Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Finnish Police Identify Vastaamo Hacker

The National Bureau of Investigation in Finland has been making progress in its investigations of the massive privacy breach of mental health care provider Vastaamo.

For those who missed the original incident, Vastaamo suffered a breach which encrypted their patient records and held them ransom. When the company CEO refused to negotiate with the attackers, they responded by releasing sensitive patient records on a dark web server, and then turned to extorting payments from the patients themselves. It appears that the company's software was only minimally secured and did not comply with Finland's regulations for healthcare records systems. The CEO was terminated and has now been charged with a data protection offence, facing up to a year in prison. Prosecutors claim that infosec management at the company was in "absolute chaos when it comes to available resources, budget, using and utilising the necessary expertise, and training and skills". The company itself was subsequently liquidated.

On 27 October , the Helsinki District Court remanded a Finnish man, about 25 years old, in absentia on probable cause of aggravated computer break-in, attempted aggravated extortion, and aggravated dissemination of information violating personal privacy. The suspect was remanded in absentia, since police established that he lived abroad, and a European arrest warrant has been issued against him. He can be arrested abroad under this warrant, after which the police will request his surrender to Finland. An Interpol notice will also be issued against the suspect.

Teivanen, Aleksi, Prosecutors: Vastaamo's information security was in absolute chaos, Helsinki Times, 5 October 2022. Available online at https://www.helsinkitimes.fi/finland/finland-news/domestic/22293-prosecutors-vastaamo-s-information-security-was-in-absolute-chaos.html.

Poliisi, One person remanded in absentia for Vastaamo hacking incident, news item, 28 October 2022. Available online at https://poliisi.fi/-/yksi-vangittu-poissaolevana-liittyen-vastaamon-tietomurtoon?languageId=en_US.

SQLite Vulnerability Fixed, 22 Years On

The SQLite database engine project has released a fix for a format string parsing vulnerability that was originally introduced into version 1.0.12, back in the days of 32-bit systems in October 2000. CVE-2022-35737 was uncovered by researcher Andreas Kellas, and affects modern 64-bit systems; how it manifests depends on whether it is compiled with stack canaries enabled or not.

Essentially, the vulnerability can be exploited by passing large strings to the SQLite implementation of printf() when the format string contains the %Q, %q or %w format specifiers - any of these will cause the program to crash. But in the worst case, if the format string contains the ! special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution, or at least cause the program to hang.

The impact of this vulnerability could be massive, since SQLite is used as a database in all kinds of systems, especially embedded systems. It is also disappointing since SQLite has a good security track record. Users are advised to update to version 3.39.2.

Kellas, Andreas, Stranger Strings: An exploitable flaw in SQLite, blog post, 25 October 2022. Available online at https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/.

Kaspersky Details APT10 LODEINFO Backdoor

Security company Kaspersky has published a new two-part report on the operation of the LODEINFO backdoor, which is being used by the Chinese Cicada group, APT10, in attacks against Japanese media groups, diplomatic agencies and government and public sector organizations.

APT10's intial access tactics have been continually evolving, and they have continued to obfuscate LODEINFO to make detection more difficult. They are now delivering LODEINFO via a spear-phishing malmail which carries a self-extracting RAR file containing the legitimate K7Security Suite executable, NRTOLD.exe. However, the RAR also contains a malicious DLL name K7SysMn1.dll, and when NRTOLD.exe is executed, rather than load the genuine DLL, the attackers rely on the Windows DLL search path vulnerability to load the malicious DLL from the same folder as the .EXE. Since the DLL is side-loaded and heavily obfuscated, it may not be detected by security applications.

Another variant uses VBA code in a password-protected Word file to download shellcode which is injected into the memory of the WINWORD.EXE process.

In fact, six different variants of LODEINFO appeared during 2022, the APT10's TTP's appear to be rapidly evolving.

Ishimaru, Suguru, APT10: Tracking down LODEINFO 2022, part 1, blog post, 31 October 2022. Available online at https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/.

Ishimaru, Suguru, APT10: Tracking down LODEINFO 2022, part 2, blog post, 31 October 2022. Available online at https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/.

Don't Forget That OpenSSL Patch!

A reminder that the OpenSSL Project team will release a patch for a significant vulnerability in version 3 today, November 1st, between 13:00 and 17:00 UTC. While many Linux distributions still use version 1 of OpenSSL, recent distributions have moved to version 3, and so users should monitor their upstream repositories for an update to version 3.0.7.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.