Blog entry by Les Bell

by Les Bell - Friday, 9 September 2022, 7:04 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Microsoft Accounts Locked Out of Win 11

A recent Microsoft patch for Windows 11, KB5016691, has the unintended effect of locking out newly-added Microsoft user accounts after the first reboot or log out. The company has addressed the issue by issuing a Known Issue Rollback, which will revert known buggy patches distributed via Windows Update.

In enterprises, however, administrators will have to install and configure a Known Issue Rollback Group Policy in order to fix the problem. This is unlikely to be a common problem, since enterprises generally use Active Directory accounts rather than Microsoft accounts.

Microsoft Support, Unable to sign in after adding a new Microsoft Account user in Windows, Windows 11 status page, 7 September 2022. Available online at https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#unable-to-sign-in-after-adding-a-new-microsoft-account-user-in-windows.

Medical Infusion Pumps Vulnerable

Security firm Rapid7 has discovered vulnerabilities in medical equipment produced by Baxter Healthcare, specifically infusion pumps which are used in clinical settings to deliver medication and nutrition directly into the bloodstream of patients.

The devices, which connect via wi-fi in order to provide data for patient monitoring, store the wi-fi credentials of the hospital network in their batteries, so that after disposal anyone with access can retrieve them. The devices also have two format string vulnerabilities, as well as other vulnerabilities which give access to wi-fi configuration data.

Heiland, Deral, Baxter SIGMA Spectrum Infusion Pumps: Multiple Vulnerabilities (FIXED), Rapid7 blog, 8 September 2022. Available online at https://www.rapid7.com/blog/post/2022/09/08/baxter-sigma-spectrum-infusion-pumps-multiple-vulnerabilities-fixed/.

140,000 WordPress Sites Vulnerable Via Backup Utility

WordPress sites which use the BackupBuddy utility are being warned to update the plugin, following reports of 0day exploitation of an arbitrary file read and download vulnerability. The vulnerability is due to an insecure implementation of the mechanism for downloading files from the server, allowing unauthenticated users to download any file on the server.

The plugin's download routine does not validate its parameters, and can be triggered from any admin page, including some that do not require authentication. From there, the URL arguments can use directory traversal to escape the backup files directory and access any file on the server. The appearance of the classic "/../../" string in web server logs is a sure sign of exploitation.
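
As an added illustration (not code from the original post or from the BackupBuddy plugin), the following scanner looks for that traversal signature in web server access log lines. It goes slightly beyond the literal "/../../" string by percent-decoding each request URL first, so single- and double-encoded variants such as %2e%2e%2f are also flagged; the sample log lines are constructed, and "PLACEHOLDER" stands in for the plugin's real page and parameter names, which are not given here.

```python
import re
from urllib.parse import unquote

# Traversal sequence: ".." followed by a forward or back slash, checked after
# percent-decoding so that %2e%2e%2f and %252e%252e%252f are caught as well.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Common/Combined Log Format: the request URL follows the method inside the
# first quoted field of the line.
REQUEST_URL = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def decode_fully(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded ../ is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_traversal_attempt(log_line: str) -> bool:
    """True if the request's path or query string contains a traversal sequence."""
    match = REQUEST_URL.search(log_line)
    if not match:
        return False  # not a request line we understand; leave it for manual review
    return bool(TRAVERSAL.search(decode_fully(match.group(1))))


def flag_lines(log_lines):
    """Return only the lines that look like traversal attempts."""
    return [line for line in log_lines if is_traversal_attempt(line)]


# Constructed sample log lines (not real traffic). "PLACEHOLDER" stands in for
# the plugin's real page and parameter names, which this example does not assume.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2022:10:01:02 +0000] "GET /wp-admin/admin-post.php?page=PLACEHOLDER&file=/../../notes.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/Sep/2022:10:01:09 +0000] "GET /wp-admin/admin-post.php?page=PLACEHOLDER&file=..%2F..%2Fnotes.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Sep/2022:10:02:30 +0000] "GET /wp-admin/admin-post.php?page=PLACEHOLDER&file=%252e%252e%252fnotes.txt HTTP/1.1" 200 512',
    '192.0.2.44 - - [08/Sep/2022:10:03:11 +0000] "GET /wp-content/uploads/2022/09/photo.jpg HTTP/1.1" 200 48213',
    '192.0.2.44 - - [08/Sep/2022:10:03:15 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 1201',
]

if __name__ == "__main__":
    for line in flag_lines(SAMPLE_LOG):
        print("TRAVERSAL:", line)
```

Feed real access logs one line at a time into flag_lines and review any hits against the backup directory the plugin is supposed to be confined to.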

Bannister, Adam, WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation, The Daily Swig, 8 September 2022. Available online at https://portswigger.net/daily-swig/wordpress-warning-140k-backupbuddy-installations-on-alert-over-file-read-exploitation.

Iranian State-Sponsored Group Lives Off The (Windows) Land

Microsoft reports that it has been tracking ransomware campaigns conducted by DEV-0270, also known as Nemesis Kitten, and has laid out its TTPs and some IOCs in a detailed profile article. Although the group seems to operate on behalf of the Iranian government, it also funds itself via ransomware.

Interestingly, although the group does make use of an open-source disk encryption utility called DiskCryptor, it also encrypts Windows 10, Windows 11 and Windows Server 2016 systems using those systems' own built-in BitLocker encryption. This use of a system's own code and features against itself is known as living off the land, and the programs so abused are referred to as LOLBins.

The profile provides a detailed insight into the group's operations.

Microsoft Security Threat Intelligence, Profiling DEV-0270: PHOSPHORUS' ransomware operations, blog article, 7 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
