Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
More Fake Job Malmails Trigger Novel Kernel-Level Malware
Researchers at ESET have uncovered a new set of malware tools deployed by the North Korean APT Lazarus Group (a.k.a. HIDDEN COBRA, the group behind the Sony Pictures Entertainment breach and WannaCry). Most notable among these is the first recorded in-the-wild exploitation of CVE-2021-21551, a vulnerability in Dell's DBUtil driver (dbutil_2_3.sys) that gives an unprivileged user read and write access to kernel memory. Note that this is not a 0day: Dell patched the driver in May 2021, and the attackers bring the old, still validly signed driver with them and load it themselves. Having gained kernel read/write, the malware tampers with the Windows kernel's instrumentation mechanisms, such as kernel notification callbacks and Event Tracing for Windows, in ways ESET had not previously seen, blinding security products to low-level actions like process creation and disabling them on the compromised machine.
The delivery mechanism is the increasingly common one of fake job offers: in one case via LinkedIn messaging, in another via email. Opening the attached document triggers a chain of droppers, loaders, backdoors, uploaders and downloaders, in all cases trojanized open-source projects that decrypt an embedded payload using a block cipher with a long key passed as a command-line argument.
Kálnai, Peter, Amazon-themed campaigns of Lazarus in the Netherlands and Belgium, ESET We Live Security blog, 30 September 2022. Available online at https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/.
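Because the abused driver is a legitimately signed Dell binary, a signature check will not catch this "bring your own vulnerable driver" technique; what defenders can watch is the driver load itself. The following is an added example written for this briefing (it is not ESET's or Lazarus' code) that runs a simple detection over Sysmon Event ID 6 (DriverLoad) records, flagging loads of dbutil_2_3.sys by file name, loads whose SHA256 is on a denylist, and, as a weaker signal, driver loads from user-writable directories. The records are constructed in a simplified "Field=value;" form rather than the real XML, and the hash denylist holds a placeholder digest, not a real file hash.

```python
"""Detection check for BYOVD abuse of the Dell dbutil_2_3.sys driver (CVE-2021-21551)
over Sysmon Event ID 6 (DriverLoad) records.

Added example for this briefing; not ESET's or Lazarus' tooling.  The records below
are constructed, and the hash denylist holds a placeholder, not a real file hash."""
import re
from dataclasses import dataclass

# File name affected by CVE-2021-21551 (Dell advisory DSA-2021-088).
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}

# Constructed placeholder.  In practice populate this from the Microsoft vulnerable
# driver blocklist or loldrivers.io; Sysmon emits digests as uppercase hex.
VULNERABLE_DRIVER_SHA256 = {"A" * 64}

# Directories a kernel driver is rarely loaded from in a healthy build.  The Dell
# firmware utility itself drops dbutil_2_3.sys under %TEMP%, so this is only a
# secondary signal, not proof of abuse.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


@dataclass
class Finding:
    image: str
    severity: str
    reasons: list


def parse_event(record: str) -> dict:
    """Split 'Key=value;Key=value' into a dict.  The Hashes value itself contains
    '=' (e.g. SHA256=...), which the [^;]* value pattern keeps intact."""
    return {k: v.strip() for k, v in FIELD_RE.findall(record)}


def sha256_of(hashes_field: str):
    """Pull the SHA256 digest out of Sysmon's 'SHA1=..,SHA256=..' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().upper()
    return None


def assess(event: dict):
    """Return a Finding for one parsed DriverLoad event, or None if it is benign."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append("file name matches a CVE-2021-21551 driver")
    if sha256_of(event.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
        reasons.append("SHA256 is on the vulnerable-driver denylist")
    severity = "high" if reasons else None
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from a user-writable directory")
        severity = severity or "low"
    # Deliberately no check on Signed/SignatureStatus: a BYOVD driver carries a
    # valid vendor signature, so a good signature must not suppress the alert.
    if not reasons:
        return None
    return Finding(image, severity, reasons)


def scan(records):
    """Return findings for every record that merits attention."""
    findings = []
    for record in records:
        finding = assess(parse_event(record))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (simplified Sysmon Event ID 6 fields, placeholder hashes).
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys;Hashes=SHA256=" + "1" * 64
    + ";Signed=true;Signature=Microsoft Windows;SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\DBUtil_2_3.Sys;Hashes=SHA256="
    + "2" * 64 + ";Signed=true;Signature=Dell Inc.;SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\helper.sys;Hashes=SHA1=" + "3" * 40
    + ",SHA256=" + "A" * 64 + ";Signed=true;Signature=Some Vendor;SignatureStatus=Valid",
    "ImageLoaded=C:\\ProgramData\\Vendor\\vendordrv.sys;Hashes=SHA256=" + "4" * 64
    + ";Signed=true;Signature=Some Vendor;SignatureStatus=Valid",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}: {'; '.join(f.reasons)}")
```

Run against the constructed sample, the first record (ntfs.sys from System32) is ignored, the DBUtil load from a user's Temp directory is reported as high with two reasons, the denylisted hash is reported as high on its own, and the ProgramData load is reported as low. In a real deployment the same logic would be fed from the Sysmon operational log (or the equivalent EDR driver-load telemetry) rather than from embedded strings.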
Fake CISO Profiles on LinkedIn - Related?
In a possibly related story, blogger Brian Krebs has noted the creation of a large number of fake LinkedIn profiles for people occupying CISO positions at Fortune 500 companies. Krebs gives the example of a so-called 'Victor Sites' who claims to be CISO at Chevron; the real CISO is Christopher Lukas. Yet a Google search for the CISO of Chevron returns Sites as the first result.
Compounding the problem, a number of magazine journalists and bloggers are accepting the fake profiles as truth and republishing their information. LinkedIn is working on taking the fake profiles down, but seems to need a more robust process for validating claimed positions.
However, with the current burst of malmails and phishes making use of phony job offers at major companies, including via LinkedIn messaging, one can't help wondering . . .
Krebs, Brian, Fake CISO Profiles on LinkedIn Target Fortune 500s, blog post, 29 September 2022. Available online at https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/.
Ransomware Demands - Damned If You Do, Damned If You Don't
Enterprises that fall victim to ransomware attacks are often faced with a bleak choice: pay the ransom demand to recover, or refuse. Refusal might require significant cleanup, data recovery from backups and the possible loss of some data, but paying contributes funding to increasingly well-resourced gangs who can now afford to hire developers, buy 0day exploits and still live high on the hog, thereby making the problem worse and weakening our overall position.
The decision wasn't too hard in the early days, but the stakes have been raised by the now ubiquitous "double extortion" model, in which the attackers exfiltrate the data before encrypting it. Not paying the ransom now risks the exposure of possibly sensitive personal data and significant damage to lives, not just a financial hit. Governments have raised the possibility of making ransomware payments illegal, but cavil at the possibility of being blamed by an enterprise and its customers and patients that were legally blocked from forestalling a disastrous public exposure.
In the latest example, the Vice Society ransomware gang has published data which they had exfiltrated from the Los Angeles Unified School District, which had refused to pay an extortion demand, remaining "firm that dollars must be used to fund students and education" and pointing out that payment will not guarantee full recovery.
The 500 GB of data includes contact and legal documents, financial reports including bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students, according to TechCrunch.
Haber, Shannon, Los Angeles Unified Response on Cyberattack, press release, 30 September 2022. Available online at https://achieve.lausd.net/site/default.aspx?PageType=3&DomainID=4&ModuleInstanceID=4466&ViewID=6446EE88-D30C-497E-9316-3F8874B3E108&RenderLoc=0&FlexDataID=123107&PageID=1.
Carvalho, Alberto M., Thank you to our students, families and employees . . ., tweet, 3 October 2022. Available online at https://twitter.com/LAUSDSup/status/1576636549994717184.
Page, Carly, Hackers leak 500GB trove of data stolen during LAUSD ransomware attack, TechCrunch+, 3 October 2022. Available online at https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.