Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Medibank Won't Pay; BlogXX Counters

Shortly before the ASX opened on Monday, health and general insurer Medibank, subject of one of Australia's largest ransomware attacks, announced that it would not pay a ransom to the attacker responsible. Citing advice received from experts, the company stated,

Whether that will turn out to be the case remains to be seen; in the similar Vastaamo case in Finland, the ransomware operator turned to extorting individual patients only after the company refused to pay. In any case, there is general agreement that paying ransomware operators only funds an expansion of their activity, while refusal to pay would destroy their business model.

In any case, this is not good news for any of the 9.7 million affected customers, for whom the ordeal now drags on - but perhaps not for much longer. A successor to REvil/Sodinokibi called BlogXX is apparently claiming credit for the breach and is now threatening to release the data, according to MalwareHunterTeam.

MalwareHunterTeam, "The BlogXX ransomware gang just listed Medibank . . .", tweet, 7 November 2022. Available online at https://twitter.com/malwrhunterteam/status/1589596026926923776.

Uncredited, Cyber event updates and support, information page, 7 November 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.

Useful Guide to Creating Incident Response Playbooks

Those who have been through the stress of responding to a cybersecurity incident know that planning and preparation is key; an effective response cannot tolerate the delays of figuring things out from first principles in the heat of the moment. While many incident response teams start off with a small set of canned playbooks, such as those available from the Incident Response Consortium at https://www.incidentresponse.org/playbooks/, these inevitably lag behind the latest developments in the threat landscape and, perhaps more importantly, do not reflect the network environment, assets and resources of a specific organization.

A new guide from Trend Micro provides a catalogue of example playbooks and templates to suit specific industries and different phases of the incident response cycle. The accompanying article also provides some tips on the selection of an incident response service provider.

LaFleur, Chris, Incident Response Services & Playbooks Guide, blog post, 7 November 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/i/incident-response-services.html.

Robin Banks Steals Cookies

MSSP IronNet first reported on the Robin Banks Phishing-as-a-Service (PhaaS) platform back in July 2022. At that time, the new group was selling phishing kits to other groups who would use them to run social engineering scams, primarily targeting the financial services sector in the US, UK, Canada and Australia. For somewhere between $US50 and $US300 per month, a customer got access to a customisable phishing front end which could detect bots and divert them to a CAPTCHA landing page, plus a user-friendly management interface where they could access captured credentials or have them sent immediately to their personal Telegram channel.

Following that initial report, Cloudflare terminated their services to Robin Banks, distupring their operations. But now the actor has retooled, shifting their infrastructure to DDOS-GUARD, a well-known Russuan provider which hosts a number of phishing sites and criminal content, as well as hosting content for Qanon and 8chan. They have also upped security, requiring their customers to use two-factor authentication in order to access captured credentials, and creating their own private Telegram channel.

The group has also broadened its targets slightly, making use of the evilginx2 Adversary-in-The-Middle reverse proxy engine to steal login session cookies, thereby bypassing 2FA. The initial release of this feature has front-ends for Google, Yahoo and Outlook. and costs customers $US1,500 per month. IronNet's analysts show that Robin Banks' systems are mostly adapted from existing open-source code.

IronNet Threat Research, Robin Banks still might be robbing your bank (part 2), blog post, 3 November 2022. Available online at https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2.

Flight Services Company Jeppesen Restores Services

On 2 November, aviation services company Jeppesen experienced a cyber incident which caused an outage affecting some of its services. Jeppesen and its sister company Foreflight, which are both owned by Boeing, provides instrument approach plates, en-route charts and other documentation which are used by airlines and general aviation worldwide for flight planning and in-flight navigation. One particularly important service which was affected was their NOTAM (Notices to Airmen) service, which distributes notifications of airspace restrictions, runway closures and other essential information; however, following a comprehensive scan and forensic investigation this service has now been fully restored, with other services to follow.

In days of old, Jeppesen shipped huge leather binders full of bible-thin chart pages which pilots lugged around in their flight bags, and which needed to be updated and re-collated on a fortnightly basis, a tedious and time-consuming process. Since the advent of tablets, these have been replaced by a continuously-updated app on an iPad; however, one can't help wondering if some pilots long for the bad old days now that the service has been shown to be vulnerable, like everything else in the cyber-world.

Uncredited, Statement re cyber incident, home page update, 5 November 2022. Available online at https://ww2.jeppesen.com/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.