Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Privilege Escalation Vuln in Squiz Matrix CMS

Squiz Matrix is a popular website content management system in the UK, Australia & New Zealand region, especially among universities and some government agencies. However, the product was revealed to have a nasty insecure direct object reference vulnerability which would allow an attacker to edit the email address in the contact details of any user.

Once the attacker has changed the email address of an admin user to one they control, they can trigger a password reset, which sends a confirmation link email to that address, resulting in a privilege escalation exploit. Since the account ID numbers are allocated sequentially, and the lower numbers are more likely to be allocated to the earliest - therefore admin - users, it won't take many attempts before an attacker will get lucky.

Squiz released a fix back in mid-June; hopefully all those bureaucracies have applied the patches.

Bannister, Adam, Squiz Matrix CMS squashes admin account takeover bug, The Daily Swig, 5 September 2022. Available online at https://portswigger.net/daily-swig/squiz-matrix-cms-squashes-admin-account-takeover-bug.

Phishing for Dummies: EvilProxy

Simple phishing attacks are easily defeated by the deployment of multi-factor authentication, but sophisticated attackers have evolved a man-in-the-middle attack, using a reverse proxy to display a copy of the legitimate website's login screen, and then relaying credentials, including TOTP token values, to the site. Once the user has authenticated, the site will return a session cookie, which contains an authentication token, and the reverse proxy is able to steal this - the attackers can then use the session cookie to access the site, with no need to repeat the authentication process.

At first, only the most sophisticated groups were able to develop their own reverse proxies, but then toolkits like Modlishka, Necrobrowser and Evilginx2 made it easier for less sophisticated threat actors. This process has continued with the release of the EvilProxy/Moloch Phishing-as-a-Service platform, which is highly polished, with detailed instructional videos and tutorials, a user-friendly GUI, and a selection of off-the-shelf cloned phishing pages for popular sites including Apple, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, Yandex and many others.

Resecurity staff, EvilProxy Phishing-as-a-Service With MFA Bypass Emerged In Dark Web, Resecurity blog, 5 September 2022. Available online at https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web.

12 Arrested in SE Asian Sextortion Ring Takedown

Interpol warned in June of a dramatic increase in extortion campaigns, including DDoS attacks, quadruple extortion ransomware and sextortion. Now the agency's cybercrime division, operating in collaboration with the police forces of Hong Kong and Singapore, has uncovered a transnational sextortion ring which had extracted at least $US47,000 from 34 victims. The victims had been lured into downloading a malicious mobile app in order to engage in 'naked chats' - only to discover that the app had stolen the contact lists from their phones and the criminals were threatening to circulate their nude videos to all their relatives and friends if a blackmail demand was not met.

Fortunately, some of the victims contacted police, who were able to (presumably) use warrants to obtain IP addresses and other data which identified 12 core members of the sextortion ring, who were then arrested during July and August.

Uncredited, Asia: Sextortion ring dismantled by police, Interpol news, September 2022. Available online at https://www.interpol.int/News-and-Events/News/2022/Asia-Sextortion-ring-dismantled-by-police.

PII of 2.5 million Students Exposed in Loan Provider Breach

A data breach affecting US student loan providers EdFinancial and the Oklahoma Student Loan Authority has exposed the personally identifiable information of 2.5 million students. The breach occurred in the systems of a service provider in Lincoln, Nebraska, called Nelnet Servicing.

The information disclosed includes name, address, email address, phone number and social security number - all very useful in identity theft and social engineering attacks, especially since the Biden administration's recently-announced student loan relief plan will lead the victims to expect correspondence relating to their student loans.

BÎZGĂ, Alina, Data Breach at Student Loan Service Provider Exposes Personal Info of 2.5 Million Borrowers, BitDefender HotForSecurity blog, 5 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/data-breach-at-student-loan-service-provider-exposes-personal-info-of-2-5-million-borrowers/.

US Education Sector Under Attack

Beginnings are perilous times, and the beginning of the school year is no exception. The Los Angeles Unified School District, the second-largest in the US, has disclosed that it was the victim of a ransomware attack over the weekend, and is still working to recover its systems. The main student portal login page was down, and a voicemail to parents instructed them to reset their students' passwords in person or via a phone number - which inevitably had long hold times.

This comes as the Cybersecurity & Infrastructure Security Agency, FBI and Multi-State Information Sharing and Analysis Center released a joint advisory detailing TTP's and IOC's for Vice Society, a ransomware group which is known to target the education sector.

Staff, As LA Unified Battles Ransomware, CISA Warns About Back-to-School Attacks, Dark Reading, 7 September 2022. Available online at https://www.darkreading.com/attacks-breaches/la-unified-ransomware-cisa-warns-back-to-school-attacks.

CISA, #StopRansomware: Vice Society, Alert AA22-249A, 6 September 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-249a.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.