Blog entry by Les Bell

by Les Bell - Thursday, March 2, 2023, 4:45 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Extra Chrome Security for Google Workspace Users

Many SMEs - and more than a few large ones - use Google Workspace, a SaaS application suite that takes away a lot of the maintenance chores that come with complex desktop software. The Google Workspace applications are accessed via a desktop browser, progressive web applications (PWAs) or phone apps, and while Firefox and other browsers will work, there's a natural tendency to use the Chrome browser.

Now an article in the Google Security Blog provides a number of advanced tips for Workspace Administrators on hardening Chrome configurations for their users. To quickly summarize:

  • Bring Chrome under Cloud Management
  • Enforce built-in protections against Phishing, Ransomware & Malware
  • Enable Enterprise Credential Protections in Chrome
  • Gain insights into critical security events via Audit Logs, Google Security Center or your SIEM of choice
  • Mitigate risk by keeping your browsers up to date with latest security updates
  • Ensure employees only use vetted extensions
  • Ensure your Google Workspace resources are only accessed from Managed Chrome Browsers with protections enabled
  • Enable BeyondCorp Enterprise Threat and Data Protections

Enabling these features effectively turns on a form of EDR in the browser; admins can detect when users enter their corporate credentials into other websites, navigate to malicious sites or download (or upload) malware files, restrict access to highly confidential applications to only users with strong authentication credentials, force automatic updates to Chrome and review the extensions users have installed.

Nair, Kiran, 8 ways to secure Chrome browser for Google Workspace users, blog post, 1 March 2023. Available online at https://security.googleblog.com/2023/03/8-ways-to-secure-chrome-browser-for.html.

Bootkit Bypasses UEFI Secure Boot

One of the great advantages of Windows 11 - and one of the problems it poses for older hardware - is its secure boot facility. Using the keys in the Trusted Platform Module as the root of a chain of trust, it ensures that an unmodified set of operating system files load at boot time and blocks kernel-mode malware such as rootkits. There have previously been a few UEFI bootkits and rootkits, but they generally reside on an easily-discoverable FAT32 disk partition.

But now, there's a bootkit circulating in the wild that can bypass the UEFI Secure Boot feature in fully-patched Windows 11 systems. The bootkit, called BlackLotus, has been selling on hacking forums for $US5,000 since at least October 2022, according to ESET researchers.

The bootkit exploits CVE-2022-21894, a vulnerability that dates back to December 2021 and which was fixed in Microsoft's January 2022 update. However, the affected, validly signed binaries have still not been added to the UEFI revocation list - and BlackLotus takes advantage of this by carrying its own copies of the unpatched binaries.

The resultant bootkit can run on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled, and can disable security features such as BitLocker, Hypervisor-protected Code Integrity (HVCI - which Windows Device Security refers to as Memory Integrity) and Windows Defender. Once it has installed, the bootkit deploys a kernel driver and an HTTP downloader which communicates with its C2 and can download user-mode or kernel-mode payloads.

ESET's lengthy article provides a full analysis of BlackLotus's operation along with IOCs. Attribution is uncertain, but the fact that the installers do not run if the system locale is one of the Commonwealth of Independent States - i.e. the old Soviet bloc - may well be significant.

Smolár, Martin, BlackLotus UEFI bootkit: Myth confirmed, blog post, 1 March 2023. Available online at https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/.

Iron Tiger Takes a Bite of Linux

Iron Tiger (APT 27) has been in the cyber-espionage business for over a decade now, using their own custom malware to target foreign embassies in search of intelligence on the government, defence and technology sectors. One of their tools, called SysUpdate, is a versatile backdoor which can manage services, grab screenshots, search for, upload and download files, and execute commands. It uses a complex chain of loaders, probably in an attempt to evade detection.

According to a new report from Trend Micro, it seems that since late 2022, Iron Tiger has deployed a Linux version of SysUpdate, replacing the previously-used C++ class library with the ASIO C++ asynchronous library and producing ELF binaries. It seems likely that they will now produce a version targeting Mac OS. They also added a new C2 protocol, tunneling commands and responses in DNS TXT resource record requests - a feature which has also been seen in at least one sample of the Windows variant.
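A DNS TXT channel like the one described above tends to stand out in resolver logs as a burst of TXT queries for one domain with long, high-entropy leftmost labels. The following is an added example of my own (not code from Trend Micro or from the SysUpdate analysis) that applies those three heuristics to constructed query-log lines; the four-field log format, thresholds and domain names are assumptions.

```python
"""Heuristic detector for DNS TXT-record tunnelling over constructed query logs.

Added example, not from the Trend Micro report. The log format (timestamp,
client IP, query name, query type) is an assumption; adapt parse_line() to your
resolver's format (BIND querylog, dnsmasq, Zeek dns.log, ...).
"""
import math
from collections import defaultdict

# Constructed sample lines: one benign TXT lookup (e.g. an SPF record), one
# non-TXT query, and a burst of TXT queries whose leftmost label carries
# encoded data under a single (fictitious) domain.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 example.com TXT
2023-03-01T10:00:02Z 10.0.0.7 kq7zx3mvt9pa2wbn8ryc4hju6dfs.c2-example.test TXT
2023-03-01T10:00:03Z 10.0.0.7 g5lte1opxw2qzra9mcbk7vsh3ujn.c2-example.test TXT
2023-03-01T10:00:04Z 10.0.0.7 ph4rwk9azv2nxt7bqe5mdc3jlsy8.c2-example.test TXT
2023-03-01T10:00:05Z 10.0.0.7 z2bmv8kxpr4tjq6ldwc9hn3yas7e.c2-example.test TXT
2023-03-01T10:00:06Z 10.0.0.9 www.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payloads score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname: str) -> str:
    """Crude last-two-labels approximation; use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_txt_tunnelling(log_text, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Return {(client, domain): stats} for TXT streams that look like tunnelled data."""
    streams = defaultdict(list)          # (client, domain) -> leftmost labels seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue                     # ignore malformed lines and non-TXT queries
        _ts, client, qname, _qtype = parts
        streams[(client, registrable_domain(qname))].append(qname.split(".")[0])
    suspicious = {}
    for key, labels in streams.items():
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_queries and avg_len >= min_label_len and avg_ent >= min_entropy:
            suspicious[key] = {"queries": len(labels),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return suspicious

if __name__ == "__main__":
    for (client, domain), stats in detect_txt_tunnelling(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Legitimate TXT traffic (SPF, DKIM, DMARC, domain-verification records) is low-volume and uses short, dictionary-like labels, so it falls below all three thresholds; tune them against a baseline of your own resolver logs before alerting.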

To date, the Linux variant has only been seen in one compromised victim, a gambling company in the Philippines - an industry which has attracted Iron Tiger before.

Lunghi, Daniel, Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting, blog post, 1 March 2023. Available online at https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
