Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Google Rushes Out Patch for Chrome 0Day Vulnerability

Google has released an update for the Windows, Mac and Linux versions of the Chrome browser in order to mitigate CVE-2022-4135, a heap buffer overflow in Chrome's GPU Process. This vulnerability is being exploited in the wild, but details are scarce, since Google will restrict access to the details until a majority of users have updated their systems, especially if other projects depend upon it.

Bommana, Prudhvikumar, Stable Channel Update for Desktop, blog post, 24 November 2022. Available online at https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html.

Interpol Cracks Down on Online Fraud

A major international operation stared by INTERPOL in late June has now culminated in the arrest of almost 1,000 suspects who were allegedly engaged in a wide range of online scams and money laundering. At the same time, virtual assets worth $US129,975,440 were seized.

Opeeration HAECHI III specifically targeted vishing (voice phishing), romance scams, sextortion, investment fraud and money laundering associated with illegal online gambling, and was coordinated by INTERPOL's Financial Crime and Anti-Corruption Centre, involving 30 countries: Australia, Austria, Brunei, Cambodia, Cote d’Ivoire, France, Ghana, Hong Kong (China), India, Indonesia, Ireland, Japan, Korea, Kyrgyzstan, Laos, Malaysia, Maldives, Nigeria, Philippines, Poland, Romania, Singapore, Slovenia, South Africa, Spain, Sweden, Thailand, United Arab Emirates, United Kingdom, and the United States.

The investigators saw several new trends in financial crime, such as an increase in fraudulent investment schemes committed via instant messaging apps combined with cryptocurrency payments. In another case, the Austrian and Indian National Central Bureaus of INTERPOL identified a group of scammers who had been impersonating INTERPOL officers, relieving victims of $US159,000 via financial institutions, crypto exchanges and online gift cards. The Indian authorities raided the scammers' call centre, seizing four cryptocurrency wallets and other evidence.

The operation highlights the international nature of online cybercrime, and the need for cross-border cooperation by authorities.

Uncredited, Cyber-enabled financial crime: USD 130 million intercepted in global INTERPOL police operation, news release, 24 November 2022. Available online at https://www.interpol.int/News-and-Events/News/2022/Cyber-enabled-financial-crime-USD-130-million-intercepted-in-global-INTERPOL-police-operation.

RansomExx Gets Rusty

The RansomExx ransomware has been around since 2018, operated by a threat actor called DefrayX or Hive0091. The same group is also behind the PyXie malware, Vatet loader and Defray ransomware.

Now, like many other malware developers, DefrayX has switched their development from the C++ programming language to Rust. Although the Rust programming language has garnered attention from systems programmers because it is memory safe, it is drawing increased attention from malware developers because it can produce statically-linked stand-alone binaries and - perhaps more importantly - it has much lower detection rates when scanned by antivirus tools. Its large and complex binaries also make them harder for malware analysts to reverse engineer.

The new variant of RansomExx, dubbed RansomExx2, has similar functionality to its C++ progenitor - it is a command-line program which requires a list of directories to encrypt, passed as command-line arguments, and then performs encyption with AES-256 and wraps the AES keys with RSA encryption. IBM X-Force Threat Researchers have provided a comprehensive write-up on a sample.

Hammond, Charlotte, RansomExx Upgrades to Rust, blog post, 22 November 2022. Available online at https://securityintelligence.com/posts/ransomexx-upgrades-rust/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.