Blog entry by Les Bell

by Les Bell - Wednesday, 14 September 2022, 8:26 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cisco Attributes Breach to Lapsus$, Yanluowang Ransomware Groups

Back in May, Cisco's systems were breached by a highly sophisticated phishing attack. Cisco Talos and Cisco's internal response team have now concluded an investigation, and their report is highly instructive.

The initial access to a Cisco VPN was achieved by compromising an employee's personal Google account - the employee had enabled password sync in their Chrome browser and stored their Cisco credentials there. From there, the next step was to get past the multi-factor authentication (MFA) for the Cisco VPN, and this was achieved with a variety of techniques, including voice phishing ("vishing") as well as sending a high volume of MFA push requests to the user's device until they either slip up or give in, in frustration, to make it stop. The employee concerned reported receiving multiple calls, in variously-accented English, purporting to come from tech support.

After gaining access, the attackers enrolled a number of new devices for MFA and successfully authenticated to the Cisco VPN. From there a privilege escalation let them log in to multiple systems, rapidly deploying tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket, and creating backdoor accounts. This was followed by enumeration, mostly performed manually at the command line (indicated by numerous typing errors), and then pivoting to other systems, including Citrix servers and domain controllers, from which they extracted credentials.

The Cisco Talos report contains a lot of detail on TTPs, as well as useful recommendations; key among these is the need to educate users on what to do in response to multiple MFA push requests and who to contact. It's not as simple as setting up an authenticator app on their phones and telling them to get on with it.

Uncredited, Cisco Talos shares insights related to recent cyber attack on Cisco, blog post, 11 September 2022. Available online at https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html.
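The pattern described above - a burst of push challenges, an eventual approval, then a new MFA device enrolled - is also something a SOC can look for in its authentication logs rather than relying on user training alone. The following is an added example, not code from the Talos report or this blog: a small detector run over a constructed log sample. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example (not from the Talos report or this blog). Log format, event
names and thresholds are assumptions; adapt them to your IdP's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <device>"
SAMPLE_LOG = """\
2022-05-10T09:01:05Z alice mfa_push_sent ios-phone
2022-05-10T09:01:40Z alice mfa_push_denied ios-phone
2022-05-10T09:02:10Z alice mfa_push_sent ios-phone
2022-05-10T09:02:45Z alice mfa_push_sent ios-phone
2022-05-10T09:03:20Z alice mfa_push_sent ios-phone
2022-05-10T09:03:55Z alice mfa_push_sent ios-phone
2022-05-10T09:04:12Z alice mfa_push_approved ios-phone
2022-05-10T09:05:30Z alice mfa_device_enrolled android-unknown
2022-05-10T09:06:00Z bob mfa_push_sent ios-phone
2022-05-10T09:06:20Z bob mfa_push_approved ios-phone
"""

PUSH_THRESHOLD = 4                  # pushes within WINDOW considered abnormal (assumed)
WINDOW = timedelta(minutes=10)      # burst window (assumed)
ENROLL_FOLLOWUP = timedelta(minutes=30)  # how long after a burst a new device is suspicious (assumed)


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, device) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, device = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, device))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events):
    """Return one alert per user whose push volume exceeds PUSH_THRESHOLD inside WINDOW.

    Severity escalates if the burst ends in an approval, and again if a new MFA
    device is enrolled shortly afterwards (the sequence seen in the Cisco case).
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        pushes = [e[0] for e in evs if e[2] == "mfa_push_sent"]
        for i in range(len(pushes)):
            # Sliding window: count pushes from pushes[i] that fall within WINDOW
            j = i
            while j < len(pushes) and pushes[j] - pushes[i] <= WINDOW:
                j += 1
            if j - i < PUSH_THRESHOLD:
                continue
            burst_start, burst_end = pushes[i], pushes[j - 1]
            approved = any(
                e[2] == "mfa_push_approved" and burst_start <= e[0] <= burst_end + WINDOW
                for e in evs
            )
            new_devices = [
                e[3] for e in evs
                if e[2] == "mfa_device_enrolled" and burst_end <= e[0] <= burst_end + ENROLL_FOLLOWUP
            ]
            severity = "critical" if approved and new_devices else "high" if approved else "medium"
            alerts.append({
                "user": user,
                "pushes": j - i,
                "approved": approved,
                "new_devices": new_devices,
                "severity": severity,
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample above, alice trips the detector (five pushes in under three minutes, an approval, then an unfamiliar Android device enrolled), while bob's single push-and-approve is normal and produces nothing. The device-enrollment follow-up is the most valuable signal here: an approval alone may be a tired user, but an approval followed by a new authenticator is the point at which an analyst should be phoning the employee.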

Skills Gap Contributing to Breaches

A new report from Fortinet turns up a slightly scary finding - 80% of respondents to a global survey suffered at least one breach that they could attribute to a lack of cybersecurity skills and/or awareness. 64% of organizations lost revenue or paid fines due to breaches in the past year, and 38% reported breaches that cost them more than $US1 million.

The key problem is the struggle first to find certified cybersecurity talent (reported by 60% of respondents) and then to retain them (52%). At least the message is reaching boards, with 76% of organizations reporting that their board of directors recommends increases in IT and cybersecurity headcounts.

Uncredited, 2022 Cybersecurity Skills Gap, Global Research Report, September 2022. Available online at https://www.fortinet.com/content/dam/fortinet/assets/reports/report-2022-skills-gap-survey.pdf.

Programmable Logic Controllers on Public IP Addresses? Pwned!

An interesting example of an easy attack on industrial control systems has been analyzed by ICS security specialist firm Otorio. The attack, conducted and proclaimed by hacktivist group GhostSec, successfully breached 55 Berghof PLC's (Programmable Logic Controllers) being used by companies in Israel. The group was able to log in to the PLC's, which were on public IP addresses and secured with default or trivial passwords, then stop the PLC process and dump data from it.

Fortunately, the group stopped at this point, choosing to embarrass their victims rather than interfere with industrial processes - gaining access to a single PLC gives no insight into the entire process or the other devices being used.

Lakshmanan, Ravie, Hacktivist Group GhostSec Compromises 55 Berghof PLCs Across Israel, The Hacker News, 12 September 2022. Available online at https://thehackernews.com/2022/09/palestinian-hacktivist-group-ghostsec.html.

Let's Encrypt Reintroduces CRL's

Free certificate authority Let's Encrypt has announced plans to build infrastructure to distribute certificate revocation lists (CRL's). CRL's were never widely deployed, except for the most expensive types of certificates and private PKI's in high-risk environments, and most commercial CA's purveying web site SSL (really TLS) certificates have preferred to use the Online Certificate Status Protocol (OCSP) for their more expensive certificates. Those paying for the cheaper certificates would simply have to wait out the remaining lifetime of a compromised website private key.

However, the browser vendors - primarily Mozilla Firefox and Google Chrome - are now implementing proprietary, browser-specific CRL's which are highly compressed and much more efficient, and then distributed using the update mechanisms already built into their browsers - Firefox, for example, can push updates every six hours.

Let's Encrypt has now joined this effort, developing new specialized infrastructure, splitting what would be a single 8-GB CRL (for their 200 million active certificates) into 128 shards which will download separately, with the content of each shard being carefully tuned so as to minimize the need for frequent updates.

Gable, Aaron, A New Life for Certificate Revocation Lists, blog article, 7 September 2022. Available online at https://letsencrypt.org/2022/09/07/new-life-for-crls.html.
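To see why sharding matters for a CRL this size, it helps to model the client side. The following is an added example, not Let's Encrypt's code: a toy sharded CRL where a client caches each shard with a version tag and re-downloads only shards whose tag has changed. The Let's Encrypt post gives the shard count (128) but not how a certificate is mapped to a shard, so the mapping used here (SHA-256 of the serial number, modulo 128) is an assumption for illustration, as are the class and method names.

```python
"""Sharded CRL distribution with incremental client refresh.

Added example, not Let's Encrypt's implementation. The post states that the
CRL is split into 128 shards downloaded separately; the serial-to-shard
mapping below is an assumption made for this illustration.
"""
import hashlib

NUM_SHARDS = 128


def shard_for_serial(serial: int) -> int:
    """Assumed mapping: hash the (up to 20-byte) serial and reduce modulo NUM_SHARDS."""
    digest = hashlib.sha256(serial.to_bytes(20, "big")).digest()
    return int.from_bytes(digest[:4], "big") % NUM_SHARDS


class ShardedCRL:
    """CA side: a set of revoked serials per shard, each with a content-derived version tag."""

    def __init__(self):
        self.shards = [set() for _ in range(NUM_SHARDS)]

    def revoke(self, serial: int) -> int:
        """Add a serial to its shard; only that shard's tag changes. Returns the shard index."""
        idx = shard_for_serial(serial)
        self.shards[idx].add(serial)
        return idx

    def shard_tag(self, idx: int) -> str:
        """Version tag for one shard (stand-in for an HTTP ETag / CRL number)."""
        body = ",".join(str(s) for s in sorted(self.shards[idx])).encode()
        return hashlib.sha256(body).hexdigest()[:16]

    def fetch(self, idx: int):
        """Simulated shard download: returns (tag, revoked serials)."""
        return self.shard_tag(idx), frozenset(self.shards[idx])


class Client:
    """Relying party: keeps every shard cached and refreshes only the ones that changed."""

    def __init__(self, ca: ShardedCRL):
        self.ca = ca
        self.cache = {}  # shard index -> (tag, frozenset of revoked serials)

    def refresh(self) -> int:
        """Compare tags for all shards and download those that differ. Returns downloads made."""
        downloaded = 0
        for idx in range(NUM_SHARDS):
            tag = self.ca.shard_tag(idx)
            cached_tag = self.cache[idx][0] if idx in self.cache else None
            if cached_tag != tag:
                self.cache[idx] = self.ca.fetch(idx)
                downloaded += 1
        return downloaded

    def is_revoked(self, serial: int) -> bool:
        """Check revocation against the cached shard for this serial."""
        idx = shard_for_serial(serial)
        if idx not in self.cache:
            raise LookupError("shard %d not yet downloaded" % idx)
        return serial in self.cache[idx][1]


def demo():
    """Initial sync pulls all shards; a later single revocation costs one shard download."""
    ca = ShardedCRL()
    client = Client(ca)
    first = client.refresh()            # cold cache: every shard fetched once
    ca.revoke(0x1234)                   # constructed serial
    second = client.refresh()           # only the affected shard changes
    return first, second, client.is_revoked(0x1234), client.is_revoked(0x1235)


if __name__ == "__main__":
    print(demo())
```

The cold-cache sync costs all 128 shards, but each subsequent revocation changes only the one shard containing that serial, which is the property the post is after: clients (or the browser vendors' aggregation pipelines) can poll frequently without re-transferring an 8 GB list. In a real deployment the tag comparison would be an HTTP conditional request and the shard contents would be signed CRLs, not plain sets.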


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.