Blog entry by Les Bell

by Les Bell - Monday, November 28, 2022, 8:30 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


EUROPOL Coordinated Action Brings Down Caller ID Spoofing Site

Caller ID spoofing isn't particularly difficult, but it was made even easier by a site called iSpoof, which allowed criminals to anonymously make spoofed calls impersonating banks, government agencies and retail companies, send recorded messages and - perhaps most significantly - intercept time-based one-time passwords or mTANs. Now, following an investigation initiated by the Metropolitan Police in the UK, police forces in Europe, Australia, the US, Ukraine, Canada and other countries have simultaneously arrested 142 suspects, including the main administrator of the web site, and shut it down.

The investigation revealed that the website had earned over €3.7 million from its fee-paying criminal customers in just 16 months. However, victims in the UK alone had lost £43 million to the scams operated through the site, and worldwide losses were in excess of £100 million (€115 million).

Said Europol Executive Director, Ms Catherine De Bolle:

The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located. Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.

Uncredited, Action against criminal website that offered 'spoofing' services to fraudsters: 142 arrests, press release, 24 November 2022. Available online at https://www.europol.europa.eu/media-press/newsroom/news/action-against-criminal-website-offered-%E2%80%98spoofing%E2%80%99-services-to-fraudsters-142-arrests.

ConnectWise XSS Vulnerability Allows Scammers to Masquerade As Legit

Tech support scams are one of the banes of the modern world. Often run out of call centres in India and targeting the elderly and more vulnerable, these scams work by convincing the victim to download and install a remote access tool (whether knowingly or via a trojaned download), handing control to the scammer so they can 'fix a malware infection' - in practice, they will do anything from demanding payment to fix a concocted 'infection' to plundering the victim's bank account.

The scammers will use any of several remote access tools, including TeamViewer, AnyDesk, LogMeIn or ConnectWise. Rather than pay for licensed copies of the software, the scammers will rely on the free trial version - often a good indication that the operation is not legitimate: for example, ConnectWise adds a prominent advisory message on the main page of all trial or free accounts.

However, as revealed by Guardio Labs, the customization features of this page - used by legitimate companies to brand their tech support portals - contain a cross-site scripting vulnerability which allows the scammers to disable the trial version advisory that would warn victims, by adding some JavaScript code to set the advisory message's visibility property to 'hidden'. In fact, not only can scammers hide the advisory, they can use the customization features to masquerade as a legitimate tech support portal.

Guardio notified ConnectWise, who fixed the XSS vulnerability and completely removed the customization feature for trial and free accounts.
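To illustrate the root cause and its fix, here is an added example (not Guardio's or ConnectWise's code) of a simplified portal template renderer: the vulnerable version concatenates customer-supplied branding straight into the page, while the hardened version escapes it at the point of insertion. The element id, branding fields and sample payload are all constructed for the example.

```javascript
// Added example: why stored customization text must be escaped before it is
// placed in HTML. Assumed/constructed: the advisory element id, the branding
// fields, and the sample payload below (none are ConnectWise's real markup).

// The notice the platform shows on trial/free accounts (constructed text).
const TRIAL_ADVISORY =
  '<div id="trial-advisory">This remote session uses a free trial account.</div>';

// Escape the HTML-significant characters so untrusted text stays text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: branding values are interpolated raw into the page, so a
// customer (here, a scammer) can inject markup and script.
function renderPortalVulnerable(branding) {
  return `<html><body>${TRIAL_ADVISORY}` +
    `<h1>${branding.title}</h1><p>${branding.tagline}</p></body></html>`;
}

// Hardened: every untrusted value is escaped for the HTML text context.
function renderPortalHardened(branding) {
  return `<html><body>${TRIAL_ADVISORY}` +
    `<h1>${escapeHtml(branding.title)}</h1>` +
    `<p>${escapeHtml(branding.tagline)}</p></body></html>`;
}

// Simple check usable in a test suite: the template itself carries no
// <script> element, so any script tag in the output came from user input.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed branding mirroring the class of payload described above:
// script that hides the trial advisory.
const constructedBranding = {
  title: 'Acme Support',
  tagline: "Need help? <script>document.getElementById('trial-advisory')" +
    ".style.visibility='hidden'</script>",
};
```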

Tal, Nati, XSS Vulnerability Found in ConnectWise Remote Access Platform With Great Potential For Misuse by Scammers, blog post, 24 November 2022. Available online at https://labs.guard.io/xss-vulnerability-found-in-connectwise-remote-access-platform-with-great-potential-for-misuse-by-scammers-a0773da2aacf.

Preventing Remote Code Execution Vulnerabilities

The increased exposure of RESTful and other APIs on the public Internet has led to an increase in exploits such as Log4Shell and WannaCry which are able to perform remote code execution. These exploits make use of inadequate input sanitization, bugs in parsing libraries and even buffer overflows, not so much in the developers' own code - although that happens - but increasingly in the libraries and frameworks which programmers rely on for standard functionality.

An article in Dark Reading summarizes a number of useful techniques that developers and admins can make use of in DevSecOps environments to proactively reduce the risk of RCE vulnerabilities. The major techniques are:

  • Continuously run software composition analysis tools on your code base - for example, OWASP dependency-check for Java, or commercial tools like Snyk and Mend, can report vulnerable third-party libraries
  • Use static analysis security testing (SAST) tools - e.g. Bandit for Python, GoSec for Golang, or cross-language tools like SonarQube and Semgrep
  • Avoid default error messages - these may provide useful information (such as stack traces) to attackers
  • Configure everything as code - and use tools such as KICS and Checkov to scan configuration files for vulnerabilities before deployment
  • Do not run code on native machines, and apply the Principle of Least Privilege - use containers and maintain a narrow set of permissions and privileges for each
  • Employ dynamic analysis security testing (DAST) tools - e.g. ZAP to scan APIs for vulnerabilities

Many of these tools can be integrated into the DevSecOps pipeline. Of course, all the usual secure coding guidelines also apply.

Manor-Liechtman, Gabriel, How Development Teams Should Respond to Text4Shell, Dark Reading, 24 November 2022. Available online at https://www.darkreading.com/dr-tech/how-development-teams-should-respond-to-text4shell.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
