Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, September 7, 2023, 10:11 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


BlackCat/ALPHV Claims More Scalps

Russian ransomware operation BlackCat, also known as ALPHV, has claimed a string of new scalps in Australia, apparently  through the compromise of a cloud service reseller. The group claims to have stolen over 4.95 TB (yes - that's terabytes) of data belonging to several companies:

  • TissuPath, a pathology company
  • Strata Plan, a property owners' corporation service provider
  • Barry Plant Blackburn, a real estate agency
  • Tisher Liner FC Law, a business and property law firm

The group is threatening to publish the data unless an extortion demand is paid. The nature of the data is unclear - much of it is undoubtedly financial data relating to real estate property owners, but TissuPath has stated that patient names, dates of birth, contact details, Medicare numbers and private health insurance details were exposed. It also claimed that its main database and reporting system was not compromised, and that the firm does not store patient financial data or identity documents such as drivers licence numbers.

Three of the firms above are clients of Core Desktop, a South Melbourne firm which provides managed services for Azure and Office 365. The firm first became aware of the breach on 22 August 2023 and, while uncertain of the initial compromise techniques, has shut down access to affected accounts, and reset administrator login credentials and client passwords to regain control of its systems.

The breach has been reported to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

Tran, Danny, Russian ransomware gang AlphV targets pathology company, law firms in latest string of attacks, ABC News, 5 September 2023. Available online at https://www.abc.net.au/news/2023-09-05/russian-ransomware-gang-alphv-targets-pathology-company-law-firm/102817900.

CISA Vulnerability Summary for the Week of 28 August

CISA has released its weekly vulnerability summary, and as usual it makes interesting reading. Even just a quick scan of those vulnerabilities with a CVSS score of 9.8 - about as bad as it gets - turns up some informative entries, such as an authentication bypass in the Stripe Payment Plugin for the WooCommerce plugin for WordPress (up to and including v 3.7.7) which allows unauthenticated actors to log in as users who have orders. There's another authentication bypass vulnerability in VMware's Aria Operations for Networks, which will allow access to the command line interface via SSH.

The Internet of Things continues to provide examples of just how bad things can be, with four vulnerabilities in SpotCam FHD 2 wireless security cameras, including hard-coded credentials for both a hidden telnet server and for uBoot, as well as remote command injection.

Security-related products are, unfortunately, not immune, with a deserialization vulnerability, possibly allowing remote code execution, in Oracle's weblogic-framework vulnerability scanner, and a remote code execution vulnerability in Splunk Enterprise.

There's plenty to think about in the lower-scoring vulnerabilities, too.

CISA, Vulnerability Summary for the Week of August 28, 2023, security bulletin, 6 September 2023. Available online at https://www.cisa.gov/news-events/bulletins/sb23-249.

How Storm-0558 Got That Key

Back in July, we covered a series of attacks on US government agencies which were achieved using forged authentication tokens for Outlook Web Access in Exchange Online and Outlook.com. The threat actor involved, dubbed Storm-0558 by Microsoft, was able to sign the forged tokens using an acquired Microsoft Managed Service Account (MSA) consumer signing key, which was accepted for enterprise systems due to a token validation vulnerability. The attack was so significant that the Department of Homeland Security's Cyber Safety Review Board announced plans for an in-depth review on the malicious targeting of cloud computing environments, with the intention of strengthening identity management and authentication in the cloud.

However, one question remained unanswered: how did Storm-0558 obtain the Microsoft account consumer key in the first place? Such highly-trusted keys are normally subject to strong controls to prevent their being leaked.

Now, Microsoft Security Research Center has provided details of their technical investigation. As expected, Microsoft's production environment has such strong controls, including dedicated accounts, secure access workstations, and the use of multi-factor authentication based on hardware tokens. The production environment also prevents the use of email, conferencing, web research and other collaboration tools that commonly provide a path for malware infections. However, some data does leave the production environment.

The MSRC investigation revealed that a consumer signing system crash in April 2021 resulted in a process dump or 'crash dump' of the crashed process. Now, crash dumps redact sensitive information and should not include the signing key, but in this particular case, a race condition allowed the key to remain in the crash dump, and its presence there was not subsequently detected.

The crash dump was then moved from the isolated production network into a debugging environment on the Internet-connected corporate network. At some time after this, Storm-558 was able to compromise the account of a Microsoft engineer, which then gained them access to the debugging environment, the crash dump and the key. Although the logs from that time have not been retained, this seems the most likely way the threat actor obtained the key.

Microsoft states that the issues that allowed the key to leak via this improbable path - the race condition and the failure to detect the key in the crash dump in either the production or debugging environments - have now been corrected. This might have been a one-in-a-million exposure, but as Sir Terry Pratchett wryly observed, the strange thing about one-in-a-million events is that they happen so often.

MSRC, Results of Major Technical Investigations for Storm-0558 Key Acquisition, blog post, 6 September 2023. Available online at https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: