Blog entry by Les Bell

by Les Bell - Friday, November 4, 2022, 9:05 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


ACSC Annual Cyber Threat Report Released

The Australian Cyber Security Centre has released its annual threat report, covering the period from July 2021 to June 2022, and it makes predictably depressing reading and ideal fodder for TV news lead stories. Key trends:

  • Cyberspace has become a battleground (No sh*t, Sherlock! [LB])
  • Australia's prosperity is attractive to cybercriminals; BEC has trended towards high-value transactions such as property settlements.
  • Ransomware remains the most destructive cybercrime
  • Worldwide, critical infrastructure networks are increasingly targeted
  • The rapid exploitation of critical public vulnerabilities became the norm (Patch, patch, patch! [LB])

The ACSC has seen a cybercrime reported every 7 minutes, on average, slightly more frequently than last year, with the most reported types being fraud, online shopping and online banking. Losses due to business email compromises amounted to over $A98 million, with an average loss of $64,000 per report.

There are lots more facts and figures, along with the expected guidance, in the report.

Australian Cyber Security Centre, Annual Cyber Threat Report - July 2021-June 2022, Australian Signals Directorate, 6 October 2022. Available online at https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022.

YAPB (Yet Another Privacy Breach)

Yet another Australian business has been hit with a breach - or, more accurately, their customers/clients have been hit. In this case, the victims are tenants, landlords and tradespeople whose personal data was accessed by an unauthorized and unidentified third party via the rental property database of Melbourne real estate agency Harcourts.

Customers were notified via an email stating that the company became aware of the breach on 24 October. The breach apparently occurred via compromise of the account of a service provider, allegedly through the use of a personal device for work, rather than the more secure company-issued device - there's a lesson there about BYOD policy.

The impact for affected individuals could be severe, since the database contained full legal names, email and physical addresses, phone numbers and a copy of their signature. The database also contained photo IDs supplied by tenants, and the bank details of tradespeople. Debate is once again raging about the amount of possibly unnecessary personal data that businesses are requesting and storing.

Hall, Amy, Advocates had warned of the dangers of a real estate data breach. It just happened, SBS News, 3 November 2022. Available online at https://www.sbs.com.au/news/article/advocates-had-warned-of-the-dangers-of-a-real-estate-data-breach-it-just-happened/6mlieq0g0.

New Variant of Raccoon Stealer

In recent years, Raccoon Stealer has been one of the most successful infostealers offered by cybercriminals as Malware-as-a-Service, but it disappeared in March 2022. However, it re-emerged as a new variant in July 2022, and has reached new levels of activity.

An article from specialist malware analysis and hunting firm Any.Run breaks down the operation of Raccoon Stealer. The malware's operation kicks off with extensive antiforensics checks, with the goal of abandoning execution in a sandbox or under a debugger - Any.Run's analysts had to develop some workarounds to get it to run so they could examine its behaviour.

It starts by dynamically loading the Windows API libraries it will need, and then decrypts various strings and C2 server details. Next, it checks the system locale, and will terminate if it finds itself running in a Russian-affiliated (CIS) country. After checking whether it has System (or LocalSystem) admin privileges, it enumerates processes and connects to its C2 servers for instructions about what kind of data to collect.

Apart from basic system information, Raccoon Stealer will look for credentials saved in browsers, session cookies, banking data, cryptocurrency wallets, and credit card information, but it can also exfiltrate arbitrary files. The Any.Run article provides a full analysis of how it performs these actions, with decompiled code for those of us masochists who enjoy reading the stuff.

Uncredited, Raccoon Stealer 2.0 Malware Analysis, blog post, 30 August 2022. Available online at https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/.
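As an added defensive example (not code from the Any.Run article or this blog), here is a small Python triage script that looks for the execution chain described above in a sandbox API-call trace, flagging a process only when it walks the stages in sequence. The trace line format, the grouping of Win32 APIs into stages and the sample lines are assumptions constructed for the example.

```python
"""Behavioural triage of a sandbox API-call trace for the execution chain
described above. The trace line format, API groupings and sample lines are
constructed for this example (hypothetical; not Any.Run's output)."""
import re

# Stages of the described flow, in order, with the Win32 APIs a trace shows
# for each. Only a hit for the *next* expected stage advances a process.
STAGES = [
    ("dynamic_api_loading", {"LoadLibraryW", "LoadLibraryA", "GetProcAddress"}),
    ("locale_check",        {"GetUserDefaultLCID", "GetLocaleInfoW", "GetUserDefaultUILanguage"}),
    ("privilege_check",     {"OpenProcessToken", "GetTokenInformation"}),
    ("process_enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    ("c2_contact",          {"InternetOpenW", "InternetConnectW", "HttpSendRequestW", "WinHttpConnect"}),
]

# Constructed trace format: "<timestamp> pid=<n> api=<Name> [arg=...]"
TRACE_LINE = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+api=(?P<api>\w+)")

def parse_trace(lines):
    """Yield (pid, api) from well-formed trace lines; skip anything else."""
    for line in lines:
        m = TRACE_LINE.match(line)
        if m:
            yield int(m.group("pid")), m.group("api")

def matched_stages(lines):
    """Per pid, the list of stage names reached in the expected order."""
    progress = {}
    for pid, api in parse_trace(lines):
        reached = progress.setdefault(pid, [])
        if len(reached) < len(STAGES):
            name, apis = STAGES[len(reached)]
            if api in apis:
                reached.append(name)
    return progress

def flag_infostealer_like(lines, min_stages=4):
    """Pids whose trace walks at least min_stages of the chain in sequence."""
    return sorted(p for p, s in matched_stages(lines).items() if len(s) >= min_stages)

# Constructed sample: pid 4242 follows the full chain, pid 777 does not.
SAMPLE_TRACE = """\
10:00:01.000 pid=4242 api=LoadLibraryW arg=kernel32.dll
10:00:01.010 pid=4242 api=GetUserDefaultLCID
10:00:01.020 pid=4242 api=OpenProcessToken
10:00:01.030 pid=4242 api=CreateToolhelp32Snapshot
10:00:01.500 pid=4242 api=InternetConnectW arg=203.0.113.10
10:00:02.000 pid=777 api=LoadLibraryW arg=user32.dll
10:00:02.100 pid=777 api=InternetConnectW arg=203.0.113.10
not a trace line
""".splitlines()
```

Running `flag_infostealer_like(SAMPLE_TRACE)` returns `[4242]`; the ordering requirement is what keeps an ordinary process that merely loads a library and opens a socket (pid 777) from being flagged.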


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
