Blog entry by Les Bell

by Les Bell - Wednesday, 31 August 2022, 9:40 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese APT Targets Australia With Malmail Campaign

A Chinese threat actor identified as APT 40 (also tracked as TA423, Red Ladon, GADOLINIUM and Leviathan) has been targeting Australian and international government agencies and energy companies, especially those with interests in the South China Sea, with a malmail campaign built around a fake Australian news media site. The campaign, which ran from April through June 2022, was uncovered by Proofpoint in conjunction with PwC Threat Intelligence.

Victims of the targeted phishing campaign received an email promoting a site called "Australian Morning News" and enticing the recipient to click on an individualised link. Following the link would download the main module of the JavaScript reconnaissance malware ScanBox, which reports the configuration of the victim's browser back to a C2 server and then loads further plugin modules which perform keylogging, browser fingerprinting, establish peer connections and carry out other functions.

Earlier campaigns by the same threat actor used different TTPs - for example, the payload was Meterpreter rather than ScanBox, and it was delivered via a macro-laden RTF document template rather than by URL fetch. The same technique of registering a domain to promote a fake news site was also used in a previous campaign preceding the 2018 elections in Cambodia.

Raggi, Michael and Sveva Scenarelli, Rising Tide: Chasing the Currents of Espionage in the South China Sea, Proofpoint blog, 30 August 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea.

Google Launches Open Source Vulnerability Rewards Program

Reflecting its status as a major contributor to (and beneficiary of) open source software projects, Google has launched a new vulnerability rewards program focused on FLOSS. The new program joins existing programs targeting Android, Chrome and Google devices. Some of Google's open source projects, such as the Go programming language and the Angular JavaScript framework, are likely targets of threat actors looking for a way to leverage supply chain attacks, and the new program will help to mitigate that risk.

The program will offer rewards ranging from $US100 to $US31,337 for submissions of vulnerabilities, design issues or insecure installations.

Perron, Francis, Announcing Google's Open Source Software Vulnerability Rewards Program, Google Security blog, 30 August 2022. Available online at https://security.googleblog.com/2023/08/Announcing-Googles-Open-Source-Software-Vulnerability-Rewards-Program%20.html.

Malicious Chrome Extensions Installed by Over 1.4 Million Users

Security vendor McAfee has identified five cookie-stuffing Chrome extensions which track user activity and inject code into e-commerce sites. This modifies cookies on those sites, adding affiliate program information so that the extension authors receive an affiliate commission for any purchases the victim makes.

The five extensions are:

  • Netflix Party
  • Netflix Party 2
  • FlipShope - Price Tracker Extension
  • Full Page Screenshot Capture - Screenshotting
  • Autobuy Flash Sales

Collectively, the extensions have been installed by over 1.4 million users, doubtless making them a nice little earner for the operators. Like the Turkish coin miner discussed in yesterday's Security News, these extensions deliberately wait for a couple of weeks after installation before starting their malicious behaviour in an attempt to evade detection.

Devane, Oliver and Vallabh Chole, Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users, McAfee blog, 29 August 2022. Available online at https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/.

Chinese PII Database Leaked Online

A major drawback of the surveillance state operated by China came to light today, when a database belonging to a company which operates access control systems based on facial recognition and vehicle data was left exposed on the Internet for several months. The database, which contained over 800 million records, was left open to the public on an Alibaba-hosted server in China until a security researcher discovered it and reported it to the owner, Hangzhou-based Xinai Electronics - whereupon the database promptly disappeared.

The database included links to high-resolution photographs of the faces of construction workers, office visitors and others, each associated with name, age, sex and resident ID numbers, which uniquely identify the individuals. Neither the database nor the linked image files were protected by access control of any kind.

The security researcher who disclosed the breach was not the only one to discover it - a ransom note left by a would-be extortionist indicated that they had also stolen the database, although no payment was made to the related cryptocurrency wallet.

Whittaker, Zack, A huge Chinese database of faces and vehicle license plates spilled online, TechCrunch, 31 August 2022. Available online at https://techcrunch.com/2022/08/30/china-database-face-recognition/.

Privacy Breach Affects Millions of Russian Streaming Service Customers

China is not the only country to suffer large privacy breaches, although in this case the issue is not surveillance. The 2021 customer database of the Russian streaming service START (start.ru) was stolen and is now being sold online. Fortunately, the database does not contain credit card or other financial information, but it does contain usernames, phone numbers and email addresses and - despite START's denials - MD5 password hashes, IP addresses and other data. MD5 offers little protection here: unsalted hashes of common passwords can be reversed by a simple lookup against precomputed values.

The stolen data seems to constitute a 72 GB JSON dump of a MongoDB database. Much of the data is redundant, but it boils down to almost 7.5 million unique email addresses. The breach comes as the Russian Ministry of Digital Development is proposing fines of up to 3% of a breached company's annual turnover, although this has not yet passed into law.
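A dump like the one described above is the kind of artefact an analyst has to size up quickly: how many records it holds, how many unique people sit behind them once duplicates are collapsed, and how much protection the MD5 password column actually gives. As an added example (not code from START, Bleeping Computer or the original post), the Python below runs that triage over a small constructed sample in the line-delimited JSON form that mongoexport produces. The field names, values, duplicated rows, corrupt line and wordlist are all assumptions made for illustration; the real dump's schema is not described on the page.

```python
"""Triage of a constructed MongoDB JSON export: record count, unique victims,
and how far unsalted MD5 password hashes fall to a wordlist lookup.

Added example for this briefing; not code from START, Bleeping Computer or the
original post. All sample data below is constructed.
"""
import hashlib
import json
from typing import Dict, Iterable, Iterator, Optional


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, the form most leaked password columns take."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def _record(oid: str, username: str, email: str, pw_hash: str, ip: str) -> str:
    """One line of a mongoexport-style dump. Field names are assumptions."""
    return json.dumps({"_id": {"$oid": oid}, "username": username,
                       "email": email, "password": pw_hash, "ip": ip})


# Constructed sample: the same user exported twice with different casing,
# one corrupt line, and a mix of weak and non-dictionary password hashes.
SAMPLE_DUMP = "\n".join([
    _record("000000000000000000000001", "alice", "Alice@Example.com", md5_hex("password"), "203.0.113.10"),
    _record("000000000000000000000002", "alice", "alice@example.com", md5_hex("password"), "203.0.113.11"),
    _record("000000000000000000000003", "bob", "bob@example.net", md5_hex("123456"), "198.51.100.7"),
    _record("000000000000000000000004", "carol", "carol@example.org", "8e9e4b72e4d2f02f6a43e6a1c3e58b0a", "192.0.2.44"),
    "{truncated or corrupt line of the kind a real export may contain",
    _record("000000000000000000000005", "dave", " DAVE@example.org ", md5_hex("12345678"), "192.0.2.45"),
]) + "\n"

# Constructed wordlist; a real run would use a rockyou-sized list.
WORDLIST = ["password", "123456", "12345678", "qwerty", "start2021"]


def iter_records(dump_text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; silently skip lines that fail to parse."""
    for line in dump_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def normalize_email(value: object) -> Optional[str]:
    """Lower-case and trim so differently-cased duplicates collapse to one victim."""
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    return value if "@" in value else None


def is_md5_hex(value: object) -> bool:
    """32 hex characters: the shape of an MD5 digest in a dump."""
    return (isinstance(value, str) and len(value) == 32
            and all(c in "0123456789abcdef" for c in value.lower()))


def crack_md5(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Reverse unsalted MD5 with a precomputed lookup table: one hash per word,
    then O(1) lookups. No per-hash work is needed because there is no salt."""
    table = {md5_hex(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


def summarize(dump_text: str, wordlist: Iterable[str]) -> dict:
    """Record count, unique normalised emails, unique MD5 hashes, and those cracked."""
    records = list(iter_records(dump_text))
    emails = {e for e in (normalize_email(r.get("email")) for r in records) if e}
    hashes = {r["password"].lower() for r in records if is_md5_hex(r.get("password"))}
    return {
        "records": len(records),
        "unique_emails": len(emails),
        "md5_hashes": len(hashes),
        "cracked": crack_md5(hashes, wordlist),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_DUMP, WORDLIST)
    print(f"records parsed:   {result['records']}")
    print(f"unique victims:   {result['unique_emails']}")
    print(f"unique MD5 hashes: {result['md5_hashes']}")
    for digest, word in sorted(result["cracked"].items()):
        print(f"  {digest} -> {word!r}")
```

Two points the numbers make: the duplicated and differently-cased rows collapse once email addresses are normalised, which is why the record count and the unique-victim count differ (as they did in the real dump); and unsalted MD5 is reversed with a lookup table built once from the wordlist, not by any per-hash brute force, so for weak passwords the hash column is as good as plaintext. A salted, deliberately slow KDF such as PBKDF2, scrypt or Argon2 defeats that table because every hash must then be attacked individually.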

Toulas, Bill, Russian streaming platform confirms data breach affecting 7.5M users, Bleeping Computer, 30 August 2022. Available online at https://www.bleepingcomputer.com/news/security/russian-streaming-platform-confirms-data-breach-affecting-75m-users/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Wednesday, 31 August 2022, 9:47 AM ]