Blog entries about Les Bell and Associates Pty Ltd

Les Bell
by Les Bell - Friday, September 2, 2022, 9:16 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


WatchGuard Fixes Medium and Critical Severity Vulns

Firewall vendor WatchGuard has released patches for several vulnerabilities in its Firebox and XTM appliances. Security engineer Charles Fol investigated the boxes as part of a red team engagement, coming up with several exploitable bugs - two of which, an RCE vulnerability and a privilege escalation, would allow attackers remote root access.

This follows a series of breaches by the Russian state-sponsored group Sandworm, which allowed them to build a botnet called Cyclops Blink, by using a privilege escalation vulnerability. Thanks to all of the publicity surrounding that campaign, network administrators have hardened their Watchguard configurations, with far fewer exposing admin interfaces on the Internet.

Woollacott, Emma, WatchGuard firewall exploit threatens appliance takeover, The Daily Swig, 1 September 2022. Available online at https://portswigger.net/daily-swig/watchguard-firewall-exploit-threatens-appliance-takeover.

No-touch Activation of Touchscreens

Researchers at Zhejiang University and TU Darmstadt have shown that capacitive touchscreens can be fooled using electromagnetic interference to inject fake touch points without actually touching them. In a presentation at the 31st USENIX Security Symposium, they related how they were able to successfully run their GhostTouch attack against nine different smartphone models, injecting targeted taps continuously with a standard deviation as low as 14.6 x 19.2 pixels from the target area, a delay of less than half a second and at a distance of up to 40mm.

The researchers came up with various adversarial scenarios for this capability, including implanting malware without the owner's knowledge, establishing a malicious connection and answering an eavesdropping phone call.

The required setup is quite complex, involving an arbitrary waveform generator, RF amplifier, an antenna array and a ChipSHOUTER device. However, it is quite within the capabilities of a moderately sophisticated adversary and a dedicated device could probably be made substantially smaller. The lesson: keep your phone close to your chest, and don't lay it down on any untrusted desks or boardroom tables.

Wang, Kai, et. al., GhostTouch: Targeted Attacks on Touchscreens without Physical Touch, 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1543–1559. Available online at https://www.usenix.org/conference/usenixsecurity22/presentation/wang-kai.

Hackers Create Large Traffic Jam in Moscow

According to Twitter user @runews, somebody hacked the largest taxi service in Russia, Yandex Taxi, and booked every available cab to pick up at an address on Kutevsky Prospekt. The result was a massive traffic jam which reportedly held up drivers for 40 minutes while police tried to deal with the confusion. News site South Front blamed the hack on the usual suspects: the criminal Kiev (Kyiv) regime and their Yankee neocolonial imperialist puppetmasters.

Russian Market (@runews), Someone hacked #YandexTaxi, tweet, 1 September 2022. Available online at https://twitter.com/runews/status/1565319649683804160.

Doubts Arise Over International Contributors to Open Source

The nature of most open source projects make it possible for anyone, anywhere, to contribute, provided they establish their competence - open source projects are a meritocracy, and there are usually gatekeepers who review commits (Linus Torvalds is legendary for his scathing critiques of Linux kernel commits). With the growth of supply-chain attacks, you can bet your bottom dollar that foreign governments (for all values of 'foreign') are looking at this as a vector for injecting back doors into popular FLOSS projects.

A study by Dan Geer and his colleagues examined two popular open-source code repositories which have recently suffered supply-chain attack problems - the Python Package Index (PyPI) and Node Package Manager (npm) - to see where the major contributors are. Reassuringly, only a small fraction are in China or Russia. Less reassuringly, a growing proportion of developers provide no location information whatsoever - in 2020 21.7% of the top 100 contributors to PyPI and 9.6% of npm's top 100 had no profile information whatsoever on their GitHub profiles.

Previous research by the same group found no examples in which knowing the geographic location of a developer would have prevented a software supply chain compromise. The question therefore becomes less one of knowing where a developer is, so much as using a number of other identity-related signifiers of trustworthiness. Of course, it is in the nature of trust that a 'sleeper' can behave well in order to establish trust, until such time as they are willing to sacrifice this in order to gain an advantage. But then, that's true for all links in the software supply chain.

Geer, Dan, Joehn Speed Meyers, Jacqueline Kazil and Tom Pike, Should Uncle Sam Worry About 'Foreign' Open-Source Software? Geographic Known Unknowns and Open-Source Software Security, Lawfare blog, 25 August 2022. Available online at https://www.lawfareblog.com/should-uncle-sam-worry-about-foreign-open-source-software-geographic-known-unknowns-and-open-source.

Royal Australian Mint Puts Ciphertext on 50c Coin

2022 sees the 75th anniversary of the Australian Signals Directorate (formerly Defence Signals Directorate), the down-under equivalent to the NSA and GCHQ. To celebrate this, the Royal Australian Mint has produced fifty thousand 50c coins.

These are no ordinary coins bearing anodyne statements in Latin. Rather, the coins carry a hidden message which will be revealed once four layers of encryption have been broken. Although some layers appear to be based on classical ciphers which can be broken with paper and pencil (as well as a heaping dollop of persistence), the presence of a long hexadecimal string on one side of the coin suggests a computer will be necessary at some point. There are some curious patterns on the heads side, too.

The coin also functions as a recruitment advertisement - those who think they have cracked the message are invited to fill out a form, answering four (plus bonus) questions. The Royal Australian Mint site says the coins are "unavailable" (sold out already, at $A12.50 a pop?), but the high-res images on the ASD and Mint sites should provide enough for amateur cryptanalysts to work on.

ASD, 75th Anniversary Commemorative Coin, Australian Signals Directorate, 1 September 2022. Available online at https://www.asd.gov.au/75th-anniversary/events/2022-09-01-75th-anniversary-commemorative-coin.

Royal Australian Mint, 75th anniversary of the Australian Signals Directorate - 50c Uncirculated coin 2022, product page, September 2022. Available online at https://eshop.ramint.gov.au/2022-aluminium-bronze-uncirculated-75-anniversary-australian-signals-directorate.

Update

Well, that didn't take long. Just over one hour after the coin was launched, a 14-year-old from Tasmania broke all four levels of encryption.

Smith, Dan, Australian Signals Directorate 5-cent coin code cracked by Tasmanian 14yo in 'just over an hour', ABC News 2 September 2022. Available online at https://www.abc.net.au/news/2022-09-02/asd-50-cent-code-cracked-by-14yo-tasmanian-boy/101401978.

Epic RickRoll Hack

This goes back to April 2021, but it's still an entertaining and moderately educational read. A group of four students in the Cook County, Illinois school district were able to gradually - over several years - gain access to the school district's internal systems, including a classroom management system, which they used to run scans and exploit computers, and the school district's IP TV system, which ran all projectors and TV's across the district. The final part of the puzzle was to crack the public address system; while default passwords did not work, they found the default had been changed to the example given in the user manual, which was available online.

Having gained access to the TV system, the goup cleverly decided against compromising the servers, but instead stealthily inserted scripts into all the TV's and projectors, which triggered at10:55 am on 30 April 2021. Just what happened - well, you'll have to read the article, but it was certainly highly noticeable and memorable.

The hack was ultimately quite sophisticated, but the students managed to escape disciplinary action by the expedience of submitting a 26-page report, including security suggestions, which they sent to the school district's IT admins immediately after the incident. In fact, the school district confirms the events and views them as a penetration test, claiming "the incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students".

Burgess, Matt, Inside the World's Biggest Hacker Rickroll, Wired, 22 August 2022. Available online at https://www.wired.com/story/biggest-hacker-rickroll-high-school-prank/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Sunday, September 4, 2022, 2:59 PM ]
 
Les Bell
by Les Bell - Friday, September 2, 2022, 9:00 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


FIDO Passkeys Bid to Replace Passwords

Passwords have been the bane of life for most security professionals ever since . . . well, since passwords were invented. We have shored them up with length and - wrongly - complexity requirements, password safes and various kinds of second factors. Now, the FIDO Alliance and W3C are making ground on a promise to replace passwords altogether.

The FIDO2 passwordless authentication scheme, also known as FIDO Authentication, encompasses the W3C's Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP), wrapping them all up in the user-friendly moniker, passkeys. A passkey is a cryptographic keypair which is shared between a client device and a web site or application, and can be stored on a phone, a computer, or a security key. Microsoft, Google and Apple have all signed up to the standard, which will allow users to authenticate using just a username or email address and the passkey on an unlocked device.

This finally dispenses with passwords entirely - for some time we have known that the security of multi-factor authentication using crypto techniques like security keys is provided primarily by the key and not the password. Latest to sign on to the passkey and WebAuthn approach is Dashlane, which has announced that it will integrate passkeys into its cross-platform password manager, which runs on most platforms and integrates with most browsers.

Pierce, David, Dashlane is ready to replace all your passwords with passkeys, The Verge, 31 August 2022. Available online at https://www.theverge.com/2022/8/31/23329373/dashlane-passkeys-password-manager.

Meanwhile, Back In Password Hell

Since passwords aren't going to immediately disappear, we still have to grapple with users who will use their corporate emails to register on external websites, possibly re-using passwords and thereby enabling credential-stuffing attacks. Specialist in shadow IT discovery, Scirge (from the Old English word for sheriff) has developed a browser plugin and related tools which can discover external web accounts, track who has accessed them and regulate which corporate email addressed may be used for online registration.

The plugin can also enforce password strength (and - gaak! - complexity) rules, detect compromised and shared accounts, and also deliver individually tailored security awareness messages.

Hacker News Staff, Stop Worrying About Passwords Forever, The Hacker News, 1 September 2022. Available online at https://thehackernews.com/2022/09/stop-worrying-about-passwords-forever.html.

Chilean Government Under Novel Ransomware Attack

At least one Chilean Government agency has suffered a ransomware attack by what appears to be yet another, previously-unseen, offshoot of the fragmented Conti gang. The attack has targeted Microsoft and VMware ESXi servers, encrypting files with the NTRU encryption algorithm.

Curiously, the malware delivers its ransom note before commencing the file-encryption process, perhaps as an anti-forensic technique, and although a Tor site for ransom payment has been established, there is as yet no sign of data exfiltration.

Toulas, Bill, New ransomware hits Windows, Linux servers of Chile govt agency, Bleeping Computer, 1 September 2022. Available online at https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/.

BianLian Malware Targets Exchange Servers, SonicWall VPN Devices

Yet another piece of malware written in the Go programming language has emerged, in this case using its cross-platform capabilities to exploit Microsoft Exchange servers via the ProxyShell vulnerability and also targeting SonicWall VPN devices as a mechanism for pivoting within victim networks. BianLian also deploys a trojan dropper, which can fetch arbitrary plugins from a C2 server, as a back door for persistence.

The malware uses a number of techniques to evade discovery, waiting for up to six weeks after initial infection before it activates, deleting shadow copies, purging backups and rebooting servers in safe mode to perform its file encryption safe from observation by security software.

Armstrong, Ben, et. al., BianLian Ransomware Gang Gives It a Go!, [Redacted] blog, 1 September 2022. Available online at https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
[ Modified: Friday, September 2, 2022, 9:28 AM ]
 
Les Bell
by Les Bell - Thursday, September 1, 2022, 9:11 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Steganography for Fun and Profit

A malware campaign called GO#WEBBFUSCATOR is distributing malware payloads in what seems to be an image of the Deep Space Field captured by the James Webb Space Telescope. Of course, malware embedded in a JPEG won't do anything by itself unless able to exploit a buffer overflow vulnerability in an image viewer, but in this case, the file gets downloaded by an obfuscated VBA macro fetched by an infected email.

The downloaded image file is actually a base64-encoded 64-bit Windows executable written in the Go programming language and further obfuscated using a technique called gobfuscation. This makes reverse-engineering and analysis of the malware very difficult. Fortunately, since Microsoft has disabled macros by default, fewer and fewer systems are likely to be vulnerable to this particular attack.

Lakshamanan, Ravie, Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope, The Hacker News, 31 August 2022. Available online at https://thehackernews.com/2022/08/hackers-hide-malware-in-stunning-images.html.

Chrome Vulnerability Allows Clipboard Access

A vulnerability introduced in Chrome version 104 allows malicious web sites to write to the clipboard without asking user permission - something that was present in previous versions of the browser.

This could allow a range of attacks, e.g. altering strings which a user copies and pastes from a web page, such as phone numbers, digest values, cryptocurrency wallet addresses, etc. No fix has yet been released for the vulnerability.

Johnson, Jeff, Web pages can overwrite your system clipboard without your knowledge, blog article, available online at https://lapcatsoftware.com/articles/clipboard.html.

Pros and Cons of Managed Firewall Services

An interesting piece in Dark Reading lays out the pros and cons of managed firewalls, which offer services such as firewall monitoring, service and incident management, automatic updates and patching, security policy implementation, reporting, analysis and remediation and more. The author concludes that managed firewalls are generally a good option, but may not suit smaller enterprises with simple networks and small budgets, those with highly complex environments or organizations who want to avoid giving third party service providers privileged access to their systems.

Anderson, Eric, The Pros and Cons of Managed Firewalls, Dark Reading, 1 September 2022. Available online at https://www.darkreading.com/attacks-breaches/the-pros-and-cons-of-managed-firewalls.

Apple Releases Security Updates for Older iPhones and iPads

Apple has released patches for a buffer overflow vulnerability (CVE-2022-3289) in the WebKit browser engine which underpins the Safari browser. An earlier fix was released for macOS and newer handheld devices; this fix applies to iOS 12.5.6, which supports devices back to the iPhone 5s. The company says the update is necessary because they are receiving reports of active exploitation, although no details have been released.

Gatlan, Sergiu, Apple backports fix for actively exploited iOS zero-day to older iPhones, 31 August 2022. Available online at https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-actively-exploited-ios-zero-day-to-older-iphones/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Wednesday, August 31, 2022, 9:40 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese APT Targets Australia With Malmail Campaign

A Chinese threat actor identified as APT 40 (TA423, Red Ladon, GADOLINIUM, Leviathan) has been targeting both Australian and international government and energy companies, especially those with interests in the South China Sea, with a malmail campaign based around a fake Australian news media site. The campaign, which ran from April through June, was uncovered by Proofpoint in conjunction with PwC Threat Intelligence.

Victims of the targeted phishing campaign received an email promoting a site called "Australian Morning News" and inciting the recipient to click on an individualized link. Following the link would download the main module of the JavaScript malware ScanBox, which can report back on the configuration of the victim's browser to a C2 server and then load further plugin modules which can perform keylogging, browser fingerprinting, establish peer connections and other functions.

Earlier campaigns by the same threat actor used different TTP's - for example, the payload was Meterpreter rather than ScanBox, and it was delivered in a macro-laden RTF document template rather than by URL fetch. The same technique of registering a domain for a promoting a fake news site was also used in a previous campaign preceding the 2018 elections in Cambodia.

Raggi, Michael and Sveva Scenarelli, Rising Tide: Chasing the Currents of Espionage in the South China Sea, Proofpoint blog, 30 August 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea.

Google Launches Open Source Vulnerability Rewards Program

Reflecting its status as a major contributor to (and beneficiary of) open source software projects, Google has launched a new vulnerability rewards program focused on FLOSS. The new program joins existing programs targeting Android, Chrome and Google devices. Some of Google's open source projects, such as the Go programming language and the Angular JavaScript framework, are likely targets of threat actors looking for a way to leverage supply chain attacks, and the new program will help to mitigate that risk.

The program will offer rewards ranging from $US100 to $31,337 for submssions of vulnerabilities, design issues or insecure installations.

Perron, Francis, Announcing Google's Open Source Software Vulnerability Rewards Program, Google Security blog, 30 August 2022. Available online at https://security.googleblog.com/2023/08/Announcing-Googles-Open-Source-Software-Vulnerability-Rewards-Program%20.html.

Malicious Chrome Extensions Installed by Over 1.4 Million Users

Security vendor McAfee has identified five cookie-stuffing Chrome extensions which track user activity and insert code into e-commerce sites. This modifies cookies on the sites, adding affiliate program information so that the extension authors will receive an affiliate commission for any purchases.

The five extensions are:

  • Netflix Party
  • Netflix Party 2
  • FlipShope - Price Tracker Extension
  • Full Page Screenshot Capture - Screenshotting
  • Autobuy Flash Sales

Collectively, the extensions have been installed by over 1.4 million users, doubtless making them a nice little earner for the operators. Like the Turkish coin miner discussed in yesterday's Security News, these extensions deliberately wait for a couple of weeks after installation before starting their malicious behaviour in an attempt to evade detection.

Devane, Oliver and Vallabh Chole, Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users, McAfee blog, 29 August 2022. Available online at https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/.

Chinese PII Database Leaked Online

A major drawback of the surveillance state operated by China came to light today, when a database belonging to a company which operates access control systems based on facial recognition and vehicle data was left exposed on the Internet for several months. The database, which contained over 800 million records, was left open to the public on an Alibaba-hosted server in China until a security researcher discovered it and reported it to the owner, Hangzhou-based Xinai Electronics - whereupon the database promptly disappeared.

The database included links to high-resolution photographs of the faces of construction workers, office visitors and others, each associated with name, age, sex and resident ID numbers, which uniquely identify the individuals. Neither the database nor the linked image files were protected by access control of any kind.

The security researcher who disclosed the breach was not the only one to discover it - a ransom note left by a would-be extortionist indicated that they had also stolen the database, although no payment was made to the related cryptocurrency wallet.

Whittaker, Zack, A high Chinese database of faces and vehicle license plates spilled online, TechCrunch, 31 August 2022. Available online at https://techcrunch.com/2022/08/30/china-database-face-recognition/.

Privacy Breach Affects Millions of Russian Streaming Service Customers

China is not the only country to suffer large privacy breaches, although in this case the issue is not surveillance. The 2021 customer database of Russian streaming service, START (start.ru) was stolen and is now being sold online. Fortunately, it seems nothing of great value was stolen - the database does not contain credit card or other financial information, although it does contain usernames, phone numbers and email addresses and - despite START's denials - MD5 password hashes, IP addresses and other data.

The stolen data seems to constitute a 72 GB JSON dump of a MongoDB database. Much of the data is redundant, but it boils down to almost 7.5 million unique email addresses. The breach is timely, as the Russian Ministry of Digital Development is proposing to introduce fines of up to 3% of a breached company's annual turnover, but this has not yet passed into law.

Toulas, Bill, Russian streaming platform confirms data breach affecting 7.5M users, Bleeping Computer, 30 August 2022. Available online at https://www.bleepingcomputer.com/news/security/russian-streaming-platform-confirms-data-breach-affecting-75m-users/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
[ Modified: Wednesday, August 31, 2022, 9:47 AM ]
 
Les Bell
by Les Bell - Tuesday, August 30, 2022, 8:21 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


AI-generated Deepfake Used to Scam Crypto Project Teams

An unidentified cybercrime group has run an extremely sophisticated operation against crypto asset developers. The group contacted multiple development teams, offering an online meeting with the Chief Communications Officer of Binance, Patrick Hillman, to discuss opportunities to list their crypto assets on the crypto trading platform.

Hillman discovered the scam when he started to receive messages thanking him for taking the time to participate in the meetings. It seems that the scammers had used recordings of TV appearances and interviews to create a deepfake which was able to interact convincingly during the online meetings. For the record, Hillman has no role related to listing of crypto assets on Binance.

Constantinescu, Vlad, Crypto Projects Scammed with Deepfake AI Video of Binance Executive, Bitdefender Hot for Security blog, 29 August 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/crypto-projects-scammed-with-deepfake-ai-video-of-binance-executive/.

RCE 0Day Sells for €8 Million

Three screenshots posted to Twitter suggest that an Israeli spyware company called Intellexa has sold an iOS and Android zero-day exploit toolkit to somebody for the sum of €8 million. The price includes a complete turnkey suite for data analysis, a project plan for delivery to the customer, and a one-year warranty. The key exploit offers remote command execution, delivered with one click via a web link.

vx-underground, Leaked documents online show the purchase (and documentation of) an $8,000,000 iOS Remote Code Execution 0day exploit, Twitter thread, 26 August 2022. Available online at https://twitter.com/vxunderground/status/1562550443712352256.

Turkish Coin Miner Hides in Free Software

A cryptocurrency miner called Nitrokod has infected over 100,000 users around the world by hiding itself in what appears to be a desktop application front end for Google Translate, downloaded from popular sites like Softpedia. The program installer, a file called GoogleTranslateDesktop2.5.exe, checks for the existence of a file called C:\ProgramData\Nitrokod\update.exe, and if it does not exist or is an old version, puts that program in place.

It then waits for at least four reboots on four different days before contacting a C2 server in order to download and install the next stage of the infection, in an attempt to evade sandbox malware detection. It then uses multiple scheduled tasks to stealthily download and install the subsequent stages, deleting all evidence of the previous stages as it does so, before finally - in stage 6 - downloading and installing the XMRig crypto miner. The process is so long, stealthy and involved that a victim is unlikely to detect it, and even if they do, unlikely to be able to figure out the original source of the infection.

Checkpoint has written up a case study on the malware as a showcase for their upcoming Infinity XDR (Extended Detection and Response) product.

Marelus, Moshe, Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications, Check Point Research blog, 29 August 2022. Available online at https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/.

Highly-Targetable Ransomware Written in Golang

Trend Micro has discovered a neat example of targeted ransomware written in the Go programming language. As their researchers point out, Golang is increasingly popular with malware authors, possibly because Go statically compiles any necessary libraries into the produced executable, rather than dynamically linking them at load or run time; the latter techniques require the required library and function names to be visible in the malware, and by not doing this, the malware authors have made reverse-engineering and analysis significantly harder.

The malware, called Agenda, is currently being used to target healthcare and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand, and all the samples collected were highly customized, containing customer passwords, account and company ID's which are used as the filename extensions for encrypted files. The malware will also attempt to kill various services, change Windows passwords and reboot in safe mode. It shares some characteristics with the earlier REvil, Black Basta and Black Matter ransomware.

Fahmy, Mohamed, et. al., New Golang Ransomware Agenda Customizes Attacks, Trend Micro Research, 25 August 2022. Available online at https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Sunday, August 28, 2022, 4:52 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Atlassian Bitbucket RCE Vulnerability

Atlassian's developers must be feeling somewhat punch-drunk by now, after so many disclosures. Now security researcher 'The Grand Pew' has disclosed, via Bugcrowd's bug bounty program, a command injection vulnerability affecting all versions between 7.0.0and 8.3.0 of the company's git-based source code repository server, Bitbucket.

Users are advised to upgrade promptly; failing that, they should turn off public repositories. The vulnerability affects multiple API endpoints in Bitbucket.

Haworth, Jessica, Critical command injection vulnerability discovered in Bitbucket Server and Data Center, The Daily Swig, 26 August 2022. Available online at https://portswigger.net/daily-swig/critical-command-injection-vulnerability-discovered-in-bitbucket-server-and-data-center.

Clouds Gather Over LastPass

The popular password safe application, LastPass, has suffered yet another breach, this time affecting the source code to its source code. As in previous breaches, the company can claim - justifiably - that no user data has been compromised, as all its customers' passwords are encrypted under each customer's master password.

However, in this case, the attackers were able to compromise a developer account to gain access to "portions of source code and some proprietary LastPass technical information".This makes the breach a good test of Kerchoff's Second Principle - "security of an encryption system must depend upon the secrecy of a key and not upon secrecy of the system" - because whoever got that source code and technical info is going to be poring over it in search of some kind of implementation weakness or other exploitable vulnerability. LastPass customer data is probably OK, but I'm glad to be using a different product.

Seals, Tara, LastPass Suffers Data Breach, Source Code Stolen, Dark Reading, 27 August 2022. Available online at https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen.

Log4J Still a Problem

The Iranian threat actor Static Kitten (a.k.a. MuddyWater, Cobalt Ulster, Mercury and others) is targeting Israeli orgaizations running unpatched versions of Log4j. It might seem incredible that the long-known Log4Shell exploit would still be exploitable, but the fact that Log4j is embedded in so many systems, and that most enterprises do not have a configuration management system capable of reporting whether they have Log4j installed, and if so, where, indicates that this vulnerability is likely to be a thorn in our sides for some time to come.

Lakshamanan, Ravie, Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations, The Hacker News, 27 August 2022. Available online at https://thehackernews.com/2022/08/iranian-hackers-exploiting-unpatched.html.

Return-to-Work and Catch COVID?

While many managers, and some corporations, are struggling with how to manage employees working from home, the idea of a full return to work is deeply unattractive to many. Case in point: Google, which in April demanded employees return to the office for at least three days a week.

The result? Increased outbreaks of COVID-19 - currently, Google's LA offices are recording the most infections of any employer in that city, with 145 cases at their Venice office and 135 in the Playa Vista campus. Employees, fed up with the number of exposure notifications they are receiving, point out that the company has been recording record growth while they worked from home.

Complicating things further, unvaccinated employees are asking the company to drop its vaccination mandate for on-prem workers. Vaccinated staffers who would rather work from home anyway are doubtless really impressed with this.

Elias, Jennifer, Google employees frustrated after office Covid outbreaks, some call to modify vaccine policy, CNBC, 26 August 2022. Available online at https://www.cnbc.com/2022/08/26/google-employees-frustrated-after-office-covid-outbreaks.html.

Disinformation Bad - Meta-Disinformation Worse

An opinion piece by a RAND Corporation information scientist points out that the capabilities of artificial intelligence and the immersive nature of virtual reality will combine to make disinformation campaigns much more influential and effective. Rand Waltzman describes a scenario in which an audience watches a political candidate giving a speech - but unknown to them, each viewer sees a subtly different version of the candidate - one which has been modified to make his facial features slightly more similar to the viewers, a technique which has been shown experimentally to make voters rate the candidate more favourably.

The author also points out that virtual environments are seductive because of two features - presence and embodiment. Presence means that the clues that a computer is mediating communication are no longer present - communication feels very direct - while embodiment is the sensation that the virtual body is the actual body. This makes emotional manipulation of the participant very much more powerful than traditional media and social media - and we should have learned by now just how dangerous those can be.

Waltzman, Rand, Facebook MisInformation is Bad Enough. The Metaverse Will Be Worse, The RAND Blog, 22 August 2022. Available online at https://www.rand.org/blog/2022/08/facebook-misinformation-is-bad-enough-the-metaverse.html.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
[ Modified: Monday, August 29, 2022, 9:01 AM ]
 
Les Bell
by Les Bell - Friday, August 26, 2022, 9:46 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Spearphishing Group Targets South Korean Politicians and Diplomats

South Korean academics, diplomats and government officials are yet again being targeted by the North Korean group Kimusky, otherwise known as GoldDragon. The group is using targeted emails which contain macro-enabled MS Word documents which, when opened, will download a Visual Basic script from a C2 server. The script profiles the victim's computer and will then fetch additional payloads. 

Interestingly, if the user clicks on a link which promises additional interesting documents, the link submits their email address - and if this is of no interest to the attacker, it then returns an uninfected document, indicating a highly target approach.

Lakshamanan, Ravie, Researchers Uncover Kamusky Infra Targeting South Korean Politicians and Diplomats, The Hacker News, 25 August 2022. Available online at https://thehackernews.com/2022/08/researchers-uncover-kimusky-infra.html.

Okta IAM Breach Implications Spread

The phishing attack, based on fake Okta sign-in pages, that caught Twilio employees early this month continues to ripple throughout industry. The attackers were able to fool many employees into handing over the login credentials and thereby gain access to Twilio internal systems. However, the same breach has been revealed to have affected 25 organisations so far, including Cloudflare, Signal and Mailchimp; others may not even realise they have been compromised.

The breach may cause many to rethink the use of federated identity management systems and cloud SaaS IAM services. For Cloudflare, the saving grace was their requiring FIDO U2F security keys to access their internal systems.

Seals, Tara, Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack, Dark Reading, 26 August 2022. Available online at https://www.darkreading.com/remote-workforce/twilio-hackers-okta-credentials-sprawling-supply-chain-attack.

Cozy Bear Tool Blows Through Active Directory Federation Services

Russian state-sponsored group APT 29 (Cozy Bear, Nobelium) has been discovered using a new tool called 'Magic Web' that allows hackers to create accounts and masquerade as any user on a network that uses Active Directory Federation Services. The tool works by replacing the Microsoft.IdentityServer.Diagnostics.dll' file with a back-doored version. The new version runs initialization code that hooks into the server and allows attackers to force Active Directory to accept any client certificate they create as being valid and add fraudulent claims for those certificates.

This is an extremely potent attack against enterprises that use ADFS, but only those specifically targeted by the threat actor are likely to encounter it. Simple IoC's are unlikely to work for this sophisticated attacker, so potential victims need to ensure their threat hunters know what to look for.

Uncredited, MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone, Microsoft Security, 24 August 2022. Available online at https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/.

New Group for Women CISO's and Senior Execs

At the 2014 RSA Conference a small group of senior women, dismayed that the dominant form of female representation there was as 'booth babes', started a Facebook group in an attempt to get away from this lazy approach to marketing. The movement has grown over the years, now formally establishing an advocacy and education non-profit to further the aims of the community.

The Forte Group aims to elevate the positive role of cybersecurity in business, offering board level governance and connections. The group will also offer career assistance and mentoring to women in cybersecurity and privacy.

Jackson Higgins, Kelly, Senior-Level Women Leaders in Cybersecurity Form New Nonprofit, Dark Reading, 26 August 2022. Available online at https://www.darkreading.com/remote-workforce/senior-level-women-leaders-cybersecurity-nonprofit.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
 
Les Bell
by Les Bell - Wednesday, August 24, 2022, 4:11 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Mudge Drops Twitter Right In It

As Elon Musk alleges that Twitter executives are clueless about the number of bots on the platform, former Twitter CSO Peiter "Mudge" Zatko has sent documents to US Congress, the Federal Trade Commission, the SEC and the Department of Justice alleging that the social media platform is rife with security problems such as a lack of adequate access controls and security governance.

In the 200-page document, Zatko alleges that Twitter engineers have unfettered access to the company's production systems and that the company's procedures for data center recovery are lax or non-existent. He further says that security oversight is so weak that some of the company's employees may even be agents of foreign governments. Twitter for, its part, claims that all is right with its world, that Zatko does not understand its SEC reporting requirements, and that this is a case of sour grapes. Security professionals who have known Mudge for decades are not so sure.

O'Sullivan, Donie at. al., Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies, CNN Business, 23 August 2022. Available online at https://edition.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html.

Iranian APT's New Tool Plunders Google, Outlook, Yahoo Accounts

Google's Threat Analysis Group has found that APT 35, variously known as Charming Kitten, Yellow Garuda and Cobalt Illusion, and associated with the Iranian Revolutionary Guard Corps, has developed a new tool which allows it to rapidly extract the contents of email accounts.

The HYPERSCRAPE tool, which is written in a .NET language, requires the attacker to have acquired a session using the victim's credentials, perhaps by means of a cookie-stealing attack. Once this has been done, the program can systematically plunder the victim's mailbox, downloading all the emails but resetting the status to 'unread' where required. It also deletes emails which it sees contain security alerts, to keep the victim in the dark about the compromise. It's not sophisticated, but it's certainly effective.

Lakshamanan, Ravie, Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts, The Hacker News, 23 August 2022. Available online at https://thehackernews.com/2022/08/google-uncovers-tool-used-by-iranian.html.

Dominican Republic Hit By Ransomware

The organization within the Department of Agriculture of the Dominican Republic that is responsible for agricultural reform has been hit by a ransomware attack. The Quantum ransomware is really a derivative of MountLocker, and the group behind it is yet another offshoot of the Conti ransomware gang.

All the servers of the Instituto Agrario Dominicano (IAD) were encrypted in the attack, with $US600,000 demanded for the key. However, the organization is unlikely to be able to afford to pay the ransom; it could not afford more than the most basic antivirus software and has no dedicated security personnel.

Abrams, Lawrence, Quantum ransomware attack disrupts govt agency in Dominican Republic, Bleeping Computer, 24 August 2022. Available online at https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/.

Adversary-in-the-Middle Attacks Target 365, Workspace Users

An as-yet-unidentified threat actor is running a large campaign against senior executives of companies who use Microsoft 365 and Google Workspace enterprise accounts. The initial spear-phishing part of the campaign works by sending the victims fake emails from the DocuSign email agreement platform; the "Review Document" button takes them to a fake login page which functions as a proxy to capture their credentials and also break the multi factor authentication process.

One this has been done, the attackers add a second authentication device to the account, and then use some sophisticated social engineering to insert themselves into conversation threads, posing as legitimate. In the final, highly-targeted part of the process, they generate an email to the target, informing them that a bank account they were to make a payment to has been frozen for audit, and providing updated payment details for an account which they control.

Toulas, Bill, Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams, Bleeping Computer, 24 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/.

Lakshamanan, Ravie, Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users, The Hacker News, 24 August 2022. Available online at https://thehackernews.com/2022/08/researchers-warn-of-aitm-attack.html.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
[ Modified: Thursday, August 25, 2022, 9:11 AM ]
 
Les Bell
by Les Bell - Tuesday, August 23, 2022, 8:34 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Counterfeit Phones Harbour WhatsApp Back Doors

Antivirus firm Dr. Web has discovered a number of low-end Android smartphones which carry pre-installed malware intended to target the WhatsApp and WhatsApp Business messaging apps. The phones, which are designed and named to mimic some high-end models, are popular in Asia, as is WhatsApp. This type of phone is also often picked up as a spare by travellers for use with a local SIM.

The back doors are present in the system partition of the phones, which actually have an outdated version of Android installed. One of the main Android system libraries has been slightly modified so that, when called from an application, it loads a trojan from the file libmtd.so. This checks to see which appplication caused it to load, and if it is WhatsApp or the "Settings" or "Phone" system apps, it then proceeds to load a second-stage trojan, which sends system information to a C2 server, which replies with a list of available plugins. From there, the trojan has full access to the application's files and can read chat messages, send spam, intercept and listen to phone calls and many other actions.

Uncredited, Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices, Dr. Web, 22 August 2022. Available online at https://news.drweb.com/show/?i=14542&lng=en.

Residential Proxies Used for Credential Stuffing Attacks

The FBI and Australian Federal Police have jointly warned that threat actors are using proxies on residential service provider networks to run credential stuffing attacks. By doing this, rather than repeatedly using a single IP address, they make it hard for firewalls to identify and rate limit the attacks.

Naive home users are often attracted to install proxy software on the promise that they will be pooling their bandwidth with that of other users and will therefore be able to enjoy faster downloads or earn some money from selling their unused bandwidth. This is, of course, technical nonsense - your cable modem or ADSL connection is a single pipe of fixed 'diameter' and you cannot get more through it by using someone else's pipe that links them to the Internet. Nevertheless, having installed the software, they now represent an opportunity for cyber criminals.

Residential networks are also a more likely source for web traffic; firewalls are more likely to block attempted logons from data center networks - although having said that, I routinely observe attempts to send traffic through the mod_proxy module on my own web servers.

Uncredited, Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts, FBI Private Industry Notification, 18 August 2022. Available online at https://www.ic3.gov/Media/News/2022/220818.pdf.

New Malware Combines RAT, Spyware and Ransomware

A new remote access trojan called Borat RAT has additional capabilities, being able to download a ransomware payload to the victim's machine and also run as a keylogger. The malware, discovered and named by Cyble, can also operate as a remote proxy, credential stealer and trojan dropper. It has a few other tricks which seem primarily intended to annoy or intimidate its victim, such as turning the monitor on and off, hiding and unhiding the taskbar and start button. It can also record audio and video if a microphone and webcam are discovered.

Uncredited, Meet Borat RAT, a New Unique Triple Threat, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.html.

Yet Another Air Gap Technique

Dr. Mordechai Guri of Ben Gurion University of the Negev, who specialises in devising incredibly ingenious techniques for exfiltrating data across air gaps, has come up with yet another. This time, he has used the micro-electro-mechanical gyroscope found in many smartphones to pick up ultrasonic tones which are generated by a nearby infected computer and demodulate them into binary data. By using the gyroscope, the exploit avoids using the microphone, which is highly protected - the gyroscope is generally regarded as safe for apps to use.

Dr Guri's experiments show that, after infecting the victim computer, perhaps via a compromised USB key, attackers can exfiltrate sensitive data over a few meters of air gap, using this 'speakers-to-gyroscope' covert channel. By now, Dr. Guri and his research group have pretty much demolished the notion that information cannot be exfiltrated from a computer that is not connected to any kind of network or communications link.

Guri, Mordechai, GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes, 18th Intl. Conf. on Privacy, Security and Trust (PST), Auckland, 21 December 2021. Available online at https://arxiv.org/abs/2208.09764.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

 
Les Bell
by Les Bell - Tuesday, August 23, 2022, 9:04 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Ancient Linux Vuln Allows Privilege Escalation

An eight-year old memory management vulnerability in the Linux kernel could allow privilege escalation, say three academics from NorthWestern University. The DirtyCred proof-of-concept exploit works by swapping unprivileged task  credentials in memory with root credentials from a SetUID process, making use of a bug in the kernel's heap memory reuse code.

Lakshamanan, Ravie, "As Nasty as Dirty Pipe" - 8 Year Old Linux Kernel Vulnerability Uncovered, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html.

Healthcare Info of Almost 1.4 M Patients Exposed Via Ad Tracker

A US healthcare provider, Novant Health, has revealed that the sensitive information of 1,362,296 patients was accidentally disclosed when an advertising performance tracker script was misconfigured. The company added the Meta (formerly Pixel) JavaScript ad tracking script to a May 2020 promotional campaign for COVID-19 vaccinations which made use of Facebook advertisements.

However, the tracker was misconfigured both on the Novant Health site and the 'MyChart' portal, which allows patients to book appointments, request prescription refills and other services with 64 US healthcare providers. The misconfiguration exposed a long list of sensitive data, including email address, phone number, appointment type and date, both to Facebook/Meta and its advertising partners.

Novant discovered the issue in May 2022 and has contacted all the people affected. However, they also say that attempts to get Meta to delete the data were met with no response.

Toulas, Bill, Misconfigured Meta Pixel exposed healthcare data of 1.3M patients, Bleeping Computer, 22 August 2022. Available online at https://www.bleepingcomputer.com/news/security/misconfigured-meta-pixel-exposed-healthcare-data-of-13m-patients/.

Bitcoin Stolen from General Bytes ATM's

Unknown hackers have been able to exploit a fairly obvious vulnerability in the Crypto Application Server that controls General Bytes Bitcoin ATM's, and thereby steal cryptocurrencies from the ATM customers. The hack was achieved by the simple act of calling an admin URL that is used for initial installation of the server and creates the first admin user. By calling this API and creating an admin user called 'gb', the attackers were then able to modify the 'buy', 'sell' and 'invalid payment address' settings to use a crypto wallet that they controlled.

From that point on, any cryptocurrencies received by the ATM went to the hackers, rather than the intended destination.

The moral of the story? Review any installation scripts and remove them after installation has been completed. Allow admin access only from trusted subnets. And, of course, patch proactively.

Abrams, Lawrence, Hackers steal crypto from Bitcoin ATM's by exploiting zero-day bug, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/.

LatentBot Mutates Into Grandoreiro

LatentBot is a trojan that dates back to 2013; written in Delphi, it has a modular design that allows it to download additional modules for keystroke logging, cookie-stealing and remote access. Since June 2022, a new derivative called Grandoreiro has appeared, targeting companies in Spanish-speaking countries with official-looking emails apparently from government agencies.

The victims are directed to download and share a document, but in practice, the link redirects to a malicious domain and then downloads a ZIP file containing the Grandoreiro loader. The loader goes through a number of antiforensics checks, such as walking through a list of currently executing processes, looking for malware analysis tools, seeing if it is being run from a particular directory, looking for debuggers and reading from an I/O port which is used by VMWare.

If all of this succeeds, it gathers some basic information, checks for the presence of crypto wallets which it will investigate later and then fetches the main payload. This uses even more antiforensics techniques - for example, it includes two tightly-compressed bitmapped images which, when expanded, inflate the resulting binary to over 400 MBytes, which exceeds the size limit for most execution sandboxes.

From there on, Grandoreiro communicates with its C2 network in exactly the same way as LatentBot, and can download any of a huge selection of backdoor capabilities.

Shivtarkar, Niraj, Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals, Zscaler ThreatLabz blog, 18 August 2022. Available online at https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals.

More Info on Mēris

Google has released a bit more information about last week's massive DDoS attack by the Mēris botnet. Apparently there were 5,256 source IP addresses from 132 countries engaged in the attack - approximately 22% of them Tor exit nodes (although these accounted for only 3% of the traffic). As previously mentioned, the use of TLS/SSL required the connections to be terminated in order to inspect the traffic, only relatively few TLS handshakes were required due to the use of HTTP pipelining, which sends multiple requests over a single HTTP connection.

Google Cloud Armor's 'Adaptive Protection' feature was apparently able to quickly identify the attack, alert the customer and recommend a protective rule - in this case, rate-limiting the connections, which would still allow legitimate traffic.

Kiner, Emil and Satya Kondaru, How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps, Google Cloud blog, 19 August 2022. Available online at https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags:
[ Modified: Tuesday, August 23, 2022, 9:04 AM ]