Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, May 25, 2023, 10:21 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese State-Sponsored Threat Actor Targets US Pacific Infrastructure

New reports from Microsoft and the NSA detail the activities of a stealthy cyber-espionage campaign against US critical infrastructure in the US and Pacific, particularly Guam. The threat actor involved, named Volt Typhoon, is a Chinese state-sponsored APT which has operated since mid-2021, and this campaign spans the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors with the likely long-term goal of disrupting critical communications infrastructure between the US and the Western Pacific rim in the event of any future crisis.

Volt Typhoon works hard to evade detection; once they have gained initial access - usually by compromising Fortinet FortiGuard devices - they leverage any privileges gained via the FortiGuard device, extract credentials for an Active Directory account used by the device and then pivot to other devices on the network, using these credentials. They also proxy all traffic to their targets through compromised SOHO routers, including those from ASUS, Cisco, D-Link, NetGear and Zyxel (these devices often have their admin interfaces exposed to the Internet - a very dangerous practice).

Having gained access, the Volt Typhoon operators exploit the target environment via the command line, typically using LOLbins and standard operating system commands such as wmic.exe and netsh.exe as well PowerShell. For example, the command

cmd.exe /c wmic path win32_logicaldisk get caption, filesystem,freespace,size,volumename

will return information about all local and network mounted drives on the system, including drive letter, format, free space, size (network drives shared from the same server usually show the same free space and size - a useful clue) and volume label. Since WMI tracing is disabled by default, this will escape detection, and by not introducing any backdoors or other malware, and by using existing accounts, the intruders will evade detection by EDR tools.

Typically, they will attempt to dump credentials from the LSASS (Local Security Authority Subsystem Service) for subsequent exfiltration, and to use the Ntdsutil.exe command to create installation media for new domain controllers, as the files in these contain usernames and password hashes which they can crack offline by means of dictionary or rainbow tables attacks. In a few cases, the Volt Typhoon operators will create a proxy on a compromised system by using the netsh portproxy command (another LOLbin) and very rarely they will use custom versions of the open-source Impacket and FRP (Fast Reverse Proxy) tools to establish a C2 channel.

The Microsoft report provides some guidance for mitigation and protection, including IOC's, while the associated NSA Joint Cybersecurity Advisory provides more detailed analysis and guidance.

Microsoft Threat Intelligence, Volt Typhoon targets US critical infrastructure with living-off-the-land techniques, blog post, 24 May 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/.

NSA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, Joint Cybersecurity Advisory, May 2023. Available online at https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF.

XSS Campaign Targets WordPress Sites

Researchers at Wordfence, a vendor of a specialised web application firewall for WordPress, have revealed a large-scale attack exploiting Beautiful Cookie Consent Banner, a WordPress plugin which is installed on over 40,000 sites. This plugin is vulnerable to a Stored Cross-Site Scripting (XSS) exploit via the nsc_bar_content_href parameter in versions up to and including version 2.10.1 due to insufficient input sanitization and output escaping. This allows an unauthenticated attacker to inject arbitrary scripts into pages, which will then execute whenever a user accesses those pages. The vulnerability merits a CVSS score of 7.2 (high).

A partial patch was introduced in version 2.10.1 of the plugin, and the vulnerability was finally remediated in version 2.10.2 back in January. Wordfence recommends updating to the latest version, 2.13.0, as soon as possible (systems protected by their Wordfence firewall were always protected).

Wordfence's researchers suspect this campaign, which has run since early February, is being conducted by a single threat actor, as every attack contained the same payload - which in fact, failed to work. However, now that the vulnerability is being publicized, it seems likely a competent threat actor will adopt it, making reactive patching particularly important.

Gall, Ram, Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign, blog post, 24 May 2023. Available online at https://www.wordfence.com/blog/2023/05/wordfence-firewall-blocks-bizarre-large-scale-xss-campaign/.

Security Analyst Jailed for MitM Escalation

Finally, an enjoyable read for your coffee break, with the sad tale of a Security Analyst at a company which had fallen victim to a ransomware attack. Rather than working diligently on behalf of his employer to fend off the attack, the insider decided to turn the situation even further to his advantage, by substituting his own Bitcoin wallet addresses for those in the attackers' ransom demands, and additionally spoofing emails to increase the pressure to pay up.

Unfortunately, his man-in-the-middle exploit was foiled when his employer decided not to pay up - and even worse, his email interference showed up in system logs, leading to his arrest. Although it took 5 years for his case to finally come to court, he decided last week to plead guilty - presumably in hopes of a reduced sentence - and will return to Reading Crown Court for sentencing on 11 July.

South East Regional Organised Crime Unit, Man convicted of blackmail and other offences, press release, 22 May 2023. Available online at https://serocu.police.uk/man-convicted-of-blackmail-and-other-offences/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: