Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

ESET Releases APT Activity Report for 2022

Security software and services firm ESET has released its APT Activity Report T3 2022, covering the last three months of the year. The report summarises the campaigns of threat actors affiliated with several states: China, Iran, North Korea and Russia (not that one should imagine for a moment that other countries don't have similar groups).

Not unexpectedly, the primary target of Russian-linked groups was Ukraine, against which they deployed an array of wipers and ransomware - for example, the notorious Sandworm group reappeared, this time with a new wiper targeting the Ukrainian energy sector (always a favourite Russian target in winter - it was also the target of Russian missile attacks this time).

Meanwhile, the Pandas - the China-aligned groups - seemed to shift their focus even more towards Europe, although some groups such as LuckyMouse and MirrorFace are continuing to target the S.E. Asian region, hitting companies in Hong Kong and also running a spearphishing campaign against Japanese political entities. The Iranian groups were more concerned with the Middle East, of course - primarily Israel and Israeli companies' overseas operations.

North Korean APT's are focused on financial rewards, targeting cryptocurrency firms and exchanges - a useful workaround for a country beset by financial sanctions.

The report provides a useful technical overview of the various campaigns with lots of links to more detailed reports, along with lists of targeted countries and regions, as well as industry sectors.

Boutin, Jean-Ian, ESET APT Activity Report T3 2022, blog post, 31 January 2023. Available online at https://www.welivesecurity.com/2023/01/31/eset-apt-activity-report-t3-2022/.

ImageMagick Vulns Lead to DoS, Arbitrary File Disclosure

One of the all-time-great secret tools of command line ninjas is the ImageMagick program suite, which can be used from the command line to convert graphic file formats and resize images without a whole lot of mousing around. The command-line nature of the ImageMagick convert utility means that is often used on web servers to downsize uploaded high-resolution images 'on the fly', so as to not waste bandwidth for viewers who will only see a smaller version on the final page anyway.

Now comes the disclosure of two 0day vulnerabilities discovered by Mexican security firm Metabase Q:

• CVE-2022-44267 - A DoS vulnerability triggered when parsing a PNG image with a filename consisting of a single dash ("-")
• CVE-2022-44268 - An information disclosure vulnerability that could be exploited to read arbitrary files from a server when parsing an image

Like many command-line utiliities, the ImageMagick programs will interpret a filename argument of '-' as a reference to the standard input stream (stdin), rather than an actual file (in *ix systems, files and devices are treated the same way anyway). Since web site image processing is usually based on actual files, there will be no data on stdin, and the process will block, waiting for input. Of course, that will affect only that thread or process, rather than the entire web server or system, but if that '-' was embedded on every page . . .

The second vulnerability could be more severe; it abuses the structure of a PNG file to get ImageMagick to read and incorporate an arbitrary file into the output image. Metabase Q's proof-of-concept, for example, retrieves the content of /etc/passwd, which could conceivably enumerate some user and system accounts, although it would have to be a really old system to contain password hashes. But other files, some considerably more sensitive, could be retrieved this way.

The vulnerabilities exist in ImageMagick versions up to and including 7.1.0-49; they were fixed in version 7.1.0-52, which was released in November 2022 and should have percolated through repositories by now and have been updated by switched-on site admins. I'll still be using my updated ImageMagick.

Gonzales, Bryan, ImageMagick: The hidden vulnerability behind your online images, blog post, undated. Available online at https://www.metabaseq.com/imagemagick-zero-days/.

Google Expands Fuzzer Reward Program

Since 2017, Google has run an OSS-Fuzz Reward Program to encourage the use of fuzz testing in the open source community. Lest you think this is an obscure little corner of software testing, let me point out there is money in it: the OSS-Fuzz Reward Program has awarded over $US600,000 to over 65 different contributors for their assistance.

Now, Google has announced many new types of rewards which expand the scope of the program, covering contributions such as integration of new sanitizers to find new vulnerabilities, notable FuzzBench integrations, and project fuzzing coverage increase. The total possible rewards for a project integration has increased by 50% to $US30,000, depending on the criticality of the project.

The firm has also continued to add new language support and tools to the OpenSSF FuzzIntrospector tool, which was integrated into OSS-Fuzz last year.

Chang, Oliver, Taking the next step: OSS-Fuzz in 2023, blog post, 1 February 2022. Available online at https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html.

OpenAI Escalates Arms Race With Itself

Your humble scribe counts himself lucky to have retired from academia just as artificial intelligence tools like ChatGPT have made it possible for students to submit realistic essays that were not written by the student himself (nor by a for-hire essay-writing service). Detecting automated plagiarism of this kind can be quite tricky; those who have played with ChatGPT - which must be all of us, by now - know that its output reads easily, although a sequence of conversations will reveal a certain underlying structure that never varies.

The main drawback of ChatGPT is the fact that it was pre-trained in 2021 and is not aware of developments since then. It also has a nasty characteristic that is a dead giveaway: it will cite non-existent papers and will confess, when pushed, that it lied. Given time, though, both of these will be overcome. But even in the meantime, it will take a human marker far longer to investigate possible plagiarism than a student would do in creating it. How, then, to detect AI-written submissions?

OpenAI to the rescue! The firm has, inevitably, trained a classifier to distinguish between human-written and AI-generated text from a variety of providers. It's not very good yet; in testing it accurately categorized 26% of AI-written text as "likely AI-written" but incorrectly categorized 9% of human-written text as being the work of an AI (false positives). However, this represents a significant improvement over the previous classifier.

Of course, the classifier has to be trained on a corpus consisting of pairs of AI- and human-written text on the same topic; something that is expensive to arrange, especially on some topic areas, and could conceivably be gamed to bias the classifier. And reliability will be much lower when applied to topics that the classifier has not been trained on.

It was inevitable that one solution to a problem posed by AI would be AI, even if this puts OpenAI into an arms race with itself. But at least the firm is engaging with educators and others to discuss these problems, via a feedback form and other resources.

Kirchner, Jan Hendrik, Lama Ahmad, Scott Aaronson and Jan Leike, New AI classifier for indicating AI-written text, blog post, 31 January 2023. Available online at https://openai.com/blog/new-ai-classifier-for-indicating-ai-written-text/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.