Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Spearphishing Group Targets South Korean Politicians and Diplomats

South Korean academics, diplomats and government officials are yet again being targeted by the North Korean group Kimusky, otherwise known as GoldDragon. The group is using targeted emails which contain macro-enabled MS Word documents which, when opened, will download a Visual Basic script from a C2 server. The script profiles the victim's computer and will then fetch additional payloads. 

Interestingly, if the user clicks on a link which promises additional interesting documents, the link submits their email address - and if this is of no interest to the attacker, it then returns an uninfected document, indicating a highly target approach.

Lakshamanan, Ravie, Researchers Uncover Kamusky Infra Targeting South Korean Politicians and Diplomats, The Hacker News, 25 August 2022. Available online at https://thehackernews.com/2022/08/researchers-uncover-kimusky-infra.html.

Okta IAM Breach Implications Spread

The phishing attack, based on fake Okta sign-in pages, that caught Twilio employees early this month continues to ripple throughout industry. The attackers were able to fool many employees into handing over the login credentials and thereby gain access to Twilio internal systems. However, the same breach has been revealed to have affected 25 organisations so far, including Cloudflare, Signal and Mailchimp; others may not even realise they have been compromised.

The breach may cause many to rethink the use of federated identity management systems and cloud SaaS IAM services. For Cloudflare, the saving grace was their requiring FIDO U2F security keys to access their internal systems.

Seals, Tara, Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack, Dark Reading, 26 August 2022. Available online at https://www.darkreading.com/remote-workforce/twilio-hackers-okta-credentials-sprawling-supply-chain-attack.

Cozy Bear Tool Blows Through Active Directory Federation Services

Russian state-sponsored group APT 29 (Cozy Bear, Nobelium) has been discovered using a new tool called 'Magic Web' that allows hackers to create accounts and masquerade as any user on a network that uses Active Directory Federation Services. The tool works by replacing the Microsoft.IdentityServer.Diagnostics.dll' file with a back-doored version. The new version runs initialization code that hooks into the server and allows attackers to force Active Directory to accept any client certificate they create as being valid and add fraudulent claims for those certificates.

This is an extremely potent attack against enterprises that use ADFS, but only those specifically targeted by the threat actor are likely to encounter it. Simple IoC's are unlikely to work for this sophisticated attacker, so potential victims need to ensure their threat hunters know what to look for.

Uncredited, MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone, Microsoft Security, 24 August 2022. Available online at https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/.

New Group for Women CISO's and Senior Execs

At the 2014 RSA Conference a small group of senior women, dismayed that the dominant form of female representation there was as 'booth babes', started a Facebook group in an attempt to get away from this lazy approach to marketing. The movement has grown over the years, now formally establishing an advocacy and education non-profit to further the aims of the community.

The Forte Group aims to elevate the positive role of cybersecurity in business, offering board level governance and connections. The group will also offer career assistance and mentoring to women in cybersecurity and privacy.

Jackson Higgins, Kelly, Senior-Level Women Leaders in Cybersecurity Form New Nonprofit, Dark Reading, 26 August 2022. Available online at https://www.darkreading.com/remote-workforce/senior-level-women-leaders-cybersecurity-nonprofit.

The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.