Blog entry by Les Bell

by Les Bell - Monday, 12 December 2022, 9:37 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Ethics of Reporting on Privacy Breaches

An interesting article on the ABC (Australia) web site examines the ethical issues faced by reporters in covering privacy breaches such as the recent Medibank breach. It's a topic I explore in a cybersecurity management course I teach, via a case study in which a hotel chain suffers a cryptominer infection via its guest wifi network. A relatively minor incident causes major reputational damage as security bloggers publicize it (coupled with inept crisis communications by the hotel chain's PR person), and I get students to discuss the allocation of responsibility, accountability and liability among the hotel IT staff, the hackers, the bloggers and the hotel guests themselves (after all, do you trust public wifi networks? I don't).

The Medibank breach was much more serious, seeing the release of personal medical information for millions of people. The ABC article examines the role of the general media in increasing the leverage available to extortionists, as well as the impact of reporting on the victims. It's thought-provoking material and useful to bear in mind for any future incident response planning, especially for crisis communications.

Terzon, Emilia, The editorial questions ABC News journalists faced when covering the Medibank data leak, ABC News, 11 December 2022. Available online at https://www.abc.net.au/news/backstory/2022-12-11/editorial-questions-reporting-on-medibank-hack/101737920.

Iranian Web Shell Campaign Uses GitHub as Dead Drop Resolver

Secureworks Counter Threat Unit researchers have reported on a malware campaign being run by a subgroup of the Iranian government-sponsored threat group COBALT MIRAGE. The initial intrusion is performed using any of several techniques; the specific intrusion analyzed by Secureworks started with compromise of a VMware Horizon server using two Log4j vulnerabilities.

Once initial access was obtained, the threat actor uploaded the Drokbk malware as a zip file which was extracted and then executed. The first stage of the malware is a dropper, which is created as a file, SessionService.exe, from an internal resource and then added to the SessionManagerService in order to persist. SessionService.exe is then executed; it begins by finding its C2 domain, which it does using the 'dead drop resolver' technique - this allows an actor to completely change its C2 infrastructure, with operating malware able to rediscover the C2 infrastructure via a public service, such as AWS S3 buckets, Pastebin or even comments on Britney Spears's Instagram account (yes, really). In this case, Drokbk uses the README.md file of a GitHub account to relay the C2 server name.

The analyzed sample initially sent a request, containing the hostname and time, to the C2 server, but no commands were received in response. Drokbk is only one of the tools being used by this threat actor; they are also known to use the Fast Reverse Proxy (FRPC) tool.

Secureworks Counter Threat Unit Team, Drokbk Malware Uses GitHub as Dead Drop Resolver, blog post, 9 December 2022. Available online at https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver.

Janicab Reemerges, Targeting Middle East and Europe

The Janicab backdoor, first seen in 2013, has reemerged in a campaign by a threat actor tagged DeathStalker, which appears to be targeting financial and legal institutions as well as travel agents in the Middle East and Europe, according to Kaspersky researchers. Janicab is cross-platform malware, able to run on both macOS and Windows, with the Windows version using a VBScript-based implant as the final stage; rather than relying on downloaded exploitation tools, it has much of the required functionality implemented internally.

Initial compromise is achieved via spear-phishing, using targeted lures in the form of a ZIP file containing a LNK-based dropper as well as a decoy document. Opening the LNK file executes a chain of malware files - an initial loader, a second stage which extracts a CAB archive containing additional resources and Python code, and finally, the last stage which is the Janicab backdoor. This then deploys a new LNK file into the Startup folder in order to persist.

Like Drokbk, described above, Janicab uses the 'dead drop resolver' technique to locate its C2 server - DeathStalker uses YouTube and WordPress web services for this purpose. Once communication is established, Janicab can perform a variety of functions such as keystroke logging, screen capture, running commands, checking for installed malware, etc. - the use of VBScript allows new modules to be added easily, and the number of variants seen to date suggests that it is under active development.
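Both the Drokbk and Janicab items above turn on the same defensive observation: malware that uses a dead drop resolver must fetch its C2 address from a public service, and that fetch comes from a process that has no business talking to GitHub, Pastebin or YouTube. The following is an added example of that detection idea, not code from either vendor report: it runs a simple heuristic over a few constructed web-proxy log lines (tab-separated timestamp, source host, originating process and URL, a layout assumed for illustration) and flags fetches to dead-drop-capable services from processes outside an allowlist of browsers and developer tools, rating script hosts as higher severity. The GitHub account and repository names in the sample are placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log (not real data). Fields are tab-separated:
# timestamp, source host, originating process, requested URL.
# EXAMPLE-ACCOUNT / EXAMPLE-REPO / EXAMPLEID are placeholders, not real IoCs.
SAMPLE_PROXY_LOG = """\
2022-12-09T08:01:12Z\tws-finance-07\tchrome.exe\thttps://github.com/someorg/somerepo
2022-12-09T08:03:41Z\tsrv-horizon-01\tSessionService.exe\thttps://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/README.md
2022-12-09T08:05:02Z\tws-legal-03\twscript.exe\thttps://www.youtube.com/watch?v=EXAMPLEID
2022-12-09T08:06:15Z\tws-dev-11\tcurl.exe\thttps://raw.githubusercontent.com/someorg/tooling/main/README.md
2022-12-09T08:07:30Z\tws-hr-02\tfirefox.exe\thttps://pastebin.com/raw/EXAMPLEID
"""

# Public services the reports above mention as dead drop resolvers
# (GitHub README files, Pastebin, S3 buckets, YouTube, WordPress, Instagram).
# Matched on the request host or any subdomain of it.
DEAD_DROP_HOST_SUFFIXES = (
    "raw.githubusercontent.com", "github.com", "pastebin.com",
    "s3.amazonaws.com", "youtube.com", "wordpress.com", "instagram.com",
)

# Processes for which a fetch from those services is unremarkable. This
# allowlist is an assumption for the example; tune it from your own baseline.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "git.exe", "curl.exe"}

# Script hosts: a fetch from these is a stronger signal, since Janicab's
# final stage is VBScript and none of these normally browse public web services.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}


@dataclass
class Alert:
    timestamp: str
    src_host: str
    process: str
    url: str
    severity: str


def is_dead_drop_host(hostname: str) -> bool:
    """True if the host is one of the listed services or a subdomain of one."""
    hostname = hostname.lower()
    return any(hostname == s or hostname.endswith("." + s) for s in DEAD_DROP_HOST_SUFFIXES)


def parse_line(line: str):
    """Split one proxy record; returns None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return None
    ts, src, proc, url = fields
    return ts, src, proc.lower(), url


def detect_dead_drop_lookups(log_text: str) -> list:
    """Return an Alert for every request to a dead-drop-capable service
    made by a process outside the expected-client allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, proc, url = rec
        host = urlparse(url).hostname or ""
        if not is_dead_drop_host(host):
            continue
        if proc in EXPECTED_CLIENTS:
            continue
        severity = "high" if proc in SCRIPT_HOSTS else "medium"
        alerts.append(Alert(ts, src, proc, url, severity))
    return alerts


if __name__ == "__main__":
    for a in detect_dead_drop_lookups(SAMPLE_PROXY_LOG):
        print(f"[{a.severity}] {a.timestamp} {a.src_host} {a.process} -> {a.url}")
```

Run against the sample, the function flags the SessionService.exe fetch of a GitHub README (medium) and the wscript.exe request to YouTube (high), and ignores the browser and curl traffic. The allowlist is deliberately crude; in practice you would key it on process path and signer rather than file name, and treat a server such as the Horizon host, which should never fetch from any of these services, as a zero-tolerance case.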

Global Research and Analysis Team, DeathStalker targets legal entities with new Janicab variant, APT report, 8 December 2022. Available online at https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

[ Modified: Monday, 12 December 2022, 10:36 AM ]