Blog entry by Les Bell

by Les Bell - Tuesday, 20 September 2022, 9:35 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Universal LockerGoga Decryptor Now Available

The LockerGoga ransomware has long wreaked havoc around the world, most notably in a famous targeted attack on Norsk Hydro in 2019. The ransomware operator, who was detained in October 2021 and is now awaiting trial, was part of a larger cybercrime group that infected over 1,800 people and enterprises in 71 countries, causing an estimated $US 104 million of damage.

Now, a joint effort between security firm Bitdefender, Europol, the NoMoreRansom Project, the Zurich Public Prosecutor's Office and the Zurich Cantonal Police has led to the release of a universal decryptor for LockerGoga.

LockerGoga renames encrypted files by adding a '.locked' extension to the filename. Victims who see this can download the new tool for free from Bitdefender and follow the steps in a tutorial to recover their files.

Uncredited, Bitdefender Releases Universal Lockergoga Decryptor in Cooperation with Law Enforcement, blog post, 16 September 2022. Available online at https://www.bitdefender.com/blog/labs/bitdefender-releases-universal-lockergoga-decryptor-in-cooperation-with-law-enforcement.

LastPass Development Environment Compromised

Password safe service provider LastPass disclosed last month that it had suffered a security breach, and has now revealed the extent of the damage. A forensic investigation performed in conjunction with incident response firm Mandiant has revealed that the threat actor was able to obtain access to the LastPass development environment for four days during August, after which their activities were curtailed.

The attacker was not able to gain access to customer data, and in particular not to password vaults, which in any case are encrypted under a passphrase-derived key that is not stored in the LastPass systems; physical separation of the development environment kept that data safe. The next question is whether source code integrity was compromised. After extensive analysis, the LastPass investigators have concluded there was no injection of malicious code. And it's doubtful that having access to the source will reveal a significant vulnerability which the attackers can exploit (Kerckhoffs's second principle, and all that).

Access to the environment was obtained via compromise of a developer account, including an MFA bypass, although the exact mechanism by which this was achieved was not determined - possibly this was another case of MFA push bombardment.

Toubba, Karim, Notice of Recent Security Incident, blog article, 15 September 2022. Available online at https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/.

Growing Botnet Tries to Break Bitcoin Elliptic Curve Crypto

Specialist container security firm Aqua has discovered - using its honeypots - a new botnet which seems to be run by a threat actor called TeamTNT, which had been lying low in recent months. The attackers are scanning for misconfigured Docker daemons, and deploying a container image which then downloads a shell script to update the image and then clone a mysterious GitHub project set up by TeamTNT.

The container becomes a node in a distributed cracking project directed against the secp256k1 elliptic curve cryptography used to sign Bitcoin transactions. This will require an enormous amount of compute power, but since the threat actor isn't paying for it, that's not their problem. And with some quite powerful cloud containers, it will be interesting to see if they can pull it off. The odds are against it, however.
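To put "the odds are against it" in numbers, here is an added worked estimate that is not part of the original post. It assumes the attackers use the best known generic attack on the elliptic curve discrete logarithm problem, Pollard's rho, and a hypothetical sustained rate of $10^{18}$ curve operations per second across the whole botnet:

$$
n \approx 2^{256}, \qquad \text{Pollard's rho cost} \approx \sqrt{\tfrac{\pi n}{2}} \approx 1.25 \times 2^{128} \approx 4.3 \times 10^{38} \text{ operations}
$$

$$
\frac{4.3 \times 10^{38}}{10^{18}\ \text{op/s}} \approx 4.3 \times 10^{20}\ \text{s} \approx 1.4 \times 10^{13}\ \text{years}
$$

That is roughly a thousand times the age of the universe to recover a single private key, which is why a botnet of hijacked containers, however large, is not a credible threat to the curve itself; the practical risk from this campaign is the theft of compute and the exposure of the misconfigured Docker hosts.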

Morag, Assaf, Threat Alert: New Malware in the Cloud by TeamTNT, blog article, 15 September 2022. Available online at https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt.

Crypto Documentary Series

File under 'light entertainment': A new documentary series looks into the history of code-breaking of all kinds - from deciphering early language text to breaking the encryption of black phones used by criminals.

The first episode focuses on Elizebeth Smith Friedman, who worked for the US War Department and the US Navy (her husband, William Friedman, was also a legendary cryptanalyst who ran the Army's Signal Intelligence Service and was later the chief cryptologist for the fledgling NSA). During the Prohibition years, Elizebeth Friedman worked for the US Coast Guard, decrypting the radio messages of bootleggers and smugglers - and, being the mother of young children, was a pioneer of working from home.

Cracking the Code airs in Australia on Sunday evenings at 9:20 pm on SBS Viceland, and is also available via SBS on Demand. It is probably available via streaming services elsewhere.

Johnson, Travis, Mysteries and secret messages are unlocked in 'Cracking The Code', SBS program guide, 15 September 2022. Available online at https://www.sbs.com.au/guide/article/2022/09/15/mysteries-and-secret-messages-are-unlocked-cracking-code.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.