by Les Bell - Thursday, 15 September 2022, 6:43 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Mudge Spills Beans on Twitter

Former Twitter CISO Peiter "Mudge" Zatko has appeared before a Congressional committee to testify on failures of governance at the company, which he divided into two categories: the company does not know enough about its own data, and employees have too much access to data. “They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.”

The lack of granular access control mechanisms is particularly concerning in light of Mudge's allegations that the company is unable to identify and expel foreign agents in its employ. He claimed that the company knowingly allowed a foreign agent placed by the Indian government to influence negotiations over social media restrictions in the country. Furthermore, a week before Mudge was fired by the company, the FBI had informed Twitter's security team that at least one agent from China's Ministry of State Security was working there.

The problems, claims Mudge, stem from a corporate culture that avoids negativity and selects favourable information to present to the board. "I saw that Twitter was a company that was managed by risk and crises, instead of one that manages risk and crises", he claimed. When he told one executive that he was confident there was a foreign agent within the company, their response was, "Well, since we already have one, what does it matter if we have more?", he claims.

Mudge's testimony comes at an awkward time for Twitter, as it also supports Elon Musk's case for backing out of his planned acquisition on the grounds that the company had failed to disclose that a large proportion of user accounts were, in fact, bots. Twitter, of course, paints his account of events as "a false narrative ... riddled with inconsistencies and inaccuracies".

A related article suggests that various companies are frantically searching for dirt in order to discredit Mudge, but that they will find it difficult.

Paul, Kari, Twitter whistleblower tells Senate of 'egregious' security failings by company, The Guardian, 14 September 2022. Available online at https://www.theguardian.com/technology/2022/sep/13/twitter-whistleblower-testimony-congress-peiter-zatko.

Bond, Shannon and Raquel Maria Dillon, Twitter may have hired a Chinese spy and four other takeaways from the Senate hearing, NPR, 13 September 2022. Available online at https://www.npr.org/2022/09/13/1122671582/twitter-whistleblower-mudge-senate-hearing.

Kaplan, Fred, The People Looking for Dirt to Discredit Twitter Whistleblower "Mudge" Are Not Going to Find It, Slate, 13 September 2022. Available online at https://slate.com/news-and-politics/2022/09/twitter-whistleblower-mudge-hearing-dirt-nope.html.

New Google Tool Minimizes Use-after-free Vulnerabilities

A use-after-free bug arises when a program allocates memory from the heap, frees it, and then mistakenly continues to use a pointer to it. If an attacker can find such a bug and work out how to exploit it - typically by arranging for the freed memory to be reallocated to data they control before the stale pointer is used - it becomes a vulnerability. These bugs are common in large C and C++ code bases because deciding exactly when an object's lifetime ends, and hence where the free() or delete belongs, is genuinely hard.

Google's Chrome team reports that use-after-free bugs account for roughly half of the known exploitable bugs in the browser, and this spurred its developers to create a mitigation, MiraclePtr, which makes them very hard to exploit. It defines a new smart-pointer type, raw_ptr<T>, backed by a reference count that Chrome's PartitionAlloc allocator keeps alongside each allocation (the implementation is called BackupRefPtr). When application code calls delete but the count is not zero - meaning a raw_ptr somewhere still points at the block - the memory is poisoned and quarantined rather than released for reuse; only when the count drops to zero is it returned to the allocator. The bug is still a bug, but a dangling pointer now reads poisoned memory instead of an attacker-controlled object, so the usual outcome is a crash or a harmless read rather than code execution.
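The following is an added illustration, not Chromium's code: a toy free-list allocator and a RawPtr wrapper that apply the BackupRefPtr rules described above (refcount per slot, poison-and-quarantine on free while referenced, release when the last reference goes away). The slot layout, the poison byte value and the `reset()` call standing in for a C++ destructor are all assumptions made for readability; Chromium stores the count in PartitionAlloc's per-slot metadata and instruments raw_ptr<T> automatically.

```python
"""Toy model of Chrome's MiraclePtr / BackupRefPtr scheme (added illustration,
not Chromium code). A tiny free-list allocator and a RawPtr wrapper apply the
same rules so the effect of a dangling read can be traced by hand."""

POISON = 0xEF  # assumed poison value written over a freed, still-referenced slot


class Slot:
    """One heap allocation; `refs` mirrors the per-slot reference count."""

    def __init__(self, size: int):
        self.data = bytearray(size)
        self.refs = 0       # live RawPtr objects pointing at this slot
        self.freed = False  # owner has called free()


class Allocator:
    def __init__(self):
        self.free_list = []   # slots released for reuse
        self.quarantine = []  # freed slots still referenced by a RawPtr

    def alloc(self, size: int) -> Slot:
        # Prefer a released slot, as a real free-list allocator would. This is
        # what lets a stale pointer observe whatever object lands there next.
        for slot in self.free_list:
            if len(slot.data) >= size:
                self.free_list.remove(slot)
                slot.freed = False
                slot.data[:] = bytes(len(slot.data))
                return slot
        return Slot(size)

    def free(self, slot: Slot) -> None:
        """The owner is done with the object (C++ `delete`)."""
        if slot.freed:
            raise RuntimeError("double free")
        slot.freed = True
        if slot.refs > 0:
            # BackupRefPtr rule: something still points here, so poison the
            # contents and hold the slot back instead of releasing it.
            slot.data[:] = bytes([POISON]) * len(slot.data)
            self.quarantine.append(slot)
        else:
            self.free_list.append(slot)

    def release_if_unreferenced(self, slot: Slot) -> None:
        if slot.freed and slot.refs == 0 and slot in self.quarantine:
            self.quarantine.remove(slot)
            self.free_list.append(slot)


class RawPtr:
    """Models raw_ptr<T>: a pointer field that maintains the slot's refcount."""

    def __init__(self, allocator: Allocator, slot: Slot):
        self.allocator = allocator
        self.slot = slot
        slot.refs += 1

    def read(self) -> bytes:
        # Deliberately unchecked: the use-after-free is still a bug. What
        # changes is what it observes (poison, never another object's data).
        return bytes(self.slot.data)

    def reset(self) -> None:
        """Pointer goes out of scope or is reassigned (raw_ptr destructor)."""
        self.slot.refs -= 1
        self.allocator.release_if_unreferenced(self.slot)
        self.slot = None


def dangling_read_unprotected() -> bytes:
    """Classic UAF: free, let the slot be reused, read through the stale pointer."""
    heap = Allocator()
    obj = heap.alloc(8)
    obj.data[:] = b"SECRET01"
    stale = obj                # a plain C++ pointer: no reference count
    heap.free(obj)
    attacker = heap.alloc(8)   # reuses the very same slot
    attacker.data[:] = b"EVILDATA"
    return bytes(stale.data)   # the stale pointer now sees attacker data


def dangling_read_protected():
    """Same bug via raw_ptr: the slot is quarantined, so the read sees poison."""
    heap = Allocator()
    obj = heap.alloc(8)
    obj.data[:] = b"SECRET01"
    stale = RawPtr(heap, obj)
    heap.free(obj)
    attacker = heap.alloc(8)   # cannot be handed the quarantined slot
    attacker.data[:] = b"EVILDATA"
    seen = stale.read()
    stale.reset()              # last reference gone: slot finally released
    return seen, attacker is not obj, obj in heap.free_list


if __name__ == "__main__":
    print(dangling_read_unprotected())
    print(dangling_read_protected())
```

Running it shows the unprotected case returning the attacker's bytes, while the protected case returns eight poison bytes, confirms the attacker was given a different slot, and shows the original slot only reaching the free list once the last RawPtr is gone.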

Taylor, Adrian, Bartek Nowierski and Kentaro Hara, Use-after-freedom: MiraclePtr, Google Security Blog, 13 September 2022. Available online at https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html.

WordPress Plugin 0Day Actively Exploited

Wordfence - a security firm which specializes in WordPress security - has issued a public service announcement about a zero-day vulnerability, rated CVSS 9.8, which is being actively exploited in the wild for unauthenticated privilege escalation: an attacker can use it to add a malicious administrator account to the site. The vulnerability is in the WPGateway plugin, which is tied to the WPGateway cloud service, an administration dashboard that simplifies the setup and management of WordPress sites.

A simple indicator of compromise is the presence of an administrator account called rangex. Exploitation is also signalled by requests for the following path in the web server's access log:

//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1

Administrators who are using the WPGateway plugin should remove it immediately, until a patched version becomes available.

Gall, Ram, PSA: Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild, Wordfence blog, 13 September 2022. Available online at https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/.

You Knew This Would Happen, Right?

After every major news event, there's inevitably a round of attacks seeking to exploit it in some way. For example, within hours of the 2004 Indian Ocean tsunami, hackers had set up fake Red Cross donation sites and were phishing like crazy.

Inevitably, the death of Queen Elizabeth II has triggered similar activity, and Proofpoint's Threat Insight team has found one such campaign. Victims are lured by emails purporting to come from Microsoft, inviting them to an "artificial technology hub" in her honour. The emails link to a credential-harvesting page built on the EvilProxy phishing kit, a reverse-proxy ("adversary-in-the-middle") kit which relays the victim's login to the real service and captures the resulting session cookie, so that it bypasses most forms of multi-factor authentication (phishing-resistant FIDO2/WebAuthn authenticators, which bind the credential to the genuine origin, being the exception).

I dare say this won't be the last such campaign.

Threat Insight, Proofpoint identified a credential #phish campaign using lures related to Her Majesty Queen Elizabeth II. Messages purported to be from Microsoft and invited recipients to an “artificial technology hub” in her honor, Twitter thread, 15 September 2022. Available online at https://twitter.com/threatinsight/status/1570092339984584705.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

by Les Bell - Wednesday, 14 September 2022, 8:26 AM

News Stories


Cisco Attributes Breach to Lapsus$, Yanluowang Ransomware Groups

Back in May, Cisco's systems were breached following a sophisticated phishing attack. Cisco Talos and Cisco's internal response team have now concluded their investigation, attributing the intrusion to an initial access broker with ties to UNC2447, Lapsus$ and the Yanluowang ransomware gang, and their report is highly instructive.

Initial access to Cisco's VPN was achieved by compromising an employee's personal Google account: the employee had enabled password sync in Chrome and stored their Cisco credentials in the browser. The next step was to get past the VPN's multi-factor authentication, which the attacker managed with a mix of techniques - voice phishing ("vishing") and MFA push fatigue, in which a high volume of push notifications is sent to the user's device until they slip up or, in frustration, approve one just to make it stop. The employee concerned reported receiving multiple calls, in variously-accented English, purporting to come from tech support.

After gaining access, the attackers enrolled new devices for MFA and authenticated to the Cisco VPN. They then escalated to administrative privileges, logged in to multiple systems, rapidly deployed tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket, and created backdoor accounts. Enumeration followed, mostly performed manually at the command line (numerous typing errors gave this away), and then pivoting to other systems, including Citrix servers and domain controllers, from which they dumped credentials.

The Talos report contains a lot of detail on TTPs, as well as useful recommendations; key among these is educating users on what to do when they receive MFA push requests they did not initiate, and whom to contact. Deploying MFA is not as simple as setting up an authenticator app on everyone's phone and telling them to get on with it: number matching, or phishing-resistant authenticators such as FIDO2 keys, remove the one-tap "approve" that push fatigue relies on.
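The push-fatigue and device-enrolment steps above leave a recognisable trail in an identity provider's MFA logs. The following is an added example (not from Cisco's or Talos's report) of the detection logic a SOC might run over such logs: it flags a flood of push requests to one user, an approval that follows a run of denials, and an MFA device enrolment shortly after such an approval. The log format, field names and thresholds are assumptions, and the sample log is constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one MFA event per line as "timestamp user event result device".
# The layout is an assumption for this example, not any vendor's log schema.
SAMPLE_LOG = """\
2022-05-24T09:00:05Z alice mfa_push   denied   iphone-a1
2022-05-24T09:00:31Z alice mfa_push   denied   iphone-a1
2022-05-24T09:01:00Z bob   mfa_push   approved pixel-b1
2022-05-24T09:01:02Z alice mfa_push   denied   iphone-a1
2022-05-24T09:01:40Z alice mfa_push   denied   iphone-a1
2022-05-24T09:02:15Z alice mfa_push   denied   iphone-a1
2022-05-24T09:02:50Z alice mfa_push   denied   iphone-a1
2022-05-24T09:03:30Z alice mfa_push   denied   iphone-a1
2022-05-24T09:04:10Z alice mfa_push   approved iphone-a1
2022-05-24T09:06:02Z alice mfa_enroll success  android-new
2022-05-24T09:10:00Z carol mfa_push   denied   iphone-c1
2022-05-24T09:10:20Z carol mfa_push   approved iphone-c1
"""

# Assumed thresholds; tune to the organisation's normal push volume.
PUSH_THRESHOLD = 5                   # pushes to one user within WINDOW
WINDOW = timedelta(minutes=10)
ENROLL_WINDOW = timedelta(minutes=30)  # new device soon after a suspect approval


def parse(log_text):
    """Return (timestamp, user, event, result, device) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, device = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, user, event, result, device))
    return sorted(events)


def detect(events, push_threshold=PUSH_THRESHOLD, window=WINDOW,
           enroll_window=ENROLL_WINDOW):
    """Return (user, alert_kind, time) tuples for push-fatigue patterns."""
    pushes = defaultdict(deque)    # user -> timestamps of recent pushes
    denials = defaultdict(deque)   # user -> timestamps of recent denials
    suspect_approval = {}          # user -> time of an approval after denials
    alerts = []
    for ts, user, event, result, _device in events:
        if event == "mfa_push":
            recent, denied = pushes[user], denials[user]
            recent.append(ts)
            for q in (recent, denied):          # drop entries outside the window
                while q and ts - q[0] > window:
                    q.popleft()
            if len(recent) == push_threshold:   # fire once, as the threshold is crossed
                alerts.append((user, "push_flood", ts))
            if result == "denied":
                denied.append(ts)
            elif result == "approved" and len(denied) >= 2:
                # A user who denied several prompts and then approved one is
                # the signature of "giving in"; a single fat-finger denial is not.
                alerts.append((user, "approved_after_denials", ts))
                suspect_approval[user] = ts
        elif event == "mfa_enroll" and result == "success":
            t0 = suspect_approval.get(user)
            if t0 is not None and ts - t0 <= enroll_window:
                alerts.append((user, "enroll_after_fatigue", ts))
    return alerts


def run_sample():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for user, kind, when in run_sample():
        print(f"{when.isoformat()} {user:6} {kind}")
```

On the sample, only alice trips the rules: bob's single approval and carol's one denial followed by an approval are left alone, which is the false-positive behaviour you want from the "approved after denials" rule.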

Uncredited, Cisco Talos shares insights related to recent cyber attack on Cisco, blog post, 10 August 2022, updated 11 September 2022. Available online at https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html.

Skills Gap Contributing to Breaches

A new report from Fortinet turns up a slightly scary finding - 80% of respondents to a global survey suffered at least one breach that they could attribute to a lack of cybersecurity skills and/or awareness. 64% of organizations lost revenue or paid fines due to breaches in the past year, and 38% reported breaches that cost them more than $US1 million.

The key problem is finding certified cybersecurity talent (reported by 60% of respondents) and then retaining it (52%). At least the message is reaching boards: 76% of organizations report that their board of directors recommends increases in IT and cybersecurity headcount.

Uncredited, 2022 Cybersecurity Skills Gap, Global Research Report, September 2022. Available online at https://www.fortinet.com/content/dam/fortinet/assets/reports/report-2022-skills-gap-survey.pdf.

Programmable Logic Controllers on Public IP Addresses? Pwned!

An interesting example of an easy attack on industrial control systems has been analysed by ICS security specialist firm Otorio. The attack, carried out and publicised by the hacktivist group GhostSec, compromised 55 Berghof PLCs (programmable logic controllers) used by companies in Israel. The group was able to log in to the PLCs' administration interface - the devices were exposed on public IP addresses and protected by default or trivial passwords - then stop the PLC process and dump data from it.

Fortunately, the group stopped at that point, choosing to embarrass its victims rather than interfere with industrial processes; in any case, access to a single PLC gives little insight into the overall process or the other devices involved, so doing real damage would have taken considerably more work.

Lakshmanan, Ravie, Hacktivist Group GhostSec Compromises 55 Berghof PLCs Across Israel, The Hacker News, 12 September 2022. Available online at https://thehackernews.com/2022/09/palestinian-hacktivist-group-ghostsec.html.

Let's Encrypt Reintroduces CRLs

Free certificate authority Let's Encrypt has announced plans to build infrastructure to distribute certificate revocation lists (CRLs). CRLs are the original X.509 revocation mechanism, but for public web site certificates they have effectively been dead for years: a CRL from a large CA runs to megabytes (or, at Let's Encrypt's scale, gigabytes), so browsers stopped downloading them, and CAs - Let's Encrypt included - relied instead on the Online Certificate Status Protocol (OCSP). OCSP has problems of its own: every query tells the CA which site a user is visiting, and browsers "soft-fail" when a responder is slow or unreachable, so an attacker who can block the query can also block the revocation. In practice, a compromised web site private key has frequently remained usable until the certificate expired.

The browser vendors are now taking a different approach. Mozilla (Firefox) and Google (Chrome) collect revocation information from the CAs' CRLs and compile it into their own compact, browser-specific formats (CRLite and CRLSets respectively), which are distributed through the update mechanisms already built into the browsers - Firefox, for example, can push updates every six hours. This only works, of course, if CAs actually publish CRLs covering all of their certificates.

Let's Encrypt has now joined this effort, developing new infrastructure to do so. A single CRL covering its roughly 200 million active certificates would weigh in at about 8 GB, so it is being split into 128 shards which are downloaded separately, with the assignment of certificates to shards tuned so that each shard stays small and changes as infrequently as possible.

Gable, Aaron, A New Life for Certificate Revocation Lists, blog article, 7 September 2022. Available online at https://letsencrypt.org/2022/09/07/new-life-for-crls.html.


by Les Bell - Tuesday, 13 September 2022, 8:29 AM

News Stories


Does Cybersecurity Awareness Change Behaviour?

Badly-designed awareness campaigns are of dubious value in changing security culture, with a majority of US Government employees surveyed by NIST reporting "security fatigue" (Stanton et al., 2016). Now the EU's cybersecurity agency, ENISA, is partnering with Anima People, UCL and Gothenburg University to run a research study on the effectiveness of its European Cybersecurity Month, which takes place each October to promote cybersecurity among EU citizens and organizations. If you are interested in participating, see https://ec.europa.eu/eusurvey/runner/Cybersecurity_Awareness_ECSM-PreC.

Stanton, B., M. F. Theofanos, S. S. Prettyman, and S. Furman, Security Fatigue, IT Professional 18, no. 5 (September 2016): 26–32. doi:10.1109/MITP.2016.84.

China Gets Some of What It Gives

China is accusing the NSA's Office of Tailored Access Operations (TAO) of running a major campaign of attacks against its Northwestern Polytechnical University in Xi'an, disclosed in June of this year. The National Computer Virus Emergency Response Centre (NCVERC) released its findings last week, accusing the NSA of delivering thousands of attacks, using at least 40 different cyber weapons, against the university, which conducts military and aeronautical engineering research.

"The U.S. NSA's TAO has carried out tens of thousands of malicious cyber attacks on China's domestic network targets, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.), and stole more than 140GB of high-value data," the NCVERC said.

Lakshmanan, Ravie, China Accuses NSA's TAO Unit of Hacking its Military Research University, The Hacker News, 12 September 2022. Available online at https://thehackernews.com/2022/09/china-accuses-nsas-tao-unit-of-hacking.html.

Apple Fixes Eighth 0Day for 2022

A serious kernel vulnerability, CVE-2022-32917, which could allow a malicious application to execute arbitrary code with kernel privileges, is reported as being actively exploited in the wild. Apple has released patches for iPhones, iPads and Macs for what is the eighth zero-day vulnerability in its products this year. Users are urged to update their devices promptly.

Gatlan, Sergiu, Apple fixes eighth zero-day used to hack iPhones and Macs this year, Bleeping Computer, 12 September 2022. Available online at https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/.

More Info on Iranian Group APT42

Last week we posted about a Microsoft report on an Iranian group it calls DEV-0270 (Nemesis Kitten). Mandiant has now published a detailed report on APT42, another group it assesses to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC); Mandiant notes overlaps with other IRGC-linked clusters but tracks APT42 as a distinct group. APT42 has been running highly-targeted spear-phishing and social engineering campaigns against a wide range of sectors - education, government, healthcare, legal, media and pharmaceuticals - in at least 14 countries, including Australia, the US and several in Europe.

The group's operations fall into three major areas: credential harvesting, including capturing multi-factor authentication codes, to compromise accounts, networks and devices; surveillance operations using Android mobile malware to track the locations and monitor the communications of individuals of interest to the Iranian government; and deployment of custom malware, including backdoors, in its more advanced campaigns. By correlating Telegram activity, open-source intelligence and OPSEC lapses by the group, Mandiant assesses that it is also associated with two front companies, Najee Technology and Afkar Systems.

Mandiant Intelligence, APT42: Crooked Charms, Cons and Compromises, blog article and report, 7 September 2022. Available online at https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises.

Developers Speed Up Their Ransomware

Ransomware developers have realized that encrypting every byte of every file is slow, and the longer encryption takes, the greater the chance of detection and the more data a victim may be able to save. Intensive file I/O may also be flagged by anti-malware software monitoring the system.

In response, a number of ransomware families have adopted intermittent or partial encryption of files, according to a report from SentinelLabs. In many cases, simply encrypting the first 64 or 128 bytes of a file - usually its header - is enough to make it unopenable by its application. Other samples encrypt every third or fourth block, or a fixed percentage (say 10%) of the file, or combinations of these.

As a result, these encryptors are significantly faster than earlier ones and less likely to trip detection based on file I/O volume or on statistical tests (such as entropy) that look for fully-encrypted files. In many cases the operators still exfiltrate data beforehand for use in subsequent extortion.
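To see the trade-off concretely, the following added example (not SentinelLabs' code, and not derived from any ransomware sample) applies the two strategies described above to a constructed document and reports how much of the file was touched, whether the file's magic bytes survived, and the entropy of its header. The keystream is a deliberately simple SHA-256 counter construction standing in for whatever cipher a real sample uses; the block size and the sample file are assumptions.

```python
import hashlib
import math

BLOCK = 4096  # assumed block size for the striped strategy


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for the real
    cipher; only *which* bytes get touched matters for this illustration."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def header_only(size: int, n: int = 128):
    """Strategy 1: encrypt only the first n bytes (the file header)."""
    return [(0, min(n, size))]


def striped(size: int, block: int = BLOCK, every: int = 3):
    """Strategy 2: encrypt one block in every `every` blocks (every=3 -> ~1/3)."""
    return [(s, min(s + block, size)) for s in range(0, size, block * every)]


def encrypt_ranges(data: bytes, key: bytes, ranges) -> bytes:
    """XOR the keystream into the given [start, end) byte ranges only."""
    buf = bytearray(data)
    ks = keystream(key, len(data))
    for start, end in ranges:
        for i in range(start, end):
            buf[i] ^= ks[i]
    return bytes(buf)


def touched_fraction(ranges, size: int) -> float:
    return sum(end - start for start, end in ranges) / size


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0 = constant, 8 = uniformly random)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def simulate(data: bytes, key: bytes, ranges) -> dict:
    """Encrypt the ranges and summarise what a scanner would observe."""
    out = encrypt_ranges(data, key, ranges)
    return {
        "touched": touched_fraction(ranges, len(data)),
        "magic_intact": out[:4] == data[:4],
        "header_entropy": round(entropy(out[:128]), 2),
        "tail_entropy": round(entropy(out[-BLOCK:]), 2),
    }


def sample_file(blocks: int = 24) -> bytes:
    """Constructed 'document': a PDF-style magic header then low-entropy text."""
    text = b"The quick brown fox jumps over the lazy dog. " * 4000
    return (b"%PDF-1.7\n" + text)[: blocks * BLOCK]


if __name__ == "__main__":
    data = sample_file()
    key = b"constructed-demo-key"
    print("plaintext header entropy", round(entropy(data[:128]), 2))
    print("header-only ", simulate(data, key, header_only(len(data))))
    print("one-in-three", simulate(data, key, striped(len(data))))
    print("full        ", simulate(data, key, [(0, len(data))]))
```

The header-only run touches about 0.1% of the file yet destroys the magic bytes and drives the header's entropy from around 4 bits per byte to well over 6, while the rest of the file is untouched; a detector that only samples the tail of a file, or that requires high entropy across the whole file, misses it entirely.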

Milenkoski, Aleksandar, Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection, SentinelLabs, 8 September 2022. Available online at https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/.

US Claws Back Cryptocurrency Stolen by North Korea

People often assume that cryptocurrency transactions are untraceable, which is why they are the favourite payment method of ransomware and extortion operators, as well as a favourite target of state-backed thieves such as North Korea's Lazarus Group. That turns out not to be the case, even when the funds are passed through exchanges and tumblers, as Erin Plante, senior director of investigations at blockchain analysis firm Chainalysis, relates in a report.

Five months ago, Lazarus Group struck at Ronin Network, the Ethereum sidechain built for the play-to-earn game Axie Infinity, draining around $US600 million through its bridge; the bulk of this was laundered through Ethereum-to-Bitcoin swaps and batches of mixing through the Tornado Cash tumbler. Using its analysis tools, Chainalysis was able to track some of the funds right through this process and, in cooperation with law enforcement and cryptocurrency industry organizations, $US30 million worth of cryptocurrency has been seized.

This is the first time that cryptocurrency stolen by a North Korean hacking group has been retrieved, and it is unlikely to be the last.

Plante, Erin, $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers to Profit, Chainalysis report, 8 September 2022. Available online at https://blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure/.


by Les Bell - Monday, 12 September 2022, 8:26 AM

News Stories


US Sanctions Iran Over Albanian Attack

The US Treasury Department has announced sanctions against the Iranian Ministry of Intelligence and Security (MOIS) and its Minister for engaging in cyber-enabled activities against Albania and other US allies. The sanctions mean that US persons are prohibited from conducting business or carrying out any transactions involving funds, goods or services with the sanctioned entities, and that any property of those entities in the US is blocked.

“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”

In the most recent campaigns, the threat groups MuddyWater and APT39, both controlled by MOIS, have attacked several NATO members, as well as Iranian dissidents and journalists.

US Department of the Treasury, Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities, press release, 9 September 2022. Available online at https://home.treasury.gov/news/press-releases/jy0941.

Monti Steals from Conti

A new threat group calling itself 'Monti' is running a ransomware campaign built almost entirely on the leaked tools and TTPs of the now-dispersed Conti gang. One notable difference is that Monti deploys the Action1 remote monitoring and management (RMM) agent, a legitimate administration tool, in its intrusions.

As more of Conti's ransomware-as-a-service toolkits and source code leak, it seems likely that similar ransomware groups will proliferate, says BlackBerry Research and Intelligence, which has analysed the latest campaign.

Staff, Monti, the New Conti: Ransomware Gang Uses Recycled Code, Dark Reading, 10 September 2022. Available online at https://www.darkreading.com/vulnerabilities-threats/monti-conti-ransomware-recycled-code.

Fuzzing: More Than Tripping Over Buffer Overflows

A blog article from Google describes the success of its OSS-Fuzz project in discovering a wider range of vulnerabilities than the memory-corruption bugs fuzzers are best known for. Fuzzing was invented as a way of bombarding a program's inputs with random data to find crashes such as buffer overflows, but modern fuzzers have much broader capabilities: coverage instrumentation (and, increasingly, machine learning) guides the inputs they generate, and sanitizers detect classes of bug - injection and deserialization flaws, for example - that do not crash the program at all.

In its latest success, OSS-Fuzz, which continuously fuzzes some 700 critical open source projects, found a command injection leading to remote code execution in the TinyGLTF library (CVE-2022-3008).

Metzman, Jonathan, Dongge Liu and Oliver Chang, Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically, Google Security Blog, 8 September 2022. Available online at https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html.

WordPress SSRF Vulnerability Survives Five Years

A dispute has arisen between security researchers at Sonar and the WordPress development team over a server-side request forgery (SSRF) vulnerability that was first reported back in 2017 yet remains unpatched. The vulnerability is in WordPress's pingback functionality, which notifies authors when another web site links to their blog, and is exposed through the XML-RPC (XML remote procedure call) API at xmlrpc.php.

The Sonar researchers argue that, because the server can be made to issue requests to arbitrary hosts, the flaw can be used both to reach internal services and as a DDoS amplifier, and they have demonstrated a proof-of-concept which they disclosed to WordPress on 21 January. The WordPress development team, however, consider it a low-impact issue and therefore a low priority; after all, pingbacks can always be disabled.

Scannell, Simon and Thomas Chauchefoin, WordPress Core - Unauthenticated Blind SSRF, blog article, 6 September 2022. Available online at https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/.


by Les Bell - Saturday, 10 September 2022, 9:01 AM

News Stories


MS Teams Vulnerable to . . . GIFs?

Security researcher Bobby Rauch has disclosed a chain of weaknesses in Microsoft Teams, centred on the way it handles GIF files: Teams does not inspect their contents, so base64-encoded commands can be carried inside otherwise normal-looking images. Chained with several other weaknesses, this lets an attacker bypass security controls to achieve remote command execution, data exfiltration and phishing - although the command execution part of the chain does require a stager to already be running on the victim's machine.

The main component of the attack, called GIFShell, gives the attacker a reverse shell: commands are delivered inside GIFs, and the output is exfiltrated in GIFs that travel back through Microsoft's own infrastructure. The result is a C2 channel that hides inside legitimate Teams traffic and is unlikely to be flagged by EDR or network monitoring tools.

Recommended mitigations include turning off the default external access settings in the Teams Admin Center, and monitoring access to Microsoft Teams' local log files.

Rauch, Bobby, "GIFShell" - Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs, Medium, 24 August 2022. Available online at https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7.

Bumblebee Malware Loader Uses Virtual Hard Disk, PowerShell Script

A new variant of the Bumblebee malware loader continues the trend of hiding malware payloads inside container files such as .ISO disc images. The new version has switched from ISOs to a VHD (virtual hard disk) file containing a .LNK shortcut, which runs an obfuscated PowerShell script that hides its window from the user and then loads a second stage.

The second stage uses the open source PowerSploit post-exploitation framework to inject the Bumblebee DLL reflectively into the memory of the PowerShell process. The technique works entirely in memory and never writes the payload to disk, reducing the chance of detection by anti-malware software.

Toulas, Bill, Bumblebee malware adds post-exploitation tool for stealthy infections, Bleeping Computer, 8 September 2022. Available online at https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/.

Lazarus Group Targets Energy Sector

North Korean threat actor Lazarus Group has been running a campaign against energy providers around the world, including in the US, Canada and Japan, according to Cisco Talos. The campaign turns an initial foothold, gained by exploiting the Log4Shell vulnerability in VMware Horizon servers, into long-term access, with the likely goal of cyberespionage.

Once a VMware Horizon server is compromised, the attackers deploy Lazarus Group's previously identified custom implants - VSingle, an HTTP bot which fetches and executes commands, and YamaBot, a backdoor written in Go - but the campaign also uses a new remote access trojan which Talos calls MagicRAT.

Malhotra, Asheer, Lazarus and the tale of three RATs, Talos Intelligence, 8 September 2022. Available online at https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html.

pfSense Firewall RCE Vulnerability

pfSense is a firewall distribution popular with consultants and resellers supporting SMEs. A recent remote command execution vulnerability (CVE-2022-31814) could spell disaster for some of their customers if left unpatched.

Fortunately, the flaw is in an optional package, pfBlockerNG, which is not installed by default. pfBlockerNG is used to allow or deny entire IP address ranges - blocking access from whole countries, for example - but the vulnerability allows an unauthenticated attacker to execute commands on the firewall as root.

pfBlockerNG 2.1.4_26 and earlier are affected; admins should upgrade to a later version or switch to pfBlockerNG-devel, which is unaffected. The root cause is that the package's PHP code passes the unsanitized $_SERVER['HTTP_HOST'] value - which is nothing more than the client-supplied Host: header - into PHP's exec() function, so a crafted request header becomes part of a shell command.
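The pattern behind this bug - a request header spliced into a shell command string - is language-independent, so here is an added example in Python (not pfBlockerNG's code, which is PHP) of the vulnerable form beside two hardened forms: one that simply avoids the shell, and one that also validates the host name and optionally checks it against an allowlist. The `echo` command stands in for whatever the real code runs, and the injected payload is constructed for the example.

```python
import re
import subprocess

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen (RFC 1123).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed Host: header value that closes the quoted string and adds commands.
PAYLOAD = "x'; echo INJECTED; echo '"


def vulnerable_log_host(host: str) -> str:
    """Vulnerable: the untrusted header is interpolated into a shell command
    string, the Python analogue of PHP exec() with a concatenated argument."""
    cmd = f"echo 'host={host}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_log_host(host: str) -> str:
    """Hardened step 1: no shell. The header becomes a single argv entry, so
    quotes and semicolons inside it have no special meaning."""
    return subprocess.run(["echo", f"host={host}"],
                          capture_output=True, text=True).stdout


def validate_host(host: str, allowed=None) -> str:
    """Hardened step 2: accept only a syntactically valid host[:port], and,
    where the deployment knows its own names, only those on an allowlist."""
    name, _, port = host.partition(":")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("bad port")
    if not name or len(name) > 253 or not all(LABEL_RE.match(label)
                                               for label in name.split(".")):
        raise ValueError("bad host name")
    if allowed is not None and name.lower() not in allowed:
        raise ValueError("host not in allowlist")
    return host


def hardened_log_host(host: str, allowed=None) -> str:
    """Validate first and still avoid the shell: defence in depth."""
    return argv_only_log_host(validate_host(host, allowed))


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_log_host(PAYLOAD)))
    print("argv only: ", repr(argv_only_log_host(PAYLOAD)))
    print("hardened:  ", repr(hardened_log_host("fw.example.com:443")))
    try:
        hardened_log_host(PAYLOAD)
    except ValueError as exc:
        print("hardened rejects payload:", exc)
```

The vulnerable version prints INJECTED on its own line, proving the second command ran; the argv-only version prints the payload literally as part of the host string, and the validating version refuses it before any command is spawned. Note that the Host: header is never a trustworthy identifier of your own server: compare it against configured names rather than reasoning about what "should" arrive.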

Leyden, John, Vendor disputes seriousness of firewall plugin RCE flaw, The Daily Swig, 8 September 2022. Available online at https://portswigger.net/daily-swig/vendor-disputes-seriousness-of-firewall-plugin-rce-flaw.


by Les Bell - Friday, 9 September 2022, 7:04 AM

News Stories


Microsoft Accounts Locked Out of Win 11

A recent Microsoft patch for Windows 11, KB5016691, has the unintended effect of locking out newly-added Microsoft user accounts after the first reboot or log out. The company has addressed the issue by issuing a Known Issue Rollback, which will revert known buggy patches distributed via Windows Update.

In enterprises, administrators will have to install and configure a Known Issue Rollback Group Policy in order to fix the problem. However, this is unlikely to be a common problem, since enterprises use Active Directory rather than Microsoft accounts.

Microsoft Support, Unable to sign in after adding a new Microsoft Account user in Windows, Windows 11 status page, 7 September 2022. Available online at https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#unable-to-sign-in-after-adding-a-new-microsoft-account-user-in-windows.

Medical Infusion Pumps Vulnerable

Security firm Rapid7 has discovered vulnerabilities in medical equipment produced by Baxter Healthcare, specifically infusion pumps which are used in clinical settings to deliver medication and nutrition directly into the bloodstream of patients.

The devices, which connect via wi-fi in order to provide data for patient monitoring, store the wi-fi credentials of the hospital network in their batteries, so that after disposal anyone with access can retrieve them. The devices also have two format string vulnerabilities, as well as other vulnerabilities which give access to wi-fi configuration data.

Heiland, Deral, Baxter SIGMA Spectrum Infusion Pumps: Multiple Vulnerabilities (FIXED), 8 September 2022. Available online at https://www.rapid7.com/blog/post/2022/09/08/baxter-sigma-spectrum-infusion-pumps-multiple-vulnerabilities-fixed/.

140,000 WordPress Sites Vulnerable Via Backup Utility

WordPress sites which use the BackupBuddy utility are being warned to update the plugin, following reports of 0day exploitation of an arbitrary file read and download vulnerability. The vulnerability is due to an insecure implementation of the mechanism for downloading files from the server, allowing unauthenticated users to download any file on the server.

The plugin's download function does not validate its parameters, and can be triggered from any admin page, including some that do not require authentication. From there, the URL arguments can use directory traversal to escape the backup files directory and access any file. The appearance of the classic "/../../" string in logs is a sure sign of exploitation.
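Detection logic for the traversal marker described above, run over a few constructed access-log lines, as an added example that is not from the article or the plugin. It goes a step beyond the literal "/../../" string by decoding percent-encoded and double-encoded variants first; the log format, request paths and parameter name are assumptions, and the real plugin endpoint is not on the page.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format); sample data, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2022:10:01:02 +0000] "GET /wp-admin/admin.php?page=backupbuddy&download=/../../../../wp-config.php HTTP/1.1" 200 3021
203.0.113.5 - - [08/Sep/2022:10:01:09 +0000] "GET /wp-admin/admin.php?page=backupbuddy&download=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3021
198.51.100.7 - - [08/Sep/2022:10:02:30 +0000] "GET /wp-admin/admin.php?page=backupbuddy&download=backup-20220907.zip HTTP/1.1" 200 9812033
198.51.100.9 - - [08/Sep/2022:10:03:00 +0000] "GET /index.php?p=..%255c..%255cwp-config.php HTTP/1.1" 404 512
"""

_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment: at the start or after a separator, followed by "/" or the end.
_TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")


def normalise(target: str) -> str:
    """Decode percent-encoding until it stops changing (double-encoding such as
    %252e is a common trick against naive filters), bounded to three rounds so a
    crafted value cannot loop, then fold backslashes into forward slashes."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the normalised request target contains a '..' path segment.
    Names that merely contain two dots ("report..2022.pdf") do not match."""
    return _TRAVERSAL_RE.search(normalise(target)) is not None


def scan_log(text: str) -> list:
    """One finding per log line whose request target traverses directories.
    Failed attempts (4xx) are reported too: they show who is probing."""
    findings = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        if is_traversal(m["target"]):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['target']}")
```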

Bannister, Adam, WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation, The Daily Swig, 8 September 2022. Available online at https://portswigger.net/daily-swig/wordpress-warning-140k-backupbuddy-installations-on-alert-over-file-read-exploitation.

Iranian State-Sponsored Group Lives Off The (Windows) Land

Microsoft reports that it has been tracking ransomware campaigns conducted by DEV-0270, also known as Nemesis Kitten, and has laid out its TTP's and some IOC's in a detailed profile article. Although the group seems to operate on behalf of the Iranian government, it also funds itself via ransomware.

Interestingly, although the group does make use of an open-source disk encryption utility called DiskCryptor, it also encrypts Windows 10, Windows 11 and Windows Server 2016 systems using their own built-in BitLocker encryption. This use of a system's code and features against itself is known as living-off-the-land, and the programs are referred to as LOLBIN's.

The profile provides a detailed insight into the group's operations.

Microsoft Security Threat Intelligence, Profiling DEV-0270: PHOSPHORUS' ransomware operations, blog article, 7 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/.

by Les Bell - Thursday, 8 September 2022, 6:36 AM

News Stories


Cyberespionage Group Worok Targets SE Asia Companies, Governments

A previously-unknown threat group, named Worok by the ESET researchers who discovered and investigated them, has been targeting high-profile companies and governments, mostly in Asia. Analysis of previously-obtained telemetry data suggests the group was active in late 2020 but then went quiet until February 2022; they seem to be engaged in cyberespionage, stealing information rather than deploying ransomware or attempting extortion, and their targets are quite diverse, including a telecom, a bank, a maritime company, a government entity in the Middle East and even a company in southern Africa.

The group gains initial access via the ProxyShell vulnerability, which allows them to install web shells in order to persist in the victim's network. From there, a variety of implants are used. The group's reconnaissance tools include Mimikatz, Earthwork, ReGeorg and NBTscan, and from there they use a first-stage loader to pull down a .NET loader called PNGLoad, which extracts a steganographically-hidden PowerShell script from a PNG image.

The loaders are all heavily obfuscated, with multiple stages of decryption and unpacking before they execute, and analysis indicates that the Worok group develops its own tools, although it may share some with an earlier APT called TA428.

Passilly, Thibaut, Worok: The big picture, ESET WeLiveSecurity blog, 6 September 2022. Available online at https://www.welivesecurity.com/2022/09/06/worok-big-picture/.

Shikitega Stealth Malware Targets Linux

A new piece of malware, targeting Linux computers, including IoT devices, has been discovered by AT&T Alien Labs and christened 'Shikitega'. What is interesting about this particular malware is the stealthy way it downloads and installs in multiple stages; each stage is quite small - typically only a few hundred bytes - and performs some small task, then downloads and runs the next stage. At the culmination of the process, Shikitega installs a Monero cryptominer, but retains full control of the victim.

Along the way, the malware downloads and uses the Metasploit 'Mettle' meterpreter, and uses multiple cycles of XOR decoding to deobfuscate its final payload shellcode, which uses the execve() syscall to execute (you guessed it) /bin/sh, passing it commands received from its C2 server. To persist in the system, it also downloads 5 shell scripts, setting four crontab entries - two for the currently logged in user and two for root. If necessary, it will install crond and start it.

Caspi, Ofer, Shikitega - New stealthy malware targeting Linux, AT&T blog, 6 September 2022. Available online at https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux.

Control Panel Manages ServHelper Back Doors

The days when hackers used IRC (Internet Relay Chat) as their command and control channel, with simple text commands, are long gone; these days, the bad guys use sophisticated dashboards and control panels to manage their assets (actually, your assets).

The Evil Corp ransomware gang (also known as TA505) has long used a piece of backdoor malware called ServHelper, which it uses to deploy a variety of payloads such as cryptominers and ransomware, mainly against the US finance sector, although other industries and countries are also targeted. As this and similar groups have scaled up their operations, managing multiple campaigns has become increasingly difficult, especially when a single phishing campaign can target thousands of victims. Evil Corp's solution to this problem is a sophisticated control panel called 'TeslaGun'.

A single instance of TeslaGun can manage multiple campaigns with different delivery methods and attack data. Generally the payloads require no interaction, but the control panel does allow remote control via RDP and VNC connections, and other software can be dropped on the victims' machines. The C2 servers for the control panel are mainly located in a single data center in Moldova, although they keep changing IP addresses to evade detection.

PTI Team, TA505 Group's TeslaGun In-Depth Analysis, Prodaft, 5 September 2022. Available online at https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis.

Maine Privacy Law Survives Legal Challenge

In 202, the US state of Maine introduced one of the tightest privacy laws in the US for internet service providers, in the form of an 'opt in' web privacy standard. This stops ISP's from using, disclosing, selling or providing access to customers' personal information without permission.

Almost immediately, industry associations sued, claiming that the new law violated their First Amendment rights. A federal judge rejected this argument, but industry groups hired a veritable "army of industry lawyers" to challenge the law. However, the groups have now dropped their suit and agreed to pay the state's costs of $US55,000 (which seem quite low, to this writer).

Whittle, Patrick, Internet service providers drop challenge of privacy law, AP News, 6 September 2022. Available online at https://apnews.com/article/technology-lawsuits-united-states-maine-data-privacy-9b2a40a18839c16df732368ee04ea856.

Mirai Variant Targets D-Link Routers

While D-Link products are rarely used in the enterprise, they are popular with home users, and the trend to hybrid work and telecommuting means that compromised devices belonging to employees can represent an exposure for the employer. Now a derivative of the notorious Mirai botnet, called Moobot, is targeting vulnerable D-Link routers with a combination of old and new exploits.

First discovered by Fortinet in December 2021, Moobot was then targeting Hikvision CCTV cameras to recruit into its DDoS botnet. However, it has now switched to targeting D-Link devices via a range of RCE vulnerabilities. Although D-Link has released patches for these vulnerabilities, home users are notoriously lax about patching their devices. Although Moobot simply uses the RCE capability to install its DDoS malware, it obviously has the capability to do a lot more, and so enterprise security personnel may have to encourage employees to install the relevant patches.

Zhang, Chao Zhibin, Cecilia Hu and Aveek Das, Mirai Variant MooBot Targeting D-Link Devices, Palo Alto Networks, 6 September 2022. Available online at https://unit42.paloaltonetworks.com/moobot-d-link-devices/.

HP Laptop Utility Hosts CVSS 8.2 Vulnerability

Major supplier Hewlett-Packard has disclosed a serious vulnerability in the HP Support Assistant which is preloaded on its laptops. CVE-2022-38395 is a DLL search path vulnerability in Fusion, which the utility uses to launch its HP Performance Tune-up function. The function requires admin privileges, so by placing a DLL in the right directory, an attacker is able to achieve privilege escalation.

Users are advised to update to HP Support Assistant version 9.11 or later and Fusion version 1.38.2601.0 or later.

HP Customer Support, Privilege escalation in HP Support Assistant, Knowledge Base article, 6 September 2022. Available online at https://support.hp.com/us-en/document/ish_6788123-6788147-16/hpsbhf03809.

[ Modified: Thursday, 8 September 2022, 6:39 AM ]
 
by Les Bell - Wednesday, 7 September 2022, 6:33 AM

News Stories


Privilege Escalation Vuln in Squiz Matrix CMS

Squiz Matrix is a popular website content management system in the UK, Australia & New Zealand region, especially among universities and some government agencies. However, the product was revealed to have a nasty insecure direct object reference vulnerability which would allow an attacker to edit the email address in the contact details of any user.

Once the attacker has changed the email address of an admin user to one they control, they can trigger a password reset, which sends a confirmation link email to that address, resulting in a privilege escalation exploit. Since the account ID numbers are allocated sequentially, and the lower numbers are more likely to be allocated to the earliest - therefore admin - users, it won't take many attempts before an attacker will get lucky.

Squiz released a fix back in mid-June; hopefully all those bureaucracies have applied the patches.
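The flawed handler described above beside a hardened one, as an added Python sketch that is not Squiz's code; the data model, the outbox standing in for the mail system and the function names are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    email: str
    is_admin: bool = False
    pending_email: Optional[str] = None    # new address awaiting confirmation
    pending_token: Optional[str] = None


class Forbidden(Exception):
    """Raised when the caller may not edit the requested account."""


def vulnerable_update_email(users: dict, session_user_id: int,
                            target_user_id: int, new_email: str) -> None:
    """The IDOR pattern: the account to edit comes straight from the request and
    is never compared with who is logged in, so any user can point another
    account's email (a low, sequential ID is a good bet for an admin) at an
    address they control; a password reset then lands in their inbox."""
    users[target_user_id].email = new_email


def hardened_update_email(users: dict, outbox: list, session_user_id: int,
                          target_user_id: int, new_email: str) -> None:
    """Hardened handler. (1) Authorisation: the caller must own the account or
    be an administrator. (2) The change is staged, not applied: a confirmation
    token goes to the NEW address and a notice to the OLD one, so the real
    owner learns of any attempt. `outbox` collects (recipient, message) pairs."""
    caller = users[session_user_id]
    if session_user_id != target_user_id and not caller.is_admin:
        raise Forbidden("not authorised to edit this account")
    target = users[target_user_id]
    target.pending_email = new_email
    target.pending_token = secrets.token_urlsafe(32)
    outbox.append((new_email, f"confirm:{target.pending_token}"))
    outbox.append((target.email, "notice: an email change was requested for your account"))


def confirm_email_change(users: dict, target_user_id: int, token: str) -> bool:
    """Apply the staged change only if the presented token matches (constant-time
    comparison); the stored address is untouched otherwise."""
    target = users[target_user_id]
    if target.pending_token is None or not secrets.compare_digest(target.pending_token, token):
        return False
    target.email = target.pending_email
    target.pending_email = target.pending_token = None
    return True
```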

Bannister, Adam, Squiz Matrix CMS squashes admin account takeover bug, The Daily Swig, 5 September 2022. Available online at https://portswigger.net/daily-swig/squiz-matrix-cms-squashes-admin-account-takeover-bug.

Phishing for Dummies: EvilProxy

Simple phishing attacks are easily defeated by the deployment of multi-factor authentication, but sophisticated attackers have evolved a man-in-the-middle attack, using a reverse proxy to display a copy of the legitimate website's login screen, and then relaying credentials, including TOTP token values, to the site. Once the user has authenticated, the site will return a session cookie, which contains an authentication token, and the reverse proxy is able to steal this - the attackers can then use the session cookie to access the site, with no need to repeat the authentication process.

At first, only the most sophisticated groups were able to develop their own reverse proxies, but then toolkits like Modlishka, Necrobrowser and Evilginx2 made it easier for less sophisticated threat actors. This process has continued with the release of the EvilProxy/Moloch Phishing-as-a-Service platform, which is highly polished, with detailed instructional videos and tutorials, a user-friendly GUI, and a selection of off-the-shelf cloned phishing pages for popular sites including Apple, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, Yandex and many others.

Resecurity staff, EvilProxy Phishing-as-a-Service With MFA Bypass Emerged In Dark Web, Resecurity blog, 5 September 2022. Available online at https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web.

12 Arrested in SE Asian Sextortion Ring Takedown

Interpol warned in June of a dramatic increase in extortion campaigns, including DDoS attacks, quadruple extortion ransomware and sextortion. Now the agency's cybercrime division, operating in collaboration with the police forces of Hong Kong and Singapore, has uncovered a transnational sextortion ring which had extracted at least $US47,000 from 34 victims. The victims had been lured into downloading a malicious mobile app in order to engage in 'naked chats' - only to discover that the app had stolen the contact lists from their phones and the criminals were threatening to circulate their nude videos to all their relatives and friends if a blackmail demand was not met.

Fortunately, some of the victims contacted police, who were able to (presumably) use warrants to obtain IP addresses and other data which identified 12 core members of the sextortion ring, who were then arrested during July and August.

Uncredited, Asia: Sextortion ring dismantled by police, Interpol news, September 2022. Available online at https://www.interpol.int/News-and-Events/News/2022/Asia-Sextortion-ring-dismantled-by-police.

PII of 2.5 million Students Exposed in Loan Provider Breach

A data breach affecting US student loan providers EdFinancial and the Oklahoma Student Loan Authority has exposed the personally identifiable information of 2.5 million students. The breach occurred in the systems of a service provider in Lincoln, Nebraska, called Nelnet Servicing.

The information disclosed includes name, address, email address, phone number and social security number - all very useful in identity theft and social engineering attacks, especially since the Biden administration's recently-announced student loan relief plan will lead the victims to expect correspondence relating to their student loans.

BÎZGĂ, Alina, Data Breach at Student Loan Service Provider Exposes Personal Info of 2.5 Million Borrowers, BitDefender HotForSecurity blog, 5 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/data-breach-at-student-loan-service-provider-exposes-personal-info-of-2-5-million-borrowers/.

US Education Sector Under Attack

Beginnings are perilous times, and the beginning of the school year is no exception. The Los Angeles Unified School District, the second-largest in the US, has disclosed that it was the victim of a ransomware attack over the weekend, and is still working to recover its systems. The main student portal login page was down, and a voicemail to parents instructed them to reset their students' passwords in person or via a phone number - which inevitably had long hold times.

This comes as the Cybersecurity & Infrastructure Security Agency, FBI and Multi-State Information Sharing and Analysis Center released a joint advisory detailing TTP's and IOC's for Vice Society, a ransomware group which is known to target the education sector.

Staff, As LA Unified Battles Ransomware, CISA Warns About Back-to-School Attacks, Dark Reading, 7 September 2022. Available online at https://www.darkreading.com/attacks-breaches/la-unified-ransomware-cisa-warns-back-to-school-attacks.

CISA, #StopRansomware: Vice Society, Alert AA22-249A, 6 September 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-249a.

by Les Bell - Tuesday, 6 September 2022, 6:56 AM

News Stories


QNAP Fixes Photo App Vuln

NAS vendor QNAP has issued a patch to fix a vulnerability in its Photo Station application. The vulnerability is being actively exploited as a zero-day by the DeadBolt ransomware threat actor, starting on Saturday and continuing this week.

The attack is only a problem for users whose NAS servers are open to the Internet - something of a no-no around here. If you want to share photos, use a cloud service: they're free and perfectly set up for sharing via the web. NAS devices work best for sharing on the LAN, and QNAP has had several problems with their devices being exploited when exposed to the Internet.

Toulas, Bill, QNAP patches zero-day used in new Deadbolt ransomware attacks, Bleeping Computer, 5 September 2022. Available online at https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/.

Android Banking Trojan Poses as Antivirus and Cleaner Apps

As Google has restricted apps in its Play Store from using management API's and Accessibility permissions, the operators of the SharkbotDropper trojan have produced a new version which manages to evade detection and remains in the Play Store. The trojan poses as an antivirus called "Kyhavy Mobile Security" and a cleaner app called "Mister Phone Cleaner", with over 50 thousand and 10 thousand installs respectively.

While the previous versions of the dropper used the Accessibility permissions to fake on-screen button clicks to automatically install Sharkbot with no user interaction, the new version can no longer do this - so it downloads an APK package and then asks the user to install what it claims is an update for the fake antivirus. While an alert user might not fall for this, enough apparently do to make it worthwhile, and the approach allows the app to evade detection in the Play Store.

Once installed, Sharkbot will perform credential stealing by displaying a phishing site in front of a banking application, keylogging, remote control via Accessibility permissions, SMS message interception and other functions. It also uses new C2 infrastructure to target users in Spain, Australia, Poland, Germany, the USA and Austria.

Segura, Alberto and Mike Stokkel, Sharkbot is back in Google Play, Fox It blog, 2 September 2022. Available online at https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/.

IRS Blunder Releases Confidential Data of 120,000 Taxpayers

A bureaucratic blunder by somebody at the US Internal Revenue Service has seen the Form 990-T confidential data on 120,000 taxpayers made available for download via the Tax Exempt Organization Search function. This form is used to report business income, claim an income tax refund, request a credit for certain federal excises and a few other purposes. While the IRS is required to publish the information filed by non-profit tax-exempt organizations, the information filed by individuals should be kept private.

The files which contained this information have been removed from the IRS site, and the agency will be contacting organizations which routinely use the files in an attempt to have them replace them with the updated versions as they become available. Reading between the lines, it sounds as though people who do not routinely use the files but have downloaded them would not be known to the IRS.

Uncredited, IRS statement on Forms 990-T, Internal Revenue Service, 2 September 2022. Available online at https://www.irs.gov/newsroom/irs-statement-on-forms-990-t.

Quantum Computing Overhyped, Says Oxford Quantum Physicist

Oxford University physicist Nikita Gourianov has ripped into the quantum computing industry, daring to point out the elephant in the room: the industry has not yet developed one single product that can solve practical problems. As he points out, quantum computing firms are obtaining vastly more funding from investors than they are able to earn in real revenue, and such revenue as they do obtain "most comes from consulting missions aimed at teaching other companies about 'how quantum computers will help their business, as opposed to genuinely harnessing any advantages that quantum computers have over classical computers'".

This places security pros in a bind; while the prudent course for us is to assume that sooner or later quantum cryptanalysis will break public-key crypto, Gourianov argues that these fears are overblown. The original article is behind a paywall, but the link below provides an overview.

Tangermann, Victor, Oxford Physicist Unloads on Quantum Computing Industry, Says It's Basically a Scam, The Byte, 2 September 2022. Available online at https://futurism.com/the-byte/oxford-physicist-unloads-quantum-computing.

by Les Bell - Sunday, 4 September 2022, 8:44 PM

News Stories


Windows Defender Detects MS Edge As Malware

An error in a Microsoft Defender database update is causing the built-in anti-virus to report Microsoft Edge, Google Chrome and other Chromium- and Electron-based applications as malware, specifically Behavior:Win32/Hive.ZY. Users can choose to ignore the warning, but it will keep popping up, as frequently as every 20 seconds, in an endless cycle.

Microsoft is reported to be investigating - obviously! - and a patch should be forthcoming soon.

Rubino, Daniel, Windows Defender is reporting a false-positive threat 'Behavior:Win32/Hive.ZY'; it's nothing to be worried about, Windows Central, 5 September 2022. Available online at https://www.windowscentral.com/software-apps/windows-11/windows-defender-is-reporting-a-false-positive-threat-behaviorwin32hivezy-its-nothing-to-be-worried-about.

Linux No Longer Securely Obscure

Just as the Mac soon fell prey to the early viruses that plagued Windows users, so Linux has now become a prime target for threat actors. Although Linux has historically benefited from a simpler security model than Windows (where security seemed to be an afterthought) the fact that Linux now powers the vast majority of cloud-hosted infrastructure has led to a 75% increase in attacks detected on the platform over the last year, according to Trend Micro researchers.

As an example, in October 2021, a new variant of the Lockbit ransomware emerged, this one targeting and encrypting VMware Linux ESXi servers. This was soon followed by another, called Cheerscrypt. This is all part of a trend: attackers are both broadening the targets of their attacks and also using more sophisticated techniques.

Trend Micro Staff, Midyear Cybersecurity Report, Trend Micro, 31 August 2022. Available online at https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/defending-the-expanding-attack-surface-trend-micro-2022-midyear-cybersecurity-report.

Ransomware Hits Portugal's Flag Airline

The Portuguese flag airline, TAP, has been hit with a ransomware attack by the Ragnar Locker group. While TAP has admitted to an attack in an announcement, it denies that there was any improper access to customer data.

The Ragnar Locker group say otherwise, claiming the TAP scalp on their name-and-shame list, along with images that appear to show compromised TAP customer information, including names, dates of birth, emails and addresses. The gang claims to be sitting on hundreds of gigabytes of exfiltrated data.

Trutja, Filip, Ragnar Locker Names and Shames Portugal's Flag Airline after Hitting It with Ransomware, Bitdefender HotForSecurity blog, 2 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/ragnar-locker-names-and-shames-portugals-flag-airline-after-hitting-it-with-ransomware/.

No Honour Among Thieves . . .

The popular (among cybercriminals) infostealer Prynt Stealer, which rents to criminals for rates between $100 a month and $700 per annum, is an unusual combination of code from the AsyncRAT remote access trojan and the StormKitty infostealer. It compresses credentials it obtains from browsers as well as messaging and gaming applications, and exfiltrates them via a Telegram channel to its operator.

However, according to a report from Zscaler ThreatLabz, Prynt Stealer has one more feature - a back door which uses a second Telegram channel to exfiltrate the same data to the program's author. While this behaviour has sometimes been observed in the past, it was on freely-shared malware - in this case, the Prynt Stealer developer is engaging in a bit of double dipping.

Honestly, what is the world coming to, when a hard-working cybercriminal gets ripped off like this?

Singh, Atinderpal and Brett Stone-Gross, No Honor Among Thieves - Prynt Stealer's Backdoor Exposed, Zscaler ThreatLabz, 1 September 2022. Available online at https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed.

New Guide to Securing the Software Supply Chain

The Software Supply Chain Working Panel of the Enduring Security Framework (ESF) - a cross-sector working group operating under the auspices of the Critical Infrastructure Partnership Advisory Council - issued a 64-page guide to securing the software supply chain. This provides detailed guidance for developers and project managers on secure development, including verification of third-party components.

Enduring Security Framework, Securing the Software Supply Chain: Recommended Practices Guide for Developers, Enduring Security Framework Software Supply Chain Working Panel, August 2022. Available online at https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF.

[ Modified: Monday, 5 September 2022, 7:17 AM ]