Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Atlassian Products Not Rotating Session Cookies

Just over a week ago, Bangalore-based threat intelligence firm CloudSEK discovered a breach of their systems which led to a small leak of some customer information. At first, their investigations suggested that an employee's Jira password was compromised in order to gain access to Confluence pages. But upon deeper investigation, the details are a bit more concerning.

In fact, the threat actor did gain access to a CloudSEK employee's Jira account, but this was done using Jira session cookies present in stealer logs being sold on the dark web. Further investigation revealed that the session cookies of Atlassian products such as Jira, Confluence and BitBucket are not invalidated, even if the password is changed, even with 2FA enabled, and remain valid for 30 days. They only expire at that time, or if the user logs out before that time. A password change - or other significant changes - should see session cookies rotated, with a new cookie being issued.

The CloudSEK researchers have confirmed that this flaw can take over Jira accounts at hundreds of companies: over a million compromised computers and over 16,000 Jira cookies are currently for sale on dark web marketplaces. The company has released a free tool which lets companies check to see if their accounts are being advertised on dark web marketplaces; they have also notified Atlassian, who have acknowledged the issue and are working to resolve it.

Kulshrestha, Sparsh and Mayank Satnalika, Security Flaw in Atlassian Products (Jira, Confluence,Trello, BitBucket) Affecting Multiple Companies, blog post, 13 December 2022. Available online at https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/.

Qakbot Smuggles HTML in SVG Images

Your humble scribe fondly remembers the days of 7-bit ASCII email, before the evils of HTML formatting and massive MIME attachments. In particular, the shift to using highly-capable web browsers as email clients (rather than dumb text-only MUA's) opens up a world of possibilities for malicious users, who now have access to sophisticated scripting capabilities, cross-site scripting and other vectors.

However, crude embedding of malicious JavaScript code can easily be detected by network gateways and other security devices, so attackers have developed HTML smuggling techniques, which obfuscate or encode their payloads to evade detection. Cisco Talos researchers recently found a new technique used by the Qakbot banking trojan/stealer, which involves a particularly convoluted unpacking chain to infect the victim's computer.

The malicious email carries an HTML attachment, which in turn contains an SVG (Scalable Vector Graphics) image. SVG images are defined as XML markup tags, which in this case contain embedded HTML <script> tags. These, in turn, contain JavaScript which carries a base64-encoded password-protected ZIP file, which the user is prompted to open with a supplied password. And if the victim falls for this, they will find it unzips to an ISO file which infects their machine.

Once the machine is infected, it will hijack an email thread and propagate itself to still more victims. This may be a long and convoluted process, but it works, and it works well to evade detection by security devices.

Katz, Adam and Jaeson Schultz, HTML smugglers turn to SVG images, blog post, 13 December 2022. Available online at https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/.

FBI Takes Down 48 DDoS Sites, DoJ Charges Six Defendants

The FBI is now in the process of seizing 48 internet domains associated with web sites offering DDoS-for-hire services, commonly called "booter" services. The web sites had been used to launch millions of attempted - some successful - distributed denial of service attacks worldwide, targeting educational institutions, government agencies, gaming platforms and millions of individual users, disrupting their services and internet connections.

Although the sites claimed to offer "stresser' services, purportedly used for performance-testing networks and servers, the FBI determined that this was simply pretence, and that "thousands of communications between booter site administrators and their customers . . . make clear that both parties are aware that the customer is not attempting to attack their own computers", according to an affidavit filed in support of court-authorised warrants to seize the sites.

At the same time, prosecutors in both Los Angeles and Alaska filed charges against six defendants across the US, who each allegedly offered one-stop DDoS services, with subscriptions of various lengths and attack volumes. In each case, the FBI posed as a customer and was able to conduct test attacks to confirm that the  "booter" site functions as advertised.

The FBI, in conjunction with the UK National Crime Agency and the Netherlands Police, has launched a campaign using ads placed in search engines, triggered by the keywords associated with DDoS activities - the idea being to deter naive would-be-criminals searching for DDoS services and educate the public on their illegality.

Mrozek, Thom, Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services, news release, 14 December 2022. Available online at https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.