Blog entry by Les Bell

Les Bell
by Les Bell - Monday, 24 October 2022, 9:06 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


VMWare Vuln Attracts Ransomware, Cryptominers

Back in April, VMware disclosed CVE-2022-22054, a remote code execution vulnerability in VMware ONE Access with a CVSS score of 9.8, and released a patch for it. It didn't take long for threat actors to reverse-engineer the patch and develop exploits which rapidly spread in the wild.

You would think this wouldn't be a huge problem, since the patch was available - but in August, researchers at Fortinet Labs saw a massive spike in activity, coupled with a change in post-exploitation tactics. Prior to this, threat actors had been using the exploit to find and exfiltrate sensitive information such as credentials, but the August attackers switched to installing the Mirai botnet, or alternatively a combination of the RAR1Ransom ransomware and a cross-platform cryptominer called GuardMiner.

The fact that this campaign is still running, months after a patch became available, shows that many enterprises are not being sufficiently proactive with their patch management programs.

Lin, Cara, Mirai, RAR1Ransom and GuardMiner - Multiple Malware Campaigns Target VMware Vulnerability, blog post, 20 October 2022. Available online at https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability.

Google Project Aims to Improve Supply Chain Security

Google has announced a new open-source project it calls GUAC (pronounced like the dip) to assist with supply chain security. GUAC, or Graph for Understanding Artifact Composition, has been kicked off by the cloud service provider together with Kusari, Citi and Purdue University. It aggregates software security metadata from SBOM's, signed attestations from SLSA and vulnerability databases, into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them.

Querying this database will help to prioritize vulnerability management and remediation workflows, by answering important questions such as which enterprise applications are affected by a newly-disclosed vulnerability (a huge problem for many enterprises following Log4j, for example), or which are the most used criticial components in enterprise systems.

At this stage, GUAC exists as a proof-of-concept that can ingest SLSA, SBOM and Scorecard documents and support simple queries. The focus is now turning to scaling the current capabilities and adding new document types for ingestion.

Lum, Brandon, et. al., Announcing GUAC, a great pairing with SLSA (and SBOM)!, Google Security Blog, 20 October 2022. Available online at https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html.

Ransomware Group Targets Healthcare Sector

The FBI, US Cybersecurity and Infrastructure Security Agency and Dept. of Health and Human Services have issued a joint cybersecurity advisory outlining the TTP's, IOC's and general background on a group called "Daixin Team" who have predominantly been targeting the US healthcare sector with ransomware and extortion operations. Although this advisory is based on US experience, there's no reason to assume the group has not been active in Australia as well, and the advice is generally applicable.

Daixin Team has been active since at least June 2022, deploying ransomware to encrypt servers containing a variety of health information, but also exfiltrating personal identifiable information and patient health information, then threatening to release it if a ransom is not paid.

The group has used various techniques to gain initial access, including exploiting an unpatched vulnerabilitiy in a VPN server, or using previously-compromised credentials. Once access has been gained, they move laterally via SSH and RDP connections, and will attempt privilege escalation via credential dumping and pass-the-hash attacks. The advisory provides a full run-down, and makes for interesting reading.

CISA, #StopRansomware: Daixin Team, Alert AA22-294A, 21 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-294a.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags: