Blog entry by Les Bell

Les Bell
by Les Bell - Tuesday, 17 October 2023, 9:23 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cisco IOS XE Vulnerability Exploited in the Wild

Cisco has disclosed a 0-day privilege escalation vulnerability which is under active exploitation. The vulnerability, CVE-2023-20198, is in the web user interface of the IOS XE operating system, and sports a CVSS 3.x score of 10.0. If the web UI feature is enabled, and particularly if it exposed to an untrusted network - such as the public Internet - it will allow a remote, unauthenticated attacker to create an account with privilege level 15 access, and thereby gain control of the victim system.

As yet, there is no patch, and so Cisco is recommending that customers disable the HTTP and HTTPS servers on all Internet-facing systems, by issuing the following commands in global configuration mode:

no ip http server
no ip http secure-server

However, this may not be possible if the system runs other services that require HTTP/HTTPS, in which case, access should be carefully restricted to trusted networks.

Cisco's advisory lists a number of indicators of compromise, including the presence of unknown user accounts on the system, such as cisco_tac_admin or cisco_support. The presence of an implant on the system can be detected with a curl command:

curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

If the system is infected, this request will return a hex string. Adversary interactions with the implant can also be detected by four Snort rules.

Cisco, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability, security advisory, 16 October 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.

BEC Scam Nets $A1.2 Million from Small Business

A new twist on a business email compromise scam, combined with social engineering, has cost a small earthworks business almost $A1.2 million.

The company's accounts manager received a phone call from a man claiming to be 'Mike' from the National Australia Bank - and since the firm had previously dealt with a Mike from a nearby branch of the bank, suspicions were allayed. Furthermore, 'Mike' knew details of the previous day's pay run, providing further evidence that he was from the bank.

However, 'Mike' claimed there had been fraudulent activities on the company's bank accounts which he would need to investigate, and tricked the accounts manager into granting him access.

Within minutes, said the business owner, Paul Fuller, the hacker had drained $A1.2 million out of the company accounts. "They (NAB) did get some money back but not nearly as much as went missing", said Mr. Fuller. To date, the bank as been able to recover $A84,000 but there is no prospect of recovering any more.

There are a couple of obvious safeguards which small business workers need to bear in mind. First, an inbound call provides no authentication; you do not know that the person who has called really is from the institution they claim to be. The same applies to text messages; in both cases, caller ID is easy to spoof. Instead, take the caller's details such as their name, department or employee number, and then call the institution using the phone number you already have on file or obtain from a trusted source, and ask for them by name or employee number. If they are unknown to the operator, congratulate yourself on dodging a bullet.

Secondly, stop and think - don't let yourself be panicked into precipitous actions. Is it likely that a customer service person in a rural branch of a huge bank would be investigating suspected fraud, or is it more likely that a specialized investigations department would be involved? And in either case, wouldn't such a bank employee already have the level of access required to perform that investigation?

It's entirely possible that this phone call was preceded by compromise of the company's email accounts, which were mined to obtained details of the banking relationship - for example, earlier emails involving the legitimate 'Mike'. It's possible the email system also contained emails sent to employees with attached payslips, for example - and this would be all the caller needed to sound credible to his victim.

This underscores the need for multi-factor authentication on both email and online banking accounts; email accounts are particularly valuable since the 'forgotten password' procedures for many other online accounts work by simply sending a password reset link to the email address, on the often-invalid assumption that only the account owner will have access to this. I also recommend the use of dedicated thin clients, such as a Chromebook or Chromebox, for online banking and accounting, to minimise the chances of infection by infostealers and other malware.

Saunders, Miranda and Emma Rennie, Warnings about evolving cyber threats after hackers steal $1.2 million from Grafton family business, ABC News, 15 October 2023. Available online at https://www.abc.net.au/news/2023-10-15/cyber-threats-hackers-steal-million-dollars-small-business/102789994.


Upcoming Courses


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: