Blog entries about Les Bell and Associates Pty Ltd

Les Bell
by Les Bell - Friday, March 24, 2023, 8:03 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


CISA Releases Incident Response Tool for Microsoft Clouds

The Cybersecurity & Infrastructure Security Agency has released a new tool to help SOC analysts and threat hunters detect potentially malicious activity in Microsoft Azure, Azure Active Directory and Microsoft 365 environments. Untitled Goose adds novel authentication and data gathering methods in order to run a full investigation against these environments, enabling users to:

  • Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
  • Query, export, and investigate AAD, M365, and Azure configurations.
  • Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
  • Perform time bounding of the UAL.
  • Extract data within those time bounds.
  • Collect and review data using similar time bounding capabilities for MDE data.

Untitled Goose was developed by CISA with support from Sandia National Laboratories.

cisagov, untitledgoosetool, GitHub project, 23 March 2023. Available online at https://github.com/cisagov/untitledgoosetool.

New Security Features in Windows 11 Insider Preview Build 25324

The latest preview build of Windows 11 has a number of new features, some of them specifically related to security.

First of all, Windows is finally getting support for the SHA-3 family of hash functions, the outcome of a NIST competition for a new hash function that concluded many years ago. Earlier hash functions like MD5 and the SHA-1 and SHA-2 series use the Merkle-Damgård construction and are vulnerable to length extension attacks, which led NIST to search for an alternative. The winner was the Keccak algorithm, developed by a team including Joan Daemen (of AES/Rijndael fame), which uses a sponge construction, solving the length extension problem (and several others). The Windows CNG library will now support a range of SHA-3 and related functions:

  • SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
  • HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
  • extendable-output functions (XOF) (SHAKE128, SHAKE256), customizable XOFs (cSHAKE128, cSHAKE256), and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256).

The omission of SHA3-224 is of no real significance - the primary use of SHA2-224 was to prevent length extension attacks, and SHA3 is not vulnerable to them.

Other new features include support for camera selection for Windows Hello sign-in, and warnings against re-use of Windows passwords on sites and apps, including a UI warning on unsafe copy and paste.

Langowski, Amanda and Brandon LeBlanc, Announcing Windows 11 Insider Preview Build 25324, Windows Blog, 23 March 2023. Available online at https://blogs.windows.com/windows-insider/2023/03/23/announcing-windows-11-insider-preview-build-25324/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Les Bell
by Les Bell - Thursday, March 23, 2023, 7:49 AM

News Stories


NSA, CISA Issue Guidance on Identity and Access Management

Last September, we brought you news of the Supply Chain Working Panel of the Enduring Security Framework (ESF) - a cross-sector working group operating under the auspices of the Critical Infrastructure Partnership Advisory Council. Now, as part of the ESF, the Cybersecurity & Infrastructure Security Agency and the NSA have released a new paper advising best practice for Identity and Access Management (IAM). This is a major pain point for most defenders, since threat actors often exploit vulnerabilities in authentication and authorization services to compromise user credentials, achieve persistence by creating new accounts, and gain elevated privileges. Once they have achieved a toehold via compromised credentials, these techniques allow them to pivot and compromise additional systems in the victim network.

The paper discusses a number of mitigation techniques for these attacks:

  • Identity Governance - policy-based centralized orchestration of user identity management and access control, which helps support enterprise IT security and regulatory compliance;
  • Environmental Hardening - makes it harder for a bad actor to be successful in an attack;
  • Identity Federation and Single Sign-On - identity federation across organizations addresses interoperability and partnership needs centrally, while SSO allows centralized management of authentication and access, thereby enabling better threat detection and response options;
  • Multi-Factor Authentication - uses more than one factor in the authentication process, which makes it harder for a bad actor to gain access;
  • IAM Monitoring and Auditing - defines acceptable and expected behavior and then generates, collects, and analyzes logs to provide the best means to detect suspicious activity.

The paper is very detailed and prescriptive; for each of the techniques above there are examples of why it matters, implementation guidance and recommended immediate actions. Well worthwhile reading and following - I am continually amazed that, since NIST's SP 800-63 was updated in 2017, so few people have followed its advice, and many are still recommending very weak practices.

CISA, CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management, alert, 21 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-and-nsa-release-enduring-security-framework-guidance-identity-and-access-management.

Uncredited, Recommended Best Practices for Administrators: Identity and Access Management, technical report, March 2023. Available online at https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF.

BreachForums Shuttered

Yesterday we reported on the arrest of BreachForums owner/operator Conor Brian Fitzpatrick, a.k.a. 'Pompompurin'. The hacker site continued to operate, however, being taken over by another administrator under the handle 'Baphomet'.

But less than a day later came news that Baphomet had taken the site down. In a message posted to the BreachForums Telegram channel, he stated, "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all", implying that some replacement might emerge.

It is possible that the shutdown was prompted by the possibility that law enforcement may have gained access to the site's code and information about its users.

Lakshmanan, Ravie, BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum, The Hacker News, 22 March 2023. Available online at https://thehackernews.com/2023/03/breachforums-administrator-baphomet.html.


Les Bell
by Les Bell - Wednesday, March 22, 2023, 6:28 AM

News Stories


BreachForums Owner Arrested on Hacking Charges

One of the biggest sites for the sale of stolen databases is BreachForums, where hackers offer personal information such as usernames and passwords for sale and subsequent use in fraud. The site is owned, and until a few days ago was operated, by a hacker using the handle 'Pompompurin'.

However, the FBI has identified Pompompurin and last week arrested Conor Brian Fitzpatrick at his home in Peekskill, New York. The agent who led the arrest stated that Fitzpatrick had admitted to using the alias, and he is now scheduled to appear in a Virginia court this week to face charges of conspiracy to commit access device fraud, following his release on a $300,000 bond paid by his parents.

Meanwhile, BreachForums remains operational, having been taken over by another administrator under the handle 'Baphomet'.

Truță, Filip, Police Arrest BreachForums Owner ‘Pompompurin’ on Hacking Charges. Parents Bail Him Out, Bitdefender blog, 21 March 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/police-arrest-breachforums-owner-pompompurin-on-hacking-charges-parents-bail-him-out/.

Ferrari Hit By Ransomware Attack

Luxury carmaker Ferrari's Italian subsidiary, Ferrari S.p.A., has disclosed a ransomware attack by an unidentified threat actor which has exfiltrated customer contact data. The company received a ransom demand, but its policy is not to pay such a ransom since it only funds further criminal activity.

Instead, Ferrari has contacted the affected customers and hired a global cybersecurity firm to manage incident response and forensic investigation. The company has also informed the relevant authorities and is assisting investigations.

Ferrari owners in Italy should probably brace for upcoming identity theft attempts.

Ferrari N.V., Cyber Incident in Ferrari, news release, 21 March 2023. Available online at https://www.ferrari.com/en-EN/corporate/articles/cyber-incident-in-ferrari.

Summary of 2022 Zero-Day Exploitations

Incident response firm Mandiant has shared some highlights of the firm's analysis of zero-day exploitations during 2022. The company tracked 55 zero-day vulnerabilities which it believes were exploited - slightly down from 2021's record-breaking 81, but still almost triple the level of 2020.

As in previous years, Chinese state-sponsored cyber-espionage groups led the field, making more use of zero-days than other groups. The leading affected vendors are the ones with the broadest product ranges - Microsoft, Google and Apple - and the most affected product types were operating systems (19 exploits), browsers (11), security, network and IT management products (10) and mobile OSes (6).

Four exploitations were financially motivated - three of these linked to ransomware operations.

There's a lesson here for most of us on the defender side of this game: patches need to be deployed faster than ever before, especially on Internet-facing systems which are not on well-defended network segments inside multiple layers of firewalls. While patient zero literally gets no warning, most of us will get a chance to deploy security patches, if we are fast enough.

Sadowski, James and Casey Charrier, Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace, blog post, 20 March 2023. Available online at https://www.mandiant.com/resources/blog/zero-days-exploited-2022.


Les Bell
by Les Bell - Tuesday, March 21, 2023, 7:48 AM

News Stories


Hinata Botnet Could Deliver 3.3 Tbps DDoS, Says Akamai

Akamai researchers have analysed a newly-discovered botnet which has been spreading over the first three months of this year. The malware, which its author appears to have christened 'Hinata' after an anime character, is written in the Go programming language which is increasingly popular among malware authors because it makes reverse-engineering the resultant binaries more difficult than other languages.

However, in Hinata, Go delivers another 'benefit', in the form of a multi-threaded design which can drive network I/O harder than a single-threaded approach. In early versions, the bot was able to run DDoS attacks using a variety of protocols: HTTP, UDP, TCP and ICMP. However, the latest version focuses on HTTP and UDP only. In order to spread, Hinata exploits two main vulnerabilities - a Hadoop YARN RCE and a vulnerability in the miniigd SOAP service of Realtek SDK devices (CVE-2014-8361). It can also exploit Huawei HG532 routers (CVE-2017-17215).

Based on their benchmark tests with a sample of the malware and a jury-rigged C2 server, the researchers found that with a 10-second UDP flood, the bot can generate 6,733 packets totaling 421 MB. If the botnet can marshal 10,000 nodes - roughly 7% of the size of the Mirai botnet - it could therefore deliver 336 Tbps.

The Akamai blog post is a nice example of malware analysis and reverse engineering. It provides IOCs, including YARA rules and sample infector scripts, as well as Snort rules.

Seaman, Chad, Larry Cashdollar and Allen West, Uncovering HinataBot: A Deep Dive into a Go-Based Threat, blog post, 16 March 2023. Available online at https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet.

Privacy Breach Hits Australian Skin Cancer Study

Medical research institute QIMR Berghofer has been hit by a data privacy breach affecting the personal details of more than one thousand people participating in a skin cancer study, according to the institute. The breach occurred at a contractor, Datatime, which provides scanning and data entry services.

The 2021 QSKIN study involved the mailing of survey forms to 9749 participants, whose names and addresses were held by Datatime. 1128 participants completed the survey and returned the forms to Datatime, presumably for scanning, and their information, including name, address and Medicare numbers may have been compromised in the breach.

This particular breach occurred back in November 2022, and we reported on it at the time, so it is curious that QIMR Berghofer is only disclosing it publicly now. It also highlights the importance of supplier relationship management; the medical researchers relied on the fact that "Datatime is ISO Accredited" - but they are certified against ISO 9001, and not an information security related standard like ISO 27001.

Uncredited, Media statement, media statement, 20 March 2023. Available online at https://www.qimrberghofer.edu.au/news/media-statement/.


Les Bell
by Les Bell - Monday, March 20, 2023, 7:57 AM

News Stories


Android Vulnerable to Spyware Apps, Say Researchers

In a forthcoming paper, to be presented at the Privacy Enhancing Technologies Symposium in Zurich this (northern hemisphere) summer, researchers from UCSD, Cornell and New York Universities will recommend that the Android mobile OS enforce stricter requirements on which apps can hide icons.

At present, it is possible for spyware apps not to appear in the launch bar when they are first opened, and to masquerade under innocuous names like "Wi-Fi" or "Internet Service", making it difficult for victims to identify spyware planted on their devices by a disgruntled spouse, partner or other stalker. The apps also resist attempts to uninstall them, and some will automatically restart themselves after being stopped by the Android system or after reboots. "We recommend adding a dashboard for monitoring apps that will automatically start themselves", say the researchers.

A secondary concern is that spyware apps often do little to protect the sensitive information they collect; for example, many do not encrypt data as they upload it to their command and control servers - and this includes the login credentials of the spyware purchasers themselves. In other cases, the uploaded data is stored using public URLs - some of them easily predictable - which makes the data easily accessible. One leading spyware service had an authentication vulnerability that would allow all the data, for every account, to be accessed by third parties.

There are several lessons here. Obviously, some spyware products rely on simple tricks to evade detection on the victim's phone, and Android could easily be enhanced to eliminate these. But also, people who buy and use spyware are placing themselves at risk.

Patringenaru, Ioana, This is What Happens When Your Phone is Spying on You, UC San Diego Today, 13 March 2023. Available online at https://today.ucsd.edu/story/spywarestudy2023.

Samsung Exynos Modem Chips Vulnerable, Says Google

Sticking with Android for a few moments longer: TechCrunch reports that Google's Project Zero security team has found 18 different zero-day vulnerabilities in the Samsung Exynos modem chips used in many different Android phones, wearables and even vehicles. These include four severe vulnerabilities which could be used to compromise a victim's phone "at the baseband level with no user interaction, and require only that the attacker know the victim's phone number", according to Project Zero head Tim Willis.

Among the affected devices - although there are more - are:

  • Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series;
  • Google Pixel 6 and Pixel 7 series (patched in the March security update);
  • Connected vehicles that use the Exynos Auto T5123 chipset.

While they wait for patches, suggested user mitigations include turning off Wi-Fi calling and Voice-over-LTE in the device settings. The remaining 14 vulnerabilities are less severe since they require either access to the device or internal access to the cellular network systems.

Whittaker, Zack, Google warns users to take action to protect against remotely exploitable flaws in popular Android phones, TechCrunch, 17 March 2023. Available online at https://techcrunch.com/2023/03/16/google-warning-samsung-chips-flaws-android/.

Australian Taxation Office, Centrelink, Accounts Vulnerable to Voice Deepfake Attack

Both the Australian Taxation Office and the Commonwealth social services agency Centrelink give their clients the option of verifying their identity over the phone using a "voiceprint" along with some other information. Now a Guardian journalist has discovered that, using just four minutes of training audio, they were able to use a machine learning-based voice cloning app to generate a synthetic voiceprint and then use it, along with their customer reference number, to gain access to their own account.

This would allow an attacker to access sensitive information held by either government agency, and illustrates the danger of relying on such an easily faked characteristic as a form of biometric authentication. The same technique has been adopted by a number of banks and other agencies world-wide, who should perhaps be putting their efforts behind cryptographic techniques instead.

Evershed, Nick and Josh Taylor, AI can fool voice recognition used to verify identity by Centrelink and Australian tax office, The Guardian, 17 March 2023. Available online at https://www.theguardian.com/technology/2023/mar/16/voice-system-used-to-verify-identity-by-centrelink-can-be-fooled-by-ai.


Les Bell
by Les Bell - Friday, March 17, 2023, 3:31 PM

News Stories


Cozy Bear Targets Ukraine Supporters with Infostealer

Yesterday we reported on a Microsoft Outlook vulnerability being exploited by the Russian GRU-affiliated group APT28, a.k.a. Fancy Bear. Today it's the turn of another Russian group: APT29, a.k.a. Cozy Bear or NOBELIUM, a group affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation, who are now targeting European governments and diplomatic entities which are aiding Ukraine. You may recall them from such high-profile breaches as the US Democratic National Committee hack and their trojanning of the SolarWinds Orion network management software.

This time, they specifically targeted entities with an interest in the activities of the Polish Ministry of Foreign Affairs and especially the activities of the Polish Ambassador to the US, such as a talk he gave in early February to the Columbus School of Law at the Catholic University of America in Washington DC. They prepared for this campaign by creating HTML pages containing relevant lures on the web site of a library in El Salvador, and then used spearphishing to direct likely victims to those pages.

The HTML pages in turn dropped .ISO files which contained two files: a binary called BugSplatRc64.dll and a shortcut (.lnk) file which would invoke the DLL with the command line

C:\Windows\system32\rundll32.exe BugSplatRc64.dll,InitiateDs

When this runs, it copies BugSplatRc64.dll into the user's AppData directory and creates a new registry key to invoke it on boot, as a way of persisting. BugSplatRc64.dll is an infostealer; it first gathers basic information such as the user name and IP address which it then sends to the attacker's C2 server. From there, it connects to the C2 server every minute, checking for a payload which it will download and execute as shellcode within its process.

Interestingly, the C2 server uses the public API of the popular Notion note-taking software, making it hard to differentiate from legitimate traffic. This is a common technique of APT29; previously they have used the Trello API, only switching to Notion in late 2022.
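To put the behaviour described above to defensive use, here is an added Python example (not BlackBerry's code, and run over constructed Sysmon-style records rather than real telemetry; the user, SID, key and path names are made up) that flags the three steps of the chain: rundll32 invoking a DLL by a bare name or from a user-writable path, rundll32 writing a DLL into AppData, and a Run key pointing rundll32 at that DLL:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a simplified Sysmon-like shape (EventID 1 =
# process create, 11 = file create, 13 = registry value set). Not real logs;
# only the rundll32 command line itself comes from the BlackBerry write-up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "C:\\Windows\\system32\\rundll32.exe BugSplatRc64.dll,InitiateDs"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\BugSplatRc64.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BugSplat",
     "Details": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\BugSplatRc64.dll,InitiateDs"},
    # Benign controls: Windows itself runs rundll32 with System32 DLLs, and
    # ordinary installers drop DLLs into Temp without involving rundll32.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"EventID": 11, "Image": "C:\\Program Files\\Installer\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
]

DLL_EXPORT = re.compile(r'([^\s"]+\.dll),\s*(\w+)', re.IGNORECASE)   # "<dll>,<Export>"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Users|ProgramData|Temp)\\", re.IGNORECASE)


def is_rundll32(image):
    return PureWindowsPath(image).name.lower() == "rundll32.exe"


def dll_outside_windows_dir(dll):
    """True for a bare filename (resolved from the current directory, e.g. a
    mounted .ISO) or any absolute path not under C:\\Windows (simplification:
    a single system drive is assumed)."""
    p = PureWindowsPath(dll)
    if not p.drive:
        return True
    return not str(p).lower().startswith("c:\\windows\\")


def triage(events):
    """Return (rule_name, event) pairs for records matching the persistence chain."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and is_rundll32(ev["Image"]):
            m = DLL_EXPORT.search(ev["CommandLine"])
            if m and dll_outside_windows_dir(m.group(1)):
                findings.append(("rundll32_untrusted_dll_export", ev))
        elif eid == 11 and is_rundll32(ev["Image"]):
            target = ev["TargetFilename"]
            if target.lower().endswith(".dll") and USER_WRITABLE.search(target):
                findings.append(("rundll32_drops_dll_in_user_dir", ev))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            details = ev.get("Details", "")
            if "rundll32" in details.lower() and USER_WRITABLE.search(details):
                findings.append(("run_key_rundll32_user_dll", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "->", ev.get("CommandLine") or ev.get("TargetFilename") or ev.get("TargetObject"))
```

Any one rule alone is noisy on a real estate; the value is in correlating all three on the same host within a short window, with the beacon to the Notion API as a fourth signal where proxy logs are available.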

BlackBerry Research & Intelligence Team, NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine, blog post, 14 March 2023. Available online at https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine.

US DoJ, German Bundeskriminalamt Take Down Darknet Cryptocurrency Mixer

Despite popular belief to the contrary, cryptocurrencies such as Bitcoin do not provide complete anonymity; both police intelligence services and commercial forensics companies have developed techniques for tracking Bitcoin transactions to the destination wallets. Clearly, this poses a problem for cybercriminals such as ransomware groups, who want to use cryptocurrency as an untraceable form of international payment.

The solution has been so-called 'mixer' services, which run deposited Bitcoin (and other cryptocurrencies) through multiple rounds of transactions before depositing the total into a destination wallet, making it hard for analysts to trace in the process. Effectively, it's a highly randomized, automated form of money laundering.

Now, a coordinated operation between the US Department of Justice and the German Bundeskriminalamt has seen the seizure of two domains, a Github account, and the back-end servers of the ChipMixer service, along with over $US46 million in cryptocurrency. At the same time, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged in Philadelphia with money laundering, operating an unlicensed money transmitting business and identity theft in connection with ChipMixer. If convicted, he faces a maximum of 40 years in jail.

Although ChipMixer had a domain on the public Internet, its main operation was a Tor hidden service which was used by a large criminal clientele to launder the proceeds of their crimes. Between August 2017 and March 2023, ChipMixer processed:

  • $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
  • Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
  • More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement;
  • More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
  • Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.

"ChipMixer facilitated the laundering of cryptocurrency, specifically Bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection", said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. "Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine the public’s confidence in cryptocurrencies and blockchain technology. We thank all our partners at home and abroad for their hard work in this case. Together, we cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security."

DoJ Office of Public Affairs, Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer that Processed Over $3 Billion of Unlawful Transactions, news release, 15 March 2023. Available online at https://www.justice.gov/opa/pr/justice-department-investigation-leads-takedown-darknet-cryptocurrency-mixer-processed-over-3.

Ransomware Group Gives Up Encryption, Focuses on Exfiltration

A new report from Redacted details the recent operations of the BianLian ransomware gang. Like many such groups, the ransom revenue they get from their activities has allowed them to thrive, polishing their tactics and techniques and hitting ever more victims. However, there is a new twist in their operations.

Where ransomware gangs once simply encrypted the victims' files, holding them hostage until a ransom was paid and a decryption key released, many if not most ransomware operators have since added a second string to their bow: exfiltrating data and threatening to release it publicly so as to embarrass the victim (or their customers or patients). This in part explains why they have singled out the healthcare sector for special attention. In other cases, they have ransomed identity information which can be sold to other cybercriminals for identity theft attacks.

Now BianLian have taken the obvious next step. Following the release (by Avast) of a decryption tool that would allow victims to recover their files, the group has decided to skip the encryption step and focus instead on extorting a payment in return for not releasing exfiltrated files. In addition, they have also invested more effort in research allowing them to tailor their threats to the victim, investigating relevant laws and regulations that might specifically apply.

The Redacted report contains a full analysis of tactics and techniques, as well as IOCs such as digest values, active and historical IP addresses and more.

Fievisohn, Lauren, Brad Pittack and Danny Quist, BianLian Ransomware Gang Continues to Evolve, blog post, 16 March 2023. Available online at https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/.


Les Bell
by Les Bell - Thursday, March 16, 2023, 2:33 PM
Anyone in the world


News Stories


Latitude Financial Hit With Customer Data Breach

Shares in lender and digital payment processor Latitude Group Holdings have been suspended from trading on the ASX following their notification of a cyber incident. In their announcement, the firm stated that "unusual activity" detected over the last few days "is believed to have originated from a major vendor used by Latitude". Despite Latitude taking immediate action, the attackers were able to obtain employee credentials and then use those to steal information held by two other service providers.

From the first provider, the attackers stole approximately 103,000 identification documents - more than 97% of them drivers' licences - while approximately 225,000 customer records were stolen from the second service provider.

Latitude has shut down some systems - both internal and customer-facing - while it works to contain the attack in collaboration with external specialists and the Australian Cyber Security Centre. It is also contacting the affected customers.

Here we go again; this is the second breach of identity documents, specifically drivers' licences, in recent months (the first being from Optus). Replacement of drivers' licences is a particularly painful process, and there is a lesson to be learned here about the retention of documents used for identity verification after that process has been performed. Identity documents should be viewed as a potential liability and not an information asset. If we don't fix this, expect legislation.

Gardy, Mark, Cyber Incident, ASX Announcement, 16 March 2023. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02644401.

Microsoft 365 CVSS 9.8 Vulnerability Being Exploited in the Wild

A couple of days ago, the US Cybersecurity & Infrastructure Security Agency added three new "known exploited vulnerabilities" to its catalog. One of these is CVE-2023-23397 (see also Microsoft's vulnerability page), which has variously been categorised as a remote code execution or privilege escalation vulnerability in Microsoft Outlook. Most significantly, this vuln merits a CVSS 3.x score of 9.8, which makes it critical.

The vulnerability allows a remote and unauthenticated attacker to obtain a victim's logon credentials by simply sending a specially-crafted malicious email. But it gets worse: the victim doesn't even need to look at the email. As Microsoft notes, the code in the malicious email "triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane". The code then executes a pass-the-hash attack by sending the victim's NTLMv2 hash to a C2 server the attacker controls, allowing the attacker to reuse the hash with other services.

The vulnerability is present in both 32-bit and 64-bit versions of Microsoft 365 for Enterprise, as well as Microsoft Office 2013, 2016 and 2019. Interestingly, according to MDSec - who reverse-engineered one mitigation approach in order to create a proof-of-concept - the vulnerability actually exists in the Outlook code which allows the user to select an audio file to be played when a reminder for a mail item is triggered. Cute, but unnecessary - remember, the enemy of security is complexity.

According to Microsoft's Threat Analytics reports, this exploit has been used against some 15 European government, military, energy and transport organizations since April 2022, with attribution to the Russian GRU unit APT28, a.k.a. Fancy Bear. And of course, now that a PoC is available, expect others to develop their own exploits, making patching even more critical.

Meanwhile, suggested mitigations include disabling the use of NTLMv2 authentication by adding users to the "Protected Users" security group, as well as blocking outbound traffic on TCP port 445 (SMB).

Chell, Dominic, Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability, blog post, 14 March 2023. Available online at https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/.

Targett, Ed, Urgent: Microsoft 365 Apps being exploited in wild through CVSS 9.8 bug, The Stack, 14 March 2023. Available online at https://thestack.technology/critical-microsoft-outlook-vulnerability-cve-2023-23397/.

CISA Known Exploited Vulnerabilities Updates

Since we mentioned them above, here are the latest additions to the CISA Known Exploited Vulnerabilities Catalog:

  • CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability (covered above)
  • CVE-2023-24880 - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2022-41328 - Fortinet FortiOS Path Traversal Vulnerability
  • CVE-2023-26360 - Adobe ColdFusion Improper Access Control Vulnerability

In fact, Adobe has released security updates for a number of their products; here are the relevant Adobe Security Bulletins:

CISA, CISA Adds Three Known Exploited Vulnerabilities to Catalog, Alert, 14 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/14/cisa-adds-three-known-exploited-vulnerabilities-catalog.

CISA, CISA Adds One Known Exploited Vulnerability to Catalog, Alert, 15 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/15/cisa-adds-one-known-exploited-vulnerability-catalog.

CISA, Adobe Releases Security Updates for Multiple Products, Alert, 14 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/14/adobe-releases-security-updates-multiple-products.


Les Bell
by Les Bell - Wednesday, March 15, 2023, 12:21 PM
Anyone in the world


News Stories


Plan for TLS Certificate Renewal Automation

The Chromium Project, which underlies the Chrome browser as well as Microsoft's Edge browser, has announced that it is planning to introduce a proposed maximum "term limit" of 7 years for root CAs, as well as a maximum validity period of 3 years for subordinate CAs, and has submitted these proposed changes to the CA/Browser Forum Server Certificate Working Group for consideration. It is not clear whether Google will unilaterally enforce these changes in Chrome if the Working Group rejects them.

Of more pressing concern for most readers, however, is the related proposal to reduce the maximum validity period for TLS server certificates from 398 days to just 90 days. This is just a continuation of a long-standing trend - the maximum validity period used to be three years, but was then reduced to two years and, most recently, to just over a year. I have routinely warned course attendees against buying long-validity certificates, since most CAs do not distribute CRLs for server certificates and a compromise could allow an attacker to masquerade as the victim server for anything up to three years.

The rationale for a 90-day validity is to allow for faster adoption of emerging security capabilities and best practices, as well as promoting cryptographic agility - a 90-day validity will make it easier to quickly adopt new post-quantum algorithms.

I long ago adopted the practice of documenting the certificate renewal procedure for our certificates - a process which was frustrated by continual changes at the CA, which made certificate renewal an unnecessarily stressful and error-prone process. Readers who only manage one or two certificates for annual renewal will recognise the problem and view the prospect of manual renewal every three months with some horror. Fortunately, there is a solution.

The ACME (Automatic Certificate Management Environment) protocol enables automatic lifecycle management of TLS certificates. For example, it automates the domain verification step required by the CA - otherwise performed manually by email or creation of a text file containing a hash value on the web server - as well as the generation of a private key and submission of a Certificate Signing Request and the receipt of the issued certificate. Some ACME clients can even install the new certificate and configure the web server to use it.

The most popular ACME client is the Electronic Frontier Foundation's certbot, which is available via the standard package manager for many Linux distributions and has quite comprehensive online instructions. However, Let's Encrypt provides a useful list of alternative clients.

In a timely coincidence, Google Trust Services has announced that it will now provide free TLS certificates for Google Domains customers, and their blog post walks users through the process of installing the required API key and then using the Certbot client to register an account and obtain a certificate.
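As an added illustration of the domain verification step described above (the "text file containing a hash value" that the ACME client publishes on the web server), here is a Python sketch that is not from the page, certbot or Let's Encrypt: it derives the HTTP-01 key authorization from the account key and shows the comparison the CA makes when it fetches the challenge file. The account key and token are sample values taken from the JOSE and ACME RFC examples, not a real account.

```python
"""
ACME HTTP-01 domain validation: the key authorization an ACME client must
publish, and the check the CA performs (RFC 8555 sections 8.1 and 8.3,
RFC 7638 JWK thumbprint).

Added example, not code from the page, certbot or Let's Encrypt.
"""
import base64
import hashlib
import json

# Members that enter the thumbprint, per key type (RFC 7638 section 3.2);
# optional members such as "use", "alg" or "kid" are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Sample account public key (the P-256 example point from the JOSE RFCs) and
# the example token from RFC 8555. Neither is real account material.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",  # extra member: must not change the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    Canonical form = required members only, keys in lexicographic order, no
    whitespace. Any other serialisation yields a different (wrong) digest.
    """
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from None
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client serves at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the fetched body must equal the expected key authorization.

    RFC 8555 section 8.3 lets the server ignore whitespace after the body
    (a file written with a trailing newline still validates); nothing else
    is tolerated, so a stale token or another account's key fails.
    """
    expected = key_authorization(token, account_jwk)
    return served_body.rstrip(" \t\r\n") == expected


if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"serve at /.well-known/acme-challenge/{SAMPLE_TOKEN}:")
    print(body)
    print("valid:", validate_http01(body + "\n", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The same thumbprint binds the authorization to the account key, which is why a challenge file left behind from a previous account cannot be replayed by a different one.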

Electronic Frontier Foundation, Certbot, web page, undated. Available online at https://certbot.eff.org/.

Let's Encrypt, ACME Client Implementations, web page, 29 June 2022. Available online at https://letsencrypt.org/docs/client-options/.

Uncredited, Moving Forward, Together, Chromium Project page, 3 March 2023. Available online at https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/.

Warner, Andy and Carl Krauss, Google Trust Services now offers TLS certificates for Google Domains customers, blog post, 2 March 2023. Available online at https://security.googleblog.com/2023/03/google-trust-services-now-offers-tls.html.

Blackcat Turns Nasty

In yet another example of the consequences of not paying ransom demands, the Russia-based Blackcat ransomware group has made good on threats against a medical practice in Lackawanna County, Pennsylvania. In February, the group compromised a radiation oncology system which stored photographs of patients undergoing cancer treatment, but the Lehigh Valley Health Network refused to pay the ransom demand.

A few weeks later, Blackcat threatened to publish data stolen from the system, claiming "We are ready to unleash our full power on you!". Now they have followed through, releasing graphic images of patients who are undergoing treatment for breast cancer, along with 7 documents containing patient information.

This is another step in an escalation by ransomware operators, as they attempt to deal with victims who refuse to pay up. As the media covers more and more cases of ransomware attacks, the public is coming to understand how aggressive the ransomware operators are and just how difficult perfect defence is, as well as the fact that paying only encourages cybercriminals.

It would be going too far to say the public - especially the directly affected victims - are sympathetic to compromised enterprises, but they are now in no doubt that the bad guys are the attackers, not the companies they breach. But it certainly makes it easier for affected companies to refuse to pay people who commit such heinous crimes.

In related news, Amazon's Ring smart doorbell division is denying that it has fallen victim to a ransomware attack by a group called ALPHV, which is known to use Blackcat. However, leaked internal chats suggest that Ring's security teams are working on something.

Newman, Lily Hay, Ransomware Attacks Have Entered a ‘Heinous’ New Phase, Wired, 13 March 2023. Available online at https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/.

Truță, Filip, Amazon’s Ring Denies Hackers’ Claims of Ransomware Infection, Bitdefender blog, 15 March 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/amazons-ring-denies-hackers-claims-of-ransomware-infection/.


Les Bell
by Les Bell - Tuesday, March 14, 2023, 4:01 PM
Anyone in the world


News Stories


Emotet Bloats Files to Avoid Detection

Emotet, a botnet operation which originally started as a banking trojan back in 2014, has emerged again after a three-month hiatus, according to analysts at Trend Micro. To date, the Emotet operators have built three different botnets, known as Epochs 1, 2 and 3, but in the last few weeks Epoch 4 has emerged, delivering malmails to victims.

The primary infection technique is the use of macros in malicious Microsoft Office documents. While Microsoft disabled the execution of macros in files which bear the Mark of the Web, the document template employs social engineering techniques to trick the user into enabling macros. The Emotet crew have also taken to binary padding the documents, increasing the file size to well over 500 MBytes in order to avoid being scanned by anti-malware products - this works because the padding comprises only null (0x00) bytes, so that the compressed version originally downloaded is very much smaller.
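An added triage heuristic for the evasion just described (not from the page or Trend Micro): it measures the trailing run of 0x00 bytes and the compression ratio of a sample, and strips the padding so that the real payload can still be scanned when the padded file exceeds the engine's size cap. The size cap, the thresholds and the embedded samples are constructed assumptions for illustration.

```python
"""
Binary-padding triage: what a scanner or a SOC intake script can do with a
suspiciously huge document that consists mostly of 0x00 bytes.

Added example, not from the page or Trend Micro. The size cap and the
thresholds are assumptions chosen for illustration; tune them to the engine.
"""
import hashlib
import zlib
from dataclasses import dataclass
from typing import Tuple

DEFAULT_SIZE_CAP = 200 * 1024 * 1024   # assumed per-file scan limit of an AV engine


@dataclass
class PaddingReport:
    size: int
    trailing_zero_bytes: int
    compressed_size: int

    @property
    def zero_fraction(self) -> float:
        return self.trailing_zero_bytes / self.size if self.size else 0.0

    @property
    def compression_ratio(self) -> float:
        return self.size / self.compressed_size if self.compressed_size else 0.0


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the file (the padding)."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyse(data: bytes) -> PaddingReport:
    """Cheap metrics: a padded dropper is nearly all zeros and compresses by
    orders of magnitude, which is exactly why the download looked small."""
    return PaddingReport(
        size=len(data),
        trailing_zero_bytes=trailing_zero_run(data),
        compressed_size=len(zlib.compress(data)),
    )


def looks_padded(report: PaddingReport, min_zero_fraction: float = 0.5,
                 min_ratio: float = 20.0) -> bool:
    """Assumed thresholds: over half the file is trailing zeros AND it shrinks 20x or more."""
    return (report.zero_fraction >= min_zero_fraction
            and report.compression_ratio >= min_ratio)


def triage(data: bytes, size_cap: int = DEFAULT_SIZE_CAP) -> Tuple[str, bytes]:
    """Return (verdict, bytes_to_scan).

    Files under the cap are scanned as-is. Oversize files are not silently
    skipped: if they look padded, the padding is stripped and the remaining
    prefix (where the real document or DLL lives) is handed to the scanner;
    otherwise they are queued for manual review.
    """
    if len(data) <= size_cap:
        return "scan", data
    if looks_padded(analyse(data)):
        return "padded-strip-and-scan", data.rstrip(b"\x00")
    return "oversize-manual-review", b""


def _pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic, incompressible filler standing in for real document content."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a 64 KB "document" with 4 MB of null padding appended,
# and the same kind of document without padding.
SAMPLE_PADDED = _pseudo_random(64 * 1024) + b"\x00" * (4 * 1024 * 1024)
SAMPLE_PLAIN = _pseudo_random(64 * 1024)
```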

The document macro will download a ZIP file from any of seven C2 servers, then extract the contents to a folder before using regsvr32.exe to load a DLL file in order to infect the victim machine. Once the machine is infected, Emotet will run infostealer and spam relay routines, which it creates by copying the certutil.exe utility, starting the copy in a suspended state and then replacing its code by process hollowing.

The increasing use of evasion and anti-forensic techniques highlights the importance of security education, training and awareness; alert and suspicious users really are the last line of defence against these kinds of attacks.

Kenefick, Ian, Emotet Returns, Now Adopts Binary Padding for Evasion, blog post, 13 March 2023. Available online at https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html.

Infostealers Spread to Crackers via AI-Generated YouTube Videos

Just about the most vulnerable users on the Internet are those who want to use pirated copies of expensive software by cracking the copy protection and licence-checking features of these programs. The web is rife with malware binaries which claim to crack popular programs, but which really infect the naive victim's machine.

By now, these victims must be getting gun-shy, so often are they infected (although they may not even realize it, in some cases). As a result, simple Google ads and forum posts are decreasingly effective, and the malware operators are looking for new ways to social-engineer their victims into downloading their warez.

Their latest technique, according to CloudSEK researchers, is to use YouTube videos to appeal to the victims; after all, real people must be more trustworthy than featureless and anonymous ads, right? But actually, the videos do not feature real people at all - they are generated by artificial intelligence platforms like Synthesia and D-ID, with facial features designed to appeal to the victims, and pretend to be tutorials on how to download cracked versions of software products like Photoshop, Premiere Pro, AutoCAD and others.

In order to reach as many victims as possible, as quickly as possible, the hackers will use a variety of techniques such as phishing to take over popular YouTube accounts - ideally, with 100,000 subscribers or more. They then upload their fake video(s), adding fake comments to lend credibility to the content, and using region-specific SEO tags to improve the video's search engine rankings. For a popular YouTube channel, it will not take long for the channel owner to discover the hack and regain control, but if the video remains online for even a few hours, they can still infect hundreds of victims. On less active channels, the videos can remain online for months at a time, especially if the channel owner simply never bothers to reclaim their channel.

This entire process is highly automated, making it an efficient operation. Typically, the malware payload will be an infostealer such as Vidar, Redline or Raccoon, and it will plunder the victim's credentials, cryptocurrency wallets and other applications.

M, Pavan Karthick and Deepanjli Paulraj, Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware, blog post, 13 March 2023. Available online at https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware.

Free Economics Glossary

Courtesy of security maven Robert Slade comes a highly useful resource for cybersecurity management professionals: a glossary of economics terms. Given that a common complaint of boards and C-suites is that security wonks just don't understand business, this could be a way of fighting back. Granted, it is restricted to purely economics terms - from 'absolute advantage' to 'zero-sum game' - and doesn't cover wider business jargon, but then, so much of that is mal-adapted from the tech world anyway (exhibit 1: the way business has adopted the term "agile", perverting it along the way).

Uncredited, The A to Z of economics, online glossary, undated. Available online at https://www.economist.com/economics-a-to-z.


Les Bell
by Les Bell - Monday, March 13, 2023, 5:17 PM
Anyone in the world


News Stories


Fake ChatGPT Extension Steals Facebook Ad Accounts

A few weeks ago we reported that hackers were capitalizing on the enormous public interest in ChatGPT to create fake websites as well as fake ChatGPT apps which would install infostealers such as Redline, Aurora and Lumina. Now, AV firm Guardio has found and analyzed yet another example being promoted via Facebook sponsored posts. This time it is a Chrome extension which claims to provide - and in fact is called - "Quick access to Chat GPT".

The extension is actually a trojan horse, in that it does exactly what it promises, by providing an interface to the official ChatGPT API - but it is also a browser-based infostealer. Once installed, it will steal cookies for any active sessions, and also will take over the victim's Facebook account. What is particularly interesting is that, once the stealer has gained access to a high-profile Facebook business account, it will use it to create more sponsored posts, promoting its own installation at the expense of the victim. And because the extension has full access to the browser, it can also make use of an authenticated session to the Meta Graph API and can perform a variety of other actions.

The data harvested will likely be sold off - including any ChatGPT queries the extension sends on behalf of the victim. But possibly the big payoff will be the full access to Facebook business accounts that the extension gets for the attackers.

Guardio's blog post provides a detailed analysis of the malicious extension's techniques and procedures, as well as IOCs.

Tal, Nati, “FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs, blog post, 9 March 2023. Available online at https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-stealing-facebook-ad-accounts-with-4c9996a8f282.

BatLoader Continues to Evolve

eSentire's Threat Response Unit has produced a report detailing their monitoring of the continued evolution of BatLoader. We first reported on BatLoader back in November of last year; at that time, VMware's Carbon Black MDR analysts had identified it as being a derivative of the earlier Zloader, which in turn traces back to the old Zeus banking trojan.

eSentire watched the BatLoader operators throughout February as they registered a number of domains which typosquat on popular application and brand names by simply adding a few characters to the end of the brand name, e.g. adobe-l[.]com as opposed to adobe.com. Using this technique, they are spoofing Adobe, Tableau, Spotify, Zoom and - inevitably (because it works!) - ChatGPT. These domains are then used to host fake download pages which deliver Windows Installer files masquerading as the related applications, with the pages being promoted via Google Search ads.

In addition to installing the desired free application, the modified Windows Installer file contains custom actions which will execute commands - for example, installing Python (which seems to have replaced the previous versions' use of PowerShell), running pip to install other packages, and running Python programs. In this incarnation of BatLoader, the Python scripts use a technique found via Stack Overflow to achieve privilege escalation. As before, the loader is dropping payloads such as Ursnif and Cobalt Strike and, most recently, Vidar Stealer.

The eSentire TRU write-up provides recommended mitigations - primarily improved security education, training and awareness - as well as IOCs.

eSentire TRU, BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif, blog post, 9 March 2023. Available online at https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif.

