Blog entry by Les Bell

by Les Bell - Friday, December 9, 2022, 9:12 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Government of Vanuatu Networks Shut Down

We start with a story which seems to have slipped under the radar for the last month. Following an election in the tiny Pacific island nation of Vanuatu, the new government, which took office on 6 November, discovered that government email accounts would not work - and neither would any other computerized government service, such as driver's licence renewals, tax payments or medical information.

Being a tiny nation spread across many islands, there are few opportunities for redundancy in Vanuatu's computer networks, and so government systems are highly centralized in the capital, Port Vila. Government officials first discovered suspicious activity on their networks on 6 December, but only revealed the breach to local media several days later, with international media slow to pick up on the attack. Meanwhile, government services reverted to using pen and paper - which will severely slow service delivery across the dozens of islands that make up the country.

The Australian Cyber Security Centre has provided assistance, and several weeks on, approximately 70% of government services had been restored. These include financial services, health procurement, immigration and passport data and, most importantly, phone connections for emergency services.

As a small dot on the globe, albeit often voted the happiest nation in the world - and if you have visited, you'll know exactly what I mean - Vanuatu may have escaped attention from cybercriminals. But now the cyber world has caught up with it, and it may finally have been subjected to a ransomware attack, although there is no confirmation of this.

McLaughlin, Jenna, The Pacific island nation of Vanuatu has been knocked offline for more than a month, NPR, 6 December 2022. Available online at https://www.npr.org/2022/12/06/1140752192/the-pacific-island-nation-of-vanuatu-has-been-knocked-offline-for-more-than-a-mo.

Internet Explorer Vulnerabilities Still Causing Damage

The tightly-coupled innards of Windows continue to cause trouble for Microsoft and its customers. Internet Explorer may be officially dead, replaced by Edge, but the Microsoft software ecosystem still relies on IE components for some functionality. An example is Microsoft Word, which renders HTML content in rich text documents using IE.

Now Google's Threat Analysis Group reports the discovery in October of a 0day exploit in the wild, targeting users in South Korea. The lure was an Office document entitled "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" - a reference to the tragic crowd crush incident during Seoul Halloween celebrations.

Once opened, the document downloads a remote RTF template containing HTML, which causes Office to call the IE rendering engine DLL. This technique is well known, but in this case, it exploits a 0day vulnerability (CVE-2022-41128) in the IE JScript engine. The exploit JavaScript first contacts a C2 server, then launches the exploit shellcode, which covers its tracks by erasing the IE cache and history before downloading the next stage. Google's analysts did not have access to that code, but the same attackers have previously used a variety of implants such as ROKRAT, BLUELIGHT and DOLPHIN.

The infection could easily be blocked by an alert user, since the downloaded document carries the Mark of the Web and requires the user to disable protected view and allow editing. The attack is attributed to the North Korean group APT37, also known as ScarCruft, Reaper and InkySquid.

LeCigne, Clement and Benoit Sevens, Internet Explorer 0-day exploited by North Korean actor APT37, blog post, 7 December 2022. Available online at https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/.
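The remote-template step in the chain above is worth being able to spot on disk, before a document is ever opened. A .docx is a ZIP archive, and any attached template is declared as a Relationship of type ".../attachedTemplate" in word/_rels/settings.xml.rels; a legitimate template points at a local file, while a template-injection document points at a URL or UNC share. The scanner below is an added example written for this briefing (it is not code from the Google TAG post or from Microsoft) and it assumes only that Open XML relationship structure; the sample documents it builds are constructed in memory, with placeholder targets, purely to exercise the check.

```python
"""Flag Word documents whose attached template is fetched from a remote location.

Added example, not from the original post. Relies on the Open XML layout:
word/_rels/settings.xml.rels lists Relationships, and an attached template is
the one whose Type ends in "/attachedTemplate". Local templates are also marked
TargetMode="External" (e.g. file:///C:/.../Normal.dotm), so the decision is
made on the target, not on TargetMode alone.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target):
    """True if a relationship target would be fetched over the network."""
    t = target.strip().lower()
    if t.startswith(("http://", "https://", "ftp://")):
        return True
    if t.startswith("\\\\"):                      # UNC path \\server\share
        return True
    if t.startswith("file://") and not t.startswith("file:///"):
        return True                               # file://host/share is remote
    return False                                  # local drive or relative path


def find_external_templates(docx_bytes):
    """Return [(rel_id, target)] for every attached template with a remote target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits                           # no settings rels: nothing attached
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if not rel.get("Type", "").endswith(ATTACHED_TEMPLATE):
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and is_remote_target(target):
                hits.append((rel.get("Id"), target))
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal .docx (not a real document) used only to demonstrate the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder parts
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ['<?xml version="1.0" encoding="UTF-8"?>',
                '<Relationships xmlns="%s">' % RELS_NS]
        if template_target:
            rels.append(
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                'officeDocument/2006/relationships/attachedTemplate" '
                'Target="%s" TargetMode="External"/>' % template_target)
        rels.append("</Relationships>")
        zf.writestr(SETTINGS_RELS, "\n".join(rels))
    return buf.getvalue()


def scan_file(path):
    """Scan a .docx on disk; returns the same list as find_external_templates."""
    with open(path, "rb") as fh:
        return find_external_templates(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p) or "no remote template")
    else:
        # Self-demonstration on constructed documents (placeholder URL, not a real IoC).
        benign = build_sample_docx("file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm")
        suspect = build_sample_docx("http://template-host.invalid/lure.rtf")
        print("benign :", find_external_templates(benign))
        print("suspect:", find_external_templates(suspect))
```

Run it with one or more .docx paths to triage a mail quarantine, or with no arguments to see it classify the constructed benign and suspect documents. Note that this only catches the relationship form of template injection; the document still carries the Mark of the Web, so Protected View remains the control the post describes, and this scan is a complement to it rather than a replacement.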

Darknet Service Trojanizes Legitimate Android Apps

A banking trojan campaign uncovered by fraud intelligence firm ThreatFabric has led investigators to a third-party dark web service which can bind malicious payloads to legitimate Android applications, thereby tricking victims into installing them.

The initial campaign employed several types of desktop malware such as the Erbium stealer, Aurora stealer and Laplas clipper, as well as the Ermac Android banking trojan. The latter was distributed by a one-page website offering applications for wi-fi authorization; several updates were downloaded, with payloads targeting different banking applications. The same site also offered downloads for Windows, which also carried banking trojans.

The researchers tracked these back to a binding service, initially offered by a threat actor in March 2022, called Zombinder, which is now used by several different actors. This is being used to distribute a variety of mobile malware, mainly banking trojans such as Ermac and Xenomorph.

Uncredited, Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers, blog post, 8 December 2022. Available online at https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html.

Medibank Goes Offline To Remediate Its Networks

Australian insurer Medibank will take its systems offline - and close its retail storefronts - this weekend while it performs remediation work on the networks and systems which were affected by its recent highly-publicized data breach. All systems for both Medibank and its ahm general insurance subsidiary will be offline from 8:30 pm AEDT tonight (9 December) and are expected to be back online by Sunday 11 December at the latest.

The Medibank app, as well as online terminals for directly processing claims at service provider practices, will also be offline. The lesson: never underestimate remediation costs following a breach.

Uncredited, Planned outage to Medibank systems, notification, 7 December 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
