Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
New Record HTTPS DDoS Attack
A massive HTTPS (HTTP over TLS) DDoS attack was directed at a customer of Google's Cloud Armor DDoS protection service in early June. The attack lasted 69 minutes: it started at 10,000 requests per second against the customer's load balancer and within 10 minutes had ramped up to a peak of 46 million requests per second - equivalent to receiving all of Wikipedia's daily requests within 10 seconds.
The attack appears to have come from the Mēris botnet, although this is more than twice the request rate Mēris had previously achieved. Mēris relays its traffic through unsecured proxies, and an HTTPS flood is far more expensive per request than a plain HTTP flood, for both the botnet and the victim, because every new connection needs a TLS handshake and key exchange before the first request can be sent.
Ilascu, Ionut, Google blocks largest HTTPS DDoS attack 'reported to date', Bleeping Computer, 18 August 2022. Available online at https://www.bleepingcomputer.com/news/security/google-blocks-largest-https-ddos-attack-reported-to-date/.
Prisoner Details Leaked by Misdirected Email
The Western Australian Department of Justice has had to apologise after sensitive details - full names, an image, date of birth and information about partners - of two prisoners were accidentally sent to the wrong distribution list.
The error occurred when an employee was trying to organize approval for an inter-prison phone call between family members, but picked the wrong list.
This kind of error happens frequently - one memorable case occurred when an employee of a major retail chain sent out a large spreadsheet containing details of gift cards to everyone who had purchased one of the gift cards. Unsurprisingly, a few of the recipients, having obtained details of so many tokens, took the opportunity to use them. If ever there was an argument for the use of groupware or - better still - automated workflows for approval processes, this is it.
Fiore, Briana, Department of Justice apologises over leak of 'sensitive' WA prisoner details, ABC News, 18 August 2022. Available online at https://www.abc.net.au/news/2022-08-18/department-of-justice-wa-apology-prisoner-information-leak/101346460.
Apple Releases Safari 15.6.1 to Fix Zero-Day Exploit
An out-of-bounds write vulnerability (CVE-2022-32893) in WebKit, the browser engine at the core of Apple's Safari, is being exploited in the wild, prompting Apple to release Safari 15.6.1. Like other buffer overflows, it can be triggered by maliciously crafted web content to crash the browser, corrupt data or even achieve arbitrary code execution.
Abrams, Lawrence, Apple releases Safari 15.6.1 to fix zero-day bug used in attacks, Bleeping Computer, 18 August 2022. Available online at https://www.bleepingcomputer.com/news/security/apple-releases-safari-1561-to-fix-zero-day-bug-used-in-attacks/.
Deep Analysis of APT 41, Winnti/Wicked Spider
Singapore-based security firm Group-IB has released a detailed report on the activities of the Chinese state-backed threat actor APT 41, also known as Winnti or Wicked Spider. During 2021 APT 41 was very busy, attacking a total of 80 private and public sector organisations and using a novel technique, presumably to evade detection, to deploy its customised Cobalt Strike toolkit: the main binary was Base64-encoded, the encoded text was split into chunks of 775 or 1,024 characters, and each chunk was appended to a text file on the victim's server by means of an SQL injection attack, where the chunks could be reassembled and decoded back into the binary.
This technique only succeeded about half the time, suggesting the group cares more about the number of victims than about any particular one. It also seems that APT 41 may be a coalition of smaller groups, since it uses a wide variety of tools after initial compromise and mixes cyber-espionage with financially motivated cybercrime.
Rostovtsev, Nikita, APT41 World Tour 2021 on a tight schedule, Group-IB, 18 August 2022. Available online at https://blog.group-ib.com/apt41-world-tour-2021.
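As an added example, not taken from the page or from Group-IB's report, the following Python shows both sides of the chunked-Base64 staging described above: a routine that encodes and slices a binary the way the attackers did, and detection logic that collects such chunks per client from web-server access logs and reassembles them. The log format, the IP addresses, the injected SQL syntax and the stand-in "binary" are all assumptions constructed for this example, not details Group-IB reported. One point the example makes concrete: 775 is not a multiple of 4, so a 775-character chunk does not Base64-decode on its own; detection that tries to decode each request's payload individually sees only padding errors, and the chunks have to be gathered per source and reassembled in arrival order first.

```python
"""Staging a binary as Base64 chunks, and spotting that staging in web logs.

Added example; the injected SQL, log format, addresses and binary are all
constructed stand-ins, not what Group-IB observed.
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import quote, unquote

# Chunk lengths reported for the campaign. 775 is not a multiple of 4, so a
# 775-character slice of Base64 text is not decodable on its own; the chunks
# only yield the binary once reassembled in order.
CHUNK_LENGTHS = (775, 1024)

# Constructed stand-in for a Windows PE (starts with the "MZ" magic); not a real beacon.
SAMPLE_BINARY = b"MZ" + bytes(range(256)) * 10 + b"\x00"


def stage_chunks(binary: bytes, chunk_len: int = 775) -> list:
    """Mimic the staging the page describes: Base64-encode the binary and
    slice the text into fixed-length chunks, one per injected request."""
    text = base64.b64encode(binary).decode("ascii")
    return [text[i:i + chunk_len] for i in range(0, len(text), chunk_len)]


def decodes_alone(chunk: str) -> bool:
    """True if a single chunk decodes by itself (1024-char slices do),
    False for 775-char slices: per-request decoding is not a workable detection."""
    try:
        base64.b64decode(chunk, validate=True)
        return True
    except binascii.Error:
        return False


# Apache-style access-log line: client, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')
# SQL-injection tell-tale: a quote followed later by a statement terminator or comment.
SQLI_RE = re.compile(r"'.*(;|--)")
# A Base64 run long enough to be payload rather than a session token or JWT segment.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def reassemble_staged_payloads(log_lines) -> dict:
    """Collect suspicious chunks per client in arrival order, join and decode
    them, and report whether the result looks like a PE. Returns
    {ip: {"chunks": n, "decoded": bool, "pe": bool, "size": bytes}}."""
    chunks = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = unquote(m["url"].partition("?")[2])  # '+' in the log is %2B, so plain unquote
        if not SQLI_RE.search(query):
            continue  # a long Base64 run in a clean query is most likely a token
        chunks[m["ip"]].extend(B64_RE.findall(query))

    findings = {}
    for ip, parts in chunks.items():
        try:
            data = base64.b64decode("".join(parts), validate=True)
        except binascii.Error:  # a missed or out-of-order chunk breaks the decode
            findings[ip] = {"chunks": len(parts), "decoded": False, "pe": False, "size": 0}
            continue
        findings[ip] = {"chunks": len(parts), "decoded": True,
                        "pe": data[:2] == b"MZ", "size": len(data)}
    return findings


def build_sample_log() -> list:
    """Constructed access-log lines, not real traffic: one client staging the
    sample binary through an injected query, interleaved with benign requests."""
    ts = "11/Jun/2021:09:14:{:02d} +0000"
    lines = []
    for i, chunk in enumerate(stage_chunks(SAMPLE_BINARY, 775)):
        # Stand-in injection syntax, chosen for illustration only.
        sql = f"1'; INSERT INTO staging(part) VALUES('{chunk}')--"
        url = "/catalog.aspx?id=" + quote(sql, safe="")
        lines.append(f'198.51.100.23 - - [{ts.format(i)}] "GET {url} HTTP/1.1" 500 0')
        lines.append(f'203.0.113.8 - - [{ts.format(i)}] "GET /catalog.aspx?id=42 HTTP/1.1" 200 1811')
    # A benign long Base64 token without SQL markers must not be treated as a chunk.
    token = base64.b64encode(b"session" * 20).decode("ascii")
    lines.append(f'203.0.113.8 - - [{ts.format(59)}] "GET /account?token={token} HTTP/1.1" 200 77')
    return lines


if __name__ == "__main__":
    for ip, finding in reassemble_staged_payloads(build_sample_log()).items():
        print(ip, finding)
```

The SQL-marker gate is what keeps the detector from flagging every long session token or JWT in a query string; in a real deployment the gate would be whatever injection signature the WAF already emits, and the reassembly would be keyed on the target URL as well as the source address, since a botnet or proxy pool can spread the chunks across many source IPs.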
Janet Jackson Awarded CVE-2022-38392 for 'Rhythm Nation'
An interesting twist on the theme of attacks that cross air gaps: playing the music video for Janet Jackson's Rhythm Nation on one laptop could crash a nearby laptop, as well as the laptop playing it. The problem, discovered by a laptop manufacturer in the Windows XP era, was traced - after some serious investigation - to a frequency in the song matching a natural resonant frequency of the 5,400 RPM hard disk drives used in that manufacturer's laptops and in other vendors' machines, and was fixed by adding a custom filter to the audio pipeline to remove that part of the audio spectrum before it reached the speakers.
Urban myth? Perhaps, but nonetheless MITRE has assigned it CVE-2022-38392.
Chen, Raymond, Janet Jackson had the power to crash laptop computers, Microsoft 'The Old New Thing' blog, 16 August 2022. Available online at https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.