Les Bell
Blog entry by Les Bell
News Stories
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
Local Privilege Escalation Vuln in Kaspersky VPN Client
A vulnerability in Kaspersky's VPN Secure Connection for Microsoft Windows allows an already-authenticated user to gain SYSTEM privileges on the victim's computer. While no exploits for CVE-2022-2735 have been seen in the wild, customers should update to version 21.6 or later.
Seals, Tara, High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover, Dark Reading, 5 August 2022. Available online at https://www.darkreading.com/endpoint/high-severity-bug-kaspersky-vpn-client-pc-takeover.
Phishers Exploit Unvalidated Redirects on Amex and Snapchat Sites
The problem of unvalidated redirects and forwards in web server code has been known about since - well, since soon after CGI code first ran on web servers. Yet it continues to catch out many developers and their sites' users, most recently in a campaign which was active for over two and a half months and targeted American Express - which fixed the problem - and Snapchat, which remains vulnerable. Similar attacks have previously targeted FedEx and Microsoft.
Kay, Roger, Phishers Bounce Lures Off Unprotected Snapchat, Amex Sites, INKY Email Security Blog, 3 August 2022. Available online at https://www.inky.com/en/blog/phishers-bounce-lures-off-unprotected-snapchat-amex-sites.
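The fix for this bug class is to validate the redirect target before issuing the 302. The following is an added example (not code from INKY, American Express or Snapchat) of a server-side check that only honours local paths or an allow-list of hosts; the host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (constructed for the example).
ALLOWED_HOSTS = {"www.example-bank.test", "login.example-bank.test"}


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it is a same-site path or points at an allowed host,
    otherwise `fallback`. Each check closes a gap that naive string matching
    ("does it start with our domain?") leaves open."""
    if not target:
        return fallback
    # Control characters and whitespace are rejected outright: some servers and
    # browsers strip them, which turns a harmless-looking value into a URL.
    if any(ord(c) < 0x21 for c in target):
        return fallback
    # Browsers treat a backslash like a forward slash, so "/\evil.test" is
    # really the scheme-relative "//evil.test"; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path is fine, but only with a single leading "/";
        # "//host/..." is scheme-relative and would leave the site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, etc.
    # `hostname` strips userinfo and port, so "https://good.test@evil.test"
    # is judged on evil.test, not on the decoy before the "@".
    if parts.hostname in ALLOWED_HOSTS:
        return target
    return fallback
```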
5.4 Million Twitter Accounts Compromised
Not the highest-impact social media breach by a long shot, but Twitter has confirmed that a threat actor used a zero-day exploit to gather the profiles of 5.4 million Twitter users, including verified phone numbers and email addresses, screen names, login names, locations and other information. The hacker subsequently sold this data dump to two different interested parties.
While much of this information was public anyway, it may have exposed personal information of users who had pseudonymous accounts for privacy reasons. It also seems likely that the information could be used by the purchasers to run highly-targeted spear-phishing attacks. Twitter recommends that users who may be affected - or suspect they may be affected - should enable multi-factor authentication on their accounts.
Abrams, Lawrence, Twitter confirms zero-day used to expose data of 5.4 million accounts, Bleeping Computer, 5 August 2022. Available online at https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/.
Cloud Billing Risk: Recursive Serverless Functions
I'm almost certain you never foresaw this particular risk: the possibility that a recursive function, running on a serverless cloud platform, could rapidly consume massive amounts of resources before any budget alert could fire to warn you of what's happening. Cloud developers are reporting horror stories on all the major cloud platforms - AWS, Azure and Google Cloud Platform - with one developer burning through $US72,000 in a few hours while exploring and testing.
OK, this isn't strictly security, but it's a big risk and probably worth passing on to your development teams. It's one thing to screw up and max out CPU and memory on your own development workstation - it's quite another to do it on a pay-as-you-go platform that can automagically scale up to consume an entire cloud.
Losio, Renato, Are Recursive Serverless Functions the Biggest Billing Risk on the Cloud?, InfoQ, 6 August 2022. Available online at https://www.infoq.com/news/2022/08/recursive-serverless-functions/.
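One cheap defence is to refuse to re-invoke once a chain of self-invocations gets too deep. The following is an added example (not code from InfoQ or any cloud provider's SDK): a handler that processes a batch, hands the remainder to a fresh invocation, and carries a depth counter in the event so a hop that stops making progress is cut off rather than running until the budget alert fires. `invoke` is a hypothetical stand-in for the platform's asynchronous self-invoke call.

```python
MAX_CHAIN_DEPTH = 5  # hypothetical cap; work needing more hops belongs on a queue


class ChainDepthExceeded(RuntimeError):
    """Raised instead of re-invoking when the chain is deeper than allowed."""


def handler(event: dict, invoke) -> dict:
    """Process up to `batch_size` items, then pass the rest to a new invocation.

    `invoke(payload)` stands in for the platform's async self-invoke; the
    `chain_depth` counter rides inside the event so every hop can see how
    long the chain already is, even though each hop is a separate process.
    """
    depth = int(event.get("chain_depth", 0))
    items = list(event.get("items", []))
    batch_size = int(event.get("batch_size", 2))

    processed = items[:batch_size]
    remaining = items[batch_size:]
    # ... real work on `processed` would go here ...

    if not remaining:
        return {"depth": depth, "processed": processed, "remaining": 0}
    if depth + 1 > MAX_CHAIN_DEPTH:
        # A bug that never shrinks `remaining` (batch_size 0, a filter that
        # matches nothing) would otherwise recurse until the bill arrives.
        raise ChainDepthExceeded(
            f"chain depth {depth + 1} exceeds {MAX_CHAIN_DEPTH}; "
            f"{len(remaining)} items unprocessed")
    invoke({**event, "items": remaining, "chain_depth": depth + 1})
    return {"depth": depth, "processed": processed, "remaining": len(remaining)}


def run_chain(event: dict) -> list:
    """Local simulation of the platform: invoke synchronously, record each hop."""
    hops = []

    def invoke(payload):
        hops.append(handler(payload, invoke))

    hops.append(handler(event, invoke))
    return hops  # innermost hop first, since it returns before its caller
```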
Traffic Light Protocol Updated to Version 2.0
The Traffic Light Protocol, which governs the dissemination of threat intelligence, has seen its first significant update. The colour WHITE has been replaced by CLEAR (to avoid racial and ethnic overtones as well as the connotation of white being an additive mix of all the other colours) and a new marker, TLP:AMBER+STRICT, has been added. So there are now five levels:
- TLP:RED - for the eyes and ears of individual attendees only; you can act on the information but not forward it; used when information cannot be effectively acted upon without significant risk for the privacy, reputation or operations of the organizations involved.
- TLP:AMBER+STRICT - may be shared within the recipient's organization only, but not with customers, business partners or suppliers.
- TLP:AMBER - may be shared within the recipient's organization and also with customers or clients.
- TLP:GREEN - may be circulated freely within your community (which, if not otherwise defined, is the cybersecurity/defence community), but not publicly nor outside the community.
- TLP:CLEAR - may be freely shared with the world.
FIRST, TRAFFIC LIGHT PROTOCOL (TLP): FIRST Standards Definitions and Usage Guidance - Version 2.0, August 2022. Available online at https://www.first.org/tlp/.
Boards Now On Board with Security?
Not quite, not yet. According to a global survey report released by executive recruitment firm Heidrick and Struggles, only 12% of CISOs actually sit on the board of their company, but the situation is improving, in part due to market regulators like the SEC, ASIC and the stock markets themselves. Gartner now predicts that 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member by 2025.
However, growing board awareness of cybersecurity incidents and breaches requires a change in approach, as directors become inured to 'the sky is falling' pitches for budget increases. By now, many firms have lived through ransomware and other attacks and recovered to resume business as usual. A more measured approach to dealing with cybersecurity risks is required.
Aiello, Matt, et al., 2021 Global Chief Information Security Officer (CISO) Survey, Heidrick & Struggles, 2022. Available online at https://www.heidrick.com/en/insights/technology-officers/2021-global-chief-information-security-officer-ciso-survey.
Glover, Claudia, Cybersecurity on the board: How the CISO role is evolving for a new era, Tech Monitor, 5 August 2022. Available online at https://techmonitor.ai/technology/cybersecurity/ciso-on-the-board.
IoT Device SSH Servers Used to Form Botnet
A derivative of the Mirai botnet named RapperBot has been rapidly evolving since it was first discovered back in June. The malware scans IoT devices and attempts to brute-force its way into the embedded SSH server, and has now amassed over 3,500 IP addresses it uses for this purpose. Once it has broken into a device it exfiltrates the valid credentials back to its C2 network, and since mid-July it has switched from propagating further to maintaining remote access into the compromised devices, adding its own public key to the authorized_keys file on the victim. In a nasty twist, it also deletes the existing public keys, which will prevent administrators from logging in to fix the issue.
Lakshmanan, Ravie, New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack, The Hacker News, 6 August 2022. Available online at https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html.
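The key-swap described above leaves a clear trace: the fingerprints in authorized_keys no longer match what operations installed. The following is an added example (not code from The Hacker News or from any RapperBot analysis) of a drift check that parses authorized_keys, including option-prefixed lines, computes OpenSSH-style SHA256 fingerprints and reports keys added or removed relative to a baseline. The key blobs below are constructed stand-ins, not real public keys.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def parse_authorized_keys(text: str) -> dict:
    """Map SHA256 fingerprint -> comment for each key line.
    Blank lines, '#' comments and a leading option list (command="...",
    from="...", no-pty, ...) are tolerated; the key type token is located by
    prefix, so an option value containing such a token would confuse it."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                blob, comment = tokens[i + 1], " ".join(tokens[i + 2:])
                break
        else:
            continue  # no key found; a production checker should flag the line
        try:
            digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
        except ValueError:
            continue  # malformed blob; likewise worth flagging
        # Same presentation as `ssh-keygen -lf`: unpadded base64 of the SHA256.
        keys["SHA256:" + base64.b64encode(digest).decode().rstrip("=")] = comment
    return keys


def diff_authorized_keys(baseline: str, observed: str) -> dict:
    before, after = parse_authorized_keys(baseline), parse_authorized_keys(observed)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after))}


def _fake_blob(seed: bytes) -> str:
    # Constructed stand-in for a public-key blob; only its fingerprint matters here.
    return base64.b64encode(seed).decode()


BASELINE = "\n".join([
    "# keys installed by the operations team (constructed sample)",
    f"ssh-ed25519 {_fake_blob(b'constructed-admin-key-1')} admin1@ops",
    f'command="/usr/local/bin/backup",no-pty ssh-rsa {_fake_blob(b"constructed-backup-key")} backup@ops',
])
# Constructed post-compromise state: every legitimate key gone, one stranger present.
OBSERVED = f"ssh-rsa {_fake_blob(b'constructed-unknown-key')}"
```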
Weapons Systems Increasingly Complex, Increasingly Vulnerable
As high-tech weapons systems become more complex, relying on networked digital components, they are increasingly difficult to secure. An opinion piece in The Hill calls attention to the need to address the national security risk posed by vulnerabilities in weapons systems ranging from the B-2 Spirit bomber, through tactical radio systems, down to the engine and transmission controllers of ground combat vehicles.
Gates, Alexander, US strategic advantage depends upon addressing cybersecurity vulnerabilities of weapon systems, The Hill, 6 August 2022. Available online at https://thehill.com/opinion/cybersecurity/3591153-us-strategic-advantage-depends-upon-addressing-cybersecurity-vulnerabilities-of-weapon-systems/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.