Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, November 30, 2022, 6:44 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Crypto Exchange Breached

I've been ignoring the litany of bad news surrounding cryptocurencies: declining values, rugpulls, collapsing exchanges and all the rest - but I couldn't resist this one.

Canadian crypto exchange Coinsquare, which claims to be "Canada's trusted platform to securely buy, sell and trade Bitcoin, Ethereum, and more", has emailed customers to notify them that it had discovered a "data incident" in which an unauthorized third party accessed a customer database which contains customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances".

Coinsquare's email stated - just as many other recently-breached companies have - that "No passwords were exposed. We have no evidence any of this information was viewed by the bad actor". If we have learned one thing from all the recent breaches, it is that many companies have inadequate monitoring of the traffic exiting their networks, so that information exfiltration goes undetected.

I'd suggest taking a wait-and-see approach on this one.

Munawa, Frederick, Major Canadian Crypto Exchange Coinsquare Says Client Data Breached, Coindesk, 27 November 2022. Available online at https://www.coindesk.com/tech/2022/11/26/major-canadian-crypto-exchange-coinsquare-says-client-data-breached/.

CISA Adds Two New Exploited Vulnerabilities

On Monday, the US Cybersecurity & Infrastructure Security Agency added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating that they were now being exploited in the wild.

One is the heap buffer overflow vulnerability in the Google Chrome GPU process (CVE-2022-4135) which we covered last Saturday, and for which Google rushed out an update.

The other is an as-yet-unspecified vulnerability in Oracle Fusion Middleware Access Manager; the OpenSSO Agent can easily be exploited to grant an unauthenticated attacker network access and take over the Access Manager. The vulnerability (CVE-2021-35587) has a CVSS 3.1 base score of 9.8 (CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability impacts versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0, which should be updated as soon as possible - it already should have been, since Oracle issued a Critical Patch Update in January 2022, following disclosure by Jangggg of VNPT and peterjson - Security Engineering - VNG Corporation. Which raises the question: why, one year on, is CISA seeing active exploitation?

CISA, Known Exploited Vulnerabilities Catalog, web page, 28 November 2022. Available online at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

Killnet Brags of Starlink and whitehouse.gov DDoS Attacks

Trustwave reports that the Russian state-linked threat actor, Killnet, claims to have launched successful DDoS attacks against a number of targets in the US and UK.

The group claims that on November 18, it, along with several other hacker groups, ran a DDoS attack against Starlink, the SpaceX-operated satellite Internet access provider - presumably as retribution for the company's provision of ground stations to Ukraine. Starlink's 3,00 low-earth orbit satellites provide high-bandwidth, low-latency Internet access - ideal for use by Ukrainian defending forces. The claim is supported by a Reddit thread in which users complained that they could not log in to their Starlink accounts.

The previous day, the group also claims, they ran a 30-minute attack on the official site of the White House, whitehouse.gov (which they claimed had 'military state protection against DDOS'!), and a few days later they DDoS'ed the site of the Prince of Wales, princeofwales.gov.uk, promising future attacks against other UK government, financial and healthcare sites. Again,the motivation appears to be those countries' support for Ukraine

SpiderLabs Research, Killnet Claims Attacks Against Starlink, Whitehouse.gov and United Kingdom Websites, blog post, 23 November 2022. Available online at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/killnet-claims-attacks-against-starlink-whitehousegov-and-united-kingdom-websites/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: