Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Sydney University Discloses Data Breach
A third-party service provider to the University of Sydney has suffered a data breach affecting "a limited number of recently applied and enrolled international applicants’ personal data". The breach was confined to a single platform, and has not affected other university systems; the University claims that there is no evidence that any personal information has been misused, although experience shows that such statements often have to be revised over time.
So far, it appears that no data relating to domestic students, staff, alumni or donors has been affected, and the University is working to contact impacted students and applicants.
This incident is just the latest to affect a university, as the education sector - and its third-party providers - becomes an increasingly popular target.
University of Sydney, Cyber incident, web page, 30 August 2023. Available online at https://www.sydney.edu.au/about-us/governance-and-structure/cybersecurity/cyber-incident.html.
MS SQL Servers Targeted With Ransomware
Researchers from the Securonix Threat Research team have identified a campaign which targets Internet-exposed Microsoft SQL Server systems by brute-forcing a login. After gaining access, the attackers immediately enumerate the database, in particular searching for other login credentials by using SQL statements like
SELECT name FROM sys.sql_logins WHERE name IS NOT NULL
Upon discovering that the xp_cmdshell stored procedure was enabled (!), the attackers used it to run commands such as wmic, whoami, net use, etc., on the underlying machine in order to enumerate system and user information.
Next, in order to secure persistent access, the attackers created several user accounts in the administrators group, then made a number of changes to enable RDP access, disabled the system firewall and mounted a remote shared drive using the SMB protocol, allowing them to transfer files and install their tools. From there, they installed the AnyDesk remote desktop program to provide an additional access mechanism.
This was followed by the installation of a port scanner to enumerate the local network and credential dumping using Mimikatz. In the case analyzed by Securonix, the threat actor seems to have decided the local network was not worth further exploration, and they dropped a modified variant of the Mimic ransomware, which sets about identifying and encrypting target files before leaving a ransom note in a text file.
The Securonix researchers dubbed this ransomware variant "FreeWorld", and the campaign itself DB#JAMMER. Their report maps the various stages of the attack to the MITRE ATT&CK matrix, and also provides IOCs and suggested mitigations.
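The initial access step above, a password-guessing attack against SQL Server logins, is visible in the server's own ERRORLOG long before anything reaches xp_cmdshell. The following script is an added example (not Securonix's code, and not part of the original post) that parses the "Logon" lines SQL Server writes to its error log, counts failed logins per client address in a sliding window, and raises a second alert when a client that has been hammering the server then authenticates successfully. It assumes the default error-log text layout, and that login auditing is set to record both failed and successful logins (success lines are not written otherwise); the log excerpt is constructed sample data, not a real capture.

```python
"""Detect MSSQL password guessing in SQL Server ERRORLOG lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the 'Logon' audit lines in ERRORLOG. Assumption: default text layout;
# 'Login succeeded' lines only appear when auditing covers successful logins.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_line(line):
    """Return a dict for a Logon audit line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "outcome": m["outcome"],
        "user": m["user"],
        "client": m["client"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed logins per client address.

    Emits one 'brute_force' alert per client once `threshold` failures land
    inside `window`, and a 'success_after_failures' alert when that client
    subsequently authenticates: the signature of a guessed password.
    """
    failures = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = set()                 # clients already alerted on
    alerts = []
    for line in lines:
        ev = parse_logon_line(line)
        if ev is None:
            continue                # "Error: 18456 ..." and unrelated lines
        q = failures[ev["client"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()             # expire failures outside the window
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["client"] not in flagged:
                flagged.add(ev["client"])
                alerts.append({"type": "brute_force", "client": ev["client"],
                               "failures": len(q), "at": ev["ts"]})
        elif ev["client"] in flagged:
            alerts.append({"type": "success_after_failures",
                           "client": ev["client"], "user": ev["user"],
                           "at": ev["ts"]})
    return alerts


# Constructed sample excerpt (not real data): six guesses from one address
# inside 30 seconds, then a success; one stray failure elsewhere that must
# not alert.
SAMPLE_LOG = """\
2023-09-01 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:09.45 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:14.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:18.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:23.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:30.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:02:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against a real ERRORLOG the thresholds need tuning to the environment (service accounts with stale passwords generate steady, low-rate failures), and the second alert type only works if success auditing is on. The complementary configuration check for the next stage of this attack chain is that `sp_configure 'xp_cmdshell'` reports a value of 0 on every Internet-facing instance.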
Iuzvyk, D., T. Peck and O. Kolesnikov, Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware, blog post, 1 September 2023. Available online at https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.