Blog entry by Les Bell

by Les Bell - Monday, 17 October 2022, 5:58 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Dutch Police Exploit Bitcoin Slowness to Recover Ransomware Keys

The Dutch National Police have recovered over 150 ransomware decryption keys from the DeadBolt ransomware gang and, presumably, restored file access for the victims. The technique they used was suggested by security firm Responders.NU and relies on the way in which Bitcoin confirms transactions.

After a Bitcoin node verifies a transaction, it relays the transaction to its neighbours. Sooner or later, the transaction is picked up by Bitcoin miners, who assemble it into a candidate block and then try to validate the block, which typically takes around ten minutes. Once one miner succeeds, the block is incorporated into the blockchain and broadcast. However, a transaction is not considered irreversible until it is six blocks deep in the blockchain, which takes around an hour; only then is it confirmed.

Therein lies the problem for the DeadBolt gang: when a victim paid the ransom, DeadBolt's automated system would reply with a Bitcoin transaction containing the decryption key, without waiting for the payment to be confirmed. The police then simply cancelled the original transactions. Together with the police, Responders.NU created a website (https://deadbolt.responders.nu/) where DeadBolt victims who have not yet been identified can check whether their key is one of those recovered.

It was nice while it lasted, but inevitably, the gang discovered what was going on and modified their system to require Bitcoin confirmation.
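The decision DeadBolt's automation got wrong is the same one any system that acts on an incoming Bitcoin payment has to make: release on sight, or wait for confirmation depth. The toy simulation below (an added example, not code from the police, Responders.NU or the gang) models a chain of mined blocks plus the mempool, and shows a payment in the mempool being pulled back after a release-on-sight policy has already fired, while a six-deep payment cannot be. The block layout and transaction ids are constructed for the illustration.

```go
package main

import "fmt"

// Chain is a toy view of the Bitcoin network as a payee's automation sees it:
// mined blocks (index 0 oldest), each a list of transaction ids, plus the
// mempool of transactions that have been relayed but not yet mined.
type Chain struct {
	Blocks  [][]string
	Mempool map[string]bool
}

// Confirmations reports how deep txID is: 1 for the tip block, 6 when five
// blocks sit on top of it, 0 if only in the mempool, -1 if never seen.
func (c *Chain) Confirmations(txID string) int {
	for i := len(c.Blocks) - 1; i >= 0; i-- {
		for _, id := range c.Blocks[i] {
			if id == txID {
				return len(c.Blocks) - i
			}
		}
	}
	if c.Mempool[txID] {
		return 0
	}
	return -1
}

// ReleaseOnSight is the DeadBolt policy: act as soon as a payment is relayed.
func ReleaseOnSight(c *Chain, txID string) bool { return c.Confirmations(txID) >= 0 }

// ReleaseWhenFinal waits until the payment is six blocks deep (about an hour).
func ReleaseWhenFinal(c *Chain, txID string) bool { return c.Confirmations(txID) >= 6 }

// Cancel drops a transaction that is still in the mempool, which the payer can
// do before it is mined; a mined transaction cannot be pulled back this way.
func (c *Chain) Cancel(txID string) bool {
	if !c.Mempool[txID] {
		return false
	}
	delete(c.Mempool, txID)
	return true
}

func main() {
	// Constructed scenario: pay1 is relayed but unmined; pay0 is six blocks deep.
	c := &Chain{Blocks: [][]string{{"pay0"}, {}, {}, {}, {}, {}}, Mempool: map[string]bool{"pay1": true}}
	fmt.Println(ReleaseOnSight(c, "pay1"), c.Cancel("pay1"), ReleaseWhenFinal(c, "pay1")) // true true false
	fmt.Println(ReleaseWhenFinal(c, "pay0"), c.Cancel("pay0"))                            // true false
}
```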

Uncredited, Unique intervention on ransomware gang Deadbolt, news release, 14 October 2022. Available online at https://www.politie.nl/nieuws/2022/oktober/14/09-nederlandse-gedupeerde-geholpen-in-unieke-ransomware-actie.html.

Magniber Ransomware Spreads As JavaScript

Because it needs access to low-level operating system APIs to perform file encryption - not to mention disabling protection features like Windows' Volume Shadow Copy service - ransomware generally needs to be a native binary executable, and will often rely upon some other exploit code to perform the initial infection.

However, in September HP Wolf Security detected a ransomware campaign that targeted home users with a website drive-by attack, using a ZIP file containing JavaScript code which would masquerade as a software update. The JavaScript code used a twist on the DotNetToJScript technique, allowing it to assemble and run a .NET executable in memory. The advantage of this technique is that by not creating a file, the malware evades detection tools that monitor file creation, and also leaves nothing behind on disk for analysts to use. The .NET code also de-obfuscates some shellcode and injects it into another process, which then runs the actual ransomware code.

From here, the code follows the well-trodden path of disabling backup and recovery features, then encrypting files before placing a ransom note in each directory and opening a browser window to display it.

Although this campaign targeted home users, enterprises can expect similar attacks as other groups pick up on this fileless approach to evading detection. The report from HP Threat Research provides further details, including IOCs.

Schläpfer, Patrick, Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates, blog post, 13 October 2022. Available online at https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/.

Microsoft Office Coders Make Rookie Crypto Mistake

Attendees at our SE221 CISSP Fast Track courses are familiar with the various techniques (OpenPGP, S/MIME, etc.) which are used for end-to-end email security. Equally, they are familiar with the dangers of using ECB (Electronic Code Book) mode with symmetric block ciphers: ECB is vulnerable to a variety of attacks - especially chosen-plaintext and chosen-ciphertext attacks - but worst of all will leak information when used to encrypt plaintext that has large-scale structure built from repeated small sequences of data, such as bitmapped graphics.

This has caused lots of problems over the years - for example, when everyone switched to Zooming from home in 2020, it didn't take long for someone to discover that Zoom was using ECB mode to encrypt video and audio. Adobe's giant data breach of 2013 - which affected over 3 million customers - was, at base, down to exactly the same problem.

But the Redmondites have always considered themselves the smartest men in the room, and so everyone else's experience didn't stop them from using ECB mode in Office Message Encryption (OME) and - worst of all - sticking with it despite the risks. Now Finnish security consultancy WithSecure has pointed this out to the world, and also reported it as a vulnerability to Microsoft - only to be told,

"The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report."

At the very least, the Microsofties should have used Cipher Block Chaining (CBC) mode, although they would probably have shot themselves in the foot with a weak way of selecting an initialization vector. Better still, use Galois/Counter Mode (GCM), which is both efficient and also provides authenticity of origin. There is no mitigation, short of switching to S/MIME or OpenPGP email encryption; that will at least limit the impact to Microsoft's reputation.
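To make the ECB leak concrete, the following Go program (an added example, not code from WithSecure, Microsoft or OME) encrypts a constructed "bitmap" of repeated rows under AES-ECB and under AES-GCM with the same key, counts the ciphertext blocks that repeat an earlier block, and then checks that GCM rejects a single flipped bit where ECB would decrypt it silently. The plaintext, key and nonce are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed plaintext standing in for a bitmap: 8 identical rows of one
// value, then 4 identical rows of another, each row exactly one AES block.
var plaintext = append(bytes.Repeat([]byte("ROW-OF-WHITE-PXL"), 8),
	bytes.Repeat([]byte("ROW-OF-BLACK-PXL"), 4)...)

// ecbEncrypt is all ECB mode is: the raw block function applied to each
// 16-byte block independently, so equal plaintext blocks give equal output.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	out := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		b.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// duplicateBlocks counts 16-byte ciphertext blocks equal to an earlier one;
// any non-zero count is plaintext structure leaking through the encryption.
func duplicateBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		blk := string(ct[i : i+aes.BlockSize])
		if seen[blk] { n++ }
		seen[blk] = true
	}
	return n
}

// compare encrypts plaintext under ECB and under GCM with the same key, reports the
// duplicate-block count for each, and whether GCM's tag check rejects one flipped bit.
func compare(key, nonce []byte) (ecbDups, gcmDups int, tamperDetected bool) {
	b, err := aes.NewCipher(key)
	if err != nil { panic(err) } // key must be 16, 24 or 32 bytes
	g, err := cipher.NewGCM(b)
	if err != nil { panic(err) } // nonce must never repeat under one key
	ecbDups = duplicateBlocks(ecbEncrypt(b, plaintext))
	ct := g.Seal(nil, nonce, plaintext, nil) // ciphertext with 16-byte tag appended
	gcmDups = duplicateBlocks(ct)
	ct[0] ^= 1 // flip one bit; ECB has no tag and would decrypt this silently
	_, err = g.Open(nil, nonce, ct, nil)
	return ecbDups, gcmDups, err != nil
}
```

With a 16-byte key and 12-byte nonce, compare returns 10 duplicate blocks for ECB (the seven repeated white rows plus the three repeated black rows), none for GCM, and a tamper detection of true.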

Sintonen, Harry, Microsoft Office 365 Message Encryption Insecure Mode of Operation, blog post, 14 October 2022. Available online at https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation.

Woolworths Suffers Data Breach, Medibank Hit By Ransomware?

Two more Australian companies have disclosed cyber-attacks. Supermarket giant Woolworths lost control of an estimated 2.2 million customer records via the MyDeal online shopping site, of which it acquired 80% in September. While only the email addresses were leaked for 1.2 million customers, roughly a further million also had their names, phone numbers, delivery addresses and, in some cases, birth dates exposed.

The saving grace for Woolworths is that MyDeal operates on a completely separate platform from the parent company. It seems that access was gained via compromised user credentials - perhaps a phishing attack?

And on Wednesday of last week, insurance group Medibank "detected unusual activity on its network" and by the following morning had taken immediate containment actions as well as engaging external assistance. The insurer shut down some customer-facing systems and also cut them off from internal customer support staff.

The affected systems seem to have been restricted to their 'ahm' general insurance subsidiary as well as health insurance for international students. By late Friday, the company had restored services and stated that "we have found no evidence that our customer data has been accessed".

Details are scant, but to the less-than-casual observer, this incident just screams ransomware. Let's hope they're right about exfiltration . . .

AAP, Woolworths says 2.2 million MyDeal customers' details exposed in data breach, The Guardian, 15 October 2022. Available online at https://www.theguardian.com/australia-news/2022/oct/15/woolworths-says-22-million-mydeal-customers-details-exposed-in-data-breach.

Uncredited, Medibank cyber incident - Important information for our customers, web page, 14 October 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.


News for CISSPs


(ISC)2 Moving to Eliminate Board Elections?

The International Information Systems Security Certification Consortium, (ISC)2, which oversees the CISSP, CCSP and other industry certifications, came under criticism from members a few weeks ago for the fact it put forward five candidates - and only five candidates - for the five open board positions, despite the fact that many others had nominated for the election.

At a subsequent Town Hall, the CEO dismissed concerns, stating that the board needed more representation from non-US members (although many of the nominees discounted were from outside the US). Now it seems that the organization is further seeking to disenfranchise the membership, with a number of questionable amendments to the bylaws, which 'members' will have to vote on over the next month, starting on 16 October.

Some of the changes are fairly obvious and sensible, but towards the end of the list they become contentious, especially this section:

Updates related to future Board of Directors elections include:

  • Changing election language to clarify that the Board of Directors will submit a slate of qualified candidates to the membership equal to the number of open seats
  • Modifying the signed written petition rules to require 1% of overall membership in good standing
  • Removing the option for a write-in candidate

Finally, the last change is to the annual meeting of the members which updates the right of petition language from 500 signatures to 1% of the global membership in good standing, to align with the updated petition requirement for elections.

Note that this not only enshrines the unpopular practice of the Board selecting the election candidates, but also raises the bar for petitions from 500 signatures to 1% of the overall membership - which equates to approximately 1500 signatures, which is going to be impossible in practice (especially outside the US).

Concerned CISSP Stephen Mencik has proposed an alternative set of changes to the bylaws, including the addition of external directors (with particular responsibility for the Ethics subcommittee), improved remote participation (to encourage international diversity) and especially more openness and transparency in the board election process. Mr. Mencik is seeking support (500 signatures required - for now) and interested readers are encouraged to review his proposals and endorse them, at https://jsweb.net/isc2/.

In any case, we recommend that readers who are certified take time to read the details of the proposed changes to bylaws, including the full 35 pages of the 2022 Annual Meeting and Bylaws Proxy Materials (below), and carefully consider them before voting.

(ISC)2 Management, Proposed Amendments to (ISC)2 Bylaws - Member Vote Opens Soon, blog post, 7 October 2022. Available online at https://blog.isc2.org/isc2_blog/2022/10/proposed-amendments-to-isc2-bylaws-member-vote-opens-soon.html.

Proxy Materials for Annual Meeting of the Members, International Information Systems Security Certification Consortium, Inc, 5 October 2022. Available online at https://www.isc2.org/-/media/956A62F1A1084D45A6D3AF4AC9E25EFA.ashx.

Mencik, Stephen, ISC2 By-Laws Changes Proposal, web page and petition form, undated. Available online at https://jsweb.net/isc2/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
