Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
US Sanctions Iran Over Albanian Attack
The US Treasury Department has announced sanctions against the Iranian Ministry of Intelligence and Security (MOIS) and its Minister for engaging in cyber-enabled activities against Albania and other US allies. The sanctions mean that US citizens, as well as visitors to the US, are prohibited from conducting business or carrying out any transactions involving funds, goods or services with the sanctioned entities.
“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
In the most recent campaigns, the threat groups MuddyWater and APT39, both controlled by MOIS, have attacked several NATO members, as well as Iranian dissidents and journalists.
US Department of the Treasury, Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities, press release, 9 September 2022. Available online at https://home.treasury.gov/news/press-releases/jy0941.
Monti Steals from Conti
A new threat group called 'Monti' is running a ransomware campaign relying almost entirely on reusing the software tools and TTPs of the now-dispersed Conti gang. The only difference is that Monti makes use of the Action1 Remote Monitoring and Maintenance (RMM) Agent.
As more of Conti's ransomware-as-a-service toolkits and source code leak, it seems likely that more similar ransomware groups will proliferate, says Blackberry Research and Intelligence, which has analysed the latest campaign.
Staff, Monti, the New Conti: Ransomware Gang Uses Recycled Code, Dark Reading, 10 September 2022. Available online at https://www.darkreading.com/vulnerabilities-threats/monti-conti-ransomware-recycled-code.
Fuzzing: More Than Tripping Over Buffer Overflows
A blog article from Google points out the success of their OSS-Fuzz project in discovering a wide range of vulnerabilities. Although fuzzing was first conceived as a way of bombarding an application's inputs with malformed data in order to discover buffer overflow vulnerabilities, modern fuzzers have much broader capabilities, using instrumentation and machine learning to guide their actions.
In their latest success, OSS-Fuzz, which monitors 700 different critical open source projects, found an RCE vulnerability in the TinyGLTF project.
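The two ingredients the paragraph names, instrumentation that steers input generation and a bug oracle that is not simply "the process crashed", fit in a few dozen lines. The following is an added example of my own, not code from Google's OSS-Fuzz or from TinyGLTF: a minimal coverage-guided mutational fuzzer in Python that uses line tracing as its instrumentation and two oracles, an uncaught exception (the classic crash signal) and a semantic check that a computed file path stays under the upload directory (a logic bug that never crashes). The target function `parse_upload_path`, its base directory, seed inputs and dictionary tokens are all constructed for the demonstration; the seeds deliberately include a plain `../` attempt that the target's filter does catch, so the fuzzer has to find an encoding the filter misses.

```python
import posixpath
import random
import sys
from urllib.parse import unquote

BASE = "/srv/www/uploads"   # constructed upload directory for the toy target


def parse_upload_path(data: bytes):
    """Constructed fuzz target: map a client-supplied upload name to a server path.
    Returns None for rejected names. It contains two planted defects (see BUG comments)."""
    name = data.decode("latin-1")
    if len(name) > 64:
        return None                                        # oversize names are rejected
    if "#" in name:                                        # "name#N" marks chunk N of a multi-part upload
        name, chunk = name.split("#", 1)
        int(chunk)                                         # BUG 1: unvalidated; ValueError on "photo.png#abc"
    parts = [p for p in name.split("/") if p and p != ".."]   # naive traversal filter on raw segments
    cleaned = "/".join(unquote(p) for p in parts)          # BUG 2: percent-decoding happens AFTER the filter
    if cleaned.endswith(".tmp"):
        cleaned = cleaned[:-4]                             # temporary-file suffix is dropped
    return posixpath.normpath(BASE + "/" + cleaned)


def run_one(target, data: bytes):
    """Run target on data under line tracing (the instrumentation).
    Returns (set of target lines executed, finding or None). Two oracles:
    'crash' = uncaught exception; 'traversal' = result escaped BASE without crashing."""
    code = target.__code__
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:                           # trace only the target's own frame
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
        return None

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        out = target(data)
        finding = None
        if out is not None and out != BASE and not out.startswith(BASE + "/"):
            finding = "traversal"
    except Exception:
        finding = "crash"
    finally:
        sys.settrace(previous)
    return frozenset(lines), finding


TOKENS = [b"..", b"/", b"%2e", b"%2f", b"#", b".tmp"]     # dictionary: syntax the target cares about


def mutate(parent: bytes, rng: random.Random) -> bytes:
    """Stack a handful of small mutations on a corpus entry (havoc-style)."""
    child = bytearray(parent)
    for _ in range(rng.randint(1, 6)):
        op = rng.randrange(5)
        if op == 0 and child:                              # flip one bit
            i = rng.randrange(len(child))
            child[i] ^= 1 << rng.randrange(8)
        elif op == 1 and child:                            # delete one byte
            del child[rng.randrange(len(child))]
        elif op == 2:                                      # insert one random byte
            child.insert(rng.randint(0, len(child)), rng.randrange(256))
        elif op == 3:                                      # insert a dictionary token
            pos = rng.randint(0, len(child))
            child[pos:pos] = rng.choice(TOKENS)
        else:                                              # overwrite bytes with a dictionary token
            tok = rng.choice(TOKENS)
            pos = rng.randint(0, len(child))
            child[pos:pos + len(tok)] = tok
    return bytes(child[:80])                               # cap growth so inputs stay small


def fuzz(target, seeds, iterations=20000, seed=1):
    """Coverage-guided loop: a child joins the corpus only if it executes a target
    line no earlier input did. Returns ({finding: first reproducing input}, lines covered)."""
    rng = random.Random(seed)
    corpus, covered, findings = [], set(), {}
    for data in seeds:
        lines, _ = run_one(target, data)
        covered |= lines
        corpus.append(data)
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        lines, finding = run_one(target, child)
        if finding and finding not in findings:
            findings[finding] = child                      # keep the first reproducer of each kind
        if lines - covered:                                # new coverage: keep as a parent
            covered |= lines
            corpus.append(child)
    return findings, len(covered)


# Constructed seeds; the last one is a traversal attempt that the raw-segment filter rejects.
SEEDS = [b"photo.png", b"docs/report.pdf", b"../secret"]

if __name__ == "__main__":
    found, n = fuzz(parse_upload_path, SEEDS)
    print(f"{n} target lines covered; findings: {found}")
```

The crash oracle finds BUG 1 almost immediately, because any `#` not followed by digits raises. BUG 2 produces no exception at all: the returned path is simply outside `BASE`, which is why the harness needs the second, semantic check. That is the point of the Google article: without an oracle for the bug class, a fuzzer can execute the vulnerable path millions of times and report nothing.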
Metzman, Jonathan, Dongge Liu and Oliver Chang, Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically, Google Security Blog, 8 September 2022. Available online at https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html.
WordPress SSRF Vulnerability Survives Five Years
A dispute has arisen between security researchers at Sonar and the WordPress development team over a server-side request forgery vulnerability that was first discovered back in 2017 yet remains unpatched. The vulnerability is in the WordPress pingback functionality, which allows authors to be notified when another web site links to their blog. This functionality is exposed via an XML-RPC (XML remote procedure call) API.
The Sonar researchers claim that this could be used in a DDoS attack, and have demonstrated a proof-of-concept, which they disclosed to WordPress on 21 January. However, the WordPress development team consider it a low-impact issue and therefore a low priority. After all, the pingback functionality can always be disabled.
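The SSRF exposure comes from the way pingback works: a client calls `pingback.ping(sourceURI, targetURI)` over XML-RPC and the blog then fetches `sourceURI` to confirm that the link exists, so whoever sends the call chooses a URL the server will request. As an added example of my own (not WordPress code and not Sonar's proof-of-concept), the Python below parses such a call with the standard library's `xmlrpc.client` and applies the check a server should make before issuing that fetch: only `http`/`https`, only the usual web ports, and every address the host resolves to must be globally routable. DNS is replaced by a constructed lookup table so the example runs offline; the hostnames and addresses in it are invented.

```python
import ipaddress
import xmlrpc.client
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS (all names and addresses are invented).
FAKE_DNS = {
    "news.example": ["93.184.216.34"],                    # an ordinary public host
    "intranet.corp.example": ["10.20.30.40"],             # RFC 1918 private range
    "metadata.example": ["169.254.169.254"],              # link-local, cloud metadata address
    "rebinder.example": ["93.184.216.34", "127.0.0.1"],   # mixed answer: one public, one loopback
}


def fake_resolve(host):
    """Stand-in for DNS: return the list of addresses a hostname resolves to."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"cannot resolve {host}")


def pingback_request(source_uri, target_uri="https://blog.example/2022/09/post/"):
    """Build the XML-RPC body a client would POST to xmlrpc.php (constructed sample)."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def parse_pingback(body):
    """Extract (sourceURI, targetURI) from a pingback.ping call; reject anything else."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:
        raise ValueError(f"malformed XML-RPC body: {exc}") from exc
    if method != "pingback.ping" or len(params) != 2 or not all(isinstance(p, str) for p in params):
        raise ValueError("not a pingback.ping(sourceURI, targetURI) call")
    return params


def vet_source_uri(url, resolve=fake_resolve):
    """Decide whether the server may fetch url. Returns (allowed, reason, addresses).
    Every address the name resolves to must be globally routable; a single private,
    loopback or link-local answer vetoes the fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    try:
        port = parts.port                                 # raises ValueError for a non-numeric port
    except ValueError:
        return False, "invalid port", []
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed", []
    try:
        addrs = resolve(parts.hostname)
    except OSError as exc:
        return False, str(exc), []
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{parts.hostname} resolves to non-public address {addr}", []
    return True, "ok", list(addrs)


def handle_pingback(body, resolve=fake_resolve):
    """Full server-side decision for one pingback request."""
    source, target = parse_pingback(body)
    allowed, reason, addrs = vet_source_uri(source, resolve)
    return {"source": source, "target": target, "fetch": allowed, "reason": reason, "addresses": addrs}


if __name__ == "__main__":
    for src in ("https://news.example/story/", "http://intranet.corp.example/admin",
                "http://metadata.example/latest/meta-data/", "http://rebinder.example/",
                "http://news.example:8080/", "file:///etc/hosts"):
        print(handle_pingback(pingback_request(src)))
```

Two design points matter here. First, the vetted addresses are returned so that the eventual fetch can connect to the address that was checked rather than resolving the name a second time; a check that validates one answer and then connects to another is no check at all. Second, the other mitigation the text mentions, disabling pingback altogether, removes the fetch entirely and is the simpler option for any site that does not use the feature.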
Scannell, Simon and Thomas Chauchefoin, WordPress Core - Unauthenticated Blind SSRF, blog article, 6 September 2022. Available online at https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.