Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

New Linux Variant of Windows Backdoor

ESET researchers have identified a new Linux variant of the SideWalk backdoor which has been used in an attack against a Hong Kong university in February 2021. Based on code similarities and the IP address of a C2 server, they attribute the malware and the attack to Sparkling Goblin, a China-based APT which has previously taken an interest in Hong Kong academic institutions during previous student pro-democracy protests.

ESET had originally blogged about this malware in its Windows form back in August 2021, and documented the Linux malware in July of that year, but had not realised that it was just a variant of the same code - an indication of how long it can take to reverse-engineer and analyze malware. Their report makes fascinating reading.

Hrčka , Vladislav, Thibaut Passilly and Mathieu Tartare, You never walk alone: The SideWalk backdoor gets a Linux variant, ESET WeLiveSecurity blog, 14 September 2022. Available online at https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/.

Ransomware Exploits VoIP Systems

Too tight a focus on data security can seduce us into losing sight of all the other stuff that's on our networks. Voice-over-IP phone systems, in particular, are often supplied as a black box turnkey 'solution' that we don't get to see into very deeply. This is concerning particularly because they live on the network perimeter and are exposed to outside threats.

Back in June, CrowdStrike identified an exploit against Mitel VoIP appliances; the attackers were able to perform a command injection, exploiting some vulnerable PHP code and achieving unauthenticated remote command execution. This was used to establish a reverse shell and then a webshell based on a Linux pipe. This was followed by extensive antiforensic activity.

Subsequent research by Arctic Wolf suggests that the actor behind this is the Lorenz ransomware group, which they have tracked using this technique, then waiting for a month post-exploitation before using the Mitel appliance's command line interface to pivot to other systems, commencing credential dumping followed by network and domain enumeration. Having obtained credentials for two accounts - one with domain admin privileges - they then moved through the environment using EDP. This was followed by data exfiltration via FileZilla and then using BitLocker drive encryption to take data hostage.

The moral of the story: if you haven't got the ability to monitor activity on VoIP PBX's, then they may well be the weakest link in your defences.

Bennett, Patrick, The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance, CrowdStrike blog, 23 June 2022. Available online at https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/.

Neis, Markus, et. al., Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back for Free, Arctic Wolf blog, 12 September 2022. Available online at https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/.

Teams App Stores Tokens as Plaintext

Researchers at Vectra have identified a privilege escalation vulnerability in Microsoft Teams which will allow an attacker who has obtained filesystem access on a victim machine to steal the credentials of any logged-in Teams user - worst of all, bypassing multi factor authentication.

The basic problem is that the Teams client is written as an Electron app, - in other words, a web application that runs through a customised browser, and therefore makes use of traditional browser authentication mechanisms like cookies and session strings. However, Electron does not provide encrypted storage or access to system protected directories, and because the product presents a relatively high level of abstraction to the programmer, these vulnerabilities are far from evident (and hard to fix).

Peoples, Connor, Undermining Microsoft Teams Security by Mining Tokens, Vectra blog, 13 September 2022. Available online at https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.