hotels surrounded by walls to prevent escape. According to the Global Anti-Scam Organization, the average loss from victims is about $US100,000.
Thai police complain of a lack of cooperation from Cambodian authorities which has hampered attempts to repatriate Thai workers. In August, one group of predominantly Vietnamese workers managed to escape, throwing Molotov cocktails to startle their guards, then running from the building to jump into the Binh Di river and swim to Vietnam, on the other bank at least 70 m away. One 16-year-old drowned, and another man was caught, dragged backwards and beaten.
Ratcliffe, Rebecca, Nhung Nguyen and Navaon Siradapuvadol, Sold to gangs, forced to run online scams: inside Cambodia's cybercrime crisis, The Guardian, 10 October 2022. Available online at https://www.theguardian.com/world/2022/oct/10/sold-to-gangs-forced-to-run-online-scams-inside-cambodias-cybercrime-crisis.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Brazilian Gang Runs Supply Chain Attack via NPM
Security researchers at CheckMarx have discovered 199 trojanized and other malicious NPM packages in a supply chain attack linked to a group called "LofyGang", which appears to be of Brazilian origin.
The gang seems to be primarily interested in collecting credit card information as well as accounts on streaming services and online gaming services, as well as Discord. They create sock-puppet accounts with names which are variations and permutations of a few key roots such as lofy, life, polar, panda, kakau, evil, devil and vilão (villain), and the presence of Brazilian Portuguese phrases in their files clued the researchers in to their origin.
Their main activity in underground hacking forums is to sell fake Instagram followers, many of which are linked to their malicious package profiles. And while they sell their malware to others, it is often trojanized - not with code in the main package, but in a dependency, to evade detection.
Harush, Jossef, LofyGang - Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year, Checkmarx blog, 7 October 2022. Available online at https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/.
Election Interference Advisory
The FBI and CISA have published a joint public service announcement describing methods used by foreign actors to spread and amplify false information, including reports of alleged malicious cyber activity, in attempts to undermine trust in election infrastructure.
The agencies also confirmed that they "have no information suggesting any cyber activity against U.S. election infrastructure has impacted the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast.”
In short, these foreign actors have not been able to compromise election systems, but they are likely to spread a lot of sensationalized BS on social media, just to stir up doubt and mistrust.
FBI & CISA, Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections, Alert Number I-1006622-PSA, 6 October 2022. Available online at https://www.ic3.gov/Media/PDF/Y2022/PSA221006.pdf.
Impact of Identity Theft
We all deal with the theoretical impact of data breaches and privacy breaches in our daily work; we go through risk analysis and estimate the costs of remediation, fines and judgements, reputation damage and so on. But most of us, fortunately, have never had to reckon the personal cost of identity theft.
A story in The Saturday Paper relates the real costs - not financial, but time and stress - of having your personal information stolen, in this case, by burglary, followed by online activities and social engineering. Emma Phillips' wallet and keys were stolen, along with a few other possessions - but of course it contained her driver's licence and credit cards.
Months later, somebody changed her bank account details; the bank changed them back and launched an investigation but the following day the bank took four phone calls from someone impersonating her with the correct identification details. This was followed by an attempt to empty the account from a distant branch (in the middle of COVID lockdowns that restricted travel). And so it went, for months on end, with multiple accounts affected, right down to Medicare.
A useful reminder that data which might not be particularly valuable to us can be incredibly valuable to the subject of that data.
Phillips, Emma, What happens when your identity is stolen, The Saturday Paper, 8 October 2022. Available online at https://www.thesaturdaypaper.com.au/life/2022/10/08/what-happens-when-your-identity-stolen.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
How to Not Be an Easy Mark for China
The NSA, FBI and Cybersecurity & Infrastructure Security Agency has issued an Alert which usefully lists the top vulnerabilities exploited by Chinese state-sponsored threat actors. The advisory lists each vuln with vendor, CVE number and vulnerability type - with remote code execution being the most popular type of vulnerability, for obvious reasons.
A list of suggested mitigations is also given, but the most basic message, as always, applies: patch, patch, patch. Topping the list is the venerable Log4j vulnerability, which is still being actively exploited. A proactive vulnerability management and patch management program would prevent the vast bulk of exploits, unless you are singled out for the 0day treatment.
Uncredited, Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors, Alert AA220279A, 6 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-279a/.
Russian Group Offers Malware-as-a-Service
Eternity (EternityTeam, Eternity Project) appeared around January 2022, offering a variety of malware, include an infostealer, cryptominer, botnet, and a DDoS bot. Now, the group has assembled its set of tools into a single multifunction bot called Lilithbot which it is selling on a subscription basis via a Telegram channel.
The Russian threat group has continually enhanced its software, adding antiforensics and other capabilities, including ransomware functionality (with video-based training for the customer). Researchers at Zscaler have analysed a sample of the malware and its C2 network, providing IOC's in their report.
Jain, Shatak and Aditya Sharma, Analysis of LilithBot and Eternity Threat Group, Zscaler blog, 5 October 2022. Available online at https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group.
Identity Service Dex Patches Consent Page Vulnerability
Open-source identity service Dex acts as a front end to other identity providers, mapping the OpenID Connect protocol to other identity protocols such as LDAP, SAML, OAuth 2.0 and Active Directory. Researchers recently discovered a vulnerability in the implementation of the Dex consent page which - if a user has previously authenticated - can be used by a malicious web site to steal an OAuth authorization code and exchange it for an access token.
This will allow the attacker to masquerade as the user, gaining full access to the user's applications - and because the exploit can be repeated, they can renew the token as required. The fix, which adds an HMAC to the protocol, has been added to Dex version 2.35.0 and later (2.35.1 required for the Google connector).
Woollacott, Emma, Dex patches authentication bug that enabled unauthorized access to client applications, The Daily Swig, 6 October 2022. Available online at https://portswigger.net/daily-swig/dex-patches-authentication-bug-that-enabled-unauthorized-access-to-client-applications.
Android & iOS Apps Steal Facebook Logins
A perennial problem, for some users, is the recurring compromise of their Facebook accounts. "Don't open any messages from me - I've been hacked!", is a common refrain on the social media platform. Often, their account has simply been cloned, but in other cases, their credentials have been stolen, and they wonder how.
Facebook parent Meta has now identified more than 400 malicious Android and iOS apps that steal Facebook credentials. A variety of apps were found, including photo editors, games, health and lifestyle apps, business or ad management apps and, of course, that old classic:: the flashlight app that does nothing but turn a light on and off, yet requires a 40 MByte download and every permission to do it.
The Meta researchers are working with Google and Apple to notify affected users and their blog article includes IoC's so researchers who care can investigate further. For users, there's a lot to be said for multi factor authentication - not to mention not downloading silly apps.
Agranovich, David and Ryan Victory, Protecting People From Malicious Account Compromise Apps, blog post, 7 October 2022. Available online at https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Browser Application Mode Enables Phishing
Application mode is a feature of Chromium-based browsers such as Google Chrome, Microsoft Edge and Brave. It allows web developers to create applications which launch and run in a browser window with no URL bar, toolbars or menu, and which display a website's favicon, rather than the browser icon, in the Windows taskbar. The browser's app mode is launched with the --app command line argument, which can also specify a target URL - which may be an https:// URL or a file:// URL for locally-sourced content (bypassing firewall filtering).
Security researcher mr. d0x has demonstrated how this can be used to create fake login forms which can be launched from a Windows shortcut .lnk file - a favourite technique by threat actors to launch loaders and other malware. With a little HTML, CSS and Javascript, just about any login prompt can be impersonated.
mr. d0x, Phishing With Chromium's Application Mode, blog post, 1 October 2022. Available online at https://mrd0x.com/phishing-with-chromium-application-mode/.
CISA Alert Details Impacket Network Manipulation, CovalentStealer Exfiltration
The US Cybersecurity & Infrastructure Security Agency, along with the FBI and the NSA, has issued a joint advisory detailing the TTP's and IOC's they observed during response to what turned out to be the activities of multiple APT's who had compromised a defense contractor's enterprise network.
Initial compromise was gained via a Microsoft Exchange server, perhaps as early as January of 2021. A compromised admin account was then used to access the Exchange server's API, and this was then followed by a series of command-line commands to investigate the system and network, as well as the collection of sensitive files. By March, the attackers had installed 17 China Chopper webshells on the Exchange server, as well as the HyperBro remote access trojan, and were pivoting to other systems.
The lateral movement was primarily achieved using the Impacket open-source toolkit, which allows remote command execution via the Windows management instrumentation API and protocols. This was followed by privilege escalation and more plundering of user's Exchange mailboxes.
Exfiltration of the data was achieved using CovalentStealer, which can automatically collect files on selected filepaths and user credentials, then exfiltrate them to a Microsoft OneDrive cloud folder, all under control of a configuration files.
Uncredited, Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, Alert AA22-277A, 4 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-277a.
Online Fraudster Jailed for 25 Years
A Norcross, GA man who had banked over $US9.5 million from business email compromise, romance scams and other online frauds has been sentenced to 25 years in a federal prison for his money laundering activities. Starting in October 2018, Elvis Eghosa Ogiekpolor had, in conjunction with the money mules he directed, opened at leat 50 faudulent business bank accounts in the name of a dozen sham companies to receive the proceeds from multiple BEC scams and romance frauds. The funds were withdrawn as cash and cashier's checks, and hundreds of thousands of dollars were wired overseas.
Multiple romance fraud victims testified at trial; one was convinced to wire $US32,000 to one of Ogiekpolor's accounts because her 'boyfriend' - actually one of Ogiekpolor's co-conspirators - claimed a part of his oil rig needed to be replaced but that he bank account was frozen. She had borrowed the funds against her retirement and savings, which ultimately required her to refinance her home to repay the loan. Another victim transferred almost $US70,000 for a similar 'frozen bank account' excuse.
Several of Ogiekpolor's co-conspirators have already been convicted.
Uncredited, Georgie man who laundered millions from romance scams, Business Email Compromises, and other online fraud receives 25-year sentence, press release, 3 October 2022. Available online at https://www.justice.gov/usao-ndga/pr/georgia-man-who-laundered-millions-romance-scams-business-email-compromises-and-other.
Vm2 Vuln Allows Sandbox RCE Breakout
A popular control for servers running Node.js workloads is to run their code in vm2, a popular JavaScript sandbox, thereby isolating the server from any vulnerability in the code running on it. But what if there is a vulnerability in the sandbox code itself?
The was the question Oxeye security researchers Gal Goldshtein and Yuval Ostrovsky asked themselves, and they answered it by starting with an analysis of previous vulnerabilities previously found in the software. Realizing that a previous bug reporter had exploited the error mechanism on Node.js to escape the sandbox, they searched for similar channels between the sandbox and the underlying OS - and found one in the exception handling code.
The vulnerability they found allows remote code execution on the host server, and merits a CVSS score of 10.0. There is no mitigation, other than updating to the latest release of vm2.
Dickson, Ben, JavaScript sandbox vm2 remediates remote code execution risk, The Daily Swig, 4 October 2022. Available online at https://portswigger.net/daily-swig/javascript-sandbox-vm2-remediates-remote-code-execution-risk.
Google Hacking Video Series
A rather nice new series of docudramas, with obviously high production values, has been released by Google. The series of six stories (plus trailers and bonus episode) looks at various security teams inside Google as they respond to attacks by a nation-state actor, perform red-team penetration testing, and try to find 0day exploits.
Google, HACKING GOOGLE, video playlist, 4 October 2022. Available online at https://g.co/safety/HACKINGGOOGLE.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
More Fake Job Malmails Trigger 0day Malware
Researchers at ESET have uncovered a new set of malware tools being deployed by North Korean APT, Lazarus group (a.k.a. HIDDEN COBRA - the group behind the Sony Pictures Entertainment breach and WannaCry). Most notable among these is the first observed exploit of CVE-2021-21551 in Dell DBUtil drivers in order to disable all security products on compromised machines. The exploit uses techniques against the Windows kernel instrumentation API's that have never been seen before, in order to block the monitoring of low-level actions like process instantiation, event tracing, etc.
The delivery mechanism is the increasingly common one of fake job offers - in one case via LinkedIn messaging, in another via email. Opening the attached document triggers a chain of droppers, loaders, backdoors, uploaders and downloaders - in all cases, trojanized open-source projects which decrypt the embedded payload using block ciphers with long keys passed as command-line arguments.
Kálnai, Peter, Amazon-themed campaigns of Lazarus in the Netherlands, ESET We Live Security blog, 30 September 2022. Available online at https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/.
Fake CISO Profiles on LinkedIn - Related?
In a possibly related story, blogger Brian Krebs has noted the creation of a large number of fake LinkedIn profiles for people occupying CISO positions at Fortune 500 companies. Krebs gives the example of a so-called 'Victor Sites' who claims to be CISO at Chevron; the real CISO is Christopher Lukas. However, a Google search for the CISO of Chevron returns Sites as the first result.
Compounding the problem, a number of magazine journalists and bloggers are accepting the fake profiles as truth and republishing their information. LinkedIn is working on taking the fake profiles down, but seems to need a more robust process for validating claimed positions.
However, with the current burst of malmails and phishes making use of phone job offers at major companies, including via LinkedIn messaging, one can't help wondering . . .
Krebs, Brian, Fake CISO Profiles on LinkedIn Target Fortune 500s, blog post, 29 September 2022. Available online at https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/.
Ransomware Demands - Damned If You Do, Damned If You Don't
Enterprises who fall foul of ransomware attacks are often faced with a bleak choice: pay the ransom demand to recover, or refuse. Refusal might require significant cleanup, data recovery from backups and the possible loss of some data, but the alternative contributes funding to increasingly well-resourced gangs who can now afford to hire developers, buy 0day exploits and still live high on the hog - thereby making the problem worse and weaking our overall position.
The decision wasn't too hard in the early days, but the stakes have been raised with the ubiquitous use of ransomware that also exfiltrates the data as it encrypts. Not paying the ransom now risks the exposure of possibly sensitive personal data and significant damage to lives, not just a financial hit. Governments have raised the possibility of making ransomware payments illegal, but cavill at the possibility of being blamed by an enterprise and its customers and patients that were legally blocked from forestalling a disastrous public exposure.
In the latest example, the Vice Society ransomware gang has published data which they had exfiltrated from the Los Angeles Unified School District, which had refused to pay an extortion demand, remaining "firm that dollars must be used to fund students and education" and pointing out that payment will not guarantee full recovery.
The 500 GB of data includes contact and legal documents, financial reports including bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students, according to TechCrunch.
Haber, Shannon, Los Angeles Unified Response on Cyberattack, press release, 30 September 2022. Available online at https://achieve.lausd.net/site/default.aspx?PageType=3&DomainID=4&ModuleInstanceID=4466&ViewID=6446EE88-D30C-497E-9316-3F8874B3E108&RenderLoc=0&FlexDataID=123107&PageID=1.
Carvalho, Alberto M., Thank you to our students, families and employees . . ., tweet, 3 October 2022. Available online at https://twitter.com/LAUSDSup/status/1576636549994717184.
Page, Carly, Hackers leak 500GB trove of data stolen during LAUSD ransomware attack, TechCrunch+, 3 October 2022. Available online at https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
New Malware Achieves Persistence in VMware ESXi Hypervisors
Mandiant has discovered a new family of malware which targets VMware ESXi hypervisors, Linux vCenter servers and Windows VM's. The malware allows a threat actor to:
- maintain persistent access to the hypervisor
- send command to the hypervisor which will then be routed to the guest VM for execution
- transfer files between the hypervisor and guest machines
- tamper with logs on the hypervisor
- execute arbitrary command from one guest to another guest on the same hypervisor.
It is important to note that this is a post-exploitation tookit; the attacker has to use some other - as yet undetermined - exploit to gain admin access to the ESXi hypervisor. But once this has been done, they are likely to escape detection for a long time, due to the lower level of support for endpoint dection and response products on hypervisors.
In their reports, Mandiant identified two new malware families, VIRTUALPITA and VIRTUALPIE, which are installed as malicious vSphere Installation Bundles (VIB's), despite not being signed by VMware or any of its trusted partners. Another component, VIRTUALGATE, is installed on Windows VM's to enable communication via VMware's virtual machine communication interface (VMCI).
The compaign is highly targeted and evasive, and while definitive attribution is not yet possible, the motive is probably cyber-espionage, and the threat actor possibly of Chinese origin.
Marvi, Alexander, Jeremy Koppen, Tufail Ahmed and Jonathan Lepore, Bad VI(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors, Mandiant blog, 29 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence.
Marvi, Alexander and Greg Blaum, Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors, Maniant blog, 29 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening.
Threat Actor Dangles US, NZ Jobs to Deliver Cobalt Strike Beacons
Cisco Talos researchers have uncovered a threat actor sending malmails which lure recipients into opening an infected MS Word document with details of a job with either the US government or a trade union in New Zealand. If the recipient falls for the lure, attempts to exploit CVE-2017-0199, a remote code execution vulnerability, by downloading a malicious Word document template from a BitBucket repository controlled by the attacker.
The downloaded .dotm template then executes an embedded VBA script - one variant of this deobfuscates and executes multiple Visual Basic and PowerShell scripts while another downloads and runs an executable that runs malicious PowerShell commands. Ultimately it downloads and runs a leaked version of a Cobalt Strike beacon which is cnfigured to inject arbitrary binaries, although the Redline infostealer and Maday botnet have also been seen as payloads.
Rghuprasad, Chetan and Vanja Svajcer, New campaign uses government, union-themed lures to deliver Cobalt Strike beacons, Talos Intelligence blog, 28 September 2022. Available online at https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Sophisticated Exploit PoC Breaks End-to-End Encryption in Matrix
Matrix is an open standard and suite of protocols which aim to make real-time communications, such as teleconferencing, operate as transparently as email. A user with an account on any Matrix server - called their homeserver - can use these protocols to communicate across the entire Matrix ecosystem. Since this will utilize untrusted servers, the specification enables end-to-end encryption by default, using the Olm and Megolm cryptographic ratchets, which are intended to provide perfect forward security.
Now, researchers at Royal Holloway University, University of Sheffield and Brave Software have published a paper revealing some subtle vulnerabilities in the implementations of these protocols in the matrix-react-sdk and matrix-js-sdk reference development libraries for these protocols. These lead to two critical severity vulnerabilities.
In the first attack, a malicious homeserver can add users which they control to end-to-end encrypted rooms, by spoofing room membership messages, which are not authenticated in these protocols. Once they have been added, these users can decrypt future messages sent in that room.. In the second attack, the malicious homeserver adds a device, which they control, to another user's account in the room. While the device will be labeled 'unverified', with a warning icon, to all users in the room, the damage is done - existing devices will have shared their session data with the new device, allowing decryption of all future messages.
The Matrix project has released patches for the affected libraries (which not all Matrix implementation use) and users are advised to upgrade.
Albrecht, Martin R, Sofía Celi, Benjamin Dowling, and Daniel Jones, Practically-Exploitable Cryptographic Vulnerabilities in Matrix, preprint, undated. Available online at https://nebuchadnezzar-megolm.github.io/.
Hodgson, Matthew, et. al., Upgrade now to address E2EE vulnerabilities in matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2, blog post, 28 September 2022. Available online at https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients.
Admin Pleads Guilty to Sabotaging Former Employer
An admin who had worked for a major Hawaii-based finance sector company has pleaded guilty to sabotaging his former employer's network. Casey K. Umetsu worked for the firm between 2017 and 2019 as a network administrator, but shortly after leaving their employ, he used his credentials to access an admin dashboard and made numerous changes, including redirecting web and email traffic to external machines - effectively a denial of service. He also locked other administrators out of the dashboard so that they could not resolve the problem for several days.
His plan was to convince the company to hire him back at a higher salary - but the company contacted the FBI, who tracked him down, and he now faces a maximum sentence of 10 years in prison and a fine of up to $US250,000, which counts as a spectacular CLM (Career Limiting Move).
Of course, there's a lesson here for all of us, although the former employer paid a high price for it: have a procedure to rapidly revoke the access of highly-privileged employees (admittedly easier to say than to do).
Enoki, Elliot, Honolulu Man Pleads Guilty to Sabotaging Former Employer’s Computer Network, DOJ Us Attorney's Office, District of Hawaii, 28 September 2022. Available online at https://www.justice.gov/usao-hi/pr/honolulu-man-pleads-guilty-sabotaging-former-employer-s-computer-network.
Microsoft Eyes North Korean Hackers Weaponizing Open Source
Over the last few months, Microsoft's Threat Intelligence Center has been tracking an actor they label ZINC (also known as Labyrinth Chollima and BlackArtemis) using social engineering attacks against employees in media, defence, aerospace and IT in the US, UK, India and Russia. The attacker starts with LinkedIn connections as a way to build trust with victims, then switched to communication via WhatsApp, which they used to deliver their payloads with the lure of employment.
The payloads are weaponized versions of popular open-source programs including PuTTY, KiTTY, TightVNC. Sumatra PDF Reader and others, and the embedded payload is an obfuscated variant of the ZetaNile malware. This relates to a similar campaign reported by Mandiant earlier this month.
ZINC's goals are cyberespionage and theft of corporate data, but this attacker will also settle for personal data, financial gain and network disruption.
MSTIC and LinkedIn Threat Prevention and Defense, ZINC weaponizing open-source software, blog post, 29 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Multi-Platform, Multi-Function Malware
Black Lotus Labs has released their analysis of a new malware sample christened 'Chaos' by its developers, who seem to be Chinese. Chaos is written in the Go programming language, and has been designed to operate on both Windows and Linux systems on multiple different architectures, including Intel/AMD, ARM and PowerPC.
Once Chaos is installed on a device, it becomes persistent and then creates a UDP port from which it establishes initial contact with a C2 server, sending the OS version and platfrom. On Windows, it will create a registry key and copy itself into another directory. It follows this by establishing a TLS connection with the C2 server and collecting additional information about the system it has infected.
From here, it will receive staging commands, which will use another port to download additional files which it will go on to use in obtaining SSH connections to new hosts, whether using keys it found on the infected host, by brute forcing, or by using keys it downloads. It may also download a file containing passwords likely to succeed.
If it manages to break into another system, it contacts yet another C2 server which carries copies of Chaos compiled for all useful combinations of OS and platform.
Infected systems will also receive any of 70 additional commands which might further exploit the current system, open a reverse shell, run scripts to exploit known CVE vulnerabilities on other machines, launch DDoS attacks or start cryptomining using the xmrig Monero miner.
Black Lotus Labs, Chaos Is A Go-based Swiss Army Knife of Malware, Lumen blog, 28 September 2022. Available online at https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/.
Brute Ratel Red-Team Toolkit Cracked, Shared By Threat Actors
In red-team penetration testing, the whole idea is for the red team to document their exploits as they twist and pivot inside the defenders' network, so that they can share this information with the blue team in order to improve their defensive controls and their incident response procedures and playbooks. A popular framework for this purpose is Brute Ratel, a post-exploitation toolkit that works by installing agents called badgers on network devices and using them to run attacks while evading IDS, EDR and AV products. As it does this, it records its progress, generating a timeline and graph of each attack for use in subsequent analysis.
So far, so good. But now, a threat actor has cracked the licence protection in Brute Ratel, so that it can be installed and run without an activation key, and as word spreads in underground forums, it is likely that cybercrime groups have gained access to the tool - or very soon will. The problem with this is that one of Brute Ratel's key strengths is its ability to generate novel shellcode which cannot be detected by existing EDR and AV products the shellcode is a unique IOC each time.
Brute Ratel now joins Cobalt Strike as a defensive weapon that has fallen into the wrong hands.
BushidoToken, Brute Ratel cracked and shared across the Cybercriminal Underground, blog post, 28 September 2022. Available online at https://blog.bushidotoken.net/2022/09/brute-ratel-cracked-and-shared-across.html.
Microsoft Exchange RCE 0day Active in the Wild
Vietnames security firm GTSC is warning of an extensive campaign which targets Microsoft Exchange servers via two previously-undiscovered vulnerabilities. GTSC notified Microsoft via submission to the Zero Day Initiative, but the Redmond company is yet to acknowledge them and they do not have CVE numbers. However, GTSC calculates their CVSS scores to be 8.8 and 6.3, since their exploitation leads to remote command execution.
The attack was revealed when GTSC observed IIS log entries which looked similar to those of the ProxyShell vulnerability, and with a little analysis, their red team figured out how to access the Exchange back end and perform RCE.
Tracing through the logs, they also found that the exploit was followed by information collection, the installation of Chinese Chopper web shells, which seem to be managed by Antsword, a Chinese-based open-source website admin tool that supports web shell management.
Although they do not wish to release technical details, GTSC have provided a temporary mitigation which uses a URL rewrite rule.
GTSC Team, Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server, blog post, 28 September 2022. Available online at https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html.
Former eBay Execs Get Jail Time for Harrassment
Two former security executives at eBay Inc have been sentenced to prison for their part in a campaign of harrassment and intimidation directed at a MA couple whose eCommerce newsletter had annoyed then-CEO Devin Wenig.
Jim Baugh, former senior director of safety and security, and David Harville, former director of global resiliency received sentences of 57 months and 24 months respectively, along with fines of $US40,000 and $US20,000, after pleading guilty to cyberstalking-related charges.
The campaign began after Wenig, annoyed by comments critical of eBay in the newsletter of David and Ina Steiner, texted another executive that it was time to "take her down". In the campaign that followed the couple were subjected to anonymous harrassing tweets, bizarre emails and creepy package deliveries like spiders, cockroaches, a funeral wreath, a bloody Halloween pig mask and a book on how to survive the death of a spouse.
Seven eBay employees were charged in connection with the campaign, although Wenig was not, having "absolutely zero knowledge" of the actions that followed. A civil suit by the Steiners remains pending.
Raymond, Nate, Ex-eBay execs heading to prison for harrassing couple behind newsletter, Reuters, 30 September 2022. Available online at https://www.reuters.com/world/us/ex-ebay-exec-heading-prison-harassing-couple-behind-newsletter-2022-09-29/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
New Campaign Targets US Defence Contractors
Security researchers at Securonix have uncovered a sophisticated attack campaign directed at multiple military and weapons contractors, including a likely supplier to the F-35 Lightning II fighter program. The initial compromise is achieved by a spear-phishing malmail which carries an attached shortcut file with a seductive name like 'Company & Benefits.pdf.lnk". This then uses the forfiles command to stealthily run a PowerShell command line script which repeatedly attempts to connect to a C2 server in order to fetch the next of seven stages of downloaded scripts which complete the infection.
The multiple-stage infection process exmploys many aggressive antiforensics techniques; for example, if it detects it is being executed in a virtualization sandbox, it disables networking on the system, deletes all the user files it can find, and then shuts the machine down. Of particular interest is that if the system language is Chinese or Russian, then it simply exits after initiating a shutdown.
Along the way, the different stages contact a variety of C2 servers which are themselves hidden behind a Cloudflare front end which will also provide CDN services and TLS encryption. The Securonix blog article provides a comprehensive analysis including IOC's and threat hunting queries.
Iuzvyk, D., T. Peck and O. Kolesnikov, Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors, blog post, September 2022. Available online at https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/.
Auth0 Code Compromised, Somehow
Authentication service provider Auth0, now a subsidiary of Okta, has disclosed that a third party has somehow acquired a copy of some Auth0 code respositories, dated October 2020. However, an extensive investigation conducted by both the company itself and a DFIR consultancy found no evidence of unauthorized access to its environments, and no evidence of any data exfiltration.
Although the mechanism of the breach remains a mystery, the company has notified law enforcement and taken additionl steps to ensure the code cannot be used to compromise any accounts.
Uncredited, Auth0 Code Repository Archives From 2020 and Earlier, blog post, 26 September 2022. Available online at https://auth0.com/blog/auth0-code-repository-archives-from-2020-and-earlier/.
Facebook Shutters Chinese, Russian Disinformation Networks
Facebook parent company Meta has disclosed actions it has taken to shut down two unconnected networks - one Chinese, one Russian - which were violating the firm's policy against what it terms 'coordinated inauthentic behaviour'.
The Chinese-origin operation targeted primarily the US and Czechia (the Czech Republic), posting on Facebook, Instagram, Twitter and two petition platforms in Czechia. Its focus was to influence US voters of all political stripes ahead of the upcoming midterm elections, and also to influence Czechia's foreitn policy towards China and Ukraine.
The Russian network focused on Germany, France, Italy, Ukraine and the UK with narratives on the Ukraine conflict and its impact in Europe. This was a large and complex campaign which used sock puppet accounts on Facebook, Instagram, LiveJournal, YouTube, Telegram, Twitter, Change.org and Avaaz to direct readers to a network of over 60 web sites impersonating legitimate news organizations such as The Guardian and Der Spiegel.
The full, 30-page report includes IOC's; for social media users the obvious lesson is to check the URL bar on links you follow from posts, to make sure you are looking at the real news site.
Nimmo, Ben and David Agranovich, Removing Coordinated Inauthentic Behavior From China and Russia, news release, Meta, 27 September 2022. Available online at https://about.fb.com/news/2022/09/removing-coordinated-inauthentic-behavior-from-china-and-russia/.
Nimmo, Ben and Mike Torrey, Taking down coordinated inauthentic behavior from Russia and China, Detailed Report, September 2022. Available online from https://about.fb.com/wp-content/uploads/2022/09/CIB-Report_-China-Russia_Sept-2022-1-1.pdf.
"Quantum Builder" Shortcuts Used to Deliver RATs
A new campaign is using a tool called "Quantum Builder" to generate malicious Windows shortcut and similar files in order to deliver the Agent Tesla keylogger RAT to victims.
Quantum Builder, which is linked to the Lazarus Group APT, can generate mailicious .lnk, .hta and PowerShell payloads which use multiple stages to deliver Agent Tesla. The payloads use a variety of sophisticated techniques:
- User Account Control bypass
- Multi-stage infection chain making use of LOLBins
- In-memory execution of PowerShell scripts
- Execution of decoys to distract victims post-compromise
ZScaler ThreatLabz, who discovered the campaign, say they are unable to confidently make attribution at this stage, but have provided a full analysis in their report.
Zscaler ThreatLabz, Agent Tesla RAT Delivered by Quantum Builder With New TTPs, blog post, 27 September 2022. Available online at https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.