Blog entry by Les Bell

by Les Bell - Sunday, 4 September 2022, 8:44 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Windows Defender Detects MS Edge As Malware

An error in a Microsoft Defender database update is causing the built-in anti-virus to report Microsoft Edge, Google Chrome and other browsers based on Chromium and Electron as malware, specifically Behavior:Win32/Hive.ZY. Users can choose to ignore the warning, but it will keep popping up, as frequently as every 20 seconds, in an endless cycle.

Microsoft is reported to be investigating - obviously! - and a patch should be forthcoming soon.

Rubino, Daniel, Windows Defender is reporting a false-positive threat 'Behavior:Win32/Hive.ZY'; it's nothing to be worried about, Windows Central, 5 September 2022. Available online at https://www.windowscentral.com/software-apps/windows-11/windows-defender-is-reporting-a-false-positive-threat-behaviorwin32hivezy-its-nothing-to-be-worried-about.

Linux No Longer Securely Obscure

Just as the Mac soon fell prey to the early viruses that plagued Windows users, so Linux has now become a prime target for threat actors. Although Linux has historically benefited from a simpler security model than Windows (where security seemed to be an afterthought), the fact that Linux now powers the vast majority of cloud-hosted infrastructure has led to a 75% increase in attacks detected on the platform over the last year, according to Trend Micro researchers.

As an example, in October 2021, a new variant of the Lockbit ransomware emerged, this one targeting and encrypting VMware Linux ESXi servers. This was soon followed by another, called Cheerscrypt. This is all part of a trend: attackers are both broadening the targets of their attacks and also using more sophisticated techniques.

Trend Micro Staff, Midyear Cybersecurity Report, Trend Micro, 31 August 2022. Available online at https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/defending-the-expanding-attack-surface-trend-micro-2022-midyear-cybersecurity-report.

Ransomware Hits Portugal's Flag Airline

The Portuguese flag airline, TAP, has been hit with a ransomware attack by the Ragnar Locker group. While TAP has admitted to an attack in an announcement, it denies that there was any improper access to customer data.

The Ragnar Locker group say otherwise, claiming the TAP scalp on their name-and-shame list, along with images that appear to show compromised TAP customer information, including names, dates of birth, emails and addresses. The gang claims to be sitting on hundreds of gigabytes of exfiltrated data.

Trutja, Filip, Ragnar Locker Names and Shames Portugal's Flag Airline after Hitting It with Ransomware, Bitdefender HotForSecurity blog, 2 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/ragnar-locker-names-and-shames-portugals-flag-airline-after-hitting-it-with-ransomware/.

No Honour Among Thieves . . .

The popular (among cybercriminals) infostealer Prynt Stealer, which rents to criminals for rates between $100 a month and $700 per annum, is an unusual combination of code from the AsyncRAT remote access trojan and the StormKitty infostealer. It compresses credentials it obtains from browsers as well as messaging and gaming applications, and exfiltrates them via a Telegram channel to its operator.

However, according to a report from Zscaler ThreatLabz, Prynt Stealer has one more feature - a back door which uses a second Telegram channel to exfiltrate the same data to the program's author. While this behaviour has sometimes been observed in the past, it was on freely-shared malware - in this case, the Prynt Stealer developer is engaging in a bit of double dipping.

Honestly, what is the world coming to, when a hard-working cybercriminal gets ripped off like this?

Singh, Atinderpal and Brett Stone-Gross, No Honor Among Thieves - Prynt Stealer's Backdoor Exposed, Zscaler ThreatLabz, 1 September 2022. Available online at https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed.
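The double-dipping pattern described above has a simple defender's signature: one process on one host pushing data to two distinct Telegram bots. As an added example (not code from this post or from the Zscaler report), the script below triages constructed web-proxy log lines for exactly that; the log format and every bot token in it are made up, while the Bot API URL shape is Telegram's documented public scheme.

```python
"""Hunt for Telegram Bot API exfiltration in web-proxy logs.

Added example, not from the Zscaler report. Assumes a constructed
log format of "<host> <process> <url>" per line. Bot API calls take
the form https://api.telegram.org/bot<token>/<method>; the tokens
below are invented.
"""
import re
from collections import defaultdict

BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+:[\w-]+)/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed sample lines: ws-042 has one non-browser process talking
# to two different bots (operator channel plus hidden author channel).
SAMPLE_LOGS = """\
ws-042 updater.exe https://api.telegram.org/bot111111111:AAA-operator-token/sendDocument
ws-042 updater.exe https://api.telegram.org/bot222222222:BBB-author-token/sendDocument
ws-042 chrome.exe https://www.example.com/
ws-017 Telegram.exe https://149.154.167.220/api
ws-099 svchost.exe https://api.telegram.org/bot333333333:CCC-token/sendMessage
"""

def parse(line):
    """Return (host, process, token, method) for a Bot API call, else None."""
    try:
        host, process, url = line.split(maxsplit=2)
    except ValueError:
        return None
    m = BOT_API.search(url)
    if not m:
        return None
    return host, process, m.group(1), m.group(2)

def bot_channels(log_text):
    """Map (host, process) -> set of distinct bot tokens used for uploads."""
    channels = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] in UPLOAD_METHODS:
            host, process, token, _ = rec
            channels[(host, process)].add(token)
    return channels

def triage(log_text):
    """'multi-channel' when one process uploads to two or more bots."""
    return {key: ("multi-channel" if len(tokens) > 1 else "single-channel")
            for key, tokens in bot_channels(log_text).items()}

if __name__ == "__main__":
    for (host, proc), verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host} {proc}: {verdict}")
```

Any Bot API upload from a process that is not a legitimate Telegram client already deserves a look; two tokens from the same process is the stronger signal this story is about.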

New Guide to Securing the Software Supply Chain

The Software Supply Chain Working Panel of the Enduring Security Framework (ESF) - a cross-sector working group operating under the auspices of the Critical Infrastructure Partnership Advisory Council - issued a 64-page guide to securing the software supply chain. This provides detailed guidance for developers and project managers on secure development, including verification of third-party components.

Enduring Security Framework, Securing the Software Supply Chain: Recommended Practices Guide for Developers, Enduring Security Framework Software Supply Chain Working Panel, August 2022. Available online at https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Monday, 5 September 2022, 7:17 AM ]