Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Cisco Corporate Network Breached by Ransomware Gang
The group, called Yanluowang, managed to exfiltrate some files from one employee's Box folder, and then attempted to extort the networking company. However, it took some work for them to get this far - the attackers had to use a whole series of voice phishing attacks and forged multi-factor authentication push notifications to finally trick a victim into handing over the credentials for his Google account.
From there, though, the gang were able to get VPN access into the company and pivot to domain controllers and Citrix servers, where they exfiltrated more data and installed their tools in an attempt to persist. Despite being evicted, the attackers kept trying to return - Cisco claims, unsuccessfully. No ransomware was installed, but the threat actor's behaviour suggests that would have been one of their next steps if not discovered.
Biasini, Nick, Cisco Talos shares insights related to recent cyber attack on Cisco, Cisco Talos, 10 August 2022. Available online at https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html.
Gatlan, Sergiu, Cisco Hacked by Yanluowang ransomware gang, 2.8 GB allegedly stolen, Bleeping Computer, 10 August 2022. Available online at https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/.
5G IoT APIs a Disaster Waiting to Happen
One of the benefits of 5G is to move IoT devices off domestic and SME wi-fi networks, where they have to punch holes through NATting routers, onto a high-bandwidth but - more importantly - low-latency cellular network which will allow direct management. In a presentation at Black Hat, Technical University of Berlin researcher Altaf Shaik says that the IoT APIs of 10 mobile carriers he examined share common, but serious, vulnerabilities which could allow unauthorised access to data or even direct access to devices on the 5G network.
The 5G standards do not define IoT service platforms, and so a plethora of new protocols have sprung up, many designed by telcos with limited experience in this area. The results include weak authentication and a lack of access controls which can reveal customer data, access to data streams or even direct access to devices via simple replay attacks.
Newman, Lily Hay, One of 5G's Biggest Features Is a Security Minefield, Wired, 9 August 2022. Available online at https://www.wired.com/story/5g-api-flaws/.
Threat Actors Shift Left
The automation and orchestration of the development and deployment process - generally labeled CI/CD (Continuous Integration / Continuous Deployment) - has introduced vulnerabilities which attackers are now exploiting, according to two speakers at Black Hat. In their talk, RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise, Iain Smart and Viktor Gazdag provide examples of common vulnerabilities in these pipelines:
- Hardcoded credentials in version control systems and source control management
- Over-permissive roles
- Lack of audit, monitoring and alerting
Traditional, on-prem, software development practices were largely secure by virtue of being well inside the enterprise network. Now that source is in shared, cloud-hosted, repositories, along with all the test scripts, manifests and deployment tools that push them into production, they need a lot more attention from security professionals. Even for on-prem deployment, the COVID-19-inspired shift to hybrid work means that developers are often working with cloud-hosted tools. In short, DevOps must become DevSecOps or even SecDevOps.
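The first item in that list, hardcoded credentials committed to shared repositories, is the one most easily caught before it reaches the repository at all. The following added example (not from the talk or the article) is a minimal secret scanner of the kind run as a pre-commit hook or CI step; the sample manifest and the detection rules are constructed assumptions for illustration, not a vendor ruleset.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines as they might appear in a deployment manifest
# committed to a shared repository. All values are fake.
SAMPLE = """\
image: registry.example/app:1.2.3
env:
  DB_PASSWORD: "hunter2-prod"
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  LOG_LEVEL: info
# -----BEGIN RSA PRIVATE KEY-----
token_url: https://auth.example/token
"""

# Illustrative rules for credential classes commonly found in pipelines
# (assumed patterns, not an exhaustive ruleset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*\S+"),
}

@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str  # matched material is redacted so the report itself leaks nothing

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; the excerpt has the match masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, pattern.sub("<redacted>", line).strip()))
    return findings

def main() -> int:
    # Non-zero exit fails the commit or pipeline stage when anything is found.
    findings = scan_text(SAMPLE)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline the scanner would read the staged diff rather than an embedded string, and a hit should also trigger rotation of the credential, since it has already left the developer's machine.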
Seals, Tara, Software Development Pipelines Offer Cybercriminals 'Free-Range' Access to Cloud, On-Prem, Dark Reading, 10 August 2022. Available online at https://www.darkreading.com/application-security/software-development-pipelines-cybercriminals-free-range-access-cloud-on-prem.
Amazon Expands Biometric Payments
Retail giant Amazon is expanding the use of its Amazon One palm print scanning checkout system to 65 Whole Foods stores across California. The system is contactless, reducing the risks of infection; the user can simply hold their hand, palm down, above the scanner. The scheme has, perhaps inevitably, drawn the ire of privacy advocates, which Amazon has countered by simply offering customers a $10 credit to register for the system.
Axon, Samuel, Amazon begins large-scale rollout of palm print-based payments, Ars Technica, 11 August 2022. Available online at https://arstechnica.com/gadgets/2022/08/amazon-begins-large-scale-rollout-of-palm-print-based-payments/.
Multiple VMware Vulnerabilities
In an advisory, VMware warns of multiple vulnerabilities which will allow privilege escalation, information disclosure and authentication bypass.
Uncredited, Advisory VMSA-2022-0022, 9 August 2022. Available online at https://www.vmware.com/security/advisories/VMSA-2022-0022.html.
CISA Vulnerability Summary
The US Cybersecurity & Infrastructure Security Agency has released its weekly vulnerability summary for the first week of August. Well worth a look, albeit depressing - it really has something for everyone.
CISA, Vulnerability Summary for the Week of August 1, 2022. Available online at https://www.cisa.gov/uscert/ncas/bulletins/sb22-220.
COVID Contact App Finally Scrapped
After over two years, $A21 million and yet only two cases identified, the Australian government has finally canned its much-reviled COVIDSafe contact-tracing app. Many experts - your humble scribe included - warned that the app was an incredibly bad idea, largely due to the vagaries of Bluetooth antenna patterns, the likelihood of false positives from people passing on the other side of walls and windows, power consumption, the inverse square law and many other problems, but a previous government minister with little understanding of, and far too much faith in, technology pressed ahead regardless. As the old saying has it, if you think technology will solve your problem, then you don't understand technology and you don't understand your problem.
No-one will mourn its passing; First Dog on the Moon perhaps said it best:
Black, Jessica, The COVIDSafe app is dead - but was it ever really alive?, ABC News, 10 August 2022. Available online at https://www.abc.net.au/news/2022-08-10/covidsafe-app-scrapped-what-went-wrong/101317746.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.