Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
OpenSSL Project Issues Security Advisory
The OpenSSL Project has released a security advisory to address multiple vulnerabilities affecting OpenSSL versions 3.0.0, 2.2.2, and 1.0.2. An attacker could exploit some of these vulnerabilities to obtain sensitive information.
The most serious vuln (CVE-2023-0286) could allow an attacker to read memory contents or DoS the server. However, it requires the attacker to provide both an X.509 certificate chain and CRL, and is really only likely to affect applications which have implemented their own functionality for retrieving CRLs.
The remaining vulnerabilities are classified as moderate, and involve a timing side channel in RSA decryption (CVE-2022-4304), a read buffer overrun in certificate verification (CVE-2022-4203), a use-after-free in a helper function for streaming ASN.1 data (CVE-2023-0215), a double-free in PEM file handling (CVE-2022-4450), an invalid pointer dereference triggered by malformed PKCS7 data (CVE-2023-0216), a NULL dereference when validating a DSA public key (CVE-2023-0217) and another NULL dereference during PKCS7 data verification (CVE-2023-0401).
The obvious mitigation is proactive patching with the appropriate updated version of OpenSSL, which should be percolating through distribution repositories.
OpenSSL Project, OpenSSL Security Advisory [7th February 2023], security advisory, 7 February 2023. Available online at https://www.openssl.org/news/secadv/20230207.txt.
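Since the only real mitigation is getting the fixed build installed, the check most of us end up scripting is "is the OpenSSL on this host at or above the fixed version for its series?" The following is an added example written for this briefing, not code from the OpenSSL project: it parses the output of `openssl version` (including the letter suffixes used by 1.0.2 and 1.1.1 releases, where `1.0.2zg` sorts after `1.0.2z`) and compares it against a table of first-fixed versions that you fill in from the advisory. The `FIXED_VERSIONS_PLACEHOLDER` values below are constructed placeholders, not the advisory's numbers.

```python
import re
import subprocess

# Matches the leading "OpenSSL <version>" token of `openssl version` output,
# e.g. "OpenSSL 3.0.7 1 Nov 2022" or "OpenSSL 1.0.2k-fips  26 Jan 2017".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed placeholder table: replace with the first fixed version per
# series taken from the advisory you are acting on.
FIXED_VERSIONS_PLACEHOLDER = {"3.0": "3.0.99", "1.0.2": "1.0.2zz"}


def parse_openssl_version(text):
    """Return (major, minor, patch, letters) from an `openssl version` line.

    Pre-3.0 releases append a letter suffix (1.0.2a ... 1.0.2z, then 1.0.2za ...);
    3.x releases use plain numbers. Letters compare as plain strings, which
    orders "" < "a" < "z" < "za" < "zg" correctly, so tuples compare directly.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version line: {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def series_of(version):
    """Release series used to key advisories: '3.0' for 3.x, '1.0.2' / '1.1.1' for older."""
    major, minor, patch, _ = version
    if major >= 3:
        return f"{major}.{minor}"
    return f"{major}.{minor}.{patch}"


def fmt(version):
    return f"{version[0]}.{version[1]}.{version[2]}{version[3]}"


def needs_update(version_line, fixed_by_series):
    """Return (needs_update, reason) for one `openssl version` line.

    A series missing from the fix table is reported as needing review rather
    than silently treated as safe.
    """
    installed = parse_openssl_version(version_line)
    series = series_of(installed)
    if series not in fixed_by_series:
        return True, f"series {series} is not in the fix table; review manually"
    fixed = parse_openssl_version("OpenSSL " + fixed_by_series[series])
    if installed < fixed:
        return True, f"{fmt(installed)} is older than fixed {fmt(fixed)}"
    return False, f"{fmt(installed)} is at or above fixed {fmt(fixed)}"


def check_local_openssl(fixed_by_series):
    """Run `openssl version` on this host and evaluate it against the table."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return True, f"could not run openssl: {exc}"
    return needs_update(out, fixed_by_series)


if __name__ == "__main__":
    update, reason = check_local_openssl(FIXED_VERSIONS_PLACEHOLDER)
    print("UPDATE NEEDED" if update else "OK", "-", reason)
```

Note that this only covers the `openssl` binary on the PATH; applications that statically link or bundle their own libcrypto (and anything using a vendored copy in a container image) have to be inventoried separately.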
North Korean Ransomware Targets Healthcare Sector
Various agencies, including the NSA, FBI, CISA and South Korean intelligence services, have jointly issued a Cybersecurity Advisory to highlight continuing ransomware attacks by the Democratic People's Republic of Korea (DPRK - in other words, North Korea) against the healthcare and public health sector. Although their primary concerns are the US and South Korean governments and health sectors, it seems unlikely the DPRK would confine their activities to just those countries.
Beset by currency sanctions, the DPRK views ransomware payments via cryptocurrencies as a good way to fund its other activities. The healthcare sector is particularly at risk, as both denial of access to patient data via encryption and leaking of exfiltrated patient data can be particularly damaging for both patients and the compromised organization. Exhortations never to pay a ransom are all very well, but . . .
The advisory updates one that was previously issued, adding TTPs and IOCs for two new ransomware campaigns called Maui and H0lyGh0st. While the technical details are of interest to some of us, for most, the key information is a list of suggested mitigations - all of which would be considered good practice in most environments. These include authenticating and encrypting network sessions with TLS, implementing the principle of least privilege, hardening systems by disabling unnecessary admin interfaces and implementing multi-layer network segmentation by trust level.
CISA, #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities, Alert AA23-040A, 9 February 2023. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa23-040a.
Infostealer Lures Victims with Fake Jobs
Trend Micro researchers recently discovered an infostealer campaign which targets Eastern Europeans in the cryptocurrency industry, luring them with fake jobs. The victims are enticed, via phishing or social media, into downloading and unpacking a RAR archive which contains two files: Interview questions.txt, a Cyrillic-charset text file, and Interview conditions.word.exe. That last filename is an obvious red flag to tech-savvy users - but we're talking about the crypto business here, remember?
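The ".word.exe" trick works because Windows Explorer hides known extensions by default, so the user sees "Interview conditions.word" and assumes a document. That makes double extensions a cheap thing to flag at the mail gateway or in an archive-scanning step. The following is an added example for this briefing, not code from Trend Micro or the campaign analysis: given the member names from an archive listing, it flags executable members, and specifically those that wear a document-looking pseudo-extension or a run of whitespace in front of the real extension. The extension lists and the sample archive listing are constructed for the example.

```python
import re
from dataclasses import dataclass

# Extensions Windows will launch directly (constructed list; extend for your estate).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
# Extensions that make a name *look* like a harmless document (constructed list).
DECOY_EXTS = {"word", "doc", "docx", "pdf", "txt", "rtf", "xls", "xlsx",
              "ppt", "pptx", "jpg", "png"}


@dataclass
class Finding:
    name: str
    reason: str


def classify_member(name):
    """Return a Finding for a suspicious archive member name, or None if benign."""
    base = name.rsplit("/", 1)[-1]          # archive listings use '/' separators
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None                         # no extension at all
    ext = parts[-1].strip()
    if ext not in EXECUTABLE_EXTS:
        return None                         # documents, archives, source files
    # "Interview conditions.word.exe": a decoy extension sits right before the real one.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return Finding(name, f"document-looking '.{parts[-2].strip()}' before executable '.{ext}'")
    # "report.pdf          .exe": whitespace pushes the real extension out of view.
    if re.search(r"\s{3,}", base):
        return Finding(name, "long whitespace run hiding the real extension")
    return Finding(name, f"executable '.{ext}' inside an archive")


def triage_archive(members):
    """Apply classify_member to every member name; return the list of findings."""
    findings = []
    for member in members:
        finding = classify_member(member)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed listing modelled on the lure described in the Trend Micro post.
    sample_listing = [
        "Interview questions.txt",
        "Interview conditions.word.exe",
        "docs/readme.md",
    ]
    for f in triage_archive(sample_listing):
        print(f"SUSPICIOUS: {f.name}: {f.reason}")
```

For ZIP archives the names come straight from `zipfile.ZipFile(path).namelist()`; RAR needs a third-party module or `unrar l`, but the classification is the same once you have the names. The rule deliberately flags every executable inside an archive, since in a mail or chat context that is itself unusual enough to quarantine for review.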
When the user opens that malware file, it kicks off a first-stage loader for the Enigma infostealer, which is a derivative of the Stealerium open-source stealer/clipper/keylogger. This first stage begins registration and downloads a second-stage payload. It uses two C2 servers: the first uses Telegram to deliver payloads, send commands and a heartbeat, while the second is used for DevOps and logging purposes, using the Amadey C2 control panel, which is popular in Russian hacker forums. It seems that this malware is under continuous rapid development, hence the extensive logging.
The first, second and third stage loaders are encrypted and heavily obfuscated, using multiple techniques, to resist reverse engineering - for example, human-readable function names are replaced with hash values, rendering the code hard to understand. The second stage attempts to disable Microsoft Defender (possible if the victim's user account has admin privileges), then downloads and runs the third stage, which in turn downloads, decompresses and executes the final stealer.
The stealer configures itself then sets to work, stealing user information, tokens and passwords from Chrome, Edge, Outlook, Telegram, Signal, OpenVPN and other applications, as well as capturing screenshots and extracting clipboard content. It then exfiltrates this via Telegram.
The Trend Micro blog post contains a link to IOCs, as well as some obvious mitigations.
Zahravi, Aliakbar and Peter Girnus, Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs, blog post, 9 February 2023. Available online at https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.