Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Uber Hacked, Bug Bounty Submissions Disclosed

Rideshare company Uber seems to be in an invidious position after an unidentified hacker gained access to its internal systems, including its AWS console, VMware ESXi VM's, Google Workspace dashboard, its AD domain and - probably most damaging - the submissions to its bug bounty program, which it runs through HackerOne.

The attacker was definitely not stealthy, posting comments on bug bounty submissions and broadcasting a message announcing the hack via an employee's Slack account. It seems like the hacker gained access via a social engineering attack which obtained an employee's credentials and pivoted from there, gaining access to many of Uber's internal systems - then posting screenshots to confirm this.

Having download all the bug bounty submissions before this, it seems likely that the hacker will either makes use of them in future, or - more likely - auction them off to the highest bidder. The security team at Uber are likely to have their hands full for the foreseeable future. Meanwhile, there is no word on whether customer credentials or financial data were exposed.

Abrams, Lawrence, Uber hacked, internal systems breached and vulnerability reports stolen, Bleeping Computer, 16 September 2022. Available online at https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/.

vx-underground, Update: A Threat Actor claims ..., Tweet, 16 September 2022. Available online at https://twitter.com/vxunderground/status/1570597582417821703.

Uber Comms, We are currently responding . . ., Tweet, 16 September 2022. Available online at https://twitter.com/Uber_Comms/status/1570584747071639552.

Trojaned Version of PuTTY Drops Backdoor

A novel WhatsApp spearphishing attack employed by a likely North Korean threat actor uses the possibility of a tech job with Amazon to entice possibly privileged users to run a trojaned version of the popular PuTTY SSH client. The campaign, reported by Mandiant, hides the infected utility within a .ISO image file in order to escape detection.

If the victim falls for the lure and runs the trojaned version of PuTTY - which is much larger than the genuine program - the program writes an embedded payload to disk and then lanches it. This code makes itself persistent by creating a scheduled task, then drops a copy of the AIRDRY (also known as BLINDINGCAN) backdoor. This can be configured to remain inactive for a time, but will then contact a C2 server to request commands, which will most generally be to download and execute a plugin.

Maclachlan, James, et. al., It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp, Mandiant blog, 14 September 2022. Available online at https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing.

Akamai Blocks Record DDoS Attack

On September 12, Akamai detected and successfully mitigated the largest (so far!) attack against a European customer. A previous attack against the same customer, who is headquartered in Eastern Europe, peaked at 659.6 Mpps (million packets per second), but this one - probably initiated by the same threat actor - peaked at 704 Mpps.

This time around, the attacker targeted not just their primary data center, but six separate locations around the world, using 1,813 different IP addresses per minute. Such a widely distributed attack would make it hard for customer security staff to respond, as they were being bombarded from six different locations.

Sparling, Craig, Record-Breaking DDoS Attack in Europe, Akamai blog, 15 September 2022. Available online at https://www.akamai.com/blog/security/record-breaking-ddos-attack-in-europe.

ACSC Releases Updated Information Security Manual

The Australian Cyber Security Centre has issued a new release of the Information Security Manual, the definitive set of guidelines for Australian Government departments and other organizations which may have to comply with it.

The new edition of the ISM places increased emphasis on cyber supply chain risk management and supplier relationship management, with a lot of clarification and tightening of definitions, and a new control requiring the development and implementation of a supplier relationship management policy. A new control requires a minimum length of 30 characters for local administrator accounts and service accounts, and an existing control was clarified to require restarting workstations on a daily basis.

Email security requirements are also tightened, with clarification that subdomains are within scope (I suspect someone saw an opportunity for easy 'compliance' there) and a clarification that MTA-STS is used to prevent the unencrypted transfer of emails.

Perhaps the biggest recent innovation is the introduction of the ISM in machine-readable OSCAL (Open Security Controls Assessment Language) format for use in automated tools.

Uncredited, Information Security Manual, Australian Signals Directorate / Australian Cyber Security Centre, 15 September 2022. Available online at https://www.cyber.gov.au/acsc/view-all-content/ism.

Need for Scam Workers Drives Human Trafficking

The Australian Broadcasting Corporation has continued its investigation into the human trafficking which underlies online scamming sweatshops based in Cambodia. The scammers use the messaging capabilities of language-learning apps (among others) in order to contact and gain the trust of their potential victims through an initial phase of innocuous chat - a process referred to as "pig butchering" (a literal translation of the Chinese term for fattening an animal before slaughter). This is followed by claims of windfall returns through a cryptocurrency platform which the victim is encouraged to use.

Insiders, lured to what they initially believed would be legitimate employment, report being told to "find customers" by creating fictious accounts and adding friends on social media, then convincing their marks to deposit money into fake investments or online gambling accounts. Once the account balance reaches $10,000, the money will be transfered to the scammers. The bosses demand 14-hour days, seven days a week, with a target of $55,000 per month for each 'employee' and beatings for not achieving this.

The workers are held captive, and if they are released, may find themselves on the street with no identity documents and no way of getting back to their home country. Cambodia - which was traditionally a country from which people were trafficked in search of better employment - is only responding slowly to this new crime wave.

Handley, Erin, et. al., Inside the 'pig-butchering' scams seeing thousands trafficked into cyber slavery, ABC News, 16 September 2022. Available online at https://www.abc.net.au/news/2022-09-16/cambodia-human-trafficking-online-scam-pig-butchering/101407862.

Crypto Bros' Spat - About Who Is the Original Crypto Bro - Reaches Court

A defamation suit brought by Bitcoin personality Craig Wright (possible alter ego: Satoshi Nakamoto) against Twitter poster Hodlonaut (real identity: Magnus Granath) over Wright's claim to be the original inventor/developer of Bitcoin has finally reached court in Oslo.

Wright has several times attempted to prove that he is Satoshi, but on each occasion, the 'proof' has not stood up to scrutiny. This time, he has abandoned attempts to produce a strong, cryptographic proof, claiming that he intentionally destroyed a hard drive which contained his private keys and in any case, "identity is not related to keys". He is now relying on his relationships with many people in the cryptocurrency community, along with his patents, career history and academic achievements to confirm that he is, indeed, the owner of Satoshi's stash of 1.1 million Bitcoin.

His testimony makes entertaining reading, especially his attempts to gloss over a 2019 article in Bitcoin Magazine which debunked Wright's claims. Many readers will particularly enjoy his claim that "practically no on in information technology knows who [philosopher Jean-Paul] Sarte is".

Ligon, Cheyenne, Craig Wright Tells Court He 'Stomped on the Hard Drive' Containing Satoshi Wallet Keys, CoinDesk, 15 September 2022. Available online at https://www.coindesk.com/policy/2022/09/15/craig-wright-tells-court-he-stomped-on-the-hard-drive-containing-satoshi-wallet-keys/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.