Blog entry by Les Bell

Les Bell
Security News: 2022-11-22
by Les Bell - Tuesday, 22 November 2022, 9:48 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Global Cyber Risk Slightly Increases

Trend Micro and the Ponemon Institute collaborate to produce the Cyber Risk Index (CRI), which surveys how organizations view their cyber risk. The survey covers North America, Latin/South America, Europe, and the Asia-Pacific regions, and in the first half of 2022 incorporated data from 4,100 business of all sizes.

The index calculation works by rating two factors:

  • Organizations' ability to prepare for attacks - the Cyber Preparedness Index, or CPI
  • Organizations' assessment of the threats they face - the Cyber Threat Index, or CTI

The final calculation subtracts the CTI from the CPI to produce the CRI (CRI = CPI - CTI), yielding a value between -10 and +10, with lower values representing more risk.

The current global CRI is -0.15, a slight increase in risk from the second half of 2021, when it stood at -0.04. The leaves the risk index in the Elevated rating level. Overall, organizations in North America and Asia-Pacific saw their risk increase, while it decreased for Europe and Latin/South America.

North America's CRI was the worst, at -0.33 - a result of a slightly lower preparedness index and a higher threat index.  Asia-Pacific saw their risk index move from the Moderate to the Elevated level (from +0.20 to -0.11), primarily due to a might higher threat index (from 5.15 to 5.44).

Clay, Jon, Global Cyber Risk at Elevated Level, research report, 17 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/cyber-risk-index-1h-22-snapshot.html.

Hacker One Improves Protections

Bug bounty program operator HackerOne has announced a new program to improve the protection of ethical hackers from liability when disclosing vulnerabilities they have discovered. The history of security is full of sad tales of innocent researchers who have fallen victim of an unfortunate tendency among the owners of vulnerable systems to shoot the messenger, rather than acting on useful intelligence. Unfortunately not every company has a generative security culture that actively seeks out problems and rewards those who identify them.

HackerOne's new Gold Standard Safe Harbor document is a short, broad, easily-understood statement that outlines the legal protections security researchers can expect, and can be simply adopted by HackerOne's customers. It also eliminates the need for ethical hackers to closely review all the fine print of different bug bounty program statements.

HackerOne's as-yet-unreleased Hacker-Powered Security Report apparently states that more than half of hackers have not reported a vulnerability they discovered. In 20%  of cases, they said it was because an organization had previously been difficult to work with, and 12% said t was due to threatening legal language. The new GSSH aims to improve this situation.

Uncredited, HackerOne Announces Gold Standard Safe Harbor to Improve Protections for Good Faith Security Research, press release, 16 November 2022. Available online at https://www.hackerone.com/press-release/hackerone-announces-gold-standard-safe-harbor-improve-protections-good-faith-security.

VenomSoftX: Malicious Chrome Extension Steals Victims' Cryptocurrencies

A report from Avast tears down a recently-discovered infostealer which takes the form of a malicious Chrome extension. VenomSoftX has a wide rangeof capabilities: it provides full access to every web page the victim visits, can perform man-in-the-browser attacks to interfere with API request data on popular cryptocurrency exchanges, can steal credentials and clipboard content, modify wallet addresses on visited pages, and much more. Its standalone capabilities are so extensive tha, although it is distributed by the previously-known Powershell-based infostealer, ViperSoftX, it has been given its own name.

ViperSoftX is mostly spread from torrent sites offering cracked copies of programs such as Adobe Illustrator, Corel Video Studio, Microsoft Office and others. Although this means potentially global distribution and infection, the most impacted countries are India, the US and Italy, with the cryptocurrency thefts alone having netted the threat actor behind the campaign just over $US130,000.

The downloaded binary that infects the system is actually a self-decrypting loader using AES-CBC encryption, which in turn extracts and decrypts a packed blob containing five files - the most interesting of which is a large log file which contains a single malicious line of obfuscated code. There are two variants, which either download the ViperSoftX infostealer or use a PowerShell script to decrypt it locally. This can then load any of several payloads, of which VenomSoftX is the newest and most interesting - it masquerades as a common browser extension such as Google Sheets (which is actually not a browser extension in reality).

VenomSoftX consists of modular JavaScript; a bootstrap loader always loads on every page, and if a crypto exchange site is being visited, it will load the appropriate "webpack" JavaScript module. Otherwise, it loads a generic webpack_content.js module. Several of the modules are capable of collecting data and sending it to a C2 server using the MQTT IoT messaging protocol.

Rubin, Jan, ViperSoftX: Hiding in System Logs and Spreading VenomSoftX, blog post, 21 November 2022. Available online at https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/.

Useful Guidance on Phishing Protection

A useful short report from Trend Micro summarizes the most common variants of phishing attacks, such as whaling, business email compromise, smishing and vishing, and offers some guidance on good practices to defend against them.

Clay, Jon, Email Security Best Practices for Phishing Prevention, blog post, 17 November 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/k/email-security-best-practices.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink