Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Former Ubiquiti Engineer Pleads Guilty to Data Theft, Extortion
A former employee at network equipment firm Ubiquiti has pleaded guilty to charges of stealing confidential data, extorting a ransom from his employer and causing the publication of misleading news articles. Nickolas Sharp misused his administrative privileges to access the company's AWS and GitHub accounts, stealing gigabytes of confidential data. To cover his tracks he shortened the log retention policies, altered other files and routed his access through the Surfshark VPN service - but did not realise that a brief Internet outage at his home had exposed his real IP address.
Once the breach was discovered, Sharp was one of those tasked with remediating it - while simultaneously sending an extortion demand to his employer, demanding payment of BTC50 (approximately $US2 million at the time) in return for the data and disclosure of a purported backdoor. When the company refused to pay, he leaked some of the data.
However, by now the FBI had tracked his IP address and executed a search warrant at his home in Portland, OR. He denied all involvement and stated that he had not previously used Surfshark - only to be confronted with records showing that he had set up a Surfshark account six months before the breach. To this, he claimed that someone else must have used his PayPal account.
Proving the truth of the old adage that when you're in a hole, you should stop digging, Sharp then contacted various tech news outlets, posing as a whistleblower and claiming that Ubiquiti had been hacked by an unknown actor who had gained root privileges and that the company had downplayed the incident. The publication of these stories caused Ubiquiti's stock price to fall by 20% - a drop of over $US4 billion in market capitalization.
Having pleaded guilty to one count of transmitting a program to a protected computer that intentionally caused damage, one count of wire fraud, and one count of making false statements to the FBI, Sharp now faces up to 35 years in prison. His actual sentence will be handed down in May.
Biase, Nicholas, Former Employee Of Technology Company Pleads Guilty To Stealing Confidential Data And Extorting Company For Ransom, press release, 2 February 2023. Available online at https://www.justice.gov/usao-sdny/pr/former-employee-technology-company-pleads-guilty-stealing-confidential-data-and.
OpenSSH 9.2/9.2p1 Released
The OpenSSH project has released OpenSSH 9.2/9.2p1, which fixes a number of security bugs. Prime among them is CVE-2023-25136, a pre-authentication double-free memory fault in sshd which was introduced in 9.1 (earlier releases are not affected) and which the project does not believe to be exploitable. A double free occurs when a program calls malloc() (or equivalent) to allocate a block once but then calls free() on that same block twice; the second free corrupts the allocator's bookkeeping, which in the worst case can be leveraged into memory corruption and remote code execution - although modern allocators detect the most naive double frees and simply abort the process, which is exactly how this bug surfaced.
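The kind of ownership mistake that produces a pre-authentication double free is easier to see in a small, self-contained illustration. The following is an added example written for this briefing, not OpenSSH's code: a helper that sometimes returns the caller's buffer and sometimes a freshly allocated one, and that frees an intermediate which, for one combination of client-compatibility flags, is the caller's own buffer. The flag names, the list-filtering helper and the allocation tracker are all made up for the example; the tracker counts a second free of the same block instead of letting glibc abort, so the buggy and fixed variants can be run side by side.

```c
/* Added illustration (not OpenSSH source). Flag names, filter helper and the
 * allocation tracker are all hypothetical, constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMPAT_CURVE25519PAD 0x1   /* hypothetical client-quirk flags */
#define COMPAT_OLD_DHGEX     0x2

/* Allocation tracker: blocks are never handed back to malloc, so an address is
 * never reused and a second free() of it is unambiguously a double free. */
#define MAX_LIVE 64
static struct { void *ptr; int freed; } live[MAX_LIVE];
static int nlive, double_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL || nlive == MAX_LIVE) abort();
    live[nlive].ptr = p; live[nlive].freed = 0; nlive++;
    return p;
}
static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    return memcpy(tracked_alloc(n), s, n);
}
static void tracked_free(void *p) {
    if (p == NULL) return;                       /* free(NULL) is a no-op */
    for (int i = 0; i < nlive; i++) {
        if (live[i].ptr != p) continue;
        if (live[i].freed) double_frees++;       /* the fault we are looking for */
        live[i].freed = 1;
        return;
    }
    abort();                                     /* freeing a pointer we never allocated */
}

/* Fresh copy of comma-separated `list` with every entry equal to `deny` removed. */
static char *filter_deny(const char *list, const char *deny) {
    char *out = tracked_alloc(strlen(list) + 1), *w = out;
    size_t dlen = strlen(deny);
    for (const char *s = list; *s != '\0'; ) {
        const char *comma = strchr(s, ',');
        size_t len = comma ? (size_t)(comma - s) : strlen(s);
        if (!(len == dlen && memcmp(s, deny, len) == 0)) {
            if (w != out) *w++ = ',';
            memcpy(w, s, len); w += len;
        }
        s += len + (comma ? 1 : 0);
    }
    *w = '\0';
    return out;
}

/* BUGGY: with only COMPAT_OLD_DHGEX set, `cp` aliases the caller's buffer, so
 * the free() below releases memory the caller still owns and will free again. */
static char *buggy_compat_proposal(int compat, char *p) {
    char *cp = NULL;
    if ((compat & (COMPAT_CURVE25519PAD | COMPAT_OLD_DHGEX)) == 0)
        return p;                                            /* caller's buffer */
    if (compat & COMPAT_CURVE25519PAD)
        p = filter_deny(p, "curve25519-sha256@libssh.org");  /* fresh buffer */
    if (compat & COMPAT_OLD_DHGEX) {
        cp = p;                                              /* fresh... or the caller's! */
        p = filter_deny(p, "diffie-hellman-group-exchange-sha256");
        tracked_free(cp);
    }
    return p;
}

/* FIXED: always hand back a fresh buffer and free only what this function
 * allocated itself, so ownership is unambiguous for the caller. */
static char *fixed_compat_proposal(int compat, char *p) {
    char *cp = NULL;
    if ((compat & (COMPAT_CURVE25519PAD | COMPAT_OLD_DHGEX)) == 0)
        return tracked_strdup(p);
    if (compat & COMPAT_CURVE25519PAD)
        p = cp = filter_deny(p, "curve25519-sha256@libssh.org");
    if (compat & COMPAT_OLD_DHGEX) {
        p = filter_deny(p, "diffie-hellman-group-exchange-sha256");
        tracked_free(cp);                                    /* NULL unless allocated above */
    }
    return p;
}

/* Caller that owns `configured`: frees the result if it is a fresh buffer, then
 * frees its own copy. Returns how many double frees the tracker saw. */
static int run_kex_setup(int compat, char *(*compat_fn)(int, char *)) {
    double_frees = 0;
    char *configured = tracked_strdup("curve25519-sha256@libssh.org,"
        "diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256");
    char *proposal = compat_fn(compat, configured);
    if (proposal != configured) tracked_free(proposal);
    tracked_free(configured);
    return double_frees;
}

int main(void) {
    printf("buggy, OLD_DHGEX only: %d double free(s)\n",
           run_kex_setup(COMPAT_OLD_DHGEX, buggy_compat_proposal));
    printf("buggy, both flags    : %d double free(s)\n",
           run_kex_setup(COMPAT_OLD_DHGEX | COMPAT_CURVE25519PAD, buggy_compat_proposal));
    printf("fixed, OLD_DHGEX only: %d double free(s)\n",
           run_kex_setup(COMPAT_OLD_DHGEX, fixed_compat_proposal));
    return 0;
}
```

The point worth noticing is that the buggy helper is perfectly well behaved for most clients: only the one flag combination in which no fresh buffer has yet been allocated makes the intermediate pointer alias the caller's buffer, which is why a bug of this shape can sit unnoticed until an old client with a particular compatibility profile connects. Replacing the tracker with the real free() and running under AddressSanitizer or a hardened glibc shows the same thing as a crash rather than a count.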
The vulnerability occurs in the unprivileged pre-authentication process, which is subject to a chroot() into an empty directory and is further sandboxed (via seccomp on Linux, and equivalent mechanisms on most other major platforms) by the OpenSSH privilege separation architecture. Although the listening sshd runs with root privileges, each new connection is handled by a forked child which in turn spawns an unprivileged process running as a dedicated low-privilege account (typically a user named sshd) to do the network-facing key exchange and authentication work, with a privileged monitor performing only the few operations that genuinely need root; only after authentication succeeds does a process run with the identity of the connecting user. An attacker who did manage to exploit this fault would therefore land in a chrooted, sandboxed, unprivileged process with no user identity yet, which is a large part of why the project rates it as not believed to be exploitable.
The vulnerability was first reported by Mantas Mikulenas, who discovered it when an old version of PuTTY caused the child sshd process to crash with a "seccomp violation" error - the allocator's double-free detection tripped, and the resulting abort path was itself caught by the sandbox. The new version is available from the OpenSSH mirrors, and packages for the various platforms should flow through distribution repositories shortly. Since only 9.1 is affected, sites still on 9.0 or earlier are not exposed to this particular bug; the version string in the server's identification banner will tell you which release you are running.
Mantas M., Bug 3522 - Crash with "free(): double free detected" with old clients, bug report, 15 January 2023. Available online at https://bugzilla.mindrot.org/show_bug.cgi?id=3522.
Uncredited, OpenSSH 9.2/9.2p1 (2023-02-02), release note, 2 February 2023. Available online at https://www.openssh.com/releasenotes.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.