Blog entry by Les Bell

by Les Bell - Thursday, 15 December 2022, 9:16 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


TPG Exchange Servers Breached

Australian telco TPG Telecom has notified the Australian Stock Exchange (ASX) that their security consultants, Mandiant, had found evidence of unauthorised access to a hosted Microsoft Exchange service which hosts email accounts for up to 15,000 business customers of their iiNet and Westnet brands. The announcement gave no indication of the timeframe of the breach - only that it was discovered on 13 December as part of "Mandiant's ongoing engagement to assist with cyber protection" during which they conducted a "forensic historical review and discovered the unauthorised access".

The analysis revealed that the primary purpose of the threat actor was to search for customers' cryptocurrency and financial information. The unauthorised access has been blocked, additional controls put in place, and all affected customers are being contacted.

2022 has been a bad year for Microsoft Exchange users; one wonders why they keep using it...

Rickards, James, Unauthorised access to Hosted Exchange service, market announcement, 14 December 2022. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02612242.

Australia Considers Sanctions on Medibank Hackers

Having introduced Magnitsky Act-like laws to permit international sanctions, the Australian Government is now considering using them against cybercriminals for the first time. The government has previously sanctioned Iran's 'morality police' as well as Iranians and Russians linked to human rights abuses.

The Department of Foreign Affairs and Trade has provided advice to the Minister, Penny Wong, about possible use of these cyber-related powers. In a response tabled to a Senate question on notice, the Department stated, "The department routinely provides advice to ministers on possible sanctions measures, including cyber sanctions".

Hurst, Daniel, Russian Medibank hackers could be first targets of Australian sanctions against cyber-attackers, The Guardian, 15 December 2022. Available online at https://www.theguardian.com/australia-news/2022/dec/15/russian-medibank-hackers-could-be-first-targets-of-australian-sanctions-against-cyber-attackers.

InfraGard Member List Compromised via Social Engineering

The FBI runs a threat information sharing network called InfraGard which has more than 80,000 members, who are supposed to be vetted individuals in security roles - both physical and cyber - at private sector critical infrastructure companies. Now the InfraGard portal and membership database has been breached by a simple, but audacious, social engineering attack.

Security blogger Brian Krebs reports that a thread offering the InfraGard database for sale was posted to a relatively new cybercrime forum called 'Breached'. The database contains the names and contact information for tens of thousands of InfraGard members. The seller is using the handle 'USDoD', with the Defense Department's seal as their avatar, and is asking for $US50,000 - perhaps a bit optimistically, considering much of the information is already publicly available.

The breach was accomplished by submitting a phony membership application using the name, Social Security Number, date of birth and other personal details of a finance corporation CEO. InfraGard requires identity verification by either email or telephone - and while the attacker controlled a suitable email address, they chanced using the CEO's genuine mobile phone number. They got lucky: a month later they received an email stating that their application had been approved.

From there, the attacker had a friend write a Python script to query an API on the InfraGard website, and the data was theirs. As Krebs wrote his article, USDoD still had access to the InfraGard site and was using it to message members.

Krebs, Brian, FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked, blog post, 13 December 2022. Available online at https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/.

FortiOS 0day Exploited In The Wild

Fortinet has been having a bad year, and this continues as the company has issued an advisory for a heap-based buffer overflow in the SSL VPN component of their FortiOS software. The vulnerability allows a remote unauthenticated attacker to execute arbitrary code or commands via specially-crafted requests.

The advisory provides multiple IoCs which customers should immediately check for; the recommended workaround is to disable the SSL VPN service. The permanent fix is, of course, to upgrade to a later version of FortiOS.

Fortinet PSIRT, FortiOS - heap-based buffer overflow in sslvpnd, PSIRT advisory, 12 December 2022. Available online at https://www.fortiguard.com/psirt/FG-IR-22-398.

Citrix ADC and Gateway Exploits In The Wild

Citrix has released builds to fix a critical vulnerability, CVE-2022-27518, which affects Citrix ADC and Citrix Gateway versions 12.1 and 13.0 which are configured with a SAML SP or IdP configuration. Version 13.0-58.32 is not affected. This vulnerability is being exploited in the wild and customers are urged to update as soon as possible or take other measures to mitigate the problem.

CVE-2022-27518 is an "improper control of a resource through its lifetime" vulnerability - probably a memory problem such as use-after-free or similar - which allows an unauthenticated attacker remote code execution.

The National Security Agency has also issued a guidance document with advice on threat hunting steps Citrix customers can take to look for artifacts on their devices which may be attributed to APT5, also known as Keyhole Panda, UNC2630 and MANGANESE.

Lefkowitz, Peter, Critical security update now available for Citrix ADC, Citrix Gateway, blog post, 13 December 2022. Available online at https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/.

National Security Agency, APT5: Citrix ADC Threat Hunting Guidance, guidance document, 13 December 2022. Available online at https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR. Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.