Blog entry by Les Bell

by Les Bell - Tuesday, 13 September 2022, 8:29 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories
Does Cybersecurity Awareness Change Behaviour?

Badly-designed awareness campaigns are of dubious value in changing security culture, with a majority of US Government employees surveyed by NIST reporting 'security fatigue' (Stanton et al., 2016). Now the EU's cybersecurity agency, ENISA, is partnering with Anima People, UCL and Gothenburg University to run a research study on the effectiveness of its European Cybersecurity Month, which takes place each October to promote cybersecurity among EU citizens and organizations. If you are interested in participating, see https://ec.europa.eu/eusurvey/runner/Cybersecurity_Awareness_ECSM-PreC.

Stanton, B., M. F. Theofanos, S. S. Prettyman, and S. Furman, Security Fatigue, IT Professional 18, no. 5 (September 2016): 26–32. doi:10.1109/MITP.2016.84.

China Gets Some of What It Gives

China is accusing the NSA's Office of Tailored Access Operations of running a major campaign of attacks against its Northwestern Polytechnical University in Xi'an during June of this year. The National Computer Virus Emergency Response Centre (NCVERC) released its findings last week, accusing the NSA of delivering thousands of attacks, using at least 40 different cyber weapons, against the university, which conducts military and aeronautical engineering research.

"The U.S. NSA's TAO has carried out tens of thousands of malicious cyber attacks on China's domestic network targets, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.), and stole more than 140GB of high-value data," the NCVERC said.

Lakshmanan, Ravie, China Accuses NSA's TAO Unit of Hacking its Military Research University, The Hacker News, 12 September 2022. Available online at https://thehackernews.com/2022/09/china-accuses-nsas-tao-unit-of-hacking.html.

Apple Fixes Eighth 0Day for 2022

A serious vulnerability, CVE-2022-32917, which could allow malicious applications to execute code with root privileges, is reported as being actively exploited in the wild. Apple has released patches for iPhones, iPads and Macintoshes for what is the eighth zero-day vulnerability in their devices this year. Users are urged to update their devices promptly.

Gatlan, Sergiu, Apple fixes eighth zero-day used to hack iPhones and Macs this year, Bleeping Computer, 12 September 2022. Available online at https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/.

More Info on Iranian Group APT42

Last week we posted about a Microsoft report on an Iranian group called DEV-0270 or Nemesis Kitten. Mandiant has now joined the chorus of firms reporting on this group, which is associated with the Islamic Revolutionary Guard Corps (IRGC) and has been running highly-targeted spear-phishing and social engineering campaigns against a wide range of sectors - education, government, healthcare, legal, media and pharmaceuticals - in at least 14 countries, including Australia, the US and countries in Europe.

The group's operations encompass three major areas: credential harvesting to gather multi-factor authentication credentials and compromise networks and devices; surveillance operations using Android mobile malware to track locations and monitor the communications of individuals of interest to the Iranian government; and deployment of custom malware, including backdoors, for their more advanced campaigns. By correlating Telegram traffic, open-source intelligence and OPSEC lapses by the group, Mandiant assesses that they are also associated with two front companies, Najee Technology and Afkar Systems.

Mandiant Intelligence, APT42: Crooked Charms, Cons and Compromises, blog article and report, 7 September 2022. Available online at https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises.

Developers Speed Up Their Ransomware

Ransomware developers have realized that encrypting all the data in every file is a slow process, and the longer it takes, the greater the chances of detection and the more data a victim may be able to save. Intensive file I/O operations may also be detected and flagged by anti-malware which is monitoring the system.

In response, a number of ransomware families have adopted techniques such as intermittent or partial encryption of files, according to a report from Sentinel Labs. In many cases, simply encrypting the first 64 or 128 bytes of a file - often, the header - is enough to render the file unopenable by applications. However, some ransomware samples will encrypt every third or fourth block, or 10% of the complete file, or various combinations of these.

As a result, these ransomware encryptors are significantly faster than earlier examples, and better able to evade detection. In many cases, they still manage to exfiltrate data for use in subsequent extortion.

Milenkoski, Aleksandar, Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection, Sentinel Labs, 8 September 2022. Available online at https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/.
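As an added illustration from a detection standpoint (this script is not from the Sentinel Labs report or this post), the following Python triage routine profiles a file's per-block Shannon entropy and names the pattern the high-entropy blocks form: header-only, every Nth block, a contiguous run, or the whole file. The sample "files" are constructed inside the script, and the ciphertext stand-in is a deterministic sequence of distinct byte values rather than real encryption.

```python
import math
from collections import Counter

BLOCK = 64   # bytes per block; matches the 64-byte header size the report mentions
HIGH = 0.9   # normalised entropy at or above this is treated as ciphertext-like

def normalised_entropy(chunk: bytes) -> float:
    """Shannon entropy of chunk divided by the maximum possible for its length,
    so a 64-byte block (max 6 bits/byte) and a 4 KiB block (max 8) compare fairly."""
    n = len(chunk)
    if n < 2:
        return 0.0
    ent = -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())
    return ent / math.log2(min(n, 256))

def classify(data: bytes, block: int = BLOCK, high: float = HIGH) -> str:
    """Name the pattern formed by the high-entropy blocks of a file."""
    profile = [normalised_entropy(data[i:i + block]) for i in range(0, len(data), block)]
    hot = [i for i, e in enumerate(profile) if e >= high]
    if not hot:
        return "plaintext"
    if len(hot) == len(profile):
        return "fully-high-entropy"   # fully encrypted, or a compressed/encrypted format
    if max(hot) <= 1:                 # only the first 128 bytes are touched
        return "header-only"
    strides = {b - a for a, b in zip(hot, hot[1:])}
    if strides == {1}:
        return "partial-contiguous"   # one run of encrypted blocks somewhere in the file
    if len(strides) == 1:
        return f"intermittent-every-{strides.pop()}"   # every Nth block encrypted
    return "partial-irregular"

# Constructed sample content (not real ransomware output); TEXT is exactly 64 bytes.
TEXT = b"Quarterly sales report: revenue grew in every region this year. "

def fake_ciphertext(n: int, seed: int = 0) -> bytes:
    """Deterministic stand-in for ciphertext: n distinct byte values (n <= 256)."""
    return bytes((seed + i * 167) % 256 for i in range(n))

def build(pattern: str, blocks: int = 12) -> bytes:
    """Assemble a 12-block sample; which blocks are 'encrypted' depends on pattern."""
    rule = {"plain": lambda i: False, "header": lambda i: i == 0,
            "third": lambda i: i % 3 == 0, "middle": lambda i: 4 <= i <= 5,
            "full": lambda i: True}[pattern]
    return b"".join(fake_ciphertext(BLOCK, seed=i) if rule(i) else TEXT for i in range(blocks))

if __name__ == "__main__":
    for p in ("plain", "header", "third", "middle", "full"):
        print(f"{p:>7}: {classify(build(p))}")
```

Treat the labels as a triage signal rather than a verdict: legitimately compressed or encrypted formats (archives, images, encrypted containers) also come out as "fully-high-entropy", so a production check would pair this with a known-good magic-byte or file-type comparison.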

US Claws Back Cryptocurrency Stolen by North Korea

People often assume that cryptocurrency transactions are untraceable, making them a favourite payment method of ransomware and extortion operators, as well as a favourite target of hackers such as North Korea's Lazarus Group. However, that turns out not to be the case, even when the cryptocurrency is passed through exchanges and tumblers, as Erin Plante, senior director of investigations at specialist blockchain analysis firm Chainalysis, has related in a report.

Five months ago, Lazarus Group struck at Ronin Network, a decentralized finance (DeFi) sidechain for the play-to-earn game Axie Infinity, scoring $US600 million, the bulk of which they laundered through Ethereum-Bitcoin swaps and mixing in batches through the Tornado Cash tumbler. However, using its specialized tools, Chainalysis was able to track some of the funds right through this process, and in cooperation with law enforcement and cryptocurrency industry organizations, $US30 million worth of cryptocurrency has been seized.

This is the first time that cryptocurrency stolen by a North Korean hacking group has been retrieved, and it is unlikely to be the last.

Plante, Erin, $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers to Profit, Chainalysis report, 8 September 2022. Available online at https://blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.