Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Sophisticated Exploit PoC Breaks End-to-End Encryption in Matrix

Matrix is an open standard and suite of protocols which aim to make real-time communications, such as teleconferencing, operate as transparently as email. A user with an account on any Matrix server - called their homeserver - can use these protocols to communicate across the entire Matrix ecosystem. Since this will utilize untrusted servers, the specification enables end-to-end encryption by default, using the Olm and Megolm cryptographic ratchets, which are intended to provide perfect forward security.

Now, researchers at Royal Holloway University, University of Sheffield and Brave Software have published a paper revealing some subtle vulnerabilities in the implementations of these protocols in the matrix-react-sdk and matrix-js-sdk reference development libraries for these protocols. These lead to two critical severity vulnerabilities.

In the first attack, a malicious homeserver can add users which they control to end-to-end encrypted rooms, by spoofing room membership messages, which are not authenticated in these protocols. Once they have been added, these users can decrypt future messages sent in that room.. In the second attack, the malicious homeserver adds a device, which they control, to another user's account in the room. While the device will be labeled 'unverified', with a warning icon, to all users in the room, the damage is done - existing devices will have shared their session data with the new device, allowing decryption of all future messages.

The Matrix project has released patches for the affected libraries (which not all Matrix implementation use) and users are advised to upgrade.

Albrecht, Martin R, Sofía Celi, Benjamin Dowling, and Daniel Jones, Practically-Exploitable Cryptographic Vulnerabilities in Matrix, preprint, undated. Available online at https://nebuchadnezzar-megolm.github.io/.

Hodgson, Matthew, et. al., Upgrade now to address E2EE vulnerabilities in matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2, blog post, 28 September 2022. Available online at https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients.

Admin Pleads Guilty to Sabotaging Former Employer

An admin who had worked for a major Hawaii-based finance sector company has pleaded guilty to sabotaging his former employer's network. Casey K. Umetsu worked for the firm between 2017 and 2019 as a network administrator, but shortly after leaving their employ, he used his credentials to access an admin dashboard and made numerous changes, including redirecting web and email traffic to external machines - effectively a denial of service. He also locked other administrators out of the dashboard so that they could not resolve the problem for several days.

His plan was to convince the company to hire him back at a higher salary - but the company contacted the FBI, who tracked him down, and he now faces a maximum sentence of 10 years in prison and a fine of up to $US250,000, which counts as a spectacular CLM (Career Limiting Move).

Of course, there's a lesson here for all of us, although the former employer paid a high price for it: have a procedure to rapidly revoke the access of highly-privileged employees (admittedly easier to say than to do).

Enoki, Elliot, Honolulu Man Pleads Guilty to Sabotaging Former Employer’s Computer Network, DOJ Us Attorney's Office, District of Hawaii, 28 September 2022. Available online at https://www.justice.gov/usao-hi/pr/honolulu-man-pleads-guilty-sabotaging-former-employer-s-computer-network.

Microsoft Eyes North Korean Hackers Weaponizing Open Source

Over the last few months, Microsoft's Threat Intelligence Center has been tracking an actor they label ZINC (also known as Labyrinth Chollima and BlackArtemis) using social engineering attacks against employees in media, defence, aerospace and IT in the US, UK, India and Russia. The attacker starts with LinkedIn connections as a way to build trust with victims, then switched to communication via WhatsApp, which they used to deliver their payloads with the lure of employment.

The payloads are weaponized versions of popular open-source programs including PuTTY, KiTTY, TightVNC. Sumatra PDF Reader and others, and the embedded payload is an obfuscated variant of the ZetaNile malware. This relates to a similar campaign reported by Mandiant earlier this month.

ZINC's goals are cyberespionage and theft of corporate data, but this attacker will also settle for personal data, financial gain and network disruption.

MSTIC and LinkedIn Threat Prevention and Defense, ZINC weaponizing open-source software, blog post, 29 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.