Blog entry by Les Bell

by Les Bell - Thursday, October 6, 2022, 9:19 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Browser Application Mode Enables Phishing

Application mode is a feature of Chromium-based browsers such as Google Chrome, Microsoft Edge and Brave. It allows web developers to create applications which launch and run in a browser window with no URL bar, toolbars or menu, and which display a website's favicon, rather than the browser icon, in the Windows taskbar. The browser's app mode is launched with the --app command line argument, which can also specify a target URL - which may be an https:// URL or a file:// URL for locally-sourced content (bypassing firewall filtering).

Security researcher mr. d0x has demonstrated how this can be used to create fake login forms which can be launched from a Windows shortcut .lnk file - a favourite technique of threat actors for launching loaders and other malware. With a little HTML, CSS and JavaScript, just about any login prompt can be impersonated.

mr. d0x, Phishing With Chromium's Application Mode, blog post, 1 October 2022. Available online at https://mrd0x.com/phishing-with-chromium-application-mode/.
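From the defender's side, the useful signal in the technique above is the --app switch itself: a Chromium browser started in application mode with a file:// target, or with a target host nobody approved, is worth a look. The Python below is an added example (not code from mr. d0x's post) that applies that triage rule to a few constructed process-creation records; the field names (image, parent_image, cmdline) and the allow-listed intranet host are assumptions, not any particular product's schema.

```python
import re
from urllib.parse import urlparse

# Chromium-based browsers that honour the --app command-line switch.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}

# Hypothetical allow-list of intranet hosts that are legitimately deployed as app-mode shortcuts.
ALLOWED_APP_HOSTS = {"intranet.example.internal"}

# Matches --app=URL, --app="URL with spaces" or --app URL (case-insensitive).
# --app-id=... does not match because the switch must be followed by '=' or whitespace.
APP_SWITCH = re.compile(r'--app(?:=|\s+)(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def app_mode_url(cmdline):
    """Return the URL passed to --app, or None if the browser was not started in app mode."""
    m = APP_SWITCH.search(cmdline)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def assess(event):
    """Classify one process-creation event.

    Returns None when the event is not an app-mode browser launch, otherwise
    "high" (file:// content rendered with no URL bar), "medium" (remote URL
    that is not an approved internal app) or "low" (approved host).
    """
    if basename(event["image"]) not in CHROMIUM_BROWSERS:
        return None
    url = app_mode_url(event["cmdline"])
    if url is None:
        return None
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file":
        return "high"
    if (parsed.hostname or "").lower() not in ALLOWED_APP_HOSTS:
        return "medium"
    return "low"


# Constructed sample events (field names modelled loosely on Sysmon/4688 data; not real telemetry).
EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=file:///C:/Users/alice/AppData/Local/Temp/login.html'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=https://intranet.example.internal/portal'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://sso.example-lookalike.test/login?ref=hr"'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com/'},
]


def scan(events):
    """Return (index, severity) for every app-mode launch worth reviewing."""
    return [(i, sev) for i, e in enumerate(events) if (sev := assess(e)) is not None]


if __name__ == "__main__":
    for i, sev in scan(EVENTS):
        print(f"event {i}: {sev} - {EVENTS[i]['cmdline']}")
```

Note that the parent process is deliberately not used as a signal: a shortcut on the desktop and a pinned, legitimately deployed web app are both started by explorer.exe, so only the scheme and destination of the --app target separate the two.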

CISA Alert Details Impacket Network Manipulation, CovalentStealer Exfiltration

The US Cybersecurity & Infrastructure Security Agency, along with the FBI and the NSA, has issued a joint advisory detailing the TTPs and IOCs they observed during response to what turned out to be the activities of multiple APTs who had compromised a defense contractor's enterprise network.

Initial compromise was gained via a Microsoft Exchange server, perhaps as early as January of 2021. A compromised admin account was then used to access the Exchange server's API, and this was followed by a series of commands to survey the system and network, as well as the collection of sensitive files. By March, the attackers had installed 17 China Chopper webshells on the Exchange server, as well as the HyperBro remote access trojan, and were pivoting to other systems.

The lateral movement was primarily achieved using the Impacket open-source toolkit, which allows remote command execution via the Windows Management Instrumentation (WMI) API and protocols. This was followed by privilege escalation and more plundering of users' Exchange mailboxes.

Exfiltration of the data was achieved using CovalentStealer, which can automatically collect files from selected file paths, along with user credentials, then exfiltrate them to a Microsoft OneDrive cloud folder, all under the control of a configuration file.

Uncredited, Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, Alert AA22-277A, 4 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-277a.
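One practical thing a defender can take from the advisory's description of WMI-based lateral movement is to watch the WMI provider host: remote command execution over WMI results in the requested command being spawned as a child of WmiPrvSE.exe. The Python below is an added example, not code from the CISA alert or from Impacket, that triages constructed process-creation records on that basis. The record field names are assumptions; the first sample command line is constructed to follow the default shape Impacket's wmiexec uses, in which the command's output is redirected to a file on the ADMIN$ share so the tool can read it back over SMB.

```python
import re

# WMI provider host: commands executed remotely over WMI appear as children of this process.
WMI_PROVIDER_HOST = "wmiprvse.exe"
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}

# Output redirected to a file on the ADMIN$ share, e.g. "1> \\127.0.0.1\ADMIN$\__1664870000.12 2>&1".
# Management tooling rarely needs to round-trip command output through the admin share this way.
ADMIN_SHARE_REDIRECT = re.compile(r'[12]?>\s*\\\\[\w.-]+\\ADMIN\$\\', re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess_wmi_spawn(event):
    """Classify one process-creation event.

    None     - not a shell spawned by the WMI provider host
    "medium" - WmiPrvSE.exe started a shell (legitimate management tooling does this too)
    "high"   - ... and the command redirects its output to the ADMIN$ share
    """
    if basename(event["parent_image"]) != WMI_PROVIDER_HOST:
        return None
    if basename(event["image"]) not in INTERACTIVE_SHELLS:
        return None
    if ADMIN_SHARE_REDIRECT.search(event["cmdline"]):
        return "high"
    return "medium"


# Constructed sample events; not real telemetry.
EVENTS = [
    # Shape of the command line Impacket's wmiexec issues by default.
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1664870000.12 2>&1',
     "user": "CORP\\svc_backup"},
    # WMI-launched command with no output redirection: possibly management software, possibly not.
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ipconfig /all',
     "user": "CORP\\sccm_svc"},
    # Ordinary user shell, parent is Explorer.
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"',
     "user": "CORP\\alice"},
    # WMI provider host starting a non-shell binary, e.g. a software deployment.
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i agent.msi /qn',
     "user": "NT AUTHORITY\\SYSTEM"},
]


def scan(events):
    """Return (index, severity) for each WMI-spawned shell worth reviewing."""
    return [(i, sev) for i, e in enumerate(events) if (sev := assess_wmi_spawn(e)) is not None]


if __name__ == "__main__":
    for i, sev in scan(EVENTS):
        print(f"event {i}: {sev} - {EVENTS[i]['user']} - {EVENTS[i]['cmdline']}")
```

The "medium" tier exists because WmiPrvSE.exe launching cmd.exe is also what SCCM scripts, monitoring agents and administrators' own remote sessions look like; in practice that tier is tuned by baselining which accounts and source hosts normally generate it, while the ADMIN$ redirect pattern is specific enough to page on directly.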

Online Fraudster Jailed for 25 Years

A Norcross, GA man who had banked over $US9.5 million from business email compromise, romance scams and other online frauds has been sentenced to 25 years in a federal prison for his money laundering activities. Starting in October 2018, Elvis Eghosa Ogiekpolor had, in conjunction with the money mules he directed, opened at least 50 fraudulent business bank accounts in the name of a dozen sham companies to receive the proceeds from multiple BEC scams and romance frauds. The funds were withdrawn as cash and cashier's checks, and hundreds of thousands of dollars were wired overseas.

Multiple romance fraud victims testified at trial; one was convinced to wire $US32,000 to one of Ogiekpolor's accounts because her 'boyfriend' - actually one of Ogiekpolor's co-conspirators - claimed a part of his oil rig needed to be replaced but that his bank account was frozen. She had borrowed the funds against her retirement and savings, which ultimately required her to refinance her home to repay the loan. Another victim transferred almost $US70,000 on the strength of a similar 'frozen bank account' excuse.

Several of Ogiekpolor's co-conspirators have already been convicted.

Uncredited, Georgia man who laundered millions from romance scams, Business Email Compromises, and other online fraud receives 25-year sentence, press release, 3 October 2022. Available online at https://www.justice.gov/usao-ndga/pr/georgia-man-who-laundered-millions-romance-scams-business-email-compromises-and-other.

Vm2 Vuln Allows Sandbox RCE Breakout

A common control for servers running Node.js workloads is to run untrusted code in vm2, a popular JavaScript sandbox, thereby isolating the server from any vulnerability in that code. But what if there is a vulnerability in the sandbox code itself?

That was the question Oxeye security researchers Gal Goldshtein and Yuval Ostrovsky asked themselves, and they answered it by starting with an analysis of vulnerabilities previously found in the software. Realizing that a previous bug reporter had exploited the Node.js error mechanism to escape the sandbox, they searched for similar channels between the sandbox and the underlying OS - and found one in the exception handling code.

The vulnerability they found allows remote code execution on the host server, and merits a CVSS score of 10.0. There is no mitigation, other than updating to the latest release of vm2.

Dickson, Ben, JavaScript sandbox vm2 remediates remote code execution risk, The Daily Swig, 4 October 2022. Available online at https://portswigger.net/daily-swig/javascript-sandbox-vm2-remediates-remote-code-execution-risk.

Google Hacking Video Series

A rather nice new series of docudramas, with obviously high production values, has been released by Google. The series of six stories (plus trailers and bonus episode) looks at various security teams inside Google as they respond to attacks by a nation-state actor, perform red-team penetration testing, and try to find 0day exploits.

Google, HACKING GOOGLE, video playlist, 4 October 2022. Available online at https://g.co/safety/HACKINGGOOGLE.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
