Les Bell and Associates Pty Ltd
Blog entries about Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Record DDoS Attack Reaches 900 Gbps
DDoS (Distributed Denial of Service) attacks continue to grow in intensity as botnet operators add more compromised systems to their networks. Now Akamai reports a record-breaking DDoS attack - the largest ever launched against one of their customers in the Asia-Pacific (APAC) region, with the attack traffic peaking at 900.1 gigabits per second and 158.2 million packets per second. The attack was not just intense, but was also short-lived, sustaining the peak for less than a minute and with the overall attack lasting just a few minutes.

(Credit: Akamai)
The attack was distributed across all 26 of Akamai's scrubbing centers, although Hong Kong, Tokyo, São Paulo, Singapore, and Osaka saw the most traffic. 48% of the traffic was in-region. Akamai reports that, thanks to its proactive DDoS capabilities, there was no collateral damage.
Sparling, Craig, Akamai Mitigates Record DDoS Attack in Asia-Pacific (900 Gbps), blog post, 8 March 2023. Available online at https://www.akamai.com/blog/security/record-breaking-ddos-in-apac.
APT Targets SonicWall Appliances
Firewalls are particularly attractive targets for threat actors; after all, compromising a firewall opens up the possibility of many new attacks on the network the firewall is defending, and there's also an opportunity to capture all kinds of useful traffic flowing through the firewall to and from a network the attacker cannot yet reach. Firewalls therefore have to be treated as bastion hosts and staunchly defended against attack - they are absolutely not a set-and-forget "solution" (I hate that word!).
An example of this is a campaign recently identified by Mandiant, working in partnership with SonicWall's Product Security and Incident Response Team (PSIRT). Analysis of a compromised machine revealed a number of malware files which give the attacker highly privileged access to the appliance, as well as allowing long-term persistence. The files mostly consist of bash scripts, along with one ELF executable which is a variant of the TinyShell backdoor.
| Path | Hash | Function | 
|---|---|---|
| /bin/firewalld | e4117b17e3d14fe64f45750be71dbaa6 | Main malware process | 
| /bin/httpsd | 2d57bcb8351cf2b57c4fd2d1bb8f862e | TinyShell backdoor | 
| /etc/rc.d/rc.local | 559b9ae2a578e1258e80c45a5794c071 | Boot persistence for firewalld | 
| /bin/iptabled | 8dbf1effa7bc94fc0b9b4ce83dfce2e6 | Redundant main malware process | 
| /bin/geoBotnetd | 619769d3d40a3c28ec83832ca521f521 | Firmware backdoor script | 
| /bin/ifconfig6 | fa1bf2e427b2defffd573854c35d4919 | Graceful shutdown script | 
The main malware script, /bin/firewalld, starts by executing the TinyShell backdoor with command-line arguments that get it to create a reverse or 'shovel-back' shell which connects outwards to the attacker's C2 server at a specific date/time. From there, it scans every file on the system, likely to perform credential theft, executing SQL commands on the sqlite3 database /tmp/temp.db (which contains session information including hashed credentials) and also executing other components. The /bin/firewalld script is started by /etc/rc.d/rc.local in the event of a reboot.
/bin/iptabled is essentially the same script, presumably in order to provide a degree of resilience. The two scripts each check to see if the other is running, and start it if it is not. You will notice the innocuous filenames here - these are exactly the kind of filenames you would expect to see on a firewall machine - although not in these locations.
However, a firmware update could overwrite these files. In order to avoid that, the /bin/geoBotnetd script checks every ten seconds for a new firmware upgrade to appear at /cf/FIRMWARE/NEW/INITRD.GZ, and if it does, effectively re-packages it to contain the malware scripts, ready for installation. Finally, the main malware script also modifies the main SonicWall binary firebased to call the /bin/ifconfig6 script on shutdown - this simply brings the eth0 network interface down, sleeps for 90 seconds and then shuts the system down as it normally would. Presumably this is a quick fix for some problem the attackers encountered.
The techniques used in this campaign are similar to those used in previous attacks by Chinese threat actors on Pulse Secure VPN devices as well as attacks on Fortinet devices. For this reason, Mandiant suspects a Chinese threat actor, which it currently tracks as UNC4540, is behind this campaign.
Lee, Daniel, Stephen Eckels and Ben Read, Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices, blog post, 8 March 2023. Available online at https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall.
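As an added example (not Mandiant's or SonicWall's tooling), the following Python check walks an offline copy of an appliance filesystem and reports files sitting at the paths in the table above, as well as files anywhere in the tree whose MD5 matches one of the listed hashes. The paths and hashes come from the table; the function names and the finding categories are my own. Since the campaign also modifies the firebased binary, results from a mounted image are more trustworthy than anything run on the live appliance.

```python
import hashlib
import os
from pathlib import Path

# Paths (relative to the appliance root) and MD5 hashes from the Mandiant table above.
SONICWALL_IOCS = {
    "bin/firewalld": "e4117b17e3d14fe64f45750be71dbaa6",
    "bin/httpsd": "2d57bcb8351cf2b57c4fd2d1bb8f862e",
    "etc/rc.d/rc.local": "559b9ae2a578e1258e80c45a5794c071",
    "bin/iptabled": "8dbf1effa7bc94fc0b9b4ce83dfce2e6",
    "bin/geoBotnetd": "619769d3d40a3c28ec83832ca521f521",
    "bin/ifconfig6": "fa1bf2e427b2defffd573854c35d4919",
}


def md5_of_file(path) -> str:
    """MD5 is used only because that is the hash the report supplies."""
    h = hashlib.md5()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_image(root, iocs=SONICWALL_IOCS):
    """Walk a mounted, read-only copy of the appliance filesystem at `root`.

    Findings come in three kinds (categories are an assumption of this example):
      path+hash  file at a listed path with the listed hash (confirmed IOC)
      path-only  file at a listed path but a different hash: a variant, or a
                 legitimate file (rc.local is a normal boot script on many
                 systems), so review its contents by hand
      hash-only  a listed hash found under another name (renamed component)
    """
    root = Path(root)
    by_hash = {h: p for p, h in iocs.items()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            fp = Path(dirpath) / name
            if fp.is_symlink() or not fp.is_file():
                continue
            rel = fp.relative_to(root).as_posix()
            digest = md5_of_file(fp)
            if rel in iocs:
                kind = "path+hash" if digest == iocs[rel] else "path-only"
                findings.append({"path": rel, "md5": digest, "kind": kind})
            elif digest in by_hash:
                findings.append({"path": rel, "md5": digest,
                                 "kind": "hash-only", "known_as": by_hash[digest]})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    # Usage: python scan.py /mnt/appliance-image
    for finding in scan_image(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```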
Tips on Avoiding LDAP Injection Attacks
LDAP - the Lightweight Directory Access Protocol - is often used as part of authentication by web applications, especially for single sign-on across disparate applications. This makes LDAP injection - a close relative of the better known SQL injection - an attractive technique for attackers; they can use it to enumerate user accounts or credentials, log in without a valid password or even perform privilege escalation attacks.
A nicely-written short blog post from Trend Micro gives a brief rundown with examples of LDAP injection techniques, as well as advice on mitigation.
Trend Micro DevOps Resource Center, How to Avoid LDAP Injection Attacks, blog post, 9 March 2023. Available online at https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.html.
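As an added example (not code from the Trend Micro post or this blog), here is the core mitigation in Python: untrusted input is escaped according to the grammar of the place it lands in, RFC 4515 for search filters and RFC 4514 for distinguished names, and the password is never placed in a filter at all; the application looks the account up and then binds as that DN. The function names and the StubDirectory stand-in are my own.

```python
"""LDAP injection mitigation: escape for the right grammar, and never put a
password into a search filter. Added example; names are the author's own."""

# RFC 4515: characters that change the structure of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search-filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value (RFC 4514). The rules differ from filter
    escaping: '*' and '(' are harmless in a DN, while , + " \\ < > ; and
    leading/trailing spaces (or a leading '#') are not."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str) -> str:
    """Filter that looks up one account by uid. The password is deliberately
    not in the filter: (userPassword=...) comparisons give injection a second
    foothold and treat the stored credential attribute as searchable data."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def user_dn(username: str, base_dn: str) -> str:
    """DN used for the bind step."""
    return f"uid={escape_dn_value(username)},{base_dn}"


def is_well_formed_login(username: str, max_len: int = 64) -> bool:
    """Allow-list check applied before escaping: a uid is a short printable
    token without whitespace; anything else is rejected outright."""
    return (0 < len(username) <= max_len and username.isprintable()
            and not any(ch.isspace() for ch in username))


def authenticate(conn, base_dn: str, username: str, password: str) -> bool:
    """Lookup-then-bind. `conn` is any object exposing
    search(base_dn, ldap_filter) -> list of DNs and bind(dn, password) -> bool;
    the interface is an assumption, not a particular LDAP library."""
    if not is_well_formed_login(username) or not password:
        return False
    matches = conn.search(base_dn, user_search_filter(username))
    if len(matches) != 1:  # no such account, or an ambiguous result
        return False
    return conn.bind(matches[0], password)


class StubDirectory:
    """Minimal stand-in for a directory server, constructed for this example
    so authenticate() runs offline. It answers only the exact filter shape
    produced by user_search_filter(), so an escaped metacharacter in the
    username can never match a different account."""

    def __init__(self, base_dn: str, accounts: dict):
        self.base_dn, self.accounts = base_dn, accounts  # uid -> password

    def search(self, base_dn: str, ldap_filter: str) -> list:
        for uid in self.accounts:
            if base_dn == self.base_dn and ldap_filter == user_search_filter(uid):
                return [user_dn(uid, base_dn)]
        return []

    def bind(self, dn: str, password: str) -> bool:
        uid = dn.split(",", 1)[0][len("uid="):]
        return self.accounts.get(uid) == password
```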
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
     
     Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
Acer Confirms Breach
It seems like only yesterday we reported on the alleged exfiltration of 160 GB of assorted product information and strategic presentations from Taiwanese tech manufacturer Acer. (Oh, wait - it was.)
Now Acer has confirmed the breach, adding that they had "detected an incident of unauthorized access to one of our document servers for repair technicians. ... While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server". It seems that the breach is confined to Acer's intellectual property.
Hardcastle, Jessica Lyons, Acer confirms server intrusion after miscreant offers 160GB cache of stolen files, The Register, 8 March 2023. Available online at https://www.theregister.com/2023/03/08/acer_confirms_server_breach/.
Microsoft Introduces Local Security Authority Protection
The Local Security Authority (LSA) Subsystem process - lsass.exe - is responsible for enforcing the security policy on a Windows system. It authenticates users logging on, handles password changes and creates access tokens. In short, if an attacker can compromise this process, they own you and the machine, and possibly a chunk of your network.
The latest pre-release, Windows 11 Insider Preview Build 25314, released yesterday to the Canary Channel, adds a new feature called Local Security Authority protection. This prevents an entire class of attacks by preventing unsigned drivers and plugins from loading into the LSA. This could potentially cause some incompatibilities, but Microsoft says the company will audit for a period of time to check for these and if no incompatibilities are detected, LSA protection will automatically be turned on.
The setting for this can be seen in the Windows Security application under "Device Security" -> "Core Isolation".
Another security improvement in this build is the disabling of the Remote Mailslot Protocol. Mailslots were the NetBIOS equivalent of the UDP protocol - a simple, connectionless protocol - and hardly anything uses them these days.
Langowski, Amanda and Brandon LeBlanc, Announcing Windows 11 Insider Preview Build 25314, blog post, 8 March 2023. Available online at https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/.
Jenkins Vulnerabilities Allow RCE
Jenkins is an extremely versatile open-source cloud automation and orchestration server which is a near-essential part of the DevOps pipeline. Perhaps the key to its flexibility is its support for plugins. Now researchers at Aqua Nautilus have discovered a chain of vulnerabilities which they have dubbed CorePlague, in Jenkins Server and Update Center. Exploitation of these vulnerabilities - CVE-2023-27898 and CVE-2023-27905 - can allow an unauthenticated attacker to execute arbitrary code on the Jenkins server, leading to complete compromise of the system.
The key to the vulnerabilities is a stored XSS exploitable by a Jenkins plugin with a malicious core version, which the attackers upload to the Jenkins Update Center. The vulnerability will be triggered when the victim opens the Available Plugin Manager on their Jenkins Server, when the XSS allows the attacker to run arbitrary code using the Script Console API. The exploitation does not require the manipulated plugin to be installed - the malicious plugin could simply be on the public Jenkins Update Center.
The Jenkins team were notified back in January, and have issued patches for both the Jenkins Server and for the Jenkins Update Center. Users should check their server versions and update.
Goldman, Ilay and Yair Kadkoda, CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE, blog post, 8 March 2023. Available online at https://blog.aquasec.com/jenkins-server-vulnerabilities.
News Stories
German and Ukrainian Police Bust DoppelPaymer Ransomware Gang
In late February, the German Regional Police (Landeskriminalamt Nordrhein-Westfalen) and the Ukrainian National Police (Націона́льна полі́ція Украї́ни), arrested suspected core members of the DoppelPaymer ransomware threat actor. The gang, which has ties to Russia, has been extorting large companies since 2019 - its most prominent victims include the UK's National Health Service and Duesseldorf University Hospital, the latter case resulting in the death of a woman who had to be urgently taken to another city for treatment.

Dirk Kunze, head of the cybercrime department of the North Rhine-Westphalia state police, said at least 601 victims had been identified worldwide, with US victims having paid at least $US42.5 million between May 2019 and March 2021. The group specialized in "big game hunting" and operated a professional recruitment operation, asking candidates for references for past cybercrimes and offering 'employees' paid vacations.
German officers raided the house of a German national who is believed to have been a key player in the group, and seized equipment which is being analyzed in order to determine his exact role. Ukrainian police officers interrogated a Ukrainian national following a simultaneous raid, and also searched two locations in Kiev and Kharkiv, seizing electronic equipment for forensic examination.
Three further suspects are beyond the reach of European law enforcement: Russian citizens Igor Turashev, 41, and Irina Zemlyanikina, 36, as well as Igor Garsin, 31, who was born in Russia but whose nationality is unknown. Turashev is also wanted by US authorities for his part in attacks carried out with BitPaymer, a predecessor to DoppelPaymer.
Europol Media Office, Germany and Ukraine hit two high-value ransomware targets, media release, 6 March 2023. Available online at https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets.
Jordans, Frank, European police, FBI bust international cybercrime gang, news report, 6 March 2023. Available online at https://apnews.com/article/germany-russia-europol-fbi-cybercrime-ukraine-ransomware-f0652c5ef0a281738a50ee02e4191413.
Intensive Spam Campaign Gets Woman Arrested
A Sydney woman was arrested by the Australian Federal Police at her home on 1 March, appearing before Penrith Local Court the following day where she was bailed to reappear on 11 April 2023. What got her arrested was a spamming campaign in which she is alleged to have used multiple domains to send - wait for it - 32,397 emails over a 24-hour period until she was arrested. That's more than an email every three seconds; isn't automation wonderful?
An ordinary spam campaign would not have triggered such rapid action, but all these emails were sent to the office of a Commonwealth Member of Parliament (hence the AFP taking an interest). The volume of emails impaired workers from operating office systems and prevented members of the public making contact with the office.
The woman was charged with one count of committing unauthorised impairment of electronic communication, contrary to section 477.3 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is 10 years’ imprisonment. Further charges have not been ruled out.
AFP Media, Woman charged for alleged cyber-attack against Federal MP, media release, 2 March 2023. Available online at https://www.afp.gov.au/news-media/media-releases/woman-charged-alleged-cyber-attack-against-federal-mp.
News Stories
Privileged Insider Defrauds Australian Museum
Australian Federal Police have executed a search warrant at the Macquarie Park (Sydney) home of a man, 23, arresting him in connection with an alleged cybercrime-enabled fraud against the Australian National Maritime Museum (ANMM). Police seized a number of electronic items including a laptop, hard drives and a mobile phone for forensic analysis.

(Photo credit: AFP)
The man appeared at Burwood Local Court on Friday 3 March on several charges:
- Two counts of unauthorised access and modification with intent to commit a serious computer offence, contrary to section 477.1 of the Criminal Code Act 1995 (Cth),
- Four counts of dishonestly obtaining or dealing in personal financial information, contrary to section 480.4 of the Criminal Code Act 1995 (Cth), and
- Five counts of dishonestly obtaining property by deception, contrary to section 192E of the Crimes Act 1900 (NSW).
The AFP will allege that the man was a contracted IT support worker for a third-party service provider, and that he accessed ANMM's accounts payable system and changed bank account details stored in the system to his own. It is further alleged that he obtained the financial details of several individuals and businesses, using the credit card information to make a series of unauthorised purchases.
In November 2023, the ANMM detected anomalies in provided financial information for some contractors, and called in independent forensic investigators who identified the extent of the issue. The AFP was then notified, and linked the alleged offender to the unauthorised access to several systems and servers.
AFP Detective Leading Senior Constable Clare Yammine said trusted insiders remained a very real threat to the Australian community, and put initial estimates of the total value of money allegedly diverted in this matter at $90,000.
“The AFP is committed to preventing and prosecuting cybercrime and fraud committed against Australians and businesses,” Leading Sen-Constable Yammine said.
AFP Media, Third-party IT contractor arrested for $90,000 fraud, media release, 4 March 2023. Available online at https://www.afp.gov.au/news-media/media-releases/third-party-it-contractor-arrested-90000-fraud.
Yet Another IoT Thing to Worry About: EV Charge Points
Researchers at specialist energy network security firm SaiFlow have found that cyber attackers can disable electric vehicle (EV) charge points and cause a denial of service by exploiting versions of the Open Charge Point Protocol (OCPP) that use WebSocket communications. OCPP is used for communication between the charge points (CP) and a central system management service (CSMS) which together form a charging station network.
The attack exploits two new vulnerabilities that were found in the OCPP standard. First, the standard does not specify how to handle more than one connection to a single charge point simultaneously. As a consequence, an attacker can disrupt the current connection between the CP and the CSMS by simply opening an additional "new" connection to the CSMS. To do this, the attacker also has to exploit a second vulnerability: weak authentication in OCPP.
SaiFlow's researchers tested this approach on multiple CSMS providers; some would close the original CP connection, effectively disconnecting the CP, while others will keep the connection but not use it. Both cases expose the charging station network to a DDoS attack, but the second case will also fail to notify the charge point operator that something is wrong. The attack can also expose some sensitive and personal information.
These vulnerabilities exist in OCPP 1.6J, which is the most commonly deployed; OCPP 2.0.1, which is only now rolling out, could also be vulnerable if authentication is not properly implemented.
Saposnik, Lionel Richard and Doron Porat, Hijacking EV Charge Points to Cause DoS, blog post, 1 February 2023. Available online at https://www.saiflow.com/hijacking-chargers-identifier-to-cause-dos/.
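The duplicate-connection weakness described above is a gap on the CSMS side, so as an added example (not SaiFlow's code, nor from any OCPP implementation) here is a Python sketch of the connection registry a CSMS could keep: one live session per charge point identity, credentials checked before anything else, a second connection for an identity with a live session refused, and every such event recorded as an operator alert rather than silently handled. The staleness timeout, the alert format and the peer addresses in the test are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class Session:
    conn_id: str      # transport-level WebSocket connection identifier
    peer: str         # remote address the connection came from
    last_seen: float  # time of the last message on this session


class ChargePointRegistry:
    """CSMS-side bookkeeping: at most one live session per charge point identity.

    Policy (an assumption of this example, not something the OCPP spec mandates):
    a new connection for an identity that already has a live session is rejected
    and alerted, unless the old session has sent nothing for `stale_after`
    seconds, in which case it is replaced and that replacement is also alerted.
    """

    def __init__(self, known_cps, stale_after: float = 90.0, clock=time.monotonic):
        self.known_cps = set(known_cps)   # provisioned charge point identities
        self.stale_after = stale_after
        self.clock = clock
        self.sessions = {}                # cp_id -> Session
        self.alerts = []                  # operator-facing events, oldest first

    def _alert(self, kind: str, cp_id: str, **details):
        self.alerts.append({"kind": kind, "cp_id": cp_id, **details})

    def connect(self, cp_id, conn_id, peer, credential_ok: bool, now=None):
        """Decide on a new WebSocket connection claiming identity `cp_id`.
        `credential_ok` is the transport layer's verdict on the credential
        presented (for OCPP 1.6J, HTTP Basic auth at the WebSocket upgrade)."""
        now = self.clock() if now is None else now
        if cp_id not in self.known_cps:
            self._alert("unknown-identity", cp_id, peer=peer)
            return ("reject", "unknown-identity")
        if not credential_ok:
            self._alert("auth-failure", cp_id, peer=peer)
            return ("reject", "bad-credentials")
        live = self.sessions.get(cp_id)
        if live is not None:
            if now - live.last_seen < self.stale_after:
                # The existing session is healthy: never let a newcomer displace it.
                self._alert("duplicate-connection", cp_id, peer=peer, existing_peer=live.peer)
                return ("reject", "duplicate-live-session")
            self._alert("stale-session-replaced", cp_id, old_conn=live.conn_id, peer=peer)
            self.sessions[cp_id] = Session(conn_id, peer, now)
            return ("accept", "replaced-stale-session")
        self.sessions[cp_id] = Session(conn_id, peer, now)
        return ("accept", "new-session")

    def heartbeat(self, cp_id, conn_id, now=None) -> bool:
        """Record traffic (e.g. a Heartbeat.req) on a session. Messages from a
        conn_id that is not the registered session are ignored."""
        now = self.clock() if now is None else now
        live = self.sessions.get(cp_id)
        if live is None or live.conn_id != conn_id:
            return False
        live.last_seen = now
        return True

    def disconnect(self, cp_id, conn_id) -> bool:
        """Release the session only if the closing connection actually owns it."""
        live = self.sessions.get(cp_id)
        if live is not None and live.conn_id == conn_id:
            del self.sessions[cp_id]
            return True
        return False
```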
News Stories
Mustang Panda Deploys New Backdoor
Mustang Panda (also identified as TA416, RedDelta and BRONZE PRESIDENT) is a China-based cyber-espionage threat actor that may have been operating since 2014, targeting a wide range of organizations in S.E. Asia, the US and Europe. Now ESET researchers report that the group has been running a campaign since January 2023 which is utilizing a new backdoor which seems to be completely original and not descended from existing malware or other publicly-available projects. The new malware, dubbed MQsTTang, is much simpler than the group's previous tools, consisting of only a single stage and using only the most basic evasion techniques.
The backdoor gets its name from its somewhat novel use of the standardized IoT messaging protocol MQTT for its C2 communication; as a side benefit, this allows the group to hide its C2 servers behind legitimate brokers. It provides only fairly limited functionality - at this stage, just remote command execution, with output sent back to the attackers.
The malware is distributed via spearphishing malmails, typically as RAR archives containing only a single executable, which usually has a name related to diplomacy and passports, suggesting the targets are political and government organizations. ESET has seen unknown entities in Bulgaria and Australia in their telemetry, but believe the campaign is targeting a Taiwanese government institution as well as others in Asia and Europe - Mustang Panda has dramatically increased its activities there since the Russian invasion of Ukraine.
The ESET report provides a detailed analysis along with a mapping to MITRE ATT&CK techniques as well as IOCs.
Côté Cyr, Alexandre, MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT, blog post, 2 March 2023. Available online at https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/.
Cryptomining Campaign Targets Redis Deployments
Redis is a popular in-memory NoSQL key-value database that is popular for real-time analytics and sharing session data in web server farms and cloud environments. Now Cado Labs researchers report on a cryptojacking campaign which targets insecure Redis deployments in order to install the XMRig cryptominer.
The basic initial access exploit is very simple: the insecure Redis instance is given a command which creates a simple cron job that runs every two minutes. This job will run the curl command to fetch a shell script, save it as .cmd and then invoke bash to execute it. What is novel about this is that it fetches the file from the free and open source transfer.sh command line file transfer service, rather than historically popular services like pastebin.com.
Once the script is running, it starts by un-hardening the system, disabling SELinux and setting the resolver to use public DNS servers. It also removes other cron jobs and frees up as much memory as possible, probably for use by XMRig - however, to do this it forces the kernel to drop some in-memory data structures which could severely impact performance for the legitimate applications on the system.
From there, this script clears log files, reconfigures iptables firewall rules, kills any competing cryptominers and downloads binaries for pnscan - which it will use to propagate itself - and XMRig, which then sets about mining Monero cryptocurrency.
The Cado Labs report provides more detail, along with IOCs.
Muir, Matt, Redis Miner Leverages Command Line File Hosting Service, blog post, 2 March 2023. Available online at https://www.cadosecurity.com/redis-miner-leverages-command-line-file-hosting-service/.
News Stories
Extra Chrome Security for Google Workspace Users
Many SMEs - and more than a few large ones - use Google Workspace, a SaaS application suite that takes away a lot of the maintenance chores that come with complex desktop software. The Google Workspace applications are accessed via a desktop browser, progressive web applications (PWAs) or phone apps, and while Firefox and other browsers will work, there's a natural tendency to use the Chrome browser.
Now an article in the Google Security Blog provides a number of advanced tips for Workspace Administrators on hardening Chrome configurations for their users. To quickly summarize:
- Bring Chrome under Cloud Management
- Enforce built-in protections against Phishing, Ransomware & Malware
- Enable Enterprise Credential Protections in Chrome
- Gain insights into critical security events via Audit Logs, Google Security Center or your SIEM of choice
- Mitigate risk by keeping your browsers up to date with latest security updates
- Ensure employees only use vetted extensions
- Ensure your Google Workspace resources are only accessed from Managed Chrome Browsers with protections enabled
- Enable BeyondCorp Enterprise Threat and Data Protections
Enabling these features effectively turns on a form of EDR in the browser; admins can detect when users enter their corporate credentials into other websites, navigate to malicious sites or download (or upload) malware files, restrict access to highly confidential applications to only users with strong authentication credentials, force automatic updates to Chrome and review the extensions users have installed. 
Nair, Kiran, 8 ways to secure Chrome browser for Google Workspace users, blog post, 1 March 2023. Available online at https://security.googleblog.com/2023/03/8-ways-to-secure-chrome-browser-for.html.
Bootkit Bypasses UEFI Secure Boot
One of the great advantages of Windows 11 - and one of the problems it poses for older hardware - is its secure boot facility. Using the keys in the Trusted Platform Module as the root of a chain of trust, it ensures that an unmodified set of operating system files load at boot time and blocks kernel-mode malware such as rootkits. There have previously been a few UEFI bootkits and rootkits, but they generally reside on an easily-discoverable FAT32 disk partition.
But now, there's a bootkit circulating in the wild that can bypass the UEFI Secure Boot feature in fully-patched Windows 11 systems. The bootkit, called BlackLotus, has been selling on hacking forums for $US5,000 since at least October 2022, according to ESET researchers.
The bootkit exploits CVE-2022-21894, a vulnerability that dates back to December 2021 and which was fixed in Microsoft's January 2022 update. However, the affected, validly signed binaries have still not been added to the UEFI revocation list - and BlackLotus takes advantage of this by carrying its own copies of the unpatched binaries.
The resultant bootkit can run on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled, and can disable security features such as BitLocker, Hypervisor-protected Code Integrity (HVCI - which Windows Device Security refers to as Memory Integrity) and Windows Defender. Once it has installed, the bootkit deploys a kernel driver and an HTTP downloader which communicates with its C2 and can download user-mode or kernel-mode payloads.
ESET's lengthy article provides a full analysis of BlackLotus's operation along with IOCs. Attribution is uncertain, but the fact that the installers do not run if the system locale is one of the Commonwealth of Independent States - i.e. the old Soviet bloc - may well be significant.
Smolár, Martin, BlackLotus UEFI bootkit: Myth confirmed, blog post, 1 March 2023. Available online at https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/.
Iron Tiger Takes a Bite of Linux
Iron Tiger (APT 27) has been in the cyber-espionage business for over a decade now, using their own custom malware to target foreign embassies in search of intelligence on the government, defence and technology sectors. One of their tools, called SysUpdate, is a versatile backdoor which can manage services, grab screenshots, search for, upload and download files, and execute commands. It uses a complex chain of loaders, probably in an attempt to evade detection.
According to a new report from Trend Micro, it seems that since late 2022, Iron Tiger has deployed a Linux version of SysUpdate, replacing the previously-used C++ class library with the ASIO C++ asynchronous library and producing ELF binaries. It seems likely that they will now produce a version targeting Mac OS. They also added a new C2 protocol, tunneling commands and responses in DNS TXT resource record requests - a feature which has also been seen in at least one sample of the Windows variant.
To date, the Linux variant has only been seen in one compromised victim, a gambling company in the Philippines - an industry which has attracted Iron Tiger before.
Lunghi, Daniel, Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting, blog post, 1 March 2023. Available online at https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
CISA Adds One Known Exploited Vulnerability
The US Cybersecurity & Infrastructure Security Agency has added another vulnerability to its Known Exploited Vulnerabilities Catalog, indicating that it is frequently used in the wild and poses a significant risk. CVE-2022-36537 affects the AuUploader component of the ZK Java framework, and has a CVSS 3.1 score of 7.5, making it a high risk.
According to CISA, "ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager".
Affected users should update their software to the latest version immediately.
Uncredited, CISA Adds One Known Exploited Vulnerability to Catalog, alert, 27 February 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/02/27/cisa-adds-one-known-exploited-vulnerability-catalog.
Post-Exploitation Framework Offers Attackers Lots of Options
A new post-exploitation framework - essentially a backdoor on steroids - known as EXFILTRATOR-22, or EX-22 for short, has emerged in underground marketplaces as a service available to threat actors, according to CYFIRMA. Whoever developed the framework is thoroughly familiar with defence evasion and anti-forensics techniques, and in promotions via Telegram and YouTube claims that the tools are completely undetectable by every antivirus and EDR vendor. The claim seems plausible - as of 13 February, the framework still had only 5/70 detections on online sandboxes.
The framework is highly functional, with a wide range of features:
- Reverse shell with elevated privileges, allowing remote command execution
- File download and upload
- Keylogger
- Ransomware functionality
- Screen capture
- Live VNC session, allowing both viewing of user activity and remote control
- Privilege escalation
- Persistence, so that the framework restarts after a reboot
- Lateral movement via a worm which can rapidly infect a large number of nearby devices
- LSASS Dump
- Stealing authentication tokens
In short, this is a very powerful toolkit which will be attractive to cybercriminals, even at quite high subscription rates ($US1000 per month and $5000 for lifetime access), especially in view of the low detection rates, which make it attractive by comparison with tools like Cobalt Strike and Brute Ratel.
According to the CYFIRMA researchers, similarities between EX-22 and both the code and the C2 infrastructure of the LockBit ransomware suggest that the two share the same developers, who are probably based in Asia, most likely SE Asia. Their report provides both a MITRE mapping and IOCs, as well as a detailed analysis.
CYFIRMA Research, EXFILTRATOR-22 - An Emerging Post-Exploitation Framework, February 2023. Available online at https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/.
Bitdefender Releases MortalKombat Decryptor
The MortalKombat ransomware spreads through phishing emails and exposed Remote Desktop Protocol (RDP) instances, installing itself via the BAT loader. Once it is running, it encrypts files, adding the unmissable file extension:
..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware
It also changes the desktop wallpaper to a Mortal Kombat theme and generates a ransom note called HOW TO DECRYPT FILES.txt.
Now Romanian security firm Bitdefender has released a free universal decryptor for the current version of MortalKombat. As well as the usual double-click execution, the decryptor can also be run silently from the command line, making it ideal for scripted repair of larger network infections.
Bitdefender, Bitdefender Releases Decryptor for MortalKombat Ransomware, blog post, 1 March 2023. Available online at https://www.bitdefender.com/blog/labs/bitdefender-releases-decryptor-for-mortalkombat-ransomware/.
News Stories
White Hat Arrested; Was Black Hat in Reality
Back in January, Dutch police arrested three men, aged between 18 and 21, in connection with ransomware attacks on thousands of companies, but continued their covert investigation, isolating two of the suspects, before finally laying charges of computer intrusion, data theft, extortion, blackmail and money laundering.
The three typically demanded a ransom of around €100,000, but in some cases as high as €700,000; the prime suspect, a 21-year-old from Zandvoort, earned approximately €2,500,000 in the last few years. Despite victims paying up, in many cases the exfiltrated data was leaked online anyway, demonstrating the futility of paying ransoms - as well as the old saw that there is no honour among thieves.
However, the most intriguing fact is that one of those arrested was reportedly an active member of the Dutch Institute for Vulnerability Disclosure, a government-backed group of ethical hackers. It seems he may have been living something of a double life.
Cluley, Graham, "Ethical hacker" amongst those arrested in Dutch ransomware investigation, blog post, 28 February 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/ethical-hacker-amongst-those-arrested-in-dutch-ransomware-investigation/.
LastPass Doubly Hacked; Compromised via WFH Engineer
When LastPass discovered an intrusion last August, they thought they had kicked out the attacker and that was the end of the matter. It wasn't.
In a support note posted online, the company has revealed that “the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022”.
The company was blindsided by the fact that the TTPs and IOCs of the two breaches were different, leading investigators to conclude they were not related. In fact, the attacker had stolen valid credentials from a senior DevOps engineer and was subsequently able to use these to access the company's AWS infrastructure. It was only when AWS GuardDuty alerts indicated that the attacker was trying to use cloud IAM roles to perform unauthorized activities that they woke up to the second attack.
So, how were those credentials obtained? According to the firm, "this was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
"The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."
LastPass called in Mandiant, and has undertaken extensive remedial work, which is detailed on their page. But at root, this demonstrates the risk of hybrid work and telecommuting with employees using personal devices.
Uncredited, Incident 2 – Additional details of the attack, support note, February 2023. Available online at https://support.lastpass.com/help/incident-2-additional-details-of-the-attack.
Hackers Capitalize on ChatGPT Fever
Like everyone else, your humble scribe has tinkered with OpenAI's public test of ChatGPT, the interactive front end to the GPT-3 (Generative Pre-trained Transformer) language model. It's impressive, easily providing me with code to integrate it into Google Chat - code that was almost correct, too. 
It's also amusing, because of the confident way it asserts completely incorrect information, only to back down and apologize when challenged - I suspect more than a few students will get a nasty surprise when essay submissions are returned to them after marking, as a result. However, I suspect all this experimenting is teaching us less about artificial intelligence and more about the average human's willingness to believe that whatever comes out of a computer must be correct.
Cybercriminals already know this, of course, and are quick to exploit it when any trend goes viral on social media. The latest example, therefore, is ChatGPT. Over the last week, I've repeatedly seen Facebook ads for a ChatGPT app for Windows, which had the curious property of having close to a thousand comments, none of which are visible, even when set to "display all comments".
Security researcher Dominic Alvieri has found fake websites as well as fake ChatGPT apps on the official Google Play store as well as third-party app stores. In most cases, the fake apps infect the victim with infostealers such as Redline, Aurora or Lumina.
These are all fairly obvious to more tech-savvy users, since ChatGPT depends upon massive compute resources, and is only available via its online interface at https://chat.openai.com/.
Constantinescu, Vlad, ChatGPT Apps to Spread Malware, blog post, 24 February 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/cybercriminals-leverage-fake-chatgpt-apps-to-spread-malware/.
News Stories
Autonomous Cyber Defence
As cyber attacks become more prevalent and the consequences of a breach get greater and greater (think of attacks on healthcare, industrial control systems and the Internet of Things), we face increasing manpower shortages. It takes a range of skills across networking, software development, system administration and operations to deal with possible attacks on complex systems, and there simply aren't enough skilled people to go around.
Last week I stumbled across an academic paper which points to the likely future: automated defence using machine learning. The authors are researchers at the US Department of Energy's Pacific Northwest National Laboratory, which is particularly interested in techniques to defend industrial control systems - such as, in particular, the power grid - against cyber attacks. Their paper first caught my attention because it uses similar techniques to my own research in computational trust, but here they are adapted to cyber defence.
A number of factors have combined to make this automated approach almost practical. Among these is the emergence of an ontology for describing cyber attacks, along with developments in deep learning and, of course, the availability of increasing compute power to solve the problems.
Let's start with the first of these. Attendees at my CISSP courses and university lectures will be familiar with the concept of the cyber intrusion kill chain, first introduced by Lockheed Martin over a decade ago. This laid out a seven-stage model of a typical sophisticated attack, as attempted by an advanced persistent threat. This influenced the development of MITRE's ATT&CK matrix, which is rather more granular and much more detailed.
This also saw more formalization in the use of terms like Tactics, Techniques and Procedures - tactics are derived from the kill chain's stages and describe high-level activities such as reconnaissance, persistence, C2, collection and exfiltration, while techniques are how the attacker achieves his goal for each tactical stage. In essence, techniques are classes of exploits, like privilege escalation, screen capture or phishing (ATT&CK breaks these down further, with hundreds of sub-techniques). The final level, procedures, equates to the specific exploits which take advantage of vulnerabilities - and these, of course, are now captured in the CVE and CWE databases.
In this model, the attacker works their way along the kill chain, tactic by tactic, using techniques to enable a move to the next stage. In terms of game theory, this is referred to as a stochastic game (or Markov game), in which the entire game is represented by a directed graph, with the probability of transitioning from one state to another state dependent upon the skills and resources of the attacker, versus the skills and resources of the defender. Now take a look at this figure, taken from the paper:

Here, rectangular boxes are tactical stages of an attack, while the ovals within them are techniques that could - if successful - complete that stage and allow the attacker to move on to the next stage.
In their paper, the authors model the behaviour of an automated defender as it tries to block the various stages of the attack. At each stage, the defender does not know which technique the attacker will use next - first of all, the defender may not know all the possible techniques and besides, attackers vary their techniques. Even if it can guess the technique, the specific procedure will be difficult to predict (because of 0day exploits, etc.). In addition, not everything the attacker does may be captured or, if it is, its significance is not known until later.
The game starts in an Attack Initiated state, and the attacker's goal is to get through the stages to the Impact/Exfiltration state (in red above). The defender's goal is to get the game to the Attack Terminated state, which will occur if the attacker runs out of techniques to get to the next stage.
After each attacker action (i.e. a procedure, or attempted exploit), the defender can choose one of three actions. It can do nothing, it can react by removing all processes that were used by the attacker in his last attack action, or it can act proactively to block a specific set of API calls or operations in order to prevent the next attack action. However, killing processes and blocking APIs is bad for business, and therefore incurs some cost, which the defender will attempt to avoid.
The goal of the automated defender is to develop a policy which recommends the optimal action at each state of the game. It does this using a technique called reinforcement learning, in which it earns a reward (computed by a reward function) for each state - the reward is simply a number which is proportional to how desirable that state is. The defender's goal is to maximise its total rewards in the long run, and it will try to develop a policy in order to do that.
The question is, how to develop that policy? In my own research, I used Bayesian networks to 'learn' the policy, but things have moved on since then, particularly with the emergence of deep learning techniques. In this paper, the authors explored four different Deep Reinforcement Learning approaches - a Deep Q-Network approach (DQN) and three different Actor-Critic approaches. 
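To make the stochastic-game formulation concrete, here is an added example (not code from the paper or its authors): a toy version of the game in Python, with tabular Q-learning standing in for the Deep Q-Network the authors used. The stages, techniques, attacker success probability, action costs and terminal rewards are all constructed for illustration.

```python
import random
from collections import defaultdict

# Constructed kill chain (not the paper's): each stage lists the techniques that could complete it.
STAGES = [
    ("Initial Access", ["phishing", "exploit public-facing app"]),
    ("Execution", ["user execution", "scripting"]),
    ("Privilege Escalation", ["token manipulation"]),
    ("Exfiltration", ["exfil over C2", "exfil over DNS"]),
]
IMPACT = len(STAGES)        # attacker reached the Impact/Exfiltration state
TERMINATED = -1             # attacker ran out of techniques: Attack Terminated
NOTHING, REACT, BLOCK = 0, 1, 2   # the defender's three possible actions


class KillChainGame:
    """Markov game: the defender acts, then the attacker tries one technique."""
    def __init__(self, attacker_skill, react_cost=3.0, block_cost=5.0, rng=None):
        self.skill = attacker_skill   # P(technique succeeds): the attacker's skill
        self.react_cost, self.block_cost = react_cost, block_cost
        self.rng = rng or random.Random(0)

    def reset(self):
        self.stage = 0
        self.remaining = [list(t) for _, t in STAGES]  # untried techniques per stage
        return self.state()

    def state(self):
        # The defender observes only (stage, techniques still available there).
        if self.stage in (IMPACT, TERMINATED):
            return (self.stage, 0)
        return (self.stage, len(self.remaining[self.stage]))

    def step(self, action):
        """Apply the defender's action, then the attacker's; return (state, reward, done)."""
        reward, blocked = 0.0, False
        if action == REACT:
            # Kill the processes used in the last attack action: foothold lost, back one stage.
            self.stage = max(0, self.stage - 1)
            reward -= self.react_cost
        elif action == BLOCK:
            # Proactively block the API calls/operations the next attack action needs.
            blocked = True
            reward -= self.block_cost
        techniques = self.remaining[self.stage]
        attempt = self.rng.choice(techniques)
        if not blocked and self.rng.random() < self.skill:
            self.stage += 1                     # technique succeeded: next stage
        else:
            techniques.remove(attempt)          # failed or blocked technique is burnt
        if self.stage == IMPACT:                # attacker reached its goal
            return self.state(), reward - 100.0, True
        if not self.remaining[self.stage]:      # nothing left to try at this stage
            self.stage = TERMINATED
            return self.state(), reward + 100.0, True
        return self.state(), reward, False


def train(game, episodes=4000, alpha=0.1, gamma=0.95, epsilon=0.1, seed=1):
    """Tabular Q-learning (standing in for the paper's DQN) from simulated play."""
    rng = random.Random(seed)
    Q = defaultdict(lambda: [0.0, 0.0, 0.0])    # state -> estimated value per action
    for _ in range(episodes):
        s, done = game.reset(), False
        while not done:
            # epsilon-greedy: usually exploit the current estimate, sometimes explore
            a = rng.randrange(3) if rng.random() < epsilon else max(range(3), key=lambda i: Q[s][i])
            s2, r, done = game.step(a)
            target = r if done else r + gamma * max(Q[s2])
            Q[s][a] += alpha * (target - Q[s][a])   # nudge the estimate toward what happened
            s = s2
    return Q


def greedy_policy(Q):
    """The learned policy: recommend the highest-value action in each state."""
    return lambda s: max(range(3), key=lambda i: Q[s][i])


def evaluate(game, policy, episodes=200):
    """Play a policy out; return (fraction of attacks terminated, mean return)."""
    wins, total = 0, 0.0
    for _ in range(episodes):
        s, done = game.reset(), False
        while not done:
            s, r, done = game.step(policy(s))
            total += r
        wins += s[0] == TERMINATED
    return wins / episodes, total / episodes
```

Comparing evaluate() for greedy_policy(train(game)) against a do-nothing policy shows how the learned policy trades the cost of blocking and killing processes against the penalty for letting the attacker reach Impact.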
To run their simulations, they used a fairly grunty Alienware machine (16-core i7 processor, 64 GB RAM, three NVidia GM200 graphics cards) - but that's actually not that big; the machine I am typing this on is similar, only based on an i9. Their software is written in Python (of course) and running in a customized OpenAI Gym simulation environment (I ran my simulations in Java and C, for performance - less necessary today). Compared to the cost of standing up and manning a SOC, this setup is a bargain.
I'm not going to do a deep dive into the learning parameters or the algorithms involved - here, I'm just interested in the security aspects. But the results are encouraging. Overall, the Deep Q-Network approach did best at terminating a range of simulated attacks as early as possible, although it fell behind when defending against a more skilled and persistent adversary (Av3), which is more likely to quickly identify the right action and not give up.

Now, bear in mind this is a simulation based on a relatively small number of tactics and techniques, with the success or failure of each technique modelled probabilistically, based on the assumed skill and persistence of the attacker. There were no actual attacks involved, no mining of events from a SIEM, etc. - extracting that information from IDS/IPS and SIEM systems is a completely different problem, which others, in both the public and private sectors, are also working on.
But I feel that this type of approach, in which sensors feed event information to a machine learning system which has learned from previous attacks, is likely the way of the future. And bear in mind, this is just one paper, from one group of researchers - there's a lot more going on - but I felt it was worth reporting on, in particular to explain how it relates to other things discussed in our courses.
These developments will take SOAR (Security Orchestration, Automation and Response) to a whole new level. Watch this space.
Dutta, A., Chatterjee, S., Bhattacharya, A., and Halappanavar, M., Deep Reinforcement Learning for Cyber System Defense under Dynamic Adversarial Uncertainties, arXiv, 3 February 2023. Available online at https://arxiv.org/abs/2302.01595.
News Stories
MA Town Employee Schools Everyone on Cryptomining
Out of Cohasset, Massachusetts comes the cautionary tale of Nadeam Nahas, the town's assistant facilities director - now former assistant facilities director - who has been charged with fraudulent use of electricity and vandalizing a school, after setting up a secret cryptocurrency mining operation in a remote crawl space in the town's Middle/High School.
Apparently, back in December 2021 Nahas's boss, the town's facilities inspector, was conducting a routine inspection of the school when he found electrical wires, temporary duct work, and numerous computers that seemed out of place. He contacted the town's IT director, who determined that it was a cryptomining setup, unlawfully using the school's electrical system. I suspect you'd need more than a few computers to compete with ASIC-based mining rigs, so the theft of electricity could well be significant.
The local police were called, and the Coast Guard Investigative Service and Department of Homeland Security assisted with safely removing and examining the equipment. A three-month investigation identified Nahas as a suspect, and after a show-cause hearing, a criminal complaint was issued. He resigned from his job in early 2022, and was due to be arraigned yesterday but did not show up, and the judge issued a warrant for his arrest.
Ah, crypto. When will people ever learn . . . ?
Uncredited, Police: Crypto mining operation found in school crawl space, AP News, 23 February 2023. Available online at https://apnews.com/article/massachusetts-c59f30e1736c7409e41357f1ae2e7b93.
Cloud Security: All Your Containers Are Belong to Us?
Cloud security firm Sysdig has produced their "2023 Cloud-Native Security and Usage Report" and the contents make sobering reading. The report is based on "data gathered from billions of containers, thousands of cloud accounts, and hundreds of applications" operated by Sysdig's customers, so it is based on what DevOps people are doing, rather than what they say they are doing.
The two biggest threats to cloud security continue to be misconfigurations and vulnerabilities - which are an increasing threat because they are being introduced into supply chains in ever-greater numbers. Sysdig found that 87% of container images running in production have critical or high severity vulnerabilities. 
This suggests that 'shift-left' strategies, which attempt to improve code quality and detect and eliminate vulnerabilities earlier in the software development life cycle (an increasingly nebulous concept in itself) are not working and that enterprises need runtime security technologies. Sysdig cite the example of Falco, a Cloud Native Computing Foundation (CNCF) open-source project they originally created, which helps organizations detect runtime threats across clouds, containers, hosts and Kubernetes environments.
On the up side, it seems that paying attention to supply-chain security will pay off handsomely, allowing developers to focus their remediation efforts on only those vulnerable packages loaded at runtime, which is only 15% of the critical or high severity packages - this seems to be yet another example of the Pareto rule.
In other findings, there is a lot of talk about zero trust, but not much action. The fact that 90% of granted privileges are not used indicates that developers and admins are not applying the principle of least privilege. In practice, 58% of identities are not humans - they are service accounts and often have not been used for over 90 days, or are expired test accounts or third-party accounts which should have been revoked.
Sysdig, Inc., Sysdig 2023 Cloud-Native Security and Usage Report, technical report, January 2023. Available online at https://sysdig.com/2023-cloud-native-security-and-usage-report/.
One Year On, Ukraine Still Not Wiped, Despite Massive Efforts
It's been one year since the beginning of Russia's little adventure in Ukraine. While TV news reports focus on the conventional kinetic warfare - lord knows, it's spectacular enough, and costly in human terms - there has been, of course, a similar cyberwar taking place across the borderless space of the Internet.
Russian state-sponsored threat actors have a long history of unleashing cyber-attacks on the country's former satellites - long-term infosec wonks will remember the 2007 attacks on Estonia's parliament, government ministries and media organizations, and who can forget 2017's NotPetya, a wiper aimed at Ukraine's tax revenues, but which claimed victims all over the world as collateral damage?
Now three security firms - ESET, Fortinet and Mandiant - have all independently found that, in 2022, Ukraine was targeted by more samples of wiper malware than in any previous year - in fact, more than in any year, anywhere. Fortinet counted 16 different 'families' of wiper malware, compared to one or two in previous years, indicating that Russia has assigned a much larger number of developers to wiper development in an attempt to get ahead of Ukraine's hardened defences.
And, just as we saw with NotPetya, these variants are spreading and causing collateral damage around the world, not just directly but as a consequence of other hackers reusing them in 25 different countries, according to Fortinet. However, Russia seems to have traded quality for quantity as it increased its efforts - many of the newly-developed wipers are relatively crude and will be easier to detect and deal with.
Greenberg, Andy, Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever, Wired, 22 February 2023. Available online at https://www.wired.com/story/ukraine-russia-wiper-malware/.