Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
(ISC)2 Board Election Controversy Continues
(ISC)2 has announced that its open call for nominations to stand for the Board of Directors has closed - I confess, I did not even know it was open. This year, the current Board has recommended a slate of seven candidates for four open seats on the Board. However, three of the recommended seven are current Members, and many current certification holders do not feel that this is sufficient choice.
Accordingly, three experienced people are attempting to get onto the ballot via petition. They are:
- Stephen Mencik (US) - a 40-year security professional with both government and private sector experience
- Sami Koskinen (Finland) - over 20 years' experience as a CISO, CIO and consultant
- Diana Contesti (Canada) - a past Chair of the Board and winner of the James R. Wade Award for service to (ISC)2
I have 'known' them all - in an online sense - since I became a CISSP back in 2002, as they have all been regular contributors to the CISSP Forum, and commend them for your consideration. If you are a member in good standing, then please support their petition by going to https://jsweb.net/isc2/election.html and providing your name, email address and (ISC)2 candidate number.
RIP Kevin Mitnick
Black hat? White hat? Whatever your opinion of Kevin Mitnick, it is now moot, as the great leveller has claimed him in the end.
Uncredited, Kevin David Mitnick, obituary, 19 July 2023. Available online at https://www.dignitymemorial.com/obituaries/las-vegas-nv/kevin-mitnick-11371668.
Worm Infects Linux, Windows Servers Via Redis Lua Vulnerability
Back in early December last year, we brought you news of a backdoor which was able to infect systems running a vulnerable version of the Redis NoSQL database. Redis is widely deployed on web servers, particularly for page caching, although it has many other applications where a high-performance non-relational database is required. The backdoor was installed by exploiting CVE-2022-0543, a very nasty - CVSS score 10.0, and it doesn't get any worse than that - vulnerability in the library for the Lua scripting language which allows an attacker to escape the Lua sandbox, permitting remote code execution.
Now Palo Alto Unit 42 researchers have identified a worm which is using the same vulnerability to infect both Linux and Windows servers. The worm, dubbed P2PInfect, is written in Rust (the backdoor mentioned above was written in Go), and although this vulnerability was disclosed over a year ago, the researchers have identified almost one thousand servers which still remain vulnerable.
P2PInfect exploits CVE-2022-0543 for initial access, and then drops a payload which establishes an initial connection to a peer-to-peer command and control network. It then downloads additional binaries, including scripts specific to the victim OS as well as scanning software; once this is done, the infected victim fully joins the P2P network in order to share these scripts and binaries with future compromised victims.
Building a C2 network this way would make it much more difficult to sinkhole and bring down, especially if it can grow further. There is no attribution for this worm; nor is it clear what its purpose is - although the word "miner" appears several times in its binaries, there is no evidence of any cryptomining code. However, its C2 protocol appears to allow its operators to push new payloads into the network which could add new capabilities.
The obvious mitigation is to update vulnerable Redis installations - but given that this vulnerability is over a year old, it seems likely that the administrators of vulnerable systems are not getting the message.
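Since the mitigation comes down to finding and updating out-of-date Redis instances, here is a small inventory check, added as an example for this briefing rather than code from Unit 42 or the Redis project. It parses the text that Redis returns for the `INFO server` command (one `key:value` per line, with `# Section` headers) and flags any host whose `redis_version` is below a minimum you configure. The two hosts and their INFO output are constructed sample data, and `MIN_SAFE_VERSION` is a placeholder: the fixed version depends on your distribution's package, so set it from your vendor's advisory for CVE-2022-0543.

```python
"""Flag Redis servers whose reported version predates a configured minimum.

Added example, not part of the original briefing. Parses `INFO server`
output (key:value lines, '#' section headers) and compares redis_version
against MIN_SAFE_VERSION. The minimum is a PLACEHOLDER; take the real value
from your distribution's advisory for CVE-2022-0543.
"""
import re

MIN_SAFE_VERSION = "6.0.16"  # PLACEHOLDER: substitute the version from your vendor's advisory

# Constructed sample INFO output for two hosts (not captured from real systems).
SAMPLE_INFO = {
    "cache-01.example.internal:6379": (
        "# Server\r\n"
        "redis_version:5.0.7\r\n"
        "redis_mode:standalone\r\n"
        "os:Linux 5.4.0-100-generic x86_64\r\n"
        "tcp_port:6379\r\n"
    ),
    "cache-02.example.internal:6379": (
        "# Server\r\n"
        "redis_version:7.0.11\r\n"
        "redis_mode:standalone\r\n"
        "os:Linux 6.1.0-9-amd64 x86_64\r\n"
        "tcp_port:6379\r\n"
    ),
}


def parse_info(text):
    """Turn INFO output into a dict, skipping '# Section' headers and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def version_tuple(version):
    """'6.0.16' -> (6, 0, 16); any non-numeric suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(info_by_host, minimum=MIN_SAFE_VERSION):
    """Return {host: (version, needs_update)} for every host in the inventory.

    A host that does not report redis_version at all is treated as needing
    attention, since an unknown version cannot be assumed safe.
    """
    results = {}
    for host, text in info_by_host.items():
        fields = parse_info(text)
        version = fields.get("redis_version", "unknown")
        outdated = version == "unknown" or version_tuple(version) < version_tuple(minimum)
        results[host] = (version, outdated)
    return results


if __name__ == "__main__":
    for host, (version, outdated) in audit(SAMPLE_INFO).items():
        status = "UPDATE REQUIRED" if outdated else "ok"
        print(f"{host:40} redis_version={version:10} {status}")
```

In practice you would replace `SAMPLE_INFO` with output collected from each server (for example via `redis-cli INFO server` from a host that is already permitted to reach it) and feed the result into your patching queue; the version comparison is deliberately tuple-based so that "7.0.11" is correctly ranked above "6.0.16".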
Gamazo, William and Nathaniel Quist, P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm, blog post, 19 July 2023. Available online at https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.