Les Bell and Associates Pty Ltd

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

BreachForums Owner Pleads Guilty

Back in March, we reported on the arrest of the owner of BreachForums, one of the biggest sites for sale of stolen databases containing PII, and its subsequent closure by the new administrator. The owner and operator of BreachForums had used the handle 'Pompompurin', but the FBI identified him as Conor Brian Fitzpatrick, arresting him at his home in Peekskill, New York and charging him with conspiracy to commit access device fraud.

Another chapter in this story was written last week when Fitzpatrick pleaded guilty to three charges:

• 18 U.S.C. § 1029(b)(2) and 3559(g)(1) Conspiracy to Commit Access Device Fraud;
• 18 U.S.C. § 1029(a)(6) and 2 Access Device Fraud – Unauthorized Solicitation; and
• 18 U.S.C. § 2252(a)(4)(B) and (b)(2) Possession of Child Pornography

Fitzpatrick has agreed to pay restitution, which is likely to exceed $US700,000, based on the gross proceeds of his operation. He remains free on a $US300,000 bond, but his bail conditions restrict him from using any computer unless it has a monitoring program installed by the court, as well as various other online activities. And related to that third charge, he is allowed no unsupervised contact with minors.

He will be sentenced in the Eastern District of Virginia on 17 November, when he could face a jail term of up to 40 years.

Dissent, Owner of BreachForums pleads guilty in federal court to three counts, including one involving child pornography, blog post, 14 July 2023. Available online at https://www.databreaches.net/owner-of-breachforums-pleads-guilty-in-federal-court-to-a-charge-that-shocks-everyone/.

Adobe, Citrix, Oracle, Release Security Patches

Yet another big day for sysadmins, with three major vendors releasing security fixes.

Adobe ColdFusion

Adobe is first cab off the rank, with updates for ColdFusion versions 2023, 2021, 2018, which all contain a critical (CVSS score 9.8) insecure deserialization vulnerability, CVE-2023-38203, which could allow remote code execution. The fix is to update to ColdFusion 2023 Update 2, ColdFusion 2021 Update 8 or ColdFusion 2018 Update 18. (Your scribe is simply surprised that ColdFusion is still a thing, recalling an amusing pen-testing engagement involving it, back in the heady days of the ".com boom".)

Adobe, Security updates available for Adobe ColdFusion, security bulletin APSB23-41, 14 July 2023. Available online at https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html.

Citrix NetScaler ADC and NetScaler Gateway

Citrix is grappling with three major vulnerabilities affecting multiple versions of NetScaler ADC (Application Delivery Controller) and NetScaler Gateway:

• CVE-2023-3466, a reflected cross-site scripting (XSS) vulnerability with a CVSS score of 8.3
• CVE-2023-3467, a privilege escalation vulnerability with a score of 8.0
• CVE-2023-3519, a particularly nasty unauthenticated remote code execution vulnerability, with a CVSS score of 9.8
  

That last vulnerability is being exploited in the wild, so affected customers are urged to update as soon as possible.

Citrix, Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467, security bulletin, 18 July 2023. Available online at https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467.

Oracle - Multiple Products, Plus Solaris and Linux

Finally, Oracle has released its quarterly Critical Patch Update Advisory, as well as its Solaris Third Party Bulletin and Linux Bulletin. The Critical Patch Update Advisory alone contains 508 new security patches across multiple product families - there's literally something for everyone, including users of MySQL, Oracle itself, and all the related applications and API's, including JD Edwards and Siebel.

Oracle, Oracle Critical Patch Update Advisory - July 2023, security alert, 10 July 2023. Available online at https://www.oracle.com/security-alerts/cpujul2023.html.

Oracle, Oracle Solaris Third Party Bulletin - July 2023, security alert, 18 July 2023. Available online at https://www.oracle.com/security-alerts/bulletinjul2023.html.

Oracle, Oracle Linux Bulletin - July 2023, security alert, 18 July 2023. Available online at https://www.oracle.com/security-alerts/linuxbulletinjul2023.html.

FIN8 Revamps Sardonic Black Cat

The FIN8 cybercrime group (a.k.a. Syssphinx) has been active since at least early 2016, initially targeting point-of-sale systems, but gradually expanding into ransomware attacks on the retail, hospitality, entertainment and other sectors. The group makes extensive use of LOLbins and abuses legitimate services in order to evade detection, and generally uses spear phishing and social engineering to gain initial access.

FIN8's ransomware ventures have generally made use of other groups' tools. Beginning in 2021 with the Ragnar Locker, they then switched to White Rabbit. Now researchers from Symantec's Threat Hunter Team report that FIN8 have reappeared after a break to retool yet again, this time making use of the notorious ALPHV/BlackCat ransomware.

This time, the FIN8 crew have revamped the backdoor they previously used to install White Rabbit. Known as Sardonic, this backdoor was written in C++ and made use of that language's standard library. Perhaps with the goal of evading detection by automated static analysis, the new version of Sardonic has been rewritten in C, and its C2 protocol has been rejigged, perhaps to throw off network IDS/IPS and EDR products.

The Symantec blog post details the techniques FIN8 used to install the Sardonic backdoor, making use of PowerShell commands and scripts to download it and establish persistence. Apart from a detailed analysis of the techniques, it also contains a description of the Sardonic C2 protocol and a list of IOC's.

Symantec Threat Hunter Team, FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware, blog post, 18 July 2023. Available online at https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Free Cloud Security Tools

The US Cybersecurity & Infrastructure Security Agency has released a fact sheet to help businesses identify the right tools and techniques to protect information assets as they migrate them into the cloud. The Free Tools for Cloud Environments factsheet list open-source tools, methods and guidance to network defenders and incident response teams to help  identify, mitigate and detect vulnerabilities, anomalies and the threats that might exploit them.

The tools include:

• The Cybersecurity Evaluation Tool (CSET) (CISA)
• SCuBAGear (CISA)
• The Untitled Goose Tool (CISA)
• Decider (CISA)
• Memory Forensic on Cloud (JPCERT/CC)

While many are written in Windows PowerShell, some are in Python and will operate in wider cloud environments. One of the most impressive is Decider, which asks a series of questions to help network defenders identify adversary tactics, techniques and sub-techniques, mapping them to the MITRE ATT&CK framework, and allowing the export of results to tables such as ATT&CK Navigator heatmaps, which can then be used in threat intelligence reports.

CISA, Free Tools for Cloud Environments, factsheet, 17 July 2023. Available online at https://www.cisa.gov/resources-tools/resources/free-tools-cloud-environments.

Security Analyst Jailed For Over Three Years

Back in May we reported on the case of a security analyst who tried to exploit a ransomware attack on his Oxford (UK) employer by substituting his own Bitcoin wallet addresses for those in the attackers' ransom demands, and additionally spoofing emails to increase the pressure to pay up. Unfortunately, his man-in-the-middle exploit was foiled when his employer decided not to pay up - and even worse, his email interference showed up in system logs, leading to his arrest. At his appearance in court he sensibly decided to plead guilty.

On return to Reading Crown Court last week, Ashley Liles, aged 28, was sentenced for blackmail and unauthorised access to a computer with intent to commit other offences, and was jailed for three years and seven months. 

"This has been a complex and challenging investigation and I am extremely grateful for all the officers and staff that were involved for their commitment and dedication over a five year period", said Detective Inspector Rob Bryant, of the SEROCU Cyber Crime Unit "This case demonstrates that the police have the ability and technical skills to investigate cybercrime offences and bring cyber-criminals to justice."

And the moral of the story is: use your powers for good, not evil, lest your mug shot appear in a police force press release. This is a classic example of a CLM (Career Limiting Move).

South East Regional Organised Crime Unit, Man jailed for more than three years for attempting to extort money from the company he worked for, press release, 11 July 2023. Available online at https://serocu.police.uk/man-jailed-for-more-than-three-years-for-attempting-to-extort-money-from-the-company-he-worked-for/.

Cloud Service Provider Breached By Nation State-Sponsored Threat Actor

Cloud management service provider JumpCloud has disclosed a breach affecting some of their internal systems and inpacting a number of their customers. The firm has provided details of activity by "a sophisticated nation-state sponsored threat actor" wihch pivoted from the firm's systems to target "a small and specific set of our customers".

The attack started on 22 June with a sophisticated spear phishing campaign which gained the threat actor access to an internal orchestration system; in late June JumpCloud detected the activity and took action, activating their incident response plan, rotating credentials and rebuilding infrastructure. Subsequent forensic analysis revealed unusual activity in the commands framework for a small set of customers, and on 5 July the firm force-rotated all API keys.

Further work revealed that the attack vector was data injection into the command framework, and confirmed suspicions that attack was extremely targeted and limited to specific customers. The company has shared a list of IOC's, including IP addresses and file hashes.

Phan, Bob, [Security Update] Incident Details, blog post, 12 July 2023. Available online at https://jumpcloud.com/blog/security-update-incident-details.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

As Expected, Criminals Turn to AI

In recent months, generative AI has been the hot topic du jour, with over a quarter of UK adults having used it (Milmo, 2023). It was inevitable that cybercriminals would explore the potential of large language models to get rid of the grammatical errors that betray phishing and malmails as being written by non-native English speakers.

Services like ChatGPT are boxed in by rules which prevent them responding to prompts asking them to generate malware code, for example - although researchers have been able to bypass this. In fact, a lot of human intelligence is being devoted to generating prompts which mitigate the inherent limitations of generative transformers. Now researchers at email security firm SlashNext report on a new trend emerging in cybercrime forums: the development of "jailbreaks" for ChatGPT: specialised prompts which 'trick' the AI into generating output intended to trigger the disclosure of sensitive information, production of inappropriate content or even the execution of harmful code.

"Jailbreak" prompts, offered on a cybercrime forum (Image: SlashNext)

In fact, developers have now turned their hand to malicious AI modules, with one offering "WormGPT", which - claims the author - "lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home. WormGPT also offers anonymity, meaning that anyone can carry out illegal activities without being traced".

Announcement of WormGPT (Image: SlashNext)

According to the SlashNext researchers, WormGPT is based on 2021's GPTJ language model and offers features such as chat memory retention and code formatting capabilities. Although the author keeps its training data confidential, it apparently concentrates on malware-related sources. In his tests, SlashNext's Daniel Kelley instructed WormGPT to generate an email intended to pressure an unsuspecting account manager into paying a fraudulent invoice, resulting in a remarkably persuasive and strategically cunning email.

This development indicates that life is going to get much easier for Business Email Compromise attackers - but much more difficult for defenders. It will take literally no skills and little effort to create grammatically-correct emails, and a lot more skill to detect them. It seems likely that the only long-term solution will be the development of invoicing and payment systems that incorporate stronger authentication and verification mechanisms.

Kelley, Daniel, WormGPT – The Generative AI Tool Cybercriminals Are Using to Launch Business Email Compromise Attacks, blog post, 13 July 2023. Available online at https://slashnext.com/blog/wormgpt-the-generative-ai-tool-cybercriminals-are-using-to-launch-business-email-compromise-attacks/.

Milmo, Dan, More than a quarter of UK adults have used generative AI, survey suggests, The Guardian, 13 July 2023. Available online at https://www.theguardian.com/technology/2023/jul/14/more-than-quarter-of-adults-have-used-generative-ai-artifical-intelligence-survey-suggests.

Docker Images Leak Secrets, Claim Researchers

As the push to cloud computing continues, one of the most important technologies is the packaging of cloud applications as containers, using using Docker. So popular is this that thousands of container images are shared via cloud repositories like Docker Hub, as well as private repositories used as part of the CI/CD pipeline.

The Docker Paradigm (Image: IEEE Cloud Computing)

Users define a Dockerfile which controls image building, first downloading a base image from a registry, then adding customization layers containing compiled applications, configuration files and environment variables, before pushing the completed container back to the registry for subsequent deployment. One risk is the accidental incorporation of cryptographic secrets - such as API tokens and private keys - into one of the layers, resulting in subsequent exposure in the registry, should anyone care to look.

In a paper presented at the ACM ASIA Conference on Computer and Communications Security (ASIA CCS 2023) in Melbourne last week, researchers from RWTH Aachen University revealed that such accidental leakage is more extensive than previously suspected. Analyzing 337,171 images from Docker Hub and 8,076 from private registries, they found that 8.5% of the images leaked secrets. Specifically, they discovered 52,107 private keys and 3,158 API secrets, representing a large attack surface which can expose sensitive data, including personally-identifiable information.

This is not purely of academic interest: the researchers also found the leaked keys were being used in the wild, with 1,060 certificates relying on compromised keys being issued by public CA's and 275,269 TLS and SSH hosts using leaked private keys for authentication.

There is clearly scope for improving CI/CD pipelines to minimie this kind of exposure, and the paper offers some suggestions for mitigation.

Dahlmanns, Markus, Robin Decker, Constantin Sander and Klaus Wehrle, Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact, ASIA CCS 2023, July 10-14, Melbourne VIC Australia. Available online at https://arxiv.org/abs/2307.03958.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Big Day for Network Admins

It could be a long weekend for network admins, with both Cisco and Juniper releasing updates to deal with vulnerabilities.

For Cisco, the problem is an API vulnerability in the RESTful API of SD-WAN vManage. The API performs insufficient request validation, which could allow an unauthenticated, remote attacker to send a crafted API request, allowing either the retrieval or the update of the vManage instance configuration.

The vulnerability only affects the REST API and not the web management interface or command-line interface. Administrators can use the CLI show log command to review the vManage logs, looking for entries that may indicate a compromise. The vulnerability can be mitigated by using access control lists to restrict access to the API to only trusted IP addresses.

Juniper admins have to deal with multiple vulnerabilities in Juno OS, some of which can be exploited to take control of the affected system. The vulnerabilities range from buffer overflows in the flowd flow processing daemon on SRX series devices causing crashes, through an exception handling error in the processing of datagrams routed over VXLAN tunnels which can cause a DoS, to multiple vulnerabilities in the PHP code of the J-Web management interface. The fix is, of course, a software update.

It now being Friday, this puts network admins on the horns of a dilemma: the zeroth rule of system administration is:

Patch not on a Friday, lest ye be condemned to work the entire weekend fixing stuff

But these are security fixes, so best hop to it!

Cisco, Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability, security advisory, 12 July 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA.

Juniper, Junos OS and Junos OS Evolved July Security Bulletins, security advisories, 12 July 2023. Available online at https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=relevancy&f:ctype=[Security%20Advisories]&f:level1=[OS].

Security Researchers Targeted by Fake PoC Code

A salutary tale for malware analysts and security researchers: in an audacious attack, an unidentified threat actor is targeting them via a fake proof-of-concept that will install a backdoor on their systems, allowing the threat actor to gain access to the system and intelligence on their activities.

The PoC was shared on GitHub by an account named ChrisSander22, and while the PoC has now been removed it is not clear whether it was taken down by GitHub or its owner. However, the PoC has circulated independently within the security community.

The PoC claims to be a demonstration of CVE-2022-34918, a Linux kernel vulnerability, and upon casual inspection, that is exactly what it seems to be. Like many low-level exploits, it is distributed as C source code. Now, a lot of open-source code needs to be configured for the target operating system, and so developers are familiar with using tools like autoconf and automake, which set things up correctly. These tools make use of the M4 macro language to simplify the process, and so some of the files used, like aclocal.m4, become familiar and arouse no suspicion.

Except that in this case, the supplied aclocal.m4 is not a text file containing macros, but an ELF format binary executable. This was discovered by researchers at Uptycs when their XDR was triggered by the PoC attempting to make network connections and transfer data. Zeroing in on the aclocal.m4 file, they found that is run from within the PoC makefile and upon reverse-engineering it, they found that it copies itself to a hidden directory, renaming the copy to kworker, adds a command to the user's .bashrc file to restart itself, and then downloads a shell script from a C2 server and runs it.

This script then exfiltrates the /etc/passwd file (which will not contain password hashes but can still be useful), adds the attacker's public key to ~/.ssh/authorized_keys to permit future access and then sets about exfiltrating more data, such as the contents of the victim's home directory. Of course, with SSH access, the attacker can return for anything else they want.

The Uptycs blog post provides an interesting analysis, along with guidance for identifying and removing the backdoor, including IOC's.

Hegde, Nischay and Siddartha Malladi, PoC Exploit: Fake Proof of Concept with Backdoor Malware, blog post, 12 July 2023. Available online at https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Chinese Threat Actor Compromises US Government Agencies

Back in June, a US government civilian agency observed unexpected events in Microsoft 365 (Outlook Online) audit logs. After reporting this to Microsoft on 16 June and analyzing the MailItemsAccessed events in the audit logs, the network defenders deemed the activity suspicious, and Microsoft set about investigating.

Over the next few weeks, their investigation revealed that from 15 May a likely Chinese cyber-espionage-focused advanced persistent threat, tracked as Storm-0558, gained access to the email accounts of approximately 25 organizations including government agencies, as well as related consumer accounts - probably those of employees of these organizations.

Initial access was gained by forging authentication tokens for Outlook Web Access in Exchange Online and Outlook.com. To accomplish this, Storm-558 used an acquired Microsoft Managed Service Account (MSA) consumer signing key. Now, normally, MSA (consumer) and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems. However, the threat actor was able to exploit a token validation vulnerability in order to impersonate Azure AD users, and thereby gain access to their enterprise email.

Microsoft's investigation shows no indication that any Azure AD keys, or any other MSA keys, were used by Storm-558, and having taken steps to mitigate the acquired MSA key by disabling tokens signed with it and issuing a new key, their telemetry indicates the threat actor's activities have been blocked.

Microsoft has contacted admins at all the affected customers and provided them with information to assist them in responding. The Cybersecurity & Infrastructure Security Agency and FBI have released an advisory to assist Microsoft 365 users in monitoring and detecting threat actor activity. This provides detailed guidance on log management and analysis.

Bell, Charlie, Mitigation for China-Based Threat Actor Activity, blog post, 11 July 2023. Available online at https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/.

CISA and FBI, Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, cybersecurity advisory, 12 July 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.

Microsoft Security Resource Center, Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email, blog post, 11 July 2023. Available online at https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/.

A Bumper Year for Ransomware Operators

A report from blockchain analytics form Chainalysis provides heartening news for cryptocurrency enthusiasts, but a glum outlook for the rest of us.

First, cryptocurrency prices have recovered - for example, Bitcoin is up 80% over the year as of 30 June. And cryptocurrency scam revenues have plummeted by 77% over the previous years. However, this is primarily due to the disappearance of two large-scale scams: VidiLook (which offered proprietary tokens in exchange for watching ads) and Chia Tai Tianqing Pharmaceutical Financial Management, a more conventional investment scam. Both appear to have cashed out and gone to ground.

In fact, for the 2022/23 financial year, crypto inflows to known illicit entities are down 65% on the previous year, and inflows to mixers and high-risk exchanges are down 42%. However, bear in mind that transaction volumes are down across the board - legitimate transactions are also down 42%.

But there's no good news when it comes to ransomware, for which revenues have rebounded after a downturn in 2022. For the first half of this year, ransomware groups have pulled in at least $US449.1 million, and if this keeps up, they will extort $US898.6 million for the full 2023 year - not far behind their 2021 revenue of $US939.9 million.

The reason for this is a return to big game hunting - that is, the targeting of large enterprises with deep pockets, by sophisticated operators like ALPHV/Blackcat and Cl0p. By way of comparison, at the bottom end of the market are the ransomware-as-a-service (RaaS) operations like Dharma, which basically randomly spray their malware via undirected phishing attacks, and have an average payment size of $US265.

Contrast that with the highly-targeted operations of ALPHV/Blackcat and Cl0p, who achieved an average payment of over $US1.5 million and $US1.7 million respectively. Cl0p in particular has been very good at this - their median payment is almost $US2 million while ALPHV/Blackcat achieved a median payment of only $US305,585. The increased size of initial demands and the realized extortion payments may be due to the strengthening trend of refusal to pay, so that the ransomware gangs want to squeeze the maximum returns out of those who are willing to pay.

Chainalysis Team, Crypto Crime Mid-year Update: Crime Down 65% Overall, But Ransomware Headed for Huge Year Thanks to Return of Big Game Hunting, report, 12 July 2023. Available online at https://blog.chainalysis.com/reports/crypto-crime-midyear-2023-update-ransomware-scams/.

Fileless Cryptominer Targets Cloud Workloads

Cloud security firm Wiz reports on a newly-discovered sample of a Python-based fileless cryptominer which is targeting cloud workloads. Dubbed PyLoose on account of the URL that hosted the loader, the malware consists of a fairly simple Python script that holds a compressed and encoded precompiled XMRig miner for the Monero cryptocurrency, which it loads directly into the memory of the Python runtime via the memory file descriptor, memfd. Amazingly, the Python script is only 9 lines long, including the entire fileless payload compressed with zlib and encded in base64 (admittedly, one of those lines is very long!).

In the analyzed incident, the victim had a publicly accessible Jupyter Notebook service; this is an web-hosted interactive Python development environment, and admittedly it is unusual for this type of service to be publicly available (although I can think of a few). Hence the attacker was simply able to copy and paste the script into the notebook and run it.

The Wiz blog post contains an interesting analysis (jncluding MITRE ATT&CK techniques) along with IOC's and some suggested mitigations.

Mechtinger, Avigayil, Oren Ofer and Itamar Gilad, PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer, blog post, 11 July 2023. Available online at https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Zero-Day RCE Vulnerability Impacts Windows, Office

Microsoft has today warned of an unpatched remote code execution vulnerability in multiple Windows and Office versions. The vulnerability, CVE-2023-36884, which has a CVSS base score of 8.3, is reportedly being actively exploited in the wild, using specially-crafted Microsoft Office documents.

While the Redmondites work up a patch, potential victims can mitigate possible infections by setting the following registry key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

and adding the names of vulnerable applications to this key as values of type REG_DWORD with the value 1. And no - your eyes do not deceive you: we are still dealing with the mess that was Internet Explorer, all these years on.

The active exploitation was first uncovered by the Blackberry Threat Research and Intelligence team, who found two malicious documents submitted from an IP address in Hungary, sent as lures to an organization supporting Ukraine abroad, and a document targeting guests at the Vilnius NATO Summit who may also be providing support to Ukraine. Their analysis led them to attribute this operation to the RomCom group, also known as Tropical Scorpius, Storm-0978, UNC2596 and Void Rabisu, which has a history of attacks against Ukrainian politicians and their Western contacts.

The lures detected by Blackberry were Word documents delivered via a spear-phishing campaign, and when opened used CVE-2023-36884 to download an OLE object and connect to a C2 server in a typosquatting domain - a classic RomCom technique. In this case, they registered the domain ukrainianworldcongress[.]info, which is sufficiently close to the genuine ukrainianworldcongress[.]org that it will escape notice by most users.

The Blackberry blog post provides a detailed run-down of what their researchers observed, while Microsoft Threat Intelligence has also blogged on this, providing additional background information on RomCom campaigns. Finally, the MSRC vulnerability page provides a brief description and mitigation advice.

Blackberry Research & Intelligence Team, RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit, blog post, 8 July 2023. Available online at https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit.

Microsoft Threat Intelligence, Storm-0978 attacks reveal financial and espionage motives, blog post, 11 July 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/.

Microsoft Security Resource Center, Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884), vulnerability info, 11 July 2023. Available online at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884.

New Ransomware: Big Head

Back in June, Fortinet picked up on a new ransomware variant called Big Head, which was likely being distributed as a fake Windows Update; samples were subsequently submitted from the US, Spain, Frane and Turkey. Now researchers at Trend Micro have done a deep dive on the operation of this ransomware, uncovering a significant number of Big Head variants, and providing a detailed analysis of three of them.

The infection chain of Big Head ransomware sample 1 (image credit: Trend Micro)

The three samples seem to have been distributed via malvertisements as fake Windows updates and fake Word installers; each sample carries three encrypted executables as resources which it decrypts, drops and then runs. In the case of the first sample, each .exe performs a different function: the first randomly generates an ID for this victim, encrypts some files, deletes volume shadow copies and drops the ransom note; the second establishes a C2 channel; the third displays a fake Windows Update window to distract the user while performing the bulk of file encryption before deleting itself.

The second sample carries different executables and while it also performs file encryption for ransom, it also carries a copy of the WorldWind infostealer. The third sample similarly acts as ransomware, but also carries a copy of the Neshta virus - perhaps to act as a distraction for analysts.

Each variant targets specific filetypes and also specific locales; it also takes care to self-terminate if running in CIS locales. Interestingly, the Trend researchers were able to track the malware developers, through their Telegram account, to their YouTube channel where they have uploaded videos demonstrating the malware. The channel name is the Bahasa phrase "aplikasi premium cuma cuma" ("premium application for free") suggesting a SE Asian origin.

At this point, there are no reports of attacks or successful infections with this malware, but it is clear that it is under active development and we can expect further variants in the months to come, making this a useful heads-up to analysts and defenders everywhere.

Gonzalez, Ieriz Nicolle, Katherine Casona and Sarah Pearl Camiling, Tailing Big Head Ransomware’s Variants, Tactics, and Impact, research report, 7 July 2023. Available online at https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html.

More Firefox Updates

It seems like only last week that we reported on the Mozilla Foundation's release of Firefox 115 (it was). And yet here we are, preparing to restart the browser for the installation of Firefox 115.0.2, because of a newly-discovered CVE-2023-3600, a use-after-free vulnerability. You know what to do.

Uncredited, Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2, security advisory, 11 July 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Largest NHS Trust Hit By Ransomware

The largest of the UK's National Health Service's trusts, Barts Health NHS Trust, which runs five London hospitals serving over 2.5 million patients, has been hit by a ransomware attack, according to TechCrunch. The Trust is the latest victim to appear on the dark web leak site of ALPHV, also known as BlackCat, with a claimed 70 TB of sensitive data stolen, including employee identification documents such as passports and driver licences, as well as internal emails labeled "confidential".

ALPHV has given the Trust three days to contact them in order to prevent publication of data, "most of it citizens [sic] confidential documents".

This is the second breach of NHS data in recent weeks - the first being the compromise of a dataset containing information on 1.1 million patients across 200 hospitals, which was being used at the University of Manchester for research purposes.

Page, Carly, UK battles hacking wave as ransomware gang claims ‘biggest ever’ NHS breach, TechCrunch, 10 July 2023. Available online at https://techcrunch.com/2023/07/10/uk-hacks-public-sector-nhs-ransomware/.

Exploit Code Available for VMware Aria Operations RCE Vuln

A critical vulnerability in the VMware Aria Operations for Logs analysis tool just became a lot more critical, with the company revealing that exploit code has been published, making exploitation much more likely. The vulnerability - CVE-2023-20864 - is a deserialization vulnerability which could allow an unauthenticated actor with network access to execute arbitrary code with root privileges, meriting a CVSS score of 9.8 (Critical).

VMware released a fix for this vulnerability back in April, so customers who have not yet applied the patch should do so urgently. The vulnerability is not present in Aria Operations for Logs version 8.12.

Uncredited, VMware Aria Operations for Logs (Operations for Logs) update addresses multiple vulnerabilities. (CVE-2023-20864, CVE-2023-20865), security advisory, updated 10 July 2023. Available online at https://www.vmware.com/security/advisories/VMSA-2023-0007.html.

New Infostealer Targets Macs

Yesterday we reported on how Iranian APT, Charming Kitten, quickly put together an infection chain in order to get a backdoor installed on the Macintosh of a specific cyber-espionage target. Now comes a report from Israeli security firm Guardz of a new infostealer which also targets MacOS devices.

The stealer, which they have dubbed 'ShadowVault', is being offered in the XSS dark web forum for a fee of $US500 per month. It offers extensive capabilities, including extraction of passwords, cookies, credit cards, wallets and extensions from Chromium-based and Firefox browsers, keychain database extraction, exfiltration of files, decryption of crypto wallets from all browsers, and more. For an additional fee, it can be signed with an Apple development key.

There's a moral here: while Windows systems remain the largest target for infostealers, cybercriminals and cyber-espionage groups are showing increasing interest in Macs, and Apple's customers cannot affort to be complacent about their security.

Goldman, Lauri, Guardz Uncovers A New Threat Targeting macOS – ‘ShadowVault’, blog post, 10 July 2023. Available online at https://guardz.com/blog/guardz-uncovers-a-new-threat-targeting-macos-shadowvault/.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Charming Kitten's Long Infection Chain Reaches Macs

The Iranian APT variously known as Charming Kitten, APT42, TA453, Mint Sandstorm and Yellow Garuda has been running a campaign targeting experts in nuclear security and Middle Eastern affairs, according to researchers at Proofpoint. The group, which is affiliated with Iran's Islamic Revolutionary Guard Corps, is using a spear-phishing campaign to deliver highly customised lure emails, the first of which is innocuous but quickly followed by an email containing a malicious link to a Google Script macro which, in turn, launches a long infection chain.

The long infection chain uses PowerShell scripts to download its various stages (image credit: Proofpoint)

A password-protected RAR file contains a dropper in the form of a .lnk file which in turn uses PowerShell to download additional stages from a cloud hosting provider - at first using base64 encoding but then switching to AES encryption, culiminating in the assembly of the final PowerShell backdoor, which the researchers dubbed GorjolEcho.

This achieves persistence by putting a copy of the initial loader stages in a StartUp entry, and then displays a decoy PDF that matches the recipient's expectations. It then commences the exfiltration of encrypted data over HTTPS to its C2 server, which is hosted in a legitimate cloud service - interestingly, HTTP error responses will cause generation of an error message in Korean, presumably as an attempted diversion. The GorjolEcho backdoor can also download and run additional modules, likely for cyber-espionage purposes.

However, the use of a .lnk file and PowerShell means this attack won't work on Mac computers, which are common in academic circles. Realizing that a targeted individual had not fallen foul of the attack, the threat actor followed up a week later with a new Mac-specific infection chain. This time, to induce the target to run an executable, their email claimed to include a VPN client; use of this would be necessary for security reasons. In fact, this was a script which used the curl command to download another shell script, dubbed NokNok, a backdoor which loops indefinitely, sending an HTTP POST to its C2 server and either executing other bash shell modules in response to the commands it receives or exiting.

The NokNok backdoor delivery process (Image credit: Proofpoint)

The NokNok modules share common routines for encryption and base64 chunking in order to exfiltrate their results, which they generally obtain by using system commands - such as ps -ax to list running processes. There are probably additional modules for both GorjolEcho and NokNok.

While these infection chains represent a change from previous intrusions by Charming Kitten, there are sufficient similarities in both the coding techniques and overall TTP's employed for Proofpoint to attribute this campaign to the threat actor with high confidence. The efforts put in to develop new techniques, particularly using multiple legitimate cloud services as well as posting malware to new platforms, indicates a high degree of persistence.

Miller, Joshua, Pim Trouerbach, et. al., Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware, blog post, 6 July 2023. Available online at https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Android Spyware Plunders Phones, Sends Data to China

Security vendor Pradeo has detected two malicious Android apps which pose as file managers and could have aggregated 1.5 million installs from the Google Play Store. However, the apps are actually spyware which, despite claims to the contrary, exfiltrate a massive amount of data from the victims' phones.

The two apps are:

• File Recovery and Data Recovery - com.spot.music.filedate - over 1 million installs
• File Manager - com.file.box.master.gkd - over 500 thousand installs

On their Play Store Pages, the apps claim that no user data is collected (and that if it was, it would be encrypted in transit but cannot be deleted - a breach of many privacy laws, including the EU GDPR). However, according to Pradeo's analysis using their behavioural analysis engine, the data that is stolen and sent to servers in China includes:

• Users’ contact lists from the device itself and from all connected accounts such as email and social networks
• Media compiled in the application: Pictures, audio and video contents
• Real time user location
• Mobile country code
• Network provider name
• Network code of the SIM provider
• Operating system version number
• Device brand and model

That's quite a shopping list! Much of that information could be used to profile users and identify targets for a variety of purposes such as cyber-espionage or cybercrime, while the OS version and device information could be used in selecting an appropriate exploit.

The claimed installation numbers could have been faked in order to make the apps appear legitimate and rank higher in searches - in particular, an absence of reviews backs this interpretation. The apps are also somewhat stealthy - they hide their icons from the home screen, making them difficult to locate and uninstall - and they also force a reboot of the device, which then allows them to run automatically, and invisibly, in the background. It's entirely possible that some users may have forgotten they even installed these programs.

All this illustrates the dangers of mindlessly collecting lots of apps on a phone; users need to be careful to assess the legitimacy of apps before installing them, by reading reviews and looking for red flags, and in particular, reviewing the requested permissions before allowing installation to proceed. A 'flashlight' app that is a 40 MB download and requests access to everything on the phone is clearly not legitimate - and neither is a file manager that requests permission to access the phone book, user location information, etc.

Suau, Roxane, Two spyware tied with China found hiding on the Google Play Store, blog post, 6 July 2023. Available online at https://blog.pradeo.com/spyware-tied-china-found-google-play-store.

CISA Advisory on New Truebot Variants

The US Cybersecurity & Infrastructure Security Agency, along with its partners, has released an advisory on new variants of the Truebot loader. Traditionally, Truebot's operators - generally Russian cybercrime groups - have used phishing campaigns with malicious redirect hyperlinks to infect victims with the malware, which is then used to download the Clop ransomware.

However, the newer variants are now also obtaining initial access by exploiting CVE-2022-31199, a known vulnerability in the Netwrix Auditor - an application used for auditing both on-premises and cloud systems. In this campaign, after gaining a foothold, Truebot renames itself and then loads a remote access trojan called FlawedGrace. From there, FlawedGrace is used both for privilege escalation and to install payloads which allow the attackers to persist.

In fact, the entire campaign is quite complex, involving a variety of tools, such as Raspberry Robin malware, FlawedGrace, a custom data exfiltration tool which Cisco Talos call Teleport, and Cobalt Strike beacons. The 26-page CISA advisory provides a mapping to MITRE ATT&CK tactics and techniques, a comprehensive list of IOC's, guidance for incident response and suggested mitigations

CISA, Increased Truebot Activity Infects U.S. and Canada Based Networks, cybersecurity advisory, 6 July 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a.

Mozilla Releases Security Advisories

The Mozilla Foundation has released a number of advisories to address vulnerabilities in Thunderbird, Firefox and Firefox ESR. The obvious first defence for most users is to let their currently-installed versions download and install the next versions (Thunderbird 102.13, Firefox 115 and Firefox ESR 102.13).

Uncredited, Mozilla Foundation Security Advisory 2023-24 - Security Vulnerabilities fixed in Thunderbird 102.13, 4 July 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/.

Uncredited, Mozilla Foundation Security Advisory 2023-23 - Security Vulnerabilities fixed in Firefox ESR 102.13, 4 July 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/.

Uncredited, Mozilla Foundation Security Advisory 2023-22 - Security Vulnerabilities fixed in Firefox 115, 4 July 2023. Avilable online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Node.js Supply Chain Threatened by Manifest Confusion Vulnerability

The shift away from desktop applications to cloud-hosted applications which use the web browser as the universal desktop client has seen the popularity of the JavaScript language grow massively. And having to code in both JavaScript and a back-end language like PHP or Java increases costs and generally makes life difficult - so why not code the back end in JavaScript, too? The answer to that question is Node.js, which implements a JavaScript runtime on web servers and unsurprisingly has also become massively popular.

And just like the other languages, Node.js has its own package manager and repository for distribution of useful libraries, subsystems and code packages generally, in the form of npm. But now comes news of a massive threat to the Node.js software supply chain, in the form of what a former GitHub and npm engineering manager, Darcy Clarke, has termed, "manifest confusion".

The basic problem is this: a npm package's manifest - a JSON file which lists the package id, name, version info, contents, dependencies, etc. - is published independently from its tarball (the .tgz file with the actual contents), and manifests are never fully validated against the tarball's contents. In a blog post, Clarke writes that

From experience teaching some aspects of web application development, I would say this is a common problem. Web developers who work on both the client and server halves of a product often fail to recognise the trust boundary between the two and rely on the client to perform not just validation but sanitization in order to protect the server. What they don't realize is that a) the client is not under their control as it runs on an untrusted system, and b) an attacker may well run a completely different client of their own devising in order to bypass their sanitization.

Returning to the manifest confusion problem, Clarke continues:

This loophole means that threat actors could conduct a variety of different attacks - most obviously publishing a package which contains hidden dependencies or run install scripts which load malware - and Clarke's post provides proof-of-concepts for several of them. This vulnerability puts the entire npm software supply chain at risk.

Worst of all, this issue was first disclosed to GitHub in early November 2022 and further escalated by Clark in March of this year - but to date, nothing seems to have been done, publicly at least. In the meantime, Clarke recommends that users switch to using the package contents in the tarball for metadata where needed.

Clarke, Darcy, The massive bug at the heart of the npm ecosystem, blog post, 27 June 2023. Available online at https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem.

Interpol Arrests Key Figure in OPERA1ER Cybercrime Group

A cybercrime group - known variously as OPERA1ER, NX$M$, DESKTOP Group and Common Raven - has been perpetrating a variety of malware and phishing campaigns, as well as large-scale business email compromise scams, over the last four years, targeting financial institutions and mobile banking services in 15 countries across Africa, Asia and Latin America. First detected by security firm Group-IB and telco Orange, the group is believed to have stolen somewhere between $US11 million and $US30 million.

Interpol's Cybercrime Directorate established Operation Nervone to coordinate intelligence provided by the two firms above, as well as the US Secret Service's Criminal Investigative Division and Booz Allen Hamilon DarkLabs, in turn providing key information to the Direction de l'Information et des Traces Technologiques (DITT) in Côte d’Ivoire.

And so, in early June, authorities in Côte d’Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa. The sheer number of different agencies and security firms involved in this operation - it was also backed by the African Joint Operation against Cybercrime and the INTERPOL Support Programme for the African Union in relation to AFRIPOL - clearly illustrate the complexity of international investigations, especially in comparison to the relative ease of criminal operations on the borderless Internet.

Interpol, Suspected key figure of notorious cybercrime group arrested in joint operation, news release, 5 July 2023. Available online at https://www.interpol.int/News-and-Events/News/2023/Suspected-key-figure-of-notorious-cybercrime-group-arrested-in-joint-operation.

LockBit Halts Nagoya Port Operations

Who can forget the global impact of NotPetya, the 2017 wiper which disrupted global shipping and supply chains - all because of a Russian attack on Ukraine's tax collection? Here we go again, albeit on a much smaller scale, although the impact may well flow through to purchasers of Toyota motor vehicles.

Early on Tuesday morning, an employee at the Nagoya Port Authority discovered a ransomware infection on their computer. The ransomware turns out to be the notorious LockBit 3.0, and its Russian operators have made a ransom demand in exchange for system recovery.

The impact here is not likely to be the exfiltration of sensitive data - the port system likely deals with container shipping manifests - but will primarily be the impact of business process interruption, since Nagoya is Japan's major shipping port. In particular, it is the key hub for Toyota's exports and imports, with the car maker reporting that it cannot load or unload auto parts due to the port's shutdown.

Uncredited, Pro-Russian hackers target Port of Nagoya, disrupting loading of Toyota parts, The Japan Times, 5 July 2023. Available online at https://www.japantimes.co.jp/news/2023/07/05/national/nagoya-port-cyberattack/.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.