Blog entry by Les Bell

by Les Bell - Friday, 25 November 2022, 10:04 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Aviation Industry A Ransomware Target?

A few days ago we wrote about the Daixin Team's attack on AirAsia, whose network, they dismissively complained, was so badly managed that they were embarrassed to exploit it. However, Cyble has compiled a list of recent ransomware attacks on airlines around the world. Although Cyble does not name the airlines, they appear to be generally smallish domestic or budget carriers in several countries:

  • Malaysia
  • Thailand
  • Portugal
  • Kuwait

Doubtless there are others which have gone unreported. And even the larger carriers are not immune - British Airways suffered an embarrassing supply-chain attack which resulted in the theft of customer credit card details.

The aviation industry was badly affected by COVID lockdowns, which required budgets to be slashed. However, airlines are also custodians of a lot of sensitive data - some of it personal, some of it operational - and of some systems with real safety implications, all of it highly interconnected with external systems and contractors. The fact that times are tough is not a good reason to drop your guard, unfortunately.

Uncredited, Aviation Industry Facing Ransomware Headwinds, blog post, 23 November 2022. Available online at https://blog.cyble.com/2022/11/23/aviation-industry-facing-ransomware-headwinds/.

Microsoft Warns of IoT Supply Chain Problems

In a blog post, Microsoft's Security Threat Intelligence team warns of a threat affecting Internet of Things (IoT) devices and the operational technology (OT) networks which they may expose.

As security professionals are aware, IoT devices are often manufactured at low cost for a mass market, designed by engineers who focus on electronics and sensor technology and who rely on pre-packaged software in the form of operating systems, subsystems and programming languages for the system-on-a-chip controllers embedded into their designs. Just take a look at online tutorials for Raspberry Pi and similar devices, which generally rely on high-level Python code to read sensor inputs and control outputs, with the assumption that the underlying layers of the stack are a) reliable and b) secure.

The latter assumption, especially, is often invalid. In the particular case which triggered the blog post, an intrusion into electrical grid critical infrastructure in India, the initial intrusion point was an IoT device, and specifically an embedded web server, which is commonly used to provide either a user interface or an API for devices. In this particular case, the server was the Boa web server, supplied as part of a software development kit for IoT devices, such as those provided by Realtek. The problem is that development and support of the Boa web server ceased in 2005. While patches for the Realtek SDK are available, they may not get through the entire supply chain to the final, shipped devices - let alone to the network owners and operators who acquire them.

Microsoft's blog post provides a list of recommended mitigations, primarily aimed at network operators - the IoT device designers seem to be a lost cause...

Castleman, Adam, et al., Vulnerable SDK components lead to supply chain risks in IoT and OT environments, blog post, 22 November 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/.

San Francisco Cops Seek Permission for Robots to Use Deadly Force

A little beyond the usual remit of security defenders, this story: the San Francisco Police Department is petitioning the city's Board of Supervisors for permission to deploy robots which are capable of killing suspects whom officers believe are so dangerous that the "risk of loss of life to members of the public or officers is imminent and outweighs any other force option available to SFPD".

Police forces now often use remote-controlled robots for tasks such as inspecting suspected explosive devices; as well as carrying cameras and manipulators, such robots can also fire a blank shotgun shell into a device in an attempt to harmlessly destroy the device, if not the robot as well. And such robots could also conceivably fire a live round. YouTube already has several videos which show robot dogs discharging automatic weapons at targets.

Unsurprisingly, this proposal is meeting with significant opposition. After all, what could possibly go wrong?

Tarantola, A., San Francisco police seek permission for its robots to use deadly force, Engadget, 23 November 2022. Available online at https://www.engadget.com/san-francisco-police-seek-permission-for-its-robots-to-use-deadly-force-183514906.html.

Fake VPN Apps Catch Android Users

Extensive advertising campaigns featuring masked, hoodie-wearing bad guys, coupled with the desire to access geo-restricted content, have motivated many individual consumers and SME operators to install virtual private network (VPN) client software, although for many cloud-hosted applications there is little to suggest that VPNs provide much more security than the use of standard TLS everywhere.

Now ESET researchers warn of a campaign targeting Android device users with a fake SecureVPN web site which hosts a trojaned Android app. The threat actor behind this campaign is the Bahamut cyberespionage APT, which has been active since at least 2017, targeting victims in the Middle East and South Asia with spearphishing lures. This particular campaign and the associated malware appeared first in early 2022, hosted on a simple web site created with a free web template. The malicious domain was named thesecurevpn[.]com, playing on the legitimate product's domain at securevpn.com.

The fake VPN malware shares code with the earlier SecureChat campaign run by Bahamut; once it is installed it can exfiltrate a range of sensitive data from the victim's device, including contacts, SMS messages, device location, device accounts, recorded phone calls, device info including installed apps, and a list of files on external storage. It can also extract information about calls made using a range of popular messaging apps including Facebook Messenger, Viber, WhatsApp, Telegram, WeChat and others.

ESET's report provides a full analysis including MITRE ATT&CK techniques and other IOCs.

Stefanko, Lukas, Bahamut cybermercenary group targets Android users with fake VPN apps, blog post, 23 November 2022. Available online at https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
