Blog entry by Les Bell

by Les Bell - Monday, November 7, 2022, 8:50 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Ransomware Strike on Vic Govt Service Provider

A ransomware group has breached tech services company PNORS Technology Group, which counts a number of Victorian government departments among its over 1,000 clients. Two of its businesses, Datatime and Netway, were victims of an attack on 3 November. "The impacted PNORS Technology Group businesses deal with document and data capture, digital conversion and managed IT support for a number of external clients, including government departments", said CEO Paul Gallo.

"Initial investigations by cyber security experts indicated this incident was limited to systems being encrypted and locked. However, overnight the criminals behind the cyber attack released to the company, in a private communication, a sample of what is believed to be stolen data".

Investigations by PNORS, the Victorian Department of Premier and Cabinet and their hired consultants are continuing, with further notifications expected as the extent of the breach is uncovered. A hint from Captain Obvious: the file encryption phase of a ransomware attack is impossible to miss; the exfiltration phase is easy to miss, especially since it often happens well before the encryption.

Murray-Atfield, Yara, Technology group providing services to Victorian government departments hit by cyber attack, ABC News, 5 November 2022. Available online at https://www.abc.net.au/news/2022-11-05/pnors-technology-group-data-security-incident/101620900.

UK Government Scans UK-hosted Systems

The UK's National Cyber Security Centre has instituted a program of scanning all internet-accessible systems that are hosted within the UK for common or high-impact vulnerabilities. The scan, which is regularly performed "using standard and freely available network tools", is fairly non-intrusive, looking at returned version numbers and the contents of HTTP response headers and payloads, and not delivering exploit code. The intention is to build an overview over time of the country's vulnerability exposure.

All scans are performed from just two cloud-hosted IP addresses:

  • 18.171.7.246
  • 35.177.10.231

which have both A and PTR records for scanner.scanning.service.ncsc.gov.uk. HTTP request headers will also contain the line

X-NCSC-Scan: NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information

System owners can opt out of being scanned, although I can't see much reason to do so. Typical home networks, behind NATting routers, will not be scanned, of course.
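As an added example (not from the original post or from the NCSC), the sketch below triages web requests against the published scanner details, treating the source address as the deciding check because the header can be sent by anyone. The JSON-lines log format, field names and labels are assumptions, and the sample records are constructed.

```python
import ipaddress
import json

# Scanner source addresses and header name as published on the page above.
NCSC_SCANNER_IPS = {ipaddress.ip_address("18.171.7.246"),
                    ipaddress.ip_address("35.177.10.231")}
NCSC_HEADER = "x-ncsc-scan"

# Constructed sample records (assumed JSON-lines access log; not real traffic).
SAMPLE_LOG = """\
{"src": "18.171.7.246", "path": "/", "headers": {"X-NCSC-Scan": "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"}}
{"src": "203.0.113.50", "path": "/admin", "headers": {"X-NCSC-Scan": "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"}}
{"src": "35.177.10.231", "path": "/robots.txt", "headers": {"User-Agent": "probe"}}
{"src": "198.51.100.7", "path": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}}
"""

def classify(record):
    """Label one request by source address first, header second."""
    src = ipaddress.ip_address(record["src"])
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    from_scanner = src in NCSC_SCANNER_IPS
    has_header = NCSC_HEADER in headers
    if from_scanner and has_header:
        return "ncsc-scan"
    if from_scanner:
        return "ncsc-ip-no-header"
    if has_header:
        # The header alone proves nothing without a listed source address.
        return "claims-ncsc-unverified"
    return "other"

def triage(log_text):
    """Return (source, path, label) for every non-blank log line."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            out.append((rec["src"], rec["path"], classify(rec)))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep="\t")
```

Requests labelled `claims-ncsc-unverified` are the ones worth a closer look, since they borrow the scanner's header from an address that is not on the published list.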

National Cyber Security Centre, NCSC Scanning information, information page, 1 November 2022. Available online at https://www.ncsc.gov.uk/information/ncsc-scanning-information.

Hacktivist DDoS Attacks More Bark Than Bite, Says FBI

According to a Private Industry Notification released by the FBI, distributed denial of service attacks by hacktivists actually "have minimal operational impact on victims; however hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service".

According to the FBI, the targets of such DDoS attacks are selected precisely because of their greater perceived, as opposed to actual, impact; financial institutions, health and medical facilities, emergency services, airports and government facilities are common targets. DDoS attacks are popular with hacktivists because they require little technical knowledge, but allow the attackers to claim responsibility and 'talk up' the attack on social media, possibly recycling information that was exfiltrated in earlier attacks in order to build credibility.

FBI Cyber Division, Hacktivists Use of DDoS Activity Causes Minor Impacts, Private Industry Notification 20221104-001, 4 November 2022. Available online at https://www.ic3.gov/Media/News/2022/221104.pdf.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
