Blog entry by Les Bell

by Les Bell - Saturday, 8 October 2022, 6:51 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


How to Not Be an Easy Mark for China

The NSA, FBI and Cybersecurity & Infrastructure Security Agency have issued an Alert which usefully lists the top vulnerabilities exploited by Chinese state-sponsored threat actors. The advisory lists each vuln with vendor, CVE number and vulnerability type - with remote code execution being the most popular type of vulnerability, for obvious reasons.

A list of suggested mitigations is also given, but the most basic message, as always, applies: patch, patch, patch. Topping the list is the venerable Log4j vulnerability, which is still being actively exploited. A proactive vulnerability management and patch management program would prevent the vast bulk of exploits, unless you are singled out for the 0day treatment.

Uncredited, Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors, Alert AA22-279A, 6 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-279a/.

Russian Group Offers Malware-as-a-Service

Eternity (EternityTeam, Eternity Project) appeared around January 2022, offering a variety of malware, including an infostealer, cryptominer, botnet, and a DDoS bot. Now, the group has assembled its set of tools into a single multifunction bot called Lilithbot which it is selling on a subscription basis via a Telegram channel.

The Russian threat group has continually enhanced its software, adding antiforensics and other capabilities, including ransomware functionality (with video-based training for the customer). Researchers at Zscaler have analysed a sample of the malware and its C2 network, providing IOCs in their report.

Jain, Shatak and Aditya Sharma, Analysis of LilithBot and Eternity Threat Group, Zscaler blog, 5 October 2022. Available online at https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group.

Identity Service Dex Patches Consent Page Vulnerability

Open-source identity service Dex acts as a front end to other identity providers, mapping the OpenID Connect protocol to other identity protocols such as LDAP, SAML, OAuth 2.0 and Active Directory. Researchers recently discovered a vulnerability in the implementation of the Dex consent page which - if a user has previously authenticated - can be used by a malicious web site to steal an OAuth authorization code and exchange it for an access token.

This will allow the attacker to masquerade as the user, gaining full access to the user's applications - and because the exploit can be repeated, they can renew the token as required. The fix, which adds an HMAC to the protocol, has been added to Dex version 2.35.0 and later (2.35.1 required for the Google connector).
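An added illustration of the general technique the fix relies on, not Dex's own code: a toy consent endpoint that first accepts any approval carrying a known request id, then the corrected version that only completes the flow when the approval carries a server-keyed HMAC over that request id, which only the consent page it rendered could have included. All names and values here are constructed.

```python
import hashlib
import hmac
import secrets


class ConsentEndpoint:
    """Toy OAuth consent flow (constructed illustration, not Dex's code)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side secret, never sent to clients
        self._pending = {}                    # auth request id -> request details

    def begin(self, client_id, redirect_uri, user):
        """Record the authorization request after the user has authenticated."""
        req_id = secrets.token_urlsafe(16)
        self._pending[req_id] = {"client": client_id, "redirect": redirect_uri, "user": user}
        return req_id

    def _tag(self, req_id):
        """HMAC over the request id; only the server holds the key to compute it."""
        return hmac.new(self._key, req_id.encode(), hashlib.sha256).hexdigest()

    def render_consent_page(self, req_id):
        """The form the real user sees carries both the request id and its tag."""
        return {"req": req_id, "hmac": self._tag(req_id)}

    def approve_unprotected(self, req_id):
        """Weak design: completes the flow for any known request id, so an
        approval that never went through the consent page is still accepted."""
        return self._issue_code(req_id) if req_id in self._pending else None

    def approve_protected(self, req_id, tag):
        """Fixed design: the approval must carry the tag the consent page was given."""
        if req_id not in self._pending:
            return None
        if not hmac.compare_digest(tag, self._tag(req_id)):
            return None
        return self._issue_code(req_id)

    def _issue_code(self, req_id):
        req = self._pending.pop(req_id)           # single use: code issued once per request
        return {"code": secrets.token_urlsafe(24), "redirect": req["redirect"]}


def demo():
    """Returns (weak design accepts, fixed rejects bad tag, fixed accepts good tag)."""
    srv = ConsentEndpoint()
    req = srv.begin("public-client", "https://app.example/cb", "alice")
    forged = srv.approve_unprotected(req)             # accepted without the consent page
    req2 = srv.begin("public-client", "https://app.example/cb", "alice")
    without_tag = srv.approve_protected(req2, "0" * 64)   # rejected
    with_tag = srv.approve_protected(req2, srv.render_consent_page(req2)["hmac"])
    return forged is not None, without_tag is None, with_tag is not None
```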

Woollacott, Emma, Dex patches authentication bug that enabled unauthorized access to client applications, The Daily Swig, 6 October 2022. Available online at https://portswigger.net/daily-swig/dex-patches-authentication-bug-that-enabled-unauthorized-access-to-client-applications.

Android & iOS Apps Steal Facebook Logins

A perennial problem, for some users, is the recurring compromise of their Facebook accounts. "Don't open any messages from me - I've been hacked!", is a common refrain on the social media platform. Often, their account has simply been cloned, but in other cases, their credentials have been stolen, and they wonder how.

Facebook parent Meta has now identified more than 400 malicious Android and iOS apps that steal Facebook credentials. A variety of apps were found, including photo editors, games, health and lifestyle apps, business or ad management apps and, of course, that old classic: the flashlight app that does nothing but turn a light on and off, yet requires a 40 MByte download and every permission to do it.

The Meta researchers are working with Google and Apple to notify affected users, and their blog article includes IoCs so researchers who care can investigate further. For users, there's a lot to be said for multi-factor authentication - not to mention not downloading silly apps.

Agranovich, David and Ryan Victory, Protecting People From Malicious Account Compromise Apps, blog post, 7 October 2022. Available online at https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
