Blog entry by Les Bell

by Les Bell - Friday, 21 October 2022, 9:18 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cyber-Espionage Group Deploys New PowerShell Backdoor

Researchers at SafeBreach have discovered what appears to be a previously unknown ("fully undetectable") PowerShell backdoor, delivered by a malicious Word document macro which launches PowerShell scripts to infect the system. The Word document superficially looks like a job application form called "Apply Form.docm", but enabling editing runs a macro which drops a Visual Basic script and creates a scheduled task to run it, masquerading as part of the Windows update process.

It also creates two PowerShell scripts, the first of which connects to the attacker's C2 server, establishing a channel encrypted with AES-256-CBC. The second script decrypts and executes the received commands, then uploads the results over the same channel.

Taking advantage of some elementary errors by the attackers (a single AES key for all victims and predictable victim IDs), the SafeBreach researchers were able to retrieve the commands queued for the 69 or so victims; the vast majority were for exfiltration of data, while the remainder were mostly for user and system enumeration, including listing network and RDP connections.
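The persistence described above (a script-host task dropped by a macro and named to blend in with Windows Update) is something a blue team can hunt for in Windows Security event 4698 (scheduled task created), whose TaskContent field carries the task's XML definition. The following is an added example for this briefing, not SafeBreach's code or the malware's; the event records, task names, paths and user names are constructed, and the scoring thresholds are illustrative assumptions.

```python
"""Hunt scheduled-task creation events for loaders masquerading as Windows Update.

Added example; not code from SafeBreach or from the backdoor it describes.
Event records below are constructed to resemble Security event 4698 TaskContent.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and shells a macro-dropped loader typically chains through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe"}

# Directories an unprivileged user can write to; genuine Windows Update
# tasks never execute scripts from these locations.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|documents|desktop)|"
    r"\\programdata\\|\\temp\\|%appdata%|%temp%|%localappdata%)",
    re.IGNORECASE,
)

# Task names that borrow Windows Update vocabulary to blend in.
UPDATE_LOOKALIKE = re.compile(r"update|wuauclt|usoclient|wuapp", re.IGNORECASE)


def parse_task_4698(task_name, task_xml):
    """Extract every Exec action (command, arguments) from a 4698 TaskContent XML."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    return {"name": task_name, "actions": actions}


def score_task(task):
    """Return the reasons a task looks like a masquerading script loader."""
    reasons = []
    for cmd, args in task["actions"]:
        exe = cmd.replace('"', "").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("runs from user-writable path")
    # An update-like name only matters when combined with another indicator;
    # real Windows Update tasks are named this way too.
    if UPDATE_LOOKALIKE.search(task["name"]) and reasons:
        reasons.append("name imitates Windows Update")
    return reasons


def hunt(events, min_reasons=2):
    """Return {task_name: reasons} for 4698 events with at least min_reasons indicators.

    The threshold of 2 is an assumption chosen to keep a lone PowerShell
    task from a system path (common for admin scripts) out of the results.
    """
    findings = {}
    for name, xml in events:
        reasons = score_task(parse_task_4698(name, xml))
        if len(reasons) >= min_reasons:
            findings[name] = reasons
    return findings


def _task(cmd, args):
    """Build a minimal TaskContent document (constructed test data)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Actions Context=\"Author\"><Exec><Command>{cmd}</Command>"
        f"<Arguments>{args}</Arguments></Exec></Actions></Task>"
    )


# Constructed sample events: (task name, TaskContent XML).
SAMPLE_EVENTS = [
    # A VBS dropped under AppData, run by wscript, with an update-themed name.
    (r"\Microsoft\Windows\WindowsUpdate\UpdateCheck",
     _task(r"C:\Windows\System32\wscript.exe",
           r"//B //nologo C:\Users\alice\AppData\Roaming\Microsoft\update.vbs")),
    # A genuine-looking Update Orchestrator task: update name, but no script host.
    (r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     _task(r"%systemroot%\system32\usoclient.exe", "StartScan")),
    # An admin backup script run by PowerShell from a system-owned directory.
    (r"\Backup\NightlyCopy",
     _task(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"-File C:\Scripts\backup.ps1")),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

Run against the constructed events, only the first task is reported (script host, user-writable path and an update-like name); the orchestrator task and the admin backup script each trip at most one indicator and are left alone. In production, feed the function from a SIEM export of event 4698 and extend USER_WRITABLE with the paths your own imaging leaves world-writable.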

Bar, Tomer, SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor, blog post, 18 October 2022. Available online https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/.

Microsoft Misconfiguration Exposes Customer Data

Microsoft Security Response Center has disclosed a vulnerability which exposed data - primarily contact details and email contents - relating to customers' relationships with Microsoft and its business partners. The vulnerability was a misconfiguration which allowed unauthenticated access to a Microsoft Azure Blob Storage endpoint. Curiously, MSRC states that the "endpoint is not in use across the Microsoft ecosystem", which sounds like a classic example of improper API asset management: an endpoint nobody remembered was still serving data.

MSRC also states that "our investigation found no indication customer accounts or systems were compromised" and the affected customers have been notified.

However, Microsoft also takes issue with the way in which the researchers who discovered the exposure disclosed it, claiming they overstated the scope of the issue and, by making the data searchable, made the problem worse. SOCRadar had claimed that sensitive customer information, including product orders and offers, project details and IP for over 65,000 entities in 111 countries, going back five years, was exposed.
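Anonymous access to a blob container is trivial to check from the outside, which is exactly why forgotten endpoints get found by third parties first. The following is an added example for this briefing, not Microsoft's or SOCRadar's tooling: it builds the real Azure Blob REST listing URL, classifies the response, and parses the EnumerationResults document a publicly listable container returns. The account name, container name and sample response are constructed; the live probe is optional and needs network access.

```python
"""Check whether an Azure Blob container allows unauthenticated listing.

Added example; not code from Microsoft, MSRC or SOCRadar.
Account/container names and the sample XML response are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def listing_url(account, container):
    """Anonymous container-listing URL (the real Blob Storage REST endpoint)."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")


def parse_listing(xml_body):
    """Return blob names from an EnumerationResults document (no XML namespace)."""
    root = ET.fromstring(xml_body)
    return [blob.findtext("Name") for blob in root.iterfind("./Blobs/Blob")]


def classify(status, body):
    """Classify an anonymous listing attempt.

    200 with EnumerationResults means public access is set to "container":
    anyone can enumerate every blob. Anything else (Azure answers 404 or an
    error document for private containers) means listing is not anonymous,
    although individual blobs may still be readable if access is "blob".
    """
    if status == 200 and b"<EnumerationResults" in body:
        return ("PUBLIC_LISTING", parse_listing(body))
    return ("NO_ANONYMOUS_LISTING", [])


def probe(account, container, timeout=10):
    """Perform the live request without any credentials (network required)."""
    req = urllib.request.Request(listing_url(account, container))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


# Constructed sample response in the shape Azure returns for a listable container.
SAMPLE_PUBLIC_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="partner-data">
  <Blobs>
    <Blob><Name>orders/2021/Q3.csv</Name><Properties><Content-Length>1048576</Content-Length></Properties></Blob>
    <Blob><Name>contacts/export.xlsx</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

# Constructed sample error body for a container that refuses anonymous listing.
SAMPLE_PRIVATE_RESPONSE = b"<Error><Code>ResourceNotFound</Code></Error>"

if __name__ == "__main__":
    print(classify(200, SAMPLE_PUBLIC_RESPONSE))
    print(classify(404, SAMPLE_PRIVATE_RESPONSE))
```

The remediation is configuration, not code: set the container's public access level to off (`az storage container set-permission --name <container> --account-name <account> --public-access off`) and, better, disable anonymous access for the whole account (`az storage account update --name <account> --allow-blob-public-access false`) so a forgotten container cannot be re-exposed. The asset-management lesson is to run the probe above against every storage account in your inventory, including the ones "not in use".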

msrc, Investigation Regarding Misconfigured Microsoft Storage Location, blog post, 19 October 2022. Available online at https://msrc-blog.microsoft.com/2022/10/19/investigation-regarding-misconfigured-microsoft-storage-location-2/.

Uncredited, Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket, blog post, 19 October 2022. Available online at https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/.

Ransomware Gang Targets Russian Companies

Generally, ransomware gangs are equal-opportunity operators - they'll accept money from anyone after locking up their files. However, researchers at Singapore-based Group-IB have identified one group, OldGremlin, which they say specializes in attacking Russian firms across a range of industries.

Their motto seems to be "work smarter, not harder": since their discovery in March 2020, the group has conducted a total of 16 campaigns, and while they ran only five campaigns this year, their ransom demands have been steadily increasing - in 2021, their biggest demand was $4.2 million; in 2022 it grew to $16.9 million.

In order to gain initial access, the group uses well-crafted phishing emails, which often present as interview requests, commercial proposals and financial documents. They develop their own ransomware, and while they historically targeted the Windows platform, deploying well-known tools such as PowerSploit and Cobalt Strike, their most recent activities have spread to Linux. They are also stealthy: victims are compromised for an average of 49 days before the ransomware is deployed.

Group-IB, Gremlins' prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records, press release, 20 October 2022. Available online at https://www.group-ib.com/media-center/press-releases/oldgremlin-2022/.

Further Criticism of (ISC)2

Former (ISC)2 board member Wim Remes has levelled further criticism at the certification body, pointing to the organization's poor record on member engagement. He also points out that the new requirements for members to raise a petition would, in effect, make petitions impossible.

As Remes points out, under the new process for board elections, in which the board will submit a slate of qualified candidates equal to the number of open seats, an election is, in effect, just a coronation.

Wollacott, Emma, Security certification body (ISC)2 defends 'undemocratic' bylaw changes, The Daily Swig, 19 October 2022. Available online at https://portswigger.net/daily-swig/security-certification-body-isc-defends-undemocratic-bylaw-changes.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
