Les Bell
Blog entry by Les Bell
Welcome to this issue of Security News, for the week commencing 1st August 2022.
News Stories
Russia-Ukraine Cyberwarfare Escalates
As the conventional conflict in Ukraine grinds on, Russia is finding itself on the receiving end of attacks in cyberspace - not just from Ukrainians but from hackers all over the world. Cyber activist group Anonymous, in particular, has launched multiple campaigns which have compromised many websites and databases, changing some file names to "Glory to Ukraine" and deleting most others using a wiper script, and disrupting the web sites of Gazprom and state news (i.e. propaganda) channel Russia Today (RT). They even managed to shut down the control center of the Russian Space Agency, Roscosmos.
Fowler, Jeremiah, Hacker Group Anonymous and Others Targeting Russian Data, Website Planet blog, July 2022. Available online at https://www.websiteplanet.com/blog/cyberwarfare-ukraine-anonymous/.
Bad News for Students Everywhere
The CEO of textbook publisher, Pearson PLC, has said that he hopes blockchain technology will help the company take a cut of secondhand sales of its books.
"In the analogue world, a Pearson textbook was resold up to seven times, and we would only participate in the first sale", he told reporters.
Struggling students everywhere groaned into their ramen bowls.
CISSP course attendees can read more in the wiki's Cryptocurrencies and Blockchain Technology page.
Seal, Thomas, Pearson Says Blockchain Could Make It Money Every Time E-Books Change Hands, Bloomberg Technology, 1 August 2022. Available online at https://www.bloomberg.com/news/articles/2022-08-01/pearson-hopes-blockchain-will-make-it-money-every-time-its-e-books-change-hands.
Craig Wright - Satoshi or Not?
Australian Craig Wright has often
claimed to be the mythical Satoshi Nakomoto, who developed Bitcoin back in 2009.
In August 2022, Wright technically won a libel case against a blogger who had claimed that he was a fraud. However, the judge in the UK High Court case ruled that Wright had given "deliberately false evidence" in the case, and awarded only GBP1 in damages (Milmo, 2022). The claim that Wright was, in fact, Satoshi Nakamoto was not tested in court.
CISSP course attendees can read more in the wiki's Cryptocurrencies and Blockchain Technology page.
Milmo, Dan, Craig Wright wins 'only nominal damages of GBP1 in bitcoin libel case, The Guardian, 2 August 2022. Available online at https://www.theguardian.com/technology/2022/aug/01/craig-wright-wins-only-nominal-damages-of-1-in-bitcoin-libel-case.
Hackers Steal Passwords for 140,000 Payment Terminals
Wiseasy is a popular Android-based payment terminal used in hospitality and retail outlets in the Asia-Pacific region. The company's Wisecloud service provides remote management, configuration and update of its terminals. However, pen-testing and dark web monitoring company Buguard found Wiseasy employee passwords on a dark web marketplace used by cybercriminals.
The passwords, which were stolen by credential-stealing malware, were the only protection for two cloud dashboards - the Cloudeasy system did not use multi-factor authentication or other protections, although MFA has now been added.
CISSP course attendees can read more about Multi-Factor Authentication and password stealers in the course wiki.
Whittaker, Zack, Hackers stole passwords for accessing 140,000 payment terminals, Tech Crunch, 2 August 2022. Available online at https://techcrunch.com/2022/08/01/wiseasy-android-payment-passwords/.
Post-Quantum Cryptography News
The mere threat of quantum computers which could break all widely-deployed public-key cryptoprimitives such as RSA and Diffie-Hellman has been enough to spur frantic development of post-quantum, or quantum-resistant algorithms. At first, development seemed lethargic, but it accelerated in recent years with NIST running an open competition to standardize on the winners.
At the end of the third round, last month, NIST announced one winning algorithm for key encapsulation and four winning signature algorithms. Now, IBM has announced the available of most of these - the CRYSTALS-Kyber key encapsulation algorithm, and the CRYSTALS-Dilithium, FALCON and SPHINCS+ algorithms for signatures.
NIST also announced that four other key encapsulation algorithms, while not adopted as standards, would advance to a fourth round. However, one of these - SIKE (Supersingular Isogeny Key Encapsulation) - is quite probably dead in the water following the unexpected release of a paper detailing an attack which can recover a key in approximately one hour on a single-core PC.
Meanwhile, the ACM (Association for Computing Machinery) Technology Policy Council has released a short technical bulletin highlighting some risks and opportunities which have been obscured by our focus on the code-breaking implications of possible quantum computers. They point out that little progress has been made on quantum cryptanalysis, while powerful quantum simulators could be in use within two years.
CISSP course attendees can read the full background on the algorithms and the NIST competition in the Post-Quantum Cryptography wiki page, and some basic information on quantum computers on the Quantum Cryptography page.
Dames, Ann, How IBM z16 positions you to begin using quantum-safe cryptography, IBM cloud blog, 26 July 2022. Available online at https://www.ibm.com/cloud/blog/announcements/available-on-ibm-z16-future-proof-digital-signatures-with-a-quantum-safe-algorithm-selected-by-nist.
Garfinkel, Simson L. and Chris J. Hoofnagle, Quantum Computing and Simulation, ACM Technology Policy Council TechBrief, July 2022. Available online at https://dl.acm.org/doi/pdf/10.1145/3551664.
Goodin, Dan, Post-quantum encryption contender is taken out by single-core PC and 1 hour, Ars Technica, 2 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/.
Attackers Scanning for New Vulnerabilities
A new report from Palo Alto Networks' Unit 42 provides some insights which can assist defenders in planning their incident response plans and playbooks.
First, attackers tend to have particular favourites which they will scan for and repeatedly exploit, with just six CVE categories (ProxyShell, Log4j, ProxyLogon, SonicWall and Fortinet vulns and a vulnerability in Zoho ManageEngine ADSelfService Plus) accounting for more than 87% of vulnerabilities being exploited. These are all well known and have patches or compensating controls; the fact that they keep working clearly shows the importance of proactive patching. A second lesson is the importance of analyzing backwards along the kill chain, to find the vulnerability that led to the later stages of an attack, fix it, and block a campaign.
However, in other cases, some attackers are seen to be scanning for a vulnerability within 15 minutes of a CVE being released. This reinforces the old dilemma - patch as soon as you can, or regression-test the patch before deploying? Your vulnerability management and patch management processes clearly need to deal with this, possibly by patching highly-exposed systems immediately, but performing regression testing before patching well-defended critical systems such as back-end databases.
As found by others, the top access vectors was phishing, followed by software exploits, then brute-force credential attacks targeting RDP.
CISSP course attendees can read more background information in the Patch Management, Vulnerability Management and Incident Response wiki pages.
Edge Editors, Attackers Have 'Favorite' Vulnerabilities to Exploit, Dark Reading, 30 July 2022. Available online at https://www.darkreading.com/edge-threat-monitor/attackers-have-favorite-vulnerabilities-to-exploit.
Unit 42, Incident Response Report 2022, Palo Alto Networks, July 2022. Available online at https://www.paloaltonetworks.com/unit42/2022-incident-response-report.
Stealthy Trojan Bypasses AntiVirus
A new variant of a 2018 bot called Amadey is being distributed via SmokeLoader malware, disguised as software cracks and fake keys which naive people use to try to activate pirated software. Once Amadey has been downloaded, it resides in the Windows TEMP folder and also registers itself as a scheduled task so that it can persist.
From there, it contacts a C2 server and downloads a plug-in to collect environment information such as the current user and computer names, OS and a list of installed applications. It also takes periodic screenshots, which it sends back to the C2 server. It also catalogues the installed anti-malware software, and can bypass antivirus products from 14 different vendors, including Avast, Avira, BitDefender, Kaspersky, Sophos and Microsoft.
After inspecting the gathered information, the attackers can then take any of several follow-up actions, including installing specialized plug-ins, such as an Outlook email stealer, a generic info-stealer called RedLine, or a tool for gathering information about any VPN clients installed on the system.
Interestingly, researchers who examined an earlier version of Amadey noted that it would not install these additional payloads if it judged that the victim was in Russia.
For more information about bots and trojans, CISSP course attendees can see the Trojan wiki page.
Vijayan, Jai, Supercharged Version of Amadey Infostealer & Malware Dropper Bypasses AVs, Dark Reading, 26 July 2022. Available online at https://www.darkreading.com/attacks-breaches/supercharged-version-amadey-infostealer-malware-dropper-bypass-av.
URL Parsing Vulnerability Affects Golang Applications
Application developers increasingly rely on standard function and class libraries in modern languages such as Rust and Go, rather than writing all that low-level code themselves. This is not a bad thing - apart from the productivity gains, writing high-quality, high-performance, versatile low-level code is not easy, and shared code with lots of users and lots of eyes on it is likely to be safer than rolling your own.
Unless it's not, as developers using the Go programming language are finding out. A new vulnerability called ParseThru allows a threat actor to bypass URL argument validation, exposing the API's of applications written in the language to exploitation. The vulnerability is caused by changes to the way the net/url language library handles semicolons (;) in URL arguments - prior to version 1.17 they were treated as separators, but in 1.17 and later, non-URL-encoded semicolons are rejected and a warning logged.
When a Golang API using net/url version 1.17 or later communicates with a back-end service running an earlier version, an attacker is able to send a specially-crafted request containing a semicolon in the URL argument. The API code will ignore this, silently discarding the error message, but the back-end service will process it.
URL parsing vulnerabilities are not unique to Go, of course - this year alone they have been seen in libraries for C, JavaScript, PHP, Python and Ruby.
The take-away is that configuration management databases need to have a high degree of granularity. Would you know if an application you depended upon used two different versions of Go's net/url and was therefore vulnerable?
For CISSP course attendees, there's a little bit more information about the Go programming language in the course wiki, as well as info on configuration management databases.
Lakshmanan, Ravie, New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications, The Hacker News, 2 August 2022. Available online at https://thehackernews.com/2022/08/new-parsethru-parameter-smuggling.html.
Atlasssian Resolves RCE Vulnerability in Jira Server
Continuing its (Australian) winter of woe, has acted to fix a remote code execution vulnerability in its widely-used Jira Server and Data Center products. While the exploit, which worked via template injection in the Email Templates feature, required admin permissions, the company still gave it at CVSS score of 7.8.
Chirgwin, Richard, Atlassian patches email template vulnerability in Jira, IT News, 3 August 2022. Available online at https://www.itnews.com.au/news/atlassian-patches-email-template-vulnerability-in-jira-583531.
Australian Businesses Rate Cybersecurity As Highest Risk
While 20% of international respondents to PWC's annual Global Risk Survey rated 'cyber' as the top risk, behind market risks (22%) and business operating model risk (21%), Australian businesses see things differently, with 32% seeing 'cyber' as the top risk. Business operating model risk and geopolitical risks came well behind, at 22% and 19% respectively - in fact, the impact of COVID-19, economic volatility and climate change trailed even further behind.
This, in part, reflects increasing government attention, with the appointment of a Federal Minister for Home Affairs and Minister for Cyber Security (Claire O'Neil) - the first time cybersecurity has been a dedicated cabinet portfolio. However, it may also reflect an increasing realization that historical under-investment in cybersecurity has left companies exposed.
Perhaps we are finally getting the message through?
Crethar, Rick, et. al., PWC 2022 Global Risk Survey - Australian Highlights, Price Waterhouse Coopers, July 2022. Available online at https://www.pwc.com.au/publications/global-risk-survey/2022-GRS-Australian-highlights.pdf.
Samaratunga, Sam, et. al., PWC 2022 Global Risk Survey, Price Waterhouse Coopers, July 2022. Available online at https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-risk-survey.html.
New Exploitation Framework Found in the Wild
Many of us are familiar with the Cobalt Strike toolkit, which is widely used by both sides of the business. Now researchers have found a similar framework, named Manjusaka, which seems to have been developed and deployed by Chinese threat actors to attack both Windows and Linux systems. It joins an earlier toolkit called Brute Ratel.
Manjusaka consists of a versatile remote access trojan (RAT) which can execute arbitrary commands via a shell, steal credentials from the OS itself, web browsers, and wifi interfaces, as well as capturing screenshots. A matching file management module can explore directories and files, read, write and delete files, and move them.
A unique characteristic of Manjusaka is the fact that it is written in the Go programming language, while its implants are written in the cross-platform language, Rust, making possible attacks on different processors, such as those found in embedded systems and industrial control systems.
Abrams, Lawrence, Ransomware, hacking groups move from Cobalt Strike to Brute Ratel, Bleeping Computer, 6 July 2022. Available online at https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-move-from-cobalt-strike-to-brute-ratel/.
Toulas, Bill, Chinese hackers use new Cobalt Strike -like attack framework, Bleeping Computer, 2 August 2022. Available online at https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-cobalt-strike-like-attack-framework/.
China - Taiwan Tensions Could Impact Chip Shortages
The semiconductor supply chain woes that have bedevilled many industries could be made much worse if China was to invade Taiwan. The world's biggest semiconductor manufacturer, TSMC, is headquartered in Hsinchu, Taiwan, and would be rendered inoperable in any conflict.
"Nobody can control TSMC by force. If you take a military force or invasion, you will render TSMC factory not operable", the Chairman of the company said in an interview with CNN this week. "Because this is such a sophisticated manufacturing facility, it depends on real-time connection with the outside world, with Europe, with Japan, with U.S., from materials to chemicals to spare parts to engineering software and diagnosis."
This gives the western world yet another incentive to maintain stability in the region - but in this respect, China would gain nothing, either.
Zakaria, Fareed, On GPS: Can China afford to attack Taiwan?, CNN, undated. Available online at https://edition.cnn.com/videos/tv/2022/07/31/exp-gps-0731-mark-liu-taiwan-semiconductors.cnn.
India Backs Down on Data Privacy
While the Indian government has passed far-reaching legislation dealing with cybersecurity and privacy, it has put on hold the introduction of its long-awaited Personal Data Protection Bill.
The bill, which was introduced in 2019, had attracted criticism from all sides: tech giants Meta, Google and Amazon expressed concerns as expected, but privacy groups had complained that the bill exempted government departments, prioritized the interests of large corporations and did not adequately respect the fundamental right to privacy.
A parliamentary panel received dozens of recommendations and proposed amendments which identified issues that were relevant but beyond the scope of a modern digital privacy law, according to Junior IT Minister Rajeev Chandrasekhar. The government will now work on a new comprehensive legal framework and present a new bill.
Given that India is the world's second-largest Internet market and many companies have dealings there, the passage of a sweeping privacy bill there could pose challenges, especially if it is tighter that the EU's GDPR, which many find challenging enough.
CISSP course attendees can find more background in the course wiki's Privacy page.
Singh, Manish, India withdraws personal data protection bill that alarmed tech giants, TechCrunch, 3 August 2022. Available online at https://techcrunch.com/2022/08/03/india-government-to-withdraw-personal-data-protection-bill/.
VMWare Vulnerabilities - Patch Promptly!
VMware has released security updates to address multiple vulnerabilities
in multiple products
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability (CVE-2022-31656) affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability (CVE-2022-31658). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability (CVE-2022-31659), which VMware has evaluated to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
And many, many more . . . See https://www.vmware.com/security/advisories/VMSA-2022-0021.html for full details.
Universities Expose Students To Email Threats
A study of DMARC reports done by Proofpoint has revealed that universities are not doing a good job of securing their student email systems, exposing students to spam, phishing, malmail-based ransomware and other email-based threats.
While 65% of the top US and UK universities - 13 out of 20 - did have a base level of DMARC protection, 5 of the top 10 US universities did not publish any level of DMARC record, Proofpoint found.
Montalbano, Elizabeth, Universities Put Email Users at Cyber Risk, ThreatPost, 2 August 2022. Available online at https://threatpost.com/universities-email-cyber-risk/180342/.
Checkpoint Releases its 2022 Mid-Year Cyber Attack Trends Report
Security vendor Checkpoint has released its mid-year report on cyber attack trends and, as you'd expect, it makes depressing reading. Major trends include continuing growth in cyber attacks - up 42% globally - cyberwarfare (with associated hacktivism) becoming an essential part of conventional warfare, ransomware remaining the number one threat, supply chain attacks moving into the cloud, and everyday life now being noticeably impacted by cybercrime.
The chapter on prevention of attacks is interesting; for some years the focus in our industry seems to have swung away from prevention towards detection and response, leading to a perpetual game of whack-a-mole as entry-level SOC analysts frantically respond to what they see in Splunk - the theory being that the Bad Guys will get in anyway, so detection and response are where the rubber meets the road. The problem is that it can get hard to spot the Bad Guys, hidden as they are among the Very Naughty Boys - you'd better have some experienced threat hunters on hand to sort the wheat from the chaff
Perhaps it is time to apply a bit more effort to prevention, through the application of some basic security architecture and hygiene principles - this will improve the signal-to-noise ratio and also reduce the manpower requirements. Of course, Checkpoint would love to sell you a complete 'solution' to do a lot of this, but the basic principles are universally applicable.
Horowitz, Maya, et. al., Cyber Attack Trends 2022 Mid-Year Report, Checkpoint Research, August 2022. Available online at https://pages.checkpoint.com/cyber-attack-2022-trends.html.
Cryptocurrency Irony Abounds
Cryptocurrencies aren't usually a concern for infosec professionals, but you probably get dragged into conversations about cryptocurrencies and blockchain technology (which is why the CISSP course wiki has a page devoted to the topic). After I've regaled people with a few horror stories of rug pulls and other scams, my interlocutors generally lose interest, and I check off my good deed for the day.
But the horror stories continue. The collapse of cryptocurrency lender Celsius has provided yet another cautionary tale, this time laced with irony. The crypto giant was "marketing itself much like a bank but without the same regulations" (my emphasis), the lack of regulation presumably being why investors could expect huge returns. When the inevitable happened and the company collapsed, those same investors are now petitioning the bankruptcy court in hopes that regulations might allow them to recover at least some of their money.
How can I put this? If you take huge risks on unregulated . . . for lack of a better word, scams . . . then you cannot rely on regulation to kiss it better.
It would be funny, except that people have lost their life savings, causing real hardship.
In related news, the market is being flooded with second-hand Rolex and Patek Phillipe watches, as desperate crypto bros are forced to liquidate some of their toys.
Bogle, Ariel, Australian investors left with nothing as cryptocurrency giant Celsius goes bankrupt, ABC News, 4 August 2022. Available online at https://www.abc.net.au/news/science/2022-08-04/cryptocurrency-celsius-network-bankruptcy-australian-investors/101293028.
Hoffman, Andy, The Crypto Collaps Has Flooded the Market With Rolex and Patek, Bloomberg Pursuits, 29 July 2022. Available online at https://www.bloomberg.com/news/articles/2022-07-29/the-crypto-collapse-has-flooded-the-market-with-rolex-and-patek.
Everyone's a Winner in the Upcoming (ISC)² Board of Directors Election
In November, (ISC)² will run the election for its Board of Directors. There are five open positions, and by coincidence, the Board's Nomination Committee has recommended, and the entire Board has endorsed, five candidates. Unless a few candidates manage to raise the required 500 signatures to successfully petition to be included in the ballot, it's hardly an election at all.
Lest readers think this is no big deal, here are a few facts and figures: according to (ISC)²'s IRS form 990, its gross receipts for the last reported financial year were $US85,362,992 - not exactly chicken feed - and its assets were $US115,725,304. CISSP's might want to ask themselves whether this non-profit is delivering value for the Annual Maintenance Fees; those who think not might consider petitioning to stand for election - instructions were in the Board Candidates announcement email they received yesterday. The deadline is 2 September - better start organising those signatures now!
(Form 990 figures sourced from https://www.guidestar.org).
Remote Worker Reprimanded for Using Mouse Jiggler
A cautionary tale: telecommuter Gabrielle Judge was reprimanded by her employer for using a 'mouse jiggler' program, which keeps a computer awake and gives the appearance the worker is online and available. The program was not the only issue - apparently she had missed some meetings and explained offline periods as due to thunderstorms.
Security lessons: Obviously, there's the issue of a user installing unauthorised software (but if this is really a concern, use application whitelisting and don't give the user local admin privileges). But then there's the issue of security staff being dragged into policing employee productivity and timekeeping. It's not a security issue, but one of management supervision, and security can have a fraught relationship with staff anyway, with constant "Don't do this, don't do that" messaging. This just further erodes the trust we need. What do you think?
Harding, Rebekah, 'My manager caught me': Remote worker says they got reprimanded for using 'mouse jiggler' app, sparking debate, Daily Dot, 1 August 2022. Available online at https://www.dailydot.com/irl/remote-work-mouse-jiggler/.
Zero-Day Defence Hints
An article by Akamai's Principal Security Researcher provides a list of useful techniques for hardening defences against zero-day exploits, returning us to the them of stiffening defences, rather than operating reactively. The techniques should be well known to all of us, but it's good to be reminded now and again:
- Monitor and update from vulnerability scanner repositories
- Make the most of your web application firewall
- Monitor client reputation
- Control traffic rates
- Watch out for bots
- Don't overlook outbound activity
- Sequester identified attack sessions
- Contain the blast radius (network enclaves, microsegmentation)
CISSP course attendees can find more resources throughout the course wiki, but especially on the Cyber Resilience page
Barnett, Ryan, Zero-Day Defense: Tips for Defusing the Threat, Dark Reading, 4 August 2022. Available online at https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat.
GitHub Projects Cloned, Not Hacked, to Distribute Malware
Cloning of GitHub projects is not uncommon as people fork open-source projects to create customised derivatives. But attackers have cottoned on to this technique as a way of distributing back-doored versions and malware. Software developer Stephen Lacy dropped a bombshell when he revealed that he had discovered over 35,000 different cloned github repositories, including clones of crypto, golang, python, js, bash and docker. The malware is added to rpm package install scripts, docker images and install documentation.
The malicious projects were easily identified by a single IoC, the URL of what it presumably a C2 server - which suggests a single group is behind this attack.
Update: a day later, Paul Ducklin at Sophos followed up with some more information. A Twitter account going under the name of "pl0x_plox_chiken_p0x" claims to have created the cloned projects as part of some bugbounty research. To which we can only say: pull the other leg, squire - it has got bells on.
The lesson: it's safer to install software as signed packages from official distribution repositories, and when looking for software, don't search GitHib but instead follow links from official software project pages.
Ducklin, Paul, GitHub blighted by "researcher" who created thousands of malicious projects, Sophos Naked Security, 4 August 2022. Available online at https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/.
Sharma, Ax, 35,000 repos not hacked - but clones flood GitHub to serve malware, Bleeping Computer, 3 August 2022. Available online at https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/.
Malware Masquerades as Legit Software
Yet another reason to block users installing unauthorised software: threat actors are tricking users into downloading and installing malware by making it look like popular programs. The most popular mimicked applications include Skype, Adobe Reader, VLC Player, 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom and WhatsApp.
Independent users - working from home or in SME's, etc. - often simply Google for software they need to join webinars and meetings, unzip files, or perform other tasks. So they Google for them - and very often, unauthorised distribution sites appear at the top of the results page - and, of course, the attackers can simply pay Google to ensure they are at the top of the page. They also register plausible-looking domain names, add the icon of the genuine product to their infected installer program and generally look authentic and plausible. In other cases, the genuine software product is simply packaged with other malware infectors, or the malware is installed from within a modified installation script.
Lakshamanan, Ravie, VirusTotal Reveals Most Impersonated Software in Malware Attacks, The Hacker News, 3 August 2022. Available online at https://thehackernews.com/2022/08/virustotal-reveals-most-impersonated.html.
Draytek Vigor Routers RCE Vulnerability
Alhtough Draytek routers are not normally found in enterprise networks, the prevalence of telecommuting and hybrid work means that we need to keep a watching brief on devices like these that are widely deployed in homes and small businesses. Another vulnerability (CVE-2022-032548) has popped up, and given that this is an RCE vuln with a CVSS score of 10 and these routers are a favourite target of Chinese state-sponsored attackers, this one is worthy of prompt action.
Laulheret, Philippe, Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers, Trellix, 3 August 2022. Available online at https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html.
Security Training - Common Mistakes
The gap between the informed and always-on approach of security professionals and the sleepy approach of the average user means that we are not always the most sympathetic and well-equipped people to design and especially deliver security education, training and awareness to The Great Unwashed - err, I mean, the non-technical personnel in our enterprises. Nonetheless, there are some activities we typically have to be involved in, and one of these is phishing simulations.
Given that phishing is the number one attack vector - just ask any pen-tester how effective it is for them - it's worth doing this right, and a short article from CybReady gives three common phishing simulation mistakes that can sabotage our training efforts:
- Testing instead of educating - trying to catch and punish repeat offenders is counterproductive
- Using the same simulation for all employees - this will only catch the stragglers of the herd
- Relying on data from a single campaign
CISSP course attendees will find more tips in our Security Education, Training and Awareness wiki page.
CyebReady staff, Three Common Mistakes That May Sabotage Your Security Training, The Hacker News, 4 August 2022. Available online at https://thehackernews.com/2022/08/three-common-mistakes-that-may-sabotage.html.
Lockheed Martin Manufacturing Systems Targeted by Russian Hacktivists
The Russia-Ukraine conflict continues to spill over into cyberspace. According to Killmilk, the leader of pro-Russian hacker group Killnet, his group has switched from its earlier DDoS attacks on such targets as Lithuanian government and business, the website of the US Congress and - for some weird reason - the website of a Connecticut airport, to a more sophisticated attack on the manufacturing systems of defence contractor Lockheed Martin.
Killmilk has claimed he would also leak personal information of the company's employees so that they could be "persecuted and destroyed around the world", and has set out to recruit other groups to the cause: "I call on all hacker groups to create an escalation in Lockheed Martin's production cycles around the world, as well as to spread personal information about the terrorists of this company", he posted on Telegram.
In related news, the Russian military has claimed to have hacked into the US-supplied HIMARS Multiple Launch Rockets System which Ukraine has been putting to devastatingly good use against Russian command centres, ammo dumps and supplies.
Kadam, Tammay, Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS - Reports, The Eurasian Times, 2 August 2022. Available online at https://eurasiantimes.com/russian-hackers-launch-cyber-attacks-on-lockheed-martin/.
Top Malware Strains of 2021
The US Cybersecurity & Infrastructure Security Agency and Australian Cyber Security Centre have issued a joint advisory (Alert AA22-216A) listing a hit parade of 2021's malware. Probably most concerning is that two aging bits of code - the Qakbot and Ursnif banking trojans - have continued to evolve, adding new functionality such as reconnaisance, lateral movement, data gathering and infiltration, payload dropping and the formation of botnets.
As discussed here previously, phishing and malmail remain the most popular vectors for delivery, followed by RDP brute-forcing, and the best defensive controls remain the obvious ones: proactive patching, security education, training and awareness, offline, offsite backups and multi-factor authentication.
The advisory includes brief descriptions of the top malware strains - Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader - as well as Snort signatures for them.
CISA and ACSC, 2021 Top Malware Strains, Alert AA22-216A, 4 August 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-216a.
Identity and Access Management is the New Perimeter
The process of deperimeterization and movement to cloud has shifted our focus away from firewalls and network security. In an upcoming talk at Black Hat in Las Vegas, Igal Gofman, will make the case that threat actors have also shifted focus - to cloud-hosted IAM systems. He's got a good point - many enterprises, of all sizes, have cut costs by migrating to SaaS systems like Google Workspace and Microsoft 365, as well as building systems using PaaS and IaaS. This has now led to increasingly complex cloud architectures in which services authenticate to each other via API keys.
The problem is, says Gofman, that the Bad Guys are figuring out ways to compromise these identities, and his talk will cover these techniques, the competing cloud providers' security architectures, as well as open-source tools for gaining visibility into infrastructure.
Seals, Tara, Cyberattackers Increasingly Target Cloud IAM as a Weak Link, Dark Reading, 5 August 2022. Available online at https://www.darkreading.com/cloud/cyberattackers-increasingly-target-cloud-iam-as-a-weak-link.
Getting Started With Post-Quantum Crypto
Cloudflare has quickly jumped on the post-quantum bandwagon, and has encouraged others to do so as well by adding support for the CRYSTALS-Kyber key encapsulation algorithm on a number of test domains, and also adding support for CRYSTALS-Kyber in forks of the BoringSSL and Go open-source projects. This will allow security architects to investigate the performance and RAM requirement impact of using this algorithm.
Westerbaan, Bas, Christopher Patton and Peter Wu, Experiment with post-quantum cryptography today, Cloudflare blog, 4 August 2022. Available online at https://blog.cloudflare.com/experiment-with-pq/.
Logical Qubits Used for First Calculation
Researchers have, for several years, been trying to improve the stability of the qubits that form the basis of quantum computers. Last year, both Google and Honeywell announced significant advances by linking qubits into more stable groups called logical qubits, which use quantum error-correction. Without this, current quantum computers have error rates as high as one in one-thousand, which is clearly insufficient for even simple computing tasks.
Now, startup Quaninuum, formed through a merger between Cambridge Quantum and Honeywell Quantum Solutions, has been able to demonstrate - wait for it - calculations performed using a pair of logical qubits. This might not sound like much, but this is one of those 'walk before you can run' steps that will eventually make quantum computers practical.
Google Quantum AI, Exponential suppression of bit or phase errors with cyclic error correction, Nature, vol. 595, no. 7867, pp. 383–387, Jul.y 2021. doi: 10.1038/s41586-021-03588-y.
[Ryan-Anderson, C. et al., Realization of real-time fault-tolerant quantum error correction, arXiv, Jul. 15, 2021. Available online at http://arxiv.org/abs/2107.07505.
Shankland, Stephen, This '90's-Era Quantum Computing Idea Could Lead to a Massive Breakthrough, CNet, 5 August 2022. Available online at https://www.cnet.com/tech/computing/new-technique-brings-quantum-computers-closer-to-their-promise/.
Final Funny
Tying Spammers in Knots
Courtesy of contributor Peter Hillier: Security researcher Troy Hunt, of https://haveibeenpwned.com/ fame has wreaked vengeance on spammers by replying to them and inviting them to register on a site via an online form which ties them up in password generation hell. 😂
This reminds me of a similar technique I used to use on unsolicited salespersons calling our company. I had created a script for our Asterisk VoIP PBX which would read the weather forecast from the Bureau of Meterology web site every few hours, strip out the HTML, and drop the resulting text in a file. I had a matching extension number which, when dialled, would read the contents of the file via a text-to-speech library.
So when someone rang and tried to sell me cheaper electricity, or long-distance services, or whatever, I would quickly reply, "Sorry - you're talking to the wrong person. I'm not in charge of that, but I'll transfer you to the right person, if you'll just hold for a few seconds". Then I'd transfer them to that extension, leaving them befuddled by what sounded like Stephen Hawking regaling them with the Sydney weather forecast.
They never rang back.
Fraunfelder, Mark, This guy made a diabolical form to send spammers to password purgatory, BoingBoing, 4 August 2022. Available online at https://boingboing.net/2022/08/04/this-guy-made-a-diabolical-form-to-send-spammers-to-password-purgatory.html.
That ends this weekly security news summary. I'll resume on Monday with a new daily format which should be smaller, easier to read and keep track of. Watch for it in your RSS feed or at https://www.lesbell.com.au/blog/index.php.