Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Fashion Company Fined for Privacy Breach Coverup

The parent company of women's fashion site Shein has been $US1.9 million following an investigation by the Attorney General's office in New York State. The investigation found that the company had failed to properly safeguard customer data, using a weak hashing algorithm, storing some credit details as plaintext and failing to reset customer passwords or otherwise protect accounts following the breach.

Shein minimized the impact of the breach, stating only that the names, email addresses and "encrypted password credentials" of approximately 6.42 million customers had been stolen. In fact, 39 million accounts were exposed, worldwide, with only a small fraction being notified. Worse still, the claim that the company had "seen no evidence that credit card information was taken from our systems" was blatantly false, since it was unaware of the breach until notified by a payment processor that its systems appeared to have been compromised and card data stolen.

The company, Zoetop Business Company, Ltd, will now have to maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice and prompt password resets.

Cluely, Graham, Fine for Shein! Fashion site hit with $1.9 million bill after lying about data breach, Bitdefender blog, 18 October 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/fine-for-shein-fashion-site-hit-with-1-9-million-bill-after-lying-about-data-breach/.

PHP Infostealer Masquerades as Cracked Software Installer

The Ducktail Infostealer has been operating since late 2021, and is attributed to an otherwise unidentfied Vietnames threat group. It was based on a binary written using .NetCore, and used a Telegram channel for C2. The campaign targeted users with access to their employers' Facebook Business accounts, with the intent of stealing data and hijacking the accounts.

A new variant has now emerged, written - somewhat curiously - in the PHP programming language. The malware masquerades as a free or cracked installer for a variety of applications, including games, Microsoft Office, Telegram and other programs, and is distributed in ZIP file format via a number of file sharing platforms. The new version looks for a broader range of information, including browser cookies, cryptocurrency account information and more, although it  still searches Facebook Business accounts and related pages. The new variant also has a new C2 mechanism, exchanging JSON messages with a dedicated web server, where it also stores exfiltrated data.

Dewan, Tarun and Stuti Chaturvedi, New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts, Zscaler blog, 13 October 2022. Available online at https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts.

Red Team / Blue Team Visualization Tool

The US Cybersecurity & Infrastructure Security Agency has released RedEye, an interactive open-source analytic tool to visualize and report red team command and control activities. RedEye allows Blue Teamers to quickly assess complex data and evaluate mitigation strategies, enabling effective decision making.

CISA, RedEye -visualizing Penetration Testing Engagements, YouTube video, 15 October 2022. Available online at https://www.youtube.com/watch?embed=no&v=b_ARIVl4BkQ.

cisagov, RedEye, GitHub repository, 15 October 2022. Available online at https://github.com/cisagov/RedEye/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.