Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Mudge Drops Twitter Right In It

As Elon Musk alleges that Twitter executives are clueless about the number of bots on the platform, former Twitter CSO Peiter "Mudge" Zatko has sent documents to US Congress, the Federal Trade Commission, the SEC and the Department of Justice alleging that the social media platform is rife with security problems such as a lack of adequate access controls and security governance.

In the 200-page document, Zatko alleges that Twitter engineers have unfettered access to the company's production systems and that the company's procedures for data center recovery are lax or non-existent. He further says that security oversight is so weak that some of the company's employees may even be agents of foreign governments. Twitter for, its part, claims that all is right with its world, that Zatko does not understand its SEC reporting requirements, and that this is a case of sour grapes. Security professionals who have known Mudge for decades are not so sure.

O'Sullivan, Donie at. al., Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies, CNN Business, 23 August 2022. Available online at https://edition.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html.

Iranian APT's New Tool Plunders Google, Outlook, Yahoo Accounts

Google's Threat Analysis Group has found that APT 35, variously known as Charming Kitten, Yellow Garuda and Cobalt Illusion, and associated with the Iranian Revolutionary Guard Corps, has developed a new tool which allows it to rapidly extract the contents of email accounts.

The HYPERSCRAPE tool, which is written in a .NET language, requires the attacker to have acquired a session using the victim's credentials, perhaps by means of a cookie-stealing attack. Once this has been done, the program can systematically plunder the victim's mailbox, downloading all the emails but resetting the status to 'unread' where required. It also deletes emails which it sees contain security alerts, to keep the victim in the dark about the compromise. It's not sophisticated, but it's certainly effective.

Lakshamanan, Ravie, Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts, The Hacker News, 23 August 2022. Available online at https://thehackernews.com/2022/08/google-uncovers-tool-used-by-iranian.html.

Dominican Republic Hit By Ransomware

The organization within the Department of Agriculture of the Dominican Republic that is responsible for agricultural reform has been hit by a ransomware attack. The Quantum ransomware is really a derivative of MountLocker, and the group behind it is yet another offshoot of the Conti ransomware gang.

All the servers of the Instituto Agrario Dominicano (IAD) were encrypted in the attack, with $US600,000 demanded for the key. However, the organization is unlikely to be able to afford to pay the ransom; it could not afford more than the most basic antivirus software and has no dedicated security personnel.

Abrams, Lawrence, Quantum ransomware attack disrupts govt agency in Dominican Republic, Bleeping Computer, 24 August 2022. Available online at https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/.

Adversary-in-the-Middle Attacks Target 365, Workspace Users

An as-yet-unidentified threat actor is running a large campaign against senior executives of companies who use Microsoft 365 and Google Workspace enterprise accounts. The initial spear-phishing part of the campaign works by sending the victims fake emails from the DocuSign email agreement platform; the "Review Document" button takes them to a fake login page which functions as a proxy to capture their credentials and also break the multi factor authentication process.

One this has been done, the attackers add a second authentication device to the account, and then use some sophisticated social engineering to insert themselves into conversation threads, posing as legitimate. In the final, highly-targeted part of the process, they generate an email to the target, informing them that a bank account they were to make a payment to has been frozen for audit, and providing updated payment details for an account which they control.

Toulas, Bill, Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams, Bleeping Computer, 24 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/.

Lakshamanan, Ravie, Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users, The Hacker News, 24 August 2022. Available online at https://thehackernews.com/2022/08/researchers-warn-of-aitm-attack.html.

The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.