Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Exfiltrated Medibank Data Posted Online

As we expected, shortly after midnight the BlogXX ransomware group began posting what appears to be client data from the Medibank attack, in two lists titled "good-list" and "naughty-list" on their blog.

"Looking back that data is stored not very understandable format [table dumps] we’ll take some time to sort it out," the group said. "We’ll continue posting data partially, need some time to do it pretty."

The group also posted what seem to be screenshots of messages they had exchanged with Medibank representatives.

I expect the next shoe to drop will be extortion demands on individual Medicare customers, although it's possible the attackers might settle for just enjoying the drama they have created.

AAP, Group claiming to be Medibank hackers start posting client data on dark web, The Guardian, 8 November 2022. Available online at https://www.theguardian.com/australia-news/2022/nov/09/group-claiming-to-be-medibank-hackers-start-posting-client-data-on-dark-web.

Security Professionals As Bad As Everyone Else

At the RSA Conference each year, NetWitness and Cisco run a Security Operations Center (SOC) as an educational exhibit, with NetWitness monitoring the traffic on the wireless network and Cisco providing automated malware analysis, threat intelligence, DNS visibility and intrusion detection. The goal is to educate conference attendees about what happens on a typical wireless network, running daily SOC tours and a conference session.

Cisco has now published a report on their findings, and it does not make happy reading, with the SOC capturing 55,525 cleartext passwords from 2,210 individual accounts. While many of these would possibly be demo accounts used by systems on the trade show floor, and a lot of credentials were leaked by devices running SNMP versions 1 and 2, there was an alarming number of unencrypted authentication exchanges with mail gateways, primarily on the domains of small and medium enterprises. It seems the best thing many small business could do to secure their email is to outsource its operation to a service like Google Workspace or Microsoft Outlook - they can do a much better job.

Perhaps the most egregious failure was by the CISO of a public corporation who paid the annual maintenance fee of his CISSP certification and received the receipt over a completely unencrypted session to his open-source Android email client. The SOC personnel had to alert the CISO to the problem and walk him through TLS configuration for his email client. Tsk, tsk.

Bair, Jessica, RSA Conference® 2022 Security Operations Center Findings Report, blog post, 3 November 2022. Available online at https://blogs.cisco.com/security/rsa-conference-2022-security-operations-center-findings-report.

Microsoft Surveys Threat Landscape

With its Digital Defense Report 2022, Microsoft has provided an excellent CISO-level overview of the threat landscape, broken into five sections:

• The State of Cybercrime
• Nation State Threats
• Devices and Infrastructure
• Cyber Influence Operations
• Cyber Resilience

Key takeaways:

• Cybercrime is increasing as the availability of hacking tools and services lowers the skill barrier to entry, with ransomware and extortion growing more audacious
• Nation state actors are increasingly targeting critical infrastructure, either as a component of hybrid warfare or, as China is doing in SE Asia, to gain intelligence and competitive advantage
• Both cybercriminals and nation states are moving to take advantage of vulnerabilities in IoT and OT devices, with a five-fold increase in attacks on remote management devices over the previous year
• Russia, Iran and China employed sophisticated influence operations to distribute propaganda and impact public opinion to extend their global influence
• The move to hybrid work has required a pivot in security practices, but the vast majority of successful cyberattacks could be prevented by using basic security hygiene

There are lots of other useful snippets and more than a few lessons in the report.

Uncredited, Microsoft Digital Defense Report 2022, technical report, November 2022. Available online at https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.