Blog entry by Les Bell

by Les Bell - Saturday, 19 November 2022, 9:56 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Bluetooth Allowlist Allows Tracking

Researchers at Ohio State have found that Bluetooth Low Energy (BLE) devices are vulnerable to location tracking, due to a design flaw in the protocol.

Yue Zhang, a postdoctoral researcher at OSU, presented the findings at the ACM Conference on Computer and Communications Security, receiving a "best paper" honourable mention. Zhang and his adviser, Prof. Zhiqiang Lin, proved the threat by testing over 50 available devices as well as four BLE development boards, and found them all to be vulnerable. The Bluetooth SIG, which maintains the Bluetooth standards, "was certainly made aware of the MAC address tracking threat, and to protect devices from being tracked by bad actors, a solution called MAC address randomization has been used since 2010", said Lin. Later, in 2014, the Bluetooth SIG introduced a new feature called the "allowlist", which allows connections only from recognised devices.

In their paper, Zhang and Lin show that the allowlist feature actually introduces a side channel for device tracking, since a device with an allowlist behaves differently from one without, even when both use randomized MAC addresses. Worse, the randomization scheme itself is flawed and vulnerable to replay attacks. The two authors notified the Bluetooth SIG, as well as device manufacturers and OS developers, and were awarded a bug bounty by Google, who rated the vulnerability as high severity. They have also proposed an improved protocol.

Woodall, Tatyana, Study uncovers new threat to security and privacy of Bluetooth devices, news release, 17 November 2022. Available online at https://news.osu.edu/study-uncovers-new-threat-to-security-and-privacy-of-bluetooth-devices/.

Zhang, Y., & Lin, Z. (2022). When Good Becomes Evil: Tracking Bluetooth Low Energy Devices via Allowlist-based Side Channel and Its Countermeasure, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 3181–3194. Available online at https://doi.org/10.1145/3548606.3559372.
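To make the mechanism in the story concrete, here is an added example (my own illustration, not code from Zhang and Lin's paper or from the Bluetooth SIG) of how a BLE resolvable private address (RPA) is built and resolved, and how an allowlist-filtering peripheral decides whether to answer. It follows the Core Specification's address-hash construction as I understand it: a 24-bit random prand is hashed with AES-128 under the pairing-time Identity Resolving Key (IRK), and the low 24 bits of the ciphertext are appended to prand. The `AllowlistAccepts` model is an assumption about the filter policy, and the byte order is the spec's big-endian integer convention rather than the on-air little-endian layout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Address is a 48-bit BLE device address, most significant byte first.
type Address [6]byte

// IRK is the 128-bit Identity Resolving Key a peer shares during pairing.
type IRK [16]byte

// ah is the BLE address hash: AES-128 of (104 zero bits || prand) under the
// IRK, keeping only the least significant 24 bits of the ciphertext.
func ah(irk IRK, prand [3]byte) ([3]byte, error) {
	var hash [3]byte
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return hash, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // prand occupies the low 24 bits; the rest is zero padding
	block.Encrypt(out[:], in[:])
	copy(hash[:], out[13:])
	return hash, nil
}

// rpaFromPrand assembles an RPA from a chosen prand: prand || ah(IRK, prand).
func rpaFromPrand(irk IRK, prand [3]byte) (Address, error) {
	hash, err := ah(irk, prand)
	if err != nil {
		return Address{}, err
	}
	var a Address
	copy(a[0:3], prand[:])
	copy(a[3:6], hash[:])
	return a, nil
}

// NewRPA draws a fresh prand whose top two bits are 01, the marker that tells a
// peer the address is resolvable (as opposed to static or non-resolvable).
func NewRPA(irk IRK) (Address, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return Address{}, err
	}
	prand[0] = (prand[0] & 0x3f) | 0x40
	return rpaFromPrand(irk, prand)
}

// Resolve reports whether addr was generated under irk by recomputing the hash
// over the received prand. The check is stateless: nothing about when the
// address was generated is bound into it, so any RPA a device has ever
// advertised keeps resolving, which is the weakness the replay remark refers to.
func Resolve(irk IRK, addr Address) (bool, error) {
	if addr[0]&0xc0 != 0x40 {
		return false, nil // not a resolvable private address
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	hash, err := ah(irk, prand)
	if err != nil {
		return false, err
	}
	return bytes.Equal(hash[:], addr[3:6]), nil
}

// AllowlistAccepts models (assumption) a peripheral holding the IRKs of its
// bonded peers: it answers only an initiator whose address resolves under one
// of them. A peripheral without an allowlist would answer every initiator, and
// that observable difference in behaviour is the side channel the paper describes.
func AllowlistAccepts(allow []IRK, addr Address) bool {
	for _, k := range allow {
		if ok, _ := Resolve(k, addr); ok {
			return true
		}
	}
	return false
}

func main() {
	var peer IRK
	rand.Read(peer[:])
	addr, _ := NewRPA(peer)
	fmt.Printf("RPA %x accepted by allowlist: %v\n", addr, AllowlistAccepts([]IRK{peer}, addr))
}
```

Run it with `go run .`; each run prints a different RPA, and all of them resolve under the same IRK, which is exactly the property that makes resolution stateless.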

Major Phishing Campaign Targets US, Canadian Shoppers

Akamai Security Research is reporting a new, highly sophisticated phishing kit which mimics several large retail brands in the run-up to the holiday season. The kit uses a variety of anti-forensics techniques to evade detection, including a novel approach to obfuscating URLs: the email which delivers the scam contains a token from which the redirection URL is constructed, and any attempt to access a scam page without the token will not reach the phishing landing page.

The campaign also uses URL shorteners, fake user profiles and testimonials, and CDN services to make its infrastructure resilient. It also makes use of sophisticated social engineering, offering victims the chance to win a prize, and requesting credit card details "only" to cover the cost of shipment - which, around this time of year, is a common marketing technique and will appear entirely legitimate to the victim. Whoever created these lures is familiar with US pre-holiday promotions, and in fact, the campaign is geo-targeted, with the sites being inaccessible from outside the US and Canada.

The Akamai report provides a full analysis, and IOCs are also available.

Katz, Or, Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment, blog post, 16 November 2022. Available online at https://www.akamai.com/blog/security-research/sophisticated-phishing-scam-abusing-holiday-sentiment.

APT Targets Governments World-wide, Especially Asia/Pacific

Trend Micro has been tracking a wave of spearphishing attacks which target the government, academic, think-tank and research sectors around the world, but particularly in Myanmar, Australia, the Philippines, Japan and Taiwan. Analysis of the malware families used points to a notorious advanced persistent threat group known as Earth Preta (also tracked as Mustang Panda or Bronze President), likely of Chinese origin.

The campaign uses fake Google accounts to distribute the malware via spearphishing emails containing Google Drive links that point to compressed archive files, which the user is lured into downloading and executing. The documents used to lure the victims display a familiarity with the target organizations that suggests some research into them, and possibly earlier breaches.

Some of the malware has been observed previously, but two malware families are new, and they all use a variety of techniques to evade detection through a multi-stage loading process, connection to C2 and final installation of a backdoor. The Trend Micro writeup provides a thorough analysis, and IOCs can also be downloaded.

Dai, Nick, Vickie Su and Sunny Lu, Earth Preta Spear-Phishing Governments Worldwide, research report, 18 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html.
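Both the Akamai holiday-scam story and the Earth Preta story above describe lures that live in the links of an email: shortened URLs and token-bearing redirect URLs in the first, Google Drive share links to archives in the second. As an added example (my own triage helper, not code from Akamai, Trend Micro or either report) here is a small mail-link triage routine a SOC might run over inbound messages. It extracts every http(s) URL and flags three shapes: a host on a shortener list, a Google Drive file-share path, and a long high-entropy path segment or query value of the kind a per-message access token produces. The shortener list, the `shop-promo.example` domain, the token values and the sample message are all constructed for illustration; the `/file/d/` share-link shape is my assumption about the usual Google Drive URL format.

```go
package main

import (
	"fmt"
	"math"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one URL from a message and the triage reasons that applied.
type Finding struct {
	URL     string
	Reasons []string
}

// shortenerHosts is a constructed, illustrative list (assumption); a real
// deployment would load it from a threat-intelligence feed.
var shortenerHosts = map[string]bool{
	"bit.ly": true, "tinyurl.com": true, "t.co": true, "is.gd": true, "cutt.ly": true,
}

var urlRe = regexp.MustCompile(`https?://[^\s<>"']+`)

// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// looksLikeToken flags a long, high-entropy path segment or query value, the
// shape of the access token the Akamai report says the lure emails carry.
// Thresholds are a triage heuristic, not a precise signature.
func looksLikeToken(s string) bool {
	return len(s) >= 20 && entropy(s) > 3.5
}

// TriageLinks extracts every http(s) URL in body and attaches the reasons that
// apply: a known shortener host, a Google Drive file-share path, or an opaque
// token in the path or query. URLs with no reason are not reported.
func TriageLinks(body string) []Finding {
	var findings []Finding
	for _, raw := range urlRe.FindAllString(body, -1) {
		raw = strings.TrimRight(raw, ".,;:)") // drop sentence punctuation glued to the URL
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		host := strings.ToLower(u.Hostname())
		var reasons []string
		if shortenerHosts[host] {
			reasons = append(reasons, "url-shortener")
		}
		if host == "drive.google.com" && strings.HasPrefix(u.Path, "/file/d/") {
			reasons = append(reasons, "drive-file-link")
		}
		parts := strings.Split(u.Path, "/")
		for _, vs := range u.Query() {
			parts = append(parts, vs...)
		}
		for _, p := range parts {
			if looksLikeToken(p) {
				reasons = append(reasons, "opaque-token")
				break
			}
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{URL: raw, Reasons: reasons})
		}
	}
	return findings
}

// SampleMail is a constructed message body for the demonstration, not a real lure.
const SampleMail = `Congratulations! You have been selected. Claim your prize at
https://bit.ly/3xyzAbc or directly at
https://shop-promo.example/claim?t=9f3c2a7b1e4d6f8a0b5c3d2e1f7a9b4c.
Shipping details: https://www.example.com/about
Report attached: https://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz012345/view`

func main() {
	for _, f := range TriageLinks(SampleMail) {
		fmt.Printf("%-85s %v\n", f.URL, f.Reasons)
	}
}
```

On the sample message the benign `example.com/about` link produces nothing, the shortener and the token-bearing redirect are each flagged once, and the Drive link is flagged twice, because its file id is itself a long opaque string. In practice the reasons would feed a scoring rule rather than block outright, since legitimate marketing mail also uses shorteners and Drive links.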


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
