Blog entry by Les Bell

by Les Bell - Monday, 22 August 2022, 7:45 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chip Makers Take On PQCrypto

We have written here before about the need for cryptographic agility - the ability to replace those public-key crypto algorithms that are expected to fall, sooner or later, to quantum cryptanalysis. That's a challenge, because most of the quantum-resistant algorithms are compute-intensive, but desktop, laptop and cloud server machines should be able to cope without too much difficulty.

However, the same is not true for the small, low-powered, system-on-a-chip devices that power the Internet of Things. This is especially true for the smart cards used as credit cards, access badges, etc., which will require specialised hardware to be able to perform acceptably. In the first part of an interview, Joppe W. Bos, senior principal cryptographer at NXP Semiconductor, explains some of the challenges - as co-creator of the CRYSTALS-Kyber algorithm recently adopted by NIST for standardization, he is in a unique position to describe the challenges.

Valerio, Pablo, Post-Quantum Cryptography needs to be ready to protect IoT, IoT Times, 17 August 2022. Available online at https://iot.eetimes.com/post-quantum-cryptography-needs-to-be-ready-to-protect-iot/.

Intel Adds CPU Circuitry to Defeat Power-On Attacks

Processors that incorporate a Trusted Platform Module have an obscure vulnerability in which an attacker manipulates the voltage supplied to the CPU at just the right time - as it is loading the firmware for its security engine. By triggering an error condition just then, the attacker could get the security engine to load malicious firmware, which would then grant the attacker access to some data, such as biometric templates, stored in the TPM.

Now Intel is adding a tunable replica circuit to the company's 12th generation Alder Lake Core processors, which correlates the times and voltages at which the various circuits on a motherboard power up and, if they don't match, generates an error and a failsafe reset. The circuit is being added to these laptop processors because the attack - which remains theoretical at this stage - requires physical access to the motherboard, something that is harder to achieve for server and desktop machines.

Shah, Agam, Intel Adds New Circuits to Chips to Ward Off Motherboard Exploits, Dark Reading, 20 August 2022. Available online at https://www.darkreading.com/dr-tech/intel-adds-new-circuit-to-chips-to-ward-off-motherboard-exploits.

Fake Cloudflare DDoS Protection Pages Trick Users Into Installing Trojans

Occasionally, when visiting a busy web site, you will see a Cloudflare DDoS protection page that holds you up for a few seconds, as a way of rate-limiting bots which are attempting to overwhelm the site with bogus requests. In a new social engineering twist, hackers are using weakly protected WordPress sites to host an obfuscated JavaScript payload that displays the Cloudflare DDoS page - but then asks the visitor to click on a button to bypass the delay. This downloads a container file called 'security_install.iso', which the victim is told installs a program called DDOS GUARD that will get them faster access.

In fact, this is actually a link to the first of a chain of Windows PowerShell scripts which culminate in installing the NetSupport remote access trojan and the Raccoon Stealer password stealer on the victim's system.

Defensive techniques include hardening WordPress sites more thoroughly, and educating users never to install programs that scareware messages are prompting them to download.

Toulas, Bill, WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/.

Gimme Cookie! Want Cookie!

A timely reminder that web security ultimately depends on cookies, which are vulnerable to a variety of stealing attacks. Although authentication to a web site might involve multi-factor authentication, once that has been done, everything depends on those cookies. And because those cookies can be quite long-lived - who wants to have to log in to a web site every few minutes? - markets are emerging where cookies are sold. Low-end cybercriminals can operate malware like Raccoon Stealer and RedLine Stealer, but may not have the sophistication to be able to make use of the credentials once they have acquired them - so they sell them on.

Once generated by a server, the cookies are also stored by the browser, usually in an SQLite database which may also store user IDs and passwords. A variety of techniques can be used by the attacker to extract the cookies, which can then be used to take over MS Office 365 and Google Workspace sessions, among others.

Perhaps it's time for us to accept the inconvenience of having to re-authenticate more frequently in order to minimise the likelihood of this attack?
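One way to act on that recommendation is to audit the Set-Cookie headers a site emits and flag session cookies whose lifetime exceeds a re-authentication policy. The following is an added example, not code from the article or from Sophos; the eight-hour limit, the cookie names and the header values are all constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Policy assumption (not from the article): a session cookie should not
# remain valid for more than eight hours without re-authentication.
MAX_SESSION_LIFETIME = 8 * 3600

# Fixed "current time" so the Expires arithmetic is reproducible.
NOW = datetime(2022, 8, 22, 0, 0, tzinfo=timezone.utc)

# Constructed Set-Cookie headers, as a crawler or proxy log might record them.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; Secure; HttpOnly; Max-Age=2592000",          # 30 days
    "sso_token=xyz; Path=/; Secure; HttpOnly; Expires=Mon, 22 Aug 2022 12:00:00 GMT",
    "csrf=q1w2e3; Path=/; Secure; Max-Age=3600",                          # 1 hour
    "prefs=dark; Path=/",                                                 # no lifetime
]

def parse_set_cookie(header, now=NOW):
    """Return (name, lifetime_in_seconds_or_None, attrs) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")   # flag attributes (Secure, HttpOnly) get ""
        attrs[key.strip().lower()] = value.strip()
    lifetime = None
    if "max-age" in attrs:                 # Max-Age wins over Expires (RFC 6265 s5.3)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())
    return name, lifetime, attrs

def audit_cookies(headers, limit=MAX_SESSION_LIFETIME, now=NOW):
    """Return [(name, lifetime)] for cookies that outlive the policy limit."""
    findings = []
    for header in headers:
        name, lifetime, _ = parse_set_cookie(header, now)
        if lifetime is None:
            continue   # nominally a browser-session cookie; no explicit lifetime to judge
        if lifetime > limit:
            findings.append((name, lifetime))
    return findings

def demo():
    return audit_cookies(SAMPLE_HEADERS)
```

Run `demo()` to see the two over-long cookies reported; a cookie with no Max-Age or Expires is skipped because its lifetime is left to the browser.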

Gallagher, Sean, Cookie stealing: the new perimeter bypass, Sophos X-Ops, 18 August 2022. Available online at https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass/.

Attribution Insights from IBM X-Force Research

A fascinating deep dive into malware analysis from IBM X-Force Research shows how the Bumblebee malware, which first appeared last year, was probably developed from the source code of the Ramnit banking trojan. What is interesting about this - apart from the malware coding techniques uncovered - is that Bumblebee has been linked to offshoots of the Conti ransomware group, which fragmented following a series of high-profile leaks of chat messages and the doxxing of some group members.

This suggests that the various spinoffs from Conti are forming new alliances and acquiring new TTPs, possibly heralding completely new attacks. The report makes fascinating reading for those who enjoy reverse-engineering malware.

Hammond, Charlotte and Ole Villadsen, From Ramnit to Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light on Relationships Between Malware Developers, IBM Security Intelligence, 18 August 2022. Available online at https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest/.

Online Scammers Often Victims Themselves

While we are all familiar with tech support scammers operating out of Mumbai, it seems that a new breed of financial scammers has arisen, operating out of Laos, Myanmar and Cambodia under the control of Taiwanese and Chinese scam bosses. In Cambodia, for example, giant casinos built to lure Chinese gamblers found themselves near-empty due to COVID travel restrictions and were re-purposed as scam operations, staffed by migrant workers lured by fraudulent job ads or even abducted off the street, who are now held against their will in slave conditions.

The trafficked workers are forced to work from 8 am to 11 pm each day, and are threatened or beaten if they do not raise enough money from their victims; trying to leave is dangerous, with some being killed and others recaptured. The gang bosses are well connected, both politically and to local police, who are notoriously lax in investigating, or even side with the bosses. This is a timely reminder that cybercrime isn't just about bits of information and purely financial gain, but sometimes crosses over into people trafficking, slavery and worse.

Kennedy, Lindsey and Nathan Paul Southern, The online scammer targeting you could be trapped in a South-East Asian fraud factory, The Sydney Morning Herald, 21 August 2022. Available online at https://www.smh.com.au/world/asia/the-online-scammer-targeting-you-could-be-trapped-in-a-south-east-asian-fraud-factory-20220818-p5baz3.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.