Blog entries about Les Bell and Associates Pty Ltd

by Les Bell - Tuesday, 11 April 2023, 1:51 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Latitude Refuses to Pay Ransom

Back in mid-March, then in late March, we reported on the data breach affecting customers of consumer lender Latitude Financial (ASX:LFS). Today Latitude confirmed that it has received a ransom demand and, in line with advice from both government and cybercrime experts, will not pay a ransom. Said Latitude Financial CEO, Bob Belan:

"Latitude will not pay a ransom to criminals. Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.

"Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.

"In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations.

"I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are able to earn back the confidence of our customers."

The company believes that there has been no suspicious activity in its systems since Thursday, 16 March, and is now restoring its business operations.

Gardy, Mark, Cybercrime update, ASX announcement, 11 April 2023. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02652931.

Tasmanian Department of Education Fileshare Hacked; 16,000 Documents Leaked

A Russian ransomware gang has allegedly obtained over 16,000 documents from the Tasmanian Department for Education, Children and Young People (DECYP) via the third-party managed file transfer service GoAnywhere MFT, and has released them on the dark web. The documents relate primarily to current and historical financial information and may include:

  • names
  • addresses
  • school name
  • DECYP reference number (used for DECYP internal account purposes)
  • child name
  • homeroom
  • year group
  • Business names
  • Bank Account (if the Department paid the affected individual)
  • Learner's Date of Birth (TasTAFE only)

The Tasmanian Government has established a helpline number for affected individuals on 1800 567 567.

Uncredited, Hackers release personal data from Tasmanian Government data breach, Pulse Hobart, 7 April 2023. Available online at https://pulsehobart.com.au/news/hackers-release-personal-data-from-tasmanian-government-data-breach/.

DECYP, Cyber Investigation Update, web page, 11 April 2023. Available online at https://www.decyp.tas.gov.au/cyber-investigation-update/.

CISA Adds Five Known Exploited Vulnerabilities; Veritas Backup Exec Used for Ransomware

The US Cybersecurity & Infrastructure Security Agency has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog:

  • CVE-2021-27876 Veritas Backup Exec Agent File Access Vulnerability
  • CVE-2021-27877 Veritas Backup Exec Agent Improper Authentication Vulnerability
  • CVE-2021-27878 Veritas Backup Exec Agent Command Execution Vulnerability
  • CVE-2019-1388 Microsoft Windows Certificate Dialog Privilege Escalation Vulnerability
  • CVE-2023-26083 Arm Mali GPU Kernel Driver Information Disclosure Vulnerability

The most significant of these is CVE-2021-27877, which NIST's National Vulnerability Database rates as having a CVSS 3.1 score of 9.8 (critical). Mandiant reports that this vulnerability, together with its two Backup Exec siblings, has been exploited by an ALPHV/BlackCat ransomware affiliate to gain initial access to victims' networks. However, Veritas released patches for these vulnerabilities back in March 2021 - over two years ago - so there really is no excuse, etc., etc.

CISA, CISA Adds Five Known Exploited Vulnerabilities to Catalog, alert, 7 April 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exploited-vulnerabilities-catalog.

Apple Device 0days Likely Used For Spyware Implants

Last week, Apple rushed out patches for macOS Ventura, iOS 16 and iPadOS 16 in response to two zero-day vulnerabilities that were already being exploited in the wild. The first is a remote code execution vulnerability in the WebKit browser engine, triggered by maliciously crafted web content; the second is a code execution vulnerability in the OS kernel which, chained with the first, lets an attacker escape the browser sandbox and escalate privileges.

The vulnerabilities were jointly reported to Apple by the Amnesty International Security Lab and the Google Threat Analysis Group, which suggests that the exploits were first discovered by privacy and human rights activists, then analysed by Google's researchers. If so, then they were probably being used to implant spyware on behalf of government agencies somewhere.

In fact, all supported versions of iOS, iPadOS and macOS contained these vulnerabilities, and patches have now been released for the older branches as well. Users should check for and install these updates as soon as possible.

Ducklin, Paul, Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads, blog post, 10 April 2023. Available online at https://nakedsecurity.sophos.com/2023/04/10/apple-zero-day-spyware-patches-extended-to-cover-older-macs-iphones-and-ipads/.

Western Digital My Cloud Pain Continues; Company Issues Workaround

The pain of last week's breach at storage drive manufacturer Western Digital continues for its customers. With the company's My Cloud service taken down, customers could not reach their files even though the devices sat on their own local networks, because even local access required a connection to the cloud service. In fact, the problem applied not just to My Cloud, but also My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, as well as their related apps.

However, the company has now released a workaround which will enable access to local devices on the LAN via network mapped drives, for up to 5 concurrent local users. The procedure is slightly involved, but most SME and home users should be able to follow it, with the aid of embedded videos to walk them through.

Western Digital Support, Instructions to Enable Local Network Access on a My Cloud Home, My Cloud Home Duo and SanDisk ibi, web page, 10 April 2023. Available online at https://support-en.wd.com/app/answers/detailweb/a_id/50626.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

by Les Bell - Thursday, 6 April 2023, 10:47 AM

News Stories


Open Garage Doors, Everywhere, in One Easy Step!

In an outstanding demonstration of the dangers of the Internet of Things, security researcher Sam Sabetan has disclosed a collection of critical vulnerabilities in Nexx smart devices - garage door openers, alarms and plugs - which allow remote attackers to open and close garage doors, control alarms and switch devices on and off for any and all Nexx customers.

The devices boast five different vulnerabilities:

  • Use of Hard-coded Credentials; CWE-798 (CVE-2023-1748, CVSS3.0: 9.3)
  • Authorization Bypass Through User-Controlled Key; CWE-639 (CVE-2023-1749, CVSS3.0: 6.5)
  • Authorization Bypass Through User-Controlled Key; CWE-639 (CVE-2023-1750, CVSS3.0: 7.1)
  • Improper Input Validation; CWE-20 (CVE-2023-1751, CVSS3.0: 7.5)
  • Improper Authentication Validation; CWE-287 (CVE-2023-1752, CVSS3.0: 8.1)

In short, the critical issue is this: the Nexx devices use a single universal password, shared by every unit shipped, to authenticate to their controlling servers in the cloud over the MQTT (originally MQ Telemetry Transport) IoT messaging protocol. For applications like this, each device should be issued its own unique credential, and the broker should confine each device to its own topics, so that compromising one device - or simply extracting the password from its firmware - does not grant access to every other customer's devices.

To make matters worse, the Nexx messages are broadcast universally - i.e. to all devices - and the garageDoorOpener messages expose user emails, device IDs and contractions of user names. This allows enumeration of customer and device information, as well as simple replay attacks. And it goes on from there: the Nexx app is also vulnerable to Insecure Direct Object Reference attacks, and the smart alarm controller - which can turn other manufacturers' alarm systems on and off remotely - does not properly validate bearer tokens and also exposes the MAC address of those alarms.

To sum up, this is an epic IoT security fail. Nexx has not responded to contacts from Sabetan, the US Cybersecurity & Infrastructure Security Agency, or media outlets, and one can almost understand why: the exposure of affected customers (at least 20,000 of them) is massive, and remediation will also be a costly undertaking, if it can be done at all (if the firmware which contains the hard-coded password is not stored in flashable media, there is no fixing it short of replacement). The only safe course for Nexx customers is to unplug these devices and contact Nexx to get them fixed or replaced.
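What the broker-side alternative looks like, as an added illustration (my own code, not Nexx's and not a description of their servers): each device is provisioned with a secret derived from a factory master key, the broker verifies it at CONNECT time with a constant-time compare, and a topic ACL confines each device to its own devices/<id>/ subtree with no wildcard subscriptions. The master key, the device IDs and the topic layout are assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed factory master key (hypothetical; not any real product's secret).
# The broker's auth plug-in holds this; each device leaves the factory with only
# its own derived secret, so one dumped firmware exposes one device, not the fleet.
MASTER_KEY = b"constructed-factory-master-key-for-the-example"

# Assumed topic layout: a device may only touch devices/<its own id>/status|command.
# The character class excludes '/' and the MQTT wildcards '#' and '+'.
TOPIC_RE = re.compile(r"^devices/([^/#+]+)/(status|command)$")


def device_secret(device_id: str) -> str:
    """Per-device MQTT password = HMAC-SHA256(master key, device ID)."""
    return hmac.new(MASTER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def authenticate(device_id: str, presented: str) -> bool:
    """CONNECT-time check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(device_secret(device_id), presented)


def authorize(device_id: str, topic: str) -> bool:
    """PUBLISH/SUBSCRIBE-time check: own subtree only, wildcards refused."""
    m = TOPIC_RE.match(topic)
    return m is not None and m.group(1) == device_id


def broker_decision(device_id: str, presented: str, topic: str) -> str:
    """What the broker would say to a device presenting `presented` for `topic`."""
    if not authenticate(device_id, presented):
        return "refused: bad credentials"
    if not authorize(device_id, topic):
        return f"refused: {device_id} may not use {topic}"
    return f"ok: {device_id} on {topic}"


if __name__ == "__main__":
    mine = device_secret("door-0001")
    print(broker_decision("door-0001", mine, "devices/door-0001/command"))
    print(broker_decision("door-0001", "one-universal-password", "devices/door-0001/command"))
    print(broker_decision("door-0001", mine, "devices/door-0002/command"))
    print(broker_decision("door-0001", mine, "devices/#"))
```

Two caveats. Deriving secrets from a master key keeps provisioning simple but makes the broker-side key a single point of compromise; storing an independent random secret per device (hashed, as for any password) removes that. And this only covers the device side of the MQTT link: the user-facing API that maps a customer to the devices they may control is a separate authorization check, and it is there that the IDOR weaknesses mentioned above live.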

Sabetan, Sam, The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets, blog post, 5 April 2023. Available online at https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc.

Self-Extracting Archives Considered Harmful

Our readers are doubtless familiar with the use of WinZip, WinRAR and similar utilities to compress files and package them for faster download and distribution. So common have these techniques become that the Windows desktop shell has code built in to transparently open ZIP files as though they were just another folder. However, most archiving utilities offer another feature that Windows doesn't: the ability to encrypt an archive under a password in order to provide some degree of security for email attachments.

In order to make it possible for a recipient to extract the contents of a password-protected archive file without having to buy additional software, many utilities can create self-extracting archive (SFX) files which package the desired files along with a stub of executable code for decryption and file extraction. The risk here is that an SFX entices the recipient to run code which has just been received from a source which may be untrusted or even unknown - but naive end-users rarely stop to consider this.

Threat actors are increasingly making use of this to install malware such as backdoors on victims' machines. CrowdStrike's Falcon OverWatch team provides a nice example they recently discovered: an apparently empty SFX archive which could implant a persistent backdoor.

https://www.crowdstrike.com/wp-content/uploads/2023/03/Figure12.png

(Image credit: Crowdstrike)

In this case, the malware set an Image File Execution Options (IFEO) registry key naming a 'debugger' for utilman.exe - the accessibility helper that Windows will launch from the logon screen - so that whenever utilman.exe was invoked, Windows ran the attacker's password-protected SFX archive instead. But the really curious fact is that the archive contains only a text file of 0 bytes length, rather than any actual malware. In fact, the backdoor was established by using the ability of WinRAR SFX archives to run extended SFX commands (the setup script stored in the archive comment) after successful extraction; in this case, the SFX would automatically spawn a command prompt, PowerShell and a copy of Task Manager with no visible dialogs - and since utilman.exe can be triggered before anyone has logged on, that is just what a threat actor needs in order to regain access to a compromised system.

Because many anti-malware tools will scan only the files within a self-extracting archive, and this archive contained only an innocent-looking empty text file, it could easily escape detection.
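The persistence half of this is cheap to hunt for, because every IFEO debugger on a machine lives under one registry key. The following is an added example of my own (not CrowdStrike's tooling): it parses a `reg export` of that key and flags any Debugger value, treating one attached to a logon-screen accessibility binary as critical and anything that is not a recognised developer debugger as suspicious. The sample export, the file path in it and the allowlist of expected debuggers are constructed for the example.

```python
import re
from typing import List, Tuple

IFEO_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\",
)
# Accessibility helpers Windows will start from the logon screen: a Debugger
# value on any of these is the classic pre-authentication backdoor.
LOGON_SCREEN_BINARIES = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
                         "magnify.exe", "displayswitch.exe", "atbroker.exe"}
# Debuggers an analyst expects to find (assumed allowlist; tune for your estate).
EXPECTED_DEBUGGERS = ("vsjitdebugger.exe", "windbg.exe", "gflags.exe")

KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

# Constructed sample of what `reg export` produces (paths are invented).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Users\\Public\\Libraries\\update.exe -p\"pass\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''


def unescape_reg_string(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def find_ifeo_debuggers(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (target executable, debugger command line, verdict) for every
    Debugger value found under Image File Execution Options."""
    findings = []
    target = None                      # executable named by the current IFEO subkey
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            target = None
            for prefix in IFEO_PREFIXES:
                if key.group(1).lower().startswith(prefix.lower()):
                    target = key.group(1)[len(prefix):].lower()
            continue
        dbg = DEBUGGER_RE.match(line) if target else None
        if not dbg:
            continue
        command = unescape_reg_string(dbg.group(1))
        if target in LOGON_SCREEN_BINARIES:
            verdict = "CRITICAL: logon-screen accessibility binary hijacked"
        elif any(name in command.lower() for name in EXPECTED_DEBUGGERS):
            verdict = "INFO: known debugger"
        else:
            verdict = "SUSPICIOUS: unrecognised debugger"
        findings.append((target, command, verdict))
    return findings


if __name__ == "__main__":
    for target, command, verdict in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"{verdict:55} {target} -> {command}")
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg /y` and read it with `open("ifeo.reg", encoding="utf-16")`, since reg.exe writes UTF-16. This finds the persistence, not the SFX itself; blocking executable attachments (SFX included) at the mail gateway remains the front-line control.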

Minton, Jill, How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads, blog post, 31 March 2023. Available online at https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/.

ChatGPT Happily Works on the Dark Side

Many IT and security professionals have experimented with ChatGPT, getting it to write code. Inevitably, our thoughts drift to how threat actors might make use of such tools. While ChatGPT's creators, OpenAI, have put in place some protections and obvious requests to write malware will be blocked, we are learning that chaining multiple requests and using oblique phrasing can often circumvent OpenAI's defensive efforts.

Now Forcepoint solutions architect Aaron Mulgrew has shown how, with just a few hours experimenting and very limited tech skills, ChatGPT can be enticed into writing some functional malware - in this case, an undetectable information exfiltration tool that uses steganographic techniques.

The basic technique that Mulgrew used was to generate small snippets of code and then manually assemble them into the completed program. By asking ChatGPT for code to a) find large PNG files, b) steganographically encode the found files and c) exfiltrate them to Google Drive, he was able to create a working proof-of-concept. When submitted to VirusTotal, this first version was flagged as malicious by five of the 69 engines - not a bad start, from an attacker's point of view.

Armed with some clues about why some vendors might be detecting this code, Mulgrew then set about getting ChatGPT to refactor the code, first by incorporating some steganography code directly, rather than calling an external library. Next, to evade sandbox detection, he had ChatGPT delay execution of the code by two minutes. Finally, after a simple request to obfuscate the code was rebuffed, he simply had ChatGPT change all the variable names to random English first names and surnames. This time, VirusTotal did not detect the code as malicious.

The final step was to achieve initial access or delivery, e.g. by getting a naive user to execute it. Mulgrew was able to coax ChatGPT into providing instructions to package the executable as a Windows screensaver (.SCR) file. However, this led to three detections by VirusTotal - but at least the point was made: ChatGPT can be 'social engineered' into writing malware, and we should expect threat actors to take advantage of this in coming months.

Interestingly, Mulgrew ended his experiment by getting ChatGPT's advice on how to mitigate this kind of attack, and it was pretty much what you might expect: generally obvious but certainly not foolproof.

Mulgrew, Aaron, I built a Zero Day with undetectable exfiltration using only ChatGPT prompts, blog post, 4 April 2023. Available online at https://www.forcepoint.com/blog/x-labs/zero-day-exfiltration-using-chatgpt-prompts.


by Les Bell - Wednesday, 5 April 2023, 2:59 PM

News Stories


Data Breach Affects Over 2,000 South Australian Students

TAFE SA (South Australia's Technical and Further Education provider) has disclosed a somewhat disturbing breach affecting 2,224 students who were enrolled in classes prior to the end of 2021, and possibly going as far back as 2016.

TAFE SA only discovered the breach after SA Police informed them that they had seized devices containing scanned copies of student identification forms. These contain copies of proof-of-identity documents, including driver's licences and passports. The forms also contain student ID numbers, course details, full name, address and date of birth - just what is needed for identity theft.

TAFE has, of course, conducted an investigation into how the breach occurred, but a forensic investigation has, to date, found no evidence that network systems were illegally accessed or that the breach occurred from an external source - all of which suggests that this was an insider attack. Access to the system that holds the student ID forms has been further restricted, with access on a need-to-know basis.

Affected students have been contacted and are being offered advice as well as support through IDCARE. TAFE will also reimburse expenses for replacement of compromised identity documents.

You already know what we are going to say: once identity documents have been used to verify identity, they are a liability, and not an asset.

TAFE SA, Data Breach, information page, 28 March 2023. Available online at https://www.tafesa.edu.au/about-tafesa/data-breach.

FBI Seizes 'Bot Shop' Credential Store

In a coordinated multinational action, the FBI has seized several domain names associated with a site which traded in passwords, cookies and other credentials stolen from malware-infected computers, according to blogger Brian Krebs. Genesis Market has been online since 2018, under the slogan "Our store sells bots with logs, cookies, and their real fingerprints" and allowed its criminal customers to select victims by IP address or by domain names.

Early yesterday, agencies from multiple countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the UK, led by the FBI, replaced the home pages on domains associated with Genesis Market and served arrest warrants on dozens of people affiliated with its operations.

The 'bots' sold by the site provide all of the original victim's authentication cookies, which can be loaded into a browser plugin, allowing access to online accounts with no need for a password or other authentication credentials - including, in some cases, no need for second authentication factors, since the stolen session was established after the victim had already completed MFA. In general, the target system will treat any connection presenting the cookie as a continuation of the session the victim established earlier. The bot also provides the fingerprint - the User-Agent string and other identifying characteristics sent in HTTP requests - of the victim's browser, so that will also look the same to targeted sites.
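Server-side session binding is the usual answer to cookie replay, and the following added example (my own code, not from Krebs's article or any particular site) shows the shape of it: the store records the client network, a hash of the client-supplied headers and, where the front end can supply one, the TLS client fingerprint observed when the session was issued, then demands a step-up when the same cookie arrives from a different context and rotates the token once the second factor has been re-verified. Field names, thresholds and the sample addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    ua_hash: str              # hash of client-supplied identifiers (User-Agent etc.)
    network: str              # /24 (IPv4) or /64 (IPv6) the session was issued from
    tls_fp: Optional[str]     # server-observed TLS client fingerprint (e.g. JA3), if any


def _network(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    ABSOLUTE_LIFETIME = 12 * 3600   # force re-authentication this often regardless
    IDLE_TIMEOUT = 30 * 60

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock for testing
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str, tls_fp: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user, t, t, _ua_hash(user_agent), _network(ip), tls_fp)
        return token

    def check(self, token: str, ip: str, user_agent: str, tls_fp: Optional[str] = None) -> str:
        """Returns 'ok', 'invalid', 'expired' or 'step-up: <reasons>'."""
        s = self._sessions.get(token)
        if s is None:
            return "invalid"
        t = self._now()
        if t - s.issued_at > self.ABSOLUTE_LIFETIME or t - s.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[token]
            return "expired"
        reasons = []
        if not hmac.compare_digest(s.ua_hash, _ua_hash(user_agent)):
            reasons.append("client fingerprint changed")
        if _network(ip) != s.network:
            reasons.append("network changed")
        if s.tls_fp is not None and tls_fp != s.tls_fp:
            reasons.append("tls fingerprint changed")
        if reasons:
            return "step-up: " + ", ".join(reasons)   # caller must re-verify MFA
        s.last_seen = t
        return "ok"

    def rebind(self, token: str, ip: str, user_agent: str, tls_fp: Optional[str] = None) -> str:
        """After a successful step-up: rotate the token and bind to the new context."""
        s = self._sessions.pop(token)
        return self.issue(s.user, ip, user_agent, tls_fp)
```

The point of the three signals is that a Genesis-style bot clones only what the victim's browser sent, so the User-Agent check alone is defeated; the source network and the TLS handshake characteristics are observed by the server and are much harder to reproduce from a different machine. Short absolute lifetimes bound the window in which a stolen cookie is useful at all; none of this helps if the session is replayed from the infected machine itself.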

The FBI has made no official statement to date; but a statement is likely forthcoming.

Krebs, Brian, FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers, blog post, 4 April 2023. Available online at https://krebsonsecurity.com/2023/04/fbi-seizes-bot-shop-genesis-market-amid-arrests-targeting-operators-suppliers/.


by Les Bell - Tuesday, 4 April 2023, 8:20 AM

News Stories


Western Digital Hit By Security Breach - MyCloud Taken Offline

Storage drive manufacturer Western Digital has disclosed a network security incident involving some of its systems. On 26 March the company identified an incident in which an unauthorized third party gained access to its systems. The firm activated its incident response procedures and commenced an investigation with the assistance of external incident response and digital forensics experts.

The investigation to date suggests that the intruder was able to exfiltrate certain information from the affected systems, and the company is working to understand the nature and scope of that data. Among the response actions, several systems and services have been taken offline; at time of writing the My Cloud status page at https://status.mycloud.com/os4 indicates that My Cloud Home and My Cloud OS 5 services are down.

(Author pauses, stares at all the WD external backup drives around his office and counts himself fortunate to be very cautious in his use of external cloud services.)

FGS Global, Western Digital Provides Information on Network Security Incident, news release, 3 April 2023. Available online at https://www.businesswire.com/news/home/20230402005076/en/Western-Digital-Provides-Information-on-Network-Security-Incident.

US DoJ Seizes Over $US112 Million From Crypto Investment Scammers

The US Department of Justice has managed another win in the constant battle against cryptocurrency scammers, this time seizing virtual currency worth an estimated $US112 million linked to cryptocurrency investment scammers. Judges in the District of Arizona, the Central District of California and the District of Idaho had authorized seizure warrants.

The virtual currency accounts were allegedly used to launder proceeds of various cryptocurrency confidence scams. In these schemes - often referred to as 'pig fattening' or 'pig butchering' - fraudsters cultivate long-term relationships with victims met online, eventually enticing them to make investments in fraudulent cryptocurrency trading platforms. In reality, however, the funds sent by victims for these purported investments were instead funneled to cryptocurrency addresses and accounts controlled by scammers and their co-conspirators.

In 2022, investment fraud caused the highest losses of any scam reported by the public to the FBI’s Internet Crimes Complaint Center (IC3), totaling $3.31 billion. Frauds involving cryptocurrency, including pig butchering, represented the majority of these scams, increasing a staggering 183% from 2021 to $2.57 billion in reported losses last year.

Office of Public Affairs, Justice Department Seizes Over $112M in Funds Linked to Cryptocurrency Investment Schemes, news release, 3 April 2023. Available online at https://www.justice.gov/opa/pr/justice-department-seizes-over-112m-funds-linked-cryptocurrency-investment-schemes.


by Les Bell - Monday, 3 April 2023, 2:36 PM

News Stories


Class Action Invites Latitude Financial Customers to Join

While many security professionals agonise over the possibility of fines for privacy breaches, it is worth remembering that much older penalties continue to apply and can have much more severe consequences than a fine. We reported last week that the breach of consumer lender Latitude Financial had worsened as more details emerged, with investigations revealing that as many as 14 million customer records were compromised.

Now comes news that law firms Gordon Legal and Hayden Stephens and Associates are investigating a potential legal action against Latitude Financial and are looking into whether the lender's security measures and protocols were effective and whether the company had taken appropriate steps to protect its customers' personal information. Of course, should this reach court - or even prior mediation - a lot will depend on a) how the breach actually occurred and b) how a court defines 'appropriate steps' (a more common phrase in legislation is 'reasonable steps').

Current and former customers who believe they may have been affected by the data breach are invited to register their interest. The investigation's web site also contains links to useful online resources for those affected, as well as a list of news reports on the breach.

Hayden Stephens and Associates, Latitude Financial Data Breach Investigation, web site, 28 March 2023. Available online at https://www.latitudedatabreach.com.au/.

WordPress Plugin Exposes Millions of Sites

By far the most popular web site content management system is WordPress; millions of businesses use it as the basis of their sites, especially because of its huge range of extensions and plugins. Unfortunately, many of these sites are poorly maintained - neglect that could cost a huge number of them dearly this week, as attackers exploit a critical vulnerability in a premium WordPress plugin.

The vulnerability, which has a CVSS 3.1 score of 8.8 (high), is present in the Elementor Pro plugin. In particular, it is in the elementor-pro/modules/woocommerce/module.php component, which is loaded when Elementor Pro is installed on WordPress sites that also have the WooCommerce e-commerce plugin activated. The component registers two AJAX actions, one of which - pro_woocommerce_update_page_option - is intended to allow an Administrator or Shop Manager to update some WooCommerce options.

Unfortunately, the function neither checks that the user invoking it holds the appropriate capability nor sanitizes its input. As a result, any authenticated user - and WooCommerce sites commonly let anyone register a customer account - can enable the users_can_register setting, set default_role to administrator and change the site's administrator email address (admin_email), then simply register a fresh account that arrives with administrator rights. The vulnerability was discovered and documented by Jerome Bruandet of Ninja Technologies Network.

However, now researchers at another firm, Patchstack, report that the vulnerability is being actively exploited. Users are advised to urgently update their Elementor Pro installations to version 3.11.7 or later (the free version of Elementor is unaffected).
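The exploitation sequence above leaves a recognisable trail: calls to the vulnerable AJAX action that touch the three options, followed by a self-registration from the same source. The following is an added detection example of my own (not Patchstack's or NinTechNet's tooling) run over a constructed request log; the action and option names are those reported above, but the log format and the option_name/option_value body parameters are assumptions standing in for whatever your WAF or reverse proxy records.

```python
import json
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

VULNERABLE_ACTION = "pro_woocommerce_update_page_option"
SENSITIVE_OPTIONS = ("users_can_register", "default_role", "admin_email")

# Constructed request log (JSON lines, as a WAF or reverse proxy might emit
# when configured to retain POST bodies). Addresses are documentation ranges.
SAMPLE_LOG = """\
{"ts":"2023-03-30T02:10:51Z","src":"203.0.113.9","method":"GET","url":"/wp-admin/admin-ajax.php?action=heartbeat","body":""}
{"ts":"2023-03-30T02:11:04Z","src":"198.51.100.23","method":"POST","url":"/wp-admin/admin-ajax.php","body":"action=pro_woocommerce_update_page_option&option_name=users_can_register&option_value=1"}
{"ts":"2023-03-30T02:11:05Z","src":"198.51.100.23","method":"POST","url":"/wp-admin/admin-ajax.php","body":"action=pro_woocommerce_update_page_option&option_name=default_role&option_value=administrator"}
{"ts":"2023-03-30T02:11:20Z","src":"198.51.100.23","method":"POST","url":"/wp-login.php?action=register","body":"user_login=wpsupport&user_email=x%40example.net"}
{"ts":"2023-03-30T02:15:00Z","src":"203.0.113.9","method":"POST","url":"/wp-login.php?action=register","body":"user_login=realcustomer&user_email=c%40example.org"}
"""


def _path_and_params(entry: dict):
    """Merge query-string and form-body parameters into one dict of lists."""
    parts = urlsplit(entry["url"])
    params = parse_qs(parts.query)
    params.update(parse_qs(entry.get("body", "")))
    return parts.path, params


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, verdict) alerts, correlating option tampering
    with a later self-registration from the same source address."""
    alerts = []
    tampering_sources = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        path, params = _path_and_params(e)
        action = params.get("action", [""])[0]
        if path.endswith("/wp-admin/admin-ajax.php") and action == VULNERABLE_ACTION:
            touched = [o for o in SENSITIVE_OPTIONS if o in e.get("body", "")]
            if touched:
                tampering_sources.add(e["src"])
                alerts.append((e["ts"], e["src"],
                               f"Elementor Pro option tampering via {VULNERABLE_ACTION}: "
                               + ", ".join(touched)))
            else:
                alerts.append((e["ts"], e["src"],
                               f"{VULNERABLE_ACTION} called: confirm caller is an administrator or shop manager"))
        elif path.endswith("/wp-login.php") and action == "register" and e["src"] in tampering_sources:
            alerts.append((e["ts"], e["src"],
                           "self-registration after option tampering: probable rogue administrator account"))
    return alerts


if __name__ == "__main__":
    for ts, src, verdict in scan(SAMPLE_LOG):
        print(ts, src, verdict)
```

If the scan fires, the post-exploitation checks are the same three settings and their consequence: `wp option get users_can_register`, `wp option get default_role`, `wp option get admin_email`, and `wp user list --role=administrator` to find any account that should not be there. Patching to 3.11.7 closes the hole but does not remove an administrator account already created through it.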

Bruandet, Jerome, High severity vulnerability fixed in WordPress Elementor Pro plugin. blog post, 28 March 2023. Available online at https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin/.

Dave, Critical Elementor Pro Vulnerability Exploited, blog post, 30 March 2023. Available online at https://patchstack.com/articles/critical-elementor-pro-vulnerability-exploited/.


by Les Bell - Friday, 31 March 2023, 9:54 AM

News Stories


World Backup Day - You Know What To Do (Don't You?)

Today is 31 March, which for more than a decade has been World Backup Day. While we, as information assurance professionals, are well aware of the need to protect our data (aren't we?), our employees, friends and associates are often not up to speed on this requirement. Now is the time to re-energize your awareness campaigns, not to mention ensuring that enterprise backup strategies and procedures are fully up-to-date and tested.

The World Backup Day web site provides some useful - albeit scary - statistics:

  • 21% of people have never made a backup
  • 29% of data loss cases are caused by accident (implying 71% are deliberate?)
  • 113 phones are lost or stolen every minute, and
  • 30% of all computers are already infected with malware

Now is a good time to promote the 3-2-1 backup strategy:

You should have three copies of your data (that's the production data and two separate backups) on two different media (e.g. disk and tape) with one copy stored off-site for disaster recovery.

Consider this just the bare minimum; there are so many options for personal system backup these days that it is easy to meet this basic level and exceed it. We have SSDs and magnetic media, RAID arrays (which protect against drive failure but are not a substitute for a backup), external USB hard drives and flash drives, high-capacity LTO tape drives, optical media such as Blu-ray and cloud storage. Plus we have a wide range of software to manage all of this on both desktop (Windows, Mac, Linux) and NAS/server platforms.

In our office, all desktop and laptop machines are backed up to external hard drives using R-Drive Image to run a grandfather-father-son rotational backup scheme as a nightly batch job (we chose R-Drive Image (https://www.drive-image.com/) after a semi-exhaustive comparison - and yes, it has earned its price several times over following failure of a 1 TB SSD). I also store all work on a NAS, using the Windows 'offline files' feature to keep a local copy on laptops for use while traveling and as a backup, and the NAS itself is backed up both locally and off-site.

Remember: any backup media - and this includes cloud storage - should be protected to the same level as the original data requires; this may require encryption, particularly in the cloud. And don't forget to back up external resources such as web site content - and this does not mean saving a database dump in an unprotected directory on the web server, or in a publicly readable AWS S3 bucket.

Uncredited, World Backup Day, web site, undated. Available online at https://www.worldbackupday.com.

ChatGPT Leaks User Data

OpenAI has revealed that its ChatGPT AI chatbot leaked information including the titles of active users' chat history and the first message of newly-created conversations. Perhaps more significantly, it also exposed the payment data for 1.2% of ChatGPT Plus customers, including their first and last name, email address, payment address, the last four digits of their credit card number (thank you, PCI-DSS!) and the card expiry date.

The word 'active', above, is significant - the vulnerability that underlies this discovery is in the Redis client library, redis-py, which OpenAI uses to cache user information in their server instances. For a period of approximately nine hours on Monday, 20 March, a change to the OpenAI server caused a spike in Redis request cancellations, creating a small probability for each connection to return bad data. Since the problem was in this cache subsystem, it only affected currently active sessions, with the possibility that a subscriber would see another user's data rather than his own.
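To make the failure mode concrete, here is an added toy model in Python (not redis-py's or OpenAI's code) of a pooled connection in which a request cancelled after its command has been sent but before its reply has been read leaves that reply in the connection for the next borrower, beside a pool that discards such connections; the fake server, pool and cache contents are constructed assumptions.

```python
"""Toy model of the request-cancellation bug class behind the leak.

Added illustration, not redis-py's or OpenAI's code. A fake Redis answers
GET commands in order over a pooled connection. If a caller abandons its
request after the command is written but before the reply is consumed,
the reply stays in the connection; the next caller to borrow that
connection reads it as if it were its own. The hardened pool treats any
returned connection with an unread reply as corrupt and discards it.
"""
from collections import deque


class FakeRedisServer:
    """Stand-in for Redis: replies to 'GET <key>' in command order."""
    def __init__(self, data):
        self.data = data

    def handle(self, command):
        op, key = command.split(" ", 1)
        assert op == "GET"
        return self.data.get(key)


class Connection:
    def __init__(self, server):
        self.server = server
        self.inbound = deque()   # replies the server wrote, not yet read
        self.closed = False

    def send(self, command):
        # the server answers immediately, like a reply queued on the socket
        self.inbound.append(self.server.handle(command))

    def read(self):
        return self.inbound.popleft()

    def has_unread_reply(self):
        return bool(self.inbound)

    def close(self):
        self.closed = True
        self.inbound.clear()


class Pool:
    def __init__(self, server, size=1, discard_dirty=False):
        self.server = server
        self.discard_dirty = discard_dirty   # the fix, off by default
        self.idle = deque(Connection(server) for _ in range(size))

    def acquire(self):
        return self.idle.popleft() if self.idle else Connection(self.server)

    def release(self, conn):
        if self.discard_dirty and conn.has_unread_reply():
            conn.close()               # never hand a corrupted connection on
            conn = Connection(self.server)
        self.idle.append(conn)


def fetch(pool, key, cancel_before_read=False):
    """Borrow a connection, GET key, return the reply. cancel_before_read
    models a client-side timeout or task cancellation that arrives after
    the command went out but before the reply was consumed."""
    conn = pool.acquire()
    try:
        conn.send(f"GET {key}")
        if cancel_before_read:
            return None            # caller gave up; reply stays in the buffer
        return conn.read()
    finally:
        pool.release(conn)


# Constructed cache contents: per-session user profile blobs.
CACHE = {"session:alice": "alice@example.test card ****1111",
         "session:bob": "bob@example.test card ****2222"}


def run_scenario(discard_dirty):
    """Alice's request is cancelled mid-flight; Bob then reuses the single
    pooled connection. Returns what Bob's request actually receives."""
    pool = Pool(FakeRedisServer(CACHE), size=1, discard_dirty=discard_dirty)
    fetch(pool, "session:alice", cancel_before_read=True)
    return fetch(pool, "session:bob")


if __name__ == "__main__":
    print("vulnerable pool, Bob sees:", run_scenario(discard_dirty=False))
    print("hardened pool,   Bob sees:", run_scenario(discard_dirty=True))
```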

OpenAI's admins took the service offline and their developers immediately contacted the Redis development team to develop a bug fix which was quickly deployed and service restored. All affected users were contacted, but the risk seems to be low.

While everyone ponders the broader impact of artificial intelligence, it's important to remember these systems are still just software, with many of the vulnerabilities of simpler applications.

Uncredited, March 20 ChatGPT outage: Here’s what happened, OpenAI blog, 24 March 2023. Available online at https://openai.com/blog/march-20-chatgpt-outage.

Robertson, Adi, FTC should stop OpenAI from launching new GPT models, says AI policy group, The Verge, 30 March 2023. Available online at https://www.theverge.com/2023/3/30/23662101/ftc-openai-investigation-request-caidp-gpt-text-generation-bias.

CISA Adds Ten New Known Exploited Vulnerabilities

The US Cybersecurity & Infrastructure Security Agency has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities are being actively exploited in the wild, making it important to prioritize their patching or at least deployment of compensating controls:

  • CVE-2013-3163 Microsoft Internet Explorer Memory Corruption Vulnerability
  • CVE-2014-1776 Microsoft Internet Explorer Memory Corruption Vulnerability
  • CVE-2017-7494 Samba Remote Code Execution Vulnerability
  • CVE-2022-42948 Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
  • CVE-2022-39197 Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-30900 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
  • CVE-2022-38181 Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
  • CVE-2023-0266 Linux Kernel Use-After-Free Vulnerability
  • CVE-2022-3038 Google Chrome Use-After-Free Vulnerability
  • CVE-2022-22706 Arm Mali GPU Kernel Driver Unspecified Vulnerability

Note that some of these vulnerabilities go back a very, very long way - 2013? Seriously? - and the fact that they are still being exploited indicates that somebody, somewhere is asleep at the wheel.

CISA, CISA Adds Ten Known Exploited Vulnerabilities to Catalog, alert, 30 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/30/cisa-adds-ten-known-exploited-vulnerabilities-catalog.

Whistle Blown on Russian Cyberwarfare Efforts

A whistleblower, probably connected to a Moscow cybersecurity consultancy named 'Vulkan', has released a tranche of documents which reveal links between Vulkan, the Russian foreign intelligence agency (the SVR), military intelligence (the GRU and GOU), and the domestic intelligence agency (the FSB) - the latter a collaboration which could never have happened during the Soviet era, when the agencies were traditional enemies.

The software engineers at Vulkan are alleged to have worked for the agencies to support offensive security operations, train others to attack national infrastructure (particularly in Ukraine, but documents also reveal targets in the US and Switzerland), spread disinformation online and surveil and control those sections of the Internet under Russian control.

Documents link Vulkan to several projects, including Scan-V, a tool which builds a database of vulnerabilities across the Internet, and which is possibly used by Sandworm (Unit 74455 - who are also behind NotPetya and the Cyclops Blink botnet) and a system known as Amezit, which is used to surveil and control the Internet in the Commonwealth of Independent States. Another project, Crystal-2V, is used to train operatives in cyber-attacks on transport infrastructure.

The whistleblower, who leaked the documents to Munich-based investigative startup Paper Trail Media, has taken a huge risk by making them public. Eleven different media outlets, including the Guardian, Washington Post and Le Monde have been sifting through the documents and we can expect a lot more detail to emerge in coming days.

Harding, Luke, Stiliyana Simeonova, Manisha Ganguly and Dan Sabbagh, ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics, The Guardian, 31 March 2023. Available online at https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Les Bell
by Les Bell - Thursday, 30 March 2023, 11:59 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Australia, New Zealand Lag in MFA Adoption, Says Yubico

MFA vendor Yubico has published the results of its first State of Global Enterprise Authentication Survey, which garnered responses from over 16,000 employees in 8 countries: Australia, New Zealand, Singapore, the UK, the US, France, Germany and Sweden. And the results do not look good for A/NZ.

In Australia, 65% of employees still rely on username and password as the primary account authentication mechanism - higher than the global average of 59% (NZ is a little better, at 63%), leaving them exposed to basic phishing attacks. Worse still, Australians still rely heavily on SMS-based verification, at 38% of respondents, compared with the global figure of 33% (NZ: 31%). This is despite the fact that the use of SMS for verification was deprecated by NIST SP 800-63B over five years ago - a point I have been hammering in my teaching.

Australia is in line with global trends in the use of password managers, although NZ still lags a little. But we're behind again in the adoption of FIDO U2F security keys - while the global adoption rate is 20%, Australia lags at 15% and NZ at 13%. I can't help wondering if people are concerned about being denied access to systems if they don't have their keys to hand, or not being able to cope with some imagined complexity; in practice, it's not a problem - we turned on mandatory MFA, using U2F security keys, across two businesses some years ago and have had no problems other than one lost key (which was immediately revoked).

There are some other interesting statistics in the survey report, including some alarming data about user perceptions of what constitutes secure authentication.

And if you remain unconvinced about the dangers of phishing attacks, take a look at this recent video:

[Embedded video]

Yubico AB, State of Global Enterprise Authentication Survey: including exclusive data from Australia & New Zealand, survey report, March 2023. Available online at https://www.yubico.com/resource/state-of-global-enterprise-authentication-survey-australia-and-new-zealand/.

Microsoft Brings AI to Windows Security

Microsoft this week revealed its new OpenAI GPT-4-powered security analysis tool, called Security Copilot. The new product applies OpenAI's generative artificial intelligence and Microsoft's own security-specific language and data model to the data produced by the company's security products such as Microsoft Sentinel, Defender and Intune, allowing relatively untrained analysts to identify security incidents, obtain response instructions and even produce PowerPoint presentations which summarize an incident attack chain for management.

It's also possible to drag and drop files onto the product's prompt bar and ask questions, such as whether a dropped log file contains indications of a particular threat activity. Multiple queries can be collected into 'books' which can perform sequences of steps such as reverse-engineering malware and diagramming its operation. Results can also be shared within a team and saved to provide a record of, say, an incident response investigation.

The product is not foolproof - in Microsoft's own demo it produces a spurious reference to 'Windows 9' - but it should prove near-irresistible to overworked enterprise SOC teams.

Microsoft Security, Introducing Microsoft Security Copilot, web page, 28 March 2023. Available online at https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot.



Les Bell
by Les Bell - Wednesday, 29 March 2023, 12:14 PM


News Stories


Australian Privacy Breaches Continue with Meriton Latest Victim

Today comes news of yet another Australian company which has suffered a data breach; this time it is property firm Meriton, which has contacted almost 2,000 staff and customers, warning them to take steps to protect themselves.

Approximately 35.6 GB of data was compromised in the January 14 breach, including contact information of guests in Meriton serviced apartments, as well as other data - potentially including health information should they, for example, have suffered an injury which required an ambulance to be requested. However, staff are more severely affected, with potential access by cybercriminals to employment information such as their salary, bank account details, tax file numbers and performance appraisals.

The company has contacted the Australian Cyber Security Centre (ACSC) as well as the Office of the Australian Information Commissioner (OAIC), and is working with data forensics and incident response professionals. It has also promised to implement enhanced cybersecurity measures in future.

Tran, Danny, Hotel and property giant Meriton hit by data hack, personal documents may be at risk, ABC News, 29 March 2023. Available online at https://www.abc.net.au/news/2023-03-29/australian-hotel-chain-meriton-hit-by-data-breach-hack/102141880.

ABC Charts Scale of Privacy Breaches

Coincidentally, the Australian Broadcasting Corporation has published an interactive news report detailing the incredible scope of Australian and international data breaches which put Australians at risk of "serious harm". Their graphic shows a total of 2,784 breaches recorded since the start of 2020, based on reports to the OAIC and obtained via administrative access requests to de-aggregated versions of the summary data released in the OAIC's bi-annual reports (available for download as a spreadsheet).

Their analysis makes sobering reading, with some stand-out conclusions. For example, "There were 164 fewer data breaches disclosed last year than back in 2020." - yet this does not gel with the growth of ransomware attacks reported internationally.

In addition, breaches involving multinationals Amazon and Spotify did not fall into the scope of 'notifiable events' in Australia and therefore do not appear in the dataset at all.

A problem that rarely attracts attention is that each successive breach allows a threat actor who collects the information to aggregate information about the affected individuals; while an individual breach may not - to the breached organization - appear to reach the threshold of putting individuals "at likely risk of serious harm" and requiring mandatory disclosure to the OAIC, when combined with other breaches it certainly may pose risk of serious harm.

We may therefore see the law further refined to require breached organizations to take steps to determine what other information may exist from previous breaches before determining the level of risk posed in a holistic manner.

Fell, Julian, Georgina Piper and Matt Liddy, This is the most detailed portrait yet of data breaches in Australia, ABC Story Lab, 28 March 2023. Available online at https://www.abc.net.au/news/2023-03-28/detailed-portrait-data-breaches-oaic-disclosures/102131586.

Pen Tests Suggest Security Postures Are Weakening, Says Cymulate

In their new "2022 State of Cybersecurity Effectiveness" report, Cymulate researchers analysed the results of over 1 million penetration tests conducted within production environments. Their results indicate that, using their risk rating methodology, the average enterprise's information exfiltration risk rating has increased from 30 out of 100 in 2021 to 44 out of 100 in 2022 (compare this with the reporting to the OAIC described above).

In addition, there is bad news about patch management: four of the top 10 vulnerabilities in customer environments were more than two years old.

It's not as though companies aren't working hard, either. Malware detection rates are improving, and most enterprises are doing better at securing their attack surfaces; it's just that threat actors are adapting even faster.

Porter, Katrina, Cymulate Releases Findings from Over One Million Security Assessments, news release, 28 March 2023. Available online at https://cymulate.com/news/one-million-security-assessments/.



Les Bell
by Les Bell - Tuesday, 28 March 2023, 3:16 PM


News Stories


Latitude Breach Goes from Bad to Worse

I doubt that readers are surprised, but: the number of customer records stolen from consumer lender Latitude Financial is far larger than initially disclosed. Latitude has revealed that the data accessed by the attacker now totals:

  • 6.1 million customer records - the vast bulk provided before 2013 - including names, addresses, phone numbers and dates of birth
  • 7.9 million Australian and New Zealand drivers' licence numbers
  • 53,000 passport numbers

Retail customers of major chains including JB Hi-Fi, The Good Guys and Harvey Norman - all of whom use Latitude - could be affected, and some of the data goes back as far as 2005.

We've said it before, but it bears repeating: despite much infosec lore categorising data as information assets, this kind of personally identifiable information is not an asset - it is a liability. There is no business advantage to keeping identity verification data once verification has been accomplished - it does not contribute to business revenue or profit. On the contrary, it exposes the business to increased losses due to reputation damage, not to mention fines and judgements under privacy law.

There are also lessons here about the dangers of prematurely stating that either information has not been compromised or that a breach is small; later revelations simply reduce consumer confidence. There is also a lot to be said for better education of C-suites and boards about incident response, not to mention cyber risk management more generally.

Barrett, Jonathan, Latitude Financial cyber-attack worse than first thought with 14m customer records stolen, The Guardian, 24 March 2023. Available online at https://www.theguardian.com/australia-news/2023/mar/27/latitude-financial-cyber-data-breach-hack-14m-customer-records-stolen.

Patch and Update Exchange Servers, or Get Throttled

Microsoft's Exchange mail and calendar server has suffered from a lot of high-profile vulnerabilities and exploits recently - think of ProxyLogon and ProxyShell - but it seems that Exchange admins (or, more likely, their managers) are not getting the message. The Internet still has many Exchange servers which are lagging behind the latest, or even quite old, security patches - and there are still enterprises running old versions of the software that are well beyond end-of-life support, such as Exchange 2010 and even Exchange 2007.

One problem is the tragedy of the commons: my security depends, at least in part, on you not relaying malware email attachments and other malmail to my systems. We're all in this together.

Now Microsoft is raising the stakes for those who are running unpatched and insecure Exchange servers, with the introduction of a new enforcement system to Exchange Online - the Redmondites' cloud mail system - that will:

  • Report details to admins about any unsupported or out-of-date Exchange servers in their environment that connect to Exchange Online to send email
  • Throttle emails sent from these servers if they are not remediated, progressively increasing the throttling duration over time
  • Block email from unremediated servers after a suitable period.

The enforcement actions will ramp up over time - see the table below:

https://techcommunity.microsoft.com/t5/image/serverpage/image-id/453106iB81E52B8DB700A4E/image-size/large?v=v2&px=999

Enforcement stages (Image: Microsoft)

Admins can request a pause on blocking for up to 90 days per year, but this will provide only temporary relief. Enforcement actions will be introduced against Exchange 2007 servers only at first, but others will follow. The fact that this will induce customers to spend up on new Exchange licences is purely coincidental.

The Exchange Team, Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online, Exchange Team Blog, 23 March 2023. Available online at https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078.



Les Bell
by Les Bell - Monday, 27 March 2023, 10:49 AM


News Stories


Careful What You Ask For

Honestly, you just can't trust anyone these days. In a lovely example of this old adage, thousands of naive would-be cybercriminals have been caught out, registering for DDoS-as-a-Service or 'booter' sites which turned out to be fakes set up by the UK's National Crime Agency.

Last week, the NCA unmasked one of the sites, replacing it with a splash page warning users that their data has been collected and law enforcement will be in touch shortly:

The National Crime Agency Operation PowerOff splash page (Image: National Crime Agency)

Distributed denial of service attacks are illegal in most countries - in the UK, they are covered under the Computer Misuse Act, 1990 - and while those who accessed these sites from the UK will be contacted either by the NCA or local police, details of overseas registrants will be passed to international partners including Dutch and German police.

This operation follows December's takedown of 48 of the world's most popular booter sites by the FBI in collaboration with European agencies. The NCA also arrested an 18-year-old man in Devon; he was suspected to be an administrator of one of the sites.

NCA, NCA infiltrates cyber crime market with disguised DDoS sites, news release, 24 March 2023. Available online at https://www.nationalcrimeagency.gov.uk/news/nca-infiltrates-cyber-crime-market-with-disguised-ddos-sites.

Australian Federal Police Bust Cybercrime Gang

The Australian Federal Police (AFP) has busted a sophisticated cybercrime syndicate which had allegedly performed multiple identity theft and business email compromise (BEC) attacks between January 2020 and March 2023.

The AFP investigation began in October 2021, after an Indonesian businessman lost over $A100,000 in a BEC attack. The trail they uncovered led them to two Brisbane women, a Melbourne man and an Adelaide man who had allegedly operated as a cybercrime and money-laundering syndicate with links to South Africa. The AFP alleges the syndicate orchestrated more than 15 sophisticated breaches, setting up over 80 bank accounts with stolen identities to help transfer $A1.7 million in stolen cash from Australian and overseas victims.

Apart from the BEC attacks, the syndicate allegedly also ran scams targeting Facebook Marketplace users and fraudulent superannuation investments, running about 180 bank accounts through which their victims individually lost anywhere between $A2,500 and $A500,000.

On Thursday of last week, investigators executed five search warrants across Queensland, Victoria and South Australia, arresting 35-year-old and 27-year-old women in the Durack and Sherwood suburbs of Brisbane, a man, 26, in Wyndham Vale, Melbourne and a man, 30, in the Adelaide suburb of Croydon Park. They also seized fake passports, international driver licences and luxury handbags - plus, of course, a number of digital devices which will be subject to forensic examination.

The accused face multiple charges, including possession of false documents, dishonestly obtaining or dealing in personal financial information, dealing in proceeds of crime worth $A100,000 or more - charges which carry a maximum penalty of 20 years imprisonment.

AFP Media, Cybercrime syndicate dismantled after allegedly laundering $1.7 million, media release, 24 March 2023. Available online at https://www.afp.gov.au/news-media/media-releases/cybercrime-syndicate-dismantled-after-allegedly-laundering-17-million.

USB Keys Explode on Insertion

We are all well aware of the potential for malware to infect a system via USB keys, which is why it is so important to have a 'found devices' policy for all employees as well as a documented procedure for dealing with them inside IT/IS departments. This usually involves investigating their contents in a constrained and untrusted environment, such as an isolated throw-away machine or a revertible VM. However, from Ecuador comes news of a new challenge for junior analysts dealing with these devices.

In mid-March journalist Lenín Artieda, at Ecuadorian television station Ecuavisa, received a USB key through the mail - which, upon being inserted into a computer, exploded. Artieda was apparently unhurt and rapidly decamped for a safer location.

However, he was not alone - another journalist, Mauricio Ayora at TC Television, also received a USB key. Fortunately his employer had a strict policy about connecting devices to computers, and set it aside until after news of the first attack broke. And at Teleamazonas, journalist Milton Perez also received a USB key, this time accompanied by a note clearly intended to lure the intended victim:

"This information will unmask (Ecuadorian political movement) Correísmo. If you think it's useful, we can come to an agreement and I'll send you the second part. I will communicate with you." (translation)

This time, sheer luck saved Perez - he did not insert the drive properly and it failed to detonate. However, police later confirmed that it contained explosive material, and they performed a controlled detonation of the device sent to TC Television.

So, add to your forensic toolkit: one long-handled extension for plugging suspect USB devices into computers, and a Kevlar containment sleeve to wrap around it. Stab vest and Kevlar protection for other body parts is optional.

Cluley, Graham, Danger USB! Journalists sent exploding flash drives, Bitdefender blog, 24 March 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/danger-usb-journalists-sent-exploding-flash-drives/.


