Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
MA Town Employee Schools Everyone on Cryptomining
Out of Cohasset, Massachusetts comes the cautionary tale of Nadeam Nahas, the town's assistant facilities director - now former assistant facilities director - who has been charged with fraudulent use of electricity and vandalizing a school, after setting up a secret cryptocurrency mining operation in a remote crawl space in the town's Middle/High School.
Apparently, back in December 2021 Nahas's boss, the town's facilities inspector, was conducting a routine inspection of the school when he found electrical wires, temporary duct work, and numerous computers that seemed out of place. He contacted the town's IT director, who determined that it was a cryptomining setup, unlawfully using the school's electrical system. I suspect you'd need more than a few computers to compete with ASIC-based mining rigs, so the theft of electricity could well be significant.
The local police were called, and the Coastguard Investigative Service and Department of Homeland Security assisted with safely removing and examining the equipment. A three-month investigation identified Nahas as a suspect, and after a show-cause hearing, a criminal complaint was issued. He resigned from his job in early 2022, and was due to be arraigned yesterday but did not show up and the judge issued a warrant for his arrest.
Ah, crypto. When will people ever learn . . . ?
Uncredited, Police: Crypto mining operation found in school crawl space, AP News, 23 February 2023. Available online at https://apnews.com/article/massachusetts-c59f30e1736c7409e41357f1ae2e7b93.
Cloud Security: All Your Containers Are Belong to Us?
Cloud security firm Sysdig has produced their "2023 Cloud-Native Security and Usage Report" and the contents make sobering reading. The report is based on "data gathered from billions of containers, thousands of cloud accounts, and hundreds of applications" operated by Sysdig's customers, so it is based on what DevOps people are doing, rather than what they say they are doing.
The two biggest threats to cloud security continue to be misconfigurations and vulnerabilities - which are an increasing threat because they are being introduced into supply chains in ever-greater numbers. Sysdig found that 87% of container images running in production have critical or high severity vulnerabilities.
This suggests that 'shift-left' strategies, which attempt to improve code quality and detect and eliminate vulnerabilities earlier in the software development life cycle (an increasingly nebulous concept in itself) are not working and that enterprises need runtime security technologies. Sysdig cite the example of Falco, a Cloud Native Computing Foundation (CNCF) open-source project they originally created, which helps organizations detect runtime threats across clouds, containers, hosts and Kubernetes environments.
On the up side, it seems that paying attention to supply-chain security will pay off handsomely, allowing developers to focus their remediation efforts on only those vulnerable packages loaded at runtime, which is only 15% of the critical or high severity packages - this seems to be yet another example of the Pareto rule.
In other findings, there is a lot of talk about zero trust, but not much action. The fact that 90% of granted privileges are not used indicates that developers and admins are not applying the principle of least privilege. In practice, 58% of identities are not humans - they are service accounts and often have not been used for over 90 days, or are expired test accounts or third-party accounts which should have been revoked.
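The unused-privilege and stale-service-account findings above translate directly into an audit you can run over your own identity inventory. This is an added example, not code from Sysdig or from the report; the record layout (name, kind, last_used, granted, used) and the sample identities are constructed, and only the 90-day idle threshold comes from the post.

```python
from datetime import date

# Constructed sample records, shaped like a cloud IAM "last accessed" export.
# Field names are hypothetical; the percentages in the post are Sysdig's,
# not derived from this data.
IDENTITIES = [
    {"name": "alice", "kind": "human", "last_used": date(2023, 2, 20),
     "granted": {"s3:GetObject", "s3:PutObject", "ec2:StartInstances"},
     "used": {"s3:GetObject"}},
    {"name": "ci-deploy", "kind": "service", "last_used": date(2023, 2, 22),
     "granted": {"ecr:GetAuthorizationToken", "ecr:BatchGetImage", "iam:PassRole", "ec2:*"},
     "used": {"ecr:GetAuthorizationToken", "ecr:BatchGetImage"}},
    {"name": "test-runner-old", "kind": "service", "last_used": date(2022, 10, 1),
     "granted": {"s3:*", "dynamodb:*"}, "used": set()},
    {"name": "vendor-backup", "kind": "service", "last_used": None,  # never signed in
     "granted": {"s3:GetObject"}, "used": set()},
    {"name": "bob", "kind": "human", "last_used": date(2023, 1, 15),
     "granted": {"ec2:DescribeInstances"}, "used": {"ec2:DescribeInstances"}},
]

TODAY = date(2023, 2, 24)  # fixed "now" so the audit is reproducible


def excess_privileges(rec):
    """Permissions granted but never exercised: the least-privilege trim list."""
    return sorted(rec["granted"] - rec["used"])


def is_stale(rec, today, idle_days=90):
    """Non-human identity never used, or idle longer than idle_days: revoke candidate."""
    if rec["kind"] == "human":
        return False
    if rec["last_used"] is None:
        return True
    return (today - rec["last_used"]).days > idle_days


def audit(records, today, idle_days=90):
    """Summarise the inventory the way the report does: identity mix, unused grants, stale accounts."""
    granted = sum(len(r["granted"]) for r in records)
    used = sum(len(r["used"]) for r in records)
    non_human = [r for r in records if r["kind"] != "human"]
    return {
        "non_human_share": len(non_human) / len(records),
        "unused_privilege_share": (granted - used) / granted,
        "stale_service_accounts": sorted(r["name"] for r in records if is_stale(r, today, idle_days)),
        "trim": {r["name"]: excess_privileges(r) for r in records if excess_privileges(r)},
    }


if __name__ == "__main__":
    for key, value in audit(IDENTITIES, TODAY).items():
        print(f"{key}: {value}")
```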
Sysdig, Inc., Sysdig 2023 Cloud-Native Security and Usage Report, technical report, January 2023. Available online at https://sysdig.com/2023-cloud-native-security-and-usage-report/.
One Year On, Ukraine Still Not Wiped, Despite Massive Efforts
It's been one year since the beginning of Russia's little adventure in Ukraine. While TV news reports focus on the conventional kinetic warfare - lord knows, it's spectacular enough, and costly in human terms - there has been, of course, a similar cyberwar taking place across the borderless space of the Internet.
Russian state-sponsored threat actors have a long history of unleashing cyber-attacks on the country's former satellites - long-term infosec wonks will remember the 2007 attacks on Estonia's parliament, government ministries and media organizations, and who can forget 2017's NotPetya, a wiper aimed at Ukraine's tax revenues, but which claimed victims all over the world as collateral damage?
Now three security firms - ESET, Fortinet and Mandiant - have all independently found that, in 2022, Ukraine was targeted by more samples of wiper malware than in any previous year - in fact, more than in any year, anywhere. Fortinet counted 16 different 'families' of wiper malware, compared to one or two in previous years, indicating that Russia has assigned a much larger number of developers to wiper development in an attempt to get ahead of Ukraine's hardened defences.
And, just as we saw with NotPetya, these variants are spreading and causing collateral damage around the world, not just directly but as a consequence of other hackers reusing them in 25 different countries, according to Fortinet. However, Russia seems to have traded quality for quantity as it increased its efforts - many of the newly-developed wipers are relatively crude and will be easier to detect and deal with.
Greenberg, Andy, Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever, Wired, 22 February 2023. Available online at https://www.wired.com/story/ukraine-russia-wiper-malware/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.