Blog entry by Les Bell

by Les Bell - Friday, 2 September 2022, 9:00 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


FIDO Passkeys Bid to Replace Passwords

Passwords have been the bane of life for most security professionals ever since . . . well, since passwords were invented. We have shored them up with length and - wrongly - complexity requirements, password safes and various kinds of second factors. Now, the FIDO Alliance and the W3C are gaining ground on a promise to replace passwords altogether.

The FIDO2 passwordless authentication scheme, also known as FIDO Authentication, encompasses the W3C's Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP), wrapping them up in the user-friendly moniker, passkeys. A passkey is a cryptographic key pair: the private key stays on the user's device (a phone, a computer or a security key) and only the public key is registered with the web site or application, which then authenticates the user by having the device sign a fresh challenge. Microsoft, Google and Apple have all signed up to the standard, which will allow users to authenticate using just a username or email address and the passkey on an unlocked device.

This finally dispenses with passwords entirely - for some time we have known that the security of multi-factor authentication using cryptographic techniques such as security keys comes primarily from the key and not from the password. The latest to sign on to the passkey and WebAuthn approach is Dashlane, which has announced that it will integrate passkeys into its password manager, which runs on most platforms and integrates with most browsers.

Pierce, David, Dashlane is ready to replace all your passwords with passkeys, The Verge, 31 August 2022. Available online at https://www.theverge.com/2022/8/31/23329373/dashlane-passkeys-password-manager.

Meanwhile, Back In Password Hell

Since passwords aren't going to disappear overnight, we still have to grapple with users who register on external web sites with their corporate email addresses, possibly re-using passwords and thereby enabling credential-stuffing attacks. Scirge (from the Old English word for sheriff), a specialist in shadow-IT discovery, has developed a browser plugin and related tools which can discover external web accounts, track who has accessed them, and regulate which corporate email addresses may be used for online registration.

The plugin can also enforce password strength (and - gaak! - complexity) rules, detect compromised and shared accounts, and also deliver individually tailored security awareness messages.

Hacker News Staff, Stop Worrying About Passwords Forever, The Hacker News, 1 September 2022. Available online at https://thehackernews.com/2022/09/stop-worrying-about-passwords-forever.html.

Chilean Government Under Novel Ransomware Attack

At least one Chilean Government agency has suffered a ransomware attack by what appears to be yet another previously-unseen offshoot of the fragmented Conti gang. The attack targeted Windows and VMware ESXi servers, encrypting files with the NTRU encryption algorithm.

Curiously, the malware delivers its ransom note before commencing the file-encryption process, perhaps as an anti-forensic technique, and although a Tor site for ransom payment has been established, there is as yet no sign of data exfiltration.

Toulas, Bill, New ransomware hits Windows, Linux servers of Chile govt agency, Bleeping Computer, 1 September 2022. Available online at https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/.

BianLian Malware Targets Exchange Servers, SonicWall VPN Devices

Yet another piece of malware written in the Go programming language has emerged. BianLian exploits Microsoft Exchange servers via the ProxyShell vulnerability chain and also targets SonicWall VPN devices, using them as a mechanism for pivoting within victim networks. It also deploys a trojan dropper, which can fetch arbitrary plugins from a C2 server, as a back door for persistence.

The malware uses a number of techniques to evade discovery: waiting up to six weeks after initial infection before activating, deleting shadow copies, purging backups, and rebooting servers into safe mode so that file encryption can run without observation by security software.

Armstrong, Ben, et al., BianLian Ransomware Gang Gives It a Go!, [Redacted] blog, 1 September 2022. Available online at https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Friday, 2 September 2022, 9:28 AM ]