Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
White Hat Arrested; Was Black Hat in Reality
Back in January, Dutch police arrested three men, aged between 18 and 21, in connection with ransomware attacks on thousands of companies, but continued their covert investigation, isolating two of the suspects, before finally laying charges of computer intrusion, data theft, extortion, blackmail and money laundering.
The three typically demanded a ransom of around €100,000, but in some cases as high as €700,000; the prime suspect, a 21-year-old from Zandvoort, earned approximately €2,500,000 in the last few years. Despite victims paying up, in many cases the exfiltrated data was leaked online anyway, demonstrating the futility of paying ransoms - as well as the old saw that there is no honour among thieves.
However, the most intriguing fact is that one of those arrested was reportedly an active member of the Dutch Institute for Vulnerability Disclosure, a government-backed group of ethical hackers. It seems he may have been living something of a double life.
Cluley, Graham, "Ethical hacker" amongst those arrested in Dutch ransomware investigation, blog post, 28 February 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/ethical-hacker-amongst-those-arrested-in-dutch-ransomware-investigation/.
LastPass Doubly Hacked; Compromised via WFH Engineer
When LastPass discovered an intrusion last August, they thought they had kicked out the attacker and that was the end of the matter. It wasn't.
In a support note posted online, the company has revealed that “the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022”.
The company was blindsided by the fact that the TTPs and IOCs of the two breaches were different, leading investigators to conclude they were not related. In fact, the attacker had stolen valid credentials from a senior DevOps engineer and was subsequently able to use these to access the company's AWS infrastructure. It was only when AWS GuardDuty alerts indicated that the attacker was trying to use cloud IAM roles to perform unauthorized activities that they woke up to the second attack.
So, how were those credentials obtained? According to the firm, "this was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
"The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."
LastPass called in Mandiant, and has undertaken extensive remedial work, which is detailed on their page. But at root, this demonstrates the risk of hybrid work and telecommuting with employees using personal devices.
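The second LastPass intrusion was only noticed when GuardDuty flagged a valid identity being used to probe IAM roles it had no business touching. The following is an added example, not LastPass's, Mandiant's or AWS's own code, showing the shape of that detection on a handful of constructed CloudTrail-style records: a long-lived IAM user appearing from a source IP outside its historical baseline, and a burst of AccessDenied errors from that same identity within a short window. The user names, IP addresses, baseline and thresholds are all assumptions made up for the illustration; in practice the baseline would be built from weeks of real CloudTrail history and the alert fed into the SOC queue alongside GuardDuty's own findings.

```python
"""Detect a stolen-but-valid IAM identity probing roles it is not entitled to.

Added illustration (not LastPass's, Mandiant's or AWS's code). The events
below are constructed and trimmed to the real CloudTrail field names the
logic uses: eventTime, eventName, sourceIPAddress, errorCode, userIdentity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: source IPs each IAM user has historically been seen from.
# Addresses are RFC 5737 documentation ranges, chosen so they are not routable.
KNOWN_SOURCE_IPS = {
    "devops-engineer": {"203.0.113.10"},
}

DENIED_THRESHOLD = 3              # AccessDenied events per identity ...
DENIED_WINDOW = timedelta(minutes=10)  # ... inside this sliding window

# Constructed sample events: one normal action from the usual address, then
# the same user appearing from a new address and repeatedly failing to assume
# a role it does not hold, with a successful role enumeration in between.
SAMPLE_EVENTS = [
    {"eventTime": "2022-09-01T09:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "devops-engineer"}},
    {"eventTime": "2022-09-01T22:01:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "devops-engineer"}},
    {"eventTime": "2022-09-01T22:02:00Z", "eventName": "ListRoles",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "devops-engineer"}},
    {"eventTime": "2022-09-01T22:03:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "devops-engineer"}},
    {"eventTime": "2022-09-01T22:04:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "devops-engineer"}},
    # An identity with no baseline yet: nothing to compare against, no finding.
    {"eventTime": "2022-09-01T22:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
]


def parse_time(ts):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyse(events):
    """Return a list of findings, each a dict with kind/user/ip/event keys."""
    findings = []
    flagged_ips = set()                     # (user, ip) pairs already reported
    denied_times = defaultdict(list)        # user -> recent AccessDenied times

    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user = ev["userIdentity"].get("userName", "unknown")
        ip = ev["sourceIPAddress"]
        when = parse_time(ev["eventTime"])

        # 1. Valid credentials used from an address outside the user's baseline.
        if user in KNOWN_SOURCE_IPS and ip not in KNOWN_SOURCE_IPS[user]:
            if (user, ip) not in flagged_ips:
                flagged_ips.add((user, ip))
                findings.append({"kind": "new-source-ip", "user": user,
                                 "ip": ip, "event": ev["eventName"]})

        # 2. A burst of AccessDenied errors: the identity is probing for access
        #    it does not hold, which is what GuardDuty surfaced in the LastPass case.
        if ev.get("errorCode") == "AccessDenied":
            recent = [t for t in denied_times[user] if when - t <= DENIED_WINDOW]
            recent.append(when)
            denied_times[user] = recent
            if len(recent) == DENIED_THRESHOLD:   # fire once as the threshold is crossed
                findings.append({"kind": "denied-burst", "user": user,
                                 "ip": ip, "event": ev["eventName"]})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['kind']:14} user={f['user']} ip={f['ip']} via {f['event']}")
```

Note that neither rule depends on the attacker's tooling or infrastructure matching the first incident's indicators; both key on the behaviour of the identity itself, which is the only thing a stolen valid credential cannot disguise. A real deployment would also want to correlate the new-source-ip finding with the engineer's endpoint telemetry, since the credential here was captured on a personal machine rather than phished.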
Uncredited, Incident 2 – Additional details of the attack, support note, February 2023. Available online at https://support.lastpass.com/help/incident-2-additional-details-of-the-attack.
Hackers Capitalize on ChatGPT Fever
Like everyone else, your humble scribe has tinkered with OpenAI's public test of ChatGPT, the interactive front end to the GPT-3 (Generative Pre-trained Transformer) language model. It's impressive, easily providing me with code to integrate it into Google Chat - code that was almost correct, too.
It's also amusing, because of the confident way it asserts completely incorrect information - I suspect more than a few students will get a nasty surprise when essay submissions are returned to them after marking, as a result - only to back down and apologize when challenged. However, I suspect all this experimenting is teaching us less about artificial intelligence and more about the average human's willingness to believe that whatever comes out of a computer must be correct.
Cybercriminals already know this, of course, and are quick to exploit it when any trend goes viral on social media. The latest example, therefore, is ChatGPT. Over the last week, I've repeatedly seen Facebook ads for a ChatGPT app for Windows, which had the curious property of having close to a thousand comments, none of which are visible, even when set to "display all comments".
Security researcher Dominic Alvieri has found fake websites as well as fake ChatGPT apps on the official Google Play store as well as third-party app stores. In most cases, the fake apps infect the victim with infostealers such as Redline, Aurora or Lumina.
These are all fairly obvious to more tech-savvy users, since ChatGPT depends upon massive compute resources, and is only available via its online interface at https://chat.openai.com/.
Constantinescu, Vlad, ChatGPT Apps to Spread Malware, blog post, 24 February 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/cybercriminals-leverage-fake-chatgpt-apps-to-spread-malware/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.