Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Class Action Launched Against Optus
Class action law firm Slater and Gordon has launched an action against Optus, representing 100,000 customers whose data was compromised by an attack some six months ago. The suit alleges Optus breached privacy, telecommunications and consumer laws as well as - perhaps more troubling - the company's own internal policies.
According to Slater and Gordon's class actions practice group leader, Ben Hardwick:
"The type of information made accessible put affected customers at a higher risk of being scammed and having their identities stolen, and Optus should have had adequate measures in place to prevent that.
"Concerningly, the data breach has also potentially jeopardised the safety of a large number of particularly vulnerable groups of Optus customers, such as victims of domestic violence, stalking and other crimes, as well as those working in frontline occupations including the defence force and policing."
In general, privacy laws require data controllers or custodians to take 'reasonable steps' or implement 'reasonable safeguards' to protect personal data, and a possible line of defence could be the argument that it is not reasonable to expect even the best security professionals to foresee, and have the resources to protect against, every possible attack - this is why we perform risk management in order to prioritize our defences.
However, if the suit specifically alleges that the breach was due to Optus staff not complying with its own policies, that suggests this class of attack was foreseen and that a reasonable safeguard - by Optus' own definition - should have been in place to prevent it. It also implies a lack of audit and testing to detect the absence of the appropriate control. There are suggestions that customer data was exposed while testing an API, or via a now-unused API; the use of real customer data for testing is a fundamental no-no, but the breach could equally have been due to improper web API asset management or excessive data exposure (both of which appear in the OWASP API Security Top 10 as API9:2019 Improper Assets Management and API3:2019 Excessive Data Exposure).
With almost ten million Optus customers affected, the plaintiff class should grow substantially, and as this action plays out many CISOs and commentators will be watching closely.
Knight, Ben, Optus data breach class action launched for millions of Australians caught up in cyber attack, ABC News, 21 April 2023. Available online at https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638.
May, Natasha, Optus sued by 'vulnerable' victims of data breach, The Guardian, 21 April 2023. Available online at https://www.theguardian.com/australia-news/live/2023/apr/21/australia-news-live-renewables-superpower-clean-energy-summit-jim-chalmers-nsw-liberals-leadership-indigenous-voice-cost-of-living-interest-rates-drug-reform.
Ransomware Attacks Poorly-Secured Microsoft SQL Servers
South Korean security firm AhnLab has discovered a relatively new type of ransomware now being used to compromise poorly-secured Microsoft SQL Server database servers. The Trigona malware first appeared in late 2022, and Palo Alto Networks' Unit 42 has also detected it being deployed against a range of industries in the US, Italy, France, Germany, Australia and New Zealand.
The threat actor monitored by AhnLab's Security Emergency Response Center (ASEC) achieves initial compromise of the SQL Servers via either brute force or dictionary attacks, indicating that the servers a) are directly exposed to the Internet - tsk, tsk! - and b) have weak passwords on either admin or service accounts. Another problem is the installation of SQL Server on desktop and even laptop machines as part of some ERP and vertical-market applications - the author remembers installing the software for a TV tuner card on his desktop PC and being amazed to discover a complete installation of SQL Server, just to maintain the electronic program guide (EPG) when a smidgen of XML would have done the job!
Having achieved initial access, the actor installs CLR Shell, a backdoor packaged as a .NET common language runtime (CLR) assembly - the format SQL Server accepts for CLR stored procedures, so it is loaded and executed by the database engine itself. This backdoor - similar to a webshell - can accept commands to enumerate system information, and achieves privilege escalation by editing the registry to change the SQL service account to LocalSystem and then rebooting the system. Having done this, the actor installs a dropper, svcservice.exe, which creates and launches the Trigona ransomware, named svchost.exe to mimic the legitimate Windows service host, as well as a batch file which edits registry keys to ensure Trigona runs after every reboot, then deletes volume shadow copies and disables the system recovery feature. The batch file then invokes a copy of the Trigona svchost.exe for each possible drive letter from C:\ to Z:\ before finally deleting the svcservice.exe dropper and its related files.
As the ransomware runs, it leaves a ransom note, under the filename how_to_decrypt.hta, in every directory. This instructs the victim to download the Tor browser and go to a specific address - embedded in the file via JavaScript - for instructions on how to make payment. Unusually, Trigona is written in Delphi (the contemporary descendant of the old Turbo Pascal). Another unusual characteristic of this threat actor is that it requests payment in Monero, rather than the more popular Bitcoin.
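The initial access described above - repeated password guessing against an Internet-facing SQL Server - leaves a very recognisable trail in the SQL Server error log (or the Windows Application log, which records the same event 18456). The following is an added example, not code from the ASEC or Unit 42 reports: it parses a constructed sample of ERRORLOG "Login failed" lines and flags any client that produces a burst of failures, reporting the distinct usernames tried so a dictionary attack (many accounts) can be told apart from a brute-force attack on one account. The IP addresses, timestamps and usernames in the sample are invented.

```python
"""Spot brute-force / dictionary logins against SQL Server from ERRORLOG lines.

Added example (not from the ASEC/Unit 42 reports).  SAMPLE_ERRORLOG is a
constructed imitation of SQL Server's native error-log lines for event 18456;
the addresses and timestamps are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample.  A real log would be far noisier; only "Login failed"
# lines matter to this detector, so the leading "Error: 18456" line is ignored.
SAMPLE_ERRORLOG = """\
2023-04-17 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-17 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 10:15:01.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 10:15:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 10:15:02.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-04-17 10:15:02.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 10:15:02.77 Logon       Login failed for user 'sqlsvc'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 10:20:15.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]
2023-04-17 10:31:40.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]
"""

# Timestamp (fractional seconds dropped), the login name, and the client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client_ip) for every 'Login failed' line."""
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per client address.

    Returns {client_ip: (peak_failures_in_window, sorted_distinct_users)} for
    every client that reached `threshold` failures inside any `window`.
    Several distinct users from one client indicates a dictionary attack;
    one user hammered repeatedly indicates brute force against that account.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> every login name it has tried
    alerts = {}
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ip, (0, []))
            alerts[ip] = (max(prev[0], len(q)), sorted(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, names) in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{ip}: {count} failures in a minute, logins tried: {', '.join(names)}")
```

With the defaults, 203.0.113.5 is reported (six failures in under two seconds across sa, admin and sqlsvc, the signature of a wordlist being run against an exposed instance) while the two widely spaced failures from 192.0.2.44 are not; lowering the threshold and widening the window catches slow, low-volume guessing at the cost of more false positives, which is the trade-off any such rule has to make. None of this is a substitute for the obvious fixes the story points to: no SQL Server listening on the Internet, and no weak sa or service-account passwords.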
Sanseo, Trigona Ransomware Attacking MS-SQL Servers, blog post, 17 April 2023. Available online at https://asec.ahnlab.com/en/51343/.
Lee, Frank and Scott Roland, Bee-Ware of Trigona, An Emerging Ransomware Strain, blog post, 16 March 2023. Available online at https://unit42.paloaltonetworks.com/trigona-ransomware-update/.
How To Host User-Controlled Content?
Most security professionals, and some web developers, are aware of the challenges of hosting user-generated or -controlled content in their applications. This can include simple cases like user-uploaded photos or graphics, through to more sophisticated cases which might involve the use of HTML tags. If user uploads are not ruthlessly sanitized and isolated, the result can be cross-site scripting, cross-site request forgery and a range of other attacks.
The classic solution is to separate untrusted, user-controlled content from trusted site content by using sandbox domains. You may have noticed Google doing this, for example - while their own trusted content is hosted at google.com, the untrusted user-controlled content is downloaded from googleusercontent.com. Many other sites work the same way.
A new article from Google Security provides a useful tutorial on more modern techniques which are both easier and more secure, and work by taking advantage of HTTP header fields that many developers simply are not aware of. The article describes two basic use cases.
The first is serving completely passive user content, such as images and file downloads. The basic technique here is to set the Content-Type header to a well-known MIME type that is supported by all browsers and guaranteed not to contain active content. If in doubt, application/octet-stream is a safe choice. However, in addition, a number of other response headers should also be set to ensure that the browser fully isolates the response: X-Content-Type-Options: nosniff, so the browser does not second-guess the declared type, together with Cross-Origin-Resource-Policy and Content-Security-Policy.
However, some user-controlled content, such as HTML or scalable vector graphics (SVG files), needs to be interpreted by the browser. Here, the basic technique is to serve it with the Content-Security-Policy: sandbox header, which renders it in an opaque origin with script disabled, but once again there are advanced twists, such as adding a sandbox domain to the public suffix list, and developing specialised handlers that convert the user-controlled content into a pre-rendered blob (binary large object).
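To make the two cases concrete, here is an added example (not code from the Google Security post, and not the technique in its exact form) of a small WSGI handler that applies them: known-passive types are served as-is with the isolating headers, anything else is forced to an application/octet-stream download, and HTML or SVG that must render is only ever served from a separate sandbox host, under Content-Security-Policy: sandbox. The host name usercontent.example and the contents of STORE are assumptions constructed for the example.

```python
"""Serve user-controlled content with isolating response headers.

Added example; not code from the Google Security blog post.  SANDBOX_HOST is
a hypothetical cookieless domain standing in for the sandbox domain the post
describes, and STORE is a constructed set of sample uploads.
"""
import re
from wsgiref.simple_server import make_server

SANDBOX_HOST = "usercontent.example"   # hypothetical separate registrable domain

# Types every browser treats strictly as data when served with nosniff.
PASSIVE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp",
                 "audio/mpeg", "video/mp4"}
# Types the browser must interpret: these never leave the sandbox host.
ACTIVE_TYPES = {"text/html", "image/svg+xml"}

# Constructed sample store: name -> (type claimed at upload time, bytes).
STORE = {
    "cat.png":   ("image/png", b"\x89PNG\r\n\x1a\n..."),
    "notes.txt": ("text/plain", b"hello"),
    "evil.html": ("text/html", b"<script>alert(document.cookie)</script>"),
    "logo.svg":  ("image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'>"
                                   b"<script>alert(1)</script></svg>"),
}


def safe_filename(name):
    """Keep only characters that cannot break the Content-Disposition header."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:100] or "download"


def passive_headers(claimed_type, name, embeddable=False):
    """Content that must never execute: trust the claimed type only if it is
    known-passive, otherwise force a download as application/octet-stream."""
    ctype = claimed_type if claimed_type in PASSIVE_TYPES else "application/octet-stream"
    headers = [
        ("Content-Type", ctype),
        ("X-Content-Type-Options", "nosniff"),      # no sniffing into HTML/JS
        ("Content-Security-Policy", "sandbox"),      # even if rendered: no script
        ("Cross-Origin-Resource-Policy",             # who may embed it as a subresource
         "cross-origin" if embeddable else "same-origin"),
    ]
    if ctype == "application/octet-stream":
        headers.append(("Content-Disposition",
                        f'attachment; filename="{safe_filename(name)}"'))
    return headers


def active_headers(claimed_type, host):
    """HTML/SVG that must render: only from the sandbox host, in a CSP sandbox
    (opaque origin, no script, no forms, no popups)."""
    if host != SANDBOX_HOST:
        raise PermissionError("active user content is only served from " + SANDBOX_HOST)
    charset = "; charset=utf-8" if claimed_type == "text/html" else ""
    return [
        ("Content-Type", claimed_type + charset),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", "sandbox"),
    ]


def headers_for(name, host, embeddable=False):
    claimed_type, _ = STORE[name]
    if claimed_type in ACTIVE_TYPES:
        return active_headers(claimed_type, host)
    return passive_headers(claimed_type, name, embeddable)


def respond(name, host):
    """Return (status, headers, body); app() wraps this for WSGI."""
    plain = [("Content-Type", "text/plain"), ("X-Content-Type-Options", "nosniff")]
    if name not in STORE:
        return "404 Not Found", plain, b"not found"
    try:
        headers = headers_for(name, host)
    except PermissionError:
        return "403 Forbidden", plain, b"active content is only served from the sandbox host"
    return "200 OK", headers, STORE[name][1]


def app(environ, start_response):
    name = environ.get("PATH_INFO", "/").lstrip("/")
    host = environ.get("HTTP_HOST", "").split(":")[0]
    status, headers, body = respond(name, host)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Run it and request /evil.html with a Host header of usercontent.example to see the sandboxed HTML response, and with any other Host to see the 403; /notes.txt comes back as a forced download because text/plain is not on the passive list. The main application would embed sandbox-host content in an iframe rather than on its own origin, which is the modern equivalent of the googleusercontent.com separation mentioned earlier.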
Dworken, David, Securely Hosting User Data in Modern Web Applications, blog post, 18 April 2023. Available online at https://security.googleblog.com/2023/04/securely-hosting-user-data-in-modern.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.