Blog entry by Les Bell

by Les Bell - Wednesday, 10 May 2023, 9:24 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Research Shows Substantial Rise in NSW Cybercrime Reports

Research by the NSW Bureau of Crime Statistics and Research shows that reports of cybercrime have increased by 42% in the three years to June 2022. This is based on data from the Australian Cyber Security Centre's ReportCyber Application Platform (RCAP), which is only one of several different reporting systems, not counting direct reports to state police forces, suggesting that there is a pressing need to integrate these systems in order to permit more comprehensive analysis (but see below).

Based on the RCAP data, all cyber offence categories - cyber-enabled fraud, identity theft, cyber-enabled abuse, online image abuse, and device offences - increased, with the exception of abuse. The biggest increases were seen in device offences such as malware, especially ransomware (117%), followed by fraud (95% - no surprise there) and identity crime (35%). Of the reporting victims, 89% were individuals; 53% were male and 87% were over 25 years of age.

The majority (71%) of reports were closed by police in RCAP with no further investigation undertaken. Fraud and online image abuse (OIA) were the most likely offence categories to be referred to police for further investigation (at above 40%). Device offences were the least likely to be referred to police at 5%. This may well be because victims know the attackers are based overseas in countries where they are unlikely to be apprehended - if, indeed, any investigation is done at all.

Reports were more likely to be referred to police when the incident involved a victim aged 17 years or younger, the suspect was known to the victim, money was lost, or an online image abuse offence was indicated. Most OIA reports (84%) were referred to police within 7 days compared to just 42% of identity crime reports. In the vast majority of cases, victims do not know any details about the offender and many of those who do, report that the suspected perpetrator resides overseas. This makes it near impossible for local and federal police agencies to prosecute offenders and undermines the deterrent value of any criminal sanctions prescribed for these offences.

All in all, the report makes depressing reading in light of the high cost of police follow-up, coupled with the low probability of successful action, let alone restorative justice for victims. Add to this the wide range of exploits and vulnerabilities, coupled with the susceptibility of many people to social engineering, and the onus really has to remain on strengthening individuals and their systems in order to prevent their exploitation, rather than retrospective policing actions.

Klauzner, Ilya and Amy Pisani, Trends and Characteristics of Cybercrime in NSW, bureau brief, 9 May 2023. Available online at https://www.bocsar.nsw.gov.au/Pages/bocsar_publication/Pub_Summary/BB/BB165-Summary-Cybercrime-in-NSW.aspx.

Commonwealth Budget Adds $A85 Million for Anti-Scam Measures

Meanwhile, at the Federal level, the 2023 Budget released by Treasurer Jim Chalmers includes some allocations for tackling online scams and cybercrime. The major announcement is the establishment of a national anti-scam centre, at a cost of $A58 million, to share scam data across both government and private sectors, and to "establish public-private sector Fusion Cells to target specific scam issues" (I'm not sure what 'Fusion Cells' are, but they sound very cool and will doubtless eliminate all scamming 😉).

An additional $A17 million will be spent over four years to identify and take down phishing websites and investment scams (this sounds rather broad, and if not restricted in scope somehow, I suspect a lot more than $A17 million will be required).

Finally, $A10 million has been allocated for an SMS sender ID registry in an attempt to stop criminals impersonating government and industry names in smishing attacks. To be honest, I can't see that having much effect at all.

Visontay, Elias, Federal budget 2023: winners and losers summary, The Guardian, 9 May 2023. Available online at https://www.theguardian.com/australia-news/2023/may/09/budget-2023-winners-and-losers-summary-who-will-benefit-is-better-worse-off-federal-labor-australia-government-.

News from the World of DDoS

Quite a bit of action in the DDoS world this week, with Fortinet researchers providing details of two botnets and some good news from the US DoJ.

First, FortiGuard Labs has reported on a new version of a botnet first observed in February, but now infecting unpatched wireless access points via a vulnerability (CVE-2023-25717 - CVSS score 9.8) in the Ruckus Wireless Admin panel. The botnet, christened 'AndoryuBot', targets this remote code execution vulnerability to gain initial access, and then downloads a script for further propagation. After initialization, it connects to its C2 server via the SOCKS protocol and waits for commands to launch a DDoS attack, using any of 12 different methods.

Admins running Ruckus Wireless Admin Panel v10.4 or older should apply the patches released several months ago; older versions which are beyond end-of-life will not get a fix.

In a second report, FortiGuard Labs describes new samples of the RapperBot campaign, which has been active since June 2022, primarily targeting IoT devices, mostly by brute-forcing weak or default SSH or telnet (!) credentials. Once compromised, the devices are used for DDoS attacks.

However, the new variant adds some new functionality, primarily in its C2 protocol, and also adds an SSH public key to compromised devices as a way of remaining persistent should the device be rebooted. Perhaps the most interesting twist is the addition of a Monero cryptomining capability into the bot, whereas previous versions would execute a separate cryptominer.
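The authorized_keys persistence trick described above is exactly the kind of change a simple host audit can catch. The following is an added example (not code from Fortinet's report or from this blog) that parses an OpenSSH authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key blob, and flags any key that is not on an allow-list, is unparseable, or whose declared type disagrees with the type embedded in the blob; the key material it uses is constructed on the spot and is not a real key.

```python
import base64
import hashlib
import shlex
import struct
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def make_ed25519_blob(pubkey: bytes) -> str:
    """Constructed (not real) key blob: RFC 4253 string(type) || string(pubkey), base64."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(pubkey)) + pubkey
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(raw blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, allowed: set) -> list:
    """(lineno, reason, line) for every key not on the allow-list or not well-formed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank or comment line
        try:
            tokens = shlex.split(line)                # copes with command="..." options
        except ValueError:                            # unbalanced quotes: fall back
            tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append((lineno, "unparseable", line))
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        try:
            raw = base64.b64decode(blob, validate=True)
            (tlen,) = struct.unpack(">I", raw[:4])
            embedded = raw[4:4 + tlen].decode()       # key type stored inside the blob
        except Exception:
            findings.append((lineno, "malformed blob", line))
            continue
        if embedded != key_type:                      # declared type must match the blob
            findings.append((lineno, f"type mismatch (blob says {embedded})", line))
        elif (fp := fingerprint(blob)) not in allowed:
            findings.append((lineno, f"unknown key {fp}", line))
    return findings

if __name__ == "__main__":
    known, rogue = make_ed25519_blob(bytes(range(32))), make_ed25519_blob(bytes(32))
    sample = f"# constructed file\nssh-ed25519 {known} admin\nssh-ed25519 {rogue} bot\n"
    print(audit_authorized_keys(sample, {fingerprint(known)}))
```

Run it against every user's ~/.ssh/authorized_keys (and root's) on a schedule, with the allow-list populated from your key inventory, and alert on any finding.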

Finally, the US Department of Justice continues to make progress in shutting down DDoS-for-hire services, also referred to as 'booter' sites. This week, the DoJ seized 13 more Internet domains associated with these services, most of them reincarnations of domains which had been seized back in December. For example, one of the domains seized this week, cyberstress.org, seems to be the same service that was previously operating under one of the domains seized in December.

In conjunction with these domain seizures, the Justice Department also announced that four defendants, who had been charged in late 2022 in Los Angeles, have now pleaded guilty to federal charges, admitting that they operated or participated in the operation of booter services. They will be sentenced this (northern) summer.

Lin, Cara, AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717), blog post, 8 May 2023. Available online at https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717.

Salvio, Joie and Roy Tay, RapperBot DDoS Botnet Expands into Cryptojacking, blog post, 9 May 2023. Available online at https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking.

Mrozek, Thom, Federal Authorities Seize 13 Internet Domains Associated with ‘Booter’ Websites that Offered DDoS Computer Attack Services, press release, 8 May 2023. Available online at https://www.justice.gov/usao-cdca/pr/federal-authorities-seize-13-internet-domains-associated-booter-websites-offered-ddos.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
