Blog entry by Les Bell

by Les Bell - Tuesday, 23 August 2022, 9:04 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Ancient Linux Vuln Allows Privilege Escalation

An eight-year-old memory management vulnerability in the Linux kernel could allow privilege escalation, say three academics from Northwestern University. The DirtyCred proof-of-concept exploit works by swapping unprivileged task credentials in memory with root credentials from a SetUID process, making use of a bug in the kernel's heap memory reuse code.

Lakshmanan, Ravie, "As Nasty as Dirty Pipe" - 8 Year Old Linux Kernel Vulnerability Uncovered, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html.

Healthcare Info of Almost 1.4 M Patients Exposed Via Ad Tracker

A US healthcare provider, Novant Health, has revealed that the sensitive information of 1,362,296 patients was accidentally disclosed when an advertising performance tracker script was misconfigured. The company added the Meta Pixel (formerly Facebook Pixel) JavaScript ad tracking script to a May 2020 promotional campaign for COVID-19 vaccinations which made use of Facebook advertisements.

However, the tracker was misconfigured both on the Novant Health site and on the 'MyChart' portal, which allows patients to book appointments, request prescription refills and use other services with 64 US healthcare providers. The misconfiguration exposed a long list of sensitive data, including email address, phone number, and appointment type and date, to both Facebook/Meta and its advertising partners.

Novant discovered the issue in May 2022 and has contacted all the people affected. However, they also say that attempts to get Meta to delete the data were met with no response.

Toulas, Bill, Misconfigured Meta Pixel exposed healthcare data of 1.3M patients, Bleeping Computer, 22 August 2022. Available online at https://www.bleepingcomputer.com/news/security/misconfigured-meta-pixel-exposed-healthcare-data-of-13m-patients/.

Bitcoin Stolen from General Bytes ATMs

Unknown hackers have been able to exploit a fairly obvious vulnerability in the Crypto Application Server that controls General Bytes Bitcoin ATMs, and thereby steal cryptocurrencies from the ATM customers. The hack was achieved by the simple act of calling an admin URL that is used for initial installation of the server and creates the first admin user. By calling this API and creating an admin user called 'gb', the attackers were then able to modify the 'buy', 'sell' and 'invalid payment address' settings to use a crypto wallet that they controlled.

From that point on, any cryptocurrencies received by the ATM went to the hackers, rather than the intended destination.

The moral of the story? Review any installation scripts and remove them after installation has been completed. Allow admin access only from trusted subnets. And, of course, patch proactively.
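The two design fixes in that moral, as an added example (this is not General Bytes code and does not reproduce their API): a first-run admin-setup handler that retires itself once any admin exists, and that only answers requests from an assumed trusted management subnet. The subnet, usernames and addresses are constructed for illustration.

```python
"""Bootstrap-endpoint guard: dead after first use, and subnet-restricted before that."""
import ipaddress
from dataclasses import dataclass, field

# Assumed trusted management network (constructed for this example).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class ServerState:
    admins: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (outcome, client_ip, username)


def source_is_trusted(client_ip: str) -> bool:
    """Allow-list check for the management plane."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def handle_first_admin_setup(state: ServerState, client_ip: str, username: str):
    """Returns (http_status, reason).

    The 'already installed' check runs first, so once installation has finished the
    endpoint refuses everyone, whatever their source address. Only before that does
    the subnet check decide who may create the initial admin.
    """
    if state.admins:
        state.audit.append(("refused-post-install", client_ip, username))
        return 410, "setup endpoint retired after initial installation"
    if not source_is_trusted(client_ip):
        state.audit.append(("refused-untrusted-source", client_ip, username))
        return 403, "admin functions are only reachable from trusted subnets"
    state.admins.add(username)
    state.audit.append(("created", client_ip, username))
    return 201, f"initial admin '{username}' created"


def post_install_setup_attempts(state: ServerState):
    """Detection hook: any hit on the setup endpoint after bootstrap is worth an alert."""
    return [e for e in state.audit if e[0] == "refused-post-install"]


if __name__ == "__main__":
    s = ServerState()
    print(handle_first_admin_setup(s, "10.20.1.5", "ops-admin"))  # legitimate install
    print(handle_first_admin_setup(s, "203.0.113.7", "gb"))       # the story's attack path
    print(post_install_setup_attempts(s))
```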

Abrams, Lawrence, Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/.

LatentBot Mutates Into Grandoreiro

LatentBot is a trojan that dates back to 2013; written in Delphi, it has a modular design that allows it to download additional modules for keystroke logging, cookie-stealing and remote access. Since June 2022, a new derivative called Grandoreiro has appeared, targeting companies in Spanish-speaking countries with official-looking emails apparently from government agencies.

The victims are directed to download and share a document, but in practice the link redirects to a malicious domain and then downloads a ZIP file containing the Grandoreiro loader. The loader goes through a number of anti-forensics checks, such as walking through the list of currently executing processes looking for malware analysis tools, seeing if it is being run from a particular directory, looking for debuggers, and reading from an I/O port which is used by VMware.

If all of this succeeds, it gathers some basic information, checks for the presence of crypto wallets which it will investigate later, and then fetches the main payload. This uses even more anti-forensics techniques - for example, it includes two tightly-compressed bitmapped images which, when expanded, inflate the resulting binary to over 400 MBytes, which exceeds the size limit of most execution sandboxes.

From there on, Grandoreiro communicates with its C2 network in exactly the same way as LatentBot, and can download any of a huge selection of backdoor capabilities.

Shivtarkar, Niraj, Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals, Zscaler ThreatLabz blog, 18 August 2022. Available online at https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals.

More Info on Mēris

Google has released a bit more information about last week's massive DDoS attack by the Mēris botnet. Apparently there were 5,256 source IP addresses from 132 countries engaged in the attack - approximately 22% of them were Tor exit nodes (although these accounted for only 3% of the traffic). As previously mentioned, the use of TLS/SSL meant the connections had to be terminated in order to inspect the traffic; however, only relatively few TLS handshakes were required because of the use of HTTP pipelining, which sends multiple requests over a single HTTP connection.

Google Cloud Armor's 'Adaptive Protection' feature was apparently able to quickly identify the attack, alert the customer and recommend a protective rule - in this case, rate-limiting the connections, which would still allow legitimate traffic.
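Why the protective rule has to count requests per source rather than connections, as an added example (not Google Cloud Armor's logic): over a constructed stream of pipelined requests, one source sends sixty requests on two connections, so a per-connection limit would barely notice it, while a sliding-window request-rate limit trips it and leaves the ordinary client alone. Addresses, timings and thresholds are all constructed.

```python
"""Per-source request-rate detection over a constructed pipelined-request stream."""
from collections import defaultdict, deque

# Constructed events: (timestamp_seconds, source_ip, connection_id).
# 198.51.100.9 pipelines 60 requests over just 2 connections within a second;
# 192.0.2.44 is an ordinary client making 3 requests on 3 separate connections.
EVENTS = [(i * 0.015, "198.51.100.9", f"c{i % 2}") for i in range(60)]
EVENTS += [(0.2, "192.0.2.44", "c100"), (0.7, "192.0.2.44", "c101"), (1.5, "192.0.2.44", "c102")]
EVENTS.sort()


def per_source_stats(events):
    """Connections vs. requests per source: pipelining keeps the first low, not the second.
    Returns {ip: (distinct_connections, requests)}."""
    conns, reqs = defaultdict(set), defaultdict(int)
    for _, ip, conn in events:
        conns[ip].add(conn)
        reqs[ip] += 1
    return {ip: (len(conns[ip]), reqs[ip]) for ip in reqs}


def rate_limit_offenders(events, max_requests, window_s):
    """Sliding-window limiter keyed on request count per source address.
    Returns {ip: timestamp_of_first_request_over_the_limit}."""
    windows = defaultdict(deque)
    tripped = {}
    for ts, ip, _ in events:
        w = windows[ip]
        w.append(ts)
        while w and ts - w[0] > window_s:   # drop requests older than the window
            w.popleft()
        if len(w) > max_requests and ip not in tripped:
            tripped[ip] = ts
    return tripped


if __name__ == "__main__":
    print(per_source_stats(EVENTS))
    print(rate_limit_offenders(EVENTS, max_requests=20, window_s=1.0))
```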

Kiner, Emil and Satya Kondaru, How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps, Google Cloud blog, 19 August 2022. Available online at https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
