by Les Bell - Thursday, 19 October 2023, 10:13 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Really? That's Your Password?

A small study done by Outpost24 makes for scary reading, suggesting that web site administrators may be just as bad as ordinary users when it comes to following advice about choosing passwords - especially changing default passwords after initial installation and configuration of software and systems. One of the first rules of system administration is to immediately change any vendor-preset default password, as these are widely known and make even brute force attacks incredibly easy.

In fact, legislation such as the UK's Product Security and Telecommunications Infrastructure Bill and California's Senate Bill 327, the default password law, will ban the use of default passwords, requiring developers to include a password-change step as part of any installation or setup process. But for the time being, default passwords live on - and administrators either do not change them, or change them to one of a few commonly-used variants.

According to the Outpost24 research, performed by mining the data in their Threat Compass threat intelligence backend database, the top 20 popular passwords associated with compromised accounts are:

  1. admin
  2. 123456
  3. 12345678
  4. 1234
  5. Password
  6. 123
  7. 12345
  8. admin123
  9. 123456789
  10. adminisp
  11. demo
  12. root
  13. 123123
  14. admin@123
  15. 123456aA@
  16. 01031974
  17. Admin@123
  18. 111111
  19. admin1234
  20. admin1

Oh, come on, people - it's like you're not even trying! Isn't anyone even using a password safe?

But while it's all very well to blame users, developers have to shoulder some of the blame here, too. For example, while I've recently railed against password complexity rules, it's obvious that many systems are not even enforcing an adequate minimum passphrase length, let alone requirements for multiple character types (and the even worse prohibition on repeated characters). And even when systems do enforce such requirements, administrators are complying in a very few predictable ways that barely increase the search space for attackers.

Developers should be incorporating stronger authentication mechanisms, ideally based on cryptographic techniques, with a view to abandoning passwords completely in due course. We've been doing this for command-line administration for decades now; in fact, the default for most IaaS cloud-based systems is to log in using an SSH private key, and the SSH authentication agent (e.g. PuTTY's Pageant) makes this extremely convenient by eliminating password prompts completely for the working day. For web access, FIDO2 authentication via passkeys is similarly easy, or even easier.

Remember, these passwords are from stolen credentials, which also suggests that complementary controls, such as multi-factor authentication, were also not implemented - or, perhaps, were easily circumvented by a man-in-the-middle or proxy attack. And of course, this list says nothing about credentials which were not stolen, so we know that not all admins are this bad. But all the same, we can see how easy it is for even script kiddies to compromise some systems.
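As an added illustration (my own example, not Outpost24's code or any product's), here is a Python screening function of the kind the paragraphs above call for: it rejects the top-20 list verbatim, reduces a candidate to its alphabetic core so that the predictable variants admins reach for (admin1234, Admin@2023! and so on) are caught as well, enforces a minimum passphrase length, and refuses all-digit strings. The minimum length of 14 and the reason codes are assumptions of this example, not values from the report.

```python
import re

# The top-20 passwords associated with compromised accounts, from the
# Outpost24 post quoted above.
COMPROMISED_TOP20 = {
    "admin", "123456", "12345678", "1234", "Password", "123", "12345",
    "admin123", "123456789", "adminisp", "demo", "root", "123123",
    "admin@123", "123456aA@", "01031974", "Admin@123", "111111",
    "admin1234", "admin1",
}

# Assumed policy value for this example; the report itself gives no number.
MIN_LENGTH = 14


def alphabetic_core(candidate: str) -> str:
    """Lower-case the candidate and strip non-letters from both ends, so that
    'Admin@2023!' and 'admin1234' both reduce to 'admin'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())


# Cores of the list entries ('admin', 'password', 'demo', 'root', ...), used to
# catch the predictable variants the article describes.
COMPROMISED_CORES = {alphabetic_core(p) for p in COMPROMISED_TOP20} - {""}


def check_password(candidate: str) -> list:
    """Return the reason codes for rejecting candidate (empty list = acceptable)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if candidate in COMPROMISED_TOP20:
        reasons.append("compromised")
    elif alphabetic_core(candidate) in COMPROMISED_CORES:
        reasons.append("variant")
    if candidate.isdigit():
        reasons.append("all_digits")
    return reasons


def is_acceptable(candidate: str) -> bool:
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ["admin", "Admin@2023!", "Password2023!!", "12345678901234",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Screening candidates against a list of known-compromised passwords is what NIST SP 800-63B recommends in place of composition rules; in production the twenty entries here would be replaced by a large breach corpus, but the normalisation step is what turns a list of exact strings into a check that also catches the "few predictable ways" described above.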

Outpost24, IT admins are just as culpable for weak password use, blog post, 17 October 2023. Available online at https://outpost24.com/blog/it-admins-weak-password-use/.

Multiple Agencies Update "Secure By Design" Principles

A large coalition of national cybersecurity agencies - rather than listing them all, it's easiest just to say that Russia, China, North Korea and Iran are not on the list - has updated the guidance issued earlier this year on principles and approaches for designing software which is secure by design. Citing the need to shift the balance of security risk - specifically, the impact of threats - from customers to developers and manufacturers, the guidance revolves around three fundamental principles for tech firms:

  • Take ownership of customer security outcomes
  • Embrace radical transparency and accountability
  • Build organizational structure and leadership to achieve these goals - lead from the top

In order to achieve each of these objectives, the publication outlines a number of practices. For example, in support of that first principle, the practices include:

  • Eliminate default passwords (surprise!)
  • Conduct security-centric user field tests
  • Reduce hardening guide size
  • Actively discourage use of unsafe legacy features
  • Implement attention grabbing alerts
  • Create secure configuration templates
  • Document conformance to a secure SDLC framework
  • Document Cybersecurity Performance Goals (CPG) or equivalent conformance
  • Vulnerability management
  • Responsibly use open source software
  • Provide secure defaults for developers
  • Foster a software developer workforce that understands security
  • Test security information and event management (SIEM) and security orchestration, automation, and response (SOAR) integration
  • Align with Zero Trust Architecture (ZTA)
  • Provide logging at no additional charge
  • Eliminate hidden taxes (do not charge for security and privacy features or integrations)
  • Embrace open standards
  • Provide upgrade tooling

There's a lot more, for the other principles.

At only 36 pages, this guide is primarily aimed at senior managers - it is certainly much smaller than any of the many textbooks on correctness-by-construction and secure programming intended for architects and programmers. This is not to say that developers don't need to at least skim it - there are some useful ideas in there.

CISA et al., Secure By Design - Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, technical report, 16 October 2023. Available online at https://www.cisa.gov/resources-tools/resources/secure-by-design.



These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

 
by Les Bell - Wednesday, 18 October 2023, 11:35 AM

News Stories


New Scheme Could Improve on Shor's Algorithm

Back in the mid-1990s, mathematician Peter Shor came up with an algorithm for factoring composite numbers much faster than was possible with previous methods. This would, of course, break the RSA public-key cryptosystem, which relies upon the difficulty of factoring large composite numbers; in fact, the RSA key-generation algorithm starts by generating two large probably-prime numbers, \(p\) and \(q\), and then multiplying them to create a modulus, \(N\), which forms part of the public key and is therefore known to any attacker. If an attacker can quickly figure out \(p\) and \(q\) by factoring \(N\), it's game over, and they can easily derive the private key. And since RSA is widely used for exchange of the secret session keys used by symmetric cryptoprimitives like AES, this would break a lot of Internet communications.

But there's one problem: Shor's algorithm specifically needs a quantum computer to run. Specifically, it uses a quantum circuit to effectively perform a Fourier transform, in order to find the period of a function; a function is said to be periodic when its values repeat in a fixed cycle as the input value is incremented - something that must happen when performing the modular arithmetic that underlies public-key cryptography (remember, \(N\) is a modulus).

To date, the development of quantum computers has been beset by difficulties, such as noise causing errors in the calculation, which have only gradually been overcome by a variety of techniques, such as using additional qubits (quantum bits) for error correction. So far, only relatively small numbers have been factored; for example, the factoring of 143 (11 x 13) using a 4-qubit nuclear magnetic resonance quantum computer in 2012 was considered quite a breakthrough, although later analysis, by other researchers, of the raw data released indicated that the experiment had simultaneously factored several much larger numbers, such as 3,599, 11,663 and 56,153.

As of early 2023, the largest number to be factored using quantum computing is the 48-bit number 261980999226229, which still falls well short of the 2048-bit (617 decimal digit) moduli commonly used for RSA keys today, which by some estimates would require a quantum computer with 20 million qubits.
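To make the period-finding idea concrete, here is a small Python example of my own (not code from Regev's paper or the Quanta article) that carries out the classical parts of Shor's algorithm and stands in for the quantum Fourier-transform stage with a brute-force search for the period. It factors the 143 mentioned above and the textbook 15, and shows why a given base sometimes yields only a trivial answer and must be retried. The function names are mine.

```python
from math import gcd
from typing import Optional, Tuple


def modular_sequence(a: int, n: int, length: int) -> list:
    """a^0, a^1, a^2, ... mod n: the periodic function Shor's algorithm exploits.
    For a = 7, n = 15 this is 1, 7, 4, 13, 1, 7, 4, 13, ... with period 4."""
    return [pow(a, k, n) for k in range(length)]


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n), found by brute force.
    On a quantum computer this is the job of the Fourier-transform stage; done
    classically it can take up to n steps, which is exactly why the quantum part
    matters for 2048-bit moduli."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n for the period to exist")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_with_period(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Classical post-processing of Shor's algorithm for base a.
    Returns (p, q) with p * q == n, or None when this base gives only a trivial
    result (odd period, or a^(r/2) = -1 mod n) and another base must be tried."""
    g = gcd(a, n)
    if 1 < g < n:                       # a itself already shares a factor with n
        return tuple(sorted((g, n // g)))
    r = find_period(a, n)
    if r % 2:                           # odd period: a^(r/2) is not an integer power
        return None
    y = pow(a, r // 2, n)               # y^2 = 1 (mod n), and y != 1 by minimality of r
    if y == n - 1:                      # y = -1: gcd(y - 1, n) = 1 and gcd(y + 1, n) = n
        return None
    p = gcd(y - 1, n)                   # otherwise n divides (y-1)(y+1) but neither factor
    return tuple(sorted((p, n // p)))


if __name__ == "__main__":
    print("7^k mod 15:", modular_sequence(7, 15, 8))
    print("period of 2 mod 143:", find_period(2, 143))
    print("143 =", factor_with_period(143, 2))
    print("15 =", factor_with_period(15, 7))
    print("15 with base 14 (trivial, retry):", factor_with_period(15, 14))
```

For 143 and base 2 the period is 60, so \(y = 2^{30} \bmod 143\), which is 1 modulo 11 and -1 modulo 13; the gcd step then peels off 11 and 13. The brute-force loop is the point of the demonstration: everything except the period search is cheap classical arithmetic, and it is only that search that the quantum circuit accelerates.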

However, a new variant of Shor's algorithm, developed by NYU computer scientist Oded Regev, massively reduces the number of quantum operations required to factor a number. Ironically, Regev based his technique on what he had learned while trying to find attacks on the lattice-based and learning-with-errors algorithms which provide one approach to post-quantum, or quantum-resistant, cryptography.

A lattice is a multi-dimensional vector space with integer coordinates; you could think about the integers modulo \(N\) as being a one-dimensional lattice, and the Fourier transform stage of Shor's algorithm effectively amounts to finding the shortest vector - the period of the function - in that one-dimensional lattice. The post-quantum algorithms, such as NTRU, are based on a similar shortest vector problem, only in a space with hundreds of dimensions, which makes the problem intractably hard - including, it is believed, for quantum computers.

What Regev did was to start by generalizing the algorithm from one dimension to two, and ultimately to many dimensions. Rather than repeatedly multiplying a single number, \(g\), with itself, he would take two numbers, \(g_1\) and \(g_2\), and repeatedly multiply them with themselves and each other in a two-dimensional space, and then \(g_1, g_2, \ldots, g_n\) in an \(n\)-dimensional space. The problem was that although each \(g_i\) did not need to be multiplied as many times, this had to be repeated for \(n\) different \(g_i\)'s, providing no advantage over Shor's original algorithm.

But musing while waiting for a lift one morning, the solution struck him - with a small number of dimensions, the numbers involved were large, so the algorithm could not benefit from the speedup of multiplying small numbers, but with a large number of dimensions, the quantum part was fast, but the remaining calculations, which have to be performed using a classical computer, required solving a very hard lattice problem. The trick is to find a sweet spot between these two extremes, modifying the algorithm to make it run fast in just a relatively small number of dimensions.

The result is a significant improvement; while Shor's algorithm for factoring an \(n\)-bit number requires \(\tilde{O}(n^2)\) qubits, Regev's requires only \(\tilde{O}(n^{3/2})\).

But wait - there's more. Just two weeks ago, Seyoon Ragavan and Vinod Vaikuntanathan at MIT published a further refinement of Regev's algorithm which reduces the number of qubits required to \(\tilde{O}(n \log{n})\) qubits.

If these results are correct, this makes quantum factorization of RSA keys closer than ever before, and the need for cryptographic agility and the replacement of RSA, etc. with post-quantum algorithms more urgent than ever.

Brubaker, Ben, Thirty Years Later, a Speed Boost for Quantum Factoring, Quanta Magazine, 17 October 2023. Available online at https://www.quantamagazine.org/thirty-years-later-a-speed-boost-for-quantum-factoring-20231017/.

Ragavan, Seyoon, and Vinod Vaikuntanathan, Optimizing Space in Regev’s Factoring Algorithm, arXiv preprint, 2 October 2023. Available online at https://arxiv.org/abs/2310.00899.

Regev, Oded, An Efficient Quantum Factoring Algorithm, arXiv preprint, 17 August 2023. Available online at https://arxiv.org/abs/2308.06572.


by Les Bell - Tuesday, 17 October 2023, 9:23 AM

News Stories


Cisco IOS XE Vulnerability Exploited in the Wild

Cisco has disclosed a 0-day privilege escalation vulnerability which is under active exploitation. The vulnerability, CVE-2023-20198, is in the web user interface of the IOS XE operating system, and sports a CVSS 3.x score of 10.0. If the web UI feature is enabled, and particularly if it is exposed to an untrusted network - such as the public Internet - it will allow a remote, unauthenticated attacker to create an account with privilege level 15 access, and thereby gain control of the victim system.

As yet, there is no patch, and so Cisco is recommending that customers disable the HTTP and HTTPS servers on all Internet-facing systems, by issuing the following commands in global configuration mode:

no ip http server
no ip http secure-server

However, this may not be possible if the system runs other services that require HTTP/HTTPS, in which case, access should be carefully restricted to trusted networks.

Cisco's advisory lists a number of indicators of compromise, including the presence of unknown user accounts on the system, such as cisco_tac_admin or cisco_support. The presence of an implant on the system can be detected with a curl command:

curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

If the system is infected, this request will return a hex string. Adversary interactions with the implant can also be detected by four Snort rules.
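Defensive triage helpers, written here as an added example rather than taken from Cisco's advisory: one classifies the body returned by the advisory's curl probe, one wraps that probe for a single device, and two parse a saved running configuration for the indicators discussed above (unexpected usernames, and whether the HTTP and HTTPS servers are still enabled). The sample configuration, the host address and the account allowlist are constructed placeholders, and the function names are mine.

```python
import re
import subprocess


def classify_implant_response(body: str) -> str:
    """The advisory states that an infected system answers the probe with a hex
    string; anything else (an HTML page, an empty body) is reported as no implant
    response, which is not the same as proof the device is clean."""
    text = body.strip()
    if text and re.fullmatch(r"[0-9A-Fa-f]+", text):
        return "IMPLANT_PRESENT"
    return "NO_IMPLANT_RESPONSE"


def probe_device(host: str) -> str:
    """Issue the curl request from the advisory against one device and classify
    the body. Requires curl on the path and network reachability."""
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    result = subprocess.run(
        ["curl", "-k", "-s", "-X", "POST", url],
        capture_output=True, text=True, timeout=15, check=False,
    )
    return classify_implant_response(result.stdout)


# IOS configuration lines of the form "username NAME privilege 15 secret ...",
# and "ip http server" / "ip http secure-server" with an optional "no " prefix.
USERNAME_RE = re.compile(r"^username\s+(\S+)", re.MULTILINE)
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\s*$", re.MULTILINE)


def unknown_accounts(config_text: str, allowed: set) -> list:
    """Local usernames in 'show running-config' output that are not on the
    allowlist; cisco_tac_admin and cisco_support are the names the advisory cites."""
    return [u for u in USERNAME_RE.findall(config_text) if u not in allowed]


def http_server_state(config_text: str) -> dict:
    """True/False for each server when the config states it explicitly, None when
    the line is absent (defaults vary by platform, so confirm on the device)."""
    state = {"http": None, "https": None}
    for negated, which in HTTP_RE.findall(config_text):
        key = "https" if which == "secure-server" else "http"
        state[key] = not negated
    return state


# Constructed sample configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-router-placeholder
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    print("unexpected accounts:", unknown_accounts(SAMPLE_CONFIG, {"netops"}))
    print("web UI servers:", http_server_state(SAMPLE_CONFIG))
    # print(probe_device("192.0.2.1"))   # placeholder address; needs network access
```

The configuration checks are the ones worth automating across a fleet: an unexpected privilege-15 account is the indicator Cisco names, and a device that still answers True for either server after the "no ip http server" / "no ip http secure-server" mitigation has been rolled out has missed the change.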

Cisco, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability, security advisory, 16 October 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.

BEC Scam Nets $A1.2 Million from Small Business

A new twist on a business email compromise scam, combined with social engineering, has cost a small earthworks business almost $A1.2 million.

The company's accounts manager received a phone call from a man claiming to be 'Mike' from the National Australia Bank - and since the firm had previously dealt with a Mike from a nearby branch of the bank, suspicions were allayed. Furthermore, 'Mike' knew details of the previous day's pay run, providing further evidence that he was from the bank.

However, 'Mike' claimed there had been fraudulent activities on the company's bank accounts which he would need to investigate, and tricked the accounts manager into granting him access.

Within minutes, said the business owner, Paul Fuller, the hacker had drained $A1.2 million out of the company accounts. "They (NAB) did get some money back but not nearly as much as went missing", said Mr. Fuller. To date, the bank has been able to recover $A84,000 but there is no prospect of recovering any more.

There are a couple of obvious safeguards which small business workers need to bear in mind. First, an inbound call provides no authentication; you do not know that the person who has called really is from the institution they claim to be. The same applies to text messages; in both cases, caller ID is easy to spoof. Instead, take the caller's details such as their name, department or employee number, and then call the institution using the phone number you already have on file or obtain from a trusted source, and ask for them by name or employee number. If they are unknown to the operator, congratulate yourself on dodging a bullet.

Secondly, stop and think - don't let yourself be panicked into precipitous actions. Is it likely that a customer service person in a rural branch of a huge bank would be investigating suspected fraud, or is it more likely that a specialized investigations department would be involved? And in either case, wouldn't such a bank employee already have the level of access required to perform that investigation?

It's entirely possible that this phone call was preceded by compromise of the company's email accounts, which were mined to obtain details of the banking relationship - for example, earlier emails involving the legitimate 'Mike'. It's possible the email system also contained emails sent to employees with attached payslips, for example - and this would be all the caller needed to sound credible to his victim.

This underscores the need for multi-factor authentication on both email and online banking accounts; email accounts are particularly valuable since the 'forgotten password' procedures for many other online accounts work by simply sending a password reset link to the email address, on the often-invalid assumption that only the account owner will have access to this. I also recommend the use of dedicated thin clients, such as a Chromebook or Chromebox, for online banking and accounting, to minimise the chances of infection by infostealers and other malware.

Saunders, Miranda and Emma Rennie, Warnings about evolving cyber threats after hackers steal $1.2 million from Grafton family business, ABC News, 15 October 2023. Available online at https://www.abc.net.au/news/2023-10-15/cyber-threats-hackers-steal-million-dollars-small-business/102789994.


by Les Bell - Monday, 16 October 2023, 9:10 AM

News Stories


NSA Weakening Post-Quantum Crypto, Warns DJB

We have frequently warned of the need for cryptographic agility, a preparedness to replace the public-key algorithms we currently use in protocols like TLS, SSH, PGP & S/MIME as well as other secure protocols with new ones, should quantum computers become capable of breaking them. As part of this effort, the US National Institute of Standards and Technology (NIST) has been running an open competition to select best-of-breed post-quantum cryptographic algorithms, in much the same way as previous competitions produced AES and SHA-3.

But, claims Dan Bernstein of the University of Illinois Chicago, NIST is deliberately obscuring the level of involvement of the NSA in this process. Speaking to New Scientist magazine, he said,

"NIST isn’t following procedures designed to stop NSA from weakening PQC ... People choosing cryptographic standards should be transparently and verifiably following clear public rules so that we don’t need to worry about their motivations. NIST promised transparency and then claimed it had shown all its work, but that claim simply isn’t true."

Even worse, says Bernstein, calculations performed by NIST for the Kyber-512 algorithm are "glaringly wrong", leading to an erroneous conclusion that it is more secure than it really is. NIST multiplied two numbers together, rather than adding them, which he claims would have given a more realistic assessment of Kyber-512's robustness to attack.

NIST spokesperson Dustin Moody rejects Bernstein's analysis, stating that "It’s a question for which there isn’t scientific certainty and intelligent people can have different views. We respect Dan’s opinion, but don’t agree with what he says". In any case, while Kyber-512 meets NIST's level one criteria, the agency recommends that in practice users should adopt the stronger Kyber-768 algorithm.

Moody also argues that NIST has followed tight guidelines to ensure transparency and security, and would never knowingly agree to weaken any of these cryptographic standards. He also states that the NSA has, as far as it can, tried to be more open.

But Bernstein claims that NIST has not been open about the level of NSA input, and has used freedom of information requests and court action to force the agency to release internal documents which show that NSA employees are members of the "Post Quantum Cryptography Team. National Institute of Standards and Technologies", as well as undisclosed meetings with personnel from both the NSA and the UK's GCHQ.

The NSA has a checkered past with allegations of attempts to weaken cryptographic algorithms, dating back to unexplained requests to IBM and NIST to change the values in S-boxes (substitution boxes, a type of lookup table) in the algorithm that eventually became DES, the Data Encryption Standard. There were allegations from some cryptologists that this was done to deliberately weaken the algorithm; however, many years later, after Eli Biham developed the differential cryptanalysis attack on DES and similar cryptosystems, it was revealed that NSA had known of this attack decades earlier - they called it the 'T-attack' - and the suggested changes actually made DES more resistant to this attack.

On the other hand, documents released by Edward Snowden alleged that the NSA had subverted the NIST standard for pseudo-random number generation, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). There followed a period of intense debate amongst cryptologists culminating in a note by the Director of Research at the NSA, Dr. Michael Wertheimer, published in the Notices of the American Mathematical Society, in which he expressed regret that the agency continued to support Dual_EC_DRBG after researchers had discovered the potential for a trapdoor. He further pointed out that Dual_EC_DRBG was only one of four standards and that no-one was obliged to use it - in fact, because it was incredibly slow, they would be wise not to - but there are suggestions that NSA asked RSA Inc. to make it the default PRNG in their BSAFE software library, and compensated the company for doing so.

So, there you have it - something of a mixed bag. As in the case of Dual_EC_DRBG, expect a debate to erupt in the cryptologic community over the correct technique to use in assessing the strength of these algorithms (add? Or multiply?) as well as the ethics of engagement by agencies which have a dual role in both breaking the cryptosystems of adversaries and strengthening their own. Set a thief to catch a thief?

Bernstein, Daniel J., The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level, The cr.yp.to blog, 3 October 2023. Available online at https://blog.cr.yp.to/20231003-countcorrectly.html.

Green, Matthew, Hopefully the last post I'll ever write on Dual EC DRBG, blog post, 14 January 2015. Available online at http://blog.cryptographyengineering.com/2015/01/hopefully-last-post-ill-ever-write-on.html.

Sparks, Matthew, Mathematician warns US spies may be weakening next-gen encryption, New Scientist, 10 October 2023. Available online at https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/.

Wertheimer, M., Encryption and the NSA Role in International Standards, Notices of the AMS, Vol. 62, No. 2, pp. 165-167, February 2015.


by Les Bell - Friday, 13 October 2023, 9:22 AM

News Stories


WordPress Plugins Problems Persist

The web content management system marketplace is dominated by WordPress, largely on account of its large number of plugins which make it an extremely versatile platform for corporate web site development. However, WordPress security news is dominated by problems not in the platform itself but in the plugins, which often have a very large installed base.

One example, initially brought to light by WPScan, is a vulnerability in the Composer plugin from tagDiv, which is a companion to the firm's Newspaper and Newsmag themes. CVE-2023-3169, which surfaced in August, is a cross-site scripting vulnerability which is exploitable via an exposed RESTful API which allowed unauthenticated access. The vuln was partially fixed in tagDiv Composer 4.1 (which at least required admin authentication), and fully fixed in version 4.2. However, according to Sucuri, at least one malware gang was making use of it to inject malware onto vulnerable sites - and that may remain after the sites updated the plugin.

The Balada malware gang has a history of exploiting tagDiv's premium themes, having run a massive campaign targeting the Newspaper and Newsmag themes back in 2017, when the themes had only 40,000 paid users - that number has grown to over 135,000 for Newspaper alone. Their current campaign has run through six distinct waves:

  • Wave 1: Initial script injections
  • Wave 2: Autogenerated malicious WordPress users
  • Wave 3: Backdoors in Newspaper’s 404.php file
  • Wave 4: Malicious wp-zexit plugin installation
  • Wave 5: Three new Balada Injector domains
  • Wave 6: Even more obfuscated injections

During this campaign, the Balada crew have been diligent in varying their techniques in order to evade detection and to make it harder to find indicators of compromise in locations like logs and the WordPress database. According to Sucuri, they achieved considerable success with this approach - in September, their SiteCheck scanner detected various types of Balada Injector on over 17,000 sites, almost twice the number seen in August. Over 9,000 of these detections were related to the Newspaper theme vulnerability.

Apart from a detailed analysis and some IOCs, the Sucuri blog post also provides a specific list of mitigation actions for site admins using the Newspaper theme.

In other WordPress plugin news, specialist firm Wordfence has revealed a sophisticated backdoor which is posing as a legitimate plugin. Like any other plugin, this backdoor has access to all the normal WordPress functionality, and uses it to create a new admin account called superadmin (which it can also delete when the attacker is finished with the backdoor).

The backdoor adds several filters which modify pages as they are being rendered - unless the pages are being viewed by an administrator, in which case they will appear normal - allowing the insertion of malicious content, spam links and buttons. The backdoor code can also detect pages being fetched by bots and search engine spiders, using keyword stuffing to increase the search engine ranking of pages serving malicious content. Other code allows the remote activation and deactivation of arbitrary plugins.

The result of all this is that the backdoor operators can remotely control and monetize the victim site; users may - or may not - see the malicious content, and admins may not even realize that the site has been infected.

Wordfence have included a signature for this backdoor in the free version of their product since 1 September 2023, and the commercial versions protect users via a firewall rule as of 9 October 2023. They also provide incident response services at a premium.

Phan, Truoc, tagDiv Composer < 4.2 - Unauthenticated Stored XSS, vulnerability description, 17 August 2023. Available online at https://wpscan.com/vulnerability/e6d8216d-ace4-48ba-afca-74da0dc5abb5/.

Sinegubko, Denis, Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins, blog post, 6 October 2023. Available online at https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html.

Wotschka, Marco, Backdoor Masquerading as Legitimate Plugin, blog post, 10 October 2023. Available online at https://www.wordfence.com/blog/2023/10/backdoor-masquerading-as-legitimate-plugin/.


by Les Bell - Thursday, 12 October 2023, 10:22 AM

News Stories


More Shoes Drop on HTTP/2 Rapid Reset

A number of other stakeholders have now provided responses to the massive 'Rapid Reset' DDoS attack on the streams feature of HTTP/2 which we reported on yesterday. Google was obviously not the only large service provider affected by the attack; both Cloudflare and Amazon observed it, too, and have published their own analyses.

For Cloudflare, the attack peaked at just over 201 million requests per second - nearly three times its previous record. It was generated by a botnet of only about 20,000 machines, far smaller than the botnets of hundreds of thousands or millions of devices behind other campaigns, and that is the worrying part: Cloudflare estimates that the entire web sees around one to three billion requests per second, so a single attack using this technique could conceivably concentrate request volume comparable to the whole web's on a small group of targets.

Like Google - with whom both Cloudflare and Amazon collaborated - the firm was able to absorb the initial attacks and then introduce mitigations to limit the impact on its systems. One difficulty is that this attack has effectively no ramp-up period, so for a few seconds the network infrastructure has to absorb the traffic before the client IP address can be quarantined in Cloudflare's 'IP Jail' system. To overcome this, the firm expanded IP Jail to block such IPs from using HTTP/2 to connect to any domain on Cloudflare for a period of time. This limits the attack, while any legitimate client sharing the same IP sees only a small performance decrease during that time.

Amazon Web Services has also implemented mitigations, and has also recommended that customers operating their own web servers running HTTP/2 should apply relevant patches as soon as possible. The company has also blogged with advice on building DDoS-resistant architectures using AWS edge services such as Amazon CloudFront, AWS Shield, Amazon Route 53 and Route 53 Application Recovery Controller.

On the server side, NGINX has blogged with advice on how to configure that web server to minimize its attack surface and has released a patch for the server's ngx_http_v2_module which imposes a limit on the number of new streams that can be introduced within one event loop. The developers are continuing to experiment with mitigation strategies.

There seems to be no word on Rapid Reset from the Apache project, but according to online forums, a few admins have disabled HTTP/2 as a precaution.

Pardue, Lucas and Julien Desgats, HTTP/2 Rapid Reset: deconstructing the record-breaking attack, blog post, 10 October 2023. Available online at https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/.

Scholl, Tom and Mark Ryland, How AWS protects customers from DDoS events, blog post, 10 October 2023. Available online at https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/.

Vernik, Michael and Nina Forsyth, HTTP/2 Rapid Reset Attack Impacting NGINX Products, blog post, 10 October 2023. Available online at https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/.

Microsoft Moves: Die, NTLM! Die!

Microsoft has long been burdened by the need to maintain backward compatibility with older product versions which were originally designed in an era when the world generally - and Microsoft in particular - was more . . . naive . . . about security. Although the Redmond giant has always tended to favour, first glitz and glamour, then functionality, and finally security, when it has bitten the bullet and moved to new architectures that compromised that backward compatibility, the results have been painful for at least some of its customer base. Remember Windows Vista? Nothing much changed as Microsoft waited for the market to catch up, with compatible versions of applications and - especially - device drivers, and when an effectively-updated Vista was relaunched as Windows 7, customers loved it.

Now it looks like the firm is preparing to bite the bullet again, this time addressing the problems surrounding legacy authentication, specifically the NTLM authentication protocol. NTLM replaced the very weak LanMan hashes that date back to the days of Microsoft LAN Manager, but it remains a simple challenge-response protocol: the client proves it knows the NT hash of the password (an unsalted MD4 of the UTF-16 password) by using that hash to compute a response to a challenge from the server. Since the hash, not the password, is all the client needs, a stolen hash is as good as the password (hence pass-the-hash), and a captured challenge/response pair can be cracked offline against a dictionary at leisure. Hardly any enterprise networks rely on NTLM as their primary protocol, having adopted Active Directory - which is based on Kerberos - many, many years ago, but NTLM lives on for a few reasons, which Microsoft lists as:

  • NTLM doesn’t require local network connection to a Domain Controller
  • NTLM is the only protocol supported when using local accounts
  • NTLM works when you don’t know who the target server is

As a result, some applications and services continue to rely on NTLM rather than switching to Kerberos, and it is often not possible to disable it; even some enterprise scenarios require NTLM as a fallback when Kerberos is not available. And, of course, many SMEs and microbusinesses rely on NTLM, as it is used by many third-party network-attached storage (NAS) products as well as Microsoft's own Workgroups feature and the Remote Desktop Protocol in non-AD environments.
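To make concrete why the NT hash is a password-equivalent, here is a short Python sketch of the NTLMv2 exchange. It is added here as an illustration and is neither Microsoft's code nor anything from the blog post summarised above. The NT hash is an unsalted MD4 of the UTF-16LE password; the NTLMv2 response (the NTProofStr of MS-NLMP) is an HMAC-MD5 chain keyed from that hash, with the server's challenge and the client's blob as the only other inputs. Because the client never needs the password itself, a dumped hash suffices to authenticate (pass-the-hash), and because the response is a deterministic function of the hash, a captured challenge/response pair can be attacked offline with a wordlist. The user, domain, challenge, blob and wordlist below are constructed values, and a pure-Python MD4 is included because many OpenSSL builds no longer expose MD4 through hashlib.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); included because hashlib's MD4 is often disabled."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, word order, shift amounts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & MASK32
                a, b, c, d = d, _rol(t, shifts[i % 4]), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password, with no salt. This is what NTLM actually keys on."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 NTProofStr: HMAC-MD5 keyed by the NTLMv2 hash over the server challenge and client blob.
    Only the hash is needed, never the password."""
    ntlmv2_hash = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(ntlmv2_hash, server_challenge + blob, "md5").digest()


def crack_offline(captured: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes, wordlist):
    """Dictionary attack on a captured challenge/response pair (e.g. sniffed from an SMB session)."""
    for candidate in wordlist:
        if ntlmv2_response(nt_hash(candidate), user, domain, server_challenge, blob) == captured:
            return candidate
    return None


# Constructed sample values: a fixed 8-byte server challenge and a stand-in for the client blob
# (in a real exchange the blob carries a timestamp, client nonce and target information).
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = b"\x01\x01" + b"\x00" * 6 + b"constructed-blob"
WORDLIST = ["123456", "admin", "Password", "password", "admin@123"]


def demo():
    # A legitimate client holds the password ...
    genuine = ntlmv2_response(nt_hash("password"), USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    # ... but an attacker holding only the dumped NT hash computes the identical response (pass-the-hash).
    stolen_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    pth = ntlmv2_response(stolen_hash, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    # And a sniffed challenge/response pair falls to a wordlist with no further interaction with the server.
    recovered = crack_offline(genuine, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB, WORDLIST)
    return genuine == pth, recovered


if __name__ == "__main__":
    print(demo())  # (True, 'password')
```

Kerberos avoids both problems by design: the client's long-term key is never used directly on the wire against an attacker-chosen challenge, tickets are bound to a service and a lifetime, and there is nothing equivalent to replaying a hash.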

In order to be able to finally dispense with NTLM, Microsoft is introducing two new features for Windows 11. The first is 'Initial and Pass Through Authentication Using Kerberos' (IAKerb), which the company describes as "a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight." As I first read that word, "public", a small daemon on my shoulder urgently whispered, "Embrace-Extend-Extinguish!", but I am prepared to wait and see - both Microsoft and the market have evolved since those days, I hope.

IAKerb works through a 'Negotiate' extension and will allow the Windows authentication stack to proxy Kerberos messages through the server on behalf of a client in a firewall-segmented or remote access scenario. As it does this, it will rely on the confidentiality and origin-authenticity services of Kerberos itself to protect its messages against relay and replay attacks.

The second new feature is perhaps more significant for non-AD sites and scenarios. In order to support local (as opposed to domain) remote logons, a local Kerberos KDC will be added to Windows 11, built on top of the Security Account Manager. This will leverage IAKerb and allow Windows to pass Kerberos messages between machines without having to add support, and open ports, for such services as DNS, netlogon or DCLocator. In addition, Microsoft is removing hard-coded references to NTLM from other Windows components, changing them to use the Negotiate protocol instead, allowing an easy transition to Kerberos.

These changes will be enabled by default and will not require configuration in most scenarios, although NTLM will continue to be available as a fallback for the time being. However, another set of changes coming to Windows 11 includes additional service information being recorded in event logs, coupled with more granular policies, to allow domain admins to track and block NTLM on a service-by-service basis. The same telemetry will be used by Microsoft itself to eventually pull the plug on NTLM for good - although even once it is disabled by default, users will be able to re-enable it. Somehow, I do not think it will go gentle into that good night.

So, for those of us who manage small networks, expect a few pain points in times to come. On balance, though, it will be worth it; an entire category of dictionary, rainbow tables and pass-the-hash attacks will eventually be consigned to the scrap heap of history.

Palko, Matthew, The evolution of Windows authentication, blog post, 11 October 2023. Available online at https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848.


Les Bell
by Les Bell - Wednesday, 11 October 2023, 9:39 AM
Anyone in the world


News Stories


US Agencies Release Guidance on Open Source in OT and ICS Environments

The US Cybersecurity and Infrastructure Security Agency, along with the FBI, NSA and Department of the Treasury, has released a new fact sheet entitled Improving Security of Open Source Software in Operational Technology and Industrial Control Systems. This new guide is one of the priority initiatives of the JCDC (Joint Cyber Defense Collaborative) 2023 Planning Agenda, which focuses on systemic risk, collective response and high-risk communities related to critical infrastructure.

Since its distant origins, free and open source software has grown in significance, to the extent that almost every major software system - including those from former staunch advocates of proprietary code - includes several open source components. This includes operational technology (OT), which this fact sheet defines as "the hardware, software, and firmware components of a system used to detect or cause changes in physical processes through the direct control and monitoring of industrial equipment, assets, processes, and events." In this sense, industrial control systems (ICS) are a subset of OT in which networked systems control processes such as manufacturing, product handling, production and distribution.

The report identifies three challenges which OT/ICS shares with other software systems:

  • Dependency vulnerabilities
  • Lack of commercial support
  • Inadequate documentation

Dependency vulnerabilities are a common concern in software supply chains generally, but the lack of commercial support can be an obstacle for commercial customers who rely on proactive support from vendors and who do not have processes to connect into the open source community's approach to software maintenance. And I can certainly relate to the last point; I have often discovered a peculiarly-named package in a system I'm working on, wondered what it was, and tracked down the project web site only to discover no explanation of what the package actually is. Greybeard readers may remember the "Real Programmer" jokes, including "Real programmers don't write documentation. You've got the source code - what more do you need?". It's not as funny as it once was.

A related problem is the difference in maintenance mindset between the wider IT software world, which views software as highly mutable and expects frequent patching and updates after deployment (cf. the CI/CD pipelines so popular in cloud environments), and the OT world. Engineers running complex systems like refineries and mineral-processing plants would be horrified by that model; their systems are subject to stringent change management policies and safety regulations, and even shutting them down for maintenance can bring huge costs.

Increasing interconnection of OT/ICS systems to conventional business IT networks brings a whole new set of risks to this world, requiring an even stronger defensive posture for the business systems.

The fact sheet makes a number of detailed recommendations for improving security of open source in OT/ICS, starting at the senior leadership level and working down. They encompass:

The guide also provides an extensive listing of resources and references.

CISA, Securing Open Source Software in Operational Technology, fact sheet, 10 October 2023. Available online at https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/Securing-Open-Source-software-in-operational-technology. Direct PDF download at https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf.

Massive Layer Seven DDoS Attack Uses HTTP/2

From Google comes analysis of a massive distributed denial of service attack on a number of the company's cloud services and their customers. The August attack, which was delivered at layer 7 (the ISO/OSI model application layer) over the HTTP/2 protocol, was significantly larger than any previous layer 7 attack, peaking at 398 million requests per second.

The attack, which Google dubbed "Rapid Reset", was largely stopped at the edge of Google's network by its global load balancing infrastructure, with minimal impact and no outages.

Unlike HTTP/1.1, which is a text protocol for its request and response headers, HTTP/2 is a more efficient binary framing protocol. And where HTTP/1.1 handles the requests on a connection one after another - so that browsers open several parallel TCP connections per site, each with its own three-way SYN/SYN-ACK/ACK handshake (and a four-way handshake when it closes) - HTTP/2 multiplexes multiple bidirectional "streams" within a single TCP connection. This economizes on server CPU, not to mention sockets and ports, which would otherwise constrain the number of connections between client and server. It also allows requests to be processed concurrently, rather than serially as HTTP/1.1 does, with servers typically allowing up to 100 concurrent streams per connection.

This attack abuses HTTP/2's stream cancellation feature: a client can unilaterally cancel a stream by sending a RST_STREAM frame, and may assume that the server will honour the cancellation immediately, before processing any further data on that TCP connection. The Rapid Reset attack therefore works like this: the client opens a large number of streams at once, but rather than waiting for a response to each request from the server (or an intermediate proxy), it simply cancels each request immediately. According to Google's researchers:

The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.

In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.

So the attack is cheap - in terms of network bandwidth - for the attacker but expensive for the server.

Since the original attack, Google has seen some variants on the Rapid Reset attack which are not as efficient, but probably still more efficient than standard HTTP/2 attacks. One variant, for example, does not cancel streams at once, but instead waits for some time, in order to bypass mitigations which monitor the rate of inbound RST_STREAM frames. A second variant simply tries to overwhelm the server with more streams than it can handle.
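The cost asymmetry described above, and the delayed-cancellation variant, are easiest to see at the frame level. The following Python sketch is an added example, not code from Google's post or from any HTTP/2 implementation: it encodes and decodes the 9-byte HTTP/2 frame header, then keeps per-connection counts of client requests (HEADERS frames on odd, client-initiated stream IDs) and cancellations (RST_STREAM frames). A sliding-window rate check catches the original attack; a lifetime cancel-to-request ratio catches the slow variant that stays under any per-second RST_STREAM rate limit. The three traces and all thresholds are constructed for the demonstration; real servers tune these against their own traffic.

```python
import struct
from collections import defaultdict, deque

HEADERS, RST_STREAM = 0x1, 0x3      # HTTP/2 frame type codes (RFC 9113)
END_STREAM, END_HEADERS = 0x1, 0x4  # HEADERS flags
CANCEL = 0x8                        # RST_STREAM error code


def encode_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, reserved bit + 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def decode_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in data; stop at a truncated one."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        if off + 9 + length > len(data):
            break
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length


class RapidResetGuard:
    """Per-connection accounting of client requests (HEADERS on odd streams) and cancellations (RST_STREAM).

    Two independent checks, both with constructed thresholds:
      'rate'  - more than max_rst_per_window RST_STREAM frames inside a sliding window (the original attack);
      'ratio' - once a connection has issued min_requests requests, more than max_cancel_ratio of them
                were cancelled (catches the slow variant that stays under any per-second rate limit).
    """

    def __init__(self, max_rst_per_window=100, window=1.0, min_requests=200, max_cancel_ratio=0.5):
        self.max_rst_per_window, self.window = max_rst_per_window, window
        self.min_requests, self.max_cancel_ratio = min_requests, max_cancel_ratio
        self.requests, self.cancels = defaultdict(int), defaultdict(int)
        self.recent_rst = defaultdict(deque)

    def observe(self, conn, ts, data):
        """Feed raw bytes received at time ts (seconds) on connection conn; return 'ok', 'rate' or 'ratio'."""
        for ftype, _flags, stream_id, _payload in decode_frames(data):
            if ftype == HEADERS and stream_id % 2 == 1:
                self.requests[conn] += 1
            elif ftype == RST_STREAM:
                self.cancels[conn] += 1
                recent = self.recent_rst[conn]
                recent.append(ts)
                while recent and ts - recent[0] > self.window:
                    recent.popleft()
                if len(recent) > self.max_rst_per_window:
                    return "rate"
            if (self.requests[conn] >= self.min_requests
                    and self.cancels[conn] / self.requests[conn] > self.max_cancel_ratio):
                return "ratio"
        return "ok"


def classify(trace, conn="conn-1", **thresholds):
    """Run a (timestamp, bytes) trace through a fresh guard and return the first non-'ok' verdict."""
    guard = RapidResetGuard(**thresholds)
    for ts, data in trace:
        verdict = guard.observe(conn, ts, data)
        if verdict != "ok":
            return verdict
    return "ok"


def build_trace(n_requests, cancel_every, spacing):
    """Constructed client trace: one HEADERS frame per request, spacing seconds apart,
    with every cancel_every-th request immediately reset with CANCEL."""
    events = []
    for i in range(n_requests):
        sid, ts = 2 * i + 1, i * spacing
        # b"\x82\x84" stands in for an HPACK-encoded request; the detector never parses it.
        events.append((ts, encode_frame(HEADERS, sid, b"\x82\x84", END_STREAM | END_HEADERS)))
        if (i + 1) % cancel_every == 0:
            events.append((ts, encode_frame(RST_STREAM, sid, struct.pack(">I", CANCEL))))
    return events


BENIGN = build_trace(200, 40, 0.1)      # 200 requests over 20 s, a handful of cancellations
RAPID = build_trace(500, 1, 0.0001)     # every request reset at once: thousands of RSTs per second
DELAYED = build_trace(500, 1, 0.02)     # every request reset, but only 50 per second

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("rapid reset", RAPID), ("delayed variant", DELAYED)):
        print(f"{name:16s} -> {classify(trace)}")
```

The verdicts are the point: the benign trace passes both checks, the original attack trips the rate check within a few milliseconds, and the delayed variant never trips the rate check but is caught by the ratio once enough requests have been seen. Whatever the action taken (closing the connection, or jailing the source IP as Cloudflare does), the server has already paid for the streams it opened before the verdict, which is why the attack still needs to be absorbed for a short period.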

Google has deployed a number of mitigations for the Rapid Reset attack variants and is working on others, in conjunction with industry partners. CVE-2023-44487 has been reserved to track the fixes to the various HTTP/2 implementations.

It seems unlikely that Rapid Reset will work against HTTP/3, which uses the QUIC protocol (originally developed by Google and now an IETF standard) over UDP rather than TCP as the transport. Nonetheless, the firm recommends proactive implementation of similar mechanisms to limit the amount of work a single transport connection can impose.

Snellman, Juho and Daniele Iamartino, How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack, blog post, 10 October 2023. Available online at https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack.

'Son of Mirai' Adds More Exploits

Speaking of distributed denial of service attacks, remember the heady days when the Mirai IoT botnet set new records? Mirai itself is long gone, but its DNA (code, really) lives on in descendants such as IZ1H9, which has recently updated its arsenal of exploits, with payloads for D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK devices in a variant recently sighted by Fortiguard Labs researchers.

Their blog post is littered with CVEs, indicating the number of exploits in this new, rapidly-evolving variant. It has attacked tens of thousands of consumer-level devices, primarily through remote code execution exploits, amassing a large botnet.

The full report from Fortiguard Labs Threat Research provides a detailed analysis of the various exploits, along with IOCs and an offer of free training to protect against phishing attacks.

Lin, Cara, IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits, blog post, 9 October 2023. Available online at https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits.


Les Bell
by Les Bell - Tuesday, 10 October 2023, 10:41 AM
Anyone in the world


News Stories


Vulnerabilities in Supermicro BMC Firmware

Back in December last year, we reported on vulnerabilities in the AMI MegaRAC software which runs on the baseboard management controller circuitry of many servers in order to provide server management in data centers. Only a month later came news that two other vulnerabilities had been discovered at the same time by security firm Eclypsium, who had given AMI time to develop mitigations.

Now it's Supermicro's turn in the barrel, according to a new report from Binarly, who have examined the Supermicro X11 BMC firmware (v1.66) and discovered seven vulnerabilities:

(At time of writing, most of those vulnerabilities are not yet in the National Vulnerability Database.)

The first vulnerability allows an authenticated attacker to gain root access and completely compromise the BMC, persisting through BMC reboots and enabling lateral movement within the data center infrastructure. The next three cross-site scripting vulnerabilities allow execution of arbitrary JavaScript code in the context of a logged-in BMC user, leading to privilege escalation via creation of a new admin account - and, hey presto!, CVE-2023-40289 is now available.

The remaining three XSS vulnerabilities also allow execution of arbitrary JavaScript code, but depend on additional conditions to succeed, making them more difficult. However, these seven vulnerabilities collectively offer a chain which can lead to exploitation of the server OS via legitimate iKVM BMC functionality or by flashing the UEFI BIOS of the target system with malicious firmware to achieve persistence.

Binarly are highly critical of Supermicro's response, claiming the firm's calculations of lower CVSS scores reflect a misguided attempt to minimise the impact of the vulnerabilities. Supermicro customers are urged to patch their systems as soon as possible, and also to follow the advice in the NSA's information sheet on BMC hardening.

Binarly Research Team, Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs, blog post 3 October 2023. Available online at https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index.html.

National Security Agency / Central Security Service, NSA and CISA Release Guide to Protect Baseboard Management Controllers, press release, 14 June 2023. Available online at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3426648/nsa-and-cisa-release-guide-to-protect-baseboard-management-controllers/.

NSA and CISA, Harden Baseboard Management Controllers, cybersecurity information sheet, June 2023. Available online at https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS.PDF.

Trend Micro Offers Managers a Guide to Cybersecurity Risk Assessment

Security firm Trend Micro has published an article on risk management which won't tell information risk management professionals anything they don't know, but is a nice introduction to send to busy managers who need to appreciate the basics. It ends with a gentle pitch for the firm's Vision One EDR/XDR product, as one might expect, but is easily readable and contains some links to other relevant non-technical articles on, e.g. cyber risk quantification.

Clay, Jon, A Cybersecurity Risk Assessment Guide for Leaders, blog post, 5 October 2023. Available online at https://www.trendmicro.com/en_us/ciso/23/b/cybersecurity-risk-assessment.html.


Les Bell
by Les Bell - Monday, 9 October 2023, 8:40 AM
Anyone in the world


News Stories


NSA, CISA Highlight Common Security Misconfigurations

A new advisory released by the NSA and CISA highlights the most common cybersecurity misconfigurations identified by the agencies during red team/blue team assessments conducted by their Hunt and Incident Response teams. The 10 most common network misconfigurations are:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

The advisory explains each category of misconfiguration, with examples, and maps them to the MITRE ATT&CK and D3FEND frameworks. Taking just the first category as an example - default configurations - these are mainly default credentials and default service permissions and configuration settings:

A lot of software, and some devices, ship with predefined default credentials for privileged admin accounts. Threat actors routinely use simple searches [T1589.001] to find these and gain authenticated access [T1078.001]. They may also reset these accounts [T1098] via predictable forgotten password questions. Other techniques include leveraging default VPN credentials to get internal network access [T1133], using well-known setup information to gain access to web applications and the databases behind them, and leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement.

Many services have overly permissive access controls or vulnerable default configurations. In the Windows environment, these can include Active Directory Certificate Services, insecure legacy protocols and services such as the NetBIOS name service, and the SMB protocol, for which message signing - the mechanism that assures authenticity and integrity - is still not required by default on most Windows systems. These services allow a variety of exploits, including Golden Ticket attacks and assorted spoofing, poisoning and relay techniques - not to mention extraction of hashes, allowing a leisurely dictionary or rainbow tables attack.

The other categories are given similar treatment, with details of the typical vulnerabilities and the exploits they enable. The focus in this section is not so much on mitigation as on work that should have been performed earlier, as systems are installed and deployed. Many of these misconfiguration problems should have been dealt with during a system hardening and automated audit process (for example, using SCAP, the Security Content Automation Protocol), or even earlier, during system design and development.

There is one exception, however, and that is poor credential hygiene, which currently has to be dealt with via security education, training and awareness (remember, October is Cybersecurity Awareness Month so now is the time to get on top of this). In the long run, of course, the answer lies in the use of multi-factor authentication and cryptographic techniques which will hopefully see an end to passwords altogether (well, we can dream . . .).

Having said that, the advisory concludes with two long sets of tables of mitigations - one for defenders of production systems and networks, and one for software manufacturers. Think of this as a long 'to-do list' to be pinned to the wall; there's a good chance some of these tasks have been overlooked in your environment. The final section of the advisory is a list of references, which itself points to a lot of useful information.

CISA, NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations, cybersecurity advisory AA23-278A, 5 October 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a. Direct PDF download at https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF.


Les Bell
by Les Bell - Friday, 6 October 2023, 9:27 AM
Anyone in the world


News Stories


Forwarded Emails Breached Patient Confidentiality

The personal details of 192 patients at the Royal Women's Hospital in Melbourne have been compromised in a data spill.

In this case, the hospital's systems, such as the Electronic Medical Record system (which is shared with three other institutions), its email system and other IT systems, have not been compromised. Rather, the spill occurred when a staff member forwarded work emails to their personal email account, "to review and coordinate their patient appointments and care approaches". It was the personal email account that was compromised, and no medical records have been compromised.

The affected patients are being contacted; at this stage no data seems to have been posted on the dark web but this is certainly a future possibility.

There are many obvious problems with the use of email to share work records, especially when medical professionals often work in both hospitals and their own professional rooms, not to mention hybrid work patterns. A better approach would be to support remote access to the required applications for data management, either via VPN or perhaps a zero trust architecture approach; this would also ensure that all data access is subject to the appropriate application-based access controls.

But in this case, it seems that work email was being used anyway - which leads to the next question: why did the staff member forward the email to a personal account? Could the work email system not be accessed externally? If that is the case, why - is that a deliberate architecture/policy choice? If so, it's an outstanding demonstration of the old saw that users will always find a work-around for over-restrictive security controls.

9 News staff, Almost 200 patients at major Melbourne hospital caught up in data leak, 9 News, 5 October 2023. Available online at https://www.9news.com.au/national/data-breach-royal-womens-hospital-melbourne-victoria-health-news/74175702-20e2-4ca7-818c-6695aa6edaa9.

Malicious npm Packages Deliver r77 Rootkit

Yet another in the apparently never-ending stream of supply chain attacks - this time via npm, the package manager for the JavaScript server runtime Node.js.

Discovered by ReversingLabs researchers, this particular campaign relies on an easily-overlooked confusion over package names: a developer looking for the package node-hide-console-window (which controls visibility of an application's console window) instead stumbles across node-hide-console-windows. Just one little 's' makes all the difference - although the developers of the malicious package were careful to make the npm page for their trojaned version look very similar to the genuine package's, right down to the version history.

In essence, this is similar to the typosquatting attack more commonly used by phishing campaign operators.
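A check a development team can run locally against this kind of near-miss, as an added example (not ReversingLabs' tooling or anything npm itself provides): compare every dependency declared in package.json against an allowlist of the names the team actually intends to use, and flag any unlisted name that is within a couple of edits of an intended one. The package.json and the allowlist below are constructed; in practice the allowlist would be generated from a reviewed lockfile. The check generalises beyond the one-character case in the post to any small insertion, deletion or substitution, which also covers the expresss-for-express style of typo.

```python
import json

# Constructed package.json, as a developer might have written it after the mix-up described above.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "express": "^4.18.2",
    "node-hide-console-windows": "^1.0.6",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "expresss": "^1.0.0"
  }
}"""

# Names the team actually intends to use (constructed allowlist; generate it from a reviewed lockfile in practice).
INTENDED = {"express", "node-hide-console-window", "lodash"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def declared_dependencies(package_json: str):
    """All dependency names across the sections npm installs from."""
    doc = json.loads(package_json)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(doc.get(section, {}))
    return names


def suspicious_names(package_json: str, intended, max_distance=2):
    """Map each declared name that is not on the allowlist, but is within max_distance edits
    of an allowlisted name, to that closest intended name."""
    findings = {}
    for name in declared_dependencies(package_json):
        if name in intended:
            continue
        closest = min(intended, key=lambda n: levenshtein(name, n))
        if levenshtein(name, closest) <= max_distance:
            findings[name] = closest
    return findings


if __name__ == "__main__":
    for bad, good in sorted(suspicious_names(PACKAGE_JSON, INTENDED).items()):
        print(f"{bad!r} is within two edits of {good!r}; check before installing")
```

A name-distance check is only a tripwire: it cannot tell a genuinely different package from a trojaned look-alike, and it says nothing about a package whose name is correct but whose maintainer account or contents have changed, so it belongs alongside, not instead of, the provenance checks (new publisher, no linked projects, fresh version history) that the researchers used.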

The ReversingLabs researchers discovered the malicious package during a routine scan of the npm public repository and immediately noticed that it was owned by a new account not connected to any other npm projects. Examination of the index.js file revealed that it would download and run an executable, which turned out to be DiscordRAT 2.0, an open-source remote access trojan; this particular variant was created only 10 days before the publication of the malicious node-hide-console-windows package.

The RAT would create a channel to an associated Discord server and fetch an initial payload, then wait for additional commands. In addition to all the usual commands expected in a RAT, it also boasts a !rootkit command, which allows the operator to launch the r77 rootkit on the victim. r77 is a fileless ring 3 rootkit which can disguise files and processes in order to evade their detection; in this case, when it is launched it creates two registry subkeys to hide the RAT's executable and its process.

The latest two versions of the malicious node-hide-console-windows package have additional functionality to also download a compiled version of the Blank-Grabber Python infostealer.

The ReversingLabs blog post gives a detailed analysis along with IOCs for the malicious packages and second stage payloads.

Valentić, Lucija, Typosquatting campaign delivers r77 rootkit via npm, blog post, 4 October 2023. Available online at https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research.

